257 lines
7.9 KiB
Diff
257 lines
7.9 KiB
Diff
From 08f8933fa34d242383a1e12d4701acb1855686bf Mon Sep 17 00:00:00 2001
|
|
From: Nick Alcock <nix@esperi.org.uk>
|
|
Date: Fri, 15 Feb 2013 17:44:11 +0000
|
|
Subject: [PATCH] Fix POD errors to stop make install_docs dying with pod2man
|
|
2.5.0+
|
|
|
|
podlators 2.5.0 has switched to dying on POD syntax errors. This means
|
|
that a bunch of long-standing erroneous POD in the openssl documentation
|
|
now leads to fatal errors from pod2man, halting installation.
|
|
|
|
Unfortunately POD constraints mean that you have to sort numeric lists
|
|
in ascending order if they start with 1: you cannot do 1, 0, 2 even if
|
|
you want 1 to appear first. I've reshuffled such (alas, I wish there
|
|
were a better way but I don't know of one).
|
|
(cherry picked from commit 5cc270774258149235f69e1789b3370f57b0e27b)
|
|
---
|
|
doc/crypto/X509_STORE_CTX_get_error.pod | 2 ++
|
|
doc/ssl/SSL_CTX_set_client_CA_list.pod | 8 ++++----
|
|
doc/ssl/SSL_CTX_use_psk_identity_hint.pod | 4 ++++
|
|
doc/ssl/SSL_accept.pod | 10 +++++-----
|
|
doc/ssl/SSL_connect.pod | 10 +++++-----
|
|
doc/ssl/SSL_do_handshake.pod | 10 +++++-----
|
|
doc/ssl/SSL_shutdown.pod | 10 +++++-----
|
|
7 files changed, 30 insertions(+), 24 deletions(-)
|
|
|
|
diff --git a/doc/crypto/X509_STORE_CTX_get_error.pod b/doc/crypto/X509_STORE_CTX_get_error.pod
|
|
index a883f6c..60e8332 100644
|
|
--- a/doc/crypto/X509_STORE_CTX_get_error.pod
|
|
+++ b/doc/crypto/X509_STORE_CTX_get_error.pod
|
|
@@ -278,6 +278,8 @@ happen if extended CRL checking is enabled.
|
|
an application specific error. This will never be returned unless explicitly
|
|
set by an application.
|
|
|
|
+=back
|
|
+
|
|
=head1 NOTES
|
|
|
|
The above functions should be used instead of directly referencing the fields
|
|
diff --git a/doc/ssl/SSL_CTX_set_client_CA_list.pod b/doc/ssl/SSL_CTX_set_client_CA_list.pod
|
|
index 632b556..5e66133 100644
|
|
--- a/doc/ssl/SSL_CTX_set_client_CA_list.pod
|
|
+++ b/doc/ssl/SSL_CTX_set_client_CA_list.pod
|
|
@@ -66,16 +66,16 @@ values:
|
|
|
|
=over 4
|
|
|
|
-=item 1
|
|
-
|
|
-The operation succeeded.
|
|
-
|
|
=item 0
|
|
|
|
A failure while manipulating the STACK_OF(X509_NAME) object occurred or
|
|
the X509_NAME could not be extracted from B<cacert>. Check the error stack
|
|
to find out the reason.
|
|
|
|
+=item 1
|
|
+
|
|
+The operation succeeded.
|
|
+
|
|
=back
|
|
|
|
=head1 EXAMPLES
|
|
diff --git a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
|
|
index b80e25b..7e60df5 100644
|
|
--- a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
|
|
+++ b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
|
|
@@ -81,6 +81,8 @@ SSL_CTX_use_psk_identity_hint() and SSL_use_psk_identity_hint() return
|
|
|
|
Return values from the server callback are interpreted as follows:
|
|
|
|
+=over 4
|
|
+
|
|
=item > 0
|
|
|
|
PSK identity was found and the server callback has provided the PSK
|
|
@@ -99,4 +101,6 @@ completely.
|
|
PSK identity was not found. An "unknown_psk_identity" alert message
|
|
will be sent and the connection setup fails.
|
|
|
|
+=back
|
|
+
|
|
=cut
|
|
diff --git a/doc/ssl/SSL_accept.pod b/doc/ssl/SSL_accept.pod
|
|
index cc724c0..b1c34d1 100644
|
|
--- a/doc/ssl/SSL_accept.pod
|
|
+++ b/doc/ssl/SSL_accept.pod
|
|
@@ -44,17 +44,17 @@ The following return values can occur:
|
|
|
|
=over 4
|
|
|
|
-=item 1
|
|
-
|
|
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
|
|
-established.
|
|
-
|
|
=item 0
|
|
|
|
The TLS/SSL handshake was not successful but was shut down controlled and
|
|
by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
|
|
return value B<ret> to find out the reason.
|
|
|
|
+=item 1
|
|
+
|
|
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
|
|
+established.
|
|
+
|
|
=item E<lt>0
|
|
|
|
The TLS/SSL handshake was not successful because a fatal error occurred either
|
|
diff --git a/doc/ssl/SSL_connect.pod b/doc/ssl/SSL_connect.pod
|
|
index cc56ebb..946ca89 100644
|
|
--- a/doc/ssl/SSL_connect.pod
|
|
+++ b/doc/ssl/SSL_connect.pod
|
|
@@ -41,17 +41,17 @@ The following return values can occur:
|
|
|
|
=over 4
|
|
|
|
-=item 1
|
|
-
|
|
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
|
|
-established.
|
|
-
|
|
=item 0
|
|
|
|
The TLS/SSL handshake was not successful but was shut down controlled and
|
|
by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
|
|
return value B<ret> to find out the reason.
|
|
|
|
+=item 1
|
|
+
|
|
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
|
|
+established.
|
|
+
|
|
=item E<lt>0
|
|
|
|
The TLS/SSL handshake was not successful, because a fatal error occurred either
|
|
diff --git a/doc/ssl/SSL_do_handshake.pod b/doc/ssl/SSL_do_handshake.pod
|
|
index 2435764..7f8cf24 100644
|
|
--- a/doc/ssl/SSL_do_handshake.pod
|
|
+++ b/doc/ssl/SSL_do_handshake.pod
|
|
@@ -45,17 +45,17 @@ The following return values can occur:
|
|
|
|
=over 4
|
|
|
|
-=item 1
|
|
-
|
|
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
|
|
-established.
|
|
-
|
|
=item 0
|
|
|
|
The TLS/SSL handshake was not successful but was shut down controlled and
|
|
by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
|
|
return value B<ret> to find out the reason.
|
|
|
|
+=item 1
|
|
+
|
|
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
|
|
+established.
|
|
+
|
|
=item E<lt>0
|
|
|
|
The TLS/SSL handshake was not successful because a fatal error occurred either
|
|
diff --git a/doc/ssl/SSL_shutdown.pod b/doc/ssl/SSL_shutdown.pod
|
|
index 89911ac..42a89b7 100644
|
|
--- a/doc/ssl/SSL_shutdown.pod
|
|
+++ b/doc/ssl/SSL_shutdown.pod
|
|
@@ -92,11 +92,6 @@ The following return values can occur:
|
|
|
|
=over 4
|
|
|
|
-=item 1
|
|
-
|
|
-The shutdown was successfully completed. The "close notify" alert was sent
|
|
-and the peer's "close notify" alert was received.
|
|
-
|
|
=item 0
|
|
|
|
The shutdown is not yet finished. Call SSL_shutdown() for a second time,
|
|
@@ -104,6 +99,11 @@ if a bidirectional shutdown shall be performed.
|
|
The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an
|
|
erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
|
|
|
|
+=item 1
|
|
+
|
|
+The shutdown was successfully completed. The "close notify" alert was sent
|
|
+and the peer's "close notify" alert was received.
|
|
+
|
|
=item -1
|
|
|
|
The shutdown was not successful because a fatal error occurred either
|
|
--
|
|
1.7.9.5
|
|
|
|
From 147dbb2fe3bead7a10e2f280261b661ce7af7adc Mon Sep 17 00:00:00 2001
|
|
From: "Dr. Stephen Henson" <steve@openssl.org>
|
|
Date: Mon, 11 Feb 2013 18:24:03 +0000
|
|
Subject: [PATCH] Fix for SSL_get_certificate
|
|
|
|
Now we set the current certificate to the one used by a server
|
|
there is no need to call ssl_get_server_send_cert which will
|
|
fail if we haven't sent a certificate yet.
|
|
---
|
|
ssl/ssl_lib.c | 4 +---
|
|
1 file changed, 1 insertion(+), 3 deletions(-)
|
|
|
|
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
|
index 14d143d..ff5a85a 100644
|
|
--- a/ssl/ssl_lib.c
|
|
+++ b/ssl/ssl_lib.c
|
|
@@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s)
|
|
/* Fix this function so that it takes an optional type parameter */
|
|
X509 *SSL_get_certificate(const SSL *s)
|
|
{
|
|
- if (s->server)
|
|
- return(ssl_get_server_send_cert(s));
|
|
- else if (s->cert != NULL)
|
|
+ if (s->cert != NULL)
|
|
return(s->cert->key->x509);
|
|
else
|
|
return(NULL);
|
|
--
|
|
1.7.9.5
|
|
|
|
From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001
|
|
From: David Woodhouse <dwmw2@infradead.org>
|
|
Date: Tue, 12 Feb 2013 14:55:32 +0000
|
|
Subject: [PATCH] Check DTLS_BAD_VER for version number.
|
|
|
|
The version check for DTLS1_VERSION was redundant as
|
|
DTLS1_VERSION > TLS1_1_VERSION, however we do need to
|
|
check for DTLS1_BAD_VER for compatibility.
|
|
|
|
PR:2984
|
|
(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)
|
|
---
|
|
ssl/s3_cbc.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
|
|
index 02edf3f..443a31e 100644
|
|
--- a/ssl/s3_cbc.c
|
|
+++ b/ssl/s3_cbc.c
|
|
@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
|
|
unsigned padding_length, good, to_check, i;
|
|
const unsigned overhead = 1 /* padding length byte */ + mac_size;
|
|
/* Check if version requires explicit IV */
|
|
- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
|
|
+ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
|
|
{
|
|
/* These lengths are all public so we can test them in
|
|
* non-constant time.
|
|
--
|
|
1.7.9.5
|
|
|