From b5c7960f11d2b64faae5154f9709f34d00462124 Mon Sep 17 00:00:00 2001
From: doug <>
Date: Mon, 15 Jun 2015 05:32:58 +0000
Subject: Remove ancient SSL_OP_NETSCAPE_CA_DN_BUG from SSLeay days.
This commit matches the OpenSSL removal in commit 3c33c6f6b10864355553961e638514a6d1bb00f6.
ok deraadt@
---
 src/lib/libssl/d1_srvr.c | 20 +++++---------------
 src/lib/libssl/doc/SSL_CTX_set_options.3 | 9 ++++-----
 src/lib/libssl/s3_clnt.c | 24 ++++++------------------
 src/lib/libssl/s3_srvr.c | 20 +++++---------------
 src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3 | 9 ++++-----
 src/lib/libssl/src/ssl/d1_srvr.c | 20 +++++---------------
 src/lib/libssl/src/ssl/s3_clnt.c | 24 ++++++------------------
 src/lib/libssl/src/ssl/s3_srvr.c | 20 +++++---------------
 8 files changed, 40 insertions(+), 106 deletions(-)
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index bd3a8e1a42..42af17e96e 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.52 2015/06/13 08:38:10 doug Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.53 2015/06/15 05:32:58 doug Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -1164,20 +1164,10 @@ dtls1_send_certificate_request(SSL *s)
 goto err;
 }
 p = (unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH + n]);
- if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) {
- s2n(j, p);
- i2d_X509_NAME(name, &p);
- n += 2 + j;
- nl += 2 + j;
- } else {
- d = p;
- i2d_X509_NAME(name, &p);
- j -= 2;
- s2n(j, d);
- j += 2;
- n += j;
- nl += j;
- }
+ s2n(j, p);
+ i2d_X509_NAME(name, &p);
+ n += 2 + j;
+ nl += 2 + j;
 }
 }
 /* else no CA names */
diff --git a/src/lib/libssl/doc/SSL_CTX_set_options.3 b/src/lib/libssl/doc/SSL_CTX_set_options.3
index 8bb22b7cc6..53a7a6c9c0 100644
--- a/src/lib/libssl/doc/SSL_CTX_set_options.3
+++ b/src/lib/libssl/doc/SSL_CTX_set_options.3
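Review bot: The kept branch still discards the return value of `i2d_X509_NAME(name, &p)`, so the two-byte length that `s2n(j, p)` writes just before it is trusted from whatever sized `j` earlier (presumably a sizing call outside the hunk) rather than from the bytes actually emitted into `buf`. Reusing the error path already visible in the hunk, `if (i2d_X509_NAME(name, &p) != j) goto err;` keeps the length prefix and the encoded name in step at no real cost. The same four new lines land in ssl3_send_certificate_request in s3_srvr.c and in the src/ssl copies of both files, so the check belongs in all four places. dtls1_send_certificate_request starts and ends outside the hunk.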
@@ -1,5 +1,5 @@
 .\"
-.\" $OpenBSD: SSL_CTX_set_options.3,v 1.5 2015/06/15 05:16:56 doug Exp $
+.\" $OpenBSD: SSL_CTX_set_options.3,v 1.6 2015/06/15 05:32:58 doug Exp $
 .\"
 .Dd $Mdocdate: June 15 2015 $
 .Dt SSL_CTX_SET_OPTIONS 3
@@ -192,10 +192,9 @@ When set, the SSLv3/TLSv1 server will choose following its own preferences. Because of the different protocol, for SSLv2 the server will send its list of preferences to the client and the client chooses.
 .It Dv SSL_OP_NETSCAPE_CA_DN_BUG
-If we accept a netscape connection, demand a client cert, have a
-non-self-signed CA which does not have its CA in netscape, and the browser has
-a cert, it will crash/hang.
-Works for 3.x and 4.xbeta
+As of
+.Ox 5.8 ,
+this option has no effect.
 .It Dv SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
 As of
 .Ox 5.8 ,
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 8a137056be..76c0c488c5 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.111 2015/03/31 13:17:48 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.112 2015/06/15 05:32:58 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1645,8 +1645,6 @@ ssl3_get_certificate_request(SSL *s)
 }
 n2s(p, l);
 if ((l + nc + 2) > llen) {
- if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
- goto cont; /* netscape bugs */
 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
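Review bot: With the `goto cont` removed, an over-long CA DN in the CertificateRequest is always answered with the fatal decode_error alert, which is the right fail-closed outcome, but the diffstat touches no header, so `SSL_OP_NETSCAPE_CA_DN_BUG` presumably stays defined and SSL_CTX_set_options will keep accepting it as a silent no-op; the man-page hunk documents that, and a tree-wide grep for any remaining reader of the bit is worth doing before landing. The same removal is made at -1656 and -1684 below and in the src/ssl/s3_clnt.c copy. ssl3_get_certificate_request starts and ends outside the hunk.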
@@ -1656,16 +1654,11 @@ ssl3_get_certificate_request(SSL *s)
 q = p;
 if ((xn = d2i_X509_NAME(NULL, &q, l)) == NULL) {
- /* If netscape tolerance is on, ignore errors */
- if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
- goto cont;
- else {
- ssl3_send_alert(s, SSL3_AL_FATAL,
- SSL_AD_DECODE_ERROR);
- SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
- ERR_R_ASN1_LIB);
- goto err;
- }
+ ssl3_send_alert(s, SSL3_AL_FATAL,
+ SSL_AD_DECODE_ERROR);
+ SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
+ ERR_R_ASN1_LIB);
+ goto err;
 }
 if (q != (p + l)) {
@@ -1684,11 +1677,6 @@ ssl3_get_certificate_request(SSL *s)
 nc += l + 2;
 }
- if (0) {
-cont:
- ERR_clear_error();
- }
- /* we should setup a certificate to return.... */
 s->s3->tmp.cert_req = 1;
 s->s3->tmp.ctype_num = ctype_num;
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 7b6af070c9..1aa39c2863 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.105 2015/06/15 05:16:56 doug Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.106 2015/06/15 05:32:58 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1678,20 +1678,10 @@ ssl3_send_certificate_request(SSL *s)
 goto err;
 }
 p = (unsigned char *)&(buf->data[4 + n]);
- if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) {
- s2n(j, p);
- i2d_X509_NAME(name, &p);
- n += 2 + j;
- nl += 2 + j;
- } else {
- d = p;
- i2d_X509_NAME(name, &p);
- j -= 2;
- s2n(j, d);
- j += 2;
- n += j;
- nl += j;
- }
+ s2n(j, p);
+ i2d_X509_NAME(name, &p);
+ n += 2 + j;
+ nl += 2 + j;
 }
 }
 /* else no CA names */
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3 b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3
index 8bb22b7cc6..53a7a6c9c0 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3
@@ -1,5 +1,5 @@
 .\"
-.\" $OpenBSD: SSL_CTX_set_options.3,v 1.5 2015/06/15 05:16:56 doug Exp $
+.\" $OpenBSD: SSL_CTX_set_options.3,v 1.6 2015/06/15 05:32:58 doug Exp $
 .\"
 .Dd $Mdocdate: June 15 2015 $
 .Dt SSL_CTX_SET_OPTIONS 3
@@ -192,10 +192,9 @@ When set, the SSLv3/TLSv1 server will choose following its own preferences. Because of the different protocol, for SSLv2 the server will send its list of preferences to the client and the client chooses.
 .It Dv SSL_OP_NETSCAPE_CA_DN_BUG
-If we accept a netscape connection, demand a client cert, have a
-non-self-signed CA which does not have its CA in netscape, and the browser has
-a cert, it will crash/hang.
-Works for 3.x and 4.xbeta
+As of
+.Ox 5.8 ,
+this option has no effect.
 .It Dv SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
 As of
 .Ox 5.8 ,
diff --git a/src/lib/libssl/src/ssl/d1_srvr.c b/src/lib/libssl/src/ssl/d1_srvr.c
index bd3a8e1a42..42af17e96e 100644
--- a/src/lib/libssl/src/ssl/d1_srvr.c
+++ b/src/lib/libssl/src/ssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.52 2015/06/13 08:38:10 doug Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.53 2015/06/15 05:32:58 doug Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -1164,20 +1164,10 @@ dtls1_send_certificate_request(SSL *s)
 goto err;
 }
 p = (unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH + n]);
- if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) {
- s2n(j, p);
- i2d_X509_NAME(name, &p);
- n += 2 + j;
- nl += 2 + j;
- } else {
- d = p;
- i2d_X509_NAME(name, &p);
- j -= 2;
- s2n(j, d);
- j += 2;
- n += j;
- nl += j;
- }
+ s2n(j, p);
+ i2d_X509_NAME(name, &p);
+ n += 2 + j;
+ nl += 2 + j;
 }
 }
 /* else no CA names */
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 8a137056be..76c0c488c5 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.111 2015/03/31 13:17:48 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.112 2015/06/15 05:32:58 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1645,8 +1645,6 @@ ssl3_get_certificate_request(SSL *s)
 }
 n2s(p, l);
 if ((l + nc + 2) > llen) {
- if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
- goto cont; /* netscape bugs */
 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
@@ -1656,16 +1654,11 @@ ssl3_get_certificate_request(SSL *s)
 q = p;
 if ((xn = d2i_X509_NAME(NULL, &q, l)) == NULL) {
- /* If netscape tolerance is on, ignore errors */
- if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
- goto cont;
- else {
- ssl3_send_alert(s, SSL3_AL_FATAL,
- SSL_AD_DECODE_ERROR);
- SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
- ERR_R_ASN1_LIB);
- goto err;
- }
+ ssl3_send_alert(s, SSL3_AL_FATAL,
+ SSL_AD_DECODE_ERROR);
+ SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
+ ERR_R_ASN1_LIB);
+ goto err;
 }
 if (q != (p + l)) {
@@ -1684,11 +1677,6 @@ ssl3_get_certificate_request(SSL *s)
 nc += l + 2;
 }
- if (0) {
-cont:
- ERR_clear_error();
- }
- /* we should setup a certificate to return.... */
 s->s3->tmp.cert_req = 1;
 s->s3->tmp.ctype_num = ctype_num;
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 7b6af070c9..1aa39c2863 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.105 2015/06/15 05:16:56 doug Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.106 2015/06/15 05:32:58 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1678,20 +1678,10 @@ ssl3_send_certificate_request(SSL *s)
 goto err;
 }
 p = (unsigned char *)&(buf->data[4 + n]);
- if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) {
- s2n(j, p);
- i2d_X509_NAME(name, &p);
- n += 2 + j;
- nl += 2 + j;
- } else {
- d = p;
- i2d_X509_NAME(name, &p);
- j -= 2;
- s2n(j, d);
- j += 2;
- n += j;
- nl += j;
- }
+ s2n(j, p);
+ i2d_X509_NAME(name, &p);
+ n += 2 + j;
+ nl += 2 + j;
 }
 }
 /* else no CA names */
--
cgit v1.2.3-55-g6feb