Index: net/third_party/nss/patches/balloonextension.patch |
diff --git a/net/third_party/nss/patches/balloonextension.patch b/net/third_party/nss/patches/balloonextension.patch |
new file mode 100644 |
index 0000000000000000000000000000000000000000..4f008109596d2d042ee82614818f0aaf2d5c3c70 |
--- /dev/null |
+++ b/net/third_party/nss/patches/balloonextension.patch |
@@ -0,0 +1,130 @@ |
+diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
+index 8b8b758..f5b973b 100644 |
+--- a/nss/lib/ssl/ssl3con.c |
++++ b/nss/lib/ssl/ssl3con.c |
+@@ -4974,7 +4974,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
+ int actual_count = 0; |
+ PRBool isTLS = PR_FALSE; |
+ PRBool requestingResume = PR_FALSE; |
+- PRInt32 total_exten_len = 0; |
++ PRInt32 total_exten_len = 0, balloonExtensionLen; |
+ unsigned numCompressionMethods; |
+ PRInt32 flags; |
+ |
+@@ -5241,6 +5241,10 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
+ length += 1 + ss->ssl3.hs.cookieLen; |
+ } |
+ |
++ balloonExtensionLen = ssl3_CalculateBalloonExtensionLength(length); |
++ total_exten_len += balloonExtensionLen; |
++ length += balloonExtensionLen; |
++ |
+ rv = ssl3_AppendHandshakeHeader(ss, client_hello, length); |
+ if (rv != SECSuccess) { |
+ return rv; /* err set by ssl3_AppendHandshake* */ |
+@@ -5360,6 +5364,13 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
+ return SECFailure; |
+ } |
+ maxBytes -= extLen; |
++ |
++ extLen = ssl3_AppendBalloonExtension(ss, balloonExtensionLen, maxBytes); |
++ if (extLen < 0) { |
++ return SECFailure; |
++ } |
++ maxBytes -= extLen; |
++ |
+ PORT_Assert(!maxBytes); |
+ } |
+ if (ss->ssl3.hs.sendingSCSV) { |
+diff --git a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c |
+index 0415770..a596c37 100644 |
+--- a/nss/lib/ssl/ssl3ext.c |
++++ b/nss/lib/ssl/ssl3ext.c |
+@@ -2297,3 +2297,54 @@ ssl3_ClientSendSigAlgsXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) |
+ loser: |
+ return -1; |
+ } |
++ |
++PRInt32 |
++ssl3_CalculateBalloonExtensionLength(int clientHelloLength) |
++{ |
++ int recordLength = clientHelloLength + |
++ 1 /* handshake message type */ + |
++ 3 /* handshake message length */; |
++ |
++ if (recordLength < 256 || recordLength >= 512) { |
++ return 0; |
++ } |
++ |
++ return 512 - recordLength; |
++} |
++ |
++/* ssl3_AppendBalloonExtension possibly adds an extension which ensures that a |
++ * ClientHello record is either < 256 bytes or is >= 512 bytes. This ensures |
++ * that we don't trigger bugs in F5 products. */ |
++PRInt32 |
++ssl3_AppendBalloonExtension(sslSocket *ss, int extensionLen, PRUint32 maxBytes) |
++{ |
++ SECStatus rv; |
++ PRInt32 paddingLen = extensionLen - 4; |
++ unsigned char *padding; |
++ |
++ if (extensionLen == 0) { |
++ return 0; |
++ } |
++ |
++ if (extensionLen > maxBytes) { |
++ PORT_Assert(0); |
++ return 0; |
++ } |
++ |
++ rv = ssl3_AppendHandshakeNumber(ss, ssl_balloon_xtn, 2); |
++ if (rv != SECSuccess) |
++ return -1; |
++ rv = ssl3_AppendHandshakeNumber(ss, paddingLen, 2); |
++ if (rv != SECSuccess) |
++ return -1; |
++ padding = PORT_Alloc(paddingLen); |
++ if (!padding) |
++ return -1; |
++ memset(padding, ' ', paddingLen); |
++ rv = ssl3_AppendHandshake(ss, padding, paddingLen); |
++ PORT_Free(padding); |
++ if (rv != SECSuccess) |
++ return -1; |
++ |
++ return extensionLen; |
++} |
+diff --git a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h |
+index 614eed1..0fa5087 100644 |
+--- a/nss/lib/ssl/sslimpl.h |
++++ b/nss/lib/ssl/sslimpl.h |
+@@ -237,6 +237,12 @@ extern PRInt32 |
+ ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes, |
+ const ssl3HelloExtensionSender *sender); |
+ |
++extern PRInt32 |
++ssl3_CalculateBalloonExtensionLength(int clientHelloLength); |
++ |
++extern PRInt32 |
++ssl3_AppendBalloonExtension(sslSocket *ss, int extensionLen, PRUint32 maxBytes); |
++ |
+ /* Socket ops */ |
+ struct sslSocketOpsStr { |
+ int (*connect) (sslSocket *, const PRNetAddr *); |
+diff --git a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h |
+index a8007d8..542afd7 100644 |
+--- a/nss/lib/ssl/sslt.h |
++++ b/nss/lib/ssl/sslt.h |
+@@ -205,9 +205,10 @@ typedef enum { |
+ ssl_session_ticket_xtn = 35, |
+ ssl_next_proto_nego_xtn = 13172, |
+ ssl_channel_id_xtn = 30031, |
++ ssl_balloon_xtn = 35655, |
+ ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ |
+ } SSLExtensionType; |
+ |
+-#define SSL_MAX_EXTENSIONS 11 |
++#define SSL_MAX_EXTENSIONS 11 /* doesn't include ssl_balloon_xtn. */ |
+ |
+ #endif /* __sslt_h_ */ |
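Review bot: ssl3_CalculateBalloonExtensionLength can return a length the extension cannot be encoded in: when recordLength is 509, 510 or 511 it returns 1–3, but the extension header alone (2-byte type plus 2-byte length) takes four bytes, so ssl3_AppendBalloonExtension then computes a negative paddingLen and hands it to ssl3_AppendHandshakeNumber and PORT_Alloc. Clamp the result in the calculator, `PRInt32 extensionLen = 512 - recordLength; if (extensionLen < 4) extensionLen = 4; return extensionLen;`, which still lands the handshake record at or above 512 bytes, and add a matching guard in ssl3_AppendBalloonExtension so a caller-supplied length below four is rejected rather than acted on, e.g. `if (extensionLen < 4) { PORT_Assert(0); return 0; }` placed before paddingLen is used. The `extensionLen > maxBytes` comparison also mixes a signed int with PRUint32, so a negative extensionLen would silently pass that check; the same guard closes that path. ssl3_CalculateBalloonExtensionLength has no header comment, unlike ssl3_AppendBalloonExtension; a one-liner such as `/* Returns the balloon extension length needed to push a ClientHello handshake record of clientHelloLength bytes out of the [256, 512) range, or 0 if none is needed. */` would document the contract both call sites in ssl3_SendClientHello rely on.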