Commit 0467ea68 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Experimental workaround TLS filler (WTF) extension. 

Based on a suggested workaround for the "TLS hang bug" (see FAQ and PR#2771):
if the TLS Client Hello record length value would otherwise be > 255 and less
that 512 pad with a dummy extension containing zeroes so it is at least 512.

To enable it use an unused extension number (for example 0x4242) using
e.g. -DTLSEXT_TYPE_wtf=0x4242

WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.
parent e0ffd129

CHANGES

+13 −0
Original line number Diff line number Diff line
@@ -4,6 +4,19 @@ 


 Changes between 1.0.2 and 1.1.0  [xx XXX xxxx]



  *) Experimental workaround TLS filler (WTF) extension. Based on a suggested

     workaround for the "TLS hang bug" (see FAQ and PR#2771): if the TLS client

     Hello record length value would otherwise be > 255 and less that 512

     pad with a dummy extension containing zeroes so it is at least 512 bytes

     long.



     To enable it use an unused extension number (for example 0x4242) using

     e.g. -DTLSEXT_TYPE_wtf=0x4242



     WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.

 

     [Steve Henson]



  *) Experimental encrypt-then-mac support.

    

     Experimental support for encrypt then mac from

ssl/t1_lib.c

+16 −0
Original line number Diff line number Diff line
@@ -1472,6 +1472,22 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha 
	s2n(TLSEXT_TYPE_encrypt_then_mac,ret);

	s2n(0,ret);

#endif

#ifdef TLSEXT_TYPE_wtf

	{

	/* Work out length which would be used in the TLS record:

	 * NB this should ALWAYS appear after all other extensions.

	 */

	int hlen = ret - (unsigned char *)s->init_buf->data - 3;

	if (hlen > 0xff && hlen < 0x200)

		{

		hlen = 0x200 - hlen;

		s2n(TLSEXT_TYPE_wtf,ret);

		s2n(hlen,ret);

		memset(ret, 0, hlen);

		ret += hlen;

		}

	}

#endif



	if ((extdatalen = ret-p-2) == 0)

		return p;