summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authormiod <>2014-04-23 22:26:26 +0000
committermiod <>2014-04-23 22:26:26 +0000
commit57f363f2f8ca275d715c73b6a4af0dadbc19d804 (patch)
treefdc347c1b6ae5bb862c0b018453022fe0225f681
parent7aa32b6e8c2f36d05bd2d61063dbe667bb62842a (diff)
downloadopenbsd-57f363f2f8ca275d715c73b6a4af0dadbc19d804.tar.gz
openbsd-57f363f2f8ca275d715c73b6a4af0dadbc19d804.tar.bz2
openbsd-57f363f2f8ca275d715c73b6a4af0dadbc19d804.zip
Unifdef -UPKCS1_CHECK and remove SSL_OP_PKCS1_CHECK_[12], this is leftover
``debug'' code from a 15+ years old bugfix and the SSL_OP_PKCS1_CHECK_* constants have had a value of zero since ages. No production code should use them. ok beck@
Diffstat
-rw-r--r--src/lib/libcrypto/rsa/rsa_pk1.c3
-rw-r--r--src/lib/libssl/d1_clnt.c6
-rw-r--r--src/lib/libssl/s3_clnt.c6
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_pk1.c3
-rw-r--r--src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod8
-rw-r--r--src/lib/libssl/src/ssl/d1_clnt.c6
-rw-r--r--src/lib/libssl/src/ssl/s3_clnt.c6
-rw-r--r--src/lib/libssl/src/ssl/ssl.h8
-rw-r--r--src/lib/libssl/src/ssl/ssl_locl.h2
-rw-r--r--src/lib/libssl/ssl.h8
-rw-r--r--src/lib/libssl/ssl_locl.h2
11 files changed, 0 insertions, 58 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_pk1.c b/src/lib/libcrypto/rsa/rsa_pk1.c
index 8560755f1d..9eabb4fc92 100644
--- a/src/lib/libcrypto/rsa/rsa_pk1.c
+++ b/src/lib/libcrypto/rsa/rsa_pk1.c
@@ -190,9 +190,6 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
190 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BLOCK_TYPE_IS_NOT_02); 190 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BLOCK_TYPE_IS_NOT_02);
191 return(-1); 191 return(-1);
192 } 192 }
193#ifdef PKCS1_CHECK
194 return(num-11);
195#endif
196 193
197 /* scan over padding data */ 194 /* scan over padding data */
198 j=flen-1; /* one for type. */ 195 j=flen-1; /* one for type. */
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index cf9bc2d33e..38118b1385 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -975,12 +975,6 @@ dtls1_send_client_key_exchange(SSL *s)
975 p += 2; 975 p += 2;
976 n = RSA_public_encrypt(sizeof tmp_buf, 976 n = RSA_public_encrypt(sizeof tmp_buf,
977 tmp_buf, p, rsa, RSA_PKCS1_PADDING); 977 tmp_buf, p, rsa, RSA_PKCS1_PADDING);
978#ifdef PKCS1_CHECK
979 if (s->options & SSL_OP_PKCS1_CHECK_1)
980 p[1]++;
981 if (s->options & SSL_OP_PKCS1_CHECK_2)
982 tmp_buf[0] = 0x70;
983#endif
984 if (n <= 0) { 978 if (n <= 0) {
985 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, SSL_R_BAD_RSA_ENCRYPT); 979 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, SSL_R_BAD_RSA_ENCRYPT);
986 goto err; 980 goto err;
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index ac1812d857..f740f7e139 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -2046,12 +2046,6 @@ ssl3_send_client_key_exchange(SSL *s)
2046 p += 2; 2046 p += 2;
2047 n = RSA_public_encrypt(sizeof tmp_buf, 2047 n = RSA_public_encrypt(sizeof tmp_buf,
2048 tmp_buf, p, rsa, RSA_PKCS1_PADDING); 2048 tmp_buf, p, rsa, RSA_PKCS1_PADDING);
2049#ifdef PKCS1_CHECK
2050 if (s->options & SSL_OP_PKCS1_CHECK_1)
2051 p[1]++;
2052 if (s->options & SSL_OP_PKCS1_CHECK_2)
2053 tmp_buf[0] = 0x70;
2054#endif
2055 if (n <= 0) { 2049 if (n <= 0) {
2056 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_BAD_RSA_ENCRYPT); 2050 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_BAD_RSA_ENCRYPT);
2057 goto err; 2051 goto err;
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_pk1.c b/src/lib/libssl/src/crypto/rsa/rsa_pk1.c
index 8560755f1d..9eabb4fc92 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_pk1.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_pk1.c
@@ -190,9 +190,6 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
190 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BLOCK_TYPE_IS_NOT_02); 190 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BLOCK_TYPE_IS_NOT_02);
191 return(-1); 191 return(-1);
192 } 192 }
193#ifdef PKCS1_CHECK
194 return(num-11);
195#endif
196 193
197 /* scan over padding data */ 194 /* scan over padding data */
198 j=flen-1; /* one for type. */ 195 j=flen-1; /* one for type. */
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
index 43f5514cc1..935c9cd09b 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
@@ -170,14 +170,6 @@ preferences. When set, the SSLv3/TLSv1 server will choose following its
170own preferences. Because of the different protocol, for SSLv2 the server 170own preferences. Because of the different protocol, for SSLv2 the server
171will send its list of preferences to the client and the client chooses. 171will send its list of preferences to the client and the client chooses.
172 172
173=item SSL_OP_PKCS1_CHECK_1
174
175...
176
177=item SSL_OP_PKCS1_CHECK_2
178
179...
180
181=item SSL_OP_NETSCAPE_CA_DN_BUG 173=item SSL_OP_NETSCAPE_CA_DN_BUG
182 174
183If we accept a netscape connection, demand a client cert, have a 175If we accept a netscape connection, demand a client cert, have a
diff --git a/src/lib/libssl/src/ssl/d1_clnt.c b/src/lib/libssl/src/ssl/d1_clnt.c
index cf9bc2d33e..38118b1385 100644
--- a/src/lib/libssl/src/ssl/d1_clnt.c
+++ b/src/lib/libssl/src/ssl/d1_clnt.c
@@ -975,12 +975,6 @@ dtls1_send_client_key_exchange(SSL *s)
975 p += 2; 975 p += 2;
976 n = RSA_public_encrypt(sizeof tmp_buf, 976 n = RSA_public_encrypt(sizeof tmp_buf,
977 tmp_buf, p, rsa, RSA_PKCS1_PADDING); 977 tmp_buf, p, rsa, RSA_PKCS1_PADDING);
978#ifdef PKCS1_CHECK
979 if (s->options & SSL_OP_PKCS1_CHECK_1)
980 p[1]++;
981 if (s->options & SSL_OP_PKCS1_CHECK_2)
982 tmp_buf[0] = 0x70;
983#endif
984 if (n <= 0) { 978 if (n <= 0) {
985 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, SSL_R_BAD_RSA_ENCRYPT); 979 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, SSL_R_BAD_RSA_ENCRYPT);
986 goto err; 980 goto err;
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index ac1812d857..f740f7e139 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -2046,12 +2046,6 @@ ssl3_send_client_key_exchange(SSL *s)
2046 p += 2; 2046 p += 2;
2047 n = RSA_public_encrypt(sizeof tmp_buf, 2047 n = RSA_public_encrypt(sizeof tmp_buf,
2048 tmp_buf, p, rsa, RSA_PKCS1_PADDING); 2048 tmp_buf, p, rsa, RSA_PKCS1_PADDING);
2049#ifdef PKCS1_CHECK
2050 if (s->options & SSL_OP_PKCS1_CHECK_1)
2051 p[1]++;
2052 if (s->options & SSL_OP_PKCS1_CHECK_2)
2053 tmp_buf[0] = 0x70;
2054#endif
2055 if (n <= 0) { 2049 if (n <= 0) {
2056 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_BAD_RSA_ENCRYPT); 2050 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_BAD_RSA_ENCRYPT);
2057 goto err; 2051 goto err;
diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h
index 3624bdcccd..d3c7908a26 100644
--- a/src/lib/libssl/src/ssl/ssl.h
+++ b/src/lib/libssl/src/ssl/ssl.h
@@ -599,14 +599,6 @@ struct ssl_session_st {
599#define SSL_OP_NO_TLSv1_2 0x08000000L 599#define SSL_OP_NO_TLSv1_2 0x08000000L
600#define SSL_OP_NO_TLSv1_1 0x10000000L 600#define SSL_OP_NO_TLSv1_1 0x10000000L
601 601
602/* These next two were never actually used for anything since SSLeay
603 * zap so we have some more flags.
604 */
605/* The next flag deliberately changes the ciphertest, this is a check
606 * for the PKCS#1 attack */
607#define SSL_OP_PKCS1_CHECK_1 0x0
608#define SSL_OP_PKCS1_CHECK_2 0x0
609
610#define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L 602#define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L
611#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L 603#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L
612/* Make server add server-hello extension from early version of 604/* Make server add server-hello extension from early version of
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h
index ebc942b146..71dac84dac 100644
--- a/src/lib/libssl/src/ssl/ssl_locl.h
+++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -169,8 +169,6 @@
169# define OPENSSL_EXTERN OPENSSL_EXPORT 169# define OPENSSL_EXTERN OPENSSL_EXPORT
170#endif 170#endif
171 171
172#undef PKCS1_CHECK
173
174#define c2l(c,l) (l = ((unsigned long)(*((c)++))) , \ 172#define c2l(c,l) (l = ((unsigned long)(*((c)++))) , \
175 l|=(((unsigned long)(*((c)++)))<< 8), \ 173 l|=(((unsigned long)(*((c)++)))<< 8), \
176 l|=(((unsigned long)(*((c)++)))<<16), \ 174 l|=(((unsigned long)(*((c)++)))<<16), \
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 3624bdcccd..d3c7908a26 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -599,14 +599,6 @@ struct ssl_session_st {
599#define SSL_OP_NO_TLSv1_2 0x08000000L 599#define SSL_OP_NO_TLSv1_2 0x08000000L
600#define SSL_OP_NO_TLSv1_1 0x10000000L 600#define SSL_OP_NO_TLSv1_1 0x10000000L
601 601
602/* These next two were never actually used for anything since SSLeay
603 * zap so we have some more flags.
604 */
605/* The next flag deliberately changes the ciphertest, this is a check
606 * for the PKCS#1 attack */
607#define SSL_OP_PKCS1_CHECK_1 0x0
608#define SSL_OP_PKCS1_CHECK_2 0x0
609
610#define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L 602#define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L
611#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L 603#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L
612/* Make server add server-hello extension from early version of 604/* Make server add server-hello extension from early version of
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index ebc942b146..71dac84dac 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -169,8 +169,6 @@
169# define OPENSSL_EXTERN OPENSSL_EXPORT 169# define OPENSSL_EXTERN OPENSSL_EXPORT
170#endif 170#endif
171 171
172#undef PKCS1_CHECK
173
174#define c2l(c,l) (l = ((unsigned long)(*((c)++))) , \ 172#define c2l(c,l) (l = ((unsigned long)(*((c)++))) , \
175 l|=(((unsigned long)(*((c)++)))<< 8), \ 173 l|=(((unsigned long)(*((c)++)))<< 8), \
176 l|=(((unsigned long)(*((c)++)))<<16), \ 174 l|=(((unsigned long)(*((c)++)))<<16), \
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-22 03:52:45 +0000