authorDoug Hogan <doug@cvs.openbsd.org>2015-06-15 05:32:59 +0000
committerDoug Hogan <doug@cvs.openbsd.org>2015-06-15 05:32:59 +0000
commit422b4d9b17b1e070977777cf93a1a4b3e5c2e018 (patch)
tree03e78f79d0f977d563dec295c29df63280250269
parentfb551e2bd5e9c40fe739f2a122d6a54644329e42 (diff)
Remove ancient SSL_OP_NETSCAPE_CA_DN_BUG from SSLeay days.
This commit matches the OpenSSL removal in commit 3c33c6f6b10864355553961e638514a6d1bb00f6. ok deraadt@
-rw-r--r--lib/libssl/d1_srvr.c20
-rw-r--r--lib/libssl/doc/SSL_CTX_set_options.39
-rw-r--r--lib/libssl/s3_clnt.c24
-rw-r--r--lib/libssl/s3_srvr.c20
4 files changed, 20 insertions, 53 deletions
diff --git a/lib/libssl/d1_srvr.c b/lib/libssl/d1_srvr.c
index bd3a8e1a425..42af17e96e7 100644
--- a/lib/libssl/d1_srvr.c
+++ b/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.52 2015/06/13 08:38:10 doug Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.53 2015/06/15 05:32:58 doug Exp $ */
/*
* DTLS implementation written by Nagendra Modadugu
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -1164,20 +1164,10 @@ dtls1_send_certificate_request(SSL *s)
goto err;
}
p = (unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH + n]);
- if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) {
- s2n(j, p);
- i2d_X509_NAME(name, &p);
- n += 2 + j;
- nl += 2 + j;
- } else {
- d = p;
- i2d_X509_NAME(name, &p);
- j -= 2;
- s2n(j, d);
- j += 2;
- n += j;
- nl += j;
- }
+ s2n(j, p);
+ i2d_X509_NAME(name, &p);
+ n += 2 + j;
+ nl += 2 + j;
}
}
/* else no CA names */
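Review bot: The return value of the encoding call `i2d_X509_NAME(name, &p)` is ignored, so the two-byte length written by `s2n(j, p)` is trusted to match the bytes actually emitted; `j` presumably comes from an earlier sizing call above this hunk. Now that only one encoding path remains, the result can be checked cheaply, e.g. `if (i2d_X509_NAME(name, &p) != j) goto err;`, so a failed or short encode cannot yield a CertificateRequest whose DN length prefix disagrees with its payload. It is also worth confirming that `j` cannot exceed 0xffff before `s2n` narrows it to 16 bits. The same four lines are added to ssl3_send_certificate_request in s3_srvr.c and deserve the same check. The enclosing loop and function start and end outside the hunk.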
diff --git a/lib/libssl/doc/SSL_CTX_set_options.3 b/lib/libssl/doc/SSL_CTX_set_options.3
index 8bb22b7cc6d..53a7a6c9c06 100644
--- a/lib/libssl/doc/SSL_CTX_set_options.3
+++ b/lib/libssl/doc/SSL_CTX_set_options.3
@@ -1,5 +1,5 @@
.\"
-.\" $OpenBSD: SSL_CTX_set_options.3,v 1.5 2015/06/15 05:16:56 doug Exp $
+.\" $OpenBSD: SSL_CTX_set_options.3,v 1.6 2015/06/15 05:32:58 doug Exp $
.\"
.Dd $Mdocdate: June 15 2015 $
.Dt SSL_CTX_SET_OPTIONS 3
@@ -192,10 +192,9 @@ When set, the SSLv3/TLSv1 server will choose following its own preferences.
Because of the different protocol, for SSLv2 the server will send its list of
preferences to the client and the client chooses.
.It Dv SSL_OP_NETSCAPE_CA_DN_BUG
-If we accept a netscape connection, demand a client cert, have a
-non-self-signed CA which does not have its CA in netscape, and the browser has
-a cert, it will crash/hang.
-Works for 3.x and 4.xbeta
+As of
+.Ox 5.8 ,
+this option has no effect.
.It Dv SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
As of
.Ox 5.8 ,
diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c
index 8a137056bef..76c0c488c54 100644
--- a/lib/libssl/s3_clnt.c
+++ b/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.111 2015/03/31 13:17:48 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.112 2015/06/15 05:32:58 doug Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1645,8 +1645,6 @@ ssl3_get_certificate_request(SSL *s)
}
n2s(p, l);
if ((l + nc + 2) > llen) {
- if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
- goto cont; /* netscape bugs */
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
SSL_R_CA_DN_TOO_LONG);
@@ -1656,16 +1654,11 @@ ssl3_get_certificate_request(SSL *s)
q = p;
if ((xn = d2i_X509_NAME(NULL, &q, l)) == NULL) {
- /* If netscape tolerance is on, ignore errors */
- if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
- goto cont;
- else {
- ssl3_send_alert(s, SSL3_AL_FATAL,
- SSL_AD_DECODE_ERROR);
- SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
- ERR_R_ASN1_LIB);
- goto err;
- }
+ ssl3_send_alert(s, SSL3_AL_FATAL,
+ SSL_AD_DECODE_ERROR);
+ SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
+ ERR_R_ASN1_LIB);
+ goto err;
}
if (q != (p + l)) {
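Review bot: The error path kept under the `d2i_X509_NAME` failure check still carries the line wrapping of the deeper `else` block it was lifted from. At the new indentation `ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);` fits on one line, as the same call does in the CA-DN length check just above. A short comment would also record the behaviour change for later readers, e.g. `/* A CA DN that fails to parse is always fatal. */`. The function body continues outside the hunk.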
@@ -1684,11 +1677,6 @@ ssl3_get_certificate_request(SSL *s)
nc += l + 2;
}
- if (0) {
-cont:
- ERR_clear_error();
- }
-
/* we should setup a certificate to return.... */
s->s3->tmp.cert_req = 1;
s->s3->tmp.ctype_num = ctype_num;
diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c
index 7b6af070c97..1aa39c28635 100644
--- a/lib/libssl/s3_srvr.c
+++ b/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.105 2015/06/15 05:16:56 doug Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.106 2015/06/15 05:32:58 doug Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1678,20 +1678,10 @@ ssl3_send_certificate_request(SSL *s)
goto err;
}
p = (unsigned char *)&(buf->data[4 + n]);
- if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) {
- s2n(j, p);
- i2d_X509_NAME(name, &p);
- n += 2 + j;
- nl += 2 + j;
- } else {
- d = p;
- i2d_X509_NAME(name, &p);
- j -= 2;
- s2n(j, d);
- j += 2;
- n += j;
- nl += j;
- }
+ s2n(j, p);
+ i2d_X509_NAME(name, &p);
+ n += 2 + j;
+ nl += 2 + j;
}
}
/* else no CA names */