From 652a2c127832401e38b41c6f3add4747e0e7157e Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Fri, 28 Jun 2024 13:37:49 +0000
Subject: Remove handling of SSLv2 client hello messages.

This code was only previously enabled if the minimum enabled version was
TLSv1.0 and a non-version locked method is in use. Since TLSv1.0 and
TLSv1.1 were disabled nearly a year ago, this code is no longer ever
being used.

ok tb@
---
 src/lib/libssl/ssl_packet.c | 206 +-------------------------------------------
 1 file changed, 1 insertion(+), 205 deletions(-)

diff --git a/src/lib/libssl/ssl_packet.c b/src/lib/libssl/ssl_packet.c
index 70017b4664..32d6cceb7a 100644
--- a/src/lib/libssl/ssl_packet.c
+++ b/src/lib/libssl/ssl_packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_packet.c,v 1.15 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: ssl_packet.c,v 1.16 2024/06/28 13:37:49 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  *
@@ -18,34 +18,6 @@
 #include "bytestring.h"
 #include "ssl_local.h"
 
-static int
-ssl_is_sslv2_client_hello(CBS *header)
-{
-	uint16_t record_length;
-	uint8_t message_type;
-	CBS cbs;
-
-	CBS_dup(header, &cbs);
-
-	if (!CBS_get_u16(&cbs, &record_length) ||
-	    !CBS_get_u8(&cbs, &message_type))
-		return 0;
-
-	/*
-	 * The SSLv2 record length field uses variable length (2 or 3 byte)
-	 * encoding. Given the size of a client hello, we expect/require the
-	 * 2-byte form which is indicated by a one in the most significant bit.
-	 */
-	if ((record_length & 0x8000) == 0)
-		return 0;
-	if ((record_length & ~0x8000) < 3)
-		return 0;
-	if (message_type != SSL2_MT_CLIENT_HELLO)
-		return 0;
-
-	return 1;
-}
-
 static int
 ssl_is_sslv3_handshake(CBS *header)
 {
@@ -67,164 +39,6 @@ ssl_is_sslv3_handshake(CBS *header)
 	return 1;
 }
 
-static int
-ssl_convert_sslv2_client_hello(SSL *s)
-{
-	CBB cbb, handshake, client_hello, cipher_suites, compression, session_id;
-	CBS cbs, challenge, cipher_specs, session;
-	uint16_t record_length, client_version, cipher_specs_length;
-	uint16_t session_id_length, challenge_length;
-	unsigned char *client_random = NULL, *data = NULL;
-	size_t data_len, pad_len, len;
-	uint32_t cipher_spec;
-	uint8_t message_type;
-	unsigned char *pad;
-	int ret = -1;
-	int n;
-
-	memset(&cbb, 0, sizeof(cbb));
-
-	CBS_init(&cbs, s->packet, SSL3_RT_HEADER_LENGTH);
-
-	if (!CBS_get_u16(&cbs, &record_length) ||
-	    !CBS_get_u8(&cbs, &message_type) ||
-	    !CBS_get_u16(&cbs, &client_version))
-		return -1;
-
-	/*
-	 * The SSLv2 record length field uses variable length (2 or 3 byte)
-	 * encoding. Given the size of a client hello, we expect/require the
-	 * 2-byte form which is indicated by a one in the most significant bit.
-	 * Also note that the record length value does not include the bytes
-	 * used for the record length field.
-	 */
-	if ((record_length & 0x8000) == 0)
-		return -1;
-	record_length &= ~0x8000;
-	if (record_length < SSL3_RT_HEADER_LENGTH - 2)
-		return -1;
-	if (message_type != SSL2_MT_CLIENT_HELLO)
-		return -1;
-
-	if (record_length < 9) {
-		SSLerror(s, SSL_R_RECORD_LENGTH_MISMATCH);
-		return -1;
-	}
-	if (record_length > 4096) {
-		SSLerror(s, SSL_R_RECORD_TOO_LARGE);
-		return -1;
-	}
-
-	n = ssl3_packet_extend(s, record_length + 2);
-	if (n != record_length + 2)
-		return n;
-
-	tls1_transcript_record(s, s->packet + 2,
-	    s->packet_length - 2);
-	s->mac_packet = 0;
-
-	if (s->msg_callback)
-		s->msg_callback(0, SSL2_VERSION, 0,
-		    s->packet + 2, s->packet_length - 2, s,
-		    s->msg_callback_arg);
-
-	/* Decode the SSLv2 record containing the client hello. */
-	CBS_init(&cbs, s->packet, s->packet_length);
-
-	if (!CBS_get_u16(&cbs, &record_length))
-		return -1;
-	if (!CBS_get_u8(&cbs, &message_type))
-		return -1;
-	if (!CBS_get_u16(&cbs, &client_version))
-		return -1;
-	if (!CBS_get_u16(&cbs, &cipher_specs_length))
-		return -1;
-	if (!CBS_get_u16(&cbs, &session_id_length))
-		return -1;
-	if (!CBS_get_u16(&cbs, &challenge_length))
-		return -1;
-	if (!CBS_get_bytes(&cbs, &cipher_specs, cipher_specs_length))
-		return -1;
-	if (!CBS_get_bytes(&cbs, &session, session_id_length))
-		return -1;
-	if (!CBS_get_bytes(&cbs, &challenge, challenge_length))
-		return -1;
-	if (CBS_len(&cbs) != 0) {
-		SSLerror(s, SSL_R_RECORD_LENGTH_MISMATCH);
-		return -1;
-	}
-
-	/*
-	 * Convert SSLv2 challenge to SSLv3/TLS client random, by truncating or
-	 * left-padding with zero bytes.
-	 */
-	if ((client_random = malloc(SSL3_RANDOM_SIZE)) == NULL)
-		goto err;
-	if (!CBB_init_fixed(&cbb, client_random, SSL3_RANDOM_SIZE))
-		goto err;
-	if ((len = CBS_len(&challenge)) > SSL3_RANDOM_SIZE)
-		len = SSL3_RANDOM_SIZE;
-	pad_len = SSL3_RANDOM_SIZE - len;
-	if (!CBB_add_space(&cbb, &pad, pad_len))
-		goto err;
-	memset(pad, 0, pad_len);
-	if (!CBB_add_bytes(&cbb, CBS_data(&challenge), len))
-		goto err;
-	if (!CBB_finish(&cbb, NULL, NULL))
-		goto err;
-
-	/* Build SSLv3/TLS record with client hello. */
-	if (!CBB_init(&cbb, SSL3_RT_MAX_PLAIN_LENGTH))
-		goto err;
-	if (!CBB_add_u8(&cbb, SSL3_RT_HANDSHAKE))
-		goto err;
-	if (!CBB_add_u16(&cbb, 0x0301))
-		goto err;
-	if (!CBB_add_u16_length_prefixed(&cbb, &handshake))
-		goto err;
-	if (!CBB_add_u8(&handshake, SSL3_MT_CLIENT_HELLO))
-		goto err;
-	if (!CBB_add_u24_length_prefixed(&handshake, &client_hello))
-		goto err;
-	if (!CBB_add_u16(&client_hello, client_version))
-		goto err;
-	if (!CBB_add_bytes(&client_hello, client_random, SSL3_RANDOM_SIZE))
-		goto err;
-	if (!CBB_add_u8_length_prefixed(&client_hello, &session_id))
-		goto err;
-	if (!CBB_add_u16_length_prefixed(&client_hello, &cipher_suites))
-		goto err;
-	while (CBS_len(&cipher_specs) > 0) {
-		if (!CBS_get_u24(&cipher_specs, &cipher_spec))
-			goto err;
-		if ((cipher_spec & 0xff0000) != 0)
-			continue;
-		if (!CBB_add_u16(&cipher_suites, cipher_spec & 0xffff))
-			goto err;
-	}
-	if (!CBB_add_u8_length_prefixed(&client_hello, &compression))
-		goto err;
-	if (!CBB_add_u8(&compression, 0))
-		goto err;
-	if (!CBB_finish(&cbb, &data, &data_len))
-		goto err;
-
-	if (data_len > s->s3->rbuf.len)
-		goto err;
-
-	s->packet = s->s3->rbuf.buf;
-	s->packet_length = data_len;
-	memcpy(s->packet, data, data_len);
-	ret = 1;
-
- err:
-	CBB_cleanup(&cbb);
-	free(client_random);
-	free(data);
-
-	return (ret);
-}
-
 /*
  * Potentially do legacy processing on the first packet received by a TLS
  * server. We return 1 if we want SSLv3/TLS record processing to continue
@@ -233,7 +47,6 @@ ssl_convert_sslv2_client_hello(SSL *s)
 int
 ssl_server_legacy_first_packet(SSL *s)
 {
-	uint16_t min_version;
 	const char *data;
 	CBS header;
 
@@ -249,23 +62,6 @@ ssl_server_legacy_first_packet(SSL *s)
 	if (s->method->min_tls_version == s->method->max_tls_version)
 		return 1;
 
-	if (ssl_is_sslv2_client_hello(&header) == 1) {
-		/* Only permit SSLv2 client hellos if TLSv1.0 is enabled. */
-		if (ssl_enabled_tls_version_range(s, &min_version, NULL) != 1) {
-			SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
-			return -1;
-		}
-		if (min_version > TLS1_VERSION)
-			return 1;
-
-		if (ssl_convert_sslv2_client_hello(s) != 1) {
-			SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
-			return -1;
-		}
-
-		return 1;
-	}
-
 	/* Ensure that we have SSL3_RT_HEADER_LENGTH (5 bytes) of the packet. */
 	if (CBS_len(&header) != SSL3_RT_HEADER_LENGTH) {
 		SSLerror(s, ERR_R_INTERNAL_ERROR);
-- 
cgit v1.2.3-55-g6feb