Add a comment about final empty extension intolerance.

We reordered extensions some time ago to ensure a non-empty extension was last, but the comment was since lost (or I forgot to put one in in the first place). Add one now so we don't regress. Change-Id: I2f6e2c3777912eb2c522a54bbbee579ee37ee58a Reviewed-on: https://boringssl-review.googlesource.com/7570 Reviewed-by: David Benjamin <davidben@google.com>
2016-03-25 18:56:10 -04:00 · 2016-03-25 18:56:10 -04:00 · 1e4ae00ac2
commit 1e4ae00ac2
parent 44477c03b9
1 changed files with 6 additions and 2 deletions
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@ -2037,6 +2037,9 @@ static const struct tls_extension kExtensions[] = {
    ext_ec_point_parse_clienthello,
    ext_ec_point_add_serverhello,
  },
+  /* The final extension must be non-empty. WebSphere Application Server 7.0 is
+   * intolerant to the last extension being zero-length. See
+   * https://crbug.com/363583. */
  {
    TLSEXT_TYPE_elliptic_curves,
    ext_ec_curves_init,
@ -2123,9 +2126,10 @@ int ssl_add_clienthello_tlsext(SSL *ssl, CBB *out, size_t header_len) {
       * NB: because this code works out the length of all existing extensions
       * it MUST always appear last. */
      size_t padding_len = 0x200 - header_len;
-      /* Extensions take at least four bytes to encode. Always include least
+      /* Extensions take at least four bytes to encode. Always include at least
       * one byte of data if including the extension. WebSphere Application
-       * Server 7.0 is intolerant to the last extension being zero-length. */
+       * Server 7.0 is intolerant to the last extension being zero-length. See
+       * https://crbug.com/363583. */
      if (padding_len >= 4 + 1) {
        padding_len -= 4;
      } else {