In the old days (not in this century), SSLeay 0.4.5 would create X.509 RSA

signatures using the wrong oid for the signature type. The signature
verification code has thus been modified to allow these signatures to be
accepted, with a printf to stderr to notify the user something was fishy.

Remove this chunk; these signatures will no longer get accepted.
ok deraadt@ guenther@ jsing@ tedu@

2 files changed, 6 insertions, 28 deletions

diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c
index 239435fe91..9718589be7 100644
--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ b/src/lib/libcrypto/rsa/rsa_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_sign.c,v 1.18 2014/07/09 08:20:08 miod Exp $ */
+/* $OpenBSD: rsa_sign.c,v 1.19 2014/07/09 09:04:14 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -223,19 +223,8 @@ int_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len,
                 sigtype = OBJ_obj2nid(sig->algor->algorithm);
 
                 if (sigtype != dtype) {
-                        if ((dtype == NID_md5 &&
-                             sigtype == NID_md5WithRSAEncryption) ||
-                            (dtype == NID_md2 &&
-                             sigtype == NID_md2WithRSAEncryption)) {
-                                /* ok, we will let it through */
-                                fprintf(stderr,
-                                    "signature has problems, "
-                                    "re-make with post SSLeay045\n");
-                        } else {
-                                RSAerr(RSA_F_INT_RSA_VERIFY,
-                                    RSA_R_ALGORITHM_MISMATCH);
-                                goto err;
-                        }
+                        RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_ALGORITHM_MISMATCH);
+                        goto err;
                 }
                 if (rm) {
                         const EVP_MD *md;
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_sign.c b/src/lib/libssl/src/crypto/rsa/rsa_sign.c
index 239435fe91..9718589be7 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_sign.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_sign.c,v 1.18 2014/07/09 08:20:08 miod Exp $ */
+/* $OpenBSD: rsa_sign.c,v 1.19 2014/07/09 09:04:14 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -223,19 +223,8 @@ int_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len,
                 sigtype = OBJ_obj2nid(sig->algor->algorithm);
 
                 if (sigtype != dtype) {
-                        if ((dtype == NID_md5 &&
-                             sigtype == NID_md5WithRSAEncryption) ||
-                            (dtype == NID_md2 &&
-                             sigtype == NID_md2WithRSAEncryption)) {
-                                /* ok, we will let it through */
-                                fprintf(stderr,
-                                    "signature has problems, "
-                                    "re-make with post SSLeay045\n");
-                        } else {
-                                RSAerr(RSA_F_INT_RSA_VERIFY,
-                                    RSA_R_ALGORITHM_MISMATCH);
-                                goto err;
-                        }
+                        RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_ALGORITHM_MISMATCH);
+                        goto err;
                 }
                 if (rm) {
                         const EVP_MD *md;