This is an automated email from the git hooks/post-receive script. dom pushed a commit to branch master in repository libnet-ssleay-perl.
commit 6c466d4559ca201f4d6989a633c9ca5b908bfb9e Author: Dominic Hargreaves <d...@earth.li> Date: Mon Aug 8 23:26:28 2016 +0100 New upstream release Drop OpenSSL 1.1 patch included in release --- debian/changelog | 7 + debian/patches/series | 1 - debian/patches/svn-r472.patch | 1509 ----------------------------------------- 3 files changed, 7 insertions(+), 1510 deletions(-) diff --git a/debian/changelog b/debian/changelog index 9d69e60..b89de13 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +libnet-ssleay-perl (1.77-1) UNRELEASED; urgency=medium + + * New upstream release + * Drop OpenSSL 1.1 patch included in release + + -- Dominic Hargreaves <d...@earth.li> Mon, 08 Aug 2016 23:25:57 +0100 + libnet-ssleay-perl (1.74-1+svn472) experimental; urgency=medium [ gregor herrmann ] diff --git a/debian/patches/series b/debian/patches/series index 3d5191d..a147a3a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,2 @@ 0001-fix-typo-in-manpage.patch 20no-stray-libz-link.patch -svn-r472.patch diff --git a/debian/patches/svn-r472.patch b/debian/patches/svn-r472.patch deleted file mode 100644 index 322ec9f..0000000 --- a/debian/patches/svn-r472.patch +++ /dev/null @@ -1,1509 +0,0 @@ -Subject: OpenSSL 1.1 support -Author: Mike McCauley <mi...@airspayce.com> -Origin: svn://svn.debian.org/svn/net-ssleay@472 - -Removed patched ext/Module/Install/PRIVATE/Net/SSLeay.pm which doesn't -exist in released version - -Index: inc/Module/Install/PRIVATE/Net/SSLeay.pm -=================================================================== ---- a/inc/Module/Install/PRIVATE/Net/SSLeay.pm (revision 465) -+++ b/inc/Module/Install/PRIVATE/Net/SSLeay.pm (working copy) -@@ -1,5 +1,4 @@ - #line 1 --#line 1 - package Module::Install::PRIVATE::Net::SSLeay; - - use strict; -Index: Makefile.PL -=================================================================== ---- a/Makefile.PL (revision 465) -+++ b/Makefile.PL (working copy) -@@ -8,7 +8,7 @@ - use File::Spec; - - name('Net-SSLeay'); --license 'perl'; -+license('perl'); - all_from('lib/Net/SSLeay.pm'); - - ssleay(); -Index: SSLeay.xs -=================================================================== ---- a/SSLeay.xs (revision 465) -+++ b/SSLeay.xs (working copy) -@@ -237,8 +237,10 @@ - - #ifdef USE_ITHREADS - static perl_mutex LIB_init_mutex; -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - static perl_mutex *GLOBAL_openssl_mutex = NULL; - #endif -+#endif - static int LIB_initialized; - - UV get_my_thread_id(void) /* returns threads->tid() value */ -@@ -277,6 +279,8 @@ - */ - #if defined(USE_ITHREADS) && defined(OPENSSL_THREADS) - -+ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - static void openssl_locking_function(int mode, int type, const char *file, int line) - { - PR3("openssl_locking_function %d %d\n", mode, type); -@@ -331,6 +335,7 @@ - MUTEX_DESTROY(&l->mutex); - Safefree(l); - } -+#endif - - void openssl_threads_init(void) - { -@@ -338,6 +343,7 @@ - - PR1("STARTED: openssl_threads_init\n"); - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - /* initialize static locking */ - if ( !CRYPTO_get_locking_callback() ) { - #if OPENSSL_VERSION_NUMBER < 0x10000000L -@@ -371,6 +377,7 @@ - CRYPTO_set_dynlock_lock_callback(openssl_dynlocking_lock_function); - CRYPTO_set_dynlock_destroy_callback(openssl_dynlocking_destroy_function); - } -+#endif - } - - #endif -@@ -395,7 +402,9 @@ - if (!m) return; /* Skip aliases */ - mname = OBJ_nid2ln(EVP_MD_type(m)); - if (strcmp(from, mname)) return; /* Skip shortnames */ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - if (EVP_MD_flags(m) & EVP_MD_FLAG_PKEY_DIGEST) return; /* Skip clones */ -+#endif - if (strchr(mname, ' ')) mname= EVP_MD_name(m); - av_push(arg, newSVpv(mname,0)); - } -@@ -799,6 +808,7 @@ - AV *ciphers = newAV(); - SV *pref_cipher = sv_newmortal(); - SV * cb_func, *cb_data; -+ SV * secretsv; - - PR1("STARTED: ssleay_session_secret_cb_invoke\n"); - cb_func = cb_data_advanced_get(arg, "ssleay_session_secret_cb!!func"); -@@ -811,8 +821,8 @@ - SAVETMPS; - - PUSHMARK(SP); -- -- XPUSHs( sv_2mortal( newSVpv(secret, *secret_len)) ); -+ secretsv = sv_2mortal( newSVpv(secret, *secret_len)); -+ XPUSHs(secretsv); - for (i=0; i<sk_SSL_CIPHER_num(peer_ciphers); i++) { - SSL_CIPHER *c = sk_SSL_CIPHER_value(peer_ciphers,i); - av_store(ciphers, i, sv_2mortal(newSVpv(SSL_CIPHER_get_name(c), 0))); -@@ -835,6 +845,13 @@ - /* See if there is a preferred cipher selected, if so it is an index into the stack */ - if (SvIOK(pref_cipher)) - *cipher = sk_SSL_CIPHER_value(peer_ciphers, SvIV(pref_cipher)); -+ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ /* Use any new master secret set by the callback function in secret */ -+ STRLEN newsecretlen; -+ char* newsecretdata = SvPV(secretsv, newsecretlen); -+ memcpy(secret, newsecretdata, newsecretlen); -+#endif - } - - PUTBACK; -@@ -1221,7 +1238,101 @@ - LEAVE; - } - -+/* -+ * Support for tlsext_ticket_key_cb_invoke was already in 0.9.8 but it was -+ * broken in various ways during the various 1.0.0* versions. -+ * Better enable it only starting with 1.0.1. -+*/ -+#if defined(SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB) && OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_TLSEXT) -+#define NET_SSLEAY_CAN_TICKET_KEY_CB - -+int tlsext_ticket_key_cb_invoke( -+ SSL *ssl, -+ unsigned char *key_name, -+ unsigned char *iv, -+ EVP_CIPHER_CTX *ectx, -+ HMAC_CTX *hctx, -+ int enc -+){ -+ -+ dSP; -+ int count; -+ SV *cb_func, *cb_data; -+ SV *sv_name, *sv_key; -+ STRLEN svlen; -+ unsigned char *key; /* key[0..15] aes, key[16..32] hmac */ -+ unsigned char *name; -+ SSL_CTX *ctx = SSL_get_SSL_CTX(ssl); -+ -+ PR1("STARTED: tlsext_ticket_key_cb_invoke\n"); -+ cb_func = cb_data_advanced_get(ctx, "tlsext_ticket_key_cb!!func"); -+ cb_data = cb_data_advanced_get(ctx, "tlsext_ticket_key_cb!!data"); -+ -+ if (!SvROK(cb_func) || (SvTYPE(SvRV(cb_func)) != SVt_PVCV)) -+ croak("callback must be a code reference"); -+ -+ ENTER; -+ SAVETMPS; -+ PUSHMARK(SP); -+ XPUSHs(sv_2mortal(newSVsv(cb_data))); -+ -+ if (!enc) { -+ /* call as getkey(data,this_name) -> (key,current_name) */ -+ XPUSHs(sv_2mortal(newSVpv(key_name,16))); -+ } else { -+ /* call as getkey(data) -> (key,current_name) */ -+ } -+ -+ -+ PUTBACK; -+ count = call_sv( cb_func, G_ARRAY ); -+ -+ SPAGAIN; -+ if (count>0) sv_name = POPs; -+ if (count>1) sv_key = POPs; -+ -+ if (!enc && ( !count || !SvOK(sv_key) )) { -+ TRACE(2,"no key returned for ticket"); -+ return 0; -+ } -+ -+ if (count != 2) -+ croak("key functions needs to return (key,name)"); -+ key = SvPV(sv_key,svlen); -+ if (svlen < 32) -+ croak("key must be at least 32 random bytes, got %d",svlen); -+ name = SvPV(sv_name,svlen); -+ if (svlen != 16) -+ croak("name should be exactly 16 characters, got %d",svlen); -+ if (svlen == 0) -+ croak("name should not be empty"); -+ -+ if (enc) { -+ /* encrypt ticket information with given key */ -+ RAND_bytes(iv, 16); -+ EVP_EncryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, key, iv); -+ HMAC_Init_ex(hctx,key+16,16,EVP_sha256(),NULL); -+ bzero(key_name,16); -+ memcpy(key_name,name,svlen); -+ return 1; -+ } else { -+ unsigned char new_name[16]; -+ bzero(new_name,16); -+ memcpy(new_name,name,svlen); -+ -+ HMAC_Init_ex(hctx,key+16,16,EVP_sha256(),NULL); -+ EVP_DecryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, key, iv); -+ -+ if (memcmp(new_name,key_name,16) == 0) -+ return 1; /* current key was used */ -+ else -+ return 2; /* different key was used, need to be renewed */ -+ } -+} -+ -+#endif -+ -+ - /* ============= end of callback stuff, begin helper functions ============== */ - - time_t ASN1_TIME_timet(ASN1_TIME *asn1t) { -@@ -1404,8 +1515,10 @@ - OUTPUT: - RETVAL - --#ifndef OPENSSL_NO_SSL2 - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#ifndef OPENSSL_NO_SSL2 -+ - SSL_CTX * - SSL_CTX_v2_new() - CODE: -@@ -1414,7 +1527,7 @@ - RETVAL - - #endif -- -+#endif - #ifndef OPENSSL_NO_SSL3 - - SSL_CTX * -@@ -2105,10 +2218,35 @@ - SSL_want(s) - SSL * s - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - int - SSL_state(s) - SSL * s - -+int -+SSL_get_state(ssl) -+ SSL * ssl -+ CODE: -+ RETVAL = SSL_state(ssl); -+ OUTPUT: -+ RETVAL -+ -+ -+#else -+int -+SSL_state(s) -+ SSL * s -+ CODE: -+ RETVAL = SSL_get_state(s); -+ OUTPUT: -+ RETVAL -+ -+ -+int -+SSL_get_state(s) -+ SSL * s -+ -+#endif - #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT) - - long -@@ -2734,19 +2872,15 @@ - X509_ATTRIBUTE * att; - int count, i; - ASN1_STRING * s; -+ ASN1_TYPE * t; - PPCODE: - att = X509_REQ_get_attr(req,n); -- if (att->single) { -- s = (att->value.single->value.asn1_string); -+ count = X509_ATTRIBUTE_count(att); -+ for (i=0; i<count; i++) { -+ t = X509_ATTRIBUTE_get0_type(att, i); -+ s = t->value.asn1_string; - XPUSHs(sv_2mortal(newSViv(PTR2IV(s)))); -- } -- else { -- count = sk_ASN1_TYPE_num(att->value.set); -- for (i=0; i<count; i++) { -- s = (sk_ASN1_TYPE_value(att->value.set, i)->value.asn1_string); -- XPUSHs(sv_2mortal(newSViv(PTR2IV(s)))); -- } -- } -+ } - - #endif - -@@ -4439,6 +4573,7 @@ - const unsigned char * sid_ctx - unsigned int sid_ctx_len - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - void - SSL_CTX_set_tmp_rsa_callback(ctx, cb) - SSL_CTX * ctx -@@ -4449,6 +4584,8 @@ - SSL * ssl - cb_ssl_int_int_ret_RSA * cb - -+#endif -+ - void - SSL_CTX_set_tmp_dh_callback(ctx, dh) - SSL_CTX * ctx -@@ -4526,6 +4663,7 @@ - OUTPUT: - RETVAL - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - long - SSL_CTX_need_tmp_RSA(ctx) - SSL_CTX * ctx -@@ -4534,6 +4672,8 @@ - OUTPUT: - RETVAL - -+#endif -+ - int - SSL_CTX_set_app_data(ctx,arg) - SSL_CTX * ctx -@@ -4575,11 +4715,14 @@ - SSL_CTX * ctx - DH * dh - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - long - SSL_CTX_set_tmp_rsa(ctx,rsa) - SSL_CTX * ctx - RSA * rsa - -+#endif -+ - #if OPENSSL_VERSION_NUMBER > 0x10000000L && !defined OPENSSL_NO_EC - - EC_KEY * -@@ -4591,12 +4734,55 @@ - EC_KEY * key - - long --SSL_CTX_set_tmp_ecdh(ctx,ecdh); -+SSL_CTX_set_tmp_ecdh(ctx,ecdh) - SSL_CTX * ctx - EC_KEY * ecdh - -+int -+EVP_PKEY_assign_EC_KEY(pkey,key) -+ EVP_PKEY * pkey -+ EC_KEY * key -+ -+ -+EC_KEY * -+EC_KEY_generate_key(curve) -+ SV *curve; -+ CODE: -+ EC_GROUP *group = NULL; -+ EC_KEY *eckey = NULL; -+ int nid; -+ -+ RETVAL = 0; -+ if (SvIOK(curve)) { -+ nid = SvIV(curve); -+ } else { -+ nid = OBJ_sn2nid(SvPV_nolen(curve)); -+#if OPENSSL_VERSION_NUMBER > 0x10002000L -+ if (!nid) nid = EC_curve_nist2nid(SvPV_nolen(curve)); - #endif -+ if (!nid) croak("unknown curve %s",SvPV_nolen(curve)); -+ } - -+ group = EC_GROUP_new_by_curve_name(nid); -+ if (!group) croak("unknown curve nid=%d",nid); -+ EC_GROUP_set_asn1_flag(group,OPENSSL_EC_NAMED_CURVE); -+ -+ eckey = EC_KEY_new(); -+ if ( eckey -+ && EC_KEY_set_group(eckey, group) -+ && EC_KEY_generate_key(eckey)) { -+ RETVAL = eckey; -+ } else { -+ if (eckey) EC_KEY_free(eckey); -+ } -+ if (group) EC_GROUP_free(group); -+ -+ OUTPUT: -+ RETVAL -+ -+ -+#endif -+ - void * - SSL_get_app_data(s) - SSL * s -@@ -4622,25 +4808,20 @@ - OUTPUT: - RETVAL - --int --SSL_get_state(ssl) -- SSL * ssl -- CODE: -- RETVAL = SSL_state(ssl); -- OUTPUT: -- RETVAL -- - void - SSL_set_state(ssl,state) - SSL * ssl - int state - CODE: --#ifdef OPENSSL_NO_SSL_INTERN -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ /* not available */ -+#elif defined(OPENSSL_NO_SSL_INTERN) - SSL_set_state(ssl,state); - #else - ssl->state = state; - #endif - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - long - SSL_need_tmp_RSA(ssl) - SSL * ssl -@@ -4649,6 +4830,9 @@ - OUTPUT: - RETVAL - -+ -+#endif -+ - long - SSL_num_renegotiations(ssl) - SSL * ssl -@@ -4668,10 +4852,6 @@ - long - SSL_session_reused(ssl) - SSL * ssl -- CODE: -- RETVAL = SSL_ctrl(ssl,SSL_CTRL_GET_SESSION_REUSED,0,NULL); -- OUTPUT: -- RETVAL - - int - SSL_SESSION_set_app_data(s,a) -@@ -4714,6 +4894,7 @@ - SSL * ssl - DH * dh - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - long - SSL_set_tmp_rsa(ssl,rsa) - SSL * ssl -@@ -4723,6 +4904,7 @@ - OUTPUT: - RETVAL - -+#endif - - #ifdef __ANDROID__ - -@@ -4855,13 +5037,33 @@ - OUTPUT: - RETVAL - -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - void - SSL_SESSION_get_master_key(s) - SSL_SESSION * s -+ PREINIT: -+ size_t master_key_length; -+ unsigned char* master_key; - CODE: - ST(0) = sv_newmortal(); /* Undefined to start with */ -+ master_key_length = SSL_SESSION_get_master_key(s, 0, 0); /* get the length */ -+ New(0, master_key, master_key_length, unsigned char); -+ SSL_SESSION_get_master_key(s, master_key, master_key_length); -+ sv_setpvn(ST(0), (const char*)master_key, master_key_length); -+ Safefree(master_key); -+ -+#else -+void -+SSL_SESSION_get_master_key(s) -+ SSL_SESSION * s -+ CODE: -+ ST(0) = sv_newmortal(); /* Undefined to start with */ - sv_setpvn(ST(0), (const char*)s->master_key, s->master_key_length); - -+#endif -+ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ - void - SSL_SESSION_set_master_key(s,key) - SSL_SESSION * s -@@ -4873,24 +5075,80 @@ - memcpy(s->master_key, key, len); - s->master_key_length = len; - -+#endif -+ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -+ - void - SSL_get_client_random(s) - SSL * s -+ PREINIT: -+ size_t random_length; -+ unsigned char* random_data; - CODE: - ST(0) = sv_newmortal(); /* Undefined to start with */ -+ random_length = SSL_get_client_random(s, 0, 0); /* get the length */ -+ New(0, random_data, random_length, unsigned char); -+ SSL_get_client_random(s, random_data, random_length); -+ sv_setpvn(ST(0), (const char*)random_data, random_length); -+ Safefree(random_data); -+ -+#else -+ -+void -+SSL_get_client_random(s) -+ SSL * s -+ CODE: -+ ST(0) = sv_newmortal(); /* Undefined to start with */ - sv_setpvn(ST(0), (const char*)s->s3->client_random, SSL3_RANDOM_SIZE); - -+#endif -+ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -+ - void - SSL_get_server_random(s) - SSL * s -+ PREINIT: -+ size_t random_length; -+ unsigned char* random_data; - CODE: - ST(0) = sv_newmortal(); /* Undefined to start with */ -+ random_length = SSL_get_server_random(s, 0, 0); /* get the length */ -+ New(0, random_data, random_length, unsigned char); -+ SSL_get_server_random(s, random_data, random_length); -+ sv_setpvn(ST(0), (const char*)random_data, random_length); -+ Safefree(random_data); -+ -+#else -+ -+void -+SSL_get_server_random(s) -+ SSL * s -+ CODE: -+ ST(0) = sv_newmortal(); /* Undefined to start with */ - sv_setpvn(ST(0), (const char*)s->s3->server_random, SSL3_RANDOM_SIZE); - -+#endif -+ - int - SSL_get_keyblock_size(s) - SSL * s - CODE: -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -+ const SSL_CIPHER *ssl_cipher; -+ int cipher, digest; -+ const EVP_CIPHER *c; -+ const EVP_MD *h; -+ -+ ssl_cipher = SSL_get_current_cipher(s); -+ cipher = SSL_CIPHER_get_cipher_nid(ssl_cipher); -+ digest = SSL_CIPHER_get_digest_nid(ssl_cipher); -+ c = EVP_get_cipherbynid(cipher); -+ h = EVP_get_digestbynid(digest); -+ RETVAL = 2 * (EVP_CIPHER_key_length(c) + EVP_MD_size(h) + -+ EVP_CIPHER_iv_length(c)); -+#else - if (s == NULL || - s->enc_read_ctx == NULL || - s->enc_read_ctx->cipher == NULL || -@@ -4919,6 +5177,8 @@ - EVP_CIPHER_iv_length(c))) - : -1; - } -+#endif -+ - OUTPUT: - RETVAL - -@@ -4956,13 +5216,34 @@ - else { - cb_data_advanced_put(s, "ssleay_session_secret_cb!!func", newSVsv(callback)); - cb_data_advanced_put(s, "ssleay_session_secret_cb!!data", newSVsv(data)); -- SSL_set_session_secret_cb(s, (int (*)(SSL *s, void *secret, int *secret_len, -- STACK_OF(SSL_CIPHER) *peer_ciphers, -- SSL_CIPHER **cipher, void *arg))&ssleay_session_secret_cb_invoke, s); -+ SSL_set_session_secret_cb(s, (tls_session_secret_cb_fn)&ssleay_session_secret_cb_invoke, s); - } - - #endif - -+#ifdef NET_SSLEAY_CAN_TICKET_KEY_CB -+ -+void -+SSL_CTX_set_tlsext_ticket_getkey_cb(ctx,callback=&PL_sv_undef,data=&PL_sv_undef) -+ SSL_CTX * ctx -+ SV * callback -+ SV * data -+ CODE: -+ if (callback==NULL || !SvOK(callback)) { -+ SSL_CTX_set_tlsext_ticket_key_cb(ctx, NULL); -+ cb_data_advanced_put(ctx, "tlsext_ticket_key_cb!!func", NULL); -+ cb_data_advanced_put(ctx, "tlsext_ticket_key_cb!!data", NULL); -+ } -+ else { -+ cb_data_advanced_put(ctx, "tlsext_ticket_key_cb!!func", newSVsv(callback)); -+ cb_data_advanced_put(ctx, "tlsext_ticket_key_cb!!data", newSVsv(data)); -+ SSL_CTX_set_tlsext_ticket_key_cb(ctx, &tlsext_ticket_key_cb_invoke); -+ } -+ -+ -+#endif -+ -+ - #if OPENSSL_VERSION_NUMBER < 0x0090700fL - #define REM11 "NOTE: before 0.9.7" - -@@ -5382,7 +5663,11 @@ - P_X509_get_signature_alg(x) - X509 * x - CODE: -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -+ RETVAL = (X509_get0_tbs_sigalg(x)->algorithm); -+#else - RETVAL = (x->cert_info->signature->algorithm); -+#endif - OUTPUT: - RETVAL - -@@ -5389,8 +5674,17 @@ - ASN1_OBJECT * - P_X509_get_pubkey_alg(x) - X509 * x -+ PREINIT: - CODE: -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ { -+ X509_ALGOR * algor; -+ X509_PUBKEY_get0_param(0, 0, 0, &algor, X509_get_X509_PUBKEY(x)); -+ RETVAL = (algor->algorithm); -+ } -+#else - RETVAL = (x->cert_info->key->algor->algorithm); -+#endif - OUTPUT: - RETVAL - -@@ -5705,8 +5999,7 @@ - * response does not contain the chain up to the trusted root */ - STACK_OF(X509) *chain = SSL_get_peer_cert_chain(ssl); - for(i=0;i<sk_X509_num(chain);i++) { -- if (!bsr->certs) bsr->certs = sk_X509_new_null(); -- sk_X509_push(bsr->certs,X509_dup(sk_X509_value(chain,i))); -+ OCSP_basic_add1_cert(bsr, sk_X509_value(chain,i)); - } - TRACE(1,"run basic verify"); - RETVAL = OCSP_basic_verify(bsr, NULL, store, flags); -@@ -5718,7 +6011,7 @@ - X509 *issuer; - X509 *last = sk_X509_value(chain,sk_X509_num(chain)-1); - if ( (issuer = find_issuer(last,store,chain))) { -- sk_X509_push(bsr->certs,X509_dup(issuer)); -+ OCSP_basic_add1_cert(bsr, X509_dup(issuer)); - TRACE(1,"run OCSP_basic_verify with issuer for last chain element"); - RETVAL = OCSP_basic_verify(bsr, NULL, store, flags); - } -@@ -5736,7 +6029,6 @@ - OCSP_BASICRESP *bsr; - int i,want_array; - time_t nextupd = 0; -- STACK_OF(OCSP_SINGLERESP) *sks; - int getall,sksn; - - bsr = OCSP_response_get1_basic(rsp); -@@ -5744,8 +6036,7 @@ - - want_array = (GIMME == G_ARRAY); - getall = (items <= 1); -- sks = bsr->tbsResponseData->responses; -- sksn = sk_OCSP_SINGLERESP_num(sks); -+ sksn = OCSP_resp_count(bsr); - - for(i=0; i < (getall ? sksn : items-1); i++) { - const char *error = NULL; -@@ -5754,9 +6045,8 @@ - SV *idsv = NULL; - - if(getall) { -- sir = sk_OCSP_SINGLERESP_value(sks,i); -+ sir = OCSP_resp_get0(bsr,i); - } else { -- int k; - STRLEN len; - const unsigned char *p; - -@@ -5767,22 +6057,36 @@ - error = "failed to get OCSP certid from string"; - goto end; - } -- for(k=0;k<sksn;k++) { -- if (!OCSP_id_cmp(certid,sk_OCSP_SINGLERESP_value(sks,k)->certId)) { -- sir = sk_OCSP_SINGLERESP_value(sks,k); -- break; -- } -+ int first = OCSP_resp_find(bsr, certid, -1); /* Find the first matching */ -+ if (first >= 0) -+ { -+ sir = OCSP_resp_get0(bsr,first); -+ break; - } - } - -- if (!sir) { -- error = "cannot find entry for certificate in OCSP response"; -- } else if (!OCSP_check_validity(sir->thisUpdate,sir->nextUpdate,0,-1)) { -- error = "response not yet valid or expired"; -- } else if (sir->certStatus->type == V_OCSP_CERTSTATUS_REVOKED) { -- error = "certificate status is revoked"; -- } else if (sir->certStatus->type != V_OCSP_CERTSTATUS_GOOD) { -- error = "certificate status is unknown"; -+ int status, revocationReason; -+ ASN1_GENERALIZEDTIME *revocationTime, *thisupdate, *nextupdate; -+ if (sir) -+ { -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ status = OCSP_single_get0_status(sir, &revocationReason, &revocationTime, &thisupdate, &nextupdate); -+#else -+ status = sir->certStatus->type; -+ revocationTime = sir->certStatus->value.revoked->revocationTime; -+ thisupdate = sir->thisUpdate; -+ nextupdate = sir->nextUpdate; -+#endif -+ if (status == V_OCSP_CERTSTATUS_REVOKED) { -+ error = "certificate status is revoked"; -+ } else if (status != V_OCSP_CERTSTATUS_GOOD) { -+ error = "certificate status is unknown"; -+ } -+ else if (!OCSP_check_validity(thisupdate, nextupdate, 0, -1)) { -+ error = "response not yet valid or expired"; -+ } -+ } else { -+ error = "cannot find entry for certificate in OCSP response"; - } - - end: -@@ -5791,12 +6095,20 @@ - if (!idsv) { - /* getall: create new SV with OCSP_CERTID */ - unsigned char *pi,*pc; -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -+ int len = i2d_OCSP_CERTID(OCSP_SINGLERESP_get0_id(sir),NULL); -+#else - int len = i2d_OCSP_CERTID(sir->certId,NULL); -+#endif - if(!len) continue; - Newx(pc,len,unsigned char); - if (!pc) croak("out of memory"); - pi = pc; -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -+ i2d_OCSP_CERTID(OCSP_SINGLERESP_get0_id(sir),&pi); -+#else - i2d_OCSP_CERTID(sir->certId,&pi); -+#endif - idsv = newSVpv((char*)pc,len); - Safefree(pc); - } else { -@@ -5809,26 +6121,26 @@ - HV *details = newHV(); - av_push(idav,newRV_noinc((SV*)details)); - hv_store(details,"statusType",10, -- newSViv(sir->certStatus->type),0); -- if (sir->nextUpdate) hv_store(details,"nextUpdate",10, -- newSViv(ASN1_TIME_timet(sir->nextUpdate)),0); -- if (sir->thisUpdate) hv_store(details,"thisUpdate",10, -- newSViv(ASN1_TIME_timet(sir->thisUpdate)),0); -- if (sir->certStatus->type == V_OCSP_CERTSTATUS_REVOKED) { -+ newSViv(status),0); -+ if (nextupdate) hv_store(details,"nextUpdate",10, -+ newSViv(ASN1_TIME_timet(nextupdate)),0); -+ if (thisupdate) hv_store(details,"thisUpdate",10, -+ newSViv(ASN1_TIME_timet(thisupdate)),0); -+ if (status == V_OCSP_CERTSTATUS_REVOKED) { -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - OCSP_REVOKEDINFO *rev = sir->certStatus->value.revoked; -- hv_store(details,"revocationTime",14,newSViv( -- ASN1_TIME_timet(rev->revocationTime)),0); -- hv_store(details,"revocationReason",16,newSViv( -- ASN1_ENUMERATED_get(rev->revocationReason)),0); -+ revocationReason = ASN1_ENUMERATED_get(rev->revocationReason); -+#endif -+ hv_store(details,"revocationTime",14,newSViv(ASN1_TIME_timet(revocationTime)),0); -+ hv_store(details,"revocationReason",16,newSViv(revocationReason),0); - hv_store(details,"revocationReason_str",20,newSVpv( -- OCSP_crl_reason_str(ASN1_ENUMERATED_get( -- rev->revocationReason)),0),0); -+ OCSP_crl_reason_str(revocationReason),0),0); - } - } - XPUSHs(sv_2mortal(newRV_noinc((SV*)idav))); - } else if (!error) { - /* compute lowest nextUpdate */ -- time_t nu = ASN1_TIME_timet(sir->nextUpdate); -+ time_t nu = ASN1_TIME_timet(nextupdate); - if (!nextupd || nextupd>nu) nextupd = nu; - } - -Index: README -=================================================================== ---- a/README (revision 465) -+++ b/README (working copy) -@@ -6,12 +6,18 @@ - - perl -MNet::SSLeay -e '($p)=Net::SSLeay::get_https("www.openssl.org", 443, "/"); print $p' - -+for the latest and possibly unstable version from SVN: -+ -+ svn co svn://svn.debian.org/svn/net-ssleay -+ -+ - Prerequisites - ------------- - --perl-5.6.1 though anything starting from perl5.003 probably works. -+perl-5.6.1 though anything starting from perl5.003 probably works. Later -+ versions are OK. - --OpenSSL-0.9.6j through to at least OpenSSL-1.0.2 and probably later -+OpenSSL-0.9.6j through to at least OpenSSL-1.1 and probably later - http://www.openssl.org/ - On Linux, you can either build and - install OpenSSL from scratch (its very portable) or you can - install the appropriate OpenSSL 'devel' package for your Linux -@@ -25,6 +31,8 @@ - in OpenSSL-0.9.2b. OpenSSL-0.9.1c support has also been dropped, - version 1.03 was the last one to support that. - -+LibreSSL is also supported. -+ - You should use the same C compiler and options to compile OpenSSL, - perl, and Net::SSLeay. This is the only supported configuration. - If you insist on using different compilers (perhaps because you -Index: t/local/35_ephemeral.t -=================================================================== ---- a/t/local/35_ephemeral.t (revision 465) -+++ b/t/local/35_ephemeral.t (working copy) -@@ -6,7 +6,7 @@ - use Net::SSLeay; - - BEGIN { -- plan skip_all => "libressl removed support for ephemeral/temporary RSA private keys" if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER"); -+ plan skip_all => "libressl and OpenSSL 1.1 removed support for ephemeral/temporary RSA private keys" if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") || Net::SSLeay::constant("OPENSSL_VERSION_NUMBER") >= 0x10100000; - } - - plan tests => 3; -Index: t/local/32_x509_get_cert_info.t -=================================================================== ---- a/t/local/32_x509_get_cert_info.t (revision 465) -+++ b/t/local/32_x509_get_cert_info.t (working copy) -@@ -175,7 +175,7 @@ - } - - SKIP: { -- skip('crl_distribution_points requires 0.9.7+', scalar(@{$dump->{$f}->{cdp}})+1) unless Net::SSLeay::SSLeay >= 0x0090700f; -+ skip('crl_distribution_points requires 0.9.7+', int(@{$dump->{$f}->{cdp}})+1) unless Net::SSLeay::SSLeay >= 0x0090700f; - my @cdp = Net::SSLeay::P_X509_get_crl_distribution_points($x509); - is(scalar(@cdp), scalar(@{$dump->{$f}->{cdp}}), "cdp size\t$f"); - for my $i (0..$#cdp) { -Index: t/local/63_ec_key_generate_key.t -=================================================================== ---- a/t/local/63_ec_key_generate_key.t (revision 0) -+++ b/t/local/63_ec_key_generate_key.t (revision 472) -@@ -0,0 +1,35 @@ -+#!/usr/bin/perl -+ -+use strict; -+use warnings; -+use Test::More; -+use Net::SSLeay; -+ -+if (!defined &Net::SSLeay::EC_KEY_generate_key) { -+ plan skip_all => "no suport for ECC in your OpenSSL"; -+ exit(0); -+} -+ -+plan tests => 4; -+ -+Net::SSLeay::randomize(); -+Net::SSLeay::load_error_strings(); -+Net::SSLeay::ERR_load_crypto_strings(); -+Net::SSLeay::SSLeay_add_ssl_algorithms(); -+ -+my $ec = Net::SSLeay::EC_KEY_generate_key('prime256v1'); -+ok($ec,'EC key created'); -+ -+if ($ec) { -+ my $key = Net::SSLeay::EVP_PKEY_new(); -+ my $rv = Net::SSLeay::EVP_PKEY_assign_EC_KEY($key,$ec); -+ ok($rv,'EC key assigned to PKEY'); -+ -+ my $pem = Net::SSLeay::PEM_get_string_PrivateKey($key); -+ ok( $pem =~m{^---.* PRIVATE KEY}m, "output key as PEM"); -+ -+ my $bio = Net::SSLeay::BIO_new( Net::SSLeay::BIO_s_mem()); -+ Net::SSLeay::BIO_write($bio,$pem); -+ my $newkey = Net::SSLeay::PEM_read_bio_PrivateKey($bio); -+ ok($newkey,"read key again from PEM"); -+} -Index: t/local/64_ticket_sharing.t -=================================================================== ---- a/t/local/64_ticket_sharing.t (revision 0) -+++ b/t/local/64_ticket_sharing.t (revision 472) -@@ -0,0 +1,270 @@ -+#!/usr/bin/perl -+ -+use strict; -+use warnings; -+use Test::More; -+use Socket; -+use File::Spec; -+use Net::SSLeay; -+use Config; -+ -+# for debugging only -+my $DEBUG = 0; -+my $PCAP = 0; -+require Net::PcapWriter if $PCAP; -+ -+plan skip_all => "no support for tlsext_ticket_key_cb" -+ if ! defined &Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb; -+plan tests => 15; -+ -+Net::SSLeay::randomize(); -+Net::SSLeay::load_error_strings(); -+Net::SSLeay::ERR_load_crypto_strings(); -+Net::SSLeay::SSLeay_add_ssl_algorithms(); -+ -+my $SSL_ERROR; # set in _minSSL -+my %TRANSFER; # set in _handshake -+ -+my $client = _minSSL->new(); -+my $server = _minSSL->new( cert => [ -+ File::Spec->catfile('t','data','cert.pem'), -+ File::Spec->catfile('t','data','key.pem') -+]); -+ -+ -+# initial tests without reuse -+# ---------------------------------------------- -+is( _handshake($client,$server), 'full', "initial handshake is full"); -+is( _handshake($client,$server), 'full', "another full handshake"); -+ -+# explicitly reuse session in client to check that server accepts it -+# ---------------------------------------------- -+my $sess = Net::SSLeay::get1_session($client->_ssl); -+my $reuse = sub { Net::SSLeay::set_session($client->_ssl,$sess) }; -+is( _handshake($client,$server,$reuse),'reuse',"handshake with reuse"); -+is( _handshake($client,$server,$reuse),'reuse',"handshake again with reuse"); -+ -+# create another server and connect client with session from old server -+# should not be reused -+# ---------------------------------------------- -+my $server2 = _minSSL->new( cert => [ -+ File::Spec->catfile('t','data','cert.pem'), -+ File::Spec->catfile('t','data','key.pem') -+]); -+is( _handshake($client,$server2,$reuse),'full',"handshake with server2 is full"); -+ -+# now attach the same ticket key callback to both servers -+# ---------------------------------------------- -+Net::SSLeay::RAND_bytes(my $key,32); -+my $key_name = pack("a16",'secret'); -+my $keycb = sub { -+ my ($mykey,$name) = @_; -+ return ($mykey,$key_name) if ! $name or $key_name eq $name; -+ return; # unknown key -+}; -+Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb($server->_ctx, $keycb,$key); -+Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb($server2->_ctx,$keycb,$key); -+is( _handshake($client,$server),'full',"initial full handshake with server1"); -+$sess = Net::SSLeay::get1_session($client->_ssl); -+is( _handshake($client,$server,$reuse), 'reuse',"reuse session with server1"); -+is( _handshake($client,$server2,$reuse),'reuse',"reuse session with server2"); -+ -+# simulate rotation for $key: the callback returns now the right key, but -+# has a different current_name. It is expected that the callback is called again -+# for encryption with the new key and that a new session ticket gets sent to -+# the client -+# ---------------------------------------------- -+Net::SSLeay::RAND_bytes(my $newkey,32); -+my $newkey_name = pack("a16",'newsecret'); -+my @keys = ( -+ [ $newkey_name, $newkey ], # current default key -+ [ $key_name, $key ], # already expired -+); -+my @was_called_with; -+my %old_transfer = %TRANSFER; -+Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb($server2->_ctx, sub { -+ my (undef,$name) = @_; -+ push @was_called_with,$name || '<undef>'; -+ return ($keys[0][1],$keys[0][0]) if ! $name; -+ for(my $i = 0; $i<@keys; $i++) { -+ return ($keys[$i][1],$keys[0][0]) if $name eq $keys[$i][0]; -+ } -+ return; -+}); -+ -+my $expect_reuse = _handshake($client,$server2,$reuse); -+if ($expect_reuse eq '> < > <') { -+ # broken handshake seen with openssl 1.0.0 when a ticket was used where -+ # the key is still known but expired. It will do -+ # Encrypted Handshake Message, Change Cipher Spec, Encrypted Handshake Message -+ # in the last packet from server to client -+ is($expect_reuse,'> < > <',"(slightly broken) reuse session with old key with server2"); -+ ok( @was_called_with >= 2,'callback was called at least 2 times'); -+} else { -+ is($expect_reuse,'reuse',"reuse session with old key with server2"); -+ is( 0+@was_called_with,2,'callback was called 2 times'); -+} -+ -+is( $was_called_with[0],$key_name, 'first with the old key name'); -+is( $was_called_with[1],"<undef>", 'then with undef to get the current key'); -+ok( $TRANSFER{client} == $old_transfer{client}, 'no more data from client to server'); -+ok( $TRANSFER{server} > $old_transfer{server}, 'but more data from server (new ticket)'); -+ -+# finally try to reuse the session created with new key against server1 -+# this should result in a full handshake since server1 does not know newkey -+# ---------------------------------------------- -+$sess = Net::SSLeay::get1_session($client->_ssl); -+is( _handshake($client,$server,$reuse),'full',"full handshake with new ticker on server1"); -+ -+ -+ -+my $i; -+sub _handshake { -+ my ($client,$server,$after_init) = @_; -+ $client->state_connect; -+ $server->state_accept; -+ &$after_init if $after_init; -+ -+ my $pcap = $PCAP && do { -+ my $fname = 'test'.(++$i).'.pcap'; -+ open(my $fh,'>',$fname); -+ diag("pcap in $fname"); -+ $fh->autoflush; -+ Net::PcapWriter->new($fh)->tcp_conn('1.1.1.1',1000,'2.2.2.2',443); -+ }; -+ -+ my ($client_done,$server_done,@hs); -+ %TRANSFER = (); -+ for(my $tries = 0; $tries < 10 and !$client_done || !$server_done; $tries++ ) { -+ $client_done ||= $client->handshake || 0; -+ $server_done ||= $server->handshake || 0; -+ -+ my $transfer = 0; -+ if (defined(my $data = $client->bio_read())) { -+ $pcap && $pcap->write(0,$data); -+ $DEBUG && warn "client -> server: ".length($data)." bytes\n"; -+ $server->bio_write($data); -+ push @hs,'>'; -+ $TRANSFER{client} += length($data); -+ $transfer++; -+ } -+ if (defined(my $data = $server->bio_read())) { -+ $pcap && $pcap->write(1,$data); -+ $DEBUG && warn "server -> client: ".length($data)." bytes\n"; -+ $client->bio_write($data); -+ # assume certificate was sent if length>700 -+ push @hs, length($data) > 700 ? '<[C]':'<'; -+ $TRANSFER{server} += length($data); -+ $transfer++; -+ } -+ if (!$transfer) { -+ # no more data to transfer - assume we are done -+ $client_done = $server_done = 1; -+ } -+ } -+ -+ return -+ !$client_done || !$server_done ? 'failed' : -+ "@hs" eq '> <[C] > <' ? 'full' : -+ "@hs" eq '> < >' ? 'reuse' : -+ "@hs"; -+} -+ -+ -+{ -+ package _minSSL; -+ sub new { -+ my ($class,%args) = @_; -+ my $ctx = Net::SSLeay::CTX_tlsv1_new(); -+ Net::SSLeay::CTX_set_options($ctx,Net::SSLeay::OP_ALL()); -+ Net::SSLeay::CTX_set_cipher_list($ctx,'AES128-SHA'); -+ my $id = 'client'; -+ if ($args{cert}) { -+ my ($cert,$key) = @{ delete $args{cert} }; -+ Net::SSLeay::set_cert_and_key($ctx, $cert, $key) -+ || die "failed to use cert file $cert,$key"; -+ $id = 'server'; -+ } -+ -+ my $self = bless { id => $id, ctx => $ctx }, $class; -+ return $self; -+ } -+ -+ sub state_accept { -+ my $self = shift; -+ _reset($self); -+ Net::SSLeay::set_accept_state($self->{ssl}); -+ } -+ -+ sub state_connect { -+ my $self = shift; -+ _reset($self); -+ Net::SSLeay::set_connect_state($self->{ssl}); -+ } -+ -+ sub handshake { -+ my $self = shift; -+ my $rv = Net::SSLeay::do_handshake($self->{ssl}); -+ $rv = _error($self,$rv); -+ return $rv; -+ } -+ -+ sub ssl_read { -+ my ($self) = @_; -+ my ($data,$rv) = Net::SSLeay::read($self->{ssl}); -+ return _error($self,$rv || -1) if !$rv || $rv<0; -+ return $data; -+ } -+ -+ sub bio_write { -+ my ($self,$data) = @_; -+ defined $data and $data ne '' or return; -+ Net::SSLeay::BIO_write($self->{rbio},$data); -+ } -+ -+ sub ssl_write { -+ my ($self,$data) = @_; -+ my $rv = Net::SSLeay::write($self->{ssl},$data); -+ return _error($self,$rv || -1) if !$rv || $rv<0; -+ return $rv; -+ } -+ -+ sub bio_read { -+ my ($self) = @_; -+ return Net::SSLeay::BIO_read($self->{wbio}); -+ } -+ -+ sub _ssl { shift->{ssl} } -+ sub _ctx { shift->{ctx} } -+ -+ sub _reset { -+ my $self = shift; -+ my $ssl = Net::SSLeay::new($self->{ctx}); -+ my @bio = ( -+ Net::SSLeay::BIO_new(Net::SSLeay::BIO_s_mem()), -+ Net::SSLeay::BIO_new(Net::SSLeay::BIO_s_mem()), -+ ); -+ Net::SSLeay::set_bio($ssl,$bio[0],$bio[1]); -+ $self->{ssl} = $ssl; -+ $self->{rbio} = $bio[0]; -+ $self->{wbio} = $bio[1]; -+ } -+ -+ sub _error { -+ my ($self,$rv) = @_; -+ if ($rv>0) { -+ $SSL_ERROR = undef; -+ return $rv; -+ } -+ my $err = Net::SSLeay::get_error($self->{ssl},$rv); -+ if ($err == Net::SSLeay::ERROR_WANT_READ() -+ || $err == Net::SSLeay::ERROR_WANT_WRITE()) { -+ $SSL_ERROR = $err; -+ $DEBUG && warn "[$self->{id}] rw:$err\n"; -+ return; -+ } -+ $DEBUG && warn "[$self->{id}] ".Net::SSLeay::ERR_error_string($err)."\n"; -+ return; -+ } -+ -+} -Index: lib/Net/SSLeay.pod -=================================================================== ---- a/lib/Net/SSLeay.pod (revision 465) -+++ b/lib/Net/SSLeay.pod (working copy) -@@ -44,6 +44,8 @@ - to use at least 0.9.7 (as older versions are not tested during development). Some low level API functions - may be available with certain openssl versions. - -+It is compatible with OpenSSL 1.0 and 1.1. Some functions are not available under OpenSSL 1.1. -+ - L<Net::SSLeay> module basically comprise of: - - =over -@@ -1393,8 +1395,8 @@ - - Set the key referenced by $pkey to $key - --B<NOTE:> In accordance with the OpenSSL naming convention the $key assigned --to the $pkey using the "1" functions must be freed as well as $pkey. -+B<NOTE:> No reference counter will be increased, i.e. $key will be freed if -+$pkey is freed. - - my $rv = Net::SSLeay::EVP_PKEY_assign_RSA($pkey, $key); - # $pkey - value corresponding to openssl's EVP_PKEY structure -@@ -1402,8 +1404,25 @@ - # - # returns: 1 on success, 0 on failure - --Check openssl doc L<http://www.openssl.org/docs/crypto/EVP_PKEY_set1_RSA.html|http://www.openssl.org/docs/crypto/EVP_PKEY_set1_RSA.html> -+Check openssl doc L<http://www.openssl.org/docs/crypto/EVP_PKEY_assign_RSA.html|http://www.openssl.org/docs/crypto/EVP_PKEY_assign_RSA.html> -+ -+=item * EVP_PKEY_assign_EC_KEY - -+B<COMPATIBILITY:> not available in Net-SSLeay-1.74 and before -+ -+Set the key referenced by $pkey to $key -+ -+B<NOTE:> No reference counter will be increased, i.e. $key will be freed if -+$pkey is freed. -+ -+ my $rv = Net::SSLeay::EVP_PKEY_assign_EC_KEY($pkey, $key); -+ # $pkey - value corresponding to openssl's EVP_PKEY structure -+ # $key - value corresponding to openssl's EC_KEY structure -+ # -+ # returns: 1 on success, 0 on failure -+ -+Check openssl doc L<http://www.openssl.org/docs/crypto/EVP_PKEY_assign_EC_KEY.html|http://www.openssl.org/docs/crypto/EVP_PKEY_assign_EC_KEY.html> -+ - =item * EVP_PKEY_bits - - B<COMPATIBILITY:> not available in Net-SSLeay-1.45 and before -@@ -1844,6 +1863,11 @@ - # - # returns: no return value - -+Not available with OpenSSL 1.1 and later. -+Code that previously used -+ SESSION_set_master_key must now set $secret in the session_secret -+ callback set with SSL_set_session_secret_cb. -+ - =item * SESSION_get_time - - Returns the time at which the session s was established. -@@ -2447,6 +2471,8 @@ - # - # returns: result of SSL_CTRL_NEED_TMP_RSA command - -+Not available with OpenSSL 1.1 and later. -+ - =item * CTX_new - - The same as L</CTX_v23_new> -@@ -2457,6 +2483,8 @@ - - Check openssl doc L<http://www.openssl.org/docs/ssl/SSL_CTX_new.html|http://www.openssl.org/docs/ssl/SSL_CTX_new.html> - -+Not available with OpenSSL 1.1 and later. -+ - =item * CTX_v2_new - - Creates a new SSL_CTX object - based on SSLv2_method() - as framework to establish TLS/SSL enabled connections. -@@ -2906,6 +2934,8 @@ - - Check openssl doc L<http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_rsa_callback.html|http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_rsa_callback.html> - -+Not available with OpenSSL 1.1 and later. -+ - =item * CTX_set_tmp_rsa_callback - - Sets the callback function for ctx to be used when a temporary/ephemeral RSA key is required to $tmp_rsa_callback. -@@ -2920,6 +2950,8 @@ - - Check openssl doc L<http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_rsa_callback.html|http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_rsa_callback.html> - -+Not available with OpenSSL 1.1 and later. -+ - =item * CTX_set_trust - - my $rv = Net::SSLeay::CTX_set_trust($s, $trust); -@@ -3436,10 +3468,10 @@ - - =item * get_keyblock_size - -+Gets the length of the TLS keyblock. -+ - B<NOTE:> Does not exactly correspond to any low level API function. - --??? (more info needed) -- - my $rv = Net::SSLeay::get_keyblock_size($ssl); - # $ssl - value corresponding to openssl's SSL structure - # -@@ -3680,6 +3712,8 @@ - - Net::SSLeay::set_state($ssl,Net::SSLeay::SSL_ST_ACCEPT()); - -+Not available with OpenSSL 1.1 and later. -+ - =item * get_verify_depth - - Returns the verification depth limit currently set in $ssl. -@@ -3829,6 +3863,8 @@ - # - # returns: command result - -+Not available with OpenSSL 1.1 and later. -+ - =item * num_renegotiations - - Executes SSL_CTRL_GET_NUM_RENEGOTIATIONS command on $ssl. -@@ -4131,6 +4167,91 @@ - # - # returns: no return value - -+The callback function will be called like: -+callback_function($secret, $ciphers, $pref_cipher, $data); -+ -+# $secret is the current master session key, usually all 0s at the beginning of a session -+# $ciphers is ref to an array of peer cipher names -+# $pref_cipher is a ref to an index into the list of cipher names of -+# the preferred cipher. Set it if you want to specify a preferred cipher -+# $data is the data passed to set_session_secret_cb -+ -+The callback function should return 1 if it likes the suggested cipher (or has selected an alternative -+by setting pref_cipher), else it should return 0 (in which case OpenSSL will select its own preferred cipher). -+ -+With OpenSSL 1.1 and later, callback_function can change the master key for the session by -+altering $secret and returning 1. -+ -+=item * CTX_set_tlsext_ticket_getkey_cb -+ -+Setup encryption for TLS session tickets (stateless session reuse). -+ -+ Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb($ctx, $func, $data); -+ # $ctx - value corresponding to openssl's SSL_CTX structure -+ # $func - perl reference to callback function -+ # $data - [optional] data that will be passed to callback function when invoked -+ # -+ # returns: no return value -+ -+The callback function will be called like: -+getkey($data,[$key_name]) -> ($key,$current_key_name) -+ -+# $data is the data passed to set_session_secret_cb -+# $key_name is the name of the key OpenSSL has extracted from the session ticket -+# $key is the requested key for ticket encryption + HMAC -+# $current_key_name is the name for the currently valid key -+ -+OpenSSL will call the function without a key name if it generates a new ticket. -+It then needs the callback to return the encryption+HMAC key and an identifier -+(key name) for this key. -+ -+When OpenSSL gets a session ticket from the client it extracts the key name and -+calls the callback with this name as argument. It then expects the callback to -+return the encryption+HMAC key matching the requested key name and and also the -+key name which should be used at the moment. If the requested key name and the -+returned key name differ it means that this session ticket was created with an -+expired key and need to be renewed. In this case OpenSSL will call the callback -+again with no key name to create a new session ticket based on the old one. -+ -+The key must be at least 32 byte of random data which can be created with -+RAND_bytes. Internally the first 16 byte are used as key in AES-128 encryption -+while the next 16 byte are used for the SHA-256 HMAC. -+The key name are binary data and must be exactly 16 byte long. -+ -+Example: -+ -+ Net::SSLeay::RAND_bytes(my $oldkey,32); -+ Net::SSLeay::RAND_bytes(my $newkey,32); -+ my $oldkey_name = pack("a16",'oldsecret'); -+ my $newkey_name = pack("a16",'newsecret'); -+ -+ my @keys = ( -+ [ $newkey_name, $newkey ], # current active key -+ [ $oldkey_name, $oldkey ], # already expired -+ ); -+ -+ Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb($server2->_ctx, sub { -+ my ($mykeys,$name) = @_; -+ -+ # return (current_key, current_key_name) if no name given -+ return ($mykeys->[0][1],$mykeys->[0][0]) if ! $name; -+ -+ # return (matching_key, current_key_name) if we find a key matching -+ # the given name -+ for(my $i = 0; $i<@$mykeys; $i++) { -+ next if $name ne $mykeys->[$i][0]; -+ return ($mykeys->[$i][1],$mykeys->[0][0]); -+ } -+ -+ # no matching key found -+ return; -+ },\@keys); -+ -+ -+This function is based on the OpenSSL function SSL_CTX_set_tlsext_ticket_key_cb -+but provides a simpler to use interface. For more information see -+L<http://www.openssl.org/docs/ssl/SSL_CTX_set_tlsext_ticket_key_cb.html|http://www.openssl.org/docs/ssl/SSL_CTX_set_tlsext_ticket_key_cb.html> -+ - =item * set_shutdown - - Sets the shutdown state of $ssl to $mode. -@@ -7961,6 +8082,23 @@ - - TBA - -+=item * EC_KEY_generate_key -+ -+Generates a EC key and returns it in a newly allocated EC_KEY structure. -+The EC key then can be used to create a PKEY which can be used in calls -+like X509_set_pubkey. -+ -+ my $key = Net::SSLeay::EVP_PKEY_new(); -+ my $ec = Net::SSLeay::EC_KEY_generate_key($curve); -+ Net::SSLeay::EVP_PKEY_assign_EC_KEY($key,$ec); -+ -+ # $curve - curve name like 'secp521r1' or the matching Id (integer) of the curve -+ # -+ # returns: value corresponding to openssl's EC_KEY structure (0 on failure) -+ -+This function has no equivalent in OpenSSL but combines multiple OpenSSL -+functions for an easier interface. -+ - =back - - -Index: MANIFEST -=================================================================== ---- a/MANIFEST (revision 465) -+++ b/MANIFEST (working copy) -@@ -113,5 +113,7 @@ - t/local/50_digest.t - t/local/61_threads-cb-crash.t - t/local/62_threads-ctx_new-deadlock.t -+t/local/63_ec_key_generate_key.t -+t/local/64_ticket_sharing.t - t/local/kwalitee.t - typemap -Index: Changes -=================================================================== ---- a/Changes (revision 465) -+++ b/Changes (working copy) -@@ -1,5 +1,41 @@ - Revision history for Perl extension Net::SSLeay. - -+1.75 ????? -+ Compatibility with OpenSSL 1.1, tested with openssl-1.1.0-pre5: -+ - Conditionally remove threading locking code, not needed in 1.1 -+ - Rewrite code that accesses inside X509_ATTRIBUTE struct. -+ - SSL_CTX_need_tmp_RSA, SSL_CTX_set_tmp_rsa, -+ SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback support -+ not available in 1.1. -+ - SSL_session_reused is now native -+ - SSL_get_keyblock_size modifed to use new API -+ - OCSP functions modified to use new API under 1.1 -+ - SSL_set_state removed with 1.1 -+ - SSL_get_state and SSL_state are now equivalent and available in all -+ versions -+ - SSL_CTX_v2_new removed -+ - SESSION_set_master_key removed with 1.1. Code that previously used -+ SESSION_set_master_key must now set $secret in the session_secret -+ callback set with SSL_set_session_secret_cb -+ - With 1.1, $secret in the session_secret -+ callback set with SSL_set_session_secret_cb can be changed to alter -+ the master key (required by EAP-FAST). -+ Added a function EC_KEY_generate_key similar to RSA_generate_key and a -+ function EVP_PKEY_assign_EC_KEY similar to EVP_PKEY_assign_RSA. Using -+ these functions it is easy to create and use EC keys in the same way as -+ RSA keys. Patch provided by Steffen Ullrich. Thanks Steffen. -+ Testing with LibreSSL 2.4.1, with compatibility patch from Steffen -+ Ullrich. Thanks Steffen. -+ Patch from Steffen Ulrich provides support for cross context (and cross process) -+ session sharing using the stateless TLS session tickets. It uses the -+ SSL_CTX_set_tlsext_ticket_key_cb function to manage the encryption and -+ decryption of the tickets but provides a more simplified -+ interface. Includes new function CTX_set_tlsext_ticket_getkey_cb. -+ To not conflict with the OpenSSL name in case the more complex interface -+ will be implemented ever the current simplified interface is called -+ slightly different: CTX_set_tlsext_ticket_*get*key_cb. -+ Added documentation about downloading latest version from SVN. -+ - 1.74 2016-04-12 - README.OSX was missing from the distribution - -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libnet-ssleay-perl.git _______________________________________________ Pkg-perl-cvs-commits mailing list Pkg-perl-cvs-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits