This is an automated email from the git hooks/post-receive script. dom pushed a commit to branch experimental in repository libnet-ssleay-perl.
commit 29b1148ef6aaf48032cefe9f442cec68baf48a89 Author: Dominic Hargreaves <d...@earth.li> Date: Thu Jul 28 11:01:27 2016 +0100 Update OpenSSL patch to latest from Subversion --- debian/changelog | 4 +- debian/patches/series | 2 +- .../patches/{openssl-1.1.patch => svn-r472.patch} | 684 +++++++++++++++++++-- 3 files changed, 641 insertions(+), 49 deletions(-) diff --git a/debian/changelog b/debian/changelog index 4dd3150..9d69e60 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -libnet-ssleay-perl (1.74-2) experimental; urgency=medium +libnet-ssleay-perl (1.74-1+svn472) experimental; urgency=medium [ gregor herrmann ] * debian/copyright: change Copyright-Format 1.0 URL to HTTPS. @@ -7,7 +7,7 @@ libnet-ssleay-perl (1.74-2) experimental; urgency=medium * OpenSSL 1.1 patch from upstream SVN (Closes: #828401) * Remove Franck Joncourt from Uploaders (Closes: #831307) - -- Dominic Hargreaves <d...@earth.li> Sat, 09 Jul 2016 00:02:40 +0200 + -- Dominic Hargreaves <d...@earth.li> Thu, 28 Jul 2016 11:01:20 +0100 libnet-ssleay-perl (1.74-1) unstable; urgency=medium diff --git a/debian/patches/series b/debian/patches/series index 9cc133e..3d5191d 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,3 @@ 0001-fix-typo-in-manpage.patch 20no-stray-libz-link.patch -openssl-1.1.patch +svn-r472.patch diff --git a/debian/patches/openssl-1.1.patch b/debian/patches/svn-r472.patch similarity index 54% rename from debian/patches/openssl-1.1.patch rename to debian/patches/svn-r472.patch index 806f90e..322ec9f 100644 --- a/debian/patches/openssl-1.1.patch +++ b/debian/patches/svn-r472.patch @@ -1,7 +1,33 @@ Subject: OpenSSL 1.1 support Author: Mike McCauley <mi...@airspayce.com> -Origin: svn://svn.debian.org/svn/net-ssleay@469 +Origin: svn://svn.debian.org/svn/net-ssleay@472 +Removed patched ext/Module/Install/PRIVATE/Net/SSLeay.pm which doesn't +exist in released version + +Index: inc/Module/Install/PRIVATE/Net/SSLeay.pm +=================================================================== +--- a/inc/Module/Install/PRIVATE/Net/SSLeay.pm (revision 465) ++++ b/inc/Module/Install/PRIVATE/Net/SSLeay.pm (working copy) +@@ -1,5 +1,4 @@ + #line 1 +-#line 1 + package Module::Install::PRIVATE::Net::SSLeay; + + use strict; +Index: Makefile.PL +=================================================================== +--- a/Makefile.PL (revision 465) ++++ b/Makefile.PL (working copy) +@@ -8,7 +8,7 @@ + use File::Spec; + + name('Net-SSLeay'); +-license 'perl'; ++license('perl'); + all_from('lib/Net/SSLeay.pm'); + + ssleay(); Index: SSLeay.xs =================================================================== --- a/SSLeay.xs (revision 465) @@ -93,7 +119,109 @@ Index: SSLeay.xs } PUTBACK; -@@ -1404,8 +1421,10 @@ +@@ -1221,7 +1238,101 @@ + LEAVE; + } + ++/* ++ * Support for tlsext_ticket_key_cb_invoke was already in 0.9.8 but it was ++ * broken in various ways during the various 1.0.0* versions. ++ * Better enable it only starting with 1.0.1. ++*/ ++#if defined(SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB) && OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_TLSEXT) ++#define NET_SSLEAY_CAN_TICKET_KEY_CB + ++int tlsext_ticket_key_cb_invoke( ++ SSL *ssl, ++ unsigned char *key_name, ++ unsigned char *iv, ++ EVP_CIPHER_CTX *ectx, ++ HMAC_CTX *hctx, ++ int enc ++){ ++ ++ dSP; ++ int count; ++ SV *cb_func, *cb_data; ++ SV *sv_name, *sv_key; ++ STRLEN svlen; ++ unsigned char *key; /* key[0..15] aes, key[16..32] hmac */ ++ unsigned char *name; ++ SSL_CTX *ctx = SSL_get_SSL_CTX(ssl); ++ ++ PR1("STARTED: tlsext_ticket_key_cb_invoke\n"); ++ cb_func = cb_data_advanced_get(ctx, "tlsext_ticket_key_cb!!func"); ++ cb_data = cb_data_advanced_get(ctx, "tlsext_ticket_key_cb!!data"); ++ ++ if (!SvROK(cb_func) || (SvTYPE(SvRV(cb_func)) != SVt_PVCV)) ++ croak("callback must be a code reference"); ++ ++ ENTER; ++ SAVETMPS; ++ PUSHMARK(SP); ++ XPUSHs(sv_2mortal(newSVsv(cb_data))); ++ ++ if (!enc) { ++ /* call as getkey(data,this_name) -> (key,current_name) */ ++ XPUSHs(sv_2mortal(newSVpv(key_name,16))); ++ } else { ++ /* call as getkey(data) -> (key,current_name) */ ++ } ++ ++ ++ PUTBACK; ++ count = call_sv( cb_func, G_ARRAY ); ++ ++ SPAGAIN; ++ if (count>0) sv_name = POPs; ++ if (count>1) sv_key = POPs; ++ ++ if (!enc && ( !count || !SvOK(sv_key) )) { ++ TRACE(2,"no key returned for ticket"); ++ return 0; ++ } ++ ++ if (count != 2) ++ croak("key functions needs to return (key,name)"); ++ key = SvPV(sv_key,svlen); ++ if (svlen < 32) ++ croak("key must be at least 32 random bytes, got %d",svlen); ++ name = SvPV(sv_name,svlen); ++ if (svlen != 16) ++ croak("name should be exactly 16 characters, got %d",svlen); ++ if (svlen == 0) ++ croak("name should not be empty"); ++ ++ if (enc) { ++ /* encrypt ticket information with given key */ ++ RAND_bytes(iv, 16); ++ EVP_EncryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, key, iv); ++ HMAC_Init_ex(hctx,key+16,16,EVP_sha256(),NULL); ++ bzero(key_name,16); ++ memcpy(key_name,name,svlen); ++ return 1; ++ } else { ++ unsigned char new_name[16]; ++ bzero(new_name,16); ++ memcpy(new_name,name,svlen); ++ ++ HMAC_Init_ex(hctx,key+16,16,EVP_sha256(),NULL); ++ EVP_DecryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, key, iv); ++ ++ if (memcmp(new_name,key_name,16) == 0) ++ return 1; /* current key was used */ ++ else ++ return 2; /* different key was used, need to be renewed */ ++ } ++} ++ ++#endif ++ ++ + /* ============= end of callback stuff, begin helper functions ============== */ + + time_t ASN1_TIME_timet(ASN1_TIME *asn1t) { +@@ -1404,8 +1515,10 @@ OUTPUT: RETVAL @@ -105,7 +233,7 @@ Index: SSLeay.xs SSL_CTX * SSL_CTX_v2_new() CODE: -@@ -1414,7 +1433,7 @@ +@@ -1414,7 +1527,7 @@ RETVAL #endif @@ -114,7 +242,7 @@ Index: SSLeay.xs #ifndef OPENSSL_NO_SSL3 SSL_CTX * -@@ -2105,10 +2124,35 @@ +@@ -2105,10 +2218,35 @@ SSL_want(s) SSL * s @@ -150,7 +278,7 @@ Index: SSLeay.xs #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT) long -@@ -2734,19 +2778,15 @@ +@@ -2734,19 +2872,15 @@ X509_ATTRIBUTE * att; int count, i; ASN1_STRING * s; @@ -176,7 +304,7 @@ Index: SSLeay.xs #endif -@@ -4439,6 +4479,7 @@ +@@ -4439,6 +4573,7 @@ const unsigned char * sid_ctx unsigned int sid_ctx_len @@ -184,7 +312,7 @@ Index: SSLeay.xs void SSL_CTX_set_tmp_rsa_callback(ctx, cb) SSL_CTX * ctx -@@ -4449,6 +4490,8 @@ +@@ -4449,6 +4584,8 @@ SSL * ssl cb_ssl_int_int_ret_RSA * cb @@ -193,7 +321,7 @@ Index: SSLeay.xs void SSL_CTX_set_tmp_dh_callback(ctx, dh) SSL_CTX * ctx -@@ -4526,6 +4569,7 @@ +@@ -4526,6 +4663,7 @@ OUTPUT: RETVAL @@ -201,7 +329,7 @@ Index: SSLeay.xs long SSL_CTX_need_tmp_RSA(ctx) SSL_CTX * ctx -@@ -4534,6 +4578,8 @@ +@@ -4534,6 +4672,8 @@ OUTPUT: RETVAL @@ -210,7 +338,7 @@ Index: SSLeay.xs int SSL_CTX_set_app_data(ctx,arg) SSL_CTX * ctx -@@ -4575,11 +4621,14 @@ +@@ -4575,11 +4715,14 @@ SSL_CTX * ctx DH * dh @@ -225,7 +353,7 @@ Index: SSLeay.xs #if OPENSSL_VERSION_NUMBER > 0x10000000L && !defined OPENSSL_NO_EC EC_KEY * -@@ -4591,12 +4640,55 @@ +@@ -4591,12 +4734,55 @@ EC_KEY * key long @@ -282,7 +410,7 @@ Index: SSLeay.xs void * SSL_get_app_data(s) SSL * s -@@ -4622,25 +4714,20 @@ +@@ -4622,25 +4808,20 @@ OUTPUT: RETVAL @@ -312,7 +440,7 @@ Index: SSLeay.xs long SSL_need_tmp_RSA(ssl) SSL * ssl -@@ -4649,6 +4736,9 @@ +@@ -4649,6 +4830,9 @@ OUTPUT: RETVAL @@ -322,7 +450,7 @@ Index: SSLeay.xs long SSL_num_renegotiations(ssl) SSL * ssl -@@ -4668,10 +4758,6 @@ +@@ -4668,10 +4852,6 @@ long SSL_session_reused(ssl) SSL * ssl @@ -333,7 +461,7 @@ Index: SSLeay.xs int SSL_SESSION_set_app_data(s,a) -@@ -4714,6 +4800,7 @@ +@@ -4714,6 +4894,7 @@ SSL * ssl DH * dh @@ -341,7 +469,7 @@ Index: SSLeay.xs long SSL_set_tmp_rsa(ssl,rsa) SSL * ssl -@@ -4723,6 +4810,7 @@ +@@ -4723,6 +4904,7 @@ OUTPUT: RETVAL @@ -349,7 +477,7 @@ Index: SSLeay.xs #ifdef __ANDROID__ -@@ -4855,13 +4943,33 @@ +@@ -4855,13 +5037,33 @@ OUTPUT: RETVAL @@ -383,7 +511,7 @@ Index: SSLeay.xs void SSL_SESSION_set_master_key(s,key) SSL_SESSION * s -@@ -4873,24 +4981,80 @@ +@@ -4873,24 +5075,80 @@ memcpy(s->master_key, key, len); s->master_key_length = len; @@ -464,7 +592,7 @@ Index: SSLeay.xs if (s == NULL || s->enc_read_ctx == NULL || s->enc_read_ctx->cipher == NULL || -@@ -4919,6 +5083,8 @@ +@@ -4919,6 +5177,8 @@ EVP_CIPHER_iv_length(c))) : -1; } @@ -473,7 +601,7 @@ Index: SSLeay.xs OUTPUT: RETVAL -@@ -4956,9 +5122,7 @@ +@@ -4956,13 +5216,34 @@ else { cb_data_advanced_put(s, "ssleay_session_secret_cb!!func", newSVsv(callback)); cb_data_advanced_put(s, "ssleay_session_secret_cb!!data", newSVsv(data)); @@ -484,7 +612,34 @@ Index: SSLeay.xs } #endif -@@ -5382,7 +5546,11 @@ + ++#ifdef NET_SSLEAY_CAN_TICKET_KEY_CB ++ ++void ++SSL_CTX_set_tlsext_ticket_getkey_cb(ctx,callback=&PL_sv_undef,data=&PL_sv_undef) ++ SSL_CTX * ctx ++ SV * callback ++ SV * data ++ CODE: ++ if (callback==NULL || !SvOK(callback)) { ++ SSL_CTX_set_tlsext_ticket_key_cb(ctx, NULL); ++ cb_data_advanced_put(ctx, "tlsext_ticket_key_cb!!func", NULL); ++ cb_data_advanced_put(ctx, "tlsext_ticket_key_cb!!data", NULL); ++ } ++ else { ++ cb_data_advanced_put(ctx, "tlsext_ticket_key_cb!!func", newSVsv(callback)); ++ cb_data_advanced_put(ctx, "tlsext_ticket_key_cb!!data", newSVsv(data)); ++ SSL_CTX_set_tlsext_ticket_key_cb(ctx, &tlsext_ticket_key_cb_invoke); ++ } ++ ++ ++#endif ++ ++ + #if OPENSSL_VERSION_NUMBER < 0x0090700fL + #define REM11 "NOTE: before 0.9.7" + +@@ -5382,7 +5663,11 @@ P_X509_get_signature_alg(x) X509 * x CODE: @@ -496,7 +651,7 @@ Index: SSLeay.xs OUTPUT: RETVAL -@@ -5389,8 +5557,17 @@ +@@ -5389,8 +5674,17 @@ ASN1_OBJECT * P_X509_get_pubkey_alg(x) X509 * x @@ -514,7 +669,7 @@ Index: SSLeay.xs OUTPUT: RETVAL -@@ -5705,8 +5882,7 @@ +@@ -5705,8 +5999,7 @@ * response does not contain the chain up to the trusted root */ STACK_OF(X509) *chain = SSL_get_peer_cert_chain(ssl); for(i=0;i<sk_X509_num(chain);i++) { @@ -524,7 +679,7 @@ Index: SSLeay.xs } TRACE(1,"run basic verify"); RETVAL = OCSP_basic_verify(bsr, NULL, store, flags); -@@ -5718,7 +5894,7 @@ +@@ -5718,7 +6011,7 @@ X509 *issuer; X509 *last = sk_X509_value(chain,sk_X509_num(chain)-1); if ( (issuer = find_issuer(last,store,chain))) { @@ -533,7 +688,7 @@ Index: SSLeay.xs TRACE(1,"run OCSP_basic_verify with issuer for last chain element"); RETVAL = OCSP_basic_verify(bsr, NULL, store, flags); } -@@ -5736,7 +5912,6 @@ +@@ -5736,7 +6029,6 @@ OCSP_BASICRESP *bsr; int i,want_array; time_t nextupd = 0; @@ -541,7 +696,7 @@ Index: SSLeay.xs int getall,sksn; bsr = OCSP_response_get1_basic(rsp); -@@ -5744,8 +5919,7 @@ +@@ -5744,8 +6036,7 @@ want_array = (GIMME == G_ARRAY); getall = (items <= 1); @@ -551,7 +706,7 @@ Index: SSLeay.xs for(i=0; i < (getall ? sksn : items-1); i++) { const char *error = NULL; -@@ -5754,9 +5928,8 @@ +@@ -5754,9 +6045,8 @@ SV *idsv = NULL; if(getall) { @@ -562,7 +717,7 @@ Index: SSLeay.xs STRLEN len; const unsigned char *p; -@@ -5767,22 +5940,36 @@ +@@ -5767,22 +6057,36 @@ error = "failed to get OCSP certid from string"; goto end; } @@ -612,7 +767,7 @@ Index: SSLeay.xs } end: -@@ -5791,12 +5978,20 @@ +@@ -5791,12 +6095,20 @@ if (!idsv) { /* getall: create new SV with OCSP_CERTID */ unsigned char *pi,*pc; @@ -633,7 +788,7 @@ Index: SSLeay.xs idsv = newSVpv((char*)pc,len); Safefree(pc); } else { -@@ -5809,26 +6004,26 @@ +@@ -5809,26 +6121,26 @@ HV *details = newHV(); av_push(idav,newRV_noinc((SV*)details)); hv_store(details,"statusType",10, @@ -673,19 +828,40 @@ Index: SSLeay.xs if (!nextupd || nextupd>nu) nextupd = nu; } -Index: t/local/32_x509_get_cert_info.t +Index: README =================================================================== ---- a/t/local/32_x509_get_cert_info.t (revision 465) -+++ b/t/local/32_x509_get_cert_info.t (working copy) -@@ -175,7 +175,7 @@ - } - - SKIP: { -- skip('crl_distribution_points requires 0.9.7+', scalar(@{$dump->{$f}->{cdp}})+1) unless Net::SSLeay::SSLeay >= 0x0090700f; -+ skip('crl_distribution_points requires 0.9.7+', int(@{$dump->{$f}->{cdp}})+1) unless Net::SSLeay::SSLeay >= 0x0090700f; - my @cdp = Net::SSLeay::P_X509_get_crl_distribution_points($x509); - is(scalar(@cdp), scalar(@{$dump->{$f}->{cdp}}), "cdp size\t$f"); - for my $i (0..$#cdp) { +--- a/README (revision 465) ++++ b/README (working copy) +@@ -6,12 +6,18 @@ + + perl -MNet::SSLeay -e '($p)=Net::SSLeay::get_https("www.openssl.org", 443, "/"); print $p' + ++for the latest and possibly unstable version from SVN: ++ ++ svn co svn://svn.debian.org/svn/net-ssleay ++ ++ + Prerequisites + ------------- + +-perl-5.6.1 though anything starting from perl5.003 probably works. ++perl-5.6.1 though anything starting from perl5.003 probably works. Later ++ versions are OK. + +-OpenSSL-0.9.6j through to at least OpenSSL-1.0.2 and probably later ++OpenSSL-0.9.6j through to at least OpenSSL-1.1 and probably later + http://www.openssl.org/ - On Linux, you can either build and + install OpenSSL from scratch (its very portable) or you can + install the appropriate OpenSSL 'devel' package for your Linux +@@ -25,6 +31,8 @@ + in OpenSSL-0.9.2b. OpenSSL-0.9.1c support has also been dropped, + version 1.03 was the last one to support that. + ++LibreSSL is also supported. ++ + You should use the same C compiler and options to compile OpenSSL, + perl, and Net::SSLeay. This is the only supported configuration. + If you insist on using different compilers (perhaps because you Index: t/local/35_ephemeral.t =================================================================== --- a/t/local/35_ephemeral.t (revision 465) @@ -695,14 +871,27 @@ Index: t/local/35_ephemeral.t BEGIN { - plan skip_all => "libressl removed support for ephemeral/temporary RSA private keys" if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER"); -+ plan skip_all => "libressl and OpenSSL 1.1 removed support for ephemeral/temporary RSA private keys" if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") || $Net::SSLeay::VERSION > 1.74; ++ plan skip_all => "libressl and OpenSSL 1.1 removed support for ephemeral/temporary RSA private keys" if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") || Net::SSLeay::constant("OPENSSL_VERSION_NUMBER") >= 0x10100000; } plan tests => 3; +Index: t/local/32_x509_get_cert_info.t +=================================================================== +--- a/t/local/32_x509_get_cert_info.t (revision 465) ++++ b/t/local/32_x509_get_cert_info.t (working copy) +@@ -175,7 +175,7 @@ + } + + SKIP: { +- skip('crl_distribution_points requires 0.9.7+', scalar(@{$dump->{$f}->{cdp}})+1) unless Net::SSLeay::SSLeay >= 0x0090700f; ++ skip('crl_distribution_points requires 0.9.7+', int(@{$dump->{$f}->{cdp}})+1) unless Net::SSLeay::SSLeay >= 0x0090700f; + my @cdp = Net::SSLeay::P_X509_get_crl_distribution_points($x509); + is(scalar(@cdp), scalar(@{$dump->{$f}->{cdp}}), "cdp size\t$f"); + for my $i (0..$#cdp) { Index: t/local/63_ec_key_generate_key.t =================================================================== --- a/t/local/63_ec_key_generate_key.t (revision 0) -+++ b/t/local/63_ec_key_generate_key.t (revision 469) ++++ b/t/local/63_ec_key_generate_key.t (revision 472) @@ -0,0 +1,35 @@ +#!/usr/bin/perl + @@ -739,6 +928,281 @@ Index: t/local/63_ec_key_generate_key.t + my $newkey = Net::SSLeay::PEM_read_bio_PrivateKey($bio); + ok($newkey,"read key again from PEM"); +} +Index: t/local/64_ticket_sharing.t +=================================================================== +--- a/t/local/64_ticket_sharing.t (revision 0) ++++ b/t/local/64_ticket_sharing.t (revision 472) +@@ -0,0 +1,270 @@ ++#!/usr/bin/perl ++ ++use strict; ++use warnings; ++use Test::More; ++use Socket; ++use File::Spec; ++use Net::SSLeay; ++use Config; ++ ++# for debugging only ++my $DEBUG = 0; ++my $PCAP = 0; ++require Net::PcapWriter if $PCAP; ++ ++plan skip_all => "no support for tlsext_ticket_key_cb" ++ if ! defined &Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb; ++plan tests => 15; ++ ++Net::SSLeay::randomize(); ++Net::SSLeay::load_error_strings(); ++Net::SSLeay::ERR_load_crypto_strings(); ++Net::SSLeay::SSLeay_add_ssl_algorithms(); ++ ++my $SSL_ERROR; # set in _minSSL ++my %TRANSFER; # set in _handshake ++ ++my $client = _minSSL->new(); ++my $server = _minSSL->new( cert => [ ++ File::Spec->catfile('t','data','cert.pem'), ++ File::Spec->catfile('t','data','key.pem') ++]); ++ ++ ++# initial tests without reuse ++# ---------------------------------------------- ++is( _handshake($client,$server), 'full', "initial handshake is full"); ++is( _handshake($client,$server), 'full', "another full handshake"); ++ ++# explicitly reuse session in client to check that server accepts it ++# ---------------------------------------------- ++my $sess = Net::SSLeay::get1_session($client->_ssl); ++my $reuse = sub { Net::SSLeay::set_session($client->_ssl,$sess) }; ++is( _handshake($client,$server,$reuse),'reuse',"handshake with reuse"); ++is( _handshake($client,$server,$reuse),'reuse',"handshake again with reuse"); ++ ++# create another server and connect client with session from old server ++# should not be reused ++# ---------------------------------------------- ++my $server2 = _minSSL->new( cert => [ ++ File::Spec->catfile('t','data','cert.pem'), ++ File::Spec->catfile('t','data','key.pem') ++]); ++is( _handshake($client,$server2,$reuse),'full',"handshake with server2 is full"); ++ ++# now attach the same ticket key callback to both servers ++# ---------------------------------------------- ++Net::SSLeay::RAND_bytes(my $key,32); ++my $key_name = pack("a16",'secret'); ++my $keycb = sub { ++ my ($mykey,$name) = @_; ++ return ($mykey,$key_name) if ! $name or $key_name eq $name; ++ return; # unknown key ++}; ++Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb($server->_ctx, $keycb,$key); ++Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb($server2->_ctx,$keycb,$key); ++is( _handshake($client,$server),'full',"initial full handshake with server1"); ++$sess = Net::SSLeay::get1_session($client->_ssl); ++is( _handshake($client,$server,$reuse), 'reuse',"reuse session with server1"); ++is( _handshake($client,$server2,$reuse),'reuse',"reuse session with server2"); ++ ++# simulate rotation for $key: the callback returns now the right key, but ++# has a different current_name. It is expected that the callback is called again ++# for encryption with the new key and that a new session ticket gets sent to ++# the client ++# ---------------------------------------------- ++Net::SSLeay::RAND_bytes(my $newkey,32); ++my $newkey_name = pack("a16",'newsecret'); ++my @keys = ( ++ [ $newkey_name, $newkey ], # current default key ++ [ $key_name, $key ], # already expired ++); ++my @was_called_with; ++my %old_transfer = %TRANSFER; ++Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb($server2->_ctx, sub { ++ my (undef,$name) = @_; ++ push @was_called_with,$name || '<undef>'; ++ return ($keys[0][1],$keys[0][0]) if ! $name; ++ for(my $i = 0; $i<@keys; $i++) { ++ return ($keys[$i][1],$keys[0][0]) if $name eq $keys[$i][0]; ++ } ++ return; ++}); ++ ++my $expect_reuse = _handshake($client,$server2,$reuse); ++if ($expect_reuse eq '> < > <') { ++ # broken handshake seen with openssl 1.0.0 when a ticket was used where ++ # the key is still known but expired. It will do ++ # Encrypted Handshake Message, Change Cipher Spec, Encrypted Handshake Message ++ # in the last packet from server to client ++ is($expect_reuse,'> < > <',"(slightly broken) reuse session with old key with server2"); ++ ok( @was_called_with >= 2,'callback was called at least 2 times'); ++} else { ++ is($expect_reuse,'reuse',"reuse session with old key with server2"); ++ is( 0+@was_called_with,2,'callback was called 2 times'); ++} ++ ++is( $was_called_with[0],$key_name, 'first with the old key name'); ++is( $was_called_with[1],"<undef>", 'then with undef to get the current key'); ++ok( $TRANSFER{client} == $old_transfer{client}, 'no more data from client to server'); ++ok( $TRANSFER{server} > $old_transfer{server}, 'but more data from server (new ticket)'); ++ ++# finally try to reuse the session created with new key against server1 ++# this should result in a full handshake since server1 does not know newkey ++# ---------------------------------------------- ++$sess = Net::SSLeay::get1_session($client->_ssl); ++is( _handshake($client,$server,$reuse),'full',"full handshake with new ticker on server1"); ++ ++ ++ ++my $i; ++sub _handshake { ++ my ($client,$server,$after_init) = @_; ++ $client->state_connect; ++ $server->state_accept; ++ &$after_init if $after_init; ++ ++ my $pcap = $PCAP && do { ++ my $fname = 'test'.(++$i).'.pcap'; ++ open(my $fh,'>',$fname); ++ diag("pcap in $fname"); ++ $fh->autoflush; ++ Net::PcapWriter->new($fh)->tcp_conn('1.1.1.1',1000,'2.2.2.2',443); ++ }; ++ ++ my ($client_done,$server_done,@hs); ++ %TRANSFER = (); ++ for(my $tries = 0; $tries < 10 and !$client_done || !$server_done; $tries++ ) { ++ $client_done ||= $client->handshake || 0; ++ $server_done ||= $server->handshake || 0; ++ ++ my $transfer = 0; ++ if (defined(my $data = $client->bio_read())) { ++ $pcap && $pcap->write(0,$data); ++ $DEBUG && warn "client -> server: ".length($data)." bytes\n"; ++ $server->bio_write($data); ++ push @hs,'>'; ++ $TRANSFER{client} += length($data); ++ $transfer++; ++ } ++ if (defined(my $data = $server->bio_read())) { ++ $pcap && $pcap->write(1,$data); ++ $DEBUG && warn "server -> client: ".length($data)." bytes\n"; ++ $client->bio_write($data); ++ # assume certificate was sent if length>700 ++ push @hs, length($data) > 700 ? '<[C]':'<'; ++ $TRANSFER{server} += length($data); ++ $transfer++; ++ } ++ if (!$transfer) { ++ # no more data to transfer - assume we are done ++ $client_done = $server_done = 1; ++ } ++ } ++ ++ return ++ !$client_done || !$server_done ? 'failed' : ++ "@hs" eq '> <[C] > <' ? 'full' : ++ "@hs" eq '> < >' ? 'reuse' : ++ "@hs"; ++} ++ ++ ++{ ++ package _minSSL; ++ sub new { ++ my ($class,%args) = @_; ++ my $ctx = Net::SSLeay::CTX_tlsv1_new(); ++ Net::SSLeay::CTX_set_options($ctx,Net::SSLeay::OP_ALL()); ++ Net::SSLeay::CTX_set_cipher_list($ctx,'AES128-SHA'); ++ my $id = 'client'; ++ if ($args{cert}) { ++ my ($cert,$key) = @{ delete $args{cert} }; ++ Net::SSLeay::set_cert_and_key($ctx, $cert, $key) ++ || die "failed to use cert file $cert,$key"; ++ $id = 'server'; ++ } ++ ++ my $self = bless { id => $id, ctx => $ctx }, $class; ++ return $self; ++ } ++ ++ sub state_accept { ++ my $self = shift; ++ _reset($self); ++ Net::SSLeay::set_accept_state($self->{ssl}); ++ } ++ ++ sub state_connect { ++ my $self = shift; ++ _reset($self); ++ Net::SSLeay::set_connect_state($self->{ssl}); ++ } ++ ++ sub handshake { ++ my $self = shift; ++ my $rv = Net::SSLeay::do_handshake($self->{ssl}); ++ $rv = _error($self,$rv); ++ return $rv; ++ } ++ ++ sub ssl_read { ++ my ($self) = @_; ++ my ($data,$rv) = Net::SSLeay::read($self->{ssl}); ++ return _error($self,$rv || -1) if !$rv || $rv<0; ++ return $data; ++ } ++ ++ sub bio_write { ++ my ($self,$data) = @_; ++ defined $data and $data ne '' or return; ++ Net::SSLeay::BIO_write($self->{rbio},$data); ++ } ++ ++ sub ssl_write { ++ my ($self,$data) = @_; ++ my $rv = Net::SSLeay::write($self->{ssl},$data); ++ return _error($self,$rv || -1) if !$rv || $rv<0; ++ return $rv; ++ } ++ ++ sub bio_read { ++ my ($self) = @_; ++ return Net::SSLeay::BIO_read($self->{wbio}); ++ } ++ ++ sub _ssl { shift->{ssl} } ++ sub _ctx { shift->{ctx} } ++ ++ sub _reset { ++ my $self = shift; ++ my $ssl = Net::SSLeay::new($self->{ctx}); ++ my @bio = ( ++ Net::SSLeay::BIO_new(Net::SSLeay::BIO_s_mem()), ++ Net::SSLeay::BIO_new(Net::SSLeay::BIO_s_mem()), ++ ); ++ Net::SSLeay::set_bio($ssl,$bio[0],$bio[1]); ++ $self->{ssl} = $ssl; ++ $self->{rbio} = $bio[0]; ++ $self->{wbio} = $bio[1]; ++ } ++ ++ sub _error { ++ my ($self,$rv) = @_; ++ if ($rv>0) { ++ $SSL_ERROR = undef; ++ return $rv; ++ } ++ my $err = Net::SSLeay::get_error($self->{ssl},$rv); ++ if ($err == Net::SSLeay::ERROR_WANT_READ() ++ || $err == Net::SSLeay::ERROR_WANT_WRITE()) { ++ $SSL_ERROR = $err; ++ $DEBUG && warn "[$self->{id}] rw:$err\n"; ++ return; ++ } ++ $DEBUG && warn "[$self->{id}] ".Net::SSLeay::ERR_error_string($err)."\n"; ++ return; ++ } ++ ++} Index: lib/Net/SSLeay.pod =================================================================== --- a/lib/Net/SSLeay.pod (revision 465) @@ -869,7 +1333,7 @@ Index: lib/Net/SSLeay.pod =item * num_renegotiations Executes SSL_CTRL_GET_NUM_RENEGOTIATIONS command on $ssl. -@@ -4131,6 +4167,21 @@ +@@ -4131,6 +4167,91 @@ # # returns: no return value @@ -888,10 +1352,80 @@ Index: lib/Net/SSLeay.pod +With OpenSSL 1.1 and later, callback_function can change the master key for the session by +altering $secret and returning 1. + ++=item * CTX_set_tlsext_ticket_getkey_cb ++ ++Setup encryption for TLS session tickets (stateless session reuse). ++ ++ Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb($ctx, $func, $data); ++ # $ctx - value corresponding to openssl's SSL_CTX structure ++ # $func - perl reference to callback function ++ # $data - [optional] data that will be passed to callback function when invoked ++ # ++ # returns: no return value ++ ++The callback function will be called like: ++getkey($data,[$key_name]) -> ($key,$current_key_name) ++ ++# $data is the data passed to set_session_secret_cb ++# $key_name is the name of the key OpenSSL has extracted from the session ticket ++# $key is the requested key for ticket encryption + HMAC ++# $current_key_name is the name for the currently valid key ++ ++OpenSSL will call the function without a key name if it generates a new ticket. ++It then needs the callback to return the encryption+HMAC key and an identifier ++(key name) for this key. ++ ++When OpenSSL gets a session ticket from the client it extracts the key name and ++calls the callback with this name as argument. It then expects the callback to ++return the encryption+HMAC key matching the requested key name and and also the ++key name which should be used at the moment. If the requested key name and the ++returned key name differ it means that this session ticket was created with an ++expired key and need to be renewed. In this case OpenSSL will call the callback ++again with no key name to create a new session ticket based on the old one. ++ ++The key must be at least 32 byte of random data which can be created with ++RAND_bytes. Internally the first 16 byte are used as key in AES-128 encryption ++while the next 16 byte are used for the SHA-256 HMAC. ++The key name are binary data and must be exactly 16 byte long. ++ ++Example: ++ ++ Net::SSLeay::RAND_bytes(my $oldkey,32); ++ Net::SSLeay::RAND_bytes(my $newkey,32); ++ my $oldkey_name = pack("a16",'oldsecret'); ++ my $newkey_name = pack("a16",'newsecret'); ++ ++ my @keys = ( ++ [ $newkey_name, $newkey ], # current active key ++ [ $oldkey_name, $oldkey ], # already expired ++ ); ++ ++ Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb($server2->_ctx, sub { ++ my ($mykeys,$name) = @_; ++ ++ # return (current_key, current_key_name) if no name given ++ return ($mykeys->[0][1],$mykeys->[0][0]) if ! $name; ++ ++ # return (matching_key, current_key_name) if we find a key matching ++ # the given name ++ for(my $i = 0; $i<@$mykeys; $i++) { ++ next if $name ne $mykeys->[$i][0]; ++ return ($mykeys->[$i][1],$mykeys->[0][0]); ++ } ++ ++ # no matching key found ++ return; ++ },\@keys); ++ ++ ++This function is based on the OpenSSL function SSL_CTX_set_tlsext_ticket_key_cb ++but provides a simpler to use interface. For more information see ++L<http://www.openssl.org/docs/ssl/SSL_CTX_set_tlsext_ticket_key_cb.html|http://www.openssl.org/docs/ssl/SSL_CTX_set_tlsext_ticket_key_cb.html> ++ =item * set_shutdown Sets the shutdown state of $ssl to $mode. -@@ -7961,6 +8012,23 @@ +@@ -7961,6 +8082,23 @@ TBA @@ -915,3 +1449,61 @@ Index: lib/Net/SSLeay.pod =back +Index: MANIFEST +=================================================================== +--- a/MANIFEST (revision 465) ++++ b/MANIFEST (working copy) +@@ -113,5 +113,7 @@ + t/local/50_digest.t + t/local/61_threads-cb-crash.t + t/local/62_threads-ctx_new-deadlock.t ++t/local/63_ec_key_generate_key.t ++t/local/64_ticket_sharing.t + t/local/kwalitee.t + typemap +Index: Changes +=================================================================== +--- a/Changes (revision 465) ++++ b/Changes (working copy) +@@ -1,5 +1,41 @@ + Revision history for Perl extension Net::SSLeay. + ++1.75 ????? ++ Compatibility with OpenSSL 1.1, tested with openssl-1.1.0-pre5: ++ - Conditionally remove threading locking code, not needed in 1.1 ++ - Rewrite code that accesses inside X509_ATTRIBUTE struct. ++ - SSL_CTX_need_tmp_RSA, SSL_CTX_set_tmp_rsa, ++ SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback support ++ not available in 1.1. ++ - SSL_session_reused is now native ++ - SSL_get_keyblock_size modifed to use new API ++ - OCSP functions modified to use new API under 1.1 ++ - SSL_set_state removed with 1.1 ++ - SSL_get_state and SSL_state are now equivalent and available in all ++ versions ++ - SSL_CTX_v2_new removed ++ - SESSION_set_master_key removed with 1.1. Code that previously used ++ SESSION_set_master_key must now set $secret in the session_secret ++ callback set with SSL_set_session_secret_cb ++ - With 1.1, $secret in the session_secret ++ callback set with SSL_set_session_secret_cb can be changed to alter ++ the master key (required by EAP-FAST). ++ Added a function EC_KEY_generate_key similar to RSA_generate_key and a ++ function EVP_PKEY_assign_EC_KEY similar to EVP_PKEY_assign_RSA. Using ++ these functions it is easy to create and use EC keys in the same way as ++ RSA keys. Patch provided by Steffen Ullrich. Thanks Steffen. ++ Testing with LibreSSL 2.4.1, with compatibility patch from Steffen ++ Ullrich. Thanks Steffen. ++ Patch from Steffen Ulrich provides support for cross context (and cross process) ++ session sharing using the stateless TLS session tickets. It uses the ++ SSL_CTX_set_tlsext_ticket_key_cb function to manage the encryption and ++ decryption of the tickets but provides a more simplified ++ interface. Includes new function CTX_set_tlsext_ticket_getkey_cb. ++ To not conflict with the OpenSSL name in case the more complex interface ++ will be implemented ever the current simplified interface is called ++ slightly different: CTX_set_tlsext_ticket_*get*key_cb. ++ Added documentation about downloading latest version from SVN. ++ + 1.74 2016-04-12 + README.OSX was missing from the distribution + -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libnet-ssleay-perl.git _______________________________________________ Pkg-perl-cvs-commits mailing list Pkg-perl-cvs-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits