Deprecate RSA_SSLV23_PADDING

[kroeckx]

With the CVE-2021-23839 change, there is at least 1 test suite that starts to fail where it does an encrypt using that padding mode, and then decrypts using the same padding mode. I think that's because of a misunderstanding of how the padding mode is supposed to work, and the error is really what should have happened.

My understanding of it that if you're talking SSLv2, but SSLv3 is supported, you should set that mode. This has as effect that if both sides of a connection use that padding mode, and so support SSLv3, but are talking SSLv2 the connection should fail. If the other doesn't support SSLv3, it would have used the RSA_PKCS1_PADDING padding mode and would not get an error.

[mattcaswell]

My understanding of it that if you're talking SSLv2, but SSLv3 is supported, you should set that mode. This has as effect that if both sides of a connection use that padding mode, and so support SSLv3, but are talking SSLv2 the connection should fail. If the other doesn't support SSLv3, it would have used the RSA_PKCS1_PADDING padding mode and would not get an error.

Your understanding is correct

[kaduk]

I think the pithy answer to "how to use RSA_SSLV23_PADDING" is just "don't", to go along with "don't use SSLv2".

[kroeckx]

I guess we should deprecate that padding mode.

[mcepl]

I think the pithy answer to "how to use RSA_SSLV23_PADDING" is just "don't", to go along with "don't use SSLv2".

Well, my understanding (speaking as the upstream maintainer of M2Crypto, which is the package in question) was that “sslv23” has for long time nothing to do with SSLv2 and it means just “do the best thing possible”. So, the code in question:

    @unittest.skipIf(m2.OPENSSL_VERSION_NUMBER < 0x1010103f,
                         'Relies on fix which happened only in OpenSSL 1.1.1c')
        def test_public_encrypt(self):
            priv = RSA.load_key(self.privkey)
            # pkcs1_padding, pkcs1_oaep_padding
            for padding in self.e_padding_ok:
                p = getattr(RSA, padding)
                ctxt = priv.public_encrypt(self.data, p)
                ptxt = priv.private_decrypt(ctxt, p)
                self.assertEqual(ptxt, self.data)

            # sslv23_padding
            ctxt = priv.public_encrypt(self.data, RSA.sslv23_padding)
            res = priv.private_decrypt(ctxt, RSA.sslv23_padding)
            self.assertEqual(res, self.data)

            # no_padding
            with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'):
                priv.public_encrypt(self.data, RSA.no_padding)

            # Type-check the data to be encrypted.
            with self.assertRaises(TypeError):
                priv.public_encrypt(self.gen_callback, RSA.pkcs1_padding)

does nothing wrong. Does it?

[davidben]

SSLv23_method, SSLv23_client_method, and SSLv23_server_method, in libssl did mean to do SSL/TLS with version negotiation. This was very confusing so it's now TLS_method, etc.

RSA_SSLV23_PADDING is something else entirely and should not be used. Parameter negotiation happens at much much higher level than the internals of the padding, so it wouldn't make sense to "do the best thing possible" here.

[mcepl]

So, what should I do?

[davidben]

What are you trying to do? This padding mode only makes sense as part of an SSLv2 implementation. Unless your goal is to implement SSLv2, don't use it.

[mcepl]

@davidben It should be just simple encrypted-decrypted-text == original-plaintext with different parameters. I have fixed the code above so it shows whole test case.

So, perhaps just that sslv23padding part should go without a replacement?

[t8m]

@mcepl Yes, the simplest and most sane thing is to just delete the testcase with the sslv23_padding.