Remove compat hack that disabled ECDHE-ECDSA on OS X.

For a few old releases, ECDHE-ECDSA was broken on OS X. This option cannot differentiate between working and broken OS X so it disabled ECDHE-ECDSA support on all OS X >= 10.6. 10.8-10.8.3 were the faulty releases but these are no longer relevant. Tested on OS X 10.10 by jsing. ok jsing@
author: doug <> 2015-07-17 15:50:37 +0000
committer: doug <> 2015-07-17 15:50:37 +0000
commit: 5cba53e692be72d0915031b26de7cdc95c7beea9 (patch)
tree: feb649947db1c2e92858c29d6aa7029f188bfa9b
parent: 72d01d7d13377f8533acd81c582f9c5fedba7439 (diff)
download: openbsd-5cba53e692be72d0915031b26de7cdc95c7beea9.tar.gz
openbsd-5cba53e692be72d0915031b26de7cdc95c7beea9.tar.bz2
openbsd-5cba53e692be72d0915031b26de7cdc95c7beea9.zip
10 files changed, 26 insertions, 208 deletions
diff --git a/src/lib/libssl/doc/SSL_CTX_set_options.3 b/src/lib/libssl/doc/SSL_CTX_set_options.3
index 922522a33c..91a1c9ad92 100644
--- a/src/lib/libssl/doc/SSL_CTX_set_options.3
+++ b/src/lib/libssl/doc/SSL_CTX_set_options.3
@@ -1,5 +1,5 @@
 .\"
-.\"     $OpenBSD: SSL_CTX_set_options.3,v 1.7 2015/07/17 07:04:40 doug Exp $
+.\"     $OpenBSD: SSL_CTX_set_options.3,v 1.8 2015/07/17 15:50:37 doug Exp $
 .\"
 .Dd $Mdocdate: July 17 2015 $
 .Dt SSL_CTX_SET_OPTIONS 3
@@ -116,8 +116,9 @@ this option has no effect.
 .It Dv SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
 \&...
 .It Dv SSL_OP_SAFARI_ECDHE_ECDSA_BUG
-Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
+As of
-OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
+.Ox 5.8 ,
+this option has no effect.
 .It Dv SSL_OP_SSLEAY_080_CLIENT_DH_BUG
 As of
 .Ox 5.8 ,
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index c838409bf7..9167257546 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.97 2015/07/14 05:20:46 doug Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.98 2015/07/17 15:50:37 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2087,8 +2087,6 @@ ssl3_clear(SSL *s)
        EC_KEY_free(s->s3->tmp.ecdh);
        s->s3->tmp.ecdh = NULL;
-        s->s3->is_probably_safari = 0;
        rp = s->s3->rbuf.buf;
        wp = s->s3->wbuf.buf;
        rlen = s->s3->rbuf.len;
@@ -2618,12 +2616,6 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                        continue;
                ii = sk_SSL_CIPHER_find(allow, c);
                if (ii >= 0) {
-                        if ((alg_k & SSL_kECDHE) &&
-                            (alg_a & SSL_aECDSA) && s->s3->is_probably_safari) {
-                                if (!ret)
-                                        ret = sk_SSL_CIPHER_value(allow, ii);
-                                continue;
-                        }
                        ret = sk_SSL_CIPHER_value(allow, ii);
                        break;
                }
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3 b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3
index 922522a33c..91a1c9ad92 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3
@@ -1,5 +1,5 @@
 .\"
-.\"     $OpenBSD: SSL_CTX_set_options.3,v 1.7 2015/07/17 07:04:40 doug Exp $
+.\"     $OpenBSD: SSL_CTX_set_options.3,v 1.8 2015/07/17 15:50:37 doug Exp $
 .\"
 .Dd $Mdocdate: July 17 2015 $
 .Dt SSL_CTX_SET_OPTIONS 3
@@ -116,8 +116,9 @@ this option has no effect.
 .It Dv SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
 \&...
 .It Dv SSL_OP_SAFARI_ECDHE_ECDSA_BUG
-Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
+As of
-OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
+.Ox 5.8 ,
+this option has no effect.
 .It Dv SSL_OP_SSLEAY_080_CLIENT_DH_BUG
 As of
 .Ox 5.8 ,
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index c838409bf7..9167257546 100644
--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.97 2015/07/14 05:20:46 doug Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.98 2015/07/17 15:50:37 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2087,8 +2087,6 @@ ssl3_clear(SSL *s)
        EC_KEY_free(s->s3->tmp.ecdh);
        s->s3->tmp.ecdh = NULL;
-        s->s3->is_probably_safari = 0;
        rp = s->s3->rbuf.buf;
        wp = s->s3->wbuf.buf;
        rlen = s->s3->rbuf.len;
@@ -2618,12 +2616,6 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                        continue;
                ii = sk_SSL_CIPHER_find(allow, c);
                if (ii >= 0) {
-                        if ((alg_k & SSL_kECDHE) &&
-                            (alg_a & SSL_aECDSA) && s->s3->is_probably_safari) {
-                                if (!ret)
-                                        ret = sk_SSL_CIPHER_value(allow, ii);
-                                continue;
-                        }
                        ret = sk_SSL_CIPHER_value(allow, ii);
                        break;
                }
diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h
index 84154a5176..33aaadcd20 100644
--- a/src/lib/libssl/src/ssl/ssl.h
+++ b/src/lib/libssl/src/ssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.88 2015/07/17 07:04:41 doug Exp $ */
+/* $OpenBSD: ssl.h,v 1.89 2015/07/17 15:50:37 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -520,7 +520,6 @@ struct ssl_session_st {
 #define SSL_OP_LEGACY_SERVER_CONNECT                    0x00000004L
 #define SSL_OP_TLSEXT_PADDING                           0x00000010L
 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER               0x00000020L
-#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG                   0x00000040L
 #define SSL_OP_TLS_D5_BUG                               0x00000100L
 /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
@@ -575,7 +574,6 @@ struct ssl_session_st {
    (SSL_OP_LEGACY_SERVER_CONNECT | \
     SSL_OP_TLSEXT_PADDING | \
     SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER | \
-     SSL_OP_SAFARI_ECDHE_ECDSA_BUG | \
     SSL_OP_TLS_D5_BUG | \
     SSL_OP_CRYPTOPRO_TLSEXT_BUG)
@@ -590,6 +588,7 @@ struct ssl_session_st {
 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG         0x0
 #define SSL_OP_PKCS1_CHECK_1                            0x0
 #define SSL_OP_PKCS1_CHECK_2                            0x0
+#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG                   0x0
 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG                 0x0
 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG              0x0
 #define SSL_OP_TLS_BLOCK_PADDING_BUG                    0x0
diff --git a/src/lib/libssl/src/ssl/ssl3.h b/src/lib/libssl/src/ssl/ssl3.h
index 8bcf9e37e8..4de50428a8 100644
--- a/src/lib/libssl/src/ssl/ssl3.h
+++ b/src/lib/libssl/src/ssl/ssl3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl3.h,v 1.38 2015/07/17 07:04:41 doug Exp $ */
+/* $OpenBSD: ssl3.h,v 1.39 2015/07/17 15:50:37 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -490,9 +490,10 @@ typedef struct ssl3_state_st {
        unsigned char *alpn_selected;
        unsigned int alpn_selected_len;
-        /* This is set to true if we believe that this is a version of Safari
+        /*
-         * running on OS X 10.6 or newer. We wish to know this because Safari
+         * XXX delete on next major bump.  This was for old OS X releases
-         * on 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */
+         * with broken ECDHE-ECDSA support.
+         */
        char is_probably_safari;
 } SSL3_STATE;
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c
index e901a901da..b0f0de3bd8 100644
--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.78 2015/06/19 01:38:54 doug Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.79 2015/07/17 15:50:37 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1204,87 +1204,6 @@ parse_error:
        return (0);
 }
-/* ssl_check_for_safari attempts to fingerprint Safari using OS X
- * SecureTransport using the TLS extension block in |d|, of length |n|.
- * Safari, since 10.6, sends exactly these extensions, in this order:
- *   SNI,
- *   elliptic_curves
- *   ec_point_formats
- *
- * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
- * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
- * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
- * 10.8..10.8.3 (which don't work).
- */
-static void
-ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d,
-    int n)
-{
-        unsigned short type, size;
-        static const unsigned char kSafariExtensionsBlock[] = {
-                0x00, 0x0a,  /* elliptic_curves extension */
-                0x00, 0x08,  /* 8 bytes */
-                0x00, 0x06,  /* 6 bytes of curve ids */
-                0x00, 0x17,  /* P-256 */
-                0x00, 0x18,  /* P-384 */
-                0x00, 0x19,  /* P-521 */
-                0x00, 0x0b,  /* ec_point_formats */
-                0x00, 0x02,  /* 2 bytes */
-                0x01,        /* 1 point format */
-                0x00,        /* uncompressed */
-        };
-        /* The following is only present in TLS 1.2 */
-        static const unsigned char kSafariTLS12ExtensionsBlock[] = {
-                0x00, 0x0d,  /* signature_algorithms */
-                0x00, 0x0c,  /* 12 bytes */
-                0x00, 0x0a,  /* 10 bytes */
-                0x05, 0x01,  /* SHA-384/RSA */
-                0x04, 0x01,  /* SHA-256/RSA */
-                0x02, 0x01,  /* SHA-1/RSA */
-                0x04, 0x03,  /* SHA-256/ECDSA */
-                0x02, 0x03,  /* SHA-1/ECDSA */
-        };
-        if (data >= (d + n - 2))
-                return;
-        data += 2;
-        if (data > (d + n - 4))
-                return;
-        n2s(data, type);
-        n2s(data, size);
-        if (type != TLSEXT_TYPE_server_name)
-                return;
-        if (data + size > d + n)
-                return;
-        data += size;
-        if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
-                const size_t len1 = sizeof(kSafariExtensionsBlock);
-                const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
-                if (data + len1 + len2 != d + n)
-                        return;
-                if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
-                        return;
-                if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
-                        return;
-        } else {
-                const size_t len = sizeof(kSafariExtensionsBlock);
-                if (data + len != d + n)
-                        return;
-                if (memcmp(data, kSafariExtensionsBlock, len) != 0)
-                        return;
-        }
-        s->s3->is_probably_safari = 1;
-}
 int
 ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
    int n, int *al)
@@ -1302,9 +1221,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
        free(s->s3->alpn_selected);
        s->s3->alpn_selected = NULL;
-        if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
-                ssl_check_for_safari(s, data, d, n);
        if (data >= (d + n - 2))
                goto ri_check;
        n2s(data, len);
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 84154a5176..33aaadcd20 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.88 2015/07/17 07:04:41 doug Exp $ */
+/* $OpenBSD: ssl.h,v 1.89 2015/07/17 15:50:37 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -520,7 +520,6 @@ struct ssl_session_st {
 #define SSL_OP_LEGACY_SERVER_CONNECT                    0x00000004L
 #define SSL_OP_TLSEXT_PADDING                           0x00000010L
 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER               0x00000020L
-#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG                   0x00000040L
 #define SSL_OP_TLS_D5_BUG                               0x00000100L
 /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
@@ -575,7 +574,6 @@ struct ssl_session_st {
    (SSL_OP_LEGACY_SERVER_CONNECT | \
     SSL_OP_TLSEXT_PADDING | \
     SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER | \
-     SSL_OP_SAFARI_ECDHE_ECDSA_BUG | \
     SSL_OP_TLS_D5_BUG | \
     SSL_OP_CRYPTOPRO_TLSEXT_BUG)
@@ -590,6 +588,7 @@ struct ssl_session_st {
 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG         0x0
 #define SSL_OP_PKCS1_CHECK_1                            0x0
 #define SSL_OP_PKCS1_CHECK_2                            0x0
+#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG                   0x0
 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG                 0x0
 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG              0x0
 #define SSL_OP_TLS_BLOCK_PADDING_BUG                    0x0
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
index 8bcf9e37e8..4de50428a8 100644
--- a/src/lib/libssl/ssl3.h
+++ b/src/lib/libssl/ssl3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl3.h,v 1.38 2015/07/17 07:04:41 doug Exp $ */
+/* $OpenBSD: ssl3.h,v 1.39 2015/07/17 15:50:37 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -490,9 +490,10 @@ typedef struct ssl3_state_st {
        unsigned char *alpn_selected;
        unsigned int alpn_selected_len;
-        /* This is set to true if we believe that this is a version of Safari
+        /*
-         * running on OS X 10.6 or newer. We wish to know this because Safari
+         * XXX delete on next major bump.  This was for old OS X releases
-         * on 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */
+         * with broken ECDHE-ECDSA support.
+         */
        char is_probably_safari;
 } SSL3_STATE;
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index e901a901da..b0f0de3bd8 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.78 2015/06/19 01:38:54 doug Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.79 2015/07/17 15:50:37 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1204,87 +1204,6 @@ parse_error:
        return (0);
 }
-/* ssl_check_for_safari attempts to fingerprint Safari using OS X
- * SecureTransport using the TLS extension block in |d|, of length |n|.
- * Safari, since 10.6, sends exactly these extensions, in this order:
- *   SNI,
- *   elliptic_curves
- *   ec_point_formats
- *
- * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
- * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
- * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
- * 10.8..10.8.3 (which don't work).
- */
-static void
-ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d,
-    int n)
-{
-        unsigned short type, size;
-        static const unsigned char kSafariExtensionsBlock[] = {
-                0x00, 0x0a,  /* elliptic_curves extension */
-                0x00, 0x08,  /* 8 bytes */
-                0x00, 0x06,  /* 6 bytes of curve ids */
-                0x00, 0x17,  /* P-256 */
-                0x00, 0x18,  /* P-384 */
-                0x00, 0x19,  /* P-521 */
-                0x00, 0x0b,  /* ec_point_formats */
-                0x00, 0x02,  /* 2 bytes */
-                0x01,        /* 1 point format */
-                0x00,        /* uncompressed */
-        };
-        /* The following is only present in TLS 1.2 */
-        static const unsigned char kSafariTLS12ExtensionsBlock[] = {
-                0x00, 0x0d,  /* signature_algorithms */
-                0x00, 0x0c,  /* 12 bytes */
-                0x00, 0x0a,  /* 10 bytes */
-                0x05, 0x01,  /* SHA-384/RSA */
-                0x04, 0x01,  /* SHA-256/RSA */
-                0x02, 0x01,  /* SHA-1/RSA */
-                0x04, 0x03,  /* SHA-256/ECDSA */
-                0x02, 0x03,  /* SHA-1/ECDSA */
-        };
-        if (data >= (d + n - 2))
-                return;
-        data += 2;
-        if (data > (d + n - 4))
-                return;
-        n2s(data, type);
-        n2s(data, size);
-        if (type != TLSEXT_TYPE_server_name)
-                return;
-        if (data + size > d + n)
-                return;
-        data += size;
-        if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
-                const size_t len1 = sizeof(kSafariExtensionsBlock);
-                const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
-                if (data + len1 + len2 != d + n)
-                        return;
-                if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
-                        return;
-                if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
-                        return;
-        } else {
-                const size_t len = sizeof(kSafariExtensionsBlock);
-                if (data + len != d + n)
-                        return;
-                if (memcmp(data, kSafariExtensionsBlock, len) != 0)
-                        return;
-        }
-        s->s3->is_probably_safari = 1;
-}
 int
 ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
    int n, int *al)
@@ -1302,9 +1221,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
        free(s->s3->alpn_selected);
        s->s3->alpn_selected = NULL;
-        if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
-                ssl_check_for_safari(s, data, d, n);
        if (data >= (d + n - 2))
                goto ri_check;
        n2s(data, len);
author	doug <>	2015-07-17 15:50:37 +0000
committer	doug <>	2015-07-17 15:50:37 +0000
commit	5cba53e692be72d0915031b26de7cdc95c7beea9 (patch)
tree	feb649947db1c2e92858c29d6aa7029f188bfa9b
parent	72d01d7d13377f8533acd81c582f9c5fedba7439 (diff)
download	openbsd-5cba53e692be72d0915031b26de7cdc95c7beea9.tar.gz openbsd-5cba53e692be72d0915031b26de7cdc95c7beea9.tar.bz2 openbsd-5cba53e692be72d0915031b26de7cdc95c7beea9.zip

diff --git a/src/lib/libssl/doc/SSL_CTX_set_options.3 b/src/lib/libssl/doc/SSL_CTX_set_options.3 index 922522a33c..91a1c9ad92 100644 --- a/src/lib/libssl/doc/SSL_CTX_set_options.3 +++ b/src/lib/libssl/doc/SSL_CTX_set_options.3
@@ -1,5 +1,5 @@
1	.\"	1	.\"
2	.\" $OpenBSD: SSL_CTX_set_options.3,v 1.7 2015/07/17 07:04:40 doug Exp $	2	.\" $OpenBSD: SSL_CTX_set_options.3,v 1.8 2015/07/17 15:50:37 doug Exp $
3	.\"	3	.\"
4	.Dd $Mdocdate: July 17 2015 $	4	.Dd $Mdocdate: July 17 2015 $
5	.Dt SSL_CTX_SET_OPTIONS 3	5	.Dt SSL_CTX_SET_OPTIONS 3
@@ -116,8 +116,9 @@ this option has no effect.
116	.It Dv SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER	116	.It Dv SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
117	\&...	117	\&...
118	.It Dv SSL_OP_SAFARI_ECDHE_ECDSA_BUG	118	.It Dv SSL_OP_SAFARI_ECDHE_ECDSA_BUG
119	Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.	119	As of
120	OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.	120	.Ox 5.8 ,
		121	this option has no effect.
121	.It Dv SSL_OP_SSLEAY_080_CLIENT_DH_BUG	122	.It Dv SSL_OP_SSLEAY_080_CLIENT_DH_BUG
122	As of	123	As of
123	.Ox 5.8 ,	124	.Ox 5.8 ,


diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index c838409bf7..9167257546 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_lib.c,v 1.97 2015/07/14 05:20:46 doug Exp $ */	1	/* $OpenBSD: s3_lib.c,v 1.98 2015/07/17 15:50:37 doug Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2087,8 +2087,6 @@ ssl3_clear(SSL *s)
2087	EC_KEY_free(s->s3->tmp.ecdh);	2087	EC_KEY_free(s->s3->tmp.ecdh);
2088	s->s3->tmp.ecdh = NULL;	2088	s->s3->tmp.ecdh = NULL;
2089		2089
2090	s->s3->is_probably_safari = 0;
2091
2092	rp = s->s3->rbuf.buf;	2090	rp = s->s3->rbuf.buf;
2093	wp = s->s3->wbuf.buf;	2091	wp = s->s3->wbuf.buf;
2094	rlen = s->s3->rbuf.len;	2092	rlen = s->s3->rbuf.len;
@@ -2618,12 +2616,6 @@ ssl3_choose_cipher(SSL s, STACK_OF(SSL_CIPHER) clnt,
2618	continue;	2616	continue;
2619	ii = sk_SSL_CIPHER_find(allow, c);	2617	ii = sk_SSL_CIPHER_find(allow, c);
2620	if (ii >= 0) {	2618	if (ii >= 0) {
2621	if ((alg_k & SSL_kECDHE) &&
2622	(alg_a & SSL_aECDSA) && s->s3->is_probably_safari) {
2623	if (!ret)
2624	ret = sk_SSL_CIPHER_value(allow, ii);
2625	continue;
2626	}
2627	ret = sk_SSL_CIPHER_value(allow, ii);	2619	ret = sk_SSL_CIPHER_value(allow, ii);
2628	break;	2620	break;
2629	}	2621	}


diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3 b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3 index 922522a33c..91a1c9ad92 100644 --- a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3 +++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3
@@ -1,5 +1,5 @@
1	.\"	1	.\"
2	.\" $OpenBSD: SSL_CTX_set_options.3,v 1.7 2015/07/17 07:04:40 doug Exp $	2	.\" $OpenBSD: SSL_CTX_set_options.3,v 1.8 2015/07/17 15:50:37 doug Exp $
3	.\"	3	.\"
4	.Dd $Mdocdate: July 17 2015 $	4	.Dd $Mdocdate: July 17 2015 $
5	.Dt SSL_CTX_SET_OPTIONS 3	5	.Dt SSL_CTX_SET_OPTIONS 3
@@ -116,8 +116,9 @@ this option has no effect.
116	.It Dv SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER	116	.It Dv SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
117	\&...	117	\&...
118	.It Dv SSL_OP_SAFARI_ECDHE_ECDSA_BUG	118	.It Dv SSL_OP_SAFARI_ECDHE_ECDSA_BUG
119	Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.	119	As of
120	OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.	120	.Ox 5.8 ,
		121	this option has no effect.
121	.It Dv SSL_OP_SSLEAY_080_CLIENT_DH_BUG	122	.It Dv SSL_OP_SSLEAY_080_CLIENT_DH_BUG
122	As of	123	As of
123	.Ox 5.8 ,	124	.Ox 5.8 ,


diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c index c838409bf7..9167257546 100644 --- a/src/lib/libssl/src/ssl/s3_lib.c +++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_lib.c,v 1.97 2015/07/14 05:20:46 doug Exp $ */	1	/* $OpenBSD: s3_lib.c,v 1.98 2015/07/17 15:50:37 doug Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2087,8 +2087,6 @@ ssl3_clear(SSL *s)
2087	EC_KEY_free(s->s3->tmp.ecdh);	2087	EC_KEY_free(s->s3->tmp.ecdh);
2088	s->s3->tmp.ecdh = NULL;	2088	s->s3->tmp.ecdh = NULL;
2089		2089
2090	s->s3->is_probably_safari = 0;
2091
2092	rp = s->s3->rbuf.buf;	2090	rp = s->s3->rbuf.buf;
2093	wp = s->s3->wbuf.buf;	2091	wp = s->s3->wbuf.buf;
2094	rlen = s->s3->rbuf.len;	2092	rlen = s->s3->rbuf.len;
@@ -2618,12 +2616,6 @@ ssl3_choose_cipher(SSL s, STACK_OF(SSL_CIPHER) clnt,
2618	continue;	2616	continue;
2619	ii = sk_SSL_CIPHER_find(allow, c);	2617	ii = sk_SSL_CIPHER_find(allow, c);
2620	if (ii >= 0) {	2618	if (ii >= 0) {
2621	if ((alg_k & SSL_kECDHE) &&
2622	(alg_a & SSL_aECDSA) && s->s3->is_probably_safari) {
2623	if (!ret)
2624	ret = sk_SSL_CIPHER_value(allow, ii);
2625	continue;
2626	}
2627	ret = sk_SSL_CIPHER_value(allow, ii);	2619	ret = sk_SSL_CIPHER_value(allow, ii);
2628	break;	2620	break;
2629	}	2621	}


diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h index 84154a5176..33aaadcd20 100644 --- a/src/lib/libssl/src/ssl/ssl.h +++ b/src/lib/libssl/src/ssl/ssl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl.h,v 1.88 2015/07/17 07:04:41 doug Exp $ */	1	/* $OpenBSD: ssl.h,v 1.89 2015/07/17 15:50:37 doug Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -520,7 +520,6 @@ struct ssl_session_st {
520	#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L	520	#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
521	#define SSL_OP_TLSEXT_PADDING 0x00000010L	521	#define SSL_OP_TLSEXT_PADDING 0x00000010L
522	#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L	522	#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
523	#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L
524	#define SSL_OP_TLS_D5_BUG 0x00000100L	523	#define SSL_OP_TLS_D5_BUG 0x00000100L
525		524
526	/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added	525	/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
@@ -575,7 +574,6 @@ struct ssl_session_st {
575	(SSL_OP_LEGACY_SERVER_CONNECT \| \	574	(SSL_OP_LEGACY_SERVER_CONNECT \| \
576	SSL_OP_TLSEXT_PADDING \| \	575	SSL_OP_TLSEXT_PADDING \| \
577	SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER \| \	576	SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER \| \
578	SSL_OP_SAFARI_ECDHE_ECDSA_BUG \| \
579	SSL_OP_TLS_D5_BUG \| \	577	SSL_OP_TLS_D5_BUG \| \
580	SSL_OP_CRYPTOPRO_TLSEXT_BUG)	578	SSL_OP_CRYPTOPRO_TLSEXT_BUG)
581		579
@@ -590,6 +588,7 @@ struct ssl_session_st {
590	#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x0	588	#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x0
591	#define SSL_OP_PKCS1_CHECK_1 0x0	589	#define SSL_OP_PKCS1_CHECK_1 0x0
592	#define SSL_OP_PKCS1_CHECK_2 0x0	590	#define SSL_OP_PKCS1_CHECK_2 0x0
		591	#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x0
593	#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x0	592	#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x0
594	#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x0	593	#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x0
595	#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x0	594	#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x0


diff --git a/src/lib/libssl/src/ssl/ssl3.h b/src/lib/libssl/src/ssl/ssl3.h index 8bcf9e37e8..4de50428a8 100644 --- a/src/lib/libssl/src/ssl/ssl3.h +++ b/src/lib/libssl/src/ssl/ssl3.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl3.h,v 1.38 2015/07/17 07:04:41 doug Exp $ */	1	/* $OpenBSD: ssl3.h,v 1.39 2015/07/17 15:50:37 doug Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -490,9 +490,10 @@ typedef struct ssl3_state_st {
490	unsigned char *alpn_selected;	490	unsigned char *alpn_selected;
491	unsigned int alpn_selected_len;	491	unsigned int alpn_selected_len;
492		492
493	/* This is set to true if we believe that this is a version of Safari	493	/*
494	* running on OS X 10.6 or newer. We wish to know this because Safari	494	* XXX delete on next major bump. This was for old OS X releases
495	* on 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */	495	* with broken ECDHE-ECDSA support.
		496	*/
496	char is_probably_safari;	497	char is_probably_safari;
497	} SSL3_STATE;	498	} SSL3_STATE;
498		499


diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c index e901a901da..b0f0de3bd8 100644 --- a/src/lib/libssl/src/ssl/t1_lib.c +++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: t1_lib.c,v 1.78 2015/06/19 01:38:54 doug Exp $ */	1	/* $OpenBSD: t1_lib.c,v 1.79 2015/07/17 15:50:37 doug Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1204,87 +1204,6 @@ parse_error:
1204	return (0);	1204	return (0);
1205	}	1205	}
1206		1206
1207	/* ssl_check_for_safari attempts to fingerprint Safari using OS X
1208	* SecureTransport using the TLS extension block in \|d\|, of length \|n\|.
1209	* Safari, since 10.6, sends exactly these extensions, in this order:
1210	* SNI,
1211	* elliptic_curves
1212	* ec_point_formats
1213	*
1214	* We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1215	* but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1216	* Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1217	* 10.8..10.8.3 (which don't work).
1218	*/
1219	static void
1220	ssl_check_for_safari(SSL s, const unsigned char data, const unsigned char *d,
1221	int n)
1222	{
1223	unsigned short type, size;
1224	static const unsigned char kSafariExtensionsBlock[] = {
1225	0x00, 0x0a, /* elliptic_curves extension */
1226	0x00, 0x08, /* 8 bytes */
1227	0x00, 0x06, /* 6 bytes of curve ids */
1228	0x00, 0x17, /* P-256 */
1229	0x00, 0x18, /* P-384 */
1230	0x00, 0x19, /* P-521 */
1231
1232	0x00, 0x0b, /* ec_point_formats */
1233	0x00, 0x02, /* 2 bytes */
1234	0x01, /* 1 point format */
1235	0x00, /* uncompressed */
1236	};
1237
1238	/* The following is only present in TLS 1.2 */
1239	static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1240	0x00, 0x0d, /* signature_algorithms */
1241	0x00, 0x0c, /* 12 bytes */
1242	0x00, 0x0a, /* 10 bytes */
1243	0x05, 0x01, /* SHA-384/RSA */
1244	0x04, 0x01, /* SHA-256/RSA */
1245	0x02, 0x01, /* SHA-1/RSA */
1246	0x04, 0x03, /* SHA-256/ECDSA */
1247	0x02, 0x03, /* SHA-1/ECDSA */
1248	};
1249
1250	if (data >= (d + n - 2))
1251	return;
1252	data += 2;
1253
1254	if (data > (d + n - 4))
1255	return;
1256	n2s(data, type);
1257	n2s(data, size);
1258
1259	if (type != TLSEXT_TYPE_server_name)
1260	return;
1261
1262	if (data + size > d + n)
1263	return;
1264	data += size;
1265
1266	if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
1267	const size_t len1 = sizeof(kSafariExtensionsBlock);
1268	const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1269
1270	if (data + len1 + len2 != d + n)
1271	return;
1272	if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
1273	return;
1274	if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
1275	return;
1276	} else {
1277	const size_t len = sizeof(kSafariExtensionsBlock);
1278
1279	if (data + len != d + n)
1280	return;
1281	if (memcmp(data, kSafariExtensionsBlock, len) != 0)
1282	return;
1283	}
1284
1285	s->s3->is_probably_safari = 1;
1286	}
1287
1288	int	1207	int
1289	ssl_parse_clienthello_tlsext(SSL s, unsigned char p, unsigned char d,	1208	ssl_parse_clienthello_tlsext(SSL s, unsigned char p, unsigned char d,
1290	int n, int *al)	1209	int n, int *al)
@@ -1302,9 +1221,6 @@ ssl_parse_clienthello_tlsext(SSL s, unsigned char p, unsigned char d,
1302	free(s->s3->alpn_selected);	1221	free(s->s3->alpn_selected);
1303	s->s3->alpn_selected = NULL;	1222	s->s3->alpn_selected = NULL;
1304		1223
1305	if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1306	ssl_check_for_safari(s, data, d, n);
1307
1308	if (data >= (d + n - 2))	1224	if (data >= (d + n - 2))
1309	goto ri_check;	1225	goto ri_check;
1310	n2s(data, len);	1226	n2s(data, len);


diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 84154a5176..33aaadcd20 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl.h,v 1.88 2015/07/17 07:04:41 doug Exp $ */	1	/* $OpenBSD: ssl.h,v 1.89 2015/07/17 15:50:37 doug Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -520,7 +520,6 @@ struct ssl_session_st {
520	#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L	520	#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
521	#define SSL_OP_TLSEXT_PADDING 0x00000010L	521	#define SSL_OP_TLSEXT_PADDING 0x00000010L
522	#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L	522	#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
523	#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L
524	#define SSL_OP_TLS_D5_BUG 0x00000100L	523	#define SSL_OP_TLS_D5_BUG 0x00000100L
525		524
526	/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added	525	/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
@@ -575,7 +574,6 @@ struct ssl_session_st {
575	(SSL_OP_LEGACY_SERVER_CONNECT \| \	574	(SSL_OP_LEGACY_SERVER_CONNECT \| \
576	SSL_OP_TLSEXT_PADDING \| \	575	SSL_OP_TLSEXT_PADDING \| \
577	SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER \| \	576	SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER \| \
578	SSL_OP_SAFARI_ECDHE_ECDSA_BUG \| \
579	SSL_OP_TLS_D5_BUG \| \	577	SSL_OP_TLS_D5_BUG \| \
580	SSL_OP_CRYPTOPRO_TLSEXT_BUG)	578	SSL_OP_CRYPTOPRO_TLSEXT_BUG)
581		579
@@ -590,6 +588,7 @@ struct ssl_session_st {
590	#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x0	588	#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x0
591	#define SSL_OP_PKCS1_CHECK_1 0x0	589	#define SSL_OP_PKCS1_CHECK_1 0x0
592	#define SSL_OP_PKCS1_CHECK_2 0x0	590	#define SSL_OP_PKCS1_CHECK_2 0x0
		591	#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x0
593	#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x0	592	#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x0
594	#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x0	593	#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x0
595	#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x0	594	#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x0


diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h index 8bcf9e37e8..4de50428a8 100644 --- a/src/lib/libssl/ssl3.h +++ b/src/lib/libssl/ssl3.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl3.h,v 1.38 2015/07/17 07:04:41 doug Exp $ */	1	/* $OpenBSD: ssl3.h,v 1.39 2015/07/17 15:50:37 doug Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -490,9 +490,10 @@ typedef struct ssl3_state_st {
490	unsigned char *alpn_selected;	490	unsigned char *alpn_selected;
491	unsigned int alpn_selected_len;	491	unsigned int alpn_selected_len;
492		492
493	/* This is set to true if we believe that this is a version of Safari	493	/*
494	* running on OS X 10.6 or newer. We wish to know this because Safari	494	* XXX delete on next major bump. This was for old OS X releases
495	* on 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */	495	* with broken ECDHE-ECDSA support.
		496	*/
496	char is_probably_safari;	497	char is_probably_safari;
497	} SSL3_STATE;	498	} SSL3_STATE;
498		499


diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index e901a901da..b0f0de3bd8 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: t1_lib.c,v 1.78 2015/06/19 01:38:54 doug Exp $ */	1	/* $OpenBSD: t1_lib.c,v 1.79 2015/07/17 15:50:37 doug Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1204,87 +1204,6 @@ parse_error:
1204	return (0);	1204	return (0);
1205	}	1205	}
1206		1206
1207	/* ssl_check_for_safari attempts to fingerprint Safari using OS X
1208	* SecureTransport using the TLS extension block in \|d\|, of length \|n\|.
1209	* Safari, since 10.6, sends exactly these extensions, in this order:
1210	* SNI,
1211	* elliptic_curves
1212	* ec_point_formats
1213	*
1214	* We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1215	* but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1216	* Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1217	* 10.8..10.8.3 (which don't work).
1218	*/
1219	static void
1220	ssl_check_for_safari(SSL s, const unsigned char data, const unsigned char *d,
1221	int n)
1222	{
1223	unsigned short type, size;
1224	static const unsigned char kSafariExtensionsBlock[] = {
1225	0x00, 0x0a, /* elliptic_curves extension */
1226	0x00, 0x08, /* 8 bytes */
1227	0x00, 0x06, /* 6 bytes of curve ids */
1228	0x00, 0x17, /* P-256 */
1229	0x00, 0x18, /* P-384 */
1230	0x00, 0x19, /* P-521 */
1231
1232	0x00, 0x0b, /* ec_point_formats */
1233	0x00, 0x02, /* 2 bytes */
1234	0x01, /* 1 point format */
1235	0x00, /* uncompressed */
1236	};
1237
1238	/* The following is only present in TLS 1.2 */
1239	static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1240	0x00, 0x0d, /* signature_algorithms */
1241	0x00, 0x0c, /* 12 bytes */
1242	0x00, 0x0a, /* 10 bytes */
1243	0x05, 0x01, /* SHA-384/RSA */
1244	0x04, 0x01, /* SHA-256/RSA */
1245	0x02, 0x01, /* SHA-1/RSA */
1246	0x04, 0x03, /* SHA-256/ECDSA */
1247	0x02, 0x03, /* SHA-1/ECDSA */
1248	};
1249
1250	if (data >= (d + n - 2))
1251	return;
1252	data += 2;
1253
1254	if (data > (d + n - 4))
1255	return;
1256	n2s(data, type);
1257	n2s(data, size);
1258
1259	if (type != TLSEXT_TYPE_server_name)
1260	return;
1261
1262	if (data + size > d + n)
1263	return;
1264	data += size;
1265
1266	if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
1267	const size_t len1 = sizeof(kSafariExtensionsBlock);
1268	const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1269
1270	if (data + len1 + len2 != d + n)
1271	return;
1272	if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
1273	return;
1274	if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
1275	return;
1276	} else {
1277	const size_t len = sizeof(kSafariExtensionsBlock);
1278
1279	if (data + len != d + n)
1280	return;
1281	if (memcmp(data, kSafariExtensionsBlock, len) != 0)
1282	return;
1283	}
1284
1285	s->s3->is_probably_safari = 1;
1286	}
1287
1288	int	1207	int
1289	ssl_parse_clienthello_tlsext(SSL s, unsigned char p, unsigned char d,	1208	ssl_parse_clienthello_tlsext(SSL s, unsigned char p, unsigned char d,
1290	int n, int *al)	1209	int n, int *al)
@@ -1302,9 +1221,6 @@ ssl_parse_clienthello_tlsext(SSL s, unsigned char p, unsigned char d,
1302	free(s->s3->alpn_selected);	1221	free(s->s3->alpn_selected);
1303	s->s3->alpn_selected = NULL;	1222	s->s3->alpn_selected = NULL;
1304		1223
1305	if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1306	ssl_check_for_safari(s, data, d, n);
1307
1308	if (data >= (d + n - 2))	1224	if (data >= (d + n - 2))
1309	goto ri_check;	1225	goto ri_check;
1310	n2s(data, len);	1226	n2s(data, len);