From d9cb48f882a31ae39da17bf8b2fe278c00f07c93 Mon Sep 17 00:00:00 2001
From: miod
Date: Wed, 23 Apr 2014 22:26:25 +0000
Subject: [PATCH] Unifdef -UPKCS1_CHECK and remove SSL_OP_PKCS1_CHECK_[12], this is leftover ``debug'' code from a 15+ years old bugfix and the SSL_OP_PKCS1_CHECK_* constants have had a value of zero since ages. No production code should use them. ok beck@
---
 lib/libcrypto/rsa/rsa_pk1.c | 3 ---
 lib/libssl/d1_clnt.c | 6 ------
 lib/libssl/s3_clnt.c | 6 ------
 lib/libssl/src/crypto/rsa/rsa_pk1.c | 3 ---
 lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod | 8 --------
 lib/libssl/src/ssl/d1_clnt.c | 6 ------
 lib/libssl/src/ssl/s3_clnt.c | 6 ------
 lib/libssl/src/ssl/ssl.h | 8 --------
 lib/libssl/src/ssl/ssl_locl.h | 2 --
 lib/libssl/ssl.h | 8 --------
 lib/libssl/ssl_locl.h | 2 --
 11 files changed, 58 deletions(-)
diff --git a/lib/libcrypto/rsa/rsa_pk1.c b/lib/libcrypto/rsa/rsa_pk1.c
index 8560755f1d1..9eabb4fc92e 100644
--- a/lib/libcrypto/rsa/rsa_pk1.c
+++ b/lib/libcrypto/rsa/rsa_pk1.c
@@ -190,9 +190,6 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BLOCK_TYPE_IS_NOT_02);
 return(-1);
 }
-#ifdef PKCS1_CHECK
- return(num-11);
-#endif
 /* scan over padding data */
 j=flen-1; /* one for type. */
diff --git a/lib/libssl/d1_clnt.c b/lib/libssl/d1_clnt.c
index cf9bc2d33ed..38118b13852 100644
--- a/lib/libssl/d1_clnt.c
+++ b/lib/libssl/d1_clnt.c
@@ -975,12 +975,6 @@ dtls1_send_client_key_exchange(SSL *s)
 p += 2;
 n = RSA_public_encrypt(sizeof tmp_buf, tmp_buf, p, rsa, RSA_PKCS1_PADDING);
-#ifdef PKCS1_CHECK
- if (s->options & SSL_OP_PKCS1_CHECK_1)
- p[1]++;
- if (s->options & SSL_OP_PKCS1_CHECK_2)
- tmp_buf[0] = 0x70;
-#endif
 if (n <= 0) {
 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, SSL_R_BAD_RSA_ENCRYPT);
 goto err;
diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c
index ac1812d857b..f740f7e139d 100644
--- a/lib/libssl/s3_clnt.c
+++ b/lib/libssl/s3_clnt.c
@@ -2046,12 +2046,6 @@ ssl3_send_client_key_exchange(SSL *s)
 p += 2;
 n = RSA_public_encrypt(sizeof tmp_buf, tmp_buf, p, rsa, RSA_PKCS1_PADDING);
-#ifdef PKCS1_CHECK
- if (s->options & SSL_OP_PKCS1_CHECK_1)
- p[1]++;
- if (s->options & SSL_OP_PKCS1_CHECK_2)
- tmp_buf[0] = 0x70;
-#endif
 if (n <= 0) {
 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_BAD_RSA_ENCRYPT);
 goto err;
diff --git a/lib/libssl/src/crypto/rsa/rsa_pk1.c b/lib/libssl/src/crypto/rsa/rsa_pk1.c
index 8560755f1d1..9eabb4fc92e 100644
--- a/lib/libssl/src/crypto/rsa/rsa_pk1.c
+++ b/lib/libssl/src/crypto/rsa/rsa_pk1.c
@@ -190,9 +190,6 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BLOCK_TYPE_IS_NOT_02);
 return(-1);
 }
-#ifdef PKCS1_CHECK
- return(num-11);
-#endif
 /* scan over padding data */
 j=flen-1; /* one for type. */
diff --git a/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod b/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
index 43f5514cc14..935c9cd09b3 100644
--- a/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
+++ b/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
@@ -170,14 +170,6 @@ preferences. When set, the SSLv3/TLSv1 server will choose following its own preferences. Because of the different protocol, for SSLv2 the server will send its list of preferences to the client and the client chooses.
-=item SSL_OP_PKCS1_CHECK_1
-
-...
-
-=item SSL_OP_PKCS1_CHECK_2
-
-...
-
 =item SSL_OP_NETSCAPE_CA_DN_BUG
 If we accept a netscape connection, demand a client cert, have a
diff --git a/lib/libssl/src/ssl/d1_clnt.c b/lib/libssl/src/ssl/d1_clnt.c
index cf9bc2d33ed..38118b13852 100644
--- a/lib/libssl/src/ssl/d1_clnt.c
+++ b/lib/libssl/src/ssl/d1_clnt.c
@@ -975,12 +975,6 @@ dtls1_send_client_key_exchange(SSL *s)
 p += 2;
 n = RSA_public_encrypt(sizeof tmp_buf, tmp_buf, p, rsa, RSA_PKCS1_PADDING);
-#ifdef PKCS1_CHECK
- if (s->options & SSL_OP_PKCS1_CHECK_1)
- p[1]++;
- if (s->options & SSL_OP_PKCS1_CHECK_2)
- tmp_buf[0] = 0x70;
-#endif
 if (n <= 0) {
 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, SSL_R_BAD_RSA_ENCRYPT);
 goto err;
diff --git a/lib/libssl/src/ssl/s3_clnt.c b/lib/libssl/src/ssl/s3_clnt.c
index ac1812d857b..f740f7e139d 100644
--- a/lib/libssl/src/ssl/s3_clnt.c
+++ b/lib/libssl/src/ssl/s3_clnt.c
@@ -2046,12 +2046,6 @@ ssl3_send_client_key_exchange(SSL *s)
 p += 2;
 n = RSA_public_encrypt(sizeof tmp_buf, tmp_buf, p, rsa, RSA_PKCS1_PADDING);
-#ifdef PKCS1_CHECK
- if (s->options & SSL_OP_PKCS1_CHECK_1)
- p[1]++;
- if (s->options & SSL_OP_PKCS1_CHECK_2)
- tmp_buf[0] = 0x70;
-#endif
 if (n <= 0) {
 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_BAD_RSA_ENCRYPT);
 goto err;
diff --git a/lib/libssl/src/ssl/ssl.h b/lib/libssl/src/ssl/ssl.h
index 3624bdcccd8..d3c7908a26c 100644
--- a/lib/libssl/src/ssl/ssl.h
+++ b/lib/libssl/src/ssl/ssl.h
@@ -599,14 +599,6 @@ struct ssl_session_st {
 #define SSL_OP_NO_TLSv1_2 0x08000000L
 #define SSL_OP_NO_TLSv1_1 0x10000000L
-/* These next two were never actually used for anything since SSLeay
- * zap so we have some more flags.
- */
-/* The next flag deliberately changes the ciphertest, this is a check
- * for the PKCS#1 attack */
-#define SSL_OP_PKCS1_CHECK_1 0x0
-#define SSL_OP_PKCS1_CHECK_2 0x0
-
 #define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L
 #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L
 /* Make server add server-hello extension from early version of
diff --git a/lib/libssl/src/ssl/ssl_locl.h b/lib/libssl/src/ssl/ssl_locl.h
index ebc942b146f..71dac84dac2 100644
--- a/lib/libssl/src/ssl/ssl_locl.h
+++ b/lib/libssl/src/ssl/ssl_locl.h
@@ -169,8 +169,6 @@
 # define OPENSSL_EXTERN OPENSSL_EXPORT
 #endif
-#undef PKCS1_CHECK
-
 #define c2l(c,l) (l = ((unsigned long)(*((c)++))) , \
 l|=(((unsigned long)(*((c)++)))<< 8), \
 l|=(((unsigned long)(*((c)++)))<<16), \
diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h
index 3624bdcccd8..d3c7908a26c 100644
--- a/lib/libssl/ssl.h
+++ b/lib/libssl/ssl.h
@@ -599,14 +599,6 @@ struct ssl_session_st {
 #define SSL_OP_NO_TLSv1_2 0x08000000L
 #define SSL_OP_NO_TLSv1_1 0x10000000L
-/* These next two were never actually used for anything since SSLeay
- * zap so we have some more flags.
- */
-/* The next flag deliberately changes the ciphertest, this is a check
- * for the PKCS#1 attack */
-#define SSL_OP_PKCS1_CHECK_1 0x0
-#define SSL_OP_PKCS1_CHECK_2 0x0
-
 #define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L
 #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L
 /* Make server add server-hello extension from early version of
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index ebc942b146f..71dac84dac2 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -169,8 +169,6 @@
 # define OPENSSL_EXTERN OPENSSL_EXPORT
 #endif
-#undef PKCS1_CHECK
-
 #define c2l(c,l) (l = ((unsigned long)(*((c)++))) , \
 l|=(((unsigned long)(*((c)++)))<< 8), \
 l|=(((unsigned long)(*((c)++)))<<16), \
--
2.20.1