-rw-r--r-- | lib/libssl/d1_both.c | 8 | ||||
-rw-r--r-- | lib/libssl/doc/openssl.cnf | 6 | ||||
-rw-r--r-- | lib/libssl/doc/standards.txt | 2 | ||||
-rw-r--r-- | lib/libssl/ssl.h | 4 | ||||
-rw-r--r-- | lib/libssl/ssl_clnt.c | 6 | ||||
-rw-r--r-- | lib/libssl/ssl_local.h | 4 | ||||
-rw-r--r-- | lib/libssl/ssl_srvr.c | 6 | ||||
-rw-r--r-- | lib/libssl/test/CAss.cnf | 4 | ||||
-rw-r--r-- | lib/libssl/test/CAtsa.cnf | 2 | ||||
-rw-r--r-- | lib/libssl/test/pkits-test.pl | 13 |
10 files changed, 32 insertions, 23 deletions
diff --git a/lib/libssl/d1_both.c b/lib/libssl/d1_both.c index e94761e5d3e..b5c68a1735f 100644 --- a/lib/libssl/d1_both.c +++ b/lib/libssl/d1_both.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_both.c,v 1.83 2022/11/26 16:08:55 tb Exp $ */ +/* $OpenBSD: d1_both.c,v 1.84 2022/12/26 07:31:44 jmc Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -806,7 +806,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) s->init_num = 0; goto again; } - else /* Incorrectly formated Hello request */ + else /* Incorrectly formatted Hello request */ { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); @@ -817,7 +817,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) if ((al = dtls1_preprocess_fragment(s, &msg_hdr, max))) goto fatal_err; - /* XDTLS: ressurect this when restart is in place */ + /* XDTLS: resurrect this when restart is in place */ s->s3->hs.state = stn; if (frag_len > 0) { @@ -942,7 +942,7 @@ dtls1_buffer_message(SSL *s, int is_ccs) hm_fragment *frag; unsigned char seq64be[8]; - /* Buffer the messsage in order to handle DTLS retransmissions. */ + /* Buffer the message in order to handle DTLS retransmissions. */ /* * This function is called immediately after a message has diff --git a/lib/libssl/doc/openssl.cnf b/lib/libssl/doc/openssl.cnf index ed4bde52e8a..db95bb5c189 100644 --- a/lib/libssl/doc/openssl.cnf +++ b/lib/libssl/doc/openssl.cnf @@ -43,7 +43,7 @@ certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no # Set to 'no' to allow creation of - # several ctificates with same subject. + # several certificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate 
@@ -53,7 +53,7 @@ crlnumber = $dir/crlnumber # the current crl number crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key -x509_extensions = usr_cert # The extentions to add to the cert +x509_extensions = usr_cert # The extensions to add to the cert # Comment out the following two lines for the "traditional" # (and highly broken) format. @@ -105,7 +105,7 @@ default_bits = 1024 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes -x509_extensions = v3_ca # The extentions to add to the self signed cert +x509_extensions = v3_ca # The extensions to add to the self signed cert # Passwords for private keys if not present they will be prompted for # input_password = secret diff --git a/lib/libssl/doc/standards.txt b/lib/libssl/doc/standards.txt index 7bada8d35f2..6b3c5c50389 100644 --- a/lib/libssl/doc/standards.txt +++ b/lib/libssl/doc/standards.txt @@ -280,6 +280,6 @@ STARTTLS documents. To be implemented: ------------------ -These are documents that describe things that are planed to be +These are documents that describe things that are planned to be implemented in the hopefully short future. diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h index 4a89bfd868c..acde94c7493 100644 --- a/lib/libssl/ssl.h +++ b/lib/libssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.229 2022/09/11 17:39:46 tb Exp $ */ +/* $OpenBSD: ssl.h,v 1.230 2022/12/26 07:31:44 jmc Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2348,7 +2348,7 @@ void ERR_load_SSL_strings(void); */ /* - * These are provided for compatibiliy, but have no effect + * These are provided for compatibility, but have no effect * on how LibreSSL is initialized. */ #define OPENSSL_INIT_LOAD_SSL_STRINGS _OPENSSL_INIT_FLAG_NOOP diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c index 64085b953fa..c721aede4ec 100644 --- a/lib/libssl/ssl_clnt.c +++ b/lib/libssl/ssl_clnt.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.157 2022/11/26 16:08:55 tb Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.158 2022/12/26 07:31:44 jmc Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1633,7 +1633,7 @@ ssl3_get_new_session_ticket(SSL *s) } /* - * There are two ways to detect a resumed ticket sesion. + * There are two ways to detect a resumed ticket session. * One is to set an appropriate session ID and then the server * must return a match in ServerHello. This allows the normal * client session ID matching to work and we know much @@ -1941,7 +1941,7 @@ ssl3_send_client_kex_gost(SSL *s, CBB *cbb) int nid; int ret = 0; - /* Get server sertificate PKEY and create ctx from it */ + /* Get server certificate PKEY and create ctx from it */ pkey = X509_get0_pubkey(s->session->peer_cert); if (pkey == NULL || s->session->peer_cert_type != SSL_PKEY_GOST01) { SSLerror(s, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); diff --git a/lib/libssl/ssl_local.h b/lib/libssl/ssl_local.h index 1e38d3939e8..d510f80d8c8 100644 --- a/lib/libssl/ssl_local.h +++ b/lib/libssl/ssl_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_local.h,v 1.2 2022/11/26 17:23:18 tb Exp $ */ +/* $OpenBSD: ssl_local.h,v 1.3 2022/12/26 07:31:44 jmc Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1087,7 +1087,7 @@ struct ssl_st { STACK_OF(X509_NAME) *client_CA; /* set this flag to 1 and a sleep(1) is put into all SSL_read() - * and SSL_write() calls, good for nbio debuging :-) */ + * and SSL_write() calls, good for nbio debugging :-) */ int debug; long max_cert_list; int first_packet; diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c index efb71bb7170..556107f5a10 100644 --- a/lib/libssl/ssl_srvr.c +++ b/lib/libssl/ssl_srvr.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_srvr.c,v 1.152 2022/11/26 16:08:56 tb Exp $ */ +/* $OpenBSD: ssl_srvr.c,v 1.153 2022/12/26 07:31:44 jmc Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1152,8 +1152,8 @@ ssl3_get_client_hello(SSL *s) /* * We now have the following setup. * client_random - * cipher_list - our prefered list of ciphers - * ciphers - the clients prefered list of ciphers + * cipher_list - our preferred list of ciphers + * ciphers - the clients preferred list of ciphers * compression - basically ignored right now * ssl version is set - sslv3 * s->session - The ssl session has been setup. diff --git a/lib/libssl/test/CAss.cnf b/lib/libssl/test/CAss.cnf index 109bc8c10ba..336e82fd52e 100644 --- a/lib/libssl/test/CAss.cnf +++ b/lib/libssl/test/CAss.cnf @@ -36,7 +36,7 @@ certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no # Set to 'no' to allow creation of - # several ctificates with same subject. + # several certificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate @@ -45,7 +45,7 @@ crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file -x509_extensions = v3_ca # The extentions to add to the cert +x509_extensions = v3_ca # The extensions to add to the cert name_opt = ca_default # Subject Name options cert_opt = ca_default # Certificate field options diff --git a/lib/libssl/test/CAtsa.cnf b/lib/libssl/test/CAtsa.cnf index f5a275bfc23..b497b504525 100644 --- a/lib/libssl/test/CAtsa.cnf +++ b/lib/libssl/test/CAtsa.cnf 
@@ -57,7 +57,7 @@ distinguished_name = $ENV::TSDNSECT encrypt_rsa_key = no prompt = no # attributes = req_attributes -x509_extensions = v3_ca # The extentions to add to the self signed cert +x509_extensions = v3_ca # The extensions to add to the self signed cert string_mask = nombstr diff --git a/lib/libssl/test/pkits-test.pl b/lib/libssl/test/pkits-test.pl index 69dffa16f90..17186066adf 100644 --- a/lib/libssl/test/pkits-test.pl +++ b/lib/libssl/test/pkits-test.pl @@ -124,7 +124,7 @@ my @testlists = ( [ "4.4.7", "Valid Two CRLs Test7", 0 ], # The test document suggests these should return certificate revoked... - # Subsquent discussion has concluded they should not due to unhandle + # Subsequent discussion has concluded they should not due to unhandle # critical CRL extensions. [ "4.4.8", "Invalid Unknown CRL Entry Extension Test8", 36 ], [ "4.4.9", "Invalid Unknown CRL Extension Test9", 36 ], @@ -749,7 +749,7 @@ my @testlists = ( [ "4.14.29", "Valid cRLIssuer Test29", 0 ], # Although this test is valid it has a circular dependency. As a result - # an attempt is made to reursively checks a CRL path and rejected due to + # an attempt is made to recursively check a CRL path and rejected due to # a CRL path validation error. PKITS notes suggest this test does not # need to be run due to this issue. [ "4.14.30", "Valid cRLIssuer Test30", 54 ], @@ -784,6 +784,15 @@ my $ossl = "ossl/apps/openssl"; my $ossl_cmd = "$ossl_path cms -verify -verify_retcode "; $ossl_cmd .= "-CAfile pkitsta.pem -crl_check_all -x509_strict "; + +# Check for expiry of trust anchor +system "$ossl_path x509 -inform DER -in $pkitsta -checkend 0"; +if ($? == 256) + { + print STDERR "WARNING: using older expired data\n"; + $ossl_cmd .= "-attime 1291940972 "; + } + $ossl_cmd .= "-policy_check -extended_crl -use_deltas -out /dev/null 2>&1 "; system "$ossl_path x509 -inform DER -in $pkitsta -out pkitsta.pem"; |
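Review bot: The corrected comment line still carries a second misspelling, `unhandle` for `unhandled`, so the spelling pass should leave it as `# Subsequent discussion has concluded they should not due to unhandled`. The line sits inside the `my @testlists = (` initializer, which begins and ends outside this hunk.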
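Review bot: The new expiry check at `if ($? == 256)` compares the raw wait status, so a failed exec of `$ossl_path` (`$?` is -1), a signal death, or any exit code other than 1 silently skips the `-attime` branch and the run continues against possibly-expired data with no diagnostic; the conventional test is `if (($? >> 8) == 1)`, preceded by `die "x509 -checkend failed: $?\n" if $? == -1 || ($? >> 8) > 1;` so a missing or broken binary stops the script instead of surfacing later as an unexplained `cms -verify` failure. The literal `1291940972` also deserves a comment naming the instant it encodes and noting that `-attime` pins the verification time for every certificate and CRL in the run, not only the trust anchor, e.g. `# Verification time (December 2010) used once the trust anchor has expired; TODO confirm it lies within the PKITS data's validity period`. Both added `system` calls, like the existing `$ossl_cmd`, pass a single shell string with `$ossl_path` and `$pkitsta` interpolated; that matches the file's convention, but list-form `system($ossl_path, "x509", ...)` would avoid shell interpretation of those paths.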