pool/perl-Net-SSLeay
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 681761 from home:pmonrealgonzalez:branches:devel:languages:perl

Browse Source 
- Update to 1.86_07
  1.86_07 2018-12-13
        - Net::SSLeay::RSA_generate_key() now prefers using
          RSA_generate_key_ex. This avois deprecated RSA_generate_key
          and allows removing the only Android specific code in
          SSLeay.xs. Fixes RT#127593. Thanks to Rouven Weiler.
        - SSL_CTX_get0_param, SSL_CTX_get0_param,
          X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host,
          X509_VERIFY_PARAM_set_hostflags,
          X509_VERIFY_PARAM_get0_peername,
          X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip and
          X509_VERIFY_PARAM_set1_ip_asc added in 1.83 for OpenSSL
          1.0.2 and later are now available with LibreSSL 2.7.0 and
          later.
        - get_keyblock_size() now gets the MAC secret size from the
          cipher on LibreSSL 2.7.0 and later, rather than reaching
          into libssl internals. This effectively takes the OpenSSL
          1.1 code path for LibreSSL 2.7.0 instead of the OpenSSL 1.0
          code path.  Thanks to Alexander Bluhm.
        - get_client_random and get_server_random now use API
          functions supported by LibreSSL 2.7.0 and later. Thanks to
          Alexander Bluhm.
        - Add X509_check_host(), X509_check_email(), X509_check_ip(),
          and X509_check_ip_asc() for LibreSSL 2.5.0 and later. Thanks
          to Alexander Bluhm.
        - OpenSSL_version() and OpenSSL_version_num() are available
          with LibreSSL 2.7.0 and later. Thanks to Alexander Bluhm.
        - Use OPENSSL_cleanse() instead of memset(). Fixes
          RT#116599. Thanks to A. Sinan Unur.
  1.86_06 2018-09-29

OBS-URL: https://build.opensuse.org/request/show/681761
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/perl-Net-SSLeay?expand=0&rev=44
This commit is contained in:
Pedro Monreal Gonzalez 2019-03-05 14:41:56 +00:00 committed by Git OBS Bridge
parent 51341ea75b
commit caf890f794
9 changed files with 232 additions and 647 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

237
Net-SSLeay-1.85-Adapt-to-OpenSSL-1.1.1.patch
View File

@ -1,237 +0,0 @@
From b01291bf88dd84529c93973da7c275e0ffe5cc1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Fri, 3 Aug 2018 14:30:22 +0200
Subject: [PATCH] Adapt to OpenSSL 1.1.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
OpenSSL 1.1.1 defaults to TLS 1.3 that handles session tickets and
session shutdowns differently. This leads to failing various Net-SSLeay
tests that exhibits use cases that are not possible with OpenSSL 1.1.1
anymore or where the library behaves differently.
Since Net-SSLeay is a low-level wrapper, Net-SSLeay will be corrected
in tests. Higher-level code as IO::Socket::SSL and other Net::SSLeay
applications need to be adjusted on case-to-case basis.
This patche changes:
- Retry SSL_read() and SSL_write() (by sebastian [...] breakpoint.cc)
- Disable session tickets in t/local/07_sslecho.t.
- Adaps t/local/36_verify.t to a session end when Net::SSLeay::read()
returns undef.
https://rt.cpan.org/Public/Bug/Display.html?id=125218
https://github.com/openssl/openssl/issues/5637
https://github.com/openssl/openssl/issues/6904
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
SSLeay.xs | 56 ++++++++++++++++++++++++++++++++++++++++++++++++----
lib/Net/SSLeay.pod | 46 ++++++++++++++++++++++++++++++++++++++++++
t/local/07_sslecho.t | 15 ++++++++++++--
t/local/36_verify.t | 2 +-
4 files changed, 112 insertions(+), 7 deletions(-)
diff --git a/SSLeay.xs b/SSLeay.xs
index bf148c0..5aed4d7 100644
--- a/SSLeay.xs
+++ b/SSLeay.xs
@@ -1999,7 +1999,17 @@ SSL_read(s,max=32768)
int got;
PPCODE:
New(0, buf, max, char);
- got = SSL_read(s, buf, max);
+
+ do {
+ int err;
+
+ got = SSL_read(s, buf, max);
+ if (got > 0)
+ break;
+ err = SSL_get_error(s, got);
+ if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE)
+ break;
+ } while (1);
/* If in list context, return 2-item list:
* first return value: data gotten, or undef on error (got<0)
@@ -2051,10 +2061,20 @@ SSL_write(s,buf)
SSL * s
PREINIT:
STRLEN len;
+ int err;
+ int ret;
INPUT:
char * buf = SvPV( ST(1), len);
CODE:
- RETVAL = SSL_write (s, buf, (int)len);
+ do {
+ ret = SSL_write (s, buf, (int)len);
+ if (ret > 0)
+ break;
+ err = SSL_get_error(s, ret);
+ if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE)
+ break;
+ } while (1);
+ RETVAL = ret;
OUTPUT:
RETVAL
@@ -2083,8 +2103,20 @@ SSL_write_partial(s,from,count,buf)
if (len < 0) {
croak("from beyound end of buffer");
RETVAL = -1;
- } else
- RETVAL = SSL_write (s, &(buf[from]), (count<=len)?count:len);
+ } else {
+ int ret;
+ int err;
+
+ do {
+ ret = SSL_write (s, &(buf[from]), (count<=len)?count:len);
+ if (ret > 0)
+ break;
+ err = SSL_get_error(s, ret);
+ if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE)
+ break;
+ } while (1);
+ RETVAL = ret;
+ }
OUTPUT:
RETVAL
@@ -6957,4 +6989,20 @@ SSL_export_keying_material(ssl, outlen, label, p)
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL
+
+int
+SSL_CTX_set_num_tickets(SSL_CTX *ctx,size_t num_tickets)
+
+size_t
+SSL_CTX_get_num_tickets(SSL_CTX *ctx)
+
+int
+SSL_set_num_tickets(SSL *ssl,size_t num_tickets)
+
+size_t
+SSL_get_num_tickets(SSL *ssl)
+
+#endif
+
#define REM_EOF "/* EOF - SSLeay.xs */"
diff --git a/lib/Net/SSLeay.pod b/lib/Net/SSLeay.pod
index 2e1aae3..bca7be4 100644
--- a/lib/Net/SSLeay.pod
+++ b/lib/Net/SSLeay.pod
@@ -4437,6 +4437,52 @@ getticket($ssl,$ticket,$data) -> $return_value
This function is based on the OpenSSL function SSL_set_session_ticket_ext_cb.
+=item * CTX_set_num_tickets
+
+B<COMPATIBILITY:> not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1
+
+Set number of session tickets that will be sent to a client.
+
+ my $rv = Net::SSLeay::CTX_set_num_tickets($ctx, $number_of_tickets);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $number_of_tickets - number of tickets to send
+ # returns: 1 on success, 0 on failure
+
+Set to zero if you do not no want to support a session resumption.
+
+=item * CTX_get_num_tickets
+
+B<COMPATIBILITY:> not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1
+
+Get number of session tickets that will be sent to a client.
+
+ my $number_of_tickets = Net::SSLeay::CTX_get_num_tickets($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # returns: number of tickets to send
+
+=item * set_num_tickets
+
+B<COMPATIBILITY:> not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1
+
+Set number of session tickets that will be sent to a client.
+
+ my $rv = Net::SSLeay::set_num_tickets($ssl, $number_of_tickets);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $number_of_tickets - number of tickets to send
+ # returns: 1 on success, 0 on failure
+
+Set to zero if you do not no want to support a session resumption.
+
+=item * get_num_tickets
+
+B<COMPATIBILITY:> not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1
+
+Get number of session tickets that will be sent to a client.
+
+ my $number_of_tickets = Net::SSLeay::get_num_tickets($ctx);
+ # $ctx - value corresponding to openssl's SSL structure
+ # returns: number of tickets to send
+
=item * set_shutdown
Sets the shutdown state of $ssl to $mode.
diff --git a/t/local/07_sslecho.t b/t/local/07_sslecho.t
index 5e16b04..5dc946a 100644
--- a/t/local/07_sslecho.t
+++ b/t/local/07_sslecho.t
@@ -13,7 +13,8 @@ BEGIN {
plan skip_all => "fork() not supported on $^O" unless $Config{d_fork};
}
-plan tests => 78;
+plan tests => 79;
+$SIG{'PIPE'} = 'IGNORE';
my $sock;
my $pid;
@@ -61,6 +62,16 @@ Net::SSLeay::library_init();
ok(Net::SSLeay::CTX_set_cipher_list($ctx, 'ALL'), 'CTX_set_cipher_list');
my ($dummy, $errs) = Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem);
ok($errs eq '', "set_cert_and_key: $errs");
+ SKIP: {
+ skip 'Disabling session tickets requires OpenSSL >= 1.1.1', 1
+ unless (&Net::SSLeay::OPENSSL_VERSION_NUMBER >= 0x1010100f);
+ # TLS 1.3 server sends session tickets after a handhake as part of
+ # the SSL_accept(). If a client finishes all its job including closing
+ # TCP connectino before a server sends the tickets, SSL_accept() fails
+ # with SSL_ERROR_SYSCALL and EPIPE errno and the server receives
+ # SIGPIPE signal. <https://github.com/openssl/openssl/issues/6904>
+ ok(Net::SSLeay::CTX_set_num_tickets($ctx, 0), 'Session tickets disabled');
+ }
$pid = fork();
BAIL_OUT("failed to fork: $!") unless defined $pid;
@@ -351,7 +362,7 @@ waitpid $pid, 0;
push @results, [ $? == 0, 'server exited with 0' ];
END {
- Test::More->builder->current_test(51);
+ Test::More->builder->current_test(52);
for my $t (@results) {
ok( $t->[0], $t->[1] );
}
diff --git a/t/local/36_verify.t b/t/local/36_verify.t
index 92afc52..e55b138 100644
--- a/t/local/36_verify.t
+++ b/t/local/36_verify.t
@@ -282,7 +282,7 @@ sub run_server
# Termination request or other message from client
my $msg = Net::SSLeay::read($ssl);
- if ($msg eq 'end')
+ if (defined $msg and $msg eq 'end')
{
Net::SSLeay::write($ssl, 'end');
exit (0);
--
2.14.4

57
Net-SSLeay-1.85-Avoid-SIGPIPE-in-t-local-36_verify.t.patch
View File

@ -1,57 +0,0 @@
From 173cd9c1340f1f5231625a1dd4ecaea10c207622 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Tue, 14 Aug 2018 16:55:52 +0200
Subject: [PATCH] Avoid SIGPIPE in t/local/36_verify.t
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
t/local/36_verify.t fails randomly with OpenSSL 1.1.1:
# Failed test 'Verify callback result and get_verify_result are equal'
# at t/local/36_verify.t line 111.
# got: '-1'
# expected: '0'
# Failed test 'Verify result is X509_V_ERR_NO_EXPLICIT_POLICY'
# at t/local/36_verify.t line 118.
# got: '-1'
# expected: '43'
Bailout called. Further testing stopped: failed to connect to server: Connection refused
FAILED--Further testing stopped: failed to connect to server: Connection refused
I believe this because TLSv1.3 server can generate SIGPIPE if a client
disconnects too soon.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
t/local/36_verify.t | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/t/local/36_verify.t b/t/local/36_verify.t
index e55b138..2837288 100644
--- a/t/local/36_verify.t
+++ b/t/local/36_verify.t
@@ -266,10 +266,20 @@ sub run_server
return if $pid != 0;
+ $SIG{'PIPE'} = 'IGNORE';
my $ctx = Net::SSLeay::CTX_new();
Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem);
my $ret = Net::SSLeay::CTX_check_private_key($ctx);
BAIL_OUT("Server: CTX_check_private_key failed: $cert_pem, $key_pem") unless $ret == 1;
+ if (&Net::SSLeay::OPENSSL_VERSION_NUMBER >= 0x1010100f) {
+ # TLS 1.3 server sends session tickets after a handhake as part of
+ # the SSL_accept(). If a client finishes all its job including closing
+ # TCP connectino before a server sends the tickets, SSL_accept() fails
+ # with SSL_ERROR_SYSCALL and EPIPE errno and the server receives
+ # SIGPIPE signal. <https://github.com/openssl/openssl/issues/6904>
+ my $ret = Net::SSLeay::CTX_set_num_tickets($ctx, 0);
+ BAIL_OUT("Session tickets disabled") unless $ret;
+ }
while (1)
{
--
2.14.4

42
Net-SSLeay-1.85-Expose_SSL_CTX_set_post_handshake_auth.patch
View File

@ -1,42 +0,0 @@
commit 6a6bcf3d96115a6ef62289838cea418c185d8c88
Author: Paul Howarth <paul@city-fan.org>
Date: Wed Sep 19 09:38:40 2018 +0100
Expose SSL_CTX_set_post_handshake_auth
TLS 1.3 removed renegotiation in favor of rekeying and post handshake
authentication (PHA). With PHA, a server can request a client certificate from
a client at some point after the handshake. The feature is commonly used by
HTTP servers for conditional and path specific TLS client auth. For example, a
server can decide to require a cert based on HTTP method and/or path. A client
must announce support for PHA during the handshake.
Apache mod_ssl uses PHA:
https://github.com/apache/httpd/blob/trunk/modules/ssl/ssl_engine_kernel.c#L1207
As of OpenSSL ticket https://github.com/openssl/openssl/issues/6933, TLS 1.3
clients no longer send the PHA TLS extension by default. For on-demand auth,
PHA extension must be enabled with SSL_CTX_set_post_handshake_auth(),
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_post_handshake_auth.html .
This function is needed for the Apache httpd upstream test suite:
https://bugzilla.redhat.com/show_bug.cgi?id=1630391 .
diff --git a/SSLeay.xs b/SSLeay.xs
index a4dcb0a..5777ffc 100644
--- a/SSLeay.xs
+++ b/SSLeay.xs
@@ -7291,4 +7291,13 @@ SSL_export_keying_material(ssl, outlen, label, p)
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER) /* OpenSSL 1.1.1 */
+
+void
+SSL_CTX_set_post_handshake_auth(s,val)
+ SSL_CTX * s
+ int val
+
+#endif
+
#define REM_EOF "/* EOF - SSLeay.xs */"

225
Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-.patch
View File

@ -1,225 +0,0 @@
From e0b42b0120b941b5675e4071445424dc8a1230e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Wed, 15 Aug 2018 14:46:52 +0200
Subject: [PATCH] Move SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE retry from
read()/write() up
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Original OpenSSL 1.1.1 fix broke IO-Socket-SSL-2.058's t/core.t test
because it tests non-blocking socket operations and expects to see
SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE errors and to handle them
byt itself.
This patch purifies Net::SSLeay::{read,write}() to behave exactly as
underlying OpenSSL functions. The retry is moved to
Net::SSLeay::ssl_read_all. All relevant Net::SSLeay::{read,write}() calls in
tests are changed into Net::SSLea::ssl_{read,write}_all().
All applications should implement the retry themsleves or use
ssl_*_all() instead.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
SSLeay.xs | 28 +++++++---------------------
lib/Net/SSLeay.pm | 22 +++++++++++++++-------
t/local/07_sslecho.t | 12 ++++++------
t/local/36_verify.t | 9 +++++----
4 files changed, 33 insertions(+), 38 deletions(-)
diff --git a/SSLeay.xs b/SSLeay.xs
index 5aed4d7..7cb6eab 100644
--- a/SSLeay.xs
+++ b/SSLeay.xs
@@ -1997,19 +1997,13 @@ SSL_read(s,max=32768)
PREINIT:
char *buf;
int got;
+ int succeeded = 1;
PPCODE:
New(0, buf, max, char);
- do {
- int err;
-
- got = SSL_read(s, buf, max);
- if (got > 0)
- break;
- err = SSL_get_error(s, got);
- if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE)
- break;
- } while (1);
+ got = SSL_read(s, buf, max);
+ if (got <= 0 && SSL_ERROR_ZERO_RETURN != SSL_get_error(s, got))
+ succeeded = 0;
/* If in list context, return 2-item list:
* first return value: data gotten, or undef on error (got<0)
@@ -2017,13 +2011,13 @@ SSL_read(s,max=32768)
*/
if (GIMME_V==G_ARRAY) {
EXTEND(SP, 2);
- PUSHs(sv_2mortal(got>=0 ? newSVpvn(buf, got) : newSV(0)));
+ PUSHs(sv_2mortal(succeeded ? newSVpvn(buf, got) : newSV(0)));
PUSHs(sv_2mortal(newSViv(got)));
/* If in scalar or void context, return data gotten, or undef on error. */
} else {
EXTEND(SP, 1);
- PUSHs(sv_2mortal(got>=0 ? newSVpvn(buf, got) : newSV(0)));
+ PUSHs(sv_2mortal(succeeded ? newSVpvn(buf, got) : newSV(0)));
}
Safefree(buf);
@@ -2066,15 +2060,7 @@ SSL_write(s,buf)
INPUT:
char * buf = SvPV( ST(1), len);
CODE:
- do {
- ret = SSL_write (s, buf, (int)len);
- if (ret > 0)
- break;
- err = SSL_get_error(s, ret);
- if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE)
- break;
- } while (1);
- RETVAL = ret;
+ RETVAL = SSL_write (s, buf, (int)len);
OUTPUT:
RETVAL
diff --git a/lib/Net/SSLeay.pm b/lib/Net/SSLeay.pm
index 3adf12c..afc6c8f 100644
--- a/lib/Net/SSLeay.pm
+++ b/lib/Net/SSLeay.pm
@@ -579,14 +579,22 @@ sub debug_read {
sub ssl_read_all {
my ($ssl,$how_much) = @_;
$how_much = 2000000000 unless $how_much;
- my ($got, $errs);
+ my ($got, $rv, $errs);
my $reply = '';
while ($how_much > 0) {
- $got = Net::SSLeay::read($ssl,
+ ($got, $rv) = Net::SSLeay::read($ssl,
($how_much > 32768) ? 32768 : $how_much
);
- last if $errs = print_errs('SSL_read');
+ if (! defined $got) {
+ my $err = Net::SSLeay::get_error($ssl, $rv);
+ if ($err != Net::SSLeay::ERROR_WANT_READ() and
+ $err != Net::SSLeay::ERROR_WANT_WRITE()) {
+ $errs = print_errs('SSL_read');
+ last;
+ }
+ next;
+ }
$how_much -= blength($got);
debug_read(\$reply, \$got) if $trace>1;
last if $got eq ''; # EOF
@@ -839,14 +847,14 @@ sub ssl_read_until ($;$$) {
$found = index($match, $delim);
if ($found > -1) {
- #$got = Net::SSLeay::read($ssl, $found+$len_delim);
+ #$got = Net::SSLeay::ssl_read_all($ssl, $found+$len_delim);
#read up to the end of the delimiter
- $got = Net::SSLeay::read($ssl,
+ $got = Net::SSLeay::ssl_read_all($ssl,
$found + $len_delim
- ((blength($match)) - (blength($got))));
$done = 1;
} else {
- $got = Net::SSLeay::read($ssl, $peek_length);
+ $got = Net::SSLeay::ssl_read_all($ssl, $peek_length);
$done = 1 if ($peek_length == $max_length - blength($reply));
}
@@ -857,7 +865,7 @@ sub ssl_read_until ($;$$) {
}
} else {
while (!defined $max_length || length $reply < $max_length) {
- $got = Net::SSLeay::read($ssl,1); # one by one
+ $got = Net::SSLeay::ssl_read_all($ssl,1); # one by one
last if print_errs('SSL_read');
debug_read(\$reply, \$got) if $trace>1;
last if $got eq '';
diff --git a/t/local/07_sslecho.t b/t/local/07_sslecho.t
index 74e317a..7f19027 100644
--- a/t/local/07_sslecho.t
+++ b/t/local/07_sslecho.t
@@ -134,10 +134,10 @@ my @results;
push @results, [ Net::SSLeay::get_cipher($ssl), 'get_cipher' ];
- push @results, [ Net::SSLeay::write($ssl, $msg), 'write' ];
+ push @results, [ Net::SSLeay::ssl_write_all($ssl, $msg), 'write' ];
shutdown($s, 1);
- my ($got) = Net::SSLeay::read($ssl);
+ my $got = Net::SSLeay::ssl_read_all($ssl);
push @results, [ $got eq uc($msg), 'read' ];
Net::SSLeay::free($ssl);
@@ -177,7 +177,7 @@ my @results;
Net::SSLeay::set_fd($ssl, fileno($s));
Net::SSLeay::connect($ssl);
- Net::SSLeay::write($ssl, $msg);
+ Net::SSLeay::ssl_write_all($ssl, $msg);
shutdown $s, 2;
close $s;
@@ -231,15 +231,15 @@ my @results;
Net::SSLeay::set_fd($ssl3, $s3);
Net::SSLeay::connect($ssl1);
- Net::SSLeay::write($ssl1, $msg);
+ Net::SSLeay::ssl_write_all($ssl1, $msg);
shutdown $s1, 2;
Net::SSLeay::connect($ssl2);
- Net::SSLeay::write($ssl2, $msg);
+ Net::SSLeay::ssl_write_all($ssl2, $msg);
shutdown $s2, 2;
Net::SSLeay::connect($ssl3);
- Net::SSLeay::write($ssl3, $msg);
+ Net::SSLeay::ssl_write_all($ssl3, $msg);
shutdown $s3, 2;
close $s1;
diff --git a/t/local/36_verify.t b/t/local/36_verify.t
index 2837288..b04be13 100644
--- a/t/local/36_verify.t
+++ b/t/local/36_verify.t
@@ -252,8 +252,9 @@ sub client {
Net::SSLeay::set_fd($ssl, $cl);
Net::SSLeay::connect($ssl);
my $end = "end";
- Net::SSLeay::write($ssl, $end);
- ok($end eq Net::SSLeay::read($ssl), 'Successful termination');
+ Net::SSLeay::ssl_write_all($ssl, $end);
+ Net::SSLeay::shutdown($ssl);
+ ok($end eq Net::SSLeay::ssl_read_all($ssl), 'Successful termination');
return;
}
@@ -291,10 +292,10 @@ sub run_server
next unless $ret == 1;
# Termination request or other message from client
- my $msg = Net::SSLeay::read($ssl);
+ my $msg = Net::SSLeay::ssl_read_all($ssl);
if (defined $msg and $msg eq 'end')
{
- Net::SSLeay::write($ssl, 'end');
+ Net::SSLeay::ssl_write_all($ssl, 'end');
exit (0);
}
}
--
2.14.4

70
Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-from_write_partial.patch
View File

@ -1,70 +0,0 @@
From 122c80853a9bd66f21699fc79a689b3028d00d3b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Fri, 17 Aug 2018 13:08:44 +0200
Subject: [PATCH] Move SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE retry from
write_partial()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Original OpenSSL 1.1.1 fix broke IO-Socket-SSL-2.058's t/nonblock.t test
because it tests non-blocking socket operations and expects to see
SSL_ERROR_WANT_WRITE errors and to handle them byt itself.
This patch purifies Net::SSLeay::write_partial() to behave exactly as
underlying OpenSSL SSL_write() function. The retry is already
presented in Net::SSLeay::ssl_write_all().
All applications should implement the retry themsleves or use
ssl_*_all() instead.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
SSLeay.xs | 16 ++--------------
lib/Net/SSLeay.pod | 3 ++-
2 files changed, 4 insertions(+), 15 deletions(-)
diff --git a/SSLeay.xs b/SSLeay.xs
index 7cb6eab..fc7677f 100644
--- a/SSLeay.xs
+++ b/SSLeay.xs
@@ -2089,20 +2089,8 @@ SSL_write_partial(s,from,count,buf)
if (len < 0) {
croak("from beyound end of buffer");
RETVAL = -1;
- } else {
- int ret;
- int err;
-
- do {
- ret = SSL_write (s, &(buf[from]), (count<=len)?count:len);
- if (ret > 0)
- break;
- err = SSL_get_error(s, ret);
- if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE)
- break;
- } while (1);
- RETVAL = ret;
- }
+ } else
+ RETVAL = SSL_write (s, &(buf[from]), (count<=len)?count:len);
OUTPUT:
RETVAL
diff --git a/lib/Net/SSLeay.pod b/lib/Net/SSLeay.pod
index bca7be4..8b5f738 100644
--- a/lib/Net/SSLeay.pod
+++ b/lib/Net/SSLeay.pod
@@ -4819,7 +4819,8 @@ Check openssl doc L<http://www.openssl.org/docs/ssl/SSL_write.html|http://www.op
B<NOTE:> Does not exactly correspond to any low level API function
-Writes a fragment of data in $data from the buffer $data into the specified $ssl connection.
+Writes a fragment of data in $data from the buffer $data into the specified
+$ssl connection. This is a non-blocking function like L<Net::SSLeay::write()>.
my $rv = Net::SSLeay::write_partial($ssl, $from, $count, $data);
# $ssl - value corresponding to openssl's SSL structure
--
2.14.4

3
Net-SSLeay-1.85.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9d8188b9fb1cae3bd791979c20554925d5e94a138d00414f1a6814549927b0c8
size 418349

3
Net-SSLeay-1.86_07.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:28518e246f3c1b444a95518080e47ca15ad2a8eda53b682f1a2a36c0bf7843d8
size 416532

226
perl-Net-SSLeay.changes
View File

@ -1,3 +1,229 @@
-------------------------------------------------------------------
Tue Mar 5 14:04:18 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
- Update to 1.86_07
1.86_07 2018-12-13
- Net::SSLeay::RSA_generate_key() now prefers using
RSA_generate_key_ex. This avois deprecated RSA_generate_key
and allows removing the only Android specific code in
SSLeay.xs. Fixes RT#127593. Thanks to Rouven Weiler.
- SSL_CTX_get0_param, SSL_CTX_get0_param,
X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host,
X509_VERIFY_PARAM_set_hostflags,
X509_VERIFY_PARAM_get0_peername,
X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip and
X509_VERIFY_PARAM_set1_ip_asc added in 1.83 for OpenSSL
1.0.2 and later are now available with LibreSSL 2.7.0 and
later.
- get_keyblock_size() now gets the MAC secret size from the
cipher on LibreSSL 2.7.0 and later, rather than reaching
into libssl internals. This effectively takes the OpenSSL
1.1 code path for LibreSSL 2.7.0 instead of the OpenSSL 1.0
code path. Thanks to Alexander Bluhm.
- get_client_random and get_server_random now use API
functions supported by LibreSSL 2.7.0 and later. Thanks to
Alexander Bluhm.
- Add X509_check_host(), X509_check_email(), X509_check_ip(),
and X509_check_ip_asc() for LibreSSL 2.5.0 and later. Thanks
to Alexander Bluhm.
- OpenSSL_version() and OpenSSL_version_num() are available
with LibreSSL 2.7.0 and later. Thanks to Alexander Bluhm.
- Use OPENSSL_cleanse() instead of memset(). Fixes
RT#116599. Thanks to A. Sinan Unur.
1.86_06 2018-09-29
- Net::SSLeay::read() and SSL_peek() now check SSL_get_error()
for SSL_ERROR_ZERO_RETURN for return values <= 0 to make
Net::SSLeay::read() behave more like underlying OpenSSL
function SSL_read().
Convenience function ssl_read_all() now does an automatic
retry when ERROR_WANT_READ or ERROR_WANT_WRITE is returned
with Net::SSLeay::read().
Convenience function ssl_read_until() now uses
Net::SSLeay::ssl_read_all() instead of
Net::SSLeay::read(). Tests 07_sslecho.t and 36_verify.t were
also updated to use ssl_read_all() and ssl_write_all(). The
tests now also disable TLSv1.3 session tickets and ignore
SIGPIPE to avoid this signal when the client has finished
before server has sent session tickets and called
Net::SSLeay::accept().
Thanks to Petr Pisar and Sebastian Andrzej Siewior for the
patches (in #RT125218).
- Fix a memory leak in cb_data_advanced_put. Fixes
RT#127131. Noticed, investigated and patched by Paul
Evans. Thanks!
- Enable OpenSSL 1.1.1-pre9 with Travis CI.
- Add SSL_CTX_set_num_tickets, SSL_CTX_get_num_tickets,
SSL_set_num_ticket and SSL_get_num_tickets for controlling
the number of TLSv1.3 session tickets that are issued. Add
tests in 44_sess.t. Parts taken from a larger patch by Petr
Pisar of RedHat.
- Add SSL_CTX_set_ciphersuites and SSL_set_ciphersuites for
configuring the available TLSv1.3 ciphersuites. Add tests in
43_misc_functions.t and clarify SSL_client_version tests.
- Add SSL_CTX_set_security_level, SSL_CTX_get_security_level,
SSL_set_security_level and SSL_get_security_level.
Add new test file 65_security_level.t.
All courtesy of Damyan Ivanov of Debian project.
- Fix export_keying_material return value check and context
handling. SSL_export_keying_material use_context is now
correctly set to non-zero value when context is an empty
string. This affects values exported with TLSv1.2 and earlier.
Update documentation in NetSSLeay.pod and add tests
in t/local/45_export.t.
- Add RAND_priv_bytes. Add new test file t/local/10_rand.t for
RAND_bytes, RAND_pseudo_bytes, RAND_priv_bytes, RAND_status,
RAND_poll, RAND_file_name and RAND_load_file.
- Update documentation for RAND_*bytes return values and
RAND_file_name behaviour with LibreSSL.
- Add SSL_SESSION_is_resumable. Add and update tests in 44_sess.t.
- Set OpenSSL security level to 1 in tests that use the test suite's
(1024-bit) RSA keys, which allows the test suite to pass when
Net-SSLeay is built against an OpenSSL with a higher default
security level. Fixes RT#126987. Thanks to Petr Pisar (in
RT#126270) and Damyan Ivanov (in RT#126987) for the reports and
patches, and to Damyan Ivanov for the preferred patch.
- Add SSL_CTX_sess_set_new_cb and SSL_CTX_sess_set_remove_cb.
Add new test file 44_sess.t for these and future session
related tests for which no specific test file is needed.
- Add SSL_get_version, SSL_client_version and SSL_is_dtls.
- Add SSL_peek_ex, SSL_read_ex, SSL_write_ex and SSL_has_pending.
Add tests in t/local/11_read.t
- Add SSL_CTX_set_post_handshake_auth contributed by Paul
Howarth. Add SSL_set_post_handshake_auth,
SSL_verify_client_post_handshake and constant
SSL_VERIFY_POST_HANDSHAKE.
- Applied a patch to set_cert_and_key() from Damyan Ivanov,
Debian Perl Group. This function now returns errors from
library's error stack only when an underlying routine
fails. Unrelated errors are now skipped. Fixes RT#126988.
- Add support for TLSv1.3 via $Net::SSLeay::ssl_version.
- Enhance t/local/43_misc_functions.t get_keyblock_size test
to work better with AEAD ciphers.
- Add constants SSL_OP_ENABLE_MIDDLEBOX_COMPAT and
SSL_OP_NO_ANTI_REPLAY for TLSv1.3
- Fix compile time DEFINE=-DSHOW_XS_DEBUG to work with
non-threaded Perls. Fixes RT#127027. Thanks to SREZIC for
the report. Also fix other minor compile warnings.
1.86_05 2018-08-22
- Net-SSLeay now requires at least Perl 5.8.1. This is a
formalisation of what has been the de facto case for some time,
as the distribution hasn't compiled and passed its tests on Perl
5.005 for several years.
- Increment Net::SSLeay::Handle's version number to keep it in sync
with Net::SSLeay's, thus satisfying Kwalitee's consistent_version
metric.
- Re-enable the d2i_X509_bio() test in t/local/33_x509_create_cert.t
for LibreSSL. Thanks to Alexander Bluhm.
- Automatically detect new library names on Windows for OpenSSL
1.1.0 onwards (libcrypto, libssl). Fixes part of RT#121084. Thanks
to Jean-Damien Durand.
- Fix a typo preventing OpenSSL libraries built with the VC compiler
(i.e. ones with a ".lib" suffix) from being automatically detected
on Windows. Fixes part of RT#121084. Thanks to Jean-Damien Durand.
- Add missing call to va_end() following va_start() in TRACE().
Fixes RT#126028. Thanks to Jitka Plesnikova.
- Added SSL_in_init() and the related functions for all
libraries and their versions. All return 0 or 1 as
documented by OpenSSL 1.1.1. Use of these functions is
recommended over using constants returned by get_state() and
state(). New constants TLS_ST_*, used by OpenSSL 1.1.0 and
later, will not be made available by Net::SSLeay.
1.86_04 2018-07-30
- Re-add SSLv3_method() for OpenSSL 1.0.2 and above. Fixes
RT#101484.
- Don't expose ENGINE-related functions when building against
OpenSSL builds without ENGINE support. Fixes RT#121538. Thanks to
Paul Green.
- Automatically detect OpenSSL 1.0.x on VMS, and update VMS
installation instructions to reflect removal of Module::Install
from the build system. Fixes RT#124388. Thanks to Craig A. Berry.
- Prevent memory leak in OCSP_cert2ids() and OCSP_response_verify().
Fixes RT#125273. Thanks to Steffen Ullrich.
1.86_03 2018-07-19
- Convert packaging to ExtUtils::MakeMaker. Thanks to mohawk2.
- Module::Install is no longer a prerequisite when building
from the reposistory.
- Re-apply patch from ETJ permitting configure and build in
places with a space in the name.
1.86_02 2018-07-06
- Removed inc/ from repository. Module::Install is now a
prerequisite when building from the repository. This allowed
also removing "." from Makefile.PL lib path which was added
in version 1.81. These updates require no changes when
building from release packages. They also help AppVeyor
builds to work better with old Perls.
- Added CONTRIBUTING.md, reformatted the previous Changes
entry to use CPAN::Changes::Spec guidelines and removed
unused version control tags from comments.
1.86_01 2018-07-04
[Version control system change]
- Chris Novakovic did a full conversion from the old Debian
hosted SVN repository to git.
- Fixes to commit metadata, branches and tags that git-svn
couldn't handle or had no way of handling, were done
manually or semi-automatically afterwards. For instance, the
"git-svn-id:" lines that git-svn appends to commit messages
were kept because Mike used SVN revision numbers in RT
replies to indicate when bugs had been fixed/patches applied
(which may be useful for future reference).
- All commits were replayed onto a single master branch rather
than having separate dead-end branches for the old SVN
version tags (as this seems more "git-like").
- New lightweight tags were created for each public release
going back as far as the start of the SVN repository using
data from MetaCPAN (cross-referencing with the changelog
when it wasn't clear when a release was cut from the SVN
repo).
- Florian's and Mike's email addresses were mapped to git
author/committer IDs
[Continuous integration]
- Travis CI configuration was added for automated testing on
Linux using 64 bit Ubuntu Trusty. Build matrix dimensions
are: Perl 5.8 - 5.26 x OpenSSL 0.9.8zh - 1.1.0h. Only the
currently latest version for each major Perl and OpenSSL
release is chosen.
- AppVeyor configuration was added for automated testing on
Windows. Build matrix dimensions are: Perl 5.8 - 5.26 x
32bit and 64bit Perl environment x Windows Server 2012R2 and
Windows Server 2016. The Perl environment is Strawberry Perl
and its OpenSSL is used with builds. Only the latest major
versions are used, similarly to Travis CI. Net-SSLeay PPM
and PPD files are made available as artifacts.
- Added README.md with link to master branch build and test
status. Did minor updates to README and other misc files.
[Release packaging]
- Files t/local/43_misc_functions.t and
t/local/65_ticket_sharing_2.t were missing from MANIFEST.
- Updated inc/ directory with Module::Install 1.19. Updated
Makefile.PL author and resource information. Synced
SSLeay.pm under ext/ with the latest changes under
inc/. Reordered use imports so that META.yml gets correctly
regenerated. More Module::Install related changes will
follow.
[Repository amd maintainer change]
- Net::SSLeay functionality was not changed in this
release. Work was done to switch version contorol systems,
add automated testing, update module packaging and change
the primary maintainer. This coincided with the decommission
of previous code repository service on alioth.debian.org.
- The module is now primarily maintained by Tuure Vartiainen
and Heikki Vatiainen of Radiator Software. The new
repository location is
https://github.com/radiator-software/p5-net-ssleay
- Dropped patches merged upstream:
* Net-SSLeay-1.85-Adapt-to-OpenSSL-1.1.1.patch
* Net-SSLeay-1.85-Expose_SSL_CTX_set_post_handshake_auth.patch
* Net-SSLeay-1.85-Avoid-SIGPIPE-in-t-local-36_verify.t.patch
* Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-.patch
* Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-from_write_partial.patch
-------------------------------------------------------------------
Mon Jan 14 15:55:27 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>

16
perl-Net-SSLeay.spec
View File

@ -18,23 +18,14 @@
%define cpan_name Net-SSLeay
Name: perl-Net-SSLeay
Version: 1.85
Version: 1.86_07
Release: 0
Summary: Perl extension for using OpenSSL
License: Artistic-2.0
Group: Development/Libraries/Perl
URL: http://search.cpan.org/dist/Net-SSLeay/
Source: http://www.cpan.org/modules/by-module/Net/Net-SSLeay-%{version}.tar.gz
# Adapt to OpenSSL 1.1.1, bug RH#1614884, CPAN RT#125218
Patch0: Net-SSLeay-1.85-Adapt-to-OpenSSL-1.1.1.patch
# Avoid SIGPIPE in t/local/36_verify.t, CPAN RT#125218
Patch2: Net-SSLeay-1.85-Avoid-SIGPIPE-in-t-local-36_verify.t.patch
# Revert retry in Net::SSLeay::{read,write}(), CPAN RT#125218
Patch3: Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-.patch
# Revert retry in Net::SSLeay::write_partial(), CPAN RT#125218
Patch4: Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-from_write_partial.patch
# PATCH-FIX-UPSTREAM https://github.com/radiator-software/p5-net-ssleay/pull/68
Patch5: Net-SSLeay-1.85-Expose_SSL_CTX_set_post_handshake_auth.patch
#Source: http://www.cpan.org/modules/by-module/Net/Net-SSLeay-%{version}.tar.gz
Source: https://cpan.metacpan.org/authors/id/R/RA/RADIATOR/%{cpan_name}-%{version}.tar.gz
BuildRequires: libopenssl-devel
BuildRequires: openssl
BuildRequires: perl
@ -56,7 +47,6 @@ Net::SSLeay module basically comprise of:
%prep
%setup -q -n %{cpan_name}-%{version}
%autopatch -p1
# replace rest of /usr/local/bin/perl with /usr/bin/perl
for f in $(find . -type f -exec grep -l "%{_prefix}/local/bin/perl" {} \; ); do