[people/ms/ipfire-3.x.git] / openssl / patches / openssl-1.0.1e-backports.patch

From 08f8933fa34d242383a1e12d4701acb1855686bf Mon Sep 17 00:00:00 2001
From: Nick Alcock <nix@esperi.org.uk>
Date: Fri, 15 Feb 2013 17:44:11 +0000
Subject: [PATCH] Fix POD errors to stop make install_docs dying with pod2man
 2.5.0+

podlators 2.5.0 has switched to dying on POD syntax errors. This means
that a bunch of long-standing erroneous POD in the openssl documentation
now leads to fatal errors from pod2man, halting installation.

Unfortunately POD constraints mean that you have to sort numeric lists
in ascending order if they start with 1: you cannot do 1, 0, 2 even if
you want 1 to appear first. I've reshuffled such (alas, I wish there
were a better way but I don't know of one).
(cherry picked from commit 5cc270774258149235f69e1789b3370f57b0e27b)
---
 doc/crypto/X509_STORE_CTX_get_error.pod   |    2 ++
 doc/ssl/SSL_CTX_set_client_CA_list.pod    |    8 ++++----
 doc/ssl/SSL_CTX_use_psk_identity_hint.pod |    4 ++++
 doc/ssl/SSL_accept.pod                    |   10 +++++-----
 doc/ssl/SSL_connect.pod                   |   10 +++++-----
 doc/ssl/SSL_do_handshake.pod              |   10 +++++-----
 doc/ssl/SSL_shutdown.pod                  |   10 +++++-----
 7 files changed, 30 insertions(+), 24 deletions(-)

diff --git a/doc/crypto/X509_STORE_CTX_get_error.pod b/doc/crypto/X509_STORE_CTX_get_error.pod
index a883f6c..60e8332 100644
--- a/doc/crypto/X509_STORE_CTX_get_error.pod
+++ b/doc/crypto/X509_STORE_CTX_get_error.pod
@@ -278,6 +278,8 @@ happen if extended CRL checking is enabled.
 an application specific error. This will never be returned unless explicitly
 set by an application.
 
+=back
+
 =head1 NOTES
 
 The above functions should be used instead of directly referencing the fields
diff --git a/doc/ssl/SSL_CTX_set_client_CA_list.pod b/doc/ssl/SSL_CTX_set_client_CA_list.pod
index 632b556..5e66133 100644
--- a/doc/ssl/SSL_CTX_set_client_CA_list.pod
+++ b/doc/ssl/SSL_CTX_set_client_CA_list.pod
@@ -66,16 +66,16 @@ values:
 
 =over 4
 
-=item 1
-
-The operation succeeded.
-
 =item 0
 
 A failure while manipulating the STACK_OF(X509_NAME) object occurred or
 the X509_NAME could not be extracted from B<cacert>. Check the error stack
 to find out the reason.
 
+=item 1
+
+The operation succeeded.
+
 =back
 
 =head1 EXAMPLES
diff --git a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
index b80e25b..7e60df5 100644
--- a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
+++ b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
@@ -81,6 +81,8 @@ SSL_CTX_use_psk_identity_hint() and SSL_use_psk_identity_hint() return
 
 Return values from the server callback are interpreted as follows:
 
+=over 4
+
 =item > 0
 
 PSK identity was found and the server callback has provided the PSK
@@ -99,4 +101,6 @@ completely.
 PSK identity was not found. An "unknown_psk_identity" alert message
 will be sent and the connection setup fails.
 
+=back
+
 =cut
diff --git a/doc/ssl/SSL_accept.pod b/doc/ssl/SSL_accept.pod
index cc724c0..b1c34d1 100644
--- a/doc/ssl/SSL_accept.pod
+++ b/doc/ssl/SSL_accept.pod
@@ -44,17 +44,17 @@ The following return values can occur:
 
 =over 4
 
-=item 1
-
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
-established.
-
 =item 0
 
 The TLS/SSL handshake was not successful but was shut down controlled and
 by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
 return value B<ret> to find out the reason.
 
+=item 1
+
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
+established.
+
 =item E<lt>0
 
 The TLS/SSL handshake was not successful because a fatal error occurred either
diff --git a/doc/ssl/SSL_connect.pod b/doc/ssl/SSL_connect.pod
index cc56ebb..946ca89 100644
--- a/doc/ssl/SSL_connect.pod
+++ b/doc/ssl/SSL_connect.pod
@@ -41,17 +41,17 @@ The following return values can occur:
 
 =over 4
 
-=item 1
-
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
-established.
-
 =item 0
 
 The TLS/SSL handshake was not successful but was shut down controlled and
 by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
 return value B<ret> to find out the reason.
 
+=item 1
+
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
+established.
+
 =item E<lt>0
 
 The TLS/SSL handshake was not successful, because a fatal error occurred either
diff --git a/doc/ssl/SSL_do_handshake.pod b/doc/ssl/SSL_do_handshake.pod
index 2435764..7f8cf24 100644
--- a/doc/ssl/SSL_do_handshake.pod
+++ b/doc/ssl/SSL_do_handshake.pod
@@ -45,17 +45,17 @@ The following return values can occur:
 
 =over 4
 
-=item 1
-
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
-established.
-
 =item 0
 
 The TLS/SSL handshake was not successful but was shut down controlled and
 by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
 return value B<ret> to find out the reason.
 
+=item 1
+
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
+established.
+
 =item E<lt>0
 
 The TLS/SSL handshake was not successful because a fatal error occurred either
diff --git a/doc/ssl/SSL_shutdown.pod b/doc/ssl/SSL_shutdown.pod
index 89911ac..42a89b7 100644
--- a/doc/ssl/SSL_shutdown.pod
+++ b/doc/ssl/SSL_shutdown.pod
@@ -92,11 +92,6 @@ The following return values can occur:
 
 =over 4
 
-=item 1
-
-The shutdown was successfully completed. The "close notify" alert was sent
-and the peer's "close notify" alert was received.
-
 =item 0
 
 The shutdown is not yet finished. Call SSL_shutdown() for a second time,
@@ -104,6 +99,11 @@ if a bidirectional shutdown shall be performed.
 The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an
 erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
 
+=item 1
+
+The shutdown was successfully completed. The "close notify" alert was sent
+and the peer's "close notify" alert was received.
+
 =item -1
 
 The shutdown was not successful because a fatal error occurred either
-- 
1.7.9.5

From 147dbb2fe3bead7a10e2f280261b661ce7af7adc Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Mon, 11 Feb 2013 18:24:03 +0000
Subject: [PATCH] Fix for SSL_get_certificate

Now we set the current certificate to the one used by a server
there is no need to call ssl_get_server_send_cert which will
fail if we haven't sent a certificate yet.
---
 ssl/ssl_lib.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 14d143d..ff5a85a 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s)
 /* Fix this function so that it takes an optional type parameter */
 X509 *SSL_get_certificate(const SSL *s)
 	{
-	if (s->server)
-		return(ssl_get_server_send_cert(s));
-	else if (s->cert != NULL)
+	if (s->cert != NULL)
 		return(s->cert->key->x509);
 	else
 		return(NULL);
-- 
1.7.9.5

From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001
From: David Woodhouse <dwmw2@infradead.org>
Date: Tue, 12 Feb 2013 14:55:32 +0000
Subject: [PATCH] Check DTLS_BAD_VER for version number.

The version check for DTLS1_VERSION was redundant as
DTLS1_VERSION > TLS1_1_VERSION, however we do need to
check for DTLS1_BAD_VER for compatibility.

PR:2984
(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)
---
 ssl/s3_cbc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index 02edf3f..443a31e 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
 	unsigned padding_length, good, to_check, i;
 	const unsigned overhead = 1 /* padding length byte */ + mac_size;
 	/* Check if version requires explicit IV */
-	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
+	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
 		{
 		/* These lengths are all public so we can test them in
 		 * non-constant time.
-- 
1.7.9.5
Commit	Line	Data
37d333a7 MT	1	From 08f8933fa34d242383a1e12d4701acb1855686bf Mon Sep 17 00:00:00 2001
	2	From: Nick Alcock <nix@esperi.org.uk>
	3	Date: Fri, 15 Feb 2013 17:44:11 +0000
	4	Subject: [PATCH] Fix POD errors to stop make install_docs dying with pod2man
	5	2.5.0+
	6
	7	podlators 2.5.0 has switched to dying on POD syntax errors. This means
	8	that a bunch of long-standing erroneous POD in the openssl documentation
	9	now leads to fatal errors from pod2man, halting installation.
	10
	11	Unfortunately POD constraints mean that you have to sort numeric lists
	12	in ascending order if they start with 1: you cannot do 1, 0, 2 even if
	13	you want 1 to appear first. I've reshuffled such (alas, I wish there
	14	were a better way but I don't know of one).
	15	(cherry picked from commit 5cc270774258149235f69e1789b3370f57b0e27b)
	16	---
	17	doc/crypto/X509_STORE_CTX_get_error.pod \| 2 ++
	18	doc/ssl/SSL_CTX_set_client_CA_list.pod \| 8 ++++----
	19	doc/ssl/SSL_CTX_use_psk_identity_hint.pod \| 4 ++++
	20	doc/ssl/SSL_accept.pod \| 10 +++++-----
	21	doc/ssl/SSL_connect.pod \| 10 +++++-----
	22	doc/ssl/SSL_do_handshake.pod \| 10 +++++-----
	23	doc/ssl/SSL_shutdown.pod \| 10 +++++-----
	24	7 files changed, 30 insertions(+), 24 deletions(-)
	25
	26	diff --git a/doc/crypto/X509_STORE_CTX_get_error.pod b/doc/crypto/X509_STORE_CTX_get_error.pod
	27	index a883f6c..60e8332 100644
	28	--- a/doc/crypto/X509_STORE_CTX_get_error.pod
	29	+++ b/doc/crypto/X509_STORE_CTX_get_error.pod
	30	@@ -278,6 +278,8 @@ happen if extended CRL checking is enabled.
	31	an application specific error. This will never be returned unless explicitly
	32	set by an application.
	33
	34	+=back
	35	+
	36	=head1 NOTES
	37
	38	The above functions should be used instead of directly referencing the fields
	39	diff --git a/doc/ssl/SSL_CTX_set_client_CA_list.pod b/doc/ssl/SSL_CTX_set_client_CA_list.pod
	40	index 632b556..5e66133 100644
	41	--- a/doc/ssl/SSL_CTX_set_client_CA_list.pod
	42	+++ b/doc/ssl/SSL_CTX_set_client_CA_list.pod
	43	@@ -66,16 +66,16 @@ values:
	44
	45	=over 4
	46
	47	-=item 1
	48	-
	49	-The operation succeeded.
	50	-
	51	=item 0
	52
	53	A failure while manipulating the STACK_OF(X509_NAME) object occurred or
	54	the X509_NAME could not be extracted from B<cacert>. Check the error stack
	55	to find out the reason.
	56
	57	+=item 1
	58	+
	59	+The operation succeeded.
	60	+
	61	=back
	62
	63	=head1 EXAMPLES
	64	diff --git a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
65	index b80e25b..7e60df5 100644
66	--- a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
67	+++ b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
68	@@ -81,6 +81,8 @@ SSL_CTX_use_psk_identity_hint() and SSL_use_psk_identity_hint() return
69
70	Return values from the server callback are interpreted as follows:
71
72	+=over 4
73	+
74	=item > 0
75
76	PSK identity was found and the server callback has provided the PSK
77	@@ -99,4 +101,6 @@ completely.
78	PSK identity was not found. An "unknown_psk_identity" alert message
79	will be sent and the connection setup fails.
80
81	+=back
82	+
83	=cut
84	diff --git a/doc/ssl/SSL_accept.pod b/doc/ssl/SSL_accept.pod
85	index cc724c0..b1c34d1 100644
86	--- a/doc/ssl/SSL_accept.pod
87	+++ b/doc/ssl/SSL_accept.pod
88	@@ -44,17 +44,17 @@ The following return values can occur:
89
90	=over 4
91
92	-=item 1
93	-
94	-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
95	-established.
96	-
97	=item 0
98
99	The TLS/SSL handshake was not successful but was shut down controlled and
100	by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
101	return value B<ret> to find out the reason.
102
103	+=item 1
104	+
105	+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
106	+established.
107	+
108	=item E<lt>0
109
110	The TLS/SSL handshake was not successful because a fatal error occurred either
111	diff --git a/doc/ssl/SSL_connect.pod b/doc/ssl/SSL_connect.pod
112	index cc56ebb..946ca89 100644
113	--- a/doc/ssl/SSL_connect.pod
114	+++ b/doc/ssl/SSL_connect.pod
115	@@ -41,17 +41,17 @@ The following return values can occur:
116
117	=over 4
118
119	-=item 1
120	-
121	-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
122	-established.
123	-
124	=item 0
125
126	The TLS/SSL handshake was not successful but was shut down controlled and
127	by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
128	return value B<ret> to find out the reason.
129
130	+=item 1
131	+
132	+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
133	+established.
134	+
135	=item E<lt>0
136
137	The TLS/SSL handshake was not successful, because a fatal error occurred either
138	diff --git a/doc/ssl/SSL_do_handshake.pod b/doc/ssl/SSL_do_handshake.pod
139	index 2435764..7f8cf24 100644
140	--- a/doc/ssl/SSL_do_handshake.pod
141	+++ b/doc/ssl/SSL_do_handshake.pod
142	@@ -45,17 +45,17 @@ The following return values can occur:
143
144	=over 4
145
146	-=item 1
147	-
148	-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
149	-established.
150	-
151	=item 0
152
153	The TLS/SSL handshake was not successful but was shut down controlled and
154	by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
155	return value B<ret> to find out the reason.
156
157	+=item 1
158	+
159	+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
160	+established.
161	+
162	=item E<lt>0
163
164	The TLS/SSL handshake was not successful because a fatal error occurred either
165	diff --git a/doc/ssl/SSL_shutdown.pod b/doc/ssl/SSL_shutdown.pod
166	index 89911ac..42a89b7 100644
167	--- a/doc/ssl/SSL_shutdown.pod
168	+++ b/doc/ssl/SSL_shutdown.pod
169	@@ -92,11 +92,6 @@ The following return values can occur:
170
171	=over 4
172
173	-=item 1
174	-
175	-The shutdown was successfully completed. The "close notify" alert was sent
176	-and the peer's "close notify" alert was received.
177	-
178	=item 0
179
180	The shutdown is not yet finished. Call SSL_shutdown() for a second time,
181	@@ -104,6 +99,11 @@ if a bidirectional shutdown shall be performed.
182	The output of L<SSL_get_error(3)\|SSL_get_error(3)> may be misleading, as an
183	erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
184
185	+=item 1
186	+
187	+The shutdown was successfully completed. The "close notify" alert was sent
188	+and the peer's "close notify" alert was received.
189	+
190	=item -1
191
192	The shutdown was not successful because a fatal error occurred either
193	--
194	1.7.9.5
195
196	From 147dbb2fe3bead7a10e2f280261b661ce7af7adc Mon Sep 17 00:00:00 2001
197	From: "Dr. Stephen Henson" <steve@openssl.org>
198	Date: Mon, 11 Feb 2013 18:24:03 +0000
199	Subject: [PATCH] Fix for SSL_get_certificate
200
201	Now we set the current certificate to the one used by a server
202	there is no need to call ssl_get_server_send_cert which will
203	fail if we haven't sent a certificate yet.
204	---
205	ssl/ssl_lib.c \| 4 +---
206	1 file changed, 1 insertion(+), 3 deletions(-)
207
208	diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
209	index 14d143d..ff5a85a 100644
210	--- a/ssl/ssl_lib.c
211	+++ b/ssl/ssl_lib.c
212	@@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s)
213	/* Fix this function so that it takes an optional type parameter */
214	X509 SSL_get_certificate(const SSL s)
215	{
216	- if (s->server)
217	- return(ssl_get_server_send_cert(s));
218	- else if (s->cert != NULL)
219	+ if (s->cert != NULL)
220	return(s->cert->key->x509);
221	else
222	return(NULL);
223	--
224	1.7.9.5
225
226	From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001
227	From: David Woodhouse <dwmw2@infradead.org>
228	Date: Tue, 12 Feb 2013 14:55:32 +0000
229	Subject: [PATCH] Check DTLS_BAD_VER for version number.
230
231	The version check for DTLS1_VERSION was redundant as
232	DTLS1_VERSION > TLS1_1_VERSION, however we do need to
233	check for DTLS1_BAD_VER for compatibility.
234
235	PR:2984
236	(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)
237	---
238	ssl/s3_cbc.c \| 2 +-
239	1 file changed, 1 insertion(+), 1 deletion(-)
240
241	diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
242	index 02edf3f..443a31e 100644
243	--- a/ssl/s3_cbc.c
244	+++ b/ssl/s3_cbc.c
245	@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
246	unsigned padding_length, good, to_check, i;
247	const unsigned overhead = 1 /* padding length byte */ + mac_size;
248	/* Check if version requires explicit IV */
249	- if (s->version >= TLS1_1_VERSION \|\| s->version == DTLS1_VERSION)
250	+ if (s->version >= TLS1_1_VERSION \|\| s->version == DTLS1_BAD_VER)
251	{
252	/* These lengths are all public so we can test them in
253	* non-constant time.
254	--
255	1.7.9.5
256