Closed Bug 944157 Opened 11 years ago Closed 11 years ago

Implement the TLS padding extension

Categories

(NSS :: Libraries, enhancement, P2)

Product:
NSS
Component:
Libraries
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
3.15.5

People

(Reporter: wtc, Assigned: agl)

References

(
URL
)

Details

Attachments

(3 files, 1 obsolete file)

Patch by Adam Langley, v2
5.98 KB, patch
wtc
: review+
briansmith
: checked-in+
Details | Diff | Splinter Review
Supplemental patch: always pad ClientHello to >= 512 bytes [NOT FOR CHECKIN]
832 bytes, patch
briansmith
: review+
Details | Diff | Splinter Review
Unlock sid->u.ssl3.lock on ssl3_AppendPaddingExtension failure
586 bytes, patch
briansmith
: review+
wtc
: checked-in+
Details | Diff | Splinter Review
Attached patch Patch by Adam Langley (obsolete) — Splinter Review
A TLS padding extension has been proposed to work around a bug in a server-side SSL/TLS implementation that incorrectly handles a ClientHello record of 256 - 511 bytes as an SSL 2.0 ClientHello. The Internet-Draft is: http://tools.ietf.org/html/draft-agl-tls-padding-02 Brian: I have reviewed the attached patch by Adam Langley at https://codereview.chromium.org/62103003 https://codereview.chromium.org/66553007 So your review is optional. The patch uses a temparary extension number 35655.
Attachment #8339587 - Flags: review+
Attachment #8339587 - Flags: feedback?(brian)
Comment on attachment 8339587 [details] [diff] [review] Patch by Adam Langley Review of attachment 8339587 [details] [diff] [review]: ----------------------------------------------------------------- ::: lib/ssl/ssl3ext.c @@ +2142,5 @@ > + unsigned int extensionLength; > + > + if (recordLength < 256 || recordLength >= 512) { > + return 0; > + } IMO, at least in the short term, it is a good idea to do this all the time, including when recordLength < 256. We will learn more about interoperability problems this way. In the short term, I would actually like to make the padded record larger, like 1024 bytes, to make sure we find all the interop issues related to large ClientHellos, not just the F5 issue. @@ +2150,5 @@ > + if (extensionLength < 4) { > + extensionLength = 4; > + } > + > + return extensionLength; The 7 lines above are indented one space too far. @@ +2161,5 @@ > +ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen, > + PRUint32 maxBytes) > +{ > + unsigned int paddingLen = extensionLen - 4; > + unsigned char padding[256]; Should we just make padding static and avoid the memset call?
Attachment #8339587 - Flags: feedback?(brian) → feedback+
Brian: Thank you for the review. I made the changes you suggested. I also considered making the |padding| buffer static. I didn't do that because I thought the code to do memset may be smaller than the size taken by a 256-byte static buffer. But since you also suggested it, I made the change.
Attachment #8339587 - Attachment is obsolete: true
Attachment #8341976 - Flags: review+
Brian: here is a patch that we can apply on top of the main patch to always pad ClientHello to 512 bytes, as you suggested. Chrome's Canary build has this patch. One issue I considered is whether we should add an SSL_PAD_CLIENT_HELLO option. I think that if the ClientHello padding doesn't break other servers, we should just enable it by default, to avoid adding another option that client applications that may talk to F5 BIG-IP servers need to enable.
Attachment #8341983 - Attachment description: Supplemental patch: always pad ClientHello to >= 512 bytes → Supplemental patch: always pad ClientHello to >= 512 bytes [NOT FOR CHECKIN]
Attachment #8341983 - Flags: review+
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Brian: I didn't check in Adam's patch because I wanted to wait for an official assignment of the TLS padding extension number by IANA. Please confirm that you don't want to wait for that. We need this additional change for the current code in ssl3_SendClientHello. By the way, can you review my patch in bug 947681? Thanks.
Attachment #8359941 - Flags: review?(brian)
Flags: needinfo?(brian)
Attachment #8359941 - Flags: review?(brian) → review+
Comment on attachment 8359941 [details] [diff] [review] Unlock sid->u.ssl3.lock on ssl3_AppendPaddingExtension failure Patch checked in: https://hg.mozilla.org/projects/nss/rev/dfc0a9f054de
Attachment #8359941 - Flags: checked-in+
(In reply to Wan-Teh Chang from comment #5) > Brian: I didn't check in Adam's patch because I wanted to wait for an > official > assignment of the TLS padding extension number by IANA. Please confirm that > you don't want to wait for that. Thanks for explaining that. We are adding this and the option to do ALPN to Firefox to help with interop testing during the W3C interop event next week. It is easiest to keep the patch checked into NSS and I don't see any issue with keeping it in the NSS release even if we don't get the codepoint assignment. In particular, servers are supposed to (pretty much required to) ignore this extension and I don't think we have to worry about collisions with the unusual value that was chosen. > We need this additional change for the current code in ssl3_SendClientHello. > By the way, can you review my patch in bug 947681? Thanks. Yes, I will get to it as soon as I can. Thanks for the reminder.
Clearing NEEDINFO.
Flags: needinfo?(brian)
Target Milestone: 3.15.5 → 3.16
Target Milestone: 3.16 → 3.15.5
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: