NSS: add `balloon' extension to when we might hit the F5 bug.

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
 
@@ skipping 4957 matching lines @@
     sslSessionID *   sid;
     ssl3CipherSpec * cwSpec;
     SECStatus        rv;
     int              i;
     int              length;
     int              num_suites;
     int              actual_count = 0;
     PRBool           isTLS = PR_FALSE;
     PRBool           requestingResume = PR_FALSE;
     PRInt32          total_exten_len = 0;
+    unsigned         paddingExtensionLen;
     unsigned         numCompressionMethods;
     PRInt32          flags;
 
     SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(),
                 ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     rv = ssl3_InitState(ss);
@@ skipping 246 matching lines @@
     }
 
     length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH +
         1 + ((sid == NULL) ? 0 : sid->u.ssl3.sessionIDLength) +
         2 + num_suites*sizeof(ssl3CipherSuite) +
         1 + numCompressionMethods + total_exten_len;
     if (IS_DTLS(ss)) {
         length += 1 + ss->ssl3.hs.cookieLen;
     }
 
+    /* A padding extension may be included to ensure that the record containing
+     * the ClientHello doesn't have a length between 256 and 511 bytes
+     * (inclusive). Records with such lengths trigger bugs in F5 devices.

[wtc, 2013/11/08 20:10:06]

Nit: Records => Initial ClientHello records

Based on the info from F5 Networks, the code in question is trying to guess
whether the record is SSL 2.0 or SSL 3.0/TLS, so it should only apply to the
initial records.

[agl, 2013/11/08 20:33:23]

Done.

+     *
+     * This is not done for DTLS nor for renegotiation. */
+    if (!IS_DTLS(ss) && !ss->firstHsDone) {
+        paddingExtensionLen = ssl3_CalculatePaddingExtensionLength(length);
+    } else {
+        paddingExtensionLen = 0;
+    }
+    total_exten_len += paddingExtensionLen;
+    length += paddingExtensionLen;

[wtc, 2013/11/08 20:10:06]

Nit: these two lines can be moved inside the "if" block.

[agl, 2013/11/08 20:33:23]

Done.

+
     rv = ssl3_AppendHandshakeHeader(ss, client_hello, length);
     if (rv != SECSuccess) {
         return rv;      /* err set by ssl3_AppendHandshake* */
     }
 
     if (ss->firstHsDone) {
         /* The client hello version must stay unchanged to work around
          * the Windows SChannel bug described above. */
         PORT_Assert(ss->version == ss->clientHelloVersion);
     }
@@ skipping 99 matching lines @@
         rv = ssl3_AppendHandshakeNumber(ss, maxBytes, 2);
         if (rv != SECSuccess) {
             return rv;  /* err set by AppendHandshake. */
         }
 
         extLen = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, maxBytes, NULL);
         if (extLen < 0) {
             return SECFailure;
         }
         maxBytes -= extLen;
+
+        extLen = ssl3_AppendPaddingExtension(ss, paddingExtensionLen, maxBytes);
+        if (extLen < 0) {
+            return SECFailure;
+        }
+        maxBytes -= extLen;
+
         PORT_Assert(!maxBytes);
     } 
     if (ss->ssl3.hs.sendingSCSV) {
         /* Since we sent the SCSV, pretend we sent empty RI extension. */
         TLSExtensionData *xtnData = &ss->xtnData;
         xtnData->advertised[xtnData->numAdvertised++] = 
             ssl_renegotiation_info_xtn;
     }
 
     flags = 0;
@@ skipping 7195 matching lines @@
             PORT_Free(ss->ssl3.hs.recvdFragments.buf);
         }
     }
 
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */