Hello community,

here is the log from the commit of package perl-Net-SSLeay for openSUSE:Factory 
checked in at 2014-02-12 17:32:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-Net-SSLeay (Old)
 and      /work/SRC/openSUSE:Factory/.perl-Net-SSLeay.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "perl-Net-SSLeay"

Changes:
--------
--- /work/SRC/openSUSE:Factory/perl-Net-SSLeay/perl-Net-SSLeay.changes  
2013-10-04 10:43:57.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.perl-Net-SSLeay.new/perl-Net-SSLeay.changes     
2014-02-12 17:32:10.000000000 +0100
@@ -1,0 +2,41 @@
+Sun Feb  9 13:34:34 UTC 2014 - co...@suse.com
+
+- updated to 1.58
+      Always use size_t for strlen() return value, requested by Alexander 
Bluhm.
+      t/external/20_cert_chain.t was missing from dist.
+      Version number in META.yml was incorrect
+      Improvements to test t/external/20_cert_chain.t to provoke following bug:
+      Fixed crash due to SSL_get_peer_cert_chain incorrectly free'ing the chain
+      after use.
+      Fixed a problem when compiling against openssl where OPENSSL_NO_EC is 
set.
+ 
+ 1.57 2014-01-09
+      Fixed remaining problems with test suite: pod coverage and kwalitee tests
+      are only enabled with RELEASE_TESTING=1
+ 
+ 1.56 2014-01-08
+      Fixed a typo in documentation of BEAST Attack, patched by gregor
+      herrmann.
+      Added LICENSE file copied form OpenSSL distribution to prevent complaints
+      from various versions of kwalitee.
+      Adjusted license: in META.yml to be 'openssl'
+      Adds support for the basic operations necessary to support ECDH for PFS,
+      e.g. EC_KEY_new_by_curve_name, EC_KEY_free and SSL_CTX_set_tmp_ecdh.
+      Improvements to t/handle/external/50_external.t to handle the case when a
+      test connection was not possible. Patched by Alexandr Ciornii.
+      Added support for ALPN TLS extension. Patch from Lubomir Rintel. Tested
+      with openssl-1.0.2-stable-SNAP-20131205.
+      Fix an use-after-free error. Patch from Lubomir Rintel.
+      Fixed a problem with  Invalid comparison on OBJ_cmp result in
+      t/local/36_verify.t. Contributed by paul.
+      Added support for get_peer_cert_chain(). Patch by Markus Benning.
+      Fixed a bug that could cause stack faults: mixed up PUTBACK with SPAGAIN 
in ssleay_RSA_generate_key_cb_invoke()
+      a final PUTBACK is needed here. A second issue is also fixed:
+      cb->data defaults to &PL_sv_undef but throught the code you do not check
+      against &PL_sv_undef, just NULL. 
+      To avoid passing the 3rd optional arg at all, do not create it. This 
fixes all the 
+      cb->data checks and wrong refcounts on &PL_sv_undef. Patched by Reini 
Urban.
+      Deleted support for SSL_get_tlsa_record_byname: it is not included in
+      OpenSSL git master. 
+
+-------------------------------------------------------------------

Old:
----
  Net-SSLeay-1.55.tar.gz

New:
----
  Net-SSLeay-1.58.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ perl-Net-SSLeay.spec ++++++
--- /var/tmp/diff_new_pack.n4joN7/_old  2014-02-12 17:32:11.000000000 +0100
+++ /var/tmp/diff_new_pack.n4joN7/_new  2014-02-12 17:32:11.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package perl-Net-SSLeay
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 %bcond_with test
 
 Name:           perl-Net-SSLeay
-Version:        1.55
+Version:        1.58
 Release:        0
 %define cpan_name Net-SSLeay
 Summary:        Perl extension for using OpenSSL

++++++ Net-SSLeay-1.55.tar.gz -> Net-SSLeay-1.58.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Net-SSLeay-1.55/Changes new/Net-SSLeay-1.58/Changes
--- old/Net-SSLeay-1.55/Changes 2013-06-08 00:26:50.000000000 +0200
+++ new/Net-SSLeay-1.58/Changes 2014-01-15 00:26:07.000000000 +0100
@@ -1,5 +1,43 @@
 Revision history for Perl extension Net::SSLeay.
 
+1.58 2014-01-15
+     Always use size_t for strlen() return value, requested by Alexander Bluhm.
+     t/external/20_cert_chain.t was missing from dist.
+     Version number in META.yml was incorrect
+     Improvements to test t/external/20_cert_chain.t to provoke following bug:
+     Fixed crash due to SSL_get_peer_cert_chain incorrectly free'ing the chain
+     after use.
+     Fixed a problem when compiling against openssl where OPENSSL_NO_EC is set.
+
+1.57 2014-01-09
+     Fixed remaining problems with test suite: pod coverage and kwalitee tests
+     are only enabled with RELEASE_TESTING=1
+
+1.56 2014-01-08
+     Fixed a typo in documentation of BEAST Attack, patched by gregor
+     herrmann.
+     Added LICENSE file copied form OpenSSL distribution to prevent complaints
+     from various versions of kwalitee.
+     Adjusted license: in META.yml to be 'openssl'
+     Adds support for the basic operations necessary to support ECDH for PFS,
+     e.g. EC_KEY_new_by_curve_name, EC_KEY_free and SSL_CTX_set_tmp_ecdh.
+     Improvements to t/handle/external/50_external.t to handle the case when a
+     test connection was not possible. Patched by Alexandr Ciornii.
+     Added support for ALPN TLS extension. Patch from Lubomir Rintel. Tested
+     with openssl-1.0.2-stable-SNAP-20131205.
+     Fix an use-after-free error. Patch from Lubomir Rintel.
+     Fixed a problem with  Invalid comparison on OBJ_cmp result in
+     t/local/36_verify.t. Contributed by paul.
+     Added support for get_peer_cert_chain(). Patch by Markus Benning.
+     Fixed a bug that could cause stack faults: mixed up PUTBACK with SPAGAIN 
in ssleay_RSA_generate_key_cb_invoke()
+     a final PUTBACK is needed here. A second issue is also fixed:
+     cb->data defaults to &PL_sv_undef but throught the code you do not check
+     against &PL_sv_undef, just NULL. 
+     To avoid passing the 3rd optional arg at all, do not create it. This 
fixes all the 
+     cb->data checks and wrong refcounts on &PL_sv_undef. Patched by Reini 
Urban.
+     Deleted support for SSL_get_tlsa_record_byname: it is not included in
+     OpenSSL git master. 
+
 1.55 2013-06-08
      Added support for TLSV1_1 and TLSV1_2 methods with SSL_CTX_tlsv1_1_new(),
      SSL_CTX_tlsv1_2_new(), TLSv1_1_method() and TLSv1_2_method(), where
@@ -14,6 +52,7 @@
      OpenSSL with the financial assistance of .SE.
      Testing with openssl-1.0.2-stable-SNAP-20130521.
      Added X509_NAME_new and X509_NAME_hash, patched by Franck Youssef.
+     Fixed a number of typos in pod file thanks to dsteinbrunner.
 
 1.54 2013-03-23
      t/data/testcert_cdp.crt.pem_dump and t/data/testcert_cdp.crt.pem were
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Net-SSLeay-1.55/LICENSE new/Net-SSLeay-1.58/LICENSE
--- old/Net-SSLeay-1.55/LICENSE 1970-01-01 01:00:00.000000000 +0100
+++ new/Net-SSLeay-1.58/LICENSE 2013-09-02 10:07:46.000000000 +0200
@@ -0,0 +1,127 @@
+
+  LICENSE ISSUES
+  ==============
+
+  The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
+  the OpenSSL License and the original SSLeay license apply to the toolkit.
+  See below for the actual license texts. Actually both licenses are BSD-style
+  Open Source licenses. In case of any license issues related to OpenSSL
+  please contact openssl-c...@openssl.org.
+
+  OpenSSL License
+  ---------------
+
+/* ====================================================================
+ * Copyright (c) 1998-2011 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-c...@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (e...@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (t...@cryptsoft.com).
+ *
+ */
+
+ Original SSLeay License
+ -----------------------
+
+/* Copyright (C) 1995-1998 Eric Young (e...@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (e...@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (t...@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (e...@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an 
acknowledgement:
+ *    "This product includes software written by Tim Hudson 
(t...@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Net-SSLeay-1.55/MANIFEST new/Net-SSLeay-1.58/MANIFEST
--- old/Net-SSLeay-1.55/MANIFEST        2013-03-22 15:28:58.000000000 +0100
+++ new/Net-SSLeay-1.58/MANIFEST        2014-01-14 00:33:27.000000000 +0100
@@ -1,6 +1,7 @@
 Changes
 constants.c
 Credits
+LICENSE
 Debian_CPANTS.txt
 examples/bio.pl
 examples/bulk.pl
@@ -80,6 +81,7 @@
 t/data/verisign.crl.pem
 t/external/08_external.t
 t/external/15_altnames.t
+t/external/20_cert_chain.t
 t/handle/external/10_destroy.t
 t/handle/external/50_external.t
 t/handle/local/05_use.t
@@ -105,6 +107,7 @@
 t/local/38_priv-key.t
 t/local/39_pkcs12.t
 t/local/40_npn_support.t
+t/local/41_alpn_support.t
 t/local/50_digest.t
 t/local/61_threads-cb-crash.t
 t/local/62_threads-ctx_new-deadlock.t
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Net-SSLeay-1.55/META.yml new/Net-SSLeay-1.58/META.yml
--- old/Net-SSLeay-1.55/META.yml        2013-03-22 15:31:13.000000000 +0100
+++ new/Net-SSLeay-1.58/META.yml        2014-01-14 00:34:25.000000000 +0100
@@ -1,4 +1,5 @@
 ---
+name: Net-SSLeay
 abstract: 'Perl extension for using OpenSSL'
 author:
   - 'Maintained by Mike McCauley and Florian Ragwitz since November 2005'
@@ -9,11 +10,10 @@
 distribution_type: module
 dynamic_config: 1
 generated_by: 'Module::Install version 1.06'
-license: SSLeay
+license: openssl
 meta-spec:
   url: http://module-build.sourceforge.net/META-spec-v1.4.html
   version: 1.4
-name: Net-SSLeay
 no_index:
   directory:
     - examples
@@ -28,4 +28,4 @@
 resources:
   bugtracker: https://rt.cpan.org/Public/Dist/Display.html?Name=net-ssleay
   repository: http://svn.debian.org/wsvn/net-ssleay
-version: 1.53
+version: 1.58
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Net-SSLeay-1.55/Makefile.PL 
new/Net-SSLeay-1.58/Makefile.PL
--- old/Net-SSLeay-1.55/Makefile.PL     2013-03-22 01:26:17.000000000 +0100
+++ new/Net-SSLeay-1.58/Makefile.PL     2014-01-08 04:23:23.000000000 +0100
@@ -8,7 +8,7 @@
 use File::Spec;
 
 name('Net-SSLeay');
-license('SSLeay');
+license        'perl';
 all_from('lib/Net/SSLeay.pm');
 
 ssleay();
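Review bot: the new `license        'perl';` line in Makefile.PL disagrees with the rest of this update, where META.yml is changed to `license: openssl` and an OpenSSL/SSLeay LICENSE file is added. META.yml is marked as generated by Module::Install, so the next regeneration is likely to write the value from Makefile.PL back into it. Set the same license identifier in Makefile.PL as in META.yml, and keep the call style consistent with the neighbouring `name('Net-SSLeay');`.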
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Net-SSLeay-1.55/SSLeay.xs 
new/Net-SSLeay-1.58/SSLeay.xs
--- old/Net-SSLeay-1.55/SSLeay.xs       2013-06-08 00:29:53.000000000 +0200
+++ new/Net-SSLeay-1.58/SSLeay.xs       2014-01-15 00:27:17.000000000 +0100
@@ -8,7 +8,7 @@
  *
  * Change data removed. See Changes
  *
- * $Id: SSLeay.xs 378 2013-06-07 22:29:53Z mikem-guest $
+ * $Id: SSLeay.xs 397 2014-01-14 23:27:17Z mikem-guest $
  * 
  * The distribution and use of this module are subject to the conditions
  * listed in LICENSE file at the root of OpenSSL-0.9.6b
@@ -429,7 +429,7 @@
         SvREFCNT_inc(func);
         SvREFCNT_inc(data);
         cb->func = func;
-        cb->data = data;
+        cb->data = (data == &PL_sv_undef) ? NULL : data;
     }
     return cb;
 }
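Review bot: `SvREFCNT_inc(data);` two lines above the changed assignment still runs when `data` is `&PL_sv_undef`, so a reference is taken on a value that `cb` then does not keep, since `cb->data` becomes NULL. Guard the increment with the same condition as the assignment, so the count and the stored pointer always agree and the matching free path only has to test `cb->data` for NULL.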
@@ -780,8 +780,8 @@
     if (last_index<0) return 0;
     for(i=0; i<=last_index; i++) {
         char *p = SvPV_nolen(*av_fetch(list, i, 0));
-        int len = strlen(p);
-        if (len<0 || len>255) return 0;
+        size_t len = strlen(p);
+        if (len>255) return 0;
         if (out) {
             /* if out == NULL we only calculate the length of output */
             out[ptr] = (unsigned char)len;
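Review bot: the length check `if (len>255) return 0;` still accepts an empty string, which then gets encoded as a zero-length entry by `out[ptr] = (unsigned char)len;`. Protocol names in the NPN/ALPN wire format are 1 to 255 bytes, so reject `len == 0` as well. Separately, `*av_fetch(list, i, 0)` is dereferenced without a NULL check, and `strlen()` on the `SvPV_nolen` result stops at the first embedded NUL; fetching the string with its `STRLEN` would avoid both the truncation and the second pass over the data.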
@@ -811,7 +811,7 @@
 {
     SV *cb_func, *cb_data;
     unsigned char *next_proto_data;
-    unsigned char next_proto_len;
+    size_t next_proto_len;
     int next_proto_status;
     SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
     STRLEN n_a;
@@ -844,19 +844,22 @@
             croak ("Net::SSLeay: next_proto_select_cb_invoke perl function did 
not return 2 values.\n");
         next_proto_data = (unsigned char*)POPpx;
         next_proto_status = POPi;
+
+        next_proto_len = strlen((const char*)next_proto_data);
+        if (next_proto_len<=255) {
+          /* store last_status + last_negotiated into global hash */
+          cb_data_advanced_put(ssl, "next_proto_select_cb!!last_status", 
newSViv(next_proto_status));
+          tmpsv = newSVpv((const char*)next_proto_data, next_proto_len);
+          cb_data_advanced_put(ssl, "next_proto_select_cb!!last_negotiated", 
tmpsv);
+          *out = (unsigned char *)SvPVX(tmpsv);
+          *outlen = next_proto_len;
+        }
+
         PUTBACK;
         FREETMPS;
         LEAVE;
 
-        if (strlen((const char*)next_proto_data)>255) return 
SSL_TLSEXT_ERR_ALERT_FATAL;
-        next_proto_len = strlen((const char*)next_proto_data);
-        /* store last_status + last_negotiated into global hash */
-        cb_data_advanced_put(ssl, "next_proto_select_cb!!last_status", 
newSViv(next_proto_status));
-        tmpsv = newSVpv((const char*)next_proto_data, next_proto_len);
-        cb_data_advanced_put(ssl, "next_proto_select_cb!!last_negotiated", 
tmpsv);
-        *out = (unsigned char *)SvPVX(tmpsv);
-        *outlen = next_proto_len;
-        return SSL_TLSEXT_ERR_OK;
+        return next_proto_len>255 ? SSL_TLSEXT_ERR_ALERT_FATAL : 
SSL_TLSEXT_ERR_OK;
     }
     else if (SvROK(cb_data) && (SvTYPE(SvRV(cb_data)) == SVt_PVAV)) {
         next_proto_len = next_proto_helper_AV2protodata((AV*)SvRV(cb_data), 
NULL);
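Review bot: the block that now sits between `next_proto_status = POPi;` and `PUTBACK;` needs a comment saying why it must stay there. `next_proto_data` points into the value returned by the Perl callback, and the `newSVpv()` copy has to be taken before `FREETMPS` runs; without a note, a later cleanup could move it back below `LEAVE`. Also note that on the `next_proto_len>255` path neither `last_status` nor `last_negotiated` is recorded, so a caller inspecting them after a fatal alert sees values from an earlier handshake or none at all; say in the documentation whether that is intended.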
@@ -931,10 +934,84 @@
 
 #endif
 
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_TLSEXT)
+
+int alpn_select_cb_invoke(SSL *ssl, const unsigned char **out, unsigned char 
*outlen,
+                                const unsigned char *in, unsigned int inlen, 
void *arg)
+{
+    SV *cb_func, *cb_data;
+    unsigned char *alpn_data;
+    size_t alpn_len;
+    SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
+    STRLEN n_a;
+
+    PR1("STARTED: alpn_select_cb_invoke\n");
+    cb_func = cb_data_advanced_get(ctx, "alpn_select_cb!!func");
+    cb_data = cb_data_advanced_get(ctx, "alpn_select_cb!!data");
+
+    if (SvROK(cb_func) && (SvTYPE(SvRV(cb_func)) == SVt_PVCV)) {
+        int count = -1;
+        AV *list = newAV();
+        SV *tmpsv;
+        SV *alpn_data_sv;
+        dSP;
+
+        if (!next_proto_helper_protodata2AV(list, in, inlen)) return 
SSL_TLSEXT_ERR_ALERT_FATAL;
+
+        ENTER;
+        SAVETMPS;
+        PUSHMARK(SP);
+        XPUSHs(sv_2mortal(newSViv(PTR2IV(ssl))));
+        XPUSHs(sv_2mortal(newRV_inc((SV*)list)));
+        XPUSHs(sv_2mortal(newSVsv(cb_data)));
+        PUTBACK;
+        count = call_sv( cb_func, G_ARRAY );
+        SPAGAIN;
+        if (count != 1)
+            croak ("Net::SSLeay: alpn_select_cb perl function did not return 
exactly 1 value.\n");
+        alpn_data_sv = POPs;
+        if (SvOK(alpn_data_sv)) {
+          alpn_data = (unsigned char*)SvPVx_nolen(alpn_data_sv);
+          alpn_len = strlen((const char*)alpn_data);
+          if (alpn_len <= 255) {
+            tmpsv = newSVpv((const char*)alpn_data, alpn_len);
+            *out = (unsigned char *)SvPVX(tmpsv);
+            *outlen = alpn_len;
+          }
+        } else {
+          alpn_data = NULL;
+          alpn_len = 0;
+        }
+        PUTBACK;
+        FREETMPS;
+        LEAVE;
+
+        if (alpn_len>255) return SSL_TLSEXT_ERR_ALERT_FATAL;
+        return alpn_data ? SSL_TLSEXT_ERR_OK : SSL_TLSEXT_ERR_NOACK;
+    }
+    else if (SvROK(cb_data) && (SvTYPE(SvRV(cb_data)) == SVt_PVAV)) {
+        int status;
+
+        alpn_len = next_proto_helper_AV2protodata((AV*)SvRV(cb_data), NULL);
+        Newx(alpn_data, alpn_len, unsigned char);
+        if (!alpn_data) return SSL_TLSEXT_ERR_ALERT_FATAL;
+        alpn_len = next_proto_helper_AV2protodata((AV*)SvRV(cb_data), 
alpn_data);
+
+        /* This is the same function that is used for NPN. */
+        status = SSL_select_next_proto((unsigned char **)out, outlen, in, 
inlen, alpn_data, alpn_len);
+        Safefree(alpn_data);
+        return status == OPENSSL_NPN_NEGOTIATED ? SSL_TLSEXT_ERR_OK : 
SSL_TLSEXT_ERR_NOACK;
+    }
+    return SSL_TLSEXT_ERR_ALERT_FATAL;
+}
+
+#endif
+
 int pem_password_cb_invoke(char *buf, int bufsize, int rwflag, void *data) {
     dSP;
     char *str;
-    int count = -1, str_len = 0;
+    int count = -1;
+    size_t str_len = 0;
     simple_cb_data_t* cb = (simple_cb_data_t*)data;
     STRLEN n_a;
 
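Review bot: in the code-ref branch of `alpn_select_cb_invoke`, `tmpsv = newSVpv(...)` is never stored or released, unlike the NPN callback above, which hands its copy to `cb_data_advanced_put(ssl, "next_proto_select_cb!!last_negotiated", tmpsv)`. Each handshake that selects a protocol therefore leaves one SV behind, and `*out` depends on that SV never being freed. Store it under a per-connection key the same way, so that the buffer has an owner. The `AV *list = newAV();` has a similar problem: it is not freed on the early `return SSL_TLSEXT_ERR_ALERT_FATAL;`, and `newRV_inc((SV*)list)` adds a second reference that the mortal RV releases while the original one stays; `newRV_noinc` plus an explicit free on the early return would balance it.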
@@ -1003,7 +1080,7 @@
             croak ("Net::SSLeay: ssleay_RSA_generate_key_cb_invoke "
                    "perl function did return something in void context.\n");
 
-        PUTBACK;
+        SPAGAIN;
         FREETMPS;
         LEAVE;
     }
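Review bot: this replaces `PUTBACK;` with `SPAGAIN;`, but the changelog entry in this same update describes the fix for `ssleay_RSA_generate_key_cb_invoke()` as "a final PUTBACK is needed here". Either the changelog wording or the code is the wrong way round, and a reader cannot tell which from the patch. Add a short comment at this line stating which stack-pointer refresh is required after the call and why, and align the changelog text with it.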
@@ -1542,6 +1619,23 @@
      SSL *              s
 
 void
+SSL_get_peer_cert_chain(s)
+     SSL *              s
+    PREINIT:
+        STACK_OF(X509) *chain = NULL;
+        X509 *x;
+       int i;
+    PPCODE:
+       chain = SSL_get_peer_cert_chain(s);
+       if( chain == NULL ) {
+               return;
+       }
+       for (i=0; i<sk_X509_num(chain); i++) {
+           x = sk_X509_value(chain, i);
+           XPUSHs(sv_2mortal(newSViv(PTR2IV(x))));
+       }
+
+void
 SSL_set_verify(s,mode,callback)
         SSL * s
         int mode
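Review bot: the loop pushes raw `X509 *` values taken with `sk_X509_value(chain, i)`, and `SSL_get_peer_cert_chain()` does not add a reference to the chain or its certificates, so these pointers are borrowed from the connection. The pod entry for get_peer_cert_chain should say that the caller must not free them and must not use them after the `$ssl` object is gone; the changelog already records a crash from the chain being freed after use. Minor: the PREINIT and PPCODE bodies mix two indentation widths (`X509 *x;` versus `int i;`), which is worth normalising while the function is new.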
@@ -3158,7 +3252,7 @@
         BIO *bp;
         int i, n;
         char *buf;
-        int passwd_len = 0;
+        size_t passwd_len = 0;
         pem_password_cb * cb = NULL;
         void * u = NULL;
     CODE:
@@ -4127,6 +4221,23 @@
      SSL_CTX * ctx
      RSA *     rsa
 
+#if OPENSSL_VERSION_NUMBER > 0x10000000L && !defined OPENSSL_NO_EC
+
+EC_KEY *
+EC_KEY_new_by_curve_name(nid)
+    int nid
+
+void
+EC_KEY_free(key)
+    EC_KEY * key
+
+long
+SSL_CTX_set_tmp_ecdh(ctx,ecdh);
+     SSL_CTX * ctx
+     EC_KEY  * ecdh
+
+#endif
+
 void *
 SSL_get_app_data(s)
      SSL *     s
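Review bot: the XS declaration `SSL_CTX_set_tmp_ecdh(ctx,ecdh);` ends with a semicolon, while `EC_KEY_new_by_curve_name(nid)` and `EC_KEY_free(key)` directly above it do not; drop it for consistency. The guard also differs from the other blocks added in this patch: it uses `> 0x10000000L` and `!defined OPENSSL_NO_EC`, where the ALPN blocks use `>=` and `!defined(...)`. If the strict `>` is deliberate, a comment naming the first supported OpenSSL release would make that clear.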
@@ -4952,6 +5063,98 @@
 
 #endif
 
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_TLSEXT)
+
+int
+SSL_CTX_set_alpn_select_cb(ctx,callback,data=&PL_sv_undef)
+        SSL_CTX * ctx
+        SV * callback
+        SV * data
+    CODE:
+        RETVAL = 1;
+        if (callback==NULL || !SvOK(callback)) {
+            SSL_CTX_set_alpn_select_cb(ctx, NULL, NULL);
+            cb_data_advanced_put(ctx, "alpn_select_cb!!func", NULL);
+            cb_data_advanced_put(ctx, "alpn_select_cb!!data", NULL);
+            PR1("SSL_CTX_set_alpn_select_cb - undef\n");
+        }
+        else if (SvROK(callback) && (SvTYPE(SvRV(callback)) == SVt_PVAV)) {
+            /* callback param array ref like ['proto1','proto2'] */
+            cb_data_advanced_put(ctx, "alpn_select_cb!!func", NULL);
+            cb_data_advanced_put(ctx, "alpn_select_cb!!data", 
newSVsv(callback));
+            SSL_CTX_set_alpn_select_cb(ctx, alpn_select_cb_invoke, ctx);
+            PR2("SSL_CTX_set_alpn_select_cb - simple ctx=%p\n",ctx);
+        }
+        else if (SvROK(callback) && (SvTYPE(SvRV(callback)) == SVt_PVCV)) {
+            cb_data_advanced_put(ctx, "alpn_select_cb!!func", 
newSVsv(callback));
+            cb_data_advanced_put(ctx, "alpn_select_cb!!data", newSVsv(data));
+            SSL_CTX_set_alpn_select_cb(ctx, alpn_select_cb_invoke, ctx);
+            PR2("SSL_CTX_set_alpn_select_cb - advanced ctx=%p\n",ctx);
+        }
+        else {
+            RETVAL = 0;
+        }
+    OUTPUT:
+        RETVAL
+
+int
+SSL_CTX_set_alpn_protos(ctx,data=&PL_sv_undef)
+        SSL_CTX * ctx
+        SV * data
+    CODE:
+        unsigned char *alpn_data;
+        unsigned char alpn_len;
+
+        RETVAL = -1;
+
+        if (!SvROK(data) || (SvTYPE(SvRV(data)) != SVt_PVAV))
+            croak("Net::SSLeay: CTX_set_alpn_protos needs a single array 
reference.\n");
+        alpn_len = next_proto_helper_AV2protodata((AV*)SvRV(data), NULL);
+        Newx(alpn_data, alpn_len, unsigned char);
+        if (!alpn_data)
+            croak("Net::SSLeay: CTX_set_alpn_protos could not allocate 
memory.\n");
+        alpn_len = next_proto_helper_AV2protodata((AV*)SvRV(data), alpn_data);
+        RETVAL = SSL_CTX_set_alpn_protos(ctx, alpn_data, alpn_len);
+        Safefree(alpn_data);
+
+    OUTPUT:
+        RETVAL
+
+int
+SSL_set_alpn_protos(ssl,data=&PL_sv_undef)
+        SSL * ssl
+        SV * data
+    CODE:
+        unsigned char *alpn_data;
+        unsigned char alpn_len;
+
+        RETVAL = -1;
+
+        if (!SvROK(data) || (SvTYPE(SvRV(data)) != SVt_PVAV))
+            croak("Net::SSLeay: set_alpn_protos needs a single array 
reference.\n");
+        alpn_len = next_proto_helper_AV2protodata((AV*)SvRV(data), NULL);
+        Newx(alpn_data, alpn_len, unsigned char);
+        if (!alpn_data)
+            croak("Net::SSLeay: set_alpn_protos could not allocate memory.\n");
+        alpn_len = next_proto_helper_AV2protodata((AV*)SvRV(data), alpn_data);
+        RETVAL = SSL_set_alpn_protos(ssl, alpn_data, alpn_len);
+        Safefree(alpn_data);
+
+    OUTPUT:
+        RETVAL
+
+void
+P_alpn_selected(s)
+        const SSL *s
+    PREINIT:
+        const unsigned char *data;
+        unsigned int len;
+    PPCODE:
+        SSL_get0_alpn_selected(s, &data, &len);
+        XPUSHs(sv_2mortal(newSVpv((char *)data, len)));
+
+#endif
+
 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
 
 void
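Review bot: in both `SSL_CTX_set_alpn_protos` and `SSL_set_alpn_protos`, `unsigned char alpn_len;` is too narrow for the value returned by `next_proto_helper_AV2protodata()`, which is the encoded size of the whole list and is held in a `size_t` in `alpn_select_cb_invoke`. A list whose encoding exceeds 255 bytes wraps the first result, `Newx(alpn_data, alpn_len, unsigned char)` then allocates the wrapped size, and the second helper call writes the full encoding into it. Declare `alpn_len` with the same type as in the callback, and croak if the first call returns 0. In `P_alpn_selected`, `data` and `len` are passed to `newSVpv()` without checking for the case where no protocol was selected; return an empty list or undef explicitly there.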
@@ -4975,14 +5178,5 @@
 
 #endif
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_DANE)
-
-void
-SSL_get_tlsa_record_byname(name, port, type);
-        char * name
-        int    port
-        int    type
-
-#endif
 
 #define REM_EOF "/* EOF - SSLeay.xs */"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Net-SSLeay-1.55/lib/Net/SSLeay.pm 
new/Net-SSLeay-1.58/lib/Net/SSLeay.pm
--- old/Net-SSLeay-1.55/lib/Net/SSLeay.pm       2013-06-08 00:29:53.000000000 
+0200
+++ new/Net-SSLeay-1.58/lib/Net/SSLeay.pm       2014-01-15 00:27:17.000000000 
+0100
@@ -4,7 +4,7 @@
 # Copyright (C) 2005 Florian Ragwitz <r...@debian.org>, All Rights Reserved.
 # Copyright (C) 2005 Mike McCauley <mi...@airspayce.com>, All Rights Reserved.
 #
-# $Id: SSLeay.pm 378 2013-06-07 22:29:53Z mikem-guest $
+# $Id: SSLeay.pm 397 2014-01-14 23:27:17Z mikem-guest $
 #
 # Change data removed from here. See Changes
 # The distribution and use of this module are subject to the conditions
@@ -61,7 +61,7 @@
 $Net::SSLeay::random_device = '/dev/urandom';
 $Net::SSLeay::how_random = 512;
 
-$VERSION = '1.55';
+$VERSION = '1.58'; # Dont foget to set verison in META.yml too
 @ISA = qw(Exporter);
 
 #BEWARE:
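Review bot: the new comment on the `$VERSION` line has three typos ("Dont foget to set verison"); it should read "Don't forget to set version in META.yml too". The reminder itself points at a fragile step: the META.yml hunk in this same patch moves `version:` from 1.53 to 1.58 even though the module was already at 1.55, so the manual sync has been missed before. Makefile.PL already calls `all_from('lib/Net/SSLeay.pm')`; regenerating META.yml from that at release time would remove the need for the reminder.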
@@ -273,6 +273,7 @@
     get_httpx
     get_httpx4
     get_peer_certificate
+    get_peer_cert_chain
     get_rbio
     get_read_ahead
     get_server_random
@@ -1374,3 +1375,4 @@
 
 1;
 __END__
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Net-SSLeay-1.55/lib/Net/SSLeay.pod 
new/Net-SSLeay-1.58/lib/Net/SSLeay.pod
--- old/Net-SSLeay-1.55/lib/Net/SSLeay.pod      2013-06-08 00:16:12.000000000 
+0200
+++ new/Net-SSLeay-1.58/lib/Net/SSLeay.pod      2014-01-09 03:27:58.000000000 
+0100
@@ -1048,7 +1048,7 @@
 
 =item * SSLv2_method
 
-Returns SSL_METHOD structure corresponding to SSLv2 method, the return value 
can be later used as a param of L</CTX_new_with_method>. Only available where 
suported by the underlying openssl.
+Returns SSL_METHOD structure corresponding to SSLv2 method, the return value 
can be later used as a param of L</CTX_new_with_method>. Only available where 
supported by the underlying openssl.
 
  my $rv = Net::SSLeay::SSLv2_method();
  #
@@ -1271,7 +1271,7 @@
 
 B<COMPATIBILITY:> not available in Net-SSLeay-1.45 and before
 
-Loads PEM formated X509 certificate via given BIO structure.
+Loads PEM formatted X509 certificate via given BIO structure.
 
  my $rv = Net::SSLeay::PEM_read_bio_X509($bio);
  # $bio - value corresponding to openssl's BIO structure
@@ -1288,7 +1288,7 @@
 
 B<COMPATIBILITY:> not available in Net-SSLeay-1.45 and before
 
-Loads PEM formated X509_REQ object via given BIO structure.
+Loads PEM formatted X509_REQ object via given BIO structure.
 
  my $rv = Net::SSLeay::PEM_read_bio_X509_REQ($bio, $x=NULL, $cb=NULL, $u=NULL);
  # $bio - value corresponding to openssl's BIO structure
@@ -1323,7 +1323,7 @@
 
 B<COMPATIBILITY:> not available in Net-SSLeay-1.45 and before
 
-Loads PEM formated private key via given BIO structure.
+Loads PEM formatted private key via given BIO structure.
 
  my $rv = Net::SSLeay::PEM_read_bio_PrivateKey($bio, $cb, $data);
  # $bio - value corresponding to openssl's BIO structure
@@ -1371,14 +1371,14 @@
 
 B<COMPATIBILITY:> not available in Net-SSLeay-1.45 and before
 
-Converts public key $pk into PEM formated string (optionally protected with 
password).
+Converts public key $pk into PEM formatted string (optionally protected with 
password).
 
  my $rv = Net::SSLeay::PEM_get_string_PrivateKey($pk, $passwd, $enc_alg);
  # $pk - value corresponding to openssl's EVP_PKEY structure
  # $passwd - [optional] (string) password to use for key encryption
  # $enc_alg - [optional] algorithm to use for key encryption (default: 
DES_CBC) - value corresponding to openssl's EVP_CIPHER structure
  #
- # returns: PEM formated string
+ # returns: PEM formatted string
 
 Examples:
 
@@ -1390,7 +1390,7 @@
 
 B<COMPATIBILITY:> not available in Net-SSLeay-1.45 and before
 
-Converts X509_CRL object $x509_crl into PEM formated string.
+Converts X509_CRL object $x509_crl into PEM formatted string.
 
  Net::SSLeay::PEM_get_string_X509_CRL($x509_crl);
  # $x509_crl - value corresponding to openssl's X509_CRL structure
@@ -1401,7 +1401,7 @@
 
 B<COMPATIBILITY:> not available in Net-SSLeay-1.45 and before
 
-Converts X509_REQ object $x509_crl into PEM formated string.
+Converts X509_REQ object $x509_crl into PEM formatted string.
 
  Net::SSLeay::PEM_get_string_X509_REQ($x509_req);
  # $x509_req - value corresponding to openssl's X509_REQ structure
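Review bot: the corrected sentence still reads "Converts X509_REQ object $x509_crl into PEM formatted string", while the call and the parameter description below it use `$x509_req`. Since this line is being touched for the spelling fix anyway, change the variable name in the sentence to `$x509_req` as well.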
@@ -1418,7 +1418,7 @@
 
 B<COMPATIBILITY:> not available in Net-SSLeay-1.45 and before
 
-Loads DER formated X509 certificate via given BIO structure.
+Loads DER formatted X509 certificate via given BIO structure.
 
  my $rv = Net::SSLeay::d2i_X509_bio($bp);
  # $bp - value corresponding to openssl's BIO structure
@@ -1437,7 +1437,7 @@
 
 B<COMPATIBILITY:> not available in Net-SSLeay-1.45 and before
 
-Loads DER formated X509_CRL object via given BIO structure.
+Loads DER formatted X509_CRL object via given BIO structure.
 
  my $rv = Net::SSLeay::d2i_X509_CRL_bio($bp);
  # $bp - value corresponding to openssl's BIO structure
@@ -1454,7 +1454,7 @@
 
 B<COMPATIBILITY:> not available in Net-SSLeay-1.45 and before
 
-Loads DER formated X509_REQ object via given BIO structure.
+Loads DER formatted X509_REQ object via given BIO structure.
 
  my $rv = Net::SSLeay::d2i_X509_REQ_bio($bp);
  # $bp - value corresponding to openssl's BIO structure
@@ -1514,7 +1514,7 @@
 =item * d2i_SSL_SESSION
 
 Transforms the external ASN1 representation of an SSL/TLS session, stored as 
binary data
-at location pp with length length, into an SSL_SESSION object.
+at location pp with length of $length, into an SSL_SESSION object.
 
 ??? (does this function really work?)
 
@@ -1693,7 +1693,7 @@
 
 B<NOTE:> Does not exactly correspond to any low level API function
 
-Prints session details (e.g. protocol version, ciprher, session-id ...) to BIO.
+Prints session details (e.g. protocol version, cipher, session-id ...) to BIO.
 
  my $rv = Net::SSLeay::SESSION_print($fp, $ses);
  # $fp - value corresponding to openssl's BIO structure
@@ -1711,7 +1711,7 @@
 
 =item * SESSION_print_fp
 
-Prints session details (e.g. protocol version, ciprher, session-id ...) to 
file handle.
+Prints session details (e.g. protocol version, cipher, session-id ...) to file 
handle.
 
  my $rv = Net::SSLeay::SESSION_print_fp($fp, $ses);
  # $fp - perl file handle
@@ -3320,6 +3320,17 @@
 
 Check openssl doc 
L<http://www.openssl.org/docs/ssl/SSL_get_peer_certificate.html|http://www.openssl.org/docs/ssl/SSL_get_peer_certificate.html>
 
+=item * get_peer_cert_chain
+
+Get the certificate chain of the peer as an array of X509 structures.
+
+ my @rv = Net::SSLeay::get_peer_certificate($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: list of X509 structures
+
+Check openssl doc 
L<http://www.openssl.org/docs/ssl/SSL_get_peer_certificate.html|http://www.openssl.org/docs/ssl/SSL_get_peer_certificate.html>
+
 =item * get_quiet_shutdown
 
 Returns the 'quiet shutdown' setting of ssl.
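Review bot: the usage line in the new get_peer_cert_chain entry calls the wrong function: "my @rv = Net::SSLeay::get_peer_certificate($ssl);" should call get_peer_cert_chain. The "Check openssl doc" link is also the SSL_get_peer_certificate page copied from the entry above. Since the function returns a list of X509 structures, the entry should say whether the caller may free them.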
@@ -3595,7 +3606,7 @@
 
 =item * load_client_CA_file
 
-Load X509 certificates from file (PEM formated).
+Load X509 certificates from file (PEM formatted).
 
  my $rv = Net::SSLeay::load_client_CA_file($file);
  # $file - (string) file name
@@ -3643,7 +3654,7 @@
 =item * peek
 
 Copies $max bytes from the specified $ssl into the returned value.
-In constrast to the C<Net::SSLeay::read()> function, the data in the SSL
+In contrast to the C<Net::SSLeay::read()> function, the data in the SSL
 buffer is unmodified after the SSL_peek() operation.
 
  Net::SSLeay::peek($ssl, $max);
@@ -4203,7 +4214,7 @@
 
 B<NOTE:> Does not exactly correspond to any low level API function
 
-Writes a fragment of data data from the buffer $data into the specified $ssl 
connection.
+Writes a fragment of data in $data from the buffer $data into the specified 
$ssl connection.
 
  my $rv = Net::SSLeay::write_partial($ssl, $from, $count, $data);
  # $ssl - value corresponding to openssl's SSL structure
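Review bot: the reworded sentence "Writes a fragment of data in $data from the buffer $data" names $data twice and does not mention $from or $count, which are what define the fragment in the signature below. Suggest "Writes $count bytes of $data, starting at offset $from, into the specified $ssl connection", if that is the actual semantics.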
@@ -4493,7 +4504,7 @@
 
 =item * OBJ_txt2nid
 
-Returns NID corresponding to text string $s which can be a long name, a short 
name or the numerical respresentation of an object.
+Returns NID corresponding to text string $s which can be a long name, a short 
name or the numerical representation of an object.
 
  my $rv = Net::SSLeay::OBJ_txt2nid($s);
  # $s - (string) e.g. 'commonName' or 'CN' or '2.5.4.3'
@@ -5836,7 +5847,7 @@
 
 B<COMPATIBILITY:> not available in Net-SSLeay-1.45 and before; requires at 
least openssl-0.9.7
 
-Adds given serian number $serial_hex to X509_CRL object $crl.
+Adds given serial number $serial_hex to X509_CRL object $crl.
 
  Net::SSLeay::P_X509_CRL_add_revoked_serial_hex($crl, $serial_hex, $rev_time, 
$reason_code, $comp_time);
  # $crl - value corresponding to openssl's X509_CRL structure
@@ -6167,7 +6178,7 @@
 B<openssl note:> this is a legacy function which has various limitations which
 makes it of minimal use in practice. It can only find the first matching
 entry and will copy the contents of the field verbatim: this can be highly
-confusing if the target is a muticharacter string type like a BMPString or a 
UTF8String.
+confusing if the target is a multicharacter string type like a BMPString or a 
UTF8String.
 
  Net::SSLeay::X509_NAME_get_text_by_NID($name, $nid);
  # $name - value corresponding to openssl's X509_NAME structure
@@ -6303,7 +6314,7 @@
 
 =item * X509_STORE_CTX_set_cert
 
-Sets the certificate to be vertified in $x509_store_ctx to $x.
+Sets the certificate to be verified in $x509_store_ctx to $x.
 
  Net::SSLeay::X509_STORE_CTX_set_cert($x509_store_ctx, $x);
  # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure
@@ -6659,7 +6670,7 @@
 
 The returned digest names correspond to values expected by 
L</EVP_get_digestbyname>.
 
-Note that some of the digets are available by default and some only after 
calling L</OpenSSL_add_all_digests>.
+Note that some of the digests are available by default and some only after 
calling L</OpenSSL_add_all_digests>.
 
 =item * EVP_get_digestbyname
 
@@ -7064,7 +7075,7 @@
 
 =item * BIO_new_file
 
-Creates a new file BIO with mode mode the meaning of mode is the same
+Creates a new file BIO with mode $mode the meaning of mode is the same
 as the stdio function fopen(). The BIO_CLOSE flag is set on the returned BIO.
 
  my $rv = Net::SSLeay::BIO_new_file($filename, $mode);
@@ -7273,12 +7284,16 @@
 
 =head3 Low level API: NPN (next protocol negotiation) related functions
 
+NPN is being replaced with ALPN, a more recent TLS extension for application
+protocol negotiation that's in process of being adopted by IETF. Please look
+below for APLN API description.
+
 Simple approach for using NPN support looks like this:
 
  ### client side
  use Net::SSLeay;
  use IO::Socket::INET;
- 
+
  Net::SSLeay::initialize();
  my $sock = IO::Socket::INET->new(PeerAddr=>'encrypted.google.com:443') or die;
  my $ctx = Net::SSLeay::CTX_tlsv1_new() or die;
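Review bot: the added paragraph misspells the extension in "Please look below for APLN API description"; it should be ALPN, as in the first sentence. "in process of being adopted by IETF" will also age quickly and could be dropped.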
@@ -7434,6 +7449,147 @@
 
 =back
 
+=head3 Low level API: ALPN (application layer protocol negotiation) related 
functions
+
+Application protocol can be negotiated via two different mechanisms employing
+two different TLS extensions: NPN (obsolete) and ALPN (recommended).
+
+The API is rather similar, with slight differences reflecting protocol
+specifics. In particular, with ALPN the protocol negotiation takes place on
+server, while with NPN the client implements the protocol negotiation logic.
+
+With ALPN, the most basic implementation looks like this:
+
+ ### client side
+ use Net::SSLeay;
+ use IO::Socket::INET;
+
+ Net::SSLeay::initialize();
+ my $sock = IO::Socket::INET->new(PeerAddr=>'encrypted.google.com:443') or die;
+ my $ctx = Net::SSLeay::CTX_tlsv1_new() or die;
+ Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL);
+ Net::SSLeay::CTX_set_alpn_protos($ctx, ['http/1.1', 'http/2.0', 'spdy/3]);
+ my $ssl = Net::SSLeay::new($ctx) or die;
+ Net::SSLeay::set_fd($ssl, fileno($sock)) or die;
+ Net::SSLeay::connect($ssl);
+
+ warn "client:selected=",Net::SSLeay::P_alpn_selected($ssl), "\n";
+
+ ### server side
+ use Net::SSLeay;
+ use IO::Socket::INET;
+
+ Net::SSLeay::initialize();
+ my $ctx = Net::SSLeay::CTX_tlsv1_new() or die;
+ Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL);
+ Net::SSLeay::set_cert_and_key($ctx, "t/data/cert.pem", "t/data/key.pem");
+ Net::SSLeay::CTX_set_alpn_select_cb($ctx, ['http/1.1', 'http/2.0', 'spdy/3]);
+ my $sock = IO::Socket::INET->new(LocalAddr=>'localhost', LocalPort=>5443, 
Proto=>'tcp', Listen=>20) or die;
+
+ while (1) {
+   my $ssl = Net::SSLeay::new($ctx);
+   warn("server:waiting for incoming connection...\n");
+   my $fd = $sock->accept();
+   Net::SSLeay::set_fd($ssl, $fd->fileno);
+   Net::SSLeay::accept($ssl);
+   warn "server:selected=",Net::SSLeay::P_alpn_selected($ssl),"\n";
+   my $got = Net::SSLeay::read($ssl);
+   Net::SSLeay::ssl_write_all($ssl, "length=".length($got));
+   Net::SSLeay::free($ssl);
+   $fd->close();
+ }
+ # check with: openssl s_client -connect localhost:5443 -alpn spdy/3,http/1.1
+
+Advanced approach allows you to implement your own negotiation algorithm.
+
+ #see below documentation for:
+ Net::SSleay::CTX_set_alpn_select_cb($ctx, $perl_callback_function, 
$callback_data);
+
+Detection of ALPN support (works even in older Net::SSLeay versions):
+
+ use Net::SSLeay;
+
+ if (exists &Net::SSLeay::P_alpn_selected) {
+   # do ALPN stuff
+ }
+
+=over
+
+=item * CTX_set_alpn_select_cb
+
+B<COMPATIBILITY:> not available in Net-SSLeay-1.55 and before; requires at 
least openssl-1.0.2
+
+B<NOTE:> You need CTX_set_alpn_select_cb on B<server side> of TLS connection.
+
+Simple usage - in this case a "common" negotiation algorithm (as implemented 
by openssl's function SSL_select_next_proto) is used.
+
+ $rv = Net::SSleay::CTX_set_alpn_select_cb($ctx, $arrayref);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $arrayref - list of accepted protocols - e.g. ['http/2.0', 'http/1.1', 
'spdy/3']
+ #
+ # returns: 0 on success, 1 on failure
+
+Advanced usage (you probably do not need this):
+
+ $rv = Net::SSleay::CTX_set_alpn_select_cb($ctx, $perl_callback_function, 
$callback_data);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $perl_callback_function - reference to perl function
+ # $callback_data - [optional] data to passed to callback function when invoked
+ #
+ # returns: 0 on success, 1 on failure
+
+ # where callback function looks like
+ sub alpn_select_cb_invoke {
+   my ($ssl, $arrayref_proto_list_advertised_by_client, $callback_data) = @_;
+   # ...
+   if ($negotiated) {
+     return 'http/2.0';
+   } else {
+     return undef;
+   }
+ }
+
+To undefine/clear this callback use:
+
+ Net::SSleay::CTX_set_alpn_select_cb($ctx, undef);
+
+=item * set_alpn_protos
+
+B<COMPATIBILITY:> not available in Net-SSLeay-1.55 and before; requires at 
least openssl-1.0.2
+
+B<NOTE:> You need set_alpn_protos on B<client side> of TLS connection.
+
+This adds list of supported application layer protocols to ClientHello message 
sent by a client.
+It advertises the enumeration of supported protocols:
+
+ Net::SSLeay::set_alpn_protos($ssl, ['http/1.1', 'http/2.0', 'spdy/3]);
+ # returns 0 on success
+
+=item * CTX_set_alpn_protos
+
+B<COMPATIBILITY:> not available in Net-SSLeay-1.55 and before; requires at 
least openssl-1.0.2
+
+B<NOTE:> You need CTX_set_alpn_protos on B<client side> of TLS connection.
+
+This adds list of supported application layer protocols to ClientHello message 
sent by a client.
+It advertises the enumeration of supported protocols:
+
+ Net::SSLeay::CTX_set_alpn_protos($ctx, ['http/1.1', 'http/2.0', 'spdy/3]);
+ # returns 0 on success
+
+=item * P_alpn_selected
+
+B<COMPATIBILITY:> not available in Net-SSLeay-1.55 and before; requires at 
least openssl-1.0.2
+
+Returns the name of negotiated protocol for given TLS connection $ssl.
+
+ $rv = Net::SSLeay::P_alpn_selected($ssl)
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: (string) negotiated protocol name (or undef if no negotiation was 
done or failed with fatal error)
+
+=back
+
 =head3 Low level API: DANE Support
 
 OpenSSL version 1.0.2 adds preliminary support RFC6698 Domain Authentication of
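Review bot: several of the new ALPN examples do not compile as written. Every list ending in 'spdy/3] is missing its closing quote (the CTX_set_alpn_protos, CTX_set_alpn_select_cb and set_alpn_protos examples), and the CTX_set_alpn_select_cb calls are spelled Net::SSleay:: instead of Net::SSLeay::. The documented return value of CTX_set_alpn_select_cb, "0 on success, 1 on failure", also disagrees with t/local/41_alpn_support.t in this same patch, which asserts is($rv, 1, 'CTX_set_alpn_select_cb'); one of the two needs correcting. In the P_alpn_selected entry the example line lacks its terminating semicolon.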
@@ -7443,7 +7599,7 @@
 
 =item * SSL_get_tlsa_record_byname
 
-B<COMPATIBILITY:> Requires at least openssl-1.0.2
+B<COMPATIBILITY:> DELETED from net-ssleay, since it is not supported by OpenSSL
 
 In order to facilitate DANE there is additional interface,
 SSL_get_tlsa_record_byname, accepting hostname, port and socket type
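Review bot: the COMPATIBILITY line now marks SSL_get_tlsa_record_byname as DELETED, but the =item and its description remain, and the section introduction just above still presents DANE support as something OpenSSL 1.0.2 adds. Either remove the entry or state from which Net-SSLeay release the function is gone, so that readers do not write code against an interface that no longer exists.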
@@ -7500,6 +7656,25 @@
 
 =back
 
+=head3 Low level API: EC related functions
+
+=over 
+
+=item * CTX_set_tmp_ecdh
+
+TBA
+
+=item * EC_KEY_free
+
+TBA
+
+=item * EC_KEY_new_by_curve_name
+
+TBA
+
+=back
+
+
 =head2 Constants
 
 There are many openssl constants available in L<Net::SSLeay>. You can use them 
like this:
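Review bot: the three new EC entries (CTX_set_tmp_ecdh, EC_KEY_free, EC_KEY_new_by_curve_name) are documented only as "TBA". These are the calls a server needs to enable ECDH for forward secrecy, so the entries should at least give the arguments, the return values, and who is responsible for freeing the EC_KEY, in the same format as the other items in this file.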
@@ -8051,7 +8226,7 @@
 
 =head1 SECURITY
 
-You can mitigate some of the security vulnerabilites that might be present in 
your SSL/TLS application: 
+You can mitigate some of the security vulnerabilities that might be present in 
your SSL/TLS application: 
 
 
 =head2 BEAST Attack
@@ -8072,7 +8247,7 @@
 
 =item * Ensure SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is not enabled (its not 
enabled by default)
 
-=item * Dont support SSLv2, SSLv3
+=item * Don't support SSLv2, SSLv3
 
 =item * Actively control the ciphers your server supports with set_cipher_list:
 
@@ -8175,7 +8350,7 @@
 Distribution and use of this module is under the same terms as the
 OpenSSL package itself (i.e. free, but mandatory attribution; NO
 WARRANTY). Please consult LICENSE file in the root of the OpenSSL
-distribution.
+distribution, and also included in this distribution.
 
 While the source distribution of this perl module does not contain
 Eric's or OpenSSL's code, if you use this module you will use OpenSSL
@@ -8186,6 +8361,12 @@
 auditing this module and OpenSSL library for security problems,
 backdoors, and general suitability for your application.
 
+=head1 LICENSE 
+
+See the LICENSE file included in this distribution
+
+(ignore this line: this is to keep kwalitee happy by saying: Not GPL)
+
 =head1 SEE ALSO
 
   Net::SSLeay::Handle                      - File handle interface
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Net-SSLeay-1.55/t/external/20_cert_chain.t 
new/Net-SSLeay-1.58/t/external/20_cert_chain.t
--- old/Net-SSLeay-1.55/t/external/20_cert_chain.t      1970-01-01 
01:00:00.000000000 +0100
+++ new/Net-SSLeay-1.58/t/external/20_cert_chain.t      2014-01-14 
07:21:55.000000000 +0100
@@ -0,0 +1,51 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use Test::More;
+use Socket;
+use Net::SSLeay qw( die_if_ssl_error );
+
+Net::SSLeay::randomize();
+Net::SSLeay::load_error_strings();
+Net::SSLeay::ERR_load_crypto_strings();
+Net::SSLeay::SSLeay_add_ssl_algorithms();
+
+my @sites = qw( www.verisign.com );
+
+if (@sites) {
+    plan tests => scalar @sites * 3;
+}
+else {
+    plan skip_all => 'No external hosts specified for SSL testing';
+}
+
+for my $site (@sites) {
+    SKIP: {
+       my $port = getservbyname  ('https', 'tcp');
+       my $dest_ip = gethostbyname ( $site );
+
+       socket  (S, &AF_INET, &SOCK_STREAM, 0)  or die "socket: $!";
+       connect (S, sockaddr_in($port, $dest_ip) ) or die "connect: $!";
+       select  (S); $| = 1; select (STDOUT);
+
+       my $ctx = Net::SSLeay::CTX_new() or die_now("Failed to create SSL_CTX 
$!");
+       my $ssl = Net::SSLeay::new($ctx) or die_now("Failed to create SSL $!");
+       Net::SSLeay::set_fd($ssl, fileno(S));   # Must use fileno
+       Net::SSLeay::connect($ssl);
+       die_if_ssl_error('bulk: ssl connect');
+
+        my @chain = Net::SSLeay::get_peer_cert_chain($ssl);
+        ok(scalar @chain, 'get_peer_cert_chain returns some elements');
+       SKIP: {
+               if( ! scalar @chain ) {
+                       skip('check returned no certificate chain!', 2);
+               }
+               my $x509 = $chain[0];
+               ok(my $subject = Net::SSLeay::X509_get_subject_name($x509), 
"X509_get_subject_name");
+               like(Net::SSLeay::X509_NAME_oneline($subject), qr|/OU=.*?/CN=|, 
"X509_NAME_oneline");
+       };
+        Net::SSLeay::free($ssl);
+        Net::SSLeay::CTX_free($ctx);
+    }
+}
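Review bot: the two "or die_now(...)" calls after CTX_new() and new() refer to a function that is not imported here, since the use line only asks for die_if_ssl_error; on failure the test would stop with an undefined subroutine error instead of the intended message. Import die_now as well or call it fully qualified. The result of gethostbyname is also used unchecked, and socket/connect use "or die", so an unreachable www.verisign.com fails the run outright even though the loop body is wrapped in a SKIP block; skipping the three planned tests for that site would match how t/handle/external/50_external.t treats connection failures.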
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Net-SSLeay-1.55/t/handle/external/50_external.t 
new/Net-SSLeay-1.58/t/handle/external/50_external.t
--- old/Net-SSLeay-1.55/t/handle/external/50_external.t 2013-02-28 
22:46:57.000000000 +0100
+++ new/Net-SSLeay-1.58/t/handle/external/50_external.t 2013-11-19 
02:48:17.000000000 +0100
@@ -28,8 +28,8 @@
             tie(*$ssl, 'Net::SSLeay::Handle', $site, 443);
         };
 
-        skip('could not connect', 2) if $@;
-        pass('connection');
+        skip('could not connect to '.$site, 2) if $@;
+        pass('connection to '.$site);
 
         print $ssl "GET / HTTP/1.0\r\n\r\n";
         my $resp = do { local $/ = undef; <$ssl> };
@@ -47,10 +47,13 @@
                 tie(*$ssl, 'Net::SSLeay::Handle', $sites[$i], 443);
             };
 
+            $sock[$i] = undef; #so scalar @sock == scalar @sites
+
             skip('could not connect', 2) if $@;
             pass('connection');
 
             $sock[$i] = $ssl;
+
             ok( $ssl, 'got handle' );
         }
     }
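Review bot: the skip and pass messages in this loop still read 'could not connect' and 'connection', while the first hunk of this file now appends the site name. Using $sites[$i] here as well would make a failing host identifiable in the second loop too. The new "$sock[$i] = undef;" placeholder is a reasonable way to keep @sock aligned with @sites.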
@@ -70,8 +73,7 @@
     for my $sock (@sock) {
         SKIP : {
             skip('not connected', 1) unless defined $sock;
-            pass('connected');
-           close($sock); 
+            ok(close($sock), 'socket closed'); 
        }
     }
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Net-SSLeay-1.55/t/local/02_pod_coverage.t 
new/Net-SSLeay-1.58/t/local/02_pod_coverage.t
--- old/Net-SSLeay-1.55/t/local/02_pod_coverage.t       2012-02-15 
22:24:36.000000000 +0100
+++ new/Net-SSLeay-1.58/t/local/02_pod_coverage.t       2014-01-09 
03:21:19.000000000 +0100
@@ -3,6 +3,15 @@
 use strict;
 use warnings;
 use Test::More;
+
+BEGIN {
+    unless ($ENV{RELEASE_TESTING})
+    {
+       plan(skip_all => 'these tests are for only for release candidate 
testing. Enable with RELEASE_TESTING=1');
+    }
+}
+
+
 eval "use Test::Pod::Coverage 1.00";
 plan skip_all => "Test::Pod::Coverage 1.00 required for testing POD coverage" 
if $@;
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Net-SSLeay-1.55/t/local/36_verify.t 
new/Net-SSLeay-1.58/t/local/36_verify.t
--- old/Net-SSLeay-1.55/t/local/36_verify.t     2012-02-05 23:29:24.000000000 
+0100
+++ new/Net-SSLeay-1.58/t/local/36_verify.t     2013-12-06 23:28:35.000000000 
+0100
@@ -60,6 +60,6 @@
 my $asn_object2 = Net::SSLeay::OBJ_txt2obj('1.2.3.4', 0);
 ok(Net::SSLeay::OBJ_cmp($asn_object2, $asn_object) == 0, 'OBJ_cmp');
 $asn_object2 = Net::SSLeay::OBJ_txt2obj('1.2.3.5', 0);
-ok(Net::SSLeay::OBJ_cmp($asn_object2, $asn_object) == 1, 'OBJ_cmp');
+ok(Net::SSLeay::OBJ_cmp($asn_object2, $asn_object) != 0, 'OBJ_cmp');
 
 ok(1, 'Finishing up');
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Net-SSLeay-1.55/t/local/41_alpn_support.t 
new/Net-SSLeay-1.58/t/local/41_alpn_support.t
--- old/Net-SSLeay-1.55/t/local/41_alpn_support.t       1970-01-01 
01:00:00.000000000 +0100
+++ new/Net-SSLeay-1.58/t/local/41_alpn_support.t       2013-12-06 
02:14:03.000000000 +0100
@@ -0,0 +1,104 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use Test::More;
+use Socket;
+use File::Spec;
+use Symbol qw(gensym);
+use Net::SSLeay;
+use Config;
+
+BEGIN {
+  plan skip_all => "openssl 1.0.2 required" unless Net::SSLeay::SSLeay >= 
0x10002000;
+  plan skip_all => "fork() not supported on $^O" unless $Config{d_fork};
+}
+
+plan tests => 6; 
+
+my $sock;
+my $pid;
+
+my $port = 40000+int(rand(9999));
+my $ip = "\x7F\0\0\x01";
+my $serv_params  = sockaddr_in($port, $ip);
+
+my $msg = 'ssleay-alpn-test';
+my $cert_pem = File::Spec->catfile('t', 'data', 'cert.pem');
+my $key_pem = File::Spec->catfile('t', 'data', 'key.pem');
+my @results;
+Net::SSLeay::initialize();
+
+{
+    # SSL server
+    $sock = gensym();
+    socket($sock, AF_INET, SOCK_STREAM, 0) or BAIL_OUT("failed to open socket: 
$!");
+    bind($sock, $serv_params) or BAIL_OUT("failed to bind socket: $!");
+    listen($sock, 3) or BAIL_OUT("failed to listen on socket: $!");
+
+    $pid = fork();
+    BAIL_OUT("failed to fork: $!") unless defined $pid;
+    if ($pid == 0) {
+        my $ns = gensym();
+        my $addr = accept($ns, $sock);
+        my $old_out = select($ns);
+        $| = 1;
+        select($old_out);
+
+        my $ctx = Net::SSLeay::CTX_tlsv1_new();
+        Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem);
+
+        my $rv = Net::SSLeay::CTX_set_alpn_select_cb($ctx, 
['http/1.1','spdy/2']);
+        is($rv, 1, 'CTX_set_alpn_select_cb');
+
+        my $ssl = Net::SSLeay::new($ctx);
+        Net::SSLeay::set_fd($ssl, fileno($ns));
+        Net::SSLeay::accept($ssl);
+
+        is(Net::SSLeay::P_alpn_selected($ssl), 'spdy/2', 
'P_alpn_selected/server');
+
+        my $got = Net::SSLeay::ssl_read_all($ssl);
+        is($got, $msg, 'ssl_read_all compare');
+
+        Net::SSLeay::ssl_write_all($ssl, uc($got));
+        Net::SSLeay::free($ssl);
+        Net::SSLeay::CTX_free($ctx);
+        close $ns;
+        close $sock;
+        exit;
+    }
+}
+
+{
+    # SSL client
+    my $s1 = gensym();
+    socket($s1, AF_INET, SOCK_STREAM, 0) or BAIL_OUT("failed to open socket: 
$!");
+    connect($s1, $serv_params) or BAIL_OUT("failed to connect: $!");
+    my $old_out = select($s1);
+    $| = 1;
+    select($old_out);
+
+    my $ctx1 = Net::SSLeay::CTX_tlsv1_new();
+
+    my $rv = Net::SSLeay::CTX_set_alpn_protos($ctx1, ['spdy/2','http/1.1']);
+    push @results, [ $rv==0, 'CTX_set_alpn_protos'];
+
+    Net::SSLeay::CTX_set_options($ctx1, &Net::SSLeay::OP_ALL);
+    my $ssl1 = Net::SSLeay::new($ctx1);
+    Net::SSLeay::set_fd($ssl1, $s1);
+    Net::SSLeay::connect($ssl1);
+    Net::SSLeay::ssl_write_all($ssl1, $msg);
+
+    push @results, [ 'spdy/2' eq Net::SSLeay::P_alpn_selected($ssl1), 
'P_alpn_selected/client'];
+
+    Net::SSLeay::free($ssl1);
+    Net::SSLeay::CTX_free($ctx1);
+    close $s1;
+}
+
+waitpid $pid, 0;
+push @results, [$? == 0, 'server exited with 0'];
+END {
+  Test::More->builder->current_test(3);
+  ok( $_->[0], $_->[1] ) for (@results);
+}
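Review bot: the listening port is chosen with "my $port = 40000+int(rand(9999));" and never checked for availability, so a collision makes bind() hit BAIL_OUT and aborts the whole test run. Binding to port 0 and reading the assigned port back with getsockname would avoid that. The three server-side is() checks run in the forked child, while the parent's END block forces current_test(3); if the child dies before emitting all three, the numbering no longer matches the plan of 6, so the parent should treat a non-zero child exit as a hard failure rather than as one result among others.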
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Net-SSLeay-1.55/t/local/kwalitee.t 
new/Net-SSLeay-1.58/t/local/kwalitee.t
--- old/Net-SSLeay-1.55/t/local/kwalitee.t      2012-09-22 01:11:25.000000000 
+0200
+++ new/Net-SSLeay-1.58/t/local/kwalitee.t      2014-01-09 02:50:31.000000000 
+0100
@@ -1,10 +1,9 @@
-#!perl
-
-use strict;
-use warnings;
-use Test::More;
-
-eval { require Test::Kwalitee; Test::Kwalitee->import() };
-
-plan( skip_all => 'Test::Kwalitee not installed; skipping' ) if $@;
+BEGIN {
+    unless ($ENV{RELEASE_TESTING})
+    {
+       use Test::More;
+       plan(skip_all => 'these tests are for only for release candidate 
testing. Enable with RELEASE_TESTING=1');
+    }
+}
 
+use Test::Kwalitee;
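Review bot: removing the eval { require Test::Kwalitee; ... } guard and its skip_all means a RELEASE_TESTING=1 run on a machine without Test::Kwalitee now dies at "use Test::Kwalitee;" instead of skipping. The rewrite also drops "use strict; use warnings;", and placing "use Test::More;" inside the unless block is misleading because use takes effect at compile time regardless of the condition; move it above the BEGIN block. The skip message contains "are for only for", which should read "are only for".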
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Net-SSLeay-1.55/typemap new/Net-SSLeay-1.58/typemap
--- old/Net-SSLeay-1.55/typemap 2012-06-26 02:58:10.000000000 +0200
+++ new/Net-SSLeay-1.58/typemap 2013-10-12 00:32:25.000000000 +0200
@@ -6,6 +6,7 @@
 SSL *          T_PTR
 RSA *          T_PTR
 DH *           T_PTR
+EC_KEY *        T_PTR
 const X509 *        T_PTR
 const X509_CRL *    T_PTR
 const X509_REQ *    T_PTR
