From 1e4ae00ac2beb893aa59b9a98eb70908332904ba Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Fri, 25 Mar 2016 18:56:10 -0400
Subject: [PATCH] Add a comment about final empty extension intolerance.

We reordered extensions some time ago to ensure a non-empty extension was last, but the comment was since lost (or I forgot to put one in in the first place). Add one now so we don't regress.

Change-Id: I2f6e2c3777912eb2c522a54bbbee579ee37ee58a
Reviewed-on: https://boringssl-review.googlesource.com/7570
Reviewed-by: David Benjamin
---
ssl/t1_lib.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 8facdd38..1d4565f4 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2037,6 +2037,9 @@ static const struct tls_extension kExtensions[] = {
 ext_ec_point_parse_clienthello,
 ext_ec_point_add_serverhello,
 },
+ /* The final extension must be non-empty. WebSphere Application Server 7.0 is
+ * intolerant to the last extension being zero-length. See
+ * https://crbug.com/363583. */
 {
 TLSEXT_TYPE_elliptic_curves,
 ext_ec_curves_init,
@@ -2123,9 +2126,10 @@ int ssl_add_clienthello_tlsext(SSL *ssl, CBB *out, size_t header_len) {
 * NB: because this code works out the length of all existing extensions
 * it MUST always appear last. */
 size_t padding_len = 0x200 - header_len;
- /* Extensions take at least four bytes to encode. Always include least
+ /* Extensions take at least four bytes to encode. Always include at least
 * one byte of data if including the extension. WebSphere Application
- * Server 7.0 is intolerant to the last extension being zero-length. */
+ * Server 7.0 is intolerant to the last extension being zero-length. See
+ * https://crbug.com/363583. */
 if (padding_len >= 4 + 1) {
 padding_len -= 4;
 } else {
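Review bot: The ordering rule documented above the `TLSEXT_TYPE_elliptic_curves` entry in `kExtensions` is still enforced only by convention. A later entry appended below it would bring back the WebSphere intolerance without any build or test failure. The same could happen in a configuration where this entry emits nothing, though its add callback is not visible here. The end of the array is outside the hunk, so I cannot confirm this entry is actually last. I would extend the comment with `New extensions must be added above this entry.` and add a test asserting that the last extension in a serialized ClientHello has a non-zero length when padding is not appended.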