diff --git a/Net-SSLeay-1.85-Adapt-to-OpenSSL-1.1.1.patch b/Net-SSLeay-1.85-Adapt-to-OpenSSL-1.1.1.patch deleted file mode 100644 index a65d01b..0000000 --- a/Net-SSLeay-1.85-Adapt-to-OpenSSL-1.1.1.patch +++ /dev/null 
@@ -1,237 +0,0 @@ -From b01291bf88dd84529c93973da7c275e0ffe5cc1f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Fri, 3 Aug 2018 14:30:22 +0200 -Subject: [PATCH] Adapt to OpenSSL 1.1.1 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -OpenSSL 1.1.1 defaults to TLS 1.3 that handles session tickets and -session shutdowns differently. This leads to failing various Net-SSLeay -tests that exhibits use cases that are not possible with OpenSSL 1.1.1 -anymore or where the library behaves differently. - -Since Net-SSLeay is a low-level wrapper, Net-SSLeay will be corrected -in tests. Higher-level code as IO::Socket::SSL and other Net::SSLeay -applications need to be adjusted on case-to-case basis. - -This patche changes: - -- Retry SSL_read() and SSL_write() (by sebastian [...] breakpoint.cc) -- Disable session tickets in t/local/07_sslecho.t. -- Adaps t/local/36_verify.t to a session end when Net::SSLeay::read() - returns undef. 
- -https://rt.cpan.org/Public/Bug/Display.html?id=125218 -https://github.com/openssl/openssl/issues/5637 -https://github.com/openssl/openssl/issues/6904 -Signed-off-by: Petr Písař ---- - SSLeay.xs | 56 ++++++++++++++++++++++++++++++++++++++++++++++++---- - lib/Net/SSLeay.pod | 46 ++++++++++++++++++++++++++++++++++++++++++ - t/local/07_sslecho.t | 15 ++++++++++++-- - t/local/36_verify.t | 2 +- - 4 files changed, 112 insertions(+), 7 deletions(-) - -diff --git a/SSLeay.xs b/SSLeay.xs -index bf148c0..5aed4d7 100644 ---- a/SSLeay.xs -+++ b/SSLeay.xs -@@ -1999,7 +1999,17 @@ SSL_read(s,max=32768) - int got; - PPCODE: - New(0, buf, max, char); -- got = SSL_read(s, buf, max); -+ -+ do { -+ int err; -+ -+ got = SSL_read(s, buf, max); -+ if (got > 0) -+ break; -+ err = SSL_get_error(s, got); -+ if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) -+ break; -+ } while (1); - - /* If in list context, return 2-item list: - * first return value: data gotten, or undef on error (got<0) -@@ -2051,10 +2061,20 @@ SSL_write(s,buf) - SSL * s - PREINIT: - STRLEN len; -+ int err; -+ int ret; - INPUT: - char * buf = SvPV( ST(1), len); - CODE: -- RETVAL = SSL_write (s, buf, (int)len); -+ do { -+ ret = SSL_write (s, buf, (int)len); -+ if (ret > 0) -+ break; -+ err = SSL_get_error(s, ret); -+ if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) -+ break; -+ } while (1); -+ RETVAL = ret; - OUTPUT: - RETVAL - -@@ -2083,8 +2103,20 @@ SSL_write_partial(s,from,count,buf) - if (len < 0) { - croak("from beyound end of buffer"); - RETVAL = -1; -- } else -- RETVAL = SSL_write (s, &(buf[from]), (count<=len)?count:len); -+ } else { -+ int ret; -+ int err; -+ -+ do { -+ ret = SSL_write (s, &(buf[from]), (count<=len)?count:len); -+ if (ret > 0) -+ break; -+ err = SSL_get_error(s, ret); -+ if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) -+ break; -+ } while (1); -+ RETVAL = ret; -+ } - OUTPUT: - RETVAL - -@@ -6957,4 +6989,20 @@ SSL_export_keying_material(ssl, outlen, 
label, p) - - #endif - -+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL -+ -+int -+SSL_CTX_set_num_tickets(SSL_CTX *ctx,size_t num_tickets) -+ -+size_t -+SSL_CTX_get_num_tickets(SSL_CTX *ctx) -+ -+int -+SSL_set_num_tickets(SSL *ssl,size_t num_tickets) -+ -+size_t -+SSL_get_num_tickets(SSL *ssl) -+ -+#endif -+ - #define REM_EOF "/* EOF - SSLeay.xs */" -diff --git a/lib/Net/SSLeay.pod b/lib/Net/SSLeay.pod -index 2e1aae3..bca7be4 100644 ---- a/lib/Net/SSLeay.pod -+++ b/lib/Net/SSLeay.pod -@@ -4437,6 +4437,52 @@ getticket($ssl,$ticket,$data) -> $return_value - - This function is based on the OpenSSL function SSL_set_session_ticket_ext_cb. - -+=item * CTX_set_num_tickets -+ -+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1 -+ -+Set number of session tickets that will be sent to a client. -+ -+ my $rv = Net::SSLeay::CTX_set_num_tickets($ctx, $number_of_tickets); -+ # $ctx - value corresponding to openssl's SSL_CTX structure -+ # $number_of_tickets - number of tickets to send -+ # returns: 1 on success, 0 on failure -+ -+Set to zero if you do not no want to support a session resumption. -+ -+=item * CTX_get_num_tickets -+ -+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1 -+ -+Get number of session tickets that will be sent to a client. -+ -+ my $number_of_tickets = Net::SSLeay::CTX_get_num_tickets($ctx); -+ # $ctx - value corresponding to openssl's SSL_CTX structure -+ # returns: number of tickets to send -+ -+=item * set_num_tickets -+ -+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1 -+ -+Set number of session tickets that will be sent to a client. -+ -+ my $rv = Net::SSLeay::set_num_tickets($ssl, $number_of_tickets); -+ # $ssl - value corresponding to openssl's SSL structure -+ # $number_of_tickets - number of tickets to send -+ # returns: 1 on success, 0 on failure -+ -+Set to zero if you do not no want to support a session resumption. 
-+ -+=item * get_num_tickets -+ -+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1 -+ -+Get number of session tickets that will be sent to a client. -+ -+ my $number_of_tickets = Net::SSLeay::get_num_tickets($ctx); -+ # $ctx - value corresponding to openssl's SSL structure -+ # returns: number of tickets to send -+ - =item * set_shutdown - - Sets the shutdown state of $ssl to $mode. -diff --git a/t/local/07_sslecho.t b/t/local/07_sslecho.t -index 5e16b04..5dc946a 100644 ---- a/t/local/07_sslecho.t -+++ b/t/local/07_sslecho.t -@@ -13,7 +13,8 @@ BEGIN { - plan skip_all => "fork() not supported on $^O" unless $Config{d_fork}; - } - --plan tests => 78; -+plan tests => 79; -+$SIG{'PIPE'} = 'IGNORE'; - - my $sock; - my $pid; -@@ -61,6 +62,16 @@ Net::SSLeay::library_init(); - ok(Net::SSLeay::CTX_set_cipher_list($ctx, 'ALL'), 'CTX_set_cipher_list'); - my ($dummy, $errs) = Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem); - ok($errs eq '', "set_cert_and_key: $errs"); -+ SKIP: { -+ skip 'Disabling session tickets requires OpenSSL >= 1.1.1', 1 -+ unless (&Net::SSLeay::OPENSSL_VERSION_NUMBER >= 0x1010100f); -+ # TLS 1.3 server sends session tickets after a handhake as part of -+ # the SSL_accept(). If a client finishes all its job including closing -+ # TCP connectino before a server sends the tickets, SSL_accept() fails -+ # with SSL_ERROR_SYSCALL and EPIPE errno and the server receives -+ # SIGPIPE signal. -+ ok(Net::SSLeay::CTX_set_num_tickets($ctx, 0), 'Session tickets disabled'); -+ } - - $pid = fork(); - BAIL_OUT("failed to fork: $!") unless defined $pid; -@@ -351,7 +362,7 @@ waitpid $pid, 0; - push @results, [ $? 
== 0, 'server exited with 0' ]; - - END { -- Test::More->builder->current_test(51); -+ Test::More->builder->current_test(52); - for my $t (@results) { - ok( $t->[0], $t->[1] ); - } -diff --git a/t/local/36_verify.t b/t/local/36_verify.t -index 92afc52..e55b138 100644 ---- a/t/local/36_verify.t -+++ b/t/local/36_verify.t -@@ -282,7 +282,7 @@ sub run_server - - # Termination request or other message from client - my $msg = Net::SSLeay::read($ssl); -- if ($msg eq 'end') -+ if (defined $msg and $msg eq 'end') - { - Net::SSLeay::write($ssl, 'end'); - exit (0); --- -2.14.4 - diff --git a/Net-SSLeay-1.85-Avoid-SIGPIPE-in-t-local-36_verify.t.patch b/Net-SSLeay-1.85-Avoid-SIGPIPE-in-t-local-36_verify.t.patch deleted file mode 100644 index 044d4b2..0000000 --- a/Net-SSLeay-1.85-Avoid-SIGPIPE-in-t-local-36_verify.t.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From 173cd9c1340f1f5231625a1dd4ecaea10c207622 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Tue, 14 Aug 2018 16:55:52 +0200 -Subject: [PATCH] Avoid SIGPIPE in t/local/36_verify.t -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -t/local/36_verify.t fails randomly with OpenSSL 1.1.1: - - # Failed test 'Verify callback result and get_verify_result are equal' - # at t/local/36_verify.t line 111. - # got: '-1' - # expected: '0' - # Failed test 'Verify result is X509_V_ERR_NO_EXPLICIT_POLICY' - # at t/local/36_verify.t line 118. - # got: '-1' - # expected: '43' - Bailout called. Further testing stopped: failed to connect to server: Connection refused - FAILED--Further testing stopped: failed to connect to server: Connection refused - -I believe this because TLSv1.3 server can generate SIGPIPE if a client -disconnects too soon. - -Signed-off-by: Petr Písař ---- - t/local/36_verify.t | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/t/local/36_verify.t b/t/local/36_verify.t -index e55b138..2837288 100644 ---- a/t/local/36_verify.t -+++ b/t/local/36_verify.t -@@ -266,10 +266,20 @@ sub run_server - - return if $pid != 0; - -+ $SIG{'PIPE'} = 'IGNORE'; - my $ctx = Net::SSLeay::CTX_new(); - Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem); - my $ret = Net::SSLeay::CTX_check_private_key($ctx); - BAIL_OUT("Server: CTX_check_private_key failed: $cert_pem, $key_pem") unless $ret == 1; -+ if (&Net::SSLeay::OPENSSL_VERSION_NUMBER >= 0x1010100f) { -+ # TLS 1.3 server sends session tickets after a handhake as part of -+ # the SSL_accept(). If a client finishes all its job including closing -+ # TCP connectino before a server sends the tickets, SSL_accept() fails -+ # with SSL_ERROR_SYSCALL and EPIPE errno and the server receives -+ # SIGPIPE signal. 
-+ my $ret = Net::SSLeay::CTX_set_num_tickets($ctx, 0); -+ BAIL_OUT("Session tickets disabled") unless $ret; -+ } - - while (1) - { --- -2.14.4 - diff --git a/Net-SSLeay-1.85-Expose_SSL_CTX_set_post_handshake_auth.patch b/Net-SSLeay-1.85-Expose_SSL_CTX_set_post_handshake_auth.patch deleted file mode 100644 index 9ab1f33..0000000 --- a/Net-SSLeay-1.85-Expose_SSL_CTX_set_post_handshake_auth.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -commit 6a6bcf3d96115a6ef62289838cea418c185d8c88 -Author: Paul Howarth -Date: Wed Sep 19 09:38:40 2018 +0100 - - Expose SSL_CTX_set_post_handshake_auth - - TLS 1.3 removed renegotiation in favor of rekeying and post handshake - authentication (PHA). With PHA, a server can request a client certificate from - a client at some point after the handshake. The feature is commonly used by - HTTP servers for conditional and path specific TLS client auth. For example, a - server can decide to require a cert based on HTTP method and/or path. A client - must announce support for PHA during the handshake. - - Apache mod_ssl uses PHA: - https://github.com/apache/httpd/blob/trunk/modules/ssl/ssl_engine_kernel.c#L1207 - - As of OpenSSL ticket https://github.com/openssl/openssl/issues/6933, TLS 1.3 - clients no longer send the PHA TLS extension by default. For on-demand auth, - PHA extension must be enabled with SSL_CTX_set_post_handshake_auth(), - https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_post_handshake_auth.html . - - This function is needed for the Apache httpd upstream test suite: - https://bugzilla.redhat.com/show_bug.cgi?id=1630391 . - -diff --git a/SSLeay.xs b/SSLeay.xs -index a4dcb0a..5777ffc 100644 ---- a/SSLeay.xs -+++ b/SSLeay.xs -@@ -7291,4 +7291,13 @@ SSL_export_keying_material(ssl, outlen, label, p) - - #endif - -+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER) /* OpenSSL 1.1.1 */ -+ -+void -+SSL_CTX_set_post_handshake_auth(s,val) -+ SSL_CTX * s -+ int val -+ -+#endif -+ - #define REM_EOF "/* EOF - SSLeay.xs */" diff --git a/Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-.patch b/Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-.patch deleted file mode 100644 index 24a72a0..0000000 --- a/Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-.patch +++ /dev/null 
@@ -1,225 +0,0 @@ -From e0b42b0120b941b5675e4071445424dc8a1230e1 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Wed, 15 Aug 2018 14:46:52 +0200 -Subject: [PATCH] Move SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE retry from - read()/write() up -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Original OpenSSL 1.1.1 fix broke IO-Socket-SSL-2.058's t/core.t test -because it tests non-blocking socket operations and expects to see -SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE errors and to handle them -byt itself. - -This patch purifies Net::SSLeay::{read,write}() to behave exactly as -underlying OpenSSL functions. The retry is moved to -Net::SSLeay::ssl_read_all. All relevant Net::SSLeay::{read,write}() calls in -tests are changed into Net::SSLea::ssl_{read,write}_all(). - -All applications should implement the retry themsleves or use -ssl_*_all() instead. - -Signed-off-by: Petr Písař ---- - SSLeay.xs | 28 +++++++--------------------- - lib/Net/SSLeay.pm | 22 +++++++++++++++------- - t/local/07_sslecho.t | 12 ++++++------ - t/local/36_verify.t | 9 +++++---- - 4 files changed, 33 insertions(+), 38 deletions(-) - -diff --git a/SSLeay.xs b/SSLeay.xs -index 5aed4d7..7cb6eab 100644 ---- a/SSLeay.xs -+++ b/SSLeay.xs -@@ -1997,19 +1997,13 @@ SSL_read(s,max=32768) - PREINIT: - char *buf; - int got; -+ int succeeded = 1; - PPCODE: - New(0, buf, max, char); - -- do { -- int err; -- -- got = SSL_read(s, buf, max); -- if (got > 0) -- break; -- err = SSL_get_error(s, got); -- if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) -- break; -- } while (1); -+ got = SSL_read(s, buf, max); -+ if (got <= 0 && SSL_ERROR_ZERO_RETURN != SSL_get_error(s, got)) -+ succeeded = 0; - - /* If in list context, return 2-item list: - * first return value: data gotten, or undef on error (got<0) -@@ -2017,13 +2011,13 @@ SSL_read(s,max=32768) - */ - if (GIMME_V==G_ARRAY) { - EXTEND(SP, 2); -- PUSHs(sv_2mortal(got>=0 ? 
newSVpvn(buf, got) : newSV(0))); -+ PUSHs(sv_2mortal(succeeded ? newSVpvn(buf, got) : newSV(0))); - PUSHs(sv_2mortal(newSViv(got))); - - /* If in scalar or void context, return data gotten, or undef on error. */ - } else { - EXTEND(SP, 1); -- PUSHs(sv_2mortal(got>=0 ? newSVpvn(buf, got) : newSV(0))); -+ PUSHs(sv_2mortal(succeeded ? newSVpvn(buf, got) : newSV(0))); - } - - Safefree(buf); -@@ -2066,15 +2060,7 @@ SSL_write(s,buf) - INPUT: - char * buf = SvPV( ST(1), len); - CODE: -- do { -- ret = SSL_write (s, buf, (int)len); -- if (ret > 0) -- break; -- err = SSL_get_error(s, ret); -- if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) -- break; -- } while (1); -- RETVAL = ret; -+ RETVAL = SSL_write (s, buf, (int)len); - OUTPUT: - RETVAL - -diff --git a/lib/Net/SSLeay.pm b/lib/Net/SSLeay.pm -index 3adf12c..afc6c8f 100644 ---- a/lib/Net/SSLeay.pm -+++ b/lib/Net/SSLeay.pm -@@ -579,14 +579,22 @@ sub debug_read { - sub ssl_read_all { - my ($ssl,$how_much) = @_; - $how_much = 2000000000 unless $how_much; -- my ($got, $errs); -+ my ($got, $rv, $errs); - my $reply = ''; - - while ($how_much > 0) { -- $got = Net::SSLeay::read($ssl, -+ ($got, $rv) = Net::SSLeay::read($ssl, - ($how_much > 32768) ? 32768 : $how_much - ); -- last if $errs = print_errs('SSL_read'); -+ if (! 
defined $got) { -+ my $err = Net::SSLeay::get_error($ssl, $rv); -+ if ($err != Net::SSLeay::ERROR_WANT_READ() and -+ $err != Net::SSLeay::ERROR_WANT_WRITE()) { -+ $errs = print_errs('SSL_read'); -+ last; -+ } -+ next; -+ } - $how_much -= blength($got); - debug_read(\$reply, \$got) if $trace>1; - last if $got eq ''; # EOF -@@ -839,14 +847,14 @@ sub ssl_read_until ($;$$) { - $found = index($match, $delim); - - if ($found > -1) { -- #$got = Net::SSLeay::read($ssl, $found+$len_delim); -+ #$got = Net::SSLeay::ssl_read_all($ssl, $found+$len_delim); - #read up to the end of the delimiter -- $got = Net::SSLeay::read($ssl, -+ $got = Net::SSLeay::ssl_read_all($ssl, - $found + $len_delim - - ((blength($match)) - (blength($got)))); - $done = 1; - } else { -- $got = Net::SSLeay::read($ssl, $peek_length); -+ $got = Net::SSLeay::ssl_read_all($ssl, $peek_length); - $done = 1 if ($peek_length == $max_length - blength($reply)); - } - -@@ -857,7 +865,7 @@ sub ssl_read_until ($;$$) { - } - } else { - while (!defined $max_length || length $reply < $max_length) { -- $got = Net::SSLeay::read($ssl,1); # one by one -+ $got = Net::SSLeay::ssl_read_all($ssl,1); # one by one - last if print_errs('SSL_read'); - debug_read(\$reply, \$got) if $trace>1; - last if $got eq ''; -diff --git a/t/local/07_sslecho.t b/t/local/07_sslecho.t -index 74e317a..7f19027 100644 ---- a/t/local/07_sslecho.t -+++ b/t/local/07_sslecho.t -@@ -134,10 +134,10 @@ my @results; - - push @results, [ Net::SSLeay::get_cipher($ssl), 'get_cipher' ]; - -- push @results, [ Net::SSLeay::write($ssl, $msg), 'write' ]; -+ push @results, [ Net::SSLeay::ssl_write_all($ssl, $msg), 'write' ]; - shutdown($s, 1); - -- my ($got) = Net::SSLeay::read($ssl); -+ my $got = Net::SSLeay::ssl_read_all($ssl); - push @results, [ $got eq uc($msg), 'read' ]; - - Net::SSLeay::free($ssl); -@@ -177,7 +177,7 @@ my @results; - Net::SSLeay::set_fd($ssl, fileno($s)); - Net::SSLeay::connect($ssl); - -- Net::SSLeay::write($ssl, $msg); -+ 
Net::SSLeay::ssl_write_all($ssl, $msg); - - shutdown $s, 2; - close $s; -@@ -231,15 +231,15 @@ my @results; - Net::SSLeay::set_fd($ssl3, $s3); - - Net::SSLeay::connect($ssl1); -- Net::SSLeay::write($ssl1, $msg); -+ Net::SSLeay::ssl_write_all($ssl1, $msg); - shutdown $s1, 2; - - Net::SSLeay::connect($ssl2); -- Net::SSLeay::write($ssl2, $msg); -+ Net::SSLeay::ssl_write_all($ssl2, $msg); - shutdown $s2, 2; - - Net::SSLeay::connect($ssl3); -- Net::SSLeay::write($ssl3, $msg); -+ Net::SSLeay::ssl_write_all($ssl3, $msg); - shutdown $s3, 2; - - close $s1; -diff --git a/t/local/36_verify.t b/t/local/36_verify.t -index 2837288..b04be13 100644 ---- a/t/local/36_verify.t -+++ b/t/local/36_verify.t -@@ -252,8 +252,9 @@ sub client { - Net::SSLeay::set_fd($ssl, $cl); - Net::SSLeay::connect($ssl); - my $end = "end"; -- Net::SSLeay::write($ssl, $end); -- ok($end eq Net::SSLeay::read($ssl), 'Successful termination'); -+ Net::SSLeay::ssl_write_all($ssl, $end); -+ Net::SSLeay::shutdown($ssl); -+ ok($end eq Net::SSLeay::ssl_read_all($ssl), 'Successful termination'); - return; - } - -@@ -291,10 +292,10 @@ sub run_server - next unless $ret == 1; - - # Termination request or other message from client -- my $msg = Net::SSLeay::read($ssl); -+ my $msg = Net::SSLeay::ssl_read_all($ssl); - if (defined $msg and $msg eq 'end') - { -- Net::SSLeay::write($ssl, 'end'); -+ Net::SSLeay::ssl_write_all($ssl, 'end'); - exit (0); - } - } --- -2.14.4 - diff --git a/Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-from_write_partial.patch b/Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-from_write_partial.patch deleted file mode 100644 index b57bd2b..0000000 --- a/Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-from_write_partial.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From 122c80853a9bd66f21699fc79a689b3028d00d3b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Fri, 17 Aug 2018 13:08:44 +0200 -Subject: [PATCH] Move SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE retry from - write_partial() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Original OpenSSL 1.1.1 fix broke IO-Socket-SSL-2.058's t/nonblock.t test -because it tests non-blocking socket operations and expects to see -SSL_ERROR_WANT_WRITE errors and to handle them byt itself. - -This patch purifies Net::SSLeay::write_partial() to behave exactly as -underlying OpenSSL SSL_write() function. The retry is already -presented in Net::SSLeay::ssl_write_all(). - -All applications should implement the retry themsleves or use -ssl_*_all() instead. - -Signed-off-by: Petr Písař ---- - SSLeay.xs | 16 ++-------------- - lib/Net/SSLeay.pod | 3 ++- - 2 files changed, 4 insertions(+), 15 deletions(-) - -diff --git a/SSLeay.xs b/SSLeay.xs -index 7cb6eab..fc7677f 100644 ---- a/SSLeay.xs -+++ b/SSLeay.xs -@@ -2089,20 +2089,8 @@ SSL_write_partial(s,from,count,buf) - if (len < 0) { - croak("from beyound end of buffer"); - RETVAL = -1; -- } else { -- int ret; -- int err; -- -- do { -- ret = SSL_write (s, &(buf[from]), (count<=len)?count:len); -- if (ret > 0) -- break; -- err = SSL_get_error(s, ret); -- if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) -- break; -- } while (1); -- RETVAL = ret; -- } -+ } else -+ RETVAL = SSL_write (s, &(buf[from]), (count<=len)?count:len); - OUTPUT: - RETVAL - -diff --git a/lib/Net/SSLeay.pod b/lib/Net/SSLeay.pod -index bca7be4..8b5f738 100644 ---- a/lib/Net/SSLeay.pod -+++ b/lib/Net/SSLeay.pod -@@ -4819,7 +4819,8 @@ Check openssl doc L Does not exactly correspond to any low level API function - --Writes a fragment of data in $data from the buffer $data into the specified $ssl connection. 
-+Writes a fragment of data in $data from the buffer $data into the specified -+$ssl connection. This is a non-blocking function like L. - - my $rv = Net::SSLeay::write_partial($ssl, $from, $count, $data); - # $ssl - value corresponding to openssl's SSL structure --- -2.14.4 - diff --git a/Net-SSLeay-1.85.tar.gz b/Net-SSLeay-1.85.tar.gz deleted file mode 100644 index d956539..0000000 --- a/Net-SSLeay-1.85.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9d8188b9fb1cae3bd791979c20554925d5e94a138d00414f1a6814549927b0c8 -size 418349 diff --git a/Net-SSLeay-1.86_07.tar.gz b/Net-SSLeay-1.86_07.tar.gz new file mode 100644 index 0000000..d3ab0e8 --- /dev/null +++ b/Net-SSLeay-1.86_07.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:28518e246f3c1b444a95518080e47ca15ad2a8eda53b682f1a2a36c0bf7843d8 +size 416532 diff --git a/perl-Net-SSLeay.changes b/perl-Net-SSLeay.changes index c9d08a2..f263561 100644 --- a/perl-Net-SSLeay.changes +++ b/perl-Net-SSLeay.changes 
@@ -1,3 +1,229 @@ +------------------------------------------------------------------- +Tue Mar 5 14:04:18 UTC 2019 - Pedro Monreal Gonzalez + +- Update to 1.86_07 + 1.86_07 2018-12-13 + - Net::SSLeay::RSA_generate_key() now prefers using + RSA_generate_key_ex. This avois deprecated RSA_generate_key + and allows removing the only Android specific code in + SSLeay.xs. Fixes RT#127593. Thanks to Rouven Weiler. + - SSL_CTX_get0_param, SSL_CTX_get0_param, + X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host, + X509_VERIFY_PARAM_set_hostflags, + X509_VERIFY_PARAM_get0_peername, + X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip and + X509_VERIFY_PARAM_set1_ip_asc added in 1.83 for OpenSSL + 1.0.2 and later are now available with LibreSSL 2.7.0 and + later. + - get_keyblock_size() now gets the MAC secret size from the + cipher on LibreSSL 2.7.0 and later, rather than reaching + into libssl internals. This effectively takes the OpenSSL + 1.1 code path for LibreSSL 2.7.0 instead of the OpenSSL 1.0 + code path. Thanks to Alexander Bluhm. + - get_client_random and get_server_random now use API + functions supported by LibreSSL 2.7.0 and later. Thanks to + Alexander Bluhm. + - Add X509_check_host(), X509_check_email(), X509_check_ip(), + and X509_check_ip_asc() for LibreSSL 2.5.0 and later. Thanks + to Alexander Bluhm. + - OpenSSL_version() and OpenSSL_version_num() are available + with LibreSSL 2.7.0 and later. Thanks to Alexander Bluhm. + - Use OPENSSL_cleanse() instead of memset(). Fixes + RT#116599. Thanks to A. Sinan Unur. + + 1.86_06 2018-09-29 + - Net::SSLeay::read() and SSL_peek() now check SSL_get_error() + for SSL_ERROR_ZERO_RETURN for return values <= 0 to make + Net::SSLeay::read() behave more like underlying OpenSSL + function SSL_read(). + Convenience function ssl_read_all() now does an automatic + retry when ERROR_WANT_READ or ERROR_WANT_WRITE is returned + with Net::SSLeay::read(). 
+ Convenience function ssl_read_until() now uses + Net::SSLeay::ssl_read_all() instead of + Net::SSLeay::read(). Tests 07_sslecho.t and 36_verify.t were + also updated to use ssl_read_all() and ssl_write_all(). The + tests now also disable TLSv1.3 session tickets and ignore + SIGPIPE to avoid this signal when the client has finished + before server has sent session tickets and called + Net::SSLeay::accept(). + Thanks to Petr Pisar and Sebastian Andrzej Siewior for the + patches (in #RT125218). + - Fix a memory leak in cb_data_advanced_put. Fixes + RT#127131. Noticed, investigated and patched by Paul + Evans. Thanks! + - Enable OpenSSL 1.1.1-pre9 with Travis CI. + - Add SSL_CTX_set_num_tickets, SSL_CTX_get_num_tickets, + SSL_set_num_ticket and SSL_get_num_tickets for controlling + the number of TLSv1.3 session tickets that are issued. Add + tests in 44_sess.t. Parts taken from a larger patch by Petr + Pisar of RedHat. + - Add SSL_CTX_set_ciphersuites and SSL_set_ciphersuites for + configuring the available TLSv1.3 ciphersuites. Add tests in + 43_misc_functions.t and clarify SSL_client_version tests. + - Add SSL_CTX_set_security_level, SSL_CTX_get_security_level, + SSL_set_security_level and SSL_get_security_level. + Add new test file 65_security_level.t. + All courtesy of Damyan Ivanov of Debian project. + - Fix export_keying_material return value check and context + handling. SSL_export_keying_material use_context is now + correctly set to non-zero value when context is an empty + string. This affects values exported with TLSv1.2 and earlier. + Update documentation in NetSSLeay.pod and add tests + in t/local/45_export.t. + - Add RAND_priv_bytes. Add new test file t/local/10_rand.t for + RAND_bytes, RAND_pseudo_bytes, RAND_priv_bytes, RAND_status, + RAND_poll, RAND_file_name and RAND_load_file. + - Update documentation for RAND_*bytes return values and + RAND_file_name behaviour with LibreSSL. + - Add SSL_SESSION_is_resumable. Add and update tests in 44_sess.t. 
+ - Set OpenSSL security level to 1 in tests that use the test suite's + (1024-bit) RSA keys, which allows the test suite to pass when + Net-SSLeay is built against an OpenSSL with a higher default + security level. Fixes RT#126987. Thanks to Petr Pisar (in + RT#126270) and Damyan Ivanov (in RT#126987) for the reports and + patches, and to Damyan Ivanov for the preferred patch. + - Add SSL_CTX_sess_set_new_cb and SSL_CTX_sess_set_remove_cb. + Add new test file 44_sess.t for these and future session + related tests for which no specific test file is needed. + - Add SSL_get_version, SSL_client_version and SSL_is_dtls. + - Add SSL_peek_ex, SSL_read_ex, SSL_write_ex and SSL_has_pending. + Add tests in t/local/11_read.t + - Add SSL_CTX_set_post_handshake_auth contributed by Paul + Howarth. Add SSL_set_post_handshake_auth, + SSL_verify_client_post_handshake and constant + SSL_VERIFY_POST_HANDSHAKE. + - Applied a patch to set_cert_and_key() from Damyan Ivanov, + Debian Perl Group. This function now returns errors from + library's error stack only when an underlying routine + fails. Unrelated errors are now skipped. Fixes RT#126988. + - Add support for TLSv1.3 via $Net::SSLeay::ssl_version. + - Enhance t/local/43_misc_functions.t get_keyblock_size test + to work better with AEAD ciphers. + - Add constants SSL_OP_ENABLE_MIDDLEBOX_COMPAT and + SSL_OP_NO_ANTI_REPLAY for TLSv1.3 + - Fix compile time DEFINE=-DSHOW_XS_DEBUG to work with + non-threaded Perls. Fixes RT#127027. Thanks to SREZIC for + the report. Also fix other minor compile warnings. + + 1.86_05 2018-08-22 + - Net-SSLeay now requires at least Perl 5.8.1. This is a + formalisation of what has been the de facto case for some time, + as the distribution hasn't compiled and passed its tests on Perl + 5.005 for several years. + - Increment Net::SSLeay::Handle's version number to keep it in sync + with Net::SSLeay's, thus satisfying Kwalitee's consistent_version + metric. 
+ - Re-enable the d2i_X509_bio() test in t/local/33_x509_create_cert.t + for LibreSSL. Thanks to Alexander Bluhm. + - Automatically detect new library names on Windows for OpenSSL + 1.1.0 onwards (libcrypto, libssl). Fixes part of RT#121084. Thanks + to Jean-Damien Durand. + - Fix a typo preventing OpenSSL libraries built with the VC compiler + (i.e. ones with a ".lib" suffix) from being automatically detected + on Windows. Fixes part of RT#121084. Thanks to Jean-Damien Durand. + - Add missing call to va_end() following va_start() in TRACE(). + Fixes RT#126028. Thanks to Jitka Plesnikova. + - Added SSL_in_init() and the related functions for all + libraries and their versions. All return 0 or 1 as + documented by OpenSSL 1.1.1. Use of these functions is + recommended over using constants returned by get_state() and + state(). New constants TLS_ST_*, used by OpenSSL 1.1.0 and + later, will not be made available by Net::SSLeay. + + 1.86_04 2018-07-30 + - Re-add SSLv3_method() for OpenSSL 1.0.2 and above. Fixes + RT#101484. + - Don't expose ENGINE-related functions when building against + OpenSSL builds without ENGINE support. Fixes RT#121538. Thanks to + Paul Green. + - Automatically detect OpenSSL 1.0.x on VMS, and update VMS + installation instructions to reflect removal of Module::Install + from the build system. Fixes RT#124388. Thanks to Craig A. Berry. + - Prevent memory leak in OCSP_cert2ids() and OCSP_response_verify(). + Fixes RT#125273. Thanks to Steffen Ullrich. + + 1.86_03 2018-07-19 + - Convert packaging to ExtUtils::MakeMaker. Thanks to mohawk2. + - Module::Install is no longer a prerequisite when building + from the reposistory. + - Re-apply patch from ETJ permitting configure and build in + places with a space in the name. + + 1.86_02 2018-07-06 + - Removed inc/ from repository. Module::Install is now a + prerequisite when building from the repository. This allowed + also removing "." from Makefile.PL lib path which was added + in version 1.81. 
These updates require no changes when + building from release packages. They also help AppVeyor + builds to work better with old Perls. + - Added CONTRIBUTING.md, reformatted the previous Changes + entry to use CPAN::Changes::Spec guidelines and removed + unused version control tags from comments. + + 1.86_01 2018-07-04 + [Version control system change] + - Chris Novakovic did a full conversion from the old Debian + hosted SVN repository to git. + - Fixes to commit metadata, branches and tags that git-svn + couldn't handle or had no way of handling, were done + manually or semi-automatically afterwards. For instance, the + "git-svn-id:" lines that git-svn appends to commit messages + were kept because Mike used SVN revision numbers in RT + replies to indicate when bugs had been fixed/patches applied + (which may be useful for future reference). + - All commits were replayed onto a single master branch rather + than having separate dead-end branches for the old SVN + version tags (as this seems more "git-like"). + - New lightweight tags were created for each public release + going back as far as the start of the SVN repository using + data from MetaCPAN (cross-referencing with the changelog + when it wasn't clear when a release was cut from the SVN + repo). + - Florian's and Mike's email addresses were mapped to git + author/committer IDs + [Continuous integration] + - Travis CI configuration was added for automated testing on + Linux using 64 bit Ubuntu Trusty. Build matrix dimensions + are: Perl 5.8 - 5.26 x OpenSSL 0.9.8zh - 1.1.0h. Only the + currently latest version for each major Perl and OpenSSL + release is chosen. + - AppVeyor configuration was added for automated testing on + Windows. Build matrix dimensions are: Perl 5.8 - 5.26 x + 32bit and 64bit Perl environment x Windows Server 2012R2 and + Windows Server 2016. The Perl environment is Strawberry Perl + and its OpenSSL is used with builds. 
Only the latest major + versions are used, similarly to Travis CI. Net-SSLeay PPM + and PPD files are made available as artifacts. + - Added README.md with link to master branch build and test + status. Did minor updates to README and other misc files. + [Release packaging] + - Files t/local/43_misc_functions.t and + t/local/65_ticket_sharing_2.t were missing from MANIFEST. + - Updated inc/ directory with Module::Install 1.19. Updated + Makefile.PL author and resource information. Synced + SSLeay.pm under ext/ with the latest changes under + inc/. Reordered use imports so that META.yml gets correctly + regenerated. More Module::Install related changes will + follow. + [Repository amd maintainer change] + - Net::SSLeay functionality was not changed in this + release. Work was done to switch version contorol systems, + add automated testing, update module packaging and change + the primary maintainer. This coincided with the decommission + of previous code repository service on alioth.debian.org. + - The module is now primarily maintained by Tuure Vartiainen + and Heikki Vatiainen of Radiator Software. The new + repository location is + https://github.com/radiator-software/p5-net-ssleay + +- Dropped patches merged upstream: + * Net-SSLeay-1.85-Adapt-to-OpenSSL-1.1.1.patch + * Net-SSLeay-1.85-Expose_SSL_CTX_set_post_handshake_auth.patch + * Net-SSLeay-1.85-Avoid-SIGPIPE-in-t-local-36_verify.t.patch + * Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-.patch + * Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-from_write_partial.patch + ------------------------------------------------------------------- Mon Jan 14 15:55:27 UTC 2019 - Vítězslav Čížek diff --git a/perl-Net-SSLeay.spec b/perl-Net-SSLeay.spec index f33ede9..81d539e 100644 --- a/perl-Net-SSLeay.spec +++ b/perl-Net-SSLeay.spec 
@@ -18,23 +18,14 @@
 %define cpan_name Net-SSLeay
 
 Name: perl-Net-SSLeay
-Version: 1.85
+Version: 1.86_07
 Release: 0
 Summary: Perl extension for using OpenSSL
 License: Artistic-2.0
 Group: Development/Libraries/Perl
 URL: http://search.cpan.org/dist/Net-SSLeay/
-Source: http://www.cpan.org/modules/by-module/Net/Net-SSLeay-%{version}.tar.gz
-# Adapt to OpenSSL 1.1.1, bug RH#1614884, CPAN RT#125218
-Patch0: Net-SSLeay-1.85-Adapt-to-OpenSSL-1.1.1.patch
-# Avoid SIGPIPE in t/local/36_verify.t, CPAN RT#125218
-Patch2: Net-SSLeay-1.85-Avoid-SIGPIPE-in-t-local-36_verify.t.patch
-# Revert retry in Net::SSLeay::{read,write}(), CPAN RT#125218
-Patch3: Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-.patch
-# Revert retry in Net::SSLeay::write_partial(), CPAN RT#125218
-Patch4: Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-from_write_partial.patch
-# PATCH-FIX-UPSTREAM https://github.com/radiator-software/p5-net-ssleay/pull/68
-Patch5: Net-SSLeay-1.85-Expose_SSL_CTX_set_post_handshake_auth.patch
+#Source: http://www.cpan.org/modules/by-module/Net/Net-SSLeay-%{version}.tar.gz
+Source: https://cpan.metacpan.org/authors/id/R/RA/RADIATOR/%{cpan_name}-%{version}.tar.gz
 BuildRequires: libopenssl-devel
 BuildRequires: openssl
 BuildRequires: perl
@@ -56,7 +47,6 @@ Net::SSLeay module basically comprise of:
 
 %prep
 %setup -q -n %{cpan_name}-%{version}
-%autopatch -p1
 # replace rest of /usr/local/bin/perl with /usr/bin/perl
 for f in $(find . -type f -exec grep -l "%{_prefix}/local/bin/perl" {} \; ); do
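Review bot: The new `Source:` line fetches `1.86_07`, whose underscore marks a CPAN developer release, from the author directory `authors/id/R/RA/RADIATOR/` instead of the by-module path the old line used; developer releases are not what CPAN indexes as current and are routinely deleted from the author directory once a stable release follows, so this URL is likely to go stale and a reader of a TLS binding's spec should be told why a pre-release was chosen. The `.changes` hunk attributes the bump to upstream having merged the OpenSSL 1.1.1/TLS 1.3 fixes that the five dropped `PatchN:` lines carried, so record that next to the line, e.g. `# 1.86_07 is a CPAN developer release; it carries the OpenSSL 1.1.1 / TLS 1.3 fixes previously applied as patches (CPAN RT#125218)`. The commented-out `#Source:` line added above it is dead text that will only confuse the next version bump; drop it, since git history already preserves the old URL. The unchanged `URL:` context line still points at plain-http `search.cpan.org`, which is outside this change but is worth moving to `https://metacpan.org/dist/Net-SSLeay` in the same bump. Tarball integrity is pinned only by the git-lfs sha256 pointer elsewhere in this diff rather than in the spec, which is the usual arrangement here but means that pointer, not this hunk, is where the supply-chain check happens.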