Remove ssl_server_legacy_first_packet()

This has not been reachable since we made the TLSv1.3 stack the default entry point - tls13_record_layer_read_record() will send a protocol version alert and raise an error, which means we never transition into the legacy stack. ok kenjiro@
author: jsing <> 2026-04-03 07:26:20 +0000
committer: jsing <> 2026-04-03 07:26:20 +0000
commit: ba2c2f6b31a0d325528b48899a6a12f650464c2f (patch)
tree: 680bca915e405d2100094a849246e952c52d5230 /src
parent: 34c9ebaffbf06ba9d8883c4adf8061fd670f54c4 (diff)
download: openbsd-ba2c2f6b31a0d325528b48899a6a12f650464c2f.tar.gz
openbsd-ba2c2f6b31a0d325528b48899a6a12f650464c2f.tar.bz2
openbsd-ba2c2f6b31a0d325528b48899a6a12f650464c2f.zip
3 files changed, 2 insertions, 97 deletions
diff --git a/src/lib/libssl/Makefile b/src/lib/libssl/Makefile
index 652ad4238f..7e423b0b43 100644
--- a/src/lib/libssl/Makefile
+++ b/src/lib/libssl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.85 2024/08/11 13:04:46 jsing Exp $
+# $OpenBSD: Makefile,v 1.86 2026/04/03 07:26:20 jsing Exp $
 .include <bsd.own.mk>
 .ifndef NOMAN
@@ -57,7 +57,6 @@ SRCS= \
        ssl_kex.c \
        ssl_lib.c \
        ssl_methods.c \
-        ssl_packet.c \
        ssl_pkt.c \
        ssl_rsa.c \
        ssl_seclevel.c \
diff --git a/src/lib/libssl/ssl_packet.c b/src/lib/libssl/ssl_packet.c
deleted file mode 100644
index 32d6cceb7a..0000000000
--- a/src/lib/libssl/ssl_packet.c
+++ /dev/null
@@ -1,88 +0,0 @@
-/* $OpenBSD: ssl_packet.c,v 1.16 2024/06/28 13:37:49 jsing Exp $ */
-/*
- * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#include "bytestring.h"
-#include "ssl_local.h"
-static int
-ssl_is_sslv3_handshake(CBS *header)
-{
-        uint16_t record_version;
-        uint8_t record_type;
-        CBS cbs;
-        CBS_dup(header, &cbs);
-        if (!CBS_get_u8(&cbs, &record_type) ||
-            !CBS_get_u16(&cbs, &record_version))
-                return 0;
-        if (record_type != SSL3_RT_HANDSHAKE)
-                return 0;
-        if ((record_version >> 8) != SSL3_VERSION_MAJOR)
-                return 0;
-        return 1;
-}
-/*
- * Potentially do legacy processing on the first packet received by a TLS
- * server. We return 1 if we want SSLv3/TLS record processing to continue
- * normally, otherwise we must set an SSLerr and return -1.
- */
-int
-ssl_server_legacy_first_packet(SSL *s)
-{
-        const char *data;
-        CBS header;
-        if (SSL_is_dtls(s))
-                return 1;
-        CBS_init(&header, s->packet, SSL3_RT_HEADER_LENGTH);
-        if (ssl_is_sslv3_handshake(&header) == 1)
-                return 1;
-        /* Only continue if this is not a version locked method. */
-        if (s->method->min_tls_version == s->method->max_tls_version)
-                return 1;
-        /* Ensure that we have SSL3_RT_HEADER_LENGTH (5 bytes) of the packet. */
-        if (CBS_len(&header) != SSL3_RT_HEADER_LENGTH) {
-                SSLerror(s, ERR_R_INTERNAL_ERROR);
-                return -1;
-        }
-        data = (const char *)CBS_data(&header);
-        /* Is this a cleartext protocol? */
-        if (strncmp("GET ", data, 4) == 0 ||
-            strncmp("POST ", data, 5) == 0 ||
-            strncmp("HEAD ", data, 5) == 0 ||
-            strncmp("PUT ", data, 4) == 0) {
-                SSLerror(s, SSL_R_HTTP_REQUEST);
-                return -1;
-        }
-        if (strncmp("CONNE", data, 5) == 0) {
-                SSLerror(s, SSL_R_HTTPS_PROXY_REQUEST);
-                return -1;
-        }
-        SSLerror(s, SSL_R_UNKNOWN_PROTOCOL);
-        return -1;
-}
diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c
index d2921228c1..683dc94a37 100644
--- a/src/lib/libssl/ssl_pkt.c
+++ b/src/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_pkt.c,v 1.70 2026/04/03 07:17:36 jsing Exp $ */
+/* $OpenBSD: ssl_pkt.c,v 1.71 2026/04/03 07:26:20 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -352,12 +352,6 @@ ssl3_get_record(SSL *s)
                s->rstate = SSL_ST_READ_BODY;
-                if (s->server && s->first_packet) {
-                        if ((ret = ssl_server_legacy_first_packet(s)) != 1)
-                                return (ret);
-                        ret = -1;
-                }
                CBS_init(&header, s->packet, SSL3_RT_HEADER_LENGTH);
                /* Pull apart the header into the SSL3_RECORD_INTERNAL */
author	jsing <>	2026-04-03 07:26:20 +0000
committer	jsing <>	2026-04-03 07:26:20 +0000
commit	ba2c2f6b31a0d325528b48899a6a12f650464c2f (patch)
tree	680bca915e405d2100094a849246e952c52d5230 /src
parent	34c9ebaffbf06ba9d8883c4adf8061fd670f54c4 (diff)
download	openbsd-ba2c2f6b31a0d325528b48899a6a12f650464c2f.tar.gz openbsd-ba2c2f6b31a0d325528b48899a6a12f650464c2f.tar.bz2 openbsd-ba2c2f6b31a0d325528b48899a6a12f650464c2f.zip

diff --git a/src/lib/libssl/Makefile b/src/lib/libssl/Makefile index 652ad4238f..7e423b0b43 100644 --- a/src/lib/libssl/Makefile +++ b/src/lib/libssl/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.85 2024/08/11 13:04:46 jsing Exp $	1	# $OpenBSD: Makefile,v 1.86 2026/04/03 07:26:20 jsing Exp $
2		2
3	.include <bsd.own.mk>	3	.include <bsd.own.mk>
4	.ifndef NOMAN	4	.ifndef NOMAN
@@ -57,7 +57,6 @@ SRCS= \
57	ssl_kex.c \	57	ssl_kex.c \
58	ssl_lib.c \	58	ssl_lib.c \
59	ssl_methods.c \	59	ssl_methods.c \
60	ssl_packet.c \
61	ssl_pkt.c \	60	ssl_pkt.c \
62	ssl_rsa.c \	61	ssl_rsa.c \
63	ssl_seclevel.c \	62	ssl_seclevel.c \


diff --git a/src/lib/libssl/ssl_packet.c b/src/lib/libssl/ssl_packet.c deleted file mode 100644 index 32d6cceb7a..0000000000 --- a/src/lib/libssl/ssl_packet.c +++ /dev/null
@@ -1,88 +0,0 @@
1	/* $OpenBSD: ssl_packet.c,v 1.16 2024/06/28 13:37:49 jsing Exp $ */
2	/*
3	* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4	*
5	* Permission to use, copy, modify, and distribute this software for any
6	* purpose with or without fee is hereby granted, provided that the above
7	* copyright notice and this permission notice appear in all copies.
8	*
9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	*/
17
18	#include "bytestring.h"
19	#include "ssl_local.h"
20
21	static int
22	ssl_is_sslv3_handshake(CBS *header)
23	{
24	uint16_t record_version;
25	uint8_t record_type;
26	CBS cbs;
27
28	CBS_dup(header, &cbs);
29
30	if (!CBS_get_u8(&cbs, &record_type) \|\|
31	!CBS_get_u16(&cbs, &record_version))
32	return 0;
33
34	if (record_type != SSL3_RT_HANDSHAKE)
35	return 0;
36	if ((record_version >> 8) != SSL3_VERSION_MAJOR)
37	return 0;
38
39	return 1;
40	}
41
42	/*
43	* Potentially do legacy processing on the first packet received by a TLS
44	* server. We return 1 if we want SSLv3/TLS record processing to continue
45	* normally, otherwise we must set an SSLerr and return -1.
46	*/
47	int
48	ssl_server_legacy_first_packet(SSL *s)
49	{
50	const char *data;
51	CBS header;
52
53	if (SSL_is_dtls(s))
54	return 1;
55
56	CBS_init(&header, s->packet, SSL3_RT_HEADER_LENGTH);
57
58	if (ssl_is_sslv3_handshake(&header) == 1)
59	return 1;
60
61	/* Only continue if this is not a version locked method. */
62	if (s->method->min_tls_version == s->method->max_tls_version)
63	return 1;
64
65	/* Ensure that we have SSL3_RT_HEADER_LENGTH (5 bytes) of the packet. */
66	if (CBS_len(&header) != SSL3_RT_HEADER_LENGTH) {
67	SSLerror(s, ERR_R_INTERNAL_ERROR);
68	return -1;
69	}
70	data = (const char *)CBS_data(&header);
71
72	/* Is this a cleartext protocol? */
73	if (strncmp("GET ", data, 4) == 0 \|\|
74	strncmp("POST ", data, 5) == 0 \|\|
75	strncmp("HEAD ", data, 5) == 0 \|\|
76	strncmp("PUT ", data, 4) == 0) {
77	SSLerror(s, SSL_R_HTTP_REQUEST);
78	return -1;
79	}
80	if (strncmp("CONNE", data, 5) == 0) {
81	SSLerror(s, SSL_R_HTTPS_PROXY_REQUEST);
82	return -1;
83	}
84
85	SSLerror(s, SSL_R_UNKNOWN_PROTOCOL);
86
87	return -1;
88	}


diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c index d2921228c1..683dc94a37 100644 --- a/src/lib/libssl/ssl_pkt.c +++ b/src/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_pkt.c,v 1.70 2026/04/03 07:17:36 jsing Exp $ */	1	/* $OpenBSD: ssl_pkt.c,v 1.71 2026/04/03 07:26:20 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -352,12 +352,6 @@ ssl3_get_record(SSL *s)
352		352
353	s->rstate = SSL_ST_READ_BODY;	353	s->rstate = SSL_ST_READ_BODY;
354		354
355	if (s->server && s->first_packet) {
356	if ((ret = ssl_server_legacy_first_packet(s)) != 1)
357	return (ret);
358	ret = -1;
359	}
360
361	CBS_init(&header, s->packet, SSL3_RT_HEADER_LENGTH);	355	CBS_init(&header, s->packet, SSL3_RT_HEADER_LENGTH);
362		356
363	/* Pull apart the header into the SSL3_RECORD_INTERNAL */	357	/* Pull apart the header into the SSL3_RECORD_INTERNAL */