Remove is_probably_safari logic.
We handle it externally now.
Change-Id: Ib561f64078809645195fd1a859b3256499038847
Reviewed-on: https://boringssl-review.googlesource.com/1098
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 534b299..2518bd3 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -2747,10 +2747,6 @@
s->s3->tmp.ecdh = NULL;
}
#endif
-#ifndef OPENSSL_NO_EC
- s->s3->is_probably_safari = 0;
-#endif /* !OPENSSL_NO_EC */
-
rp = s->s3->rbuf.buf;
wp = s->s3->wbuf.buf;
rlen = s->s3->rbuf.len;
diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index 949c8b2..72db840 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -533,13 +533,6 @@
int next_proto_neg_seen;
#endif
-#ifndef OPENSSL_NO_EC
- /* This is set to true if we believe that this is a version of Safari
- * running on OS X 10.6 or newer. We wish to know this because Safari
- * on 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */
- char is_probably_safari;
-#endif /* !OPENSSL_NO_EC */
-
/* ALPN information
* (we are in the process of transitioning from NPN to ALPN.) */
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index b1f56a0..2bbd639 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1734,82 +1734,6 @@
return ret;
}
-#ifndef OPENSSL_NO_EC
-/* ssl_check_for_safari attempts to fingerprint Safari using OS X
- * SecureTransport using the TLS extension block in |cbs|.
- * Safari, since 10.6, sends exactly these extensions, in this order:
- * SNI,
- * elliptic_curves
- * ec_point_formats
- *
- * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
- * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
- * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
- * 10.8..10.8.3 (which don't work).
- */
-static void ssl_check_for_safari(SSL *s, const CBS *extensions)
- {
- static const unsigned char kSafariExtensionsBlock[] = {
- 0x00, 0x0a, /* elliptic_curves extension */
- 0x00, 0x08, /* 8 bytes */
- 0x00, 0x06, /* 6 bytes of curve ids */
- 0x00, 0x17, /* P-256 */
- 0x00, 0x18, /* P-384 */
- 0x00, 0x19, /* P-521 */
-
- 0x00, 0x0b, /* ec_point_formats */
- 0x00, 0x02, /* 2 bytes */
- 0x01, /* 1 point format */
- 0x00, /* uncompressed */
- };
-
- /* The following is only present in TLS 1.2 */
- static const unsigned char kSafariTLS12ExtensionsBlock[] = {
- 0x00, 0x0d, /* signature_algorithms */
- 0x00, 0x0c, /* 12 bytes */
- 0x00, 0x0a, /* 10 bytes */
- 0x05, 0x01, /* SHA-384/RSA */
- 0x04, 0x01, /* SHA-256/RSA */
- 0x02, 0x01, /* SHA-1/RSA */
- 0x04, 0x03, /* SHA-256/ECDSA */
- 0x02, 0x03, /* SHA-1/ECDSA */
- };
- CBS extensions_copy = *extensions, extension;
- uint16_t type;
-
- /* First extension is server_name. */
- if (!CBS_get_u16(&extensions_copy, &type) ||
- !CBS_get_u16_length_prefixed(&extensions_copy, &extension) ||
- type != TLSEXT_TYPE_server_name)
- return;
-
- /* Compare the remainder of the extensions block. */
- if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
- {
- const size_t len1 = sizeof(kSafariExtensionsBlock);
- const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
-
- if (len1 + len2 != CBS_len(&extensions_copy))
- return;
- if (memcmp(CBS_data(&extensions_copy), kSafariExtensionsBlock, len1) != 0)
- return;
- if (memcmp(CBS_data(&extensions_copy) + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
- return;
- }
- else
- {
- const size_t len = sizeof(kSafariExtensionsBlock);
-
- if (len != CBS_len(&extensions_copy))
- return;
- if (memcmp(CBS_data(&extensions_copy), kSafariExtensionsBlock, len) != 0)
- return;
- }
-
- s->s3->is_probably_safari = 1;
-}
-#endif /* !OPENSSL_NO_EC */
-
/* tls1_alpn_handle_client_hello is called to process the ALPN extension in a
* ClientHello.
* cbs: the contents of the extension, not including the type and length.
@@ -1913,11 +1837,6 @@
return 0;
}
-#ifndef OPENSSL_NO_EC
- if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
- ssl_check_for_safari(s, &extensions);
-#endif /* !OPENSSL_NO_EC */
-
while (CBS_len(&extensions) != 0)
{
uint16_t type;
