-
Notifications
You must be signed in to change notification settings - Fork 29
/
Copy pathopenssl.openssl-3.0.patch
189 lines (185 loc) · 5.86 KB
/
openssl.openssl-3.0.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index 105b4a4a3c..6c7eb4643a 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -1860,6 +1860,7 @@ size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out);
size_t SSL_client_hello_get0_compression_methods(SSL *s,
const unsigned char **out);
int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen);
+size_t SSL_client_hello_get_ja3_data(SSL *s, unsigned char *data);
int SSL_client_hello_get0_ext(SSL *s, unsigned int type,
const unsigned char **out, size_t *outlen);
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index 91558fa8d1..b04e6ec4fa 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -134,6 +134,15 @@ extern "C" {
/* ExtensionType value from RFC7627 */
# define TLSEXT_TYPE_extended_master_secret 23
+/* ExtensionType value from RFC6961 */
+# define TLSEXT_TYPE_status_request_v2 17
+/* [draft-ietf-tls-certificate-compression] */
+# define TLSEXT_TYPE_compress_certificate 27
+/* ExtensionType value from RFC8449 */
+# define TLSEXT_TYPE_record_size_limit 28
+/* ExtensionType value from RFC7639 */
+# define TLSEXT_TYPE_application_settings 17513
+
/* ExtensionType value from RFC4507 */
# define TLSEXT_TYPE_session_ticket 35
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index e628140dfa..512e5a552c 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -5481,6 +5481,94 @@ int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen)
return 0;
}
+size_t SSL_client_hello_get_ja3_data(SSL *s, unsigned char *data)
+{
+ RAW_EXTENSION *ext;
+ PACKET *groups = NULL, *formats = NULL;
+ size_t num = 0, i;
+ unsigned char *ptr = data;
+
+ if (s->clienthello == NULL)
+ return 0;
+
+ if (data == NULL) {
+ num = 8 + PACKET_remaining(&s->clienthello->ciphersuites);
+ for (i = 0; i < s->clienthello->pre_proc_exts_len; i++) {
+ ext = s->clienthello->pre_proc_exts + i;
+ if (ext->present) {
+ if (ext->type== TLSEXT_TYPE_supported_groups)
+ groups = &ext->data;
+ if (ext->type== TLSEXT_TYPE_ec_point_formats)
+ formats = &ext->data;
+ num += 2;
+ }
+ }
+ if (groups) {
+ num += PACKET_remaining(groups);
+ }
+ if (formats) {
+ num += PACKET_remaining(formats);
+ }
+ return num;
+ }
+
+ /* version */
+ *(uint16_t*)ptr = (uint16_t)s->clienthello->legacy_version;
+ ptr += 2;
+
+ /* ciphers */
+ if (num = PACKET_remaining(&s->clienthello->ciphersuites)) {
+ *(uint16_t*)ptr = (uint16_t)num;
+ ptr += 2;
+ memcpy(ptr, PACKET_data(&s->clienthello->ciphersuites), num);
+ ptr += num;
+ }
+
+ /* extensions */
+ num = 0;
+ for (i = 0; i < s->clienthello->pre_proc_exts_len; i++) {
+ ext = s->clienthello->pre_proc_exts + i;
+ if (ext->present)
+ num++;
+ }
+ *(uint16_t*)ptr = (uint16_t)num*2;
+ ptr += 2;
+ for (i = 0; i < s->clienthello->pre_proc_exts_len; i++) {
+ ext = s->clienthello->pre_proc_exts + i;
+ if (ext->present) {
+ if (ext->received_order >= num)
+ break;
+ if (ext->type== TLSEXT_TYPE_supported_groups)
+ groups = &ext->data;
+ if (ext->type== TLSEXT_TYPE_ec_point_formats)
+ formats = &ext->data;
+ ((uint16_t*)(ptr))[ext->received_order] = (uint16_t)ext->type;
+ }
+ }
+ ptr += num*2;
+
+ /* groups */
+ if (groups && (num = PACKET_remaining(groups))) {
+ memcpy(ptr, PACKET_data(groups), num);
+ *(uint16_t*)ptr = (uint16_t)num;
+ ptr += num;
+ } else {
+ *(uint16_t*)ptr = 0;
+ ptr += 2;
+ }
+
+ /* formats */
+ if (formats && (num = PACKET_remaining(formats))) {
+ memcpy(ptr, PACKET_data(formats), num);
+ *ptr = (uint8_t)num;
+ ptr += num;
+ } else {
+ *ptr++ = 0;
+ }
+
+ return ptr - data;
+}
+
int SSL_client_hello_get0_ext(SSL *s, unsigned int type, const unsigned char **out,
size_t *outlen)
{
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 5fb1feb801..99f1370ea3 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -766,6 +766,10 @@ typedef enum tlsext_index_en {
TLSEXT_IDX_cryptopro_bug,
TLSEXT_IDX_early_data,
TLSEXT_IDX_certificate_authorities,
+ TLSEXT_IDX_status_request_v2,
+ TLSEXT_IDX_compress_certificate,
+ TLSEXT_IDX_record_size_limit,
+ TLSEXT_IDX_application_settings,
TLSEXT_IDX_padding,
TLSEXT_IDX_psk,
/* Dummy index - must always be the last entry */
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index f8157389b7..fb5e1a8453 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -370,6 +370,38 @@ static const EXTENSION_DEFINITION ext_defs[] = {
tls_construct_certificate_authorities,
tls_construct_certificate_authorities, NULL,
},
+ {
+ TLSEXT_TYPE_status_request_v2,
+ SSL_EXT_CLIENT_HELLO,
+ NULL,
+ NULL, NULL,
+ NULL,
+ NULL, NULL,
+ },
+ {
+ TLSEXT_TYPE_compress_certificate,
+ SSL_EXT_CLIENT_HELLO,
+ NULL,
+ NULL, NULL,
+ NULL,
+ NULL, NULL,
+ },
+ {
+ TLSEXT_TYPE_record_size_limit,
+ SSL_EXT_CLIENT_HELLO,
+ NULL,
+ NULL, NULL,
+ NULL,
+ NULL, NULL,
+ },
+ {
+ TLSEXT_TYPE_application_settings,
+ SSL_EXT_CLIENT_HELLO,
+ NULL,
+ NULL, NULL,
+ NULL,
+ NULL, NULL,
+ },
{
/* Must be immediately before pre_shared_key */
TLSEXT_TYPE_padding,