[libnet-ssleay-perl] 01/01: OpenSSL 1.1 patch from upstream SVN (Closes: #828401)
dom at earth.li
dom at earth.li
Tue Jul 12 21:21:11 UTC 2016
This is an automated email from the git hooks/post-receive script.
dom pushed a commit to branch experimental
in repository libnet-ssleay-perl.
commit a14580e766bc5761d89609f58c9e1f9a1f8a322c
Author: Dominic Hargreaves <dom at earth.li>
Date: Fri Jul 8 17:49:47 2016 +0200
OpenSSL 1.1 patch from upstream SVN (Closes: #828401)
---
debian/changelog | 8 +-
debian/patches/openssl-1.1.patch | 917 +++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 924 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 79eba9a..0142a4e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,12 @@
-libnet-ssleay-perl (1.74-2) UNRELEASED; urgency=medium
+libnet-ssleay-perl (1.74-2) experimental; urgency=medium
+ [ gregor herrmann ]
* debian/copyright: change Copyright-Format 1.0 URL to HTTPS.
- -- gregor herrmann <gregoa at debian.org> Fri, 20 May 2016 12:07:51 +0200
+ [ Dominic Hargreaves ]
+ * OpenSSL 1.1 patch from upstream SVN (Closes: #828401)
+
+ -- Dominic Hargreaves <dom at earth.li> Sat, 09 Jul 2016 00:02:40 +0200
libnet-ssleay-perl (1.74-1) unstable; urgency=medium
diff --git a/debian/patches/openssl-1.1.patch b/debian/patches/openssl-1.1.patch
new file mode 100644
index 0000000..806f90e
--- /dev/null
+++ b/debian/patches/openssl-1.1.patch
@@ -0,0 +1,917 @@
+Subject: OpenSSL 1.1 support
+Author: Mike McCauley <mikem at airspayce.com>
+Origin: svn://svn.debian.org/svn/net-ssleay@469
+
+Index: SSLeay.xs
+===================================================================
+--- a/SSLeay.xs (revision 465)
++++ b/SSLeay.xs (working copy)
+@@ -237,8 +237,10 @@
+
+ #ifdef USE_ITHREADS
+ static perl_mutex LIB_init_mutex;
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ static perl_mutex *GLOBAL_openssl_mutex = NULL;
+ #endif
++#endif
+ static int LIB_initialized;
+
+ UV get_my_thread_id(void) /* returns threads->tid() value */
+@@ -277,6 +279,8 @@
+ */
+ #if defined(USE_ITHREADS) && defined(OPENSSL_THREADS)
+
++
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ static void openssl_locking_function(int mode, int type, const char *file, int line)
+ {
+ PR3("openssl_locking_function %d %d\n", mode, type);
+@@ -331,6 +335,7 @@
+ MUTEX_DESTROY(&l->mutex);
+ Safefree(l);
+ }
++#endif
+
+ void openssl_threads_init(void)
+ {
+@@ -338,6 +343,7 @@
+
+ PR1("STARTED: openssl_threads_init\n");
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ /* initialize static locking */
+ if ( !CRYPTO_get_locking_callback() ) {
+ #if OPENSSL_VERSION_NUMBER < 0x10000000L
+@@ -371,6 +377,7 @@
+ CRYPTO_set_dynlock_lock_callback(openssl_dynlocking_lock_function);
+ CRYPTO_set_dynlock_destroy_callback(openssl_dynlocking_destroy_function);
+ }
++#endif
+ }
+
+ #endif
+@@ -395,7 +402,9 @@
+ if (!m) return; /* Skip aliases */
+ mname = OBJ_nid2ln(EVP_MD_type(m));
+ if (strcmp(from, mname)) return; /* Skip shortnames */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ if (EVP_MD_flags(m) & EVP_MD_FLAG_PKEY_DIGEST) return; /* Skip clones */
++#endif
+ if (strchr(mname, ' ')) mname= EVP_MD_name(m);
+ av_push(arg, newSVpv(mname,0));
+ }
+@@ -799,6 +808,7 @@
+ AV *ciphers = newAV();
+ SV *pref_cipher = sv_newmortal();
+ SV * cb_func, *cb_data;
++ SV * secretsv;
+
+ PR1("STARTED: ssleay_session_secret_cb_invoke\n");
+ cb_func = cb_data_advanced_get(arg, "ssleay_session_secret_cb!!func");
+@@ -811,8 +821,8 @@
+ SAVETMPS;
+
+ PUSHMARK(SP);
+-
+- XPUSHs( sv_2mortal( newSVpv(secret, *secret_len)) );
++ secretsv = sv_2mortal( newSVpv(secret, *secret_len));
++ XPUSHs(secretsv);
+ for (i=0; i<sk_SSL_CIPHER_num(peer_ciphers); i++) {
+ SSL_CIPHER *c = sk_SSL_CIPHER_value(peer_ciphers,i);
+ av_store(ciphers, i, sv_2mortal(newSVpv(SSL_CIPHER_get_name(c), 0)));
+@@ -835,6 +845,13 @@
+ /* See if there is a preferred cipher selected, if so it is an index into the stack */
+ if (SvIOK(pref_cipher))
+ *cipher = sk_SSL_CIPHER_value(peer_ciphers, SvIV(pref_cipher));
++
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ /* Use any new master secret set by the callback function in secret */
++ STRLEN newsecretlen;
++ char* newsecretdata = SvPV(secretsv, newsecretlen);
++ memcpy(secret, newsecretdata, newsecretlen);
++#endif
+ }
+
+ PUTBACK;
+@@ -1404,8 +1421,10 @@
+ OUTPUT:
+ RETVAL
+
+-#ifndef OPENSSL_NO_SSL2
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#ifndef OPENSSL_NO_SSL2
++
+ SSL_CTX *
+ SSL_CTX_v2_new()
+ CODE:
+@@ -1414,7 +1433,7 @@
+ RETVAL
+
+ #endif
+-
++#endif
+ #ifndef OPENSSL_NO_SSL3
+
+ SSL_CTX *
+@@ -2105,10 +2124,35 @@
+ SSL_want(s)
+ SSL * s
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ int
+ SSL_state(s)
+ SSL * s
+
++int
++SSL_get_state(ssl)
++ SSL * ssl
++ CODE:
++ RETVAL = SSL_state(ssl);
++ OUTPUT:
++ RETVAL
++
++
++#else
++int
++SSL_state(s)
++ SSL * s
++ CODE:
++ RETVAL = SSL_get_state(s);
++ OUTPUT:
++ RETVAL
++
++
++int
++SSL_get_state(s)
++ SSL * s
++
++#endif
+ #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
+
+ long
+@@ -2734,19 +2778,15 @@
+ X509_ATTRIBUTE * att;
+ int count, i;
+ ASN1_STRING * s;
++ ASN1_TYPE * t;
+ PPCODE:
+ att = X509_REQ_get_attr(req,n);
+- if (att->single) {
+- s = (att->value.single->value.asn1_string);
++ count = X509_ATTRIBUTE_count(att);
++ for (i=0; i<count; i++) {
++ t = X509_ATTRIBUTE_get0_type(att, i);
++ s = t->value.asn1_string;
+ XPUSHs(sv_2mortal(newSViv(PTR2IV(s))));
+- }
+- else {
+- count = sk_ASN1_TYPE_num(att->value.set);
+- for (i=0; i<count; i++) {
+- s = (sk_ASN1_TYPE_value(att->value.set, i)->value.asn1_string);
+- XPUSHs(sv_2mortal(newSViv(PTR2IV(s))));
+- }
+- }
++ }
+
+ #endif
+
+@@ -4439,6 +4479,7 @@
+ const unsigned char * sid_ctx
+ unsigned int sid_ctx_len
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ void
+ SSL_CTX_set_tmp_rsa_callback(ctx, cb)
+ SSL_CTX * ctx
+@@ -4449,6 +4490,8 @@
+ SSL * ssl
+ cb_ssl_int_int_ret_RSA * cb
+
++#endif
++
+ void
+ SSL_CTX_set_tmp_dh_callback(ctx, dh)
+ SSL_CTX * ctx
+@@ -4526,6 +4569,7 @@
+ OUTPUT:
+ RETVAL
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ long
+ SSL_CTX_need_tmp_RSA(ctx)
+ SSL_CTX * ctx
+@@ -4534,6 +4578,8 @@
+ OUTPUT:
+ RETVAL
+
++#endif
++
+ int
+ SSL_CTX_set_app_data(ctx,arg)
+ SSL_CTX * ctx
+@@ -4575,11 +4621,14 @@
+ SSL_CTX * ctx
+ DH * dh
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ long
+ SSL_CTX_set_tmp_rsa(ctx,rsa)
+ SSL_CTX * ctx
+ RSA * rsa
+
++#endif
++
+ #if OPENSSL_VERSION_NUMBER > 0x10000000L && !defined OPENSSL_NO_EC
+
+ EC_KEY *
+@@ -4591,12 +4640,55 @@
+ EC_KEY * key
+
+ long
+-SSL_CTX_set_tmp_ecdh(ctx,ecdh);
++SSL_CTX_set_tmp_ecdh(ctx,ecdh)
+ SSL_CTX * ctx
+ EC_KEY * ecdh
+
++int
++EVP_PKEY_assign_EC_KEY(pkey,key)
++ EVP_PKEY * pkey
++ EC_KEY * key
++
++
++EC_KEY *
++EC_KEY_generate_key(curve)
++ SV *curve;
++ CODE:
++ EC_GROUP *group = NULL;
++ EC_KEY *eckey = NULL;
++ int nid;
++
++ RETVAL = 0;
++ if (SvIOK(curve)) {
++ nid = SvIV(curve);
++ } else {
++ nid = OBJ_sn2nid(SvPV_nolen(curve));
++#if OPENSSL_VERSION_NUMBER > 0x10002000L
++ if (!nid) nid = EC_curve_nist2nid(SvPV_nolen(curve));
+ #endif
++ if (!nid) croak("unknown curve %s",SvPV_nolen(curve));
++ }
+
++ group = EC_GROUP_new_by_curve_name(nid);
++ if (!group) croak("unknown curve nid=%d",nid);
++ EC_GROUP_set_asn1_flag(group,OPENSSL_EC_NAMED_CURVE);
++
++ eckey = EC_KEY_new();
++ if ( eckey
++ && EC_KEY_set_group(eckey, group)
++ && EC_KEY_generate_key(eckey)) {
++ RETVAL = eckey;
++ } else {
++ if (eckey) EC_KEY_free(eckey);
++ }
++ if (group) EC_GROUP_free(group);
++
++ OUTPUT:
++ RETVAL
++
++
++#endif
++
+ void *
+ SSL_get_app_data(s)
+ SSL * s
+@@ -4622,25 +4714,20 @@
+ OUTPUT:
+ RETVAL
+
+-int
+-SSL_get_state(ssl)
+- SSL * ssl
+- CODE:
+- RETVAL = SSL_state(ssl);
+- OUTPUT:
+- RETVAL
+-
+ void
+ SSL_set_state(ssl,state)
+ SSL * ssl
+ int state
+ CODE:
+-#ifdef OPENSSL_NO_SSL_INTERN
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ /* not available */
++#elif defined(OPENSSL_NO_SSL_INTERN)
+ SSL_set_state(ssl,state);
+ #else
+ ssl->state = state;
+ #endif
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ long
+ SSL_need_tmp_RSA(ssl)
+ SSL * ssl
+@@ -4649,6 +4736,9 @@
+ OUTPUT:
+ RETVAL
+
++
++#endif
++
+ long
+ SSL_num_renegotiations(ssl)
+ SSL * ssl
+@@ -4668,10 +4758,6 @@
+ long
+ SSL_session_reused(ssl)
+ SSL * ssl
+- CODE:
+- RETVAL = SSL_ctrl(ssl,SSL_CTRL_GET_SESSION_REUSED,0,NULL);
+- OUTPUT:
+- RETVAL
+
+ int
+ SSL_SESSION_set_app_data(s,a)
+@@ -4714,6 +4800,7 @@
+ SSL * ssl
+ DH * dh
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ long
+ SSL_set_tmp_rsa(ssl,rsa)
+ SSL * ssl
+@@ -4723,6 +4810,7 @@
+ OUTPUT:
+ RETVAL
+
++#endif
+
+ #ifdef __ANDROID__
+
+@@ -4855,13 +4943,33 @@
+ OUTPUT:
+ RETVAL
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ void
+ SSL_SESSION_get_master_key(s)
+ SSL_SESSION * s
++ PREINIT:
++ size_t master_key_length;
++ unsigned char* master_key;
+ CODE:
+ ST(0) = sv_newmortal(); /* Undefined to start with */
++ master_key_length = SSL_SESSION_get_master_key(s, 0, 0); /* get the length */
++ New(0, master_key, master_key_length, unsigned char);
++ SSL_SESSION_get_master_key(s, master_key, master_key_length);
++ sv_setpvn(ST(0), (const char*)master_key, master_key_length);
++ Safefree(master_key);
++
++#else
++void
++SSL_SESSION_get_master_key(s)
++ SSL_SESSION * s
++ CODE:
++ ST(0) = sv_newmortal(); /* Undefined to start with */
+ sv_setpvn(ST(0), (const char*)s->master_key, s->master_key_length);
+
++#endif
++
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++
+ void
+ SSL_SESSION_set_master_key(s,key)
+ SSL_SESSION * s
+@@ -4873,24 +4981,80 @@
+ memcpy(s->master_key, key, len);
+ s->master_key_length = len;
+
++#endif
++
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++
+ void
+ SSL_get_client_random(s)
+ SSL * s
++ PREINIT:
++ size_t random_length;
++ unsigned char* random_data;
+ CODE:
+ ST(0) = sv_newmortal(); /* Undefined to start with */
++ random_length = SSL_get_client_random(s, 0, 0); /* get the length */
++ New(0, random_data, random_length, unsigned char);
++ SSL_get_client_random(s, random_data, random_length);
++ sv_setpvn(ST(0), (const char*)random_data, random_length);
++ Safefree(random_data);
++
++#else
++
++void
++SSL_get_client_random(s)
++ SSL * s
++ CODE:
++ ST(0) = sv_newmortal(); /* Undefined to start with */
+ sv_setpvn(ST(0), (const char*)s->s3->client_random, SSL3_RANDOM_SIZE);
+
++#endif
++
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++
+ void
+ SSL_get_server_random(s)
+ SSL * s
++ PREINIT:
++ size_t random_length;
++ unsigned char* random_data;
+ CODE:
+ ST(0) = sv_newmortal(); /* Undefined to start with */
++ random_length = SSL_get_server_random(s, 0, 0); /* get the length */
++ New(0, random_data, random_length, unsigned char);
++ SSL_get_server_random(s, random_data, random_length);
++ sv_setpvn(ST(0), (const char*)random_data, random_length);
++ Safefree(random_data);
++
++#else
++
++void
++SSL_get_server_random(s)
++ SSL * s
++ CODE:
++ ST(0) = sv_newmortal(); /* Undefined to start with */
+ sv_setpvn(ST(0), (const char*)s->s3->server_random, SSL3_RANDOM_SIZE);
+
++#endif
++
+ int
+ SSL_get_keyblock_size(s)
+ SSL * s
+ CODE:
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ const SSL_CIPHER *ssl_cipher;
++ int cipher, digest;
++ const EVP_CIPHER *c;
++ const EVP_MD *h;
++
++ ssl_cipher = SSL_get_current_cipher(s);
++ cipher = SSL_CIPHER_get_cipher_nid(ssl_cipher);
++ digest = SSL_CIPHER_get_digest_nid(ssl_cipher);
++ c = EVP_get_cipherbynid(cipher);
++ h = EVP_get_digestbynid(digest);
++ RETVAL = 2 * (EVP_CIPHER_key_length(c) + EVP_MD_size(h) +
++ EVP_CIPHER_iv_length(c));
++#else
+ if (s == NULL ||
+ s->enc_read_ctx == NULL ||
+ s->enc_read_ctx->cipher == NULL ||
+@@ -4919,6 +5083,8 @@
+ EVP_CIPHER_iv_length(c)))
+ : -1;
+ }
++#endif
++
+ OUTPUT:
+ RETVAL
+
+@@ -4956,9 +5122,7 @@
+ else {
+ cb_data_advanced_put(s, "ssleay_session_secret_cb!!func", newSVsv(callback));
+ cb_data_advanced_put(s, "ssleay_session_secret_cb!!data", newSVsv(data));
+- SSL_set_session_secret_cb(s, (int (*)(SSL *s, void *secret, int *secret_len,
+- STACK_OF(SSL_CIPHER) *peer_ciphers,
+- SSL_CIPHER **cipher, void *arg))&ssleay_session_secret_cb_invoke, s);
++ SSL_set_session_secret_cb(s, (tls_session_secret_cb_fn)&ssleay_session_secret_cb_invoke, s);
+ }
+
+ #endif
+@@ -5382,7 +5546,11 @@
+ P_X509_get_signature_alg(x)
+ X509 * x
+ CODE:
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ RETVAL = (X509_get0_tbs_sigalg(x)->algorithm);
++#else
+ RETVAL = (x->cert_info->signature->algorithm);
++#endif
+ OUTPUT:
+ RETVAL
+
+@@ -5389,8 +5557,17 @@
+ ASN1_OBJECT *
+ P_X509_get_pubkey_alg(x)
+ X509 * x
++ PREINIT:
+ CODE:
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ {
++ X509_ALGOR * algor;
++ X509_PUBKEY_get0_param(0, 0, 0, &algor, X509_get_X509_PUBKEY(x));
++ RETVAL = (algor->algorithm);
++ }
++#else
+ RETVAL = (x->cert_info->key->algor->algorithm);
++#endif
+ OUTPUT:
+ RETVAL
+
+@@ -5705,8 +5882,7 @@
+ * response does not contain the chain up to the trusted root */
+ STACK_OF(X509) *chain = SSL_get_peer_cert_chain(ssl);
+ for(i=0;i<sk_X509_num(chain);i++) {
+- if (!bsr->certs) bsr->certs = sk_X509_new_null();
+- sk_X509_push(bsr->certs,X509_dup(sk_X509_value(chain,i)));
++ OCSP_basic_add1_cert(bsr, sk_X509_value(chain,i));
+ }
+ TRACE(1,"run basic verify");
+ RETVAL = OCSP_basic_verify(bsr, NULL, store, flags);
+@@ -5718,7 +5894,7 @@
+ X509 *issuer;
+ X509 *last = sk_X509_value(chain,sk_X509_num(chain)-1);
+ if ( (issuer = find_issuer(last,store,chain))) {
+- sk_X509_push(bsr->certs,X509_dup(issuer));
++ OCSP_basic_add1_cert(bsr, X509_dup(issuer));
+ TRACE(1,"run OCSP_basic_verify with issuer for last chain element");
+ RETVAL = OCSP_basic_verify(bsr, NULL, store, flags);
+ }
+@@ -5736,7 +5912,6 @@
+ OCSP_BASICRESP *bsr;
+ int i,want_array;
+ time_t nextupd = 0;
+- STACK_OF(OCSP_SINGLERESP) *sks;
+ int getall,sksn;
+
+ bsr = OCSP_response_get1_basic(rsp);
+@@ -5744,8 +5919,7 @@
+
+ want_array = (GIMME == G_ARRAY);
+ getall = (items <= 1);
+- sks = bsr->tbsResponseData->responses;
+- sksn = sk_OCSP_SINGLERESP_num(sks);
++ sksn = OCSP_resp_count(bsr);
+
+ for(i=0; i < (getall ? sksn : items-1); i++) {
+ const char *error = NULL;
+@@ -5754,9 +5928,8 @@
+ SV *idsv = NULL;
+
+ if(getall) {
+- sir = sk_OCSP_SINGLERESP_value(sks,i);
++ sir = OCSP_resp_get0(bsr,i);
+ } else {
+- int k;
+ STRLEN len;
+ const unsigned char *p;
+
+@@ -5767,22 +5940,36 @@
+ error = "failed to get OCSP certid from string";
+ goto end;
+ }
+- for(k=0;k<sksn;k++) {
+- if (!OCSP_id_cmp(certid,sk_OCSP_SINGLERESP_value(sks,k)->certId)) {
+- sir = sk_OCSP_SINGLERESP_value(sks,k);
+- break;
+- }
++ int first = OCSP_resp_find(bsr, certid, -1); /* Find the first matching */
++ if (first >= 0)
++ {
++ sir = OCSP_resp_get0(bsr,first);
++ break;
+ }
+ }
+
+- if (!sir) {
+- error = "cannot find entry for certificate in OCSP response";
+- } else if (!OCSP_check_validity(sir->thisUpdate,sir->nextUpdate,0,-1)) {
+- error = "response not yet valid or expired";
+- } else if (sir->certStatus->type == V_OCSP_CERTSTATUS_REVOKED) {
+- error = "certificate status is revoked";
+- } else if (sir->certStatus->type != V_OCSP_CERTSTATUS_GOOD) {
+- error = "certificate status is unknown";
++ int status, revocationReason;
++ ASN1_GENERALIZEDTIME *revocationTime, *thisupdate, *nextupdate;
++ if (sir)
++ {
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ status = OCSP_single_get0_status(sir, &revocationReason, &revocationTime, &thisupdate, &nextupdate);
++#else
++ status = sir->certStatus->type;
++ revocationTime = sir->certStatus->value.revoked->revocationTime;
++ thisupdate = sir->thisUpdate;
++ nextupdate = sir->nextUpdate;
++#endif
++ if (status == V_OCSP_CERTSTATUS_REVOKED) {
++ error = "certificate status is revoked";
++ } else if (status != V_OCSP_CERTSTATUS_GOOD) {
++ error = "certificate status is unknown";
++ }
++ else if (!OCSP_check_validity(thisupdate, nextupdate, 0, -1)) {
++ error = "response not yet valid or expired";
++ }
++ } else {
++ error = "cannot find entry for certificate in OCSP response";
+ }
+
+ end:
+@@ -5791,12 +5978,20 @@
+ if (!idsv) {
+ /* getall: create new SV with OCSP_CERTID */
+ unsigned char *pi,*pc;
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ int len = i2d_OCSP_CERTID(OCSP_SINGLERESP_get0_id(sir),NULL);
++#else
+ int len = i2d_OCSP_CERTID(sir->certId,NULL);
++#endif
+ if(!len) continue;
+ Newx(pc,len,unsigned char);
+ if (!pc) croak("out of memory");
+ pi = pc;
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ i2d_OCSP_CERTID(OCSP_SINGLERESP_get0_id(sir),&pi);
++#else
+ i2d_OCSP_CERTID(sir->certId,&pi);
++#endif
+ idsv = newSVpv((char*)pc,len);
+ Safefree(pc);
+ } else {
+@@ -5809,26 +6004,26 @@
+ HV *details = newHV();
+ av_push(idav,newRV_noinc((SV*)details));
+ hv_store(details,"statusType",10,
+- newSViv(sir->certStatus->type),0);
+- if (sir->nextUpdate) hv_store(details,"nextUpdate",10,
+- newSViv(ASN1_TIME_timet(sir->nextUpdate)),0);
+- if (sir->thisUpdate) hv_store(details,"thisUpdate",10,
+- newSViv(ASN1_TIME_timet(sir->thisUpdate)),0);
+- if (sir->certStatus->type == V_OCSP_CERTSTATUS_REVOKED) {
++ newSViv(status),0);
++ if (nextupdate) hv_store(details,"nextUpdate",10,
++ newSViv(ASN1_TIME_timet(nextupdate)),0);
++ if (thisupdate) hv_store(details,"thisUpdate",10,
++ newSViv(ASN1_TIME_timet(thisupdate)),0);
++ if (status == V_OCSP_CERTSTATUS_REVOKED) {
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ OCSP_REVOKEDINFO *rev = sir->certStatus->value.revoked;
+- hv_store(details,"revocationTime",14,newSViv(
+- ASN1_TIME_timet(rev->revocationTime)),0);
+- hv_store(details,"revocationReason",16,newSViv(
+- ASN1_ENUMERATED_get(rev->revocationReason)),0);
++ revocationReason = ASN1_ENUMERATED_get(rev->revocationReason);
++#endif
++ hv_store(details,"revocationTime",14,newSViv(ASN1_TIME_timet(revocationTime)),0);
++ hv_store(details,"revocationReason",16,newSViv(revocationReason),0);
+ hv_store(details,"revocationReason_str",20,newSVpv(
+- OCSP_crl_reason_str(ASN1_ENUMERATED_get(
+- rev->revocationReason)),0),0);
++ OCSP_crl_reason_str(revocationReason),0),0);
+ }
+ }
+ XPUSHs(sv_2mortal(newRV_noinc((SV*)idav)));
+ } else if (!error) {
+ /* compute lowest nextUpdate */
+- time_t nu = ASN1_TIME_timet(sir->nextUpdate);
++ time_t nu = ASN1_TIME_timet(nextupdate);
+ if (!nextupd || nextupd>nu) nextupd = nu;
+ }
+
+Index: t/local/32_x509_get_cert_info.t
+===================================================================
+--- a/t/local/32_x509_get_cert_info.t (revision 465)
++++ b/t/local/32_x509_get_cert_info.t (working copy)
+@@ -175,7 +175,7 @@
+ }
+
+ SKIP: {
+- skip('crl_distribution_points requires 0.9.7+', scalar(@{$dump->{$f}->{cdp}})+1) unless Net::SSLeay::SSLeay >= 0x0090700f;
++ skip('crl_distribution_points requires 0.9.7+', int(@{$dump->{$f}->{cdp}})+1) unless Net::SSLeay::SSLeay >= 0x0090700f;
+ my @cdp = Net::SSLeay::P_X509_get_crl_distribution_points($x509);
+ is(scalar(@cdp), scalar(@{$dump->{$f}->{cdp}}), "cdp size\t$f");
+ for my $i (0..$#cdp) {
+Index: t/local/35_ephemeral.t
+===================================================================
+--- a/t/local/35_ephemeral.t (revision 465)
++++ b/t/local/35_ephemeral.t (working copy)
+@@ -6,7 +6,7 @@
+ use Net::SSLeay;
+
+ BEGIN {
+- plan skip_all => "libressl removed support for ephemeral/temporary RSA private keys" if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER");
++ plan skip_all => "libressl and OpenSSL 1.1 removed support for ephemeral/temporary RSA private keys" if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") || $Net::SSLeay::VERSION > 1.74;
+ }
+
+ plan tests => 3;
+Index: t/local/63_ec_key_generate_key.t
+===================================================================
+--- a/t/local/63_ec_key_generate_key.t (revision 0)
++++ b/t/local/63_ec_key_generate_key.t (revision 469)
+@@ -0,0 +1,35 @@
++#!/usr/bin/perl
++
++use strict;
++use warnings;
++use Test::More;
++use Net::SSLeay;
++
++if (!defined &Net::SSLeay::EC_KEY_generate_key) {
++ plan skip_all => "no suport for ECC in your OpenSSL";
++ exit(0);
++}
++
++plan tests => 4;
++
++Net::SSLeay::randomize();
++Net::SSLeay::load_error_strings();
++Net::SSLeay::ERR_load_crypto_strings();
++Net::SSLeay::SSLeay_add_ssl_algorithms();
++
++my $ec = Net::SSLeay::EC_KEY_generate_key('prime256v1');
++ok($ec,'EC key created');
++
++if ($ec) {
++ my $key = Net::SSLeay::EVP_PKEY_new();
++ my $rv = Net::SSLeay::EVP_PKEY_assign_EC_KEY($key,$ec);
++ ok($rv,'EC key assigned to PKEY');
++
++ my $pem = Net::SSLeay::PEM_get_string_PrivateKey($key);
++ ok( $pem =~m{^---.* PRIVATE KEY}m, "output key as PEM");
++
++ my $bio = Net::SSLeay::BIO_new( Net::SSLeay::BIO_s_mem());
++ Net::SSLeay::BIO_write($bio,$pem);
++ my $newkey = Net::SSLeay::PEM_read_bio_PrivateKey($bio);
++ ok($newkey,"read key again from PEM");
++}
+Index: lib/Net/SSLeay.pod
+===================================================================
+--- a/lib/Net/SSLeay.pod (revision 465)
++++ b/lib/Net/SSLeay.pod (working copy)
+@@ -44,6 +44,8 @@
+ to use at least 0.9.7 (as older versions are not tested during development). Some low level API functions
+ may be available with certain openssl versions.
+
++It is compatible with OpenSSL 1.0 and 1.1. Some functions are not available under OpenSSL 1.1.
++
+ L<Net::SSLeay> module basically comprise of:
+
+ =over
+@@ -1393,8 +1395,8 @@
+
+ Set the key referenced by $pkey to $key
+
+-B<NOTE:> In accordance with the OpenSSL naming convention the $key assigned
+-to the $pkey using the "1" functions must be freed as well as $pkey.
++B<NOTE:> No reference counter will be increased, i.e. $key will be freed if
++$pkey is freed.
+
+ my $rv = Net::SSLeay::EVP_PKEY_assign_RSA($pkey, $key);
+ # $pkey - value corresponding to openssl's EVP_PKEY structure
+@@ -1402,8 +1404,25 @@
+ #
+ # returns: 1 on success, 0 on failure
+
+-Check openssl doc L<http://www.openssl.org/docs/crypto/EVP_PKEY_set1_RSA.html|http://www.openssl.org/docs/crypto/EVP_PKEY_set1_RSA.html>
++Check openssl doc L<http://www.openssl.org/docs/crypto/EVP_PKEY_assign_RSA.html|http://www.openssl.org/docs/crypto/EVP_PKEY_assign_RSA.html>
++
++=item * EVP_PKEY_assign_EC_KEY
+
++B<COMPATIBILITY:> not available in Net-SSLeay-1.74 and before
++
++Set the key referenced by $pkey to $key
++
++B<NOTE:> No reference counter will be increased, i.e. $key will be freed if
++$pkey is freed.
++
++ my $rv = Net::SSLeay::EVP_PKEY_assign_EC_KEY($pkey, $key);
++ # $pkey - value corresponding to openssl's EVP_PKEY structure
++ # $key - value corresponding to openssl's EC_KEY structure
++ #
++ # returns: 1 on success, 0 on failure
++
++Check openssl doc L<http://www.openssl.org/docs/crypto/EVP_PKEY_assign_EC_KEY.html|http://www.openssl.org/docs/crypto/EVP_PKEY_assign_EC_KEY.html>
++
+ =item * EVP_PKEY_bits
+
+ B<COMPATIBILITY:> not available in Net-SSLeay-1.45 and before
+@@ -1844,6 +1863,11 @@
+ #
+ # returns: no return value
+
++Not available with OpenSSL 1.1 and later.
++Code that previously used
++ SESSION_set_master_key must now set $secret in the session_secret
++ callback set with SSL_set_session_secret_cb.
++
+ =item * SESSION_get_time
+
+ Returns the time at which the session s was established.
+@@ -2447,6 +2471,8 @@
+ #
+ # returns: result of SSL_CTRL_NEED_TMP_RSA command
+
++Not available with OpenSSL 1.1 and later.
++
+ =item * CTX_new
+
+ The same as L</CTX_v23_new>
+@@ -2457,6 +2483,8 @@
+
+ Check openssl doc L<http://www.openssl.org/docs/ssl/SSL_CTX_new.html|http://www.openssl.org/docs/ssl/SSL_CTX_new.html>
+
++Not available with OpenSSL 1.1 and later.
++
+ =item * CTX_v2_new
+
+ Creates a new SSL_CTX object - based on SSLv2_method() - as framework to establish TLS/SSL enabled connections.
+@@ -2906,6 +2934,8 @@
+
+ Check openssl doc L<http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_rsa_callback.html|http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_rsa_callback.html>
+
++Not available with OpenSSL 1.1 and later.
++
+ =item * CTX_set_tmp_rsa_callback
+
+ Sets the callback function for ctx to be used when a temporary/ephemeral RSA key is required to $tmp_rsa_callback.
+@@ -2920,6 +2950,8 @@
+
+ Check openssl doc L<http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_rsa_callback.html|http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_rsa_callback.html>
+
++Not available with OpenSSL 1.1 and later.
++
+ =item * CTX_set_trust
+
+ my $rv = Net::SSLeay::CTX_set_trust($s, $trust);
+@@ -3436,10 +3468,10 @@
+
+ =item * get_keyblock_size
+
++Gets the length of the TLS keyblock.
++
+ B<NOTE:> Does not exactly correspond to any low level API function.
+
+-??? (more info needed)
+-
+ my $rv = Net::SSLeay::get_keyblock_size($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+@@ -3680,6 +3712,8 @@
+
+ Net::SSLeay::set_state($ssl,Net::SSLeay::SSL_ST_ACCEPT());
+
++Not available with OpenSSL 1.1 and later.
++
+ =item * get_verify_depth
+
+ Returns the verification depth limit currently set in $ssl.
+@@ -3829,6 +3863,8 @@
+ #
+ # returns: command result
+
++Not available with OpenSSL 1.1 and later.
++
+ =item * num_renegotiations
+
+ Executes SSL_CTRL_GET_NUM_RENEGOTIATIONS command on $ssl.
+@@ -4131,6 +4167,21 @@
+ #
+ # returns: no return value
+
++The callback function will be called like:
++callback_function($secret, $ciphers, $pref_cipher, $data);
++
++# $secret is the current master session key, usually all 0s at the beginning of a session
++# $ciphers is ref to an array of peer cipher names
++# $pref_cipher is a ref to an index into the list of cipher names of
++# the preferred cipher. Set it if you want to specify a preferred cipher
++# $data is the data passed to set_session_secret_cb
++
++The callback function should return 1 if it likes the suggested cipher (or has selected an alternative
++by setting pref_cipher), else it should return 0 (in which case OpenSSL will select its own preferred cipher).
++
++With OpenSSL 1.1 and later, callback_function can change the master key for the session by
++altering $secret and returning 1.
++
+ =item * set_shutdown
+
+ Sets the shutdown state of $ssl to $mode.
+@@ -7961,6 +8012,23 @@
+
+ TBA
+
++=item * EC_KEY_generate_key
++
++Generates a EC key and returns it in a newly allocated EC_KEY structure.
++The EC key then can be used to create a PKEY which can be used in calls
++like X509_set_pubkey.
++
++ my $key = Net::SSLeay::EVP_PKEY_new();
++ my $ec = Net::SSLeay::EC_KEY_generate_key($curve);
++ Net::SSLeay::EVP_PKEY_assign_EC_KEY($key,$ec);
++
++ # $curve - curve name like 'secp521r1' or the matching Id (integer) of the curve
++ #
++ # returns: value corresponding to openssl's EC_KEY structure (0 on failure)
++
++This function has no equivalent in OpenSSL but combines multiple OpenSSL
++functions for an easier interface.
++
+ =back
+
+
diff --git a/debian/patches/series b/debian/patches/series
index a147a3a..9cc133e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
0001-fix-typo-in-manpage.patch
20no-stray-libz-link.patch
+openssl-1.1.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libnet-ssleay-perl.git
More information about the Pkg-perl-cvs-commits
mailing list