From fb7a7adad4b566192144a21e4c93b739671b0cae Mon Sep 17 00:00:00 2001 From: tb <> Date: Sun, 23 Apr 2023 18:51:53 +0000 Subject: Randomize the order of TLS extensions On creation of an SSL using SSL_new(), randomize the order in which the extensions will be sent. There are several constraints: the PSK extension must always come last. The order cannot be randomized on a per-message basis as the strict interpretation of the standard chosen in the CH hashing doesn't allow changing the order between first and second ClientHello. Another constraint is that the current code calls callbacks directly on parsing an extension, which means that the order callbacks are called depends on the order in which the peer sent the extensions. This results in breaking apache-httpd setups using virtual hosts with full ranomization because virtual hosts don't work if the SNI is unknown at the time the ALPN callback is called. So for the time being, we ensure that SNI always precedes ALPN to avoid issues until this issue is fixed. This is based on an idea by David Benjamin https://boringssl-review.googlesource.com/c/boringssl/+/48045 Input & ok jsing --- src/lib/libssl/ssl_lib.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'src/lib/libssl/ssl_lib.c') diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index de4ef3fb5e..68e60a5481 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.308 2022/11/26 16:08:55 tb Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.309 2023/04/23 18:51:53 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -302,6 +302,9 @@ SSL_new(SSL_CTX *ctx) CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); s->initial_ctx = ctx; + if (!tlsext_randomize_build_order(s)) + goto err; + if (ctx->tlsext_ecpointformatlist != NULL) { s->tlsext_ecpointformatlist = calloc(ctx->tlsext_ecpointformatlist_length, @@ -550,6 +553,8 @@ SSL_free(SSL *s) ssl_cert_free(s->cert); + free(s->tlsext_build_order); + free(s->tlsext_hostname); SSL_CTX_free(s->initial_ctx); -- cgit v1.2.3-55-g6feb