1 From 08f8933fa34d242383a1e12d4701acb1855686bf Mon Sep 17 00:00:00 2001
2 From: Nick Alcock <nix@esperi.org.uk>
3 Date: Fri, 15 Feb 2013 17:44:11 +0000
4 Subject: [PATCH] Fix POD errors to stop make install_docs dying with pod2man
5 2.5.0+
6
7 podlators 2.5.0 has switched to dying on POD syntax errors. This means
8 that a bunch of long-standing erroneous POD in the openssl documentation
9 now leads to fatal errors from pod2man, halting installation.
10
11 Unfortunately POD constraints mean that you have to sort numeric lists
12 in ascending order if they start with 1: you cannot do 1, 0, 2 even if
13 you want 1 to appear first. I've reshuffled such (alas, I wish there
14 were a better way but I don't know of one).
15 (cherry picked from commit 5cc270774258149235f69e1789b3370f57b0e27b)
16 ---
17 doc/crypto/X509_STORE_CTX_get_error.pod | 2 ++
18 doc/ssl/SSL_CTX_set_client_CA_list.pod | 8 ++++----
19 doc/ssl/SSL_CTX_use_psk_identity_hint.pod | 4 ++++
20 doc/ssl/SSL_accept.pod | 10 +++++-----
21 doc/ssl/SSL_connect.pod | 10 +++++-----
22 doc/ssl/SSL_do_handshake.pod | 10 +++++-----
23 doc/ssl/SSL_shutdown.pod | 10 +++++-----
24 7 files changed, 30 insertions(+), 24 deletions(-)
25
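--- a/doc/crypto/X509_STORE_CTX_get_error.pod
+++ b/doc/crypto/X509_STORE_CTX_get_error.pod
@@ -278,6 +278,8 @@ happen if extended CRL checking is enabled.
 an application specific error. This will never be returned unless explicitly
 set by an application.
 
+=back
+
 =head1 NOTES
 
 The above functions should be used instead of directly referencing the fields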
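--- a/doc/ssl/SSL_CTX_set_client_CA_list.pod
+++ b/doc/ssl/SSL_CTX_set_client_CA_list.pod
@@ -66,16 +66,16 @@ values:
 
 =over 4
 
-=item 1
-
-The operation succeeded.
-
 =item 0
 
 A failure while manipulating the STACK_OF(X509_NAME) object occurred or
 the X509_NAME could not be extracted from B<cacert>. Check the error stack
 to find out the reason.
 
+=item 1
+
+The operation succeeded.
+
 =back
 
 =head1 EXAMPLES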
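--- a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
+++ b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
@@ -81,6 +81,8 @@ SSL_CTX_use_psk_identity_hint() and SSL_use_psk_identity_hint() return
 
 Return values from the server callback are interpreted as follows:
 
+=over 4
+
 =item > 0
 
 PSK identity was found and the server callback has provided the PSK
@@ -99,4 +101,6 @@ completely.
 PSK identity was not found. An "unknown_psk_identity" alert message
 will be sent and the connection setup fails.
 
+=back
+
 =cut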
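--- a/doc/ssl/SSL_accept.pod
+++ b/doc/ssl/SSL_accept.pod
@@ -44,17 +44,17 @@ The following return values can occur:
 
 =over 4
 
-=item 1
-
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
-established.
-
 =item 0
 
 The TLS/SSL handshake was not successful but was shut down controlled and
 by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
 return value B<ret> to find out the reason.
 
+=item 1
+
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
+established.
+
 =item E<lt>0
 
 The TLS/SSL handshake was not successful because a fatal error occurred either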
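--- a/doc/ssl/SSL_connect.pod
+++ b/doc/ssl/SSL_connect.pod
@@ -41,17 +41,17 @@ The following return values can occur:
 
 =over 4
 
-=item 1
-
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
-established.
-
 =item 0
 
 The TLS/SSL handshake was not successful but was shut down controlled and
 by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
 return value B<ret> to find out the reason.
 
+=item 1
+
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
+established.
+
 =item E<lt>0
 
 The TLS/SSL handshake was not successful, because a fatal error occurred either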
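--- a/doc/ssl/SSL_do_handshake.pod
+++ b/doc/ssl/SSL_do_handshake.pod
@@ -45,17 +45,17 @@ The following return values can occur:
 
 =over 4
 
-=item 1
-
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
-established.
-
 =item 0
 
 The TLS/SSL handshake was not successful but was shut down controlled and
 by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
 return value B<ret> to find out the reason.
 
+=item 1
+
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
+established.
+
 =item E<lt>0
 
 The TLS/SSL handshake was not successful because a fatal error occurred either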
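--- a/doc/ssl/SSL_shutdown.pod
+++ b/doc/ssl/SSL_shutdown.pod
@@ -92,11 +92,6 @@ The following return values can occur:
 
 =over 4
 
-=item 1
-
-The shutdown was successfully completed. The "close notify" alert was sent
-and the peer's "close notify" alert was received.
-
 =item 0
 
 The shutdown is not yet finished. Call SSL_shutdown() for a second time,
@@ -104,6 +99,11 @@ if a bidirectional shutdown shall be performed.
 The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an
 erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
 
+=item 1
+
+The shutdown was successfully completed. The "close notify" alert was sent
+and the peer's "close notify" alert was received.
+
 =item -1
 
 The shutdown was not successful because a fatal error occurred either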
193 --
194 1.7.9.5
195
196 From 147dbb2fe3bead7a10e2f280261b661ce7af7adc Mon Sep 17 00:00:00 2001
197 From: "Dr. Stephen Henson" <steve@openssl.org>
198 Date: Mon, 11 Feb 2013 18:24:03 +0000
199 Subject: [PATCH] Fix for SSL_get_certificate
200
201 Now we set the current certificate to the one used by a server
202 there is no need to call ssl_get_server_send_cert which will
203 fail if we haven't sent a certificate yet.
204 ---
205 ssl/ssl_lib.c | 4 +---
206 1 file changed, 1 insertion(+), 3 deletions(-)
207
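--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s)
 /* Fix this function so that it takes an optional type parameter */
 X509 *SSL_get_certificate(const SSL *s)
 {
- if (s->server)
- return(ssl_get_server_send_cert(s));
- else if (s->cert != NULL)
+ if (s->cert != NULL)
 return(s->cert->key->x509);
 else
 return(NULL);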
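Review bot: With the `s->server` branch removed, `SSL_get_certificate` returns whatever `s->cert->key` currently points at, and nothing in this hunk shows where that pointer is moved to the certificate the server actually selected. The commit message relies on that companion change, so the backport set should be checked to confirm it is included; otherwise a server configured with more than one certificate type would presumably hand the default slot's certificate to callers that log or pin it. `s->cert->key` is also dereferenced without a NULL test, which is only safe if the CERT constructor always initialises it. I would add next to the existing TODO comment `/* Returns the certificate in the current key slot (s->cert->key); on a server this is expected to be the one chosen for the handshake. */`. The function's closing brace lies outside the hunk.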
223 --
224 1.7.9.5
225
226 From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001
227 From: David Woodhouse <dwmw2@infradead.org>
228 Date: Tue, 12 Feb 2013 14:55:32 +0000
229 Subject: [PATCH] Check DTLS_BAD_VER for version number.
230
231 The version check for DTLS1_VERSION was redundant as
232 DTLS1_VERSION > TLS1_1_VERSION, however we do need to
233 check for DTLS1_BAD_VER for compatibility.
234
235 PR:2984
236 (cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)
237 ---
238 ssl/s3_cbc.c | 2 +-
239 1 file changed, 1 insertion(+), 1 deletion(-)
240
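--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
 unsigned padding_length, good, to_check, i;
 const unsigned overhead = 1 /* padding length byte */ + mac_size;
 /* Check if version requires explicit IV */
- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
+ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
 {
 /* These lengths are all public so we can test them in
 * non-constant time.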
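Review bot: The test under `/* Check if version requires explicit IV */` now covers DTLS 1.0 only through the numeric ordering of the version constants, and the code does not say so. A short comment would stop a later edit from re-adding or dropping a case: `/* DTLS1_VERSION compares greater than TLS1_1_VERSION, so >= covers it; DTLS1_BAD_VER does not and needs its own test */`. This branch appears to decide how many bytes are skipped before the constant-time padding check, so any other explicit-IV version test in the record layer should be confirmed to treat `DTLS1_BAD_VER` the same way; that cannot be seen from this hunk. The body of `tls1_cbc_remove_padding` starts before and continues after the hunk.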
254 --
255 1.7.9.5
256