From 08f8933fa34d242383a1e12d4701acb1855686bf Mon Sep 17 00:00:00 2001 From: Nick Alcock Date: Fri, 15 Feb 2013 17:44:11 +0000 Subject: [PATCH] Fix POD errors to stop make install_docs dying with pod2man 2.5.0+ podlators 2.5.0 has switched to dying on POD syntax errors. This means that a bunch of long-standing erroneous POD in the openssl documentation now leads to fatal errors from pod2man, halting installation. Unfortunately POD constraints mean that you have to sort numeric lists in ascending order if they start with 1: you cannot do 1, 0, 2 even if you want 1 to appear first. I've reshuffled such (alas, I wish there were a better way but I don't know of one). (cherry picked from commit 5cc270774258149235f69e1789b3370f57b0e27b) --- doc/crypto/X509_STORE_CTX_get_error.pod | 2 ++ doc/ssl/SSL_CTX_set_client_CA_list.pod | 8 ++++---- doc/ssl/SSL_CTX_use_psk_identity_hint.pod | 4 ++++ doc/ssl/SSL_accept.pod | 10 +++++----- doc/ssl/SSL_connect.pod | 10 +++++----- doc/ssl/SSL_do_handshake.pod | 10 +++++----- doc/ssl/SSL_shutdown.pod | 10 +++++----- 7 files changed, 30 insertions(+), 24 deletions(-) diff --git a/doc/crypto/X509_STORE_CTX_get_error.pod b/doc/crypto/X509_STORE_CTX_get_error.pod index a883f6c..60e8332 100644 --- a/doc/crypto/X509_STORE_CTX_get_error.pod +++ b/doc/crypto/X509_STORE_CTX_get_error.pod @@ -278,6 +278,8 @@ happen if extended CRL checking is enabled. an application specific error. This will never be returned unless explicitly set by an application. +=back + =head1 NOTES The above functions should be used instead of directly referencing the fields diff --git a/doc/ssl/SSL_CTX_set_client_CA_list.pod b/doc/ssl/SSL_CTX_set_client_CA_list.pod index 632b556..5e66133 100644 --- a/doc/ssl/SSL_CTX_set_client_CA_list.pod +++ b/doc/ssl/SSL_CTX_set_client_CA_list.pod @@ -66,16 +66,16 @@ values: =over 4 -=item 1 - -The operation succeeded. - =item 0 A failure while manipulating the STACK_OF(X509_NAME) object occurred or the X509_NAME could not be extracted from B. Check the error stack to find out the reason. +=item 1 + +The operation succeeded. + =back =head1 EXAMPLES diff --git a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod index b80e25b..7e60df5 100644 --- a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod +++ b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod @@ -81,6 +81,8 @@ SSL_CTX_use_psk_identity_hint() and SSL_use_psk_identity_hint() return Return values from the server callback are interpreted as follows: +=over 4 + =item > 0 PSK identity was found and the server callback has provided the PSK @@ -99,4 +101,6 @@ completely. PSK identity was not found. An "unknown_psk_identity" alert message will be sent and the connection setup fails. +=back + =cut diff --git a/doc/ssl/SSL_accept.pod b/doc/ssl/SSL_accept.pod index cc724c0..b1c34d1 100644 --- a/doc/ssl/SSL_accept.pod +++ b/doc/ssl/SSL_accept.pod @@ -44,17 +44,17 @@ The following return values can occur: =over 4 -=item 1 - -The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been -established. - =item 0 The TLS/SSL handshake was not successful but was shut down controlled and by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the return value B to find out the reason. +=item 1 + +The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been +established. + =item E0 The TLS/SSL handshake was not successful because a fatal error occurred either diff --git a/doc/ssl/SSL_connect.pod b/doc/ssl/SSL_connect.pod index cc56ebb..946ca89 100644 --- a/doc/ssl/SSL_connect.pod +++ b/doc/ssl/SSL_connect.pod @@ -41,17 +41,17 @@ The following return values can occur: =over 4 -=item 1 - -The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been -established. - =item 0 The TLS/SSL handshake was not successful but was shut down controlled and by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the return value B to find out the reason. +=item 1 + +The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been +established. + =item E0 The TLS/SSL handshake was not successful, because a fatal error occurred either diff --git a/doc/ssl/SSL_do_handshake.pod b/doc/ssl/SSL_do_handshake.pod index 2435764..7f8cf24 100644 --- a/doc/ssl/SSL_do_handshake.pod +++ b/doc/ssl/SSL_do_handshake.pod @@ -45,17 +45,17 @@ The following return values can occur: =over 4 -=item 1 - -The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been -established. - =item 0 The TLS/SSL handshake was not successful but was shut down controlled and by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the return value B to find out the reason. +=item 1 + +The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been +established. + =item E0 The TLS/SSL handshake was not successful because a fatal error occurred either diff --git a/doc/ssl/SSL_shutdown.pod b/doc/ssl/SSL_shutdown.pod index 89911ac..42a89b7 100644 --- a/doc/ssl/SSL_shutdown.pod +++ b/doc/ssl/SSL_shutdown.pod @@ -92,11 +92,6 @@ The following return values can occur: =over 4 -=item 1 - -The shutdown was successfully completed. The "close notify" alert was sent -and the peer's "close notify" alert was received. - =item 0 The shutdown is not yet finished. Call SSL_shutdown() for a second time, @@ -104,6 +99,11 @@ if a bidirectional shutdown shall be performed. The output of L may be misleading, as an erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred. +=item 1 + +The shutdown was successfully completed. The "close notify" alert was sent +and the peer's "close notify" alert was received. + =item -1 The shutdown was not successful because a fatal error occurred either -- 1.7.9.5 From 147dbb2fe3bead7a10e2f280261b661ce7af7adc Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Mon, 11 Feb 2013 18:24:03 +0000 Subject: [PATCH] Fix for SSL_get_certificate Now we set the current certificate to the one used by a server there is no need to call ssl_get_server_send_cert which will fail if we haven't sent a certificate yet. --- ssl/ssl_lib.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 14d143d..ff5a85a 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s) /* Fix this function so that it takes an optional type parameter */ X509 *SSL_get_certificate(const SSL *s) { - if (s->server) - return(ssl_get_server_send_cert(s)); - else if (s->cert != NULL) + if (s->cert != NULL) return(s->cert->key->x509); else return(NULL); -- 1.7.9.5 From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Tue, 12 Feb 2013 14:55:32 +0000 Subject: [PATCH] Check DTLS_BAD_VER for version number. The version check for DTLS1_VERSION was redundant as DTLS1_VERSION > TLS1_1_VERSION, however we do need to check for DTLS1_BAD_VER for compatibility. PR:2984 (cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc) --- ssl/s3_cbc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index 02edf3f..443a31e 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s, unsigned padding_length, good, to_check, i; const unsigned overhead = 1 /* padding length byte */ + mac_size; /* Check if version requires explicit IV */ - if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION) + if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER) { /* These lengths are all public so we can test them in * non-constant time. -- 1.7.9.5