NSS: add `balloon' extension to when we might hit the F5 bug.

net/third_party/nss/ssl/ssl3ext.c

Index: net/third_party/nss/ssl/ssl3ext.c
diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext.c
index 04157701e9028e670098fa47469960ffc05513c9..a596c37c8935bcfe3ec82bb86a93a6b76455cf86 100644
--- a/net/third_party/nss/ssl/ssl3ext.c
+++ b/net/third_party/nss/ssl/ssl3ext.c
@@ -2297,3 +2297,54 @@ ssl3_ClientSendSigAlgsXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes)
 loser:
     return -1;
 }
+
+PRInt32
+ssl3_CalculateBalloonExtensionLength(int clientHelloLength)
+{
+    int recordLength = clientHelloLength +

[wtc, 2013/11/06 21:51:58]

Nit: is this the record length or the handshake message length? I think it's the
latter.

[wtc, 2013/11/06 22:17:30]

You are right. This is the record length. (The handshake message length is on
line 2306.)

+	               1 /* handshake message type */ +
+		       3 /* handshake message length */;

[wtc, 2013/11/06 21:51:58]

Nit: list them in the order of 1 + 3 + clientHelloLength to match the Handshake
message definition:

      struct {
          HandshakeType msg_type;    /* handshake type */
          uint24 length;             /* bytes in message */
          select (HandshakeType) {
              case hello_request:       HelloRequest;
              case client_hello:        ClientHello;
              ...
              case finished:            Finished;
          } body;
      } Handshake;

[agl, 2013/11/08 19:39:17]

Done.

+
+    if (recordLength < 256 || recordLength >= 512) {
+	return 0;
+    }
+
+    return 512 - recordLength;

[wtc, 2013/11/06 23:33:20]

IMPORTANT: we also need to make sure this is at least 4, because an extension
with a zero-length extension_data still takes four bytes to encode:

      struct {
          ExtensionType extension_type;
          opaque extension_data<0..2^16-1>;
      } Extension;

      enum {
          signature_algorithms(13), (65535)
      } ExtensionType;

See also line 2322 in ssl3_AppendBalloonExtension.

[agl, 2013/11/08 19:39:17]

Good catch, thanks!

+}
+
+/* ssl3_AppendBalloonExtension possibly adds an extension which ensures that a
+ * ClientHello record is either < 256 bytes or is >= 512 bytes. This ensures

[wtc, 2013/11/06 21:51:58]

Nit: record or handshake message?

[wtc, 2013/11/06 22:17:30]

Please ignore this comment.

+ * that we don't trigger bugs in F5 products. */
+PRInt32
+ssl3_AppendBalloonExtension(sslSocket *ss, int extensionLen, PRUint32 maxBytes)

[wtc, 2013/11/06 23:33:20]

Nit: extensionLen probably should be an unsigned int.

[agl, 2013/11/08 19:39:17]

Done.

+{
+    SECStatus rv;
+    PRInt32 paddingLen = extensionLen - 4;

[wtc, 2013/11/06 23:33:20]

Should assert extensionLen == 0 || extensionLen >= 4.

[agl, 2013/11/08 19:39:17]

Done.

+    unsigned char *padding;
+
+    if (extensionLen == 0) {
+	return 0;
+    }
+
+    if (extensionLen > maxBytes) {
+	PORT_Assert(0);
+	return 0;
+    }
+
+    rv = ssl3_AppendHandshakeNumber(ss, ssl_balloon_xtn, 2);
+    if (rv != SECSuccess)
+	return -1;
+    rv = ssl3_AppendHandshakeNumber(ss, paddingLen, 2);
+    if (rv != SECSuccess)
+	return -1;
+    padding = PORT_Alloc(paddingLen);

[wtc, 2013/11/06 21:51:58]

Since paddingLen is at most 256, we can use a stack buffer or even a static
buffer to avoid heap allocation.

[agl, 2013/11/08 19:39:17]

Done.

+    if (!padding)
+	return -1;
+    memset(padding, ' ', paddingLen);
+    rv = ssl3_AppendHandshake(ss, padding, paddingLen);
+    PORT_Free(padding);
+    if (rv != SECSuccess)
+	return -1;
+
+    return extensionLen;
+}