
github.com/mono/boringssl.git - Unnamed repository; edit this file 'description' to name the repository.
authorDavid Benjamin <davidben@chromium.org>2014-07-04 00:15:44 +0400
committerAdam Langley <agl@google.com>2014-07-08 00:32:29 +0400
commitb9621b9c1ae1b94b6b775d4de644e4bd2809a315 (patch)
tree88ddc23b59ba7d7f7e43f11fae0ad2dfc98534cc
parent5468b2379719a56c245b78e00799874f6c56ca34 (diff)
Remove is_probably_safari logic.
We handle it externally now. Change-Id: Ib561f64078809645195fd1a859b3256499038847 Reviewed-on: https://boringssl-review.googlesource.com/1098 Reviewed-by: Adam Langley <agl@google.com>
-rw-r--r--ssl/s3_lib.c4
-rw-r--r--ssl/ssl3.h7
-rw-r--r--ssl/t1_lib.c81
3 files changed, 0 insertions, 92 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 534b2999..2518bd38 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -2747,10 +2747,6 @@ void ssl3_clear(SSL *s)
s->s3->tmp.ecdh = NULL;
}
#endif
-#ifndef OPENSSL_NO_EC
- s->s3->is_probably_safari = 0;
-#endif /* !OPENSSL_NO_EC */
-
rp = s->s3->rbuf.buf;
wp = s->s3->wbuf.buf;
rlen = s->s3->rbuf.len;
diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index 949c8b24..72db8405 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -533,13 +533,6 @@ typedef struct ssl3_state_st
int next_proto_neg_seen;
#endif
-#ifndef OPENSSL_NO_EC
- /* This is set to true if we believe that this is a version of Safari
- * running on OS X 10.6 or newer. We wish to know this because Safari
- * on 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */
- char is_probably_safari;
-#endif /* !OPENSSL_NO_EC */
-
/* ALPN information
* (we are in the process of transitioning from NPN to ALPN.) */
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index b1f56a0f..2bbd6394 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1734,82 +1734,6 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c
return ret;
}
-#ifndef OPENSSL_NO_EC
-/* ssl_check_for_safari attempts to fingerprint Safari using OS X
- * SecureTransport using the TLS extension block in |cbs|.
- * Safari, since 10.6, sends exactly these extensions, in this order:
- * SNI,
- * elliptic_curves
- * ec_point_formats
- *
- * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
- * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
- * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
- * 10.8..10.8.3 (which don't work).
- */
-static void ssl_check_for_safari(SSL *s, const CBS *extensions)
- {
- static const unsigned char kSafariExtensionsBlock[] = {
- 0x00, 0x0a, /* elliptic_curves extension */
- 0x00, 0x08, /* 8 bytes */
- 0x00, 0x06, /* 6 bytes of curve ids */
- 0x00, 0x17, /* P-256 */
- 0x00, 0x18, /* P-384 */
- 0x00, 0x19, /* P-521 */
-
- 0x00, 0x0b, /* ec_point_formats */
- 0x00, 0x02, /* 2 bytes */
- 0x01, /* 1 point format */
- 0x00, /* uncompressed */
- };
-
- /* The following is only present in TLS 1.2 */
- static const unsigned char kSafariTLS12ExtensionsBlock[] = {
- 0x00, 0x0d, /* signature_algorithms */
- 0x00, 0x0c, /* 12 bytes */
- 0x00, 0x0a, /* 10 bytes */
- 0x05, 0x01, /* SHA-384/RSA */
- 0x04, 0x01, /* SHA-256/RSA */
- 0x02, 0x01, /* SHA-1/RSA */
- 0x04, 0x03, /* SHA-256/ECDSA */
- 0x02, 0x03, /* SHA-1/ECDSA */
- };
- CBS extensions_copy = *extensions, extension;
- uint16_t type;
-
- /* First extension is server_name. */
- if (!CBS_get_u16(&extensions_copy, &type) ||
- !CBS_get_u16_length_prefixed(&extensions_copy, &extension) ||
- type != TLSEXT_TYPE_server_name)
- return;
-
- /* Compare the remainder of the extensions block. */
- if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
- {
- const size_t len1 = sizeof(kSafariExtensionsBlock);
- const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
-
- if (len1 + len2 != CBS_len(&extensions_copy))
- return;
- if (memcmp(CBS_data(&extensions_copy), kSafariExtensionsBlock, len1) != 0)
- return;
- if (memcmp(CBS_data(&extensions_copy) + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
- return;
- }
- else
- {
- const size_t len = sizeof(kSafariExtensionsBlock);
-
- if (len != CBS_len(&extensions_copy))
- return;
- if (memcmp(CBS_data(&extensions_copy), kSafariExtensionsBlock, len) != 0)
- return;
- }
-
- s->s3->is_probably_safari = 1;
-}
-#endif /* !OPENSSL_NO_EC */
-
/* tls1_alpn_handle_client_hello is called to process the ALPN extension in a
* ClientHello.
* cbs: the contents of the extension, not including the type and length.
@@ -1913,11 +1837,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert)
return 0;
}
-#ifndef OPENSSL_NO_EC
- if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
- ssl_check_for_safari(s, &extensions);
-#endif /* !OPENSSL_NO_EC */
-
while (CBS_len(&extensions) != 0)
{
uint16_t type;