From 070b8e186445a9cdb02383a1d6a6715d38996d61 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 05 2019 19:46:40 +0000
Subject: import perl-Net-SSLeay-1.88-1.el8
---
diff --git a/.gitignore b/.gitignore
index 52c4602..e9f8e26 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/Net-SSLeay-1.85.tar.gz
+SOURCES/Net-SSLeay-1.88.tar.gz
diff --git a/.perl-Net-SSLeay.metadata b/.perl-Net-SSLeay.metadata
index a393e8e..a07de89 100644
--- a/.perl-Net-SSLeay.metadata
+++ b/.perl-Net-SSLeay.metadata
@@ -1 +1 @@
-5f1c7b6ccac81efd5b78b1e076c694f96ca5c439 SOURCES/Net-SSLeay-1.85.tar.gz
+ab4a63502433b91b9a54504475d9df2ae2887714 SOURCES/Net-SSLeay-1.88.tar.gz
diff --git a/SOURCES/Net-SSLeay-1.85-Adapt-CTX_get_min_proto_version-tests-to-system-wide.patch b/SOURCES/Net-SSLeay-1.85-Adapt-CTX_get_min_proto_version-tests-to-system-wide.patch
deleted file mode 100644
index 0f26c6c..0000000
--- a/SOURCES/Net-SSLeay-1.85-Adapt-CTX_get_min_proto_version-tests-to-system-wide.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From a00a70b7195438c543191b69382ff20e452548bf Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
-Date: Mon, 13 Aug 2018 12:33:58 +0200
-Subject: [PATCH] Adapt CTX_get_min_proto_version tests to system-wide policy
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In our distribution, /etc/crypto-policies/back-ends/opensslcnf.config
-can override default minimal SSL/TLS protocol version. If it does,
-t/local/09_ctx_new.t test will fail because OpenSSL will return
-different then 0 value.
-
-This patch parses the configuration file and adjusts expect values in
-the test.
-
-Signed-off-by: Petr Písař
----
- t/local/09_ctx_new.t | 22 ++++++++++++++++++++--
- 1 file changed, 20 insertions(+), 2 deletions(-)
-
-diff --git a/t/local/09_ctx_new.t b/t/local/09_ctx_new.t
-index 6d06f21..c584856 100644
---- a/t/local/09_ctx_new.t
-+++ b/t/local/09_ctx_new.t
-@@ -109,14 +109,32 @@ else
- # Having TLS_method() does not necessarily that proto getters are available
- if ($ctx_tls && exists &Net::SSLeay::CTX_get_min_proto_version)
- {
-+ my $min_ver = 0;
-+ # Adjust minimal version to system-wide crypto policy
-+ if (open(my $f, '<', '/etc/crypto-policies/back-ends/opensslcnf.config')) {
-+ while(<$f>) {
-+ if (/^MinProtocol = ([\w.]+)\b/) {
-+ if ($1 eq 'TLSv1') {
-+ $min_ver = 0x0301;
-+ } elsif ($1 eq 'TLSv1.1') {
-+ $min_ver = 0x0302;
-+ } elsif ($1 eq 'TLSv1.2') {
-+ $min_ver = 0x0303;
-+ } elsif ($1 eq 'TLSv1.3') {
-+ $min_ver = 0x0304;
-+ }
-+ }
-+ }
-+ close($f);
-+ }
- my $ver;
- $ver = Net::SSLeay::CTX_get_min_proto_version($ctx_tls);
-- is($ver, 0, 'TLS_method CTX has automatic minimum version');
-+ is($ver, $min_ver, 'TLS_method CTX has automatic minimum version');
- $ver = Net::SSLeay::CTX_get_max_proto_version($ctx_tls);
- is($ver, 0, 'TLS_method CTX has automatic maximum version');
-
- $ver = Net::SSLeay::get_min_proto_version($ssl_tls);
-- is($ver, 0, 'SSL from TLS_method CTX has automatic minimum version');
-+ is($ver, $min_ver, 'SSL from TLS_method CTX has automatic minimum version');
- $ver = Net::SSLeay::get_max_proto_version($ssl_tls);
- is($ver, 0, 'SSL from TLS_method CTX has automatic maximum version');
-
---
-2.14.4
-
diff --git a/SOURCES/Net-SSLeay-1.85-Adapt-to-OpenSSL-1.1.1.patch b/SOURCES/Net-SSLeay-1.85-Adapt-to-OpenSSL-1.1.1.patch
deleted file mode 100644
index b5b44e0..0000000
--- a/SOURCES/Net-SSLeay-1.85-Adapt-to-OpenSSL-1.1.1.patch
+++ /dev/null
@@ -1,237 +0,0 @@
-From b01291bf88dd84529c93973da7c275e0ffe5cc1f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
-Date: Fri, 3 Aug 2018 14:30:22 +0200
-Subject: [PATCH] Adapt to OpenSSL 1.1.1
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-OpenSSL 1.1.1 defaults to TLS 1.3 that handles session tickets and
-session shutdowns differently. This leads to failing various Net-SSLeay
-tests that exhibits use cases that are not possible with OpenSSL 1.1.1
-anymore or where the library behaves differently.
-
-Since Net-SSLeay is a low-level wrapper, Net-SSLeay will be corrected
-in tests. Higher-level code as IO::Socket::SSL and other Net::SSLeay
-applications need to be adjusted on case-to-case basis.
-
-This patche changes:
-
-- Retry SSL_read() and SSL_write() (by sebastian [...] breakpoint.cc)
-- Disable session tickets in t/local/07_sslecho.t.
-- Adaps t/local/36_verify.t to a session end when Net::SSLeay::read()
- returns undef.
-
-https://rt.cpan.org/Public/Bug/Display.html?id=125218
-https://github.com/openssl/openssl/issues/5637
-https://github.com/openssl/openssl/issues/6904
-Signed-off-by: Petr Písař
----
- SSLeay.xs | 56 ++++++++++++++++++++++++++++++++++++++++++++++++----
- lib/Net/SSLeay.pod | 46 ++++++++++++++++++++++++++++++++++++++++++
- t/local/07_sslecho.t | 15 ++++++++++++--
- t/local/36_verify.t | 2 +-
- 4 files changed, 112 insertions(+), 7 deletions(-)
-
-diff --git a/SSLeay.xs b/SSLeay.xs
-index bf148c0..5aed4d7 100644
---- a/SSLeay.xs
-+++ b/SSLeay.xs
-@@ -1999,7 +1999,17 @@ SSL_read(s,max=32768)
- int got;
- PPCODE:
- New(0, buf, max, char);
-- got = SSL_read(s, buf, max);
-+
-+ do {
-+ int err;
-+
-+ got = SSL_read(s, buf, max);
-+ if (got > 0)
-+ break;
-+ err = SSL_get_error(s, got);
-+ if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE)
-+ break;
-+ } while (1);
-
- /* If in list context, return 2-item list:
- * first return value: data gotten, or undef on error (got<0)
-@@ -2051,10 +2061,20 @@ SSL_write(s,buf)
- SSL * s
- PREINIT:
- STRLEN len;
-+ int err;
-+ int ret;
- INPUT:
- char * buf = SvPV( ST(1), len);
- CODE:
-- RETVAL = SSL_write (s, buf, (int)len);
-+ do {
-+ ret = SSL_write (s, buf, (int)len);
-+ if (ret > 0)
-+ break;
-+ err = SSL_get_error(s, ret);
-+ if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE)
-+ break;
-+ } while (1);
-+ RETVAL = ret;
- OUTPUT:
- RETVAL
-
-@@ -2083,8 +2103,20 @@ SSL_write_partial(s,from,count,buf)
- if (len < 0) {
- croak("from beyound end of buffer");
- RETVAL = -1;
-- } else
-- RETVAL = SSL_write (s, &(buf[from]), (count<=len)?count:len);
-+ } else {
-+ int ret;
-+ int err;
-+
-+ do {
-+ ret = SSL_write (s, &(buf[from]), (count<=len)?count:len);
-+ if (ret > 0)
-+ break;
-+ err = SSL_get_error(s, ret);
-+ if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE)
-+ break;
-+ } while (1);
-+ RETVAL = ret;
-+ }
- OUTPUT:
- RETVAL
-
-@@ -6957,4 +6989,20 @@ SSL_export_keying_material(ssl, outlen, label, p)
-
- #endif
-
-+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL
-+
-+int
-+SSL_CTX_set_num_tickets(SSL_CTX *ctx,size_t num_tickets)
-+
-+size_t
-+SSL_CTX_get_num_tickets(SSL_CTX *ctx)
-+
-+int
-+SSL_set_num_tickets(SSL *ssl,size_t num_tickets)
-+
-+size_t
-+SSL_get_num_tickets(SSL *ssl)
-+
-+#endif
-+
- #define REM_EOF "/* EOF - SSLeay.xs */"
-diff --git a/lib/Net/SSLeay.pod b/lib/Net/SSLeay.pod
-index 2e1aae3..bca7be4 100644
---- a/lib/Net/SSLeay.pod
-+++ b/lib/Net/SSLeay.pod
-@@ -4437,6 +4437,52 @@ getticket($ssl,$ticket,$data) -> $return_value
-
- This function is based on the OpenSSL function SSL_set_session_ticket_ext_cb.
-
-+=item * CTX_set_num_tickets
-+
-+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1
-+
-+Set number of session tickets that will be sent to a client.
-+
-+ my $rv = Net::SSLeay::CTX_set_num_tickets($ctx, $number_of_tickets);
-+ # $ctx - value corresponding to openssl's SSL_CTX structure
-+ # $number_of_tickets - number of tickets to send
-+ # returns: 1 on success, 0 on failure
-+
-+Set to zero if you do not no want to support a session resumption.
-+
-+=item * CTX_get_num_tickets
-+
-+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1
-+
-+Get number of session tickets that will be sent to a client.
-+
-+ my $number_of_tickets = Net::SSLeay::CTX_get_num_tickets($ctx);
-+ # $ctx - value corresponding to openssl's SSL_CTX structure
-+ # returns: number of tickets to send
-+
-+=item * set_num_tickets
-+
-+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1
-+
-+Set number of session tickets that will be sent to a client.
-+
-+ my $rv = Net::SSLeay::set_num_tickets($ssl, $number_of_tickets);
-+ # $ssl - value corresponding to openssl's SSL structure
-+ # $number_of_tickets - number of tickets to send
-+ # returns: 1 on success, 0 on failure
-+
-+Set to zero if you do not no want to support a session resumption.
-+
-+=item * get_num_tickets
-+
-+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1
-+
-+Get number of session tickets that will be sent to a client.
-+
-+ my $number_of_tickets = Net::SSLeay::get_num_tickets($ctx);
-+ # $ctx - value corresponding to openssl's SSL structure
-+ # returns: number of tickets to send
-+
- =item * set_shutdown
-
- Sets the shutdown state of $ssl to $mode.
-diff --git a/t/local/07_sslecho.t b/t/local/07_sslecho.t
-index 5e16b04..5dc946a 100644
---- a/t/local/07_sslecho.t
-+++ b/t/local/07_sslecho.t
-@@ -13,7 +13,8 @@ BEGIN {
- plan skip_all => "fork() not supported on $^O" unless $Config{d_fork};
- }
-
--plan tests => 78;
-+plan tests => 79;
-+$SIG{'PIPE'} = 'IGNORE';
-
- my $sock;
- my $pid;
-@@ -61,6 +62,16 @@ Net::SSLeay::library_init();
- ok(Net::SSLeay::CTX_set_cipher_list($ctx, 'ALL'), 'CTX_set_cipher_list');
- my ($dummy, $errs) = Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem);
- ok($errs eq '', "set_cert_and_key: $errs");
-+ SKIP: {
-+ skip 'Disabling session tickets requires OpenSSL >= 1.1.1', 1
-+ unless (&Net::SSLeay::OPENSSL_VERSION_NUMBER >= 0x1010100f);
-+ # TLS 1.3 server sends session tickets after a handhake as part of
-+ # the SSL_accept(). If a client finishes all its job including closing
-+ # TCP connectino before a server sends the tickets, SSL_accept() fails
-+ # with SSL_ERROR_SYSCALL and EPIPE errno and the server receives
-+ # SIGPIPE signal.
-+ ok(Net::SSLeay::CTX_set_num_tickets($ctx, 0), 'Session tickets disabled');
-+ }
-
- $pid = fork();
- BAIL_OUT("failed to fork: $!") unless defined $pid;
-@@ -351,7 +362,7 @@ waitpid $pid, 0;
- push @results, [ $? == 0, 'server exited with 0' ];
-
- END {
-- Test::More->builder->current_test(51);
-+ Test::More->builder->current_test(52);
- for my $t (@results) {
- ok( $t->[0], $t->[1] );
- }
-diff --git a/t/local/36_verify.t b/t/local/36_verify.t
-index 92afc52..e55b138 100644
---- a/t/local/36_verify.t
-+++ b/t/local/36_verify.t
-@@ -282,7 +282,7 @@ sub run_server
-
- # Termination request or other message from client
- my $msg = Net::SSLeay::read($ssl);
-- if ($msg eq 'end')
-+ if (defined $msg and $msg eq 'end')
- {
- Net::SSLeay::write($ssl, 'end');
- exit (0);
---
-2.14.4
-
diff --git a/SOURCES/Net-SSLeay-1.85-Add-missing-call-to-va_end-in-TRACE.patch b/SOURCES/Net-SSLeay-1.85-Add-missing-call-to-va_end-in-TRACE.patch
deleted file mode 100644
index 19e69e6..0000000
--- a/SOURCES/Net-SSLeay-1.85-Add-missing-call-to-va_end-in-TRACE.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 8d83cf9cb0ff0fea802e522f4980124a8075a63f Mon Sep 17 00:00:00 2001
-From: Chris Novakovic
-Date: Thu, 9 Aug 2018 17:56:26 +0100
-Subject: [PATCH] Add missing call to va_end() in TRACE()
-
-In SSLeay.xs, TRACE() makes a call to va_start() without a corresponding
-call to va_end() before the function returns. Add the missing call to
-va_end().
-
-This closes RT#126028. Thanks to Jitka Plesnikova for the report and
-patch.
----
- SSLeay.xs | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/SSLeay.xs b/SSLeay.xs
-index 04070d3..630f09e 100644
---- a/SSLeay.xs
-+++ b/SSLeay.xs
-@@ -222,6 +222,7 @@ static void TRACE(int level,char *msg,...) {
- va_start(args,msg);
- vsnprintf(buf,4095,msg,args);
- warn("%s",buf);
-+ va_end(args);
- }
- }
-
---
-2.14.4
-
diff --git a/SOURCES/Net-SSLeay-1.85-Avoid-SIGPIPE-in-t-local-36_verify.t.patch b/SOURCES/Net-SSLeay-1.85-Avoid-SIGPIPE-in-t-local-36_verify.t.patch
deleted file mode 100644
index 953d39f..0000000
--- a/SOURCES/Net-SSLeay-1.85-Avoid-SIGPIPE-in-t-local-36_verify.t.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 173cd9c1340f1f5231625a1dd4ecaea10c207622 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
-Date: Tue, 14 Aug 2018 16:55:52 +0200
-Subject: [PATCH] Avoid SIGPIPE in t/local/36_verify.t
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-t/local/36_verify.t fails randomly with OpenSSL 1.1.1:
-
- # Failed test 'Verify callback result and get_verify_result are equal'
- # at t/local/36_verify.t line 111.
- # got: '-1'
- # expected: '0'
- # Failed test 'Verify result is X509_V_ERR_NO_EXPLICIT_POLICY'
- # at t/local/36_verify.t line 118.
- # got: '-1'
- # expected: '43'
- Bailout called. Further testing stopped: failed to connect to server: Connection refused
- FAILED--Further testing stopped: failed to connect to server: Connection refused
-
-I believe this because TLSv1.3 server can generate SIGPIPE if a client
-disconnects too soon.
-
-Signed-off-by: Petr Písař
----
- t/local/36_verify.t | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/t/local/36_verify.t b/t/local/36_verify.t
-index e55b138..2837288 100644
---- a/t/local/36_verify.t
-+++ b/t/local/36_verify.t
-@@ -266,10 +266,20 @@ sub run_server
-
- return if $pid != 0;
-
-+ $SIG{'PIPE'} = 'IGNORE';
- my $ctx = Net::SSLeay::CTX_new();
- Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem);
- my $ret = Net::SSLeay::CTX_check_private_key($ctx);
- BAIL_OUT("Server: CTX_check_private_key failed: $cert_pem, $key_pem") unless $ret == 1;
-+ if (&Net::SSLeay::OPENSSL_VERSION_NUMBER >= 0x1010100f) {
-+ # TLS 1.3 server sends session tickets after a handhake as part of
-+ # the SSL_accept(). If a client finishes all its job including closing
-+ # TCP connectino before a server sends the tickets, SSL_accept() fails
-+ # with SSL_ERROR_SYSCALL and EPIPE errno and the server receives
-+ # SIGPIPE signal.
-+ my $ret = Net::SSLeay::CTX_set_num_tickets($ctx, 0);
-+ BAIL_OUT("Session tickets disabled") unless $ret;
-+ }
-
- while (1)
- {
---
-2.14.4
-
diff --git a/SOURCES/Net-SSLeay-1.85-Generate-2048-bit-keys-for-tests.patch b/SOURCES/Net-SSLeay-1.85-Generate-2048-bit-keys-for-tests.patch
deleted file mode 100644
index ce79109..0000000
--- a/SOURCES/Net-SSLeay-1.85-Generate-2048-bit-keys-for-tests.patch
+++ /dev/null
@@ -1,624 +0,0 @@ -From cb4a91f8619afbdcba40a513ce1d2e5bd652c511 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Mon, 13 Aug 2018 17:27:13 +0200 -Subject: [PATCH] Generate 2048-bit keys for tests -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Distributions are experimenting with OpenSSL configured with security -level 2. That requires at least 2048-bit RSA keys otherwise tests -fail. - -This patch regenerates testing keys, certificates and revocation lists -used in tests to meet the security level. The patch also updates -scripts used for generating them. - -Signed-off-by: Petr Písař ---- - MANIFEST | 4 ++++ - examples/makecert.pl | 13 +++++----- - examples/req.conf | 2 +- - t/data/cert.pem | 42 ++++++++++++++++---------------- - t/data/key.pem | 43 +++++++++++++++++++++------------ - t/data/key.pem.e | 47 +++++++++++++++++++++++------------- - t/data/test_CA1.conf | 37 +++++++++++++++++++++++++++++ - t/data/test_CA1.crl.der | Bin 389 -> 438 bytes - t/data/test_CA1.crlnumber | 1 + - t/data/test_CA1.crt.der | Bin 550 -> 831 bytes - t/data/test_CA1.crt.pem | 30 +++++++++++++---------- - t/data/test_CA1.key.der | Bin 610 -> 1190 bytes - t/data/test_CA1.key.pem | 38 +++++++++++++++++++---------- - t/data/test_CA1_index.txt | 2 ++ - t/data/test_CA1_index.txt.attr | 0 - t/data/testcert_wildcard.crt.pem | 50 +++++++++++++++++++++++---------------- - t/local/07_sslecho.t | 2 +- - t/local/50_digest.t | 22 ++++++++--------- - 18 files changed, 215 insertions(+), 118 deletions(-) - create mode 100644 t/data/test_CA1.conf - create mode 100644 t/data/test_CA1.crlnumber - create mode 100644 t/data/test_CA1_index.txt - create mode 100644 t/data/test_CA1_index.txt.attr - -diff --git a/MANIFEST b/MANIFEST -index 2f18a0a..cedca78 100644 ---- a/MANIFEST -+++ b/MANIFEST -@@ -60,12 +60,16 @@ t/data/key.pem.e - t/data/pkcs12-full.p12 - t/data/pkcs12-no-chain.p12 - t/data/pkcs12-no-passwd.p12 
-+t/data/test_CA1.conf - t/data/test_CA1.crl.der -+t/data/test_CA1.crlnumber - t/data/test_CA1.crt.der - t/data/test_CA1.crt.pem - t/data/test_CA1.encrypted_key.pem - t/data/test_CA1.key.der - t/data/test_CA1.key.pem -+t/data/test_CA1_index.txt -+t/data/test_CA1_index.txt.attr - t/data/testcert_extended.crt.pem - t/data/testcert_extended.crt.pem_dump - t/data/testcert_key_2048.pem -diff --git a/examples/makecert.pl b/examples/makecert.pl -index 221f720..3fc26ae 100644 ---- a/examples/makecert.pl -+++ b/examples/makecert.pl -@@ -25,18 +25,17 @@ open (REQ, "|$exe_path req -config $conf " - . "-x509 -days 3650 -new -keyout $key $egd >$cert") - or die "cant open req. check your path ($!)"; - print REQ <test_CA1.crlnumber -+# Then generate CRL in DER format: -+# openssl ca -config test_CA1.conf -gencrl -out test_CA1.crl.pem -+# Finally convert it to DER format into test_CA1.crl.der: -+# openssl crl -inform pem -outform der test_CA1.crl.der -+# -+[ req ] -+distinguished_name = req_distinguished_name -+prompt = no -+x509_extensions = req_ext -+ -+[ req_distinguished_name ] -+C = US -+O = Demo1 -+CN = CA1 -+ -+[ req_ext ] -+basicConstraints=critical,CA:TRUE -+keyUsage=keyCertSign,cRLSign -+subjectKeyIdentifier=hash -+authorityKeyIdentifier=keyid,issuer -+ -+[ ca ] -+default_ca = test_CA1 -+ -+[ test_CA1 ] -+database = test_CA1_index.txt -+crlnumber = test_CA1.crlnumber -+certificate = test_CA1.crt.pem -+private_key = test_CA1.key.pem -+default_md = sha256 -+default_crl_days = 30 -diff --git a/t/data/test_CA1.crl.der b/t/data/test_CA1.crl.der -index 5f2cf7cda71eb473f8732060d87718b8be25bf1b..c3948335cddf709f0d88598194ea850b95b64e62 100644 -GIT binary patch -literal 438 -zcmXqLV%%iVIGc%)(SVnYQ>)FR?K>|cBR4C9fwm#H0Vf-CC<~h~Q)sXup8*eu!^Oku -zlA4=uXvky01>!UFFgrUMit`#;7+4sZ7#bNH7+OYwxt4~;P_BWFfd~_`kVzy^+{nP# -zz|z3bz{1!f3L*+p4G}dkwJ^1eS^%^OY__Zj3o{cV6Pml2n;01xvTf1={1^(`!uN&U -zy1D$z!d -zK(NAL+o-QKJDKL{$5%W%Qu_a~6<1Vi_y3ulM^4A+rC2{Xxz3Sk=7bfy^F)@hzK|@D 
-zIBXx|tdyzu%S1Me9gqjXu!+HsnzDu_MMlJk(HIfK--YpfRl|ml!Z;0DKyxS&wvNS;Sy$b -zNzKhSG~_Yh0`ZxJnVlUC#d!^l42%sd4Gaw|3=E>cToWJ@!ZoNduwh~rGKoZ1W^55< -zpawQWR+NRAi;>wt0%)GB1dE^qzmWloaS+`QQ$dy(m|B=xqUvVErW>dZ=$HjSmqY9k -zVPR%sWJ2>Nb7LdJ&gZOGTXHu?F8yjC8E|4>4tL(IwIUA6Q%e5DS9)(%=5@V%dy&E= -zSKXJ3wr|=fQak06ZIn{w&XC=a;nwl02@A_^UFh+h^6s&p_s$s0;$jc4!gm(uR;hk) -u(v$Eiu=u;vQ^{mgDnm=ScfrSX`&!d>w`Z+0OaHazVsy4$i0A>|I~f3)J7|*t - -diff --git a/t/data/test_CA1.crlnumber b/t/data/test_CA1.crlnumber -new file mode 100644 -index 0000000..9e22bcb ---- /dev/null -+++ b/t/data/test_CA1.crlnumber -@@ -0,0 +1 @@ -+02 -diff --git a/t/data/test_CA1.crt.der b/t/data/test_CA1.crt.der -index 8031955a343260c858d3ad207938f08543809bc4..01e7c745fd99c3233f5c8f0eb92484471f1e6a85 100644 -GIT binary patch -literal 831 -zcmXqLVzxGDVp3kf%*4pV#L4h!Rc|(n^zzjPylk9WZ60mkc^MhGSs4tp4Y>_C*_cCF -z*o2uvgAMr%ct9L39#)ss+ScLnI3E4S}tPIRejQk7+O^jSjO^l2TFU4Y)bsjn9&-i?Hs&q=A15=@= -z>!IHz*TPipFv*?#_mQLg?FFOSz&z8$bK7_>$0fIRaD}fpv*~_bxOZ0cy%0&egJN#} -zKNCM@Ox<%qIaoMK@qxr|xm7W5Y%lt)y1rb@J$vriJwGNiRH$tDSiYiu;hOK!PafU1 -zlq9kFVb+~F8uRvY&x*OmFzF`O(*s9plJf8Fz9y%jc=nWP#JjsJOs}NF)SK?z -zNUGiO(PP?rFZT)3+dC%tPFbMQ?N#0)%3;^m?lbM@orSCR9z4++IHj({jYGv~-icmc -zfpvf8KCW2g_>)&a=TTf~!bI1kP`MjlUw_`co?pCvPg?%ub5j;dJ8fiQW@KPooL~@V -zzz>WBSz$)T|17Kq%s|S38zjKb!UBw4HUn7@hmS>!MPzaDm*x*!=2i(vU5$O%@%4J~ -ziZFizd62X+i-dt#19kg$ts?a!4s2uWUb7RTOM13ub+P~&%i3Ge_C(*xwEf-i|w9$T} -zo?TQ_EX`T*;OXQ)mF+%LbM!lRzT`|ip?rv|%0uzc{hXLA`3a>v -l%Vo_{f4yg3QW-yG+pTNNPH}S6KC2$lyK_)5e5FtFCIFX)M(Y3o - -literal 550 -zcmXqLVp1|_V(ebP%*4pV#4KbIX28qFsnzDu_MMlJk(HIfK--YpfRl|ml!Z;0DKyxS -z&wvNS;Sy$bNzKhSG~_Yh0`ZxJnVlUC4HU$A4UG&8fe;L$B>0UCfxyTZh)gX_Eu%;? 
-zu5muHYZzG>m>YW;3>rI`8XFl-$1E`8ZhxQoW%}E^(-)5zuP)O~a+#rP@aTeGoWJ{( -zXgP+1ym_Q+4dv5G%?1N@UH{9~UgOTc3yPDo=c}pQWZ+{f_e+(4r{n*-`?}`mBQ3BKfT4BAKFhfzu$ALtxWyw`TX372cgWX -zDrFZW@R#+3|K8ETVa~P;(_UkRhzeJz%(CBZS4(PJ-c%Vr!4^hO`C;*BmAud+QxjSt;28TJ -zs$A?n(N3z@rxr(Roz1-Xkbrn3u<>`Of1#}RTjb*1IUaG@PsLLPp=#WmD4x9wnq1ZZ -zlGzI7z{GrFZ{54r9v~sj$|YFt-2?*a8&)TR-q>P&xbaAquS!Rd8@Gs(O_ZQ0i%NHd -z6$n0thfJ3F+@Y$y!N`SClzwzZ2qZF|$c;@9uKbr8o_`bK_}^-kRm%0)c@5_lO}qDXFA+69pqis@XK5Zt9P6>eWhsat4Mw -z>-Jh8^bgLA1c+!a4(9g96RrOhEyK@nA0jc$=LmS|_FvW_dn?7JcZ*ml8dXDWJK^47 -zF!D1T&av8Xuu)7_*zK~S!`*S}7=DN6gKQQ0<)rt2qobj~XlLA)Zw}ZZbfwB20)c@5 -z@ejL}jhdZAB~SViby=b*wtDO2`6nq>X9$yQ{J|wmjuegURG7J_r4d>PTh^I4)C?Q* -z9)Veux$pD=*W~t~fc3D2LC(V9)3%*NbWD_@PSuC5aq5mV{dADtK;!->+`VD6eMs3r -z>tv8Zly{`|`pbq6?6z3BPwceJbg!1B0)c>OnzB=!%DPz1Jd5Z;OPHXh>3ez8rdzt8 -z>ldlW>A6}3#u%Wp?p{Q7UnDu2v&i@eCRzc*#+vB$fG^eIKGEc~7vQ5jtv*+Z+=YL< -z?n-H)#v>Fj@46BN6Xjmym)&Au+JJalkJU>97e>dTnKzFRku -zs(->U-3ulc3C-6jZ -z@Xa5J4~-GMFDGKVjdT%l6+scKi(o>4^t-B*j_mPRlXLiWs^#?&{}6`gNSrD!Fs -z6Q1~>kmz>A=cmsy`o;aNZ|s@8XEs$`9qUEZ`V1-=dlq~O$gm&Y!T7wdiWgQ#JrxazG-J6cx0ZM|Fn$ONT|>~UES-}LGo_SzNV{ytC(g?*8)KR(8hC!krOVdrh*Ks -zd`0U%Xz1ZNDdpp(Q-ZHDAc~L2!3|vwNCvtUWL8u7>(Z4GjRs)xCH|#FF!a58{W&}{ -z0zm+n1A9Wx<*{9*1xyFCRMgl~1D9zM%W(zs!=IYCha^1D*1?1kQO&Oo%Q5-^0(KcMVE}bJ%YaHAjLWP*J)Z*iCOl -zI+!uWic4hG^Gw;tz5A6uxa7VAqrLZAb?m`@6A=PI0MW|-r=v@lMzw7_Wv4G)sakMm -w4XEt$gdSh2A*|=jsV7%bB;&F&mlQ=Y8`dPBSMURc#tTr?jsQ)2o|)_GXMYp - -diff --git a/t/data/test_CA1.key.pem b/t/data/test_CA1.key.pem -index 78f0c3b..f3bd4a0 100644 ---- a/t/data/test_CA1.key.pem -+++ b/t/data/test_CA1.key.pem -@@ -1,15 +1,27 @@ - -----BEGIN RSA PRIVATE KEY----- --MIICXgIBAAKBgQDLXKA2C4fvafSX7W7L0cQzq3YtYkSYLTDi0C5eT0fUWx5AxXbx --4FBd3KDfAr7KWLqXpz2T0CMcBn/pNdNWY7G1OCRdu8eXBwTelOIclK9lYZAw5EI8 --2SOOJUGIsF0ZDeoUrJX40DkrhedXLSOR5L8EfHso7ub4M4tWjDwU7UKy1QIDAQAB --AoGAOryhJZsFAziWRf91HfeTdN0UQB1+9HkxAoHgsqqxc3tx7IFcTpZcgA/Gg0M2 --uhkQo9bRKU1XprOV5FUAmpYm8E1YmlkdjbkT/JAA2/s4hJH3Z5Bp6rngQzqb1cqw 
--6Wcfg7n5w6TVAX4Jk2Z1wYF2BMRQyolVKawSRa2B5YJ4hQ0CQQD5XLOpIcjZx8F6 --1E5S0P6L4qb3xtuH3hLlGQmGJvh+vmlnIXhknpr/tIzWSKjQPV3d69ZB8m7Ovqar --gKuYZkzXAkEA0MZziJETLqmmggyrfEXrPmjo4Tkp5eOlU4KvMiCKj8fBDV0OSAa6 --FWRWU/jr0pURjQZg8SX+pUUw9L16/Tk8MwJBAJgDe0LP5bFdpQVMB7NU1NhSA5dp --EstxBfPDn5q4hyQ8z+Se8tXkGnlnh7PZ94962Y5ABw2MzSAb+V7zwafWNWECQQDJ --QQTOeUtMiC4C38PPoHcNSoRz2G8TNUeCIVBRuhzYTW9EOpgxxopLZNXzTNnHvfuV --PrjkvgOjvfdbdezBfhMRAkEA0cr/p6NLmEa1bTtlpy9dqVpwZg2o7PKEHl+qIazn --zKknV1Ik47IylxRFMRvWJJ9X8AOFxgtQ1I4ATXuemeoaYA== -+MIIEogIBAAKCAQEA6RZdponExk8B55tlG2RRQAJxSUXC+3TWViTcAh7J/vEId+3Q -+Mn1RbjVhzrYM015jhYgKV6jMst9uV0tqW95UGT7BFkZP+WHxaJW80CNTE1oh4Bj7 -+Hqpc7D3RTqrXpxZHa53NvPiQgHgksPF3qH+hrPdb5OLdOR5x2U/FUwahatycKJ69 -+C5pc1gCS2QrlwMR8Ym/du9YeICHNyiVY7t0EAuobVieC3thifbjxSJavSkeQG7eI -+kk2UoCiLSneEFQg+hodMlvncoaq9wciFUZR+dEYIJDKeyI1NEK78neN4okH5DRAs -+4l51YJFFYlUe2PXr87uvDxd/vGZvk86UoRtCsQIDAQABAoIBAG746Ql7GiZYQ03j -+nBWYg154SztZbWWO0OUek2inBADO/PssTC1doMFZxQFHh3+ytqtCg7oMcbjPy5bg -+HvkyNtP2HrPeMgFHckoa0FRAHTNffDVXb2fAMJGBNP/BMv8oCkTgUq2fohyoFr/v -+lsqwSWcyNZwZrr2dExMleYr34y4ehdNrnw06GZiI7WtJTgcunW20Xfe7tfBzl2Te -+QaYLgr4nS1zAYLskB5vajAxia19ksyy/Ox69/bw/qdq0w5EqYL0ZkyZpBjvWoE24 -+2/dBwD0g6FXGkv1tTgw3dW7MYyEe+SkaT52DaGr5bJ6ImzPZW5WK4/GlOA26c+Np -+jd6a5eECgYEA94ghPSmppHkTBSNGqtk0oW7qj3Lq1UqAcgaGO+v2WiD0D86MBIho -+Lw7m9scTrf8VLcPPcB8iMc3nCHjp9l/WInsrxaZ3i1gpGlVDbTvh3mAw8jMczrHa -+cLBRTFbY7bKiw91x6hh+h+eDbBX65aT3f6OjocBoZ9yXbw7YInSlyh0CgYEA8Q+7 -+lo2anUQlT/oSdVmiKbZ66+T5JylWZwiTbPzBJUyOFI3tVJi5qKURWghb1pk41Awb -+8x6BWZS57/QB1+T2oID1sIVBzsLg07adRHRMlKJO1YeuceqONP10kN5A4/4o3L1h -+tH1I2UDrZJBClHek9vrLhg7stli5T+y0zHSvlqUCgYBpmrJTncq6WM08i+hCS5ig -+pul7edOmW7qg6xepyOm5WgXGGKCz7l5EdV8kOZqzyPgIJloBw8aa6PWAL9XhPtHk -+tBfgozytPleK3IV/vOSIMxGuww+vP0Gqgg6tOwAhqOy4E2neLcUNxj/ThS0dfFv7 -+IJ1XDPd+GCajQvoC+TEiIQKBgDvhxJ+pnXbjrsEnRd6Q3Y+vHOnsf1gTFLuTjcvN -+Hc2+Lq08dHBHYBdcqerLmMS+WzeRqn/CXC98mpPY8XxIDFvirSWkdKyADImLG5Yd -+rcheaWbxxYvW0GypaYNzMntwb4YmJVdIqAgP8GmSzHdFIV2Y/2XV30eM0rvf+Smw 
-+8s1hAoGABG5kHNz7vLUl0YhdX9uuC2eNAyfwRHHwzR+KD40RvS8nYruNdBFxFUER -+rItgQoD0u6qUjuzxWJNz+HWq5fURccov5xWdb0+laCWtE574oJDodsTnp88y+sX9 -+rW/smbxnNlVdHetF1PoMKhl7FnwKyLAf3sH4vK+KF1ZHPRalyTs= - -----END RSA PRIVATE KEY----- -diff --git a/t/data/test_CA1_index.txt b/t/data/test_CA1_index.txt -new file mode 100644 -index 0000000..2a43cd5 ---- /dev/null -+++ b/t/data/test_CA1_index.txt -@@ -0,0 +1,2 @@ -+R 120309010800Z 120309010838Z 123459 unknown /C=US/O=Demo1/CN=foo -+R 120309005800Z 120309005859Z 12345A unknown /C=US/O=Demo1/CN=bar -diff --git a/t/data/test_CA1_index.txt.attr b/t/data/test_CA1_index.txt.attr -new file mode 100644 -index 0000000..e69de29 -diff --git a/t/data/testcert_wildcard.crt.pem b/t/data/testcert_wildcard.crt.pem -index 7270c0c..4ca418d 100644 ---- a/t/data/testcert_wildcard.crt.pem -+++ b/t/data/testcert_wildcard.crt.pem -@@ -2,15 +2,15 @@ Certificate: - Data: - Version: 3 (0x2) - Serial Number: 137826015233 (0x2017121801) -- Signature Algorithm: sha256WithRSAEncryption -+ Signature Algorithm: sha256WithRSAEncryption - Issuer: C = US, O = Demo1, CN = CA1 - Validity -- Not Before: Dec 18 17:15:18 2017 GMT -- Not After : Dec 19 17:15:18 2032 GMT -+ Not Before: Aug 14 10:19:01 2018 GMT -+ Not After : Aug 15 10:19:01 2033 GMT - Subject: C = US, ST = State, L = City, O = Company, OU = Unit, CN = *.example.com, emailAddress = wildcard@example.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption -- RSA Public-Key: (2048 bit) -+ Public-Key: (2048 bit) - Modulus: - 00:bd:5e:c6:d8:01:f5:cf:85:fe:eb:9b:60:dd:e8: - 8a:98:09:59:5a:71:fc:a2:ad:38:73:0a:cd:d9:5e: -@@ -45,21 +45,28 @@ Certificate: - X509v3 Subject Key Identifier: - 4B:42:86:BA:E2:BE:3D:40:0D:11:1D:66:E7:BE:94:39:B2:84:D3:06 - X509v3 Authority Key Identifier: -- keyid:C8:1C:DA:92:0A:A9:48:08:3A:76:76:15:38:04:F1:34:D9:15:D0:20 -+ keyid:A3:73:F4:83:F0:B4:9D:7A:10:1A:D5:5D:E1:88:F5:D7:73:A8:56:4F - - Signature Algorithm: sha256WithRSAEncryption -- 
20:cb:ec:9d:8b:e8:2d:61:74:5e:30:b0:95:88:4e:80:09:df: -- c9:7f:b0:c9:d2:19:4e:2c:5a:eb:02:0f:ce:e8:8a:52:fa:22: -- 59:b1:c3:7b:39:db:f0:7d:9a:91:19:ef:d5:f7:73:5b:6b:47: -- 3d:48:c3:c7:4a:2e:7b:7f:3d:ff:65:53:11:21:95:2c:00:fd: -- 39:76:25:8e:05:68:c4:b9:cc:bd:ca:28:60:bf:6d:4c:00:d0: -- 4e:b4:4c:62:6b:34:48:2c:60:b9:33:76:3f:3b:72:57:11:ec: -- f4:2d:5f:b3:f1:a1:c8:d4:5b:5f:23:6b:b0:ec:28:5a:0b:43: -- 7f:e3 -+ 07:43:9b:e0:21:e6:e1:40:35:09:f3:d6:62:0d:7c:d2:6d:78: -+ 75:6e:59:57:00:d9:4a:b2:cd:9f:9c:d2:38:85:bc:f4:d0:bd: -+ b5:20:06:af:ed:ae:0a:19:2a:01:af:25:4b:e3:3a:c7:58:a9: -+ 5f:bc:86:6a:24:30:2d:0d:bb:1d:3f:dd:98:75:9a:4c:1d:d0: -+ a1:8e:43:11:b9:3a:ba:c5:e4:ec:0c:6c:da:b5:34:2a:ab:3f: -+ fb:87:27:d2:32:ca:f9:65:1f:f2:ed:e7:7e:c0:11:30:5e:3a: -+ f7:97:58:52:ff:e1:be:93:cd:96:03:48:53:bf:58:65:a5:20: -+ 09:d9:9b:7c:03:f0:39:61:28:01:92:3e:27:ed:bd:0d:94:06: -+ cd:dc:d2:34:04:99:29:fa:5e:1b:bd:70:0f:86:5e:30:df:33: -+ fc:4c:89:b5:56:a1:f6:24:c9:1f:aa:86:ef:51:62:39:22:a9: -+ a1:ed:d2:42:f6:c0:c9:45:7f:d7:ce:3a:18:ec:5a:8e:57:2e: -+ 48:c7:d8:90:1b:a6:2d:30:4b:ad:3a:f4:a7:90:ed:da:37:2f: -+ b9:9c:ba:3c:08:b6:d7:53:d9:ae:34:5f:9a:02:8a:65:20:93: -+ 17:be:e5:7e:3a:11:10:8e:d2:0c:58:bf:20:32:02:f8:05:de: -+ cd:2e:82:f1 - -----BEGIN CERTIFICATE----- --MIIDhjCCAu+gAwIBAgIFIBcSGAEwDQYJKoZIhvcNAQELBQAwKzELMAkGA1UEBhMC --VVMxDjAMBgNVBAoTBURlbW8xMQwwCgYDVQQDEwNDQTEwHhcNMTcxMjE4MTcxNTE4 --WhcNMzIxMjE5MTcxNTE4WjCBijELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRl -+MIIEBzCCAu+gAwIBAgIFIBcSGAEwDQYJKoZIhvcNAQELBQAwKzELMAkGA1UEBhMC -+VVMxDjAMBgNVBAoMBURlbW8xMQwwCgYDVQQDDANDQTEwHhcNMTgwODE0MTAxOTAx -+WhcNMzMwODE1MTAxOTAxWjCBijELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRl - MQ0wCwYDVQQHDARDaXR5MRAwDgYDVQQKDAdDb21wYW55MQ0wCwYDVQQLDARVbml0 - MRYwFAYDVQQDDA0qLmV4YW1wbGUuY29tMSMwIQYJKoZIhvcNAQkBFhR3aWxkY2Fy - ZEBleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL1e -@@ -72,8 +79,11 @@ LU5cgpUvoGJ4WWUGAbcCAwEAAaOB0TCBzjAMBgNVHRMBAf8EAjAAMB0GA1UdJQQW - 
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAXBgNVHSAEEDAOMAUGAyoEBTAFBgMpAwQw - RgYDVR0RBD8wPYINKi5leGFtcGxlLmNvbYEUd2lsZGNhcmRAZXhhbXBsZS5jb22H - BAoUHiiHECABDbgBSAEAAAAAAAAAADEwHQYDVR0OBBYEFEtChrrivj1ADREdZue+ --lDmyhNMGMB8GA1UdIwQYMBaAFMgc2pIKqUgIOnZ2FTgE8TTZFdAgMA0GCSqGSIb3 --DQEBCwUAA4GBACDL7J2L6C1hdF4wsJWIToAJ38l/sMnSGU4sWusCD87oilL6Ilmx --w3s52/B9mpEZ79X3c1trRz1Iw8dKLnt/Pf9lUxEhlSwA/Tl2JY4FaMS5zL3KKGC/ --bUwA0E60TGJrNEgsYLkzdj87clcR7PQtX7PxocjUW18ja7DsKFoLQ3/j -+lDmyhNMGMB8GA1UdIwQYMBaAFKNz9IPwtJ16EBrVXeGI9ddzqFZPMA0GCSqGSIb3 -+DQEBCwUAA4IBAQAHQ5vgIebhQDUJ89ZiDXzSbXh1bllXANlKss2fnNI4hbz00L21 -+IAav7a4KGSoBryVL4zrHWKlfvIZqJDAtDbsdP92YdZpMHdChjkMRuTq6xeTsDGza -+tTQqqz/7hyfSMsr5ZR/y7ed+wBEwXjr3l1hS/+G+k82WA0hTv1hlpSAJ2Zt8A/A5 -+YSgBkj4n7b0NlAbN3NI0BJkp+l4bvXAPhl4w3zP8TIm1VqH2JMkfqobvUWI5Iqmh -+7dJC9sDJRX/XzjoY7FqOVy5Ix9iQG6YtMEutOvSnkO3aNy+5nLo8CLbXU9muNF+a -+AoplIJMXvuV+OhEQjtIMWL8gMgL4Bd7NLoLx - -----END CERTIFICATE----- -diff --git a/t/local/07_sslecho.t b/t/local/07_sslecho.t -index 5dc946a..74e317a 100644 ---- a/t/local/07_sslecho.t -+++ b/t/local/07_sslecho.t -@@ -285,7 +285,7 @@ my @results; - push @results, [ $issuer eq $cert_name, 'cert issuer' ]; - push @results, [ $subject eq $cert_name, 'cert subject' ]; - push @results, [ substr($cn, length($cn) - 1, 1) ne "\0", 'tailing 0 character is not returned from get_text_by_NID' ]; -- push @results, [ $fingerprint eq '96:9F:25:FD:42:A7:FC:4D:8B:FF:14:76:7F:2E:07:AF:F6:A4:10:96', 'SHA-1 fingerprint' ]; -+ push @results, [ $fingerprint eq 'C7:BC:62:F8:50:40:4D:0B:1D:9A:A1:16:39:8D:91:67:91:A4:1D:9D', 'SHA-1 fingerprint' ]; - - return 1; - } -diff --git a/t/local/50_digest.t b/t/local/50_digest.t -index c181837..b2de4dc 100644 ---- a/t/local/50_digest.t -+++ b/t/local/50_digest.t -@@ -179,17 +179,17 @@ SKIP: { - - my $file1 = File::Spec->catfile('t', 'data', 'cert.pem'); - my $results1 = { -- md2 => '6d89cda9599a54d03652f9464e8b6e51', -- md4 => 'ada352f40f1ca64f4168a8aae7c1a281', -- md5 => 
'e060f11c6afa9e1f59a8e7c873aa3423', -- mdc2 => 'e9ca1fd1cfccfb450b402a0dd446db28', -- ripemd160 => 'cbd50056558b01b5e9ec67901b518462b5393e5b', -- sha => '79de0d0cc736d98b65f5d6b3ac89e65ca8d3b2a7', -- sha1 => '0267dd25bbd8930c537716d972dd9ba128846428', -- sha224 => '5b42d5a3b16a6cee821b03c41f0428b09b70695becb0aaafbc7d6419', -- sha256 => '764633a51af4ef374cabb1ea859cc324680cfeff694797e90562e19ffb71ab26', -- sha512 => '37e3a2e84aec822922c51d4d8d37bf003e1d85f55a4bf2fae2940a5aab5b32f7601c2a9cde5b9c6391aaa4ffef1e845f11d2f0b6a37a9b2f48fb7f6469f0a51c', -- whirlpool => 'b2dc90dbbc60e5e2dc28de3bdeab45fb2fa6d13d86ff14908130624a242e38ecc195b3b11a7ef137b77a24e9a0ba5be061ac1baa11892369286d613569199458', -+ md2 => '99c30267cbf14bc2841a5b7749ba1cc2', -+ md4 => 'd7dc371997d08d4da70501ecdfe6e09e', -+ md5 => 'e3fdc3024e8380af1d8dd3a2705ad5c9', -+ mdc2 => '44c546567b06aba23e6a808ad2210ad6', -+ ripemd160 => 'a8f3023b46590fff58733db0993fb0e66a7c2e33', -+ sha => '72bd01553288bc5e4ba558a85970d12a7c296e28', -+ sha1 => '9af9b8d6efc1efce1957944b6041fb3e299834b0', -+ sha224 => 'fc1ef172129181a1c104467a01300f6b12c472df93f65c545acd0b3b', -+ sha256 => 'c49f7c37cfb711b1e660da7567608f9433d1faf6cc903793aedbf61b6c66cfcd', -+ sha512 => 'de0fb6197c8e586bc16faf19eb53336ddc2971c2fb0c8ad24accf8bc1fd483357e98b6fc38efcd09c574ecb4ba82bf8f1451e29ba758dc8537a27f57bdc19d44', -+ whirlpool => 'f775be3610857166dd466ce9ae481c65d3938f6794b0b17294cb533b0a721b42de3726dbc15f22156778f333ddafb6db8997765a3e30ed436f6cab561ffab5de', - }; - - my $file2 = File::Spec->catfile('t', 'data', 'binary-test.file'); --- -2.14.4 - diff --git a/SOURCES/Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-.patch b/SOURCES/Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-.patch deleted file mode 100644 index aa4b338..0000000 --- a/SOURCES/Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-.patch +++ /dev/null 
@@ -1,225 +0,0 @@ -From e0b42b0120b941b5675e4071445424dc8a1230e1 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Wed, 15 Aug 2018 14:46:52 +0200 -Subject: [PATCH] Move SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE retry from - read()/write() up -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Original OpenSSL 1.1.1 fix broke IO-Socket-SSL-2.058's t/core.t test -because it tests non-blocking socket operations and expects to see -SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE errors and to handle them -byt itself. - -This patch purifies Net::SSLeay::{read,write}() to behave exactly as -underlying OpenSSL functions. The retry is moved to -Net::SSLeay::ssl_read_all. All relevant Net::SSLeay::{read,write}() calls in -tests are changed into Net::SSLea::ssl_{read,write}_all(). - -All applications should implement the retry themsleves or use -ssl_*_all() instead. - -Signed-off-by: Petr Písař ---- - SSLeay.xs | 28 +++++++--------------------- - lib/Net/SSLeay.pm | 22 +++++++++++++++------- - t/local/07_sslecho.t | 12 ++++++------ - t/local/36_verify.t | 9 +++++---- - 4 files changed, 33 insertions(+), 38 deletions(-) - -diff --git a/SSLeay.xs b/SSLeay.xs -index 5aed4d7..7cb6eab 100644 ---- a/SSLeay.xs -+++ b/SSLeay.xs -@@ -1997,19 +1997,13 @@ SSL_read(s,max=32768) - PREINIT: - char *buf; - int got; -+ int succeeded = 1; - PPCODE: - New(0, buf, max, char); - -- do { -- int err; -- -- got = SSL_read(s, buf, max); -- if (got > 0) -- break; -- err = SSL_get_error(s, got); -- if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) -- break; -- } while (1); -+ got = SSL_read(s, buf, max); -+ if (got <= 0 && SSL_ERROR_ZERO_RETURN != SSL_get_error(s, got)) -+ succeeded = 0; - - /* If in list context, return 2-item list: - * first return value: data gotten, or undef on error (got<0) -@@ -2017,13 +2011,13 @@ SSL_read(s,max=32768) - */ - if (GIMME_V==G_ARRAY) { - EXTEND(SP, 2); -- PUSHs(sv_2mortal(got>=0 ? 
newSVpvn(buf, got) : newSV(0))); -+ PUSHs(sv_2mortal(succeeded ? newSVpvn(buf, got) : newSV(0))); - PUSHs(sv_2mortal(newSViv(got))); - - /* If in scalar or void context, return data gotten, or undef on error. */ - } else { - EXTEND(SP, 1); -- PUSHs(sv_2mortal(got>=0 ? newSVpvn(buf, got) : newSV(0))); -+ PUSHs(sv_2mortal(succeeded ? newSVpvn(buf, got) : newSV(0))); - } - - Safefree(buf); -@@ -2066,15 +2060,7 @@ SSL_write(s,buf) - INPUT: - char * buf = SvPV( ST(1), len); - CODE: -- do { -- ret = SSL_write (s, buf, (int)len); -- if (ret > 0) -- break; -- err = SSL_get_error(s, ret); -- if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) -- break; -- } while (1); -- RETVAL = ret; -+ RETVAL = SSL_write (s, buf, (int)len); - OUTPUT: - RETVAL - -diff --git a/lib/Net/SSLeay.pm b/lib/Net/SSLeay.pm -index 3adf12c..afc6c8f 100644 ---- a/lib/Net/SSLeay.pm -+++ b/lib/Net/SSLeay.pm -@@ -579,14 +579,22 @@ sub debug_read { - sub ssl_read_all { - my ($ssl,$how_much) = @_; - $how_much = 2000000000 unless $how_much; -- my ($got, $errs); -+ my ($got, $rv, $errs); - my $reply = ''; - - while ($how_much > 0) { -- $got = Net::SSLeay::read($ssl, -+ ($got, $rv) = Net::SSLeay::read($ssl, - ($how_much > 32768) ? 32768 : $how_much - ); -- last if $errs = print_errs('SSL_read'); -+ if (! 
defined $got) { -+ my $err = Net::SSLeay::get_error($ssl, $rv); -+ if ($err != Net::SSLeay::ERROR_WANT_READ() and -+ $err != Net::SSLeay::ERROR_WANT_WRITE()) { -+ $errs = print_errs('SSL_read'); -+ last; -+ } -+ next; -+ } - $how_much -= blength($got); - debug_read(\$reply, \$got) if $trace>1; - last if $got eq ''; # EOF -@@ -839,14 +847,14 @@ sub ssl_read_until ($;$$) { - $found = index($match, $delim); - - if ($found > -1) { -- #$got = Net::SSLeay::read($ssl, $found+$len_delim); -+ #$got = Net::SSLeay::ssl_read_all($ssl, $found+$len_delim); - #read up to the end of the delimiter -- $got = Net::SSLeay::read($ssl, -+ $got = Net::SSLeay::ssl_read_all($ssl, - $found + $len_delim - - ((blength($match)) - (blength($got)))); - $done = 1; - } else { -- $got = Net::SSLeay::read($ssl, $peek_length); -+ $got = Net::SSLeay::ssl_read_all($ssl, $peek_length); - $done = 1 if ($peek_length == $max_length - blength($reply)); - } - -@@ -857,7 +865,7 @@ sub ssl_read_until ($;$$) { - } - } else { - while (!defined $max_length || length $reply < $max_length) { -- $got = Net::SSLeay::read($ssl,1); # one by one -+ $got = Net::SSLeay::ssl_read_all($ssl,1); # one by one - last if print_errs('SSL_read'); - debug_read(\$reply, \$got) if $trace>1; - last if $got eq ''; -diff --git a/t/local/07_sslecho.t b/t/local/07_sslecho.t -index 74e317a..7f19027 100644 ---- a/t/local/07_sslecho.t -+++ b/t/local/07_sslecho.t -@@ -134,10 +134,10 @@ my @results; - - push @results, [ Net::SSLeay::get_cipher($ssl), 'get_cipher' ]; - -- push @results, [ Net::SSLeay::write($ssl, $msg), 'write' ]; -+ push @results, [ Net::SSLeay::ssl_write_all($ssl, $msg), 'write' ]; - shutdown($s, 1); - -- my ($got) = Net::SSLeay::read($ssl); -+ my $got = Net::SSLeay::ssl_read_all($ssl); - push @results, [ $got eq uc($msg), 'read' ]; - - Net::SSLeay::free($ssl); -@@ -177,7 +177,7 @@ my @results; - Net::SSLeay::set_fd($ssl, fileno($s)); - Net::SSLeay::connect($ssl); - -- Net::SSLeay::write($ssl, $msg); -+ 
Net::SSLeay::ssl_write_all($ssl, $msg); - - shutdown $s, 2; - close $s; -@@ -231,15 +231,15 @@ my @results; - Net::SSLeay::set_fd($ssl3, $s3); - - Net::SSLeay::connect($ssl1); -- Net::SSLeay::write($ssl1, $msg); -+ Net::SSLeay::ssl_write_all($ssl1, $msg); - shutdown $s1, 2; - - Net::SSLeay::connect($ssl2); -- Net::SSLeay::write($ssl2, $msg); -+ Net::SSLeay::ssl_write_all($ssl2, $msg); - shutdown $s2, 2; - - Net::SSLeay::connect($ssl3); -- Net::SSLeay::write($ssl3, $msg); -+ Net::SSLeay::ssl_write_all($ssl3, $msg); - shutdown $s3, 2; - - close $s1; -diff --git a/t/local/36_verify.t b/t/local/36_verify.t -index 2837288..b04be13 100644 ---- a/t/local/36_verify.t -+++ b/t/local/36_verify.t -@@ -252,8 +252,9 @@ sub client { - Net::SSLeay::set_fd($ssl, $cl); - Net::SSLeay::connect($ssl); - my $end = "end"; -- Net::SSLeay::write($ssl, $end); -- ok($end eq Net::SSLeay::read($ssl), 'Successful termination'); -+ Net::SSLeay::ssl_write_all($ssl, $end); -+ Net::SSLeay::shutdown($ssl); -+ ok($end eq Net::SSLeay::ssl_read_all($ssl), 'Successful termination'); - return; - } - -@@ -291,10 +292,10 @@ sub run_server - next unless $ret == 1; - - # Termination request or other message from client -- my $msg = Net::SSLeay::read($ssl); -+ my $msg = Net::SSLeay::ssl_read_all($ssl); - if (defined $msg and $msg eq 'end') - { -- Net::SSLeay::write($ssl, 'end'); -+ Net::SSLeay::ssl_write_all($ssl, 'end'); - exit (0); - } - } --- -2.14.4 - diff --git a/SOURCES/Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-from_write_partial.patch b/SOURCES/Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-from_write_partial.patch deleted file mode 100644 index 2f8a1d2..0000000 --- a/SOURCES/Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-from_write_partial.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From 122c80853a9bd66f21699fc79a689b3028d00d3b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Fri, 17 Aug 2018 13:08:44 +0200 -Subject: [PATCH] Move SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE retry from - write_partial() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Original OpenSSL 1.1.1 fix broke IO-Socket-SSL-2.058's t/nonblock.t test -because it tests non-blocking socket operations and expects to see -SSL_ERROR_WANT_WRITE errors and to handle them byt itself. - -This patch purifies Net::SSLeay::write_partial() to behave exactly as -underlying OpenSSL SSL_write() function. The retry is already -presented in Net::SSLeay::ssl_write_all(). - -All applications should implement the retry themsleves or use -ssl_*_all() instead. - -Signed-off-by: Petr Písař ---- - SSLeay.xs | 16 ++-------------- - lib/Net/SSLeay.pod | 3 ++- - 2 files changed, 4 insertions(+), 15 deletions(-) - -diff --git a/SSLeay.xs b/SSLeay.xs -index 7cb6eab..fc7677f 100644 ---- a/SSLeay.xs -+++ b/SSLeay.xs -@@ -2089,20 +2089,8 @@ SSL_write_partial(s,from,count,buf) - if (len < 0) { - croak("from beyound end of buffer"); - RETVAL = -1; -- } else { -- int ret; -- int err; -- -- do { -- ret = SSL_write (s, &(buf[from]), (count<=len)?count:len); -- if (ret > 0) -- break; -- err = SSL_get_error(s, ret); -- if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) -- break; -- } while (1); -- RETVAL = ret; -- } -+ } else -+ RETVAL = SSL_write (s, &(buf[from]), (count<=len)?count:len); - OUTPUT: - RETVAL - -diff --git a/lib/Net/SSLeay.pod b/lib/Net/SSLeay.pod -index bca7be4..8b5f738 100644 ---- a/lib/Net/SSLeay.pod -+++ b/lib/Net/SSLeay.pod -@@ -4819,7 +4819,8 @@ Check openssl doc L Does not exactly correspond to any low level API function - --Writes a fragment of data in $data from the buffer $data into the specified $ssl connection. 
-+Writes a fragment of data in $data from the buffer $data into the specified -+$ssl connection. This is a non-blocking function like L. - - my $rv = Net::SSLeay::write_partial($ssl, $from, $count, $data); - # $ssl - value corresponding to openssl's SSL structure --- -2.14.4 - diff --git a/SOURCES/Net-SSLeay-1.88-pkgconfig.patch b/SOURCES/Net-SSLeay-1.88-pkgconfig.patch new file mode 100644 index 0000000..be35f17 --- /dev/null +++ b/SOURCES/Net-SSLeay-1.88-pkgconfig.patch @@ -0,0 +1,45 @@ +From 67d9ad2238c6b58ea160df731208cc6f50b64e96 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Thu, 13 Jun 2019 13:14:26 +0200 +Subject: [PATCH] pkgconfig +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Link to OpenSSL library according to pkgconfig output if available. + +Signed-off-by: Petr Písař +--- + Makefile.PL | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/Makefile.PL b/Makefile.PL +index 31d9c74..6d7ceba 100644 +--- a/Makefile.PL ++++ b/Makefile.PL +@@ -200,11 +200,17 @@ EOM + @{ $opts->{lib_links} } = map { $_ =~ s/32\b//g } @{ $opts->{lib_links} } if $Config{use64bitall}; + } + else { +- push @{ $opts->{lib_links} }, +- ($rsaref +- ? qw( ssl crypto RSAglue rsaref z ) +- : qw( ssl crypto z ) +- ); ++ my $libsflags = `pkg-config --libs-only-l openssl`; ++ if ( $libsflags ne '' ) { ++ push @{ $opts->{lib_links} }, map { s/^-l//; $_ } split(' ', $libsflags); ++ } ++ else { ++ push @{ $opts->{lib_links} }, ++ ($rsaref ++ ? qw( ssl crypto RSAglue rsaref z ) ++ : qw( ssl crypto z ) ++ ); ++ } + + if (($Config{cc} =~ /aCC/i) && $^O eq 'hpux') { + print "*** Enabling HPUX aCC options (+e)\n"; +-- +2.20.1 + diff --git a/SPECS/perl-Net-SSLeay.spec b/SPECS/perl-Net-SSLeay.spec index 67c333c..61a41cc 100644 --- a/SPECS/perl-Net-SSLeay.spec +++ b/SPECS/perl-Net-SSLeay.spec 
@@ -1,36 +1,25 @@ +%if ! (0%{?rhel}) %{bcond_without perl_Net_SSLeay_enables_optional_test} +%else +%{bcond_with perl_Net_SSLeay_enables_optional_test} +%endif # Provides/Requires filtering is different from rpm 4.9 onwards %global rpm49 %(rpm --version | perl -p -e 's/^.* (\\d+)\\.(\\d+).*/sprintf("%d.%03d",$1,$2) ge 4.009 ? 1 : 0/e' 2>/dev/null || echo 0) Name: perl-Net-SSLeay -Version: 1.85 -Release: 6%{?dist} +Version: 1.88 +Release: 1%{?dist} Summary: Perl extension for using OpenSSL License: Artistic 2.0 -URL: http://search.cpan.org/dist/Net-SSLeay/ -Source0: http://search.cpan.org/CPAN/authors/id/M/MI/MIKEM/Net-SSLeay-%{version}.tar.gz -# Add missing call to va_end() in TRACE() (CPAN RT# 126028) -Patch0: Net-SSLeay-1.85-Add-missing-call-to-va_end-in-TRACE.patch -# Adapt to OpenSSL 1.1.1, bug #1610376, CPAN RT#125218 -Patch1: Net-SSLeay-1.85-Adapt-to-OpenSSL-1.1.1.patch -# Adapt tests to system-wide crypto policy, bug #1610376 -Patch2: Net-SSLeay-1.85-Adapt-CTX_get_min_proto_version-tests-to-system-wide.patch -# Adapt tests to security level 2 system-wide crypt policy, bug #1610376, -# CPAN RT#126270 -Patch3: Net-SSLeay-1.85-Generate-2048-bit-keys-for-tests.patch -# Avoid SIGPIPE in t/local/36_verify.t, bug #1610376, CPAN RT#125218 -Patch4: Net-SSLeay-1.85-Avoid-SIGPIPE-in-t-local-36_verify.t.patch -# Revert retry in Net::SSLeay::{read,write}(), bug #1610376, CPAN RT#125218 -Patch5: Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-.patch -# Revert retry in Net::SSLeay::write_partial(), bug #1610376, CPAN RT#125218 -Patch6: Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-from_write_partial.patch +URL: https://metacpan.org/release/Net-SSLeay +Source0: https://cpan.metacpan.org/modules/by-module/Net/Net-SSLeay-%{version}.tar.gz +# To prevent from linking to zlib +Patch1: Net-SSLeay-1.88-pkgconfig.patch # =========== Module Build =========================== BuildRequires: coreutils BuildRequires: findutils BuildRequires: gcc 
-# git-core for Generate-2048-bit-keys-for-tests.patch binary patch -BuildRequires: git-core BuildRequires: make BuildRequires: openssl BuildRequires: openssl-devel @@ -39,8 +28,11 @@ BuildRequires: perl-generators BuildRequires: perl-interpreter BuildRequires: perl(Cwd) BuildRequires: perl(ExtUtils::MakeMaker) +BuildRequires: perl(ExtUtils::MM) +BuildRequires: perl(File::Basename) BuildRequires: perl(File::Path) -BuildRequires: perl(lib) +BuildRequires: perl(Symbol) +BuildRequires: pkgconf-pkg-config # =========== Module Runtime ========================= BuildRequires: perl(AutoLoader) BuildRequires: perl(Carp) @@ -54,6 +46,8 @@ BuildRequires: perl(File::Spec) BuildRequires: perl(HTTP::Tiny) BuildRequires: perl(IO::Handle) BuildRequires: perl(IO::Socket::INET) +BuildRequires: perl(lib) +BuildRequires: perl(Storable) BuildRequires: perl(strict) BuildRequires: perl(Test::More) >= 0.61 BuildRequires: perl(threads) @@ -61,8 +55,10 @@ BuildRequires: perl(warnings) # =========== Optional Test Suite ==================== %if %{with perl_Net_SSLeay_enables_optional_test} BuildRequires: perl(Test::Exception) +# Test::Kwalitee 1.00 not used BuildRequires: perl(Test::NoWarnings) BuildRequires: perl(Test::Pod) >= 1.0 +# Test::Pod::Coverage 1.00 not used BuildRequires: perl(Test::Warn) %endif # =========== Module Runtime ========================= @@ -81,7 +77,11 @@ clients, and finally access to the SSL API of SSLeay/OpenSSL package so you can write servers or clients for more complicated applications. %prep -%autosetup -S git -n Net-SSLeay-%{version} +%setup -q -n Net-SSLeay-%{version} + +# Get libraries to link against from pkg-config +# https://github.com/radiator-software/p5-net-ssleay/pull/127 +%patch1 -p1 # Fix permissions in examples to avoid bogus doc-file dependencies chmod -c 644 examples/* 
@@ -93,9 +93,10 @@ chmod -c 644 examples/* %endif %build +unset OPENSSL_PREFIX PERL_MM_USE_DEFAULT=1 perl Makefile.PL \ INSTALLDIRS=vendor \ - OPTIMIZE="%{optflags}" + OPTIMIZE="%{optflags}" - 1.88-1 +- Update to 1.88 (bug #1632597, bug #1633630) + * Sat Sep 29 2018 Paul Howarth - 1.85-6 - OpenSSL 1.1.1 in Fedora disables SSL3 API, so stop trying to test it (bug #1610376)