rpms/perl-Net-SSLeay
7
0
Fork 0
Code Issues Pull Requests Releases Activity
349171cf2a
perl-Net-SSLeay/Net-SSLeay-1.90-OpenSSL3.patch

817 lines
34 KiB
Diff
Raw Blame History

This is a set of mostly-upstream changes to support use with
OpenSSL 3.0.
The only change not yet committed upstream is:
https://github.com/radiator-software/p5-net-ssleay/pull/273
(Change default cipher for PEM_get_string_PrivateKey)
diff -urp --unidirectional-new-file Net-SSLeay-1.90/lib/Net/SSLeay.pod Net-SSLeay-1.90.patched/lib/Net/SSLeay.pod
--- Net-SSLeay-1.90/lib/Net/SSLeay.pod 2021-01-21 15:14:11.000000000 +0000
+++ Net-SSLeay-1.90.patched/lib/Net/SSLeay.pod 2021-09-15 11:26:35.478846534 +0100
@@ -1711,7 +1711,7 @@ Converts public key $pk into PEM formatt
my $rv = Net::SSLeay::PEM_get_string_PrivateKey($pk, $passwd, $enc_alg);
# $pk - value corresponding to openssl's EVP_PKEY structure
# $passwd - [optional] (string) password to use for key encryption
- # $enc_alg - [optional] algorithm to use for key encryption (default: DES_CBC) - value corresponding to openssl's EVP_CIPHER structure
+ # $enc_alg - [optional] algorithm to use for key encryption (default: DES_EDE3_CBC) - value corresponding to openssl's EVP_CIPHER structure
#
# returns: PEM formatted string
@@ -4624,6 +4624,34 @@ When callback is undef, an existing call
Check openssl doc L<http://www.openssl.org/docs/ssl/SSL_CTX_set_info_callback.html|http://www.openssl.org/docs/ssl/SSL_CTX_set_info_callback.html>
+=item * set_msg_callback
+
+Sets the callback function, that can be used to obtain protocol messages information for $ssl during connection setup and use.
+When callback is undef, the callback setting currently valid for ctx is used.
+Note that set_msg_callback_arg is not provided as there is no need to explicitly set $arg, this is handled by set_msg_callback.
+
+ Net::SSLeay::set_msg_callback($ssl, $cb, [$arg]);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $cb - sub { my ($write_p,$version,$content_type,$buf,$len,$ssl,$arg) = @_; ... }
+ #
+ # returns: no return value
+
+Check openssl doc L<http://www.openssl.org/docs/manmaster/man3/SSL_set_msg_callback.html|http://www.openssl.org/docs/manmaster/man3/SSL_set_msg_callback.html>
+
+=item * CTX_set_msg_callback
+
+Sets the callback function on ctx, that can be used to obtain protocol messages information for ssl connection setup and use.
+When callback is undef, the existing callback will be disabled.
+Note that CTX_set_msg_callback_arg is not provided as there is no need to explicitly set $arg, this is handled by CTX_set_msg_callback.
+
+ Net::SSLeay::CTX_set_msg_callback($ssl, $cb, [$arg]);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $cb - sub { my ($write_p,$version,$content_type,$buf,$len,$ssl,$arg) = @_; ... }
+ #
+ # returns: no return value
+
+Check openssl doc L<http://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_msg_callback.html|http://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_msg_callback.html>
+
=item * set_pref_cipher
Sets the list of available ciphers for $ssl using the control string $str.
@@ -7507,6 +7535,10 @@ Net::SSLeay::X509_STORE_CTX_init($x509_s
# $x509_store - value corresponding to openssl's X509_STORE structure (optional)
# $x509 - value corresponding to openssl's X509 structure (optional)
# $chain - value corresponding to openssl's STACK_OF(X509) structure (optional)
+#
+# returns: 1 on success, 0 on failure
+#
+# Note: returns nothing with Net::SSLeay 1.90 and earlier.
Check openssl doc L<https://www.openssl.org/docs/man1.0.2/crypto/X509_STORE_CTX_init.html|https://www.openssl.org/docs/man1.0.2/crypto/X509_STORE_CTX_init.html>
diff -urp --unidirectional-new-file Net-SSLeay-1.90/Makefile.PL Net-SSLeay-1.90.patched/Makefile.PL
--- Net-SSLeay-1.90/Makefile.PL 2021-09-15 11:36:31.240135816 +0100
+++ Net-SSLeay-1.90.patched/Makefile.PL 2021-09-15 11:26:35.384847261 +0100
@@ -4,10 +4,22 @@ use strict;
use warnings;
use Config;
+use English qw( $OSNAME -no_match_vars );
use ExtUtils::MakeMaker;
use File::Basename ();
use File::Spec;
+use File::Spec::Functions qw(catfile);
use Symbol qw(gensym);
+use Text::Wrap;
+
+# According to http://cpanwiki.grango.org/wiki/CPANAuthorNotes, the ideal
+# behaviour to exhibit when a prerequisite does not exist is to use exit code 0
+# to ensure smoke testers stop immediately without reporting a FAIL; in all
+# other environments, we want to fail more loudly
+use constant MISSING_PREREQ => ( $ENV{AUTOMATED_TESTING} ? 0 : 1 );
+
+# Error messages displayed with alert() will be this many columns wide
+use constant ALERT_WIDTH => 78;
# Define this to one if you want to link the openssl libraries statically into
# the Net-SSLeay loadable object on Windows
@@ -34,7 +46,11 @@ my %eumm_args = (
VERSION_FROM => 'lib/Net/SSLeay.pm',
MIN_PERL_VERSION => '5.8.1',
CONFIGURE_REQUIRES => {
+ 'English' => '0',
'ExtUtils::MakeMaker' => '0',
+ 'File::Spec::Functions' => '0',
+ 'Text::Wrap' => '0',
+ 'constant' => '0',
},
TEST_REQUIRES => {
'Carp' => '0',
@@ -126,12 +142,38 @@ sub ssleay {
EOM
exit 0; # according https://wiki.cpantesters.org/wiki/CPANAuthorNotes this is best-practice when "missing library"
}
+
+ my $opts = ssleay_get_build_opts($prefix);
+
+ # Ensure libssl headers exist before continuing - compilation will fail
+ # without them
+ if ( !defined $opts->{inc_path} ) {
+ my $detail =
+ 'The libssl header files are required to build Net-SSLeay, but '
+ . 'they are missing from ' . $prefix . '. They would typically '
+ . 'reside in ' . catfile( $prefix, 'include', 'openssl' ) . '.';
+
+ if ( $OSNAME eq 'linux' ) {
+ $detail .=
+ "\n\n"
+ . 'If you are using the version of OpenSSL/LibreSSL packaged '
+ . 'by your Linux distribution, you may need to install the '
+ . 'corresponding "development" package via your package '
+ . 'manager (e.g. libssl-dev for OpenSSL on Debian and Ubuntu, '
+ . 'or openssl-devel for OpenSSL on Red Hat Enterprise Linux '
+ . 'and Fedora).';
+ }
+
+ alert( 'Could not find libssl headers', $detail );
+
+ exit MISSING_PREREQ;
+ }
+
check_openssl_version($prefix, $exec);
- my $opts = ssleay_get_build_opts($prefix, $exec);
my %args = (
CCCDLFLAGS => $opts->{cccdlflags},
OPTIMIZE => $opts->{optimize},
- INC => join(' ', map qq{-I"$_"}, @{$opts->{inc_paths}}),
+ INC => qq{-I"$opts->{inc_path}"},
LIBS => join(' ', (map '-L'.maybe_quote($_), @{$opts->{lib_paths}}), (map {"-l$_"} @{$opts->{lib_links}})),
);
# From HMBRAND to handle multple version of OPENSSL installed
@@ -145,15 +187,28 @@ EOM
sub maybe_quote { $_[0] =~ / / ? qq{"$_[0]"} : $_[0] }
sub ssleay_get_build_opts {
- my ($prefix, $exec) = @_;
+ my ($prefix) = @_;
my $opts = {
lib_links => [],
cccdlflags => '',
};
- for ("$prefix/include", "$prefix/inc32", '/usr/kerberos/include') {
- push @{$opts->{inc_paths}}, $_ if -f "$_/openssl/ssl.h";
+
+ my @try_includes = (
+ 'include' => sub { 1 },
+ 'inc32' => sub { $OSNAME eq 'MSWin32' },
+ );
+
+ while (
+ !defined $opts->{inc_path}
+ && defined( my $dir = shift @try_includes )
+ && defined( my $cond = shift @try_includes )
+ ) {
+ if ( $cond->() && -f "$prefix/$dir/openssl/ssl.h" ) {
+ $opts->{inc_path} = "$prefix/$dir";
+ }
}
+
for ($prefix, "$prefix/lib64", "$prefix/lib", "$prefix/out32dll") {
push @{$opts->{lib_paths}}, $_ if -d $_;
}
@@ -369,3 +424,21 @@ sub fixpath {
$text =~ s{\b/}{$sep}g;
return $text;
}
+
+sub alert {
+ my ( $err, $detail ) = @_;
+
+ local $Text::Wrap::columns = ALERT_WIDTH - 4;
+
+ print "\n";
+
+ print '*' x ALERT_WIDTH, "\n";
+ print '* ', uc($err), ' ' x ( ALERT_WIDTH - length($err) - 4 ), ' *', "\n";
+ print '*', ' ' x ( ALERT_WIDTH - 2 ), '*', "\n";
+
+ for ( split /\n/, Text::Wrap::wrap( '', '', $detail ) ) {
+ print '* ', $_, ' ' x ( ALERT_WIDTH - length($_) - 4 ), ' *', "\n";
+ }
+
+ print '*' x ALERT_WIDTH, "\n";
+}
diff -urp --unidirectional-new-file Net-SSLeay-1.90/MANIFEST Net-SSLeay-1.90.patched/MANIFEST
--- Net-SSLeay-1.90/MANIFEST 2021-01-21 21:05:03.000000000 +0000
+++ Net-SSLeay-1.90.patched/MANIFEST 2021-09-15 11:26:35.472846580 +0100
@@ -215,6 +215,7 @@ t/local/42_info_callback.t
t/local/43_misc_functions.t
t/local/44_sess.t
t/local/45_exporter.t
+t/local/46_msg_callback.t
t/local/50_digest.t
t/local/61_threads-cb-crash.t
t/local/62_threads-ctx_new-deadlock.t
diff -urp --unidirectional-new-file Net-SSLeay-1.90/SSLeay.xs Net-SSLeay-1.90.patched/SSLeay.xs
--- Net-SSLeay-1.90/SSLeay.xs 2021-01-21 15:14:11.000000000 +0000
+++ Net-SSLeay-1.90.patched/SSLeay.xs 2021-09-15 11:26:35.554845946 +0100
@@ -1474,6 +1474,71 @@ void ssleay_ctx_info_cb_invoke(const SSL
LEAVE;
}
+void ssleay_msg_cb_invoke(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)
+{
+ dSP;
+ SV *cb_func, *cb_data;
+
+ cb_func = cb_data_advanced_get(ssl, "ssleay_msg_cb!!func");
+ cb_data = cb_data_advanced_get(ssl, "ssleay_msg_cb!!data");
+
+ if ( ! SvROK(cb_func) || (SvTYPE(SvRV(cb_func)) != SVt_PVCV))
+ croak ("Net::SSLeay: ssleay_msg_cb_invoke called, but not set to point to any perl function.\n");
+
+ ENTER;
+ SAVETMPS;
+
+ PUSHMARK(SP);
+ XPUSHs(sv_2mortal(newSViv(write_p)));
+ XPUSHs(sv_2mortal(newSViv(version)));
+ XPUSHs(sv_2mortal(newSViv(content_type)));
+ XPUSHs(sv_2mortal(newSVpv((const char*)buf, len)));
+ XPUSHs(sv_2mortal(newSViv(len)));
+ XPUSHs(sv_2mortal(newSViv(PTR2IV(ssl))));
+ XPUSHs(sv_2mortal(newSVsv(cb_data)));
+ PUTBACK;
+
+ call_sv(cb_func, G_VOID);
+
+ SPAGAIN;
+ PUTBACK;
+ FREETMPS;
+ LEAVE;
+}
+
+void ssleay_ctx_msg_cb_invoke(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)
+{
+ dSP;
+ SV *cb_func, *cb_data;
+ SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
+
+ cb_func = cb_data_advanced_get(ctx, "ssleay_ctx_msg_cb!!func");
+ cb_data = cb_data_advanced_get(ctx, "ssleay_ctx_msg_cb!!data");
+
+ if ( ! SvROK(cb_func) || (SvTYPE(SvRV(cb_func)) != SVt_PVCV))
+ croak ("Net::SSLeay: ssleay_ctx_msg_cb_invoke called, but not set to point to any perl function.\n");
+
+ ENTER;
+ SAVETMPS;
+
+ PUSHMARK(SP);
+ XPUSHs(sv_2mortal(newSViv(write_p)));
+ XPUSHs(sv_2mortal(newSViv(version)));
+ XPUSHs(sv_2mortal(newSViv(content_type)));
+ XPUSHs(sv_2mortal(newSVpv((const char*)buf, len)));
+ XPUSHs(sv_2mortal(newSViv(len)));
+ XPUSHs(sv_2mortal(newSViv(PTR2IV(ssl))));
+ XPUSHs(sv_2mortal(newSVsv(cb_data)));
+ PUTBACK;
+
+ call_sv(cb_func, G_VOID);
+
+ SPAGAIN;
+ PUTBACK;
+ FREETMPS;
+ LEAVE;
+}
+
/*
* Support for tlsext_ticket_key_cb_invoke was already in 0.9.8 but it was
* broken in various ways during the various 1.0.0* versions.
@@ -1654,7 +1719,7 @@ void ssleay_ssl_ctx_sess_remove_cb_invok
/* ============= end of callback stuff, begin helper functions ============== */
-time_t ASN1_TIME_timet(ASN1_TIME *asn1t) {
+time_t ASN1_TIME_timet(ASN1_TIME *asn1t, time_t *gmtoff) {
struct tm t;
const char *p = (const char*) asn1t->data;
size_t msec = 0, tz = 0, i, l;
@@ -1720,7 +1785,14 @@ time_t ASN1_TIME_timet(ASN1_TIME *asn1t)
result = mktime(&t);
if (result == -1) return 0; /* broken time */
- return result + adj + ( t.tm_isdst ? 3600:0 );
+ result += adj;
+ if (gmtoff && *gmtoff == -1) {
+ *gmtoff = result - mktime(gmtime(&result));
+ result += *gmtoff;
+ } else {
+ result += result - mktime(gmtime(&result));
+ }
+ return result;
}
X509 * find_issuer(X509 *cert,X509_STORE *store, STACK_OF(X509) *chain) {
@@ -4103,7 +4175,7 @@ X509V3_EXT_d2i(ext)
X509_STORE_CTX *
X509_STORE_CTX_new()
-void
+int
X509_STORE_CTX_init(ctx, store=NULL, x509=NULL, chain=NULL)
X509_STORE_CTX * ctx
X509_STORE * store
@@ -4336,6 +4408,10 @@ ASN1_TIME_free(s)
time_t
ASN1_TIME_timet(s)
ASN1_TIME *s
+ CODE:
+ RETVAL = ASN1_TIME_timet(s,NULL);
+ OUTPUT:
+ RETVAL
ASN1_TIME *
ASN1_TIME_new()
@@ -4556,7 +4632,7 @@ PEM_get_string_PrivateKey(pk,passwd=NULL
if (passwd_len>0) {
/* encrypted key */
if (!enc_alg)
- PEM_write_bio_PrivateKey(bp,pk,EVP_des_cbc(),(unsigned char *)passwd,passwd_len,cb,u);
+ PEM_write_bio_PrivateKey(bp,pk,EVP_des_ede3_cbc(),(unsigned char *)passwd,passwd_len,cb,u);
else
PEM_write_bio_PrivateKey(bp,pk,enc_alg,(unsigned char *)passwd,passwd_len,cb,u);
}
@@ -5447,6 +5523,39 @@ SSL_CTX_set_info_callback(ctx,callback,d
SSL_CTX_set_info_callback(ctx, ssleay_ctx_info_cb_invoke);
}
+void
+SSL_set_msg_callback(ssl,callback,data=&PL_sv_undef)
+ SSL * ssl
+ SV * callback
+ SV * data
+ CODE:
+ if (callback==NULL || !SvOK(callback)) {
+ SSL_set_msg_callback(ssl, NULL);
+ cb_data_advanced_put(ssl, "ssleay_msg_cb!!func", NULL);
+ cb_data_advanced_put(ssl, "ssleay_msg_cb!!data", NULL);
+ } else {
+ cb_data_advanced_put(ssl, "ssleay_msg_cb!!func", newSVsv(callback));
+ cb_data_advanced_put(ssl, "ssleay_msg_cb!!data", newSVsv(data));
+ SSL_set_msg_callback(ssl, ssleay_msg_cb_invoke);
+ }
+
+void
+SSL_CTX_set_msg_callback(ctx,callback,data=&PL_sv_undef)
+ SSL_CTX * ctx
+ SV * callback
+ SV * data
+ CODE:
+ if (callback==NULL || !SvOK(callback)) {
+ SSL_CTX_set_msg_callback(ctx, NULL);
+ cb_data_advanced_put(ctx, "ssleay_ctx_msg_cb!!func", NULL);
+ cb_data_advanced_put(ctx, "ssleay_ctx_msg_cb!!data", NULL);
+ } else {
+ cb_data_advanced_put(ctx, "ssleay_ctx_msg_cb!!func", newSVsv(callback));
+ cb_data_advanced_put(ctx, "ssleay_ctx_msg_cb!!data", newSVsv(data));
+ SSL_CTX_set_msg_callback(ctx, ssleay_ctx_msg_cb_invoke);
+ }
+
+
int
SSL_set_purpose(s,purpose)
SSL * s
@@ -6172,7 +6281,7 @@ SSL_total_renegotiations(ssl)
OUTPUT:
RETVAL
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
void
SSL_SESSION_get_master_key(s)
SSL_SESSION * s
@@ -7348,6 +7457,7 @@ OCSP_response_results(rsp,...)
OCSP_BASICRESP *bsr;
int i,want_array;
time_t nextupd = 0;
+ time_t gmtoff = -1;
int getall,sksn;
bsr = OCSP_response_get1_basic(rsp);
@@ -7440,15 +7550,15 @@ OCSP_response_results(rsp,...)
hv_store(details,"statusType",10,
newSViv(status),0);
if (nextupdate) hv_store(details,"nextUpdate",10,
- newSViv(ASN1_TIME_timet(nextupdate)),0);
+ newSViv(ASN1_TIME_timet(nextupdate, &gmtoff)),0);
if (thisupdate) hv_store(details,"thisUpdate",10,
- newSViv(ASN1_TIME_timet(thisupdate)),0);
+ newSViv(ASN1_TIME_timet(thisupdate, &gmtoff)),0);
if (status == V_OCSP_CERTSTATUS_REVOKED) {
#if OPENSSL_VERSION_NUMBER < 0x10100000L
OCSP_REVOKEDINFO *rev = sir->certStatus->value.revoked;
revocationReason = ASN1_ENUMERATED_get(rev->revocationReason);
#endif
- hv_store(details,"revocationTime",14,newSViv(ASN1_TIME_timet(revocationTime)),0);
+ hv_store(details,"revocationTime",14,newSViv(ASN1_TIME_timet(revocationTime, &gmtoff)),0);
hv_store(details,"revocationReason",16,newSViv(revocationReason),0);
hv_store(details,"revocationReason_str",20,newSVpv(
OCSP_crl_reason_str(revocationReason),0),0);
@@ -7457,7 +7567,7 @@ OCSP_response_results(rsp,...)
XPUSHs(sv_2mortal(newRV_noinc((SV*)idav)));
} else if (!error) {
/* compute lowest nextUpdate */
- time_t nu = ASN1_TIME_timet(nextupdate);
+ time_t nu = ASN1_TIME_timet(nextupdate, &gmtoff);
if (!nextupd || nextupd>nu) nextupd = nu;
}
diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/30_error.t Net-SSLeay-1.90.patched/t/local/30_error.t
--- Net-SSLeay-1.90/t/local/30_error.t 2020-11-18 09:12:44.000000000 +0000
+++ Net-SSLeay-1.90.patched/t/local/30_error.t 2021-09-15 11:26:35.571845815 +0100
@@ -12,6 +12,14 @@ if ($@) {
initialise_libssl();
+# See below near 'sub put_err' for more about how error string and
+# erro code contents have changed between library versions.
+my $err_string = "foo $$: 1 - error:10000080:BIO routines:";
+$err_string = "foo $$: 1 - error:20000080:BIO routines:"
+ if Net::SSLeay::SSLeay_version(Net::SSLeay::SSLEAY_VERSION()) =~ m/^OpenSSL 3.0.0-alpha[1-4] /s;
+$err_string = "foo $$: 1 - error:2006D080:BIO routines:"
+ if (Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") || Net::SSLeay::constant("OPENSSL_VERSION_NUMBER") < 0x30000000);
+
# Note, die_now usually just prints the process id and the argument string eg:
# 57611: test
# but on some systems, perhaps if diagnostics are enabled, it might [roduce something like:
@@ -55,22 +63,42 @@ initialise_libssl();
throws_ok(sub {
Net::SSLeay::die_now('foo');
}, qr/^$$: foo\n$/, 'die_now dies with errors and trace');
- }, qr/foo $$: 1 - error:2006d080/i, 'die_now raises warnings about the occurred error when tracing');
+ }, qr/$err_string/i, 'die_now raises warnings about the occurred error when tracing');
put_err();
warning_like(sub {
throws_ok(sub {
Net::SSLeay::die_if_ssl_error('foo');
}, qr/^$$: foo\n$/, 'die_if_ssl_error dies with errors and trace');
- }, qr/foo $$: 1 - error:2006d080/i, 'die_if_ssl_error raises warnings about the occurred error when tracing');
+ }, qr/$err_string/i, 'die_if_ssl_error raises warnings about the occurred error when tracing');
}
+# The resulting error strings looks something like below. The number
+# after 'foo' is the process id. OpenSSL 3.0.0 drops function name and
+# changes how error code is packed.
+# - OpenSSL 3.0.0: foo 61488: 1 - error:10000080:BIO routines::no such file
+# - OpenSSL 3.0.0-alpha5: foo 16380: 1 - error:10000080:BIO routines::no such file
+# - OpenSSL 3.0.0-alpha1: foo 16293: 1 - error:20000080:BIO routines::no such file
+# - OpenSSL 1.1.1l: foo 61202: 1 - error:2006D080:BIO routines:BIO_new_file:no such file
+# - OpenSSL 1.1.0l: foo 61295: 1 - error:2006D080:BIO routines:BIO_new_file:no such file
+# - OpenSSL 1.0.2u: foo 61400: 1 - error:2006D080:BIO routines:BIO_new_file:no such file
+# - OpenSSL 1.0.1u: foo 13621: 1 - error:2006D080:BIO routines:BIO_new_file:no such file
+# - OpenSSL 1.0.0t: foo 14349: 1 - error:2006D080:BIO routines:BIO_new_file:no such file
+# - OpenSSL 0.9.8zh: foo 14605: 1 - error:2006D080:BIO routines:BIO_new_file:no such file
+# - OpenSSL 0.9.8f: foo 14692: 1 - error:2006D080:BIO routines:BIO_new_file:no such file
+#
+# 1.1.1 series and earlier create error by ORing together lib, func
+# and reason with 24 bit left shift, 12 bit left shift and without bit
+# shift, respectively.
+# 3.0.0 alpha1 drops function name from error string and alpha5
+# changes bit shift of lib to 23.
+# LibreSSL 2.5.1 drops function name from error string.
sub put_err {
Net::SSLeay::ERR_put_error(
- 32, #lib
- 109, #func
- 128, #reason
- 1, #file
- 1, #line
+ 32, #lib - 0x20 ERR_LIB_BIO 'BIO routines'
+ 109, #func - 0x6D BIO_F_BIO_NEW_FILE 'BIO_new_file'
+ 128, #reason - 0x80 BIO_R_NO_SUCH_FILE 'no such file'
+ 1, #file - file name (not packed into error code)
+ 1, #line - line number (not packed into error code)
);
}
diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/32_x509_get_cert_info.t Net-SSLeay-1.90.patched/t/local/32_x509_get_cert_info.t
--- Net-SSLeay-1.90/t/local/32_x509_get_cert_info.t 2020-11-18 09:12:44.000000000 +0000
+++ Net-SSLeay-1.90.patched/t/local/32_x509_get_cert_info.t 2021-09-15 11:26:35.398847153 +0100
@@ -8,8 +8,8 @@ use Test::Net::SSLeay qw(
use lib '.';
my $tests = ( is_openssl() && Net::SSLeay::SSLeay < 0x10100003 ) || is_libressl()
- ? 721
- : 724;
+ ? 723
+ : 726;
plan tests => $tests;
@@ -190,7 +190,7 @@ for my $f (keys (%$dump)) {
Net::SSLeay::SSLeay < 0x30000000
|| (
Net::SSLeay::SSLeay == 0x30000000
- && Net::SSLeay::SSLeay_version( Net::SSLeay::SSLEAY_VERSION() ) =~ /-alpha1/
+ && Net::SSLeay::SSLeay_version( Net::SSLeay::SSLEAY_VERSION() ) =~ /-alpha1\ /
)
)
) {
@@ -373,8 +373,8 @@ Net::SSLeay::X509_STORE_CTX_set_cert($ct
my $ca_filename = data_file_path('root-ca.cert.pem');
my $ca_bio = Net::SSLeay::BIO_new_file($ca_filename, 'rb');
my $ca_x509 = Net::SSLeay::PEM_read_bio_X509($ca_bio);
-Net::SSLeay::X509_STORE_add_cert($x509_store,$ca_x509);
-Net::SSLeay::X509_STORE_CTX_init($ctx, $x509_store, $x509);
+is (Net::SSLeay::X509_STORE_add_cert($x509_store,$ca_x509), 1, 'X509_STORE_add_cert');
+is (Net::SSLeay::X509_STORE_CTX_init($ctx, $x509_store, $x509), 1, 'X509_STORE_CTX_init');
SKIP: {
skip('X509_STORE_CTX_get0_cert requires OpenSSL 1.1.0-pre5+ or LibreSSL 2.7.0+', 1) unless defined (&Net::SSLeay::X509_STORE_CTX_get0_cert);
ok (my $x509_from_cert = Net::SSLeay::X509_STORE_CTX_get0_cert($ctx),'Get x509 from store ctx');
diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/36_verify.t Net-SSLeay-1.90.patched/t/local/36_verify.t
--- Net-SSLeay-1.90/t/local/36_verify.t 2021-01-16 17:16:40.000000000 +0000
+++ Net-SSLeay-1.90.patched/t/local/36_verify.t 2021-09-15 11:26:35.376847323 +0100
@@ -7,7 +7,7 @@ use Test::Net::SSLeay qw(
can_fork data_file_path initialise_libssl is_libressl is_openssl tcp_socket
);
-plan tests => 103;
+plan tests => 105;
initialise_libssl();
@@ -223,7 +223,7 @@ sub verify_local_trust {
ok(my $store = Net::SSLeay::X509_STORE_new(), "X509_STORE_new creates new store");
ok(Net::SSLeay::X509_STORE_add_cert($store, $ca), "X509_STORE_add_cert CA cert");
ok(my $ctx = Net::SSLeay::X509_STORE_CTX_new(), "X509_STORE_CTX_new creates new store context");
- Net::SSLeay::X509_STORE_CTX_init($ctx, $store, $cert);
+ is(Net::SSLeay::X509_STORE_CTX_init($ctx, $store, $cert), 1, 'X509_STORE_CTX_init succeeds');
ok(!Net::SSLeay::X509_verify_cert($ctx), 'X509_verify_cert correctly fails');
is(Net::SSLeay::X509_STORE_CTX_get_error($ctx),
Net::SSLeay::X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY(), "X509_STORE_CTX_get_error returns unable to get local issuer certificate");
@@ -241,7 +241,7 @@ sub verify_local_trust {
ok($store = Net::SSLeay::X509_STORE_new(), "X509_STORE_new creates new store");
ok(Net::SSLeay::X509_STORE_add_cert($store, $ca), "X509_STORE_add_cert CA cert");
ok($ctx = Net::SSLeay::X509_STORE_CTX_new(), "X509_STORE_CTX_new creates new store context");
- Net::SSLeay::X509_STORE_CTX_init($ctx, $store, $cert, $x509_sk);
+ is(Net::SSLeay::X509_STORE_CTX_init($ctx, $store, $cert, $x509_sk), 1, 'X509_STORE_CTX_init succeeds');
ok(Net::SSLeay::X509_verify_cert($ctx), 'X509_verify_cert correctly succeeds');
is(Net::SSLeay::X509_STORE_CTX_get_error($ctx), Net::SSLeay::X509_V_OK(), "X509_STORE_CTX_get_error returns ok");
Net::SSLeay::X509_STORE_free($store);
diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/39_pkcs12.t Net-SSLeay-1.90.patched/t/local/39_pkcs12.t
--- Net-SSLeay-1.90/t/local/39_pkcs12.t 2020-11-18 09:12:44.000000000 +0000
+++ Net-SSLeay-1.90.patched/t/local/39_pkcs12.t 2021-09-15 11:26:35.468846611 +0100
@@ -3,7 +3,7 @@ use lib 'inc';
use Net::SSLeay;
use Test::Net::SSLeay qw( data_file_path initialise_libssl );
-plan tests => 19;
+plan tests => 17;
initialise_libssl();
@@ -36,12 +36,24 @@ my $filename3 = data_file_path('simple-c
my $ca1_subj_name = Net::SSLeay::X509_get_subject_name($cachain[0]);
my $ca2_subj_name = Net::SSLeay::X509_get_subject_name($cachain[1]);
is(Net::SSLeay::X509_NAME_oneline($subj_name), '/C=PL/O=Net-SSLeay/OU=Test Suite/CN=simple-cert.net-ssleay.example', "X509_NAME_oneline [2/1]");
- like(Net::SSLeay::X509_NAME_oneline($ca1_subj_name), qr/C=.*CN=.*/, "X509_NAME_oneline [2/2]");
- like(Net::SSLeay::X509_NAME_oneline($ca2_subj_name), qr/C=.*CN=.*/, "X509_NAME_oneline [2/3]");
- SKIP: {
- skip("cert order in CA chain is different in openssl pre-1.0.0", 2) unless Net::SSLeay::SSLeay >= 0x01000000;
- is(Net::SSLeay::X509_NAME_oneline($ca1_subj_name), '/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Root CA', "X509_NAME_oneline [2/4]");
- is(Net::SSLeay::X509_NAME_oneline($ca2_subj_name), '/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Intermediate CA', "X509_NAME_oneline [2/5]");
+ # OpenSSL versions 1.0.0-beta2 to 3.0.0-alpha6 inclusive and all versions of
+ # LibreSSL return the CA certificate chain with the root CA certificate at the
+ # end; all other versions return the certificate chain with the root CA
+ # certificate at the start
+ if (
+ Net::SSLeay::SSLeay < 0x10000002
+ || (
+ Net::SSLeay::SSLeay == 0x30000000
+ && Net::SSLeay::SSLeay_version( Net::SSLeay::SSLEAY_VERSION() ) !~ /-alpha[1-6] /
+ )
+ || Net::SSLeay::SSLeay > 0x30000000
+ ) {
+ is(Net::SSLeay::X509_NAME_oneline($ca1_subj_name), '/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Intermediate CA', "X509_NAME_oneline [2/3]");
+ is(Net::SSLeay::X509_NAME_oneline($ca2_subj_name), '/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Root CA', "X509_NAME_oneline [2/4]");
+ }
+ else {
+ is(Net::SSLeay::X509_NAME_oneline($ca1_subj_name), '/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Root CA', "X509_NAME_oneline [2/3]");
+ is(Net::SSLeay::X509_NAME_oneline($ca2_subj_name), '/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Intermediate CA', "X509_NAME_oneline [2/4]");
}
}
diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/43_misc_functions.t Net-SSLeay-1.90.patched/t/local/43_misc_functions.t
--- Net-SSLeay-1.90/t/local/43_misc_functions.t 2021-01-21 15:14:11.000000000 +0000
+++ Net-SSLeay-1.90.patched/t/local/43_misc_functions.t 2021-09-15 11:26:35.563845877 +0100
@@ -245,6 +245,17 @@ sub client_test_ciphersuites
my $ciphersuites = join(':', keys(%tls_1_3_aead_cipher_to_keyblock_size));
+ # In OpenSSL 3.0.0 alpha 11 (commit c1e8a0c66e32b4144fdeb49bd5ff7acb76df72b9)
+ # SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() were
+ # changed to ignore unknown ciphers
+ my $ret_partially_bad_ciphersuites = 1;
+ if (Net::SSLeay::SSLeay() == 0x30000000) {
+ my $ssleay_version = Net::SSLeay::SSLeay_version(Net::SSLeay::SSLEAY_VERSION());
+ $ret_partially_bad_ciphersuites = 0 if ($ssleay_version =~ m/-alpha(\d+)/s) && $1 < 11;
+ } elsif (Net::SSLeay::SSLeay() < 0x30000000) {
+ $ret_partially_bad_ciphersuites = 0;
+ }
+
my ($ctx, $rv, $ssl);
$ctx = Net::SSLeay::CTX_new();
$rv = Net::SSLeay::CTX_set_ciphersuites($ctx, $ciphersuites);
@@ -257,7 +268,7 @@ sub client_test_ciphersuites
};
is($rv, 1, 'CTX set undef ciphersuites');
$rv = Net::SSLeay::CTX_set_ciphersuites($ctx, 'nosuchthing:' . $ciphersuites);
- is($rv, 0, 'CTX set partially bad ciphersuites');
+ is($rv, $ret_partially_bad_ciphersuites, 'CTX set partially bad ciphersuites');
$rv = Net::SSLeay::CTX_set_ciphersuites($ctx, 'nosuchthing:');
is($rv, 0, 'CTX set bad ciphersuites');
@@ -272,7 +283,7 @@ sub client_test_ciphersuites
};
is($rv, 1, 'SSL set undef ciphersuites');
$rv = Net::SSLeay::set_ciphersuites($ssl, 'nosuchthing:' . $ciphersuites);
- is($rv, 0, 'SSL set partially bad ciphersuites');
+ is($rv, $ret_partially_bad_ciphersuites, 'SSL set partially bad ciphersuites');
$rv = Net::SSLeay::set_ciphersuites($ssl, 'nosuchthing:');
is($rv, 0, 'SSL set bad ciphersuites');
diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/44_sess.t Net-SSLeay-1.90.patched/t/local/44_sess.t
--- Net-SSLeay-1.90/t/local/44_sess.t 2020-12-12 13:55:23.000000000 +0000
+++ Net-SSLeay-1.90.patched/t/local/44_sess.t 2021-09-15 11:26:35.567845846 +0100
@@ -163,6 +163,8 @@ sub server
$ctx = new_ctx( $proto, $proto );
+ Net::SSLeay::CTX_set_security_level($ctx, 0)
+ if Net::SSLeay::SSLeay() >= 0x30000000 && ($proto eq 'TLSv1' || $proto eq 'TLSv1.1');
Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem);
Net::SSLeay::CTX_set_session_cache_mode($ctx, Net::SSLeay::SESS_CACHE_SERVER());
# Need OP_NO_TICKET to enable server side (Session ID based) resumption.
@@ -243,6 +245,8 @@ sub client {
$ctx = new_ctx( $proto, $proto );
+ Net::SSLeay::CTX_set_security_level($ctx, 0)
+ if Net::SSLeay::SSLeay() >= 0x30000000 && ($proto eq 'TLSv1' || $proto eq 'TLSv1.1');
Net::SSLeay::CTX_set_session_cache_mode($ctx, Net::SSLeay::SESS_CACHE_CLIENT());
Net::SSLeay::CTX_set_options($ctx, Net::SSLeay::OP_ALL());
Net::SSLeay::CTX_sess_set_new_cb($ctx, sub {client_new_cb(@_, $ctx, $round);});
@@ -250,7 +254,10 @@ sub client {
$ssl = Net::SSLeay::new($ctx);
Net::SSLeay::set_fd($ssl, $cl);
- Net::SSLeay::connect($ssl);
+ my $ret = Net::SSLeay::connect($ssl);
+ if ($ret <= 0) {
+ diag("Protocol $proto, connect() returns $ret, Error: ".Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error()));
+ }
my $msg = Net::SSLeay::read($ssl);
#print "server said: $msg\n";
diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/45_exporter.t Net-SSLeay-1.90.patched/t/local/45_exporter.t
--- Net-SSLeay-1.90/t/local/45_exporter.t 2020-12-12 13:55:23.000000000 +0000
+++ Net-SSLeay-1.90.patched/t/local/45_exporter.t 2021-09-15 11:26:35.567845846 +0100
@@ -56,6 +56,8 @@ sub server
$ctx = new_ctx( $round, $round );
+ Net::SSLeay::CTX_set_security_level($ctx, 0)
+ if Net::SSLeay::SSLeay() >= 0x30000000 && ($round eq 'TLSv1' || $round eq 'TLSv1.1');
Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem);
$ssl = Net::SSLeay::new($ctx);
Net::SSLeay::set_fd($ssl, fileno($cl));
@@ -78,9 +80,14 @@ sub client {
my $cl = $server->connect();
my $ctx = new_ctx( $round, $round );
+ Net::SSLeay::CTX_set_security_level($ctx, 0)
+ if Net::SSLeay::SSLeay() >= 0x30000000 && ($round eq 'TLSv1' || $round eq 'TLSv1.1');
my $ssl = Net::SSLeay::new($ctx);
Net::SSLeay::set_fd( $ssl, $cl );
- Net::SSLeay::connect($ssl);
+ my $ret = Net::SSLeay::connect($ssl);
+ if ($ret <= 0) {
+ diag("Protocol $round, connect() returns $ret, Error: ".Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error()));
+ }
my $msg = Net::SSLeay::read($ssl);
diff -urp --unidirectional-new-file Net-SSLeay-1.90/t/local/46_msg_callback.t Net-SSLeay-1.90.patched/t/local/46_msg_callback.t
--- Net-SSLeay-1.90/t/local/46_msg_callback.t 1970-01-01 01:00:00.000000000 +0100
+++ Net-SSLeay-1.90.patched/t/local/46_msg_callback.t 2021-09-15 11:26:35.478846534 +0100
@@ -0,0 +1,114 @@
+use lib 'inc';
+
+use Net::SSLeay;
+use Test::Net::SSLeay qw(
+ can_fork data_file_path initialise_libssl new_ctx tcp_socket
+);
+
+if (not can_fork()) {
+ plan skip_all => "fork() not supported on this system";
+} else {
+ plan tests => 10;
+}
+
+initialise_libssl();
+
+my $pid;
+alarm(30);
+END { kill 9,$pid if $pid }
+
+my $server = tcp_socket();
+
+{
+ # SSL server - just handle single connect and shutdown connection
+ my $cert_pem = data_file_path('simple-cert.cert.pem');
+ my $key_pem = data_file_path('simple-cert.key.pem');
+
+ defined($pid = fork()) or BAIL_OUT("failed to fork: $!");
+ if ($pid == 0) {
+ for(qw(ctx ssl)) {
+ my $cl = $server->accept();
+ my $ctx = new_ctx();
+ Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem);
+ my $ssl = Net::SSLeay::new($ctx);
+ Net::SSLeay::set_fd($ssl, fileno($cl));
+ Net::SSLeay::accept($ssl);
+ for(1,2) {
+ last if Net::SSLeay::shutdown($ssl)>0;
+ }
+ close($cl) || die("server close: $!");
+ }
+ $server->close() || die("server listen socket close: $!");
+ exit;
+ }
+}
+
+sub client {
+ my ($where) = @_;
+ # SSL client - connect and shutdown, all the while getting state updates
+ # with info callback
+
+ my @cb_data;
+ my @states;
+ my $msgcb = sub {
+ my ($write_p,$version,$content_type,$buf,$len,$ssl,$cb_data) = @_;
+ # buffer is of course randomized/timestamped, this is hard to test, so
+ # skip this
+ my $hex_buf = unpack("H*", $buf||'');
+
+ # version appears to be different running in different test envs that
+ # have a different openssl version, so we skip that too. This isn't a
+ # good test for that, and it's not up to Net::SSLeay to make all
+ # openssl implementations look the same
+
+ # the 3 things this sub needs to do:
+ # 1. not die
+ # 2. no memory leak
+ # 3. provide information
+ #
+ # The validness of the buffer can be checked, so we use this as a
+ # validation instead. This selftest is not here to validate the
+ # protocol and the intricacies of the possible implementation or
+ # version (ssl3 vs tls1 etc)
+
+ push @states,(defined $buf and length($buf) == $len)||0;
+
+ # cb_data can act as a check
+ push @cb_data, $cb_data;
+ };
+
+ my $cl = $server->connect();
+ my $ctx = new_ctx();
+ Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL);
+ Net::SSLeay::CTX_set_msg_callback($ctx, $msgcb, "CB_DATA") if $where eq 'ctx';
+ my $ssl = Net::SSLeay::new($ctx);
+ Net::SSLeay::set_fd($ssl, $cl);
+ Net::SSLeay::set_msg_callback($ssl, $msgcb, "CB_DATA") if $where eq 'ssl';
+ Net::SSLeay::connect($ssl);
+ for(1,2) {
+ last if Net::SSLeay::shutdown($ssl)>0;
+ }
+ close($cl) || die("client close: $!");
+
+ ok(scalar(@states) > 1, "at least 2 messages logged: $where");
+ my $all_ok = 1;
+ $all_ok &= $_ for @states;
+ is($all_ok, 1, "all states are OK: length(buf) = len for $where");
+
+ ok(scalar(@cb_data) > 1, "all cb data SV's are OK for $where (at least 2)");
+ my $all_cb_data_ok = 0;
+ $all_cb_data_ok++ for grep {$_ eq "CB_DATA"} grep {defined} @cb_data;
+ is(scalar(@cb_data), $all_cb_data_ok, "all cb data SV's are OK for $where");
+
+ eval {
+ Net::SSLeay::CTX_set_msg_callback($ctx, undef) if $where eq 'ctx';
+ Net::SSLeay::set_msg_callback($ssl, undef) if $where eq 'ssl';
+ };
+ is($@, '', "no error during set_msg_callback() for $where");
+}
+
+client('ctx');
+client('ssl');
+$server->close() || die("client listen socket close: $!");
+waitpid $pid, 0;
+
Reference in New Issue View Git Blame Copy Permalink