Package: libnet-ssleay-perl / 1.85-2

Metadata

Package: libnet-ssleay-perl
Version: 1.85-2
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
Adapt to OpenSSL 1.1.1.patch

SSLeay.xs | 56 52 + 4 - 0 !
lib/Net/SSLeay.pod | 46 46 + 0 - 0 !
t/local/07_sslecho.t | 15 13 + 2 - 0 !
t/local/36_verify.t | 2 1 + 1 - 0 !
4 files changed, 112 insertions(+), 7 deletions(-)

 [patch] adapt to openssl 1.1.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OpenSSL 1.1.1 defaults to TLS 1.3 that handles session tickets and
Adapt CTX_get_min_proto_version tests to system wide.patch

t/local/09_ctx_new.t | 22 20 + 2 - 0 !
1 file changed, 20 insertions(+), 2 deletions(-)

 [patch] adapt ctx_get_min_proto_version tests to system-wide policy

In our distribution, /etc/crypto-policies/back-ends/opensslcnf.config
can override default minimal SSL/TLS protocol version. If it does,
t/local/09_ctx_new.t test will fail because OpenSSL will return
Avoid SIGPIPE in t local 36_verify.t.patch

t/local/36_verify.t | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 [patch] avoid sigpipe in t/local/36_verify.t

t/local/36_verify.t fails randomly with OpenSSL 1.1.1:

    #   Failed test 'Verify callback result and get_verify_result are equal'
    #   at t/local/36_verify.t line 111.
    #          got: '-1'
    #     expected: '0'
    #   Failed test 'Verify result is X509_V_ERR_NO_EXPLICIT_POLICY'
    #   at t/local/36_verify.t line 118.
    #          got: '-1'
    #     expected: '43'
    Bailout called.  Further testing stopped:  failed to connect to server: Connection refused
    FAILED--Further testing stopped: failed to connect to server: Connection refused

I believe this is because a TLSv1.3 server can generate SIGPIPE if a client
disconnects too soon.

Signed-off-by: Petr Písař <ppisar@redhat.com>

Move SSL_ERROR_WANT_READ SSL_ERROR_WANT_WRITE retry .patch

SSLeay.xs | 28 7 + 21 - 0 !
lib/Net/SSLeay.pm | 22 15 + 7 - 0 !
t/local/07_sslecho.t | 12 6 + 6 - 0 !
t/local/36_verify.t | 9 5 + 4 - 0 !
4 files changed, 33 insertions(+), 38 deletions(-)

 [patch] move ssl_error_want_read/ssl_error_want_write retry from
 read()/write() up

Original OpenSSL 1.1.1 fix broke IO-Socket-SSL-2.058's t/core.t test
because it tests non-blocking socket operations and expects to see
SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE errors and to handle them
by itself.

This patch purifies Net::SSLeay::{read,write}() to behave exactly as
underlying OpenSSL functions. The retry is moved to
Net::SSLeay::ssl_read_all. All relevant Net::SSLeay::{read,write}() calls in
tests are changed into Net::SSLeay::ssl_{read,write}_all().

All applications should implement the retry themselves or use
ssl_*_all() instead.

Signed-off-by: Petr Písař <ppisar@redhat.com>

Move SSL_ERROR_WANT_READ SSL_ERROR_WANT_WRITE retry from_write_partial.patch

SSLeay.xs | 16 2 + 14 - 0 !
lib/Net/SSLeay.pod | 3 2 + 1 - 0 !
2 files changed, 4 insertions(+), 15 deletions(-)

 [patch] move ssl_error_want_read/ssl_error_want_write retry from
 write_partial()

Original OpenSSL 1.1.1 fix broke IO-Socket-SSL-2.058's t/nonblock.t test
because it tests non-blocking socket operations and expects to see
SSL_ERROR_WANT_WRITE errors and to handle them by itself.

This patch purifies Net::SSLeay::write_partial() to behave exactly as
underlying OpenSSL SSL_write() function. The retry is already
present in Net::SSLeay::ssl_write_all().

All applications should implement the retry themselves or use
ssl_*_all() instead.

Signed-off-by: Petr Písař <ppisar@redhat.com>

20no stray libz link.patch

inc/Module/Install/PRIVATE/Net/SSLeay.pm | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 avoid unnecessary dependency on libz
add security level routines.patch

SSLeay.xs | 20 20 + 0 - 0 !
lib/Net/SSLeay.pod | 40 40 + 0 - 0 !
t/local/65_security_level.t | 41 41 + 0 - 0 !
3 files changed, 101 insertions(+)

 add set_security_level() routines
 This patch adds SSL_[CTX_](set|get)_security_level() routines
 .
 They are needed at least by the tests that use certificates with 1024-bit keys
 in environments with openssl with default security level of 2, which requires
 at least 2048-bit key sizes
test with security level 1.patch

t/local/07_sslecho.t | 2 2 + 0 - 0 !
t/local/08_pipe.t | 2 2 + 0 - 0 !
t/local/36_verify.t | 1 1 + 0 - 0 !
t/local/64_ticket_sharing.t | 2 2 + 0 - 0 !
4 files changed, 7 insertions(+)

 set security level to 1 in tests working with keys less than 2048 bits long
 When openssl is built with default security level of 2 and above, all
 operations with RSA keys under 2048 bits are rejected. Setting the security
 level to 1 makes the test pass with the smaller keys.
 .
 Requires the patch adding security_level() routines.
ok result is no error.patch

lib/Net/SSLeay.pm | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 set_cert_and_key() should return error only when one of the underlying routines does
 Currently set_cert_and_key() returns an error condition when the libssl error
 stack contains errors, even if the CTX_use_PrivateKey_file() and
 CTX_use_certificate_file() both return success.
 .
 The error stack contents are bogus and should not matter when the return codes
 indicate success.
set_num_tickets min version.patch

SSLeay.xs | 2 1 + 1 - 0 !
t/local/07_sslecho.t | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 adjust minimum openssl version for set_num_tickets() support
 SSL_CTX_set_num_tickets() & co are available since 0x10101009
 .
 Requires Adapt-to-OpenSSL-1.1.1.patch
debian min tls ver.patch

t/local/09_ctx_new.t | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 hardcode the minimal protocol version in 09_ctx_new.t
 This is a follow-up to
 Adapt-CTX_get_min_proto_version-tests-to-system-wide.patch
 .
 That patch adjusts the minimal protocol version according to a system-wide
 configuration file. This file is not present in Debian, where a compile-time
 setting is used. So we need a hard-coded value, which will be subject to
 change in the future.