From 08f8933fa34d242383a1e12d4701acb1855686bf Mon Sep 17 00:00:00 2001
From: Nick Alcock <nix@esperi.org.uk>
Date: Fri, 15 Feb 2013 17:44:11 +0000
Subject: [PATCH] Fix POD errors to stop make install_docs dying with pod2man

podlators 2.5.0 has switched to dying on POD syntax errors. This means
that a bunch of long-standing erroneous POD in the openssl documentation
now leads to fatal errors from pod2man, halting installation.

Unfortunately POD constraints mean that you have to sort numeric lists
in ascending order if they start with 1: you cannot do 1, 0, 2 even if
you want 1 to appear first. I've reshuffled such (alas, I wish there
were a better way but I don't know of one).
(cherry picked from commit 5cc270774258149235f69e1789b3370f57b0e27b)

doc/crypto/X509_STORE_CTX_get_error.pod | 2 ++
doc/ssl/SSL_CTX_set_client_CA_list.pod | 8 ++++----
doc/ssl/SSL_CTX_use_psk_identity_hint.pod | 4 ++++
doc/ssl/SSL_accept.pod | 10 +++++-----
doc/ssl/SSL_connect.pod | 10 +++++-----
doc/ssl/SSL_do_handshake.pod | 10 +++++-----
doc/ssl/SSL_shutdown.pod | 10 +++++-----
7 files changed, 30 insertions(+), 24 deletions(-)
26 diff --git a/doc/crypto/X509_STORE_CTX_get_error.pod b/doc/crypto/X509_STORE_CTX_get_error.pod
27 index a883f6c..60e8332 100644
28 --- a/doc/crypto/X509_STORE_CTX_get_error.pod
29 +++ b/doc/crypto/X509_STORE_CTX_get_error.pod
30 @@ -278,6 +278,8 @@ happen if extended CRL checking is enabled.
31 an application specific error. This will never be returned unless explicitly
32 set by an application.
38 The above functions should be used instead of directly referencing the fields
39 diff --git a/doc/ssl/SSL_CTX_set_client_CA_list.pod b/doc/ssl/SSL_CTX_set_client_CA_list.pod
40 index 632b556..5e66133 100644
41 --- a/doc/ssl/SSL_CTX_set_client_CA_list.pod
42 +++ b/doc/ssl/SSL_CTX_set_client_CA_list.pod
43 @@ -66,16 +66,16 @@ values:
49 -The operation succeeded.
53 A failure while manipulating the STACK_OF(X509_NAME) object occurred or
54 the X509_NAME could not be extracted from B<cacert>. Check the error stack
55 to find out the reason.
59 +The operation succeeded.
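Review bot: Moving "The operation succeeded." below the failure description changes the order in which the return values are documented purely to satisfy pod2man's numbered-list rule described in the commit message. One option that keeps the original order is to make the item labels non-numeric to the POD parser, for example `=item Z<>1`, so they are treated as text items rather than a numbered list. The same point applies to the identical reshuffles in SSL_accept.pod, SSL_connect.pod, SSL_do_handshake.pod and SSL_shutdown.pod.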
64 diff --git a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
65 index b80e25b..7e60df5 100644
66 --- a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
67 +++ b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
68 @@ -81,6 +81,8 @@ SSL_CTX_use_psk_identity_hint() and SSL_use_psk_identity_hint() return
70 Return values from the server callback are interpreted as follows:
76 PSK identity was found and the server callback has provided the PSK
77 @@ -99,4 +101,6 @@ completely.
78 PSK identity was not found. An "unknown_psk_identity" alert message
79 will be sent and the connection setup fails.
84 diff --git a/doc/ssl/SSL_accept.pod b/doc/ssl/SSL_accept.pod
85 index cc724c0..b1c34d1 100644
86 --- a/doc/ssl/SSL_accept.pod
87 +++ b/doc/ssl/SSL_accept.pod
88 @@ -44,17 +44,17 @@ The following return values can occur:
94 -The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
99 The TLS/SSL handshake was not successful but was shut down controlled and
100 by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
101 return value B<ret> to find out the reason.
105 +The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
110 The TLS/SSL handshake was not successful because a fatal error occurred either
111 diff --git a/doc/ssl/SSL_connect.pod b/doc/ssl/SSL_connect.pod
112 index cc56ebb..946ca89 100644
113 --- a/doc/ssl/SSL_connect.pod
114 +++ b/doc/ssl/SSL_connect.pod
115 @@ -41,17 +41,17 @@ The following return values can occur:
121 -The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
126 The TLS/SSL handshake was not successful but was shut down controlled and
127 by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
128 return value B<ret> to find out the reason.
132 +The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
137 The TLS/SSL handshake was not successful, because a fatal error occurred either
138 diff --git a/doc/ssl/SSL_do_handshake.pod b/doc/ssl/SSL_do_handshake.pod
139 index 2435764..7f8cf24 100644
140 --- a/doc/ssl/SSL_do_handshake.pod
141 +++ b/doc/ssl/SSL_do_handshake.pod
142 @@ -45,17 +45,17 @@ The following return values can occur:
148 -The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
153 The TLS/SSL handshake was not successful but was shut down controlled and
154 by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
155 return value B<ret> to find out the reason.
159 +The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
164 The TLS/SSL handshake was not successful because a fatal error occurred either
165 diff --git a/doc/ssl/SSL_shutdown.pod b/doc/ssl/SSL_shutdown.pod
166 index 89911ac..42a89b7 100644
167 --- a/doc/ssl/SSL_shutdown.pod
168 +++ b/doc/ssl/SSL_shutdown.pod
169 @@ -92,11 +92,6 @@ The following return values can occur:
175 -The shutdown was successfully completed. The "close notify" alert was sent
176 -and the peer's "close notify" alert was received.
180 The shutdown is not yet finished. Call SSL_shutdown() for a second time,
181 @@ -104,6 +99,11 @@ if a bidirectional shutdown shall be performed.
182 The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an
183 erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
187 +The shutdown was successfully completed. The "close notify" alert was sent
188 +and the peer's "close notify" alert was received.
192 The shutdown was not successful because a fatal error occurred either
From 147dbb2fe3bead7a10e2f280261b661ce7af7adc Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Mon, 11 Feb 2013 18:24:03 +0000
Subject: [PATCH] Fix for SSL_get_certificate

Now we set the current certificate to the one used by a server
there is no need to call ssl_get_server_send_cert which will
fail if we haven't sent a certificate yet.

ssl/ssl_lib.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
208 diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
209 index 14d143d..ff5a85a 100644
212 @@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s)
213 /* Fix this function so that it takes an optional type parameter */
214 X509 *SSL_get_certificate(const SSL *s)
217 - return(ssl_get_server_send_cert(s));
218 - else if (s->cert != NULL)
219 + if (s->cert != NULL)
220 return(s->cert->key->x509);
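Review bot: The retained `return(s->cert->key->x509);` now serves the server case as well, but the change the commit message relies on ("Now we set the current certificate to the one used by a server") is not part of this patch; the diffstat lists only ssl/ssl_lib.c with 1 insertion. Name that prerequisite commit in the message so that a backport of this patch on its own is not mistaken for a complete fix, since without it SSL_get_certificate() may return a certificate other than the one the server sent. The comment "Fix this function so that it takes an optional type parameter" is also left untouched; either act on it or say in the message that it is out of scope.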
From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001
From: David Woodhouse <dwmw2@infradead.org>
Date: Tue, 12 Feb 2013 14:55:32 +0000
Subject: [PATCH] Check DTLS_BAD_VER for version number.

The version check for DTLS1_VERSION was redundant as
DTLS1_VERSION > TLS1_1_VERSION, however we do need to
check for DTLS1_BAD_VER for compatibility.

(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)

1 file changed, 1 insertion(+), 1 deletion(-)
241 diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
242 index 02edf3f..443a31e 100644
245 @@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
246 unsigned padding_length, good, to_check, i;
247 const unsigned overhead = 1 /* padding length byte */ + mac_size;
248 /* Check if version requires explicit IV */
249 - if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
250 + if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
252 /* These lengths are all public so we can test them in
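Review bot: The new condition `s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER` only covers DTLS1_VERSION because of the numeric ordering of the version constants, which is stated in the commit message but nowhere in the code. Extend the "Check if version requires explicit IV" comment to say that DTLS1_VERSION is caught by the `>=` comparison and that DTLS1_BAD_VER needs its own test, so a later change to the comparison does not drop DTLS from the explicit-IV path in tls1_cbc_remove_padding(), where the overhead and padding checks depend on it. A test record for each of the three version values would make this regression visible.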