From: miod <miod@openbsd.org>
Date: Wed, 23 Apr 2014 22:26:25 +0000 (+0000)
Subject: Unifdef -UPKCS1_CHECK and remove SSL_OP_PKCS1_CHECK_[12], this is leftover
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=d9cb48f882a31ae39da17bf8b2fe278c00f07c93;p=openbsd

Unifdef -UPKCS1_CHECK and remove SSL_OP_PKCS1_CHECK_[12], this is leftover
``debug'' code from a 15+ years old bugfix and the SSL_OP_PKCS1_CHECK_*
constants have had a value of zero since ages. No production code should use
them.

ok beck@
---

diff --git a/lib/libcrypto/rsa/rsa_pk1.c b/lib/libcrypto/rsa/rsa_pk1.c
index 8560755f1d1..9eabb4fc92e 100644
--- a/lib/libcrypto/rsa/rsa_pk1.c
+++ b/lib/libcrypto/rsa/rsa_pk1.c
@@ -190,9 +190,6 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
 		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BLOCK_TYPE_IS_NOT_02);
 		return(-1);
 		}
-#ifdef PKCS1_CHECK
-	return(num-11);
-#endif
 
 	/* scan over padding data */
 	j=flen-1; /* one for type. */
diff --git a/lib/libssl/d1_clnt.c b/lib/libssl/d1_clnt.c
index cf9bc2d33ed..38118b13852 100644
--- a/lib/libssl/d1_clnt.c
+++ b/lib/libssl/d1_clnt.c
@@ -975,12 +975,6 @@ dtls1_send_client_key_exchange(SSL *s)
 				p += 2;
 			n = RSA_public_encrypt(sizeof tmp_buf,
 			tmp_buf, p, rsa, RSA_PKCS1_PADDING);
-#ifdef PKCS1_CHECK
-			if (s->options & SSL_OP_PKCS1_CHECK_1)
-				p[1]++;
-			if (s->options & SSL_OP_PKCS1_CHECK_2)
-				tmp_buf[0] = 0x70;
-#endif
 			if (n <= 0) {
 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, SSL_R_BAD_RSA_ENCRYPT);
 				goto err;
diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c
index ac1812d857b..f740f7e139d 100644
--- a/lib/libssl/s3_clnt.c
+++ b/lib/libssl/s3_clnt.c
@@ -2046,12 +2046,6 @@ ssl3_send_client_key_exchange(SSL *s)
 				p += 2;
 			n = RSA_public_encrypt(sizeof tmp_buf,
 			tmp_buf, p, rsa, RSA_PKCS1_PADDING);
-#ifdef PKCS1_CHECK
-			if (s->options & SSL_OP_PKCS1_CHECK_1)
-				p[1]++;
-			if (s->options & SSL_OP_PKCS1_CHECK_2)
-				tmp_buf[0] = 0x70;
-#endif
 			if (n <= 0) {
 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_BAD_RSA_ENCRYPT);
 				goto err;
diff --git a/lib/libssl/src/crypto/rsa/rsa_pk1.c b/lib/libssl/src/crypto/rsa/rsa_pk1.c
index 8560755f1d1..9eabb4fc92e 100644
--- a/lib/libssl/src/crypto/rsa/rsa_pk1.c
+++ b/lib/libssl/src/crypto/rsa/rsa_pk1.c
@@ -190,9 +190,6 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
 		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BLOCK_TYPE_IS_NOT_02);
 		return(-1);
 		}
-#ifdef PKCS1_CHECK
-	return(num-11);
-#endif
 
 	/* scan over padding data */
 	j=flen-1; /* one for type. */
diff --git a/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod b/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
index 43f5514cc14..935c9cd09b3 100644
--- a/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
+++ b/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
@@ -170,14 +170,6 @@ preferences. When set, the SSLv3/TLSv1 server will choose following its
 own preferences. Because of the different protocol, for SSLv2 the server
 will send its list of preferences to the client and the client chooses.
 
-=item SSL_OP_PKCS1_CHECK_1
-
-...
-
-=item SSL_OP_PKCS1_CHECK_2
-
-...
-
 =item SSL_OP_NETSCAPE_CA_DN_BUG
 
 If we accept a netscape connection, demand a client cert, have a
diff --git a/lib/libssl/src/ssl/d1_clnt.c b/lib/libssl/src/ssl/d1_clnt.c
index cf9bc2d33ed..38118b13852 100644
--- a/lib/libssl/src/ssl/d1_clnt.c
+++ b/lib/libssl/src/ssl/d1_clnt.c
@@ -975,12 +975,6 @@ dtls1_send_client_key_exchange(SSL *s)
 				p += 2;
 			n = RSA_public_encrypt(sizeof tmp_buf,
 			tmp_buf, p, rsa, RSA_PKCS1_PADDING);
-#ifdef PKCS1_CHECK
-			if (s->options & SSL_OP_PKCS1_CHECK_1)
-				p[1]++;
-			if (s->options & SSL_OP_PKCS1_CHECK_2)
-				tmp_buf[0] = 0x70;
-#endif
 			if (n <= 0) {
 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, SSL_R_BAD_RSA_ENCRYPT);
 				goto err;
diff --git a/lib/libssl/src/ssl/s3_clnt.c b/lib/libssl/src/ssl/s3_clnt.c
index ac1812d857b..f740f7e139d 100644
--- a/lib/libssl/src/ssl/s3_clnt.c
+++ b/lib/libssl/src/ssl/s3_clnt.c
@@ -2046,12 +2046,6 @@ ssl3_send_client_key_exchange(SSL *s)
 				p += 2;
 			n = RSA_public_encrypt(sizeof tmp_buf,
 			tmp_buf, p, rsa, RSA_PKCS1_PADDING);
-#ifdef PKCS1_CHECK
-			if (s->options & SSL_OP_PKCS1_CHECK_1)
-				p[1]++;
-			if (s->options & SSL_OP_PKCS1_CHECK_2)
-				tmp_buf[0] = 0x70;
-#endif
 			if (n <= 0) {
 				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_BAD_RSA_ENCRYPT);
 				goto err;
diff --git a/lib/libssl/src/ssl/ssl.h b/lib/libssl/src/ssl/ssl.h
index 3624bdcccd8..d3c7908a26c 100644
--- a/lib/libssl/src/ssl/ssl.h
+++ b/lib/libssl/src/ssl/ssl.h
@@ -599,14 +599,6 @@ struct ssl_session_st {
 #define SSL_OP_NO_TLSv1_2				0x08000000L
 #define SSL_OP_NO_TLSv1_1				0x10000000L
 
-/* These next two were never actually used for anything since SSLeay
- * zap so we have some more flags.
- */
-/* The next flag deliberately changes the ciphertest, this is a check
- * for the PKCS#1 attack */
-#define SSL_OP_PKCS1_CHECK_1				0x0
-#define SSL_OP_PKCS1_CHECK_2				0x0
-
 #define SSL_OP_NETSCAPE_CA_DN_BUG			0x20000000L
 #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG		0x40000000L
 /* Make server add server-hello extension from early version of
diff --git a/lib/libssl/src/ssl/ssl_locl.h b/lib/libssl/src/ssl/ssl_locl.h
index ebc942b146f..71dac84dac2 100644
--- a/lib/libssl/src/ssl/ssl_locl.h
+++ b/lib/libssl/src/ssl/ssl_locl.h
@@ -169,8 +169,6 @@
 # define OPENSSL_EXTERN OPENSSL_EXPORT
 #endif
 
-#undef PKCS1_CHECK
-
 #define c2l(c,l)	(l = ((unsigned long)(*((c)++)))     , \
 			 l|=(((unsigned long)(*((c)++)))<< 8), \
 			 l|=(((unsigned long)(*((c)++)))<<16), \
diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h
index 3624bdcccd8..d3c7908a26c 100644
--- a/lib/libssl/ssl.h
+++ b/lib/libssl/ssl.h
@@ -599,14 +599,6 @@ struct ssl_session_st {
 #define SSL_OP_NO_TLSv1_2				0x08000000L
 #define SSL_OP_NO_TLSv1_1				0x10000000L
 
-/* These next two were never actually used for anything since SSLeay
- * zap so we have some more flags.
- */
-/* The next flag deliberately changes the ciphertest, this is a check
- * for the PKCS#1 attack */
-#define SSL_OP_PKCS1_CHECK_1				0x0
-#define SSL_OP_PKCS1_CHECK_2				0x0
-
 #define SSL_OP_NETSCAPE_CA_DN_BUG			0x20000000L
 #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG		0x40000000L
 /* Make server add server-hello extension from early version of
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index ebc942b146f..71dac84dac2 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -169,8 +169,6 @@
 # define OPENSSL_EXTERN OPENSSL_EXPORT
 #endif
 
-#undef PKCS1_CHECK
-
 #define c2l(c,l)	(l = ((unsigned long)(*((c)++)))     , \
 			 l|=(((unsigned long)(*((c)++)))<< 8), \
 			 l|=(((unsigned long)(*((c)++)))<<16), \