fix use of rdrand if available
- more commits cherry picked from upstream - documentation fixes
This commit is contained in:
parent
a254940dd1
commit
9c324da28e
@ -1,33 +1,84 @@
|
|||||||
From 08f8933fa34d242383a1e12d4701acb1855686bf Mon Sep 17 00:00:00 2001
|
diff -up openssl-1.0.1e/crypto/pem/pem_info.c.backports openssl-1.0.1e/crypto/pem/pem_info.c
|
||||||
From: Nick Alcock <nix@esperi.org.uk>
|
--- openssl-1.0.1e/crypto/pem/pem_info.c.backports 2013-02-11 16:26:04.000000000 +0100
|
||||||
Date: Fri, 15 Feb 2013 17:44:11 +0000
|
+++ openssl-1.0.1e/crypto/pem/pem_info.c 2013-08-16 15:31:35.726003892 +0200
|
||||||
Subject: [PATCH] Fix POD errors to stop make install_docs dying with pod2man
|
@@ -167,6 +167,7 @@ start:
|
||||||
2.5.0+
|
#ifndef OPENSSL_NO_RSA
|
||||||
|
if (strcmp(name,PEM_STRING_RSA) == 0)
|
||||||
|
{
|
||||||
|
+ d2i=(D2I_OF(void))d2i_RSAPrivateKey;
|
||||||
|
if (xi->x_pkey != NULL)
|
||||||
|
{
|
||||||
|
if (!sk_X509_INFO_push(ret,xi)) goto err;
|
||||||
|
diff -up openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.backports openssl-1.0.1e/crypto/rsa/rsa_pmeth.c
|
||||||
|
--- openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.backports 2013-08-16 15:31:35.697003256 +0200
|
||||||
|
+++ openssl-1.0.1e/crypto/rsa/rsa_pmeth.c 2013-08-16 15:33:37.770673918 +0200
|
||||||
|
@@ -582,6 +582,8 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CT
|
||||||
|
pm = RSA_NO_PADDING;
|
||||||
|
else if (!strcmp(value, "oeap"))
|
||||||
|
pm = RSA_PKCS1_OAEP_PADDING;
|
||||||
|
+ else if (!strcmp(value, "oaep"))
|
||||||
|
+ pm = RSA_PKCS1_OAEP_PADDING;
|
||||||
|
else if (!strcmp(value, "x931"))
|
||||||
|
pm = RSA_X931_PADDING;
|
||||||
|
else if (!strcmp(value, "pss"))
|
||||||
|
diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.backports openssl-1.0.1e/crypto/x509/x509_vfy.c
|
||||||
|
--- openssl-1.0.1e/crypto/x509/x509_vfy.c.backports 2013-08-16 15:31:35.721003782 +0200
|
||||||
|
+++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2013-08-16 15:31:35.726003892 +0200
|
||||||
|
@@ -696,6 +696,7 @@ static int check_cert(X509_STORE_CTX *ct
|
||||||
|
X509_CRL *crl = NULL, *dcrl = NULL;
|
||||||
|
X509 *x;
|
||||||
|
int ok, cnum;
|
||||||
|
+ unsigned int last_reasons;
|
||||||
|
cnum = ctx->error_depth;
|
||||||
|
x = sk_X509_value(ctx->chain, cnum);
|
||||||
|
ctx->current_cert = x;
|
||||||
|
@@ -704,6 +705,7 @@ static int check_cert(X509_STORE_CTX *ct
|
||||||
|
ctx->current_reasons = 0;
|
||||||
|
while (ctx->current_reasons != CRLDP_ALL_REASONS)
|
||||||
|
{
|
||||||
|
+ last_reasons = ctx->current_reasons;
|
||||||
|
/* Try to retrieve relevant CRL */
|
||||||
|
if (ctx->get_crl)
|
||||||
|
ok = ctx->get_crl(ctx, &crl, x);
|
||||||
|
@@ -747,6 +749,15 @@ static int check_cert(X509_STORE_CTX *ct
|
||||||
|
X509_CRL_free(dcrl);
|
||||||
|
crl = NULL;
|
||||||
|
dcrl = NULL;
|
||||||
|
+ /* If reasons not updated we wont get anywhere by
|
||||||
|
+ * another iteration, so exit loop.
|
||||||
|
+ */
|
||||||
|
+ if (last_reasons == ctx->current_reasons)
|
||||||
|
+ {
|
||||||
|
+ ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
|
||||||
|
+ ok = ctx->verify_cb(0, ctx);
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
err:
|
||||||
|
X509_CRL_free(crl);
|
||||||
|
diff -up openssl-1.0.1e/crypto/x509/x_all.c.backports openssl-1.0.1e/crypto/x509/x_all.c
|
||||||
|
--- openssl-1.0.1e/crypto/x509/x_all.c.backports 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/crypto/x509/x_all.c 2013-08-16 15:33:25.247399940 +0200
|
||||||
|
@@ -97,6 +97,7 @@ int X509_sign(X509 *x, EVP_PKEY *pkey, c
|
||||||
|
|
||||||
podlators 2.5.0 has switched to dying on POD syntax errors. This means
|
int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
|
||||||
that a bunch of long-standing erroneous POD in the openssl documentation
|
{
|
||||||
now leads to fatal errors from pod2man, halting installation.
|
+ x->cert_info->enc.modified = 1;
|
||||||
|
return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF),
|
||||||
|
x->cert_info->signature,
|
||||||
|
x->sig_alg, x->signature, x->cert_info, ctx);
|
||||||
|
@@ -123,6 +124,7 @@ int X509_CRL_sign(X509_CRL *x, EVP_PKEY
|
||||||
|
|
||||||
Unfortunately POD constraints mean that you have to sort numeric lists
|
int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
|
||||||
in ascending order if they start with 1: you cannot do 1, 0, 2 even if
|
{
|
||||||
you want 1 to appear first. I've reshuffled such (alas, I wish there
|
+ x->crl->enc.modified = 1;
|
||||||
were a better way but I don't know of one).
|
return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
|
||||||
(cherry picked from commit 5cc270774258149235f69e1789b3370f57b0e27b)
|
x->crl->sig_alg, x->sig_alg, x->signature, x->crl, ctx);
|
||||||
---
|
}
|
||||||
doc/crypto/X509_STORE_CTX_get_error.pod | 2 ++
|
diff -up openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod.backports openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod
|
||||||
doc/ssl/SSL_CTX_set_client_CA_list.pod | 8 ++++----
|
--- openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod.backports 2013-02-11 16:26:04.000000000 +0100
|
||||||
doc/ssl/SSL_CTX_use_psk_identity_hint.pod | 4 ++++
|
+++ openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod 2013-08-16 15:31:35.727003914 +0200
|
||||||
doc/ssl/SSL_accept.pod | 10 +++++-----
|
@@ -278,6 +278,8 @@ happen if extended CRL checking is enabl
|
||||||
doc/ssl/SSL_connect.pod | 10 +++++-----
|
|
||||||
doc/ssl/SSL_do_handshake.pod | 10 +++++-----
|
|
||||||
doc/ssl/SSL_shutdown.pod | 10 +++++-----
|
|
||||||
7 files changed, 30 insertions(+), 24 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/doc/crypto/X509_STORE_CTX_get_error.pod b/doc/crypto/X509_STORE_CTX_get_error.pod
|
|
||||||
index a883f6c..60e8332 100644
|
|
||||||
--- a/doc/crypto/X509_STORE_CTX_get_error.pod
|
|
||||||
+++ b/doc/crypto/X509_STORE_CTX_get_error.pod
|
|
||||||
@@ -278,6 +278,8 @@ happen if extended CRL checking is enabled.
|
|
||||||
an application specific error. This will never be returned unless explicitly
|
an application specific error. This will never be returned unless explicitly
|
||||||
set by an application.
|
set by an application.
|
||||||
|
|
||||||
@ -36,55 +87,9 @@ index a883f6c..60e8332 100644
|
|||||||
=head1 NOTES
|
=head1 NOTES
|
||||||
|
|
||||||
The above functions should be used instead of directly referencing the fields
|
The above functions should be used instead of directly referencing the fields
|
||||||
diff --git a/doc/ssl/SSL_CTX_set_client_CA_list.pod b/doc/ssl/SSL_CTX_set_client_CA_list.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_accept.pod.backports openssl-1.0.1e/doc/ssl/SSL_accept.pod
|
||||||
index 632b556..5e66133 100644
|
--- openssl-1.0.1e/doc/ssl/SSL_accept.pod.backports 2013-02-11 16:02:48.000000000 +0100
|
||||||
--- a/doc/ssl/SSL_CTX_set_client_CA_list.pod
|
+++ openssl-1.0.1e/doc/ssl/SSL_accept.pod 2013-08-16 15:31:35.727003914 +0200
|
||||||
+++ b/doc/ssl/SSL_CTX_set_client_CA_list.pod
|
|
||||||
@@ -66,16 +66,16 @@ values:
|
|
||||||
|
|
||||||
=over 4
|
|
||||||
|
|
||||||
-=item 1
|
|
||||||
-
|
|
||||||
-The operation succeeded.
|
|
||||||
-
|
|
||||||
=item 0
|
|
||||||
|
|
||||||
A failure while manipulating the STACK_OF(X509_NAME) object occurred or
|
|
||||||
the X509_NAME could not be extracted from B<cacert>. Check the error stack
|
|
||||||
to find out the reason.
|
|
||||||
|
|
||||||
+=item 1
|
|
||||||
+
|
|
||||||
+The operation succeeded.
|
|
||||||
+
|
|
||||||
=back
|
|
||||||
|
|
||||||
=head1 EXAMPLES
|
|
||||||
diff --git a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
|
|
||||||
index b80e25b..7e60df5 100644
|
|
||||||
--- a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
|
|
||||||
+++ b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
|
|
||||||
@@ -81,6 +81,8 @@ SSL_CTX_use_psk_identity_hint() and SSL_use_psk_identity_hint() return
|
|
||||||
|
|
||||||
Return values from the server callback are interpreted as follows:
|
|
||||||
|
|
||||||
+=over 4
|
|
||||||
+
|
|
||||||
=item > 0
|
|
||||||
|
|
||||||
PSK identity was found and the server callback has provided the PSK
|
|
||||||
@@ -99,4 +101,6 @@ completely.
|
|
||||||
PSK identity was not found. An "unknown_psk_identity" alert message
|
|
||||||
will be sent and the connection setup fails.
|
|
||||||
|
|
||||||
+=back
|
|
||||||
+
|
|
||||||
=cut
|
|
||||||
diff --git a/doc/ssl/SSL_accept.pod b/doc/ssl/SSL_accept.pod
|
|
||||||
index cc724c0..b1c34d1 100644
|
|
||||||
--- a/doc/ssl/SSL_accept.pod
|
|
||||||
+++ b/doc/ssl/SSL_accept.pod
|
|
||||||
@@ -44,17 +44,17 @@ The following return values can occur:
|
@@ -44,17 +44,17 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -108,10 +113,9 @@ index cc724c0..b1c34d1 100644
|
|||||||
=item E<lt>0
|
=item E<lt>0
|
||||||
|
|
||||||
The TLS/SSL handshake was not successful because a fatal error occurred either
|
The TLS/SSL handshake was not successful because a fatal error occurred either
|
||||||
diff --git a/doc/ssl/SSL_connect.pod b/doc/ssl/SSL_connect.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_connect.pod.backports openssl-1.0.1e/doc/ssl/SSL_connect.pod
|
||||||
index cc56ebb..946ca89 100644
|
--- openssl-1.0.1e/doc/ssl/SSL_connect.pod.backports 2013-02-11 16:02:48.000000000 +0100
|
||||||
--- a/doc/ssl/SSL_connect.pod
|
+++ openssl-1.0.1e/doc/ssl/SSL_connect.pod 2013-08-16 15:31:35.727003914 +0200
|
||||||
+++ b/doc/ssl/SSL_connect.pod
|
|
||||||
@@ -41,17 +41,17 @@ The following return values can occur:
|
@@ -41,17 +41,17 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -135,10 +139,52 @@ index cc56ebb..946ca89 100644
|
|||||||
=item E<lt>0
|
=item E<lt>0
|
||||||
|
|
||||||
The TLS/SSL handshake was not successful, because a fatal error occurred either
|
The TLS/SSL handshake was not successful, because a fatal error occurred either
|
||||||
diff --git a/doc/ssl/SSL_do_handshake.pod b/doc/ssl/SSL_do_handshake.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.backports openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod
|
||||||
index 2435764..7f8cf24 100644
|
--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.backports 2013-02-11 16:02:48.000000000 +0100
|
||||||
--- a/doc/ssl/SSL_do_handshake.pod
|
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod 2013-08-16 15:31:35.727003914 +0200
|
||||||
+++ b/doc/ssl/SSL_do_handshake.pod
|
@@ -66,16 +66,16 @@ values:
|
||||||
|
|
||||||
|
=over 4
|
||||||
|
|
||||||
|
-=item 1
|
||||||
|
-
|
||||||
|
-The operation succeeded.
|
||||||
|
-
|
||||||
|
=item 0
|
||||||
|
|
||||||
|
A failure while manipulating the STACK_OF(X509_NAME) object occurred or
|
||||||
|
the X509_NAME could not be extracted from B<cacert>. Check the error stack
|
||||||
|
to find out the reason.
|
||||||
|
|
||||||
|
+=item 1
|
||||||
|
+
|
||||||
|
+The operation succeeded.
|
||||||
|
+
|
||||||
|
=back
|
||||||
|
|
||||||
|
=head1 EXAMPLES
|
||||||
|
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.backports openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
|
||||||
|
--- openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.backports 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2013-08-16 15:31:35.727003914 +0200
|
||||||
|
@@ -81,6 +81,8 @@ SSL_CTX_use_psk_identity_hint() and SSL_
|
||||||
|
|
||||||
|
Return values from the server callback are interpreted as follows:
|
||||||
|
|
||||||
|
+=over 4
|
||||||
|
+
|
||||||
|
=item > 0
|
||||||
|
|
||||||
|
PSK identity was found and the server callback has provided the PSK
|
||||||
|
@@ -99,4 +101,6 @@ completely.
|
||||||
|
PSK identity was not found. An "unknown_psk_identity" alert message
|
||||||
|
will be sent and the connection setup fails.
|
||||||
|
|
||||||
|
+=back
|
||||||
|
+
|
||||||
|
=cut
|
||||||
|
diff -up openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.backports openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod
|
||||||
|
--- openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.backports 2013-02-11 16:02:48.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod 2013-08-16 15:31:35.727003914 +0200
|
||||||
@@ -45,17 +45,17 @@ The following return values can occur:
|
@@ -45,17 +45,17 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -162,10 +208,9 @@ index 2435764..7f8cf24 100644
|
|||||||
=item E<lt>0
|
=item E<lt>0
|
||||||
|
|
||||||
The TLS/SSL handshake was not successful because a fatal error occurred either
|
The TLS/SSL handshake was not successful because a fatal error occurred either
|
||||||
diff --git a/doc/ssl/SSL_shutdown.pod b/doc/ssl/SSL_shutdown.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.backports openssl-1.0.1e/doc/ssl/SSL_shutdown.pod
|
||||||
index 89911ac..42a89b7 100644
|
--- openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.backports 2013-02-11 16:02:48.000000000 +0100
|
||||||
--- a/doc/ssl/SSL_shutdown.pod
|
+++ openssl-1.0.1e/doc/ssl/SSL_shutdown.pod 2013-08-16 15:31:35.728003935 +0200
|
||||||
+++ b/doc/ssl/SSL_shutdown.pod
|
|
||||||
@@ -92,11 +92,6 @@ The following return values can occur:
|
@@ -92,11 +92,6 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -178,7 +223,7 @@ index 89911ac..42a89b7 100644
|
|||||||
=item 0
|
=item 0
|
||||||
|
|
||||||
The shutdown is not yet finished. Call SSL_shutdown() for a second time,
|
The shutdown is not yet finished. Call SSL_shutdown() for a second time,
|
||||||
@@ -104,6 +99,11 @@ if a bidirectional shutdown shall be performed.
|
@@ -104,6 +99,11 @@ if a bidirectional shutdown shall be per
|
||||||
The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an
|
The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an
|
||||||
erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
|
erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
|
||||||
|
|
||||||
@ -190,26 +235,84 @@ index 89911ac..42a89b7 100644
|
|||||||
=item -1
|
=item -1
|
||||||
|
|
||||||
The shutdown was not successful because a fatal error occurred either
|
The shutdown was not successful because a fatal error occurred either
|
||||||
--
|
diff -up openssl-1.0.1e/ssl/d1_lib.c.backports openssl-1.0.1e/ssl/d1_lib.c
|
||||||
1.7.9.5
|
--- openssl-1.0.1e/ssl/d1_lib.c.backports 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/ssl/d1_lib.c 2013-08-16 15:33:33.306576363 +0200
|
||||||
|
@@ -196,6 +196,7 @@ void dtls1_free(SSL *s)
|
||||||
|
pqueue_free(s->d1->buffered_app_data.q);
|
||||||
|
|
||||||
From 147dbb2fe3bead7a10e2f280261b661ce7af7adc Mon Sep 17 00:00:00 2001
|
OPENSSL_free(s->d1);
|
||||||
From: "Dr. Stephen Henson" <steve@openssl.org>
|
+ s->d1 = NULL;
|
||||||
Date: Mon, 11 Feb 2013 18:24:03 +0000
|
}
|
||||||
Subject: [PATCH] Fix for SSL_get_certificate
|
|
||||||
|
|
||||||
Now we set the current certificate to the one used by a server
|
void dtls1_clear(SSL *s)
|
||||||
there is no need to call ssl_get_server_send_cert which will
|
diff -up openssl-1.0.1e/ssl/d1_pkt.c.backports openssl-1.0.1e/ssl/d1_pkt.c
|
||||||
fail if we haven't sent a certificate yet.
|
--- openssl-1.0.1e/ssl/d1_pkt.c.backports 2013-02-11 16:26:04.000000000 +0100
|
||||||
---
|
+++ openssl-1.0.1e/ssl/d1_pkt.c 2013-08-16 15:31:35.728003935 +0200
|
||||||
ssl/ssl_lib.c | 4 +---
|
@@ -847,6 +847,12 @@ start:
|
||||||
1 file changed, 1 insertion(+), 3 deletions(-)
|
}
|
||||||
|
}
|
||||||
|
|
||||||
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
+ if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE)
|
||||||
index 14d143d..ff5a85a 100644
|
+ {
|
||||||
--- a/ssl/ssl_lib.c
|
+ rr->length = 0;
|
||||||
+++ b/ssl/ssl_lib.c
|
+ goto start;
|
||||||
@@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s)
|
+ }
|
||||||
|
+
|
||||||
|
/* we now have a packet which can be read and processed */
|
||||||
|
|
||||||
|
if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
|
||||||
|
@@ -1051,6 +1057,7 @@ start:
|
||||||
|
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
|
||||||
|
!s->s3->renegotiate)
|
||||||
|
{
|
||||||
|
+ s->d1->handshake_read_seq++;
|
||||||
|
s->new_session = 1;
|
||||||
|
ssl3_renegotiate(s);
|
||||||
|
if (ssl3_renegotiate_check(s))
|
||||||
|
diff -up openssl-1.0.1e/ssl/d1_srvr.c.backports openssl-1.0.1e/ssl/d1_srvr.c
|
||||||
|
--- openssl-1.0.1e/ssl/d1_srvr.c.backports 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/ssl/d1_srvr.c 2013-08-16 15:31:35.728003935 +0200
|
||||||
|
@@ -276,10 +276,11 @@ int dtls1_accept(SSL *s)
|
||||||
|
case SSL3_ST_SW_HELLO_REQ_B:
|
||||||
|
|
||||||
|
s->shutdown=0;
|
||||||
|
+ dtls1_clear_record_buffer(s);
|
||||||
|
dtls1_start_timer(s);
|
||||||
|
ret=dtls1_send_hello_request(s);
|
||||||
|
if (ret <= 0) goto end;
|
||||||
|
- s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
|
||||||
|
+ s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
|
||||||
|
s->state=SSL3_ST_SW_FLUSH;
|
||||||
|
s->init_num=0;
|
||||||
|
|
||||||
|
diff -up openssl-1.0.1e/ssl/s3_cbc.c.backports openssl-1.0.1e/ssl/s3_cbc.c
|
||||||
|
--- openssl-1.0.1e/ssl/s3_cbc.c.backports 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/ssl/s3_cbc.c 2013-08-16 15:31:35.729003956 +0200
|
||||||
|
@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s
|
||||||
|
unsigned padding_length, good, to_check, i;
|
||||||
|
const unsigned overhead = 1 /* padding length byte */ + mac_size;
|
||||||
|
/* Check if version requires explicit IV */
|
||||||
|
- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
|
||||||
|
+ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
|
||||||
|
{
|
||||||
|
/* These lengths are all public so we can test them in
|
||||||
|
* non-constant time.
|
||||||
|
diff -up openssl-1.0.1e/ssl/ssl_lib.c.backports openssl-1.0.1e/ssl/ssl_lib.c
|
||||||
|
--- openssl-1.0.1e/ssl/ssl_lib.c.backports 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/ssl/ssl_lib.c 2013-08-16 15:31:35.729003956 +0200
|
||||||
|
@@ -1797,7 +1797,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
||||||
|
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
|
||||||
|
|
||||||
|
ret->extra_certs=NULL;
|
||||||
|
- ret->comp_methods=SSL_COMP_get_compression_methods();
|
||||||
|
+ /* No compression for DTLS */
|
||||||
|
+ if (meth->version != DTLS1_VERSION)
|
||||||
|
+ ret->comp_methods=SSL_COMP_get_compression_methods();
|
||||||
|
|
||||||
|
ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
|
||||||
|
|
||||||
|
@@ -2792,9 +2794,7 @@ void ssl_clear_cipher_ctx(SSL *s)
|
||||||
/* Fix this function so that it takes an optional type parameter */
|
/* Fix this function so that it takes an optional type parameter */
|
||||||
X509 *SSL_get_certificate(const SSL *s)
|
X509 *SSL_get_certificate(const SSL *s)
|
||||||
{
|
{
|
||||||
@ -220,37 +323,3 @@ index 14d143d..ff5a85a 100644
|
|||||||
return(s->cert->key->x509);
|
return(s->cert->key->x509);
|
||||||
else
|
else
|
||||||
return(NULL);
|
return(NULL);
|
||||||
--
|
|
||||||
1.7.9.5
|
|
||||||
|
|
||||||
From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001
|
|
||||||
From: David Woodhouse <dwmw2@infradead.org>
|
|
||||||
Date: Tue, 12 Feb 2013 14:55:32 +0000
|
|
||||||
Subject: [PATCH] Check DTLS_BAD_VER for version number.
|
|
||||||
|
|
||||||
The version check for DTLS1_VERSION was redundant as
|
|
||||||
DTLS1_VERSION > TLS1_1_VERSION, however we do need to
|
|
||||||
check for DTLS1_BAD_VER for compatibility.
|
|
||||||
|
|
||||||
PR:2984
|
|
||||||
(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)
|
|
||||||
---
|
|
||||||
ssl/s3_cbc.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
|
|
||||||
index 02edf3f..443a31e 100644
|
|
||||||
--- a/ssl/s3_cbc.c
|
|
||||||
+++ b/ssl/s3_cbc.c
|
|
||||||
@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
|
|
||||||
unsigned padding_length, good, to_check, i;
|
|
||||||
const unsigned overhead = 1 /* padding length byte */ + mac_size;
|
|
||||||
/* Check if version requires explicit IV */
|
|
||||||
- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
|
|
||||||
+ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
|
|
||||||
{
|
|
||||||
/* These lengths are all public so we can test them in
|
|
||||||
* non-constant time.
|
|
||||||
--
|
|
||||||
1.7.9.5
|
|
||||||
|
|
||||||
|
@ -19333,8 +19333,8 @@ diff -up openssl-1.0.1e/crypto/o_fips.c.fips openssl-1.0.1e/crypto/o_fips.c
|
|||||||
if (r)
|
if (r)
|
||||||
diff -up openssl-1.0.1e/crypto/o_init.c.fips openssl-1.0.1e/crypto/o_init.c
|
diff -up openssl-1.0.1e/crypto/o_init.c.fips openssl-1.0.1e/crypto/o_init.c
|
||||||
--- openssl-1.0.1e/crypto/o_init.c.fips 2013-02-11 16:26:04.000000000 +0100
|
--- openssl-1.0.1e/crypto/o_init.c.fips 2013-02-11 16:26:04.000000000 +0100
|
||||||
+++ openssl-1.0.1e/crypto/o_init.c 2013-02-19 12:47:33.744118975 +0100
|
+++ openssl-1.0.1e/crypto/o_init.c 2013-08-15 16:14:43.069221580 +0200
|
||||||
@@ -55,28 +55,63 @@
|
@@ -55,28 +55,68 @@
|
||||||
#include <e_os.h>
|
#include <e_os.h>
|
||||||
#include <openssl/err.h>
|
#include <openssl/err.h>
|
||||||
#ifdef OPENSSL_FIPS
|
#ifdef OPENSSL_FIPS
|
||||||
@ -19392,6 +19392,11 @@ diff -up openssl-1.0.1e/crypto/o_init.c.fips openssl-1.0.1e/crypto/o_init.c
|
|||||||
- FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free);
|
- FIPS_set_malloc_callbacks(CRYPTO_malloc, CRYPTO_free);
|
||||||
RAND_init_fips();
|
RAND_init_fips();
|
||||||
+ init_fips_mode();
|
+ init_fips_mode();
|
||||||
|
+ if (!FIPS_mode())
|
||||||
|
+ {
|
||||||
|
+ /* Clean up prematurely set default rand method */
|
||||||
|
+ RAND_set_rand_method(NULL);
|
||||||
|
+ }
|
||||||
#endif
|
#endif
|
||||||
#if 0
|
#if 0
|
||||||
fprintf(stderr, "Called OPENSSL_init\n");
|
fprintf(stderr, "Called OPENSSL_init\n");
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
diff -up openssl-1.0.1e/doc/apps/cms.pod.manfix openssl-1.0.1e/doc/apps/cms.pod
|
diff -up openssl-1.0.1e/doc/apps/cms.pod.manfix openssl-1.0.1e/doc/apps/cms.pod
|
||||||
--- openssl-1.0.1e/doc/apps/cms.pod.manfix 2013-02-11 16:26:04.000000000 +0100
|
--- openssl-1.0.1e/doc/apps/cms.pod.manfix 2013-02-11 16:26:04.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/apps/cms.pod 2013-07-25 15:04:07.149565258 +0200
|
+++ openssl-1.0.1e/doc/apps/cms.pod 2013-08-16 16:02:17.542089270 +0200
|
||||||
@@ -450,28 +450,28 @@ remains DER.
|
@@ -450,28 +450,28 @@ remains DER.
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -38,7 +38,7 @@ diff -up openssl-1.0.1e/doc/apps/cms.pod.manfix openssl-1.0.1e/doc/apps/cms.pod
|
|||||||
the signers certificates.
|
the signers certificates.
|
||||||
diff -up openssl-1.0.1e/doc/apps/ec.pod.manfix openssl-1.0.1e/doc/apps/ec.pod
|
diff -up openssl-1.0.1e/doc/apps/ec.pod.manfix openssl-1.0.1e/doc/apps/ec.pod
|
||||||
--- openssl-1.0.1e/doc/apps/ec.pod.manfix 2013-02-11 16:26:04.000000000 +0100
|
--- openssl-1.0.1e/doc/apps/ec.pod.manfix 2013-02-11 16:26:04.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/apps/ec.pod 2013-07-25 15:12:40.782194199 +0200
|
+++ openssl-1.0.1e/doc/apps/ec.pod 2013-08-16 16:02:17.542089270 +0200
|
||||||
@@ -93,10 +93,6 @@ prints out the public, private key compo
|
@@ -93,10 +93,6 @@ prints out the public, private key compo
|
||||||
|
|
||||||
this option prevents output of the encoded version of the key.
|
this option prevents output of the encoded version of the key.
|
||||||
@ -52,7 +52,7 @@ diff -up openssl-1.0.1e/doc/apps/ec.pod.manfix openssl-1.0.1e/doc/apps/ec.pod
|
|||||||
by default a private key is read from the input file: with this option a
|
by default a private key is read from the input file: with this option a
|
||||||
diff -up openssl-1.0.1e/doc/apps/openssl.pod.manfix openssl-1.0.1e/doc/apps/openssl.pod
|
diff -up openssl-1.0.1e/doc/apps/openssl.pod.manfix openssl-1.0.1e/doc/apps/openssl.pod
|
||||||
--- openssl-1.0.1e/doc/apps/openssl.pod.manfix 2013-02-11 16:26:04.000000000 +0100
|
--- openssl-1.0.1e/doc/apps/openssl.pod.manfix 2013-02-11 16:26:04.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/apps/openssl.pod 2013-07-25 15:04:07.149565258 +0200
|
+++ openssl-1.0.1e/doc/apps/openssl.pod 2013-08-16 16:02:17.542089270 +0200
|
||||||
@@ -163,7 +163,7 @@ Create or examine a netscape certificate
|
@@ -163,7 +163,7 @@ Create or examine a netscape certificate
|
||||||
|
|
||||||
Online Certificate Status Protocol utility.
|
Online Certificate Status Protocol utility.
|
||||||
@ -84,8 +84,8 @@ diff -up openssl-1.0.1e/doc/apps/openssl.pod.manfix openssl-1.0.1e/doc/apps/open
|
|||||||
L<s_server(1)|s_server(1)>, L<s_time(1)|s_time(1)>,
|
L<s_server(1)|s_server(1)>, L<s_time(1)|s_time(1)>,
|
||||||
L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
|
L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
|
||||||
diff -up openssl-1.0.1e/doc/apps/s_client.pod.manfix openssl-1.0.1e/doc/apps/s_client.pod
|
diff -up openssl-1.0.1e/doc/apps/s_client.pod.manfix openssl-1.0.1e/doc/apps/s_client.pod
|
||||||
--- openssl-1.0.1e/doc/apps/s_client.pod.manfix 2013-07-25 15:04:07.000000000 +0200
|
--- openssl-1.0.1e/doc/apps/s_client.pod.manfix 2013-08-16 16:02:17.434086891 +0200
|
||||||
+++ openssl-1.0.1e/doc/apps/s_client.pod 2013-07-25 15:08:37.912168333 +0200
|
+++ openssl-1.0.1e/doc/apps/s_client.pod 2013-08-16 16:02:17.543089292 +0200
|
||||||
@@ -32,9 +32,14 @@ B<openssl> B<s_client>
|
@@ -32,9 +32,14 @@ B<openssl> B<s_client>
|
||||||
[B<-ssl2>]
|
[B<-ssl2>]
|
||||||
[B<-ssl3>]
|
[B<-ssl3>]
|
||||||
@ -112,7 +112,7 @@ diff -up openssl-1.0.1e/doc/apps/s_client.pod.manfix openssl-1.0.1e/doc/apps/s_c
|
|||||||
the initial handshake uses a method which should be compatible with all
|
the initial handshake uses a method which should be compatible with all
|
||||||
diff -up openssl-1.0.1e/doc/apps/smime.pod.manfix openssl-1.0.1e/doc/apps/smime.pod
|
diff -up openssl-1.0.1e/doc/apps/smime.pod.manfix openssl-1.0.1e/doc/apps/smime.pod
|
||||||
--- openssl-1.0.1e/doc/apps/smime.pod.manfix 2013-02-11 16:26:04.000000000 +0100
|
--- openssl-1.0.1e/doc/apps/smime.pod.manfix 2013-02-11 16:26:04.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/apps/smime.pod 2013-07-25 15:04:07.149565258 +0200
|
+++ openssl-1.0.1e/doc/apps/smime.pod 2013-08-16 16:02:17.543089292 +0200
|
||||||
@@ -308,28 +308,28 @@ remains DER.
|
@@ -308,28 +308,28 @@ remains DER.
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -150,8 +150,8 @@ diff -up openssl-1.0.1e/doc/apps/smime.pod.manfix openssl-1.0.1e/doc/apps/smime.
|
|||||||
the signers certificates.
|
the signers certificates.
|
||||||
diff -up openssl-1.0.1e/doc/apps/s_server.pod.manfix openssl-1.0.1e/doc/apps/s_server.pod
|
diff -up openssl-1.0.1e/doc/apps/s_server.pod.manfix openssl-1.0.1e/doc/apps/s_server.pod
|
||||||
--- openssl-1.0.1e/doc/apps/s_server.pod.manfix 2013-02-11 16:26:04.000000000 +0100
|
--- openssl-1.0.1e/doc/apps/s_server.pod.manfix 2013-02-11 16:26:04.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/apps/s_server.pod 2013-07-25 15:10:57.653060081 +0200
|
+++ openssl-1.0.1e/doc/apps/s_server.pod 2013-08-16 16:03:56.711273036 +0200
|
||||||
@@ -40,9 +40,14 @@ B<openssl> B<s_server>
|
@@ -40,10 +40,16 @@ B<openssl> B<s_server>
|
||||||
[B<-ssl2>]
|
[B<-ssl2>]
|
||||||
[B<-ssl3>]
|
[B<-ssl3>]
|
||||||
[B<-tls1>]
|
[B<-tls1>]
|
||||||
@ -164,9 +164,22 @@ diff -up openssl-1.0.1e/doc/apps/s_server.pod.manfix openssl-1.0.1e/doc/apps/s_s
|
|||||||
+[B<-no_tls1_1>]
|
+[B<-no_tls1_1>]
|
||||||
+[B<-no_tls1_2>]
|
+[B<-no_tls1_2>]
|
||||||
[B<-no_dhe>]
|
[B<-no_dhe>]
|
||||||
|
+[B<-no_ecdhe>]
|
||||||
[B<-bugs>]
|
[B<-bugs>]
|
||||||
[B<-hack>]
|
[B<-hack>]
|
||||||
@@ -201,7 +206,7 @@ Use the PSK key B<key> when using a PSK
|
[B<-www>]
|
||||||
|
@@ -131,6 +137,10 @@ a static set of parameters hard coded in
|
||||||
|
if this option is set then no DH parameters will be loaded effectively
|
||||||
|
disabling the ephemeral DH cipher suites.
|
||||||
|
|
||||||
|
+=item B<-no_ecdhe>
|
||||||
|
+
|
||||||
|
+if this option is set then ephemeral ECDH cipher suites will be disabled.
|
||||||
|
+
|
||||||
|
=item B<-no_tmp_rsa>
|
||||||
|
|
||||||
|
certain export cipher suites sometimes use a temporary RSA key, this option
|
||||||
|
@@ -201,7 +211,7 @@ Use the PSK key B<key> when using a PSK
|
||||||
given as a hexadecimal number without leading 0x, for example -psk
|
given as a hexadecimal number without leading 0x, for example -psk
|
||||||
1a2b3c4d.
|
1a2b3c4d.
|
||||||
|
|
||||||
@ -176,8 +189,8 @@ diff -up openssl-1.0.1e/doc/apps/s_server.pod.manfix openssl-1.0.1e/doc/apps/s_s
|
|||||||
these options disable the use of certain SSL or TLS protocols. By default
|
these options disable the use of certain SSL or TLS protocols. By default
|
||||||
the initial handshake uses a method which should be compatible with all
|
the initial handshake uses a method which should be compatible with all
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_accept.pod.manfix openssl-1.0.1e/doc/ssl/SSL_accept.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_accept.pod.manfix openssl-1.0.1e/doc/ssl/SSL_accept.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_accept.pod.manfix 2013-07-25 15:04:07.146565198 +0200
|
--- openssl-1.0.1e/doc/ssl/SSL_accept.pod.manfix 2013-08-16 16:02:17.534089094 +0200
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_accept.pod 2013-07-25 15:04:07.149565258 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_accept.pod 2013-08-16 16:02:17.544089314 +0200
|
||||||
@@ -44,13 +44,13 @@ The following return values can occur:
|
@@ -44,13 +44,13 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -196,7 +209,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_accept.pod.manfix openssl-1.0.1e/doc/ssl/SSL
|
|||||||
established.
|
established.
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_clear.pod.manfix openssl-1.0.1e/doc/ssl/SSL_clear.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_clear.pod.manfix openssl-1.0.1e/doc/ssl/SSL_clear.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_clear.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
--- openssl-1.0.1e/doc/ssl/SSL_clear.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_clear.pod 2013-07-25 15:04:07.150565279 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_clear.pod 2013-08-16 16:02:17.544089314 +0200
|
||||||
@@ -56,12 +56,12 @@ The following return values can occur:
|
@@ -56,12 +56,12 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -213,8 +226,8 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_clear.pod.manfix openssl-1.0.1e/doc/ssl/SSL_
|
|||||||
The SSL_clear() operation was successful.
|
The SSL_clear() operation was successful.
|
||||||
|
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.manfix openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.manfix openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.manfix 2013-07-25 15:04:07.115564555 +0200
|
--- openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.manfix 2013-08-16 16:02:17.486088037 +0200
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod 2013-07-25 15:04:07.150565279 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod 2013-08-16 16:02:17.544089314 +0200
|
||||||
@@ -60,11 +60,11 @@ SSL_COMP_add_compression_method() may re
|
@@ -60,11 +60,11 @@ SSL_COMP_add_compression_method() may re
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -230,8 +243,8 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.manfix opens
|
|||||||
The operation failed. Check the error queue to find out the reason.
|
The operation failed. Check the error queue to find out the reason.
|
||||||
|
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_connect.pod.manfix openssl-1.0.1e/doc/ssl/SSL_connect.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_connect.pod.manfix openssl-1.0.1e/doc/ssl/SSL_connect.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_connect.pod.manfix 2013-07-25 15:04:07.146565198 +0200
|
--- openssl-1.0.1e/doc/ssl/SSL_connect.pod.manfix 2013-08-16 16:02:17.535089116 +0200
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_connect.pod 2013-07-25 15:04:07.150565279 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_connect.pod 2013-08-16 16:02:17.545089336 +0200
|
||||||
@@ -41,13 +41,13 @@ The following return values can occur:
|
@@ -41,13 +41,13 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -250,7 +263,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_connect.pod.manfix openssl-1.0.1e/doc/ssl/SS
|
|||||||
established.
|
established.
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
--- openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod 2013-07-25 15:04:07.150565279 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod 2013-08-16 16:02:17.545089336 +0200
|
||||||
@@ -52,13 +52,13 @@ The following values are returned by all
|
@@ -52,13 +52,13 @@ The following values are returned by all
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -269,7 +282,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod.manfix openssl-1.0.1e/do
|
|||||||
|
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
--- openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod 2013-07-25 15:04:07.150565279 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod 2013-08-16 16:02:17.545089336 +0200
|
||||||
@@ -100,13 +100,13 @@ The following return values can occur:
|
@@ -100,13 +100,13 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -287,8 +300,8 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod.manfix openssl
|
|||||||
The operation succeeded.
|
The operation succeeded.
|
||||||
|
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.manfix 2013-07-25 15:04:07.146565198 +0200
|
--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.manfix 2013-08-16 16:02:17.535089116 +0200
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod 2013-07-25 15:04:07.150565279 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod 2013-08-16 16:02:17.545089336 +0200
|
||||||
@@ -66,13 +66,13 @@ values:
|
@@ -66,13 +66,13 @@ values:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -307,7 +320,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.manfix openssl-1.
|
|||||||
|
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod 2013-07-25 15:04:07.150565279 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod 2013-08-16 16:02:17.546089358 +0200
|
||||||
@@ -64,13 +64,13 @@ return the following values:
|
@@ -64,13 +64,13 @@ return the following values:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -326,7 +339,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod.manfix openss
|
|||||||
|
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod.manfix 2013-02-11 16:26:04.000000000 +0100
|
--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod.manfix 2013-02-11 16:26:04.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod 2013-07-25 15:04:07.151565300 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod 2013-08-16 16:02:17.546089358 +0200
|
||||||
@@ -42,11 +42,11 @@ and SSL_set_ssl_method():
|
@@ -42,11 +42,11 @@ and SSL_set_ssl_method():
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -342,8 +355,8 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod.manfix openssl-1.0.1
|
|||||||
The operation succeeded.
|
The operation succeeded.
|
||||||
|
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.manfix 2013-07-25 15:04:07.146565198 +0200
|
--- openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.manfix 2013-08-16 16:02:17.535089116 +0200
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2013-07-25 15:04:07.151565300 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2013-08-16 16:02:17.546089358 +0200
|
||||||
@@ -96,7 +96,7 @@ data to B<psk> and return the length of
|
@@ -96,7 +96,7 @@ data to B<psk> and return the length of
|
||||||
connection will fail with decryption_error before it will be finished
|
connection will fail with decryption_error before it will be finished
|
||||||
completely.
|
completely.
|
||||||
@ -354,8 +367,8 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.manfix openssl
|
|||||||
PSK identity was not found. An "unknown_psk_identity" alert message
|
PSK identity was not found. An "unknown_psk_identity" alert message
|
||||||
will be sent and the connection setup fails.
|
will be sent and the connection setup fails.
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.manfix openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.manfix openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.manfix 2013-07-25 15:04:07.147565218 +0200
|
--- openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.manfix 2013-08-16 16:02:17.536089138 +0200
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod 2013-07-25 15:04:07.151565300 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod 2013-08-16 16:02:17.546089358 +0200
|
||||||
@@ -45,13 +45,13 @@ The following return values can occur:
|
@@ -45,13 +45,13 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -374,7 +387,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.manfix openssl-1.0.1e/doc/s
|
|||||||
established.
|
established.
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_read.pod.manfix openssl-1.0.1e/doc/ssl/SSL_read.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_read.pod.manfix openssl-1.0.1e/doc/ssl/SSL_read.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_read.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
--- openssl-1.0.1e/doc/ssl/SSL_read.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_read.pod 2013-07-25 15:04:07.151565300 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_read.pod 2013-08-16 16:02:17.547089380 +0200
|
||||||
@@ -86,7 +86,7 @@ The following return values can occur:
|
@@ -86,7 +86,7 @@ The following return values can occur:
|
||||||
The read operation was successful; the return value is the number of
|
The read operation was successful; the return value is the number of
|
||||||
bytes actually read from the TLS/SSL connection.
|
bytes actually read from the TLS/SSL connection.
|
||||||
@ -386,7 +399,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_read.pod.manfix openssl-1.0.1e/doc/ssl/SSL_r
|
|||||||
shutdown due to a "close notify" alert sent by the peer (in which case
|
shutdown due to a "close notify" alert sent by the peer (in which case
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_session_reused.pod.manfix openssl-1.0.1e/doc/ssl/SSL_session_reused.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_session_reused.pod.manfix openssl-1.0.1e/doc/ssl/SSL_session_reused.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_session_reused.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
--- openssl-1.0.1e/doc/ssl/SSL_session_reused.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_session_reused.pod 2013-07-25 15:04:07.151565300 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_session_reused.pod 2013-08-16 16:02:17.547089380 +0200
|
||||||
@@ -27,11 +27,11 @@ The following return values can occur:
|
@@ -27,11 +27,11 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -403,7 +416,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_session_reused.pod.manfix openssl-1.0.1e/doc
|
|||||||
|
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_set_fd.pod.manfix openssl-1.0.1e/doc/ssl/SSL_set_fd.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_set_fd.pod.manfix openssl-1.0.1e/doc/ssl/SSL_set_fd.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_set_fd.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
--- openssl-1.0.1e/doc/ssl/SSL_set_fd.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_set_fd.pod 2013-07-25 15:04:07.151565300 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_set_fd.pod 2013-08-16 16:02:17.547089380 +0200
|
||||||
@@ -35,11 +35,11 @@ The following return values can occur:
|
@@ -35,11 +35,11 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -420,7 +433,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_set_fd.pod.manfix openssl-1.0.1e/doc/ssl/SSL
|
|||||||
|
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_set_session.pod.manfix openssl-1.0.1e/doc/ssl/SSL_set_session.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_set_session.pod.manfix openssl-1.0.1e/doc/ssl/SSL_set_session.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_set_session.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
--- openssl-1.0.1e/doc/ssl/SSL_set_session.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_set_session.pod 2013-07-25 15:04:07.151565300 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_set_session.pod 2013-08-16 16:02:17.547089380 +0200
|
||||||
@@ -37,11 +37,11 @@ The following return values can occur:
|
@@ -37,11 +37,11 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -436,8 +449,8 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_set_session.pod.manfix openssl-1.0.1e/doc/ss
|
|||||||
The operation succeeded.
|
The operation succeeded.
|
||||||
|
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.manfix openssl-1.0.1e/doc/ssl/SSL_shutdown.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.manfix openssl-1.0.1e/doc/ssl/SSL_shutdown.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.manfix 2013-07-25 15:04:07.147565218 +0200
|
--- openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.manfix 2013-08-16 16:02:17.536089138 +0200
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_shutdown.pod 2013-07-25 15:04:07.151565300 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_shutdown.pod 2013-08-16 16:02:17.548089402 +0200
|
||||||
@@ -92,14 +92,14 @@ The following return values can occur:
|
@@ -92,14 +92,14 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -457,7 +470,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.manfix openssl-1.0.1e/doc/ssl/S
|
|||||||
and the peer's "close notify" alert was received.
|
and the peer's "close notify" alert was received.
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_write.pod.manfix openssl-1.0.1e/doc/ssl/SSL_write.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_write.pod.manfix openssl-1.0.1e/doc/ssl/SSL_write.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_write.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
--- openssl-1.0.1e/doc/ssl/SSL_write.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_write.pod 2013-07-25 15:04:07.152565321 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_write.pod 2013-08-16 16:02:17.548089402 +0200
|
||||||
@@ -79,7 +79,7 @@ The following return values can occur:
|
@@ -79,7 +79,7 @@ The following return values can occur:
|
||||||
The write operation was successful, the return value is the number of
|
The write operation was successful, the return value is the number of
|
||||||
bytes actually written to the TLS/SSL connection.
|
bytes actually written to the TLS/SSL connection.
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
diff -up openssl-1.0.1e/apps/apps.c.trusted-first openssl-1.0.1e/apps/apps.c
|
diff -up openssl-1.0.1e/apps/apps.c.trusted-first openssl-1.0.1e/apps/apps.c
|
||||||
--- openssl-1.0.1e/apps/apps.c.trusted-first 2013-02-11 16:26:04.000000000 +0100
|
--- openssl-1.0.1e/apps/apps.c.trusted-first 2013-02-11 16:26:04.000000000 +0100
|
||||||
+++ openssl-1.0.1e/apps/apps.c 2013-07-10 10:42:42.242706279 +0200
|
+++ openssl-1.0.1e/apps/apps.c 2013-08-16 15:42:39.920534769 +0200
|
||||||
@@ -2361,6 +2361,8 @@ int args_verify(char ***pargs, int *parg
|
@@ -2361,6 +2361,8 @@ int args_verify(char ***pargs, int *parg
|
||||||
flags |= X509_V_FLAG_NOTIFY_POLICY;
|
flags |= X509_V_FLAG_NOTIFY_POLICY;
|
||||||
else if (!strcmp(arg, "-check_ss_sig"))
|
else if (!strcmp(arg, "-check_ss_sig"))
|
||||||
@ -10,11 +10,100 @@ diff -up openssl-1.0.1e/apps/apps.c.trusted-first openssl-1.0.1e/apps/apps.c
|
|||||||
else
|
else
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
diff -up openssl-1.0.1e/CHANGES.trusted-first openssl-1.0.1e/CHANGES
|
diff -up openssl-1.0.1e/apps/cms.c.trusted-first openssl-1.0.1e/apps/cms.c
|
||||||
|
--- openssl-1.0.1e/apps/cms.c.trusted-first 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/apps/cms.c 2013-08-16 15:43:56.671213879 +0200
|
||||||
|
@@ -642,6 +642,7 @@ int MAIN(int argc, char **argv)
|
||||||
|
BIO_printf (bio_err, "-text include or delete text MIME headers\n");
|
||||||
|
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
|
||||||
|
BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
|
||||||
|
+ BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
|
||||||
|
BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
|
||||||
|
BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
|
||||||
|
#ifndef OPENSSL_NO_ENGINE
|
||||||
|
diff -up openssl-1.0.1e/apps/ocsp.c.trusted-first openssl-1.0.1e/apps/ocsp.c
|
||||||
|
--- openssl-1.0.1e/apps/ocsp.c.trusted-first 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/apps/ocsp.c 2013-08-16 15:49:47.477572414 +0200
|
||||||
|
@@ -595,6 +595,7 @@ int MAIN(int argc, char **argv)
|
||||||
|
BIO_printf (bio_err, "-path path to use in OCSP request\n");
|
||||||
|
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
|
||||||
|
BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
|
||||||
|
+ BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
|
||||||
|
BIO_printf (bio_err, "-VAfile file validator certificates file\n");
|
||||||
|
BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
|
||||||
|
BIO_printf (bio_err, "-status_age n maximum status age in seconds\n");
|
||||||
|
diff -up openssl-1.0.1e/apps/s_client.c.trusted-first openssl-1.0.1e/apps/s_client.c
|
||||||
|
--- openssl-1.0.1e/apps/s_client.c.trusted-first 2013-08-16 15:42:39.000000000 +0200
|
||||||
|
+++ openssl-1.0.1e/apps/s_client.c 2013-08-16 15:49:00.727542994 +0200
|
||||||
|
@@ -298,6 +298,7 @@ static void sc_usage(void)
|
||||||
|
BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
|
||||||
|
BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
|
||||||
|
BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
|
||||||
|
+ BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n");
|
||||||
|
BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n");
|
||||||
|
BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
|
||||||
|
BIO_printf(bio_err," -showcerts - show all certificates in the chain\n");
|
||||||
|
diff -up openssl-1.0.1e/apps/smime.c.trusted-first openssl-1.0.1e/apps/smime.c
|
||||||
|
--- openssl-1.0.1e/apps/smime.c.trusted-first 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/apps/smime.c 2013-08-16 15:46:44.024875150 +0200
|
||||||
|
@@ -479,6 +479,7 @@ int MAIN(int argc, char **argv)
|
||||||
|
BIO_printf (bio_err, "-text include or delete text MIME headers\n");
|
||||||
|
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
|
||||||
|
BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
|
||||||
|
+ BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
|
||||||
|
BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
|
||||||
|
BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
|
||||||
|
#ifndef OPENSSL_NO_ENGINE
|
||||||
|
diff -up openssl-1.0.1e/apps/s_server.c.trusted-first openssl-1.0.1e/apps/s_server.c
|
||||||
|
--- openssl-1.0.1e/apps/s_server.c.trusted-first 2013-08-16 15:42:39.000000000 +0200
|
||||||
|
+++ openssl-1.0.1e/apps/s_server.c 2013-08-16 15:48:19.469634430 +0200
|
||||||
|
@@ -501,6 +501,7 @@ static void sv_usage(void)
|
||||||
|
BIO_printf(bio_err," -state - Print the SSL states\n");
|
||||||
|
BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
|
||||||
|
BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
|
||||||
|
+ BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n");
|
||||||
|
BIO_printf(bio_err," -nocert - Don't use any certificates (Anon-DH)\n");
|
||||||
|
BIO_printf(bio_err," -cipher arg - play with 'openssl ciphers' to see what goes here\n");
|
||||||
|
BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n");
|
||||||
|
diff -up openssl-1.0.1e/apps/s_time.c.trusted-first openssl-1.0.1e/apps/s_time.c
|
||||||
|
--- openssl-1.0.1e/apps/s_time.c.trusted-first 2013-08-16 15:42:39.000000000 +0200
|
||||||
|
+++ openssl-1.0.1e/apps/s_time.c 2013-08-16 15:47:35.862674188 +0200
|
||||||
|
@@ -179,6 +179,7 @@ static void s_time_usage(void)
|
||||||
|
file if not specified by this option\n\
|
||||||
|
-CApath arg - PEM format directory of CA's\n\
|
||||||
|
-CAfile arg - PEM format file of CA's\n\
|
||||||
|
+-trusted_first - Use trusted CA's first when building the trust chain\n\
|
||||||
|
-cipher - preferred cipher to use, play with 'openssl ciphers'\n\n";
|
||||||
|
|
||||||
|
printf( "usage: s_time <args>\n\n" );
|
||||||
|
diff -up openssl-1.0.1e/apps/ts.c.trusted-first openssl-1.0.1e/apps/ts.c
|
||||||
|
--- openssl-1.0.1e/apps/ts.c.trusted-first 2013-08-16 15:42:39.000000000 +0200
|
||||||
|
+++ openssl-1.0.1e/apps/ts.c 2013-08-16 15:45:27.766206812 +0200
|
||||||
|
@@ -383,7 +383,7 @@ int MAIN(int argc, char **argv)
|
||||||
|
"ts -verify [-data file_to_hash] [-digest digest_bytes] "
|
||||||
|
"[-queryfile request.tsq] "
|
||||||
|
"-in response.tsr [-token_in] "
|
||||||
|
- "-CApath ca_path -CAfile ca_file.pem "
|
||||||
|
+ "-CApath ca_path -CAfile ca_file.pem -trusted_first"
|
||||||
|
"-untrusted cert_file.pem\n");
|
||||||
|
cleanup:
|
||||||
|
/* Clean up. */
|
||||||
|
diff -up openssl-1.0.1e/apps/verify.c.trusted-first openssl-1.0.1e/apps/verify.c
|
||||||
|
--- openssl-1.0.1e/apps/verify.c.trusted-first 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/apps/verify.c 2013-08-16 15:46:09.720124654 +0200
|
||||||
|
@@ -237,7 +237,7 @@ int MAIN(int argc, char **argv)
|
||||||
|
|
||||||
|
end:
|
||||||
|
if (ret == 1) {
|
||||||
|
- BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
|
||||||
|
+ BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
|
||||||
|
BIO_printf(bio_err," [-attime timestamp]");
|
||||||
|
#ifndef OPENSSL_NO_ENGINE
|
||||||
|
BIO_printf(bio_err," [-engine e]");
|
||||||
diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1e/crypto/x509/x509_vfy.c
|
diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1e/crypto/x509/x509_vfy.c
|
||||||
--- openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first 2013-05-31 13:40:52.000000000 +0200
|
--- openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first 2013-08-16 15:42:39.864533545 +0200
|
||||||
+++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2013-07-10 10:45:49.473638295 +0200
|
+++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2013-08-16 15:42:39.921534791 +0200
|
||||||
@@ -205,6 +205,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx
|
@@ -207,6 +207,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx
|
||||||
|
|
||||||
/* If we are self signed, we break */
|
/* If we are self signed, we break */
|
||||||
if (ctx->check_issued(ctx, x,x)) break;
|
if (ctx->check_issued(ctx, x,x)) break;
|
||||||
@ -37,8 +126,8 @@ diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1e/cryp
|
|||||||
/* If we were passed a cert chain, use it first */
|
/* If we were passed a cert chain, use it first */
|
||||||
if (ctx->untrusted != NULL)
|
if (ctx->untrusted != NULL)
|
||||||
diff -up openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1e/crypto/x509/x509_vfy.h
|
diff -up openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1e/crypto/x509/x509_vfy.h
|
||||||
--- openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first 2013-05-31 13:40:51.890277515 +0200
|
--- openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first 2013-08-16 15:42:39.356522432 +0200
|
||||||
+++ openssl-1.0.1e/crypto/x509/x509_vfy.h 2013-07-10 10:42:42.247706379 +0200
|
+++ openssl-1.0.1e/crypto/x509/x509_vfy.h 2013-08-16 15:42:39.922534813 +0200
|
||||||
@@ -389,6 +389,8 @@ void X509_STORE_CTX_set_depth(X509_STORE
|
@@ -389,6 +389,8 @@ void X509_STORE_CTX_set_depth(X509_STORE
|
||||||
#define X509_V_FLAG_USE_DELTAS 0x2000
|
#define X509_V_FLAG_USE_DELTAS 0x2000
|
||||||
/* Check selfsigned CA signature */
|
/* Check selfsigned CA signature */
|
||||||
@ -48,3 +137,194 @@ diff -up openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1e/cryp
|
|||||||
|
|
||||||
|
|
||||||
#define X509_VP_FLAG_DEFAULT 0x1
|
#define X509_VP_FLAG_DEFAULT 0x1
|
||||||
|
diff -up openssl-1.0.1e/doc/apps/cms.pod.trusted-first openssl-1.0.1e/doc/apps/cms.pod
|
||||||
|
--- openssl-1.0.1e/doc/apps/cms.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200
|
||||||
|
+++ openssl-1.0.1e/doc/apps/cms.pod 2013-08-16 15:50:48.723921117 +0200
|
||||||
|
@@ -35,6 +35,7 @@ B<openssl> B<cms>
|
||||||
|
[B<-print>]
|
||||||
|
[B<-CAfile file>]
|
||||||
|
[B<-CApath dir>]
|
||||||
|
+[B<-trusted_first>]
|
||||||
|
[B<-md digest>]
|
||||||
|
[B<-[cipher]>]
|
||||||
|
[B<-nointern>]
|
||||||
|
@@ -238,6 +239,12 @@ B<-verify>. This directory must be a sta
|
||||||
|
is a hash of each subject name (using B<x509 -hash>) should be linked
|
||||||
|
to each certificate.
|
||||||
|
|
||||||
|
+=item B<-trusted_first>
|
||||||
|
+
|
||||||
|
+Use certificates in CA file or CA directory before untrusted certificates
|
||||||
|
+from the message when building the trust chain to verify certificates.
|
||||||
|
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
||||||
|
+
|
||||||
|
=item B<-md digest>
|
||||||
|
|
||||||
|
digest algorithm to use when signing or resigning. If not present then the
|
||||||
|
diff -up openssl-1.0.1e/doc/apps/ocsp.pod.trusted-first openssl-1.0.1e/doc/apps/ocsp.pod
|
||||||
|
--- openssl-1.0.1e/doc/apps/ocsp.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200
|
||||||
|
+++ openssl-1.0.1e/doc/apps/ocsp.pod 2013-08-16 15:52:20.106933403 +0200
|
||||||
|
@@ -29,6 +29,7 @@ B<openssl> B<ocsp>
|
||||||
|
[B<-path>]
|
||||||
|
[B<-CApath dir>]
|
||||||
|
[B<-CAfile file>]
|
||||||
|
+[B<-trusted_first>]
|
||||||
|
[B<-VAfile file>]
|
||||||
|
[B<-validity_period n>]
|
||||||
|
[B<-status_age n>]
|
||||||
|
@@ -138,6 +139,13 @@ or "/" by default.
|
||||||
|
file or pathname containing trusted CA certificates. These are used to verify
|
||||||
|
the signature on the OCSP response.
|
||||||
|
|
||||||
|
+=item B<-trusted_first>
|
||||||
|
+
|
||||||
|
+Use certificates in CA file or CA directory over certificates provided
|
||||||
|
+in the response or residing in other certificates file when building the trust
|
||||||
|
+chain to verify responder certificate.
|
||||||
|
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
||||||
|
+
|
||||||
|
=item B<-verify_other file>
|
||||||
|
|
||||||
|
file containing additional certificates to search when attempting to locate
|
||||||
|
diff -up openssl-1.0.1e/doc/apps/s_client.pod.trusted-first openssl-1.0.1e/doc/apps/s_client.pod
|
||||||
|
--- openssl-1.0.1e/doc/apps/s_client.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200
|
||||||
|
+++ openssl-1.0.1e/doc/apps/s_client.pod 2013-08-16 15:53:17.364194159 +0200
|
||||||
|
@@ -17,6 +17,7 @@ B<openssl> B<s_client>
|
||||||
|
[B<-pass arg>]
|
||||||
|
[B<-CApath directory>]
|
||||||
|
[B<-CAfile filename>]
|
||||||
|
+[B<-trusted_first>]
|
||||||
|
[B<-reconnect>]
|
||||||
|
[B<-pause>]
|
||||||
|
[B<-showcerts>]
|
||||||
|
@@ -107,7 +108,7 @@ also used when building the client certi
|
||||||
|
A file containing trusted certificates to use during server authentication
|
||||||
|
and to use when attempting to build the client certificate chain.
|
||||||
|
|
||||||
|
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
|
||||||
|
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
|
||||||
|
|
||||||
|
Set various certificate chain valiadition option. See the
|
||||||
|
L<B<verify>|verify(1)> manual page for details.
|
||||||
|
diff -up openssl-1.0.1e/doc/apps/smime.pod.trusted-first openssl-1.0.1e/doc/apps/smime.pod
|
||||||
|
--- openssl-1.0.1e/doc/apps/smime.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200
|
||||||
|
+++ openssl-1.0.1e/doc/apps/smime.pod 2013-08-16 15:56:12.497050767 +0200
|
||||||
|
@@ -15,6 +15,9 @@ B<openssl> B<smime>
|
||||||
|
[B<-pk7out>]
|
||||||
|
[B<-[cipher]>]
|
||||||
|
[B<-in file>]
|
||||||
|
+[B<-CAfile file>]
|
||||||
|
+[B<-CApath dir>]
|
||||||
|
+[B<-trusted_first>]
|
||||||
|
[B<-certfile file>]
|
||||||
|
[B<-signer file>]
|
||||||
|
[B<-recip file>]
|
||||||
|
@@ -146,6 +149,12 @@ B<-verify>. This directory must be a sta
|
||||||
|
is a hash of each subject name (using B<x509 -hash>) should be linked
|
||||||
|
to each certificate.
|
||||||
|
|
||||||
|
+=item B<-trusted_first>
|
||||||
|
+
|
||||||
|
+Use certificates in CA file or CA directory over certificates provided
|
||||||
|
+in the message when building the trust chain to verify a certificate.
|
||||||
|
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
||||||
|
+
|
||||||
|
=item B<-md digest>
|
||||||
|
|
||||||
|
digest algorithm to use when signing or resigning. If not present then the
|
||||||
|
diff -up openssl-1.0.1e/doc/apps/s_server.pod.trusted-first openssl-1.0.1e/doc/apps/s_server.pod
|
||||||
|
--- openssl-1.0.1e/doc/apps/s_server.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200
|
||||||
|
+++ openssl-1.0.1e/doc/apps/s_server.pod 2013-08-16 15:54:33.609873214 +0200
|
||||||
|
@@ -33,6 +33,7 @@ B<openssl> B<s_server>
|
||||||
|
[B<-state>]
|
||||||
|
[B<-CApath directory>]
|
||||||
|
[B<-CAfile filename>]
|
||||||
|
+[B<-trusted_first>]
|
||||||
|
[B<-nocert>]
|
||||||
|
[B<-cipher cipherlist>]
|
||||||
|
[B<-quiet>]
|
||||||
|
@@ -168,6 +169,12 @@ and to use when attempting to build the
|
||||||
|
is also used in the list of acceptable client CAs passed to the client when
|
||||||
|
a certificate is requested.
|
||||||
|
|
||||||
|
+=item B<-trusted_first>
|
||||||
|
+
|
||||||
|
+Use certificates in CA file or CA directory before other certificates
|
||||||
|
+when building the trust chain to verify client certificates.
|
||||||
|
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
||||||
|
+
|
||||||
|
=item B<-state>
|
||||||
|
|
||||||
|
prints out the SSL session states.
|
||||||
|
diff -up openssl-1.0.1e/doc/apps/s_time.pod.trusted-first openssl-1.0.1e/doc/apps/s_time.pod
|
||||||
|
--- openssl-1.0.1e/doc/apps/s_time.pod.trusted-first 2013-02-11 16:02:48.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/doc/apps/s_time.pod 2013-08-16 15:55:12.651732938 +0200
|
||||||
|
@@ -14,6 +14,7 @@ B<openssl> B<s_time>
|
||||||
|
[B<-key filename>]
|
||||||
|
[B<-CApath directory>]
|
||||||
|
[B<-CAfile filename>]
|
||||||
|
+[B<-trusted_first>]
|
||||||
|
[B<-reuse>]
|
||||||
|
[B<-new>]
|
||||||
|
[B<-verify depth>]
|
||||||
|
@@ -76,6 +77,12 @@ also used when building the client certi
|
||||||
|
A file containing trusted certificates to use during server authentication
|
||||||
|
and to use when attempting to build the client certificate chain.
|
||||||
|
|
||||||
|
+=item B<-trusted_first>
|
||||||
|
+
|
||||||
|
+Use certificates in CA file or CA directory over the certificates provided
|
||||||
|
+by the server when building the trust chain to verify server certificate.
|
||||||
|
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
||||||
|
+
|
||||||
|
=item B<-new>
|
||||||
|
|
||||||
|
performs the timing test using a new session ID for each connection.
|
||||||
|
diff -up openssl-1.0.1e/doc/apps/ts.pod.trusted-first openssl-1.0.1e/doc/apps/ts.pod
|
||||||
|
--- openssl-1.0.1e/doc/apps/ts.pod.trusted-first 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/doc/apps/ts.pod 2013-08-16 15:57:17.399479957 +0200
|
||||||
|
@@ -46,6 +46,7 @@ B<-verify>
|
||||||
|
[B<-token_in>]
|
||||||
|
[B<-CApath> trusted_cert_path]
|
||||||
|
[B<-CAfile> trusted_certs.pem]
|
||||||
|
+[B<-trusted_first>]
|
||||||
|
[B<-untrusted> cert_file.pem]
|
||||||
|
|
||||||
|
=head1 DESCRIPTION
|
||||||
|
@@ -324,6 +325,12 @@ L<verify(1)|verify(1)> for additional de
|
||||||
|
or B<-CApath> must be specified.
|
||||||
|
(Optional)
|
||||||
|
|
||||||
|
+=item B<-trusted_first>
|
||||||
|
+
|
||||||
|
+Use certificates in CA file or CA directory before other certificates
|
||||||
|
+when building the trust chain to verify certificates.
|
||||||
|
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
||||||
|
+
|
||||||
|
=item B<-untrusted> cert_file.pem
|
||||||
|
|
||||||
|
Set of additional untrusted certificates in PEM format which may be
|
||||||
|
diff -up openssl-1.0.1e/doc/apps/verify.pod.trusted-first openssl-1.0.1e/doc/apps/verify.pod
|
||||||
|
--- openssl-1.0.1e/doc/apps/verify.pod.trusted-first 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/doc/apps/verify.pod 2013-08-16 15:58:00.267423925 +0200
|
||||||
|
@@ -9,6 +9,7 @@ verify - Utility to verify certificates.
|
||||||
|
B<openssl> B<verify>
|
||||||
|
[B<-CApath directory>]
|
||||||
|
[B<-CAfile file>]
|
||||||
|
+[B<-trusted_first>]
|
||||||
|
[B<-purpose purpose>]
|
||||||
|
[B<-policy arg>]
|
||||||
|
[B<-ignore_critical>]
|
||||||
|
@@ -56,6 +57,12 @@ in PEM format concatenated together.
|
||||||
|
A file of untrusted certificates. The file should contain multiple certificates
|
||||||
|
in PEM format concatenated together.
|
||||||
|
|
||||||
|
+=item B<-trusted_first>
|
||||||
|
+
|
||||||
|
+Use certificates in CA file or CA directory before the certificates in the untrusted
|
||||||
|
+file when building the trust chain to verify certificates.
|
||||||
|
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
||||||
|
+
|
||||||
|
=item B<-purpose purpose>
|
||||||
|
|
||||||
|
The intended use for the certificate. If this option is not specified,
|
||||||
|
@ -21,7 +21,7 @@
|
|||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 1.0.1e
|
Version: 1.0.1e
|
||||||
Release: 14%{?dist}
|
Release: 15%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -441,6 +441,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||||||
%postun libs -p /sbin/ldconfig
|
%postun libs -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Aug 16 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-15
|
||||||
|
- fix use of rdrand if available
|
||||||
|
- more commits cherry picked from upstream
|
||||||
|
- documentation fixes
|
||||||
|
|
||||||
* Sat Aug 03 2013 Petr Pisar <ppisar@redhat.com> - 1:1.0.1e-14
|
* Sat Aug 03 2013 Petr Pisar <ppisar@redhat.com> - 1:1.0.1e-14
|
||||||
- Perl 5.18 rebuild
|
- Perl 5.18 rebuild
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user