1 diff --git android-openssl.orig/ssl/d1_clnt.c android-openssl/ssl/d1_clnt.c
2 index 7e8077e..735e544 100644
3 --- android-openssl.orig/ssl/d1_clnt.c
4 +++ android-openssl/ssl/d1_clnt.c
5 @@ -874,7 +874,7 @@ int dtls1_client_hello(SSL *s)
6 *(p++)=0; /* Add the NULL method */
7 
8 #ifndef OPENSSL_NO_TLSEXT
9 - if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
10 + if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH, 0)) == NULL)
11 {
12 SSLerr(SSL_F_DTLS1_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
13 goto err;
14 diff --git android-openssl.orig/ssl/s23_clnt.c android-openssl/ssl/s23_clnt.c
15 index 08ee86d..750d208 100644
16 --- android-openssl.orig/ssl/s23_clnt.c
17 +++ android-openssl/ssl/s23_clnt.c
18 @@ -467,9 +467,9 @@ static int ssl23_client_hello(SSL *s)
19 /* create Client Hello in SSL 3.0/TLS 1.0 format */
20 
21 /* do the record header (5 bytes) and handshake message
22 - * header (4 bytes) last. Note: the code to add the
23 - * padding extension in t1_lib.c depends on the size of
24 - * this prefix. */
25 + * header (4 bytes) last. Note: the final argument to
26 + * ssl_add_clienthello_tlsext below depends on the size
27 + * of this prefix. */
28 d = p = &(buf[9]);
29 
30 *(p++) = version_major;
31 @@ -526,7 +526,10 @@ static int ssl23_client_hello(SSL *s)
32 SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
33 return -1;
34 }
35 - if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
36 + /* The buffer includes the 5 byte record header, so
37 * subtract it to compute hlen for
38 * ssl_add_clienthello_tlsext. */
39 + if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH, p-buf-5)) == NULL)
40 {
41 SSLerr(SSL_F_SSL23_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
42 return -1;
43 diff --git android-openssl.orig/ssl/s3_clnt.c android-openssl/ssl/s3_clnt.c
44 index d1b3224..640df80 100644
45 --- android-openssl.orig/ssl/s3_clnt.c
46 +++ android-openssl/ssl/s3_clnt.c
47 
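Review bot: Passing `0` as the new last argument of `ssl_add_clienthello_tlsext` in dtls1_client_hello silently opts DTLS out of the padding extension, and nothing at the call site says so; a reader has to find the t1_lib.c definition comment to learn that 0 means "no padding". A one-line comment above the call would carry the intent, e.g. `/* header_len 0: do not add the padding extension for DTLS */`. Why DTLS is excluded is not stated anywhere in the patch (presumably the F5 terminator workaround only matters for TLS over TCP), so the comment should name the actual reason once confirmed. dtls1_client_hello starts and ends outside the hunk.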
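Review bot: The literal `5` in `p-buf-5` at the ssl23_client_hello call re-encodes the buffer layout that `d = p = &(buf[9])` in the earlier hunk fixes, and the new comment calls the value "hlen" while the parameter in ssl_locl.h is `header_len`; if the prefix layout ever changes, this arithmetic is the piece most likely to be missed. Rewording the comment to `* subtract it to compute header_len for ssl_add_clienthello_tlsext. */` and, if the file already has a named constant for the 5-byte record header length, using it in place of the literal would tie the two sites together. The expression is a `ptrdiff_t` silently converted to `size_t`; since `p` is at least `buf+9` here it can never be negative, so the conversion is safe, but an explicit `(size_t)(p-buf-5)` would document that this was considered. ssl23_client_hello starts before and ends after the hunk.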
@@ -759,7 +759,7 @@ int ssl3_client_hello(SSL *s)
48 goto err;
49 
50 /* Do the message type and length last.
51 - * Note: the code to add the padding extension in t1_lib.c
52 + * Note: the final argument to ssl_add_clienthello_tlsext below
53 * depends on the size of this prefix. */
54 d=p= &(buf[4]);
55 
56 @@ -867,7 +867,7 @@ int ssl3_client_hello(SSL *s)
57 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
58 goto err;
59 }
60 - if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
61 + if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH, p-buf)) == NULL)
62 {
63 SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
64 goto err;
65 diff --git android-openssl.orig/ssl/ssl_locl.h android-openssl/ssl/ssl_locl.h
66 index 4e27d9e..531a291 100644
67 --- android-openssl.orig/ssl/ssl_locl.h
68 +++ android-openssl/ssl/ssl_locl.h
69 @@ -1127,7 +1127,7 @@ int tls1_ec_nid2curve_id(int nid);
70 #endif /* OPENSSL_NO_EC */
71 
72 #ifndef OPENSSL_NO_TLSEXT
73 -unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit);
74 +unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, size_t header_len);
75 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit);
76 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
77 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
78 diff --git android-openssl.orig/ssl/t1_lib.c android-openssl/ssl/t1_lib.c
79 index a53d56b..3fe6612 100644
80 --- android-openssl.orig/ssl/t1_lib.c
81 +++ android-openssl/ssl/t1_lib.c
82 
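Review bot: In the ssl3_client_hello hunk the new `p-buf` argument is a `ptrdiff_t` passed to a `size_t` parameter, and a value of 0 is the documented "no padding" sentinel on the callee side, so the correctness of this call rests on `p` having moved past `&(buf[4])` before the call; that holds here (the handshake header alone makes it at least 4), but nothing says so. A short comment, `/* p-buf covers the 4-byte handshake header plus the body written so far; never 0 */`, or an explicit `(size_t)(p-buf)`, would make the intent visible and silence sign-conversion warnings. ssl3_client_hello starts before and ends after the hunk.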
@@ -341,7 +341,10 @@ int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
83 return (int)slen;
84 }
85 
86 -unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
87 +/* header_len is the length of the ClientHello header written so far, used to
88 * compute padding. It does not include the record header. Pass 0 if no padding
89 * is to be done. */
90 +unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, size_t header_len)
91 {
92 int extdatalen=0;
93 unsigned char *orig = buf;
94 @@ -664,27 +667,25 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
95 
96 /* Add padding to workaround bugs in F5 terminators.
97 * See https://tools.ietf.org/html/draft-agl-tls-padding-02 */
98 - {
99 - int hlen = ret - (unsigned char *)s->init_buf->data;
100 - /* The code in s23_clnt.c to build ClientHello messages includes the
101 - * 5-byte record header in the buffer, while the code in s3_clnt.c does
102 - * not. */
103 - if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
104 - hlen -= 5;
105 - if (hlen > 0xff && hlen < 0x200)
106 + if (header_len > 0)
107 {
108 - hlen = 0x200 - hlen;
109 - if (hlen >= 4)
110 - hlen -= 4;
111 - else
112 - hlen = 0;
113 + header_len += ret - orig;
114 + if (header_len > 0xff && header_len < 0x200)
115 + {
116 + size_t padding_len = 0x200 - header_len;
117 + if (padding_len >= 4)
118 + padding_len -= 4;
119 + else
120 + padding_len = 0;
121 + if (limit - ret - 4 - (long)padding_len < 0)
122 + return NULL;
123 
124 - s2n(TLSEXT_TYPE_padding, ret);
125 - s2n(hlen, ret);
126 - memset(ret, 0, hlen);
127 - ret += hlen;
128 + s2n(TLSEXT_TYPE_padding, ret);
129 + s2n(padding_len, ret);
130 + memset(ret, 0, padding_len);
131 + ret += padding_len;
132 + }
133 }
134 - }
135 
136 
137 if ((extdatalen = ret-orig-2)== 0)
138
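Review bot: The new bounds check `if (limit - ret - 4 - (long)padding_len < 0) return NULL;` is the right addition (the old code wrote the padding unchecked), but it is opaque: the `4` is the two-byte extension type plus two-byte length, and the `(long)` cast exists only to keep the subtraction signed. Writing it as `if (limit - ret < 4 + (long)padding_len) return NULL; /* type + length + zero body must fit below limit */` states the question being asked. After `header_len += ret - orig;` the variable holds the whole ClientHello length so far rather than a header length, so a fresh local such as `size_t total_len = header_len + (ret - orig);` would keep the name honest for the range test that follows. Returning NULL here fails the entire ClientHello for the sake of an optional workaround extension; whether omitting the padding and continuing would be preferable is a policy choice the comment should state either way. ssl_add_clienthello_tlsext continues past the end of the hunk.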