OpenSSL: add support for the TLS padding extension.

openssl/ssl/t1_lib.c

Index: openssl/ssl/t1_lib.c
diff --git a/openssl/ssl/t1_lib.c b/openssl/ssl/t1_lib.c
index f447f227c295294f94f9b1d8cf3e160f1d89ad7c..7a507f974e9d34b7c70bab8045e00f17dce14971 100644
--- a/openssl/ssl/t1_lib.c
+++ b/openssl/ssl/t1_lib.c
@@ -661,6 +661,31 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
                 }
 #endif
 
+	/* Add padding to workaround bugs in F5 terminators.
+	 * See https://tools.ietf.org/html/draft-agl-tls-padding-02 */
+	{
+	int hlen = ret - (unsigned char *)s->init_buf->data;
+	/* The code in s23_clnt.c to build ClientHello messages includes the
+	 * 5-byte record header in the buffer, while the code in s3_clnt.c does
+	 * not. */

[digit1, 2013/12/12 17:02:28]

That's really subtle. Is this per-spec/per-protocol or an implementation detail?
If the latter, how about adding a comment in the appropriate places to avoid
breaking this if the sources are independently modified in the future?

[agl, 2013/12/16 19:44:19]

This is sadly an implementation niggle. I've added comments at the sites where
the buffers are setup about the subtle dependency.

+	if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
+		hlen -= 5;
+	if (hlen > 0xff && hlen < 0x200)
+		{
+		hlen = 0x200 - hlen;
+		if (hlen >= 4)
+			hlen -= 4;
+		else
+			hlen = 0;
+
+		s2n(TLSEXT_TYPE_padding, ret);
+		s2n(hlen, ret);
+		memset(ret, 0, hlen);
+		ret += hlen;
+		}
+	}
+
+
 	if ((extdatalen = ret-p-2)== 0) 
 		return p;