NSS: add `balloon' extension to when we might hit the F5 bug.

net/third_party/nss/ssl/ssl3ext.c

 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* TLS extension code moved here from ssl3ecc.c */
 
 #include "nssrenam.h"
@@ skipping 2279 matching lines @@
     } else if (maxBytes < extension_length) {
         PORT_Assert(0);
         return 0;
     }
 
     return extension_length;
 
 loser:
     return -1;
 }
+
+PRInt32
+ssl3_CalculateBalloonExtensionLength(int clientHelloLength)
+{
+    int recordLength = clientHelloLength +

[wtc, 2013/11/06 21:51:58]

Nit: is this the record length or the handshake message length? I think it's the
latter.

[wtc, 2013/11/06 22:17:30]

You are right. This is the record length. (The handshake message length is on
line 2306.)

+                       1 /* handshake message type */ +
+                       3 /* handshake message length */;

[wtc, 2013/11/06 21:51:58]

Nit: list them in the order of 1 + 3 + clientHelloLength to match the Handshake
message definition:

      struct {
          HandshakeType msg_type;    /* handshake type */
          uint24 length;             /* bytes in message */
          select (HandshakeType) {
              case hello_request:       HelloRequest;
              case client_hello:        ClientHello;
              ...
              case finished:            Finished;
          } body;
      } Handshake;

[agl, 2013/11/08 19:39:17]

Done.

+
+    if (recordLength < 256 || recordLength >= 512) {
+        return 0;
+    }
+
+    return 512 - recordLength;

[wtc, 2013/11/06 23:33:20]

IMPORTANT: we also need to make sure this is at least 4, because an extension
with a zero-length extension_data still takes four bytes to encode:

      struct {
          ExtensionType extension_type;
          opaque extension_data<0..2^16-1>;
      } Extension;

      enum {
          signature_algorithms(13), (65535)
      } ExtensionType;

See also line 2322 in ssl3_AppendBalloonExtension.

[agl, 2013/11/08 19:39:17]

Good catch, thanks!

+}
+
+/* ssl3_AppendBalloonExtension possibly adds an extension which ensures that a
+ * ClientHello record is either < 256 bytes or is >= 512 bytes. This ensures

[wtc, 2013/11/06 21:51:58]

Nit: record or handshake message?

[wtc, 2013/11/06 22:17:30]

Please ignore this comment.

+ * that we don't trigger bugs in F5 products. */
+PRInt32
+ssl3_AppendBalloonExtension(sslSocket *ss, int extensionLen, PRUint32 maxBytes)

[wtc, 2013/11/06 23:33:20]

Nit: extensionLen probably should be an unsigned int.

[agl, 2013/11/08 19:39:17]

Done.

+{
+    SECStatus rv;
+    PRInt32 paddingLen = extensionLen - 4;

[wtc, 2013/11/06 23:33:20]

Should assert extensionLen == 0 || extensionLen >= 4.

[agl, 2013/11/08 19:39:17]

Done.

+    unsigned char *padding;
+
+    if (extensionLen == 0) {
+        return 0;
+    }
+
+    if (extensionLen > maxBytes) {
+        PORT_Assert(0);
+        return 0;
+    }
+
+    rv = ssl3_AppendHandshakeNumber(ss, ssl_balloon_xtn, 2);
+    if (rv != SECSuccess)
+        return -1;
+    rv = ssl3_AppendHandshakeNumber(ss, paddingLen, 2);
+    if (rv != SECSuccess)
+        return -1;
+    padding = PORT_Alloc(paddingLen);

[wtc, 2013/11/06 21:51:58]

Since paddingLen is at most 256, we can use a stack buffer or even a static
buffer to avoid heap allocation.

[agl, 2013/11/08 19:39:17]

Done.

+    if (!padding)
+        return -1;
+    memset(padding, ' ', paddingLen);
+    rv = ssl3_AppendHandshake(ss, padding, paddingLen);
+    PORT_Free(padding);
+    if (rv != SECSuccess)
+        return -1;
+
+    return extensionLen;
+}