-
Notifications
You must be signed in to change notification settings - Fork 30
/
Copy pathopenssl.openssl-3.4.patch
192 lines (189 loc) · 6.06 KB
/
openssl.openssl-3.4.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index 4bab2ac767..9732ece423 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -1905,6 +1905,8 @@ size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out);
size_t SSL_client_hello_get0_compression_methods(SSL *s,
const unsigned char **out);
int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen);
+size_t SSL_client_hello_get_ja3_data(SSL *s, unsigned char *data,
+ size_t data_size);
int SSL_client_hello_get_extension_order(SSL *s, uint16_t *exts,
size_t *num_exts);
int SSL_client_hello_get0_ext(SSL *s, unsigned int type,
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index 8e9b110bb3..3a2407b0e4 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -142,6 +142,13 @@ extern "C" {
/* ExtensionType value from RFC7627 */
# define TLSEXT_TYPE_extended_master_secret 23
+/* ExtensionType value from RFC6961 */
+# define TLSEXT_TYPE_status_request_v2 17
+/* ExtensionType value from RFC8449 */
+# define TLSEXT_TYPE_record_size_limit 28
+/* ExtensionType value from RFC7639 */
+# define TLSEXT_TYPE_application_settings 17513
+
/* ExtensionType value from RFC8879 */
# define TLSEXT_TYPE_compress_certificate 27
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 295b719ff2..7bfc9e2eb0 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -6641,6 +6641,107 @@ int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen)
return 0;
}
+size_t SSL_client_hello_get_ja3_data(SSL *s, unsigned char *data,
+ size_t data_size)
+{
+ RAW_EXTENSION *ext;
+ PACKET *groups = NULL, *formats = NULL;
+ size_t num = 0, i;
+ unsigned char *ptr = data,
+ *end = data + data_size;
+ const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
+
+ if (sc == NULL)
+ return 0;
+
+ if (ossl_unlikely(sc->clienthello == NULL || data == NULL
+ /** just checking that we have at least this */
+ || data_size < 128))
+ return 0;
+
+ /* version */
+ *(uint16_t *) ptr = (uint16_t) sc->clienthello->legacy_version;
+ ptr += sizeof(uint16_t);
+
+ /* ciphers */
+ num = PACKET_remaining(&sc->clienthello->ciphersuites);
+ if (ossl_likely(num > 0)) {
+ *(uint16_t *) ptr = (uint16_t) num;
+ ptr += sizeof(uint16_t);
+
+ if (ossl_unlikely(ptr + num > end))
+ return 0;
+
+ memcpy(ptr, PACKET_data(&sc->clienthello->ciphersuites), num);
+ ptr += num;
+ }
+
+ /* extensions */
+ num = 0;
+ for (i = 0; i < sc->clienthello->pre_proc_exts_len; i++) {
+ ext = sc->clienthello->pre_proc_exts + i;
+ if (ext->present)
+ num++;
+ }
+
+ num = num * 2;
+ if (ossl_unlikely((ptr + num + sizeof(uint16_t)) > end))
+ return 0;
+
+ *(uint16_t*) ptr = (uint16_t) num;
+ ptr += sizeof(uint16_t);
+
+ for (i = 0; i < sc->clienthello->pre_proc_exts_len; i++) {
+ ext = sc->clienthello->pre_proc_exts + i;
+ if (ext->present) {
+ if (ext->received_order >= num)
+ break;
+ if (ext->type == TLSEXT_TYPE_supported_groups)
+ groups = &ext->data;
+ if (ext->type == TLSEXT_TYPE_ec_point_formats)
+ formats = &ext->data;
+ if (ossl_likely(ext->received_order < data_size)) {
+ ((uint16_t*)(ptr))[ext->received_order] = (uint16_t) ext->type;
+ }
+ }
+ }
+
+ ptr += num;
+
+ /* groups */
+ num = PACKET_remaining(groups);
+ if (groups && num > 0) {
+
+ if (ossl_unlikely((ptr + num + sizeof(uint16_t)) > end))
+ return 0;
+ memcpy(ptr, PACKET_data(groups), num);
+ *(uint16_t*) ptr = (uint16_t) num;
+ ptr += num;
+ } else {
+ if (ossl_unlikely(ptr + sizeof(uint16_t) > end))
+ return 0;
+ *(uint16_t *) ptr = (uint16_t) 0;
+ ptr += sizeof(uint16_t);
+ }
+
+ /* formats */
+ num = PACKET_remaining(formats);
+ if (formats && num > 0) {
+ if (ossl_unlikely((ptr + num + sizeof(uint8_t)) > end))
+ return 0;
+ memcpy(ptr, PACKET_data(formats), num);
+ *(uint8_t *) ptr = (uint8_t) num;
+ ptr += num;
+ } else {
+ if (ossl_unlikely(ptr + sizeof(uint8_t) > end))
+ return 0;
+ *(uint8_t *) ptr = (uint8_t) 0;
+ ptr += sizeof(uint8_t);
+ }
+
+ return ptr - data;
+}
+
int SSL_client_hello_get_extension_order(SSL *s, uint16_t *exts, size_t *num_exts)
{
RAW_EXTENSION *ext;
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 277be3084d..6b3821737f 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -701,6 +701,9 @@ typedef enum tlsext_index_en {
TLSEXT_IDX_compress_certificate,
TLSEXT_IDX_early_data,
TLSEXT_IDX_certificate_authorities,
+ TLSEXT_IDX_status_request_v2,
+ TLSEXT_IDX_record_size_limit,
+ TLSEXT_IDX_application_settings,
TLSEXT_IDX_padding,
TLSEXT_IDX_psk,
/* Dummy index - must always be the last entry */
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 762c7ac0d4..56d2f5ba60 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -413,6 +413,30 @@ static const EXTENSION_DEFINITION ext_defs[] = {
tls_construct_certificate_authorities,
tls_construct_certificate_authorities, NULL,
},
+ {
+ TLSEXT_TYPE_status_request_v2,
+ SSL_EXT_CLIENT_HELLO,
+ NULL,
+ NULL, NULL,
+ NULL,
+ NULL, NULL,
+ },
+ {
+ TLSEXT_TYPE_record_size_limit,
+ SSL_EXT_CLIENT_HELLO,
+ NULL,
+ NULL, NULL,
+ NULL,
+ NULL, NULL,
+ },
+ {
+ TLSEXT_TYPE_application_settings,
+ SSL_EXT_CLIENT_HELLO,
+ NULL,
+ NULL, NULL,
+ NULL,
+ NULL, NULL,
+ },
{
/* Must be immediately before pre_shared_key */
TLSEXT_TYPE_padding,