[libnet-ssleay-perl] 01/01: Update OpenSSL patch to latest from Subversion
dom at earth.li
dom at earth.li
Thu Jul 28 14:47:05 UTC 2016
This is an automated email from the git hooks/post-receive script.
dom pushed a commit to branch experimental
in repository libnet-ssleay-perl.
commit 29b1148ef6aaf48032cefe9f442cec68baf48a89
Author: Dominic Hargreaves <dom at earth.li>
Date: Thu Jul 28 11:01:27 2016 +0100
Update OpenSSL patch to latest from Subversion
---
debian/changelog | 4 +-
debian/patches/series | 2 +-
.../patches/{openssl-1.1.patch => svn-r472.patch} | 684 +++++++++++++++++++--
3 files changed, 641 insertions(+), 49 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 4dd3150..9d69e60 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-libnet-ssleay-perl (1.74-2) experimental; urgency=medium
+libnet-ssleay-perl (1.74-1+svn472) experimental; urgency=medium
[ gregor herrmann ]
* debian/copyright: change Copyright-Format 1.0 URL to HTTPS.
@@ -7,7 +7,7 @@ libnet-ssleay-perl (1.74-2) experimental; urgency=medium
* OpenSSL 1.1 patch from upstream SVN (Closes: #828401)
* Remove Franck Joncourt from Uploaders (Closes: #831307)
- -- Dominic Hargreaves <dom at earth.li> Sat, 09 Jul 2016 00:02:40 +0200
+ -- Dominic Hargreaves <dom at earth.li> Thu, 28 Jul 2016 11:01:20 +0100
libnet-ssleay-perl (1.74-1) unstable; urgency=medium
diff --git a/debian/patches/series b/debian/patches/series
index 9cc133e..3d5191d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,3 @@
0001-fix-typo-in-manpage.patch
20no-stray-libz-link.patch
-openssl-1.1.patch
+svn-r472.patch
diff --git a/debian/patches/openssl-1.1.patch b/debian/patches/svn-r472.patch
similarity index 54%
rename from debian/patches/openssl-1.1.patch
rename to debian/patches/svn-r472.patch
index 806f90e..322ec9f 100644
--- a/debian/patches/openssl-1.1.patch
+++ b/debian/patches/svn-r472.patch
@@ -1,7 +1,33 @@
Subject: OpenSSL 1.1 support
Author: Mike McCauley <mikem at airspayce.com>
-Origin: svn://svn.debian.org/svn/net-ssleay@469
+Origin: svn://svn.debian.org/svn/net-ssleay@472
+Removed patched ext/Module/Install/PRIVATE/Net/SSLeay.pm which doesn't
+exist in released version
+
+Index: inc/Module/Install/PRIVATE/Net/SSLeay.pm
+===================================================================
+--- a/inc/Module/Install/PRIVATE/Net/SSLeay.pm (revision 465)
++++ b/inc/Module/Install/PRIVATE/Net/SSLeay.pm (working copy)
+@@ -1,5 +1,4 @@
+ #line 1
+-#line 1
+ package Module::Install::PRIVATE::Net::SSLeay;
+
+ use strict;
+Index: Makefile.PL
+===================================================================
+--- a/Makefile.PL (revision 465)
++++ b/Makefile.PL (working copy)
+@@ -8,7 +8,7 @@
+ use File::Spec;
+
+ name('Net-SSLeay');
+-license 'perl';
++license('perl');
+ all_from('lib/Net/SSLeay.pm');
+
+ ssleay();
Index: SSLeay.xs
===================================================================
--- a/SSLeay.xs (revision 465)
@@ -93,7 +119,109 @@ Index: SSLeay.xs
}
PUTBACK;
-@@ -1404,8 +1421,10 @@
+@@ -1221,7 +1238,101 @@
+ LEAVE;
+ }
+
++/*
++ * Support for tlsext_ticket_key_cb_invoke was already in 0.9.8 but it was
++ * broken in various ways during the various 1.0.0* versions.
++ * Better enable it only starting with 1.0.1.
++*/
++#if defined(SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB) && OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_TLSEXT)
++#define NET_SSLEAY_CAN_TICKET_KEY_CB
+
++int tlsext_ticket_key_cb_invoke(
++ SSL *ssl,
++ unsigned char *key_name,
++ unsigned char *iv,
++ EVP_CIPHER_CTX *ectx,
++ HMAC_CTX *hctx,
++ int enc
++){
++
++ dSP;
++ int count;
++ SV *cb_func, *cb_data;
++ SV *sv_name, *sv_key;
++ STRLEN svlen;
++ unsigned char *key; /* key[0..15] aes, key[16..32] hmac */
++ unsigned char *name;
++ SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
++
++ PR1("STARTED: tlsext_ticket_key_cb_invoke\n");
++ cb_func = cb_data_advanced_get(ctx, "tlsext_ticket_key_cb!!func");
++ cb_data = cb_data_advanced_get(ctx, "tlsext_ticket_key_cb!!data");
++
++ if (!SvROK(cb_func) || (SvTYPE(SvRV(cb_func)) != SVt_PVCV))
++ croak("callback must be a code reference");
++
++ ENTER;
++ SAVETMPS;
++ PUSHMARK(SP);
++ XPUSHs(sv_2mortal(newSVsv(cb_data)));
++
++ if (!enc) {
++ /* call as getkey(data,this_name) -> (key,current_name) */
++ XPUSHs(sv_2mortal(newSVpv(key_name,16)));
++ } else {
++ /* call as getkey(data) -> (key,current_name) */
++ }
++
++
++ PUTBACK;
++ count = call_sv( cb_func, G_ARRAY );
++
++ SPAGAIN;
++ if (count>0) sv_name = POPs;
++ if (count>1) sv_key = POPs;
++
++ if (!enc && ( !count || !SvOK(sv_key) )) {
++ TRACE(2,"no key returned for ticket");
++ return 0;
++ }
++
++ if (count != 2)
++ croak("key functions needs to return (key,name)");
++ key = SvPV(sv_key,svlen);
++ if (svlen < 32)
++ croak("key must be at least 32 random bytes, got %d",svlen);
++ name = SvPV(sv_name,svlen);
++ if (svlen != 16)
++ croak("name should be exactly 16 characters, got %d",svlen);
++ if (svlen == 0)
++ croak("name should not be empty");
++
++ if (enc) {
++ /* encrypt ticket information with given key */
++ RAND_bytes(iv, 16);
++ EVP_EncryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, key, iv);
++ HMAC_Init_ex(hctx,key+16,16,EVP_sha256(),NULL);
++ bzero(key_name,16);
++ memcpy(key_name,name,svlen);
++ return 1;
++ } else {
++ unsigned char new_name[16];
++ bzero(new_name,16);
++ memcpy(new_name,name,svlen);
++
++ HMAC_Init_ex(hctx,key+16,16,EVP_sha256(),NULL);
++ EVP_DecryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, key, iv);
++
++ if (memcmp(new_name,key_name,16) == 0)
++ return 1; /* current key was used */
++ else
++ return 2; /* different key was used, need to be renewed */
++ }
++}
++
++#endif
++
++
+ /* ============= end of callback stuff, begin helper functions ============== */
+
+ time_t ASN1_TIME_timet(ASN1_TIME *asn1t) {
+@@ -1404,8 +1515,10 @@
OUTPUT:
RETVAL
@@ -105,7 +233,7 @@ Index: SSLeay.xs
SSL_CTX *
SSL_CTX_v2_new()
CODE:
-@@ -1414,7 +1433,7 @@
+@@ -1414,7 +1527,7 @@
RETVAL
#endif
@@ -114,7 +242,7 @@ Index: SSLeay.xs
#ifndef OPENSSL_NO_SSL3
SSL_CTX *
-@@ -2105,10 +2124,35 @@
+@@ -2105,10 +2218,35 @@
SSL_want(s)
SSL * s
@@ -150,7 +278,7 @@ Index: SSLeay.xs
#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
long
-@@ -2734,19 +2778,15 @@
+@@ -2734,19 +2872,15 @@
X509_ATTRIBUTE * att;
int count, i;
ASN1_STRING * s;
@@ -176,7 +304,7 @@ Index: SSLeay.xs
#endif
-@@ -4439,6 +4479,7 @@
+@@ -4439,6 +4573,7 @@
const unsigned char * sid_ctx
unsigned int sid_ctx_len
@@ -184,7 +312,7 @@ Index: SSLeay.xs
void
SSL_CTX_set_tmp_rsa_callback(ctx, cb)
SSL_CTX * ctx
-@@ -4449,6 +4490,8 @@
+@@ -4449,6 +4584,8 @@
SSL * ssl
cb_ssl_int_int_ret_RSA * cb
@@ -193,7 +321,7 @@ Index: SSLeay.xs
void
SSL_CTX_set_tmp_dh_callback(ctx, dh)
SSL_CTX * ctx
-@@ -4526,6 +4569,7 @@
+@@ -4526,6 +4663,7 @@
OUTPUT:
RETVAL
@@ -201,7 +329,7 @@ Index: SSLeay.xs
long
SSL_CTX_need_tmp_RSA(ctx)
SSL_CTX * ctx
-@@ -4534,6 +4578,8 @@
+@@ -4534,6 +4672,8 @@
OUTPUT:
RETVAL
@@ -210,7 +338,7 @@ Index: SSLeay.xs
int
SSL_CTX_set_app_data(ctx,arg)
SSL_CTX * ctx
-@@ -4575,11 +4621,14 @@
+@@ -4575,11 +4715,14 @@
SSL_CTX * ctx
DH * dh
@@ -225,7 +353,7 @@ Index: SSLeay.xs
#if OPENSSL_VERSION_NUMBER > 0x10000000L && !defined OPENSSL_NO_EC
EC_KEY *
-@@ -4591,12 +4640,55 @@
+@@ -4591,12 +4734,55 @@
EC_KEY * key
long
@@ -282,7 +410,7 @@ Index: SSLeay.xs
void *
SSL_get_app_data(s)
SSL * s
-@@ -4622,25 +4714,20 @@
+@@ -4622,25 +4808,20 @@
OUTPUT:
RETVAL
@@ -312,7 +440,7 @@ Index: SSLeay.xs
long
SSL_need_tmp_RSA(ssl)
SSL * ssl
-@@ -4649,6 +4736,9 @@
+@@ -4649,6 +4830,9 @@
OUTPUT:
RETVAL
@@ -322,7 +450,7 @@ Index: SSLeay.xs
long
SSL_num_renegotiations(ssl)
SSL * ssl
-@@ -4668,10 +4758,6 @@
+@@ -4668,10 +4852,6 @@
long
SSL_session_reused(ssl)
SSL * ssl
@@ -333,7 +461,7 @@ Index: SSLeay.xs
int
SSL_SESSION_set_app_data(s,a)
-@@ -4714,6 +4800,7 @@
+@@ -4714,6 +4894,7 @@
SSL * ssl
DH * dh
@@ -341,7 +469,7 @@ Index: SSLeay.xs
long
SSL_set_tmp_rsa(ssl,rsa)
SSL * ssl
-@@ -4723,6 +4810,7 @@
+@@ -4723,6 +4904,7 @@
OUTPUT:
RETVAL
@@ -349,7 +477,7 @@ Index: SSLeay.xs
#ifdef __ANDROID__
-@@ -4855,13 +4943,33 @@
+@@ -4855,13 +5037,33 @@
OUTPUT:
RETVAL
@@ -383,7 +511,7 @@ Index: SSLeay.xs
void
SSL_SESSION_set_master_key(s,key)
SSL_SESSION * s
-@@ -4873,24 +4981,80 @@
+@@ -4873,24 +5075,80 @@
memcpy(s->master_key, key, len);
s->master_key_length = len;
@@ -464,7 +592,7 @@ Index: SSLeay.xs
if (s == NULL ||
s->enc_read_ctx == NULL ||
s->enc_read_ctx->cipher == NULL ||
-@@ -4919,6 +5083,8 @@
+@@ -4919,6 +5177,8 @@
EVP_CIPHER_iv_length(c)))
: -1;
}
@@ -473,7 +601,7 @@ Index: SSLeay.xs
OUTPUT:
RETVAL
-@@ -4956,9 +5122,7 @@
+@@ -4956,13 +5216,34 @@
else {
cb_data_advanced_put(s, "ssleay_session_secret_cb!!func", newSVsv(callback));
cb_data_advanced_put(s, "ssleay_session_secret_cb!!data", newSVsv(data));
@@ -484,7 +612,34 @@ Index: SSLeay.xs
}
#endif
-@@ -5382,7 +5546,11 @@
+
++#ifdef NET_SSLEAY_CAN_TICKET_KEY_CB
++
++void
++SSL_CTX_set_tlsext_ticket_getkey_cb(ctx,callback=&PL_sv_undef,data=&PL_sv_undef)
++ SSL_CTX * ctx
++ SV * callback
++ SV * data
++ CODE:
++ if (callback==NULL || !SvOK(callback)) {
++ SSL_CTX_set_tlsext_ticket_key_cb(ctx, NULL);
++ cb_data_advanced_put(ctx, "tlsext_ticket_key_cb!!func", NULL);
++ cb_data_advanced_put(ctx, "tlsext_ticket_key_cb!!data", NULL);
++ }
++ else {
++ cb_data_advanced_put(ctx, "tlsext_ticket_key_cb!!func", newSVsv(callback));
++ cb_data_advanced_put(ctx, "tlsext_ticket_key_cb!!data", newSVsv(data));
++ SSL_CTX_set_tlsext_ticket_key_cb(ctx, &tlsext_ticket_key_cb_invoke);
++ }
++
++
++#endif
++
++
+ #if OPENSSL_VERSION_NUMBER < 0x0090700fL
+ #define REM11 "NOTE: before 0.9.7"
+
+@@ -5382,7 +5663,11 @@
P_X509_get_signature_alg(x)
X509 * x
CODE:
@@ -496,7 +651,7 @@ Index: SSLeay.xs
OUTPUT:
RETVAL
-@@ -5389,8 +5557,17 @@
+@@ -5389,8 +5674,17 @@
ASN1_OBJECT *
P_X509_get_pubkey_alg(x)
X509 * x
@@ -514,7 +669,7 @@ Index: SSLeay.xs
OUTPUT:
RETVAL
-@@ -5705,8 +5882,7 @@
+@@ -5705,8 +5999,7 @@
* response does not contain the chain up to the trusted root */
STACK_OF(X509) *chain = SSL_get_peer_cert_chain(ssl);
for(i=0;i<sk_X509_num(chain);i++) {
@@ -524,7 +679,7 @@ Index: SSLeay.xs
}
TRACE(1,"run basic verify");
RETVAL = OCSP_basic_verify(bsr, NULL, store, flags);
-@@ -5718,7 +5894,7 @@
+@@ -5718,7 +6011,7 @@
X509 *issuer;
X509 *last = sk_X509_value(chain,sk_X509_num(chain)-1);
if ( (issuer = find_issuer(last,store,chain))) {
@@ -533,7 +688,7 @@ Index: SSLeay.xs
TRACE(1,"run OCSP_basic_verify with issuer for last chain element");
RETVAL = OCSP_basic_verify(bsr, NULL, store, flags);
}
-@@ -5736,7 +5912,6 @@
+@@ -5736,7 +6029,6 @@
OCSP_BASICRESP *bsr;
int i,want_array;
time_t nextupd = 0;
@@ -541,7 +696,7 @@ Index: SSLeay.xs
int getall,sksn;
bsr = OCSP_response_get1_basic(rsp);
-@@ -5744,8 +5919,7 @@
+@@ -5744,8 +6036,7 @@
want_array = (GIMME == G_ARRAY);
getall = (items <= 1);
@@ -551,7 +706,7 @@ Index: SSLeay.xs
for(i=0; i < (getall ? sksn : items-1); i++) {
const char *error = NULL;
-@@ -5754,9 +5928,8 @@
+@@ -5754,9 +6045,8 @@
SV *idsv = NULL;
if(getall) {
@@ -562,7 +717,7 @@ Index: SSLeay.xs
STRLEN len;
const unsigned char *p;
-@@ -5767,22 +5940,36 @@
+@@ -5767,22 +6057,36 @@
error = "failed to get OCSP certid from string";
goto end;
}
@@ -612,7 +767,7 @@ Index: SSLeay.xs
}
end:
-@@ -5791,12 +5978,20 @@
+@@ -5791,12 +6095,20 @@
if (!idsv) {
/* getall: create new SV with OCSP_CERTID */
unsigned char *pi,*pc;
@@ -633,7 +788,7 @@ Index: SSLeay.xs
idsv = newSVpv((char*)pc,len);
Safefree(pc);
} else {
-@@ -5809,26 +6004,26 @@
+@@ -5809,26 +6121,26 @@
HV *details = newHV();
av_push(idav,newRV_noinc((SV*)details));
hv_store(details,"statusType",10,
@@ -673,19 +828,40 @@ Index: SSLeay.xs
if (!nextupd || nextupd>nu) nextupd = nu;
}
-Index: t/local/32_x509_get_cert_info.t
+Index: README
===================================================================
---- a/t/local/32_x509_get_cert_info.t (revision 465)
-+++ b/t/local/32_x509_get_cert_info.t (working copy)
-@@ -175,7 +175,7 @@
- }
-
- SKIP: {
-- skip('crl_distribution_points requires 0.9.7+', scalar(@{$dump->{$f}->{cdp}})+1) unless Net::SSLeay::SSLeay >= 0x0090700f;
-+ skip('crl_distribution_points requires 0.9.7+', int(@{$dump->{$f}->{cdp}})+1) unless Net::SSLeay::SSLeay >= 0x0090700f;
- my @cdp = Net::SSLeay::P_X509_get_crl_distribution_points($x509);
- is(scalar(@cdp), scalar(@{$dump->{$f}->{cdp}}), "cdp size\t$f");
- for my $i (0..$#cdp) {
+--- a/README (revision 465)
++++ b/README (working copy)
+@@ -6,12 +6,18 @@
+
+ perl -MNet::SSLeay -e '($p)=Net::SSLeay::get_https("www.openssl.org", 443, "/"); print $p'
+
++for the latest and possibly unstable version from SVN:
++
++ svn co svn://svn.debian.org/svn/net-ssleay
++
++
+ Prerequisites
+ -------------
+
+-perl-5.6.1 though anything starting from perl5.003 probably works.
++perl-5.6.1 though anything starting from perl5.003 probably works. Later
++ versions are OK.
+
+-OpenSSL-0.9.6j through to at least OpenSSL-1.0.2 and probably later
++OpenSSL-0.9.6j through to at least OpenSSL-1.1 and probably later
+ http://www.openssl.org/ - On Linux, you can either build and
+ install OpenSSL from scratch (its very portable) or you can
+ install the appropriate OpenSSL 'devel' package for your Linux
+@@ -25,6 +31,8 @@
+ in OpenSSL-0.9.2b. OpenSSL-0.9.1c support has also been dropped,
+ version 1.03 was the last one to support that.
+
++LibreSSL is also supported.
++
+ You should use the same C compiler and options to compile OpenSSL,
+ perl, and Net::SSLeay. This is the only supported configuration.
+ If you insist on using different compilers (perhaps because you
Index: t/local/35_ephemeral.t
===================================================================
--- a/t/local/35_ephemeral.t (revision 465)
@@ -695,14 +871,27 @@ Index: t/local/35_ephemeral.t
BEGIN {
- plan skip_all => "libressl removed support for ephemeral/temporary RSA private keys" if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER");
-+ plan skip_all => "libressl and OpenSSL 1.1 removed support for ephemeral/temporary RSA private keys" if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") || $Net::SSLeay::VERSION > 1.74;
++ plan skip_all => "libressl and OpenSSL 1.1 removed support for ephemeral/temporary RSA private keys" if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") || Net::SSLeay::constant("OPENSSL_VERSION_NUMBER") >= 0x10100000;
}
plan tests => 3;
+Index: t/local/32_x509_get_cert_info.t
+===================================================================
+--- a/t/local/32_x509_get_cert_info.t (revision 465)
++++ b/t/local/32_x509_get_cert_info.t (working copy)
+@@ -175,7 +175,7 @@
+ }
+
+ SKIP: {
+- skip('crl_distribution_points requires 0.9.7+', scalar(@{$dump->{$f}->{cdp}})+1) unless Net::SSLeay::SSLeay >= 0x0090700f;
++ skip('crl_distribution_points requires 0.9.7+', int(@{$dump->{$f}->{cdp}})+1) unless Net::SSLeay::SSLeay >= 0x0090700f;
+ my @cdp = Net::SSLeay::P_X509_get_crl_distribution_points($x509);
+ is(scalar(@cdp), scalar(@{$dump->{$f}->{cdp}}), "cdp size\t$f");
+ for my $i (0..$#cdp) {
Index: t/local/63_ec_key_generate_key.t
===================================================================
--- a/t/local/63_ec_key_generate_key.t (revision 0)
-+++ b/t/local/63_ec_key_generate_key.t (revision 469)
++++ b/t/local/63_ec_key_generate_key.t (revision 472)
@@ -0,0 +1,35 @@
+#!/usr/bin/perl
+
@@ -739,6 +928,281 @@ Index: t/local/63_ec_key_generate_key.t
+ my $newkey = Net::SSLeay::PEM_read_bio_PrivateKey($bio);
+ ok($newkey,"read key again from PEM");
+}
+Index: t/local/64_ticket_sharing.t
+===================================================================
+--- a/t/local/64_ticket_sharing.t (revision 0)
++++ b/t/local/64_ticket_sharing.t (revision 472)
+@@ -0,0 +1,270 @@
++#!/usr/bin/perl
++
++use strict;
++use warnings;
++use Test::More;
++use Socket;
++use File::Spec;
++use Net::SSLeay;
++use Config;
++
++# for debugging only
++my $DEBUG = 0;
++my $PCAP = 0;
++require Net::PcapWriter if $PCAP;
++
++plan skip_all => "no support for tlsext_ticket_key_cb"
++ if ! defined &Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb;
++plan tests => 15;
++
++Net::SSLeay::randomize();
++Net::SSLeay::load_error_strings();
++Net::SSLeay::ERR_load_crypto_strings();
++Net::SSLeay::SSLeay_add_ssl_algorithms();
++
++my $SSL_ERROR; # set in _minSSL
++my %TRANSFER; # set in _handshake
++
++my $client = _minSSL->new();
++my $server = _minSSL->new( cert => [
++ File::Spec->catfile('t','data','cert.pem'),
++ File::Spec->catfile('t','data','key.pem')
++]);
++
++
++# initial tests without reuse
++# ----------------------------------------------
++is( _handshake($client,$server), 'full', "initial handshake is full");
++is( _handshake($client,$server), 'full', "another full handshake");
++
++# explicitly reuse session in client to check that server accepts it
++# ----------------------------------------------
++my $sess = Net::SSLeay::get1_session($client->_ssl);
++my $reuse = sub { Net::SSLeay::set_session($client->_ssl,$sess) };
++is( _handshake($client,$server,$reuse),'reuse',"handshake with reuse");
++is( _handshake($client,$server,$reuse),'reuse',"handshake again with reuse");
++
++# create another server and connect client with session from old server
++# should not be reused
++# ----------------------------------------------
++my $server2 = _minSSL->new( cert => [
++ File::Spec->catfile('t','data','cert.pem'),
++ File::Spec->catfile('t','data','key.pem')
++]);
++is( _handshake($client,$server2,$reuse),'full',"handshake with server2 is full");
++
++# now attach the same ticket key callback to both servers
++# ----------------------------------------------
++Net::SSLeay::RAND_bytes(my $key,32);
++my $key_name = pack("a16",'secret');
++my $keycb = sub {
++ my ($mykey,$name) = @_;
++ return ($mykey,$key_name) if ! $name or $key_name eq $name;
++ return; # unknown key
++};
++Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb($server->_ctx, $keycb,$key);
++Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb($server2->_ctx,$keycb,$key);
++is( _handshake($client,$server),'full',"initial full handshake with server1");
++$sess = Net::SSLeay::get1_session($client->_ssl);
++is( _handshake($client,$server,$reuse), 'reuse',"reuse session with server1");
++is( _handshake($client,$server2,$reuse),'reuse',"reuse session with server2");
++
++# simulate rotation for $key: the callback returns now the right key, but
++# has a different current_name. It is expected that the callback is called again
++# for encryption with the new key and that a new session ticket gets sent to
++# the client
++# ----------------------------------------------
++Net::SSLeay::RAND_bytes(my $newkey,32);
++my $newkey_name = pack("a16",'newsecret');
++my @keys = (
++ [ $newkey_name, $newkey ], # current default key
++ [ $key_name, $key ], # already expired
++);
++my @was_called_with;
++my %old_transfer = %TRANSFER;
++Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb($server2->_ctx, sub {
++ my (undef,$name) = @_;
++ push @was_called_with,$name || '<undef>';
++ return ($keys[0][1],$keys[0][0]) if ! $name;
++ for(my $i = 0; $i<@keys; $i++) {
++ return ($keys[$i][1],$keys[0][0]) if $name eq $keys[$i][0];
++ }
++ return;
++});
++
++my $expect_reuse = _handshake($client,$server2,$reuse);
++if ($expect_reuse eq '> < > <') {
++ # broken handshake seen with openssl 1.0.0 when a ticket was used where
++ # the key is still known but expired. It will do
++ # Encrypted Handshake Message, Change Cipher Spec, Encrypted Handshake Message
++ # in the last packet from server to client
++ is($expect_reuse,'> < > <',"(slightly broken) reuse session with old key with server2");
++ ok( @was_called_with >= 2,'callback was called at least 2 times');
++} else {
++ is($expect_reuse,'reuse',"reuse session with old key with server2");
++ is( 0+ at was_called_with,2,'callback was called 2 times');
++}
++
++is( $was_called_with[0],$key_name, 'first with the old key name');
++is( $was_called_with[1],"<undef>", 'then with undef to get the current key');
++ok( $TRANSFER{client} == $old_transfer{client}, 'no more data from client to server');
++ok( $TRANSFER{server} > $old_transfer{server}, 'but more data from server (new ticket)');
++
++# finally try to reuse the session created with new key against server1
++# this should result in a full handshake since server1 does not know newkey
++# ----------------------------------------------
++$sess = Net::SSLeay::get1_session($client->_ssl);
++is( _handshake($client,$server,$reuse),'full',"full handshake with new ticker on server1");
++
++
++
++my $i;
++sub _handshake {
++ my ($client,$server,$after_init) = @_;
++ $client->state_connect;
++ $server->state_accept;
++ &$after_init if $after_init;
++
++ my $pcap = $PCAP && do {
++ my $fname = 'test'.(++$i).'.pcap';
++ open(my $fh,'>',$fname);
++ diag("pcap in $fname");
++ $fh->autoflush;
++ Net::PcapWriter->new($fh)->tcp_conn('1.1.1.1',1000,'2.2.2.2',443);
++ };
++
++ my ($client_done,$server_done, at hs);
++ %TRANSFER = ();
++ for(my $tries = 0; $tries < 10 and !$client_done || !$server_done; $tries++ ) {
++ $client_done ||= $client->handshake || 0;
++ $server_done ||= $server->handshake || 0;
++
++ my $transfer = 0;
++ if (defined(my $data = $client->bio_read())) {
++ $pcap && $pcap->write(0,$data);
++ $DEBUG && warn "client -> server: ".length($data)." bytes\n";
++ $server->bio_write($data);
++ push @hs,'>';
++ $TRANSFER{client} += length($data);
++ $transfer++;
++ }
++ if (defined(my $data = $server->bio_read())) {
++ $pcap && $pcap->write(1,$data);
++ $DEBUG && warn "server -> client: ".length($data)." bytes\n";
++ $client->bio_write($data);
++ # assume certificate was sent if length>700
++ push @hs, length($data) > 700 ? '<[C]':'<';
++ $TRANSFER{server} += length($data);
++ $transfer++;
++ }
++ if (!$transfer) {
++ # no more data to transfer - assume we are done
++ $client_done = $server_done = 1;
++ }
++ }
++
++ return
++ !$client_done || !$server_done ? 'failed' :
++ "@hs" eq '> <[C] > <' ? 'full' :
++ "@hs" eq '> < >' ? 'reuse' :
++ "@hs";
++}
++
++
++{
++ package _minSSL;
++ sub new {
++ my ($class,%args) = @_;
++ my $ctx = Net::SSLeay::CTX_tlsv1_new();
++ Net::SSLeay::CTX_set_options($ctx,Net::SSLeay::OP_ALL());
++ Net::SSLeay::CTX_set_cipher_list($ctx,'AES128-SHA');
++ my $id = 'client';
++ if ($args{cert}) {
++ my ($cert,$key) = @{ delete $args{cert} };
++ Net::SSLeay::set_cert_and_key($ctx, $cert, $key)
++ || die "failed to use cert file $cert,$key";
++ $id = 'server';
++ }
++
++ my $self = bless { id => $id, ctx => $ctx }, $class;
++ return $self;
++ }
++
++ sub state_accept {
++ my $self = shift;
++ _reset($self);
++ Net::SSLeay::set_accept_state($self->{ssl});
++ }
++
++ sub state_connect {
++ my $self = shift;
++ _reset($self);
++ Net::SSLeay::set_connect_state($self->{ssl});
++ }
++
++ sub handshake {
++ my $self = shift;
++ my $rv = Net::SSLeay::do_handshake($self->{ssl});
++ $rv = _error($self,$rv);
++ return $rv;
++ }
++
++ sub ssl_read {
++ my ($self) = @_;
++ my ($data,$rv) = Net::SSLeay::read($self->{ssl});
++ return _error($self,$rv || -1) if !$rv || $rv<0;
++ return $data;
++ }
++
++ sub bio_write {
++ my ($self,$data) = @_;
++ defined $data and $data ne '' or return;
++ Net::SSLeay::BIO_write($self->{rbio},$data);
++ }
++
++ sub ssl_write {
++ my ($self,$data) = @_;
++ my $rv = Net::SSLeay::write($self->{ssl},$data);
++ return _error($self,$rv || -1) if !$rv || $rv<0;
++ return $rv;
++ }
++
++ sub bio_read {
++ my ($self) = @_;
++ return Net::SSLeay::BIO_read($self->{wbio});
++ }
++
++ sub _ssl { shift->{ssl} }
++ sub _ctx { shift->{ctx} }
++
++ sub _reset {
++ my $self = shift;
++ my $ssl = Net::SSLeay::new($self->{ctx});
++ my @bio = (
++ Net::SSLeay::BIO_new(Net::SSLeay::BIO_s_mem()),
++ Net::SSLeay::BIO_new(Net::SSLeay::BIO_s_mem()),
++ );
++ Net::SSLeay::set_bio($ssl,$bio[0],$bio[1]);
++ $self->{ssl} = $ssl;
++ $self->{rbio} = $bio[0];
++ $self->{wbio} = $bio[1];
++ }
++
++ sub _error {
++ my ($self,$rv) = @_;
++ if ($rv>0) {
++ $SSL_ERROR = undef;
++ return $rv;
++ }
++ my $err = Net::SSLeay::get_error($self->{ssl},$rv);
++ if ($err == Net::SSLeay::ERROR_WANT_READ()
++ || $err == Net::SSLeay::ERROR_WANT_WRITE()) {
++ $SSL_ERROR = $err;
++ $DEBUG && warn "[$self->{id}] rw:$err\n";
++ return;
++ }
++ $DEBUG && warn "[$self->{id}] ".Net::SSLeay::ERR_error_string($err)."\n";
++ return;
++ }
++
++}
Index: lib/Net/SSLeay.pod
===================================================================
--- a/lib/Net/SSLeay.pod (revision 465)
@@ -869,7 +1333,7 @@ Index: lib/Net/SSLeay.pod
=item * num_renegotiations
Executes SSL_CTRL_GET_NUM_RENEGOTIATIONS command on $ssl.
-@@ -4131,6 +4167,21 @@
+@@ -4131,6 +4167,91 @@
#
# returns: no return value
@@ -888,10 +1352,80 @@ Index: lib/Net/SSLeay.pod
+With OpenSSL 1.1 and later, callback_function can change the master key for the session by
+altering $secret and returning 1.
+
++=item * CTX_set_tlsext_ticket_getkey_cb
++
++Setup encryption for TLS session tickets (stateless session reuse).
++
++ Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb($ctx, $func, $data);
++ # $ctx - value corresponding to openssl's SSL_CTX structure
++ # $func - perl reference to callback function
++ # $data - [optional] data that will be passed to callback function when invoked
++ #
++ # returns: no return value
++
++The callback function will be called like:
++getkey($data,[$key_name]) -> ($key,$current_key_name)
++
++# $data is the data passed to set_session_secret_cb
++# $key_name is the name of the key OpenSSL has extracted from the session ticket
++# $key is the requested key for ticket encryption + HMAC
++# $current_key_name is the name for the currently valid key
++
++OpenSSL will call the function without a key name if it generates a new ticket.
++It then needs the callback to return the encryption+HMAC key and an identifier
++(key name) for this key.
++
++When OpenSSL gets a session ticket from the client it extracts the key name and
++calls the callback with this name as argument. It then expects the callback to
++return the encryption+HMAC key matching the requested key name and and also the
++key name which should be used at the moment. If the requested key name and the
++returned key name differ it means that this session ticket was created with an
++expired key and need to be renewed. In this case OpenSSL will call the callback
++again with no key name to create a new session ticket based on the old one.
++
++The key must be at least 32 byte of random data which can be created with
++RAND_bytes. Internally the first 16 byte are used as key in AES-128 encryption
++while the next 16 byte are used for the SHA-256 HMAC.
++The key name are binary data and must be exactly 16 byte long.
++
++Example:
++
++ Net::SSLeay::RAND_bytes(my $oldkey,32);
++ Net::SSLeay::RAND_bytes(my $newkey,32);
++ my $oldkey_name = pack("a16",'oldsecret');
++ my $newkey_name = pack("a16",'newsecret');
++
++ my @keys = (
++ [ $newkey_name, $newkey ], # current active key
++ [ $oldkey_name, $oldkey ], # already expired
++ );
++
++ Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb($server2->_ctx, sub {
++ my ($mykeys,$name) = @_;
++
++ # return (current_key, current_key_name) if no name given
++ return ($mykeys->[0][1],$mykeys->[0][0]) if ! $name;
++
++ # return (matching_key, current_key_name) if we find a key matching
++ # the given name
++ for(my $i = 0; $i<@$mykeys; $i++) {
++ next if $name ne $mykeys->[$i][0];
++ return ($mykeys->[$i][1],$mykeys->[0][0]);
++ }
++
++ # no matching key found
++ return;
++ },\@keys);
++
++
++This function is based on the OpenSSL function SSL_CTX_set_tlsext_ticket_key_cb
++but provides a simpler to use interface. For more information see
++L<http://www.openssl.org/docs/ssl/SSL_CTX_set_tlsext_ticket_key_cb.html|http://www.openssl.org/docs/ssl/SSL_CTX_set_tlsext_ticket_key_cb.html>
++
=item * set_shutdown
Sets the shutdown state of $ssl to $mode.
-@@ -7961,6 +8012,23 @@
+@@ -7961,6 +8082,23 @@
TBA
@@ -915,3 +1449,61 @@ Index: lib/Net/SSLeay.pod
=back
+Index: MANIFEST
+===================================================================
+--- a/MANIFEST (revision 465)
++++ b/MANIFEST (working copy)
+@@ -113,5 +113,7 @@
+ t/local/50_digest.t
+ t/local/61_threads-cb-crash.t
+ t/local/62_threads-ctx_new-deadlock.t
++t/local/63_ec_key_generate_key.t
++t/local/64_ticket_sharing.t
+ t/local/kwalitee.t
+ typemap
+Index: Changes
+===================================================================
+--- a/Changes (revision 465)
++++ b/Changes (working copy)
+@@ -1,5 +1,41 @@
+ Revision history for Perl extension Net::SSLeay.
+
++1.75 ?????
++ Compatibility with OpenSSL 1.1, tested with openssl-1.1.0-pre5:
++ - Conditionally remove threading locking code, not needed in 1.1
++ - Rewrite code that accesses inside X509_ATTRIBUTE struct.
++ - SSL_CTX_need_tmp_RSA, SSL_CTX_set_tmp_rsa,
++ SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback support
++ not available in 1.1.
++ - SSL_session_reused is now native
++ - SSL_get_keyblock_size modifed to use new API
++ - OCSP functions modified to use new API under 1.1
++ - SSL_set_state removed with 1.1
++ - SSL_get_state and SSL_state are now equivalent and available in all
++ versions
++ - SSL_CTX_v2_new removed
++ - SESSION_set_master_key removed with 1.1. Code that previously used
++ SESSION_set_master_key must now set $secret in the session_secret
++ callback set with SSL_set_session_secret_cb
++ - With 1.1, $secret in the session_secret
++ callback set with SSL_set_session_secret_cb can be changed to alter
++ the master key (required by EAP-FAST).
++ Added a function EC_KEY_generate_key similar to RSA_generate_key and a
++ function EVP_PKEY_assign_EC_KEY similar to EVP_PKEY_assign_RSA. Using
++ these functions it is easy to create and use EC keys in the same way as
++ RSA keys. Patch provided by Steffen Ullrich. Thanks Steffen.
++ Testing with LibreSSL 2.4.1, with compatibility patch from Steffen
++ Ullrich. Thanks Steffen.
++ Patch from Steffen Ulrich provides support for cross context (and cross process)
++ session sharing using the stateless TLS session tickets. It uses the
++ SSL_CTX_set_tlsext_ticket_key_cb function to manage the encryption and
++ decryption of the tickets but provides a more simplified
++ interface. Includes new function CTX_set_tlsext_ticket_getkey_cb.
++ To not conflict with the OpenSSL name in case the more complex interface
++ will be implemented ever the current simplified interface is called
++ slightly different: CTX_set_tlsext_ticket_*get*key_cb.
++ Added documentation about downloading latest version from SVN.
++
+ 1.74 2016-04-12
+ README.OSX was missing from the distribution
+
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libnet-ssleay-perl.git
More information about the Pkg-perl-cvs-commits
mailing list