-rw-r--r--lib/libssl/d1_both.c8
-rw-r--r--lib/libssl/doc/openssl.cnf6
-rw-r--r--lib/libssl/doc/standards.txt2
-rw-r--r--lib/libssl/ssl.h4
-rw-r--r--lib/libssl/ssl_clnt.c6
-rw-r--r--lib/libssl/ssl_local.h4
-rw-r--r--lib/libssl/ssl_srvr.c6
-rw-r--r--lib/libssl/test/CAss.cnf4
-rw-r--r--lib/libssl/test/CAtsa.cnf2
-rw-r--r--lib/libssl/test/pkits-test.pl13
10 files changed, 32 insertions, 23 deletions
diff --git a/lib/libssl/d1_both.c b/lib/libssl/d1_both.c
index e94761e5d3e..b5c68a1735f 100644
--- a/lib/libssl/d1_both.c
+++ b/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.83 2022/11/26 16:08:55 tb Exp $ */
+/* $OpenBSD: d1_both.c,v 1.84 2022/12/26 07:31:44 jmc Exp $ */
/*
* DTLS implementation written by Nagendra Modadugu
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -806,7 +806,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
s->init_num = 0;
goto again;
}
- else /* Incorrectly formated Hello request */
+ else /* Incorrectly formatted Hello request */
{
al = SSL_AD_UNEXPECTED_MESSAGE;
SSLerror(s, SSL_R_UNEXPECTED_MESSAGE);
@@ -817,7 +817,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
if ((al = dtls1_preprocess_fragment(s, &msg_hdr, max)))
goto fatal_err;
- /* XDTLS: ressurect this when restart is in place */
+ /* XDTLS: resurrect this when restart is in place */
s->s3->hs.state = stn;
if (frag_len > 0) {
@@ -942,7 +942,7 @@ dtls1_buffer_message(SSL *s, int is_ccs)
hm_fragment *frag;
unsigned char seq64be[8];
- /* Buffer the messsage in order to handle DTLS retransmissions. */
+ /* Buffer the message in order to handle DTLS retransmissions. */
/*
* This function is called immediately after a message has
diff --git a/lib/libssl/doc/openssl.cnf b/lib/libssl/doc/openssl.cnf
index ed4bde52e8a..db95bb5c189 100644
--- a/lib/libssl/doc/openssl.cnf
+++ b/lib/libssl/doc/openssl.cnf
@@ -43,7 +43,7 @@ certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
- # several ctificates with same subject.
+ # several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
@@ -53,7 +53,7 @@ crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
-x509_extensions = usr_cert # The extentions to add to the cert
+x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
@@ -105,7 +105,7 @@ default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
-x509_extensions = v3_ca # The extentions to add to the self signed cert
+x509_extensions = v3_ca # The extensions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
diff --git a/lib/libssl/doc/standards.txt b/lib/libssl/doc/standards.txt
index 7bada8d35f2..6b3c5c50389 100644
--- a/lib/libssl/doc/standards.txt
+++ b/lib/libssl/doc/standards.txt
@@ -280,6 +280,6 @@ STARTTLS documents.
To be implemented:
------------------
-These are documents that describe things that are planed to be
+These are documents that describe things that are planned to be
implemented in the hopefully short future.
diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h
index 4a89bfd868c..acde94c7493 100644
--- a/lib/libssl/ssl.h
+++ b/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.229 2022/09/11 17:39:46 tb Exp $ */
+/* $OpenBSD: ssl.h,v 1.230 2022/12/26 07:31:44 jmc Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -2348,7 +2348,7 @@ void ERR_load_SSL_strings(void);
*/
/*
- * These are provided for compatibiliy, but have no effect
+ * These are provided for compatibility, but have no effect
* on how LibreSSL is initialized.
*/
#define OPENSSL_INIT_LOAD_SSL_STRINGS _OPENSSL_INIT_FLAG_NOOP
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index 64085b953fa..c721aede4ec 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.157 2022/11/26 16:08:55 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.158 2022/12/26 07:31:44 jmc Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1633,7 +1633,7 @@ ssl3_get_new_session_ticket(SSL *s)
}
/*
- * There are two ways to detect a resumed ticket sesion.
+ * There are two ways to detect a resumed ticket session.
* One is to set an appropriate session ID and then the server
* must return a match in ServerHello. This allows the normal
* client session ID matching to work and we know much
@@ -1941,7 +1941,7 @@ ssl3_send_client_kex_gost(SSL *s, CBB *cbb)
int nid;
int ret = 0;
- /* Get server sertificate PKEY and create ctx from it */
+ /* Get server certificate PKEY and create ctx from it */
pkey = X509_get0_pubkey(s->session->peer_cert);
if (pkey == NULL || s->session->peer_cert_type != SSL_PKEY_GOST01) {
SSLerror(s, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
diff --git a/lib/libssl/ssl_local.h b/lib/libssl/ssl_local.h
index 1e38d3939e8..d510f80d8c8 100644
--- a/lib/libssl/ssl_local.h
+++ b/lib/libssl/ssl_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_local.h,v 1.2 2022/11/26 17:23:18 tb Exp $ */
+/* $OpenBSD: ssl_local.h,v 1.3 2022/12/26 07:31:44 jmc Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1087,7 +1087,7 @@ struct ssl_st {
STACK_OF(X509_NAME) *client_CA;
/* set this flag to 1 and a sleep(1) is put into all SSL_read()
- * and SSL_write() calls, good for nbio debuging :-) */
+ * and SSL_write() calls, good for nbio debugging :-) */
int debug;
long max_cert_list;
int first_packet;
diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index efb71bb7170..556107f5a10 100644
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.152 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.153 2022/12/26 07:31:44 jmc Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1152,8 +1152,8 @@ ssl3_get_client_hello(SSL *s)
/*
* We now have the following setup.
* client_random
- * cipher_list - our prefered list of ciphers
- * ciphers - the clients prefered list of ciphers
+ * cipher_list - our preferred list of ciphers
+ * ciphers - the clients preferred list of ciphers
* compression - basically ignored right now
* ssl version is set - sslv3
* s->session - The ssl session has been setup.
diff --git a/lib/libssl/test/CAss.cnf b/lib/libssl/test/CAss.cnf
index 109bc8c10ba..336e82fd52e 100644
--- a/lib/libssl/test/CAss.cnf
+++ b/lib/libssl/test/CAss.cnf
@@ -36,7 +36,7 @@ certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
- # several ctificates with same subject.
+ # several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
@@ -45,7 +45,7 @@ crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
-x509_extensions = v3_ca # The extentions to add to the cert
+x509_extensions = v3_ca # The extensions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
diff --git a/lib/libssl/test/CAtsa.cnf b/lib/libssl/test/CAtsa.cnf
index f5a275bfc23..b497b504525 100644
--- a/lib/libssl/test/CAtsa.cnf
+++ b/lib/libssl/test/CAtsa.cnf
@@ -57,7 +57,7 @@ distinguished_name = $ENV::TSDNSECT
encrypt_rsa_key = no
prompt = no
# attributes = req_attributes
-x509_extensions = v3_ca # The extentions to add to the self signed cert
+x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = nombstr
diff --git a/lib/libssl/test/pkits-test.pl b/lib/libssl/test/pkits-test.pl
index 69dffa16f90..17186066adf 100644
--- a/lib/libssl/test/pkits-test.pl
+++ b/lib/libssl/test/pkits-test.pl
@@ -124,7 +124,7 @@ my @testlists = (
[ "4.4.7", "Valid Two CRLs Test7", 0 ],
# The test document suggests these should return certificate revoked...
- # Subsquent discussion has concluded they should not due to unhandle
+ # Subsequent discussion has concluded they should not due to unhandle
# critical CRL extensions.
[ "4.4.8", "Invalid Unknown CRL Entry Extension Test8", 36 ],
[ "4.4.9", "Invalid Unknown CRL Extension Test9", 36 ],
@@ -749,7 +749,7 @@ my @testlists = (
[ "4.14.29", "Valid cRLIssuer Test29", 0 ],
# Although this test is valid it has a circular dependency. As a result
- # an attempt is made to reursively checks a CRL path and rejected due to
+ # an attempt is made to recursively check a CRL path and rejected due to
# a CRL path validation error. PKITS notes suggest this test does not
# need to be run due to this issue.
[ "4.14.30", "Valid cRLIssuer Test30", 54 ],
@@ -784,6 +784,15 @@ my $ossl = "ossl/apps/openssl";
my $ossl_cmd = "$ossl_path cms -verify -verify_retcode ";
$ossl_cmd .= "-CAfile pkitsta.pem -crl_check_all -x509_strict ";
+
+# Check for expiry of trust anchor
+system "$ossl_path x509 -inform DER -in $pkitsta -checkend 0";
+if ($? == 256)
+ {
+ print STDERR "WARNING: using older expired data\n";
+ $ossl_cmd .= "-attime 1291940972 ";
+ }
+
$ossl_cmd .= "-policy_check -extended_crl -use_deltas -out /dev/null 2>&1 ";
system "$ossl_path x509 -inform DER -in $pkitsta -out pkitsta.pem";
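Review bot: The expiry test `if ($? == 256)` in the added block matches only a clean exit status of 1, so a `system` call that cannot start openssl (`$?` of -1) or that is killed by a signal skips the check silently; as far as I can tell, an unreadable `$pkitsta` also makes `openssl x509` exit 1 and would then be reported as an expired trust anchor. Because the branch appends `-attime 1291940972`, which pins every later verification to a fixed time in December 2010, a mis-detection changes what the whole suite tests. Decode the status before branching, e.g. `die "cannot run $ossl_path\n" if $? == -1 || ($? & 127);` followed by `if (($? >> 8) == 1)`, and confirm the file is readable before running `-checkend`. The command is also handed to `system` as one interpolated string, like the existing call on the last line of the hunk; where `$ossl_path` and `$pkitsta` are assigned is outside this hunk, so if either can come from the command line the list form of `system` would keep shell metacharacters out. A comment beside the constant stating which date it encodes and why that date was chosen would help the next maintainer.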