From: tb
Date: Sun, 9 Apr 2023 18:26:26 +0000 (+0000)
Subject: Drop X9.31 support from libtls
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=d4a15b220ef682241173db2d50225141a486f1fa;p=openbsd

Drop X9.31 support from libtls

The TLS signer isn't exposed in public API (we should finally fix it...) and it supports X9.31, a standard that has been retired and deprecated for a very long time. libcrypto will stop supporting it soon, this step is needed to prepare userland.

ok jsing
---
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index ca1d96f627e..f4c23f64e67 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.80 2022/03/24 15:56:34 tb Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.81 2023/04/09 18:26:26 tb Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas
 * Copyright (c) 2014 Joel Sing
@@ -302,7 +302,6 @@ ECDSA_METHOD *tls_signer_ecdsa_method(void);
 #define TLS_PADDING_NONE 0
 #define TLS_PADDING_RSA_PKCS1 1
-#define TLS_PADDING_RSA_X9_31 2
 int tls_config_set_sign_cb(struct tls_config *_config, tls_sign_cb _cb, void *_cb_arg);
diff --git a/lib/libtls/tls_signer.c b/lib/libtls/tls_signer.c
index 1f11096792a..f6005d3e07a 100644
--- a/lib/libtls/tls_signer.c
+++ b/lib/libtls/tls_signer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_signer.c,v 1.4 2022/02/01 17:18:38 jsing Exp $ */
+/* $OpenBSD: tls_signer.c,v 1.5 2023/04/09 18:26:26 tb Exp $ */
 /*
 * Copyright (c) 2021 Eric Faurot
 *
@@ -193,8 +193,6 @@ tls_sign_rsa(struct tls_signer *signer, struct tls_signer_key *skey,
 rsa_padding = RSA_NO_PADDING;
 } else if (padding_type == TLS_PADDING_RSA_PKCS1) {
 rsa_padding = RSA_PKCS1_PADDING;
- } else if (padding_type == TLS_PADDING_RSA_X9_31) {
- rsa_padding = RSA_X931_PADDING;
 } else {
 tls_error_setx(&signer->error, "invalid RSA padding type (%d)", padding_type);
@@ -331,8 +329,6 @@ tls_rsa_priv_enc(int from_len, const unsigned char *from, unsigned char *to,
 padding_type = TLS_PADDING_NONE;
 } else if (rsa_padding == RSA_PKCS1_PADDING) {
 padding_type = TLS_PADDING_RSA_PKCS1;
- } else if (rsa_padding == RSA_X931_PADDING) {
- padding_type = TLS_PADDING_RSA_X9_31;
 } else {
 goto err;
 }