[libio-socket-ssl-perl] 01/01: Imported Upstream version 1.955
Salvatore Bonaccorso
carnil at debian.org
Fri Oct 11 21:45:58 UTC 2013
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to annotated tag upstream/1.955
in repository libio-socket-ssl-perl.
commit b597837edb6f1e5c4aad67e7fef875bc2c888022
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Fri Oct 11 23:36:39 2013 +0200
Imported Upstream version 1.955
---
Changes | 3 ++
MANIFEST | 5 +--
META.json | 54 -------------------------------
META.yml | 48 ++++++++++++++--------------
README | 4 +++
docs/net-ssley-ecdh.patch | 40 +++++++++++++++++++++++
lib/IO/Socket/SSL.pm | 45 +++++++++++++++++++++-----
t/ecdhe.t | 78 +++++++++++++++++++++++++++++++++++++++++++++
8 files changed, 189 insertions(+), 88 deletions(-)
diff --git a/Changes b/Changes
index 4eae5a9..4e3086a 100644
--- a/Changes
+++ b/Changes
@@ -1,3 +1,6 @@
+1.955 2013/10/11
+- support for perfect forward secrecy using ECDH, if the Net::SSLeay version
+ supports it.
1.954 2013/9/15
- accept older versions of ExtUtils::MakeMaker and add meta information
like link to repository only for newer versions.
diff --git a/MANIFEST b/MANIFEST
index fe28372..9850235 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -12,6 +12,7 @@ certs/server-wildcard.pem
certs/test-ca.pem
Changes
docs/debugging.txt
+docs/net-ssley-ecdh.patch
example/async_https_server.pl
example/lwp-with-verifycn.pl
example/ssl_client.pl
@@ -50,6 +51,6 @@ t/testlib.pl
t/verify_hostname.t
t/sni.t
t/mitm.t
+t/ecdhe.t
util/export_certs.pl
-META.yml Module YAML meta-data (added by MakeMaker)
-META.json Module JSON meta-data (added by MakeMaker)
+META.yml Module meta-data (added by MakeMaker)
diff --git a/META.json b/META.json
deleted file mode 100644
index 2e08a29..0000000
--- a/META.json
+++ /dev/null
@@ -1,54 +0,0 @@
-{
- "abstract" : "Nearly transparent SSL encapsulation for IO::Socket::INET.",
- "author" : [
- "Steffen Ullrich <sullr.org>, Peter Behroozi, Marko Asplund"
- ],
- "dynamic_config" : 1,
- "generated_by" : "ExtUtils::MakeMaker version 6.66, CPAN::Meta::Converter version 2.120921",
- "license" : [
- "perl_5"
- ],
- "meta-spec" : {
- "url" : "http://search.cpan.org/perldoc?CPAN::Meta::Spec",
- "version" : "2"
- },
- "name" : "IO-Socket-SSL",
- "no_index" : {
- "directory" : [
- "t",
- "inc"
- ]
- },
- "prereqs" : {
- "build" : {
- "requires" : {
- "ExtUtils::MakeMaker" : "0"
- }
- },
- "configure" : {
- "requires" : {
- "ExtUtils::MakeMaker" : "0"
- }
- },
- "runtime" : {
- "requires" : {
- "Net::SSLeay" : "1.46",
- "Scalar::Util" : "0"
- }
- }
- },
- "release_status" : "stable",
- "resources" : {
- "bugtracker" : {
- "web" : "https://rt.cpan.org/Dist/Display.html?Queue=IO-Socket-SSL"
- },
- "homepage" : "https://github.com/noxxi/p5-io-socket-ssl",
- "license" : [
- "http://dev.perl.org/licenses/"
- ],
- "repository" : {
- "url" : "https://github.com/noxxi/p5-io-socket-ssl"
- }
- },
- "version" : "1.954"
-}
diff --git a/META.yml b/META.yml
index 61fce54..d95785e 100644
--- a/META.yml
+++ b/META.yml
@@ -1,28 +1,28 @@
----
-abstract: 'Nearly transparent SSL encapsulation for IO::Socket::INET.'
+--- #YAML:1.0
+name: IO-Socket-SSL
+version: 1.955
+abstract: Nearly transparent SSL encapsulation for IO::Socket::INET.
author:
- - 'Steffen Ullrich <sullr.org>, Peter Behroozi, Marko Asplund'
-build_requires:
- ExtUtils::MakeMaker: 0
+ - Steffen Ullrich <sullr.org>, Peter Behroozi, Marko Asplund
+license: perl
+distribution_type: module
configure_requires:
- ExtUtils::MakeMaker: 0
-dynamic_config: 1
-generated_by: 'ExtUtils::MakeMaker version 6.66, CPAN::Meta::Converter version 2.120921'
-license: perl
-meta-spec:
- url: http://module-build.sourceforge.net/META-spec-v1.4.html
- version: 1.4
-name: IO-Socket-SSL
-no_index:
- directory:
- - t
- - inc
+ ExtUtils::MakeMaker: 0
+build_requires:
+ ExtUtils::MakeMaker: 0
requires:
- Net::SSLeay: 1.46
- Scalar::Util: 0
+ Net::SSLeay: 1.46
+ Scalar::Util: 0
resources:
- bugtracker: https://rt.cpan.org/Dist/Display.html?Queue=IO-Socket-SSL
- homepage: https://github.com/noxxi/p5-io-socket-ssl
- license: http://dev.perl.org/licenses/
- repository: https://github.com/noxxi/p5-io-socket-ssl
-version: 1.954
+ bugtracker: https://rt.cpan.org/Dist/Display.html?Queue=IO-Socket-SSL
+ homepage: https://github.com/noxxi/p5-io-socket-ssl
+ license: http://dev.perl.org/licenses/
+ repository: https://github.com/noxxi/p5-io-socket-ssl
+no_index:
+ directory:
+ - t
+ - inc
+generated_by: ExtUtils::MakeMaker version 6.57_05
+meta-spec:
+ url: http://module-build.sourceforge.net/META-spec-v1.4.html
+ version: 1.4
diff --git a/README b/README
index 044ae26..f872779 100644
--- a/README
+++ b/README
@@ -6,6 +6,10 @@ IO::Socket::INET.
In order to use IO::Socket::SSL you need to have Net::SSLeay
v1.46 or newer installed.
+To use ECDH curves (needed for perfect forward secrecy) you need
+to use Net::SSLeay >= 1.56 (not released at time of writing) or
+patch Net::SSLeay yourself using docs/net-ssley-ecdh.patch.
+
For those who do not have a built-in random number generator
(including most users of Solaris), you should install one
before attempting to install IO::Socket::SSL. If you don't
diff --git a/docs/net-ssley-ecdh.patch b/docs/net-ssley-ecdh.patch
new file mode 100644
index 0000000..7ffc246
--- /dev/null
+++ b/docs/net-ssley-ecdh.patch
@@ -0,0 +1,40 @@
+Index: typemap
+===================================================================
+--- typemap (revision 382)
++++ typemap (working copy)
+@@ -6,6 +6,7 @@
+ SSL * T_PTR
+ RSA * T_PTR
+ DH * T_PTR
++EC_KEY * T_PTR
+ const X509 * T_PTR
+ const X509_CRL * T_PTR
+ const X509_REQ * T_PTR
+Index: SSLeay.xs
+===================================================================
+--- SSLeay.xs (revision 382)
++++ SSLeay.xs (working copy)
+@@ -4127,6 +4127,23 @@
+ SSL_CTX * ctx
+ RSA * rsa
+
++#if OPENSSL_VERSION_NUMBER > 0x10000000L
++
++EC_KEY *
++EC_KEY_new_by_curve_name(nid)
++ int nid
++
++void
++EC_KEY_free(key)
++ EC_KEY * key
++
++long
++SSL_CTX_set_tmp_ecdh(ctx,ecdh);
++ SSL_CTX * ctx
++ EC_KEY * ecdh
++
++#endif
++
+ void *
+ SSL_get_app_data(s)
+ SSL * s
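Review bot: The `#if OPENSSL_VERSION_NUMBER > 0x10000000L` guard in the SSLeay.xs part tests only the library version, so an OpenSSL build configured without elliptic-curve support would presumably fail to compile these declarations, because `EC_KEY` is not declared there. Extending the guard to `#if OPENSSL_VERSION_NUMBER > 0x10000000L && !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_ECDH)` would keep such builds compiling. IO::Socket::SSL's `defined(&Net::SSLeay::CTX_set_tmp_ecdh)` check would then report the missing feature at runtime. Since the README asks users to apply this patch by hand, a comment above the `#if` saying which OpenSSL configurations are covered would help them.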
diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
index 69011c3..2ca42f1 100644
--- a/lib/IO/Socket/SSL.pm
+++ b/lib/IO/Socket/SSL.pm
@@ -20,7 +20,7 @@ use Errno qw( EAGAIN ETIMEDOUT );
use Carp;
use strict;
-our $VERSION = '1.954';
+our $VERSION = '1.955';
use constant SSL_VERIFY_NONE => Net::SSLeay::VERIFY_NONE();
use constant SSL_VERIFY_PEER => Net::SSLeay::VERIFY_PEER();
@@ -1377,7 +1377,7 @@ sub get_cipher {
sub errstr {
my $self = shift;
- return ((ref($self) ? ${*$self}{'_SSL_last_err'} : $SSL_ERROR) or '');
+ return (ref($self) ? ${*$self}{'_SSL_last_err'} : $SSL_ERROR) || '';
}
sub fatal_ssl_error {
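Review bot: The new `return (ref($self) ? ... : $SSL_ERROR) || '';` in `errstr` reads as if the parentheses delimit the argument of `return` and `|| ''` is discarded. It behaves as intended only because `return` is exempt from Perl's looks-like-a-function rule. To avoid relying on that, use a temporary, `my $err = ref($self) ? ${*$self}{'_SSL_last_err'} : $SSL_ERROR;` followed by `return $err || '';`, or add a comment such as `# return is not parsed as a function call, so || '' applies to the whole expression`.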
@@ -1596,8 +1596,9 @@ sub new {
return $ctx_object if ($ctx_object = ${*$ctx_object}{'_SSL_ctx'});
}
+ my $ssl_op = Net::SSLeay::OP_ALL();
+
my $ver;
- my $disable_ver = 0;
for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1[12]?))$}i
or croak("invalid SSL_version specified");
@@ -1605,7 +1606,7 @@ sub new {
( my $v = lc($2||$3) ) =~s{^(...)}{\U$1};
$v =~s{/}{}; # interpret SSLv2/3 as SSLv23
if ( $not ) {
- $disable_ver |=
+ $ssl_op |=
$v eq 'SSLv2' ? 0x01000000 : # SSL_OP_NO_SSLv2
$v eq 'SSLv3' ? 0x02000000 : # SSL_OP_NO_SSLv3
$v eq 'TLSv1' ? 0x04000000 : # SSL_OP_NO_TLSv1
@@ -1628,10 +1629,10 @@ sub new {
my $ctx = $ctx_new_sub->() or return
IO::Socket::SSL->error("SSL Context init failed");
- Net::SSLeay::CTX_set_options($ctx, Net::SSLeay::OP_ALL() | $disable_ver );
- if ( $arg_hash->{SSL_honor_cipher_order} ) {
- Net::SSLeay::CTX_set_options($ctx, 0x00400000);
- }
+ # SSL_OP_CIPHER_SERVER_PREFERENCE
+ $ssl_op |= 0x00400000 if $arg_hash->{SSL_honor_cipher_order};
+
+ Net::SSLeay::CTX_set_options($ctx,$ssl_op);
# if we don't set session_id_context if client certificate is expected
# client session caching will fail
@@ -1777,6 +1778,25 @@ sub new {
Net::SSLeay::DH_free( $dh );
$rv || return IO::Socket::SSL->error( "Failed to set DH from $f" );
}
+
+ if ( my $curve = $arg_hash->{SSL_ecdh_curve} ) {
+ return IO::Socket::SSL->error(
+ "ECDH curve needs Net::SSLeay>=1.56 and OpenSSL>=1.0")
+ if ! defined( &Net::SSLeay::CTX_set_tmp_ecdh );
+ if ( $curve !~ /^\d+$/ ) {
+ # name of curve, find NID
+ $curve = Net::SSLeay::OBJ_txt2nid($curve)
+ || return IO::Socket::SSL->error(
+ "cannot find NID for curve name '$curve'");
+ }
+ my $ecdh = Net::SSLeay::EC_KEY_new_by_curve_name($curve) or
+ return IO::Socket::SSL->error(
+ "cannot create curve for NID $curve");
+ Net::SSLeay::CTX_set_tmp_ecdh($ctx,$ecdh) or
+ return IO::Socket::SSL->error(
+ "failed to set ECDH curve context");
+ Net::SSLeay::EC_KEY_free($ecdh);
+ }
}
my $verify_cb = $arg_hash->{SSL_verify_callback};
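Review bot: The failure branch of `Net::SSLeay::CTX_set_tmp_ecdh($ctx,$ecdh) or return ...` returns before `Net::SSLeay::EC_KEY_free($ecdh)` runs, so the EC_KEY allocated just above appears to leak whenever setting the curve fails. The DH code at the top of this hunk captures the result in `$rv`, frees the object and only then returns. The same order works here: `my $rv = Net::SSLeay::CTX_set_tmp_ecdh($ctx,$ecdh);`, `Net::SSLeay::EC_KEY_free($ecdh);`, `$rv or return IO::Socket::SSL->error("failed to set ECDH curve context");`. The enclosing `sub new` starts and ends outside the hunk.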
@@ -2157,11 +2177,20 @@ Examples:
If you want Diffie-Hellman key exchange you need to supply a suitable file here
or use the SSL_dh parameter. See dhparam command in openssl for more information.
+To create a server which provides perfect forward secrecy you need to either
+give the DH parameters or (better, because faster) the ECDH curve.
=item SSL_dh
Like SSL_dh_file, but instead of giving a file you use a preloaded or generated DH*.
+=item SSL_ecdh_curve
+
+If you want Elliptic Curve Diffie-Hellmann key exchange you need to supply the
+OID or NID of a suitable curve (like 'prime256v1') here.
+To create a server which provides perfect forward secrecy you need to either
+give the DH parameters or (better, because faster) the ECDH curve.
+
=item SSL_passwd_cb
If your private key is encrypted, you might not want the default password prompt from
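Review bot: The new `SSL_ecdh_curve` entry does not state the prerequisites that the code enforces, nor that setting a curve does not by itself guarantee forward secrecy. I would add `Needs Net::SSLeay >= 1.56 and OpenSSL >= 1.0; otherwise creating the context fails with an error.` and a sentence saying that forward secrecy is only obtained when an ECDHE or DHE cipher is actually negotiated, which can be checked with `get_cipher`. The text says "OID or NID" while the example `'prime256v1'` is a curve name, which the code resolves through `OBJ_txt2nid`, and `Diffie-Hellmann` should be `Diffie-Hellman`.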
diff --git a/t/ecdhe.t b/t/ecdhe.t
new file mode 100644
index 0000000..aa68796
--- /dev/null
+++ b/t/ecdhe.t
@@ -0,0 +1,78 @@
+#!perl -w
+# Before `make install' is performed this script should be runnable with
+# `make test'. After `make install' it should work as `perl t/ecdh.t'
+
+
+use Net::SSLeay;
+use Socket;
+use IO::Socket::SSL;
+use strict;
+
+if ( grep { $^O =~m{$_} } qw( MacOS VOS vmesa riscos amigaos ) ) {
+ print "1..0 # Skipped: fork not implemented on this platform\n";
+ exit
+}
+
+if ( ! defined &Net::SSLeay::CTX_set_tmp_ecdh ) {
+ print "1..0 # Skipped: no support for ecdh with this openssl/Net::SSLeay\n";
+ exit
+}
+
+$|=1;
+print "1..4\n";
+
+# first create simple ssl-server
+my $ID = 'server';
+my $addr = '127.0.0.1';
+my $server = IO::Socket::SSL->new(
+ LocalAddr => $addr,
+ Listen => 2,
+ ReuseAddr => 1,
+ SSL_cert_file => "certs/server-cert.pem",
+ SSL_key_file => "certs/server-key.pem",
+ SSL_ecdh_curve => 'prime256v1',
+) || do {
+ notok($!);
+ exit
+};
+ok("Server Initialization");
+
+# add server port to addr
+$addr.= ':'.(sockaddr_in( getsockname( $server )))[0];
+
+my $pid = fork();
+if ( !defined $pid ) {
+ die $!; # fork failed
+
+} elsif ( !$pid ) { ###### Client
+
+ $ID = 'client';
+ close($server);
+ my $to_server = IO::Socket::SSL->new(
+ PeerAddr => $addr,
+ SSL_verify_mode => 0 ) || do {
+ notok( "connect failed: $SSL_ERROR" );
+ exit
+ };
+ ok( "client connected" );
+
+ my $cipher = $to_server->get_cipher();
+ if ( $cipher !~m/^ECDHE-/ ) {
+ notok("bad key exchange: $cipher");
+ exit;
+ }
+ ok("ecdh key exchange: $cipher");
+
+} else { ###### Server
+
+ my $to_client = $server->accept || do {
+ notok( "accept failed: $SSL_ERROR" );
+ kill(9,$pid);
+ exit;
+ };
+ ok( "Server accepted" );
+ wait;
+}
+
+sub ok { print "ok # [$ID] @_\n"; }
+sub notok { print "not ok # [$ID] @_\n"; }
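Review bot: When the server socket cannot be created, `notok($!)` prints the OS error rather than `$SSL_ERROR`, so the curve-related errors this commit adds in SSL.pm (unknown curve name, failed `EC_KEY_new_by_curve_name`) would not appear in the test output. `notok("server init failed: $SSL_ERROR")` would match what the client and accept branches already print. The header comment also names `perl t/ecdh.t` while the file is `t/ecdhe.t`.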
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libio-socket-ssl-perl.git