From a8323a2fca96c3fe6e4b78bbb9e29f913008829c Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Nov 03 2016 06:11:12 +0000
Subject: import perl-IO-Socket-SSL-1.94-5.el7


---

diff --git a/SOURCES/IO-Socket-SSL-1.94-Added-support-for-ECDH-key-exchange-with-key-SSL_ecd.patch b/SOURCES/IO-Socket-SSL-1.94-Added-support-for-ECDH-key-exchange-with-key-SSL_ecd.patch
new file mode 100644
index 0000000..43a3bc7
--- /dev/null
+++ b/SOURCES/IO-Socket-SSL-1.94-Added-support-for-ECDH-key-exchange-with-key-SSL_ecd.patch
@@ -0,0 +1,174 @@
+From 24fa6df5e1910269d86cb97bb5cef464fc3111ca Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Wed, 19 Mar 2014 12:54:22 +0100
+Subject: [PATCH] Added support for ECDH key exchange with key SSL_ecdh_curve
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is port of following upstream commit to 1.94 version:
+
+commit e067e09bf0c6b5844693169af75ec93b22bfa660
+Author: Steffen Ullrich <Steffen_Ullrich@genua.de>
+Date:   Fri Oct 11 18:50:01 2013 +0200
+
+    1.955 - added support for ECDH key exchange with key SSL_ecdh_curve
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ MANIFEST  |  1 +
+ SSL.pm    | 28 +++++++++++++++++++++++
+ t/ecdhe.t | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 107 insertions(+)
+ create mode 100644 t/ecdhe.t
+
+diff --git a/MANIFEST b/MANIFEST
+index afed6c6..3d97511 100644
+--- a/MANIFEST
++++ b/MANIFEST
+@@ -50,6 +50,7 @@ t/auto_verify_hostname.t
+ t/verify_hostname.t
+ t/sni.t
+ t/mitm.t
++t/ecdhe.t
+ util/export_certs.pl
+ META.yml                                 Module YAML meta-data (added by MakeMaker)
+ META.json                                Module JSON meta-data (added by MakeMaker)
+diff --git a/SSL.pm b/SSL.pm
+index bcf098f..ad18f7a 100644
+--- a/lib/IO/Socket/SSL.pm
++++ b/lib/IO/Socket/SSL.pm
+@@ -1756,6 +1756,25 @@ sub new {
+ 	    Net::SSLeay::DH_free( $dh );
+ 	    $rv || return IO::Socket::SSL->error( "Failed to set DH from $f" );
+ 	}
++
++	if ( my $curve = $arg_hash->{SSL_ecdh_curve} ) {
++	    return IO::Socket::SSL->error(
++		"ECDH curve needs Net::SSLeay>=1.56 and OpenSSL>=1.0")
++		if ! defined( &Net::SSLeay::CTX_set_tmp_ecdh );
++	    if ( $curve !~ /^\d+$/ ) {
++		# name of curve, find NID
++		$curve = Net::SSLeay::OBJ_txt2nid($curve) 
++		    || return IO::Socket::SSL->error(
++		    "cannot find NID for curve name '$curve'");
++	    }
++	    my $ecdh = Net::SSLeay::EC_KEY_new_by_curve_name($curve) or 
++		return IO::Socket::SSL->error(
++		"cannot create curve for NID $curve");
++	    Net::SSLeay::CTX_set_tmp_ecdh($ctx,$ecdh) or
++		return IO::Socket::SSL->error(
++		"failed to set ECDH curve context");
++	    Net::SSLeay::EC_KEY_free($ecdh);
++	}
+     }
+ 
+     my $verify_cb = $arg_hash->{SSL_verify_callback};
+@@ -2158,11 +2177,20 @@ C<SSL_key> option.
+ 
+ If you want Diffie-Hellman key exchange you need to supply a suitable file here
+ or use the SSL_dh parameter. See dhparam command in openssl for more information.
++To create a server which provides perfect forward secrecy you need to either
++give the DH parameters or (better, because faster) the ECDH curve.
+ 
+ =item SSL_dh
+ 
+ Like SSL_dh_file, but instead of giving a file you use a preloaded or generated DH*.
+ 
++=item SSL_ecdh_curve
++
++If you want Elliptic Curve Diffie-Hellmann key exchange you need to supply the
++OID or NID of a suitable curve (like 'prime256v1') here.
++To create a server which provides perfect forward secrecy you need to either
++give the DH parameters or (better, because faster) the ECDH curve.
++
+ =item SSL_passwd_cb
+ 
+ If your private key is encrypted, you might not want the default password prompt from
+diff --git a/t/ecdhe.t b/t/ecdhe.t
+new file mode 100644
+index 0000000..40aed59
+--- /dev/null
++++ b/t/ecdhe.t
+@@ -0,0 +1,78 @@
++#!perl
++# Before `make install' is performed this script should be runnable with
++# `make test'. After `make install' it should work as `perl t/ecdhe.t'
++
++use strict;
++use warnings;
++use Net::SSLeay;
++use Socket;
++use IO::Socket::SSL;
++
++if ( grep { $^O =~m{$_} } qw( MacOS VOS vmesa riscos amigaos ) ) {
++    print "1..0 # Skipped: fork not implemented on this platform\n";
++    exit
++}
++
++if ( ! defined &Net::SSLeay::CTX_set_tmp_ecdh ) {
++    print "1..0 # Skipped: no support for ecdh with this openssl/Net::SSLeay\n";
++    exit
++}
++
++$|=1;
++print "1..4\n";
++
++# first create simple ssl-server
++my $ID = 'server';
++my $addr = '127.0.0.1';
++my $server = IO::Socket::SSL->new(
++    LocalAddr => $addr,
++    Listen => 2,
++    ReuseAddr => 1,
++    SSL_cert_file => "certs/server-cert.pem",
++    SSL_key_file  => "certs/server-key.pem",
++    SSL_ecdh_curve => 'prime256v1',
++) || do {
++    notok($!);
++    exit
++};
++ok("Server Initialization");
++
++# add server port to addr
++$addr.= ':'.(sockaddr_in( getsockname( $server )))[0];
++
++my $pid = fork();
++if ( !defined $pid ) {
++    die $!; # fork failed
++
++} elsif ( !$pid ) {    ###### Client
++
++    $ID = 'client';
++    close($server);
++    my $to_server = IO::Socket::SSL->new(
++	PeerAddr => $addr,
++	SSL_verify_mode => 0 ) || do {
++	notok( "connect failed: $SSL_ERROR" );
++	exit
++    };
++    ok( "client connected" );
++
++    my $cipher = $to_server->get_cipher();
++    if ( $cipher !~m/^ECDHE-/ ) {
++	notok("bad key exchange: $cipher");
++	exit;
++    }
++    ok("ecdh key exchange: $cipher");
++
++} else {                ###### Server
++
++    my $to_client = $server->accept || do {
++	notok( "accept failed: $SSL_ERROR" );
++	kill(9,$pid);
++	exit;
++    };
++    ok( "Server accepted" );
++    wait;
++}
++
++sub ok { print "ok # [$ID] @_\n"; }
++sub notok { print "not ok # [$ID] @_\n"; }
+-- 
+1.8.5.3
+
diff --git a/SOURCES/IO-Socket-SSL-1.94-Fix-typo-key-free.patch b/SOURCES/IO-Socket-SSL-1.94-Fix-typo-key-free.patch
new file mode 100644
index 0000000..f66c900
--- /dev/null
+++ b/SOURCES/IO-Socket-SSL-1.94-Fix-typo-key-free.patch
@@ -0,0 +1,11 @@
+--- a/lib/IO/Socket/SSL/Utils.pm
++++ b/lib/IO/Socket/SSL/Utils.pm
+@@ -94,7 +94,7 @@ sub CERT_free {
+ 
+ sub KEY_free {
+     my $key = shift or return;
+-    Net::SSLeay::EVP_KEY_free($key);
++    Net::SSLeay::EVP_PKEY_free($key);
+ }
+ 
+ sub KEY_create_rsa {
diff --git a/SOURCES/IO-Socket-SSL-1.94-Respect-OpenSSL-default-ciphers-and-protocol-versions.patch b/SOURCES/IO-Socket-SSL-1.94-Respect-OpenSSL-default-ciphers-and-protocol-versions.patch
new file mode 100644
index 0000000..6b95469
--- /dev/null
+++ b/SOURCES/IO-Socket-SSL-1.94-Respect-OpenSSL-default-ciphers-and-protocol-versions.patch
@@ -0,0 +1,88 @@
+From ffa8a34d793707a8a05652908b69fea7faeede7c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Thu, 7 Aug 2014 10:36:40 +0200
+Subject: [PATCH] Respect OpenSSL default ciphers and protocol versions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If application did not specified cipher or protocol version,
+IO::Socket::SSL set them to 'ALL:!LOW' and 'SSLv23:!SSLv2'. This
+undermined global cryptogphic setting.
+
+This patch disables these defaults hard-coded into IO::Socket::SSL and
+leves the decision on OpenSSL.
+
+http://rt.cpan.org/Public/Bug/Display.html?id=97816
+https://bugzilla.redhat.com/show_bug.cgi?id=1127322
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ lib/IO/Socket/SSL.pm | 13 +++++++------
+ t/dhe.t              |  1 +
+ 2 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
+index 3e02e8f..eb4bd05 100644
+--- a/lib/IO/Socket/SSL.pm
++++ b/lib/IO/Socket/SSL.pm
+@@ -34,13 +34,13 @@ use constant SSL_RECEIVED_SHUTDOWN => 2;
+ # global defaults
+ my %DEFAULT_SSL_ARGS = (
+     SSL_check_crl => 0,
+-    SSL_version => 'SSLv23:!SSLv2',
++    SSL_version => '',
+     SSL_verify_callback => undef,
+     SSL_verifycn_scheme => undef,  # don't verify cn
+     SSL_verifycn_name => undef,    # use from PeerAddr/PeerHost
+     SSL_npn_protocols => undef,    # meaning depends whether on server or client side
+     SSL_honor_cipher_order => 0,   # client order gets preference
+-    SSL_cipher_list => 'ALL:!LOW',
++    SSL_cipher_list => undef,
+ 
+     # default for SSL_verify_mode should be SSL_VERIFY_PEER for client
+     # for now we keep the default of SSL_VERIFY_NONE but complain, if 
+@@ -1579,7 +1579,7 @@ sub new {
+ 	return $ctx_object if ($ctx_object = ${*$ctx_object}{'_SSL_ctx'});
+     }
+ 
+-    my $ver;
++    my $ver='';
+     my $disable_ver = 0;
+     for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
+ 	m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1[12]?))$}i 
+@@ -2049,7 +2049,8 @@ to the specified version. All values are case-insensitive.
+ 
+ You can limit to set of supported protocols by adding !version separated by ':'.
+ 
+-The default SSL_version is 'SSLv23:!SSLv2' which means, that SSLv2, SSLv3 and TLSv1 
++The default SSL_version is defined by underlying cryptographic library.
++E.g. 'SSLv23:!SSLv2' means, that SSLv2, SSLv3 and TLSv1
+ are supported for initial protocol handshakes, but SSLv2 will not be accepted, leaving 
+ only SSLv3 and TLSv1. You can also use !TLSv11 and !TLSv12 to disable TLS versions
+ 1.1 and 1.2 while allowing TLS version 1.0.
+@@ -2066,8 +2067,8 @@ given value, e.g. something like 'ALL:!LOW:!EXP:!ADH'. Look into the OpenSSL
+ documentation (L<http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS>)
+ for more details.
+ 
+-If this option is not set 'ALL:!LOW' will be used.
+-To use OpenSSL builtin default (whatever this is) set it to ''.
++If this option is not set or is set to '', OpenSSL builtin default (whatever
++this is) will be used.
+ 
+ =item SSL_honor_cipher_order
+ 
+diff --git a/t/dhe.t b/t/dhe.t
+index a2bf565..4010a26 100644
+--- a/t/dhe.t
++++ b/t/dhe.t
+@@ -55,6 +55,7 @@ if ( !defined $pid ) {
+     close($server);
+     my $to_server = IO::Socket::SSL->new( 
+ 	PeerAddr => $addr, 
++	SSL_cipher_list => 'ALL:RSA:!aRSA',
+ 	SSL_verify_mode => 0 ) || do {
+     	notok( "connect failed: $SSL_ERROR" );
+ 	exit
+-- 
+1.9.3
+
diff --git a/SPECS/perl-IO-Socket-SSL.spec b/SPECS/perl-IO-Socket-SSL.spec
index a7f39fd..231921a 100644
--- a/SPECS/perl-IO-Socket-SSL.spec
+++ b/SPECS/perl-IO-Socket-SSL.spec
@@ -1,6 +1,6 @@
 Name:           perl-IO-Socket-SSL
 Version:        1.94
-Release:        3%{?dist}
+Release:        5%{?dist}
 Summary:        Perl library for transparent SSL
 Group:          Development/Libraries
 License:        GPL+ or Artistic
@@ -8,6 +8,12 @@ URL:            http://search.cpan.org/dist/IO-Socket-SSL/
 Source0:        http://search.cpan.org/CPAN/authors/id/S/SU/SULLR/IO-Socket-SSL-%{version}.tar.gz
 # Correct error reporting, fixed in 1.953, CPAN RT#87052
 Patch0:         IO-Socket-SSL-1.94-1.953-RT-87052-fix-in-Utils.pm.patch
+# Respect OpenSSL default ciphers and protocol versions BZ#1127322
+Patch1:         IO-Socket-SSL-1.94-Respect-OpenSSL-default-ciphers-and-protocol-versions.patch
+# Fix typo in Utils.pm BZ#1097710
+Patch2:         IO-Socket-SSL-1.94-Fix-typo-key-free.patch
+# Add support for ECDH key exchange, in upstream 1.955, bug #1316377
+Patch3:         IO-Socket-SSL-1.94-Added-support-for-ECDH-key-exchange-with-key-SSL_ecd.patch
 BuildArch:      noarch
 BuildRequires:  openssl >= 0.9.8
 BuildRequires:  perl
@@ -49,6 +55,9 @@ mod_perl.
 %prep
 %setup -q -n IO-Socket-SSL-%{version}
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
 
 %build
 perl Makefile.PL INSTALLDIRS=vendor
@@ -70,6 +79,13 @@ make test
 %{_mandir}/man3/IO::Socket::SSL::Utils.3*
 
 %changelog
+* Thu Mar 10 2016 Jitka Plesnikova <jplesnik@redhat.com> - 1.94-5
+- Add support for ECDH key exchange (bug #1316377)
+
+* Fri Mar 04 2016 Jitka Plesnikova <jplesnik@redhat.com> - 1.94-4
+- Respect OpenSSL default ciphers and protocol versions (bug #1127322)
+- Fix typo in Utils.pm (bug #1097710)
+
 * Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 1.94-3
 - Mass rebuild 2013-12-27