From b1044e5251846ce9b02c7636ddc1eea796003cd4 Mon Sep 17 00:00:00 2001 From: tb Date: Fri, 26 Nov 2021 16:23:27 +0000 Subject: [PATCH] openssl(1): drop support for netscape certificates and server gated keys. ok inoguchi jsing --- usr.bin/openssl/apps.c | 82 +-------------------------------------- usr.bin/openssl/apps.h | 8 +--- usr.bin/openssl/openssl.1 | 8 +--- usr.bin/openssl/rsa.c | 40 +++---------------- usr.bin/openssl/x509.c | 12 +----- 5 files changed, 12 insertions(+), 138 deletions(-) diff --git a/usr.bin/openssl/apps.c b/usr.bin/openssl/apps.c index 5e4e8d521c7..392d3cc3393 100644 --- a/usr.bin/openssl/apps.c +++ b/usr.bin/openssl/apps.c @@ -1,4 +1,4 @@ -/* $OpenBSD: apps.c,v 1.60 2021/03/31 17:13:54 tb Exp $ */ +/* $OpenBSD: apps.c,v 1.61 2021/11/26 16:23:27 tb Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -160,12 +160,6 @@ static int set_table_opts(unsigned long *flags, const char *arg, static int set_multi_opts(unsigned long *flags, const char *arg, const NAME_EX_TBL *in_tbl); -#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA) -/* Looks like this stuff is worth moving into separate function */ -static EVP_PKEY *load_netscape_key(BIO *err, BIO *key, const char *file, - const char *key_descrip, int format); -#endif - int str2fmt(char *s) { @@ -175,8 +169,6 @@ str2fmt(char *s) return (FORMAT_ASN1); else if ((*s == 'T') || (*s == 't')) return (FORMAT_TEXT); - else if ((*s == 'N') || (*s == 'n')) - return (FORMAT_NETSCAPE); else if ((*s == 'S') || (*s == 's')) return (FORMAT_SMIME); else if ((*s == 'M') || (*s == 'm')) 
@@ -612,24 +604,7 @@ load_cert(BIO *err, const char *file, int format, const char *pass, if (format == FORMAT_ASN1) x = d2i_X509_bio(cert, NULL); - else if (format == FORMAT_NETSCAPE) { - NETSCAPE_X509 *nx; - nx = ASN1_item_d2i_bio(&NETSCAPE_X509_it, - cert, NULL); - if (nx == NULL) - goto end; - - if ((strncmp(NETSCAPE_CERT_HDR, (char *) nx->header->data, - nx->header->length) != 0)) { - NETSCAPE_X509_free(nx); - BIO_printf(err, - "Error reading header on certificate\n"); - goto end; - } - x = nx->cert; - nx->cert = NULL; - NETSCAPE_X509_free(nx); - } else if (format == FORMAT_PEM) + else if (format == FORMAT_PEM) x = PEM_read_bio_X509_AUX(cert, NULL, password_callback, NULL); else if (format == FORMAT_PKCS12) { if (!load_pkcs12(err, cert, cert_descrip, NULL, NULL, @@ -684,10 +659,6 @@ load_key(BIO *err, const char *file, int format, int maybe_stdin, } else if (format == FORMAT_PEM) { pkey = PEM_read_bio_PrivateKey(key, NULL, password_callback, &cb_data); } -#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA) - else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC) - pkey = load_netscape_key(err, key, file, key_descrip, format); -#endif else if (format == FORMAT_PKCS12) { if (!load_pkcs12(err, key, key_descrip, password_callback, &cb_data, &pkey, NULL, NULL)) @@ -768,10 +739,6 @@ load_pubkey(BIO *err, const char *file, int format, int maybe_stdin, else if (format == FORMAT_PEM) { pkey = PEM_read_bio_PUBKEY(key, NULL, password_callback, &cb_data); } -#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA) - else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC) - pkey = load_netscape_key(err, key, file, key_descrip, format); -#endif #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) else if (format == FORMAT_MSBLOB) pkey = b2i_PublicKey_bio(key); 
@@ -788,51 +755,6 @@ load_pubkey(BIO *err, const char *file, int format, int maybe_stdin, return (pkey); } -#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA) -static EVP_PKEY * -load_netscape_key(BIO *err, BIO *key, const char *file, - const char *key_descrip, int format) -{ - EVP_PKEY *pkey; - BUF_MEM *buf; - RSA *rsa; - const unsigned char *p; - int size, i; - - buf = BUF_MEM_new(); - pkey = EVP_PKEY_new(); - size = 0; - if (buf == NULL || pkey == NULL) - goto error; - for (;;) { - if (!BUF_MEM_grow_clean(buf, size + 1024 * 10)) - goto error; - i = BIO_read(key, &(buf->data[size]), 1024 * 10); - size += i; - if (i == 0) - break; - if (i < 0) { - BIO_printf(err, "Error reading %s %s", - key_descrip, file); - goto error; - } - } - p = (unsigned char *) buf->data; - rsa = d2i_RSA_NET(NULL, &p, (long) size, NULL, - (format == FORMAT_IISSGC ? 1 : 0)); - if (rsa == NULL) - goto error; - BUF_MEM_free(buf); - EVP_PKEY_set1_RSA(pkey, rsa); - return pkey; - - error: - BUF_MEM_free(buf); - EVP_PKEY_free(pkey); - return NULL; -} -#endif /* ndef OPENSSL_NO_RC4 */ - static int load_certs_crls(BIO *err, const char *file, int format, const char *pass, const char *desc, STACK_OF(X509) **pcerts, diff --git a/usr.bin/openssl/apps.h b/usr.bin/openssl/apps.h index 4fda6420c86..e8116bfe440 100644 --- a/usr.bin/openssl/apps.h +++ b/usr.bin/openssl/apps.h @@ -1,4 +1,4 @@ -/* $OpenBSD: apps.h,v 1.29 2021/11/20 15:55:00 tb Exp $ */ +/* $OpenBSD: apps.h,v 1.30 2021/11/26 16:23:27 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -255,12 +255,10 @@ unsigned char *next_protos_parse(unsigned short *outlen, const char *in); #define FORMAT_ASN1 1 #define FORMAT_TEXT 2 #define FORMAT_PEM 3 -#define FORMAT_NETSCAPE 4 + #define FORMAT_PKCS12 5 #define FORMAT_SMIME 6 -#define FORMAT_IISSGC 8 /* XXX this stupid macro helps us to avoid - * adding yet another param to load_*key() */ #define FORMAT_PEMRSA 9 /* PEM RSAPublicKey format */ #define FORMAT_ASN1RSA 10 /* DER RSAPublicKey format */ #define FORMAT_MSBLOB 11 /* MS Key blob format */ @@ -270,8 +268,6 @@ unsigned char *next_protos_parse(unsigned short *outlen, const char *in); #define EXT_COPY_ADD 1 #define EXT_COPY_ALL 2 -#define NETSCAPE_CERT_HDR "certificate" - #define APP_PASS_LEN 1024 #define SERIAL_RAND_BITS 64 diff --git a/usr.bin/openssl/openssl.1 b/usr.bin/openssl/openssl.1 index 05f7e21cc9f..7ebfb9c31fa 100644 --- a/usr.bin/openssl/openssl.1 +++ b/usr.bin/openssl/openssl.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: openssl.1,v 1.133 2021/10/23 11:36:44 tb Exp $ +.\" $OpenBSD: openssl.1,v 1.134 2021/11/26 16:23:27 tb Exp $ .\" ==================================================================== .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. .\" @@ -110,7 +110,7 @@ .\" copied and put under another distribution licence .\" [including the GNU Public Licence.] .\" -.Dd $Mdocdate: October 23 2021 $ +.Dd $Mdocdate: November 26 2021 $ .Dt OPENSSL 1 .Os .Sh NAME @@ -4105,7 +4105,6 @@ Any additional fields will be treated as though they were a .Op Fl pvk-none | pvk-strong | pvk-weak .Op Fl RSAPublicKey_in .Op Fl RSAPublicKey_out -.Op Fl sgckey .Op Fl text .Ek .El @@ -4177,9 +4176,6 @@ and except .Cm RSAPublicKey format is used instead. -.It Fl sgckey -Use the modified NET algorithm used with some versions of Microsoft IIS -and SGC keys. .It Fl text Print the public/private key components in plain text. .El diff --git a/usr.bin/openssl/rsa.c b/usr.bin/openssl/rsa.c index 231674b5a60..0d331f6a9ad 100644 --- a/usr.bin/openssl/rsa.c 
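Review bot: The `+` line that replaces `#define FORMAT_NETSCAPE 4` in the apps.h hunk adds a bare blank line, splitting the FORMAT_* table between `#define FORMAT_PEM 3` and `#define FORMAT_PKCS12 5`; it reads as a leftover of the deletion rather than intentional grouping. Either drop the blank line so the table stays contiguous, or make the numbering gap self-explanatory with a comment on the surviving line, e.g. `#define FORMAT_PKCS12 5 /* 4 was FORMAT_NETSCAPE, removed */`. With the `FORMAT_IISSGC 8` line and its comment also gone, nothing left in the header explains why values 4, 7 and 8 are skipped, so a one-line note is the cheapest way to stop a later addition from being puzzled by (or "fixing") the gaps.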
+++ b/usr.bin/openssl/rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa.c,v 1.14 2019/07/14 03:30:46 guenther Exp $ */ +/* $OpenBSD: rsa.c,v 1.15 2021/11/26 16:23:27 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -88,7 +88,6 @@ static struct { int pubin; int pubout; int pvk_encr; - int sgckey; int text; } rsa_config; @@ -214,12 +213,6 @@ static const struct option rsa_options[] = { .value = 2, .opt.value = &rsa_config.pubout, }, - { - .name = "sgckey", - .desc = "Use modified NET algorithm for IIS and SGC keys", - .type = OPTION_FLAG, - .opt.flag = &rsa_config.sgckey, - }, { .name = "text", .desc = "Print in plain text in addition to encoded", @@ -244,7 +237,7 @@ rsa_usage() "[-inform fmt]\n" " [-modulus] [-noout] [-out file] [-outform fmt] " "[-passin src]\n" - " [-passout src] [-pubin] [-pubout] [-sgckey] [-text]\n\n"); + " [-passout src] [-pubin] [-pubout] [-text]\n\n"); options_usage(rsa_options); fprintf(stderr, "\n"); @@ -300,19 +293,14 @@ rsa_main(int argc, char **argv) tmpformat = FORMAT_PEMRSA; else if (rsa_config.informat == FORMAT_ASN1) tmpformat = FORMAT_ASN1RSA; - } else if (rsa_config.informat == FORMAT_NETSCAPE && - rsa_config.sgckey) - tmpformat = FORMAT_IISSGC; - else + } else tmpformat = rsa_config.informat; pkey = load_pubkey(bio_err, rsa_config.infile, tmpformat, 1, passin, "Public Key"); } else pkey = load_key(bio_err, rsa_config.infile, - (rsa_config.informat == FORMAT_NETSCAPE && - rsa_config.sgckey ? FORMAT_IISSGC : - rsa_config.informat), 1, passin, "Private Key"); + rsa_config.informat, 1, passin, "Private Key"); if (pkey != NULL) rsa = EVP_PKEY_get1_RSA(pkey); 
@@ -380,25 +368,7 @@ rsa_main(int argc, char **argv) i = i2d_RSA_PUBKEY_bio(out, rsa); } else i = i2d_RSAPrivateKey_bio(out, rsa); - } -#ifndef OPENSSL_NO_RC4 - else if (rsa_config.outformat == FORMAT_NETSCAPE) { - unsigned char *p, *pp; - int size; - - i = 1; - size = i2d_RSA_NET(rsa, NULL, NULL, rsa_config.sgckey); - if ((p = malloc(size)) == NULL) { - BIO_printf(bio_err, "Memory allocation failure\n"); - goto end; - } - pp = p; - i2d_RSA_NET(rsa, &p, NULL, rsa_config.sgckey); - BIO_write(out, (char *) pp, size); - free(pp); - } -#endif - else if (rsa_config.outformat == FORMAT_PEM) { + } else if (rsa_config.outformat == FORMAT_PEM) { if (rsa_config.pubout || rsa_config.pubin) { if (rsa_config.pubout == 2) i = PEM_write_bio_RSAPublicKey(out, rsa); diff --git a/usr.bin/openssl/x509.c b/usr.bin/openssl/x509.c index 5ee478b050c..978f097efa6 100644 --- a/usr.bin/openssl/x509.c +++ b/usr.bin/openssl/x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.25 2021/10/23 15:44:39 tb Exp $ */ +/* $OpenBSD: x509.c,v 1.26 2021/11/26 16:23:27 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1298,16 +1298,6 @@ x509_main(int argc, char **argv) i = PEM_write_bio_X509_AUX(out, x); else i = PEM_write_bio_X509(out, x); - } else if (x509_config.outformat == FORMAT_NETSCAPE) { - NETSCAPE_X509 nx; - ASN1_OCTET_STRING hdr; - - hdr.data = (unsigned char *) NETSCAPE_CERT_HDR; - hdr.length = strlen(NETSCAPE_CERT_HDR); - nx.header = &hdr; - nx.cert = x; - - i = ASN1_item_i2d_bio(&NETSCAPE_X509_it, out, &nx); } else { BIO_printf(bio_err, "bad output format specified for outfile\n"); -- 2.20.1