dc696f
From 08f8933fa34d242383a1e12d4701acb1855686bf Mon Sep 17 00:00:00 2001
dc696f
From: Nick Alcock <nix@esperi.org.uk>
dc696f
Date: Fri, 15 Feb 2013 17:44:11 +0000
dc696f
Subject: [PATCH] Fix POD errors to stop make install_docs dying with pod2man
dc696f
 2.5.0+
dc696f
dc696f
podlators 2.5.0 has switched to dying on POD syntax errors. This means
dc696f
that a bunch of long-standing erroneous POD in the openssl documentation
dc696f
now leads to fatal errors from pod2man, halting installation.
dc696f
dc696f
Unfortunately POD constraints mean that you have to sort numeric lists
dc696f
in ascending order if they start with 1: you cannot do 1, 0, 2 even if
dc696f
you want 1 to appear first. I've reshuffled such (alas, I wish there
dc696f
were a better way but I don't know of one).
dc696f
(cherry picked from commit 5cc270774258149235f69e1789b3370f57b0e27b)
dc696f
---
dc696f
 doc/crypto/X509_STORE_CTX_get_error.pod   |    2 ++
dc696f
 doc/ssl/SSL_CTX_set_client_CA_list.pod    |    8 ++++----
dc696f
 doc/ssl/SSL_CTX_use_psk_identity_hint.pod |    4 ++++
dc696f
 doc/ssl/SSL_accept.pod                    |   10 +++++-----
dc696f
 doc/ssl/SSL_connect.pod                   |   10 +++++-----
dc696f
 doc/ssl/SSL_do_handshake.pod              |   10 +++++-----
dc696f
 doc/ssl/SSL_shutdown.pod                  |   10 +++++-----
dc696f
 7 files changed, 30 insertions(+), 24 deletions(-)
dc696f
dc696f
diff --git a/doc/crypto/X509_STORE_CTX_get_error.pod b/doc/crypto/X509_STORE_CTX_get_error.pod
dc696f
index a883f6c..60e8332 100644
dc696f
--- a/doc/crypto/X509_STORE_CTX_get_error.pod
dc696f
+++ b/doc/crypto/X509_STORE_CTX_get_error.pod
dc696f
@@ -278,6 +278,8 @@ happen if extended CRL checking is enabled.
dc696f
 an application specific error. This will never be returned unless explicitly
dc696f
 set by an application.
dc696f
 
dc696f
+=back
dc696f
+
dc696f
 =head1 NOTES
dc696f
 
dc696f
 The above functions should be used instead of directly referencing the fields
dc696f
diff --git a/doc/ssl/SSL_CTX_set_client_CA_list.pod b/doc/ssl/SSL_CTX_set_client_CA_list.pod
dc696f
index 632b556..5e66133 100644
dc696f
--- a/doc/ssl/SSL_CTX_set_client_CA_list.pod
dc696f
+++ b/doc/ssl/SSL_CTX_set_client_CA_list.pod
dc696f
@@ -66,16 +66,16 @@ values:
dc696f
 
dc696f
 =over 4
dc696f
 
dc696f
-=item 1
dc696f
-
dc696f
-The operation succeeded.
dc696f
-
dc696f
 =item 0
dc696f
 
dc696f
 A failure while manipulating the STACK_OF(X509_NAME) object occurred or
dc696f
 the X509_NAME could not be extracted from B<cacert>. Check the error stack
dc696f
 to find out the reason.
dc696f
 
dc696f
+=item 1
dc696f
+
dc696f
+The operation succeeded.
dc696f
+
dc696f
 =back
dc696f
 
dc696f
 =head1 EXAMPLES
dc696f
diff --git a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
dc696f
index b80e25b..7e60df5 100644
dc696f
--- a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
dc696f
+++ b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
dc696f
@@ -81,6 +81,8 @@ SSL_CTX_use_psk_identity_hint() and SSL_use_psk_identity_hint() return
dc696f
 
dc696f
 Return values from the server callback are interpreted as follows:
dc696f
 
dc696f
+=over 4
dc696f
+
dc696f
 =item > 0
dc696f
 
dc696f
 PSK identity was found and the server callback has provided the PSK
dc696f
@@ -99,4 +101,6 @@ completely.
dc696f
 PSK identity was not found. An "unknown_psk_identity" alert message
dc696f
 will be sent and the connection setup fails.
dc696f
 
dc696f
+=back
dc696f
+
dc696f
 =cut
dc696f
diff --git a/doc/ssl/SSL_accept.pod b/doc/ssl/SSL_accept.pod
dc696f
index cc724c0..b1c34d1 100644
dc696f
--- a/doc/ssl/SSL_accept.pod
dc696f
+++ b/doc/ssl/SSL_accept.pod
dc696f
@@ -44,17 +44,17 @@ The following return values can occur:
dc696f
 
dc696f
 =over 4
dc696f
 
dc696f
-=item 1
dc696f
-
dc696f
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
dc696f
-established.
dc696f
-
dc696f
 =item 0
dc696f
 
dc696f
 The TLS/SSL handshake was not successful but was shut down controlled and
dc696f
 by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
dc696f
 return value B<ret> to find out the reason.
dc696f
 
dc696f
+=item 1
dc696f
+
dc696f
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
dc696f
+established.
dc696f
+
dc696f
 =item E<lt>0
dc696f
 
dc696f
 The TLS/SSL handshake was not successful because a fatal error occurred either
dc696f
diff --git a/doc/ssl/SSL_connect.pod b/doc/ssl/SSL_connect.pod
dc696f
index cc56ebb..946ca89 100644
dc696f
--- a/doc/ssl/SSL_connect.pod
dc696f
+++ b/doc/ssl/SSL_connect.pod
dc696f
@@ -41,17 +41,17 @@ The following return values can occur:
dc696f
 
dc696f
 =over 4
dc696f
 
dc696f
-=item 1
dc696f
-
dc696f
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
dc696f
-established.
dc696f
-
dc696f
 =item 0
dc696f
 
dc696f
 The TLS/SSL handshake was not successful but was shut down controlled and
dc696f
 by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
dc696f
 return value B<ret> to find out the reason.
dc696f
 
dc696f
+=item 1
dc696f
+
dc696f
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
dc696f
+established.
dc696f
+
dc696f
 =item E<lt>0
dc696f
 
dc696f
 The TLS/SSL handshake was not successful, because a fatal error occurred either
dc696f
diff --git a/doc/ssl/SSL_do_handshake.pod b/doc/ssl/SSL_do_handshake.pod
dc696f
index 2435764..7f8cf24 100644
dc696f
--- a/doc/ssl/SSL_do_handshake.pod
dc696f
+++ b/doc/ssl/SSL_do_handshake.pod
dc696f
@@ -45,17 +45,17 @@ The following return values can occur:
dc696f
 
dc696f
 =over 4
dc696f
 
dc696f
-=item 1
dc696f
-
dc696f
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
dc696f
-established.
dc696f
-
dc696f
 =item 0
dc696f
 
dc696f
 The TLS/SSL handshake was not successful but was shut down controlled and
dc696f
 by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
dc696f
 return value B<ret> to find out the reason.
dc696f
 
dc696f
+=item 1
dc696f
+
dc696f
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
dc696f
+established.
dc696f
+
dc696f
 =item E<lt>0
dc696f
 
dc696f
 The TLS/SSL handshake was not successful because a fatal error occurred either
dc696f
diff --git a/doc/ssl/SSL_shutdown.pod b/doc/ssl/SSL_shutdown.pod
dc696f
index 89911ac..42a89b7 100644
dc696f
--- a/doc/ssl/SSL_shutdown.pod
dc696f
+++ b/doc/ssl/SSL_shutdown.pod
dc696f
@@ -92,11 +92,6 @@ The following return values can occur:
dc696f
 
dc696f
 =over 4
dc696f
 
dc696f
-=item 1
dc696f
-
dc696f
-The shutdown was successfully completed. The "close notify" alert was sent
dc696f
-and the peer's "close notify" alert was received.
dc696f
-
dc696f
 =item 0
dc696f
 
dc696f
 The shutdown is not yet finished. Call SSL_shutdown() for a second time,
dc696f
@@ -104,6 +99,11 @@ if a bidirectional shutdown shall be performed.
dc696f
 The output of L<ssl_get_error(3)|ssl_get_error(3)> may be misleading, as an
dc696f
 erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
dc696f
 
dc696f
+=item 1
dc696f
+
dc696f
+The shutdown was successfully completed. The "close notify" alert was sent
dc696f
+and the peer's "close notify" alert was received.
dc696f
+
dc696f
 =item -1
dc696f
 
dc696f
 The shutdown was not successful because a fatal error occurred either
dc696f
-- 
dc696f
1.7.9.5
dc696f
dc696f
From 147dbb2fe3bead7a10e2f280261b661ce7af7adc Mon Sep 17 00:00:00 2001
dc696f
From: "Dr. Stephen Henson" <steve@openssl.org>
dc696f
Date: Mon, 11 Feb 2013 18:24:03 +0000
dc696f
Subject: [PATCH] Fix for SSL_get_certificate
dc696f
dc696f
Now that we set the current certificate to the one used by a server,
dc696f
there is no need to call ssl_get_server_send_cert which will
dc696f
fail if we haven't sent a certificate yet.
dc696f
---
dc696f
 ssl/ssl_lib.c |    4 +---
dc696f
 1 file changed, 1 insertion(+), 3 deletions(-)
dc696f
dc696f
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
dc696f
index 14d143d..ff5a85a 100644
dc696f
--- a/ssl/ssl_lib.c
dc696f
+++ b/ssl/ssl_lib.c
dc696f
@@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s)
dc696f
 /* Fix this function so that it takes an optional type parameter */
dc696f
 X509 *SSL_get_certificate(const SSL *s)
dc696f
 	{
dc696f
-	if (s->server)
dc696f
-		return(ssl_get_server_send_cert(s));
dc696f
-	else if (s->cert != NULL)
dc696f
+	if (s->cert != NULL)
dc696f
 		return(s->cert->key->x509);
dc696f
 	else
dc696f
 		return(NULL);
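Review bot: With the server branch removed, SSL_get_certificate() now returns s->cert->key->x509 for servers as well, so its answer is only meaningful once the key slot has been pointed at the certificate selected for this connection; before that point it yields whatever the default slot holds instead of the failure the old ssl_get_server_send_cert() path produced. Add a comment stating that dependency, e.g. `/* For a server this relies on s->cert->key having been switched to the certificate chosen for this connection; before that the default slot is returned. */`, and consider refreshing the stale "optional type parameter" comment above the signature at the same time. Whether s->cert->key can itself be NULL is not visible here; if it can, the dereference on the `return(s->cert->key->x509);` line is unguarded. The function's closing brace lies outside the hunk.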
dc696f
-- 
dc696f
1.7.9.5
dc696f
dc696f
From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001
dc696f
From: David Woodhouse <dwmw2@infradead.org>
dc696f
Date: Tue, 12 Feb 2013 14:55:32 +0000
dc696f
Subject: [PATCH] Check DTLS_BAD_VER for version number.
dc696f
dc696f
The version check for DTLS1_VERSION was redundant as
dc696f
DTLS1_VERSION > TLS1_1_VERSION; however, we do need to
dc696f
check for DTLS1_BAD_VER for compatibility.
dc696f
dc696f
PR:2984
dc696f
(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)
dc696f
---
dc696f
 ssl/s3_cbc.c |    2 +-
dc696f
 1 file changed, 1 insertion(+), 1 deletion(-)
dc696f
dc696f
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
dc696f
index 02edf3f..443a31e 100644
dc696f
--- a/ssl/s3_cbc.c
dc696f
+++ b/ssl/s3_cbc.c
dc696f
@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
dc696f
 	unsigned padding_length, good, to_check, i;
dc696f
 	const unsigned overhead = 1 /* padding length byte */ + mac_size;
dc696f
 	/* Check if version requires explicit IV */
dc696f
-	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
dc696f
+	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
dc696f
 		{
dc696f
 		/* These lengths are all public so we can test them in
dc696f
 		 * non-constant time.
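Review bot: The new condition on the `if` line now covers DTLS1_VERSION only through the `>= TLS1_1_VERSION` comparison, which holds because of how DTLS version numbers are encoded rather than by intent, while the comment above still just says "Check if version requires explicit IV". Since this test decides how CBC padding is stripped in code that is deliberately constant-time, record the reasoning so the next reader does not drop or re-add a case by mistake: `/* TLS >= 1.1 and DTLS (whose version encoding sorts above TLS1_1_VERSION) use an explicit IV; the pre-standard DTLS1_BAD_VER does not sort that way and needs its own check. */`. The comparison also quietly assumes no future DTLS version value sorts below TLS1_1_VERSION; a protocol-aware predicate would be more robust if this tree has one. tls1_cbc_remove_padding() begins and ends outside the hunk.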
dc696f
-- 
dc696f
1.7.9.5
dc696f