2 files changed, 5 insertions, 35 deletions

diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index 5f7f2394f7..05f7e21cc9 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.132 2021/09/05 06:16:30 jmc Exp $
+.\" $OpenBSD: openssl.1,v 1.133 2021/10/23 11:36:44 tb Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: September 5 2021 $
+.Dd $Mdocdate: October 23 2021 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -3649,7 +3649,6 @@ or standard output if not specified.
 .It Nm openssl req
 .Bk -words
 .Op Fl addext Ar ext
-.Op Fl asn1-kludge
 .Op Fl batch
 .Op Fl config Ar file
 .Op Fl days Ar n
@@ -3666,7 +3665,6 @@ or standard output if not specified.
 .Op Fl new
 .Op Fl newhdr
 .Op Fl newkey Ar arg
-.Op Fl no-asn1-kludge
 .Op Fl nodes
 .Op Fl noout
 .Op Fl out Ar file
@@ -3705,9 +3703,6 @@ option is present) or certificate request.
 The argument must have the form of a key=value pair as it would appear in a
 config file.
 This option can be given multiple times.
-.It Fl asn1-kludge
-Produce requests in an invalid format for certain picky CAs.
-Very few CAs still require the use of this option.
 .It Fl batch
 Non-interactive mode.
 .It Fl config Ar file
@@ -3819,9 +3814,6 @@ can be omitted,
 in which case any parameters can be specified via the
 .Fl pkeyopt
 option.
-.It Fl no-asn1-kludge
-Reverse the effect of
-.Fl asn1-kludge .
 .It Fl nodes
 Do not encrypt the private key.
 .It Fl noout
diff --git a/src/usr.bin/openssl/req.c b/src/usr.bin/openssl/req.c
index aaf3dceb30..4ab091a097 100644
--- a/src/usr.bin/openssl/req.c
+++ b/src/usr.bin/openssl/req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: req.c,v 1.20 2021/10/22 09:44:30 tb Exp $ */
+/* $OpenBSD: req.c,v 1.21 2021/10/23 11:36:44 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -143,7 +143,6 @@ struct {
         char *keyfile;
         int keyform;
         char *keyout;
-        int kludge;
         int modulus;
         int multirdn;
         int newhdr;
@@ -296,12 +295,6 @@ static const struct option req_options[] = {
                 .opt.argfunc = req_opt_addext,
         },
         {
-                .name = "asn1-kludge",
-                .type = OPTION_VALUE,
-                .opt.value = &req_config.kludge,
-                .value = 1,
-        },
-        {
                 .name = "batch",
                 .desc = "Operate in batch mode",
                 .type = OPTION_FLAG,
@@ -402,12 +395,6 @@ static const struct option req_options[] = {
                 .opt.argfunc = req_opt_newkey,
         },
         {
-                .name = "no-asn1-kludge",
-                .type = OPTION_VALUE,
-                .opt.value = &req_config.kludge,
-                .value = 0,
-        },
-        {
                 .name = "nodes",
                 .desc = "Do not encrypt output private key",
                 .type = OPTION_FLAG,
@@ -544,12 +531,12 @@ static void
 req_usage(void)
 {
         fprintf(stderr,
-            "usage: req [-addext ext] [-asn1-kludge] [-batch] [-config file]\n"
+            "usage: req [-addext ext] [-batch] [-config file]\n"
             "    [-days n] [-extensions section] [-in file]\n"
             "    [-inform der | pem] [-key keyfile] [-keyform der | pem]\n"
             "    [-keyout file] [-md4 | -md5 | -sha1] [-modulus]\n"
             "    [-multivalue-rdn] [-nameopt option] [-new] [-newhdr]\n"
-            "    [-newkey arg] [-no-asn1-kludge] [-nodes] [-noout]\n"
+            "    [-newkey arg] [-nodes] [-noout]\n"
             "    [-out file] [-outform der | pem] [-passin arg]\n"
             "    [-passout arg] [-pkeyopt opt:value] [-pubkey]\n"
             "    [-reqexts section] [-reqopt option] [-set_serial n]\n"
@@ -851,11 +838,6 @@ req_main(int argc, char **argv)
                 BIO_printf(bio_err, "-----\n");
         }
         if (!req_config.newreq) {
-                /*
-                 * Since we are using a pre-existing certificate request, the
-                 * kludge 'format' info should not be changed.
-                 */
-                req_config.kludge = -1;
                 if (req_config.infile == NULL)
                         BIO_set_fp(in, stdin, BIO_NOCLOSE);
                 else {
@@ -890,10 +872,6 @@ req_main(int argc, char **argv)
                         }
                         i = make_REQ(req, pkey, req_config.subj, req_config.multirdn, !req_config.x509, req_config.chtype);
                         req_config.subj = NULL; /* done processing '-subj' option */
-                        if ((req_config.kludge > 0) && !sk_X509_ATTRIBUTE_num(req->req_info->attributes)) {
-                                sk_X509_ATTRIBUTE_free(req->req_info->attributes);
-                                req->req_info->attributes = NULL;
-                        }
                         if (!i) {
                                 BIO_printf(bio_err, "problems making Certificate Request\n");
                                 goto end;