Hello community, here is the log from the commit of package perl-IO-Socket-SSL for openSUSE:Factory checked in at 2015-06-12 20:27:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/perl-IO-Socket-SSL (Old) and /work/SRC/openSUSE:Factory/.perl-IO-Socket-SSL.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-IO-Socket-SSL" Changes: -------- --- /work/SRC/openSUSE:Factory/perl-IO-Socket-SSL/perl-IO-Socket-SSL.changes 2015-05-16 07:13:04.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.perl-IO-Socket-SSL.new/perl-IO-Socket-SSL.changes 2015-06-12 20:27:51.000000000 +0200 @@ -1,0 +2,6 @@ +Sun Jun 7 08:37:21 UTC 2015 - co...@suse.com + +- updated to 2.016 + see /usr/share/doc/packages/perl-IO-Socket-SSL/Changes + +------------------------------------------------------------------- Old: ---- IO-Socket-SSL-2.015.tar.gz New: ---- IO-Socket-SSL-2.016.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ perl-IO-Socket-SSL.spec ++++++ --- /var/tmp/diff_new_pack.Xh8GkZ/_old 2015-06-12 20:27:52.000000000 +0200 +++ /var/tmp/diff_new_pack.Xh8GkZ/_new 2015-06-12 20:27:52.000000000 +0200 @@ -17,7 +17,7 @@ Name: perl-IO-Socket-SSL -Version: 2.015 +Version: 2.016 Release: 0 %define cpan_name IO-Socket-SSL Summary: Nearly transparent SSL encapsulation for IO::Socket::INET ++++++ IO-Socket-SSL-2.015.tar.gz -> IO-Socket-SSL-2.016.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.015/Changes new/IO-Socket-SSL-2.016/Changes --- old/IO-Socket-SSL-2.015/Changes 2015-05-13 22:40:15.000000000 +0200 +++ new/IO-Socket-SSL-2.016/Changes 2015-06-02 22:39:42.000000000 +0200 
@@ -1,4 +1,11 @@ -2.014 2015/05/13 +2.016 2015/06/02 +- add flag X509_V_FLAG_TRUSTED_FIRST by default if available in OpenSSL + (since 1.02) and available with Net::SSLeay. RT#104759 (thanks GAAS) +- work around hanging prompt() with older perl in Makefile.PL RT#104731 +- make t/memleak_bad_handshake.t work on cygwin and other systems having + /proc/pid/statm, see RT#104659 +- add better debugging based on patch from H.Merijn Brand +2.015 2015/05/13 - work around problem with IO::Socket::INET6 on windows, by explicitly using Domain AF_INET in the tests. Fixes RT#104226 reported by CHORNY diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.015/META.json new/IO-Socket-SSL-2.016/META.json --- old/IO-Socket-SSL-2.015/META.json 2015-05-13 22:43:17.000000000 +0200 +++ new/IO-Socket-SSL-2.016/META.json 2015-06-02 22:39:52.000000000 +0200 @@ -4,7 +4,7 @@ "Steffen Ullrich <su...@cpan.org>, Peter Behroozi, Marko Asplund" ], "dynamic_config" : 1, - "generated_by" : "ExtUtils::MakeMaker version 6.98, CPAN::Meta::Converter version 2.140640", + "generated_by" : "ExtUtils::MakeMaker version 6.66, CPAN::Meta::Converter version 2.120921", "license" : [ "perl_5" ], @@ -50,5 +50,5 @@ "url" : "https://github.com/noxxi/p5-io-socket-ssl" } }, - "version" : "2.015" + "version" : "2.016" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.015/META.yml new/IO-Socket-SSL-2.016/META.yml --- old/IO-Socket-SSL-2.015/META.yml 2015-05-13 22:43:17.000000000 +0200 +++ new/IO-Socket-SSL-2.016/META.yml 2015-06-02 22:39:52.000000000 +0200 
@@ -3,26 +3,26 @@ author: - 'Steffen Ullrich <su...@cpan.org>, Peter Behroozi, Marko Asplund' build_requires: - ExtUtils::MakeMaker: '0' + ExtUtils::MakeMaker: 0 configure_requires: - ExtUtils::MakeMaker: '0' + ExtUtils::MakeMaker: 0 dynamic_config: 1 -generated_by: 'ExtUtils::MakeMaker version 6.98, CPAN::Meta::Converter version 2.140640' +generated_by: 'ExtUtils::MakeMaker version 6.66, CPAN::Meta::Converter version 2.120921' license: perl meta-spec: url: http://module-build.sourceforge.net/META-spec-v1.4.html - version: '1.4' + version: 1.4 name: IO-Socket-SSL no_index: directory: - t - inc requires: - Net::SSLeay: '1.46' - Scalar::Util: '0' + Net::SSLeay: 1.46 + Scalar::Util: 0 resources: bugtracker: https://rt.cpan.org/Dist/Display.html?Queue=IO-Socket-SSL homepage: https://github.com/noxxi/p5-io-socket-ssl license: http://dev.perl.org/licenses/ repository: https://github.com/noxxi/p5-io-socket-ssl -version: '2.015' +version: 2.016 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.015/Makefile.PL new/IO-Socket-SSL-2.016/Makefile.PL --- old/IO-Socket-SSL-2.015/Makefile.PL 2015-05-01 17:13:11.000000000 +0200 +++ new/IO-Socket-SSL-2.016/Makefile.PL 2015-05-28 09:04:12.000000000 +0200 @@ -13,6 +13,23 @@ $| = 1; +my $yesno = sub { + my ($msg,$default) = @_; + return $default if defined $default && $ENV{PERL_MM_USE_DEFAULT}; + # Taken from ExtUtils::MakeMaker 6.16 (Michael Schwern) so that + # the prompt() function can be emulated for older versions of ExtUtils::MakeMaker. + while ( -t STDIN && (-t STDOUT || !(-f STDOUT || -c STDOUT))) { + print "$msg "; + my $choice = <STDIN>; + $choice =~s{\s+$}{}; + $choice ||= $default; + next if $choice !~m{^\s*([yn])}i; + return lc($1); + } + + return $default; +}; + { # issue warning, if Net::SSLeay cannot find random generator # redefine __WARN__ only locally to allow detection of failures 
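Review bot: The reply check in `$yesno`, `next if $choice !~m{^\s*([yn])}i`, accepts any input that merely begins with y or n, whereas the prompt it replaces (removed in the next hunk, @@ -26,16) required exactly `y` or `yes`. The helper now gates the "Do you REALLY want to continue?" question that follows the Net::SSLeay random-generator warning, so a stray reply such as `yikes` counts as consent to continue. Anchoring the match keeps the old strictness: `next if $choice !~m{^\s*(y(?:es)?|no?)$}i; return lc(substr($1,0,1));`. Separately, `<STDIN>` returns undef at end of input, so the `s{\s+$}{}` runs on undef before the default is applied; `defined $choice or return $default;` directly after the read avoids that.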
@@ -26,16 +43,8 @@ print "to fail. Please see the README file for more information.\n"; print "the message from Net::SSLeay was: $warning\n"; - # Taken from ExtUtils::MakeMaker 6.16 (Michael Schwern) so that - # the prompt() function can be emulated for older versions of ExtUtils::MakeMaker. - my $isa_tty = -t STDIN && (-t STDOUT || !(-f STDOUT || -c STDOUT)); - - if ($isa_tty) { - print "Do you REALLY want to continue? [Default: no] "; - die "User cancelled install!\n" if (<STDIN> !~ /^y(?:es)?$/); - } else { - die "Install cancelled.\n"; - } + $yesno->("Do you REALLY want to continue? y/[N]","n") eq 'y' + or die "Install cancelled.\n"; }; if (! defined $ENV{SKIP_RNG_TEST}) { @@ -109,11 +118,10 @@ } my $xt = $ENV{NO_NETWORK_TESTING} && 'n'; -$xt ||= prompt( "Should I do external tests?\n". +$xt ||= $yesno->( "Should I do external tests?\n". "These test will detect if there are network problems and fail soft,\n". "so please disable them only if you definitely don't want to have any\n". - "network traffic to external sites. ". - "[Y/n]", 'y' ); + "network traffic to external sites. [Y/n]", 'y' ); # See lib/ExtUtils/MakeMaker.pm for details of how to influence @@ -131,7 +139,7 @@ ! %usable_ca ? ( 'Mozilla::CA' => 0 ):(), }, 'dist' => { COMPRESS => 'gzip', SUFFIX => 'gz', }, - $xt =~m{^y}i ? ( test => { TESTS => 't/*.t t/external/*.t' }):(), + $xt eq 'y' ? ( test => { TESTS => 't/*.t t/external/*.t' }):(), $ExtUtils::MakeMaker::VERSION >= 6.46 ? ( 'META_MERGE' => { resources => { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.015/lib/IO/Socket/SSL.pm new/IO-Socket-SSL-2.016/lib/IO/Socket/SSL.pm --- old/IO-Socket-SSL-2.015/lib/IO/Socket/SSL.pm 2015-05-13 22:37:34.000000000 +0200 +++ new/IO-Socket-SSL-2.016/lib/IO/Socket/SSL.pm 2015-06-02 22:39:08.000000000 +0200 @@ -13,7 +13,7 @@ package IO::Socket::SSL; -our $VERSION = '2.015'; +our $VERSION = '2.016'; use IO::Socket; use Net::SSLeay 1.46; 
@@ -230,6 +230,10 @@ }; } +# Try to work around problems with alternative trust path by default, RT#104759 +my $DEFAULT_X509_STORE_flags = 0; +eval { $DEFAULT_X509_STORE_flags |= Net::SSLeay::X509_V_FLAG_TRUSTED_FIRST() }; + our $DEBUG; use vars qw(@ISA $SSL_ERROR @EXPORT); @@ -256,6 +260,7 @@ my @caller_force_inet4; # in case inet4 gets forced we store here who forced it my $IOCLASS; +my $family_key; # 'Domain'||'Family' BEGIN { # declare @ISA depending of the installed socket class @@ -275,6 +280,7 @@ }; # try IO::Socket::IP or IO::Socket::INET6 for IPv6 support + $family_key = 'Domain'; # traditional if ( $ip6 ) { # if we have IO::Socket::IP >= 0.31 we will use this in preference # because it can handle both IPv4 and IPv6 @@ -284,6 +290,7 @@ }) { @ISA = qw(IO::Socket::IP); constant->import( CAN_IPV6 => "IO::Socket::IP" ); + $family_key = 'Family'; $IOCLASS = "IO::Socket::IP"; # if we have IO::Socket::INET6 we will use this not IO::Socket::INET @@ -315,7 +322,12 @@ sub DEBUG { $DEBUG or return; - my (undef,$file,$line) = caller; + my (undef,$file,$line,$sub) = caller(1); + if ($sub =~m{^IO::Socket::SSL::(?:error|(_internal_error))$}) { + (undef,$file,$line) = caller(2) if $1; + } else { + (undef,$file,$line) = caller; + } my $msg = shift; $file = '...'.substr( $file,-17 ) if length($file)>20; $msg = sprintf $msg,@_ if @_; @@ -419,7 +431,7 @@ @ISA = ( CAN_IPV6 ); warn "IPv6 support re-enabled in __PACKAGE__, got disabled in file $caller_force_inet4[1] line $caller_force_inet4[2]"; } else { - die "INET6 is not supported, install IO::Socket::INET6"; + die "INET6 is not supported, install IO::Socket::IP"; } } } elsif ( /^:?debug(\d+)/ ) { @@ -468,6 +480,7 @@ $self->configure_SSL($arg_hash) || return; + $arg_hash->{$family_key} ||= $arg_hash->{Domain} || $arg_hash->{Family}; return $self->_internal_error("@ISA configuration failed",0) if ! $self->SUPER::configure($arg_hash); 
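Review bot: The `eval` around `Net::SSLeay::X509_V_FLAG_TRUSTED_FIRST()` discards every failure, so whether chains are built trusted-store-first depends silently on the installed OpenSSL and Net::SSLeay. The later hunk @@ -2311 copies `$DEFAULT_X509_STORE_flags` into each context's store flags, which makes this a module-wide change to certificate verification. The existing comment gives only the RT number; something like `# stays 0 if Net::SSLeay does not export X509_V_FLAG_TRUSTED_FIRST, chain building then keeps the library's default order` would say what the fallback is. No per-context way to turn the default off is visible in this diff; if there is none, the POD should mention that too.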
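Review bot: In `DEBUG` (hunk @@ -315,7), `caller(1)` returns an empty list when there is no enclosing sub frame, so `$sub` can be undef when it reaches `$sub =~m{^IO::Socket::SSL::(?:error|(_internal_error))$}`. The else branch still falls back to plain `caller`, but the match would emit an uninitialized-value warning if warnings are enabled, which this hunk does not show. Writing the test as `if (defined $sub && $sub =~m{...})` avoids that without changing which frame is reported. The body of DEBUG continues outside the hunk.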
@@ -668,12 +681,12 @@ my $start = defined($timeout) && time(); { - #DEBUG( 'calling ssleay::connect' ); $SSL_ERROR = undef; $CURRENT_SSL_OBJECT = $self; + $DEBUG>=3 && DEBUG("call Net::SSLeay::connect" ); my $rv = Net::SSLeay::connect($ssl); $CURRENT_SSL_OBJECT = undef; - $DEBUG>=3 && DEBUG("Net::SSLeay::connect -> $rv" ); + $DEBUG>=3 && DEBUG("done Net::SSLeay::connect -> $rv" ); if ( $rv < 0 ) { if ( my $err = $self->_skip_rw_error( $ssl,$rv )) { $self->error("SSL connect attempt failed"); @@ -826,7 +839,7 @@ }; $DEBUG>=2 && DEBUG('will not start SSL handshake yet'); return wantarray ? ($socket, getpeername($socket) ) : $socket - }; + } } $self->accept_SSL($socket) || return; @@ -1160,7 +1173,7 @@ $buf .= $pb } else { return $buf eq '' ? ():$buf; - }; + } if ( !$eod ) { my $pos = index( $buf,$delim0 ); if ( $pos<0 ) { @@ -2311,11 +2324,9 @@ } } + my $X509_STORE_flags = $DEFAULT_X509_STORE_flags; if ($arg_hash->{'SSL_check_crl'}) { - Net::SSLeay::X509_STORE_set_flags( - Net::SSLeay::CTX_get_cert_store($ctx), - Net::SSLeay::X509_V_FLAG_CRL_CHECK() - ); + $X509_STORE_flags |= Net::SSLeay::X509_V_FLAG_CRL_CHECK(); if ($arg_hash->{'SSL_crl_file'}) { my $bio = Net::SSLeay::BIO_new_file($arg_hash->{'SSL_crl_file'}, 'r'); my $crl = Net::SSLeay::PEM_read_bio_X509_CRL($bio); @@ -2327,6 +2338,11 @@ } } + Net::SSLeay::X509_STORE_set_flags( + Net::SSLeay::CTX_get_cert_store($ctx), + $X509_STORE_flags + ) if $X509_STORE_flags; + Net::SSLeay::CTX_set_default_passwd_cb($ctx,$arg_hash->{SSL_passwd_cb}) if $arg_hash->{SSL_passwd_cb}; @@ -2373,8 +2389,8 @@ # don't free @chain, because CTX_add_extra_chain_cert # did not duplicate the certificates } - $havecert or return - IO::Socket::SSL->error("Failed to use certificate file"); + $havecert or return IO::Socket::SSL->error( + "Failed to load certificate from file (no PEM, DER or PKCS12)"); } if (!$havecert || $havekey) { 
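Review bot: With `SSL_check_crl` set, the only revocation flag accumulated in hunk @@ -2311 is `Net::SSLeay::X509_V_FLAG_CRL_CHECK()`. In OpenSSL that flag checks the leaf certificate against the CRL and leaves intermediate CA certificates unchecked, and the refactoring here and in @@ -2327 keeps that scope without stating it. A comment at the assignment would make the limit visible to anyone relying on the option, e.g. `# leaf certificate only; X509_V_FLAG_CRL_CHECK_ALL would be needed to cover the whole chain`. The `X509_STORE_set_flags` call now runs after the CRL file is read and only when the combined flags are non-zero, which looks equivalent, although the CRL-loading code between the two hunks is not fully visible.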
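Review bot: The new message `"Failed to load certificate from file (no PEM, DER or PKCS12)"` in hunk @@ -2373, and `"Failed to load key from file (no PEM or DER)"` in the next hunk (@@ -2392), blame the file format for every failure and name no file. The loading loops are outside both hunks, so this is inferred, but an unreadable path or an encrypted key without a working `SSL_passwd_cb` would presumably produce the same text and point the operator at the wrong cause. Wording such as `"Failed to load key from file (not readable as PEM or DER)"`, with the file name included, would be less misleading.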
@@ -2392,9 +2408,8 @@ last; } } - } - if ($havecert && !$havekey) { - return IO::Socket::SSL->error("Failed to use private key"); + $havekey or return IO::Socket::SSL->error( + "Failed to load key from file (no PEM or DER)"); } # replace arg_hash with created context diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.015/lib/IO/Socket/SSL.pod new/IO-Socket-SSL-2.016/lib/IO/Socket/SSL.pod --- old/IO-Socket-SSL-2.015/lib/IO/Socket/SSL.pod 2015-04-17 14:06:34.000000000 +0200 +++ new/IO-Socket-SSL-2.016/lib/IO/Socket/SSL.pod 2015-05-27 07:15:09.000000000 +0200 @@ -821,9 +821,9 @@ trusted certificate authority. In this case you should use this option to specify the file (C<SSL_ca_file>) or directory (C<SSL_ca_path>) containing the certificateZ<>(s) of the trusted certificate authorities. -Also you can give X509* certificate handles (from L<Net::SSLeay> or -L<IO::Socket::SSL::Utils>) as a list with C<SSL_ca>. These will be added to the -CA store before path and file and thus take precedence. +You can also give a list of X509* certificate handles (like you get from +L<Net::SSLeay> or L<IO::Socket::SSL::Utils::PEM_xxx2cert>) with C<SSL_ca>. These +will be added to the CA store before path and file and thus take precedence. If neither SSL_ca, nor SSL_ca_file or SSL_ca_path are set it will use C<default_ca()> to determine the user-set or system defaults. If you really don't want to set a CA set SSL_ca_file or SSL_ca_path to 
@@ -859,7 +859,8 @@ should be verified by the client. Same is true for client certificates, which should be verified by the server. The certificate can be given as a file with SSL_cert_file or as an internal -representation of a X509* object with SSL_cert. +representation of a X509* object (like you get from L<Net::SSLeay> or +L<IO::Socket::SSL::Utils::PEM_xxx2cert>) with SSL_cert. If given as a file it will automatically detect the format. Supported file formats are PEM, DER and PKCS#12, where PEM and PKCS#12 can contain the certicate and the chain to use, while DER can only contain a single @@ -873,7 +874,8 @@ For each certificate a key is need, which can either be given as a file with SSL_key_file or as an internal representation of a EVP_PKEY* object with -SSL_key. +SSL_key (like you get from L<Net::SSLeay> or +L<IO::Socket::SSL::Utils::PEM_xxx2key>). If a key was already given within the PKCS#12 file specified by SSL_cert_file it will ignore any SSL_key or SSL_key_file. If no SSL_key or SSL_key_file was given it will try to use the PEM file given diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.015/t/auto_verify_hostname.t new/IO-Socket-SSL-2.016/t/auto_verify_hostname.t --- old/IO-Socket-SSL-2.015/t/auto_verify_hostname.t 2015-05-13 22:08:44.000000000 +0200 +++ new/IO-Socket-SSL-2.016/t/auto_verify_hostname.t 2015-05-27 07:15:09.000000000 +0200 @@ -9,6 +9,19 @@ do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; +plan tests => 1 + 7 + 4 + 7*2 + 4; +my @tests = qw( + example.com www FAIL + server.local ldap OK + server.local www FAIL + bla.server.local www OK + www7.other.local www OK + www7.other.local ldap FAIL + bla.server.local ldap OK +); + + + my $server = IO::Socket::SSL->new( LocalAddr => '127.0.0.1', LocalPort => 0, 
@@ -32,16 +45,6 @@ } close($server); -my @tests = qw( - example.com www FAIL - server.local ldap OK - server.local www FAIL - bla.server.local www OK - www7.other.local www OK - www7.other.local ldap FAIL - bla.server.local ldap OK -); - IO::Socket::SSL::default_ca('certs/test-ca.pem'); for( my $i=0;$i<@tests;$i+=3 ) { my ($name,$scheme,$result) = @tests[$i,$i+1,$i+2]; @@ -82,4 +85,3 @@ kill(9,$pid); wait; -done_testing(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.015/t/io-socket-ip.t new/IO-Socket-SSL-2.016/t/io-socket-ip.t --- old/IO-Socket-SSL-2.015/t/io-socket-ip.t 2015-05-13 22:10:41.000000000 +0200 +++ new/IO-Socket-SSL-2.016/t/io-socket-ip.t 2015-05-27 07:18:13.000000000 +0200 @@ -68,7 +68,6 @@ close($server); my $to_server = IO::Socket::SSL->new( PeerAddr => $addr, - Domain => AF_INET, SSL_verify_mode => 0 ) || do { notok( "connect failed: ".IO::Socket::SSL->errstr() ); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.015/t/memleak_bad_handshake.t new/IO-Socket-SSL-2.016/t/memleak_bad_handshake.t --- old/IO-Socket-SSL-2.015/t/memleak_bad_handshake.t 2015-04-17 14:06:34.000000000 +0200 +++ new/IO-Socket-SSL-2.016/t/memleak_bad_handshake.t 2015-05-27 07:15:09.000000000 +0200 
@@ -10,7 +10,22 @@ use IO::Select; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; -if ( grep { $^O =~m{$_}i } qw( MacOS VOS vmesa riscos amigaos mswin32) ) { +my $getsize; +if ( -f "/proc/$$/statm" ) { + $getsize = sub { + my $pid = shift; + open( my $fh,'<', "/proc/$pid/statm"); + my $line = <$fh>; + return (split(' ',$line))[0] * 4; + }; +} elsif ( ! grep { $^O =~m{$_}i } qw( MacOS VOS vmesa riscos amigaos mswin32) ) { + $getsize = sub { + my $pid = shift; + open( my $ps,'-|',"ps -o vsize -p $pid 2>/dev/null" ) or return; + $ps && <$ps> or return; # header + return int(<$ps>); # size + }; +} else { print "1..0 # Skipped: ps not implemented on this platform\n"; exit } @@ -22,7 +37,7 @@ $|=1; -if ( ! getsize($$) ) { +if ( ! $getsize->($$) ) { print "1..0 # Skipped: no usable ps\n"; exit; } @@ -52,7 +67,7 @@ for(1..100) { IO::Socket::INET->new( $saddr ) or next; } -my $size100 = getsize($pid); +my $size100 = $getsize->($pid); if ( ! $size100 ) { print "1..0 # Skipped: cannot get size of child process\n"; goto done; @@ -61,12 +76,12 @@ for(100..200) { IO::Socket::INET->new( $saddr ) or next; } -my $size200 = getsize($pid); +my $size200 = $getsize->($pid); for(200..300) { IO::Socket::INET->new( $saddr ) or next; } -my $size300 = getsize($pid); +my $size300 = $getsize->($pid); if ($size100>$size200 or $size200<$size300) {; print "1..0 # skipped - do we measure the right thing?\n"; goto done; @@ -82,9 +97,3 @@ exit; -sub getsize { - my $pid = shift; - open( my $ps,'-|',"ps -o vsize -p $pid 2>/dev/null" ) or return; - $ps && <$ps> or return; # header - return int(<$ps>); # size -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/IO-Socket-SSL-2.015/t/protocol_version.t new/IO-Socket-SSL-2.016/t/protocol_version.t --- old/IO-Socket-SSL-2.015/t/protocol_version.t 2015-05-13 22:11:14.000000000 +0200 +++ new/IO-Socket-SSL-2.016/t/protocol_version.t 2015-05-27 07:15:09.000000000 +0200 
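Review bot: The `/proc` branch of `$getsize` calls `open( my $fh,'<', "/proc/$pid/statm")` without checking the result, unlike the `ps` branch, which returns on a failed open. If the child has already exited, the sub reads from an unopened handle and reaches a false return value only through undef arithmetic. `open( my $fh,'<', "/proc/$pid/statm") or return;` matches the other branch and lets the existing "cannot get size of child process" skip fire cleanly. The `* 4` presumably converts pages to KiB assuming 4 KiB pages; only relative growth is compared, so it is harmless, but a short comment would explain the constant.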
@@ -7,6 +7,9 @@ use IO::Socket::SSL; do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; +plan skip_all => "Test::More has no done_testing" + if !defined &done_testing; + $|=1; my $XDEBUG = 0;