spelling fixes; from paul tagliamonte

ok tb

10 files changed, 32 insertions, 23 deletions

diff --git a/lib/libssl/d1_both.c b/lib/libssl/d1_both.c
index e94761e5d3e..b5c68a1735f 100644
--- a/lib/libssl/d1_both.c
+++ b/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.83 2022/11/26 16:08:55 tb Exp $ */
+/* $OpenBSD: d1_both.c,v 1.84 2022/12/26 07:31:44 jmc Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -806,7 +806,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
 			s->init_num = 0;
 			goto again;
 		}
-		else /* Incorrectly formated Hello request */
+		else /* Incorrectly formatted Hello request */
 		{
 			al = SSL_AD_UNEXPECTED_MESSAGE;
 			SSLerror(s, SSL_R_UNEXPECTED_MESSAGE);
@@ -817,7 +817,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
 	if ((al = dtls1_preprocess_fragment(s, &msg_hdr, max)))
 		goto fatal_err;
 
-	/* XDTLS:  ressurect this when restart is in place */
+	/* XDTLS:  resurrect this when restart is in place */
 	s->s3->hs.state = stn;
 
 	if (frag_len > 0) {
@@ -942,7 +942,7 @@ dtls1_buffer_message(SSL *s, int is_ccs)
 	hm_fragment *frag;
 	unsigned char seq64be[8];
 
-	/* Buffer the messsage in order to handle DTLS retransmissions. */
+	/* Buffer the message in order to handle DTLS retransmissions. */
 
 	/*
 	 * This function is called immediately after a message has
diff --git a/lib/libssl/doc/openssl.cnf b/lib/libssl/doc/openssl.cnf
index ed4bde52e8a..db95bb5c189 100644
--- a/lib/libssl/doc/openssl.cnf
+++ b/lib/libssl/doc/openssl.cnf
@@ -43,7 +43,7 @@ certs		= $dir/certs		# Where the issued certs are kept
 crl_dir		= $dir/crl		# Where the issued crl are kept
 database	= $dir/index.txt	# database index file.
 #unique_subject	= no			# Set to 'no' to allow creation of
-					# several ctificates with same subject.
+					# several certificates with same subject.
 new_certs_dir	= $dir/newcerts		# default place for new certs.
 
 certificate	= $dir/cacert.pem 	# The CA certificate
@@ -53,7 +53,7 @@ crlnumber	= $dir/crlnumber	# the current crl number
 crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem# The private key
 
-x509_extensions	= usr_cert		# The extentions to add to the cert
+x509_extensions	= usr_cert		# The extensions to add to the cert
 
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
@@ -105,7 +105,7 @@ default_bits		= 1024
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
-x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
 
 # Passwords for private keys if not present they will be prompted for
 # input_password = secret
diff --git a/lib/libssl/doc/standards.txt b/lib/libssl/doc/standards.txt
index 7bada8d35f2..6b3c5c50389 100644
--- a/lib/libssl/doc/standards.txt
+++ b/lib/libssl/doc/standards.txt
@@ -280,6 +280,6 @@ STARTTLS documents.
 To be implemented:
 ------------------
 
-These are documents that describe things that are planed to be
+These are documents that describe things that are planned to be
 implemented in the hopefully short future.
 
diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h
index 4a89bfd868c..acde94c7493 100644
--- a/lib/libssl/ssl.h
+++ b/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.229 2022/09/11 17:39:46 tb Exp $ */
+/* $OpenBSD: ssl.h,v 1.230 2022/12/26 07:31:44 jmc Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2348,7 +2348,7 @@ void ERR_load_SSL_strings(void);
  */
 
 /*
- * These are provided for compatibiliy, but have no effect
+ * These are provided for compatibility, but have no effect
  * on how LibreSSL is initialized.
  */
 #define OPENSSL_INIT_LOAD_SSL_STRINGS	_OPENSSL_INIT_FLAG_NOOP
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index 64085b953fa..c721aede4ec 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.157 2022/11/26 16:08:55 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.158 2022/12/26 07:31:44 jmc Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1633,7 +1633,7 @@ ssl3_get_new_session_ticket(SSL *s)
 	}
 
 	/*
-	 * There are two ways to detect a resumed ticket sesion.
+	 * There are two ways to detect a resumed ticket session.
 	 * One is to set an appropriate session ID and then the server
 	 * must return a match in ServerHello. This allows the normal
 	 * client session ID matching to work and we know much
@@ -1941,7 +1941,7 @@ ssl3_send_client_kex_gost(SSL *s, CBB *cbb)
 	int nid;
 	int ret = 0;
 
-	/* Get server sertificate PKEY and create ctx from it */
+	/* Get server certificate PKEY and create ctx from it */
 	pkey = X509_get0_pubkey(s->session->peer_cert);
 	if (pkey == NULL || s->session->peer_cert_type != SSL_PKEY_GOST01) {
 		SSLerror(s, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
diff --git a/lib/libssl/ssl_local.h b/lib/libssl/ssl_local.h
index 1e38d3939e8..d510f80d8c8 100644
--- a/lib/libssl/ssl_local.h
+++ b/lib/libssl/ssl_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_local.h,v 1.2 2022/11/26 17:23:18 tb Exp $ */
+/* $OpenBSD: ssl_local.h,v 1.3 2022/12/26 07:31:44 jmc Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1087,7 +1087,7 @@ struct ssl_st {
 	STACK_OF(X509_NAME) *client_CA;
 
 	/* set this flag to 1 and a sleep(1) is put into all SSL_read()
-	 * and SSL_write() calls, good for nbio debuging :-) */
+	 * and SSL_write() calls, good for nbio debugging :-) */
 	int debug;
 	long max_cert_list;
 	int first_packet;
diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index efb71bb7170..556107f5a10 100644
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.152 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.153 2022/12/26 07:31:44 jmc Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1152,8 +1152,8 @@ ssl3_get_client_hello(SSL *s)
 	/*
 	 * We now have the following setup.
 	 * client_random
-	 * cipher_list		- our prefered list of ciphers
-	 * ciphers		- the clients prefered list of ciphers
+	 * cipher_list		- our preferred list of ciphers
+	 * ciphers		- the clients preferred list of ciphers
 	 * compression		- basically ignored right now
 	 * ssl version is set	- sslv3
 	 * s->session		- The ssl session has been setup.
diff --git a/lib/libssl/test/CAss.cnf b/lib/libssl/test/CAss.cnf
index 109bc8c10ba..336e82fd52e 100644
--- a/lib/libssl/test/CAss.cnf
+++ b/lib/libssl/test/CAss.cnf
@@ -36,7 +36,7 @@ certs		= $dir/certs		# Where the issued certs are kept
 crl_dir		= $dir/crl		# Where the issued crl are kept
 database	= $dir/index.txt	# database index file.
 #unique_subject	= no			# Set to 'no' to allow creation of
-					# several ctificates with same subject.
+					# several certificates with same subject.
 new_certs_dir	= $dir/newcerts		# default place for new certs.
 
 certificate	= $dir/cacert.pem 	# The CA certificate
@@ -45,7 +45,7 @@ crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem# The private key
 RANDFILE	= $dir/private/.rand	# private random number file
 
-x509_extensions	= v3_ca			# The extentions to add to the cert
+x509_extensions	= v3_ca			# The extensions to add to the cert
 
 name_opt 	= ca_default		# Subject Name options
 cert_opt 	= ca_default		# Certificate field options
diff --git a/lib/libssl/test/CAtsa.cnf b/lib/libssl/test/CAtsa.cnf
index f5a275bfc23..b497b504525 100644
--- a/lib/libssl/test/CAtsa.cnf
+++ b/lib/libssl/test/CAtsa.cnf
@@ -57,7 +57,7 @@ distinguished_name	= $ENV::TSDNSECT
 encrypt_rsa_key		= no
 prompt 			= no
 # attributes		= req_attributes
-x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
 
 string_mask = nombstr
 
diff --git a/lib/libssl/test/pkits-test.pl b/lib/libssl/test/pkits-test.pl
index 69dffa16f90..17186066adf 100644
--- a/lib/libssl/test/pkits-test.pl
+++ b/lib/libssl/test/pkits-test.pl
@@ -124,7 +124,7 @@ my @testlists = (
     [ "4.4.7", "Valid Two CRLs Test7",              0 ],
 
     # The test document suggests these should return certificate revoked...
-    # Subsquent discussion has concluded they should not due to unhandle
+    # Subsequent discussion has concluded they should not due to unhandle
     # critical CRL extensions.
     [ "4.4.8", "Invalid Unknown CRL Entry Extension Test8", 36 ],
     [ "4.4.9", "Invalid Unknown CRL Extension Test9",       36 ],
@@ -749,7 +749,7 @@ my @testlists = (
     [ "4.14.29", "Valid cRLIssuer Test29",                        0 ],
 
     # Although this test is valid it has a circular dependency. As a result
-    # an attempt is made to reursively checks a CRL path and rejected due to
+    # an attempt is made to recursively check a CRL path and rejected due to
     # a CRL path validation error. PKITS notes suggest this test does not
     # need to be run due to this issue.
     [ "4.14.30", "Valid cRLIssuer Test30",                                 54 ],
@@ -784,6 +784,15 @@ my $ossl = "ossl/apps/openssl";
 
 my $ossl_cmd = "$ossl_path cms -verify -verify_retcode ";
 $ossl_cmd .= "-CAfile pkitsta.pem -crl_check_all -x509_strict ";
+
+# Check for expiry of trust anchor
+system "$ossl_path x509 -inform DER -in $pkitsta -checkend 0";
+if ($? == 256)
+	{
+	print STDERR "WARNING: using older expired data\n";
+	$ossl_cmd .= "-attime 1291940972 ";
+	}
+
 $ossl_cmd .= "-policy_check -extended_crl -use_deltas -out /dev/null 2>&1 ";
 
 system "$ossl_path x509 -inform DER -in $pkitsta -out pkitsta.pem";