r44833 - in /trunk/libio-socket-ssl-perl: Changes META.yml SSL.pm debian/changelog t/memleak_bad_handshake.t t/sessions.t t/startssl.t
carnil-guest at users.alioth.debian.org
carnil-guest at users.alioth.debian.org
Sat Sep 26 06:43:09 UTC 2009
Author: carnil-guest
Date: Sat Sep 26 06:42:53 2009
New Revision: 44833
URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=44833
Log:
New upstream release
Modified:
trunk/libio-socket-ssl-perl/Changes
trunk/libio-socket-ssl-perl/META.yml
trunk/libio-socket-ssl-perl/SSL.pm
trunk/libio-socket-ssl-perl/debian/changelog
trunk/libio-socket-ssl-perl/t/memleak_bad_handshake.t
trunk/libio-socket-ssl-perl/t/sessions.t
trunk/libio-socket-ssl-perl/t/startssl.t
Modified: trunk/libio-socket-ssl-perl/Changes
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libio-socket-ssl-perl/Changes?rev=44833&op=diff
==============================================================================
--- trunk/libio-socket-ssl-perl/Changes (original)
+++ trunk/libio-socket-ssl-perl/Changes Sat Sep 26 06:42:53 2009
@@ -1,3 +1,21 @@
+
+v1.31 2009.09.25
+- add and export constants for SSL_VERIFY_*
+- set SSL_use_cert if cert is given and not SSL_server
+- support alternative CRL file with SSL_crl_file thanks to patch of
+ w[DOT]phillip[DOT]moore[AT]gmail[DOT]com
+v1.30_3 2009.09.03
+- make t/memleak_bad_handshake.t more stable (increase listen queue,
+ ignore errors on connect, don't run on windows..)
+v1.30_2 2009.09.01
+- t/memleak_bad_handshake.t don't write errors with ps to stderr,
+ -o vsize argument is not supported on all platforms, just skip
+ test then
+v1.30_1 2009.08.31
+- make sure that idn_to_ascii gets no \0 bytes from identity, because
+ it simply cuts the string their (using C semantics). Not really a
+ security problem because IDN like identity is provided by user in
+ hostname, not by certificate.
v1.30 2009.08.19
- fix test t/memleak_bad_handshake.t
Modified: trunk/libio-socket-ssl-perl/META.yml
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libio-socket-ssl-perl/META.yml?rev=44833&op=diff
==============================================================================
--- trunk/libio-socket-ssl-perl/META.yml (original)
+++ trunk/libio-socket-ssl-perl/META.yml Sat Sep 26 06:42:53 2009
@@ -1,6 +1,6 @@
--- #YAML:1.0
name: IO-Socket-SSL
-version: 1.30
+version: 1.31
abstract: Nearly transparent SSL encapsulation for IO::Socket::INET.
license: ~
author:
Modified: trunk/libio-socket-ssl-perl/SSL.pm
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libio-socket-ssl-perl/SSL.pm?rev=44833&op=diff
==============================================================================
--- trunk/libio-socket-ssl-perl/SSL.pm (original)
+++ trunk/libio-socket-ssl-perl/SSL.pm Sat Sep 26 06:42:53 2009
@@ -21,9 +21,17 @@
use Carp;
use strict;
-# from openssl/ssl.h, should be better in Net::SSLeay
-use constant SSL_SENT_SHUTDOWN => 1;
-use constant SSL_RECEIVED_SHUTDOWN => 2;
+use constant {
+ SSL_VERIFY_NONE => Net::SSLeay::VERIFY_NONE(),
+ SSL_VERIFY_PEER => Net::SSLeay::VERIFY_PEER(),
+ SSL_VERIFY_FAIL_IF_NO_PEER_CERT => Net::SSLeay::VERIFY_FAIL_IF_NO_PEER_CERT(),
+ SSL_VERIFY_CLIENT_ONCE => Net::SSLeay::VERIFY_CLIENT_ONCE(),
+ # from openssl/ssl.h, should be better in Net::SSLeay
+ SSL_SENT_SHUTDOWN => 1,
+ SSL_RECEIVED_SHUTDOWN => 2,
+};
+
+
# non-XS Versions of Scalar::Util will fail
BEGIN{
@@ -45,7 +53,11 @@
my $y = Net::SSLeay::ERROR_WANT_WRITE();
use constant SSL_WANT_WRITE => dualvar( \$y, 'SSL wants a write first' );
- @EXPORT = qw( SSL_WANT_READ SSL_WANT_WRITE $SSL_ERROR GEN_DNS GEN_IPADD );
+ @EXPORT = qw(
+ SSL_WANT_READ SSL_WANT_WRITE SSL_VERIFY_NONE SSL_VERIFY_PEER
+ SSL_VERIFY_FAIL_IF_NO_PEER_CERT SSL_VERIFY_CLIENT_ONCE
+ $SSL_ERROR GEN_DNS GEN_IPADD
+ );
}
my @caller_force_inet4; # in case inet4 gets forced we store here who forced it
@@ -66,7 +78,7 @@
}) {
@ISA = qw(IO::Socket::INET);
}
- $VERSION = '1.30';
+ $VERSION = '1.31';
$GLOBAL_CONTEXT_ARGS = {};
#Make $DEBUG another name for $Net::SSLeay::trace
@@ -206,18 +218,28 @@
my ($self, $arg_hash) = @_;
my $is_server = $arg_hash->{'SSL_server'} || $arg_hash->{'Listen'} || 0;
+
my %default_args = (
Proto => 'tcp',
SSL_server => $is_server,
SSL_use_cert => $is_server,
SSL_check_crl => 0,
SSL_version => 'sslv23',
- SSL_verify_mode => Net::SSLeay::VERIFY_NONE(),
+ SSL_verify_mode => SSL_VERIFY_NONE,
SSL_verify_callback => undef,
SSL_verifycn_scheme => undef, # don't verify cn
SSL_verifycn_name => undef, # use from PeerAddr/PeerHost
);
-
+
+ # common problem forgetting SSL_use_cert
+ # if client cert is given but SSL_use_cert undef assume that it
+ # should be set
+ if ( ! $is_server && ! defined $arg_hash->{SSL_use_cert}
+ && ( grep { $arg_hash->{$_} } qw(SSL_cert SSL_cert_file))
+ && ( grep { $arg_hash->{$_} } qw(SSL_key SSL_key_file)) ) {
+ $arg_hash->{SSL_use_cert} = 1
+ }
+
# SSL_key_file and SSL_cert_file will only be set in defaults if
# SSL_key|SSL_key_file resp SSL_cert|SSL_cert_file are not set in
# $args_hash
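Review bot: The implicit `SSL_use_cert` only fires when both a cert (`SSL_cert`/`SSL_cert_file`) and a key (`SSL_key`/`SSL_key_file`) are passed, but the `=item SSL_use_cert` POD added further down in this commit (the `@@ -1623` hunk) says it is set whenever "a cert was given", so a caller passing only `SSL_cert_file` and relying on the default key location gets no implicit `SSL_use_cert`; either document the key requirement there or drop the key condition here. That POD hunk also has "convinience" for "convenience" and "if Listen with given" for "if Listen was given". The assignment `$arg_hash->{SSL_use_cert} = 1` lacks its trailing semicolon; legal as the last statement in the block, but fragile if a line is added after it. The enclosing sub starts and ends outside the hunk.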
@@ -1082,6 +1104,7 @@
} else {
# assume hostname, check for umlauts etc
if ( $identity =~m{[^a-zA-Z0-9_.\-]} ) {
+ $identity =~m{\0} and croak("name '$identity' has \\0 byte");
$identity = idn_to_ascii($identity) or
croak "Warning: Given name '$identity' could not be converted to IDNA!";
}
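Review bot: `croak("name '$identity' has \\0 byte")` embeds the raw NUL byte in the exception text, which then reaches logs or terminals verbatim; report it without the offending value, `$identity =~m{\0} and croak("name contains a \\0 byte");`, or escape the string first. The two adjacent `croak` calls also differ in form (parenthesised vs. bare); pick one. The enclosing sub starts and ends outside the hunk.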
@@ -1359,10 +1382,19 @@
if ($arg_hash->{'SSL_check_crl'}) {
if (Net::SSLeay::OPENSSL_VERSION_NUMBER() >= 0x0090702f) {
- Net::SSLeay::X509_STORE_set_flags(
- Net::SSLeay::CTX_get_cert_store($ctx),
- Net::SSLeay::X509_V_FLAG_CRL_CHECK()
- );
+ Net::SSLeay::X509_STORE_set_flags(
+ Net::SSLeay::CTX_get_cert_store($ctx),
+ Net::SSLeay::X509_V_FLAG_CRL_CHECK()
+ );
+ if ($arg_hash->{'SSL_crl_file'}) {
+ my $bio = Net::SSLeay::BIO_new_file($arg_hash->{'SSL_crl_file'}, 'r');
+ my $crl = Net::SSLeay::PEM_read_bio_X509_CRL($bio);
+ if ( $crl ) {
+ Net::SSLeay::X509_STORE_add_crl(Net::SSLeay::CTX_get_cert_store($ctx), $crl);
+ } else {
+ return IO::Socket::SSL->error("Invalid certificate revocation list");
+ }
+ }
} else {
return IO::Socket::SSL->error("CRL not supported for OpenSSL < v0.9.7b");
}
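Review bot: `Net::SSLeay::BIO_new_file` can fail (missing or unreadable `SSL_crl_file`) and its result is passed straight to `PEM_read_bio_X509_CRL` without a check, so an unreadable file surfaces as the misleading "Invalid certificate revocation list", and on the success path the BIO is never released with `Net::SSLeay::BIO_free`, leaking one BIO per context built with a CRL file. `PEM_read_bio_X509_CRL` reads a single PEM object, so only the first CRL in a multi-CRL file is added; the new `=item SSL_crl_file` POD later in this commit could say so. If this Net::SSLeay build has `X509_CRL_free`, the CRL can also be freed after `X509_STORE_add_crl`, since the store takes its own reference. The enclosing sub starts and ends outside the hunk.
```perl
if ($arg_hash->{'SSL_crl_file'}) {
    my $crl_file = $arg_hash->{'SSL_crl_file'};
    my $bio = Net::SSLeay::BIO_new_file($crl_file, 'r')
        or return IO::Socket::SSL->error("Cannot open CRL file $crl_file");
    my $crl = Net::SSLeay::PEM_read_bio_X509_CRL($bio);
    Net::SSLeay::BIO_free($bio);   # BIO no longer needed once the CRL is parsed
    if ( $crl ) {
        Net::SSLeay::X509_STORE_add_crl(Net::SSLeay::CTX_get_cert_store($ctx), $crl);
    } else {
        return IO::Socket::SSL->error("Invalid certificate revocation list in $crl_file");
    }
}
# … unchanged: else branch reporting CRL unsupported for OpenSSL < v0.9.7b …
```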
@@ -1456,6 +1488,7 @@
my $ctx = shift;
my $cache = $ctx->{'session_cache'} || return;
my ($addr,$port,$session) = @_;
+ $port ||= $addr =~s{:(\w+)$}{} && $1; # host:port
my $key = "$addr:$port";
return defined($session)
? $cache->add_session($key, $session)
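Review bot: The fallback `$port ||= $addr =~s{:(\w+)$}{} && $1;` takes any trailing `:group` as the port, so an IPv6 literal passed without a port (e.g. `::1`) is split into host `:` and port `1` and the cache key no longer matches what the peer address was. If only numeric ports are meant here, `$port ||= $addr =~s{:(\d+)\z}{} && $1;` at least narrows the match (and `\z` avoids matching before a trailing newline), while IPv6 callers should keep passing `$port` separately. Because `$addr` is a lexical copy from `@_`, the in-place substitution does not affect the caller. The enclosing sub starts outside the hunk.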
@@ -1623,6 +1656,16 @@
you are setting up an SSL client. If this is set to 0 (the default), then you will
only need a certificate and key if you are setting up a server.
+SSL_use_cert will implicitly be set if SSL_server is set.
+For convinience it is also set if it was not given but a cert was given for use
+(SSL_cert_file or similar).
+
+=item SSL_server
+
+Use this, if the socket should be used as a server.
+If this is not explicitly set it is assumed, if Listen with given when creating
+the socket.
+
=item SSL_key_file
If your RSA private key is not in default place (F<certs/server-key.pem> for servers,
@@ -1721,11 +1764,18 @@
=item SSL_check_crl
-If you want to verify that the peer certificate has not been revoked by the
-signing authority, set this value to true. OpenSSL will search for the CRL
-in your SSL_ca_path. See the Net::SSLeay documentation for more details.
-Note that this functionality appears to be broken with OpenSSL < v0.9.7b,
-so its use with lower versions will result in an error.
+If you want to verify that the peer certificate has not been revoked
+by the signing authority, set this value to true. OpenSSL will search
+for the CRL in your SSL_ca_path, or use the file specified by
+SSL_crl_file. See the Net::SSLeay documentation for more details.
+Note that this functionality appears to be broken with OpenSSL <
+v0.9.7b, so its use with lower versions will result in an error.
+
+=item SSL_crl_file
+
+If you want to specify the CRL file to be used, set this value to the
+pathname to be used. This must be used in addition to setting
+SSL_check_crl.
=item SSL_reuse_ctx
Modified: trunk/libio-socket-ssl-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libio-socket-ssl-perl/debian/changelog?rev=44833&op=diff
==============================================================================
--- trunk/libio-socket-ssl-perl/debian/changelog (original)
+++ trunk/libio-socket-ssl-perl/debian/changelog Sat Sep 26 06:42:53 2009
@@ -1,3 +1,9 @@
+libio-socket-ssl-perl (1.31-1) UNRELEASED; urgency=low
+
+ * New upstream release
+
+ -- Salvatore Bonaccorso <salvatore.bonaccorso at gmail.com> Sat, 26 Sep 2009 06:39:49 +0000
+
libio-socket-ssl-perl (1.30-1) unstable; urgency=low
* New upstream release.
Modified: trunk/libio-socket-ssl-perl/t/memleak_bad_handshake.t
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libio-socket-ssl-perl/t/memleak_bad_handshake.t?rev=44833&op=diff
==============================================================================
--- trunk/libio-socket-ssl-perl/t/memleak_bad_handshake.t (original)
+++ trunk/libio-socket-ssl-perl/t/memleak_bad_handshake.t Sat Sep 26 06:42:53 2009
@@ -10,6 +10,11 @@
use Errno qw(EAGAIN EINPROGRESS );
use strict;
+if ( grep { $^O =~m{$_}i } qw( MacOS VOS vmesa riscos amigaos mswin32) ) {
+ print "1..0 # Skipped: ps not implemented on this platform\n";
+ exit
+}
+
$|=1;
use vars qw( $SSL_SERVER_ADDR );
do "t/ssl_settings.req" || do "ssl_settings.req";
@@ -21,7 +26,7 @@
my $server = IO::Socket::SSL->new(
LocalAddr => $SSL_SERVER_ADDR,
- Listen => 2,
+ Listen => 200,
ReuseAddr => 1,
);
my $addr = $SSL_SERVER_ADDR.':'.$server->sockport;
@@ -42,14 +47,18 @@
close($server);
# plain non-SSL connect and close w/o sending data
-IO::Socket::INET->new( $addr ) or die $! for(1..100);
+for(1..100) {
+ IO::Socket::INET->new( $addr ) or next;
+}
my $size100 = getsize($pid);
if ( ! $size100 ) {
print "1..0 # Skipped: cannot get size of child process\n";
exit
}
-IO::Socket::INET->new( $addr ) or die $! for(100..200);
+for(100..200) {
+ IO::Socket::INET->new( $addr ) or next;
+}
my $size200 = getsize($pid);
print "1..1\n";
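Review bot: `IO::Socket::INET->new( $addr ) or next;` is the only statement in each loop body, so the `or next` has no effect and reads as if a failure were handled; if the intent is simply to ignore connect failures, a bare `IO::Socket::INET->new( $addr );` says that, or count the failures and skip the test when none of the connects succeeded, since `$size100` and `$size200` then measure nothing. Both loops in this hunk have the same shape.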
@@ -63,8 +72,8 @@
sub getsize {
my $pid = shift;
- open( my $ps,'-|','ps','-o','vsize','-p',$pid ) or return;
- <$ps>; # header
+ open( my $ps,'-|',"ps -o vsize -p $pid 2>/dev/null" ) or return;
+ $ps && <$ps> or return; # header
return int(<$ps>); # size
}
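Review bot: `open( my $ps,'-|',"ps -o vsize -p $pid 2>/dev/null" )` replaces the previous list-form open with a shell command string built by interpolation; `$pid` comes from fork here so it is a trusted integer, but the list form should be kept and ps's stderr silenced by redirecting the test's own STDERR around the fork instead, since the `2>/dev/null` is the only reason the shell is involved. `$ps && <$ps> or return` also keeps a redundant `$ps &&` (a successful open always yields a true handle), and `int(<$ps>)` warns when ps printed only a header. The rewrite below needs `use File::Spec` (core) at the top of the test.
```perl
sub getsize {
    my $pid = shift;
    # keep the list-form open (no shell); silence ps where -o vsize is unsupported
    open( my $olderr, '>&', \*STDERR ) or return;
    open( STDERR, '>', File::Spec->devnull ) or return;
    my $ok = open( my $ps,'-|','ps','-o','vsize','-p',$pid );
    open( STDERR, '>&', $olderr );
    $ok or return;
    <$ps> or return;          # header
    return int(<$ps> || 0);   # size
}
```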
Modified: trunk/libio-socket-ssl-perl/t/sessions.t
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libio-socket-ssl-perl/t/sessions.t?rev=44833&op=diff
==============================================================================
--- trunk/libio-socket-ssl-perl/t/sessions.t (original)
+++ trunk/libio-socket-ssl-perl/t/sessions.t Sat Sep 26 06:42:53 2009
@@ -27,20 +27,19 @@
print "1..$numtests\n";
-my %server_options =
- (SSL_key_file => "certs/server-key.enc",
- SSL_passwd_cb => sub { return "bluebell" },
- LocalAddr => $SSL_SERVER_ADDR,
- Listen => 2,
- Proto => 'tcp',
- Timeout => 30,
- ReuseAddr => 1,
- SSL_verify_mode => 0x00,
- SSL_ca_file => "certs/test-ca.pem",
- SSL_use_cert => 1,
- SSL_cert_file => "certs/server-cert.pem",
- SSL_version => 'TLSv1',
- SSL_cipher_list => 'HIGH');
+my %server_options = (
+ SSL_key_file => "certs/server-key.enc",
+ SSL_passwd_cb => sub { return "bluebell" },
+ LocalAddr => $SSL_SERVER_ADDR,
+ Listen => 2,
+ Timeout => 30,
+ ReuseAddr => 1,
+ SSL_verify_mode => SSL_VERIFY_NONE,
+ SSL_ca_file => "certs/test-ca.pem",
+ SSL_cert_file => "certs/server-cert.pem",
+ SSL_version => 'TLSv1',
+ SSL_cipher_list => 'HIGH'
+);
my @servers = (IO::Socket::SSL->new( %server_options),
@@ -60,17 +59,15 @@
unless (fork) {
close $_ foreach @servers;
- my $ctx = new IO::Socket::SSL::SSL_Context
- (SSL_key_file => "certs/client-key.enc",
+ my $ctx = IO::Socket::SSL::SSL_Context->new(
SSL_passwd_cb => sub { return "opossum" },
- SSL_verify_mode => 0x01,
+ SSL_verify_mode => SSL_VERIFY_PEER,
SSL_ca_file => "certs/test-ca.pem",
SSL_ca_path => '',
- SSL_use_cert => 1,
- SSL_cert_file => "certs/client-cert.pem",
SSL_version => 'TLSv1',
SSL_cipher_list => 'HIGH',
- SSL_session_cache_size => 4);
+ SSL_session_cache_size => 4
+ );
if (! defined $ctx->{'session_cache'}) {
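Review bot: With `SSL_key_file`, `SSL_use_cert` and `SSL_cert_file` removed from the client context, `SSL_passwd_cb => sub { return "opossum" }` no longer has an encrypted key to unlock and is dead configuration; drop it as well, or keep the key/cert pair if the test is meant to exercise a client certificate. Which was intended is not clear from the hunk alone, since the server context in this file is created with `SSL_verify_mode => SSL_VERIFY_NONE` and would not request one.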
@@ -125,8 +122,8 @@
PeerPort => $SSL_SERVER_PORT3
);
my @clients = (
- IO::Socket::SSL->new(PeerAddr => $SSL_SERVER_ADDR, PeerPort => $SSL_SERVER_PORT),
- IO::Socket::SSL->new(PeerAddr => $SSL_SERVER_ADDR, PeerPort => $SSL_SERVER_PORT2),
+ IO::Socket::SSL->new("$SSL_SERVER_ADDR:$SSL_SERVER_PORT"),
+ IO::Socket::SSL->new("$SSL_SERVER_ADDR:$SSL_SERVER_PORT2"),
IO::Socket::SSL->start_SSL( $sock3 ),
);
@@ -167,9 +164,11 @@
close $clients[$_];
}
- @clients = (new IO::Socket::SSL(PeerAddr => $SSL_SERVER_ADDR, PeerPort => $SSL_SERVER_PORT),
- new IO::Socket::SSL(PeerAddr => $SSL_SERVER_ADDR, PeerPort => $SSL_SERVER_PORT2),
- new IO::Socket::SSL(PeerAddr => $SSL_SERVER_ADDR, PeerPort => $SSL_SERVER_PORT3));
+ @clients = (
+ IO::Socket::SSL->new("$SSL_SERVER_ADDR:$SSL_SERVER_PORT"),
+ IO::Socket::SSL->new("$SSL_SERVER_ADDR:$SSL_SERVER_PORT2"),
+ IO::Socket::SSL->new("$SSL_SERVER_ADDR:$SSL_SERVER_PORT3")
+ );
if (keys(%$cache) != 6) {
print "not ";
@@ -213,7 +212,8 @@
@clients = map { scalar $_->accept } @servers;
if (!$clients[0] or !$clients[1] or !$clients[2]) {
- print "not ok \# Client init\n";
+ print $SSL_ERROR;
+ print "not ok \# Client init 2\n";
exit;
}
&ok("Client init 2");
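Review bot: `print $SSL_ERROR;` writes the error to STDOUT in the middle of the TAP stream with no `#` prefix and no newline, so a harness sees it glued onto the following `not ok` line; emit it as a diagnostic instead, `print "# $SSL_ERROR\n";`, or send it to STDERR. `$SSL_ERROR` may be undef when accept fails for a non-SSL reason, which would add an uninitialized-value warning on top, so guard it if that case is expected here.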
Modified: trunk/libio-socket-ssl-perl/t/startssl.t
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libio-socket-ssl-perl/t/startssl.t?rev=44833&op=diff
==============================================================================
--- trunk/libio-socket-ssl-perl/t/startssl.t (original)
+++ trunk/libio-socket-ssl-perl/t/startssl.t Sat Sep 26 06:42:53 2009
@@ -92,7 +92,6 @@
SSL_server => 1,
SSL_verify_mode => 0x00,
SSL_ca_file => "certs/test-ca.pem",
- SSL_use_cert => 1,
SSL_cert_file => "certs/client-cert.pem",
SSL_version => 'TLSv1',
SSL_cipher_list => 'HIGH',