authordoug <>2015-06-15 05:32:58 +0000
committerdoug <>2015-06-15 05:32:58 +0000
commitb5c7960f11d2b64faae5154f9709f34d00462124 (patch)
tree48e9bd19ccb5bd20c0b80b96fa9a62b66846edb4
parent6e37f91580bf8e077c11c85155cef0381d8ef35c (diff)
Remove ancient SSL_OP_NETSCAPE_CA_DN_BUG from SSLeay days.
This commit matches the OpenSSL removal in commit 3c33c6f6b10864355553961e638514a6d1bb00f6. ok deraadt@
-rw-r--r--src/lib/libssl/d1_srvr.c20
-rw-r--r--src/lib/libssl/doc/SSL_CTX_set_options.39
-rw-r--r--src/lib/libssl/s3_clnt.c24
-rw-r--r--src/lib/libssl/s3_srvr.c20
-rw-r--r--src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.39
-rw-r--r--src/lib/libssl/src/ssl/d1_srvr.c20
-rw-r--r--src/lib/libssl/src/ssl/s3_clnt.c24
-rw-r--r--src/lib/libssl/src/ssl/s3_srvr.c20
8 files changed, 40 insertions, 106 deletions
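--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.52 2015/06/13 08:38:10 doug Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.53 2015/06/15 05:32:58 doug Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -1164,20 +1164,10 @@ dtls1_send_certificate_request(SSL *s)
 goto err;
 }
 p = (unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH + n]);
-if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) {
-s2n(j, p);
-i2d_X509_NAME(name, &p);
-n += 2 + j;
-nl += 2 + j;
-} else {
-d = p;
-i2d_X509_NAME(name, &p);
-j -= 2;
-s2n(j, d);
-j += 2;
-n += j;
-nl += j;
-}
+s2n(j, p);
+i2d_X509_NAME(name, &p);
+n += 2 + j;
+nl += 2 + j;
 }
 }
 /* else no CA names */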
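Review bot: The return value of `i2d_X509_NAME(name, &p)` at new line 1168 is still discarded, and `n` and `nl` are then advanced by `2 + j` regardless of how many bytes were actually written, so the two-byte length prefix written by `s2n(j, p)` can only be trusted if the encoder produced exactly `j` bytes. If `j` is the result of an earlier sizing call (outside the hunk) the two should agree, but a guard makes that explicit and keeps the message consistent on failure: `if (i2d_X509_NAME(name, &p) != j) goto err;` in place of the bare call. The same pattern remains in ssl3_send_certificate_request in s3_srvr.c and in the src/ssl copies of both files. dtls1_send_certificate_request starts and ends outside the hunk.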
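--- a/src/lib/libssl/doc/SSL_CTX_set_options.3
+++ b/src/lib/libssl/doc/SSL_CTX_set_options.3
@@ -1,5 +1,5 @@
 .\"
-.\" $OpenBSD: SSL_CTX_set_options.3,v 1.5 2015/06/15 05:16:56 doug Exp $
+.\" $OpenBSD: SSL_CTX_set_options.3,v 1.6 2015/06/15 05:32:58 doug Exp $
 .\"
 .Dd $Mdocdate: June 15 2015 $
 .Dt SSL_CTX_SET_OPTIONS 3
@@ -192,10 +192,9 @@ When set, the SSLv3/TLSv1 server will choose following its own preferences.
 Because of the different protocol, for SSLv2 the server will send its list of
 preferences to the client and the client chooses.
 .It Dv SSL_OP_NETSCAPE_CA_DN_BUG
-If we accept a netscape connection, demand a client cert, have a
-non-self-signed CA which does not have its CA in netscape, and the browser has
-a cert, it will crash/hang.
-Works for 3.x and 4.xbeta
+As of
+.Ox 5.8 ,
+this option has no effect.
 .It Dv SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
 As of
 .Ox 5.8 ,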
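--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.111 2015/03/31 13:17:48 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.112 2015/06/15 05:32:58 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1645,8 +1645,6 @@ ssl3_get_certificate_request(SSL *s)
 }
 n2s(p, l);
 if ((l + nc + 2) > llen) {
-if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
-goto cont; /* netscape bugs */
 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
 SSL_R_CA_DN_TOO_LONG);
@@ -1656,16 +1654,11 @@ ssl3_get_certificate_request(SSL *s)
 q = p;
 
 if ((xn = d2i_X509_NAME(NULL, &q, l)) == NULL) {
-/* If netscape tolerance is on, ignore errors */
-if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
-goto cont;
-else {
-ssl3_send_alert(s, SSL3_AL_FATAL,
-SSL_AD_DECODE_ERROR);
-SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
-ERR_R_ASN1_LIB);
-goto err;
-}
+ssl3_send_alert(s, SSL3_AL_FATAL,
+SSL_AD_DECODE_ERROR);
+SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
+ERR_R_ASN1_LIB);
+goto err;
 }
 
 if (q != (p + l)) {
@@ -1684,11 +1677,6 @@ ssl3_get_certificate_request(SSL *s)
 nc += l + 2;
 }
 
-if (0) {
-cont:
-ERR_clear_error();
-}
-
 /* we should setup a certificate to return.... */
 s->s3->tmp.cert_req = 1;
 s->s3->tmp.ctype_num = ctype_num;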
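Review bot: The fatal path at new lines 1657-1660 keeps the line wrapping it had one nesting level deeper inside the removed `else`; at its new depth `ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);` appears to fit on one line, exactly as the same call at 1648 in the previous hunk already does, and joining it keeps the two decode-error paths visually parallel. The `SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB);` call below it is likely still too long and can stay wrapped. The same applies to the src/ssl/s3_clnt.c copy. ssl3_get_certificate_request starts and ends outside the hunk.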
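--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.105 2015/06/15 05:16:56 doug Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.106 2015/06/15 05:32:58 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1678,20 +1678,10 @@ ssl3_send_certificate_request(SSL *s)
 goto err;
 }
 p = (unsigned char *)&(buf->data[4 + n]);
-if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) {
-s2n(j, p);
-i2d_X509_NAME(name, &p);
-n += 2 + j;
-nl += 2 + j;
-} else {
-d = p;
-i2d_X509_NAME(name, &p);
-j -= 2;
-s2n(j, d);
-j += 2;
-n += j;
-nl += j;
-}
+s2n(j, p);
+i2d_X509_NAME(name, &p);
+n += 2 + j;
+nl += 2 + j;
 }
 }
 /* else no CA names */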
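--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3
@@ -1,5 +1,5 @@
 .\"
-.\" $OpenBSD: SSL_CTX_set_options.3,v 1.5 2015/06/15 05:16:56 doug Exp $
+.\" $OpenBSD: SSL_CTX_set_options.3,v 1.6 2015/06/15 05:32:58 doug Exp $
 .\"
 .Dd $Mdocdate: June 15 2015 $
 .Dt SSL_CTX_SET_OPTIONS 3
@@ -192,10 +192,9 @@ When set, the SSLv3/TLSv1 server will choose following its own preferences.
 Because of the different protocol, for SSLv2 the server will send its list of
 preferences to the client and the client chooses.
 .It Dv SSL_OP_NETSCAPE_CA_DN_BUG
-If we accept a netscape connection, demand a client cert, have a
-non-self-signed CA which does not have its CA in netscape, and the browser has
-a cert, it will crash/hang.
-Works for 3.x and 4.xbeta
+As of
+.Ox 5.8 ,
+this option has no effect.
 .It Dv SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
 As of
 .Ox 5.8 ,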
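--- a/src/lib/libssl/src/ssl/d1_srvr.c
+++ b/src/lib/libssl/src/ssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.52 2015/06/13 08:38:10 doug Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.53 2015/06/15 05:32:58 doug Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -1164,20 +1164,10 @@ dtls1_send_certificate_request(SSL *s)
 goto err;
 }
 p = (unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH + n]);
-if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) {
-s2n(j, p);
-i2d_X509_NAME(name, &p);
-n += 2 + j;
-nl += 2 + j;
-} else {
-d = p;
-i2d_X509_NAME(name, &p);
-j -= 2;
-s2n(j, d);
-j += 2;
-n += j;
-nl += j;
-}
+s2n(j, p);
+i2d_X509_NAME(name, &p);
+n += 2 + j;
+nl += 2 + j;
 }
 }
 /* else no CA names */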
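--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.111 2015/03/31 13:17:48 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.112 2015/06/15 05:32:58 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1645,8 +1645,6 @@ ssl3_get_certificate_request(SSL *s)
 }
 n2s(p, l);
 if ((l + nc + 2) > llen) {
-if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
-goto cont; /* netscape bugs */
 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
 SSL_R_CA_DN_TOO_LONG);
@@ -1656,16 +1654,11 @@ ssl3_get_certificate_request(SSL *s)
 q = p;
 
 if ((xn = d2i_X509_NAME(NULL, &q, l)) == NULL) {
-/* If netscape tolerance is on, ignore errors */
-if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
-goto cont;
-else {
-ssl3_send_alert(s, SSL3_AL_FATAL,
-SSL_AD_DECODE_ERROR);
-SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
-ERR_R_ASN1_LIB);
-goto err;
-}
+ssl3_send_alert(s, SSL3_AL_FATAL,
+SSL_AD_DECODE_ERROR);
+SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
+ERR_R_ASN1_LIB);
+goto err;
 }
 
 if (q != (p + l)) {
@@ -1684,11 +1677,6 @@ ssl3_get_certificate_request(SSL *s)
 nc += l + 2;
 }
 
-if (0) {
-cont:
-ERR_clear_error();
-}
-
 /* we should setup a certificate to return.... */
 s->s3->tmp.cert_req = 1;
 s->s3->tmp.ctype_num = ctype_num;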
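--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.105 2015/06/15 05:16:56 doug Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.106 2015/06/15 05:32:58 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1678,20 +1678,10 @@ ssl3_send_certificate_request(SSL *s)
 goto err;
 }
 p = (unsigned char *)&(buf->data[4 + n]);
-if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) {
-s2n(j, p);
-i2d_X509_NAME(name, &p);
-n += 2 + j;
-nl += 2 + j;
-} else {
-d = p;
-i2d_X509_NAME(name, &p);
-j -= 2;
-s2n(j, d);
-j += 2;
-n += j;
-nl += j;
-}
+s2n(j, p);
+i2d_X509_NAME(name, &p);
+n += 2 + j;
+nl += 2 + j;
 }
 }
 /* else no CA names */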