Drop X9.31 support from libtls

The TLS signer isn't exposed in public API (we should finally fix it...)
and it supports X9.31, a standard that has been retired and deprecated for
a very long time. libcrypto will stop supporting it soon, this step is
needed to prepare userland.

ok jsing

diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index ca1d96f..f4c23f6 100644 (file)
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.80 2022/03/24 15:56:34 tb Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.81 2023/04/09 18:26:26 tb Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -302,7 +302,6 @@ ECDSA_METHOD *tls_signer_ecdsa_method(void);
 
 #define TLS_PADDING_NONE                       0
 #define TLS_PADDING_RSA_PKCS1                  1
-#define TLS_PADDING_RSA_X9_31                  2
 
 int tls_config_set_sign_cb(struct tls_config *_config, tls_sign_cb _cb,
     void *_cb_arg);

diff --git a/lib/libtls/tls_signer.c b/lib/libtls/tls_signer.c
index 1f11096..f6005d3 100644 (file)
--- a/lib/libtls/tls_signer.c
+++ b/lib/libtls/tls_signer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_signer.c,v 1.4 2022/02/01 17:18:38 jsing Exp $ */
+/* $OpenBSD: tls_signer.c,v 1.5 2023/04/09 18:26:26 tb Exp $ */
 /*
  * Copyright (c) 2021 Eric Faurot <eric@openbsd.org>
  *
@@ -193,8 +193,6 @@ tls_sign_rsa(struct tls_signer *signer, struct tls_signer_key *skey,
                rsa_padding = RSA_NO_PADDING;
        } else if (padding_type == TLS_PADDING_RSA_PKCS1) {
                rsa_padding = RSA_PKCS1_PADDING;
-       } else if (padding_type == TLS_PADDING_RSA_X9_31) {
-               rsa_padding = RSA_X931_PADDING;
        } else {
                tls_error_setx(&signer->error, "invalid RSA padding type (%d)",
                    padding_type);
@@ -331,8 +329,6 @@ tls_rsa_priv_enc(int from_len, const unsigned char *from, unsigned char *to,
                padding_type = TLS_PADDING_NONE;
        } else if (rsa_padding == RSA_PKCS1_PADDING) {
                padding_type = TLS_PADDING_RSA_PKCS1;
-       } else if (rsa_padding == RSA_X931_PADDING) {
-               padding_type = TLS_PADDING_RSA_X9_31;
        } else {
                goto err;
        }