X-Git-Url: https://www.bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=src%2Fssl%2Fssl_hs_client.t0;h=ea9f5b515dc3fed0b577babdae7f5b298df8391b;hp=e2a76f7c2635d61382e52e2cf71d62f4975a55b0;hb=d16eee962a72a600c370f18f2ae25b36b4f532df;hpb=3210f38e0491b39aec1ef419cb4114e9483089fb;ds=sidebyside

diff --git a/src/ssl/ssl_hs_client.t0 b/src/ssl/ssl_hs_client.t0
index e2a76f7..ea9f5b5 100644
--- a/src/ssl/ssl_hs_client.t0
+++ b/src/ssl/ssl_hs_client.t0
@@ -302,6 +302,8 @@ make_pms_ecdh(br_ssl_client_context *ctx, unsigned ecdhe, int prf_id)
 	0 8191 "offsetof(br_ssl_client_context, " field + ")" + make-CX
 	postpone literal postpone ; ;
 
+addr-ctx: min_clienthello_len
+
 \ Length of the Secure Renegotiation extension. This is 5 for the
 \ first handshake, 17 for a renegotiation (if the server supports the
 \ extension), or 0 if we know that the server does not support the
@@ -369,7 +371,8 @@ cc: supports-ecdsa? ( -- bool ) {
 : write-ClientHello ( -- )
 	{ ; total-ext-length }
 
-	\ Compute length for extensions (without the general two-byte header)
+	\ Compute length for extensions (without the general two-byte header).
+	\ This does not take padding extension into account.
 	ext-reneg-length ext-sni-length + ext-frag-length +
 	ext-signatures-length +
 	ext-supported-curves-length + ext-point-format-length +
@@ -381,6 +384,23 @@ cc: supports-ecdsa? ( -- bool ) {
 	\ Compute and write length
 	39 addr-session_id_len get8 + addr-suites_num get8 1 << +
 	total-ext-length if 2+ total-ext-length + then
+	\ Compute padding (if requested).
+	addr-min_clienthello_len get16 over - dup 0> if
+		\ We well add a Pad ClientHello extension, which has its
+		\ own header (4 bytes) and might be the only extension
+		\ (2 extra bytes for the extension list header).
+		total-ext-length ifnot swap 2+ swap 2- then
+		\ Account for the extension header.
+		4 - dup 0< if drop 0 then
+		\ Adjust total extension length.
+		dup 4 + total-ext-length + >total-ext-length
+		\ Adjust ClientHello length.
+		swap 4 + over + swap
+	else
+		drop
+		-1
+	then
+	{ ext-padding-amount }
 	write24
 
 	\ Protocol version
@@ -460,6 +480,14 @@ cc: supports-ecdsa? ( -- bool ) {
 			0x0002 write16          \ extension length
 			0x0100 write16          \ value: 1 format: uncompressed
 		then
+		ext-padding-amount 0< ifnot
+			0x0015 write16          \ extension value (21)
+			ext-padding-amount
+			dup write16             \ extension length
+			begin dup while
+			1- 0 write8 repeat      \ value (only zeros)
+			drop
+		then
 	then
 	;
 
@@ -971,12 +999,9 @@ cc: do-ecdh ( echde prf_id -- ulen ) {
 				0 addr-application_data set8
 				read-HelloRequest
 				\ Reject renegotiations if the peer does not
-				\ support secure renegotiation. Theoretically
-				\ we could just ignore that, however if the
-				\ server sent an HelloRequest then it is
-				\ expecting a handshake and will wait for our
-				\ ClientHello.
-				addr-reneg get8 1 = if
+				\ support secure renegotiation, or if the
+				\ "no renegotiation" flag is set.
+				addr-reneg get8 1 = 1 flag? or if
 					flush-record
 					begin can-output? not while
 						wait-co drop