1 files changed, 1 insertions, 85 deletions
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index e901a901da..b0f0de3bd8 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.78 2015/06/19 01:38:54 doug Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.79 2015/07/17 15:50:37 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1204,87 +1204,6 @@ parse_error:
        return (0);
 }
-/* ssl_check_for_safari attempts to fingerprint Safari using OS X
- * SecureTransport using the TLS extension block in |d|, of length |n|.
- * Safari, since 10.6, sends exactly these extensions, in this order:
- *   SNI,
- *   elliptic_curves
- *   ec_point_formats
- *
- * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
- * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
- * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
- * 10.8..10.8.3 (which don't work).
- */
-static void
-ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d,
-    int n)
-{
-        unsigned short type, size;
-        static const unsigned char kSafariExtensionsBlock[] = {
-                0x00, 0x0a,  /* elliptic_curves extension */
-                0x00, 0x08,  /* 8 bytes */
-                0x00, 0x06,  /* 6 bytes of curve ids */
-                0x00, 0x17,  /* P-256 */
-                0x00, 0x18,  /* P-384 */
-                0x00, 0x19,  /* P-521 */
-                0x00, 0x0b,  /* ec_point_formats */
-                0x00, 0x02,  /* 2 bytes */
-                0x01,        /* 1 point format */
-                0x00,        /* uncompressed */
-        };
-        /* The following is only present in TLS 1.2 */
-        static const unsigned char kSafariTLS12ExtensionsBlock[] = {
-                0x00, 0x0d,  /* signature_algorithms */
-                0x00, 0x0c,  /* 12 bytes */
-                0x00, 0x0a,  /* 10 bytes */
-                0x05, 0x01,  /* SHA-384/RSA */
-                0x04, 0x01,  /* SHA-256/RSA */
-                0x02, 0x01,  /* SHA-1/RSA */
-                0x04, 0x03,  /* SHA-256/ECDSA */
-                0x02, 0x03,  /* SHA-1/ECDSA */
-        };
-        if (data >= (d + n - 2))
-                return;
-        data += 2;
-        if (data > (d + n - 4))
-                return;
-        n2s(data, type);
-        n2s(data, size);
-        if (type != TLSEXT_TYPE_server_name)
-                return;
-        if (data + size > d + n)
-                return;
-        data += size;
-        if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
-                const size_t len1 = sizeof(kSafariExtensionsBlock);
-                const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
-                if (data + len1 + len2 != d + n)
-                        return;
-                if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
-                        return;
-                if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
-                        return;
-        } else {
-                const size_t len = sizeof(kSafariExtensionsBlock);
-                if (data + len != d + n)
-                        return;
-                if (memcmp(data, kSafariExtensionsBlock, len) != 0)
-                        return;
-        }
-        s->s3->is_probably_safari = 1;
-}
 int
 ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
    int n, int *al)
@@ -1302,9 +1221,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
        free(s->s3->alpn_selected);
        s->s3->alpn_selected = NULL;
-        if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
-                ssl_check_for_safari(s, data, d, n);
        if (data >= (d + n - 2))
                goto ri_check;
        n2s(data, len);

diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index e901a901da..b0f0de3bd8 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: t1_lib.c,v 1.78 2015/06/19 01:38:54 doug Exp $ */	1	/* $OpenBSD: t1_lib.c,v 1.79 2015/07/17 15:50:37 doug Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1204,87 +1204,6 @@ parse_error:
1204	return (0);	1204	return (0);
1205	}	1205	}
1206		1206
1207	/* ssl_check_for_safari attempts to fingerprint Safari using OS X
1208	* SecureTransport using the TLS extension block in \|d\|, of length \|n\|.
1209	* Safari, since 10.6, sends exactly these extensions, in this order:
1210	* SNI,
1211	* elliptic_curves
1212	* ec_point_formats
1213	*
1214	* We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1215	* but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1216	* Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1217	* 10.8..10.8.3 (which don't work).
1218	*/
1219	static void
1220	ssl_check_for_safari(SSL s, const unsigned char data, const unsigned char *d,
1221	int n)
1222	{
1223	unsigned short type, size;
1224	static const unsigned char kSafariExtensionsBlock[] = {
1225	0x00, 0x0a, /* elliptic_curves extension */
1226	0x00, 0x08, /* 8 bytes */
1227	0x00, 0x06, /* 6 bytes of curve ids */
1228	0x00, 0x17, /* P-256 */
1229	0x00, 0x18, /* P-384 */
1230	0x00, 0x19, /* P-521 */
1231
1232	0x00, 0x0b, /* ec_point_formats */
1233	0x00, 0x02, /* 2 bytes */
1234	0x01, /* 1 point format */
1235	0x00, /* uncompressed */
1236	};
1237
1238	/* The following is only present in TLS 1.2 */
1239	static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1240	0x00, 0x0d, /* signature_algorithms */
1241	0x00, 0x0c, /* 12 bytes */
1242	0x00, 0x0a, /* 10 bytes */
1243	0x05, 0x01, /* SHA-384/RSA */
1244	0x04, 0x01, /* SHA-256/RSA */
1245	0x02, 0x01, /* SHA-1/RSA */
1246	0x04, 0x03, /* SHA-256/ECDSA */
1247	0x02, 0x03, /* SHA-1/ECDSA */
1248	};
1249
1250	if (data >= (d + n - 2))
1251	return;
1252	data += 2;
1253
1254	if (data > (d + n - 4))
1255	return;
1256	n2s(data, type);
1257	n2s(data, size);
1258
1259	if (type != TLSEXT_TYPE_server_name)
1260	return;
1261
1262	if (data + size > d + n)
1263	return;
1264	data += size;
1265
1266	if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
1267	const size_t len1 = sizeof(kSafariExtensionsBlock);
1268	const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1269
1270	if (data + len1 + len2 != d + n)
1271	return;
1272	if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
1273	return;
1274	if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
1275	return;
1276	} else {
1277	const size_t len = sizeof(kSafariExtensionsBlock);
1278
1279	if (data + len != d + n)
1280	return;
1281	if (memcmp(data, kSafariExtensionsBlock, len) != 0)
1282	return;
1283	}
1284
1285	s->s3->is_probably_safari = 1;
1286	}
1287
1288	int	1207	int
1289	ssl_parse_clienthello_tlsext(SSL s, unsigned char p, unsigned char d,	1208	ssl_parse_clienthello_tlsext(SSL s, unsigned char p, unsigned char d,
1290	int n, int *al)	1209	int n, int *al)
@@ -1302,9 +1221,6 @@ ssl_parse_clienthello_tlsext(SSL s, unsigned char p, unsigned char d,
1302	free(s->s3->alpn_selected);	1221	free(s->s3->alpn_selected);
1303	s->s3->alpn_selected = NULL;	1222	s->s3->alpn_selected = NULL;
1304		1223
1305	if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
1306	ssl_check_for_safari(s, data, d, n);
1307
1308	if (data >= (d + n - 2))	1224	if (data >= (d + n - 2))
1309	goto ri_check;	1225	goto ri_check;
1310	n2s(data, len);	1226	n2s(data, len);