Remove RSA_SSLV23_PADDING.

It's unused with SSLv2 gone. Also, being a decryption padding check, it really should be constant-time and isn't. Change-Id: I96be02cb50f9bf0229b9174eccd80fa338bf8e3e Reviewed-on: https://boringssl-review.googlesource.com/1254 Reviewed-by: Adam Langley <agl@google.com>
10 years ago · e14dcc45e8
--- a/crypto/evp/p_rsa.c
+++ b/crypto/evp/p_rsa.c
@@ -361,7 +361,6 @@ static int check_padding_md(const EVP_MD *md, int padding) {
 static int is_known_padding(int padding_mode) {
  switch (padding_mode) {
    case RSA_PKCS1_PADDING:
    case RSA_SSLV23_PADDING:
    case RSA_NO_PADDING:
    case RSA_PKCS1_OAEP_PADDING:
    case RSA_PKCS1_PSS_PADDING:
--- a/crypto/rsa/internal.h
+++ b/crypto/rsa/internal.h
@@ -108,10 +108,6 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *to, unsigned to_len,
                                      const uint8_t *from, unsigned from_len,
                                      const uint8_t *param, unsigned plen,
                                      const EVP_MD *md, const EVP_MD *mgf1md);
 int RSA_padding_add_SSLv23(uint8_t *to, unsigned to_len, const uint8_t *from,
                           unsigned from_len);
 int RSA_padding_check_SSLv23(uint8_t *to, unsigned to_len, const uint8_t *from,
                             unsigned from_len);
 int RSA_padding_add_none(uint8_t *to, unsigned to_len, const uint8_t *from,
                         unsigned from_len);
 int RSA_padding_check_none(uint8_t *to, unsigned to_len, const uint8_t *from,
--- a/crypto/rsa/padding.c
+++ b/crypto/rsa/padding.c
@@ -301,105 +301,6 @@ int RSA_padding_check_none(uint8_t *to, unsigned tlen, const uint8_t *from,
  return flen;
 }

 int RSA_padding_add_SSLv23(uint8_t *to, unsigned tlen, const uint8_t *from,
                           unsigned flen) {
  unsigned i, j;
  uint8_t *p;

  if (tlen < RSA_PKCS1_PADDING_SIZE) {
    OPENSSL_PUT_ERROR(RSA, RSA_padding_add_PKCS1_type_2,
                      RSA_R_KEY_SIZE_TOO_SMALL);
    return 0;
  }

  if (flen > tlen - RSA_PKCS1_PADDING_SIZE) {
    OPENSSL_PUT_ERROR(RSA, RSA_padding_add_SSLv23,
                      RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
    return 0;
  }

  p = to;

  *(p++) = 0;
  *(p++) = 2; /* Public Key BT (Block Type) */

  /* pad out with non-zero random data */
  j = tlen - 3 - 8 - flen;

  if (RAND_pseudo_bytes(p, j) <= 0) {
    return 0;
  }

  for (i = 0; i < j; i++) {
    while (*p == '\0') {
      if (RAND_pseudo_bytes(p, 1) <= 0)
        return 0;
    }
    p++;
  }

  memset(p, 3, 8);
  p += 8;
  *(p++) = '\0';

  memcpy(p, from, flen);
  return 1;
 }

 int RSA_padding_check_SSLv23(uint8_t *to, unsigned tlen, const uint8_t *from,
                             unsigned flen) {
  unsigned i, j;
  int k;
  const uint8_t *p;

  p = from;
  if (flen < 10) {
    OPENSSL_PUT_ERROR(RSA, RSA_padding_check_SSLv23, RSA_R_DATA_TOO_SMALL);
    return -1;
  }
  if ((*(p++) != 0) || (*(p++) != 2)) {
    OPENSSL_PUT_ERROR(RSA, RSA_padding_check_SSLv23,
                      RSA_R_BLOCK_TYPE_IS_NOT_02);
    return -1;
  }

  /* scan over padding data */
  j = flen - 2; /* one for leading 00, one for type */
  for (i = 0; i < j; i++) {
    if (*(p++) == 0) {
      break;
    }
  }

  if (i == j || i < 8) {
    OPENSSL_PUT_ERROR(RSA, RSA_padding_check_SSLv23,
                      RSA_R_NULL_BEFORE_BLOCK_MISSING);
    return -1;
  }

  for (k = -9; k < -1; k++) {
    if (p[k] != 0x03) {
      break;
    }
  }

  if (k == -1) {
    OPENSSL_PUT_ERROR(RSA, RSA_padding_check_SSLv23,
                      RSA_R_SSLV3_ROLLBACK_ATTACK);
    return -1;
  }

  i++; /* Skip over the '\0' */
  j -= i;
  if (j > tlen) {
    OPENSSL_PUT_ERROR(RSA, RSA_padding_check_SSLv23, RSA_R_DATA_TOO_LARGE);
    return -1;
  }
  memcpy(to, p, j);

  return j;
 }

 int PKCS1_MGF1(uint8_t *mask, unsigned len, const uint8_t *seed,
               unsigned seedlen, const EVP_MD *dgst) {
  unsigned outlen = 0;
--- a/crypto/rsa/rsa_impl.c
+++ b/crypto/rsa/rsa_impl.c
@@ -140,9 +140,6 @@ static int encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
      i = RSA_padding_add_PKCS1_OAEP_mgf1(buf, rsa_size, in, in_len,
                                          NULL, 0, NULL, NULL);
      break;
    case RSA_SSLV23_PADDING:
      i = RSA_padding_add_SSLv23(buf, rsa_size, in, in_len);
      break;
    case RSA_NO_PADDING:
      i = RSA_padding_add_none(buf, rsa_size, in, in_len);
      break;
@@ -550,9 +547,6 @@ static int decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
      r = RSA_padding_check_PKCS1_OAEP_mgf1(out, rsa_size, buf, rsa_size,
                                            NULL, 0, NULL, NULL);
      break;
    case RSA_SSLV23_PADDING:
      r = RSA_padding_check_SSLv23(out, rsa_size, buf, rsa_size);
      break;
    case RSA_NO_PADDING:
      r = RSA_padding_check_none(out, rsa_size, buf, rsa_size);
      break;
--- a/include/openssl/rsa.h
+++ b/include/openssl/rsa.h
@@ -101,7 +101,6 @@ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);

 /* Padding types for encryption. */
 #define RSA_PKCS1_PADDING 1
 #define RSA_SSLV23_PADDING 2
 #define RSA_NO_PADDING 3
 #define RSA_PKCS1_OAEP_PADDING 4
 /* RSA_PKCS1_PSS_PADDING can only be used via the EVP interface. */