diff --git a/AUTHORS b/AUTHORS
index fcb43a7b32ca..d8a6b6081441 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -730,6 +730,7 @@ John W. Krahn
 John Wright
 Johnny Lam
 Jon Eveland
+Jon Gentle
 Jon Gunnip
 Jon Orwant
 Jonathan Biggar
diff --git a/Configure b/Configure
index 88658048280a..4c1298a92392 100755
--- a/Configure
+++ b/Configure
@@ -1093,6 +1093,7 @@ i_utime=''
 i_vfork=''
 i_wchar=''
 i_wctype=''
+i_ssl=''
 d_inc_version_list=''
 inc_version_list=''
 inc_version_list_init=''
@@ -24069,6 +24070,18 @@ esac
 set wchar.h i_wchar
 eval $inhdr
+: see if openssl/ssl.h is available
+: right now, we cannot compile Net::SSLeay with a c++ compiler
+set openssl/ssl.h i_ssl
+eval $inhdr
+case "$i_ssl" in
+"$define")
+ case "$d_cplusplus" in
+ "$define") i_ssl="$undef" ;;
+ esac
+ ;;
+esac
+
+: Check extensions
 echo " "
 echo "Looking for extensions..." >&4
@@ -24173,6 +24186,11 @@ for xxx in $xs_extensions ; do
 *"${define}"*) avail_ext="$avail_ext $xxx" ;;
 esac
 ;;
+ Net/SSLeay|net/ssleay)
+ case "$i_ssl" in
+ $define) avail_ext="$avail_ext $xxx" ;;
+ esac
+ ;;
 NDBM_File|ndbm_fil)
 case "$d_ndbm" in
 $define)
@@ -24317,6 +24335,11 @@ esac
 nonxs_ext=''
 for xxx in $nonxs_extensions ; do
 case "$xxx" in
+ IO/Socket/SSL|io/socket/ssl)
+ case "$i_ssl" in
+ $define) nonxs_ext="$nonxs_ext $xxx" ;;
+ esac
+ ;;
 VMS*) ;;
 *) nonxs_ext="$nonxs_ext $xxx"
diff --git a/MANIFEST b/MANIFEST
index f370602ab857..ccdb1b958525 100644
--- a/MANIFEST
+++ b/MANIFEST
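Review bot: The `set openssl/ssl.h i_ssl` / `eval $inhdr` probe only establishes that the header is present, yet `$i_ssl` alone then decides, in the two extension hunks further down this line, whether Net/SSLeay and IO/Socket/SSL are built; a host with OpenSSL development headers but no linkable libssl/libcrypto, or headers from a different OpenSSL than the installed library, passes this probe and only fails later inside the Net::SSLeay build. A link test against the SSL libraries before `$i_ssl` is left at `$define` would catch that at Configure time. The C++ fallback also clears `$i_ssl` silently; the surrounding code reports its decisions on fd 4, so a line such as `echo "openssl/ssl.h found, but Net::SSLeay cannot be built with a C++ compiler; skipping it." >&4` inside the `"$define")` branch would tell the user why SSL support vanished. Finally, the two extension hunks match `$define)` unquoted while this hunk writes `"$define")`; one form throughout would be clearer.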
@@ -1230,6 +1230,76 @@ cpan/IO-Socket-IP/t/22timeout.t
 cpan/IO-Socket-IP/t/30nonblocking-connect.t IO::Socket::IP tests
 cpan/IO-Socket-IP/t/31nonblocking-connect-internet.t IO::Socket::IP tests
 cpan/IO-Socket-IP/t/99pod.t IO::Socket::IP tests
+cpan/IO-Socket-SSL/lib/IO/Socket/SSL.pm
+cpan/IO-Socket-SSL/lib/IO/Socket/SSL.pod
+cpan/IO-Socket-SSL/lib/IO/Socket/SSL/Intercept.pm
+cpan/IO-Socket-SSL/lib/IO/Socket/SSL/PublicSuffix.pm
+cpan/IO-Socket-SSL/lib/IO/Socket/SSL/Utils.pm
+cpan/IO-Socket-SSL/t/01loadmodule.t
+cpan/IO-Socket-SSL/t/acceptSSL-timeout.t
+cpan/IO-Socket-SSL/t/alpn.t
+cpan/IO-Socket-SSL/t/auto_verify_hostname.t
+cpan/IO-Socket-SSL/t/cert_formats.t
+cpan/IO-Socket-SSL/t/cert_no_file.t
+cpan/IO-Socket-SSL/t/certs/client-cert.pem
+cpan/IO-Socket-SSL/t/certs/client-key.enc
+cpan/IO-Socket-SSL/t/certs/client-key.pem
+cpan/IO-Socket-SSL/t/certs/create-certs.pl
+cpan/IO-Socket-SSL/t/certs/proxyca.pem
+cpan/IO-Socket-SSL/t/certs/server.p12
+cpan/IO-Socket-SSL/t/certs/server-cert.der
+cpan/IO-Socket-SSL/t/certs/server-cert.pem
+cpan/IO-Socket-SSL/t/certs/server-ecc-cert.pem
+cpan/IO-Socket-SSL/t/certs/server-ecc-key.pem
+cpan/IO-Socket-SSL/t/certs/server-key.der
+cpan/IO-Socket-SSL/t/certs/server-key.enc
+cpan/IO-Socket-SSL/t/certs/server-key.pem
+cpan/IO-Socket-SSL/t/certs/server-wildcard.pem
+cpan/IO-Socket-SSL/t/certs/server2-cert.pem
+cpan/IO-Socket-SSL/t/certs/server2-key.pem
+cpan/IO-Socket-SSL/t/certs/server_enc.p12
+cpan/IO-Socket-SSL/t/certs/sub-server.pem
+cpan/IO-Socket-SSL/t/certs/test-ca.pem
+cpan/IO-Socket-SSL/t/certs/test-subca.pem
+cpan/IO-Socket-SSL/t/compatibility.t
+cpan/IO-Socket-SSL/t/connectSSL-timeout.t
+cpan/IO-Socket-SSL/t/core.t
+cpan/IO-Socket-SSL/t/dhe.t
+cpan/IO-Socket-SSL/t/ecdhe.t
+cpan/IO-Socket-SSL/t/external/fingerprint.pl
+cpan/IO-Socket-SSL/t/external/ocsp.t
+cpan/IO-Socket-SSL/t/external/usable_ca.t
+cpan/IO-Socket-SSL/t/io-socket-inet6.t
+cpan/IO-Socket-SSL/t/io-socket-ip.t
+cpan/IO-Socket-SSL/t/memleak_bad_handshake.t
+cpan/IO-Socket-SSL/t/mitm.t
+cpan/IO-Socket-SSL/t/multiple-cert-rsa-ecc.t
+cpan/IO-Socket-SSL/t/nonblock.t
+cpan/IO-Socket-SSL/t/npn.t
+cpan/IO-Socket-SSL/t/plain_upgrade_downgrade.t
+cpan/IO-Socket-SSL/t/protocol_version.t
+cpan/IO-Socket-SSL/t/public_suffix_lib.pl
+cpan/IO-Socket-SSL/t/public_suffix_lib_encode_idn.t
+cpan/IO-Socket-SSL/t/public_suffix_lib_libidn.t
+cpan/IO-Socket-SSL/t/public_suffix_lib_uri.t
+cpan/IO-Socket-SSL/t/public_suffix_ssl.t
+cpan/IO-Socket-SSL/t/readline.t
+cpan/IO-Socket-SSL/t/session_cache.t
+cpan/IO-Socket-SSL/t/session_ticket.t
+cpan/IO-Socket-SSL/t/sessions.t
+cpan/IO-Socket-SSL/t/set_curves.t
+cpan/IO-Socket-SSL/t/signal-readline.t
+cpan/IO-Socket-SSL/t/sni.t
+cpan/IO-Socket-SSL/t/sni_verify.t
+cpan/IO-Socket-SSL/t/start-stopssl.t
+cpan/IO-Socket-SSL/t/startssl.t
+cpan/IO-Socket-SSL/t/startssl-failed.t
+cpan/IO-Socket-SSL/t/sysread_write.t
+cpan/IO-Socket-SSL/t/testlib.pl
+cpan/IO-Socket-SSL/t/verify_fingerprint.t
+cpan/IO-Socket-SSL/t/verify_hostname.t
+cpan/IO-Socket-SSL/t/verify_hostname_standalone.t
+cpan/IO-Socket-SSL/t/verify_partial_chain.t
 cpan/IO-Zlib/t/basic.t Tests for IO::Zlib
 cpan/IO-Zlib/t/external.t Tests for IO::Zlib
 cpan/IO-Zlib/t/getc.t Tests for IO::Zlib
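Review bot: None of the 70 new MANIFEST entries in this hunk, nor the 196 `cpan/Net-SSLeay/...` entries in the next MANIFEST hunk, carries the description column that the neighbouring entries have (`cpan/IO-Zlib/t/basic.t Tests for IO::Zlib`). At least the library files deserve one, e.g. `cpan/IO-Socket-SSL/lib/IO/Socket/SSL.pm IO::Socket::SSL` and `cpan/Net-SSLeay/lib/Net/SSLeay.pm Net::SSLeay`. The private keys shipped under `t/certs/` here and as `t/data/*.key.*` in the Net-SSLeay hunk are test-PKI fixtures; a description such as `IO::Socket::SSL test PKI fixture` on those lines makes that status explicit to anyone scanning the tree for key material.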
@@ -1543,6 +1613,202 @@ cpan/Module-Metadata/t/lib/GeneratePackage.pm
 cpan/Module-Metadata/t/metadata.t
 cpan/Module-Metadata/t/taint.t
 cpan/Module-Metadata/t/version.t
+cpan/Net-SSLeay/constants.c
+cpan/Net-SSLeay/helper_script/constants.txt
+cpan/Net-SSLeay/helper_script/generate-test-pki
+cpan/Net-SSLeay/helper_script/pki.cfg
+cpan/Net-SSLeay/helper_script/update-exported-constants
+cpan/Net-SSLeay/inc/Test/Net/SSLeay.pm
+cpan/Net-SSLeay/inc/Test/Net/SSLeay/Socket.pm
+cpan/Net-SSLeay/lib/Net/SSLeay.pm
+cpan/Net-SSLeay/lib/Net/SSLeay.pod
+cpan/Net-SSLeay/lib/Net/SSLeay/Handle.pm
+cpan/Net-SSLeay/Makefile.PL
+cpan/Net-SSLeay/SSLeay.xs
+cpan/Net-SSLeay/t/data/binary-test.file
+cpan/Net-SSLeay/t/data/extended-cert.p12
+cpan/Net-SSLeay/t/data/extended-cert.cert.der
+cpan/Net-SSLeay/t/data/extended-cert.cert.dump
+cpan/Net-SSLeay/t/data/extended-cert.cert.pem
+cpan/Net-SSLeay/t/data/extended-cert.certchain.der
+cpan/Net-SSLeay/t/data/extended-cert.certchain.p12
+cpan/Net-SSLeay/t/data/extended-cert.certchain.pem
+cpan/Net-SSLeay/t/data/extended-cert.certchain.enc.p12
+cpan/Net-SSLeay/t/data/extended-cert.csr.der
+cpan/Net-SSLeay/t/data/extended-cert.csr.pem
+cpan/Net-SSLeay/t/data/extended-cert.enc.p12
+cpan/Net-SSLeay/t/data/extended-cert.key.der
+cpan/Net-SSLeay/t/data/extended-cert.key.pem
+cpan/Net-SSLeay/t/data/extended-cert.key.enc.der
+cpan/Net-SSLeay/t/data/extended-cert.key.enc.pem
+cpan/Net-SSLeay/t/data/intermediate-ca.p12
+cpan/Net-SSLeay/t/data/intermediate-ca.cert.der
+cpan/Net-SSLeay/t/data/intermediate-ca.cert.dump
+cpan/Net-SSLeay/t/data/intermediate-ca.cert.pem
+cpan/Net-SSLeay/t/data/intermediate-ca.certchain.der
+cpan/Net-SSLeay/t/data/intermediate-ca.certchain.p12
+cpan/Net-SSLeay/t/data/intermediate-ca.certchain.pem
+cpan/Net-SSLeay/t/data/intermediate-ca.certchain.enc.p12
+cpan/Net-SSLeay/t/data/intermediate-ca.crl.der
+cpan/Net-SSLeay/t/data/intermediate-ca.crl.pem
+cpan/Net-SSLeay/t/data/intermediate-ca.csr.der
+cpan/Net-SSLeay/t/data/intermediate-ca.csr.pem
+cpan/Net-SSLeay/t/data/intermediate-ca.enc.p12
+cpan/Net-SSLeay/t/data/intermediate-ca.key.der
+cpan/Net-SSLeay/t/data/intermediate-ca.key.pem
+cpan/Net-SSLeay/t/data/intermediate-ca.key.enc.der
+cpan/Net-SSLeay/t/data/intermediate-ca.key.enc.pem
+cpan/Net-SSLeay/t/data/revoked-cert.p12
+cpan/Net-SSLeay/t/data/revoked-cert.cert.der
+cpan/Net-SSLeay/t/data/revoked-cert.cert.dump
+cpan/Net-SSLeay/t/data/revoked-cert.cert.pem
+cpan/Net-SSLeay/t/data/revoked-cert.certchain.der
+cpan/Net-SSLeay/t/data/revoked-cert.certchain.p12
+cpan/Net-SSLeay/t/data/revoked-cert.certchain.pem
+cpan/Net-SSLeay/t/data/revoked-cert.certchain.enc.p12
+cpan/Net-SSLeay/t/data/revoked-cert.csr.der
+cpan/Net-SSLeay/t/data/revoked-cert.csr.pem
+cpan/Net-SSLeay/t/data/revoked-cert.enc.p12
+cpan/Net-SSLeay/t/data/revoked-cert.key.der
+cpan/Net-SSLeay/t/data/revoked-cert.key.pem
+cpan/Net-SSLeay/t/data/revoked-cert.key.enc.der
+cpan/Net-SSLeay/t/data/revoked-cert.key.enc.pem
+cpan/Net-SSLeay/t/data/root-ca.p12
+cpan/Net-SSLeay/t/data/root-ca.cert.der
+cpan/Net-SSLeay/t/data/root-ca.cert.dump
+cpan/Net-SSLeay/t/data/root-ca.cert.pem
+cpan/Net-SSLeay/t/data/root-ca.certchain.der
+cpan/Net-SSLeay/t/data/root-ca.certchain.p12
+cpan/Net-SSLeay/t/data/root-ca.certchain.pem
+cpan/Net-SSLeay/t/data/root-ca.certchain.enc.p12
+cpan/Net-SSLeay/t/data/root-ca.csr.der
+cpan/Net-SSLeay/t/data/root-ca.csr.pem
+cpan/Net-SSLeay/t/data/root-ca.enc.p12
+cpan/Net-SSLeay/t/data/root-ca.key.der
+cpan/Net-SSLeay/t/data/root-ca.key.pem
+cpan/Net-SSLeay/t/data/root-ca.key.enc.der
+cpan/Net-SSLeay/t/data/root-ca.key.enc.pem
+cpan/Net-SSLeay/t/data/simple-cert.p12
+cpan/Net-SSLeay/t/data/simple-cert.cert.der
+cpan/Net-SSLeay/t/data/simple-cert.cert.dump
+cpan/Net-SSLeay/t/data/simple-cert.cert.pem
+cpan/Net-SSLeay/t/data/simple-cert.certchain.der
+cpan/Net-SSLeay/t/data/simple-cert.certchain.p12
+cpan/Net-SSLeay/t/data/simple-cert.certchain.pem
+cpan/Net-SSLeay/t/data/simple-cert.certchain.enc.p12
+cpan/Net-SSLeay/t/data/simple-cert.csr.der
+cpan/Net-SSLeay/t/data/simple-cert.csr.pem
+cpan/Net-SSLeay/t/data/simple-cert.enc.p12
+cpan/Net-SSLeay/t/data/simple-cert.key.der
+cpan/Net-SSLeay/t/data/simple-cert.key.pem
+cpan/Net-SSLeay/t/data/simple-cert.key.enc.der
+cpan/Net-SSLeay/t/data/simple-cert.key.enc.pem
+cpan/Net-SSLeay/t/data/strange-cert.p12
+cpan/Net-SSLeay/t/data/strange-cert.cert.der
+cpan/Net-SSLeay/t/data/strange-cert.cert.dump
+cpan/Net-SSLeay/t/data/strange-cert.cert.pem
+cpan/Net-SSLeay/t/data/strange-cert.certchain.der
+cpan/Net-SSLeay/t/data/strange-cert.certchain.p12
+cpan/Net-SSLeay/t/data/strange-cert.certchain.pem
+cpan/Net-SSLeay/t/data/strange-cert.certchain.enc.p12
+cpan/Net-SSLeay/t/data/strange-cert.csr.der
+cpan/Net-SSLeay/t/data/strange-cert.csr.pem
+cpan/Net-SSLeay/t/data/strange-cert.enc.p12
+cpan/Net-SSLeay/t/data/strange-cert.key.der
+cpan/Net-SSLeay/t/data/strange-cert.key.pem
+cpan/Net-SSLeay/t/data/strange-cert.key.enc.der
+cpan/Net-SSLeay/t/data/strange-cert.key.enc.pem
+cpan/Net-SSLeay/t/data/verify-ca.p12
+cpan/Net-SSLeay/t/data/verify-ca.cert.der
+cpan/Net-SSLeay/t/data/verify-ca.cert.dump
+cpan/Net-SSLeay/t/data/verify-ca.cert.pem
+cpan/Net-SSLeay/t/data/verify-ca.certchain.der
+cpan/Net-SSLeay/t/data/verify-ca.certchain.p12
+cpan/Net-SSLeay/t/data/verify-ca.certchain.pem
+cpan/Net-SSLeay/t/data/verify-ca.certchain.enc.p12
+cpan/Net-SSLeay/t/data/verify-ca.csr.der
+cpan/Net-SSLeay/t/data/verify-ca.csr.pem
+cpan/Net-SSLeay/t/data/verify-ca.enc.p12
+cpan/Net-SSLeay/t/data/verify-ca.key.der
+cpan/Net-SSLeay/t/data/verify-ca.key.pem
+cpan/Net-SSLeay/t/data/verify-ca.key.enc.der
+cpan/Net-SSLeay/t/data/verify-ca.key.enc.pem
+cpan/Net-SSLeay/t/data/verify-cert.p12
+cpan/Net-SSLeay/t/data/verify-cert.cert.der
+cpan/Net-SSLeay/t/data/verify-cert.cert.dump
+cpan/Net-SSLeay/t/data/verify-cert.cert.pem
+cpan/Net-SSLeay/t/data/verify-cert.certchain.der
+cpan/Net-SSLeay/t/data/verify-cert.certchain.p12
+cpan/Net-SSLeay/t/data/verify-cert.certchain.pem
+cpan/Net-SSLeay/t/data/verify-cert.certchain.enc.p12
+cpan/Net-SSLeay/t/data/verify-cert.csr.der
+cpan/Net-SSLeay/t/data/verify-cert.csr.pem
+cpan/Net-SSLeay/t/data/verify-cert.enc.p12
+cpan/Net-SSLeay/t/data/verify-cert.key.der
+cpan/Net-SSLeay/t/data/verify-cert.key.pem
+cpan/Net-SSLeay/t/data/verify-cert.key.enc.der
+cpan/Net-SSLeay/t/data/verify-cert.key.enc.pem
+cpan/Net-SSLeay/t/data/wildcard-cert.p12
+cpan/Net-SSLeay/t/data/wildcard-cert.cert.der
+cpan/Net-SSLeay/t/data/wildcard-cert.cert.dump
+cpan/Net-SSLeay/t/data/wildcard-cert.cert.pem
+cpan/Net-SSLeay/t/data/wildcard-cert.certchain.der
+cpan/Net-SSLeay/t/data/wildcard-cert.certchain.p12
+cpan/Net-SSLeay/t/data/wildcard-cert.certchain.pem
+cpan/Net-SSLeay/t/data/wildcard-cert.certchain.enc.p12
+cpan/Net-SSLeay/t/data/wildcard-cert.csr.der
+cpan/Net-SSLeay/t/data/wildcard-cert.csr.pem
+cpan/Net-SSLeay/t/data/wildcard-cert.enc.p12
+cpan/Net-SSLeay/t/data/wildcard-cert.key.der
+cpan/Net-SSLeay/t/data/wildcard-cert.key.pem
+cpan/Net-SSLeay/t/data/wildcard-cert.key.enc.der
+cpan/Net-SSLeay/t/data/wildcard-cert.key.enc.pem
+cpan/Net-SSLeay/t/external/ocsp.t
+cpan/Net-SSLeay/t/handle/external/10_destroy.t
+cpan/Net-SSLeay/t/handle/external/50_external.t
+cpan/Net-SSLeay/t/handle/local/05_use.t
+cpan/Net-SSLeay/t/local/03_use.t
+cpan/Net-SSLeay/t/local/04_basic.t
+cpan/Net-SSLeay/t/local/05_passwd_cb.t
+cpan/Net-SSLeay/t/local/06_tcpecho.t
+cpan/Net-SSLeay/t/local/07_sslecho.t
+cpan/Net-SSLeay/t/local/08_pipe.t
+cpan/Net-SSLeay/t/local/09_ctx_new.t
+cpan/Net-SSLeay/t/local/10_rand.t
+cpan/Net-SSLeay/t/local/11_read.t
+cpan/Net-SSLeay/t/local/15_bio.t
+cpan/Net-SSLeay/t/local/20_functions.t
+cpan/Net-SSLeay/t/local/21_constants.t
+cpan/Net-SSLeay/t/local/22_provider.t
+cpan/Net-SSLeay/t/local/22_provider_try_load.t
+cpan/Net-SSLeay/t/local/22_provider_try_load_zero_retain.t
+cpan/Net-SSLeay/t/local/30_error.t
+cpan/Net-SSLeay/t/local/31_rsa_generate_key.t
+cpan/Net-SSLeay/t/local/32_x509_get_cert_info.t
+cpan/Net-SSLeay/t/local/33_x509_create_cert.t
+cpan/Net-SSLeay/t/local/34_x509_crl.t
+cpan/Net-SSLeay/t/local/35_ephemeral.t
+cpan/Net-SSLeay/t/local/36_verify.t
+cpan/Net-SSLeay/t/local/37_asn1_time.t
+cpan/Net-SSLeay/t/local/38_priv-key.t
+cpan/Net-SSLeay/t/local/39_pkcs12.t
+cpan/Net-SSLeay/t/local/40_npn_support.t
+cpan/Net-SSLeay/t/local/41_alpn_support.t
+cpan/Net-SSLeay/t/local/42_info_callback.t
+cpan/Net-SSLeay/t/local/43_misc_functions.t
+cpan/Net-SSLeay/t/local/44_sess.t
+cpan/Net-SSLeay/t/local/45_exporter.t
+cpan/Net-SSLeay/t/local/46_msg_callback.t
+cpan/Net-SSLeay/t/local/47_keylog.t
+cpan/Net-SSLeay/t/local/50_digest.t
+cpan/Net-SSLeay/t/local/61_threads-cb-crash.t
+cpan/Net-SSLeay/t/local/62_threads-ctx_new-deadlock.t
+cpan/Net-SSLeay/t/local/63_ec_key_generate_key.t
+cpan/Net-SSLeay/t/local/64_ticket_sharing.t
+cpan/Net-SSLeay/t/local/65_security_level.t
+cpan/Net-SSLeay/t/local/65_ticket_sharing_2.t
+cpan/Net-SSLeay/t/local/66_curves.t
+cpan/Net-SSLeay/typemap
 cpan/NEXT/lib/NEXT.pm Pseudo-class NEXT for method redispatch
 cpan/NEXT/t/actual.t NEXT
 cpan/NEXT/t/actuns.t NEXT
diff --git a/Makefile.SH b/Makefile.SH
index ac05dee12044..0c8e9f934226 100755
--- a/Makefile.SH
+++ b/Makefile.SH
@@ -209,6 +209,7 @@ extra_dep='
 cpan/Pod-Simple/pm_to_blib: dist/if/pm_to_blib
 ext/Pod-Functions/pm_to_blib: cpan/Pod-Simple/pm_to_blib cpan/Pod-Escapes/pm_to_blib pod/perlfunc.pod
 cpan/IO-Compress/pm_to_blib: dist/lib/pm_to_blib
+cpan/IO-Socket-SSL: cpan/Net-SSLeay/pm_to_blib
 '
 for f in $dynamic_ext; do
 : the dependency named here will never exist
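Review bot: The new `extra_dep` line names the bare directory `cpan/IO-Socket-SSL` as its target, whereas every other line in the block names a `pm_to_blib` target on both sides (`cpan/IO-Compress/pm_to_blib: dist/lib/pm_to_blib`); unless `cpan/IO-Socket-SSL` is itself a make target elsewhere in Makefile.SH (not visible here), the dependency never attaches to the rule that builds the module, and a parallel build can start IO::Socket::SSL before Net::SSLeay's `pm_to_blib` exists. If the aim is that ordering, `cpan/IO-Socket-SSL/pm_to_blib: cpan/Net-SSLeay/pm_to_blib` follows the surrounding convention. The `extra_dep='` assignment opens before this hunk.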
@@ -1418,13 +1419,15 @@ _cleaner2:
 -rmdir ext/B/lib
 -rm -f dist/Time-HiRes/xdefine
 rm -f so_locations $(LIBPERL_NONSHR)
- -rmdir lib/version lib/threads lib/inc/ExtUtils lib/inc lib/encoding
- -rmdir lib/autodie/exception lib/autodie/Scope lib/autodie lib/XS
- -rmdir lib/Win32API lib/VMS lib/Unicode/Collate/Locale
- -rmdir lib/Unicode/Collate/CJK lib/Unicode/Collate lib/Tie/Hash
- -rmdir lib/Thread lib/Text lib/Test2/Util lib/Test2/Tools
- -rmdir lib/Test2/IPC/Driver lib/Test2/IPC lib/Test2/Hub/Interceptor
- -rmdir lib/Test2/Hub lib/Test2/Formatter lib/Test2/EventFacet/Info
+ -rmdir lib/version lib/threads lib/inc/Test/Net/SSLeay
+ -rmdir lib/inc/Test/Net lib/inc/Test lib/inc/ExtUtils lib/inc
+ -rmdir lib/encoding lib/autodie/exception lib/autodie/Scope
+ -rmdir lib/autodie lib/XS lib/Win32API lib/VMS
+ -rmdir lib/Unicode/Collate/Locale lib/Unicode/Collate/CJK
+ -rmdir lib/Unicode/Collate lib/Tie/Hash lib/Thread lib/Text
+ -rmdir lib/Test2/Util lib/Test2/Tools lib/Test2/IPC/Driver
+ -rmdir lib/Test2/IPC lib/Test2/Hub/Interceptor lib/Test2/Hub
+ -rmdir lib/Test2/Formatter lib/Test2/EventFacet/Info
 -rmdir lib/Test2/EventFacet lib/Test2/Event/TAP lib/Test2/Event
 -rmdir lib/Test2/API/InterceptResult lib/Test2/API lib/Test2
 -rmdir lib/Test/use lib/Test/Tester lib/Test/Builder/Tester
@@ -1436,19 +1439,19 @@ _cleaner2:
 -rmdir lib/TAP/Formatter lib/TAP lib/Sys/Syslog lib/Sys lib/Sub
 -rmdir lib/Search lib/Scalar lib/Pod/Text lib/Pod/Simple
 -rmdir lib/Pod/Perldoc lib/Pod/Html lib/PerlIO/via lib/PerlIO lib/Perl
- -rmdir lib/Parse/CPAN lib/Parse lib/Params lib/Net/FTP lib/Module/Load
- -rmdir lib/Module/CoreList lib/Module lib/Memoize lib/Math/BigRat
- -rmdir lib/Math/BigInt lib/Math/BigFloat lib/Math lib/MIME
- -rmdir lib/Locale/Maketext lib/Locale lib/List/Util lib/List
+ -rmdir lib/Parse/CPAN lib/Parse lib/Params lib/Net/SSLeay lib/Net/FTP
+ -rmdir lib/Module/Load lib/Module/CoreList lib/Module lib/Memoize
+ -rmdir lib/Math/BigRat lib/Math/BigInt lib/Math/BigFloat lib/Math
+ -rmdir lib/MIME lib/Locale/Maketext lib/Locale lib/List/Util lib/List
 -rmdir lib/JSON/PP lib/JSON lib/IPC lib/IO/Uncompress/Adapter
- -rmdir lib/IO/Uncompress lib/IO/Socket lib/IO/Compress/Zlib
- -rmdir lib/IO/Compress/Zip lib/IO/Compress/Gzip lib/IO/Compress/Base
- -rmdir lib/IO/Compress/Adapter lib/IO/Compress lib/IO
- -rmdir lib/I18N/LangTags lib/I18N lib/Hash/Util lib/Hash lib/HTTP
- -rmdir lib/Filter/Util lib/Filter lib/File/Spec lib/ExtUtils/Typemaps
- -rmdir lib/ExtUtils/ParseXS lib/ExtUtils/MakeMaker/version
- -rmdir lib/ExtUtils/MakeMaker lib/ExtUtils/Liblist
- -rmdir lib/ExtUtils/Constant lib/ExtUtils/Command
+ -rmdir lib/IO/Uncompress lib/IO/Socket/SSL lib/IO/Socket
+ -rmdir lib/IO/Compress/Zlib lib/IO/Compress/Zip lib/IO/Compress/Gzip
+ -rmdir lib/IO/Compress/Base lib/IO/Compress/Adapter lib/IO/Compress
+ -rmdir lib/IO lib/I18N/LangTags lib/I18N lib/Hash/Util lib/Hash
+ -rmdir lib/HTTP lib/Filter/Util lib/Filter lib/File/Spec
+ -rmdir lib/ExtUtils/Typemaps lib/ExtUtils/ParseXS
+ -rmdir lib/ExtUtils/MakeMaker/version lib/ExtUtils/MakeMaker
+ -rmdir lib/ExtUtils/Liblist lib/ExtUtils/Constant lib/ExtUtils/Command
 -rmdir lib/ExtUtils/CBuilder/Platform/Windows
 -rmdir lib/ExtUtils/CBuilder/Platform lib/ExtUtils/CBuilder
 -rmdir lib/Exporter lib/Encode/Unicode lib/Encode/MIME/Header
diff --git a/Porting/Maintainers.pl b/Porting/Maintainers.pl
index f38ae1ddd2af..bc6a34057bda 100755
--- a/Porting/Maintainers.pl
+++ b/Porting/Maintainers.pl
@@ -662,6 +662,17 @@ package Maintainers;
 ],
 },
+ 'IO::Socket::SSL' => {
+ 'DISTRIBUTION' => 'SULLR/IO-Socket-SSL-2.080.tar.gz',
+ 'FILES' => q[cpan/IO-Socket-SSL],
+ 'EXCLUDED' => [
+ qr[^example/],
+ qr[^docs/],
+ q[README],
+ q[README.Win32],
+ ],
+ },
+
 'IO::Zlib' => {
 'DISTRIBUTION' => 'TOMHUGHES/IO-Zlib-1.14.tar.gz',
 'FILES' => q[cpan/IO-Zlib],
@@ -884,6 +895,25 @@ package Maintainers;
 ],
 },
+ 'Net::SSLeay' => {
+ 'DISTRIBUTION' => 'CHRISN/Net-SSLeay-1.92.tar.gz',
+ 'FILES' => q[cpan/Net-SSLeay],
+ 'EXCLUDED' => [
+ qr[^README],
+ q[Credits],
+ q[QuickRef],
+ q[t/local/01_pod.t],
+ q[t/local/02_pod_coverage.t],
+ q[t/local/kwalitee.t],
+ ],
+ 'CUSTOMIZED' => [
+ qw[
+ SSLeay.xs
+ Makefile.PL
+ ],
+ ],
+ },
+
 'NEXT' => {
 'DISTRIBUTION' => 'NEILB/NEXT-0.69.tar.gz',
 'FILES' => q[cpan/NEXT],
diff --git a/Porting/cmpVERSION.pl b/Porting/cmpVERSION.pl
index 6c805136e38c..91b503b25020 100755
--- a/Porting/cmpVERSION.pl
+++ b/Porting/cmpVERSION.pl
@@ -227,6 +227,9 @@ sub pm_file_from_xs {
 if (!defined $orig_pm_version || $orig_pm_version eq 'undef') { # sigh
 print "ok $count - SKIP Can't parse \$VERSION in $pm_file\n" if $tap;
+ if (defined $pm_version && $pm_version ne 'undef' && $pm_file =~ m!^((?:dist|ext|cpan)/[^/]+)/!) {
+ $dist_bumped{$1}++;
+ }
 } elsif (!defined $pm_version || $pm_version eq 'undef') {
 my $nok = "not ok $count - in $pm_file version was $orig_pm_version, now unparsable\n";
 print $nok if $tap;
diff --git a/cpan/IO-Socket-SSL/lib/IO/Socket/SSL.pm b/cpan/IO-Socket-SSL/lib/IO/Socket/SSL.pm
new file mode 100644
index 000000000000..5898f46855dd
--- /dev/null
+++ b/cpan/IO-Socket-SSL/lib/IO/Socket/SSL.pm
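Review bot: The Net::SSLeay entry lists `SSLeay.xs` and `Makefile.PL` under `'CUSTOMIZED'` but nothing on the page says what was changed in them or why, and this diff does not touch whatever digest record core keeps for customized files (if one exists for the other CUSTOMIZED entries in this file, as I believe it does, it will need updating in this or a follow-up commit or the porting check will flag both files). A short comment above the `'CUSTOMIZED' => [` line, e.g. `# SSLeay.xs, Makefile.PL: <reason for the local change>`, would let the next person upgrading Net::SSLeay from CPAN know which hunks must be re-applied rather than discovering it by diffing against the tarball. The IO::Socket::SSL entry in the earlier hunk has no CUSTOMIZED list, so the same question does not arise there.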
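Review bot: The added `if` in cmpVERSION.pl counts a distribution as bumped when `$orig_pm_version` was unparsable but `$pm_version` now parses, which reads as the "module newly added to core" case this commit is exercising, but nothing in the hunk says so; a comment such as `# a previously absent or unparsable $VERSION that now parses counts as a bump for its dist` above the new `if` would make the intent explicit. The hunk header's `sub pm_file_from_xs` is only the nearest preceding sub; the loop that defines `$pm_file`, `$count` and `%dist_bumped` starts before this hunk and is not visible here.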
@@ -0,0 +1,3662 @@ +#vim: set sts=4 sw=4 ts=8 ai: +# +# IO::Socket::SSL: +# provide an interface to SSL connections similar to IO::Socket modules +# +# Current Code Shepherd: Steffen Ullrich +# Code Shepherd before: Peter Behroozi, +# +# The original version of this module was written by +# Marko Asplund, , who drew from +# Crypt::SSLeay (Net::SSL) by Gisle Aas. +# + +package IO::Socket::SSL; + +our $VERSION = '2.080'; + +use IO::Socket; +use Net::SSLeay 1.46; +use IO::Socket::SSL::PublicSuffix; +use Exporter (); +use Errno qw( EWOULDBLOCK EAGAIN ETIMEDOUT EINTR EPIPE ); +use Carp; +use strict; + +my $use_threads; +BEGIN { + die "no support for weaken - please install Scalar::Util" if ! do { + local $SIG{__DIE__}; + eval { require Scalar::Util; Scalar::Util->import("weaken"); 1 } + || eval { require WeakRef; WeakRef->import("weaken"); 1 } + }; + require Config; + $use_threads = $Config::Config{usethreads}; +} + + +# results from commonly used constant functions from Net::SSLeay for fast access +my $Net_SSLeay_ERROR_WANT_READ = Net::SSLeay::ERROR_WANT_READ(); +my $Net_SSLeay_ERROR_WANT_WRITE = Net::SSLeay::ERROR_WANT_WRITE(); +my $Net_SSLeay_ERROR_SYSCALL = Net::SSLeay::ERROR_SYSCALL(); +my $Net_SSLeay_ERROR_SSL = Net::SSLeay::ERROR_SSL(); +my $Net_SSLeay_VERIFY_NONE = Net::SSLeay::VERIFY_NONE(); +my $Net_SSLeay_VERIFY_PEER = Net::SSLeay::VERIFY_PEER(); + + +use constant SSL_VERIFY_NONE => &Net::SSLeay::VERIFY_NONE; +use constant SSL_VERIFY_PEER => &Net::SSLeay::VERIFY_PEER; +use constant SSL_VERIFY_FAIL_IF_NO_PEER_CERT => Net::SSLeay::VERIFY_FAIL_IF_NO_PEER_CERT(); +use constant SSL_VERIFY_CLIENT_ONCE => Net::SSLeay::VERIFY_CLIENT_ONCE(); + +# from openssl/ssl.h; should be better in Net::SSLeay +use constant SSL_SENT_SHUTDOWN => 1; +use constant SSL_RECEIVED_SHUTDOWN => 2; + +use constant SSL_OCSP_NO_STAPLE => 0b00001; +use constant SSL_OCSP_MUST_STAPLE => 0b00010; +use constant SSL_OCSP_FAIL_HARD => 0b00100; +use constant SSL_OCSP_FULL_CHAIN => 0b01000; +use 
constant SSL_OCSP_TRY_STAPLE => 0b10000; + +# capabilities of underlying Net::SSLeay/openssl +my $can_client_sni; # do we support SNI on the client side +my $can_server_sni; # do we support SNI on the server side +my $can_multi_cert; # RSA and ECC certificate in same context +my $can_npn; # do we support NPN (obsolete) +my $can_alpn; # do we support ALPN +my $can_ecdh; # do we support ECDH key exchange +my $set_groups_list; # SSL_CTX_set1_groups_list || SSL_CTX_set1_curves_list || undef +my $can_ocsp; # do we support OCSP +my $can_ocsp_staple; # do we support OCSP stapling +my $can_tckt_keycb; # TLS ticket key callback +my $can_pha; # do we support PHA +my $session_upref; # SSL_SESSION_up_ref is implemented +my %sess_cb; # SSL_CTX_sess_set_(new|remove)_cb +my $check_partial_chain; # use X509_V_FLAG_PARTIAL_CHAIN if available +my $auto_retry; # (clear|set)_mode SSL_MODE_AUTO_RETRY with OpenSSL 1.1.1+ with non-blocking +my $ssl_mode_release_buffers = 0; # SSL_MODE_RELEASE_BUFFERS if available +my $can_ciphersuites; # support for SSL_CTX_set_ciphersuites (TLS 1.3) + +my $openssl_version; +my $netssleay_version; + +BEGIN { + $openssl_version = Net::SSLeay::OPENSSL_VERSION_NUMBER(); + $netssleay_version = do { no warnings; $Net::SSLeay::VERSION + 0.0; }; + $can_client_sni = $openssl_version >= 0x10000000; + $can_server_sni = defined &Net::SSLeay::get_servername; + $can_npn = defined &Net::SSLeay::P_next_proto_negotiated && + ! Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER"); + # LibreSSL 2.6.1 disabled NPN by keeping the relevant functions + # available but removed the actual functionality from these functions. + $can_alpn = defined &Net::SSLeay::CTX_set_alpn_protos; + $can_ecdh = + ($openssl_version >= 0x1010000f) ? 'auto' : + defined(&Net::SSLeay::CTX_set_ecdh_auto) ? 
'can_auto' : + (defined &Net::SSLeay::CTX_set_tmp_ecdh && + # There is a regression with elliptic curves on 1.0.1d with 64bit + # http://rt.openssl.org/Ticket/Display.html?id=2975 + ( $openssl_version != 0x1000104f + || length(pack("P",0)) == 4 )) ? 'tmp_ecdh' : + ''; + $set_groups_list = + defined &Net::SSLeay::CTX_set1_groups_list ? \&Net::SSLeay::CTX_set1_groups_list : + defined &Net::SSLeay::CTX_set1_curves_list ? \&Net::SSLeay::CTX_set1_curves_list : + undef; + $can_multi_cert = $can_ecdh + && $openssl_version >= 0x10002000; + $can_ocsp = defined &Net::SSLeay::OCSP_cert2ids + # OCSP got broken in 1.75..1.77 + && ($netssleay_version < 1.75 || $netssleay_version > 1.77); + $can_ocsp_staple = $can_ocsp + && defined &Net::SSLeay::set_tlsext_status_type; + $can_tckt_keycb = defined &Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb + && $netssleay_version >= 1.80; + $can_pha = defined &Net::SSLeay::CTX_set_post_handshake_auth; + $can_ciphersuites = defined &Net::SSLeay::CTX_set_ciphersuites; + + if (defined &Net::SSLeay::SESSION_up_ref) { + $session_upref = 1; + } + + if ($session_upref + && defined &Net::SSLeay::CTX_sess_set_new_cb + && defined &Net::SSLeay::CTX_sess_set_remove_cb) { + %sess_cb = ( + new => \&Net::SSLeay::CTX_sess_set_new_cb, + remove => \&Net::SSLeay::CTX_sess_set_remove_cb, + ); + } + + if (my $c = defined &Net::SSLeay::CTX_get0_param + && eval { Net::SSLeay::X509_V_FLAG_PARTIAL_CHAIN() }) { + $check_partial_chain = sub { + my $ctx = shift; + my $param = Net::SSLeay::CTX_get0_param($ctx); + Net::SSLeay::X509_VERIFY_PARAM_set_flags($param, $c); + }; + } + + if (!defined &Net::SSLeay::clear_mode) { + # assume SSL_CTRL_CLEAR_MODE being 78 since it was always this way + *Net::SSLeay::clear_mode = sub { + my ($ctx,$opt) = @_; + Net::SSLeay::ctrl($ctx,78,$opt,0); + }; + } + + if ($openssl_version >= 0x10101000) { + # openssl 1.1.1 enabled SSL_MODE_AUTO_RETRY by default, which is bad for + # non-blocking sockets + my $mode_auto_retry = + # was always 
0x00000004 + eval { Net::SSLeay::MODE_AUTO_RETRY() } || 0x00000004; + $auto_retry = sub { + my ($ssl,$on) = @_; + if ($on) { + Net::SSLeay::set_mode($ssl, $mode_auto_retry); + } else { + Net::SSLeay::clear_mode($ssl, $mode_auto_retry); + } + } + } + if ($openssl_version >= 0x10000000) { + # ssl/ssl.h:#define SSL_MODE_RELEASE_BUFFERS 0x00000010L + $ssl_mode_release_buffers = 0x00000010; + } +} + +my $algo2digest = do { + my %digest; + sub { + my $digest_name = shift; + return $digest{$digest_name} ||= do { + Net::SSLeay::SSLeay_add_ssl_algorithms(); + Net::SSLeay::EVP_get_digestbyname($digest_name) + or die "Digest algorithm $digest_name is not available"; + }; + } +}; + +my $CTX_tlsv1_3_new; +if ( defined &Net::SSLeay::CTX_set_min_proto_version + and defined &Net::SSLeay::CTX_set_max_proto_version + and my $tls13 = eval { Net::SSLeay::TLS1_3_VERSION() } +) { + $CTX_tlsv1_3_new = sub { + my $ctx = Net::SSLeay::CTX_new(); + return $ctx if Net::SSLeay::CTX_set_min_proto_version($ctx,$tls13) + && Net::SSLeay::CTX_set_max_proto_version($ctx,$tls13); + Net::SSLeay::CTX_free($ctx); + return; + }; +} + +my $set_msg_callback = defined &Net::SSLeay::CTX_set_msg_callback + && \&Net::SSLeay::CTX_set_msg_callback; + +# global defaults +my %DEFAULT_SSL_ARGS = ( + SSL_check_crl => 0, + SSL_version => 'SSLv23:!SSLv3:!SSLv2', # consider both SSL3.0 and SSL2.0 as broken + SSL_verify_callback => undef, + SSL_verifycn_scheme => undef, # fallback cn verification + SSL_verifycn_publicsuffix => undef, # fallback default list verification + #SSL_verifycn_name => undef, # use from PeerAddr/PeerHost - do not override in set_args_filter_hack 'use_defaults' + SSL_npn_protocols => undef, # meaning depends whether on server or client side + SSL_alpn_protocols => undef, # list of protocols we'll accept/send, for example ['http/1.1','spdy/3.1'] + + # rely on system default but be sure to disable some definitely bad ones + SSL_cipher_list => 'DEFAULT !EXP !MEDIUM !LOW !eNULL !aNULL !RC4 !DES !MD5 
!PSK !SRP', +); + +my %DEFAULT_SSL_CLIENT_ARGS = ( + %DEFAULT_SSL_ARGS, + SSL_verify_mode => SSL_VERIFY_PEER, + + SSL_ca_file => undef, + SSL_ca_path => undef, +); + +# set values inside _init to work with perlcc, RT#95452 +my %DEFAULT_SSL_SERVER_ARGS; + +# Initialization of OpenSSL internals +# This will be called once during compilation - perlcc users might need to +# call it again by hand, see RT#95452 +{ + sub init { + # library_init returns false if the library was already initialized. + # This way we can find out if the library needs to be re-initialized + # inside code compiled with perlcc + Net::SSLeay::library_init() or return; + + Net::SSLeay::load_error_strings(); + Net::SSLeay::OpenSSL_add_all_digests(); + Net::SSLeay::randomize(); + + %DEFAULT_SSL_SERVER_ARGS = ( + %DEFAULT_SSL_ARGS, + SSL_verify_mode => SSL_VERIFY_NONE, + SSL_honor_cipher_order => 1, # trust server to know the best cipher + SSL_dh => do { + my $bio = Net::SSLeay::BIO_new(Net::SSLeay::BIO_s_mem()); + # generated with: openssl dhparam 2048 + Net::SSLeay::BIO_write($bio,<<'DH'); +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEAr8wskArj5+1VCVsnWt/RUR7tXkHJ7mGW7XxrLSPOaFyKyWf8lZht +iSY2Lc4oa4Zw8wibGQ3faeQu/s8fvPq/aqTxYmyHPKCMoze77QJHtrYtJAosB9SY +CN7s5Hexxb5/vQ4qlQuOkVrZDiZO9GC4KaH9mJYnCoAsXDhDft6JT0oRVSgtZQnU +gWFKShIm+JVjN94kGs0TcBEesPTK2g8XVHK9H8AtSUb9BwW2qD/T5RmgNABysApO +Ps2vlkxjAHjJcqc3O+OiImKik/X2rtBTZjpKmzN3WWTB0RJZCOWaLlDO81D01o1E +aZecz3Np9KIYey900f+X7zC2bJxEHp95ywIBAg== +-----END DH PARAMETERS----- +DH + my $dh = Net::SSLeay::PEM_read_bio_DHparams($bio); + Net::SSLeay::BIO_free($bio); + $dh or die "no DH"; + $dh; + }, + ( + $can_ecdh eq 'auto' ? () : # automatically enabled by openssl + $can_ecdh eq 'can_auto' ? (SSL_ecdh_curve => 'auto') : + $can_ecdh eq 'tmp_ecdh' ? ( SSL_ecdh_curve => 'prime256v1' ) : + (), + ) + ); + } + # Call it once at compile time and try it at INIT. + # This should catch all cases of including the module, e.g. 
'use' (INIT) or + # 'require' (compile time) and works also with perlcc + { + no warnings; + INIT { init() } + init(); + } +} + +# global defaults which can be changed using set_defaults +# either key/value can be set or it can just be set to an external hash +my $GLOBAL_SSL_ARGS = {}; +my $GLOBAL_SSL_CLIENT_ARGS = {}; +my $GLOBAL_SSL_SERVER_ARGS = {}; + +# hack which is used to filter bad settings from used modules +my $FILTER_SSL_ARGS = undef; + +# non-XS Versions of Scalar::Util will fail +BEGIN{ + die "You need the XS Version of Scalar::Util for dualvar() support" if !do { + local $SIG{__DIE__}; local $SIG{__WARN__}; # be silent + eval { use Scalar::Util 'dualvar'; dualvar(0,''); 1 }; + }; +} + +# get constants for SSL_OP_NO_* now, instead calling the related functions +# every time we setup a connection +my %SSL_OP_NO; +for(qw( SSLv2 SSLv3 TLSv1 TLSv1_1 TLSv11:TLSv1_1 TLSv1_2 TLSv12:TLSv1_2 + TLSv1_3 TLSv13:TLSv1_3 )) { + my ($k,$op) = m{:} ? split(m{:},$_,2) : ($_,$_); + my $sub = "Net::SSLeay::OP_NO_$op"; + local $SIG{__DIE__}; + $SSL_OP_NO{$k} = eval { no strict 'refs'; &$sub } || 0; +} + +# Make SSL_CTX_clear_options accessible through SSL_CTX_ctrl unless it is +# already implemented in Net::SSLeay +if (!defined &Net::SSLeay::CTX_clear_options) { + *Net::SSLeay::CTX_clear_options = sub { + my ($ctx,$opt) = @_; + # 77 = SSL_CTRL_CLEAR_OPTIONS + Net::SSLeay::CTX_ctrl($ctx,77,$opt,0); + }; +} + +# Try to work around problems with alternative trust path by default, RT#104759 +my $DEFAULT_X509_STORE_flags = 0; +{ + local $SIG{__DIE__}; + eval { $DEFAULT_X509_STORE_flags |= Net::SSLeay::X509_V_FLAG_TRUSTED_FIRST() }; +} + +our $DEBUG; +use vars qw(@ISA $SSL_ERROR @EXPORT); + +{ + # These constants will be used in $! at return from SSL_connect, + # SSL_accept, _generic_(read|write), thus notifying the caller + # the usual way of problems. Like with EWOULDBLOCK, EINPROGRESS.. 
+ # these are especially important for non-blocking sockets + + my $x = $Net_SSLeay_ERROR_WANT_READ; + use constant SSL_WANT_READ => dualvar( \$x, 'SSL wants a read first' ); + my $y = $Net_SSLeay_ERROR_WANT_WRITE; + use constant SSL_WANT_WRITE => dualvar( \$y, 'SSL wants a write first' ); + + @EXPORT = qw( + SSL_WANT_READ SSL_WANT_WRITE SSL_VERIFY_NONE SSL_VERIFY_PEER + SSL_VERIFY_FAIL_IF_NO_PEER_CERT SSL_VERIFY_CLIENT_ONCE + SSL_OCSP_NO_STAPLE SSL_OCSP_TRY_STAPLE SSL_OCSP_MUST_STAPLE + SSL_OCSP_FAIL_HARD SSL_OCSP_FULL_CHAIN + $SSL_ERROR GEN_DNS GEN_IPADD + ); +} + +my @caller_force_inet4; # in case inet4 gets forced we store here who forced it + +my $IOCLASS; +my $family_key; # 'Domain'||'Family' +BEGIN { + # declare @ISA depending of the installed socket class + + # try to load inet_pton from Socket or Socket6 and make sure it is usable + local $SIG{__DIE__}; local $SIG{__WARN__}; # be silent + my $ip6 = eval { + require Socket; + Socket->VERSION(1.95); + Socket::inet_pton( AF_INET6(),'::1') && AF_INET6() or die; + Socket->import( qw/inet_pton NI_NUMERICHOST NI_NUMERICSERV/ ); + # behavior different to Socket6::getnameinfo - wrap + *_getnameinfo = sub { + my ($err,$host,$port) = Socket::getnameinfo(@_) or return; + return if $err; + return ($host,$port); + }; + 'Socket'; + } || eval { + require Socket6; + Socket6::inet_pton( AF_INET6(),'::1') && AF_INET6() or die; + Socket6->import( qw/inet_pton NI_NUMERICHOST NI_NUMERICSERV/ ); + # behavior different to Socket::getnameinfo - wrap + *_getnameinfo = sub { return Socket6::getnameinfo(@_); }; + 'Socket6'; + } || undef; + + # try IO::Socket::IP or IO::Socket::INET6 for IPv6 support + $family_key = 'Domain'; # traditional + if ($ip6) { + # if we have IO::Socket::IP >= 0.31 we will use this in preference + # because it can handle both IPv4 and IPv6 + if ( eval { + require IO::Socket::IP; + IO::Socket::IP->VERSION(0.31) + }) { + @ISA = qw(IO::Socket::IP); + constant->import( CAN_IPV6 => "IO::Socket::IP" ); + 
$family_key = 'Family'; + $IOCLASS = "IO::Socket::IP"; + + # if we have IO::Socket::INET6 we will use this not IO::Socket::INET + # because it can handle both IPv4 and IPv6 + # require at least 2.62 because of several problems before that version + } elsif( eval { require IO::Socket::INET6; IO::Socket::INET6->VERSION(2.62) } ) { + @ISA = qw(IO::Socket::INET6); + constant->import( CAN_IPV6 => "IO::Socket::INET6" ); + $IOCLASS = "IO::Socket::INET6"; + } else { + $ip6 = '' + } + } + + # fall back to IO::Socket::INET for IPv4 only + if (!$ip6) { + @ISA = qw(IO::Socket::INET); + $IOCLASS = "IO::Socket::INET"; + constant->import(CAN_IPV6 => ''); + if (!defined $ip6) { + constant->import(NI_NUMERICHOST => 1); + constant->import(NI_NUMERICSERV => 2); + } + } + + #Make $DEBUG another name for $Net::SSLeay::trace + *DEBUG = \$Net::SSLeay::trace; + + #Compatibility + *ERROR = \$SSL_ERROR; +} + + +sub DEBUG { + $DEBUG or return; + my (undef,$file,$line,$sub) = caller(1); + if ($sub =~m{^IO::Socket::SSL::(?:error|(_internal_error))$}) { + (undef,$file,$line) = caller(2) if $1; + } else { + (undef,$file,$line) = caller; + } + my $msg = shift; + $file = '...'.substr( $file,-17 ) if length($file)>20; + $msg = sprintf $msg,@_ if @_; + print STDERR "DEBUG: $file:$line: $msg\n"; +} + +BEGIN { + # import some constants from Net::SSLeay or use hard-coded defaults + # if Net::SSLeay isn't recent enough to provide the constants + my %const = ( + NID_CommonName => 13, + GEN_DNS => 2, + GEN_IPADD => 7, + ); + while ( my ($name,$value) = each %const ) { + no strict 'refs'; + *{$name} = UNIVERSAL::can( 'Net::SSLeay', $name ) || sub { $value }; + } + + *idn_to_ascii = \&IO::Socket::SSL::PublicSuffix::idn_to_ascii; + *idn_to_unicode = \&IO::Socket::SSL::PublicSuffix::idn_to_unicode; +} + +my $OPENSSL_LIST_SEPARATOR = $^O =~m{^(?:(dos|os2|mswin32|netware)|vms)$}i + ? $1 ? ';' : ',' : ':'; +my $CHECK_SSL_PATH = sub { + my %args = (@_ == 1) ? 
('',@_) : @_; + for my $type (keys %args) { + my $path = $args{$type}; + if (!$type) { + delete $args{$type}; + $type = (ref($path) || -d $path) ? 'SSL_ca_path' : 'SSL_ca_file'; + $args{$type} = $path; + } + + next if ref($path) eq 'SCALAR' && ! $$path; + if ($type eq 'SSL_ca_file') { + die "SSL_ca_file $path can't be used: $!" + if ! open(my $fh,'<',$path); + } elsif ($type eq 'SSL_ca_path') { + $path = [ split($OPENSSL_LIST_SEPARATOR,$path) ] if !ref($path); + my @err; + for my $d (ref($path) ? @$path : $path) { + if (! -d $d) { + push @err, "SSL_ca_path $d does not exist"; + } elsif (! opendir(my $dh,$d)) { + push @err, "SSL_ca_path $d is not accessible: $!" + } else { + @err = (); + last + } + } + die "@err" if @err; + } + } + return %args; +}; + + +{ + my %default_ca; + my $ca_detected; # 0: never detect, undef: need to (re)detect + my $openssldir; + + sub default_ca { + if (@_) { + # user defined default CA or reset + if ( @_ > 1 ) { + %default_ca = @_; + $ca_detected = 0; + } elsif ( my $path = shift ) { + %default_ca = $CHECK_SSL_PATH->($path); + $ca_detected = 0; + } else { + $ca_detected = undef; + } + } + return %default_ca if defined $ca_detected; + + # SSLEAY_DIR was 5 up to OpenSSL 1.1, then switched to 4 and got + # renamed to OPENSSL_DIR. Unfortunately it is not exported as constant + # by Net::SSLeay so we use the fixed number. + $openssldir ||= + Net::SSLeay::SSLeay_version(5) =~m{^OPENSSLDIR: "(.+)"$} ? $1 : + Net::SSLeay::SSLeay_version(4) =~m{^OPENSSLDIR: "(.+)"$} ? $1 : + 'cannot-determine-openssldir-from-ssleay-version'; + + # (re)detect according to openssl crypto/cryptlib.h + my $dir = $ENV{SSL_CERT_DIR} + || ( $^O =~m{vms}i ? 
"SSLCERTS:":"$openssldir/certs" ); + if ( opendir(my $dh,$dir)) { + FILES: for my $f ( grep { m{^[a-f\d]{8}(\.\d+)?$} } readdir($dh) ) { + open( my $fh,'<',"$dir/$f") or next; + while (my $line = <$fh>) { + $line =~m{^-+BEGIN (X509 |TRUSTED |)CERTIFICATE-} or next; + $default_ca{SSL_ca_path} = $dir; + last FILES; + } + } + } + my $file = $ENV{SSL_CERT_FILE} + || ( $^O =~m{vms}i ? "SSLCERTS:cert.pem":"$openssldir/cert.pem" ); + if ( open(my $fh,'<',$file)) { + while (my $line = <$fh>) { + $line =~m{^-+BEGIN (X509 |TRUSTED |)CERTIFICATE-} or next; + $default_ca{SSL_ca_file} = $file; + last; + } + } + + $default_ca{SSL_ca_file} = Mozilla::CA::SSL_ca_file() if ! %default_ca && do { + local $SIG{__DIE__}; + eval { require Mozilla::CA; 1 }; + }; + + $ca_detected = 1; + return %default_ca; + } +} + + +# Export some stuff +# inet4|inet6|debug will be handled by myself, everything +# else will be handled the Exporter way +sub import { + my $class = shift; + + my @export; + foreach (@_) { + if ( /^inet4$/i ) { + # explicitly fall back to inet4 + @ISA = 'IO::Socket::INET'; + @caller_force_inet4 = caller(); # save for warnings for 'inet6' case + } elsif ( /^inet6$/i ) { + # check if we have already ipv6 as base + if ( ! UNIVERSAL::isa( $class, 'IO::Socket::INET6') + and ! UNIVERSAL::isa( $class, 'IO::Socket::IP' )) { + # either we don't support it or we disabled it by explicitly + # loading it with 'inet4'. 
In this case re-enable but warn + # because this is probably an error + if ( CAN_IPV6 ) { + @ISA = ( CAN_IPV6 ); + warn "IPv6 support re-enabled in __PACKAGE__, got disabled in file $caller_force_inet4[1] line $caller_force_inet4[2]"; + } else { + die "INET6 is not supported, install IO::Socket::IP"; + } + } + } elsif ( /^:?debug(\d+)/ ) { + $DEBUG=$1; + } else { + push @export,$_ + } + } + + @_ = ( $class,@export ); + goto &Exporter::import; +} + +my %SSL_OBJECT; +my %CREATED_IN_THIS_THREAD; +sub CLONE { %CREATED_IN_THIS_THREAD = (); } + +# all keys used internally, these should be cleaned up at end +my @all_my_keys = qw( + _SSL_arguments + _SSL_certificate + _SSL_ctx + _SSL_fileno + _SSL_in_DESTROY + _SSL_ioclass_downgrade + _SSL_ioclass_upgraded + _SSL_last_err + _SSL_object + _SSL_ocsp_verify + _SSL_opened + _SSL_opening + _SSL_servername +); + + +# we have callbacks associated with contexts, but have no way to access the +# current SSL object from these callbacks. To work around this +# CURRENT_SSL_OBJECT will be set before calling Net::SSLeay::{connect,accept} +# and reset afterwards, so we have access to it inside _internal_error. +my $CURRENT_SSL_OBJECT; + +# You might be expecting to find a new() subroutine here, but that is +# not how IO::Socket::INET works. All configuration gets performed in +# the calls to configure() and either connect() or accept(). + +#Call to configure occurs when a new socket is made using +#IO::Socket::INET. Returns false (empty list) on failure. +sub configure { + my ($self, $arg_hash) = @_; + return _invalid_object() unless($self); + + # force initial blocking + # otherwise IO::Socket::SSL->new might return undef if the + # socket is nonblocking and it fails to connect immediately + # for real nonblocking behavior one should create a nonblocking + # socket and later call connect explicitly + my $blocking = delete $arg_hash->{Blocking}; + + # because Net::HTTPS simple redefines blocking() to {} (e.g. 
+ # return undef) and IO::Socket::INET does not like this we + # set Blocking only explicitly if it was set + $arg_hash->{Blocking} = 1 if defined ($blocking); + + $self->configure_SSL($arg_hash) || return; + + if ($arg_hash->{$family_key} ||= $arg_hash->{Domain} || $arg_hash->{Family}) { + # Hack to work around the problem that IO::Socket::IP defaults to + # AI_ADDRCONFIG which creates problems if we have only the loopback + # interface. If we already know the family this flag is more harmful + # then useful. + $arg_hash->{GetAddrInfoFlags} = 0 if $IOCLASS eq 'IO::Socket::IP' + && ! defined $arg_hash->{GetAddrInfoFlags}; + } + return $self->_internal_error("@ISA configuration failed",0) + if ! $self->SUPER::configure($arg_hash); + + $self->blocking(0) if defined $blocking && !$blocking; + return $self; +} + +sub configure_SSL { + my ($self, $arg_hash) = @_; + + $arg_hash->{Proto} ||= 'tcp'; + my $is_server = $arg_hash->{SSL_server}; + if ( ! defined $is_server ) { + $is_server = $arg_hash->{SSL_server} = $arg_hash->{Listen} || 0; + } + + # add user defined defaults, maybe after filtering + $FILTER_SSL_ARGS->($is_server,$arg_hash) if $FILTER_SSL_ARGS; + + delete @{*$self}{@all_my_keys}; + ${*$self}{_SSL_opened} = $is_server; + ${*$self}{_SSL_arguments} = $arg_hash; + + # this adds defaults to $arg_hash as a side effect! + ${*$self}{'_SSL_ctx'} = IO::Socket::SSL::SSL_Context->new($arg_hash) + or return; + + return $self; +} + + +sub _skip_rw_error { + my ($self,$ssl,$rv) = @_; + my $err = Net::SSLeay::get_error($ssl,$rv); + if ( $err == $Net_SSLeay_ERROR_WANT_READ) { + $SSL_ERROR = SSL_WANT_READ; + } elsif ( $err == $Net_SSLeay_ERROR_WANT_WRITE) { + $SSL_ERROR = SSL_WANT_WRITE; + } else { + return $err; + } + $! 
||= EWOULDBLOCK; + ${*$self}{_SSL_last_err} = [$SSL_ERROR,4] if ref($self); + Net::SSLeay::ERR_clear_error(); + return 0; +} + + +# Call to connect occurs when a new client socket is made using IO::Socket::* +sub connect { + my $self = shift || return _invalid_object(); + return $self if ${*$self}{'_SSL_opened'}; # already connected + + if ( ! ${*$self}{'_SSL_opening'} ) { + # call SUPER::connect if the underlying socket is not connected + # if this fails this might not be an error (e.g. if $! = EINPROGRESS + # and socket is nonblocking this is normal), so keep any error + # handling to the client + $DEBUG>=2 && DEBUG('socket not yet connected' ); + $self->SUPER::connect(@_) || return; + $DEBUG>=2 && DEBUG('socket connected' ); + + # IO::Socket works around systems, which return EISCONN or similar + # on non-blocking re-connect by returning true, even if $! is set + # but it does not clear $!, so do it here + $! = undef; + + # don't continue with connect_SSL if SSL_startHandshake is set to 0 + my $sh = ${*$self}{_SSL_arguments}{SSL_startHandshake}; + return $self if defined $sh && ! $sh; + } + return $self->connect_SSL; +} + + +sub connect_SSL { + my $self = shift; + my $args = @_>1 ? {@_}: $_[0]||{}; + return $self if ${*$self}{'_SSL_opened'}; # already connected + + my ($ssl,$ctx); + if ( ! ${*$self}{'_SSL_opening'} ) { + # start ssl connection + $DEBUG>=2 && DEBUG('ssl handshake not started' ); + ${*$self}{'_SSL_opening'} = 1; + my $arg_hash = ${*$self}{'_SSL_arguments'}; + + my $fileno = ${*$self}{'_SSL_fileno'} = fileno($self); + return $self->_internal_error("Socket has no fileno",9) + if ! 
defined $fileno; + + $ctx = ${*$self}{'_SSL_ctx'}; # Reference to real context + $ssl = ${*$self}{'_SSL_object'} = Net::SSLeay::new($ctx->{context}) + || return $self->error("SSL structure creation failed"); + $CREATED_IN_THIS_THREAD{$ssl} = 1 if $use_threads; + $SSL_OBJECT{$ssl} = [$self,0]; + weaken($SSL_OBJECT{$ssl}[0]); + + if ($ctx->{session_cache}) { + $arg_hash->{SSL_session_key} ||= do { + my $host = $arg_hash->{PeerAddr} || $arg_hash->{PeerHost} + || $self->_update_peer; + my $port = $arg_hash->{PeerPort} || $arg_hash->{PeerService}; + $port ? "$host:$port" : $host; + } + } + + Net::SSLeay::set_fd($ssl, $fileno) + || return $self->error("SSL filehandle association failed"); + + if ( $can_client_sni ) { + my $host; + if ( exists $arg_hash->{SSL_hostname} ) { + # explicitly given + # can be set to undef/'' to not use extension + $host = $arg_hash->{SSL_hostname} + } elsif ( $host = $arg_hash->{PeerAddr} || $arg_hash->{PeerHost} ) { + # implicitly given + $host =~s{:[a-zA-Z0-9_\-]+$}{}; + # should be hostname, not IPv4/6 + $host = undef if $host !~m{[a-z_]}i or $host =~m{:}; + } + # define SSL_CTRL_SET_TLSEXT_HOSTNAME 55 + # define TLSEXT_NAMETYPE_host_name 0 + if ($host) { + $DEBUG>=2 && DEBUG("using SNI with hostname $host"); + Net::SSLeay::ctrl($ssl,55,0,$host); + } else { + $DEBUG>=2 && DEBUG("not using SNI because hostname is unknown"); + } + } elsif ( $arg_hash->{SSL_hostname} ) { + return $self->_internal_error( + "Client side SNI not supported for this openssl",9); + } else { + $DEBUG>=2 && DEBUG("not using SNI because openssl is too old"); + } + + $arg_hash->{PeerAddr} || $arg_hash->{PeerHost} || $self->_update_peer; + if ( $ctx->{verify_name_ref} ) { + # need target name for update + my $host = $arg_hash->{SSL_verifycn_name} + || $arg_hash->{SSL_hostname}; + if ( ! defined $host ) { + if ( $host = $arg_hash->{PeerAddr} || $arg_hash->{PeerHost} ) { + $host =~s{^ + (?: + ([^:\[]+) | # ipv4|host + (\[(.*)\]) # [ipv6|host] + ) + (:[\w\-]+)? 
# optional :port + $}{$1$2}x; # ipv4|host|ipv6 + } + } + ${$ctx->{verify_name_ref}} = $host; + } + + my $ocsp = $ctx->{ocsp_mode}; + if ( $ocsp & SSL_OCSP_NO_STAPLE ) { + # don't try stapling + } elsif ( ! $can_ocsp_staple ) { + croak("OCSP stapling not support") if $ocsp & SSL_OCSP_MUST_STAPLE; + } elsif ( $ocsp & (SSL_OCSP_TRY_STAPLE|SSL_OCSP_MUST_STAPLE)) { + # staple by default if verification enabled + ${*$self}{_SSL_ocsp_verify} = undef; + Net::SSLeay::set_tlsext_status_type($ssl, + Net::SSLeay::TLSEXT_STATUSTYPE_ocsp()); + $DEBUG>=2 && DEBUG("request OCSP stapling"); + } + + if ($ctx->{session_cache} and my $session = + $ctx->{session_cache}->get_session($arg_hash->{SSL_session_key}) + ) { + Net::SSLeay::set_session($ssl, $session); + } + } + + $ssl ||= ${*$self}{'_SSL_object'}; + + $SSL_ERROR = $! = undef; + my $timeout = exists $args->{Timeout} + ? $args->{Timeout} + : ${*$self}{io_socket_timeout}; # from IO::Socket + if ( defined($timeout) && $timeout>0 && $self->blocking(0) ) { + $DEBUG>=2 && DEBUG( "set socket to non-blocking to enforce timeout=$timeout" ); + # timeout was given and socket was blocking + # enforce timeout with now non-blocking socket + } else { + # timeout does not apply because invalid or socket non-blocking + $timeout = undef; + $auto_retry && $auto_retry->($ssl,$self->blocking); + } + + my $start = defined($timeout) && time(); + { + $SSL_ERROR = undef; + $CURRENT_SSL_OBJECT = $self; + $DEBUG>=3 && DEBUG("call Net::SSLeay::connect" ); + my $rv = Net::SSLeay::connect($ssl); + $CURRENT_SSL_OBJECT = undef; + $DEBUG>=3 && DEBUG("done Net::SSLeay::connect -> $rv" ); + if ( $rv < 0 ) { + if ( my $err = $self->_skip_rw_error( $ssl,$rv )) { + $self->error("SSL connect attempt failed"); + delete ${*$self}{'_SSL_opening'}; + ${*$self}{'_SSL_opened'} = -1; + $DEBUG>=1 && DEBUG( "fatal SSL error: $SSL_ERROR" ); + return $self->fatal_ssl_error(); + } + + $DEBUG>=2 && DEBUG('ssl handshake in progress' ); + # connect failed because handshake needs 
to be completed + # if socket was non-blocking or no timeout was given return with this error + return if ! defined($timeout); + + # wait until socket is readable or writable + my $rv; + if ( $timeout>0 ) { + my $vec = ''; + vec($vec,$self->fileno,1) = 1; + $DEBUG>=2 && DEBUG( "waiting for fd to become ready: $SSL_ERROR" ); + $rv = + $SSL_ERROR == SSL_WANT_READ ? select( $vec,undef,undef,$timeout) : + $SSL_ERROR == SSL_WANT_WRITE ? select( undef,$vec,undef,$timeout) : + undef; + } else { + $DEBUG>=2 && DEBUG("handshake failed because no more time" ); + $! = ETIMEDOUT + } + if ( ! $rv ) { + $DEBUG>=2 && DEBUG("handshake failed because socket did not became ready" ); + # failed because of timeout, return + $! ||= ETIMEDOUT; + delete ${*$self}{'_SSL_opening'}; + ${*$self}{'_SSL_opened'} = -1; + $self->blocking(1); # was blocking before + return + } + + # socket is ready, try non-blocking connect again after recomputing timeout + $DEBUG>=2 && DEBUG("socket ready, retrying connect" ); + my $now = time(); + $timeout -= $now - $start; + $start = $now; + redo; + + } elsif ( $rv == 0 ) { + delete ${*$self}{'_SSL_opening'}; + $DEBUG>=2 && DEBUG("connection failed - connect returned 0" ); + $self->error("SSL connect attempt failed because of handshake problems" ); + ${*$self}{'_SSL_opened'} = -1; + return $self->fatal_ssl_error(); + } + } + + $DEBUG>=2 && DEBUG('ssl handshake done' ); + # ssl connect successful + delete ${*$self}{'_SSL_opening'}; + ${*$self}{'_SSL_opened'}=1; + if (defined($timeout)) { + $self->blocking(1); # reset back to blocking + $! 
= undef; # reset errors from non-blocking + } + + $ctx ||= ${*$self}{'_SSL_ctx'}; + + if ( my $ocsp_result = ${*$self}{_SSL_ocsp_verify} ) { + # got result from OCSP stapling + if ( $ocsp_result->[0] > 0 ) { + $DEBUG>=3 && DEBUG("got OCSP success with stapling"); + # successful validated + } elsif ( $ocsp_result->[0] < 0 ) { + # Permanent problem with validation because certificate + # is either self-signed or the issuer cannot be found. + # Ignore here, because this will cause other errors too. + $DEBUG>=3 && DEBUG("got OCSP failure with stapling: %s", + $ocsp_result->[1]); + } else { + # definitely revoked + $DEBUG>=3 && DEBUG("got OCSP revocation with stapling: %s", + $ocsp_result->[1]); + $self->_internal_error($ocsp_result->[1],5); + return $self->fatal_ssl_error(); + } + } elsif ( $ctx->{ocsp_mode} & SSL_OCSP_MUST_STAPLE ) { + $self->_internal_error("did not receive the required stapled OCSP response",5); + return $self->fatal_ssl_error(); + } + + if (!%sess_cb and $ctx->{session_cache} + and my $session = Net::SSLeay::get1_session($ssl)) { + $ctx->{session_cache}->add_session( + ${*$self}{_SSL_arguments}{SSL_session_key}, + $session + ); + } + + tie *{$self}, "IO::Socket::SSL::SSL_HANDLE", $self; + + return $self; +} + +# called if PeerAddr is not set in ${*$self}{'_SSL_arguments'} +# this can be the case if start_SSL is called with a normal IO::Socket::INET +# so that PeerAddr|PeerPort are not set from args +# returns PeerAddr +sub _update_peer { + my $self = shift; + my $arg_hash = ${*$self}{'_SSL_arguments'}; + eval { + my $sockaddr = getpeername( $self ); + my $af = sockaddr_family($sockaddr); + if( CAN_IPV6 && $af == AF_INET6 ) { + my (undef, $host, $port) = _getnameinfo($sockaddr, + NI_NUMERICHOST | NI_NUMERICSERV); + $arg_hash->{PeerPort} = $port; + $arg_hash->{PeerAddr} = $host; + } else { + my ($port,$addr) = sockaddr_in( $sockaddr); + $arg_hash->{PeerPort} = $port; + $arg_hash->{PeerAddr} = inet_ntoa( $addr ); + } + } +} + +#Call to accept occurs 
when a new client connects to a server using +#IO::Socket::SSL +sub accept { + my $self = shift || return _invalid_object(); + my $class = shift || 'IO::Socket::SSL'; + + my $socket = ${*$self}{'_SSL_opening'}; + if ( ! $socket ) { + # underlying socket not done + $DEBUG>=2 && DEBUG('no socket yet' ); + $socket = $self->SUPER::accept($class) || return; + $DEBUG>=2 && DEBUG('accept created normal socket '.$socket ); + + # don't continue with accept_SSL if SSL_startHandshake is set to 0 + my $sh = ${*$self}{_SSL_arguments}{SSL_startHandshake}; + if (defined $sh && ! $sh) { + ${*$socket}{_SSL_ctx} = ${*$self}{_SSL_ctx}; + ${*$socket}{_SSL_arguments} = { + %{${*$self}{_SSL_arguments}}, + SSL_server => 0, + }; + $DEBUG>=2 && DEBUG('will not start SSL handshake yet'); + return wantarray ? ($socket, getpeername($socket) ) : $socket + } + } + + $self->accept_SSL($socket) || return; + $DEBUG>=2 && DEBUG('accept_SSL ok' ); + + return wantarray ? ($socket, getpeername($socket) ) : $socket; +} + +sub accept_SSL { + my $self = shift; + my $socket = ( @_ && UNIVERSAL::isa( $_[0], 'IO::Handle' )) ? shift : $self; + my $args = @_>1 ? {@_}: $_[0]||{}; + + my $ssl; + if ( ! ${*$self}{'_SSL_opening'} ) { + $DEBUG>=2 && DEBUG('starting sslifying' ); + ${*$self}{'_SSL_opening'} = $socket; + if ($socket != $self) { + ${*$socket}{_SSL_ctx} = ${*$self}{_SSL_ctx}; + ${*$socket}{_SSL_arguments} = { + %{${*$self}{_SSL_arguments}}, + SSL_server => 0 + }; + } + + my $fileno = ${*$socket}{'_SSL_fileno'} = fileno($socket); + return $socket->_internal_error("Socket has no fileno",9) + if ! 
defined $fileno; + + $ssl = ${*$socket}{_SSL_object} = + Net::SSLeay::new(${*$socket}{_SSL_ctx}{context}) + || return $socket->error("SSL structure creation failed"); + $CREATED_IN_THIS_THREAD{$ssl} = 1 if $use_threads; + $SSL_OBJECT{$ssl} = [$socket,1]; + weaken($SSL_OBJECT{$ssl}[0]); + + Net::SSLeay::set_fd($ssl, $fileno) + || return $socket->error("SSL filehandle association failed"); + } + + $ssl ||= ${*$socket}{'_SSL_object'}; + + $SSL_ERROR = $! = undef; + #$DEBUG>=2 && DEBUG('calling ssleay::accept' ); + + my $timeout = exists $args->{Timeout} + ? $args->{Timeout} + : ${*$self}{io_socket_timeout}; # from IO::Socket + if ( defined($timeout) && $timeout>0 && $socket->blocking(0) ) { + # timeout was given and socket was blocking + # enforce timeout with now non-blocking socket + } else { + # timeout does not apply because invalid or socket non-blocking + $timeout = undef; + $auto_retry && $auto_retry->($ssl,$socket->blocking); + } + + my $start = defined($timeout) && time(); + { + $SSL_ERROR = undef; + $CURRENT_SSL_OBJECT = $self; + my $rv = Net::SSLeay::accept($ssl); + $CURRENT_SSL_OBJECT = undef; + $DEBUG>=3 && DEBUG( "Net::SSLeay::accept -> $rv" ); + if ( $rv < 0 ) { + if ( my $err = $socket->_skip_rw_error( $ssl,$rv )) { + $socket->error("SSL accept attempt failed"); + delete ${*$self}{'_SSL_opening'}; + ${*$socket}{'_SSL_opened'} = -1; + return $socket->fatal_ssl_error(); + } + + # accept failed because handshake needs to be completed + # if socket was non-blocking or no timeout was given return with this error + return if ! defined($timeout); + + # wait until socket is readable or writable + my $rv; + if ( $timeout>0 ) { + my $vec = ''; + vec($vec,$socket->fileno,1) = 1; + $rv = + $SSL_ERROR == SSL_WANT_READ ? select( $vec,undef,undef,$timeout) : + $SSL_ERROR == SSL_WANT_WRITE ? select( undef,$vec,undef,$timeout) : + undef; + } else { + $! = ETIMEDOUT + } + if ( ! $rv ) { + # failed because of timeout, return + $! 
||= ETIMEDOUT; + delete ${*$self}{'_SSL_opening'}; + ${*$socket}{'_SSL_opened'} = -1; + $socket->blocking(1); # was blocking before + return + } + + # socket is ready, try non-blocking accept again after recomputing timeout + my $now = time(); + $timeout -= $now - $start; + $start = $now; + redo; + + } elsif ( $rv == 0 ) { + $socket->error("SSL accept attempt failed because of handshake problems" ); + delete ${*$self}{'_SSL_opening'}; + ${*$socket}{'_SSL_opened'} = -1; + return $socket->fatal_ssl_error(); + } + } + + $DEBUG>=2 && DEBUG('handshake done, socket ready' ); + # socket opened + delete ${*$self}{'_SSL_opening'}; + ${*$socket}{'_SSL_opened'} = 1; + if (defined($timeout)) { + $socket->blocking(1); # reset back to blocking + $! = undef; # reset errors from non-blocking + } + + tie *{$socket}, "IO::Socket::SSL::SSL_HANDLE", $socket; + + return $socket; +} + + +####### I/O subroutines ######################## + +if ($auto_retry) { + *blocking = sub { + my $self = shift; + { @_ && $auto_retry->(${*$self}{_SSL_object} || last, @_); } + return $self->SUPER::blocking(@_); + }; +} + +sub _generic_read { + my ($self, $read_func, undef, $length, $offset) = @_; + my $ssl = ${*$self}{_SSL_object} || return; + my $buffer=\$_[2]; + + $SSL_ERROR = $! = undef; + my ($data,$rwerr) = $read_func->($ssl, $length); + while ( ! defined($data)) { + if ( my $err = $self->_skip_rw_error( $ssl, defined($rwerr) ? $rwerr:-1 )) { + # OpenSSL 1.1.0c+ : EOF can now result in SSL_read returning -1 and SSL_ERROR_SYSCALL + # OpenSSL 3.0 : EOF can now result in SSL_read returning -1 and SSL_ERROR_SSL + if (not $! 
and $err == $Net_SSLeay_ERROR_SSL || $err == $Net_SSLeay_ERROR_SYSCALL) { + # treat as EOF + $data = ''; + last; + } + $self->error("SSL read error"); + } + return; + } + + $length = length($data); + $$buffer = '' if !defined $$buffer; + $offset ||= 0; + if ($offset>length($$buffer)) { + $$buffer.="\0" x ($offset-length($$buffer)); #mimic behavior of read + } + + substr($$buffer, $offset, length($$buffer), $data); + return $length; +} + +sub read { + my $self = shift; + ${*$self}{_SSL_object} && return _generic_read($self, + $self->blocking ? \&Net::SSLeay::ssl_read_all : \&Net::SSLeay::read, + @_ + ); + + # fall back to plain read if we are not required to use SSL yet + return $self->SUPER::read(@_); +} + +# contrary to the behavior of read sysread can read partial data +sub sysread { + my $self = shift; + ${*$self}{_SSL_object} && return _generic_read( $self, + \&Net::SSLeay::read, @_ ); + + # fall back to plain sysread if we are not required to use SSL yet + my $rv = $self->SUPER::sysread(@_); + return $rv; +} + +sub peek { + my $self = shift; + ${*$self}{_SSL_object} && return _generic_read( $self, + \&Net::SSLeay::peek, @_ ); + + # fall back to plain peek if we are not required to use SSL yet + # emulate peek with recv(...,MS_PEEK) - peek(buf,len,offset) + return if ! defined recv($self,my $buf,$_[1],MSG_PEEK); + $_[0] = $_[2] ? substr($_[0],0,$_[2]).$buf : $buf; + return length($buf); +} + + +sub _generic_write { + my ($self, $write_all, undef, $length, $offset) = @_; + + my $ssl = ${*$self}{_SSL_object} || return; + my $buffer = \$_[2]; + + my $buf_len = length($$buffer); + $length ||= $buf_len; + $offset ||= 0; + return $self->_internal_error("Invalid offset for SSL write",9) + if $offset>$buf_len; + return 0 if ($offset == $buf_len); + + $SSL_ERROR = $! = undef; + my $written; + if ( $write_all ) { + my $data = $length < $buf_len-$offset ? 
substr($$buffer, $offset, $length) : $$buffer; + ($written, my $errs) = Net::SSLeay::ssl_write_all($ssl, $data); + # ssl_write_all returns number of bytes written + $written = undef if ! $written && $errs; + } else { + $written = Net::SSLeay::write_partial( $ssl,$offset,$length,$$buffer ); + # write_partial does SSL_write which returns -1 on error + $written = undef if $written <= 0; + } + if ( !defined($written) ) { + if ( my $err = $self->_skip_rw_error( $ssl,-1 )) { + # if $! is not set with ERROR_SYSCALL then report as EPIPE + $! ||= EPIPE if $err == $Net_SSLeay_ERROR_SYSCALL; + $self->error("SSL write error ($err)"); + } + return; + } + + return $written; +} + +# if socket is blocking write() should return only on error or +# if all data are written +sub write { + my $self = shift; + ${*$self}{_SSL_object} && return _generic_write( $self, + scalar($self->blocking),@_ ); + + # fall back to plain write if we are not required to use SSL yet + return $self->SUPER::write(@_); +} + +# contrary to write syswrite() returns already if only +# a part of the data is written +sub syswrite { + my $self = shift; + ${*$self}{_SSL_object} && return _generic_write($self,0,@_); + + # fall back to plain syswrite if we are not required to use SSL yet + return $self->SUPER::syswrite(@_); +} + +sub print { + my $self = shift; + my $string = join(($, or ''), @_, ($\ or '')); + return $self->write( $string ); +} + +sub printf { + my ($self,$format) = (shift,shift); + return $self->write(sprintf($format, @_)); +} + +sub getc { + my ($self, $buffer) = (shift, undef); + return $buffer if $self->read($buffer, 1, 0); +} + +sub readline { + my $self = shift; + ${*$self}{_SSL_object} or return $self->SUPER::getline; + + if ( not defined $/ or wantarray) { + # read all and split + + my $buf = ''; + while (1) { + my $rv = $self->sysread($buf,2**16,length($buf)); + if ( ! defined $rv ) { + next if $! == EINTR; # retry + last if $! == EWOULDBLOCK || $! 
== EAGAIN; # use everything so far + return; # return error + } elsif ( ! $rv ) { + last + } + } + + if ( ! defined $/ ) { + return $buf + } elsif ( ref($/)) { + my $size = ${$/}; + die "bad value in ref \$/: $size" unless $size>0; + return $buf=~m{\G(.{1,$size})}g; + } elsif ( $/ eq '' ) { + return $buf =~m{\G(.*\n\n+|.+)}g; + } else { + return $buf =~m{\G(.*$/|.+)}g; + } + } + + # read only one line + if ( ref($/) ) { + my $size = ${$/}; + # read record of $size bytes + die "bad value in ref \$/: $size" unless $size>0; + my $buf = ''; + while ( $size>length($buf)) { + my $rv = $self->sysread($buf,$size-length($buf),length($buf)); + if ( ! defined $rv ) { + next if $! == EINTR; # retry + last if $! == EWOULDBLOCK || $! == EAGAIN; # use everything so far + return; # return error + } elsif ( ! $rv ) { + last + } + } + return $buf; + } + + my ($delim0,$delim1) = $/ eq '' ? ("\n\n","\n"):($/,''); + + # find first occurrence of $delim0 followed by as much as possible $delim1 + my $buf = ''; + my $eod = 0; # pointer into $buf after $delim0 $delim1* + my $ssl = $self->_get_ssl_object or return; + while (1) { + + # wait until we have more data or eof + my $poke = Net::SSLeay::peek($ssl,1); + if ( ! defined $poke or $poke eq '' ) { + next if $! == EINTR; + } + + my $skip = 0; + + # peek into available data w/o reading + my $pending = Net::SSLeay::pending($ssl); + if ( $pending and + ( my $pb = Net::SSLeay::peek( $ssl,$pending )) ne '' ) { + $buf .= $pb + } else { + return $buf eq '' ? 
():$buf; + } + if ( !$eod ) { + my $pos = index( $buf,$delim0 ); + if ( $pos<0 ) { + $skip = $pending + } else { + $eod = $pos + length($delim0); # pos after delim0 + } + } + + if ( $eod ) { + if ( $delim1 ne '' ) { + # delim0 found, check for as much delim1 as possible + while ( index( $buf,$delim1,$eod ) == $eod ) { + $eod+= length($delim1); + } + } + $skip = $pending - ( length($buf) - $eod ); + } + + # remove data from $self which I already have in buf + while ( $skip>0 ) { + if ($self->sysread(my $p,$skip,0)) { + $skip -= length($p); + next; + } + $! == EINTR or last; + } + + if ( $eod and ( $delim1 eq '' or $eod < length($buf))) { + # delim0 found and there can be no more delim1 pending + last + } + } + return substr($buf,0,$eod); +} + +sub close { + my $self = shift || return _invalid_object(); + my $close_args = (ref($_[0]) eq 'HASH') ? $_[0] : {@_}; + + return if ! $self->stop_SSL( + SSL_fast_shutdown => 1, + %$close_args, + _SSL_ioclass_downgrade => 0, + ); + + if ( ! $close_args->{_SSL_in_DESTROY} ) { + untie( *$self ); + undef ${*$self}{_SSL_fileno}; + return $self->SUPER::close; + } + return 1; +} + +sub is_SSL { + my $self = pop; + return ${*$self}{_SSL_object} && 1 +} + +sub stop_SSL { + my $self = shift || return _invalid_object(); + my $stop_args = (ref($_[0]) eq 'HASH') ? $_[0] : {@_}; + $stop_args->{SSL_no_shutdown} = 1 if ! ${*$self}{_SSL_opened}; + + if (my $ssl = ${*$self}{'_SSL_object'}) { + if (delete ${*$self}{'_SSL_opening'}) { + # just destroy the object further below + } elsif ( ! $stop_args->{SSL_no_shutdown} ) { + my $status = Net::SSLeay::get_shutdown($ssl); + + my $timeout = + not($self->blocking) ? undef : + exists $stop_args->{Timeout} ? 
$stop_args->{Timeout} : + ${*$self}{io_socket_timeout}; # from IO::Socket + if ($timeout) { + $self->blocking(0); + $timeout += time(); + } + + while (1) { + if ( $status & SSL_SENT_SHUTDOWN and + # don't care for received if fast shutdown + $status & SSL_RECEIVED_SHUTDOWN + || $stop_args->{SSL_fast_shutdown}) { + # shutdown complete + last; + } + if ((${*$self}{'_SSL_opened'}||0) <= 0) { + # not really open, thus don't expect shutdown to return + # something meaningful + last; + } + + # initiate or complete shutdown + local $SIG{PIPE} = 'IGNORE'; + $SSL_ERROR = $! = undef; + my $rv = Net::SSLeay::shutdown($ssl); + if ( $rv < 0 ) { + # non-blocking socket? + if ( ! $timeout ) { + if ( my $err = $self->_skip_rw_error( $ssl, $rv )) { + # if $! is not set with ERROR_SYSCALL then report as EPIPE + $! ||= EPIPE if $err == $Net_SSLeay_ERROR_SYSCALL; + $self->error("SSL shutdown error ($err)"); + } + # need to try again + return; + } + + # don't use _skip_rw_error so that existing error does + # not get cleared + my $wait = $timeout - time(); + last if $wait<=0; + vec(my $vec = '',fileno($self),1) = 1; + my $err = Net::SSLeay::get_error($ssl,$rv); + if ( $err == $Net_SSLeay_ERROR_WANT_READ) { + select($vec,undef,undef,$wait) + } elsif ( $err == $Net_SSLeay_ERROR_WANT_READ) { + select(undef,$vec,undef,$wait) + } else { + last; + } + } + + $status |= SSL_SENT_SHUTDOWN; + $status |= SSL_RECEIVED_SHUTDOWN if $rv>0; + } + $self->blocking(1) if $timeout; + } + + # destroy allocated objects for SSL and untie + # do not destroy CTX unless explicitly specified + Net::SSLeay::free($ssl); + if (my $cert = delete ${*$self}{'_SSL_certificate'}) { + Net::SSLeay::X509_free($cert); + } + delete ${*$self}{_SSL_object}; + ${*$self}{'_SSL_opened'} = 0; + delete $SSL_OBJECT{$ssl}; + delete $CREATED_IN_THIS_THREAD{$ssl}; + untie(*$self); + } + + if ($stop_args->{'SSL_ctx_free'}) { + my $ctx = delete ${*$self}{'_SSL_ctx'}; + $ctx && $ctx->DESTROY(); + } + + + if ( ! 
$stop_args->{_SSL_in_DESTROY} ) {
+
+ my $downgrade = $stop_args->{_SSL_ioclass_downgrade};
+ if ( $downgrade || ! defined $downgrade ) {
+ # rebless to original class from start_SSL
+ if ( my $orig_class = delete ${*$self}{'_SSL_ioclass_upgraded'} ) {
+ bless $self,$orig_class;
+ # FIXME: if original class was tied too we need to restore the tie
+ # remove all _SSL related from *$self
+ my @sslkeys = grep { m{^_?SSL_} } keys %{*$self};
+ delete @{*$self}{@sslkeys} if @sslkeys;
+ }
+ }
+ }
+ return 1;
+}
+
+
+sub fileno {
+ my $self = shift;
+ my $fn = ${*$self}{'_SSL_fileno'};
+ return defined($fn) ? $fn : $self->SUPER::fileno();
+}
+
+
+####### IO::Socket::SSL specific functions #######
+# _get_ssl_object is for internal use ONLY!
+sub _get_ssl_object {
+ my $self = shift;
+ return ${*$self}{'_SSL_object'} ||
+ IO::Socket::SSL->_internal_error("Undefined SSL object",9);
+}
+
+# _get_ctx_object is for internal use ONLY!
+sub _get_ctx_object {
+ my $self = shift;
+ my $ctx_object = ${*$self}{_SSL_ctx};
+ return $ctx_object && $ctx_object->{context};
+}
+
+# default error for undefined arguments
+sub _invalid_object {
+ return IO::Socket::SSL->_internal_error("Undefined IO::Socket::SSL object",9);
+}
+
+
+sub pending {
+ my $ssl = shift()->_get_ssl_object || return;
+ return Net::SSLeay::pending($ssl);
+}
+
+sub start_SSL {
+ my ($class,$socket) = (shift,shift);
+ return $class->_internal_error("Not a socket",9) if ! ref($socket);
+ my $arg_hash = @_ == 1 ? $_[0] : {@_};
+ my %to = exists $arg_hash->{Timeout} ? ( Timeout => delete $arg_hash->{Timeout} ) :();
+ my $original_class = ref($socket);
+ if ( ! $original_class ) {
+ $socket = ($original_class = $ISA[0])->new_from_fd($socket,'<+')
+ or return $class->_internal_error(
+ "creating $original_class from file handle failed",9);
+ }
+ my $original_fileno = (UNIVERSAL::can($socket, "fileno"))
+ ? $socket->fileno : CORE::fileno($socket);
+ return $class->_internal_error("Socket has no fileno",9)
+ if !
defined $original_fileno;
+
+ bless $socket, $class;
+ $socket->configure_SSL($arg_hash) or bless($socket, $original_class) && return;
+
+ ${*$socket}{'_SSL_fileno'} = $original_fileno;
+ ${*$socket}{'_SSL_ioclass_upgraded'} = $original_class
+ if $class ne $original_class;
+
+ my $start_handshake = $arg_hash->{SSL_startHandshake};
+ if ( ! defined($start_handshake) || $start_handshake ) {
+ # if we have no callback force blocking mode
+ $DEBUG>=2 && DEBUG( "start handshake" );
+ my $was_blocking = $socket->blocking(1);
+ my $result = ${*$socket}{'_SSL_arguments'}{SSL_server}
+ ? $socket->accept_SSL(%to)
+ : $socket->connect_SSL(%to);
+ if ( $result ) {
+ $socket->blocking(0) if ! $was_blocking;
+ return $socket;
+ } else {
+ # upgrade to SSL failed, downgrade socket to original class
+ if ( $original_class ) {
+ bless($socket,$original_class);
+ $socket->blocking(0) if ! $was_blocking
+ && $socket->can('blocking');
+ }
+ return;
+ }
+ } else {
+ $DEBUG>=2 && DEBUG( "don't start handshake: $socket" );
+ return $socket; # just return upgraded socket
+ }
+
+}
+
+sub new_from_fd {
+ my ($class, $fd) = (shift,shift);
+ # Check for accidental inclusion of MODE in the argument list
+ if (length($_[0]) < 4) {
+ (my $mode = $_[0]) =~ tr/+<>//d;
+ shift unless length($mode);
+ }
+ my $handle = $ISA[0]->new_from_fd($fd, '+<')
+ || return($class->error("Could not create socket from file descriptor."));
+
+ # Annoying workaround for Perl 5.6.1 and below:
+ $handle = $ISA[0]->new_from_fd($handle, '+<');
+
+ return $class->start_SSL($handle, @_);
+}
+
+
+sub dump_peer_certificate {
+ my $ssl = shift()->_get_ssl_object || return;
+ return Net::SSLeay::dump_peer_certificate($ssl);
+}
+
+if ( defined &Net::SSLeay::get_peer_cert_chain
+ && $netssleay_version >= 1.58 ) {
+ *peer_certificates = sub {
+ my $self = shift;
+ my $ssl = $self->_get_ssl_object || return;
+ my @chain = Net::SSLeay::get_peer_cert_chain($ssl);
+ @chain = () if @chain && !$self->peer_certificate; # work around
#96013
+ if ( ${*$self}{_SSL_arguments}{SSL_server} ) {
+ # in the client case the chain contains the peer certificate,
+ # in the server case not
+ # this one has an increased reference counter, the other not
+ if ( my $peer = Net::SSLeay::get_peer_certificate($ssl)) {
+ Net::SSLeay::X509_free($peer);
+ unshift @chain, $peer;
+ }
+ }
+ return @chain;
+
+ }
+} else {
+ *peer_certificates = sub {
+ die "peer_certificates needs Net::SSLeay>=1.58";
+ }
+}
+
+{
+ my %dispatcher = (
+ issuer => sub { Net::SSLeay::X509_NAME_oneline( Net::SSLeay::X509_get_issuer_name( shift )) },
+ subject => sub { Net::SSLeay::X509_NAME_oneline( Net::SSLeay::X509_get_subject_name( shift )) },
+ commonName => sub {
+ my $cn = Net::SSLeay::X509_NAME_get_text_by_NID(
+ Net::SSLeay::X509_get_subject_name( shift ), NID_CommonName);
+ $cn;
+ },
+ subjectAltNames => sub { Net::SSLeay::X509_get_subjectAltNames( shift ) },
+ );
+
+ # alternative names
+ $dispatcher{authority} = $dispatcher{issuer};
+ $dispatcher{owner} = $dispatcher{subject};
+ $dispatcher{cn} = $dispatcher{commonName};
+
+ sub peer_certificate {
+ my ($self,$field,$reload) = @_;
+ my $ssl = $self->_get_ssl_object or return;
+
+ Net::SSLeay::X509_free(delete ${*$self}{_SSL_certificate})
+ if $reload && ${*$self}{_SSL_certificate};
+ my $cert = ${*$self}{_SSL_certificate}
+ ||= Net::SSLeay::get_peer_certificate($ssl)
+ or return $self->error("Could not retrieve peer certificate");
+
+ if ($field) {
+ my $sub = $dispatcher{$field} or croak
+ "invalid argument for peer_certificate, valid are: ".join( " ",keys %dispatcher ).
+ "\nMaybe you need to upgrade your Net::SSLeay";
+ return $sub->($cert);
+ } else {
+ return $cert
+ }
+ }
+
+ sub sock_certificate {
+ my ($self,$field) = @_;
+ my $ssl = $self->_get_ssl_object || return;
+ my $cert = Net::SSLeay::get_certificate( $ssl ) || return;
+ if ($field) {
+ my $sub = $dispatcher{$field} or croak
+ "invalid argument for sock_certificate, valid are: ".join( " ",keys %dispatcher ).
+ "\nMaybe you need to upgrade your Net::SSLeay";
+ return $sub->($cert);
+ } else {
+ return $cert
+ }
+ }
+
+
+ # known schemes, possible attributes are:
+ # - wildcards_in_alt (0, 'full_label', 'anywhere')
+ # - wildcards_in_cn (0, 'full_label', 'anywhere')
+ # - check_cn (0, 'always', 'when_only')
+ # unfortunately there are a lot of different schemes used, see RFC 6125 for a
+ # summary, which references all of the following except RFC4217/ftp
+
+ my %scheme = (
+ none => {}, # do not check
+ # default set is a superset of all the others and thus worse than a more
+ # specific set, but much better than not verifying name at all
+ default => {
+ wildcards_in_cn => 'anywhere',
+ wildcards_in_alt => 'anywhere',
+ check_cn => 'always',
+ ip_in_cn => 1,
+ },
+ );
+
+ for(qw(
+ rfc2818
+ rfc3920 xmpp
+ rfc4217 ftp
+ )) {
+ $scheme{$_} = {
+ wildcards_in_cn => 'anywhere',
+ wildcards_in_alt => 'anywhere',
+ check_cn => 'when_only',
+ }
+ }
+
+ for(qw(www http)) {
+ $scheme{$_} = {
+ wildcards_in_cn => 'anywhere',
+ wildcards_in_alt => 'anywhere',
+ check_cn => 'when_only',
+ ip_in_cn => 4,
+ }
+ }
+
+ for(qw(
+ rfc4513 ldap
+ )) {
+ $scheme{$_} = {
+ wildcards_in_cn => 0,
+ wildcards_in_alt => 'full_label',
+ check_cn => 'always',
+ };
+ }
+
+ for(qw(
+ rfc2595 smtp
+ rfc4642 imap pop3 acap
+ rfc5539 nntp
+ rfc5538 netconf
+ rfc5425 syslog
+ rfc5953 snmp
+ )) {
+ $scheme{$_} = {
+ wildcards_in_cn => 'full_label',
+ wildcards_in_alt => 'full_label',
+ check_cn => 'always'
+ };
+ }
+ for(qw(
+ rfc5971 gist
+ )) {
+ $scheme{$_} = {
+ wildcards_in_cn => 'full_label',
+ wildcards_in_alt => 'full_label',
+ check_cn => 'when_only',
+ };
+ }
+
+ for(qw(
+ rfc5922 sip
+ )) {
+ $scheme{$_} = {
+ wildcards_in_cn => 0,
+ wildcards_in_alt => 0,
+ check_cn => 'always',
+ };
+ }
+
+
+ # function to verify the hostname
+ #
+ # as every application protocol has its own rules to do this
+ # we provide some default rules as well as a user-defined
+ # callback
+
+ sub
verify_hostname_of_cert {
+ my $identity = shift;
+ my $cert = shift;
+ my $scheme = shift || 'default';
+ my $publicsuffix = shift;
+ if ( ! ref($scheme) ) {
+ $DEBUG>=3 && DEBUG( "scheme=$scheme cert=$cert" );
+ $scheme = $scheme{$scheme} || croak("scheme $scheme not defined");
+ }
+
+ return 1 if ! %$scheme; # 'none'
+ $identity =~s{\.+$}{}; # ignore absolutism
+
+ # get data from certificate
+ my $commonName = $dispatcher{cn}->($cert);
+ my @altNames = $dispatcher{subjectAltNames}->($cert);
+ $DEBUG>=3 && DEBUG("identity=$identity cn=$commonName alt=@altNames" );
+
+ if ( my $sub = $scheme->{callback} ) {
+ # use custom callback
+ return $sub->($identity,$commonName,@altNames);
+ }
+
+ # is the given hostname an IP address? Then we have to convert to network byte order [RFC791][RFC2460]
+
+ my $ipn;
+ if ( CAN_IPV6 and $identity =~m{:} ) {
+ # no IPv4 or hostname have ':' in it, try IPv6.
+ $identity =~m{[^\da-fA-F:\.]} and return; # invalid characters in name
+ $ipn = inet_pton(AF_INET6,$identity) or return; # invalid name
+ } elsif ( my @ip = $identity =~m{^(\d+)(?:\.(\d+)\.(\d+)\.(\d+)|[\d\.]*)$} ) {
+ # check for invalid IP/hostname
+ return if 4 != @ip or 4 != grep { defined($_) && $_<256 } @ip;
+ $ipn = pack("CCCC",@ip);
+ } else {
+ # assume hostname, check for umlauts etc
+ if ( $identity =~m{[^a-zA-Z0-9_.\-]} ) {
+ $identity =~m{\0} and return; # $identity has \\0 byte
+ $identity = idn_to_ascii($identity)
+ or return; # conversation to IDNA failed
+ $identity =~m{[^a-zA-Z0-9_.\-]}
+ and return; # still junk inside
+ }
+ }
+
+ # do the actual verification
+ my $check_name = sub {
+ my ($name,$identity,$wtyp,$publicsuffix) = @_;
+ $name =~s{\.+$}{}; # ignore absolutism
+ $name eq '' and return;
+ $wtyp ||= '';
+ my $pattern;
+ ### IMPORTANT!
+ # We accept only a single wildcard and only for a single part of the FQDN
+ # e.g.
*.example.org does match www.example.org but not bla.www.example.org
+ # The RFCs are in this regard unspecific but we don't want to have to
+ # deal with certificates like *.com, *.co.uk or even *
+ # see also http://nils.toedtmann.net/pub/subjectAltName.txt .
+ # Also, we fall back to full_label matches if the identity is an IDNA
+ # name, see RFC6125 and the discussion at
+ # http://bugs.python.org/issue17997#msg194950
+ if ( $wtyp eq 'anywhere' and $name =~m{^([a-zA-Z0-9_\-]*)\*(.+)} ) {
+ return if $1 ne '' and substr($identity,0,4) eq 'xn--'; # IDNA
+ $pattern = qr{^\Q$1\E[a-zA-Z0-9_\-]+\Q$2\E$}i;
+ } elsif ( $wtyp =~ m{^(?:full_label|leftmost)$}
+ and $name =~m{^\*(\..+)$} ) {
+ $pattern = qr{^[a-zA-Z0-9_\-]+\Q$1\E$}i;
+ } else {
+ return lc($identity) eq lc($name);
+ }
+ if ( $identity =~ $pattern ) {
+ $publicsuffix = IO::Socket::SSL::PublicSuffix->default
+ if ! defined $publicsuffix;
+ return 1 if $publicsuffix eq '';
+ my @labels = split( m{\.+}, $identity );
+ my $tld = $publicsuffix->public_suffix(\@labels,+1);
+ return 1 if @labels > ( $tld ? 0+@$tld : 1 );
+ }
+ return;
+ };
+
+
+ my $alt_dnsNames = 0;
+ while (@altNames) {
+ my ($type, $name) = splice (@altNames, 0, 2);
+ if ( $ipn and $type == GEN_IPADD ) {
+ # exact match needed for IP
+ # $name is already packed format (inet_xton)
+ return 1 if $ipn eq $name;
+
+ } elsif ( ! $ipn and $type == GEN_DNS ) {
+ $name =~s/\s+$//; $name =~s/^\s+//;
+ $alt_dnsNames++;
+ $check_name->($name,$identity,$scheme->{wildcards_in_alt},$publicsuffix)
+ and return 1;
+ }
+ }
+
+ if ( $scheme->{check_cn} eq 'always' or
+ $scheme->{check_cn} eq 'when_only' and !$alt_dnsNames ) {
+ if ( ! $ipn ) {
+ $check_name->($commonName,$identity,$scheme->{wildcards_in_cn},$publicsuffix)
+ and return 1;
+ } elsif ( $scheme->{ip_in_cn} ) {
+ if ( $identity eq $commonName ) {
+ return 1 if
+ $scheme->{ip_in_cn} == 4 ? length($ipn) == 4 :
+ $scheme->{ip_in_cn} == 6 ?
length($ipn) == 16 :
+ 1;
+ }
+ }
+ }
+
+ return 0; # no match
+ }
+}
+
+sub verify_hostname {
+ my $self = shift;
+ my $host = shift;
+ my $cert = $self->peer_certificate;
+ return verify_hostname_of_cert( $host,$cert,@_ );
+}
+
+
+sub get_servername {
+ my $self = shift;
+ return ${*$self}{_SSL_servername} ||= do {
+ my $ssl = $self->_get_ssl_object or return;
+ Net::SSLeay::get_servername($ssl);
+ };
+}
+
+sub get_fingerprint_bin {
+ my ($self,$algo,$cert,$key_only) = @_;
+ $cert ||= $self->peer_certificate;
+ return $key_only
+ ? Net::SSLeay::X509_pubkey_digest($cert, $algo2digest->($algo || 'sha256'))
+ : Net::SSLeay::X509_digest($cert, $algo2digest->($algo || 'sha256'));
+}
+
+sub get_fingerprint {
+ my ($self,$algo,$cert,$key_only) = @_;
+ $algo ||= 'sha256';
+ my $fp = get_fingerprint_bin($self,$algo,$cert,$key_only) or return;
+ return $algo.'$'.($key_only ? 'pub$':'').unpack('H*',$fp);
+}
+
+sub get_cipher {
+ my $ssl = shift()->_get_ssl_object || return;
+ return Net::SSLeay::get_cipher($ssl);
+}
+
+sub get_sslversion {
+ my $ssl = shift()->_get_ssl_object || return;
+ my $version = Net::SSLeay::version($ssl) or return;
+ return
+ $version == 0x0304 ? 'TLSv1_3' :
+ $version == 0x0303 ? 'TLSv1_2' :
+ $version == 0x0302 ? 'TLSv1_1' :
+ $version == 0x0301 ? 'TLSv1' :
+ $version == 0x0300 ? 'SSLv3' :
+ $version == 0x0002 ? 'SSLv2' :
+ $version == 0xfeff ? 'DTLS1' :
+ undef;
+}
+
+sub get_sslversion_int {
+ my $ssl = shift()->_get_ssl_object || return;
+ return Net::SSLeay::version($ssl);
+}
+
+sub get_session_reused {
+ return Net::SSLeay::session_reused(
+ shift()->_get_ssl_object || return);
+}
+
+if ($can_ocsp) {
+ no warnings 'once';
+ *ocsp_resolver = sub {
+ my $self = shift;
+ my $ssl = $self->_get_ssl_object || return;
+ my $ctx = ${*$self}{_SSL_ctx};
+ return IO::Socket::SSL::OCSP_Resolver->new(
+ $ssl,
+ $ctx->{ocsp_cache} ||= IO::Socket::SSL::OCSP_Cache->new,
+ $ctx->{ocsp_mode} & SSL_OCSP_FAIL_HARD,
+ @_ ?
\@_ :
+ $ctx->{ocsp_mode} & SSL_OCSP_FULL_CHAIN ? [ $self->peer_certificates ]:
+ [ $self->peer_certificate ]
+ );
+ };
+}
+
+sub errstr {
+ my $self = shift;
+ my $oe = ref($self) && ${*$self}{_SSL_last_err};
+ return $oe ? $oe->[0] : $SSL_ERROR || '';
+}
+
+sub fatal_ssl_error {
+ my $self = shift;
+ my $error_trap = ${*$self}{'_SSL_arguments'}->{'SSL_error_trap'};
+ $@ = $self->errstr;
+ my $saved_error = $SSL_ERROR;
+ if (defined $error_trap and ref($error_trap) eq 'CODE') {
+ $error_trap->($self, $self->errstr()."\n".$self->get_ssleay_error());
+ } elsif ( ${*$self}{'_SSL_ioclass_upgraded'}
+ || ${*$self}{_SSL_arguments}{SSL_keepSocketOnError}) {
+ # downgrade only
+ $DEBUG>=3 && DEBUG('downgrading SSL only, not closing socket' );
+ $self->stop_SSL;
+ } else {
+ # kill socket
+ $self->close
+ }
+ $SSL_ERROR = $saved_error if $saved_error;
+ return;
+}
+
+sub get_ssleay_error {
+ #Net::SSLeay will print out the errors itself unless we explicitly
+ #undefine $Net::SSLeay::trace while running print_errs()
+ local $Net::SSLeay::trace;
+ return Net::SSLeay::print_errs('SSL error: ') || '';
+}
+
+# internal errors, e.g. unsupported features, hostname check failed etc
+# _SSL_last_err contains severity so that on error chains we can decide if one
+# error should replace the previous one or if this is just a less specific
+# follow-up error, e.g. configuration failed because certificate failed because
+# hostname check went wrong:
+# 0 - fallback errors
+# 4 - errors bubbled up from OpenSSL (sub error, r/w error)
+# 5 - hostname or OCSP verification failed
+# 9 - fatal problems, e.g. missing feature, no fileno...
+# _SSL_last_err and SSL_ERROR are only replaced if the error has a higher
+# severity than the previous one
+
+sub _internal_error {
+ my ($self, $error, $severity) = @_;
+ $error = dualvar( -1, $error );
+ $self = $CURRENT_SSL_OBJECT if !ref($self) && $CURRENT_SSL_OBJECT;
+ if (ref($self)) {
+ my $oe = ${*$self}{_SSL_last_err};
+ if (!$oe || $oe->[1] <= $severity) {
+ ${*$self}{_SSL_last_err} = [$error,$severity];
+ $SSL_ERROR = $error;
+ $DEBUG && DEBUG("local error: $error");
+ } else {
+ $DEBUG && DEBUG("ignoring less severe local error '$error', keep '$oe->[0]'");
+ }
+ } else {
+ $SSL_ERROR = $error;
+ $DEBUG && DEBUG("global error: $error");
+ }
+ return;
+}
+
+# OpenSSL errors
+sub error {
+ my ($self, $error) = @_;
+ my @err;
+ while ( my $err = Net::SSLeay::ERR_get_error()) {
+ push @err, Net::SSLeay::ERR_error_string($err);
+ $DEBUG>=2 && DEBUG( $error."\n".$self->get_ssleay_error());
+ }
+ $error .= ' '.join(' ',@err) if @err;
+ return $self->_internal_error($error,4) if $error;
+ return;
+}
+
+sub _errstack {
+ my @err;
+ while (my $err = Net::SSLeay::ERR_get_error()) {
+ push @err, Net::SSLeay::ERR_error_string($err);
+ }
+ return @err;
+}
+
+sub can_client_sni { return $can_client_sni }
+sub can_server_sni { return $can_server_sni }
+sub can_multi_cert { return $can_multi_cert }
+sub can_npn { return $can_npn }
+sub can_alpn { return $can_alpn }
+sub can_ecdh { return $can_ecdh }
+sub can_ipv6 { return CAN_IPV6 }
+sub can_ocsp { return $can_ocsp }
+sub can_ticket_keycb { return $can_tckt_keycb }
+sub can_pha { return $can_pha }
+sub can_partial_chain { return $check_partial_chain && 1 }
+
+sub DESTROY {
+ my $self = shift or return;
+ if (my $ssl = ${*$self}{_SSL_object}) {
+ delete $SSL_OBJECT{$ssl};
+ if (!$use_threads or delete $CREATED_IN_THIS_THREAD{$ssl}) {
+ $self->close(_SSL_in_DESTROY => 1, SSL_no_shutdown => 1);
+ }
+ }
+ delete @{*$self}{@all_my_keys};
+}
+
+
+#######Extra Backwards Compatibility Functionality#######
+sub socket_to_SSL {
IO::Socket::SSL->start_SSL(@_); }
+sub socketToSSL { IO::Socket::SSL->start_SSL(@_); }
+sub kill_socket { shift->close }
+
+sub issuer_name { return(shift()->peer_certificate("issuer")) }
+sub subject_name { return(shift()->peer_certificate("subject")) }
+sub get_peer_certificate { return shift() }
+
+sub context_init {
+ return($GLOBAL_SSL_ARGS = (ref($_[0]) eq 'HASH') ? $_[0] : {@_});
+}
+
+sub set_default_context {
+ $GLOBAL_SSL_ARGS->{'SSL_reuse_ctx'} = shift;
+}
+
+sub set_default_session_cache {
+ $GLOBAL_SSL_ARGS->{SSL_session_cache} = shift;
+}
+
+
+{
+ my $set_defaults = sub {
+ my $args = shift;
+ for(my $i=0;$i<@$args;$i+=2 ) {
+ my ($k,$v) = @{$args}[$i,$i+1];
+ if ( $k =~m{^SSL_} ) {
+ $_->{$k} = $v for(@_);
+ } elsif ( $k =~m{^(name|scheme)$} ) {
+ $_->{"SSL_verifycn_$k"} = $v for (@_);
+ } elsif ( $k =~m{^(callback|mode)$} ) {
+ $_->{"SSL_verify_$k"} = $v for(@_);
+ } else {
+ $_->{"SSL_$k"} = $v for(@_);
+ }
+ }
+ };
+ sub set_defaults {
+ my %args = @_;
+ $set_defaults->(\@_,
+ $GLOBAL_SSL_ARGS,
+ $GLOBAL_SSL_CLIENT_ARGS,
+ $GLOBAL_SSL_SERVER_ARGS
+ );
+ }
+ { # deprecated API
+ no warnings;
+ *set_ctx_defaults = \&set_defaults;
+ }
+ sub set_client_defaults {
+ my %args = @_;
+ $set_defaults->(\@_, $GLOBAL_SSL_CLIENT_ARGS );
+ }
+ sub set_server_defaults {
+ my %args = @_;
+ $set_defaults->(\@_, $GLOBAL_SSL_SERVER_ARGS );
+ }
+}
+
+sub set_args_filter_hack {
+ my $sub = shift;
+ if ( ref $sub ) {
+ $FILTER_SSL_ARGS = $sub;
+ } elsif ( $sub eq 'use_defaults' ) {
+ # override args with defaults
+ $FILTER_SSL_ARGS = sub {
+ my ($is_server,$args) = @_;
+ %$args = ( %$args, $is_server
+ ? ( %DEFAULT_SSL_SERVER_ARGS, %$GLOBAL_SSL_SERVER_ARGS )
+ : ( %DEFAULT_SSL_CLIENT_ARGS, %$GLOBAL_SSL_CLIENT_ARGS )
+ );
+ }
+ }
+}
+
+sub next_proto_negotiated {
+ my $self = shift;
+ return $self->_internal_error("NPN not supported in Net::SSLeay",9) if !
$can_npn;
+ my $ssl = $self->_get_ssl_object || return;
+ return Net::SSLeay::P_next_proto_negotiated($ssl);
+}
+
+sub alpn_selected {
+ my $self = shift;
+ return $self->_internal_error("ALPN not supported in Net::SSLeay",9) if ! $can_alpn;
+ my $ssl = $self->_get_ssl_object || return;
+ return Net::SSLeay::P_alpn_selected($ssl);
+}
+
+sub opened {
+ my $self = shift;
+ return IO::Handle::opened($self) && ${*$self}{'_SSL_opened'};
+}
+
+sub opening {
+ my $self = shift;
+ return ${*$self}{'_SSL_opening'};
+}
+
+sub want_read { shift->errstr == SSL_WANT_READ }
+sub want_write { shift->errstr == SSL_WANT_WRITE }
+
+
+#Redundant IO::Handle functionality
+sub getline { return(scalar shift->readline()) }
+sub getlines {
+ return(shift->readline()) if wantarray();
+ croak("Use of getlines() not allowed in scalar context");
+}
+
+#Useless IO::Handle functionality
+sub truncate { croak("Use of truncate() not allowed with SSL") }
+sub stat { croak("Use of stat() not allowed with SSL" ) }
+sub setbuf { croak("Use of setbuf() not allowed with SSL" ) }
+sub setvbuf { croak("Use of setvbuf() not allowed with SSL" ) }
+sub fdopen { croak("Use of fdopen() not allowed with SSL" ) }
+
+#Unsupported socket functionality
+sub ungetc { croak("Use of ungetc() not implemented in IO::Socket::SSL") }
+sub send { croak("Use of send() not implemented in IO::Socket::SSL; use print/printf/syswrite instead") }
+sub recv { croak("Use of recv() not implemented in IO::Socket::SSL; use read/sysread instead") }
+
+package IO::Socket::SSL::SSL_HANDLE;
+use strict;
+use Errno 'EBADF';
+*weaken = *IO::Socket::SSL::weaken;
+
+sub TIEHANDLE {
+ my ($class, $handle) = @_;
+ weaken($handle);
+ bless \$handle, $class;
+}
+
+sub READ { ${shift()}->sysread(@_) }
+sub READLINE { ${shift()}->readline(@_) }
+sub GETC { ${shift()}->getc(@_) }
+
+sub PRINT { ${shift()}->print(@_) }
+sub PRINTF { ${shift()}->printf(@_) }
+sub WRITE { ${shift()}->syswrite(@_) }
+
+sub FILENO { ${shift()}->fileno(@_) }
+
+sub TELL
{ $! = EBADF; return -1 }
+sub BINMODE { return 0 } # not perfect, but better than not implementing the method
+
+sub CLOSE { #<---- Do not change this function!
+ my $ssl = ${$_[0]};
+ local @_;
+ $ssl->close();
+}
+
+
+package IO::Socket::SSL::SSL_Context;
+use Carp;
+use strict;
+
+my %CTX_CREATED_IN_THIS_THREAD;
+*DEBUG = *IO::Socket::SSL::DEBUG;
+*_errstack = \&IO::Socket::SSL::_errstack;
+
+use constant SSL_MODE_ENABLE_PARTIAL_WRITE => 1;
+use constant SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER => 2;
+
+use constant FILETYPE_PEM => Net::SSLeay::FILETYPE_PEM();
+use constant FILETYPE_ASN1 => Net::SSLeay::FILETYPE_ASN1();
+
+my $DEFAULT_SSL_OP = &Net::SSLeay::OP_ALL
+ | &Net::SSLeay::OP_SINGLE_DH_USE
+ | ($can_ecdh ? &Net::SSLeay::OP_SINGLE_ECDH_USE : 0);
+
+# Note that the final object will actually be a reference to the scalar
+# (C-style pointer) returned by Net::SSLeay::CTX_*_new() so that
+# it can be blessed.
+sub new {
+ my $class = shift;
+ #DEBUG( "$class @_" );
+ my $arg_hash = (ref($_[0]) eq 'HASH') ? $_[0] : {@_};
+
+ my $is_server = $arg_hash->{SSL_server};
+ my %defaults = $is_server
+ ? (%DEFAULT_SSL_SERVER_ARGS, %$GLOBAL_SSL_ARGS, %$GLOBAL_SSL_SERVER_ARGS)
+ : (%DEFAULT_SSL_CLIENT_ARGS, %$GLOBAL_SSL_ARGS, %$GLOBAL_SSL_CLIENT_ARGS);
+ if ( $defaults{SSL_reuse_ctx} ) {
+ # ignore default context if there are args to override it
+ delete $defaults{SSL_reuse_ctx}
+ if grep { m{^SSL_(?!verifycn_name|hostname)$} } keys %$arg_hash;
+ }
+ %$arg_hash = ( %defaults, %$arg_hash ) if %defaults;
+
+ if (my $ctx = $arg_hash->{'SSL_reuse_ctx'}) {
+ if ($ctx->isa('IO::Socket::SSL::SSL_Context') and
+ $ctx->{context}) {
+ # valid context
+ } elsif ( $ctx = ${*$ctx}{_SSL_ctx} ) {
+ # reuse context from existing SSL object
+ }
+ return $ctx
+ }
+
+ # common problem forgetting to set SSL_use_cert
+ # if client cert is given by user but SSL_use_cert is undef, assume that it
+ # should be set
+ if ( ! $is_server && !
defined $arg_hash->{SSL_use_cert}
+ && ( grep { $arg_hash->{$_} } qw(SSL_cert SSL_cert_file))
+ && ( grep { $arg_hash->{$_} } qw(SSL_key SSL_key_file)) ) {
+ $arg_hash->{SSL_use_cert} = 1
+ }
+
+ # if any of SSL_ca* is set don't set the other SSL_ca*
+ # from defaults
+ if ( $arg_hash->{SSL_ca} ) {
+ $arg_hash->{SSL_ca_file} ||= undef
+ $arg_hash->{SSL_ca_path} ||= undef
+ } elsif ( $arg_hash->{SSL_ca_path} ) {
+ $arg_hash->{SSL_ca_file} ||= undef
+ } elsif ( $arg_hash->{SSL_ca_file} ) {
+ $arg_hash->{SSL_ca_path} ||= undef;
+ }
+
+ # add library defaults
+ $arg_hash->{SSL_use_cert} = $is_server if ! defined $arg_hash->{SSL_use_cert};
+
+
+ # Avoid passing undef arguments to Net::SSLeay
+ defined($arg_hash->{$_}) or delete($arg_hash->{$_}) for(keys %$arg_hash);
+
+ # check SSL CA, cert etc arguments
+ # some apps set keys '' to signal that it is not set, replace with undef
+ for (qw( SSL_cert SSL_cert_file SSL_key SSL_key_file
+ SSL_ca SSL_ca_file SSL_ca_path
+ SSL_fingerprint )) {
+ $arg_hash->{$_} = undef if defined $arg_hash->{$_}
+ and $arg_hash->{$_} eq '';
+ }
+ for(qw(SSL_cert_file SSL_key_file)) {
+ defined( my $file = $arg_hash->{$_} ) or next;
+ for my $f (ref($file) eq 'HASH' ? values(%$file):$file ) {
+ die "$_ $f can't be used: $!" if ! open(my $fh,'<',$f)
+ }
+ }
+
+ my $verify_mode = $arg_hash->{SSL_verify_mode} || 0;
+ if ( $verify_mode != $Net_SSLeay_VERIFY_NONE) {
+ for (qw(SSL_ca_file SSL_ca_path)) {
+ $CHECK_SSL_PATH->($_ => $arg_hash->{$_} || next);
+ }
+ } elsif ( $verify_mode ne '0' ) {
+ # some users use the string 'SSL_VERIFY_PEER' instead of the constant
+ die "SSL_verify_mode must be a number and not a string";
+ }
+
+ my $self = bless {},$class;
+
+ my $vcn_scheme = delete $arg_hash->{SSL_verifycn_scheme};
+ my $vcn_publicsuffix = delete $arg_hash->{SSL_verifycn_publicsuffix};
+ if ( ! $is_server and $verify_mode & 0x01 and
+ !
$vcn_scheme || $vcn_scheme ne 'none' ) {
+
+ # gets updated during configure_SSL
+ my $verify_name;
+ $self->{verify_name_ref} = \$verify_name;
+
+ my $vcb = $arg_hash->{SSL_verify_callback};
+ $arg_hash->{SSL_verify_callback} = sub {
+ my ($ok,$ctx_store,$certname,$error,$cert,$depth) = @_;
+ $ok = $vcb->($ok,$ctx_store,$certname,$error,$cert,$depth) if $vcb;
+ $ok or return 0;
+
+ return $ok if $depth != 0;
+
+ my $host = $verify_name || ref($vcn_scheme) && $vcn_scheme->{callback} && 'unknown';
+ if ( ! $host ) {
+ if ( $vcn_scheme ) {
+ IO::Socket::SSL->_internal_error(
+ "Cannot determine peer hostname for verification",8);
+ return 0;
+ }
+ warn "Cannot determine hostname of peer for verification. ".
+ "Disabling default hostname verification for now. ".
+ "Please specify hostname with SSL_verifycn_name and better set SSL_verifycn_scheme too.\n";
+ return $ok;
+ }
+
+
+ # verify name
+ my $rv = IO::Socket::SSL::verify_hostname_of_cert(
+ $host,$cert,$vcn_scheme,$vcn_publicsuffix );
+ if ( ! $rv ) {
+ IO::Socket::SSL->_internal_error(
+ "hostname verification failed",5);
+ }
+ return $rv;
+ };
+ }
+
+ if ($is_server) {
+ if ($arg_hash->{SSL_ticket_keycb} && !$can_tckt_keycb) {
+ warn "Ticket Key Callback is not supported - ignoring option SSL_ticket_keycb\n";
+ delete $arg_hash->{SSL_ticket_keycb};
+ }
+ }
+
+
+ my $ssl_op = $DEFAULT_SSL_OP;
+
+ my $ver;
+ for (split(/\s*:\s*/,$arg_hash->{SSL_version})) {
+ m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[123])?))$}i
+ or croak("invalid SSL_version specified");
+ my $not = $1;
+ ( my $v = lc($2||$3) ) =~s{^(...)}{\U$1};
+ if ( $not ) {
+ $ssl_op |= $SSL_OP_NO{$v};
+ } else {
+ croak("cannot set multiple SSL protocols in SSL_version")
+ if $ver && $v ne $ver;
+ $ver = $v;
+ $ver =~s{/}{}; # interpret SSLv2/3 as SSLv23
+ $ver =~s{(TLSv1)(\d)}{$1\_$2}; # TLSv1_1
+ }
+ }
+
+ my $ctx_new_sub =
+ $ver eq 'TLSv1_3' ? $CTX_tlsv1_3_new :
+ UNIVERSAL::can( 'Net::SSLeay',
+ $ver eq 'SSLv2' ?
'CTX_v2_new' :
+ $ver eq 'SSLv3' ? 'CTX_v3_new' :
+ $ver eq 'TLSv1' ? 'CTX_tlsv1_new' :
+ $ver eq 'TLSv1_1' ? 'CTX_tlsv1_1_new' :
+ $ver eq 'TLSv1_2' ? 'CTX_tlsv1_2_new' :
+ 'CTX_new'
+ )
+ or return IO::Socket::SSL->_internal_error("SSL Version $ver not supported",9);
+
+ # For SNI in server mode we need a separate context for each certificate.
+ my %ctx;
+ if ($is_server) {
+ my %sni;
+ for my $opt (qw(SSL_key SSL_key_file SSL_cert SSL_cert_file)) {
+ my $val = $arg_hash->{$opt} or next;
+ if ( ref($val) eq 'HASH' ) {
+ while ( my ($host,$v) = each %$val ) {
+ $sni{lc($host)}{$opt} = $v;
+ }
+ }
+ }
+ while (my ($host,$v) = each %sni) {
+ $ctx{$host} = $host =~m{%} ? $v : { %$arg_hash, %$v };
+ }
+ }
+ $ctx{''} = $arg_hash if ! %ctx;
+
+ for my $host (sort keys %ctx) {
+ my $arg_hash = delete $ctx{$host};
+ my $ctx;
+ if ($host =~m{^([^%]*)%}) {
+ $ctx = $ctx{$1} or return IO::Socket::SSL->error(
+ "SSL Context init for $host failed - no config for $1");
+ if (my @k = grep { !m{^SSL_(?:cert|key)(?:_file)?$} }
+ keys %$arg_hash) {
+ return IO::Socket::SSL->error(
+ "invalid keys @k in configuration '$host' of additional certs");
+ }
+ $can_multi_cert or return IO::Socket::SSL->error(
+ "no support for both RSA and ECC certificate in same context");
+ $host = $1;
+ goto just_configure_certs;
+ }
+
+ $ctx = $ctx_new_sub->() or return
+ IO::Socket::SSL->error("SSL Context init failed");
+ $CTX_CREATED_IN_THIS_THREAD{$ctx} = 1 if $use_threads;
+ $ctx{$host} = $ctx; # replace value in %ctx with real context
+
+ # SSL_OP_CIPHER_SERVER_PREFERENCE
+ $ssl_op |= 0x00400000 if $arg_hash->{SSL_honor_cipher_order};
+
+ if ($ver eq 'SSLv23' && !($ssl_op & $SSL_OP_NO{SSLv3})) {
+ # At least LibreSSL disables SSLv3 by default in SSL_CTX_new.
+ # If we really want SSL3.0 we need to explicitly allow it with
+ # SSL_CTX_clear_options.
+ Net::SSLeay::CTX_clear_options($ctx,$SSL_OP_NO{SSLv3});
+ }
+
+ Net::SSLeay::CTX_set_options($ctx,$ssl_op);
+ $DEBUG>=2 && $set_msg_callback
+ && $set_msg_callback->($ctx, \&IO::Socket::SSL::Trace::ossl_trace);
+
+ # enable X509_V_FLAG_PARTIAL_CHAIN if possible (OpenSSL 1.1.0+)
+ $check_partial_chain && $check_partial_chain->($ctx);
+
+ # if we don't set session_id_context if client certificate is expected
+ # client session caching will fail
+ # if user does not provide explicit id just use the stringification
+ # of the context
+ if($arg_hash->{SSL_server} and my $id =
+ $arg_hash->{SSL_session_id_context} ||
+ ( $arg_hash->{SSL_verify_mode} & 0x01 ) && "$ctx" ) {
+ Net::SSLeay::CTX_set_session_id_context($ctx,$id,length($id));
+ }
+
+ # SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER makes syswrite return if at least one
+ # buffer was written and not block for the rest
+ # SSL_MODE_ENABLE_PARTIAL_WRITE can be necessary for non-blocking because we
+ # cannot guarantee, that the location of the buffer stays constant
+ Net::SSLeay::CTX_set_mode( $ctx,
+ SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
+ SSL_MODE_ENABLE_PARTIAL_WRITE |
+ ($arg_hash->{SSL_mode_release_buffers} ? $ssl_mode_release_buffers : 0)
+ );
+
+ if ( my $proto_list = $arg_hash->{SSL_npn_protocols} ) {
+ return IO::Socket::SSL->_internal_error("NPN not supported in Net::SSLeay",9)
+ if ! $can_npn;
+ if($arg_hash->{SSL_server}) {
+ # on server side SSL_npn_protocols means a list of advertised protocols
+ Net::SSLeay::CTX_set_next_protos_advertised_cb($ctx, $proto_list);
+ } else {
+ # on client side SSL_npn_protocols means a list of preferred protocols
+ # negotiation algorithm used is "as-openssl-implements-it"
+ Net::SSLeay::CTX_set_next_proto_select_cb($ctx, $proto_list);
+ }
+ }
+
+ if ( my $proto_list = $arg_hash->{SSL_alpn_protocols} ) {
+ return IO::Socket::SSL->_internal_error("ALPN not supported in Net::SSLeay",9)
+ if !
$can_alpn;
+ if($arg_hash->{SSL_server}) {
+ Net::SSLeay::CTX_set_alpn_select_cb($ctx, $proto_list);
+ } else {
+ Net::SSLeay::CTX_set_alpn_protos($ctx, $proto_list);
+ }
+ }
+
+ if ($arg_hash->{SSL_ticket_keycb}) {
+ my $cb = $arg_hash->{SSL_ticket_keycb};
+ ($cb,my $arg) = ref($cb) eq 'CODE' ? ($cb):@$cb;
+ Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb($ctx,$cb,$arg);
+ }
+
+ # Try to apply SSL_ca even if SSL_verify_mode is 0, so that they can be
+ # used to verify OCSP responses.
+ # If applying fails complain only if verify_mode != VERIFY_NONE.
+ if ( $arg_hash->{SSL_ca}
+ || defined $arg_hash->{SSL_ca_file}
+ || defined $arg_hash->{SSL_ca_path} ) {
+ my $file = $arg_hash->{SSL_ca_file};
+ $file = undef if ref($file) eq 'SCALAR' && ! $$file;
+ my $dir = $arg_hash->{SSL_ca_path};
+ $dir = undef if ref($dir) eq 'SCALAR' && ! $$dir;
+ if ( $arg_hash->{SSL_ca} ) {
+ my $store = Net::SSLeay::CTX_get_cert_store($ctx);
+ for (@{$arg_hash->{SSL_ca}}) {
+ Net::SSLeay::X509_STORE_add_cert($store,$_) or
+ return IO::Socket::SSL->error(
+ "Failed to add certificate to CA store");
+ }
+ }
+ $dir = join($OPENSSL_LIST_SEPARATOR,@$dir) if ref($dir);
+ if ( $file || $dir and ! Net::SSLeay::CTX_load_verify_locations(
+ $ctx, $file || '', $dir || '')) {
+ return IO::Socket::SSL->error(
+ "Invalid certificate authority locations")
+ if $verify_mode != $Net_SSLeay_VERIFY_NONE;
+ }
+ } elsif ( my %ca = IO::Socket::SSL::default_ca()) {
+ # no CA path given, continue with system defaults
+ my $dir = $ca{SSL_ca_path};
+ $dir = join($OPENSSL_LIST_SEPARATOR,@$dir) if ref($dir);
+ if (!
Net::SSLeay::CTX_load_verify_locations( $ctx,
+ $ca{SSL_ca_file} || '',$dir || '')
+ && $verify_mode != $Net_SSLeay_VERIFY_NONE) {
+ return IO::Socket::SSL->error(
+ "Invalid default certificate authority locations")
+ }
+ }
+
+ if ($is_server && ($verify_mode & $Net_SSLeay_VERIFY_PEER)) {
+ if ($arg_hash->{SSL_client_ca}) {
+ for (@{$arg_hash->{SSL_client_ca}}) {
+ return IO::Socket::SSL->error(
+ "Failed to add certificate to client CA list") if
+ ! Net::SSLeay::CTX_add_client_CA($ctx,$_);
+ }
+ }
+ if ($arg_hash->{SSL_client_ca_file}) {
+ my $list = Net::SSLeay::load_client_CA_file(
+ $arg_hash->{SSL_client_ca_file}) or
+ return IO::Socket::SSL->error(
+ "Failed to load certificate to client CA list");
+ Net::SSLeay::CTX_set_client_CA_list($ctx,$list);
+ }
+ }
+
+ my $X509_STORE_flags = $DEFAULT_X509_STORE_flags;
+ if ($arg_hash->{'SSL_check_crl'}) {
+ $X509_STORE_flags |= Net::SSLeay::X509_V_FLAG_CRL_CHECK();
+ if ($arg_hash->{'SSL_crl_file'}) {
+ my $bio = Net::SSLeay::BIO_new_file($arg_hash->{'SSL_crl_file'}, 'r');
+ my $crl = Net::SSLeay::PEM_read_bio_X509_CRL($bio);
+ Net::SSLeay::BIO_free($bio);
+ if ( $crl ) {
+ Net::SSLeay::X509_STORE_add_crl(Net::SSLeay::CTX_get_cert_store($ctx), $crl);
+ Net::SSLeay::X509_CRL_free($crl);
+ } else {
+ return IO::Socket::SSL->error("Invalid certificate revocation list");
+ }
+ }
+ }
+
+ Net::SSLeay::X509_STORE_set_flags(
+ Net::SSLeay::CTX_get_cert_store($ctx),
+ $X509_STORE_flags
+ ) if $X509_STORE_flags;
+
+ Net::SSLeay::CTX_set_default_passwd_cb($ctx,$arg_hash->{SSL_passwd_cb})
+ if $arg_hash->{SSL_passwd_cb};
+
+ just_configure_certs:
+ my ($havekey,$havecert);
+ if ( my $x509 = $arg_hash->{SSL_cert} ) {
+ # binary, e.g. X509*
+ # we have either a single certificate or a list with
+ # a chain of certificates
+ my @x509 = ref($x509) eq 'ARRAY' ?
@$x509: ($x509); + my $cert = shift @x509; + Net::SSLeay::CTX_use_certificate( $ctx,$cert ) + || return IO::Socket::SSL->error("Failed to use Certificate"); + foreach my $ca (@x509) { + Net::SSLeay::CTX_add_extra_chain_cert( $ctx,$ca ) + || return IO::Socket::SSL->error("Failed to use Certificate"); + } + $havecert = 'OBJ'; + } elsif ( my $f = $arg_hash->{SSL_cert_file} ) { + # try to load chain from PEM or certificate from ASN1 + my @err; + if (Net::SSLeay::CTX_use_certificate_chain_file($ctx,$f)) { + $havecert = 'PEM'; + } elsif (do { + push @err, [ PEM => _errstack() ]; + Net::SSLeay::CTX_use_certificate_file($ctx,$f,FILETYPE_ASN1) + }) { + $havecert = 'DER'; + } else { + push @err, [ DER => _errstack() ]; + # try to load certificate, key and chain from PKCS12 file + my ($key,$cert,@chain) = Net::SSLeay::P_PKCS12_load_file($f,1); + if (!$cert and $arg_hash->{SSL_passwd_cb} + and defined( my $pw = $arg_hash->{SSL_passwd_cb}->(0))) { + ($key,$cert,@chain) = Net::SSLeay::P_PKCS12_load_file($f,1,$pw); + } + PKCS12: while ($cert) { + Net::SSLeay::CTX_use_certificate($ctx,$cert) or last; + # Net::SSLeay::P_PKCS12_load_file is implemented using + # OpenSSL PKCS12_parse which according to the source code + # returns the chain with the last CA certificate first (i.e. + # reverse order as in the PKCS12 file). This is not + # documented but given the age of this function we'll assume + # that this will stay this way in the future. + while (my $ca = pop @chain) { + Net::SSLeay::CTX_add_extra_chain_cert($ctx,$ca) + or last PKCS12; + } + last if $key && ! 
Net::SSLeay::CTX_use_PrivateKey($ctx,$key); + $havecert = 'PKCS12'; + last; + } + $havekey = 'PKCS12' if $key; + Net::SSLeay::X509_free($cert) if $cert; + Net::SSLeay::EVP_PKEY_free($key) if $key; + # don't free @chain, because CTX_add_extra_chain_cert + # did not duplicate the certificates + } + if (!$havecert) { + push @err, [ PKCS12 => _errstack() ]; + my $err = "Failed to load certificate from file $f:"; + for(@err) { + my ($type,@e) = @$_; + $err .= " [format:$type] @e **" if @e; + } + return IO::Socket::SSL->error($err); + } + } + + if (!$havecert || $havekey) { + # skip SSL_key_* + } elsif ( my $pkey = $arg_hash->{SSL_key} ) { + # binary, e.g. EVP_PKEY* + Net::SSLeay::CTX_use_PrivateKey($ctx, $pkey) + || return IO::Socket::SSL->error("Failed to use Private Key"); + $havekey = 'MEM'; + } elsif ( my $f = $arg_hash->{SSL_key_file} + || (($havecert eq 'PEM') ? $arg_hash->{SSL_cert_file}:undef) ) { + for my $ft ( FILETYPE_PEM, FILETYPE_ASN1 ) { + if (Net::SSLeay::CTX_use_PrivateKey_file($ctx,$f,$ft)) { + $havekey = ($ft == FILETYPE_PEM) ? 'PEM':'DER'; + last; + } + } + $havekey or return IO::Socket::SSL->error( + "Failed to load key from file (no PEM or DER)"); + } + + Net::SSLeay::CTX_set_post_handshake_auth($ctx,1) + if (!$is_server && $can_pha && $havecert && $havekey); + } + + if ($arg_hash->{SSL_server}) { + + if ( my $f = $arg_hash->{SSL_dh_file} ) { + my $bio = Net::SSLeay::BIO_new_file( $f,'r' ) + || return IO::Socket::SSL->error( "Failed to open DH file $f" ); + my $dh = Net::SSLeay::PEM_read_bio_DHparams($bio); + Net::SSLeay::BIO_free($bio); + $dh || return IO::Socket::SSL->error( "Failed to read PEM for DH from $f - wrong format?" ); + my $rv; + for (values (%ctx)) { + $rv = Net::SSLeay::CTX_set_tmp_dh( $_,$dh ) or last; + } + Net::SSLeay::DH_free( $dh ); + $rv || return IO::Socket::SSL->error( "Failed to set DH from $f" ); + } elsif ( my $dh = $arg_hash->{SSL_dh} ) { + # binary, e.g. 
DH* + + for( values %ctx ) { + Net::SSLeay::CTX_set_tmp_dh( $_,$dh ) || return + IO::Socket::SSL->error( "Failed to set DH from SSL_dh" ); + } + } + } + + if ( my $curve = $arg_hash->{SSL_ecdh_curve} ) { + return IO::Socket::SSL->_internal_error( + "ECDH curve needs Net::SSLeay>=1.56 and OpenSSL>=1.0",9) + if ! $can_ecdh; + + for(values %ctx) { + if ($arg_hash->{SSL_server} and $curve eq 'auto') { + if ($can_ecdh eq 'can_auto') { + Net::SSLeay::CTX_set_ecdh_auto($_,1) or + return IO::Socket::SSL->error( + "failed to set ECDH curve context"); + } elsif ($can_ecdh eq 'auto') { + # automatically enabled anyway + } else { + return IO::Socket::SSL->error( + "SSL_CTX_set_ecdh_auto not implemented"); + } + + } elsif ($set_groups_list) { + $set_groups_list->($_,$curve) or return IO::Socket::SSL->error( + "failed to set ECDH groups/curves on context"); + # needed for OpenSSL 1.0.2 if ($can_ecdh eq 'can_auto') { + Net::SSLeay::CTX_set_ecdh_auto($_,1) if $can_ecdh eq 'can_auto'; + } elsif ($curve =~m{:}) { + return IO::Socket::SSL->error( + "SSL_CTX_groups_list or SSL_CTX_curves_list not implemented"); + + } elsif ($arg_hash->{SSL_server}) { + if ( $curve !~ /^\d+$/ ) { + # name of curve, find NID + $curve = Net::SSLeay::OBJ_txt2nid($curve) + || return IO::Socket::SSL->error( + "cannot find NID for curve name '$curve'"); + } + my $ecdh = Net::SSLeay::EC_KEY_new_by_curve_name($curve) or + return IO::Socket::SSL->error( + "cannot create curve for NID $curve"); + for( values %ctx ) { + Net::SSLeay::CTX_set_tmp_ecdh($_,$ecdh) or + return IO::Socket::SSL->error( + "failed to set ECDH curve context"); + } + Net::SSLeay::EC_KEY_free($ecdh); + } + } + } + + my $verify_cb = $arg_hash->{SSL_verify_callback}; + my @accept_fp; + if ( my $fp = $arg_hash->{SSL_fingerprint} ) { + for( ref($fp) ? 
@$fp : $fp) { + my ($algo,$pubkey,$digest) = m{^(?:([\w-]+)\$)?(pub\$)?([a-f\d:]+)$}i + or return IO::Socket::SSL->_internal_error("invalid fingerprint '$_'",9); + ( $digest = lc($digest) ) =~s{:}{}g; + $algo ||= + length($digest) == 32 ? 'md5' : + length($digest) == 40 ? 'sha1' : + length($digest) == 64 ? 'sha256' : + return IO::Socket::SSL->_internal_error( + "cannot detect hash algorithm from fingerprint '$_'",9); + $algo = lc($algo); + push @accept_fp,[ $algo, $pubkey || '', pack('H*',$digest) ] + } + } + my $verify_fingerprint = @accept_fp && do { + my $fail; + sub { + my ($ok,$cert,$depth) = @_; + $fail = 1 if ! $ok; + return 1 if $depth>0; # to let us continue with verification + # Check fingerprint only from top certificate. + my %fp; + for(@accept_fp) { + my $fp = $fp{$_->[0],$_->[1]} ||= $_->[1] + ? Net::SSLeay::X509_pubkey_digest($cert,$algo2digest->($_->[0])) + : Net::SSLeay::X509_digest($cert,$algo2digest->($_->[0])); + next if $fp ne $_->[2]; + return 1; + } + return ! $fail; + } + }; + my $verify_callback = ( $verify_cb || @accept_fp ) && sub { + my ($ok, $ctx_store) = @_; + my ($certname,$cert,$error,$depth); + if ($ctx_store) { + $cert = Net::SSLeay::X509_STORE_CTX_get_current_cert($ctx_store); + $error = Net::SSLeay::X509_STORE_CTX_get_error($ctx_store); + $depth = Net::SSLeay::X509_STORE_CTX_get_error_depth($ctx_store); + $certname = + Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_issuer_name($cert)). 
+ Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($cert)); + $error &&= Net::SSLeay::ERR_error_string($error); + } + $DEBUG>=3 && DEBUG( "ok=$ok [$depth] $certname" ); + $ok = $verify_cb->($ok,$ctx_store,$certname,$error,$cert,$depth) if $verify_cb; + $ok = $verify_fingerprint->($ok,$cert,$depth) if $verify_fingerprint && $cert; + return $ok; + }; + + if ( $^O eq 'darwin' ) { + # explicitly set error code to disable use of apples TEA patch + # https://hynek.me/articles/apple-openssl-verification-surprises/ + my $vcb = $verify_callback; + $verify_callback = sub { + my $rv = $vcb ? &$vcb : $_[0]; + if ( $rv != 1 ) { + # 50 - X509_V_ERR_APPLICATION_VERIFICATION: application verification failure + Net::SSLeay::X509_STORE_CTX_set_error($_[1], 50); + } + return $rv; + }; + } + Net::SSLeay::CTX_set_verify($_, $verify_mode, $verify_callback) + for (values %ctx); + + my $staple_callback = $arg_hash->{SSL_ocsp_staple_callback}; + if ( !$is_server && $can_ocsp_staple && ! $verify_fingerprint) { + $self->{ocsp_cache} = $arg_hash->{SSL_ocsp_cache}; + my $status_cb = sub { + my ($ssl,$resp) = @_; + my $iossl = $SSL_OBJECT{$ssl} or + die "no IO::Socket::SSL object found for SSL $ssl"; + $iossl->[1] and do { + # we must return with 1 or it will be called again + # and because we have no SSL object we must make the error global + Carp::cluck($IO::Socket::SSL::SSL_ERROR + = "OCSP callback on server side"); + return 1; + }; + $iossl = $iossl->[0]; + + # if we have a callback use this + # callback must not free or copy $resp !! + if ( $staple_callback ) { + $staple_callback->($iossl,$resp); + return 1; + } + + # default callback does verification + if ( ! 
$resp ) { + $DEBUG>=3 && DEBUG("did not get stapled OCSP response"); + return 1; + } + $DEBUG>=3 && DEBUG("got stapled OCSP response"); + my $status = Net::SSLeay::OCSP_response_status($resp); + if ($status != Net::SSLeay::OCSP_RESPONSE_STATUS_SUCCESSFUL()) { + $DEBUG>=3 && DEBUG("bad status of stapled OCSP response: ". + Net::SSLeay::OCSP_response_status_str($status)); + return 1; + } + if (!eval { Net::SSLeay::OCSP_response_verify($ssl,$resp) }) { + $DEBUG>=3 && DEBUG("verify of stapled OCSP response failed"); + return 1; + } + my (@results,$hard_error); + my @chain = $iossl->peer_certificates; + for my $cert (@chain) { + my $certid = eval { Net::SSLeay::OCSP_cert2ids($ssl,$cert) }; + if (!$certid) { + $DEBUG>=3 && DEBUG("cannot create OCSP_CERTID: $@"); + push @results,[-1,$@]; + last; + } + ($status) = Net::SSLeay::OCSP_response_results($resp,$certid); + if ($status && $status->[2]) { + my $cache = ${*$iossl}{_SSL_ctx}{ocsp_cache}; + if (!$status->[1]) { + push @results,[1,$status->[2]{nextUpdate}]; + $cache && $cache->put($certid,$status->[2]); + } elsif ( $status->[2]{statusType} == + Net::SSLeay::V_OCSP_CERTSTATUS_GOOD()) { + push @results,[1,$status->[2]{nextUpdate}]; + $cache && $cache->put($certid,{ + %{$status->[2]}, + expire => time()+120, + soft_error => $status->[1], + }); + } else { + push @results,($hard_error = [0,$status->[1]]); + $cache && $cache->put($certid,{ + %{$status->[2]}, + hard_error => $status->[1], + }); + } + } + } + # return result of lead certificate, this should be in chain[0] and + # thus result[0], but we better check. 
But if we had any hard_error + # return this instead + if ($hard_error) { + ${*$iossl}{_SSL_ocsp_verify} = $hard_error; + } elsif (@results and $chain[0] == $iossl->peer_certificate) { + ${*$iossl}{_SSL_ocsp_verify} = $results[0]; + } + return 1; + }; + Net::SSLeay::CTX_set_tlsext_status_cb($_,$status_cb) for (values %ctx); + } + + if ( my $cl = $arg_hash->{SSL_cipher_list} ) { + for (keys %ctx) { + Net::SSLeay::CTX_set_cipher_list($ctx{$_}, ref($cl) + ? $cl->{$_} || $cl->{''} || $DEFAULT_SSL_ARGS{SSL_cipher_list} || next + : $cl + ) || return IO::Socket::SSL->error("Failed to set SSL cipher list"); + } + } + if ( my $cl = $arg_hash->{SSL_ciphersuites} ) { + return IO::Socket::SSL->error("no support for SSL_ciphersuites in Net::SSLeay") + if ! $can_ciphersuites; + for (keys %ctx) { + Net::SSLeay::CTX_set_ciphersuites($ctx{$_}, ref($cl) + ? $cl->{$_} || $cl->{''} || $DEFAULT_SSL_ARGS{SSL_cipher_list} || next + : $cl + ) || return IO::Socket::SSL->error("Failed to set SSL cipher list"); + } + } + + # Main context is default context or any other if no default context. + my $ctx = $ctx{''} || (values %ctx)[0]; + if (keys(%ctx) > 1 || ! exists $ctx{''}) { + $can_server_sni or return IO::Socket::SSL->_internal_error( + "Server side SNI not supported for this openssl/Net::SSLeay",9); + + Net::SSLeay::CTX_set_tlsext_servername_callback($ctx, sub { + my $ssl = shift; + my $host = Net::SSLeay::get_servername($ssl); + $host = '' if ! 
defined $host; + my $snictx = $ctx{lc($host)} || $ctx{''} or do { + $DEBUG>1 and DEBUG( + "cannot get context from servername '$host'"); + return 2; # SSL_TLSEXT_ERR_ALERT_FATAL + }; + $DEBUG>1 and DEBUG("set context from servername $host"); + Net::SSLeay::set_SSL_CTX($ssl,$snictx) if $snictx != $ctx; + return 0; # SSL_TLSEXT_ERR_OK + }); + } + + if ( my $cb = $arg_hash->{SSL_create_ctx_callback} ) { + $cb->($_) for values (%ctx); + } + + $self->{context} = $ctx; + $self->{verify_mode} = $arg_hash->{SSL_verify_mode}; + $self->{ocsp_mode} = + defined($arg_hash->{SSL_ocsp_mode}) ? $arg_hash->{SSL_ocsp_mode} : + $self->{verify_mode} ? IO::Socket::SSL::SSL_OCSP_TRY_STAPLE() : + 0; + $DEBUG>=3 && DEBUG( "new ctx $ctx" ); + + if ( my $cache = $arg_hash->{SSL_session_cache} ) { + # use predefined cache + $self->{session_cache} = $cache + } elsif ( my $size = $arg_hash->{SSL_session_cache_size}) { + $self->{session_cache} = IO::Socket::SSL::Session_Cache->new( $size ); + } + + + if ($self->{session_cache} and %sess_cb) { + Net::SSLeay::CTX_set_session_cache_mode($ctx, + Net::SSLeay::SESS_CACHE_CLIENT()); + my $cache = $self->{session_cache}; + $sess_cb{new}($ctx, sub { + my ($ssl,$session) = @_; + my $self = ($SSL_OBJECT{$ssl} || do { + warn "callback session new: no known SSL object for $ssl"; + return; + })->[0]; + my $args = ${*$self}{_SSL_arguments}; + my $key = $args->{SSL_session_key} or do { + warn "callback session new: no known SSL_session_key for $ssl"; + return; + }; + $DEBUG>=3 && DEBUG("callback session new <$key> $session"); + Net::SSLeay::SESSION_up_ref($session); + $cache->add_session($key,$session); + }); + $sess_cb{remove}($ctx, sub { + my ($ctx,$session) = @_; + $DEBUG>=3 && DEBUG("callback session remove $session"); + $cache->del_session(undef,$session); + }); + } + + return $self; +} + + +sub has_session_cache { + return defined shift->{session_cache}; +} + + +sub CLONE { %CTX_CREATED_IN_THIS_THREAD = (); } +sub DESTROY { + my $self = shift; + if ( my 
$ctx = $self->{context} ) { + $DEBUG>=3 && DEBUG("free ctx $ctx open=".join( " ",keys %CTX_CREATED_IN_THIS_THREAD )); + if (!$use_threads or delete $CTX_CREATED_IN_THIS_THREAD{$ctx} ) { + # remove any verify callback for this context + if ( $self->{verify_mode}) { + $DEBUG>=3 && DEBUG("free ctx $ctx callback" ); + Net::SSLeay::CTX_set_verify($ctx, 0,undef); + } + if ( $self->{ocsp_error_ref}) { + $DEBUG>=3 && DEBUG("free ctx $ctx tlsext_status_cb" ); + Net::SSLeay::CTX_set_tlsext_status_cb($ctx,undef); + } + $DEBUG>=3 && DEBUG("OK free ctx $ctx" ); + Net::SSLeay::CTX_free($ctx); + } + } + delete(@{$self}{'context','session_cache'}); +} + +package IO::Socket::SSL::Session_Cache; +*DEBUG = *IO::Socket::SSL::DEBUG; +use constant { + SESSION => 0, + KEY => 1, + GNEXT => 2, + GPREV => 3, + SNEXT => 4, + SPREV => 5, +}; + +sub new { + my ($class, $size) = @_; + $size>0 or return; + return bless { + room => $size, + ghead => undef, + shead => {}, + }, $class; +} + +sub add_session { + my ($self, $key, $session) = @_; + + # create new + my $v = []; + $v->[SESSION] = $session; + $v->[KEY] = $key; + $DEBUG>=3 && DEBUG("add_session($key,$session)"); + _add_entry($self,$v); +} + +sub replace_session { + my ($self, $key, $session) = @_; + $self->del_session($key); + $self->add_session($key, $session); +} + +sub del_session { + my ($self, $key, $session) = @_; + my ($head,$inext) = $key + ? ($self->{shead}{$key},SNEXT) : ($self->{ghead},GNEXT); + my $v = $head; + my @del; + while ($v) { + if (!$session) { + push @del,$v + } elsif ($v->[SESSION] == $session) { + push @del, $v; + last; + } + $v = $v->[$inext]; + last if $v == $head; + } + $DEBUG>=3 && DEBUG("del_session(" + . ($key ? $key : "undef") + . ($session ? ",$session) -> " : ") -> ") + . 
(~~@del || 'none')); + for (@del) { + _del_entry($self,$_); + Net::SSLeay::SESSION_free($_->[SESSION]) if $_->[SESSION]; + @$_ = (); + } + return ~~@del; +} + +sub get_session { + my ($self, $key, $session) = @_; + my $v = $self->{shead}{$key}; + if ($session) { + my $shead = $v; + while ($v) { + $DEBUG>=3 && DEBUG("check $session - $v->[SESSION]"); + last if $v->[SESSION] == $session; + $v = $v->[SNEXT]; + $v = undef if $v == $shead; # session not found + } + } + if ($v) { + _del_entry($self, $v); # remove + _add_entry($self, $v); # and add back on top + } + $DEBUG>=3 && DEBUG("get_session($key" + . ( $session ? ",$session) -> " : ") -> ") + . ($v? $v->[SESSION]:"none")); + return $v && $v->[SESSION]; +} + +sub _add_entry { + my ($self,$v) = @_; + for( + [ SNEXT, SPREV, \$self->{shead}{$v->[KEY]} ], + [ GNEXT, GPREV, \$self->{ghead} ], + ) { + my ($inext,$iprev,$rhead) = @$_; + if ($$rhead) { + $v->[$inext] = $$rhead; + $v->[$iprev] = ${$rhead}->[$iprev]; + ${$rhead}->[$iprev][$inext] = $v; + ${$rhead}->[$iprev] = $v; + } else { + $v->[$inext] = $v->[$iprev] = $v; + } + $$rhead = $v; + } + + $self->{room}--; + + # drop old entries if necessary + if ($self->{room}<0) { + my $l = $self->{ghead}[GPREV]; + _del_entry($self,$l); + Net::SSLeay::SESSION_free($l->[SESSION]) if $l->[SESSION]; + @$l = (); + } +} + +sub _del_entry { + my ($self,$v) = @_; + for( + [ SNEXT, SPREV, \$self->{shead}{$v->[KEY]} ], + [ GNEXT, GPREV, \$self->{ghead} ], + ) { + my ($inext,$iprev,$rhead) = @$_; + $$rhead or return; + $v->[$inext][$iprev] = $v->[$iprev]; + $v->[$iprev][$inext] = $v->[$inext]; + if ($v != $$rhead) { + # not removed from top of list + } elsif ($v->[$inext] == $v) { + # was only element on list, drop list + if ($inext == SNEXT) { + delete $self->{shead}{$v->[KEY]}; + } else { + $$rhead = undef; + } + } else { + # was top element, keep others + $$rhead = $v->[$inext]; + } + } + $self->{room}++; +} + +sub _dump { + my $self = shift; + + my %v2i; + my $v = $self->{ghead}; + 
while ($v) { + exists $v2i{$v} and die; + $v2i{$v} = int(keys %v2i); + $v = $v->[GNEXT]; + last if $v == $self->{ghead}; + } + + my $out = "room: $self->{room}\nghead:\n"; + $v = $self->{ghead}; + while ($v) { + $out .= sprintf(" - [%d] <%d,%d> '%s' <%s>\n", + $v2i{$v}, $v2i{$v->[GPREV]}, $v2i{$v->[GNEXT]}, + $v->[KEY], $v->[SESSION]); + $v = $v->[GNEXT]; + last if $v == $self->{ghead}; + } + $out .= "shead:\n"; + for my $key (sort keys %{$self->{shead}}) { + $out .= " - '$key'\n"; + my $shead = $self->{shead}{$key}; + my $v = $shead; + while ($v) { + $out .= sprintf(" - [%d] <%d,%d> '%s' <%s>\n", + $v2i{$v}, $v2i{$v->[SPREV]}, $v2i{$v->[SNEXT]}, + $v->[KEY], $v->[SESSION]); + $v = $v->[SNEXT]; + last if $v == $shead; + } + } + return $out; +} + +sub DESTROY { + my $self = shift; + delete $self->{shead}; + my $v = delete $self->{ghead}; + while ($v) { + Net::SSLeay::SESSION_free($v->[SESSION]) if $v->[SESSION]; + my $next = $v->[GNEXT]; + @$v = (); + $v = $next; + } +} + + + +package IO::Socket::SSL::OCSP_Cache; + +sub new { + my ($class,$size) = @_; + return bless { + '' => { _lru => 0, size => $size || 100 } + },$class; +} +sub get { + my ($self,$id) = @_; + my $e = $self->{$id} or return; + $e->{_lru} = $self->{''}{_lru}++; + if ( $e->{expire} && time()<$e->{expire}) { + delete $self->{$id}; + return; + } + if ( $e->{nextUpdate} && time()<$e->{nextUpdate} ) { + delete $self->{$id}; + return; + } + return $e; +} + +sub put { + my ($self,$id,$e) = @_; + $self->{$id} = $e; + $e->{_lru} = $self->{''}{_lru}++; + my $del = keys(%$self) - $self->{''}{size}; + if ($del>0) { + my @k = sort { $self->{$a}{_lru} <=> $self->{$b}{_lru} } keys %$self; + delete @{$self}{ splice(@k,0,$del) }; + } + return $e; +} + +package IO::Socket::SSL::OCSP_Resolver; +*DEBUG = *IO::Socket::SSL::DEBUG; + +# create a new resolver +# $ssl - the ssl object +# $cache - OCSP_Cache object (put,get) +# $failhard - flag if we should fail hard on OCSP problems +# $certs - list of certs to verify +sub 
new { + my ($class,$ssl,$cache,$failhard,$certs) = @_; + my (%todo,$done,$hard_error,@soft_error); + for my $cert (@$certs) { + # skip entries which have no OCSP uri or where we cannot get a certid + # (e.g. self-signed or where we don't have the issuer) + my $subj = Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($cert)); + my $uri = Net::SSLeay::P_X509_get_ocsp_uri($cert) or do { + $DEBUG>2 && DEBUG("no URI for certificate $subj"); + push @soft_error,"no ocsp_uri for $subj"; + next; + }; + my $certid = eval { Net::SSLeay::OCSP_cert2ids($ssl,$cert) } or do { + $DEBUG>2 && DEBUG("no OCSP_CERTID for certificate $subj: $@"); + push @soft_error,"no certid for $subj: $@"; + next; + }; + if (!($done = $cache->get($certid))) { + push @{ $todo{$uri}{ids} }, $certid; + push @{ $todo{$uri}{subj} }, $subj; + } elsif ( $done->{hard_error} ) { + # one error is enough to fail validation + $hard_error = $done->{hard_error}; + %todo = (); + last; + } elsif ( $done->{soft_error} ) { + push @soft_error,$done->{soft_error}; + } + } + while ( my($uri,$v) = each %todo) { + my $ids = $v->{ids}; + $v->{req} = Net::SSLeay::i2d_OCSP_REQUEST( + Net::SSLeay::OCSP_ids2req(@$ids)); + } + $hard_error ||= '' if ! %todo; + return bless { + ssl => $ssl, + cache => $cache, + failhard => $failhard, + hard_error => $hard_error, + soft_error => @soft_error ? join("; ",@soft_error) : undef, + todo => \%todo, + },$class; +} + +# return current result, e.g. '' for no error, else error +# if undef we have no final result yet +sub hard_error { return shift->{hard_error} } +sub soft_error { return shift->{soft_error} } + +# return hash with uri => ocsp_request_data for open requests +sub requests { + my $todo = shift()->{todo}; + return map { ($_,$todo->{$_}{req}) } keys %$todo; +} + +# add new response +sub add_response { + my ($self,$uri,$resp) = @_; + my $todo = delete $self->{todo}{$uri}; + return $self->{error} if ! 
$todo || $self->{error}; + + my ($req,@soft_error,@hard_error); + + # do we have a response + if (!$resp) { + @soft_error = "http request for OCSP failed; subject: ". + join("; ",@{$todo->{subj}}); + + # is it a valid OCSP_RESPONSE + } elsif ( ! eval { $resp = Net::SSLeay::d2i_OCSP_RESPONSE($resp) }) { + @soft_error = "invalid response (no OCSP_RESPONSE); subject: ". + join("; ",@{$todo->{subj}}); + # hopefully short-time error + $self->{cache}->put($_,{ + soft_error => "@soft_error", + expire => time()+10, + }) for (@{$todo->{ids}}); + # is the OCSP response status success + } elsif ( + ( my $status = Net::SSLeay::OCSP_response_status($resp)) + != Net::SSLeay::OCSP_RESPONSE_STATUS_SUCCESSFUL() + ){ + @soft_error = "OCSP response failed: ". + Net::SSLeay::OCSP_response_status_str($status). + "; subject: ".join("; ",@{$todo->{subj}}); + # hopefully short-time error + $self->{cache}->put($_,{ + soft_error => "@soft_error", + expire => time()+10, + }) for (@{$todo->{ids}}); + + # does nonce match the request and can the signature be verified + } elsif ( ! eval { + $req = Net::SSLeay::d2i_OCSP_REQUEST($todo->{req}); + Net::SSLeay::OCSP_response_verify($self->{ssl},$resp,$req); + }) { + if ($@) { + @soft_error = $@ + } else { + my @err; + while ( my $err = Net::SSLeay::ERR_get_error()) { + push @soft_error, Net::SSLeay::ERR_error_string($err); + } + @soft_error = 'failed to verify OCSP response; subject: '. + join("; ",@{$todo->{subj}}) if ! 
@soft_error; + } + # configuration problem or we don't know the signer + $self->{cache}->put($_,{ + soft_error => "@soft_error", + expire => time()+120, + }) for (@{$todo->{ids}}); + + # extract results from response + } elsif ( my @result = + Net::SSLeay::OCSP_response_results($resp,@{$todo->{ids}})) { + my (@found,@miss); + for my $rv (@result) { + if ($rv->[2]) { + push @found,$rv->[0]; + if (!$rv->[1]) { + # no error + $self->{cache}->put($rv->[0],$rv->[2]); + } elsif ( $rv->[2]{statusType} == + Net::SSLeay::V_OCSP_CERTSTATUS_GOOD()) { + # soft error, like response after nextUpdate + push @soft_error,$rv->[1]."; subject: ". + join("; ",@{$todo->{subj}}); + $self->{cache}->put($rv->[0],{ + %{$rv->[2]}, + soft_error => "@soft_error", + expire => time()+120, + }); + } else { + # hard error + $self->{cache}->put($rv->[0],$rv->[2]); + push @hard_error, $rv->[1]."; subject: ". + join("; ",@{$todo->{subj}}); + } + } else { + push @miss,$rv->[0]; + } + } + if (@miss && @found) { + # we sent multiple responses, but server answered only to one + # try again + $self->{todo}{$uri} = $todo; + $todo->{ids} = \@miss; + $todo->{req} = Net::SSLeay::i2d_OCSP_REQUEST( + Net::SSLeay::OCSP_ids2req(@miss)); + $DEBUG>=2 && DEBUG("$uri just answered ".@found." of ".(@found+@miss)." requests"); + } + } else { + @soft_error = "no data in response; subject: ". + join("; ",@{$todo->{subj}}); + # probably configuration problem + $self->{cache}->put($_,{ + soft_error => "@soft_error", + expire => time()+120, + }) for (@{$todo->{ids}}); + } + + Net::SSLeay::OCSP_REQUEST_free($req) if $req; + if ($self->{failhard}) { + push @hard_error,@soft_error; + @soft_error = (); + } + if (@soft_error) { + $self->{soft_error} .= "; " if $self->{soft_error}; + $self->{soft_error} .= "$uri: ".join('; ',@soft_error); + } + if (@hard_error) { + $self->{hard_error} = "$uri: ".join('; ',@hard_error); + %{$self->{todo}} = (); + } elsif ( ! 
%{$self->{todo}} ) { + $self->{hard_error} = '' + } + return $self->{hard_error}; +} + +# make all necessary requests to get OCSP responses blocking +sub resolve_blocking { + my ($self,%args) = @_; + while ( my %todo = $self->requests ) { + eval { require HTTP::Tiny } or die "need HTTP::Tiny installed"; + # OCSP responses have their own signature, so we don't need SSL verification + my $ua = HTTP::Tiny->new(verify_SSL => 0,%args); + while (my ($uri,$reqdata) = each %todo) { + $DEBUG && DEBUG("sending OCSP request to $uri"); + my $resp = $ua->request('POST',$uri, { + headers => { 'Content-type' => 'application/ocsp-request' }, + content => $reqdata + }); + $DEBUG && DEBUG("got OCSP response from $uri code=$resp->{status}"); + defined ($self->add_response($uri, + $resp->{success} && $resp->{content})) + && last; + } + } + $DEBUG>=2 && DEBUG("no more open OCSP requests"); + return $self->{hard_error}; +} + +package IO::Socket::SSL::Trace; +*DEBUG = *IO::Socket::SSL::DEBUG; + +# Exhaustive list of constants we need for tracing +my %trace_constants = map { $_ => eval { Net::SSLeay->$_ } || -1 } qw( + SSL2_VERSION + SSL3_VERSION + TLS1_VERSION + TLS1_1_VERSION + TLS1_2_VERSION + TLS1_3_VERSION + DTLS1_VERSION + DTLS1_2_VERSION + DTLS1_BAD_VER + SSL3_RT_INNER_CONTENT_TYPE + SSL3_RT_CHANGE_CIPHER_SPEC + SSL3_RT_ALERT + SSL3_RT_HEADER + SSL3_RT_HANDSHAKE + SSL3_RT_APPLICATION_DATA + SSL2_MT_ERROR + SSL2_MT_CLIENT_HELLO + SSL2_MT_CLIENT_MASTER_KEY + SSL2_MT_CLIENT_FINISHED + SSL2_MT_SERVER_HELLO + SSL2_MT_SERVER_VERIFY + SSL2_MT_SERVER_FINISHED + SSL2_MT_REQUEST_CERTIFICATE + SSL2_MT_CLIENT_CERTIFICATE + SSL3_MT_HELLO_REQUEST + SSL3_MT_CLIENT_HELLO + SSL3_MT_SERVER_HELLO + SSL3_MT_NEWSESSION_TICKET + SSL3_MT_CERTIFICATE + SSL3_MT_SERVER_KEY_EXCHANGE + SSL3_MT_CLIENT_KEY_EXCHANGE + SSL3_MT_CERTIFICATE_REQUEST + SSL3_MT_SERVER_DONE + SSL3_MT_CERTIFICATE_VERIFY + SSL3_MT_FINISHED + SSL3_MT_CERTIFICATE_STATUS + SSL3_MT_ENCRYPTED_EXTENSIONS + SSL3_MT_SUPPLEMENTAL_DATA + 
SSL3_MT_END_OF_EARLY_DATA + SSL3_MT_KEY_UPDATE + SSL3_MT_NEXT_PROTO + SSL3_MT_MESSAGE_HASH +); + +# +# Major versions +# +$trace_constants{SSL2_VERSION_MAJOR} = $trace_constants{SSL2_VERSION} >> 8; +$trace_constants{SSL3_VERSION_MAJOR} = $trace_constants{SSL3_VERSION} >> 8; + +# +# Mapping between trace constant and version string +# +my %tc_ver2s; +for ( + [ SSL2_VERSION => "SSLv2" ], + [ SSL2_VERSION => "SSLv2" ], + [ SSL3_VERSION => "SSLv3" ], + [ TLS1_VERSION => "TLSv1.0" ], + [ TLS1_1_VERSION => "TLSv1.1" ], + [ TLS1_2_VERSION => "TLSv1.2" ], + [ TLS1_3_VERSION => "TLSv1.3" ], + [ DTLS1_VERSION => "DTLSv1.0" ], + [ DTLS1_2_VERSION => "DTLSv1.2" ], + [ DTLS1_BAD_VER => "DTLSv1.0 (bad)" ] +) { + next if $trace_constants{$_->[0]} == -1; + $tc_ver2s{$trace_constants{$_->[0]}} = $_->[1]; +} + +my %tc_type2s; +for ( + [ SSL3_RT_HEADER => "TLS header" ], + [ SSL3_RT_CHANGE_CIPHER_SPEC => "TLS change cipher" ], + [ SSL3_RT_ALERT => "TLS alert" ], + [ SSL3_RT_HANDSHAKE => "TLS handshake" ], + [ SSL3_RT_APPLICATION_DATA => "TLS app data" ] +) { + next if $trace_constants{$_->[0]} == -1; + $tc_type2s{$trace_constants{$_->[0]}} = $_->[1]; +} + +my %tc_msgtype2s; +for( + [ SSL2_MT_ERROR => "Error" ], + [ SSL2_MT_CLIENT_HELLO => "Client hello" ], + [ SSL2_MT_CLIENT_MASTER_KEY => "Client key" ], + [ SSL2_MT_CLIENT_FINISHED => "Client finished" ], + [ SSL2_MT_SERVER_HELLO => "Server hello" ], + [ SSL2_MT_SERVER_VERIFY => "Server verify" ], + [ SSL2_MT_SERVER_FINISHED => "Server finished" ], + [ SSL2_MT_REQUEST_CERTIFICATE => "Request CERT" ], + [ SSL2_MT_REQUEST_CERTIFICATE => "Client CERT" ] +) { + next if $trace_constants{$_->[0]} == -1; + $tc_msgtype2s{$trace_constants{SSL2_VERSION_MAJOR}, $trace_constants{$_->[0]}} = $_->[1]; +} +for( + [ SSL3_MT_HELLO_REQUEST => "Hello request" ], + [ SSL3_MT_CLIENT_HELLO => "Client hello" ], + [ SSL3_MT_SERVER_HELLO => "Server hello" ], + [ SSL3_MT_NEWSESSION_TICKET => "Newsession Ticket" ], + [ SSL3_MT_CERTIFICATE => "Certificate" ], + 
[ SSL3_MT_SERVER_KEY_EXCHANGE => "Server key exchange" ], + [ SSL3_MT_CLIENT_KEY_EXCHANGE => "Client key exchange" ], + [ SSL3_MT_CERTIFICATE_REQUEST => "Request CERT" ], + [ SSL3_MT_SERVER_DONE => "Server finished" ], + [ SSL3_MT_CERTIFICATE_VERIFY => "CERT verify" ], + [ SSL3_MT_FINISHED => "Finished" ], + [ SSL3_MT_CERTIFICATE_STATUS => "Certificate Status" ], + [ SSL3_MT_ENCRYPTED_EXTENSIONS => "Encrypted Extensions" ], + [ SSL3_MT_SUPPLEMENTAL_DATA => "Supplemental data" ], + [ SSL3_MT_END_OF_EARLY_DATA => "End of early data" ], + [ SSL3_MT_KEY_UPDATE => "Key update" ], + [ SSL3_MT_NEXT_PROTO => "Next protocol" ], + [ SSL3_MT_MESSAGE_HASH => "Message hash" ] +) { + next if $trace_constants{$_->[0]} == -1; + $tc_msgtype2s{$trace_constants{SSL3_VERSION_MAJOR}, $trace_constants{$_->[0]}} = $_->[1]; +} + +# +# Translation of curl ossl_trace +# + +sub ossl_trace { + $DEBUG>=2 or return; + my ($direction, $ssl_ver, $content_type, $buf, $len, $ssl, $userp) = @_; + + my $verstr = $tc_ver2s{$ssl_ver} || "(version=$ssl_ver)"; + + # Log progress for interesting records only (like Handshake or Alert), skip + # all raw record headers (content_type == SSL3_RT_HEADER or ssl_ver == 0). + # For TLS 1.3, skip notification of the decrypted inner Content-Type. + + if ($ssl_ver && ($content_type != $trace_constants{SSL3_RT_INNER_CONTENT_TYPE})) { + + # the info given when the version is zero is not that useful for us + $ssl_ver >>= 8; # check the upper 8 bits only below */ + + # SSLv2 doesn't seem to have TLS record-type headers, so OpenSSL + # always pass-up content-type as 0. But the interesting message-type + # is at 'buf[0]'. + + my $tls_rt_name = ($ssl_ver == $trace_constants{SSL3_VERSION_MAJOR} && $content_type) + ? 
$tc_type2s{$content_type} || "TLS Unknown (type=$content_type)" + : ""; + + my $msg_type; + my $msg_name; + if ($content_type == $trace_constants{SSL3_RT_CHANGE_CIPHER_SPEC}) { + $msg_type = unpack('c1', $buf); + $msg_name = "Change cipher spec"; + } elsif ($content_type == $trace_constants{SSL3_RT_ALERT}) { + my @c = unpack('c2', $buf); + $msg_type = ($c[0] << 8) + $c[1]; + $msg_name = eval { Net::SSLeay::SSL_alert_desc_string_long($msg_type) } || "Unknown alert"; + } else { + $msg_type = unpack('c1', $buf); + $msg_name = $tc_msgtype2s{$ssl_ver, $msg_type} || "Unknown (ssl_ver=$ssl_ver, msg=$msg_type)"; + } + DEBUG(sprintf("* %s (%s), %s, %s (%d)", + $verstr, $direction ? "OUT" : "IN", $tls_rt_name, $msg_name, $msg_type)); + } + + # + # Here one might want to hexdump $buf (?) + # + # $DEBUG>=4 && printf STDERR "%s", hexdump($buf); +} + + +1; + +__END__ diff --git a/cpan/IO-Socket-SSL/lib/IO/Socket/SSL.pod b/cpan/IO-Socket-SSL/lib/IO/Socket/SSL.pod new file mode 100644 index 000000000000..e75836f3c6e7 --- /dev/null +++ b/cpan/IO-Socket-SSL/lib/IO/Socket/SSL.pod 
@@ -0,0 +1,2213 @@
+
+=head1 NAME
+
+IO::Socket::SSL - SSL sockets with IO::Socket interface
+
+=head1 SYNOPSIS
+
+ use strict;
+ use IO::Socket::SSL;
+
+ # simple client
+ my $cl = IO::Socket::SSL->new('www.google.com:443');
+ print $cl "GET / HTTP/1.0\r\n\r\n";
+ print <$cl>;
+
+ # simple server
+ my $srv = IO::Socket::SSL->new(
+ LocalAddr => '0.0.0.0:1234',
+ Listen => 10,
+ SSL_cert_file => 'server-cert.pem',
+ SSL_key_file => 'server-key.pem',
+ );
+ $srv->accept;
+
+=head1 DESCRIPTION
+
+IO::Socket::SSL makes using SSL/TLS much easier by wrapping the necessary
+functionality into the familiar L interface and providing secure
+defaults whenever possible.
+This way, existing applications can be made SSL-aware without much effort, at
+least if you do blocking I/O and don't use select or poll.
+
+But, under the hood, SSL is a complex beast.
+So there are lots of methods to make it do what you need if the default
+behavior is not adequate.
+Because it is easy to inadvertently introduce critical security bugs or just
+hard to debug problems, I would recommend studying the following
+documentation carefully.
+
+The documentation consists of the following parts:
+
+=over 4
+
+=item * L
+
+=item * L
+
+=item * L
+
+=item * L
+
+=item * L
+
+=item * L
+
+=item * L
+
+=item * L
+
+=item * L
+
+=back
+
+Additional documentation can be found in
+
+=over 4
+
+=item * L - Doing Man-In-The-Middle with SSL
+
+=item * L - Useful functions for certificates etc
+
+=back
+
+
+=head1 Essential Information About SSL/TLS
+
+SSL (Secure Socket Layer) or its successor TLS (Transport Layer Security) are
+protocols to facilitate end-to-end security. These protocols are used when
+accessing web sites (https), delivering or retrieving email, and in lots of other
+use cases.
+In the following documentation we will refer to both SSL and TLS as simply 'SSL'.
+
+SSL enables end-to-end security by providing two essential functions:
+
+=over 4
+
+=item Encryption
+
+This part encrypts the data for transit between the communicating parties, so
+that nobody in between can read them. It also provides tamper resistance so that
+nobody in between can manipulate the data.
+
+=item Identification
+
+This part makes sure that you talk to the right peer.
+If the identification is done incorrectly it is easy to mount man-in-the-middle
+attacks, e.g. if Alice wants to talk to Bob it would be possible for Mallory to
+put itself in the middle, so that Alice talks to Mallory and Mallory to Bob.
+All the data would still be encrypted, but not end-to-end between Alice and Bob,
+but only between Alice and Mallory and then between Mallory and Bob.
+Thus Mallory would be able to read and modify all traffic between Alice and Bob.
+
+=back
+
+Identification is the part which is the hardest to understand and the easiest
+to get wrong.
+
+With SSL, the Identification is usually done with B inside a B
+(Public Key Infrastructure).
+These Certificates are comparable to an identity card, which contains
+information about the owner of the card. The card then is somehow B by
+the B of the card, the B (Certificate Agency).
+
+To verify the identity of the peer the following must be done inside SSL:
+
+=over 4
+
+=item *
+
+Get the certificate from the peer.
+If the peer does not present a certificate we cannot verify it.
+
+=item *
+
+Check if we trust the certificate, e.g. make sure it's not a forgery.
+
+We believe that a certificate is not a fake if we either know the certificate
+already or if we B the issuer (the CA) and can verify the issuers
+signature on the certificate.
+In reality there is often a hierarchy of certificate agencies and we only
+directly trust the root of this hierarchy.
+In this case the peer not only sends his own certificate, but also all
+B.
+Verification will be done by building a B from the trusted root up
+to the peers certificate and checking in each step if the we can verify the
+issuer's signature.
+
+This step often causes problems because the client does not know the necessary
+trusted root certificates. These are usually stored in a system dependent
+CA store, but often the browsers have their own CA store.
+
+=item *
+
+Check if the certificate is still valid.
+Each certificate has a lifetime and should not be used after that time because
+it might be compromised or the underlying cryptography got broken in the mean
+time.
+
+=item *
+
+Check if the subject of the certificate matches the peer.
+This is like comparing the picture on the identity card against the person
+representing the identity card.
+
+When connecting to a server this is usually done by comparing the hostname used
+for connecting against the names represented in the certificate.
+A certificate might contain multiple names or wildcards, so that it can be used
+for multiple hosts (e.g. *.example.com and *.example.org).
+
+Although nobody sane would accept an identity card where the picture does not
+match the person we see, it is a common implementation error with SSL to omit
+this check or get it wrong.
+
+=item *
+
+Check if the certificate was revoked by the issuer.
+This might be the case if the certificate was compromised somehow and now
+somebody else might use it to claim the wrong identity.
+Such revocations happened a lot after the heartbleed attack.
+
+For SSL there are two ways to verify a revocation, CRL and OCSP.
+With CRLs (Certificate Revocation List) the CA provides a list of serial numbers
+for revoked certificates. The client somehow has to download the list
+(which can be huge) and keep it up to date.
+With OCSP (Online Certificate Status Protocol) the client can check a single
+certificate directly by asking the issuer.
+
+Revocation is the hardest part of the verification and none of today's browsers
+get it fully correct. But, they are still better than most other implementations
+which don't implement revocation checks or leave the hard parts to the
+developer.
+
+=back
+
+When accessing a web site with SSL or delivering mail in a secure way the
+identity is usually only checked one way, e.g. the client wants to make sure it
+talks to the right server, but the server usually does not care which client it
+talks to.
+But, sometimes the server wants to identify the client too and will request a
+certificate from the client which the server must verify in a similar way.
+
+
+=head1 Basic SSL Client
+
+A basic SSL client is simple:
+
+ my $client = IO::Socket::SSL->new('www.example.com:443')
+ or die "error=$!, ssl_error=$SSL_ERROR";
+
+This will take the OpenSSL default CA store as the store for the trusted CA.
+This usually works on UNIX systems.
+If there are no certificates in the store it will try use L which
+provides the default CAs of Firefox.
+
+In the default settings, L will use a safer cipher set and SSL
+version, do a proper hostname check against the certificate, and use SNI (server
+name indication) to send the hostname inside the SSL handshake. This is
+necessary to work with servers which have different certificates behind the
+same IP address.
+It will also check the revocation of the certificate with OCSP, but currently
+only if the server provides OCSP stapling (for deeper checks see
+C method).
+
+Lots of options can be used to change ciphers, SSL version, location of CA and
+much more. See documentation of methods for details.
+
+With protocols like SMTP it is necessary to upgrade an existing socket to SSL.
+This can be done like this:
+
+ my $client = IO::Socket::INET->new('mx.example.com:25') or die $!;
+ # .. read greeting from server
+ # .. send EHLO and read response
+ # .. send STARTTLS command and read response
+ # ..
if response was successful we can upgrade the socket to SSL now:
+ IO::Socket::SSL->start_SSL($client,
+ # explicitly set hostname we should use for SNI
+ SSL_hostname => 'mx.example.com'
+ ) or die $SSL_ERROR;
+
+A more complete example for a simple HTTP client:
+
+ my $client = IO::Socket::SSL->new(
+ # where to connect
+ PeerHost => "www.example.com",
+ PeerPort => "https",
+
+ # certificate verification - VERIFY_PEER is default
+ SSL_verify_mode => SSL_VERIFY_PEER,
+
+ # location of CA store
+ # need only be given if default store should not be used
+ SSL_ca_path => '/etc/ssl/certs', # typical CA path on Linux
+ SSL_ca_file => '/etc/ssl/cert.pem', # typical CA file on BSD
+
+ # or just use default path on system:
+ IO::Socket::SSL::default_ca(), # either explicitly
+ # or implicitly by not giving SSL_ca_*
+
+ # easy hostname verification
+ # It will use PeerHost as default name a verification
+ # scheme as default, which is safe enough for most purposes.
+ SSL_verifycn_name => 'foo.bar',
+ SSL_verifycn_scheme => 'http',
+
+ # SNI support - defaults to PeerHost
+ SSL_hostname => 'foo.bar',
+
+ ) or die "failed connect or ssl handshake: $!,$SSL_ERROR";
+
+ # send and receive over SSL connection
+ print $client "GET / HTTP/1.0\r\n\r\n";
+ print <$client>;
+
+And to do revocation checks with OCSP (only available with OpenSSL 1.0.0 or
+higher and L 1.59 or higher):
+
+ # default will try OCSP stapling and check only leaf certificate
+ my $client = IO::Socket::SSL->new($dst);
+
+ # better yet: require checking of full chain
+ my $client = IO::Socket::SSL->new(
+ PeerAddr => $dst,
+ SSL_ocsp_mode => SSL_OCSP_FULL_CHAIN,
+ );
+
+ # even better: make OCSP errors fatal
+ # (this will probably fail with lots of sites because of bad OCSP setups)
+ # also use common OCSP response cache
+ my $ocsp_cache = IO::Socket::SSL::OCSP_Cache->new;
+ my $client = IO::Socket::SSL->new(
+ PeerAddr => $dst,
+ SSL_ocsp_mode => SSL_OCSP_FULL_CHAIN|SSL_OCSP_FAIL_HARD,
+ SSL_ocsp_cache =>
$ocsp_cache,
+ );
+
+ # disable OCSP stapling in case server has problems with it
+ my $client = IO::Socket::SSL->new(
+ PeerAddr => $dst,
+ SSL_ocsp_mode => SSL_OCSP_NO_STAPLE,
+ );
+
+ # check any certificates which are not yet checked by OCSP stapling or
+ # where we have already cached results. For your own resolving combine
+ # $ocsp->requests with $ocsp->add_response(uri,response).
+ my $ocsp = $client->ocsp_resolver();
+ my $errors = $ocsp->resolve_blocking();
+ if ($errors) {
+ warn "OCSP verification failed: $errors";
+ close($client);
+ }
+
+=head1 Basic SSL Server
+
+A basic SSL server looks similar to other L servers, only that it
+also contains settings for certificate and key:
+
+ # simple server
+ my $server = IO::Socket::SSL->new(
+ # where to listen
+ LocalAddr => '127.0.0.1',
+ LocalPort => 8080,
+ Listen => 10,
+
+ # which certificate to offer
+ # with SNI support there can be different certificates per hostname
+ SSL_cert_file => 'cert.pem',
+ SSL_key_file => 'key.pem',
+ ) or die "failed to listen: $!";
+
+ # accept client
+ my $client = $server->accept or die
+ "failed to accept or ssl handshake: $!,$SSL_ERROR";
+
+This will automatically use a secure set of ciphers and SSL version and also
+supports Forward Secrecy with (Elliptic-Curve) Diffie-Hellmann Key Exchange.
+
+If you are doing a forking or threading server, we recommend that you do the SSL
+handshake inside the new process/thread so that the master is free for new
+connections.
+We recommend this because a client with improper or slow SSL handshake could
+make the server block in the handshake which would be bad to do on the
+listening socket:
+
+ # inet server
+ my $server = IO::Socket::INET->new(
+ # where to listen
+ LocalAddr => '127.0.0.1',
+ LocalPort => 8080,
+ Listen => 10,
+ );
+
+ # accept client
+ my $client = $server->accept or die;
+
+ # SSL upgrade client (in new process/thread)
+ IO::Socket::SSL->start_SSL($client,
+ SSL_server => 1,
+ SSL_cert_file => 'cert.pem',
+ SSL_key_file => 'key.pem',
+ ) or die "failed to ssl handshake: $SSL_ERROR";
+
+Like with normal sockets, neither forking nor threading servers scale well.
+It is recommended to use non-blocking sockets instead, see
+L
+
+=head1 Common Usage Errors
+
+This is a list of typical errors seen with the use of L:
+
+=over 4
+
+=item *
+
+Disabling verification with C.
+
+As described in L, a proper
+identification of the peer is essential and failing to verify makes
+Man-In-The-Middle attacks possible.
+
+Nevertheless, lots of scripts and even public modules or applications disable
+verification, because it is probably the easiest way to make the thing work
+and usually nobody notices any security problems anyway.
+
+If the verification does not succeed with the default settings, one can do the
+following:
+
+=over 8
+
+=item *
+
+Make sure the needed CAs are in the store, maybe use C or
+C to specify a different CA store.
+
+=item *
+
+If the validation fails because the certificate is self-signed and that's what
+you expect, you can use the C option to accept specific
+leaf certificates by their certificate or pubkey fingerprint.
+
+=item *
+
+If the validation failed because the hostname does not match and you cannot
+access the host with the name given in the certificate, you can use
+C to specify the hostname you expect in the certificate.
+
+=back
+
+A common error pattern is also to disable verification if they found no CA
+store (different modules look at different "default" places).
+Because L is now able to provide a usable CA store on most
+platforms (UNIX, Mac OSX and Windows) it is better to use the defaults provided
+by L.
+If necessary these can be checked with the C method.
+
+=item *
+
+Polling of SSL sockets (e.g. select, poll and other event loops).
+
+If you sysread one byte on a normal socket it will result in a syscall to read
+one byte. Thus, if more than one byte is available on the socket it will be kept
+in the network stack of your OS and the next select or poll call will return the
+socket as readable.
+But, with SSL you don't deliver single bytes. Multiple data bytes are packaged
+and encrypted together in an SSL frame. Decryption can only be done on the whole
+frame, so a sysread for one byte actually reads the complete SSL frame from the
+socket, decrypts it and returns the first decrypted byte. Further sysreads will
+return more bytes from the same frame until all bytes are returned and the
+next SSL frame will be read from the socket.
+
+Thus, in order to decide if you can read more data (e.g. if sysread will block)
+you must check if there are still data in the current SSL frame by calling
+C and if there are no data pending you might check the underlying
+socket with select or poll.
+Another way might be if you try to sysread at least 16kByte all the time.
+16kByte is the maximum size of an SSL frame and because sysread returns data
+from only a single SSL frame you can guarantee that there are no pending
+data.
+
+Additionally, contrary to plain sockets the data delivered on the socket are
+not necessarily application payload.
+It might be a TLS handshake, it might just be the beginning of a TLS record or
+it might be TLS session tickets which are send after the TLS handshake in TLS
+1.3.
+In such situations select will return that data are available for read since it
+only looks at the plain socket.
+A sysread on the IO::Socket::SSL socket will not return any data though since it
+is an abstraction which only returns application data.
+This causes the sysread to hang in case the socket was blocking or to return
+an error with EAGAIN on non-blocking sockets.
+Applications using select or similar should therefore set the socket to
+non-blocking and also expect that the sysread might temporarily fail with
+EAGAIN.
+
+See also L.
+
+=item *
+
+Expecting exactly the same behavior as plain sockets.
+
+IO::Socket::SSL tries to emulate the usual socket behavior as good as possible,
+but full emulation can not be done. Specifically a read on the SSL socket might
+also result in a write on the TCP socket or a write on the SSL socket might
+result in a read on the TCP socket. Also C and B on the SSL
+socket will result in writing and reading data to the TCP socket too.
+
+Especially the hidden writes might result in a connection reset if the
+underlying TCP socket is already closed by the peer. Unless signal PIPE is
+explicitly handled by the application this will usually result in the
+application crashing. It is thus recommended to explicitly IGNORE signal PIPE so
+that the errors get propagated as EPIPE instead of causing a crash of the
+application.
+
+=item *
+
+Set 'SSL_version' or 'SSL_cipher_list' to a "better" value.
+
+L tries to set these values to reasonable, secure values which
+are compatible with the rest of the world.
+But, there are some scripts or modules out there which tried to be smart and
+get more secure or compatible settings.
+Unfortunately, they did this years ago and never updated these values, so they
+are still forced to do only 'TLSv1' (instead of also using TLSv12 or TLSv11).
+Or they set 'HIGH' as the cipher list and thought they were secure, but did not
+notice that 'HIGH' includes anonymous ciphers, e.g.
without identification of
+the peer.
+
+So it is recommended to leave the settings at the secure defaults which
+L sets and which get updated from time to time to
+better fit the real world.
+
+=item *
+
+Make SSL settings inaccessible by the user, together with bad builtin settings.
+
+Some modules use L, but don't make the SSL settings available
+to the user. This is often combined with bad builtin settings or defaults (like
+switching verification off).
+
+Thus the user needs to hack around these restrictions by using
+C or similar.
+
+=item *
+
+Use of constants as strings.
+
+Constants like C or C should be used as
+constants and not be put inside quotes, because they represent numerical values.
+
+=item *
+
+Forking and handling the socket in parent and child.
+
+A B of the process will duplicate the internal user space SSL state of the
+socket. If both master and child interact with the socket by using their own SSL
+state strange error messages will happen. Such interaction includes explicit or
+implicit B of the SSL socket. To avoid this the socket should be explicitly
+closed with B.
+
+=item *
+
+Forking and executing a new process.
+
+Since the SSL state is stored in user space it will be duplicated by a B but
+it will be lost when doing B. This means it is not possible to simply
+redirect stdin and stdout for the new process to the SSL socket by duplicating
+the relevant file handles. Instead explicitly exchanging plain data between
+child-process and SSL socket are needed.
+
+=back
+
+
+
+=head1 Common Problems with SSL
+
+SSL is a complex protocol with multiple implementations and each of these has
+their own quirks. While most of these implementations work together, it often
+gets problematic with older versions, minimal versions in load balancers, or plain
+wrong setups.
+
+Unfortunately these problems are hard to debug.
+Helpful for debugging are a knowledge of SSL internals, wireshark and the use of
+the debug settings of L and L, which can both be
+set with C<$IO::Socket::SSL::DEBUG>.
+The following debugs levels are defined, but used not in any consistent way:
+
+=over 4
+
+=item *
+
+0 - No debugging (default).
+
+=item *
+
+1 - Print out errors from L and ciphers from L.
+
+=item *
+
+2 - Print also information about call flow from L, progress
+information from L and state information from OpenSSL.
+
+=item *
+
+3 - Print also some data dumps from L and from L.
+
+=back
+
+Also, C from the ssl-tools repository at
+L might be a helpful tool when debugging
+SSL problems, as do the C command line tool and a check with a
+different SSL implementation (e.g. a web browser).
+
+The following problems are not uncommon:
+
+=over 4
+
+=item *
+
+Bad server setup: missing intermediate certificates.
+
+It is a regular problem that administrators fail to include all necessary
+certificates into their server setup, e.g. everything needed to build the trust
+chain from the trusted root.
+If they check the setup with the browser everything looks ok, because browsers
+work around these problems by caching any intermediate certificates and apply
+them to new connections if certificates are missing.
+
+But, fresh browser profiles which have never seen these intermediates cannot
+fill in the missing certificates and fail to verify; the same is true with
+L.
+
+=item *
+
+Old versions of servers or load balancers which do not understand specific TLS
+versions or croak on specific data.
+
+From time to time one encounters an SSL peer, which just closes the connection
+inside the SSL handshake. This can usually be worked around by downgrading the
+SSL version, e.g. by setting C. Modern Browsers usually deal with
+such servers by automatically downgrading the SSL version and repeat the
+connection attempt until they succeed.
+
+Worse servers do not close the underlying TCP connection but instead just
+drop the relevant packet. This is harder to detect because it looks like a
+stalled connection. But downgrading the SSL version often works here too.
+
+A cause of such problems are often load balancers or security devices, which
+have hardware acceleration and only a minimal (and less robust) SSL stack. They
+can often be detected because they support much fewer ciphers than other
+implementations.
+
+=item *
+
+Bad or old OpenSSL versions.
+
+L uses OpenSSL with the help of the L library. It
+is recommend to have a recent version of this library, because it has more
+features and usually fewer known bugs.
+
+=item *
+
+Validation of client certificates fail.
+
+Make sure that the purpose of the certificate allows use as ssl client (check
+with C<< openssl x509 -purpose >>, that the necessary root certificate is in the
+path specified by C (or the default path) and that any intermediate
+certificates needed to build the trust chain are sent by the client.
+
+=item *
+
+Validation of self-signed certificate fails even if it is given with
+C argument.
+
+The C arguments do not give a general trust store for arbitrary
+certificates but only specify a store for CA certificates which then can be used
+to verify other certificates. This especially means that certificates which are
+not a CA get simply ignored, notably self-signed certificates which do not also
+have the CA-flag set.
+
+This behavior of OpenSSL differs from the more general trust-store concept which
+can be found in browsers and where it is possible to simply added arbitrary
+certificates (CA or not) as trusted.
+
+
+=back
+
+
+
+=head1 Using Non-Blocking Sockets
+
+If you have a non-blocking socket, the expected behavior on read, write, accept
+or connect is to set C<$!> to EWOULDBLOCK if the operation cannot be completed
+immediately. Note that EWOULDBLOCK is the same as EAGAIN on UNIX systems, but
+is different on Windows.
+
+With SSL, handshakes might occur at any time, even within an established
+connection. In these cases it is necessary to finish the handshake before
+you can read or write data. This might result in situations where you want to
+read but must first finish the write of a handshake or where you want to write
+but must first finish a read.
+In these cases C<$!> is set to EAGAIN like expected, and additionally
+C<$SSL_ERROR> is set to either SSL_WANT_READ or SSL_WANT_WRITE.
+Thus if you get EWOULDBLOCK on a SSL socket you must check C<$SSL_ERROR> for
+SSL_WANT_* and adapt your event mask accordingly.
+
+Using readline on non-blocking sockets does not make much sense and I would
+advise against using it.
+And, while the behavior is not documented for other L classes, it
+will try to emulate the behavior seen there, e.g. to return the received data
+instead of blocking, even if the line is not complete. If an unrecoverable error
+occurs it will return nothing, even if it already received some data.
+
+Also, I would advise against using C with a non-blocking SSL object
+because it might block and this is not what most would expect. The reason for
+this is that C on a non-blocking TCP socket (e.g. L,
+L..) results in a new TCP socket which does not inherit the
+non-blocking behavior of the master socket. And thus, the initial SSL handshake
+on the new socket inside C will be done in a blocking
+way. To work around this you are safer by doing a TCP accept and later upgrade the
+TCP socket in a non-blocking way with C and C.
+
+ my $cl = IO::Socket::SSL->new($dst);
+ $cl->blocking(0);
+ my $sel = IO::Select->new($cl);
+ while (1) {
+ # with SSL a call for reading n bytes does not result in reading of n
+ # bytes from the socket, but instead it must read at least one full SSL
+ # frame. If the socket has no new bytes, but there are unprocessed data
+ # from the SSL frame can_read will block!
+
+ # wait for data on socket
+ $sel->can_read();
+
+ # new data on socket or eof
+ READ:
+ # this does not read only 1 byte from socket, but reads the complete SSL
+ # frame and then just returns one byte. On subsequent calls it than
+ # returns more byte of the same SSL frame until it needs to read the
+ # next frame.
+ my $n = sysread( $cl,my $buf,1);
+ if ( ! defined $n ) {
+ die $! if not $!{EWOULDBLOCK};
+ next if $SSL_ERROR == SSL_WANT_READ;
+ if ( $SSL_ERROR == SSL_WANT_WRITE ) {
+ # need to write data on renegotiation
+ $sel->can_write;
+ next;
+ }
+ die "something went wrong: $SSL_ERROR";
+ } elsif ( ! $n ) {
+ last; # eof
+ } else {
+ # read next bytes
+ # we might have still data within the current SSL frame
+ # thus first process these data instead of waiting on the underlying
+ # socket object
+ goto READ if $cl->pending; # goto sysread
+ next; # goto $sel->can_read
+ }
+ }
+
+
+Additionally there are differences to plain sockets when using select, poll,
+kqueue or similar technologies to get notified if data are available.
+Relying only on these calls is not sufficient in all cases since unread data
+might be internally buffered in the SSL stack. To detect such buffering
+B need to be used. Alternatively the buffering can be avoided by using
+B with the maximum size of an SSL frame. See L
+for details.
+
+=head1 Advanced Usage
+
+=head2 SNI Support
+
+Newer extensions to SSL can distinguish between multiple hostnames on the same
+IP address using Server Name Indication (SNI).
+
+Support for SNI on the client side was added somewhere in the OpenSSL 0.9.8
+series, but with 1.0 a bug was fixed when the server could not decide about
+its hostname. Therefore client side SNI is only supported with OpenSSL 1.0 or
+higher in L.
+With a supported version, SNI is used automatically on the client side, if it
+can determine the hostname from C or C (which are synonyms
+in the underlying IO::Socket:: classes and thus should never be set both or at
+least not to different values).
+On unsupported OpenSSL versions it will silently not use SNI.
+The hostname can also be given explicitly given with C, but in
+this case it will throw in error, if SNI is not supported.
+To check for support you might call C<< IO::Socket::SSL->can_client_sni() >>.
+
+On the server side, earlier versions of OpenSSL are supported, but only together
+with L version >= 1.50.
+To check for support you might call C<< IO::Socket::SSL->can_server_sni() >>.
+If server side SNI is supported, you might specify different certificates per
+host with C and C, and check the requested name using
+C.
+
+=head2 Talk Plain and SSL With The Same Socket
+
+It is often required to first exchange some plain data and then upgrade the
+socket to SSL after some kind of STARTTLS command. Protocols like FTPS even
+need a way to downgrade the socket again back to plain.
+
+The common way to do this would be to create a normal socket and use C
+to upgrade and stop_SSL to downgrade:
+
+ my $sock = IO::Socket::INET->new(...) or die $!;
+ ... exchange plain data on $sock until starttls command ...
+ IO::Socket::SSL->start_SSL($sock,%sslargs) or die $SSL_ERROR;
+ ... now $sock is an IO::Socket::SSL object ...
+ ... exchange data with SSL on $sock until stoptls command ...
+ $sock->stop_SSL or die $SSL_ERROR;
+ ... now $sock is again an IO::Socket::INET object ...
+
+But, lots of modules just derive directly from L.
+While this base class can be replaced with L, these modules cannot
+easily support different base classes for SSL and plain data and switch between
+these classes on a starttls command.
+
+To help in this case, L can be reduced to a plain socket on
+startup, and connect_SSL/accept_SSL/start_SSL can be used to enable SSL and
+C to talk plain again:
+
+ my $sock = IO::Socket::SSL->new(
+ PeerAddr => ...
+ SSL_startHandshake => 0,
+ %sslargs
+ ) or die $!;
+ ... exchange plain data on $sock until starttls command ...
+ $sock->connect_SSL or die $SSL_ERROR;
+ ... now $sock is an IO::Socket::SSL object ...
+ ... exchange data with SSL on $sock until stoptls command ...
+ $sock->stop_SSL or die $SSL_ERROR;
+ ... $sock is still an IO::Socket::SSL object ...
+ ... but data exchanged again in plain ...
+
+
+=head1 Integration Into Own Modules
+
+L behaves similarly to other L modules and thus could
+be integrated in the same way, but you have to take special care when using
+non-blocking I/O (like for handling timeouts) or using select or poll.
+Please study the documentation on how to deal with these differences.
+
+Also, it is recommended to not set or touch most of the C options, so
+that they keep their secure defaults. It is also recommended to let the user
+override these SSL specific settings without the need of global settings or hacks
+like C.
+
+The notable exception is C.
+This should be set to the hostname verification scheme required by the module or
+protocol.
+
+
+
+
+=head1 Description Of Methods
+
+L inherits from another L module.
+The choice of the super class depends on the installed modules:
+
+=over 4
+
+=item *
+
+If L with at least version 0.20 is installed it will use this
+module as super class, transparently providing IPv6 and IPv4 support.
+
+=item *
+
+If L is installed it will use this module as super class,
+transparently providing IPv6 and IPv4 support.
+
+=item *
+
+Otherwise it will fall back to L, which is a perl core module.
+With L you only get IPv4 support.
+
+=back
+
+Please be aware that with the IPv6 capable super classes, it will look first
+for the IPv6 address of a given hostname.
If the resolver provides an IPv6
+address, but the host cannot be reached by IPv6, there will be no automatic
+fallback to IPv4.
+To avoid these problems you can enforce IPv4 for a specific socket by
+using the C or C option with the value AF_INET as described in
+L. Alternatively you can enforce IPv4 globally by loading
+L with the option 'inet4', in which case it will use the IPv4
+only class L as the super class.
+
+L will provide all of the methods of its super class, but
+sometimes it will override them to match the behavior expected from SSL or to
+provide additional arguments.
+
+The new or changed methods are described below, but please also read the
+section about SSL specific error handling.
+
+=over 4
+
+=item Error Handling
+
+If an SSL specific error occurs, the global variable C<$SSL_ERROR> will be set.
+If the error occurred on an existing SSL socket, the method C will
+give access to the latest socket specific error.
+Both C<$SSL_ERROR> and the C method give a dualvar similar to C<$!>, e.g.
+providing an error number in numeric context or an error description in string
+context.
+
+
+=item B
+
+Creates a new L object. You may use all the friendly options
+that came bundled with the super class (e.g. L,
+L, ...) plus (optionally) the ones described below.
+If you don't specify any SSL related options it will do its best in using
+secure defaults, e.g. choosing good ciphers, enabling proper verification, etc.
+
+=over 2
+
+=item SSL_server
+
+Set this option to a true value if the socket should be used as a server.
+If this is not explicitly set it is assumed if the C parameter is given
+when creating the socket.
+
+=item SSL_hostname
+
+This can be given to specify the hostname used for SNI, which is needed if you
+have multiple SSL hostnames on the same IP address. If not given it will try to
+determine the hostname from C, which will fail if only an IP was given or if
+this argument is used within C.
+ +If you want to disable SNI, set this argument to ''. + +Currently only supported for the client side and will be ignored for the server +side. + +See section "SNI Support" for details of SNI the support. + +=item SSL_startHandshake + +If this option is set to false (defaults to true) it will not start the SSL +handshake yet. This has to be done later with C or C. +Before the handshake is started read/write/etc. can be used to exchange plain +data. + +=item SSL_keepSocketOnError + +If this option is set to true (defaults to false) it will not close the +underlying TCP socket on errors. In most cases there is no real use for this +behavior since both sides of the TCP connection will probably have a +different idea of the current state of the connection. + +=item SSL_ca | SSL_ca_file | SSL_ca_path + +Usually you want to verify that the peer certificate has been signed by a +trusted certificate authority. In this case you should use this option to +specify the file (C) or directory (C) containing the +certificateZ<>(s) of the trusted certificate authorities. + +C can also be an array or a string containing multiple path, where +the path are separated by the platform specific separator. This separator is +C<;> on DOS, Windows, Netware, C<,> on VMS and C<:> for all the other systems. +If multiple path are given at least one of these must be accessible. + +You can also give a list of X509* certificate handles (like you get from +L or L) with C. These +will be added to the CA store before path and file and thus take precedence. +If neither SSL_ca, nor SSL_ca_file or SSL_ca_path are set it will use +C to determine the user-set or system defaults. +If you really don't want to set a CA set SSL_ca_file or SSL_ca_path to +C<\undef> or SSL_ca to an empty list. (unfortunately C<''> is used by some +modules using L when CA is not explicitly given). 
+ +=item SSL_client_ca | SSL_client_ca_file + +If verify_mode is VERIFY_PEER on the server side these options can be used to +set the list of acceptable CAs for the client. This way the client can select +they required certificate from a list of certificates. +The value for these options is similar to C and C. + +=item SSL_fingerprint + +Sometimes you have a self-signed certificate or a certificate issued by an +unknown CA and you really want to accept it, but don't want to disable +verification at all. In this case you can specify the fingerprint of the +certificate as C<'algo$hex_fingerprint'>. C is a fingerprint algorithm +supported by OpenSSL, e.g. 'sha1','sha256'... and C is the +hexadecimal representation of the binary fingerprint. Any colons inside the +hex string will be ignored. + +If you want to use the fingerprint of the pubkey inside the certificate instead +of the certificate use the syntax C<'algo$pub$hex_fingerprint'> instead. +To get the fingerprint of an established connection you can use +C. + +It is also possible to skip C, i.e. only specify the fingerprint. In +this case the likely algorithms will be automatically detected based on the +length of the digest string. + +You can specify a list of fingerprints in case you have several acceptable +certificates. +If a fingerprint matches the topmost (i.e. leaf) certificate no additional +validations can make the verification fail. + +=item SSL_cert_file | SSL_cert | SSL_key_file | SSL_key + +If you create a server you usually need to specify a server certificate which +should be verified by the client. Same is true for client certificates, which +should be verified by the server. +The certificate can be given as a file with SSL_cert_file or as an internal +representation of an X509* object (like you get from L or +L) with SSL_cert. +If given as a file it will automatically detect the format. 
+Supported file formats are PEM, DER and PKCS#12, where PEM and PKCS#12 can +contain the certificate and the chain to use, while DER can only contain a single +certificate. + +If given as a list of X509* please note, that the all the chain certificates +(e.g. all except the first) will be "consumed" by openssl and will be freed +if the SSL context gets destroyed - so you should never free them yourself. But +the servers certificate (e.g. the first) will not be consumed by openssl and +thus must be freed by the application. + +For each certificate a key is need, which can either be given as a file with +SSL_key_file or as an internal representation of an EVP_PKEY* object with +SSL_key (like you get from L or +L). +If a key was already given within the PKCS#12 file specified by SSL_cert_file +it will ignore any SSL_key or SSL_key_file. +If no SSL_key or SSL_key_file was given it will try to use the PEM file given +with SSL_cert_file again, maybe it contains the key too. + +If your SSL server should be able to use different certificates on the same IP +address, depending on the name given by SNI, you can use a hash reference +instead of a file with C< cert_file>>. + +If your SSL server should be able to use both RSA and ECDSA certificates for the +same domain/IP a similar hash reference like with SNI is given. The +domain names used to specify the additional certificates should be +C, i.e. C or similar. This needs at least +OpenSSL 1.0.2. To let the server pick the certificate based on the clients +cipher preference C should be set to false. + +In case certs and keys are needed but not given it might fall back to builtin +defaults, see "Defaults for Cert, Key and CA". 
+ +Examples: + + SSL_cert_file => 'mycert.pem', + SSL_key_file => 'mykey.pem', + + SSL_cert_file => { + "foo.example.org" => 'foo-cert.pem', + "foo.example.org%ecc" => 'foo-ecc-cert.pem', + "bar.example.org" => 'bar-cert.pem', + # used when nothing matches or client does not support SNI + '' => 'default-cert.pem', + '%ecc' => 'default-ecc-cert.pem', + }, + SSL_key_file => { + "foo.example.org" => 'foo-key.pem', + "foo.example.org%ecc" => 'foo-ecc-key.pem', + "bar.example.org" => 'bar-key.pem', + # used when nothing matches or client does not support SNI + '' => 'default-key.pem', + '%ecc' => 'default-ecc-key.pem', + } + +=item SSL_passwd_cb + +If your private key is encrypted, you might not want the default password prompt +from Net::SSLeay. This option takes a reference to a subroutine that should +return the password required to decrypt your private key. + +=item SSL_use_cert + +If this is true, it forces IO::Socket::SSL to use a certificate and key, even if +you are setting up an SSL client. If this is set to 0 (the default), then you +will only need a certificate and key if you are setting up a server. + +SSL_use_cert will implicitly be set if SSL_server is set. +For convenience it is also set if it was not given but a cert was given for use +(SSL_cert_file or similar). + + +=item SSL_version + +Sets the version of the SSL protocol used to transmit data. +'SSLv23' uses a handshake compatible with SSL2.0, SSL3.0 and TLS1.x, while +'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1_1', 'TLSv1_2', or 'TLSv1_3' restrict +handshake and protocol to the specified version. +All values are case-insensitive. Instead of 'TLSv1_1', 'TLSv1_2', and +'TLSv1_3' one can also use 'TLSv11', 'TLSv12', and 'TLSv13'. Support for +'TLSv1_1', 'TLSv1_2', and 'TLSv1_3' requires recent versions of Net::SSLeay +and openssl. + +Independent from the handshake format you can limit to set of accepted SSL +versions by adding !version separated by ':'. 
+ +The default SSL_version is 'SSLv23:!SSLv3:!SSLv2' which means, that the +handshake format is compatible to SSL2.0 and higher, but that the successful +handshake is limited to TLS1.0 and higher, that is no SSL2.0 or SSL3.0 because +both of these versions have serious security issues and should not be used +anymore. +You can also use !TLSv1_1 and !TLSv1_2 to disable TLS versions 1.1 and 1.2 while +still allowing TLS version 1.0. + +Setting the version instead to 'TLSv1' might break interaction with older +clients, which need and SSL2.0 compatible handshake. On the other +side some clients just close the connection when they receive a TLS version 1.1 +request. In this case setting the version to +'SSLv23:!SSLv2:!SSLv3:!TLSv1_1:!TLSv1_2' might help. + +=item SSL_cipher_list + +If this option is set the cipher list for the connection will be set to the +given value, e.g. something like 'ALL:!LOW:!EXP:!aNULL'. This will only affect +ciphers for TLS 1.2 and lower. See the OpenSSL documentation +(L) +for more details. + +Unless you fail to contact your peer because of no shared ciphers it is +recommended to leave this option at the default setting, which uses the system +default but disables some insecure ciphers which might still be enabled on older +systems. + +In case different cipher lists are needed for different SNI hosts a hash can be +given with the host as key and the cipher suite as value, similar to +B. + +=item SSL_ciphersuites + +If this option is set the TLS 1.3 ciphersuites for the connection will be +set to the given value. This is similar to SSL_cipher_list, but only for TLS 1.3 +ciphers. See argument C<-ciphersuits> in the OpenSSL documentation +(L) for +details. + +Unless you fail to contact your peer because of no shared ciphers it is +recommended to leave this option at the default setting, which uses the system +default. 
+ +In case different cipher lists are needed for different SNI hosts a hash can be +given with the host as key and the cipher suite as value, similar to +B. + +=item SSL_honor_cipher_order + +If this option is true the cipher order the server specified is used instead +of the order proposed by the client. This option defaults to true to make use of +our secure cipher list setting. + +=item SSL_dh_file + +To create a server which provides forward secrecy you need to either give the DH +parameters or (better, because faster) the ECDH curve. This setting cares +about DH parameters. + +To support non-elliptic Diffie-Hellman key exchange a suitable file needs to +be given here or the SSL_dh should be used with an appropriate value. +See dhparam command in openssl for more information. + +If neither C nor C are set a builtin DH parameter with a +length of 2048 bit is used to offer DH key exchange by default. If you don't +want this (e.g. disable DH key exchange) explicitly set this or the C +parameter to undef. + +=item SSL_dh + +Like SSL_dh_file, but instead of giving a file you use a preloaded or generated +DH*. + +=item SSL_ecdh_curve + +To create a server which provides forward secrecy you need to either give the DH +parameters or (better, because faster) the ECDH curve. This setting cares +about the ECDH curve(s). + +To support Elliptic Curve Diffie-Hellmann key exchange the OID or NID of at +least one suitable curve needs to be provided here. + +With OpenSSL 1.1.0+ this parameter defaults to C, which means that it +lets OpenSSL pick the best settings. If support for CTX_set_ecdh_auto is +implemented in Net::SSLeay (needs at least version 1.86) it will use this to +implement the same default. Otherwise it will default to C +(builtin of OpenSSL) in order to offer ECDH key exchange by default. + +If setting groups or curves is supported by Net::SSLeay (needs at least +version 1.86) then multiple curves can be given here in the order of the +preference, i.e. C. 
When used at the client side this +will include the supported curves as extension in the TLS handshake. + +If you don't want to have ECDH key exchange this could be set to undef or +set C to exclude all of these ciphers. + +You can check if ECDH support is available by calling +C<< IO::Socket::SSL->can_ecdh >>. + +=item SSL_verify_mode + +This option sets the verification mode for the peer certificate. +You may combine SSL_VERIFY_PEER (verify_peer), SSL_VERIFY_FAIL_IF_NO_PEER_CERT +(fail verification if no peer certificate exists; ignored for clients), +SSL_VERIFY_CLIENT_ONCE (verify client once; ignored for clients). +See OpenSSL man page for SSL_CTX_set_verify for more information. + +The default is SSL_VERIFY_NONE for server (e.g. no check for client +certificate) and SSL_VERIFY_PEER for client (check server certificate). + +=item SSL_verify_callback + +If you want to verify certificates yourself, you can pass a sub reference along +with this parameter to do so. When the callback is called, it will be passed: + +=over 4 + +=item 1. +a true/false value that indicates what OpenSSL thinks of the certificate, + +=item 2. +a C-style memory address of the certificate store, + +=item 3. +a string containing the certificate's issuer attributes and owner attributes, +and + +=item 4. +a string containing any errors encountered (0 if no errors). + +=item 5. +a C-style memory address of the peer's own certificate (convertible to +PEM form with Net::SSLeay::PEM_get_string_X509()). + +=item 6. +The depth of the certificate in the chain. Depth 0 is the leaf certificate. + +=back + +The function should return 1 or 0, depending on whether it thinks the +certificate is valid or invalid. The default is to let OpenSSL do all of the +busy work. + +The callback will be called for each element in the certificate chain. + +See the OpenSSL documentation for SSL_CTX_set_verify for more information. 
+ +=item SSL_verifycn_scheme + +The scheme is used to correctly verify the identity inside the certificate +by using the hostname of the peer. +See the information about the verification schemes in B. + +If you don't specify a scheme it will use 'default', but only complain loudly if +the name verification fails instead of letting the whole certificate +verification fail. THIS WILL CHANGE, e.g. it will let the certificate +verification fail in the future if the hostname does not match the certificate +!!!! To override the name used in verification use B. + +The scheme 'default' is a superset of the usual schemes, which will accept the +hostname in common name and subjectAltName and allow wildcards everywhere. +While using this scheme is way more secure than no name verification at all you +better should use the scheme specific to your application protocol, e.g. 'http', +'ftp'... + +If you are really sure, that you don't want to verify the identity using the +hostname you can use 'none' as a scheme. In this case you'd better have +alternative forms of verification, like a certificate fingerprint or do a manual +verification later by calling B yourself. + +=item SSL_verifycn_publicsuffix + +This option is used to specify the behavior when checking wildcards certificates +for public suffixes, e.g. no wildcard certificates for *.com or *.co.uk should +be accepted, while *.example.com or *.example.co.uk is ok. + +If not specified it will simply use the builtin default of +L, you can create another object with +from_string or from_file of this module. + +To disable verification of public suffix set this option to C<''>. + +=item SSL_verifycn_name + +Set the name which is used in verification of hostname. If SSL_verifycn_scheme +is set and no SSL_verifycn_name is given it will try to use SSL_hostname or +PeerHost and PeerAddr settings and fail if no name can be determined. 
+If SSL_verifycn_scheme is not set it will use a default scheme and warn if it +cannot determine a hostname, but it will not fail. + +Using PeerHost or PeerAddr works only if you create the connection directly +with C<< IO::Socket::SSL->new >>, if an IO::Socket::INET object is upgraded +with B the name has to be given in B or +B. + +=item SSL_check_crl + +If you want to verify that the peer certificate has not been revoked +by the signing authority, set this value to true. OpenSSL will search +for the CRL in your SSL_ca_path, or use the file specified by +SSL_crl_file. See the Net::SSLeay documentation for more details. +Note that this functionality appears to be broken with OpenSSL < +v0.9.7b, so its use with lower versions will result in an error. + +=item SSL_crl_file + +If you want to specify the CRL file to be used, set this value to the +pathname to be used. This must be used in addition to setting +SSL_check_crl. + +=item SSL_ocsp_mode + +Defines how certificate revocation is done using OCSP (Online Status Revocation +Protocol). The default is to send a request for OCSP stapling to the server and +if the server sends an OCSP response back the result will be used. + +Any other OCSP checking needs to be done manually with C. + +The following flags can be combined with C<|>: + +=over 8 + +=item SSL_OCSP_NO_STAPLE + +Don't ask for OCSP stapling. +This is the default if SSL_verify_mode is VERIFY_NONE. + +=item SSL_OCSP_TRY_STAPLE + +Try OCSP stapling, but don't complain if it gets no stapled response back. +This is the default if SSL_verify_mode is VERIFY_PEER (the default). + +=item SSL_OCSP_MUST_STAPLE + +Consider it a hard error, if the server does not send a stapled OCSP response +back. Most servers currently send no stapled OCSP response back. + +=item SSL_OCSP_FAIL_HARD + +Fail hard on response errors, default is to fail soft like the browsers do. +Soft errors mean, that the OCSP response is not usable, e.g. 
no response, +error response, no valid signature etc. +Certificate revocations inside a verified response are considered hard errors +in any case. + +Soft errors inside a stapled response are never considered hard, e.g. it is +expected that in this case an OCSP request will be send to the responsible +OCSP responder. + +=item SSL_OCSP_FULL_CHAIN + +This will set up the C so that all certificates from the peer +chain will be checked, otherwise only the leaf certificate will be checked +against revocation. + +=back + +=item SSL_ocsp_staple_callback + +If this callback is defined, it will be called with the SSL object and the OCSP +response handle obtained from the peer, e.g. C<<$cb->($ssl,$resp)>>. +If the peer did not provide a stapled OCSP response the function will be called +with C<$resp=undef>. +Because the OCSP response handle is no longer valid after leaving this function +it should not by copied or freed. If access to the response is necessary after +leaving this function it can be serialized with +C. + +If no such callback is provided, it will use the default one, which verifies the +response and uses it to check if the certificate(s) of the connection got +revoked. + +=item SSL_ocsp_cache + +With this option a cache can be given for caching OCSP responses, which could +be shared between different SSL contexts. If not given a cache specific to the +SSL context only will be used. + +You can either create a new cache with +C<< IO::Socket::SSL::OCSP_Cache->new([size]) >> or implement your own cache, +which needs to have methods C and C (returning +C<\%entry>) where entry is the hash representation of the OCSP response with +fields like C. The default implementation of the cache will consider +responses valid as long as C is less then the current time. 
+ +=item SSL_reuse_ctx + +If you have already set the above options for a previous instance of +IO::Socket::SSL, then you can reuse the SSL context of that instance by passing +it as the value for the SSL_reuse_ctx parameter. You may also create a +new instance of the IO::Socket::SSL::SSL_Context class, using any context +options that you desire without specifying connection options, and pass that +here instead. + +If you use this option, all other context-related options that you pass +in the same call to new() will be ignored unless the context supplied was +invalid. Note that, contrary to versions of IO::Socket::SSL below v0.90, a +global SSL context will not be implicitly used unless you use the +set_default_context() function. + +=item SSL_create_ctx_callback + +With this callback you can make individual settings to the context after it +got created and the default setup was done. +The callback will be called with the CTX object from Net::SSLeay as the single +argument. + +Example for limiting the server session cache size: + + SSL_create_ctx_callback => sub { + my $ctx = shift; + Net::SSLeay::CTX_sess_set_cache_size($ctx,128); + } + +=item SSL_session_cache_size + +If you make repeated connections to the same host/port and the SSL renegotiation +time is an issue, you can turn on client-side session caching with this option +by specifying a positive cache size. For successive connections, pass the +SSL_reuse_ctx option to the new() calls (or use set_default_context()) to make +use of the cached sessions. The session cache size refers to the number of +unique host/port pairs that can be stored at one time; the oldest sessions in +the cache will be removed if new ones are added. + +This option does not effect the session cache a server has for it's clients, +e.g. it does not affect SSL objects with SSL_server set. + +Note that session caching with TLS 1.3 needs at least Net::SSLeay 1.86. 
+ +=item SSL_session_cache + +Specifies session cache object which should be used instead of creating a new. +Overrules SSL_session_cache_size. +This option is useful if you want to reuse the cache, but not the rest of +the context. + +A session cache object can be created using +C<< IO::Socket::SSL::Session_Cache->new( cachesize ) >>. + +Use set_default_session_cache() to set a global cache object. + +=item SSL_session_key + +Specifies a key to use for lookups and inserts into client-side session cache. +Per default ip:port of destination will be used, but sometimes you want to +share the same session over multiple ports on the same server (like with FTPS). + +=item SSL_session_id_context + +This gives an id for the servers session cache. It's necessary if you want +clients to connect with a client certificate. If not given but SSL_verify_mode +specifies the need for client certificate a context unique id will be picked. + +=item SSL_error_trap + +When using the accept() or connect() methods, it may be the case that the +actual socket connection works but the SSL negotiation fails, as in the case of +an HTTP client connecting to an HTTPS server. Passing a subroutine ref attached +to this parameter allows you to gain control of the orphaned socket instead of +having it be closed forcibly. +The subroutine, if called, will be passed two parameters: +a reference to the socket on which the SSL negotiation failed and the full +text of the error message. + +=item SSL_npn_protocols + +If used on the server side it specifies list of protocols advertised by SSL +server as an array ref, e.g. ['spdy/2','http1.1']. +On the client side it specifies the protocols offered by the client for NPN +as an array ref. +See also method C. + +Next Protocol Negotiation (NPN) is available with Net::SSLeay 1.46+ and +openssl-1.0.1+. NPN is unavailable in TLSv1.3 protocol. +To check support you might call C<< IO::Socket::SSL->can_npn() >>. 
+If you use this option with an unsupported Net::SSLeay/OpenSSL it will +throw an error. + +=item SSL_alpn_protocols + +If used on the server side it specifies list of protocols supported by the SSL +server as an array ref, e.g. ['http/2.0', 'spdy/3.1','http/1.1']. +On the client side it specifies the protocols advertised by the client for ALPN +as an array ref. +See also method C. + +Application-Layer Protocol Negotiation (ALPN) is available with Net::SSLeay +1.56+ and openssl-1.0.2+. More details about the extension are in RFC7301. To +check support you might call C<< IO::Socket::SSL->can_alpn() >>. If you use +this option with an unsupported Net::SSLeay/OpenSSL it will throw an error. + +Note that some client implementations may encounter problems if both NPN and +ALPN are specified. Since ALPN is intended as a replacement for NPN, try +providing ALPN protocols then fall back to NPN if that fails. + +=item SSL_ticket_keycb => [$sub,$data] | $sub + +This is a callback used for stateless session reuse (Session Tickets, RFC 5077). + +This callback will be called as C<< $sub->($data,[$key_name]) >> where C<$data> +is the argument given to SSL_ticket_keycb (or undef) and C<$key_name> depends +on the mode: + +=over 8 + +=item encrypt ticket + +If a ticket needs to be encrypted the callback will be called without +C<$key_name>. In this case it should return C<($current_key,$current_key_name>) +where C<$current_key> is the current key (32 byte random data) and +C<$current_key_name> the name associated with this key (exactly 16 byte). This +C<$current_key_name> will be incorporated into the ticket. + +=item decrypt ticket + +If a ticket needs to be decrypted the callback will be called with C<$key_name> +as found in the ticket. It should return C<($key,$current_key_name>) where +C<$key> is the key associated with the given C<$key_name> and +C<$current_key_name> the name associated with the currently active key. 
+If C<$current_key_name> is different from the given C<$key_name> the callback +will be called again to re-encrypt the ticket with the currently active key. + +If no key can be found which matches the given C<$key_name> then this function +should return nothing (empty list). + +This mechanism should be used to limit the life time for each key encrypting the +ticket. Compromise of a ticket encryption key might lead to decryption of SSL +sessions which used session tickets protected by this key. + +=back + +Example: + + Net::SSLeay::RAND_bytes(my $oldkey,32); + Net::SSLeay::RAND_bytes(my $newkey,32); + my $oldkey_name = pack("a16",'oldsecret'); + my $newkey_name = pack("a16",'newsecret'); + + my @keys = ( + [ $newkey_name, $newkey ], # current active key + [ $oldkey_name, $oldkey ], # already expired + ); + + my $keycb = [ sub { + my ($mykeys,$name) = @_; + + # return (current_key, current_key_name) if no name given + return ($mykeys->[0][1],$mykeys->[0][0]) if ! $name; + + # return (matching_key, current_key_name) if we find a key matching + # the given name + for(my $i = 0; $i<@$mykeys; $i++) { + next if $name ne $mykeys->[$i][0]; + return ($mykeys->[$i][1],$mykeys->[0][0]); + } + + # no matching key found + return; + },\@keys ]; + + my $srv = IO::Socket::SSL->new(..., SSL_ticket_keycb => $keycb); + +=item SSL_mode_release_buffers 1|0 + +This enables or disables the SSL_MODE_RELEASE_BUFFERS option on the SSL object. +With this option the read buffer will be released after each SSL_read but will +need to be reallocated for each new SSL_read. If memory usage is a concern this +might save lots of memory in the mean time though, about 34k per idle SSL +connection according to the documentation in SSL_CTX_set_mode(3ssl). + +=back + +=item B + +This behaves similar to the accept function of the underlying socket class, but +additionally does the initial SSL handshake. 
But because the underlying socket +class does return a blocking file handle even when accept is called on a +non-blocking socket, the SSL handshake on the new file object will be done in a +blocking way. Please see the section about non-blocking I/O for details. +If you don't like this behavior you should do accept on the TCP socket and then +upgrade it with C later. + +=item B + +This behaves similar to the connect function but also does an SSL handshake. +Because you cannot give SSL specific arguments to this function, you should +better either use C to create a connect SSL socket or C to +upgrade an established TCP socket to SSL. + +=item B + +Contrary to a close for a simple INET socket a close in SSL also mandates a +proper shutdown of the SSL part. This is done by sending a close notify message +by both peers. + +A naive implementation would thus wait until it receives the +close notify message from the peer - which conflicts with the commonly expected +semantic that a close will not block. The default behavior is thus to only send +a close notify but not wait for the close notify of the peer. If this is +required C need to be explicitly set to false. + +There are also cases where a SSL shutdown should not be done at all. This is +true for example when forking to let a child deal with the socket and closing +the socket in the parent process. A naive explicit C or an implicit close +when destroying the socket in the parent would send a close notify to the peer +which would make the SSL socket in the client process unusable. In this case an +explicit C with C set to true should be done in the +parent process. + +For more details and other arguments see C which gets called from +C to shutdown the SSL state of the socket. + +=item B + +This function behaves from the outside the same as B in other +L objects, e.g. it returns at most LEN bytes of data. +But in reality it reads not only LEN bytes from the underlying socket, but at +a single SSL frame. 
It then returns up to LEN bytes it decrypted from this SSL +frame. If the frame contained more data than requested it will return only LEN +data, buffer the rest and return it on further read calls. +This means, that it might be possible to read data, even if the underlying +socket is not readable, so using poll or select might not be sufficient. + +sysread will only return data from a single SSL frame, e.g. either the pending +data from the already buffered frame or it will read a frame from the underlying +socket and return the decrypted data. It will not return data spanning several +SSL frames in a single call. + +Also, calls to sysread might fail, because it must first finish an SSL +handshake. + +To understand these behaviors is essential, if you write applications which use +event loops and/or non-blocking sockets. Please read the specific sections in +this documentation. + +=item B + +This functions behaves from the outside the same as B in other +L objects, e.g. it will write at most LEN bytes to the socket, but +there is no guarantee, that all LEN bytes are written. It will return the number +of bytes written. +Because it basically just calls SSL_write from OpenSSL syswrite will write at +most a single SSL frame. This means, that no more than 16.384 bytes, which is +the maximum size of an SSL frame, will be written at once. + +For non-blocking sockets SSL specific behavior applies. +Pease read the specific section in this documentation. + +=item B + +This function has exactly the same syntax as B, and performs nearly the +same task but will not advance the read position so that successive calls to +peek() with the same arguments will return the same results. This function +requires OpenSSL 0.9.6a or later to work. + +=item B + +This function gives you the number of bytes available without reading from the +underlying socket object. This function is essential if you work with event +loops, please see the section about polling SSL sockets. 
+ +=item B + +This methods returns the fingerprint of the given certificate in the form +C, where C is the used algorithm, default 'sha256'. +If no certificate is given the peer certificate of the connection is used. +If C is true it will not return the fingerprint of the certificate but +instead the fingerprint of the pubkey inside the certificate as +C. + +=item B + +This methods returns the binary fingerprint of the given certificate by using +the algorithm C, default 'sha256'. +If no certificate is given the peer certificate of the connection is used. +If C is true it will not return the fingerprint of the certificate but +instead the fingerprint of the pubkey inside the certificate. + +=item B + +Returns the string form of the cipher that the IO::Socket::SSL object is using. + +=item B + +Returns the string representation of the SSL version of an established +connection. + +=item B + +Returns the integer representation of the SSL version of an established +connection. + +=item B + +This returns true if the session got reused and false otherwise. Note that with +a reused session no certificates are send within the handshake and no ciphers +are offered and thus functions which rely on this might not work. + +=item B + +Returns a parsable string with select fields from the peer SSL certificate. +This method directly returns the result of the dump_peer_certificate() method of +Net::SSLeay. + +=item B + +If a peer certificate exists, this function can retrieve values from it. +If no field is given the internal representation of certificate from Net::SSLeay +is returned. +If refresh is true it will not used a cached version, but check again in case +the certificate of the connection has changed due to renegotiation. + +The following fields can be queried: + +=over 8 + +=item authority (alias issuer) + +The certificate authority which signed the certificate. + +=item owner (alias subject) + +The owner of the certificate. 
+ +=item commonName (alias cn) - only for Net::SSLeay version >=1.30 + +The common name, usually the server name for SSL certificates. + +=item subjectAltNames - only for Net::SSLeay version >=1.33 + +Alternative names for the subject, usually different names for the same +server, like example.org, example.com, *.example.com. + +It returns a list of (typ,value) with typ GEN_DNS, GEN_IPADD etc (these +constants are exported from IO::Socket::SSL). +See Net::SSLeay::X509_get_subjectAltNames. + +=back + +=item B + +This is similar to C but will return the sites own +certificate. The same arguments for B<$field> can be used. +If no B<$field> is given the certificate handle from the underlying OpenSSL will +be returned. This handle will only be valid as long as the SSL connection exists +and if used afterwards it might result in strange crashes of the application. + +=item B + +This returns all the certificates send by the peer, e.g. first the peers own +certificate and then the rest of the chain. You might use B from +L to inspect each of the certificates. + +This function depends on a version of Net::SSLeay >= 1.58 . + +=item B + +This gives the name requested by the client if Server Name Indication +(SNI) was used. + +=item B + +This verifies the given hostname against the peer certificate using the +given scheme. Hostname is usually what you specify within the PeerAddr. +See the C parameter for an explanation of suffix +checking and for the possible values. + +Verification of hostname against a certificate is different between various +applications and RFCs. Some scheme allow wildcards for hostnames, some only +in subjectAltNames, and even their different wildcard schemes are possible. +RFC 6125 provides a good overview. 
+ +To ease the verification the following schemes are predefined (both protocol +name and rfcXXXX name can be used): + +=over 8 + +=item rfc2818, xmpp (rfc3920), ftp (rfc4217) + +Extended wildcards in subjectAltNames and common name are possible, e.g. +*.example.org or even www*.example.org. The common +name will be only checked if no DNS names are given in subjectAltNames. + +=item http (alias www) + +While name checking is defined in rfc2818 the current browsers usually accept +also an IP address (w/o wildcards) within the common name as long as no +subjectAltNames are defined. Thus this is rfc2818 extended with this feature. + +=item smtp (rfc2595), imap, pop3, acap (rfc4642), netconf (rfc5538), syslog (rfc5425), snmp (rfc5953) + +Simple wildcards in subjectAltNames are possible, e.g. *.example.org matches +www.example.org but not lala.www.example.org. If nothing from subjectAltNames +match it checks against the common name, where wildcards are also allowed to +match the full leftmost label. + +=item ldap (rfc4513) + +Simple wildcards are allowed in subjectAltNames, but not in common name. +Common name will be checked even if subjectAltNames exist. + +=item sip (rfc5922) + +No wildcards are allowed and common name is checked even if subjectAltNames +exist. + +=item gist (rfc5971) + +Simple wildcards are allowed in subjectAltNames and common name, but common name +will only be checked if their are no DNS names in subjectAltNames. + +=item default + +This is a superset of all the rules and is automatically used if no scheme is +given but a hostname (instead of IP) is known. +Extended wildcards are allowed in subjectAltNames and common name and common +name is checked always. + +=item none + +No verification will be done. +Actually is does not make any sense to call verify_hostname in this case. 
+ +=back + +The scheme can be given either by specifying the name for one of the above +predefined schemes, or by using a hash which can have the following keys and +values: + +=over 8 + +=item check_cn: 0|'always'|'when_only' + +Determines if the common name gets checked. If 'always' it will always be +checked (like in ldap), if 'when_only' it will only be checked if no names are +given in subjectAltNames (like in http), for any other values the common name +will not be checked. + +=item wildcards_in_alt: 0|'full_label'|'anywhere' + +Determines if and where wildcards in subjectAltNames are possible. If +'full_label' only cases like *.example.org will be possible (like in ldap), for +'anywhere' www*.example.org is possible too (like http), dangerous things like +but www.*.org or even '*' will not be allowed. +For compatibility with older versions 'leftmost' can be given instead of +'full_label'. + +=item wildcards_in_cn: 0|'full_label'|'anywhere' + +Similar to wildcards_in_alt, but checks the common name. There is no predefined +scheme which allows wildcards in common names. + +=item ip_in_cn: 0|1|4|6 + +Determines if an IP address is allowed in the common name (no wildcards are +allowed). If set to 4 or 6 it only allows IPv4 or IPv6 addresses, any other +true value allows both. + +=item callback: \&coderef + +If you give a subroutine for verification it will be called with the arguments +($hostname,$commonName,@subjectAltNames), where hostname is the name given for +verification, commonName is the result from peer_certificate('cn') and +subjectAltNames is the result from peer_certificate('subjectAltNames'). + +All other arguments for the verification scheme will be ignored in this case. + +=back + +=item B + +This method returns the name of negotiated protocol - e.g. 'http/1.1'. It works +for both client and server side of SSL connection. + +NPN support is available with Net::SSLeay 1.46+ and openssl-1.0.1+. 
+To check support you might call C<< IO::Socket::SSL->can_npn() >>. + +=item B + +Returns the protocol negotiated via ALPN as a string, e.g. 'http/1.1', +'http/2.0' or 'spdy/3.1'. + +ALPN support is available with Net::SSLeay 1.56+ and openssl-1.0.2+. +To check support, use C<< IO::Socket::SSL->can_alpn() >>. + +=item B + +Returns the last error (in string form) that occurred. If you do not have a +real object to perform this method on, call IO::Socket::SSL::errstr() instead. + +For read and write errors on non-blocking sockets, this method may include the +string C or C meaning that +the other side is expecting to read from or write to the socket and wants to be +satisfied before you get to do anything. But with version 0.98 you are better +comparing the global exported variable $SSL_ERROR against the exported symbols +SSL_WANT_READ and SSL_WANT_WRITE. + +=item B + +This returns false if the socket could not be opened, 1 if the socket could be +opened and the SSL handshake was successful done and -1 if the underlying +IO::Handle is open, but the SSL handshake failed. + +=item B<< IO::Socket::SSL->start_SSL($socket, ... ) >> + +This will convert a glob reference or a socket that you provide to an +IO::Socket::SSL object. You may also pass parameters to specify context or +connection options as with a call to new(). If you are using this function on +an accept()ed socket, you must set the parameter "SSL_server" to 1, i.e. +IO::Socket::SSL->start_SSL($socket, SSL_server => 1). If you have a class that +inherits from IO::Socket::SSL and you want the $socket to be blessed into your +own class instead, use MyClass->start_SSL($socket) to achieve the desired +effect. + +Note that if start_SSL() fails in SSL negotiation, $socket will remain blessed +in its original class. For non-blocking sockets you better just upgrade the +socket to IO::Socket::SSL and call accept_SSL or connect_SSL and the upgraded +object. To just upgrade the socket set B explicitly to 0. 
If +you call start_SSL w/o this parameter it will revert to blocking behavior for +accept_SSL and connect_SSL. + +If given the parameter "Timeout" it will stop if after the timeout no SSL +connection was established. This parameter is only used for blocking sockets, if +it is not given the default Timeout from the underlying IO::Socket will be +used. + +=item B + +This is the opposite of start_SSL(), connect_SSL() and accept_SSL(), e.g. it +will shutdown the SSL connection and return to the class before start_SSL(). It +gets the same arguments as close(), in fact close() calls stop_SSL() (but +without downgrading the class). + +Will return true if it succeeded and undef if failed. This might be the case for +non-blocking sockets. In this case $! is set to EWOULDBLOCK and the ssl error to +SSL_WANT_READ or SSL_WANT_WRITE. In this case the call should be retried again +with the same arguments once the socket is ready. + +For calling from C C default to false, e.g. it +waits for the close_notify of the peer. This is necessary in case you want to +downgrade the socket and continue to use it as a plain socket. + +After stop_SSL the socket can again be used to exchange plain data. + +=item B, B + +These functions should be used to do the relevant handshake, if the socket got +created with C or upgraded with C and C was +set to false. +They will return undef until the handshake succeeded or an error got thrown. +As long as the function returns undef and $! is set to EWOULDBLOCK one could +retry the call after the socket got readable (SSL_WANT_READ) or writeable +(SSL_WANT_WRITE). + +=item B + +This will create an OCSP resolver object, which can be used to create OCSP +requests for the certificates of the SSL connection. Which certificates are +verified depends on the setting of C: by default only the leaf +certificate will be checked, but with SSL_OCSP_FULL_CHAIN all chain +certificates will be checked. 
+ +Because to create an OCSP request the certificate and its issuer certificate +need to be known it is not possible to check certificates when the trust chain +is incomplete or if the certificate is self-signed. + +The OCSP resolver gets created by calling C<< $ssl->ocsp_resolver >> and +provides the following methods: + +=over 8 + +=item hard_error + +This returns the hard error when checking the OCSP response. +Hard errors are certificate revocations. With the C of +SSL_OCSP_FAIL_HARD any soft error (e.g. failures to get signed information +about the certificates) will be considered a hard error too. + +The OCSP resolving will stop on the first hard error. + +The method will return undef as long as no hard errors occurred and still +requests to be resolved. If all requests got resolved and no hard errors +occurred the method will return C<''>. + +=item soft_error + +This returns the soft error(s) which occurred when asking the OCSP responders. + +=item requests + +This will return a hash consisting of C<(url,request)>-tuples, e.g. which +contain the OCSP request string and the URL where it should be sent too. The +usual way to send such a request is as HTTP POST request with a content-type +of C or as a GET request with the base64 and +url-encoded request is added to the path of the URL. + +After you've handled all these requests and added the response with +C you should better call this method again to make sure, that no +more requests are outstanding. IO::Socket::SSL will combine multiple OCSP +requests for the same server inside a single request, but some server don't +give a response to all these requests, so that one has to ask again with the +remaining requests. + +=item add_response($uri,$response) + +This method takes the HTTP body of the response which got received when sending +the OCSP request to C<$uri>. If no response was received or an error occurred +one should either retry or consider C<$response> as empty which will trigger a +soft error. 
+ +The method returns the current value of C, e.g. a defined value +when no more requests need to be done. + +=item resolve_blocking(%args) + +This combines C and C which L to do all +necessary requests in a blocking way. C<%args> will be given to L +so that you can put proxy settings etc here. L will be called with +C of false, because the OCSP responses have their own signatures so +no extra SSL verification is needed. + +If you don't want to use blocking requests you need to roll your own user agent +with C and C. + +=back + +=item B<< IO::Socket::SSL->new_from_fd($fd, [mode], %sslargs) >> + +This will convert a socket identified via a file descriptor into an SSL socket. +Note that the argument list does not include a "MODE" argument; if you supply +one, it will be thoughtfully ignored (for compatibility with IO::Socket::INET). +Instead, a mode of '+<' is assumed, and the file descriptor passed must be able +to handle such I/O because the initial SSL handshake requires bidirectional +communication. + +Internally the given $fd will be upgraded to a socket object using the +C method of the super class (L or similar) and +then C will be called using the given C<%sslargs>. +If C<$fd> is already an IO::Socket object you should better call C +directly. + +=item B ..., SSL_ca_path => ... ])> + +Determines or sets the default CA path. +If existing path or dir or a hash is given it will set the default CA path to +this value and never try to detect it automatically. +If C is given it will forget any stored defaults and continue with +detection of system defaults. +If no arguments are given it will start detection of system defaults, unless it +has already stored user-set or previously detected values. + +The detection of system defaults works similar to OpenSSL, e.g. 
it will check +the directory specified in environment variable SSL_CERT_DIR or the path +OPENSSLDIR/certs (SSLCERTS: on VMS) and the file specified in environment +variable SSL_CERT_FILE or the path OPENSSLDIR/cert.pem (SSLCERTS:cert.pem on +VMS). Contrary to OpenSSL it will check if the SSL_ca_path contains PEM files +with the hash as file name and if the SSL_ca_file looks like PEM. +If no usable system default can be found it will try to load and use +L and if not available give up detection. +The result of the detection will be saved to speed up future calls. + +The function returns the saved default CA as hash with SSL_ca_file and +SSL_ca_path. + +=item B + +You may use this to make IO::Socket::SSL automatically re-use a given context +(unless specifically overridden in a call to new()). +It accepts one argument, which should be either an IO::Socket::SSL object or an +IO::Socket::SSL::SSL_Context object. +See the SSL_reuse_ctx option of new() for more details. +Note that this sets the default context globally, so use with caution (esp. in +mod_perl scripts). + +=item B + +You may use this to make IO::Socket::SSL automatically re-use a given session +cache (unless specifically overridden in a call to new()). +It accepts one argument, which should be an IO::Socket::SSL::Session_Cache +object or similar (e.g. something which implements get_session, add_session and +del_session like IO::Socket::SSL::Session_Cache does). +See the SSL_session_cache option of new() for more details. +Note that this sets the default cache globally, so use with caution. + +=item B + +With this function one can set defaults for all SSL_* parameter used for +creation of the context, like the SSL_verify* parameter. 
Any SSL_* parameter can +be given or the following short versions: + +=over 8 + +=item mode - SSL_verify_mode + +=item callback - SSL_verify_callback + +=item scheme - SSL_verifycn_scheme + +=item name - SSL_verifycn_name + +=back + +=item B + +Similar to C, but only sets the defaults for client mode. + +=item B + +Similar to C, but only sets the defaults for server mode. + +=item B + +Sometimes one has to use code which uses unwanted or invalid arguments for SSL, +typically disabling SSL verification or setting wrong ciphers or SSL versions. +With this hack it is possible to override these settings and restore sanity. +Example: + + IO::Socket::SSL::set_args_filter_hack( sub { + my ($is_server,$args) = @_; + if ( ! $is_server ) { + # client settings - enable verification with default CA + # and fallback hostname verification etc + delete @{$args}{qw( + SSL_verify_mode + SSL_ca_file + SSL_ca_path + SSL_verifycn_scheme + SSL_version + )}; + # and add some fingerprints for known certs which are signed by + # unknown CAs or are self-signed + $args->{SSL_fingerprint} = ... + } + }); + +With the short setting C it will prefer +the default settings in all cases. These default settings can be modified with +C, C and C. + +=back + +The following methods are unsupported (not to mention futile!) and +IO::Socket::SSL will emit a large CROAK() if you are silly enough to use them: + +=over 4 + +=item truncate + +=item stat + +=item ungetc + +=item setbuf + +=item setvbuf + +=item fdopen + +=item send/recv + +Note that send() and recv() cannot be reliably trapped by a tied filehandle +(such as that used by IO::Socket::SSL) and so may send unencrypted data over the +socket. Object-oriented calls to these functions will fail, telling you to use +the print/printf/syswrite and read/sysread families instead. 
+ +=back + +=head1 DEPRECATIONS + +The following functions are deprecated and are only retained for compatibility: + +=over 2 + +=item context_init() + +use the SSL_reuse_ctx option if you want to re-use a context + +=item socketToSSL() and socket_to_SSL() + +use IO::Socket::SSL->start_SSL() instead + +=item kill_socket() + +use close() instead + +=item get_peer_certificate() + +use the peer_certificate() function instead. +Used to return X509_Certificate with methods subject_name and issuer_name. +Now simply returns $self which has these methods (although deprecated). + +=item issuer_name() + +use peer_certificate( 'issuer' ) instead + +=item subject_name() + +use peer_certificate( 'subject' ) instead + +=back + + +=head1 EXAMPLES + +See the 'example' directory, the tests in 't' and also the tools in 'util'. + + +=head1 BUGS + +If you use IO::Socket::SSL together with threads you should load it (e.g. use or +require) inside the main thread before creating any other threads which use it. +This way it is much faster because it will be initialized only once. Also there +are reports that it might crash the other way. + +Creating an IO::Socket::SSL object in one thread and closing it in another +thread will not work. + +IO::Socket::SSL does not work together with Storable::fd_retrieve/fd_store. +See BUGS file for more information and how to work around the problem. + +Non-blocking and timeouts (which are based on non-blocking) are not +supported on Win32, because the underlying IO::Socket::INET does not support +non-blocking on this platform. + +If you have a server and it looks like you have a memory leak you might +check the size of your session cache. Default for Net::SSLeay seems to be +20480, see the example for SSL_create_ctx_callback for how to limit it. + +TLS 1.3 support regarding session reuse is incomplete. + +=head1 SEE ALSO + +IO::Socket::INET, IO::Socket::INET6, IO::Socket::IP, Net::SSLeay. 
+
+
+=head1 THANKS
+
+Many thanks to all who added patches or reported bugs or helped IO::Socket::SSL
+another way. Please keep reporting bugs and help with patches, even if they just
+fix the documentation.
+
+Special thanks to the team of Net::SSLeay for the good cooperation.
+
+=head1 AUTHORS
+
+Steffen Ullrich, is the current maintainer.
+
+Peter Behroozi, (Note the lack of an "i" at the end of "behrooz")
+
+Marko Asplund, , was the original author of IO::Socket::SSL.
+
+Patches incorporated from various people, see file Changes.
+
+
+=head1 COPYRIGHT
+
+The original versions of this module are Copyright (C) 1999-2002 Marko Asplund.
+
+The rewrite of this module is Copyright (C) 2002-2005 Peter Behroozi.
+
+Versions 0.98 and newer are Copyright (C) 2006-2014 Steffen Ullrich.
+
+This module is free software; you can redistribute it and/or
+modify it under the same terms as Perl itself.
diff --git a/cpan/IO-Socket-SSL/lib/IO/Socket/SSL/Intercept.pm b/cpan/IO-Socket-SSL/lib/IO/Socket/SSL/Intercept.pm
new file mode 100644
index 000000000000..4177cb9cf265
--- /dev/null
+++ b/cpan/IO-Socket-SSL/lib/IO/Socket/SSL/Intercept.pm
@@ -0,0 +1,379 @@
+
+package IO::Socket::SSL::Intercept;
+use strict;
+use warnings;
+use Carp 'croak';
+use IO::Socket::SSL::Utils;
+use Net::SSLeay;
+
+our $VERSION = '2.056';
+
+
+sub new {
+ my ($class,%args) = @_;
+
+ my $cacert = delete $args{proxy_cert};
+ if ( ! $cacert ) {
+ if ( my $f = delete $args{proxy_cert_file} ) {
+ $cacert = PEM_file2cert($f);
+ } else {
+ croak "no proxy_cert or proxy_cert_file given";
+ }
+ }
+
+ my $cakey = delete $args{proxy_key};
+ if ( ! $cakey ) {
+ if ( my $f = delete $args{proxy_key_file} ) {
+ $cakey = PEM_file2key($f);
+ } else {
+ croak "no proxy_cert or proxy_cert_file given";
+ }
+ }
+
+ my $certkey = delete $args{cert_key};
+ if ( ! $certkey ) {
+ if ( my $f = delete $args{cert_key_file} ) {
+ $certkey = PEM_file2key($f);
+ }
+ }
+
+ my $cache = delete $args{cache} || {};
+ if (ref($cache) eq 'CODE') {
+ # check cache type
+ my $type = $cache->('type');
+ if (!$type) {
+ # old cache interface - change into new interface
+ # get: $cache->(fp)
+ # set: $cache->(fp,cert,key)
+ my $oc = $cache;
+ $cache = sub {
+ my ($fp,$create_cb) = @_;
+ my @ck = $oc->($fp);
+ $oc->($fp, @ck = &$create_cb) if !@ck;
+ return @ck;
+ };
+ } elsif ($type == 1) {
+ # current interface:
+ # get/set: $cache->(fp,cb_create)
+ } else {
+ die "invalid type of cache: $type";
+ }
+ }
+
+ my $self = bless {
+ cacert => $cacert,
+ cakey => $cakey,
+ certkey => $certkey,
+ cache => $cache,
+ serial => delete $args{serial},
+ };
+ return $self;
+}
+
+sub DESTROY {
+ # call various ssl _free routines
+ my $self = shift or return;
+ for ( \$self->{cacert},
+ map { \$_->{cert} } ref($self->{cache}) ne 'CODE' ?
values %{$self->{cache}} :()) {
+ $$_ or next;
+ CERT_free($$_);
+ $$_ = undef;
+ }
+ for ( \$self->{cakey}, \$self->{pubkey} ) {
+ $$_ or next;
+ KEY_free($$_);
+ $$_ = undef;
+ }
+}
+
+sub clone_cert {
+ my ($self,$old_cert,$clone_key) = @_;
+
+ my $hash = CERT_asHash($old_cert);
+ my $create_cb = sub {
+ # if not in cache create new certificate based on original
+ # copy most but not all extensions
+ if (my $ext = $hash->{ext}) {
+ @$ext = grep {
+ defined($_->{sn}) && $_->{sn} !~m{^(?:
+ authorityInfoAccess |
+ subjectKeyIdentifier |
+ authorityKeyIdentifier |
+ certificatePolicies |
+ crlDistributionPoints
+ )$}x
+ } @$ext;
+ }
+ my ($clone,$key) = CERT_create(
+ %$hash,
+ issuer_cert => $self->{cacert},
+ issuer_key => $self->{cakey},
+ key => $self->{certkey},
+ serial =>
+ ! defined($self->{serial}) ? (unpack('L',$hash->{x509_digest_sha256}))[0] :
+ ref($self->{serial}) eq 'CODE' ? $self->{serial}($old_cert,$hash) :
+ ++$self->{serial},
+ );
+ return ($clone,$key);
+ };
+
+ $clone_key ||= substr(unpack("H*", $hash->{x509_digest_sha256}),0,32);
+ my $c = $self->{cache};
+ return $c->($clone_key,$create_cb) if ref($c) eq 'CODE';
+
+ my $e = $c->{$clone_key} ||= do {
+ my ($cert,$key) = &$create_cb;
+ { cert => $cert, key => $key };
+ };
+ $e->{atime} = time();
+ return ($e->{cert},$e->{key});
+}
+
+
+sub STORABLE_freeze { my $self = shift; $self->serialize() }
+sub STORABLE_thaw { my ($class,undef,$data) = @_; $class->unserialize($data) }
+
+sub serialize {
+ my $self = shift;
+ my $data = pack("N",2); # version
+ $data .= pack("N/a", PEM_cert2string($self->{cacert}));
+ $data .= pack("N/a", PEM_key2string($self->{cakey}));
+ if ( $self->{certkey} ) {
+ $data .= pack("N/a", PEM_key2string($self->{certkey}));
+ } else {
+ $data .= pack("N/a", '');
+ }
+ $data .= pack("N",$self->{serial});
+ if ( ref($self->{cache}) eq 'HASH' ) {
+ while ( my($k,$v) = each %{ $self->{cache}} ) {
+ $data .= pack("N/aN/aN/aN", $k,
+ PEM_cert2string($k->{cert}),
+ $k->{key} ?
PEM_key2string($k->{key}) : '',
+ $k->{atime});
+ }
+ }
+ return $data;
+}
+
+sub unserialize {
+ my ($class,$data) = @_;
+ unpack("N",substr($data,0,4,'')) == 2 or
+ croak("serialized with wrong version");
+ ( my $cacert,my $cakey,my $certkey,my $serial,$data)
+ = unpack("N/aN/aN/aNa*",$data);
+ my $self = bless {
+ serial => $serial,
+ cacert => PEM_string2cert($cacert),
+ cakey => PEM_string2key($cakey),
+ $certkey ? ( certkey => PEM_string2key($certkey)):(),
+ }, ref($class)||$class;
+
+ $self->{cache} = {} if $data ne '';
+ while ( $data ne '' ) {
+ (my $key,my $cert,my $certkey, my $atime,$data) = unpack("N/aN/aNa*",$data);
+ $self->{cache}{$key} = {
+ cert => PEM_string2cert($cert),
+ $key ? ( key => PEM_string2key($certkey)):(),
+ atime => $atime
+ };
+ }
+ return $self;
+}
+
+1;
+
+__END__
+
+=head1 NAME
+
+IO::Socket::SSL::Intercept -- SSL interception (man in the middle)
+
+=head1 SYNOPSIS
+
+ use IO::Socket::SSL::Intercept;
+ # create interceptor with proxy certificates
+ my $mitm = IO::Socket::SSL::Intercept->new(
+ proxy_cert_file => 'proxy_cert.pem',
+ proxy_key_file => 'proxy_key.pem',
+ ...
+ );
+ my $listen = IO::Socket::INET->new( LocalAddr => .., Listen => .. );
+ while (1) {
+ # TCP accept new client
+ my $client = $listen->accept or next;
+ # SSL connect to server
+ my $server = IO::Socket::SSL->new(
+ PeerAddr => ..,
+ SSL_verify_mode => ...,
+ ...
+ ) or die "ssl connect failed: $!,$SSL_ERROR";
+ # clone server certificate
+ my ($cert,$key) = $mitm->clone_cert( $server->peer_certificate );
+ # and upgrade client side to SSL with cloned certificate
+ IO::Socket::SSL->start_SSL($client,
+ SSL_server => 1,
+ SSL_cert => $cert,
+ SSL_key => $key
+ ) or die "upgrade failed: $SSL_ERROR";
+ # now transfer data between $client and $server and analyze
+ # the unencrypted data
+ ...
+ }
+
+
+=head1 DESCRIPTION
+
+This module provides functionality to clone certificates and sign them with a
+proxy certificate, thus making it easy to intercept SSL connections (man in the
+middle). It also manages a cache of the generated certificates.
+
+=head1 How Intercepting SSL Works
+
+Intercepting SSL connections is useful for analyzing encrypted traffic for
+security reasons or for testing. It does not break the end-to-end security of
+SSL, e.g. a properly written client will notice the interception unless you
+explicitly configure the client to trust your interceptor.
+Intercepting SSL works the following way:
+
+=over 4
+
+=item *
+
+Create a new CA certificate, which will be used to sign the cloned certificates.
+This proxy CA certificate should be trusted by the client, or (a properly
+written client) will throw error messages or deny the connections because it
+detected a man in the middle attack.
+Due to the way the interception works there no support for client side
+certificates is possible.
+
+Using openssl such a proxy CA certificate and private key can be created with:
+
+ openssl genrsa -out proxy_key.pem 1024
+ openssl req -new -x509 -extensions v3_ca -key proxy_key.pem -out proxy_cert.pem
+ # export as PKCS12 for import into browser
+ openssl pkcs12 -export -in proxy_cert.pem -inkey proxy_key.pem -out proxy_cert.p12
+
+=item *
+
+Configure client to connect to use intercepting proxy or somehow redirect
+connections from client to the proxy (e.g. packet filter redirects, ARP or DNS
+spoofing etc).
+
+=item *
+
+Accept the TCP connection from the client, e.g. don't do any SSL handshakes with
+the client yet.
+
+=item *
+
+Establish the SSL connection to the server and verify the servers certificate as
+usually. Then create a new certificate based on the original servers
+certificate, but signed by your proxy CA.
+This is the step where IO::Socket::SSL::Intercept helps.
+
+=item *
+
+Upgrade the TCP connection to the client to SSL using the cloned certificate
+from the server. If the client trusts your proxy CA it will accept the upgrade
+to SSL.
+
+=item *
+
+Transfer data between client and server. While the connections to client and
+server are both encrypted with SSL you will read/write the unencrypted data in
+your proxy application.
+
+=back
+
+=head1 METHODS
+
+IO::Socket::SSL::Intercept helps creating the cloned certificate with the
+following methods:
+
+=over 4
+
+=item B<< $mitm = IO::Socket::SSL::Intercept->new(%args) >>
+
+This creates a new interceptor object. C<%args> should be
+
+=over 8
+
+=item proxy_cert X509 | proxy_cert_file filename
+
+This is the proxy certificate.
+It can be either given by an X509 object from Ls internal
+representation, or using a file in PEM format.
+
+=item proxy_key EVP_PKEY | proxy_key_file filename
+
+This is the key for the proxy certificate.
+It can be either given by an EVP_PKEY object from Ls internal
+representation, or using a file in PEM format.
+The key should not have a passphrase.
+
+=item pubkey EVP_PKEY | pubkey_file filename
+
+This optional argument specifies the public key used for the cloned certificate.
+It can be either given by an EVP_PKEY object from Ls internal
+representation, or using a file in PEM format.
+If not given it will create a new public key on each call of C.
+
+=item serial INTEGER|CODE
+
+This optional argument gives the starting point for the serial numbers of the
+newly created certificates. If not set the serial number will be created based
+on the digest of the original certificate. If the value is code it will be
+called with C<< serial(original_cert,CERT_asHash(original_cert)) >> and should
+return the new serial number.
+
+=item cache HASH | SUBROUTINE
+
+This optional argument gives a way to cache created certificates, so that they
+don't get recreated on future accesses to the same host.
+If the argument ist not given an internal HASH ist used.
+
+If the argument is a hash it will store for each generated certificate a hash
+reference with C and C in the hash, where C is the time of
+last access (to expire unused entries) and C is the certificate. Please
+note, that the certificate is in Ls internal X509 format and can
+thus not be simply dumped and restored.
+The key for the hash is an C either given to C or generated
+from the original certificate.
+
+If the argument is a subroutine it will be called as C<< $cache->(ident,sub) >>.
+This call should return either an existing (cached) C<< (cert,key) >> or
+call C without arguments to create a new C<< (cert,key) >>, store it
+and return it.
+If called with C<< $cache->('type') >> the function should just return 1 to
+signal that it supports the current type of cache. If it reutrns nothing
+instead the older cache interface is assumed for compatibility reasons.
+
+=back
+
+=item B<< ($clone_cert,$key) = $mitm->clone_cert($original_cert,[ $ident ]) >>
+
+This clones the given certificate.
+An ident as the key into the cache can be given (like C), if not it
+will be created from the properties of the original certificate.
+It returns the cloned certificate and its key (which is the same for alle
+created certificates).
+
+=item B<< $string = $mitm->serialize >>
+
+This creates a serialized version of the object (e.g. a string) which can then
+be used to persistantly store created certificates over restarts of the
+application. The cache will only be serialized if it is a HASH.
+To work together with L the C function is defined to
+call C.
+
+=item B<< $mitm = IO::Socket::SSL::Intercept->unserialize($string) >>
+
+This restores an Intercept object from a serialized string.
+To work together with L the C function is defined to
+call C.
+
+=back
+
+=head1 AUTHOR
+
+Steffen Ullrich
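Review bot: `serialize` and `unserialize` do not round-trip the certificate cache: the `each` loop at the end of `serialize` packs `$k->{cert}`, `$k->{key}` and `$k->{atime}` where `$k` is the string ident (the entry is in `$v`), which dies under the file's `use strict` as soon as the cache has an entry, and the `while` loop in `unserialize` unpacks the four-field `N/aN/aN/aN` record with the three-field template `"N/aN/aNa*"` into five variables and then tests `$key` instead of `$certkey` before restoring the key. The fix is to read the entry from `$v` and make the unpack template mirror the pack template, as below; `pack("N",$self->{serial})` also silently turns an undefined or CODE `serial` into 0, so restored objects switch from digest-based to counter serials — worth a guard or a note. Two smaller issues in the same hunk: the `croak` in the `proxy_key` branch of `new` repeats the certificate message and should read `croak "no proxy_key or proxy_key_file given";`, and the POD documents `pubkey`/`pubkey_file` while the code reads `cert_key`/`cert_key_file` (`DESTROY` frees `$self->{pubkey}`, which nothing in this file sets, so `certkey` is never released). The `openssl genrsa -out proxy_key.pem 1024` example in the POD produces an RSA key that many current TLS clients reject as too weak; `2048` or larger is the safer example for a CA key that clients are asked to trust.
```perl
    if ( ref($self->{cache}) eq 'HASH' ) {
        while ( my($k,$v) = each %{ $self->{cache}} ) {
            $data .= pack("N/aN/aN/aN", $k,
                PEM_cert2string($v->{cert}),
                $v->{key} ? PEM_key2string($v->{key}) : '',
                $v->{atime});
        }
    }
    # … unchanged: return $data …

    # … unchanged: unserialize header and bless …
    while ( $data ne '' ) {
        (my $key,my $cert,my $certkey, my $atime,$data) = unpack("N/aN/aN/aNa*",$data);
        $self->{cache}{$key} = {
            cert => PEM_string2cert($cert),
            $certkey ? ( key => PEM_string2key($certkey)):(),
            atime => $atime
        };
    }
```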
diff --git a/cpan/IO-Socket-SSL/lib/IO/Socket/SSL/PublicSuffix.pm b/cpan/IO-Socket-SSL/lib/IO/Socket/SSL/PublicSuffix.pm
new file mode 100644
index 000000000000..e91cc44f2fea
--- /dev/null
+++ b/cpan/IO-Socket-SSL/lib/IO/Socket/SSL/PublicSuffix.pm
@@ -0,0 +1,14537 @@ + +use strict; +use warnings; +package IO::Socket::SSL::PublicSuffix; +use Carp; + +# for updates +use constant URL => 'http://publicsuffix.org/list/effective_tld_names.dat'; + +=head1 NAME + +IO::Socket::SSL::PublicSuffix - provide access to Mozilla's list of effective TLD names + +=head1 SYNOPSIS + + # use builtin default + use IO::Socket::SSL::PublicSuffix; + $ps = IO::Socket::SSL::PublicSuffix->default; + + # load from string + $ps = IO::Socket::SSL::PublicSuffix->from_string("*.uk\n*"); + + # load from file or file handle + $ps = IO::Socket::SSL::PublicSuffix->from_file($filename); + $ps = IO::Socket::SSL::PublicSuffix->from_file(\*STDIN); + + + # --- string in -> string out + # $rest -> whatever.host + # $tld -> co.uk + my ($rest,$tld) = $ps->public_suffix('whatever.host.co.uk'); + my $tld = $ps->public_suffix('whatever.host.co.uk'); + + # $root_domain -> host.co.uk + my $root_domain = $ps->public_suffix('whatever.host.co.uk', 1); + + # --- array in -> array out + # $rest -> [qw(whatever host)] + # $tld -> [qw(co uk)] + my ($rest,$tld) = $ps->public_suffix([qw(whatever host co uk)]); + + ---- + + # To update this file with the current list: + perl -MIO::Socket::SSL::PublicSuffix -e 'IO::Socket::SSL::PublicSuffix::update_self_from_url()' + + + +=head1 DESCRIPTION + +This module uses the list of effective top level domain names from the mozilla +project to determine the public top level domain for a given hostname. + +=head2 Method + +=over 4 + +=item class->default(%args) + +Returns object with builtin default. +C can be given in C<%args> to specify the minimal suffix, default +is 1. + +=item class->from_string(string,%args) + +Returns object with configuration from string. +See method C for C<%args>. + +=item class->from_file( file name| file handle, %args ) + +Returns object with configuration from file or file handle. +See method C for C<%args>. 
+ +=item $self->public_suffix( $host|\@host, [ $add ] ) + +In array context the function returns the non-tld part and the tld part of the +given hostname, in scalar context only the tld part. +It adds C<$add> parts of the non-tld part to the tld, e.g. with C<$add=1> it +will return the root domain. + +If there were no explicit matches against the public suffix configuration it +will fall back to a suffix of length 1. + +The function accepts a string or an array-ref (e.g. host split by C<.>). In the +first case it will return string(s), in the latter case array-ref(s). + +International hostnames or labels can be in ASCII (IDNA form starting with +C) or unicode. In the latter case an IDNA handling library needs to be +available. L is preferred, but L, L are +still supported. + +=item ($self|class)->can_idn + +Returns true if IDN support is available. + +=back + +=head1 FILES + +http://publicsuffix.org/list/effective_tld_names.dat + +=head1 SEE ALSO + +Domain::PublicSuffix, Mozilla::PublicSuffix + +=head1 BUGS + + Q: Why yet another module, we already have L and + L. + A: Because the public suffix data change more often than these modules do, + IO::Socket::SSL needs this list and it is more easy this way to keep it + up-to-date. 
+
+
+=head1 AUTHOR
+
+Steffen Ullrich
+
+=cut
+
+
+BEGIN {
+ if ( eval {
+ require URI::_idna;
+ defined &URI::_idna::encode && defined &URI::_idna::decode
+ }) {
+ *idn_to_ascii = \&URI::_idna::encode;
+ *idn_to_unicode = \&URI::_idna::decode;
+ *can_idn = sub { 1 };
+ } elsif ( eval { require Net::IDN::Encode } ) {
+ *idn_to_ascii = \&Net::IDN::Encode::domain_to_ascii;
+ *idn_to_unicode = \&Net::IDN::Encode::domain_to_unicode;
+ *can_idn = sub { 1 };
+ } elsif ( eval { require Net::LibIDN; require Encode } ) {
+ # Net::LibIDN does not use utf-8 flag and expects raw data
+ *idn_to_ascii = sub {
+ Net::LibIDN::idn_to_ascii(Encode::encode('utf-8',$_[0]),'utf-8');
+ },
+ *idn_to_unicode = sub {
+ Encode::decode('utf-8',Net::LibIDN::idn_to_unicode($_[0],'utf-8'));
+ },
+ *can_idn = sub { 1 };
+ } else {
+ *idn_to_ascii = sub { croak "idn_to_ascii(@_) - no IDNA library installed" };
+ *idn_to_unicode = sub { croak "idn_to_unicode(@_) - no IDNA library installed" };
+ *can_idn = sub { 0 };
+ }
+}
+
+{
+ my %default;
+ sub default {
+ my (undef,%args) = @_;
+ my $min_suffix = delete $args{min_suffix};
+ $min_suffix = 1 if ! defined $min_suffix;
+ %args and die "unknown args: ".join(" ",sort keys %args);
+ return $default{$min_suffix} ||= shift->from_string(_default_data(),
+ min_suffix => $min_suffix);
+ }
+}
+
+sub from_string {
+ my $class = shift;
+ my $data = shift;
+ open( my $fh,'<', \$data );
+ return $class->from_file($fh,@_);
+}
+
+sub from_file {
+ my ($class,$file,%args) = @_;
+ my $min_suffix = delete $args{min_suffix};
+ $min_suffix = 1 if ! defined $min_suffix;
+ %args and die "unknown args: ".join(" ",sort keys %args);
+
+ my $fh;
+ if ( ref($file)) {
+ $fh = $file
+ } elsif ( ! 
open($fh,'<',$file)) {
+ die "failed to open $file: $!";
+ }
+ my %tree;
+ local $/ = "\n";
+ while ( my $line = <$fh>) {
+ $line =~s{//.*}{};
+ $line =~s{\s+$}{};
+ $line eq '' and next;
+ my $p = \%tree;
+ $line = idn_to_ascii($line) if $line !~m{\A[\x00-\x7f]*\Z};
+ my $not = $line =~s{^!}{};
+ my @path = split(m{\.},$line);
+ for(reverse @path) {
+ $p = $p->{$_} ||= {}
+ }
+ $p->{'\0'} = $not ? -1:1;
+ }
+ return bless {
+ tree => \%tree,
+ min_suffix => $min_suffix
+ },$class;
+}
+
+
+sub public_suffix {
+ my ($self,$name,$add) = @_;
+ my $want; # [a]rray, [s]tring, [u]nicode-string
+ if ( ref($name)) {
+ $want = 'a';
+ $name = [ @$name ]; # don't change input
+ } else {
+ return if ! defined $name;
+ if ( $name !~m{\A[\x00-\x7f]*\Z} ) {
+ $name = idn_to_ascii($name);
+ $want = 'u';
+ } else {
+ $want = 's';
+ }
+ $name = lc($name);
+ $name =~s{\.$}{};
+ $name = [ $name =~m{([^.]+)}g ];
+ }
+ @$name or return;
+ $_ = lc($_) for(@$name);
+
+ my (%wild,%host,%xcept,@stack,$choices);
+ my $p = $self->{tree};
+ for( my $i=0; $i<@$name; $i++ ) {
+ $choices = [];
+ if ( my $px = $p->{ $name->[$#$name-$i] } ) {
+ # name match, continue with next path element
+ push @$choices,$px;
+ if ( my $end = $px->{'\0'} ) {
+ ( $end>0 ? \%host : \%xcept )->{$i+1} = $end;
+ }
+ }
+ if ( my $px = $p->{'*'} ) {
+ # wildcard match, continue with next path element
+ push @$choices,$px;
+ if ( my $end = $px->{'\0'} ) {
+ ( $end>0 ? 
\%wild : \%xcept )->{$i+1} = $end;
+ }
+ }
+
+
+ next_choice:
+ if ( @$choices ) {
+ $p = shift(@$choices);
+ push @stack, [ $choices, $i ] if @$choices;
+ next; # go deeper
+ }
+
+ # backtrack
+ @stack or last;
+ ($choices,$i) = @{ pop(@stack) };
+ goto next_choice;
+ }
+
+ #warn Dumper([\%wild,\%host,\%xcept]); use Data::Dumper;
+
+
+ # remove all exceptions from wildcards
+ delete @wild{ keys %xcept } if %xcept;
+ # get longest match
+ my ($len) = sort { $b <=> $a } (
+ keys(%wild), keys(%host), map { $_-1 } keys(%xcept));
+ # if we have no matches use a minimum of min_suffix
+ $len = $self->{min_suffix} if ! defined $len;
+ $len += $add if $add;
+ my $suffix;
+ if ( $len < @$name ) {
+ $suffix = [ splice( @$name, -$len, $len ) ];
+ } elsif ( $len > 0 ) {
+ $suffix = $name;
+ $name = []
+ } else {
+ $suffix = []
+ }
+
+ if ( $want ne 'a' ) {
+ $suffix = join('.',@$suffix);
+ $name = join('.',@$name);
+ if ( $want eq 'u' ) {
+ $suffix = idn_to_unicode($suffix);
+ $name = idn_to_unicode($name);
+ }
+ }
+
+ return wantarray ? ($name,$suffix):$suffix;
+}
+
+
+{
+ my $data;
+ sub _default_data {
+ if ( ! defined $data ) {
+ $data = _builtin_data();
+ $data =~s{^// ===END ICANN DOMAINS.*}{}ms
+ or die "cannot find END ICANN DOMAINS";
+ }
+ return $data;
+ }
+}
+
+sub update_self_from_url {
+ my $url = shift || URL();
+ my $dst = __FILE__;
+ -w $dst or die "cannot write $dst";
+ open( my $fh,'<',$dst ) or die "open $dst: $!";
+ my $code = '';
+ local $/ = "\n";
+ while (<$fh>) {
+ $code .= $_;
+ m{<<\'END_BUILTIN_DATA\'} and last;
+ }
+ my $tail;
+ while (<$fh>) {
+ m{\AEND_BUILTIN_DATA\r?\n} or next;
+ $tail = $_;
+ last;
+ }
+ $tail .= do { local $/; <$fh> };
+ close($fh);
+
+ require LWP::UserAgent;
+ my $resp = LWP::UserAgent->new->get($url)
+ or die "no response from $url";
+ die "no success url=$url code=".$resp->code." ".$resp->message
+ if ! 
$resp->is_success;
+ my $content = $resp->decoded_content;
+ while ( $content =~m{(.*\n)}g ) {
+ my $line = $1;
+ if ( $line =~m{\S} && $line !~m{\A\s*//} ) {
+ $line =~s{//.*}{};
+ $line =~s{\s+$}{};
+ $line eq '' and next;
+ if ( $line !~m{\A[\x00-\x7f]+\Z} ) {
+ $line = idn_to_ascii($line);
+ }
+ $code .= "$line\n";
+ } else {
+ $code .= "$line";
+ }
+ }
+
+ open( $fh,'>:utf8',$dst ) or die "open $dst: $!";
+ print $fh $code.$tail;
+}
+
+sub _builtin_data { return <<'END_BUILTIN_DATA' }
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// Please pull this list from, and only from https://publicsuffix.org/list/public_suffix_list.dat,
+// rather than any other VCS sites. Pulling from any other URL is not guaranteed to be supported.
+
+// Instructions on pulling and using this list can be found at https://publicsuffix.org/list/.
+
+// ===BEGIN ICANN DOMAINS===
+
+// ac : http://nic.ac/rules.htm
+ac
+com.ac
+edu.ac
+gov.ac
+net.ac
+mil.ac
+org.ac
+
+// ad : https://en.wikipedia.org/wiki/.ad
+ad
+nom.ad
+
+// ae : https://tdra.gov.ae/en/aeda/ae-policies
+ae
+co.ae
+net.ae
+org.ae
+sch.ae
+ac.ae
+gov.ae
+mil.ae
+
+// aero : see https://www.information.aero/index.php?id=66
+aero
+accident-investigation.aero
+accident-prevention.aero
+aerobatic.aero
+aeroclub.aero
+aerodrome.aero
+agents.aero
+aircraft.aero
+airline.aero
+airport.aero
+air-surveillance.aero
+airtraffic.aero
+air-traffic-control.aero
+ambulance.aero
+amusement.aero
+association.aero
+author.aero
+ballooning.aero
+broker.aero
+caa.aero
+cargo.aero
+catering.aero
+certification.aero
+championship.aero
+charter.aero
+civilaviation.aero
+club.aero
+conference.aero
+consultant.aero
+consulting.aero
+control.aero
+council.aero
+crew.aero
+design.aero
+dgca.aero
+educator.aero
+emergency.aero
+engine.aero
+engineer.aero
+entertainment.aero
+equipment.aero
+exchange.aero +express.aero +federation.aero +flight.aero +fuel.aero +gliding.aero +government.aero +groundhandling.aero +group.aero +hanggliding.aero +homebuilt.aero +insurance.aero +journal.aero +journalist.aero +leasing.aero +logistics.aero +magazine.aero +maintenance.aero +media.aero +microlight.aero +modelling.aero +navigation.aero +parachuting.aero +paragliding.aero +passenger-association.aero +pilot.aero +press.aero +production.aero +recreation.aero +repbody.aero +res.aero +research.aero +rotorcraft.aero +safety.aero +scientist.aero +services.aero +show.aero +skydiving.aero +software.aero +student.aero +trader.aero +trading.aero +trainer.aero +union.aero +workinggroup.aero +works.aero + +// af : http://www.nic.af/help.jsp +af +gov.af +com.af +org.af +net.af +edu.af + +// ag : http://www.nic.ag/prices.htm +ag +com.ag +org.ag +net.ag +co.ag +nom.ag + +// ai : http://nic.com.ai/ +ai +off.ai +com.ai +net.ai +org.ai + +// al : http://www.ert.gov.al/ert_alb/faq_det.html?Id=31 +al +com.al +edu.al +gov.al +mil.al +net.al +org.al + +// am : https://www.amnic.net/policy/en/Policy_EN.pdf +am +co.am +com.am +commune.am +net.am +org.am + +// ao : https://en.wikipedia.org/wiki/.ao +// http://www.dns.ao/REGISTR.DOC +ao +ed.ao +gv.ao +og.ao +co.ao +pb.ao +it.ao + +// aq : https://en.wikipedia.org/wiki/.aq +aq + +// ar : https://nic.ar/es/nic-argentina/normativa +ar +bet.ar +com.ar +coop.ar +edu.ar +gob.ar +gov.ar +int.ar +mil.ar +musica.ar +mutual.ar +net.ar +org.ar +senasa.ar +tur.ar + +// arpa : https://en.wikipedia.org/wiki/.arpa +// Confirmed by registry 2008-06-18 +arpa +e164.arpa +in-addr.arpa +ip6.arpa +iris.arpa +uri.arpa +urn.arpa + +// as : https://en.wikipedia.org/wiki/.as +as +gov.as + +// asia : https://en.wikipedia.org/wiki/.asia +asia + +// at : https://en.wikipedia.org/wiki/.at +// Confirmed by registry 2008-06-17 +at +ac.at +co.at +gv.at +or.at +sth.ac.at + +// au : https://en.wikipedia.org/wiki/.au +// http://www.auda.org.au/ +au +// 2LDs +com.au +net.au 
+org.au +edu.au +gov.au +asn.au +id.au +// Historic 2LDs (closed to new registration, but sites still exist) +info.au +conf.au +oz.au +// CGDNs - http://www.cgdn.org.au/ +act.au +nsw.au +nt.au +qld.au +sa.au +tas.au +vic.au +wa.au +// 3LDs +act.edu.au +catholic.edu.au +// eq.edu.au - Removed at the request of the Queensland Department of Education +nsw.edu.au +nt.edu.au +qld.edu.au +sa.edu.au +tas.edu.au +vic.edu.au +wa.edu.au +// act.gov.au Bug 984824 - Removed at request of Greg Tankard +// nsw.gov.au Bug 547985 - Removed at request of +// nt.gov.au Bug 940478 - Removed at request of Greg Connors +qld.gov.au +sa.gov.au +tas.gov.au +vic.gov.au +wa.gov.au +// 4LDs +// education.tas.edu.au - Removed at the request of the Department of Education Tasmania +schools.nsw.edu.au + +// aw : https://en.wikipedia.org/wiki/.aw +aw +com.aw + +// ax : https://en.wikipedia.org/wiki/.ax +ax + +// az : https://en.wikipedia.org/wiki/.az +az +com.az +net.az +int.az +gov.az +org.az +edu.az +info.az +pp.az +mil.az +name.az +pro.az +biz.az + +// ba : http://nic.ba/users_data/files/pravilnik_o_registraciji.pdf +ba +com.ba +edu.ba +gov.ba +mil.ba +net.ba +org.ba + +// bb : https://en.wikipedia.org/wiki/.bb +bb +biz.bb +co.bb +com.bb +edu.bb +gov.bb +info.bb +net.bb +org.bb +store.bb +tv.bb + +// bd : https://en.wikipedia.org/wiki/.bd +*.bd + +// be : https://en.wikipedia.org/wiki/.be +// Confirmed by registry 2008-06-08 +be +ac.be + +// bf : https://en.wikipedia.org/wiki/.bf +bf +gov.bf + +// bg : https://en.wikipedia.org/wiki/.bg +// https://www.register.bg/user/static/rules/en/index.html +bg +a.bg +b.bg +c.bg +d.bg +e.bg +f.bg +g.bg +h.bg +i.bg +j.bg +k.bg +l.bg +m.bg +n.bg +o.bg +p.bg +q.bg +r.bg +s.bg +t.bg +u.bg +v.bg +w.bg +x.bg +y.bg +z.bg +0.bg +1.bg +2.bg +3.bg +4.bg +5.bg +6.bg +7.bg +8.bg +9.bg + +// bh : https://en.wikipedia.org/wiki/.bh +bh +com.bh +edu.bh +net.bh +org.bh +gov.bh + +// bi : https://en.wikipedia.org/wiki/.bi +// http://whois.nic.bi/ +bi +co.bi +com.bi +edu.bi 
+or.bi +org.bi + +// biz : https://en.wikipedia.org/wiki/.biz +biz + +// bj : https://en.wikipedia.org/wiki/.bj +bj +asso.bj +barreau.bj +gouv.bj + +// bm : http://www.bermudanic.bm/dnr-text.txt +bm +com.bm +edu.bm +gov.bm +net.bm +org.bm + +// bn : http://www.bnnic.bn/faqs +bn +com.bn +edu.bn +gov.bn +net.bn +org.bn + +// bo : https://nic.bo/delegacion2015.php#h-1.10 +bo +com.bo +edu.bo +gob.bo +int.bo +org.bo +net.bo +mil.bo +tv.bo +web.bo +// Social Domains +academia.bo +agro.bo +arte.bo +blog.bo +bolivia.bo +ciencia.bo +cooperativa.bo +democracia.bo +deporte.bo +ecologia.bo +economia.bo +empresa.bo +indigena.bo +industria.bo +info.bo +medicina.bo +movimiento.bo +musica.bo +natural.bo +nombre.bo +noticias.bo +patria.bo +politica.bo +profesional.bo +plurinacional.bo +pueblo.bo +revista.bo +salud.bo +tecnologia.bo +tksat.bo +transporte.bo +wiki.bo + +// br : http://registro.br/dominio/categoria.html +// Submitted by registry +br +9guacu.br +abc.br +adm.br +adv.br +agr.br +aju.br +am.br +anani.br +aparecida.br +app.br +arq.br +art.br +ato.br +b.br +barueri.br +belem.br +bhz.br +bib.br +bio.br +blog.br +bmd.br +boavista.br +bsb.br +campinagrande.br +campinas.br +caxias.br +cim.br +cng.br +cnt.br +com.br +contagem.br +coop.br +coz.br +cri.br +cuiaba.br +curitiba.br +def.br +des.br +det.br +dev.br +ecn.br +eco.br +edu.br +emp.br +enf.br +eng.br +esp.br +etc.br +eti.br +far.br +feira.br +flog.br +floripa.br +fm.br +fnd.br +fortal.br +fot.br +foz.br +fst.br +g12.br +geo.br +ggf.br +goiania.br +gov.br +// gov.br 26 states + df https://en.wikipedia.org/wiki/States_of_Brazil +ac.gov.br +al.gov.br +am.gov.br +ap.gov.br +ba.gov.br +ce.gov.br +df.gov.br +es.gov.br +go.gov.br +ma.gov.br +mg.gov.br +ms.gov.br +mt.gov.br +pa.gov.br +pb.gov.br +pe.gov.br +pi.gov.br +pr.gov.br +rj.gov.br +rn.gov.br +ro.gov.br +rr.gov.br +rs.gov.br +sc.gov.br +se.gov.br +sp.gov.br +to.gov.br +gru.br +imb.br +ind.br +inf.br +jab.br +jampa.br +jdf.br +joinville.br +jor.br +jus.br +leg.br +lel.br 
+log.br +londrina.br +macapa.br +maceio.br +manaus.br +maringa.br +mat.br +med.br +mil.br +morena.br +mp.br +mus.br +natal.br +net.br +niteroi.br +*.nom.br +not.br +ntr.br +odo.br +ong.br +org.br +osasco.br +palmas.br +poa.br +ppg.br +pro.br +psc.br +psi.br +pvh.br +qsl.br +radio.br +rec.br +recife.br +rep.br +ribeirao.br +rio.br +riobranco.br +riopreto.br +salvador.br +sampa.br +santamaria.br +santoandre.br +saobernardo.br +saogonca.br +seg.br +sjc.br +slg.br +slz.br +sorocaba.br +srv.br +taxi.br +tc.br +tec.br +teo.br +the.br +tmp.br +trd.br +tur.br +tv.br +udi.br +vet.br +vix.br +vlog.br +wiki.br +zlg.br + +// bs : http://www.nic.bs/rules.html +bs +com.bs +net.bs +org.bs +edu.bs +gov.bs + +// bt : https://en.wikipedia.org/wiki/.bt +bt +com.bt +edu.bt +gov.bt +net.bt +org.bt + +// bv : No registrations at this time. +// Submitted by registry +bv + +// bw : https://en.wikipedia.org/wiki/.bw +// http://www.gobin.info/domainname/bw.doc +// list of other 2nd level tlds ? +bw +co.bw +org.bw + +// by : https://en.wikipedia.org/wiki/.by +// http://tld.by/rules_2006_en.html +// list of other 2nd level tlds ? +by +gov.by +mil.by +// Official information does not indicate that com.by is a reserved +// second-level domain, but it's being used as one (see www.google.com.by and +// www.yahoo.com.by, for example), so we list it here for safety's sake. 
+com.by + +// http://hoster.by/ +of.by + +// bz : https://en.wikipedia.org/wiki/.bz +// http://www.belizenic.bz/ +bz +com.bz +net.bz +org.bz +edu.bz +gov.bz + +// ca : https://en.wikipedia.org/wiki/.ca +ca +// ca geographical names +ab.ca +bc.ca +mb.ca +nb.ca +nf.ca +nl.ca +ns.ca +nt.ca +nu.ca +on.ca +pe.ca +qc.ca +sk.ca +yk.ca +// gc.ca: https://en.wikipedia.org/wiki/.gc.ca +// see also: http://registry.gc.ca/en/SubdomainFAQ +gc.ca + +// cat : https://en.wikipedia.org/wiki/.cat +cat + +// cc : https://en.wikipedia.org/wiki/.cc +cc + +// cd : https://en.wikipedia.org/wiki/.cd +// see also: https://www.nic.cd/domain/insertDomain_2.jsp?act=1 +cd +gov.cd + +// cf : https://en.wikipedia.org/wiki/.cf +cf + +// cg : https://en.wikipedia.org/wiki/.cg +cg + +// ch : https://en.wikipedia.org/wiki/.ch +ch + +// ci : https://en.wikipedia.org/wiki/.ci +// http://www.nic.ci/index.php?page=charte +ci +org.ci +or.ci +com.ci +co.ci +edu.ci +ed.ci +ac.ci +net.ci +go.ci +asso.ci +xn--aroport-bya.ci +int.ci +presse.ci +md.ci +gouv.ci + +// ck : https://en.wikipedia.org/wiki/.ck +*.ck +!www.ck + +// cl : https://www.nic.cl +// Confirmed by .CL registry +cl +co.cl +gob.cl +gov.cl +mil.cl + +// cm : https://en.wikipedia.org/wiki/.cm plus bug 981927 +cm +co.cm +com.cm +gov.cm +net.cm + +// cn : https://en.wikipedia.org/wiki/.cn +// Submitted by registry +cn +ac.cn +com.cn +edu.cn +gov.cn +net.cn +org.cn +mil.cn +xn--55qx5d.cn +xn--io0a7i.cn +xn--od0alg.cn +// cn geographic names +ah.cn +bj.cn +cq.cn +fj.cn +gd.cn +gs.cn +gz.cn +gx.cn +ha.cn +hb.cn +he.cn +hi.cn +hl.cn +hn.cn +jl.cn +js.cn +jx.cn +ln.cn +nm.cn +nx.cn +qh.cn +sc.cn +sd.cn +sh.cn +sn.cn +sx.cn +tj.cn +xj.cn +xz.cn +yn.cn +zj.cn +hk.cn +mo.cn +tw.cn + +// co : https://en.wikipedia.org/wiki/.co +// Submitted by registry +co +arts.co +com.co +edu.co +firm.co +gov.co +info.co +int.co +mil.co +net.co +nom.co +org.co +rec.co +web.co + +// com : https://en.wikipedia.org/wiki/.com +com + +// coop : 
https://en.wikipedia.org/wiki/.coop +coop + +// cr : http://www.nic.cr/niccr_publico/showRegistroDominiosScreen.do +cr +ac.cr +co.cr +ed.cr +fi.cr +go.cr +or.cr +sa.cr + +// cu : https://en.wikipedia.org/wiki/.cu +cu +com.cu +edu.cu +org.cu +net.cu +gov.cu +inf.cu + +// cv : https://en.wikipedia.org/wiki/.cv +// cv : http://www.dns.cv/tldcv_portal/do?com=DS;5446457100;111;+PAGE(4000018)+K-CAT-CODIGO(RDOM)+RCNT(100); <- registration rules +cv +com.cv +edu.cv +int.cv +nome.cv +org.cv + +// cw : http://www.una.cw/cw_registry/ +// Confirmed by registry 2013-03-26 +cw +com.cw +edu.cw +net.cw +org.cw + +// cx : https://en.wikipedia.org/wiki/.cx +// list of other 2nd level tlds ? +cx +gov.cx + +// cy : http://www.nic.cy/ +// Submitted by registry Panayiotou Fotia +// namespace policies URL https://www.nic.cy/portal//sites/default/files/symfonia_gia_eggrafi.pdf +cy +ac.cy +biz.cy +com.cy +ekloges.cy +gov.cy +ltd.cy +mil.cy +net.cy +org.cy +press.cy +pro.cy +tm.cy + +// cz : https://en.wikipedia.org/wiki/.cz +cz + +// de : https://en.wikipedia.org/wiki/.de +// Confirmed by registry (with technical +// reservations) 2008-07-01 +de + +// dj : https://en.wikipedia.org/wiki/.dj +dj + +// dk : https://en.wikipedia.org/wiki/.dk +// Confirmed by registry 2008-06-17 +dk + +// dm : https://en.wikipedia.org/wiki/.dm +dm +com.dm +net.dm +org.dm +edu.dm +gov.dm + +// do : https://en.wikipedia.org/wiki/.do +do +art.do +com.do +edu.do +gob.do +gov.do +mil.do +net.do +org.do +sld.do +web.do + +// dz : http://www.nic.dz/images/pdf_nic/charte.pdf +dz +art.dz +asso.dz +com.dz +edu.dz +gov.dz +org.dz +net.dz +pol.dz +soc.dz +tm.dz + +// ec : http://www.nic.ec/reg/paso1.asp +// Submitted by registry +ec +com.ec +info.ec +net.ec +fin.ec +k12.ec +med.ec +pro.ec +org.ec +edu.ec +gov.ec +gob.ec +mil.ec + +// edu : https://en.wikipedia.org/wiki/.edu +edu + +// ee : http://www.eenet.ee/EENet/dom_reeglid.html#lisa_B +ee +edu.ee +gov.ee +riik.ee +lib.ee +med.ee +com.ee +pri.ee +aip.ee +org.ee +fie.ee 
+ +// eg : https://en.wikipedia.org/wiki/.eg +eg +com.eg +edu.eg +eun.eg +gov.eg +mil.eg +name.eg +net.eg +org.eg +sci.eg + +// er : https://en.wikipedia.org/wiki/.er +*.er + +// es : https://www.nic.es/site_ingles/ingles/dominios/index.html +es +com.es +nom.es +org.es +gob.es +edu.es + +// et : https://en.wikipedia.org/wiki/.et +et +com.et +gov.et +org.et +edu.et +biz.et +name.et +info.et +net.et + +// eu : https://en.wikipedia.org/wiki/.eu +eu + +// fi : https://en.wikipedia.org/wiki/.fi +fi +// aland.fi : https://en.wikipedia.org/wiki/.ax +// This domain is being phased out in favor of .ax. As there are still many +// domains under aland.fi, we still keep it on the list until aland.fi is +// completely removed. +// TODO: Check for updates (expected to be phased out around Q1/2009) +aland.fi + +// fj : http://domains.fj/ +// Submitted by registry 2020-02-11 +fj +ac.fj +biz.fj +com.fj +gov.fj +info.fj +mil.fj +name.fj +net.fj +org.fj +pro.fj + +// fk : https://en.wikipedia.org/wiki/.fk +*.fk + +// fm : https://en.wikipedia.org/wiki/.fm +com.fm +edu.fm +net.fm +org.fm +fm + +// fo : https://en.wikipedia.org/wiki/.fo +fo + +// fr : http://www.afnic.fr/ +// domaines descriptifs : https://www.afnic.fr/medias/documents/Cadre_legal/Afnic_Naming_Policy_12122016_VEN.pdf +fr +asso.fr +com.fr +gouv.fr +nom.fr +prd.fr +tm.fr +// domaines sectoriels : https://www.afnic.fr/en/products-and-services/the-fr-tld/sector-based-fr-domains-4.html +aeroport.fr +avocat.fr +avoues.fr +cci.fr +chambagri.fr +chirurgiens-dentistes.fr +experts-comptables.fr +geometre-expert.fr +greta.fr +huissier-justice.fr +medecin.fr +notaires.fr +pharmacien.fr +port.fr +veterinaire.fr + +// ga : https://en.wikipedia.org/wiki/.ga +ga + +// gb : This registry is effectively dormant +// Submitted by registry +gb + +// gd : https://en.wikipedia.org/wiki/.gd +edu.gd +gov.gd +gd + +// ge : http://www.nic.net.ge/policy_en.pdf +ge +com.ge +edu.ge +gov.ge +org.ge +mil.ge +net.ge +pvt.ge + +// gf : 
https://en.wikipedia.org/wiki/.gf +gf + +// gg : http://www.channelisles.net/register-domains/ +// Confirmed by registry 2013-11-28 +gg +co.gg +net.gg +org.gg + +// gh : https://en.wikipedia.org/wiki/.gh +// see also: http://www.nic.gh/reg_now.php +// Although domains directly at second level are not possible at the moment, +// they have been possible for some time and may come back. +gh +com.gh +edu.gh +gov.gh +org.gh +mil.gh + +// gi : http://www.nic.gi/rules.html +gi +com.gi +ltd.gi +gov.gi +mod.gi +edu.gi +org.gi + +// gl : https://en.wikipedia.org/wiki/.gl +// http://nic.gl +gl +co.gl +com.gl +edu.gl +net.gl +org.gl + +// gm : http://www.nic.gm/htmlpages%5Cgm-policy.htm +gm + +// gn : http://psg.com/dns/gn/gn.txt +// Submitted by registry +gn +ac.gn +com.gn +edu.gn +gov.gn +org.gn +net.gn + +// gov : https://en.wikipedia.org/wiki/.gov +gov + +// gp : http://www.nic.gp/index.php?lang=en +gp +com.gp +net.gp +mobi.gp +edu.gp +org.gp +asso.gp + +// gq : https://en.wikipedia.org/wiki/.gq +gq + +// gr : https://grweb.ics.forth.gr/english/1617-B-2005.html +// Submitted by registry +gr +com.gr +edu.gr +net.gr +org.gr +gov.gr + +// gs : https://en.wikipedia.org/wiki/.gs +gs + +// gt : https://www.gt/sitio/registration_policy.php?lang=en +gt +com.gt +edu.gt +gob.gt +ind.gt +mil.gt +net.gt +org.gt + +// gu : http://gadao.gov.gu/register.html +// University of Guam : https://www.uog.edu +// Submitted by uognoc@triton.uog.edu +gu +com.gu +edu.gu +gov.gu +guam.gu +info.gu +net.gu +org.gu +web.gu + +// gw : https://en.wikipedia.org/wiki/.gw +// gw : https://nic.gw/regras/ +gw + +// gy : https://en.wikipedia.org/wiki/.gy +// http://registry.gy/ +gy +co.gy +com.gy +edu.gy +gov.gy +net.gy +org.gy + +// hk : https://www.hkirc.hk +// Submitted by registry +hk +com.hk +edu.hk +gov.hk +idv.hk +net.hk +org.hk +xn--55qx5d.hk +xn--wcvs22d.hk +xn--lcvr32d.hk +xn--mxtq1m.hk +xn--gmqw5a.hk +xn--ciqpn.hk +xn--gmq050i.hk +xn--zf0avx.hk +xn--io0a7i.hk +xn--mk0axi.hk +xn--od0alg.hk 
+xn--od0aq3b.hk +xn--tn0ag.hk +xn--uc0atv.hk +xn--uc0ay4a.hk + +// hm : https://en.wikipedia.org/wiki/.hm +hm + +// hn : http://www.nic.hn/politicas/ps02,,05.html +hn +com.hn +edu.hn +org.hn +net.hn +mil.hn +gob.hn + +// hr : http://www.dns.hr/documents/pdf/HRTLD-regulations.pdf +hr +iz.hr +from.hr +name.hr +com.hr + +// ht : http://www.nic.ht/info/charte.cfm +ht +com.ht +shop.ht +firm.ht +info.ht +adult.ht +net.ht +pro.ht +org.ht +med.ht +art.ht +coop.ht +pol.ht +asso.ht +edu.ht +rel.ht +gouv.ht +perso.ht + +// hu : http://www.domain.hu/domain/English/sld.html +// Confirmed by registry 2008-06-12 +hu +co.hu +info.hu +org.hu +priv.hu +sport.hu +tm.hu +2000.hu +agrar.hu +bolt.hu +casino.hu +city.hu +erotica.hu +erotika.hu +film.hu +forum.hu +games.hu +hotel.hu +ingatlan.hu +jogasz.hu +konyvelo.hu +lakas.hu +media.hu +news.hu +reklam.hu +sex.hu +shop.hu +suli.hu +szex.hu +tozsde.hu +utazas.hu +video.hu + +// id : https://pandi.id/en/domain/registration-requirements/ +id +ac.id +biz.id +co.id +desa.id +go.id +mil.id +my.id +net.id +or.id +ponpes.id +sch.id +web.id + +// ie : https://en.wikipedia.org/wiki/.ie +ie +gov.ie + +// il : http://www.isoc.org.il/domains/ +// see also: https://en.isoc.org.il/il-cctld/registration-rules +// ISOC-IL (operated by .il Registry) +il +ac.il +co.il +gov.il +idf.il +k12.il +muni.il +net.il +org.il +// xn--4dbrk0ce ("Israel", Hebrew) : IL +xn--4dbrk0ce +// xn--4dbgdty6c.xn--4dbrk0ce. +xn--4dbgdty6c.xn--4dbrk0ce +// xn--5dbhl8d.xn--4dbrk0ce. +xn--5dbhl8d.xn--4dbrk0ce +// xn--8dbq2a.xn--4dbrk0ce. +xn--8dbq2a.xn--4dbrk0ce +// xn--hebda8b.xn--4dbrk0ce. +xn--hebda8b.xn--4dbrk0ce + +// im : https://www.nic.im/ +// Submitted by registry +im +ac.im +co.im +com.im +ltd.co.im +net.im +org.im +plc.co.im +tt.im +tv.im + +// in : https://en.wikipedia.org/wiki/.in +// see also: https://registry.in/policies +// Please note, that nic.in is not an official eTLD, but used by most +// government institutions. 
+in +5g.in +6g.in +ac.in +ai.in +am.in +bihar.in +biz.in +business.in +ca.in +cn.in +co.in +com.in +coop.in +cs.in +delhi.in +dr.in +edu.in +er.in +firm.in +gen.in +gov.in +gujarat.in +ind.in +info.in +int.in +internet.in +io.in +me.in +mil.in +net.in +nic.in +org.in +pg.in +post.in +pro.in +res.in +travel.in +tv.in +uk.in +up.in +us.in + +// info : https://en.wikipedia.org/wiki/.info +info + +// int : https://en.wikipedia.org/wiki/.int +// Confirmed by registry 2008-06-18 +int +eu.int + +// io : http://www.nic.io/rules.htm +// list of other 2nd level tlds ? +io +com.io + +// iq : http://www.cmc.iq/english/iq/iqregister1.htm +iq +gov.iq +edu.iq +mil.iq +com.iq +org.iq +net.iq + +// ir : http://www.nic.ir/Terms_and_Conditions_ir,_Appendix_1_Domain_Rules +// Also see http://www.nic.ir/Internationalized_Domain_Names +// Two .ir entries added at request of , 2010-04-16 +ir +ac.ir +co.ir +gov.ir +id.ir +net.ir +org.ir +sch.ir +// xn--mgba3a4f16a.ir (.ir, Persian YEH) +xn--mgba3a4f16a.ir +// xn--mgba3a4fra.ir (.ir, Arabic YEH) +xn--mgba3a4fra.ir + +// is : http://www.isnic.is/domain/rules.php +// Confirmed by registry 2008-12-06 +is +net.is +com.is +edu.is +gov.is +org.is +int.is + +// it : https://en.wikipedia.org/wiki/.it +it +gov.it +edu.it +// Reserved geo-names (regions and provinces): +// https://www.nic.it/sites/default/files/archivio/docs/Regulation_assignation_v7.1.pdf +// Regions +abr.it +abruzzo.it +aosta-valley.it +aostavalley.it +bas.it +basilicata.it +cal.it +calabria.it +cam.it +campania.it +emilia-romagna.it +emiliaromagna.it +emr.it +friuli-v-giulia.it +friuli-ve-giulia.it +friuli-vegiulia.it +friuli-venezia-giulia.it +friuli-veneziagiulia.it +friuli-vgiulia.it +friuliv-giulia.it +friulive-giulia.it +friulivegiulia.it +friulivenezia-giulia.it +friuliveneziagiulia.it +friulivgiulia.it +fvg.it +laz.it +lazio.it +lig.it +liguria.it +lom.it +lombardia.it +lombardy.it +lucania.it +mar.it +marche.it +mol.it +molise.it +piedmont.it +piemonte.it +pmn.it +pug.it 
+puglia.it +sar.it +sardegna.it +sardinia.it +sic.it +sicilia.it +sicily.it +taa.it +tos.it +toscana.it +trentin-sud-tirol.it +xn--trentin-sd-tirol-rzb.it +trentin-sudtirol.it +xn--trentin-sdtirol-7vb.it +trentin-sued-tirol.it +trentin-suedtirol.it +trentino-a-adige.it +trentino-aadige.it +trentino-alto-adige.it +trentino-altoadige.it +trentino-s-tirol.it +trentino-stirol.it +trentino-sud-tirol.it +xn--trentino-sd-tirol-c3b.it +trentino-sudtirol.it +xn--trentino-sdtirol-szb.it +trentino-sued-tirol.it +trentino-suedtirol.it +trentino.it +trentinoa-adige.it +trentinoaadige.it +trentinoalto-adige.it +trentinoaltoadige.it +trentinos-tirol.it +trentinostirol.it +trentinosud-tirol.it +xn--trentinosd-tirol-rzb.it +trentinosudtirol.it +xn--trentinosdtirol-7vb.it +trentinosued-tirol.it +trentinosuedtirol.it +trentinsud-tirol.it +xn--trentinsd-tirol-6vb.it +trentinsudtirol.it +xn--trentinsdtirol-nsb.it +trentinsued-tirol.it +trentinsuedtirol.it +tuscany.it +umb.it +umbria.it +val-d-aosta.it +val-daosta.it +vald-aosta.it +valdaosta.it +valle-aosta.it +valle-d-aosta.it +valle-daosta.it +valleaosta.it +valled-aosta.it +valledaosta.it +vallee-aoste.it +xn--valle-aoste-ebb.it +vallee-d-aoste.it +xn--valle-d-aoste-ehb.it +valleeaoste.it +xn--valleaoste-e7a.it +valleedaoste.it +xn--valledaoste-ebb.it +vao.it +vda.it +ven.it +veneto.it +// Provinces +ag.it +agrigento.it +al.it +alessandria.it +alto-adige.it +altoadige.it +an.it +ancona.it +andria-barletta-trani.it +andria-trani-barletta.it +andriabarlettatrani.it +andriatranibarletta.it +ao.it +aosta.it +aoste.it +ap.it +aq.it +aquila.it +ar.it +arezzo.it +ascoli-piceno.it +ascolipiceno.it +asti.it +at.it +av.it +avellino.it +ba.it +balsan-sudtirol.it +xn--balsan-sdtirol-nsb.it +balsan-suedtirol.it +balsan.it +bari.it +barletta-trani-andria.it +barlettatraniandria.it +belluno.it +benevento.it +bergamo.it +bg.it +bi.it +biella.it +bl.it +bn.it +bo.it +bologna.it +bolzano-altoadige.it +bolzano.it +bozen-sudtirol.it 
+xn--bozen-sdtirol-2ob.it +bozen-suedtirol.it +bozen.it +br.it +brescia.it +brindisi.it +bs.it +bt.it +bulsan-sudtirol.it +xn--bulsan-sdtirol-nsb.it +bulsan-suedtirol.it +bulsan.it +bz.it +ca.it +cagliari.it +caltanissetta.it +campidano-medio.it +campidanomedio.it +campobasso.it +carbonia-iglesias.it +carboniaiglesias.it +carrara-massa.it +carraramassa.it +caserta.it +catania.it +catanzaro.it +cb.it +ce.it +cesena-forli.it +xn--cesena-forl-mcb.it +cesenaforli.it +xn--cesenaforl-i8a.it +ch.it +chieti.it +ci.it +cl.it +cn.it +co.it +como.it +cosenza.it +cr.it +cremona.it +crotone.it +cs.it +ct.it +cuneo.it +cz.it +dell-ogliastra.it +dellogliastra.it +en.it +enna.it +fc.it +fe.it +fermo.it +ferrara.it +fg.it +fi.it +firenze.it +florence.it +fm.it +foggia.it +forli-cesena.it +xn--forl-cesena-fcb.it +forlicesena.it +xn--forlcesena-c8a.it +fr.it +frosinone.it +ge.it +genoa.it +genova.it +go.it +gorizia.it +gr.it +grosseto.it +iglesias-carbonia.it +iglesiascarbonia.it +im.it +imperia.it +is.it +isernia.it +kr.it +la-spezia.it +laquila.it +laspezia.it +latina.it +lc.it +le.it +lecce.it +lecco.it +li.it +livorno.it +lo.it +lodi.it +lt.it +lu.it +lucca.it +macerata.it +mantova.it +massa-carrara.it +massacarrara.it +matera.it +mb.it +mc.it +me.it +medio-campidano.it +mediocampidano.it +messina.it +mi.it +milan.it +milano.it +mn.it +mo.it +modena.it +monza-brianza.it +monza-e-della-brianza.it +monza.it +monzabrianza.it +monzaebrianza.it +monzaedellabrianza.it +ms.it +mt.it +na.it +naples.it +napoli.it +no.it +novara.it +nu.it +nuoro.it +og.it +ogliastra.it +olbia-tempio.it +olbiatempio.it +or.it +oristano.it +ot.it +pa.it +padova.it +padua.it +palermo.it +parma.it +pavia.it +pc.it +pd.it +pe.it +perugia.it +pesaro-urbino.it +pesarourbino.it +pescara.it +pg.it +pi.it +piacenza.it +pisa.it +pistoia.it +pn.it +po.it +pordenone.it +potenza.it +pr.it +prato.it +pt.it +pu.it +pv.it +pz.it +ra.it +ragusa.it +ravenna.it +rc.it +re.it +reggio-calabria.it +reggio-emilia.it 
+reggiocalabria.it +reggioemilia.it +rg.it +ri.it +rieti.it +rimini.it +rm.it +rn.it +ro.it +roma.it +rome.it +rovigo.it +sa.it +salerno.it +sassari.it +savona.it +si.it +siena.it +siracusa.it +so.it +sondrio.it +sp.it +sr.it +ss.it +suedtirol.it +xn--sdtirol-n2a.it +sv.it +ta.it +taranto.it +te.it +tempio-olbia.it +tempioolbia.it +teramo.it +terni.it +tn.it +to.it +torino.it +tp.it +tr.it +trani-andria-barletta.it +trani-barletta-andria.it +traniandriabarletta.it +tranibarlettaandria.it +trapani.it +trento.it +treviso.it +trieste.it +ts.it +turin.it +tv.it +ud.it +udine.it +urbino-pesaro.it +urbinopesaro.it +va.it +varese.it +vb.it +vc.it +ve.it +venezia.it +venice.it +verbania.it +vercelli.it +verona.it +vi.it +vibo-valentia.it +vibovalentia.it +vicenza.it +viterbo.it +vr.it +vs.it +vt.it +vv.it + +// je : http://www.channelisles.net/register-domains/ +// Confirmed by registry 2013-11-28 +je +co.je +net.je +org.je + +// jm : http://www.com.jm/register.html +*.jm + +// jo : http://www.dns.jo/Registration_policy.aspx +jo +com.jo +org.jo +net.jo +edu.jo +sch.jo +gov.jo +mil.jo +name.jo + +// jobs : https://en.wikipedia.org/wiki/.jobs +jobs + +// jp : https://en.wikipedia.org/wiki/.jp +// http://jprs.co.jp/en/jpdomain.html +// Submitted by registry +jp +// jp organizational type names +ac.jp +ad.jp +co.jp +ed.jp +go.jp +gr.jp +lg.jp +ne.jp +or.jp +// jp prefecture type names +aichi.jp +akita.jp +aomori.jp +chiba.jp +ehime.jp +fukui.jp +fukuoka.jp +fukushima.jp +gifu.jp +gunma.jp +hiroshima.jp +hokkaido.jp +hyogo.jp +ibaraki.jp +ishikawa.jp +iwate.jp +kagawa.jp +kagoshima.jp +kanagawa.jp +kochi.jp +kumamoto.jp +kyoto.jp +mie.jp +miyagi.jp +miyazaki.jp +nagano.jp +nagasaki.jp +nara.jp +niigata.jp +oita.jp +okayama.jp +okinawa.jp +osaka.jp +saga.jp +saitama.jp +shiga.jp +shimane.jp +shizuoka.jp +tochigi.jp +tokushima.jp +tokyo.jp +tottori.jp +toyama.jp +wakayama.jp +yamagata.jp +yamaguchi.jp +yamanashi.jp +xn--4pvxs.jp +xn--vgu402c.jp +xn--c3s14m.jp +xn--f6qx53a.jp 
+xn--8pvr4u.jp +xn--uist22h.jp +xn--djrs72d6uy.jp +xn--mkru45i.jp +xn--0trq7p7nn.jp +xn--8ltr62k.jp +xn--2m4a15e.jp +xn--efvn9s.jp +xn--32vp30h.jp +xn--4it797k.jp +xn--1lqs71d.jp +xn--5rtp49c.jp +xn--5js045d.jp +xn--ehqz56n.jp +xn--1lqs03n.jp +xn--qqqt11m.jp +xn--kbrq7o.jp +xn--pssu33l.jp +xn--ntsq17g.jp +xn--uisz3g.jp +xn--6btw5a.jp +xn--1ctwo.jp +xn--6orx2r.jp +xn--rht61e.jp +xn--rht27z.jp +xn--djty4k.jp +xn--nit225k.jp +xn--rht3d.jp +xn--klty5x.jp +xn--kltx9a.jp +xn--kltp7d.jp +xn--uuwu58a.jp +xn--zbx025d.jp +xn--ntso0iqx3a.jp +xn--elqq16h.jp +xn--4it168d.jp +xn--klt787d.jp +xn--rny31h.jp +xn--7t0a264c.jp +xn--5rtq34k.jp +xn--k7yn95e.jp +xn--tor131o.jp +xn--d5qv7z876c.jp +// jp geographic type names +// http://jprs.jp/doc/rule/saisoku-1.html +*.kawasaki.jp +*.kitakyushu.jp +*.kobe.jp +*.nagoya.jp +*.sapporo.jp +*.sendai.jp +*.yokohama.jp +!city.kawasaki.jp +!city.kitakyushu.jp +!city.kobe.jp +!city.nagoya.jp +!city.sapporo.jp +!city.sendai.jp +!city.yokohama.jp +// 4th level registration +aisai.aichi.jp +ama.aichi.jp +anjo.aichi.jp +asuke.aichi.jp +chiryu.aichi.jp +chita.aichi.jp +fuso.aichi.jp +gamagori.aichi.jp +handa.aichi.jp +hazu.aichi.jp +hekinan.aichi.jp +higashiura.aichi.jp +ichinomiya.aichi.jp +inazawa.aichi.jp +inuyama.aichi.jp +isshiki.aichi.jp +iwakura.aichi.jp +kanie.aichi.jp +kariya.aichi.jp +kasugai.aichi.jp +kira.aichi.jp +kiyosu.aichi.jp +komaki.aichi.jp +konan.aichi.jp +kota.aichi.jp +mihama.aichi.jp +miyoshi.aichi.jp +nishio.aichi.jp +nisshin.aichi.jp +obu.aichi.jp +oguchi.aichi.jp +oharu.aichi.jp +okazaki.aichi.jp +owariasahi.aichi.jp +seto.aichi.jp +shikatsu.aichi.jp +shinshiro.aichi.jp +shitara.aichi.jp +tahara.aichi.jp +takahama.aichi.jp +tobishima.aichi.jp +toei.aichi.jp +togo.aichi.jp +tokai.aichi.jp +tokoname.aichi.jp +toyoake.aichi.jp +toyohashi.aichi.jp +toyokawa.aichi.jp +toyone.aichi.jp +toyota.aichi.jp +tsushima.aichi.jp +yatomi.aichi.jp +akita.akita.jp +daisen.akita.jp +fujisato.akita.jp +gojome.akita.jp +hachirogata.akita.jp 
+happou.akita.jp +higashinaruse.akita.jp +honjo.akita.jp +honjyo.akita.jp +ikawa.akita.jp +kamikoani.akita.jp +kamioka.akita.jp +katagami.akita.jp +kazuno.akita.jp +kitaakita.akita.jp +kosaka.akita.jp +kyowa.akita.jp +misato.akita.jp +mitane.akita.jp +moriyoshi.akita.jp +nikaho.akita.jp +noshiro.akita.jp +odate.akita.jp +oga.akita.jp +ogata.akita.jp +semboku.akita.jp +yokote.akita.jp +yurihonjo.akita.jp +aomori.aomori.jp +gonohe.aomori.jp +hachinohe.aomori.jp +hashikami.aomori.jp +hiranai.aomori.jp +hirosaki.aomori.jp +itayanagi.aomori.jp +kuroishi.aomori.jp +misawa.aomori.jp +mutsu.aomori.jp +nakadomari.aomori.jp +noheji.aomori.jp +oirase.aomori.jp +owani.aomori.jp +rokunohe.aomori.jp +sannohe.aomori.jp +shichinohe.aomori.jp +shingo.aomori.jp +takko.aomori.jp +towada.aomori.jp +tsugaru.aomori.jp +tsuruta.aomori.jp +abiko.chiba.jp +asahi.chiba.jp +chonan.chiba.jp +chosei.chiba.jp +choshi.chiba.jp +chuo.chiba.jp +funabashi.chiba.jp +futtsu.chiba.jp +hanamigawa.chiba.jp +ichihara.chiba.jp +ichikawa.chiba.jp +ichinomiya.chiba.jp +inzai.chiba.jp +isumi.chiba.jp +kamagaya.chiba.jp +kamogawa.chiba.jp +kashiwa.chiba.jp +katori.chiba.jp +katsuura.chiba.jp +kimitsu.chiba.jp +kisarazu.chiba.jp +kozaki.chiba.jp +kujukuri.chiba.jp +kyonan.chiba.jp +matsudo.chiba.jp +midori.chiba.jp +mihama.chiba.jp +minamiboso.chiba.jp +mobara.chiba.jp +mutsuzawa.chiba.jp +nagara.chiba.jp +nagareyama.chiba.jp +narashino.chiba.jp +narita.chiba.jp +noda.chiba.jp +oamishirasato.chiba.jp +omigawa.chiba.jp +onjuku.chiba.jp +otaki.chiba.jp +sakae.chiba.jp +sakura.chiba.jp +shimofusa.chiba.jp +shirako.chiba.jp +shiroi.chiba.jp +shisui.chiba.jp +sodegaura.chiba.jp +sosa.chiba.jp +tako.chiba.jp +tateyama.chiba.jp +togane.chiba.jp +tohnosho.chiba.jp +tomisato.chiba.jp +urayasu.chiba.jp +yachimata.chiba.jp +yachiyo.chiba.jp +yokaichiba.chiba.jp +yokoshibahikari.chiba.jp +yotsukaido.chiba.jp +ainan.ehime.jp +honai.ehime.jp +ikata.ehime.jp +imabari.ehime.jp +iyo.ehime.jp +kamijima.ehime.jp +kihoku.ehime.jp 
+kumakogen.ehime.jp +masaki.ehime.jp +matsuno.ehime.jp +matsuyama.ehime.jp +namikata.ehime.jp +niihama.ehime.jp +ozu.ehime.jp +saijo.ehime.jp +seiyo.ehime.jp +shikokuchuo.ehime.jp +tobe.ehime.jp +toon.ehime.jp +uchiko.ehime.jp +uwajima.ehime.jp +yawatahama.ehime.jp +echizen.fukui.jp +eiheiji.fukui.jp +fukui.fukui.jp +ikeda.fukui.jp +katsuyama.fukui.jp +mihama.fukui.jp +minamiechizen.fukui.jp +obama.fukui.jp +ohi.fukui.jp +ono.fukui.jp +sabae.fukui.jp +sakai.fukui.jp +takahama.fukui.jp +tsuruga.fukui.jp +wakasa.fukui.jp +ashiya.fukuoka.jp +buzen.fukuoka.jp +chikugo.fukuoka.jp +chikuho.fukuoka.jp +chikujo.fukuoka.jp +chikushino.fukuoka.jp +chikuzen.fukuoka.jp +chuo.fukuoka.jp +dazaifu.fukuoka.jp +fukuchi.fukuoka.jp +hakata.fukuoka.jp +higashi.fukuoka.jp +hirokawa.fukuoka.jp +hisayama.fukuoka.jp +iizuka.fukuoka.jp +inatsuki.fukuoka.jp +kaho.fukuoka.jp +kasuga.fukuoka.jp +kasuya.fukuoka.jp +kawara.fukuoka.jp +keisen.fukuoka.jp +koga.fukuoka.jp +kurate.fukuoka.jp +kurogi.fukuoka.jp +kurume.fukuoka.jp +minami.fukuoka.jp +miyako.fukuoka.jp +miyama.fukuoka.jp +miyawaka.fukuoka.jp +mizumaki.fukuoka.jp +munakata.fukuoka.jp +nakagawa.fukuoka.jp +nakama.fukuoka.jp +nishi.fukuoka.jp +nogata.fukuoka.jp +ogori.fukuoka.jp +okagaki.fukuoka.jp +okawa.fukuoka.jp +oki.fukuoka.jp +omuta.fukuoka.jp +onga.fukuoka.jp +onojo.fukuoka.jp +oto.fukuoka.jp +saigawa.fukuoka.jp +sasaguri.fukuoka.jp +shingu.fukuoka.jp +shinyoshitomi.fukuoka.jp +shonai.fukuoka.jp +soeda.fukuoka.jp +sue.fukuoka.jp +tachiarai.fukuoka.jp +tagawa.fukuoka.jp +takata.fukuoka.jp +toho.fukuoka.jp +toyotsu.fukuoka.jp +tsuiki.fukuoka.jp +ukiha.fukuoka.jp +umi.fukuoka.jp +usui.fukuoka.jp +yamada.fukuoka.jp +yame.fukuoka.jp +yanagawa.fukuoka.jp +yukuhashi.fukuoka.jp +aizubange.fukushima.jp +aizumisato.fukushima.jp +aizuwakamatsu.fukushima.jp +asakawa.fukushima.jp +bandai.fukushima.jp +date.fukushima.jp +fukushima.fukushima.jp +furudono.fukushima.jp +futaba.fukushima.jp +hanawa.fukushima.jp +higashi.fukushima.jp 
+hirata.fukushima.jp +hirono.fukushima.jp +iitate.fukushima.jp +inawashiro.fukushima.jp +ishikawa.fukushima.jp +iwaki.fukushima.jp +izumizaki.fukushima.jp +kagamiishi.fukushima.jp +kaneyama.fukushima.jp +kawamata.fukushima.jp +kitakata.fukushima.jp +kitashiobara.fukushima.jp +koori.fukushima.jp +koriyama.fukushima.jp +kunimi.fukushima.jp +miharu.fukushima.jp +mishima.fukushima.jp +namie.fukushima.jp +nango.fukushima.jp +nishiaizu.fukushima.jp +nishigo.fukushima.jp +okuma.fukushima.jp +omotego.fukushima.jp +ono.fukushima.jp +otama.fukushima.jp +samegawa.fukushima.jp +shimogo.fukushima.jp +shirakawa.fukushima.jp +showa.fukushima.jp +soma.fukushima.jp +sukagawa.fukushima.jp +taishin.fukushima.jp +tamakawa.fukushima.jp +tanagura.fukushima.jp +tenei.fukushima.jp +yabuki.fukushima.jp +yamato.fukushima.jp +yamatsuri.fukushima.jp +yanaizu.fukushima.jp +yugawa.fukushima.jp +anpachi.gifu.jp +ena.gifu.jp +gifu.gifu.jp +ginan.gifu.jp +godo.gifu.jp +gujo.gifu.jp +hashima.gifu.jp +hichiso.gifu.jp +hida.gifu.jp +higashishirakawa.gifu.jp +ibigawa.gifu.jp +ikeda.gifu.jp +kakamigahara.gifu.jp +kani.gifu.jp +kasahara.gifu.jp +kasamatsu.gifu.jp +kawaue.gifu.jp +kitagata.gifu.jp +mino.gifu.jp +minokamo.gifu.jp +mitake.gifu.jp +mizunami.gifu.jp +motosu.gifu.jp +nakatsugawa.gifu.jp +ogaki.gifu.jp +sakahogi.gifu.jp +seki.gifu.jp +sekigahara.gifu.jp +shirakawa.gifu.jp +tajimi.gifu.jp +takayama.gifu.jp +tarui.gifu.jp +toki.gifu.jp +tomika.gifu.jp +wanouchi.gifu.jp +yamagata.gifu.jp +yaotsu.gifu.jp +yoro.gifu.jp +annaka.gunma.jp +chiyoda.gunma.jp +fujioka.gunma.jp +higashiagatsuma.gunma.jp +isesaki.gunma.jp +itakura.gunma.jp +kanna.gunma.jp +kanra.gunma.jp +katashina.gunma.jp +kawaba.gunma.jp +kiryu.gunma.jp +kusatsu.gunma.jp +maebashi.gunma.jp +meiwa.gunma.jp +midori.gunma.jp +minakami.gunma.jp +naganohara.gunma.jp +nakanojo.gunma.jp +nanmoku.gunma.jp +numata.gunma.jp +oizumi.gunma.jp +ora.gunma.jp +ota.gunma.jp +shibukawa.gunma.jp +shimonita.gunma.jp +shinto.gunma.jp +showa.gunma.jp 
+takasaki.gunma.jp +takayama.gunma.jp +tamamura.gunma.jp +tatebayashi.gunma.jp +tomioka.gunma.jp +tsukiyono.gunma.jp +tsumagoi.gunma.jp +ueno.gunma.jp +yoshioka.gunma.jp +asaminami.hiroshima.jp +daiwa.hiroshima.jp +etajima.hiroshima.jp +fuchu.hiroshima.jp +fukuyama.hiroshima.jp +hatsukaichi.hiroshima.jp +higashihiroshima.hiroshima.jp +hongo.hiroshima.jp +jinsekikogen.hiroshima.jp +kaita.hiroshima.jp +kui.hiroshima.jp +kumano.hiroshima.jp +kure.hiroshima.jp +mihara.hiroshima.jp +miyoshi.hiroshima.jp +naka.hiroshima.jp +onomichi.hiroshima.jp +osakikamijima.hiroshima.jp +otake.hiroshima.jp +saka.hiroshima.jp +sera.hiroshima.jp +seranishi.hiroshima.jp +shinichi.hiroshima.jp +shobara.hiroshima.jp +takehara.hiroshima.jp +abashiri.hokkaido.jp +abira.hokkaido.jp +aibetsu.hokkaido.jp +akabira.hokkaido.jp +akkeshi.hokkaido.jp +asahikawa.hokkaido.jp +ashibetsu.hokkaido.jp +ashoro.hokkaido.jp +assabu.hokkaido.jp +atsuma.hokkaido.jp +bibai.hokkaido.jp +biei.hokkaido.jp +bifuka.hokkaido.jp +bihoro.hokkaido.jp +biratori.hokkaido.jp +chippubetsu.hokkaido.jp +chitose.hokkaido.jp +date.hokkaido.jp +ebetsu.hokkaido.jp +embetsu.hokkaido.jp +eniwa.hokkaido.jp +erimo.hokkaido.jp +esan.hokkaido.jp +esashi.hokkaido.jp +fukagawa.hokkaido.jp +fukushima.hokkaido.jp +furano.hokkaido.jp +furubira.hokkaido.jp +haboro.hokkaido.jp +hakodate.hokkaido.jp +hamatonbetsu.hokkaido.jp +hidaka.hokkaido.jp +higashikagura.hokkaido.jp +higashikawa.hokkaido.jp +hiroo.hokkaido.jp +hokuryu.hokkaido.jp +hokuto.hokkaido.jp +honbetsu.hokkaido.jp +horokanai.hokkaido.jp +horonobe.hokkaido.jp +ikeda.hokkaido.jp +imakane.hokkaido.jp +ishikari.hokkaido.jp +iwamizawa.hokkaido.jp +iwanai.hokkaido.jp +kamifurano.hokkaido.jp +kamikawa.hokkaido.jp +kamishihoro.hokkaido.jp +kamisunagawa.hokkaido.jp +kamoenai.hokkaido.jp +kayabe.hokkaido.jp +kembuchi.hokkaido.jp +kikonai.hokkaido.jp +kimobetsu.hokkaido.jp +kitahiroshima.hokkaido.jp +kitami.hokkaido.jp +kiyosato.hokkaido.jp +koshimizu.hokkaido.jp +kunneppu.hokkaido.jp 
+kuriyama.hokkaido.jp +kuromatsunai.hokkaido.jp +kushiro.hokkaido.jp +kutchan.hokkaido.jp +kyowa.hokkaido.jp +mashike.hokkaido.jp +matsumae.hokkaido.jp +mikasa.hokkaido.jp +minamifurano.hokkaido.jp +mombetsu.hokkaido.jp +moseushi.hokkaido.jp +mukawa.hokkaido.jp +muroran.hokkaido.jp +naie.hokkaido.jp +nakagawa.hokkaido.jp +nakasatsunai.hokkaido.jp +nakatombetsu.hokkaido.jp +nanae.hokkaido.jp +nanporo.hokkaido.jp +nayoro.hokkaido.jp +nemuro.hokkaido.jp +niikappu.hokkaido.jp +niki.hokkaido.jp +nishiokoppe.hokkaido.jp +noboribetsu.hokkaido.jp +numata.hokkaido.jp +obihiro.hokkaido.jp +obira.hokkaido.jp +oketo.hokkaido.jp +okoppe.hokkaido.jp +otaru.hokkaido.jp +otobe.hokkaido.jp +otofuke.hokkaido.jp +otoineppu.hokkaido.jp +oumu.hokkaido.jp +ozora.hokkaido.jp +pippu.hokkaido.jp +rankoshi.hokkaido.jp +rebun.hokkaido.jp +rikubetsu.hokkaido.jp +rishiri.hokkaido.jp +rishirifuji.hokkaido.jp +saroma.hokkaido.jp +sarufutsu.hokkaido.jp +shakotan.hokkaido.jp +shari.hokkaido.jp +shibecha.hokkaido.jp +shibetsu.hokkaido.jp +shikabe.hokkaido.jp +shikaoi.hokkaido.jp +shimamaki.hokkaido.jp +shimizu.hokkaido.jp +shimokawa.hokkaido.jp +shinshinotsu.hokkaido.jp +shintoku.hokkaido.jp +shiranuka.hokkaido.jp +shiraoi.hokkaido.jp +shiriuchi.hokkaido.jp +sobetsu.hokkaido.jp +sunagawa.hokkaido.jp +taiki.hokkaido.jp +takasu.hokkaido.jp +takikawa.hokkaido.jp +takinoue.hokkaido.jp +teshikaga.hokkaido.jp +tobetsu.hokkaido.jp +tohma.hokkaido.jp +tomakomai.hokkaido.jp +tomari.hokkaido.jp +toya.hokkaido.jp +toyako.hokkaido.jp +toyotomi.hokkaido.jp +toyoura.hokkaido.jp +tsubetsu.hokkaido.jp +tsukigata.hokkaido.jp +urakawa.hokkaido.jp +urausu.hokkaido.jp +uryu.hokkaido.jp +utashinai.hokkaido.jp +wakkanai.hokkaido.jp +wassamu.hokkaido.jp +yakumo.hokkaido.jp +yoichi.hokkaido.jp +aioi.hyogo.jp +akashi.hyogo.jp +ako.hyogo.jp +amagasaki.hyogo.jp +aogaki.hyogo.jp +asago.hyogo.jp +ashiya.hyogo.jp +awaji.hyogo.jp +fukusaki.hyogo.jp +goshiki.hyogo.jp +harima.hyogo.jp +himeji.hyogo.jp +ichikawa.hyogo.jp 
+inagawa.hyogo.jp +itami.hyogo.jp +kakogawa.hyogo.jp +kamigori.hyogo.jp +kamikawa.hyogo.jp +kasai.hyogo.jp +kasuga.hyogo.jp +kawanishi.hyogo.jp +miki.hyogo.jp +minamiawaji.hyogo.jp +nishinomiya.hyogo.jp +nishiwaki.hyogo.jp +ono.hyogo.jp +sanda.hyogo.jp +sannan.hyogo.jp +sasayama.hyogo.jp +sayo.hyogo.jp +shingu.hyogo.jp +shinonsen.hyogo.jp +shiso.hyogo.jp +sumoto.hyogo.jp +taishi.hyogo.jp +taka.hyogo.jp +takarazuka.hyogo.jp +takasago.hyogo.jp +takino.hyogo.jp +tamba.hyogo.jp +tatsuno.hyogo.jp +toyooka.hyogo.jp +yabu.hyogo.jp +yashiro.hyogo.jp +yoka.hyogo.jp +yokawa.hyogo.jp +ami.ibaraki.jp +asahi.ibaraki.jp +bando.ibaraki.jp +chikusei.ibaraki.jp +daigo.ibaraki.jp +fujishiro.ibaraki.jp +hitachi.ibaraki.jp +hitachinaka.ibaraki.jp +hitachiomiya.ibaraki.jp +hitachiota.ibaraki.jp +ibaraki.ibaraki.jp +ina.ibaraki.jp +inashiki.ibaraki.jp +itako.ibaraki.jp +iwama.ibaraki.jp +joso.ibaraki.jp +kamisu.ibaraki.jp +kasama.ibaraki.jp +kashima.ibaraki.jp +kasumigaura.ibaraki.jp +koga.ibaraki.jp +miho.ibaraki.jp +mito.ibaraki.jp +moriya.ibaraki.jp +naka.ibaraki.jp +namegata.ibaraki.jp +oarai.ibaraki.jp +ogawa.ibaraki.jp +omitama.ibaraki.jp +ryugasaki.ibaraki.jp +sakai.ibaraki.jp +sakuragawa.ibaraki.jp +shimodate.ibaraki.jp +shimotsuma.ibaraki.jp +shirosato.ibaraki.jp +sowa.ibaraki.jp +suifu.ibaraki.jp +takahagi.ibaraki.jp +tamatsukuri.ibaraki.jp +tokai.ibaraki.jp +tomobe.ibaraki.jp +tone.ibaraki.jp +toride.ibaraki.jp +tsuchiura.ibaraki.jp +tsukuba.ibaraki.jp +uchihara.ibaraki.jp +ushiku.ibaraki.jp +yachiyo.ibaraki.jp +yamagata.ibaraki.jp +yawara.ibaraki.jp +yuki.ibaraki.jp +anamizu.ishikawa.jp +hakui.ishikawa.jp +hakusan.ishikawa.jp +kaga.ishikawa.jp +kahoku.ishikawa.jp +kanazawa.ishikawa.jp +kawakita.ishikawa.jp +komatsu.ishikawa.jp +nakanoto.ishikawa.jp +nanao.ishikawa.jp +nomi.ishikawa.jp +nonoichi.ishikawa.jp +noto.ishikawa.jp +shika.ishikawa.jp +suzu.ishikawa.jp +tsubata.ishikawa.jp +tsurugi.ishikawa.jp +uchinada.ishikawa.jp +wajima.ishikawa.jp +fudai.iwate.jp 
+fujisawa.iwate.jp +hanamaki.iwate.jp +hiraizumi.iwate.jp +hirono.iwate.jp +ichinohe.iwate.jp +ichinoseki.iwate.jp +iwaizumi.iwate.jp +iwate.iwate.jp +joboji.iwate.jp +kamaishi.iwate.jp +kanegasaki.iwate.jp +karumai.iwate.jp +kawai.iwate.jp +kitakami.iwate.jp +kuji.iwate.jp +kunohe.iwate.jp +kuzumaki.iwate.jp +miyako.iwate.jp +mizusawa.iwate.jp +morioka.iwate.jp +ninohe.iwate.jp +noda.iwate.jp +ofunato.iwate.jp +oshu.iwate.jp +otsuchi.iwate.jp +rikuzentakata.iwate.jp +shiwa.iwate.jp +shizukuishi.iwate.jp +sumita.iwate.jp +tanohata.iwate.jp +tono.iwate.jp +yahaba.iwate.jp +yamada.iwate.jp +ayagawa.kagawa.jp +higashikagawa.kagawa.jp +kanonji.kagawa.jp +kotohira.kagawa.jp +manno.kagawa.jp +marugame.kagawa.jp +mitoyo.kagawa.jp +naoshima.kagawa.jp +sanuki.kagawa.jp +tadotsu.kagawa.jp +takamatsu.kagawa.jp +tonosho.kagawa.jp +uchinomi.kagawa.jp +utazu.kagawa.jp +zentsuji.kagawa.jp +akune.kagoshima.jp +amami.kagoshima.jp +hioki.kagoshima.jp +isa.kagoshima.jp +isen.kagoshima.jp +izumi.kagoshima.jp +kagoshima.kagoshima.jp +kanoya.kagoshima.jp +kawanabe.kagoshima.jp +kinko.kagoshima.jp +kouyama.kagoshima.jp +makurazaki.kagoshima.jp +matsumoto.kagoshima.jp +minamitane.kagoshima.jp +nakatane.kagoshima.jp +nishinoomote.kagoshima.jp +satsumasendai.kagoshima.jp +soo.kagoshima.jp +tarumizu.kagoshima.jp +yusui.kagoshima.jp +aikawa.kanagawa.jp +atsugi.kanagawa.jp +ayase.kanagawa.jp +chigasaki.kanagawa.jp +ebina.kanagawa.jp +fujisawa.kanagawa.jp +hadano.kanagawa.jp +hakone.kanagawa.jp +hiratsuka.kanagawa.jp +isehara.kanagawa.jp +kaisei.kanagawa.jp +kamakura.kanagawa.jp +kiyokawa.kanagawa.jp +matsuda.kanagawa.jp +minamiashigara.kanagawa.jp +miura.kanagawa.jp +nakai.kanagawa.jp +ninomiya.kanagawa.jp +odawara.kanagawa.jp +oi.kanagawa.jp +oiso.kanagawa.jp +sagamihara.kanagawa.jp +samukawa.kanagawa.jp +tsukui.kanagawa.jp +yamakita.kanagawa.jp +yamato.kanagawa.jp +yokosuka.kanagawa.jp +yugawara.kanagawa.jp +zama.kanagawa.jp +zushi.kanagawa.jp +aki.kochi.jp +geisei.kochi.jp +hidaka.kochi.jp 
+higashitsuno.kochi.jp +ino.kochi.jp +kagami.kochi.jp +kami.kochi.jp +kitagawa.kochi.jp +kochi.kochi.jp +mihara.kochi.jp +motoyama.kochi.jp +muroto.kochi.jp +nahari.kochi.jp +nakamura.kochi.jp +nankoku.kochi.jp +nishitosa.kochi.jp +niyodogawa.kochi.jp +ochi.kochi.jp +okawa.kochi.jp +otoyo.kochi.jp +otsuki.kochi.jp +sakawa.kochi.jp +sukumo.kochi.jp +susaki.kochi.jp +tosa.kochi.jp +tosashimizu.kochi.jp +toyo.kochi.jp +tsuno.kochi.jp +umaji.kochi.jp +yasuda.kochi.jp +yusuhara.kochi.jp +amakusa.kumamoto.jp +arao.kumamoto.jp +aso.kumamoto.jp +choyo.kumamoto.jp +gyokuto.kumamoto.jp +kamiamakusa.kumamoto.jp +kikuchi.kumamoto.jp +kumamoto.kumamoto.jp +mashiki.kumamoto.jp +mifune.kumamoto.jp +minamata.kumamoto.jp +minamioguni.kumamoto.jp +nagasu.kumamoto.jp +nishihara.kumamoto.jp +oguni.kumamoto.jp +ozu.kumamoto.jp +sumoto.kumamoto.jp +takamori.kumamoto.jp +uki.kumamoto.jp +uto.kumamoto.jp +yamaga.kumamoto.jp +yamato.kumamoto.jp +yatsushiro.kumamoto.jp +ayabe.kyoto.jp +fukuchiyama.kyoto.jp +higashiyama.kyoto.jp +ide.kyoto.jp +ine.kyoto.jp +joyo.kyoto.jp +kameoka.kyoto.jp +kamo.kyoto.jp +kita.kyoto.jp +kizu.kyoto.jp +kumiyama.kyoto.jp +kyotamba.kyoto.jp +kyotanabe.kyoto.jp +kyotango.kyoto.jp +maizuru.kyoto.jp +minami.kyoto.jp +minamiyamashiro.kyoto.jp +miyazu.kyoto.jp +muko.kyoto.jp +nagaokakyo.kyoto.jp +nakagyo.kyoto.jp +nantan.kyoto.jp +oyamazaki.kyoto.jp +sakyo.kyoto.jp +seika.kyoto.jp +tanabe.kyoto.jp +uji.kyoto.jp +ujitawara.kyoto.jp +wazuka.kyoto.jp +yamashina.kyoto.jp +yawata.kyoto.jp +asahi.mie.jp +inabe.mie.jp +ise.mie.jp +kameyama.mie.jp +kawagoe.mie.jp +kiho.mie.jp +kisosaki.mie.jp +kiwa.mie.jp +komono.mie.jp +kumano.mie.jp +kuwana.mie.jp +matsusaka.mie.jp +meiwa.mie.jp +mihama.mie.jp +minamiise.mie.jp +misugi.mie.jp +miyama.mie.jp +nabari.mie.jp +shima.mie.jp +suzuka.mie.jp +tado.mie.jp +taiki.mie.jp +taki.mie.jp +tamaki.mie.jp +toba.mie.jp +tsu.mie.jp +udono.mie.jp +ureshino.mie.jp +watarai.mie.jp +yokkaichi.mie.jp +furukawa.miyagi.jp 
+higashimatsushima.miyagi.jp +ishinomaki.miyagi.jp +iwanuma.miyagi.jp +kakuda.miyagi.jp +kami.miyagi.jp +kawasaki.miyagi.jp +marumori.miyagi.jp +matsushima.miyagi.jp +minamisanriku.miyagi.jp +misato.miyagi.jp +murata.miyagi.jp +natori.miyagi.jp +ogawara.miyagi.jp +ohira.miyagi.jp +onagawa.miyagi.jp +osaki.miyagi.jp +rifu.miyagi.jp +semine.miyagi.jp +shibata.miyagi.jp +shichikashuku.miyagi.jp +shikama.miyagi.jp +shiogama.miyagi.jp +shiroishi.miyagi.jp +tagajo.miyagi.jp +taiwa.miyagi.jp +tome.miyagi.jp +tomiya.miyagi.jp +wakuya.miyagi.jp +watari.miyagi.jp +yamamoto.miyagi.jp +zao.miyagi.jp +aya.miyazaki.jp +ebino.miyazaki.jp +gokase.miyazaki.jp +hyuga.miyazaki.jp +kadogawa.miyazaki.jp +kawaminami.miyazaki.jp +kijo.miyazaki.jp +kitagawa.miyazaki.jp +kitakata.miyazaki.jp +kitaura.miyazaki.jp +kobayashi.miyazaki.jp +kunitomi.miyazaki.jp +kushima.miyazaki.jp +mimata.miyazaki.jp +miyakonojo.miyazaki.jp +miyazaki.miyazaki.jp +morotsuka.miyazaki.jp +nichinan.miyazaki.jp +nishimera.miyazaki.jp +nobeoka.miyazaki.jp +saito.miyazaki.jp +shiiba.miyazaki.jp +shintomi.miyazaki.jp +takaharu.miyazaki.jp +takanabe.miyazaki.jp +takazaki.miyazaki.jp +tsuno.miyazaki.jp +achi.nagano.jp +agematsu.nagano.jp +anan.nagano.jp +aoki.nagano.jp +asahi.nagano.jp +azumino.nagano.jp +chikuhoku.nagano.jp +chikuma.nagano.jp +chino.nagano.jp +fujimi.nagano.jp +hakuba.nagano.jp +hara.nagano.jp +hiraya.nagano.jp +iida.nagano.jp +iijima.nagano.jp +iiyama.nagano.jp +iizuna.nagano.jp +ikeda.nagano.jp +ikusaka.nagano.jp +ina.nagano.jp +karuizawa.nagano.jp +kawakami.nagano.jp +kiso.nagano.jp +kisofukushima.nagano.jp +kitaaiki.nagano.jp +komagane.nagano.jp +komoro.nagano.jp +matsukawa.nagano.jp +matsumoto.nagano.jp +miasa.nagano.jp +minamiaiki.nagano.jp +minamimaki.nagano.jp +minamiminowa.nagano.jp +minowa.nagano.jp +miyada.nagano.jp +miyota.nagano.jp +mochizuki.nagano.jp +nagano.nagano.jp +nagawa.nagano.jp +nagiso.nagano.jp +nakagawa.nagano.jp +nakano.nagano.jp +nozawaonsen.nagano.jp +obuse.nagano.jp 
+ogawa.nagano.jp +okaya.nagano.jp +omachi.nagano.jp +omi.nagano.jp +ookuwa.nagano.jp +ooshika.nagano.jp +otaki.nagano.jp +otari.nagano.jp +sakae.nagano.jp +sakaki.nagano.jp +saku.nagano.jp +sakuho.nagano.jp +shimosuwa.nagano.jp +shinanomachi.nagano.jp +shiojiri.nagano.jp +suwa.nagano.jp +suzaka.nagano.jp +takagi.nagano.jp +takamori.nagano.jp +takayama.nagano.jp +tateshina.nagano.jp +tatsuno.nagano.jp +togakushi.nagano.jp +togura.nagano.jp +tomi.nagano.jp +ueda.nagano.jp +wada.nagano.jp +yamagata.nagano.jp +yamanouchi.nagano.jp +yasaka.nagano.jp +yasuoka.nagano.jp +chijiwa.nagasaki.jp +futsu.nagasaki.jp +goto.nagasaki.jp +hasami.nagasaki.jp +hirado.nagasaki.jp +iki.nagasaki.jp +isahaya.nagasaki.jp +kawatana.nagasaki.jp +kuchinotsu.nagasaki.jp +matsuura.nagasaki.jp +nagasaki.nagasaki.jp +obama.nagasaki.jp +omura.nagasaki.jp +oseto.nagasaki.jp +saikai.nagasaki.jp +sasebo.nagasaki.jp +seihi.nagasaki.jp +shimabara.nagasaki.jp +shinkamigoto.nagasaki.jp +togitsu.nagasaki.jp +tsushima.nagasaki.jp +unzen.nagasaki.jp +ando.nara.jp +gose.nara.jp +heguri.nara.jp +higashiyoshino.nara.jp +ikaruga.nara.jp +ikoma.nara.jp +kamikitayama.nara.jp +kanmaki.nara.jp +kashiba.nara.jp +kashihara.nara.jp +katsuragi.nara.jp +kawai.nara.jp +kawakami.nara.jp +kawanishi.nara.jp +koryo.nara.jp +kurotaki.nara.jp +mitsue.nara.jp +miyake.nara.jp +nara.nara.jp +nosegawa.nara.jp +oji.nara.jp +ouda.nara.jp +oyodo.nara.jp +sakurai.nara.jp +sango.nara.jp +shimoichi.nara.jp +shimokitayama.nara.jp +shinjo.nara.jp +soni.nara.jp +takatori.nara.jp +tawaramoto.nara.jp +tenkawa.nara.jp +tenri.nara.jp +uda.nara.jp +yamatokoriyama.nara.jp +yamatotakada.nara.jp +yamazoe.nara.jp +yoshino.nara.jp +aga.niigata.jp +agano.niigata.jp +gosen.niigata.jp +itoigawa.niigata.jp +izumozaki.niigata.jp +joetsu.niigata.jp +kamo.niigata.jp +kariwa.niigata.jp +kashiwazaki.niigata.jp +minamiuonuma.niigata.jp +mitsuke.niigata.jp +muika.niigata.jp +murakami.niigata.jp +myoko.niigata.jp +nagaoka.niigata.jp +niigata.niigata.jp 
+ojiya.niigata.jp +omi.niigata.jp +sado.niigata.jp +sanjo.niigata.jp +seiro.niigata.jp +seirou.niigata.jp +sekikawa.niigata.jp +shibata.niigata.jp +tagami.niigata.jp +tainai.niigata.jp +tochio.niigata.jp +tokamachi.niigata.jp +tsubame.niigata.jp +tsunan.niigata.jp +uonuma.niigata.jp +yahiko.niigata.jp +yoita.niigata.jp +yuzawa.niigata.jp +beppu.oita.jp +bungoono.oita.jp +bungotakada.oita.jp +hasama.oita.jp +hiji.oita.jp +himeshima.oita.jp +hita.oita.jp +kamitsue.oita.jp +kokonoe.oita.jp +kuju.oita.jp +kunisaki.oita.jp +kusu.oita.jp +oita.oita.jp +saiki.oita.jp +taketa.oita.jp +tsukumi.oita.jp +usa.oita.jp +usuki.oita.jp +yufu.oita.jp +akaiwa.okayama.jp +asakuchi.okayama.jp +bizen.okayama.jp +hayashima.okayama.jp +ibara.okayama.jp +kagamino.okayama.jp +kasaoka.okayama.jp +kibichuo.okayama.jp +kumenan.okayama.jp +kurashiki.okayama.jp +maniwa.okayama.jp +misaki.okayama.jp +nagi.okayama.jp +niimi.okayama.jp +nishiawakura.okayama.jp +okayama.okayama.jp +satosho.okayama.jp +setouchi.okayama.jp +shinjo.okayama.jp +shoo.okayama.jp +soja.okayama.jp +takahashi.okayama.jp +tamano.okayama.jp +tsuyama.okayama.jp +wake.okayama.jp +yakage.okayama.jp +aguni.okinawa.jp +ginowan.okinawa.jp +ginoza.okinawa.jp +gushikami.okinawa.jp +haebaru.okinawa.jp +higashi.okinawa.jp +hirara.okinawa.jp +iheya.okinawa.jp +ishigaki.okinawa.jp +ishikawa.okinawa.jp +itoman.okinawa.jp +izena.okinawa.jp +kadena.okinawa.jp +kin.okinawa.jp +kitadaito.okinawa.jp +kitanakagusuku.okinawa.jp +kumejima.okinawa.jp +kunigami.okinawa.jp +minamidaito.okinawa.jp +motobu.okinawa.jp +nago.okinawa.jp +naha.okinawa.jp +nakagusuku.okinawa.jp +nakijin.okinawa.jp +nanjo.okinawa.jp +nishihara.okinawa.jp +ogimi.okinawa.jp +okinawa.okinawa.jp +onna.okinawa.jp +shimoji.okinawa.jp +taketomi.okinawa.jp +tarama.okinawa.jp +tokashiki.okinawa.jp +tomigusuku.okinawa.jp +tonaki.okinawa.jp +urasoe.okinawa.jp +uruma.okinawa.jp +yaese.okinawa.jp +yomitan.okinawa.jp +yonabaru.okinawa.jp +yonaguni.okinawa.jp +zamami.okinawa.jp 
+abeno.osaka.jp +chihayaakasaka.osaka.jp +chuo.osaka.jp +daito.osaka.jp +fujiidera.osaka.jp +habikino.osaka.jp +hannan.osaka.jp +higashiosaka.osaka.jp +higashisumiyoshi.osaka.jp +higashiyodogawa.osaka.jp +hirakata.osaka.jp +ibaraki.osaka.jp +ikeda.osaka.jp +izumi.osaka.jp +izumiotsu.osaka.jp +izumisano.osaka.jp +kadoma.osaka.jp +kaizuka.osaka.jp +kanan.osaka.jp +kashiwara.osaka.jp +katano.osaka.jp +kawachinagano.osaka.jp +kishiwada.osaka.jp +kita.osaka.jp +kumatori.osaka.jp +matsubara.osaka.jp +minato.osaka.jp +minoh.osaka.jp +misaki.osaka.jp +moriguchi.osaka.jp +neyagawa.osaka.jp +nishi.osaka.jp +nose.osaka.jp +osakasayama.osaka.jp +sakai.osaka.jp +sayama.osaka.jp +sennan.osaka.jp +settsu.osaka.jp +shijonawate.osaka.jp +shimamoto.osaka.jp +suita.osaka.jp +tadaoka.osaka.jp +taishi.osaka.jp +tajiri.osaka.jp +takaishi.osaka.jp +takatsuki.osaka.jp +tondabayashi.osaka.jp +toyonaka.osaka.jp +toyono.osaka.jp +yao.osaka.jp +ariake.saga.jp +arita.saga.jp +fukudomi.saga.jp +genkai.saga.jp +hamatama.saga.jp +hizen.saga.jp +imari.saga.jp +kamimine.saga.jp +kanzaki.saga.jp +karatsu.saga.jp +kashima.saga.jp +kitagata.saga.jp +kitahata.saga.jp +kiyama.saga.jp +kouhoku.saga.jp +kyuragi.saga.jp +nishiarita.saga.jp +ogi.saga.jp +omachi.saga.jp +ouchi.saga.jp +saga.saga.jp +shiroishi.saga.jp +taku.saga.jp +tara.saga.jp +tosu.saga.jp +yoshinogari.saga.jp +arakawa.saitama.jp +asaka.saitama.jp +chichibu.saitama.jp +fujimi.saitama.jp +fujimino.saitama.jp +fukaya.saitama.jp +hanno.saitama.jp +hanyu.saitama.jp +hasuda.saitama.jp +hatogaya.saitama.jp +hatoyama.saitama.jp +hidaka.saitama.jp +higashichichibu.saitama.jp +higashimatsuyama.saitama.jp +honjo.saitama.jp +ina.saitama.jp +iruma.saitama.jp +iwatsuki.saitama.jp +kamiizumi.saitama.jp +kamikawa.saitama.jp +kamisato.saitama.jp +kasukabe.saitama.jp +kawagoe.saitama.jp +kawaguchi.saitama.jp +kawajima.saitama.jp +kazo.saitama.jp +kitamoto.saitama.jp +koshigaya.saitama.jp +kounosu.saitama.jp +kuki.saitama.jp +kumagaya.saitama.jp 
+matsubushi.saitama.jp +minano.saitama.jp +misato.saitama.jp +miyashiro.saitama.jp +miyoshi.saitama.jp +moroyama.saitama.jp +nagatoro.saitama.jp +namegawa.saitama.jp +niiza.saitama.jp +ogano.saitama.jp +ogawa.saitama.jp +ogose.saitama.jp +okegawa.saitama.jp +omiya.saitama.jp +otaki.saitama.jp +ranzan.saitama.jp +ryokami.saitama.jp +saitama.saitama.jp +sakado.saitama.jp +satte.saitama.jp +sayama.saitama.jp +shiki.saitama.jp +shiraoka.saitama.jp +soka.saitama.jp +sugito.saitama.jp +toda.saitama.jp +tokigawa.saitama.jp +tokorozawa.saitama.jp +tsurugashima.saitama.jp +urawa.saitama.jp +warabi.saitama.jp +yashio.saitama.jp +yokoze.saitama.jp +yono.saitama.jp +yorii.saitama.jp +yoshida.saitama.jp +yoshikawa.saitama.jp +yoshimi.saitama.jp +aisho.shiga.jp +gamo.shiga.jp +higashiomi.shiga.jp +hikone.shiga.jp +koka.shiga.jp +konan.shiga.jp +kosei.shiga.jp +koto.shiga.jp +kusatsu.shiga.jp +maibara.shiga.jp +moriyama.shiga.jp +nagahama.shiga.jp +nishiazai.shiga.jp +notogawa.shiga.jp +omihachiman.shiga.jp +otsu.shiga.jp +ritto.shiga.jp +ryuoh.shiga.jp +takashima.shiga.jp +takatsuki.shiga.jp +torahime.shiga.jp +toyosato.shiga.jp +yasu.shiga.jp +akagi.shimane.jp +ama.shimane.jp +gotsu.shimane.jp +hamada.shimane.jp +higashiizumo.shimane.jp +hikawa.shimane.jp +hikimi.shimane.jp +izumo.shimane.jp +kakinoki.shimane.jp +masuda.shimane.jp +matsue.shimane.jp +misato.shimane.jp +nishinoshima.shimane.jp +ohda.shimane.jp +okinoshima.shimane.jp +okuizumo.shimane.jp +shimane.shimane.jp +tamayu.shimane.jp +tsuwano.shimane.jp +unnan.shimane.jp +yakumo.shimane.jp +yasugi.shimane.jp +yatsuka.shimane.jp +arai.shizuoka.jp +atami.shizuoka.jp +fuji.shizuoka.jp +fujieda.shizuoka.jp +fujikawa.shizuoka.jp +fujinomiya.shizuoka.jp +fukuroi.shizuoka.jp +gotemba.shizuoka.jp +haibara.shizuoka.jp +hamamatsu.shizuoka.jp +higashiizu.shizuoka.jp +ito.shizuoka.jp +iwata.shizuoka.jp +izu.shizuoka.jp +izunokuni.shizuoka.jp +kakegawa.shizuoka.jp +kannami.shizuoka.jp +kawanehon.shizuoka.jp +kawazu.shizuoka.jp 
+kikugawa.shizuoka.jp +kosai.shizuoka.jp +makinohara.shizuoka.jp +matsuzaki.shizuoka.jp +minamiizu.shizuoka.jp +mishima.shizuoka.jp +morimachi.shizuoka.jp +nishiizu.shizuoka.jp +numazu.shizuoka.jp +omaezaki.shizuoka.jp +shimada.shizuoka.jp +shimizu.shizuoka.jp +shimoda.shizuoka.jp +shizuoka.shizuoka.jp +susono.shizuoka.jp +yaizu.shizuoka.jp +yoshida.shizuoka.jp +ashikaga.tochigi.jp +bato.tochigi.jp +haga.tochigi.jp +ichikai.tochigi.jp +iwafune.tochigi.jp +kaminokawa.tochigi.jp +kanuma.tochigi.jp +karasuyama.tochigi.jp +kuroiso.tochigi.jp +mashiko.tochigi.jp +mibu.tochigi.jp +moka.tochigi.jp +motegi.tochigi.jp +nasu.tochigi.jp +nasushiobara.tochigi.jp +nikko.tochigi.jp +nishikata.tochigi.jp +nogi.tochigi.jp +ohira.tochigi.jp +ohtawara.tochigi.jp +oyama.tochigi.jp +sakura.tochigi.jp +sano.tochigi.jp +shimotsuke.tochigi.jp +shioya.tochigi.jp +takanezawa.tochigi.jp +tochigi.tochigi.jp +tsuga.tochigi.jp +ujiie.tochigi.jp +utsunomiya.tochigi.jp +yaita.tochigi.jp +aizumi.tokushima.jp +anan.tokushima.jp +ichiba.tokushima.jp +itano.tokushima.jp +kainan.tokushima.jp +komatsushima.tokushima.jp +matsushige.tokushima.jp +mima.tokushima.jp +minami.tokushima.jp +miyoshi.tokushima.jp +mugi.tokushima.jp +nakagawa.tokushima.jp +naruto.tokushima.jp +sanagochi.tokushima.jp +shishikui.tokushima.jp +tokushima.tokushima.jp +wajiki.tokushima.jp +adachi.tokyo.jp +akiruno.tokyo.jp +akishima.tokyo.jp +aogashima.tokyo.jp +arakawa.tokyo.jp +bunkyo.tokyo.jp +chiyoda.tokyo.jp +chofu.tokyo.jp +chuo.tokyo.jp +edogawa.tokyo.jp +fuchu.tokyo.jp +fussa.tokyo.jp +hachijo.tokyo.jp +hachioji.tokyo.jp +hamura.tokyo.jp +higashikurume.tokyo.jp +higashimurayama.tokyo.jp +higashiyamato.tokyo.jp +hino.tokyo.jp +hinode.tokyo.jp +hinohara.tokyo.jp +inagi.tokyo.jp +itabashi.tokyo.jp +katsushika.tokyo.jp +kita.tokyo.jp +kiyose.tokyo.jp +kodaira.tokyo.jp +koganei.tokyo.jp +kokubunji.tokyo.jp +komae.tokyo.jp +koto.tokyo.jp +kouzushima.tokyo.jp +kunitachi.tokyo.jp +machida.tokyo.jp +meguro.tokyo.jp +minato.tokyo.jp 
+mitaka.tokyo.jp +mizuho.tokyo.jp +musashimurayama.tokyo.jp +musashino.tokyo.jp +nakano.tokyo.jp +nerima.tokyo.jp +ogasawara.tokyo.jp +okutama.tokyo.jp +ome.tokyo.jp +oshima.tokyo.jp +ota.tokyo.jp +setagaya.tokyo.jp +shibuya.tokyo.jp +shinagawa.tokyo.jp +shinjuku.tokyo.jp +suginami.tokyo.jp +sumida.tokyo.jp +tachikawa.tokyo.jp +taito.tokyo.jp +tama.tokyo.jp +toshima.tokyo.jp +chizu.tottori.jp +hino.tottori.jp +kawahara.tottori.jp +koge.tottori.jp +kotoura.tottori.jp +misasa.tottori.jp +nanbu.tottori.jp +nichinan.tottori.jp +sakaiminato.tottori.jp +tottori.tottori.jp +wakasa.tottori.jp +yazu.tottori.jp +yonago.tottori.jp +asahi.toyama.jp +fuchu.toyama.jp +fukumitsu.toyama.jp +funahashi.toyama.jp +himi.toyama.jp +imizu.toyama.jp +inami.toyama.jp +johana.toyama.jp +kamiichi.toyama.jp +kurobe.toyama.jp +nakaniikawa.toyama.jp +namerikawa.toyama.jp +nanto.toyama.jp +nyuzen.toyama.jp +oyabe.toyama.jp +taira.toyama.jp +takaoka.toyama.jp +tateyama.toyama.jp +toga.toyama.jp +tonami.toyama.jp +toyama.toyama.jp +unazuki.toyama.jp +uozu.toyama.jp +yamada.toyama.jp +arida.wakayama.jp +aridagawa.wakayama.jp +gobo.wakayama.jp +hashimoto.wakayama.jp +hidaka.wakayama.jp +hirogawa.wakayama.jp +inami.wakayama.jp +iwade.wakayama.jp +kainan.wakayama.jp +kamitonda.wakayama.jp +katsuragi.wakayama.jp +kimino.wakayama.jp +kinokawa.wakayama.jp +kitayama.wakayama.jp +koya.wakayama.jp +koza.wakayama.jp +kozagawa.wakayama.jp +kudoyama.wakayama.jp +kushimoto.wakayama.jp +mihama.wakayama.jp +misato.wakayama.jp +nachikatsuura.wakayama.jp +shingu.wakayama.jp +shirahama.wakayama.jp +taiji.wakayama.jp +tanabe.wakayama.jp +wakayama.wakayama.jp +yuasa.wakayama.jp +yura.wakayama.jp +asahi.yamagata.jp +funagata.yamagata.jp +higashine.yamagata.jp +iide.yamagata.jp +kahoku.yamagata.jp +kaminoyama.yamagata.jp +kaneyama.yamagata.jp +kawanishi.yamagata.jp +mamurogawa.yamagata.jp +mikawa.yamagata.jp +murayama.yamagata.jp +nagai.yamagata.jp +nakayama.yamagata.jp +nanyo.yamagata.jp +nishikawa.yamagata.jp 
+obanazawa.yamagata.jp +oe.yamagata.jp +oguni.yamagata.jp +ohkura.yamagata.jp +oishida.yamagata.jp +sagae.yamagata.jp +sakata.yamagata.jp +sakegawa.yamagata.jp +shinjo.yamagata.jp +shirataka.yamagata.jp +shonai.yamagata.jp +takahata.yamagata.jp +tendo.yamagata.jp +tozawa.yamagata.jp +tsuruoka.yamagata.jp +yamagata.yamagata.jp +yamanobe.yamagata.jp +yonezawa.yamagata.jp +yuza.yamagata.jp +abu.yamaguchi.jp +hagi.yamaguchi.jp +hikari.yamaguchi.jp +hofu.yamaguchi.jp +iwakuni.yamaguchi.jp +kudamatsu.yamaguchi.jp +mitou.yamaguchi.jp +nagato.yamaguchi.jp +oshima.yamaguchi.jp +shimonoseki.yamaguchi.jp +shunan.yamaguchi.jp +tabuse.yamaguchi.jp +tokuyama.yamaguchi.jp +toyota.yamaguchi.jp +ube.yamaguchi.jp +yuu.yamaguchi.jp +chuo.yamanashi.jp +doshi.yamanashi.jp +fuefuki.yamanashi.jp +fujikawa.yamanashi.jp +fujikawaguchiko.yamanashi.jp +fujiyoshida.yamanashi.jp +hayakawa.yamanashi.jp +hokuto.yamanashi.jp +ichikawamisato.yamanashi.jp +kai.yamanashi.jp +kofu.yamanashi.jp +koshu.yamanashi.jp +kosuge.yamanashi.jp +minami-alps.yamanashi.jp +minobu.yamanashi.jp +nakamichi.yamanashi.jp +nanbu.yamanashi.jp +narusawa.yamanashi.jp +nirasaki.yamanashi.jp +nishikatsura.yamanashi.jp +oshino.yamanashi.jp +otsuki.yamanashi.jp +showa.yamanashi.jp +tabayama.yamanashi.jp +tsuru.yamanashi.jp +uenohara.yamanashi.jp +yamanakako.yamanashi.jp +yamanashi.yamanashi.jp + +// ke : http://www.kenic.or.ke/index.php/en/ke-domains/ke-domains +ke +ac.ke +co.ke +go.ke +info.ke +me.ke +mobi.ke +ne.ke +or.ke +sc.ke + +// kg : http://www.domain.kg/dmn_n.html +kg +org.kg +net.kg +com.kg +edu.kg +gov.kg +mil.kg + +// kh : http://www.mptc.gov.kh/dns_registration.htm +*.kh + +// ki : http://www.ki/dns/index.html +ki +edu.ki +biz.ki +net.ki +org.ki +gov.ki +info.ki +com.ki + +// km : https://en.wikipedia.org/wiki/.km +// http://www.domaine.km/documents/charte.doc +km +org.km +nom.km +gov.km +prd.km +tm.km +edu.km +mil.km +ass.km +com.km +// These are only mentioned as proposed suggestions at domaine.km, but +// 
https://en.wikipedia.org/wiki/.km says they're available for registration: +coop.km +asso.km +presse.km +medecin.km +notaires.km +pharmaciens.km +veterinaire.km +gouv.km + +// kn : https://en.wikipedia.org/wiki/.kn +// http://www.dot.kn/domainRules.html +kn +net.kn +org.kn +edu.kn +gov.kn + +// kp : http://www.kcce.kp/en_index.php +kp +com.kp +edu.kp +gov.kp +org.kp +rep.kp +tra.kp + +// kr : https://en.wikipedia.org/wiki/.kr +// see also: http://domain.nida.or.kr/eng/registration.jsp +kr +ac.kr +co.kr +es.kr +go.kr +hs.kr +kg.kr +mil.kr +ms.kr +ne.kr +or.kr +pe.kr +re.kr +sc.kr +// kr geographical names +busan.kr +chungbuk.kr +chungnam.kr +daegu.kr +daejeon.kr +gangwon.kr +gwangju.kr +gyeongbuk.kr +gyeonggi.kr +gyeongnam.kr +incheon.kr +jeju.kr +jeonbuk.kr +jeonnam.kr +seoul.kr +ulsan.kr + +// kw : https://www.nic.kw/policies/ +// Confirmed by registry +kw +com.kw +edu.kw +emb.kw +gov.kw +ind.kw +net.kw +org.kw + +// ky : http://www.icta.ky/da_ky_reg_dom.php +// Confirmed by registry 2008-06-17 +ky +com.ky +edu.ky +net.ky +org.ky + +// kz : https://en.wikipedia.org/wiki/.kz +// see also: http://www.nic.kz/rules/index.jsp +kz +org.kz +edu.kz +net.kz +gov.kz +mil.kz +com.kz + +// la : https://en.wikipedia.org/wiki/.la +// Submitted by registry +la +int.la +net.la +info.la +edu.la +gov.la +per.la +com.la +org.la + +// lb : https://en.wikipedia.org/wiki/.lb +// Submitted by registry +lb +com.lb +edu.lb +gov.lb +net.lb +org.lb + +// lc : https://en.wikipedia.org/wiki/.lc +// see also: http://www.nic.lc/rules.htm +lc +com.lc +net.lc +co.lc +org.lc +edu.lc +gov.lc + +// li : https://en.wikipedia.org/wiki/.li +li + +// lk : https://www.nic.lk/index.php/domain-registration/lk-domain-naming-structure +lk +gov.lk +sch.lk +net.lk +int.lk +com.lk +org.lk +edu.lk +ngo.lk +soc.lk +web.lk +ltd.lk +assn.lk +grp.lk +hotel.lk +ac.lk + +// lr : http://psg.com/dns/lr/lr.txt +// Submitted by registry +lr +com.lr +edu.lr +gov.lr +org.lr +net.lr + +// ls : http://www.nic.ls/ +// 
Confirmed by registry +ls +ac.ls +biz.ls +co.ls +edu.ls +gov.ls +info.ls +net.ls +org.ls +sc.ls + +// lt : https://en.wikipedia.org/wiki/.lt +lt +// gov.lt : http://www.gov.lt/index_en.php +gov.lt + +// lu : http://www.dns.lu/en/ +lu + +// lv : http://www.nic.lv/DNS/En/generic.php +lv +com.lv +edu.lv +gov.lv +org.lv +mil.lv +id.lv +net.lv +asn.lv +conf.lv + +// ly : http://www.nic.ly/regulations.php +ly +com.ly +net.ly +gov.ly +plc.ly +edu.ly +sch.ly +med.ly +org.ly +id.ly + +// ma : https://en.wikipedia.org/wiki/.ma +// http://www.anrt.ma/fr/admin/download/upload/file_fr782.pdf +ma +co.ma +net.ma +gov.ma +org.ma +ac.ma +press.ma + +// mc : http://www.nic.mc/ +mc +tm.mc +asso.mc + +// md : https://en.wikipedia.org/wiki/.md +md + +// me : https://en.wikipedia.org/wiki/.me +me +co.me +net.me +org.me +edu.me +ac.me +gov.me +its.me +priv.me + +// mg : http://nic.mg/nicmg/?page_id=39 +mg +org.mg +nom.mg +gov.mg +prd.mg +tm.mg +edu.mg +mil.mg +com.mg +co.mg + +// mh : https://en.wikipedia.org/wiki/.mh +mh + +// mil : https://en.wikipedia.org/wiki/.mil +mil + +// mk : https://en.wikipedia.org/wiki/.mk +// see also: http://dns.marnet.net.mk/postapka.php +mk +com.mk +org.mk +net.mk +edu.mk +gov.mk +inf.mk +name.mk + +// ml : http://www.gobin.info/domainname/ml-template.doc +// see also: https://en.wikipedia.org/wiki/.ml +ml +com.ml +edu.ml +gouv.ml +gov.ml +net.ml +org.ml +presse.ml + +// mm : https://en.wikipedia.org/wiki/.mm +*.mm + +// mn : https://en.wikipedia.org/wiki/.mn +mn +gov.mn +edu.mn +org.mn + +// mo : http://www.monic.net.mo/ +mo +com.mo +net.mo +org.mo +edu.mo +gov.mo + +// mobi : https://en.wikipedia.org/wiki/.mobi +mobi + +// mp : http://www.dot.mp/ +// Confirmed by registry 2008-06-17 +mp + +// mq : https://en.wikipedia.org/wiki/.mq +mq + +// mr : https://en.wikipedia.org/wiki/.mr +mr +gov.mr + +// ms : http://www.nic.ms/pdf/MS_Domain_Name_Rules.pdf +ms +com.ms +edu.ms +gov.ms +net.ms +org.ms + +// mt : https://www.nic.org.mt/go/policy +// Submitted by 
registry +mt +com.mt +edu.mt +net.mt +org.mt + +// mu : https://en.wikipedia.org/wiki/.mu +mu +com.mu +net.mu +org.mu +gov.mu +ac.mu +co.mu +or.mu + +// museum : http://about.museum/naming/ +// http://index.museum/ +museum +academy.museum +agriculture.museum +air.museum +airguard.museum +alabama.museum +alaska.museum +amber.museum +ambulance.museum +american.museum +americana.museum +americanantiques.museum +americanart.museum +amsterdam.museum +and.museum +annefrank.museum +anthro.museum +anthropology.museum +antiques.museum +aquarium.museum +arboretum.museum +archaeological.museum +archaeology.museum +architecture.museum +art.museum +artanddesign.museum +artcenter.museum +artdeco.museum +arteducation.museum +artgallery.museum +arts.museum +artsandcrafts.museum +asmatart.museum +assassination.museum +assisi.museum +association.museum +astronomy.museum +atlanta.museum +austin.museum +australia.museum +automotive.museum +aviation.museum +axis.museum +badajoz.museum +baghdad.museum +bahn.museum +bale.museum +baltimore.museum +barcelona.museum +baseball.museum +basel.museum +baths.museum +bauern.museum +beauxarts.museum +beeldengeluid.museum +bellevue.museum +bergbau.museum +berkeley.museum +berlin.museum +bern.museum +bible.museum +bilbao.museum +bill.museum +birdart.museum +birthplace.museum +bonn.museum +boston.museum +botanical.museum +botanicalgarden.museum +botanicgarden.museum +botany.museum +brandywinevalley.museum +brasil.museum +bristol.museum +british.museum +britishcolumbia.museum +broadcast.museum +brunel.museum +brussel.museum +brussels.museum +bruxelles.museum +building.museum +burghof.museum +bus.museum +bushey.museum +cadaques.museum +california.museum +cambridge.museum +can.museum +canada.museum +capebreton.museum +carrier.museum +cartoonart.museum +casadelamoneda.museum +castle.museum +castres.museum +celtic.museum +center.museum +chattanooga.museum +cheltenham.museum +chesapeakebay.museum +chicago.museum +children.museum +childrens.museum 
+childrensgarden.museum +chiropractic.museum +chocolate.museum +christiansburg.museum +cincinnati.museum +cinema.museum +circus.museum +civilisation.museum +civilization.museum +civilwar.museum +clinton.museum +clock.museum +coal.museum +coastaldefence.museum +cody.museum +coldwar.museum +collection.museum +colonialwilliamsburg.museum +coloradoplateau.museum +columbia.museum +columbus.museum +communication.museum +communications.museum +community.museum +computer.museum +computerhistory.museum +xn--comunicaes-v6a2o.museum +contemporary.museum +contemporaryart.museum +convent.museum +copenhagen.museum +corporation.museum +xn--correios-e-telecomunicaes-ghc29a.museum +corvette.museum +costume.museum +countryestate.museum +county.museum +crafts.museum +cranbrook.museum +creation.museum +cultural.museum +culturalcenter.museum +culture.museum +cyber.museum +cymru.museum +dali.museum +dallas.museum +database.museum +ddr.museum +decorativearts.museum +delaware.museum +delmenhorst.museum +denmark.museum +depot.museum +design.museum +detroit.museum +dinosaur.museum +discovery.museum +dolls.museum +donostia.museum +durham.museum +eastafrica.museum +eastcoast.museum +education.museum +educational.museum +egyptian.museum +eisenbahn.museum +elburg.museum +elvendrell.museum +embroidery.museum +encyclopedic.museum +england.museum +entomology.museum +environment.museum +environmentalconservation.museum +epilepsy.museum +essex.museum +estate.museum +ethnology.museum +exeter.museum +exhibition.museum +family.museum +farm.museum +farmequipment.museum +farmers.museum +farmstead.museum +field.museum +figueres.museum +filatelia.museum +film.museum +fineart.museum +finearts.museum +finland.museum +flanders.museum +florida.museum +force.museum +fortmissoula.museum +fortworth.museum +foundation.museum +francaise.museum +frankfurt.museum +franziskaner.museum +freemasonry.museum +freiburg.museum +fribourg.museum +frog.museum +fundacio.museum +furniture.museum +gallery.museum +garden.museum 
+gateway.museum +geelvinck.museum +gemological.museum +geology.museum +georgia.museum +giessen.museum +glas.museum +glass.museum +gorge.museum +grandrapids.museum +graz.museum +guernsey.museum +halloffame.museum +hamburg.museum +handson.museum +harvestcelebration.museum +hawaii.museum +health.museum +heimatunduhren.museum +hellas.museum +helsinki.museum +hembygdsforbund.museum +heritage.museum +histoire.museum +historical.museum +historicalsociety.museum +historichouses.museum +historisch.museum +historisches.museum +history.museum +historyofscience.museum +horology.museum +house.museum +humanities.museum +illustration.museum +imageandsound.museum +indian.museum +indiana.museum +indianapolis.museum +indianmarket.museum +intelligence.museum +interactive.museum +iraq.museum +iron.museum +isleofman.museum +jamison.museum +jefferson.museum +jerusalem.museum +jewelry.museum +jewish.museum +jewishart.museum +jfk.museum +journalism.museum +judaica.museum +judygarland.museum +juedisches.museum +juif.museum +karate.museum +karikatur.museum +kids.museum +koebenhavn.museum +koeln.museum +kunst.museum +kunstsammlung.museum +kunstunddesign.museum +labor.museum +labour.museum +lajolla.museum +lancashire.museum +landes.museum +lans.museum +xn--lns-qla.museum +larsson.museum +lewismiller.museum +lincoln.museum +linz.museum +living.museum +livinghistory.museum +localhistory.museum +london.museum +losangeles.museum +louvre.museum +loyalist.museum +lucerne.museum +luxembourg.museum +luzern.museum +mad.museum +madrid.museum +mallorca.museum +manchester.museum +mansion.museum +mansions.museum +manx.museum +marburg.museum +maritime.museum +maritimo.museum +maryland.museum +marylhurst.museum +media.museum +medical.museum +medizinhistorisches.museum +meeres.museum +memorial.museum +mesaverde.museum +michigan.museum +midatlantic.museum +military.museum +mill.museum +miners.museum +mining.museum +minnesota.museum +missile.museum +missoula.museum +modern.museum +moma.museum +money.museum 
+monmouth.museum +monticello.museum +montreal.museum +moscow.museum +motorcycle.museum +muenchen.museum +muenster.museum +mulhouse.museum +muncie.museum +museet.museum +museumcenter.museum +museumvereniging.museum +music.museum +national.museum +nationalfirearms.museum +nationalheritage.museum +nativeamerican.museum +naturalhistory.museum +naturalhistorymuseum.museum +naturalsciences.museum +nature.museum +naturhistorisches.museum +natuurwetenschappen.museum +naumburg.museum +naval.museum +nebraska.museum +neues.museum +newhampshire.museum +newjersey.museum +newmexico.museum +newport.museum +newspaper.museum +newyork.museum +niepce.museum +norfolk.museum +north.museum +nrw.museum +nyc.museum +nyny.museum +oceanographic.museum +oceanographique.museum +omaha.museum +online.museum +ontario.museum +openair.museum +oregon.museum +oregontrail.museum +otago.museum +oxford.museum +pacific.museum +paderborn.museum +palace.museum +paleo.museum +palmsprings.museum +panama.museum +paris.museum +pasadena.museum +pharmacy.museum +philadelphia.museum +philadelphiaarea.museum +philately.museum +phoenix.museum +photography.museum +pilots.museum +pittsburgh.museum +planetarium.museum +plantation.museum +plants.museum +plaza.museum +portal.museum +portland.museum +portlligat.museum +posts-and-telecommunications.museum +preservation.museum +presidio.museum +press.museum +project.museum +public.museum +pubol.museum +quebec.museum +railroad.museum +railway.museum +research.museum +resistance.museum +riodejaneiro.museum +rochester.museum +rockart.museum +roma.museum +russia.museum +saintlouis.museum +salem.museum +salvadordali.museum +salzburg.museum +sandiego.museum +sanfrancisco.museum +santabarbara.museum +santacruz.museum +santafe.museum +saskatchewan.museum +satx.museum +savannahga.museum +schlesisches.museum +schoenbrunn.museum +schokoladen.museum +school.museum +schweiz.museum +science.museum +scienceandhistory.museum +scienceandindustry.museum +sciencecenter.museum 
+sciencecenters.museum +science-fiction.museum +sciencehistory.museum +sciences.museum +sciencesnaturelles.museum +scotland.museum +seaport.museum +settlement.museum +settlers.museum +shell.museum +sherbrooke.museum +sibenik.museum +silk.museum +ski.museum +skole.museum +society.museum +sologne.museum +soundandvision.museum +southcarolina.museum +southwest.museum +space.museum +spy.museum +square.museum +stadt.museum +stalbans.museum +starnberg.museum +state.museum +stateofdelaware.museum +station.museum +steam.museum +steiermark.museum +stjohn.museum +stockholm.museum +stpetersburg.museum +stuttgart.museum +suisse.museum +surgeonshall.museum +surrey.museum +svizzera.museum +sweden.museum +sydney.museum +tank.museum +tcm.museum +technology.museum +telekommunikation.museum +television.museum +texas.museum +textile.museum +theater.museum +time.museum +timekeeping.museum +topology.museum +torino.museum +touch.museum +town.museum +transport.museum +tree.museum +trolley.museum +trust.museum +trustee.museum +uhren.museum +ulm.museum +undersea.museum +university.museum +usa.museum +usantiques.museum +usarts.museum +uscountryestate.museum +usculture.museum +usdecorativearts.museum +usgarden.museum +ushistory.museum +ushuaia.museum +uslivinghistory.museum +utah.museum +uvic.museum +valley.museum +vantaa.museum +versailles.museum +viking.museum +village.museum +virginia.museum +virtual.museum +virtuel.museum +vlaanderen.museum +volkenkunde.museum +wales.museum +wallonie.museum +war.museum +washingtondc.museum +watchandclock.museum +watch-and-clock.museum +western.museum +westfalen.museum +whaling.museum +wildlife.museum +williamsburg.museum +windmill.museum +workshop.museum +york.museum +yorkshire.museum +yosemite.museum +youth.museum +zoological.museum +zoology.museum +xn--9dbhblg6di.museum +xn--h1aegh.museum + +// mv : https://en.wikipedia.org/wiki/.mv +// "mv" included because, contra Wikipedia, google.mv exists. 
+mv +aero.mv +biz.mv +com.mv +coop.mv +edu.mv +gov.mv +info.mv +int.mv +mil.mv +museum.mv +name.mv +net.mv +org.mv +pro.mv + +// mw : http://www.registrar.mw/ +mw +ac.mw +biz.mw +co.mw +com.mw +coop.mw +edu.mw +gov.mw +int.mw +museum.mw +net.mw +org.mw + +// mx : http://www.nic.mx/ +// Submitted by registry +mx +com.mx +org.mx +gob.mx +edu.mx +net.mx + +// my : http://www.mynic.my/ +// Available strings: https://mynic.my/resources/domains/buying-a-domain/ +my +biz.my +com.my +edu.my +gov.my +mil.my +name.my +net.my +org.my + +// mz : http://www.uem.mz/ +// Submitted by registry +mz +ac.mz +adv.mz +co.mz +edu.mz +gov.mz +mil.mz +net.mz +org.mz + +// na : http://www.na-nic.com.na/ +// http://www.info.na/domain/ +na +info.na +pro.na +name.na +school.na +or.na +dr.na +us.na +mx.na +ca.na +in.na +cc.na +tv.na +ws.na +mobi.na +co.na +com.na +org.na + +// name : has 2nd-level tlds, but there's no list of them +name + +// nc : http://www.cctld.nc/ +nc +asso.nc +nom.nc + +// ne : https://en.wikipedia.org/wiki/.ne +ne + +// net : https://en.wikipedia.org/wiki/.net +net + +// nf : https://en.wikipedia.org/wiki/.nf +nf +com.nf +net.nf +per.nf +rec.nf +web.nf +arts.nf +firm.nf +info.nf +other.nf +store.nf + +// ng : http://www.nira.org.ng/index.php/join-us/register-ng-domain/189-nira-slds +ng +com.ng +edu.ng +gov.ng +i.ng +mil.ng +mobi.ng +name.ng +net.ng +org.ng +sch.ng + +// ni : http://www.nic.ni/ +ni +ac.ni +biz.ni +co.ni +com.ni +edu.ni +gob.ni +in.ni +info.ni +int.ni +mil.ni +net.ni +nom.ni +org.ni +web.ni + +// nl : https://en.wikipedia.org/wiki/.nl +// https://www.sidn.nl/ +// ccTLD for the Netherlands +nl + +// no : https://www.norid.no/en/om-domenenavn/regelverk-for-no/ +// Norid geographical second level domains : https://www.norid.no/en/om-domenenavn/regelverk-for-no/vedlegg-b/ +// Norid category second level domains : https://www.norid.no/en/om-domenenavn/regelverk-for-no/vedlegg-c/ +// Norid category second-level domains managed by parties other than Norid : 
https://www.norid.no/en/om-domenenavn/regelverk-for-no/vedlegg-d/ +// RSS feed: https://teknisk.norid.no/en/feed/ +no +// Norid category second level domains : https://www.norid.no/en/om-domenenavn/regelverk-for-no/vedlegg-c/ +fhs.no +vgs.no +fylkesbibl.no +folkebibl.no +museum.no +idrett.no +priv.no +// Norid category second-level domains managed by parties other than Norid : https://www.norid.no/en/om-domenenavn/regelverk-for-no/vedlegg-d/ +mil.no +stat.no +dep.no +kommune.no +herad.no +// Norid geographical second level domains : https://www.norid.no/en/om-domenenavn/regelverk-for-no/vedlegg-b/ +// counties +aa.no +ah.no +bu.no +fm.no +hl.no +hm.no +jan-mayen.no +mr.no +nl.no +nt.no +of.no +ol.no +oslo.no +rl.no +sf.no +st.no +svalbard.no +tm.no +tr.no +va.no +vf.no +// primary and lower secondary schools per county +gs.aa.no +gs.ah.no +gs.bu.no +gs.fm.no +gs.hl.no +gs.hm.no +gs.jan-mayen.no +gs.mr.no +gs.nl.no +gs.nt.no +gs.of.no +gs.ol.no +gs.oslo.no +gs.rl.no +gs.sf.no +gs.st.no +gs.svalbard.no +gs.tm.no +gs.tr.no +gs.va.no +gs.vf.no +// cities +akrehamn.no +xn--krehamn-dxa.no +algard.no +xn--lgrd-poac.no +arna.no +brumunddal.no +bryne.no +bronnoysund.no +xn--brnnysund-m8ac.no +drobak.no +xn--drbak-wua.no +egersund.no +fetsund.no +floro.no +xn--flor-jra.no +fredrikstad.no +hokksund.no +honefoss.no +xn--hnefoss-q1a.no +jessheim.no +jorpeland.no +xn--jrpeland-54a.no +kirkenes.no +kopervik.no +krokstadelva.no +langevag.no +xn--langevg-jxa.no +leirvik.no +mjondalen.no +xn--mjndalen-64a.no +mo-i-rana.no +mosjoen.no +xn--mosjen-eya.no +nesoddtangen.no +orkanger.no +osoyro.no +xn--osyro-wua.no +raholt.no +xn--rholt-mra.no +sandnessjoen.no +xn--sandnessjen-ogb.no +skedsmokorset.no +slattum.no +spjelkavik.no +stathelle.no +stavern.no +stjordalshalsen.no +xn--stjrdalshalsen-sqb.no +tananger.no +tranby.no +vossevangen.no +// communities +afjord.no +xn--fjord-lra.no +agdenes.no +al.no +xn--l-1fa.no +alesund.no +xn--lesund-hua.no +alstahaug.no +alta.no +xn--lt-liac.no 
+alaheadju.no +xn--laheadju-7ya.no +alvdal.no +amli.no +xn--mli-tla.no +amot.no +xn--mot-tla.no +andebu.no +andoy.no +xn--andy-ira.no +andasuolo.no +ardal.no +xn--rdal-poa.no +aremark.no +arendal.no +xn--s-1fa.no +aseral.no +xn--seral-lra.no +asker.no +askim.no +askvoll.no +askoy.no +xn--asky-ira.no +asnes.no +xn--snes-poa.no +audnedaln.no +aukra.no +aure.no +aurland.no +aurskog-holand.no +xn--aurskog-hland-jnb.no +austevoll.no +austrheim.no +averoy.no +xn--avery-yua.no +balestrand.no +ballangen.no +balat.no +xn--blt-elab.no +balsfjord.no +bahccavuotna.no +xn--bhccavuotna-k7a.no +bamble.no +bardu.no +beardu.no +beiarn.no +bajddar.no +xn--bjddar-pta.no +baidar.no +xn--bidr-5nac.no +berg.no +bergen.no +berlevag.no +xn--berlevg-jxa.no +bearalvahki.no +xn--bearalvhki-y4a.no +bindal.no +birkenes.no +bjarkoy.no +xn--bjarky-fya.no +bjerkreim.no +bjugn.no +bodo.no +xn--bod-2na.no +badaddja.no +xn--bdddj-mrabd.no +budejju.no +bokn.no +bremanger.no +bronnoy.no +xn--brnny-wuac.no +bygland.no +bykle.no +barum.no +xn--brum-voa.no +bo.telemark.no +xn--b-5ga.telemark.no +bo.nordland.no +xn--b-5ga.nordland.no +bievat.no +xn--bievt-0qa.no +bomlo.no +xn--bmlo-gra.no +batsfjord.no +xn--btsfjord-9za.no +bahcavuotna.no +xn--bhcavuotna-s4a.no +dovre.no +drammen.no +drangedal.no +dyroy.no +xn--dyry-ira.no +donna.no +xn--dnna-gra.no +eid.no +eidfjord.no +eidsberg.no +eidskog.no +eidsvoll.no +eigersund.no +elverum.no +enebakk.no +engerdal.no +etne.no +etnedal.no +evenes.no +evenassi.no +xn--eveni-0qa01ga.no +evje-og-hornnes.no +farsund.no +fauske.no +fuossko.no +fuoisku.no +fedje.no +fet.no +finnoy.no +xn--finny-yua.no +fitjar.no +fjaler.no +fjell.no +flakstad.no +flatanger.no +flekkefjord.no +flesberg.no +flora.no +fla.no +xn--fl-zia.no +folldal.no +forsand.no +fosnes.no +frei.no +frogn.no +froland.no +frosta.no +frana.no +xn--frna-woa.no +froya.no +xn--frya-hra.no +fusa.no +fyresdal.no +forde.no +xn--frde-gra.no +gamvik.no +gangaviika.no +xn--ggaviika-8ya47h.no +gaular.no +gausdal.no 
+gildeskal.no +xn--gildeskl-g0a.no +giske.no +gjemnes.no +gjerdrum.no +gjerstad.no +gjesdal.no +gjovik.no +xn--gjvik-wua.no +gloppen.no +gol.no +gran.no +grane.no +granvin.no +gratangen.no +grimstad.no +grong.no +kraanghke.no +xn--kranghke-b0a.no +grue.no +gulen.no +hadsel.no +halden.no +halsa.no +hamar.no +hamaroy.no +habmer.no +xn--hbmer-xqa.no +hapmir.no +xn--hpmir-xqa.no +hammerfest.no +hammarfeasta.no +xn--hmmrfeasta-s4ac.no +haram.no +hareid.no +harstad.no +hasvik.no +aknoluokta.no +xn--koluokta-7ya57h.no +hattfjelldal.no +aarborte.no +haugesund.no +hemne.no +hemnes.no +hemsedal.no +heroy.more-og-romsdal.no +xn--hery-ira.xn--mre-og-romsdal-qqb.no +heroy.nordland.no +xn--hery-ira.nordland.no +hitra.no +hjartdal.no +hjelmeland.no +hobol.no +xn--hobl-ira.no +hof.no +hol.no +hole.no +holmestrand.no +holtalen.no +xn--holtlen-hxa.no +hornindal.no +horten.no +hurdal.no +hurum.no +hvaler.no +hyllestad.no +hagebostad.no +xn--hgebostad-g3a.no +hoyanger.no +xn--hyanger-q1a.no +hoylandet.no +xn--hylandet-54a.no +ha.no +xn--h-2fa.no +ibestad.no +inderoy.no +xn--indery-fya.no +iveland.no +jevnaker.no +jondal.no +jolster.no +xn--jlster-bya.no +karasjok.no +karasjohka.no +xn--krjohka-hwab49j.no +karlsoy.no +galsa.no +xn--gls-elac.no +karmoy.no +xn--karmy-yua.no +kautokeino.no +guovdageaidnu.no +klepp.no +klabu.no +xn--klbu-woa.no +kongsberg.no +kongsvinger.no +kragero.no +xn--krager-gya.no +kristiansand.no +kristiansund.no +krodsherad.no +xn--krdsherad-m8a.no +kvalsund.no +rahkkeravju.no +xn--rhkkervju-01af.no +kvam.no +kvinesdal.no +kvinnherad.no +kviteseid.no +kvitsoy.no +xn--kvitsy-fya.no +kvafjord.no +xn--kvfjord-nxa.no +giehtavuoatna.no +kvanangen.no +xn--kvnangen-k0a.no +navuotna.no +xn--nvuotna-hwa.no +kafjord.no +xn--kfjord-iua.no +gaivuotna.no +xn--givuotna-8ya.no +larvik.no +lavangen.no +lavagis.no +loabat.no +xn--loabt-0qa.no +lebesby.no +davvesiida.no +leikanger.no +leirfjord.no +leka.no +leksvik.no +lenvik.no +leangaviika.no +xn--leagaviika-52b.no +lesja.no 
+levanger.no +lier.no +lierne.no +lillehammer.no +lillesand.no +lindesnes.no +lindas.no +xn--linds-pra.no +lom.no +loppa.no +lahppi.no +xn--lhppi-xqa.no +lund.no +lunner.no +luroy.no +xn--lury-ira.no +luster.no +lyngdal.no +lyngen.no +ivgu.no +lardal.no +lerdal.no +xn--lrdal-sra.no +lodingen.no +xn--ldingen-q1a.no +lorenskog.no +xn--lrenskog-54a.no +loten.no +xn--lten-gra.no +malvik.no +masoy.no +xn--msy-ula0h.no +muosat.no +xn--muost-0qa.no +mandal.no +marker.no +marnardal.no +masfjorden.no +meland.no +meldal.no +melhus.no +meloy.no +xn--mely-ira.no +meraker.no +xn--merker-kua.no +moareke.no +xn--moreke-jua.no +midsund.no +midtre-gauldal.no +modalen.no +modum.no +molde.no +moskenes.no +moss.no +mosvik.no +malselv.no +xn--mlselv-iua.no +malatvuopmi.no +xn--mlatvuopmi-s4a.no +namdalseid.no +aejrie.no +namsos.no +namsskogan.no +naamesjevuemie.no +xn--nmesjevuemie-tcba.no +laakesvuemie.no +nannestad.no +narvik.no +narviika.no +naustdal.no +nedre-eiker.no +nes.akershus.no +nes.buskerud.no +nesna.no +nesodden.no +nesseby.no +unjarga.no +xn--unjrga-rta.no +nesset.no +nissedal.no +nittedal.no +nord-aurdal.no +nord-fron.no +nord-odal.no +norddal.no +nordkapp.no +davvenjarga.no +xn--davvenjrga-y4a.no +nordre-land.no +nordreisa.no +raisa.no +xn--risa-5na.no +nore-og-uvdal.no +notodden.no +naroy.no +xn--nry-yla5g.no +notteroy.no +xn--nttery-byae.no +odda.no +oksnes.no +xn--ksnes-uua.no +oppdal.no +oppegard.no +xn--oppegrd-ixa.no +orkdal.no +orland.no +xn--rland-uua.no +orskog.no +xn--rskog-uua.no +orsta.no +xn--rsta-fra.no +os.hedmark.no +os.hordaland.no +osen.no +osteroy.no +xn--ostery-fya.no +ostre-toten.no +xn--stre-toten-zcb.no +overhalla.no +ovre-eiker.no +xn--vre-eiker-k8a.no +oyer.no +xn--yer-zna.no +oygarden.no +xn--ygarden-p1a.no +oystre-slidre.no +xn--ystre-slidre-ujb.no +porsanger.no +porsangu.no +xn--porsgu-sta26f.no +porsgrunn.no +radoy.no +xn--rady-ira.no +rakkestad.no +rana.no +ruovat.no +randaberg.no +rauma.no +rendalen.no +rennebu.no +rennesoy.no 
+xn--rennesy-v1a.no +rindal.no +ringebu.no +ringerike.no +ringsaker.no +rissa.no +risor.no +xn--risr-ira.no +roan.no +rollag.no +rygge.no +ralingen.no +xn--rlingen-mxa.no +rodoy.no +xn--rdy-0nab.no +romskog.no +xn--rmskog-bya.no +roros.no +xn--rros-gra.no +rost.no +xn--rst-0na.no +royken.no +xn--ryken-vua.no +royrvik.no +xn--ryrvik-bya.no +rade.no +xn--rde-ula.no +salangen.no +siellak.no +saltdal.no +salat.no +xn--slt-elab.no +xn--slat-5na.no +samnanger.no +sande.more-og-romsdal.no +sande.xn--mre-og-romsdal-qqb.no +sande.vestfold.no +sandefjord.no +sandnes.no +sandoy.no +xn--sandy-yua.no +sarpsborg.no +sauda.no +sauherad.no +sel.no +selbu.no +selje.no +seljord.no +sigdal.no +siljan.no +sirdal.no +skaun.no +skedsmo.no +ski.no +skien.no +skiptvet.no +skjervoy.no +xn--skjervy-v1a.no +skierva.no +xn--skierv-uta.no +skjak.no +xn--skjk-soa.no +skodje.no +skanland.no +xn--sknland-fxa.no +skanit.no +xn--sknit-yqa.no +smola.no +xn--smla-hra.no +snillfjord.no +snasa.no +xn--snsa-roa.no +snoasa.no +snaase.no +xn--snase-nra.no +sogndal.no +sokndal.no +sola.no +solund.no +songdalen.no +sortland.no +spydeberg.no +stange.no +stavanger.no +steigen.no +steinkjer.no +stjordal.no +xn--stjrdal-s1a.no +stokke.no +stor-elvdal.no +stord.no +stordal.no +storfjord.no +omasvuotna.no +strand.no +stranda.no +stryn.no +sula.no +suldal.no +sund.no +sunndal.no +surnadal.no +sveio.no +svelvik.no +sykkylven.no +sogne.no +xn--sgne-gra.no +somna.no +xn--smna-gra.no +sondre-land.no +xn--sndre-land-0cb.no +sor-aurdal.no +xn--sr-aurdal-l8a.no +sor-fron.no +xn--sr-fron-q1a.no +sor-odal.no +xn--sr-odal-q1a.no +sor-varanger.no +xn--sr-varanger-ggb.no +matta-varjjat.no +xn--mtta-vrjjat-k7af.no +sorfold.no +xn--srfold-bya.no +sorreisa.no +xn--srreisa-q1a.no +sorum.no +xn--srum-gra.no +tana.no +deatnu.no +time.no +tingvoll.no +tinn.no +tjeldsund.no +dielddanuorri.no +tjome.no +xn--tjme-hra.no +tokke.no +tolga.no +torsken.no +tranoy.no +xn--trany-yua.no +tromso.no +xn--troms-zua.no +tromsa.no +romsa.no 
+trondheim.no +troandin.no +trysil.no +trana.no +xn--trna-woa.no +trogstad.no +xn--trgstad-r1a.no +tvedestrand.no +tydal.no +tynset.no +tysfjord.no +divtasvuodna.no +divttasvuotna.no +tysnes.no +tysvar.no +xn--tysvr-vra.no +tonsberg.no +xn--tnsberg-q1a.no +ullensaker.no +ullensvang.no +ulvik.no +utsira.no +vadso.no +xn--vads-jra.no +cahcesuolo.no +xn--hcesuolo-7ya35b.no +vaksdal.no +valle.no +vang.no +vanylven.no +vardo.no +xn--vard-jra.no +varggat.no +xn--vrggt-xqad.no +vefsn.no +vaapste.no +vega.no +vegarshei.no +xn--vegrshei-c0a.no +vennesla.no +verdal.no +verran.no +vestby.no +vestnes.no +vestre-slidre.no +vestre-toten.no +vestvagoy.no +xn--vestvgy-ixa6o.no +vevelstad.no +vik.no +vikna.no +vindafjord.no +volda.no +voss.no +varoy.no +xn--vry-yla5g.no +vagan.no +xn--vgan-qoa.no +voagat.no +vagsoy.no +xn--vgsy-qoa0j.no +vaga.no +xn--vg-yiab.no +valer.ostfold.no +xn--vler-qoa.xn--stfold-9xa.no +valer.hedmark.no +xn--vler-qoa.hedmark.no + +// np : http://www.mos.com.np/register.html +*.np + +// nr : http://cenpac.net.nr/dns/index.html +// Submitted by registry +nr +biz.nr +info.nr +gov.nr +edu.nr +org.nr +net.nr +com.nr + +// nu : https://en.wikipedia.org/wiki/.nu +nu + +// nz : https://en.wikipedia.org/wiki/.nz +// Submitted by registry +nz +ac.nz +co.nz +cri.nz +geek.nz +gen.nz +govt.nz +health.nz +iwi.nz +kiwi.nz +maori.nz +mil.nz +xn--mori-qsa.nz +net.nz +org.nz +parliament.nz +school.nz + +// om : https://en.wikipedia.org/wiki/.om +om +co.om +com.om +edu.om +gov.om +med.om +museum.om +net.om +org.om +pro.om + +// onion : https://tools.ietf.org/html/rfc7686 +onion + +// org : https://en.wikipedia.org/wiki/.org +org + +// pa : http://www.nic.pa/ +// Some additional second level "domains" resolve directly as hostnames, such as +// pannet.pa, so we add a rule for "pa". 
+pa
+ac.pa
+gob.pa
+com.pa
+org.pa
+sld.pa
+edu.pa
+net.pa
+ing.pa
+abo.pa
+med.pa
+nom.pa
+
+// pe : https://www.nic.pe/InformeFinalComision.pdf
+pe
+edu.pe
+gob.pe
+nom.pe
+mil.pe
+org.pe
+com.pe
+net.pe
+
+// pf : http://www.gobin.info/domainname/formulaire-pf.pdf
+pf
+com.pf
+org.pf
+edu.pf
+
+// pg : https://en.wikipedia.org/wiki/.pg
+*.pg
+
+// ph : http://www.domains.ph/FAQ2.asp
+// Submitted by registry
+ph
+com.ph
+net.ph
+org.ph
+gov.ph
+edu.ph
+ngo.ph
+mil.ph
+i.ph
+
+// pk : http://pk5.pknic.net.pk/pk5/msgNamepk.PK
+pk
+com.pk
+net.pk
+edu.pk
+org.pk
+fam.pk
+biz.pk
+web.pk
+gov.pk
+gob.pk
+gok.pk
+gon.pk
+gop.pk
+gos.pk
+info.pk
+
+// pl http://www.dns.pl/english/index.html
+// Submitted by registry
+pl
+com.pl
+net.pl
+org.pl
+// pl functional domains (http://www.dns.pl/english/index.html)
+aid.pl
+agro.pl
+atm.pl
+auto.pl
+biz.pl
+edu.pl
+gmina.pl
+gsm.pl
+info.pl
+mail.pl
+miasta.pl
+media.pl
+mil.pl
+nieruchomosci.pl
+nom.pl
+pc.pl
+powiat.pl
+priv.pl
+realestate.pl
+rel.pl
+sex.pl
+shop.pl
+sklep.pl
+sos.pl
+szkola.pl
+targi.pl
+tm.pl
+tourism.pl
+travel.pl
+turystyka.pl
+// Government domains
+gov.pl
+ap.gov.pl
+ic.gov.pl
+is.gov.pl
+us.gov.pl
+kmpsp.gov.pl
+kppsp.gov.pl
+kwpsp.gov.pl
+psp.gov.pl
+wskr.gov.pl
+kwp.gov.pl
+mw.gov.pl
+ug.gov.pl
+um.gov.pl
+umig.gov.pl
+ugim.gov.pl
+upow.gov.pl
+uw.gov.pl
+starostwo.gov.pl
+pa.gov.pl
+po.gov.pl
+psse.gov.pl
+pup.gov.pl
+rzgw.gov.pl
+sa.gov.pl
+so.gov.pl
+sr.gov.pl
+wsa.gov.pl
+sko.gov.pl
+uzs.gov.pl
+wiih.gov.pl
+winb.gov.pl
+pinb.gov.pl
+wios.gov.pl
+witd.gov.pl
+wzmiuw.gov.pl
+piw.gov.pl
+wiw.gov.pl
+griw.gov.pl
+wif.gov.pl
+oum.gov.pl
+sdn.gov.pl
+zp.gov.pl
+uppo.gov.pl
+mup.gov.pl
+wuoz.gov.pl
+konsulat.gov.pl
+oirm.gov.pl
+// pl regional domains (http://www.dns.pl/english/index.html)
+augustow.pl
+babia-gora.pl
+bedzin.pl
+beskidy.pl
+bialowieza.pl
+bialystok.pl
+bielawa.pl
+bieszczady.pl
+boleslawiec.pl
+bydgoszcz.pl
+bytom.pl
+cieszyn.pl
+czeladz.pl
+czest.pl
+dlugoleka.pl
+elblag.pl
+elk.pl
+glogow.pl
+gniezno.pl
+gorlice.pl
+grajewo.pl
+ilawa.pl
+jaworzno.pl
+jelenia-gora.pl
+jgora.pl
+kalisz.pl
+kazimierz-dolny.pl
+karpacz.pl
+kartuzy.pl
+kaszuby.pl
+katowice.pl
+kepno.pl
+ketrzyn.pl
+klodzko.pl
+kobierzyce.pl
+kolobrzeg.pl
+konin.pl
+konskowola.pl
+kutno.pl
+lapy.pl
+lebork.pl
+legnica.pl
+lezajsk.pl
+limanowa.pl
+lomza.pl
+lowicz.pl
+lubin.pl
+lukow.pl
+malbork.pl
+malopolska.pl
+mazowsze.pl
+mazury.pl
+mielec.pl
+mielno.pl
+mragowo.pl
+naklo.pl
+nowaruda.pl
+nysa.pl
+olawa.pl
+olecko.pl
+olkusz.pl
+olsztyn.pl
+opoczno.pl
+opole.pl
+ostroda.pl
+ostroleka.pl
+ostrowiec.pl
+ostrowwlkp.pl
+pila.pl
+pisz.pl
+podhale.pl
+podlasie.pl
+polkowice.pl
+pomorze.pl
+pomorskie.pl
+prochowice.pl
+pruszkow.pl
+przeworsk.pl
+pulawy.pl
+radom.pl
+rawa-maz.pl
+rybnik.pl
+rzeszow.pl
+sanok.pl
+sejny.pl
+slask.pl
+slupsk.pl
+sosnowiec.pl
+stalowa-wola.pl
+skoczow.pl
+starachowice.pl
+stargard.pl
+suwalki.pl
+swidnica.pl
+swiebodzin.pl
+swinoujscie.pl
+szczecin.pl
+szczytno.pl
+tarnobrzeg.pl
+tgory.pl
+turek.pl
+tychy.pl
+ustka.pl
+walbrzych.pl
+warmia.pl
+warszawa.pl
+waw.pl
+wegrow.pl
+wielun.pl
+wlocl.pl
+wloclawek.pl
+wodzislaw.pl
+wolomin.pl
+wroclaw.pl
+zachpomor.pl
+zagan.pl
+zarow.pl
+zgora.pl
+zgorzelec.pl
+
+// pm : http://www.afnic.fr/medias/documents/AFNIC-naming-policy2012.pdf
+pm
+
+// pn : http://www.government.pn/PnRegistry/policies.htm
+pn
+gov.pn
+co.pn
+org.pn
+edu.pn
+net.pn
+
+// post : https://en.wikipedia.org/wiki/.post
+post
+
+// pr : http://www.nic.pr/index.asp?f=1
+pr
+com.pr
+net.pr
+org.pr
+gov.pr
+edu.pr
+isla.pr
+pro.pr
+biz.pr
+info.pr
+name.pr
+// these aren't mentioned on nic.pr, but on https://en.wikipedia.org/wiki/.pr
+est.pr
+prof.pr
+ac.pr
+
+// pro : http://registry.pro/get-pro
+pro
+aaa.pro
+aca.pro
+acct.pro
+avocat.pro
+bar.pro
+cpa.pro
+eng.pro
+jur.pro
+law.pro
+med.pro
+recht.pro
+
+// ps : https://en.wikipedia.org/wiki/.ps
+// http://www.nic.ps/registration/policy.html#reg
+ps
+edu.ps
+gov.ps
+sec.ps
+plo.ps
+com.ps
+org.ps
+net.ps
+
+// pt : https://www.dns.pt/en/domain/pt-terms-and-conditions-registration-rules/
+pt
+net.pt
+gov.pt
+org.pt
+edu.pt
+int.pt
+publ.pt
+com.pt
+nome.pt
+
+// pw : https://en.wikipedia.org/wiki/.pw
+pw
+co.pw
+ne.pw
+or.pw
+ed.pw
+go.pw
+belau.pw
+
+// py : http://www.nic.py/pautas.html#seccion_9
+// Submitted by registry
+py
+com.py
+coop.py
+edu.py
+gov.py
+mil.py
+net.py
+org.py
+
+// qa : http://domains.qa/en/
+qa
+com.qa
+edu.qa
+gov.qa
+mil.qa
+name.qa
+net.qa
+org.qa
+sch.qa
+
+// re : http://www.afnic.re/obtenir/chartes/nommage-re/annexe-descriptifs
+re
+asso.re
+com.re
+nom.re
+
+// ro : http://www.rotld.ro/
+ro
+arts.ro
+com.ro
+firm.ro
+info.ro
+nom.ro
+nt.ro
+org.ro
+rec.ro
+store.ro
+tm.ro
+www.ro
+
+// rs : https://www.rnids.rs/en/domains/national-domains
+rs
+ac.rs
+co.rs
+edu.rs
+gov.rs
+in.rs
+org.rs
+
+// ru : https://cctld.ru/files/pdf/docs/en/rules_ru-rf.pdf
+// Submitted by George Georgievsky
+ru
+
+// rw : https://www.ricta.org.rw/sites/default/files/resources/registry_registrar_contract_0.pdf
+rw
+ac.rw
+co.rw
+coop.rw
+gov.rw
+mil.rw
+net.rw
+org.rw
+
+// sa : http://www.nic.net.sa/
+sa
+com.sa
+net.sa
+org.sa
+gov.sa
+med.sa
+pub.sa
+edu.sa
+sch.sa
+
+// sb : http://www.sbnic.net.sb/
+// Submitted by registry
+sb
+com.sb
+edu.sb
+gov.sb
+net.sb
+org.sb
+
+// sc : http://www.nic.sc/
+sc
+com.sc
+gov.sc
+net.sc
+org.sc
+edu.sc
+
+// sd : http://www.isoc.sd/sudanic.isoc.sd/billing_pricing.htm
+// Submitted by registry
+sd
+com.sd
+net.sd
+org.sd
+edu.sd
+med.sd
+tv.sd
+gov.sd
+info.sd
+
+// se : https://en.wikipedia.org/wiki/.se
+// Submitted by registry
+se
+a.se
+ac.se
+b.se
+bd.se
+brand.se
+c.se
+d.se
+e.se
+f.se
+fh.se
+fhsk.se
+fhv.se
+g.se
+h.se
+i.se
+k.se
+komforb.se
+kommunalforbund.se
+komvux.se
+l.se
+lanbib.se
+m.se
+n.se
+naturbruksgymn.se
+o.se
+org.se
+p.se
+parti.se
+pp.se
+press.se
+r.se
+s.se
+t.se
+tm.se
+u.se
+w.se
+x.se
+y.se
+z.se
+
+// sg : http://www.nic.net.sg/page/registration-policies-procedures-and-guidelines
+sg
+com.sg
+net.sg
+org.sg
+gov.sg
+edu.sg
+per.sg
+
+// sh : http://nic.sh/rules.htm
+sh
+com.sh
+net.sh
+gov.sh
+org.sh
+mil.sh
+
+// si : https://en.wikipedia.org/wiki/.si
+si
+
+// sj : No registrations at this time.
+// Submitted by registry
+sj
+
+// sk : https://en.wikipedia.org/wiki/.sk
+// list of 2nd level domains ?
+sk
+
+// sl : http://www.nic.sl
+// Submitted by registry
+sl
+com.sl
+net.sl
+edu.sl
+gov.sl
+org.sl
+
+// sm : https://en.wikipedia.org/wiki/.sm
+sm
+
+// sn : https://en.wikipedia.org/wiki/.sn
+sn
+art.sn
+com.sn
+edu.sn
+gouv.sn
+org.sn
+perso.sn
+univ.sn
+
+// so : http://sonic.so/policies/
+so
+com.so
+edu.so
+gov.so
+me.so
+net.so
+org.so
+
+// sr : https://en.wikipedia.org/wiki/.sr
+sr
+
+// ss : https://registry.nic.ss/
+// Submitted by registry
+ss
+biz.ss
+com.ss
+edu.ss
+gov.ss
+me.ss
+net.ss
+org.ss
+sch.ss
+
+// st : http://www.nic.st/html/policyrules/
+st
+co.st
+com.st
+consulado.st
+edu.st
+embaixada.st
+mil.st
+net.st
+org.st
+principe.st
+saotome.st
+store.st
+
+// su : https://en.wikipedia.org/wiki/.su
+su
+
+// sv : http://www.svnet.org.sv/niveldos.pdf
+sv
+com.sv
+edu.sv
+gob.sv
+org.sv
+red.sv
+
+// sx : https://en.wikipedia.org/wiki/.sx
+// Submitted by registry
+sx
+gov.sx
+
+// sy : https://en.wikipedia.org/wiki/.sy
+// see also: http://www.gobin.info/domainname/sy.doc
+sy
+edu.sy
+gov.sy
+net.sy
+mil.sy
+com.sy
+org.sy
+
+// sz : https://en.wikipedia.org/wiki/.sz
+// http://www.sispa.org.sz/
+sz
+co.sz
+ac.sz
+org.sz
+
+// tc : https://en.wikipedia.org/wiki/.tc
+tc
+
+// td : https://en.wikipedia.org/wiki/.td
+td
+
+// tel: https://en.wikipedia.org/wiki/.tel
+// http://www.telnic.org/
+tel
+
+// tf : https://en.wikipedia.org/wiki/.tf
+tf
+
+// tg : https://en.wikipedia.org/wiki/.tg
+// http://www.nic.tg/
+tg
+
+// th : https://en.wikipedia.org/wiki/.th
+// Submitted by registry
+th
+ac.th
+co.th
+go.th
+in.th
+mi.th
+net.th
+or.th
+
+// tj : http://www.nic.tj/policy.html
+tj
+ac.tj
+biz.tj
+co.tj
+com.tj
+edu.tj
+go.tj
+gov.tj
+int.tj
+mil.tj
+name.tj
+net.tj
+nic.tj
+org.tj
+test.tj
+web.tj
+
+// tk : https://en.wikipedia.org/wiki/.tk
+tk
+
+// tl : https://en.wikipedia.org/wiki/.tl
+tl
+gov.tl
+
+// tm : http://www.nic.tm/local.html
+tm
+com.tm
+co.tm
+org.tm
+net.tm
+nom.tm
+gov.tm
+mil.tm
+edu.tm
+
+// tn : http://www.registre.tn/fr/
+// https://whois.ati.tn/
+tn
+com.tn
+ens.tn
+fin.tn
+gov.tn
+ind.tn
+info.tn
+intl.tn
+mincom.tn
+nat.tn
+net.tn
+org.tn
+perso.tn
+tourism.tn
+
+// to : https://en.wikipedia.org/wiki/.to
+// Submitted by registry
+to
+com.to
+gov.to
+net.to
+org.to
+edu.to
+mil.to
+
+// tr : https://nic.tr/
+// https://nic.tr/forms/eng/policies.pdf
+// https://nic.tr/index.php?USRACTN=PRICELST
+tr
+av.tr
+bbs.tr
+bel.tr
+biz.tr
+com.tr
+dr.tr
+edu.tr
+gen.tr
+gov.tr
+info.tr
+mil.tr
+k12.tr
+kep.tr
+name.tr
+net.tr
+org.tr
+pol.tr
+tel.tr
+tsk.tr
+tv.tr
+web.tr
+// Used by Northern Cyprus
+nc.tr
+// Used by government agencies of Northern Cyprus
+gov.nc.tr
+
+// tt : http://www.nic.tt/
+tt
+co.tt
+com.tt
+org.tt
+net.tt
+biz.tt
+info.tt
+pro.tt
+int.tt
+coop.tt
+jobs.tt
+mobi.tt
+travel.tt
+museum.tt
+aero.tt
+name.tt
+gov.tt
+edu.tt
+
+// tv : https://en.wikipedia.org/wiki/.tv
+// Not listing any 2LDs as reserved since none seem to exist in practice,
+// Wikipedia notwithstanding.
+tv
+
+// tw : https://en.wikipedia.org/wiki/.tw
+tw
+edu.tw
+gov.tw
+mil.tw
+com.tw
+net.tw
+org.tw
+idv.tw
+game.tw
+ebiz.tw
+club.tw
+xn--zf0ao64a.tw
+xn--uc0atv.tw
+xn--czrw28b.tw
+
+// tz : http://www.tznic.or.tz/index.php/domains
+// Submitted by registry
+tz
+ac.tz
+co.tz
+go.tz
+hotel.tz
+info.tz
+me.tz
+mil.tz
+mobi.tz
+ne.tz
+or.tz
+sc.tz
+tv.tz
+
+// ua : https://hostmaster.ua/policy/?ua
+// Submitted by registry
+ua
+// ua 2LD
+com.ua
+edu.ua
+gov.ua
+in.ua
+net.ua
+org.ua
+// ua geographic names
+// https://hostmaster.ua/2ld/
+cherkassy.ua
+cherkasy.ua
+chernigov.ua
+chernihiv.ua
+chernivtsi.ua
+chernovtsy.ua
+ck.ua
+cn.ua
+cr.ua
+crimea.ua
+cv.ua
+dn.ua
+dnepropetrovsk.ua
+dnipropetrovsk.ua
+donetsk.ua
+dp.ua
+if.ua
+ivano-frankivsk.ua
+kh.ua
+kharkiv.ua
+kharkov.ua
+kherson.ua
+khmelnitskiy.ua
+khmelnytskyi.ua
+kiev.ua
+kirovograd.ua
+km.ua
+kr.ua
+krym.ua
+ks.ua
+kv.ua
+kyiv.ua
+lg.ua
+lt.ua
+lugansk.ua
+lutsk.ua
+lv.ua
+lviv.ua
+mk.ua
+mykolaiv.ua
+nikolaev.ua
+od.ua
+odesa.ua
+odessa.ua
+pl.ua
+poltava.ua
+rivne.ua
+rovno.ua
+rv.ua
+sb.ua
+sebastopol.ua
+sevastopol.ua
+sm.ua
+sumy.ua
+te.ua
+ternopil.ua
+uz.ua
+uzhgorod.ua
+vinnica.ua
+vinnytsia.ua
+vn.ua
+volyn.ua
+yalta.ua
+zaporizhzhe.ua
+zaporizhzhia.ua
+zhitomir.ua
+zhytomyr.ua
+zp.ua
+zt.ua
+
+// ug : https://www.registry.co.ug/
+ug
+co.ug
+or.ug
+ac.ug
+sc.ug
+go.ug
+ne.ug
+com.ug
+org.ug
+
+// uk : https://en.wikipedia.org/wiki/.uk
+// Submitted by registry
+uk
+ac.uk
+co.uk
+gov.uk
+ltd.uk
+me.uk
+net.uk
+nhs.uk
+org.uk
+plc.uk
+police.uk
+*.sch.uk
+
+// us : https://en.wikipedia.org/wiki/.us
+us
+dni.us
+fed.us
+isa.us
+kids.us
+nsn.us
+// us geographic names
+ak.us
+al.us
+ar.us
+as.us
+az.us
+ca.us
+co.us
+ct.us
+dc.us
+de.us
+fl.us
+ga.us
+gu.us
+hi.us
+ia.us
+id.us
+il.us
+in.us
+ks.us
+ky.us
+la.us
+ma.us
+md.us
+me.us
+mi.us
+mn.us
+mo.us
+ms.us
+mt.us
+nc.us
+nd.us
+ne.us
+nh.us
+nj.us
+nm.us
+nv.us
+ny.us
+oh.us
+ok.us
+or.us
+pa.us
+pr.us
+ri.us
+sc.us
+sd.us
+tn.us
+tx.us
+ut.us
+vi.us
+vt.us
+va.us
+wa.us
+wi.us
+wv.us
+wy.us
+// The registrar notes several more specific domains available in each state,
+// such as state.*.us, dst.*.us, etc., but resolution of these is somewhat
+// haphazard; in some states these domains resolve as addresses, while in others
+// only subdomains are available, or even nothing at all. We include the
+// most common ones where it's clear that different sites are different
+// entities.
+k12.ak.us
+k12.al.us
+k12.ar.us
+k12.as.us
+k12.az.us
+k12.ca.us
+k12.co.us
+k12.ct.us
+k12.dc.us
+k12.de.us
+k12.fl.us
+k12.ga.us
+k12.gu.us
+// k12.hi.us Bug 614565 - Hawaii has a state-wide DOE login
+k12.ia.us
+k12.id.us
+k12.il.us
+k12.in.us
+k12.ks.us
+k12.ky.us
+k12.la.us
+k12.ma.us
+k12.md.us
+k12.me.us
+k12.mi.us
+k12.mn.us
+k12.mo.us
+k12.ms.us
+k12.mt.us
+k12.nc.us
+// k12.nd.us Bug 1028347 - Removed at request of Travis Rosso
+k12.ne.us
+k12.nh.us
+k12.nj.us
+k12.nm.us
+k12.nv.us
+k12.ny.us
+k12.oh.us
+k12.ok.us
+k12.or.us
+k12.pa.us
+k12.pr.us
+// k12.ri.us Removed at request of Kim Cournoyer
+k12.sc.us
+// k12.sd.us Bug 934131 - Removed at request of James Booze
+k12.tn.us
+k12.tx.us
+k12.ut.us
+k12.vi.us
+k12.vt.us
+k12.va.us
+k12.wa.us
+k12.wi.us
+// k12.wv.us Bug 947705 - Removed at request of Verne Britton
+k12.wy.us
+cc.ak.us
+cc.al.us
+cc.ar.us
+cc.as.us
+cc.az.us
+cc.ca.us
+cc.co.us
+cc.ct.us
+cc.dc.us
+cc.de.us
+cc.fl.us
+cc.ga.us
+cc.gu.us
+cc.hi.us
+cc.ia.us
+cc.id.us
+cc.il.us
+cc.in.us
+cc.ks.us
+cc.ky.us
+cc.la.us
+cc.ma.us
+cc.md.us
+cc.me.us
+cc.mi.us
+cc.mn.us
+cc.mo.us
+cc.ms.us
+cc.mt.us
+cc.nc.us
+cc.nd.us
+cc.ne.us
+cc.nh.us
+cc.nj.us
+cc.nm.us
+cc.nv.us
+cc.ny.us
+cc.oh.us
+cc.ok.us
+cc.or.us
+cc.pa.us
+cc.pr.us
+cc.ri.us
+cc.sc.us
+cc.sd.us
+cc.tn.us
+cc.tx.us
+cc.ut.us
+cc.vi.us
+cc.vt.us
+cc.va.us
+cc.wa.us
+cc.wi.us
+cc.wv.us
+cc.wy.us
+lib.ak.us
+lib.al.us
+lib.ar.us
+lib.as.us
+lib.az.us
+lib.ca.us
+lib.co.us
+lib.ct.us
+lib.dc.us
+// lib.de.us Issue #243 - Moved to Private section at request of Ed Moore
+lib.fl.us
+lib.ga.us
+lib.gu.us
+lib.hi.us
+lib.ia.us
+lib.id.us
+lib.il.us
+lib.in.us
+lib.ks.us
+lib.ky.us
+lib.la.us
+lib.ma.us
+lib.md.us
+lib.me.us
+lib.mi.us
+lib.mn.us
+lib.mo.us
+lib.ms.us
+lib.mt.us
+lib.nc.us
+lib.nd.us
+lib.ne.us
+lib.nh.us
+lib.nj.us
+lib.nm.us
+lib.nv.us
+lib.ny.us
+lib.oh.us
+lib.ok.us
+lib.or.us
+lib.pa.us
+lib.pr.us
+lib.ri.us
+lib.sc.us
+lib.sd.us
+lib.tn.us
+lib.tx.us
+lib.ut.us
+lib.vi.us
+lib.vt.us
+lib.va.us
+lib.wa.us
+lib.wi.us
+// lib.wv.us Bug 941670 - Removed at request of Larry W Arnold
+lib.wy.us
+// k12.ma.us contains school districts in Massachusetts. The 4LDs are
+// managed independently except for private (PVT), charter (CHTR) and
+// parochial (PAROCH) schools. Those are delegated directly to the
+// 5LD operators.
+pvt.k12.ma.us
+chtr.k12.ma.us
+paroch.k12.ma.us
+// Merit Network, Inc. maintains the registry for =~ /(k12|cc|lib).mi.us/ and the following
+// see also: http://domreg.merit.edu
+// see also: whois -h whois.domreg.merit.edu help
+ann-arbor.mi.us
+cog.mi.us
+dst.mi.us
+eaton.mi.us
+gen.mi.us
+mus.mi.us
+tec.mi.us
+washtenaw.mi.us
+
+// uy : http://www.nic.org.uy/
+uy
+com.uy
+edu.uy
+gub.uy
+mil.uy
+net.uy
+org.uy
+
+// uz : http://www.reg.uz/
+uz
+co.uz
+com.uz
+net.uz
+org.uz
+
+// va : https://en.wikipedia.org/wiki/.va
+va
+
+// vc : https://en.wikipedia.org/wiki/.vc
+// Submitted by registry
+vc
+com.vc
+net.vc
+org.vc
+gov.vc
+mil.vc
+edu.vc
+
+// ve : https://registro.nic.ve/
+// Submitted by registry nic@nic.ve and nicve@conatel.gob.ve
+ve
+arts.ve
+bib.ve
+co.ve
+com.ve
+e12.ve
+edu.ve
+firm.ve
+gob.ve
+gov.ve
+info.ve
+int.ve
+mil.ve
+net.ve
+nom.ve
+org.ve
+rar.ve
+rec.ve
+store.ve
+tec.ve
+web.ve
+
+// vg : https://en.wikipedia.org/wiki/.vg
+vg
+
+// vi : http://www.nic.vi/newdomainform.htm
+// http://www.nic.vi/Domain_Rules/body_domain_rules.html indicates some other
+// TLDs are "reserved", such as edu.vi and gov.vi, but doesn't actually say they
+// are available for registration (which they do not seem to be).
+vi
+co.vi
+com.vi
+k12.vi
+net.vi
+org.vi
+
+// vn : https://www.dot.vn/vnnic/vnnic/domainregistration.jsp
+vn
+com.vn
+net.vn
+org.vn
+edu.vn
+gov.vn
+int.vn
+ac.vn
+biz.vn
+info.vn
+name.vn
+pro.vn
+health.vn
+
+// vu : https://en.wikipedia.org/wiki/.vu
+// http://www.vunic.vu/
+vu
+com.vu
+edu.vu
+net.vu
+org.vu
+
+// wf : http://www.afnic.fr/medias/documents/AFNIC-naming-policy2012.pdf
+wf
+
+// ws : https://en.wikipedia.org/wiki/.ws
+// http://samoanic.ws/index.dhtml
+ws
+com.ws
+net.ws
+org.ws
+gov.ws
+edu.ws
+
+// yt : http://www.afnic.fr/medias/documents/AFNIC-naming-policy2012.pdf
+yt
+
+// IDN ccTLDs
+// When submitting patches, please maintain a sort by ISO 3166 ccTLD, then
+// U-label, and follow this format:
+// // A-Label ("", [, variant info]) :
+// // [sponsoring org]
+// U-Label
+
+// xn--mgbaam7a8h ("Emerat", Arabic) : AE
+// http://nic.ae/english/arabicdomain/rules.jsp
+xn--mgbaam7a8h
+
+// xn--y9a3aq ("hye", Armenian) : AM
+// ISOC AM (operated by .am Registry)
+xn--y9a3aq
+
+// xn--54b7fta0cc ("Bangla", Bangla) : BD
+xn--54b7fta0cc
+
+// xn--90ae ("bg", Bulgarian) : BG
+xn--90ae
+
+// xn--mgbcpq6gpa1a ("albahrain", Arabic) : BH
+xn--mgbcpq6gpa1a
+
+// xn--90ais ("bel", Belarusian/Russian Cyrillic) : BY
+// Operated by .by registry
+xn--90ais
+
+// xn--fiqs8s ("Zhongguo/China", Chinese, Simplified) : CN
+// CNNIC
+// http://cnnic.cn/html/Dir/2005/10/11/3218.htm
+xn--fiqs8s
+
+// xn--fiqz9s ("Zhongguo/China", Chinese, Traditional) : CN
+// CNNIC
+// http://cnnic.cn/html/Dir/2005/10/11/3218.htm
+xn--fiqz9s
+
+// xn--lgbbat1ad8j ("Algeria/Al Jazair", Arabic) : DZ
+xn--lgbbat1ad8j
+
+// xn--wgbh1c ("Egypt/Masr", Arabic) : EG
+// http://www.dotmasr.eg/
+xn--wgbh1c
+
+// xn--e1a4c ("eu", Cyrillic) : EU
+// https://eurid.eu
+xn--e1a4c
+
+// xn--qxa6a ("eu", Greek) : EU
+// https://eurid.eu
+xn--qxa6a
+
+// xn--mgbah1a3hjkrd ("Mauritania", Arabic) : MR
+xn--mgbah1a3hjkrd
+
+// xn--node ("ge", Georgian Mkhedruli) : GE
+xn--node
+
+// xn--qxam ("el", Greek) : GR
+// Hellenic Ministry of Infrastructure, Transport, and Networks
+xn--qxam
+
+// xn--j6w193g ("Hong Kong", Chinese) : HK
+// https://www.hkirc.hk
+// Submitted by registry
+// https://www.hkirc.hk/content.jsp?id=30#!/34
+xn--j6w193g
+xn--55qx5d.xn--j6w193g
+xn--wcvs22d.xn--j6w193g
+xn--mxtq1m.xn--j6w193g
+xn--gmqw5a.xn--j6w193g
+xn--od0alg.xn--j6w193g
+xn--uc0atv.xn--j6w193g
+
+// xn--2scrj9c ("Bharat", Kannada) : IN
+// India
+xn--2scrj9c
+
+// xn--3hcrj9c ("Bharat", Oriya) : IN
+// India
+xn--3hcrj9c
+
+// xn--45br5cyl ("Bharatam", Assamese) : IN
+// India
+xn--45br5cyl
+
+// xn--h2breg3eve ("Bharatam", Sanskrit) : IN
+// India
+xn--h2breg3eve
+
+// xn--h2brj9c8c ("Bharot", Santali) : IN
+// India
+xn--h2brj9c8c
+
+// xn--mgbgu82a ("Bharat", Sindhi) : IN
+// India
+xn--mgbgu82a
+
+// xn--rvc1e0am3e ("Bharatam", Malayalam) : IN
+// India
+xn--rvc1e0am3e
+
+// xn--h2brj9c ("Bharat", Devanagari) : IN
+// India
+xn--h2brj9c
+
+// xn--mgbbh1a ("Bharat", Kashmiri) : IN
+// India
+xn--mgbbh1a
+
+// xn--mgbbh1a71e ("Bharat", Arabic) : IN
+// India
+xn--mgbbh1a71e
+
+// xn--fpcrj9c3d ("Bharat", Telugu) : IN
+// India
+xn--fpcrj9c3d
+
+// xn--gecrj9c ("Bharat", Gujarati) : IN
+// India
+xn--gecrj9c
+
+// xn--s9brj9c ("Bharat", Gurmukhi) : IN
+// India
+xn--s9brj9c
+
+// xn--45brj9c ("Bharat", Bengali) : IN
+// India
+xn--45brj9c
+
+// xn--xkc2dl3a5ee0h ("India", Tamil) : IN
+// India
+xn--xkc2dl3a5ee0h
+
+// xn--mgba3a4f16a ("Iran", Persian) : IR
+xn--mgba3a4f16a
+
+// xn--mgba3a4fra ("Iran", Arabic) : IR
+xn--mgba3a4fra
+
+// xn--mgbtx2b ("Iraq", Arabic) : IQ
+// Communications and Media Commission
+xn--mgbtx2b
+
+// xn--mgbayh7gpa ("al-Ordon", Arabic) : JO
+// National Information Technology Center (NITC)
+// Royal Scientific Society, Al-Jubeiha
+xn--mgbayh7gpa
+
+// xn--3e0b707e ("Republic of Korea", Hangul) : KR
+xn--3e0b707e
+
+// xn--80ao21a ("Kaz", Kazakh) : KZ
+xn--80ao21a
+
+// xn--q7ce6a ("Lao", Lao) : LA
+xn--q7ce6a
+
+// xn--fzc2c9e2c ("Lanka", Sinhalese-Sinhala) : LK
+// https://nic.lk
+xn--fzc2c9e2c
+
+// xn--xkc2al3hye2a ("Ilangai", Tamil) : LK
+// https://nic.lk
+xn--xkc2al3hye2a
+
+// xn--mgbc0a9azcg ("Morocco/al-Maghrib", Arabic) : MA
+xn--mgbc0a9azcg
+
+// xn--d1alf ("mkd", Macedonian) : MK
+// MARnet
+xn--d1alf
+
+// xn--l1acc ("mon", Mongolian) : MN
+xn--l1acc
+
+// xn--mix891f ("Macao", Chinese, Traditional) : MO
+// MONIC / HNET Asia (Registry Operator for .mo)
+xn--mix891f
+
+// xn--mix082f ("Macao", Chinese, Simplified) : MO
+xn--mix082f
+
+// xn--mgbx4cd0ab ("Malaysia", Malay) : MY
+xn--mgbx4cd0ab
+
+// xn--mgb9awbf ("Oman", Arabic) : OM
+xn--mgb9awbf
+
+// xn--mgbai9azgqp6j ("Pakistan", Urdu/Arabic) : PK
+xn--mgbai9azgqp6j
+
+// xn--mgbai9a5eva00b ("Pakistan", Urdu/Arabic, variant) : PK
+xn--mgbai9a5eva00b
+
+// xn--ygbi2ammx ("Falasteen", Arabic) : PS
+// The Palestinian National Internet Naming Authority (PNINA)
+// http://www.pnina.ps
+xn--ygbi2ammx
+
+// xn--90a3ac ("srb", Cyrillic) : RS
+// https://www.rnids.rs/en/domains/national-domains
+xn--90a3ac
+xn--o1ac.xn--90a3ac
+xn--c1avg.xn--90a3ac
+xn--90azh.xn--90a3ac
+xn--d1at.xn--90a3ac
+xn--o1ach.xn--90a3ac
+xn--80au.xn--90a3ac
+
+// xn--p1ai ("rf", Russian-Cyrillic) : RU
+// https://cctld.ru/files/pdf/docs/en/rules_ru-rf.pdf
+// Submitted by George Georgievsky
+xn--p1ai
+
+// xn--wgbl6a ("Qatar", Arabic) : QA
+// http://www.ict.gov.qa/
+xn--wgbl6a
+
+// xn--mgberp4a5d4ar ("AlSaudiah", Arabic) : SA
+// http://www.nic.net.sa/
+xn--mgberp4a5d4ar
+
+// xn--mgberp4a5d4a87g ("AlSaudiah", Arabic, variant) : SA
+xn--mgberp4a5d4a87g
+
+// xn--mgbqly7c0a67fbc ("AlSaudiah", Arabic, variant) : SA
+xn--mgbqly7c0a67fbc
+
+// xn--mgbqly7cvafr ("AlSaudiah", Arabic, variant) : SA
+xn--mgbqly7cvafr
+
+// xn--mgbpl2fh ("sudan", Arabic) : SD
+// Operated by .sd registry
+xn--mgbpl2fh
+
+// xn--yfro4i67o Singapore ("Singapore", Chinese) : SG
+xn--yfro4i67o
+
+// xn--clchc0ea0b2g2a9gcd ("Singapore", Tamil) : SG
+xn--clchc0ea0b2g2a9gcd
+
+// xn--ogbpf8fl ("Syria", Arabic) : SY
+xn--ogbpf8fl
+
+// xn--mgbtf8fl ("Syria", Arabic, variant) : SY
+xn--mgbtf8fl
+
+// xn--o3cw4h ("Thai", Thai) : TH
+// http://www.thnic.co.th
+xn--o3cw4h
+xn--12c1fe0br.xn--o3cw4h
+xn--12co0c3b4eva.xn--o3cw4h
+xn--h3cuzk1di.xn--o3cw4h
+xn--o3cyx2a.xn--o3cw4h
+xn--m3ch0j3a.xn--o3cw4h
+xn--12cfi8ixb8l.xn--o3cw4h
+
+// xn--pgbs0dh ("Tunisia", Arabic) : TN
+// http://nic.tn
+xn--pgbs0dh
+
+// xn--kpry57d ("Taiwan", Chinese, Traditional) : TW
+// http://www.twnic.net/english/dn/dn_07a.htm
+xn--kpry57d
+
+// xn--kprw13d ("Taiwan", Chinese, Simplified) : TW
+// http://www.twnic.net/english/dn/dn_07a.htm
+xn--kprw13d
+
+// xn--nnx388a ("Taiwan", Chinese, variant) : TW
+xn--nnx388a
+
+// xn--j1amh ("ukr", Cyrillic) : UA
+xn--j1amh
+
+// xn--mgb2ddes ("AlYemen", Arabic) : YE
+xn--mgb2ddes
+
+// xxx : http://icmregistry.com
+xxx
+
+// ye : http://www.y.net.ye/services/domain_name.htm
+ye
+com.ye
+edu.ye
+gov.ye
+net.ye
+mil.ye
+org.ye
+
+// za : https://www.zadna.org.za/content/page/domain-information/
+ac.za
+agric.za
+alt.za
+co.za
+edu.za
+gov.za
+grondar.za
+law.za
+mil.za
+net.za
+ngo.za
+nic.za
+nis.za
+nom.za
+org.za
+school.za
+tm.za
+web.za
+
+// zm : https://zicta.zm/
+// Submitted by registry
+zm
+ac.zm
+biz.zm
+co.zm
+com.zm
+edu.zm
+gov.zm
+info.zm
+mil.zm
+net.zm
+org.zm
+sch.zm
+
+// zw : https://www.potraz.gov.zw/
+// Confirmed by registry 2017-01-25
+zw
+ac.zw
+co.zw
+gov.zw
+mil.zw
+org.zw
+
+
+// newGTLDs
+
+// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2022-11-02T15:17:39Z
+// This list is auto-generated, don't edit it manually.
+// aaa : 2015-02-26 American Automobile Association, Inc.
+aaa
+
+// aarp : 2015-05-21 AARP
+aarp
+
+// abarth : 2015-07-30 Fiat Chrysler Automobiles N.V.
+abarth
+
+// abb : 2014-10-24 ABB Ltd
+abb
+
+// abbott : 2014-07-24 Abbott Laboratories, Inc.
+abbott
+
+// abbvie : 2015-07-30 AbbVie Inc.
+abbvie + +// abc : 2015-07-30 Disney Enterprises, Inc. +abc + +// able : 2015-06-25 Able Inc. +able + +// abogado : 2014-04-24 Registry Services, LLC +abogado + +// abudhabi : 2015-07-30 Abu Dhabi Systems and Information Centre +abudhabi + +// academy : 2013-11-07 Binky Moon, LLC +academy + +// accenture : 2014-08-15 Accenture plc +accenture + +// accountant : 2014-11-20 dot Accountant Limited +accountant + +// accountants : 2014-03-20 Binky Moon, LLC +accountants + +// aco : 2015-01-08 ACO Severin Ahlmann GmbH & Co. KG +aco + +// actor : 2013-12-12 Dog Beach, LLC +actor + +// adac : 2015-07-16 Allgemeiner Deutscher Automobil-Club e.V. (ADAC) +adac + +// ads : 2014-12-04 Charleston Road Registry Inc. +ads + +// adult : 2014-10-16 ICM Registry AD LLC +adult + +// aeg : 2015-03-19 Aktiebolaget Electrolux +aeg + +// aetna : 2015-05-21 Aetna Life Insurance Company +aetna + +// afl : 2014-10-02 Australian Football League +afl + +// africa : 2014-03-24 ZA Central Registry NPC trading as Registry.Africa +africa + +// agakhan : 2015-04-23 Fondation Aga Khan (Aga Khan Foundation) +agakhan + +// agency : 2013-11-14 Binky Moon, LLC +agency + +// aig : 2014-12-18 American International Group, Inc. +aig + +// airbus : 2015-07-30 Airbus S.A.S. +airbus + +// airforce : 2014-03-06 Dog Beach, LLC +airforce + +// airtel : 2014-10-24 Bharti Airtel Limited +airtel + +// akdn : 2015-04-23 Fondation Aga Khan (Aga Khan Foundation) +akdn + +// alfaromeo : 2015-07-31 Fiat Chrysler Automobiles N.V. +alfaromeo + +// alibaba : 2015-01-15 Alibaba Group Holding Limited +alibaba + +// alipay : 2015-01-15 Alibaba Group Holding Limited +alipay + +// allfinanz : 2014-07-03 Allfinanz Deutsche Vermögensberatung Aktiengesellschaft +allfinanz + +// allstate : 2015-07-31 Allstate Fire and Casualty Insurance Company +allstate + +// ally : 2015-06-18 Ally Financial Inc. 
+ally + +// alsace : 2014-07-02 Region Grand Est +alsace + +// alstom : 2015-07-30 ALSTOM +alstom + +// amazon : 2019-12-19 Amazon Registry Services, Inc. +amazon + +// americanexpress : 2015-07-31 American Express Travel Related Services Company, Inc. +americanexpress + +// americanfamily : 2015-07-23 AmFam, Inc. +americanfamily + +// amex : 2015-07-31 American Express Travel Related Services Company, Inc. +amex + +// amfam : 2015-07-23 AmFam, Inc. +amfam + +// amica : 2015-05-28 Amica Mutual Insurance Company +amica + +// amsterdam : 2014-07-24 Gemeente Amsterdam +amsterdam + +// analytics : 2014-12-18 Campus IP LLC +analytics + +// android : 2014-08-07 Charleston Road Registry Inc. +android + +// anquan : 2015-01-08 Beijing Qihu Keji Co., Ltd. +anquan + +// anz : 2015-07-31 Australia and New Zealand Banking Group Limited +anz + +// aol : 2015-09-17 Oath Inc. +aol + +// apartments : 2014-12-11 Binky Moon, LLC +apartments + +// app : 2015-05-14 Charleston Road Registry Inc. +app + +// apple : 2015-05-14 Apple Inc. +apple + +// aquarelle : 2014-07-24 Aquarelle.com +aquarelle + +// arab : 2015-11-12 League of Arab States +arab + +// aramco : 2014-11-20 Aramco Services Company +aramco + +// archi : 2014-02-06 Identity Digital Limited +archi + +// army : 2014-03-06 Dog Beach, LLC +army + +// art : 2016-03-24 UK Creative Ideas Limited +art + +// arte : 2014-12-11 Association Relative à la Télévision Européenne G.E.I.E. +arte + +// asda : 2015-07-31 Wal-Mart Stores, Inc. +asda + +// associates : 2014-03-06 Binky Moon, LLC +associates + +// athleta : 2015-07-30 The Gap, Inc. +athleta + +// attorney : 2014-03-20 Dog Beach, LLC +attorney + +// auction : 2014-03-20 Dog Beach, LLC +auction + +// audi : 2015-05-21 AUDI Aktiengesellschaft +audi + +// audible : 2015-06-25 Amazon Registry Services, Inc. +audible + +// audio : 2014-03-20 XYZ.COM LLC +audio + +// auspost : 2015-08-13 Australian Postal Corporation +auspost + +// author : 2014-12-18 Amazon Registry Services, Inc. 
+author + +// auto : 2014-11-13 XYZ.COM LLC +auto + +// autos : 2014-01-09 XYZ.COM LLC +autos + +// avianca : 2015-01-08 Avianca Inc. +avianca + +// aws : 2015-06-25 AWS Registry LLC +aws + +// axa : 2013-12-19 AXA Group Operations SAS +axa + +// azure : 2014-12-18 Microsoft Corporation +azure + +// baby : 2015-04-09 XYZ.COM LLC +baby + +// baidu : 2015-01-08 Baidu, Inc. +baidu + +// banamex : 2015-07-30 Citigroup Inc. +banamex + +// bananarepublic : 2015-07-31 The Gap, Inc. +bananarepublic + +// band : 2014-06-12 Dog Beach, LLC +band + +// bank : 2014-09-25 fTLD Registry Services LLC +bank + +// bar : 2013-12-12 Punto 2012 Sociedad Anonima Promotora de Inversion de Capital Variable +bar + +// barcelona : 2014-07-24 Municipi de Barcelona +barcelona + +// barclaycard : 2014-11-20 Barclays Bank PLC +barclaycard + +// barclays : 2014-11-20 Barclays Bank PLC +barclays + +// barefoot : 2015-06-11 Gallo Vineyards, Inc. +barefoot + +// bargains : 2013-11-14 Binky Moon, LLC +bargains + +// baseball : 2015-10-29 MLB Advanced Media DH, LLC +baseball + +// basketball : 2015-08-20 Fédération Internationale de Basketball (FIBA) +basketball + +// bauhaus : 2014-04-17 Werkhaus GmbH +bauhaus + +// bayern : 2014-01-23 Bayern Connect GmbH +bayern + +// bbc : 2014-12-18 British Broadcasting Corporation +bbc + +// bbt : 2015-07-23 BB&T Corporation +bbt + +// bbva : 2014-10-02 BANCO BILBAO VIZCAYA ARGENTARIA, S.A. +bbva + +// bcg : 2015-04-02 The Boston Consulting Group, Inc. +bcg + +// bcn : 2014-07-24 Municipi de Barcelona +bcn + +// beats : 2015-05-14 Beats Electronics, LLC +beats + +// beauty : 2015-12-03 XYZ.COM LLC +beauty + +// beer : 2014-01-09 Registry Services, LLC +beer + +// bentley : 2014-12-18 Bentley Motors Limited +bentley + +// berlin : 2013-10-31 dotBERLIN GmbH & Co. KG +berlin + +// best : 2013-12-19 BestTLD Pty Ltd +best + +// bestbuy : 2015-07-31 BBY Solutions, Inc. 
+bestbuy + +// bet : 2015-05-07 Identity Digital Limited +bet + +// bharti : 2014-01-09 Bharti Enterprises (Holding) Private Limited +bharti + +// bible : 2014-06-19 American Bible Society +bible + +// bid : 2013-12-19 dot Bid Limited +bid + +// bike : 2013-08-27 Binky Moon, LLC +bike + +// bing : 2014-12-18 Microsoft Corporation +bing + +// bingo : 2014-12-04 Binky Moon, LLC +bingo + +// bio : 2014-03-06 Identity Digital Limited +bio + +// black : 2014-01-16 Identity Digital Limited +black + +// blackfriday : 2014-01-16 Registry Services, LLC +blackfriday + +// blockbuster : 2015-07-30 Dish DBS Corporation +blockbuster + +// blog : 2015-05-14 Knock Knock WHOIS There, LLC +blog + +// bloomberg : 2014-07-17 Bloomberg IP Holdings LLC +bloomberg + +// blue : 2013-11-07 Identity Digital Limited +blue + +// bms : 2014-10-30 Bristol-Myers Squibb Company +bms + +// bmw : 2014-01-09 Bayerische Motoren Werke Aktiengesellschaft +bmw + +// bnpparibas : 2014-05-29 BNP Paribas +bnpparibas + +// boats : 2014-12-04 XYZ.COM LLC +boats + +// boehringer : 2015-07-09 Boehringer Ingelheim International GmbH +boehringer + +// bofa : 2015-07-31 Bank of America Corporation +bofa + +// bom : 2014-10-16 Núcleo de Informação e Coordenação do Ponto BR - NIC.br +bom + +// bond : 2014-06-05 ShortDot SA +bond + +// boo : 2014-01-30 Charleston Road Registry Inc. +boo + +// book : 2015-08-27 Amazon Registry Services, Inc. +book + +// booking : 2015-07-16 Booking.com B.V. +booking + +// bosch : 2015-06-18 Robert Bosch GMBH +bosch + +// bostik : 2015-05-28 Bostik SA +bostik + +// boston : 2015-12-10 Registry Services, LLC +boston + +// bot : 2014-12-18 Amazon Registry Services, Inc. +bot + +// boutique : 2013-11-14 Binky Moon, LLC +boutique + +// box : 2015-11-12 Intercap Registry Inc. +box + +// bradesco : 2014-12-18 Banco Bradesco S.A. +bradesco + +// bridgestone : 2014-12-18 Bridgestone Corporation +bridgestone + +// broadway : 2014-12-22 Celebrate Broadway, Inc. 
+broadway + +// broker : 2014-12-11 Dog Beach, LLC +broker + +// brother : 2015-01-29 Brother Industries, Ltd. +brother + +// brussels : 2014-02-06 DNS.be vzw +brussels + +// build : 2013-11-07 Plan Bee LLC +build + +// builders : 2013-11-07 Binky Moon, LLC +builders + +// business : 2013-11-07 Binky Moon, LLC +business + +// buy : 2014-12-18 Amazon Registry Services, Inc. +buy + +// buzz : 2013-10-02 DOTSTRATEGY CO. +buzz + +// bzh : 2014-02-27 Association www.bzh +bzh + +// cab : 2013-10-24 Binky Moon, LLC +cab + +// cafe : 2015-02-11 Binky Moon, LLC +cafe + +// cal : 2014-07-24 Charleston Road Registry Inc. +cal + +// call : 2014-12-18 Amazon Registry Services, Inc. +call + +// calvinklein : 2015-07-30 PVH gTLD Holdings LLC +calvinklein + +// cam : 2016-04-21 Cam Connecting SARL +cam + +// camera : 2013-08-27 Binky Moon, LLC +camera + +// camp : 2013-11-07 Binky Moon, LLC +camp + +// canon : 2014-09-12 Canon Inc. +canon + +// capetown : 2014-03-24 ZA Central Registry NPC trading as ZA Central Registry +capetown + +// capital : 2014-03-06 Binky Moon, LLC +capital + +// capitalone : 2015-08-06 Capital One Financial Corporation +capitalone + +// car : 2015-01-22 XYZ.COM LLC +car + +// caravan : 2013-12-12 Caravan International, Inc. 
+caravan + +// cards : 2013-12-05 Binky Moon, LLC +cards + +// care : 2014-03-06 Binky Moon, LLC +care + +// career : 2013-10-09 dotCareer LLC +career + +// careers : 2013-10-02 Binky Moon, LLC +careers + +// cars : 2014-11-13 XYZ.COM LLC +cars + +// casa : 2013-11-21 Registry Services, LLC +casa + +// case : 2015-09-03 Digity, LLC +case + +// cash : 2014-03-06 Binky Moon, LLC +cash + +// casino : 2014-12-18 Binky Moon, LLC +casino + +// catering : 2013-12-05 Binky Moon, LLC +catering + +// catholic : 2015-10-21 Pontificium Consilium de Comunicationibus Socialibus (PCCS) (Pontifical Council for Social Communication) +catholic + +// cba : 2014-06-26 COMMONWEALTH BANK OF AUSTRALIA +cba + +// cbn : 2014-08-22 The Christian Broadcasting Network, Inc. +cbn + +// cbre : 2015-07-02 CBRE, Inc. +cbre + +// cbs : 2015-08-06 CBS Domains Inc. +cbs + +// center : 2013-11-07 Binky Moon, LLC +center + +// ceo : 2013-11-07 CEOTLD Pty Ltd +ceo + +// cern : 2014-06-05 European Organization for Nuclear Research ("CERN") +cern + +// cfa : 2014-08-28 CFA Institute +cfa + +// cfd : 2014-12-11 ShortDot SA +cfd + +// chanel : 2015-04-09 Chanel International B.V. +chanel + +// channel : 2014-05-08 Charleston Road Registry Inc. +channel + +// charity : 2018-04-11 Public Interest Registry +charity + +// chase : 2015-04-30 JPMorgan Chase Bank, National Association +chase + +// chat : 2014-12-04 Binky Moon, LLC +chat + +// cheap : 2013-11-14 Binky Moon, LLC +cheap + +// chintai : 2015-06-11 CHINTAI Corporation +chintai + +// christmas : 2013-11-21 XYZ.COM LLC +christmas + +// chrome : 2014-07-24 Charleston Road Registry Inc. +chrome + +// church : 2014-02-06 Binky Moon, LLC +church + +// cipriani : 2015-02-19 Hotel Cipriani Srl +cipriani + +// circle : 2014-12-18 Amazon Registry Services, Inc. +circle + +// cisco : 2014-12-22 Cisco Technology, Inc. +cisco + +// citadel : 2015-07-23 Citadel Domain LLC +citadel + +// citi : 2015-07-30 Citigroup Inc. 
+citi + +// citic : 2014-01-09 CITIC Group Corporation +citic + +// city : 2014-05-29 Binky Moon, LLC +city + +// cityeats : 2014-12-11 Lifestyle Domain Holdings, Inc. +cityeats + +// claims : 2014-03-20 Binky Moon, LLC +claims + +// cleaning : 2013-12-05 Binky Moon, LLC +cleaning + +// click : 2014-06-05 Internet Naming Company LLC +click + +// clinic : 2014-03-20 Binky Moon, LLC +clinic + +// clinique : 2015-10-01 The Estée Lauder Companies Inc. +clinique + +// clothing : 2013-08-27 Binky Moon, LLC +clothing + +// cloud : 2015-04-16 Aruba PEC S.p.A. +cloud + +// club : 2013-11-08 Registry Services, LLC +club + +// clubmed : 2015-06-25 Club Méditerranée S.A. +clubmed + +// coach : 2014-10-09 Binky Moon, LLC +coach + +// codes : 2013-10-31 Binky Moon, LLC +codes + +// coffee : 2013-10-17 Binky Moon, LLC +coffee + +// college : 2014-01-16 XYZ.COM LLC +college + +// cologne : 2014-02-05 dotKoeln GmbH +cologne + +// comcast : 2015-07-23 Comcast IP Holdings I, LLC +comcast + +// commbank : 2014-06-26 COMMONWEALTH BANK OF AUSTRALIA +commbank + +// community : 2013-12-05 Binky Moon, LLC +community + +// company : 2013-11-07 Binky Moon, LLC +company + +// compare : 2015-10-08 Registry Services, LLC +compare + +// computer : 2013-10-24 Binky Moon, LLC +computer + +// comsec : 2015-01-08 VeriSign, Inc. +comsec + +// condos : 2013-12-05 Binky Moon, LLC +condos + +// construction : 2013-09-16 Binky Moon, LLC +construction + +// consulting : 2013-12-05 Dog Beach, LLC +consulting + +// contact : 2015-01-08 Dog Beach, LLC +contact + +// contractors : 2013-09-10 Binky Moon, LLC +contractors + +// cooking : 2013-11-21 Registry Services, LLC +cooking + +// cookingchannel : 2015-07-02 Lifestyle Domain Holdings, Inc. +cookingchannel + +// cool : 2013-11-14 Binky Moon, LLC +cool + +// corsica : 2014-09-25 Collectivité de Corse +corsica + +// country : 2013-12-19 Internet Naming Company LLC +country + +// coupon : 2015-02-26 Amazon Registry Services, Inc. 
+coupon
+
+// coupons : 2015-03-26 Binky Moon, LLC
+coupons
+
+// courses : 2014-12-04 Registry Services, LLC
+courses
+
+// cpa : 2019-06-10 American Institute of Certified Public Accountants
+cpa
+
+// credit : 2014-03-20 Binky Moon, LLC
+credit
+
+// creditcard : 2014-03-20 Binky Moon, LLC
+creditcard
+
+// creditunion : 2015-01-22 DotCooperation LLC
+creditunion
+
+// cricket : 2014-10-09 dot Cricket Limited
+cricket
+
+// crown : 2014-10-24 Crown Equipment Corporation
+crown
+
+// crs : 2014-04-03 Federated Co-operatives Limited
+crs
+
+// cruise : 2015-12-10 Viking River Cruises (Bermuda) Ltd.
+cruise
+
+// cruises : 2013-12-05 Binky Moon, LLC
+cruises
+
+// cuisinella : 2014-04-03 SCHMIDT GROUPE S.A.S.
+cuisinella
+
+// cymru : 2014-05-08 Nominet UK
+cymru
+
+// cyou : 2015-01-22 ShortDot SA
+cyou
+
+// dabur : 2014-02-06 Dabur India Limited
+dabur
+
+// dad : 2014-01-23 Charleston Road Registry Inc.
+dad
+
+// dance : 2013-10-24 Dog Beach, LLC
+dance
+
+// data : 2016-06-02 Dish DBS Corporation
+data
+
+// date : 2014-11-20 dot Date Limited
+date
+
+// dating : 2013-12-05 Binky Moon, LLC
+dating
+
+// datsun : 2014-03-27 NISSAN MOTOR CO., LTD.
+datsun
+
+// day : 2014-01-30 Charleston Road Registry Inc.
+day
+
+// dclk : 2014-11-20 Charleston Road Registry Inc.
+dclk
+
+// dds : 2015-05-07 Registry Services, LLC
+dds
+
+// deal : 2015-06-25 Amazon Registry Services, Inc.
+deal
+
+// dealer : 2014-12-22 Intercap Registry Inc.
+dealer
+
+// deals : 2014-05-22 Binky Moon, LLC
+deals
+
+// degree : 2014-03-06 Dog Beach, LLC
+degree
+
+// delivery : 2014-09-11 Binky Moon, LLC
+delivery
+
+// dell : 2014-10-24 Dell Inc.
+dell
+
+// deloitte : 2015-07-31 Deloitte Touche Tohmatsu
+deloitte
+
+// delta : 2015-02-19 Delta Air Lines, Inc.
+delta
+
+// democrat : 2013-10-24 Dog Beach, LLC
+democrat
+
+// dental : 2014-03-20 Binky Moon, LLC
+dental
+
+// dentist : 2014-03-20 Dog Beach, LLC
+dentist
+
+// desi : 2013-11-14 Desi Networks LLC
+desi
+
+// design : 2014-11-07 Registry Services, LLC
+design
+
+// dev : 2014-10-16 Charleston Road Registry Inc.
+dev
+
+// dhl : 2015-07-23 Deutsche Post AG
+dhl
+
+// diamonds : 2013-09-22 Binky Moon, LLC
+diamonds
+
+// diet : 2014-06-26 XYZ.COM LLC
+diet
+
+// digital : 2014-03-06 Binky Moon, LLC
+digital
+
+// direct : 2014-04-10 Binky Moon, LLC
+direct
+
+// directory : 2013-09-20 Binky Moon, LLC
+directory
+
+// discount : 2014-03-06 Binky Moon, LLC
+discount
+
+// discover : 2015-07-23 Discover Financial Services
+discover
+
+// dish : 2015-07-30 Dish DBS Corporation
+dish
+
+// diy : 2015-11-05 Lifestyle Domain Holdings, Inc.
+diy
+
+// dnp : 2013-12-13 Dai Nippon Printing Co., Ltd.
+dnp
+
+// docs : 2014-10-16 Charleston Road Registry Inc.
+docs
+
+// doctor : 2016-06-02 Binky Moon, LLC
+doctor
+
+// dog : 2014-12-04 Binky Moon, LLC
+dog
+
+// domains : 2013-10-17 Binky Moon, LLC
+domains
+
+// dot : 2015-05-21 Dish DBS Corporation
+dot
+
+// download : 2014-11-20 dot Support Limited
+download
+
+// drive : 2015-03-05 Charleston Road Registry Inc.
+drive
+
+// dtv : 2015-06-04 Dish DBS Corporation
+dtv
+
+// dubai : 2015-01-01 Dubai Smart Government Department
+dubai
+
+// dunlop : 2015-07-02 The Goodyear Tire & Rubber Company
+dunlop
+
+// dupont : 2015-06-25 DuPont Specialty Products USA, LLC
+dupont
+
+// durban : 2014-03-24 ZA Central Registry NPC trading as ZA Central Registry
+durban
+
+// dvag : 2014-06-23 Deutsche Vermögensberatung Aktiengesellschaft DVAG
+dvag
+
+// dvr : 2016-05-26 DISH Technologies L.L.C.
+dvr
+
+// earth : 2014-12-04 Interlink Systems Innovation Institute K.K.
+earth
+
+// eat : 2014-01-23 Charleston Road Registry Inc.
+eat
+
+// eco : 2016-07-08 Big Room Inc.
+eco
+
+// edeka : 2014-12-18 EDEKA Verband kaufmännischer Genossenschaften e.V.
+edeka
+
+// education : 2013-11-07 Binky Moon, LLC
+education
+
+// email : 2013-10-31 Binky Moon, LLC
+email
+
+// emerck : 2014-04-03 Merck KGaA
+emerck
+
+// energy : 2014-09-11 Binky Moon, LLC
+energy
+
+// engineer : 2014-03-06 Dog Beach, LLC
+engineer
+
+// engineering : 2014-03-06 Binky Moon, LLC
+engineering
+
+// enterprises : 2013-09-20 Binky Moon, LLC
+enterprises
+
+// epson : 2014-12-04 Seiko Epson Corporation
+epson
+
+// equipment : 2013-08-27 Binky Moon, LLC
+equipment
+
+// ericsson : 2015-07-09 Telefonaktiebolaget L M Ericsson
+ericsson
+
+// erni : 2014-04-03 ERNI Group Holding AG
+erni
+
+// esq : 2014-05-08 Charleston Road Registry Inc.
+esq
+
+// estate : 2013-08-27 Binky Moon, LLC
+estate
+
+// etisalat : 2015-09-03 Emirates Telecommunications Corporation (trading as Etisalat)
+etisalat
+
+// eurovision : 2014-04-24 European Broadcasting Union (EBU)
+eurovision
+
+// eus : 2013-12-12 Puntueus Fundazioa
+eus
+
+// events : 2013-12-05 Binky Moon, LLC
+events
+
+// exchange : 2014-03-06 Binky Moon, LLC
+exchange
+
+// expert : 2013-11-21 Binky Moon, LLC
+expert
+
+// exposed : 2013-12-05 Binky Moon, LLC
+exposed
+
+// express : 2015-02-11 Binky Moon, LLC
+express
+
+// extraspace : 2015-05-14 Extra Space Storage LLC
+extraspace
+
+// fage : 2014-12-18 Fage International S.A.
+fage
+
+// fail : 2014-03-06 Binky Moon, LLC
+fail
+
+// fairwinds : 2014-11-13 FairWinds Partners, LLC
+fairwinds
+
+// faith : 2014-11-20 dot Faith Limited
+faith
+
+// family : 2015-04-02 Dog Beach, LLC
+family
+
+// fan : 2014-03-06 Dog Beach, LLC
+fan
+
+// fans : 2014-11-07 ZDNS International Limited
+fans
+
+// farm : 2013-11-07 Binky Moon, LLC
+farm
+
+// farmers : 2015-07-09 Farmers Insurance Exchange
+farmers
+
+// fashion : 2014-07-03 Registry Services, LLC
+fashion
+
+// fast : 2014-12-18 Amazon Registry Services, Inc.
+fast
+
+// fedex : 2015-08-06 Federal Express Corporation
+fedex
+
+// feedback : 2013-12-19 Top Level Spectrum, Inc.
+feedback
+
+// ferrari : 2015-07-31 Fiat Chrysler Automobiles N.V.
+ferrari
+
+// ferrero : 2014-12-18 Ferrero Trading Lux S.A.
+ferrero
+
+// fiat : 2015-07-31 Fiat Chrysler Automobiles N.V.
+fiat
+
+// fidelity : 2015-07-30 Fidelity Brokerage Services LLC
+fidelity
+
+// fido : 2015-08-06 Rogers Communications Canada Inc.
+fido
+
+// film : 2015-01-08 Motion Picture Domain Registry Pty Ltd
+film
+
+// final : 2014-10-16 Núcleo de Informação e Coordenação do Ponto BR - NIC.br
+final
+
+// finance : 2014-03-20 Binky Moon, LLC
+finance
+
+// financial : 2014-03-06 Binky Moon, LLC
+financial
+
+// fire : 2015-06-25 Amazon Registry Services, Inc.
+fire
+
+// firestone : 2014-12-18 Bridgestone Licensing Services, Inc
+firestone
+
+// firmdale : 2014-03-27 Firmdale Holdings Limited
+firmdale
+
+// fish : 2013-12-12 Binky Moon, LLC
+fish
+
+// fishing : 2013-11-21 Registry Services, LLC
+fishing
+
+// fit : 2014-11-07 Registry Services, LLC
+fit
+
+// fitness : 2014-03-06 Binky Moon, LLC
+fitness
+
+// flickr : 2015-04-02 Flickr, Inc.
+flickr
+
+// flights : 2013-12-05 Binky Moon, LLC
+flights
+
+// flir : 2015-07-23 FLIR Systems, Inc.
+flir
+
+// florist : 2013-11-07 Binky Moon, LLC
+florist
+
+// flowers : 2014-10-09 XYZ.COM LLC
+flowers
+
+// fly : 2014-05-08 Charleston Road Registry Inc.
+fly
+
+// foo : 2014-01-23 Charleston Road Registry Inc.
+foo
+
+// food : 2016-04-21 Lifestyle Domain Holdings, Inc.
+food
+
+// foodnetwork : 2015-07-02 Lifestyle Domain Holdings, Inc.
+foodnetwork
+
+// football : 2014-12-18 Binky Moon, LLC
+football
+
+// ford : 2014-11-13 Ford Motor Company
+ford
+
+// forex : 2014-12-11 Dog Beach, LLC
+forex
+
+// forsale : 2014-05-22 Dog Beach, LLC
+forsale
+
+// forum : 2015-04-02 Fegistry, LLC
+forum
+
+// foundation : 2013-12-05 Public Interest Registry
+foundation
+
+// fox : 2015-09-11 FOX Registry, LLC
+fox
+
+// free : 2015-12-10 Amazon Registry Services, Inc.
+free
+
+// fresenius : 2015-07-30 Fresenius Immobilien-Verwaltungs-GmbH
+fresenius
+
+// frl : 2014-05-15 FRLregistry B.V.
+frl
+
+// frogans : 2013-12-19 OP3FT
+frogans
+
+// frontdoor : 2015-07-02 Lifestyle Domain Holdings, Inc.
+frontdoor
+
+// frontier : 2015-02-05 Frontier Communications Corporation
+frontier
+
+// ftr : 2015-07-16 Frontier Communications Corporation
+ftr
+
+// fujitsu : 2015-07-30 Fujitsu Limited
+fujitsu
+
+// fun : 2016-01-14 Radix FZC
+fun
+
+// fund : 2014-03-20 Binky Moon, LLC
+fund
+
+// furniture : 2014-03-20 Binky Moon, LLC
+furniture
+
+// futbol : 2013-09-20 Dog Beach, LLC
+futbol
+
+// fyi : 2015-04-02 Binky Moon, LLC
+fyi
+
+// gal : 2013-11-07 Asociación puntoGAL
+gal
+
+// gallery : 2013-09-13 Binky Moon, LLC
+gallery
+
+// gallo : 2015-06-11 Gallo Vineyards, Inc.
+gallo
+
+// gallup : 2015-02-19 Gallup, Inc.
+gallup
+
+// game : 2015-05-28 XYZ.COM LLC
+game
+
+// games : 2015-05-28 Dog Beach, LLC
+games
+
+// gap : 2015-07-31 The Gap, Inc.
+gap
+
+// garden : 2014-06-26 Registry Services, LLC
+garden
+
+// gay : 2019-05-23 Top Level Design, LLC
+gay
+
+// gbiz : 2014-07-17 Charleston Road Registry Inc.
+gbiz
+
+// gdn : 2014-07-31 Joint Stock Company "Navigation-information systems"
+gdn
+
+// gea : 2014-12-04 GEA Group Aktiengesellschaft
+gea
+
+// gent : 2014-01-23 Easyhost BV
+gent
+
+// genting : 2015-03-12 Resorts World Inc Pte. Ltd.
+genting
+
+// george : 2015-07-31 Wal-Mart Stores, Inc.
+george
+
+// ggee : 2014-01-09 GMO Internet, Inc.
+ggee
+
+// gift : 2013-10-17 DotGift, LLC
+gift
+
+// gifts : 2014-07-03 Binky Moon, LLC
+gifts
+
+// gives : 2014-03-06 Public Interest Registry
+gives
+
+// giving : 2014-11-13 Public Interest Registry
+giving
+
+// glass : 2013-11-07 Binky Moon, LLC
+glass
+
+// gle : 2014-07-24 Charleston Road Registry Inc.
+gle
+
+// global : 2014-04-17 Dot Global Domain Registry Limited
+global
+
+// globo : 2013-12-19 Globo Comunicação e Participações S.A
+globo
+
+// gmail : 2014-05-01 Charleston Road Registry Inc.
+gmail
+
+// gmbh : 2016-01-29 Binky Moon, LLC
+gmbh
+
+// gmo : 2014-01-09 GMO Internet, Inc.
+gmo
+
+// gmx : 2014-04-24 1&1 Mail & Media GmbH
+gmx
+
+// godaddy : 2015-07-23 Go Daddy East, LLC
+godaddy
+
+// gold : 2015-01-22 Binky Moon, LLC
+gold
+
+// goldpoint : 2014-11-20 YODOBASHI CAMERA CO.,LTD.
+goldpoint
+
+// golf : 2014-12-18 Binky Moon, LLC
+golf
+
+// goo : 2014-12-18 NTT Resonant Inc.
+goo
+
+// goodyear : 2015-07-02 The Goodyear Tire & Rubber Company
+goodyear
+
+// goog : 2014-11-20 Charleston Road Registry Inc.
+goog
+
+// google : 2014-07-24 Charleston Road Registry Inc.
+google
+
+// gop : 2014-01-16 Republican State Leadership Committee, Inc.
+gop
+
+// got : 2014-12-18 Amazon Registry Services, Inc.
+got
+
+// grainger : 2015-05-07 Grainger Registry Services, LLC
+grainger
+
+// graphics : 2013-09-13 Binky Moon, LLC
+graphics
+
+// gratis : 2014-03-20 Binky Moon, LLC
+gratis
+
+// green : 2014-05-08 Identity Digital Limited
+green
+
+// gripe : 2014-03-06 Binky Moon, LLC
+gripe
+
+// grocery : 2016-06-16 Wal-Mart Stores, Inc.
+grocery
+
+// group : 2014-08-15 Binky Moon, LLC
+group
+
+// guardian : 2015-07-30 The Guardian Life Insurance Company of America
+guardian
+
+// gucci : 2014-11-13 Guccio Gucci S.p.a.
+gucci
+
+// guge : 2014-08-28 Charleston Road Registry Inc.
+guge
+
+// guide : 2013-09-13 Binky Moon, LLC
+guide
+
+// guitars : 2013-11-14 XYZ.COM LLC
+guitars
+
+// guru : 2013-08-27 Binky Moon, LLC
+guru
+
+// hair : 2015-12-03 XYZ.COM LLC
+hair
+
+// hamburg : 2014-02-20 Hamburg Top-Level-Domain GmbH
+hamburg
+
+// hangout : 2014-11-13 Charleston Road Registry Inc.
+hangout
+
+// haus : 2013-12-05 Dog Beach, LLC
+haus
+
+// hbo : 2015-07-30 HBO Registry Services, Inc.
+hbo
+
+// hdfc : 2015-07-30 HOUSING DEVELOPMENT FINANCE CORPORATION LIMITED
+hdfc
+
+// hdfcbank : 2015-02-12 HDFC Bank Limited
+hdfcbank
+
+// health : 2015-02-11 DotHealth, LLC
+health
+
+// healthcare : 2014-06-12 Binky Moon, LLC
+healthcare
+
+// help : 2014-06-26 Innovation service Limited
+help
+
+// helsinki : 2015-02-05 City of Helsinki
+helsinki
+
+// here : 2014-02-06 Charleston Road Registry Inc.
+here
+
+// hermes : 2014-07-10 HERMES INTERNATIONAL
+hermes
+
+// hgtv : 2015-07-02 Lifestyle Domain Holdings, Inc.
+hgtv
+
+// hiphop : 2014-03-06 Dot Hip Hop, LLC
+hiphop
+
+// hisamitsu : 2015-07-16 Hisamitsu Pharmaceutical Co.,Inc.
+hisamitsu
+
+// hitachi : 2014-10-31 Hitachi, Ltd.
+hitachi
+
+// hiv : 2014-03-13 Internet Naming Company LLC
+hiv
+
+// hkt : 2015-05-14 PCCW-HKT DataCom Services Limited
+hkt
+
+// hockey : 2015-03-19 Binky Moon, LLC
+hockey
+
+// holdings : 2013-08-27 Binky Moon, LLC
+holdings
+
+// holiday : 2013-11-07 Binky Moon, LLC
+holiday
+
+// homedepot : 2015-04-02 Home Depot Product Authority, LLC
+homedepot
+
+// homegoods : 2015-07-16 The TJX Companies, Inc.
+homegoods
+
+// homes : 2014-01-09 XYZ.COM LLC
+homes
+
+// homesense : 2015-07-16 The TJX Companies, Inc.
+homesense
+
+// honda : 2014-12-18 Honda Motor Co., Ltd.
+honda
+
+// horse : 2013-11-21 Registry Services, LLC
+horse
+
+// hospital : 2016-10-20 Binky Moon, LLC
+hospital
+
+// host : 2014-04-17 Radix FZC
+host
+
+// hosting : 2014-05-29 XYZ.COM LLC
+hosting
+
+// hot : 2015-08-27 Amazon Registry Services, Inc.
+hot
+
+// hoteles : 2015-03-05 Travel Reservations SRL
+hoteles
+
+// hotels : 2016-04-07 Booking.com B.V.
+hotels
+
+// hotmail : 2014-12-18 Microsoft Corporation
+hotmail
+
+// house : 2013-11-07 Binky Moon, LLC
+house
+
+// how : 2014-01-23 Charleston Road Registry Inc.
+how
+
+// hsbc : 2014-10-24 HSBC Global Services (UK) Limited
+hsbc
+
+// hughes : 2015-07-30 Hughes Satellite Systems Corporation
+hughes
+
+// hyatt : 2015-07-30 Hyatt GTLD, L.L.C.
+hyatt
+
+// hyundai : 2015-07-09 Hyundai Motor Company
+hyundai
+
+// ibm : 2014-07-31 International Business Machines Corporation
+ibm
+
+// icbc : 2015-02-19 Industrial and Commercial Bank of China Limited
+icbc
+
+// ice : 2014-10-30 IntercontinentalExchange, Inc.
+ice
+
+// icu : 2015-01-08 ShortDot SA
+icu
+
+// ieee : 2015-07-23 IEEE Global LLC
+ieee
+
+// ifm : 2014-01-30 ifm electronic gmbh
+ifm
+
+// ikano : 2015-07-09 Ikano S.A.
+ikano
+
+// imamat : 2015-08-06 Fondation Aga Khan (Aga Khan Foundation)
+imamat
+
+// imdb : 2015-06-25 Amazon Registry Services, Inc.
+imdb
+
+// immo : 2014-07-10 Binky Moon, LLC
+immo
+
+// immobilien : 2013-11-07 Dog Beach, LLC
+immobilien
+
+// inc : 2018-03-10 Intercap Registry Inc.
+inc
+
+// industries : 2013-12-05 Binky Moon, LLC
+industries
+
+// infiniti : 2014-03-27 NISSAN MOTOR CO., LTD.
+infiniti
+
+// ing : 2014-01-23 Charleston Road Registry Inc.
+ing
+
+// ink : 2013-12-05 Top Level Design, LLC
+ink
+
+// institute : 2013-11-07 Binky Moon, LLC
+institute
+
+// insurance : 2015-02-19 fTLD Registry Services LLC
+insurance
+
+// insure : 2014-03-20 Binky Moon, LLC
+insure
+
+// international : 2013-11-07 Binky Moon, LLC
+international
+
+// intuit : 2015-07-30 Intuit Administrative Services, Inc.
+intuit
+
+// investments : 2014-03-20 Binky Moon, LLC
+investments
+
+// ipiranga : 2014-08-28 Ipiranga Produtos de Petroleo S.A.
+ipiranga
+
+// irish : 2014-08-07 Binky Moon, LLC
+irish
+
+// ismaili : 2015-08-06 Fondation Aga Khan (Aga Khan Foundation)
+ismaili
+
+// ist : 2014-08-28 Istanbul Metropolitan Municipality
+ist
+
+// istanbul : 2014-08-28 Istanbul Metropolitan Municipality
+istanbul
+
+// itau : 2014-10-02 Itau Unibanco Holding S.A.
+itau
+
+// itv : 2015-07-09 ITV Services Limited
+itv
+
+// jaguar : 2014-11-13 Jaguar Land Rover Ltd
+jaguar
+
+// java : 2014-06-19 Oracle Corporation
+java
+
+// jcb : 2014-11-20 JCB Co., Ltd.
+jcb
+
+// jeep : 2015-07-30 FCA US LLC.
+jeep
+
+// jetzt : 2014-01-09 Binky Moon, LLC
+jetzt
+
+// jewelry : 2015-03-05 Binky Moon, LLC
+jewelry
+
+// jio : 2015-04-02 Reliance Industries Limited
+jio
+
+// jll : 2015-04-02 Jones Lang LaSalle Incorporated
+jll
+
+// jmp : 2015-03-26 Matrix IP LLC
+jmp
+
+// jnj : 2015-06-18 Johnson & Johnson Services, Inc.
+jnj
+
+// joburg : 2014-03-24 ZA Central Registry NPC trading as ZA Central Registry
+joburg
+
+// jot : 2014-12-18 Amazon Registry Services, Inc.
+jot
+
+// joy : 2014-12-18 Amazon Registry Services, Inc.
+joy
+
+// jpmorgan : 2015-04-30 JPMorgan Chase Bank, National Association
+jpmorgan
+
+// jprs : 2014-09-18 Japan Registry Services Co., Ltd.
+jprs
+
+// juegos : 2014-03-20 Internet Naming Company LLC
+juegos
+
+// juniper : 2015-07-30 JUNIPER NETWORKS, INC.
+juniper
+
+// kaufen : 2013-11-07 Dog Beach, LLC
+kaufen
+
+// kddi : 2014-09-12 KDDI CORPORATION
+kddi
+
+// kerryhotels : 2015-04-30 Kerry Trading Co. Limited
+kerryhotels
+
+// kerrylogistics : 2015-04-09 Kerry Trading Co. Limited
+kerrylogistics
+
+// kerryproperties : 2015-04-09 Kerry Trading Co. Limited
+kerryproperties
+
+// kfh : 2014-12-04 Kuwait Finance House
+kfh
+
+// kia : 2015-07-09 KIA MOTORS CORPORATION
+kia
+
+// kids : 2021-08-13 DotKids Foundation Limited
+kids
+
+// kim : 2013-09-23 Identity Digital Limited
+kim
+
+// kinder : 2014-11-07 Ferrero Trading Lux S.A.
+kinder
+
+// kindle : 2015-06-25 Amazon Registry Services, Inc.
+kindle
+
+// kitchen : 2013-09-20 Binky Moon, LLC
+kitchen
+
+// kiwi : 2013-09-20 DOT KIWI LIMITED
+kiwi
+
+// koeln : 2014-01-09 dotKoeln GmbH
+koeln
+
+// komatsu : 2015-01-08 Komatsu Ltd.
+komatsu
+
+// kosher : 2015-08-20 Kosher Marketing Assets LLC
+kosher
+
+// kpmg : 2015-04-23 KPMG International Cooperative (KPMG International Genossenschaft)
+kpmg
+
+// kpn : 2015-01-08 Koninklijke KPN N.V.
+kpn
+
+// krd : 2013-12-05 KRG Department of Information Technology
+krd
+
+// kred : 2013-12-19 KredTLD Pty Ltd
+kred
+
+// kuokgroup : 2015-04-09 Kerry Trading Co. Limited
+kuokgroup
+
+// kyoto : 2014-11-07 Academic Institution: Kyoto Jyoho Gakuen
+kyoto
+
+// lacaixa : 2014-01-09 Fundación Bancaria Caixa d’Estalvis i Pensions de Barcelona, “la Caixa†
+lacaixa
+
+// lamborghini : 2015-06-04 Automobili Lamborghini S.p.A.
+lamborghini
+
+// lamer : 2015-10-01 The Estée Lauder Companies Inc.
+lamer
+
+// lancaster : 2015-02-12 LANCASTER
+lancaster
+
+// lancia : 2015-07-31 Fiat Chrysler Automobiles N.V.
+lancia
+
+// land : 2013-09-10 Binky Moon, LLC
+land
+
+// landrover : 2014-11-13 Jaguar Land Rover Ltd
+landrover
+
+// lanxess : 2015-07-30 LANXESS Corporation
+lanxess
+
+// lasalle : 2015-04-02 Jones Lang LaSalle Incorporated
+lasalle
+
+// lat : 2014-10-16 XYZ.COM LLC
+lat
+
+// latino : 2015-07-30 Dish DBS Corporation
+latino
+
+// latrobe : 2014-06-16 La Trobe University
+latrobe
+
+// law : 2015-01-22 Registry Services, LLC
+law
+
+// lawyer : 2014-03-20 Dog Beach, LLC
+lawyer
+
+// lds : 2014-03-20 IRI Domain Management, LLC
+lds
+
+// lease : 2014-03-06 Binky Moon, LLC
+lease
+
+// leclerc : 2014-08-07 A.C.D. LEC Association des Centres Distributeurs Edouard Leclerc
+leclerc
+
+// lefrak : 2015-07-16 LeFrak Organization, Inc.
+lefrak
+
+// legal : 2014-10-16 Binky Moon, LLC
+legal
+
+// lego : 2015-07-16 LEGO Juris A/S
+lego
+
+// lexus : 2015-04-23 TOYOTA MOTOR CORPORATION
+lexus
+
+// lgbt : 2014-05-08 Identity Digital Limited
+lgbt
+
+// lidl : 2014-09-18 Schwarz Domains und Services GmbH & Co. KG
+lidl
+
+// life : 2014-02-06 Binky Moon, LLC
+life
+
+// lifeinsurance : 2015-01-15 American Council of Life Insurers
+lifeinsurance
+
+// lifestyle : 2014-12-11 Lifestyle Domain Holdings, Inc.
+lifestyle
+
+// lighting : 2013-08-27 Binky Moon, LLC
+lighting
+
+// like : 2014-12-18 Amazon Registry Services, Inc.
+like
+
+// lilly : 2015-07-31 Eli Lilly and Company
+lilly
+
+// limited : 2014-03-06 Binky Moon, LLC
+limited
+
+// limo : 2013-10-17 Binky Moon, LLC
+limo
+
+// lincoln : 2014-11-13 Ford Motor Company
+lincoln
+
+// linde : 2014-12-04 Linde Aktiengesellschaft
+linde
+
+// link : 2013-11-14 Nova Registry Ltd
+link
+
+// lipsy : 2015-06-25 Lipsy Ltd
+lipsy
+
+// live : 2014-12-04 Dog Beach, LLC
+live
+
+// living : 2015-07-30 Lifestyle Domain Holdings, Inc.
+living
+
+// llc : 2017-12-14 Identity Digital Limited
+llc
+
+// llp : 2019-08-26 Intercap Registry Inc.
+llp
+
+// loan : 2014-11-20 dot Loan Limited
+loan
+
+// loans : 2014-03-20 Binky Moon, LLC
+loans
+
+// locker : 2015-06-04 Dish DBS Corporation
+locker
+
+// locus : 2015-06-25 Locus Analytics LLC
+locus
+
+// loft : 2015-07-30 Annco, Inc.
+loft
+
+// lol : 2015-01-30 XYZ.COM LLC
+lol
+
+// london : 2013-11-14 Dot London Domains Limited
+london
+
+// lotte : 2014-11-07 Lotte Holdings Co., Ltd.
+lotte
+
+// lotto : 2014-04-10 Identity Digital Limited
+lotto
+
+// love : 2014-12-22 Merchant Law Group LLP
+love
+
+// lpl : 2015-07-30 LPL Holdings, Inc.
+lpl
+
+// lplfinancial : 2015-07-30 LPL Holdings, Inc.
+lplfinancial
+
+// ltd : 2014-09-25 Binky Moon, LLC
+ltd
+
+// ltda : 2014-04-17 InterNetX, Corp
+ltda
+
+// lundbeck : 2015-08-06 H. Lundbeck A/S
+lundbeck
+
+// luxe : 2014-01-09 Registry Services, LLC
+luxe
+
+// luxury : 2013-10-17 Luxury Partners, LLC
+luxury
+
+// macys : 2015-07-31 Macys, Inc.
+macys
+
+// madrid : 2014-05-01 Comunidad de Madrid
+madrid
+
+// maif : 2014-10-02 Mutuelle Assurance Instituteur France (MAIF)
+maif
+
+// maison : 2013-12-05 Binky Moon, LLC
+maison
+
+// makeup : 2015-01-15 XYZ.COM LLC
+makeup
+
+// man : 2014-12-04 MAN SE
+man
+
+// management : 2013-11-07 Binky Moon, LLC
+management
+
+// mango : 2013-10-24 PUNTO FA S.L.
+mango
+
+// map : 2016-06-09 Charleston Road Registry Inc.
+map
+
+// market : 2014-03-06 Dog Beach, LLC
+market
+
+// marketing : 2013-11-07 Binky Moon, LLC
+marketing
+
+// markets : 2014-12-11 Dog Beach, LLC
+markets
+
+// marriott : 2014-10-09 Marriott Worldwide Corporation
+marriott
+
+// marshalls : 2015-07-16 The TJX Companies, Inc.
+marshalls
+
+// maserati : 2015-07-31 Fiat Chrysler Automobiles N.V.
+maserati
+
+// mattel : 2015-08-06 Mattel Sites, Inc.
+mattel
+
+// mba : 2015-04-02 Binky Moon, LLC
+mba
+
+// mckinsey : 2015-07-31 McKinsey Holdings, Inc.
+mckinsey
+
+// med : 2015-08-06 Medistry LLC
+med
+
+// media : 2014-03-06 Binky Moon, LLC
+media
+
+// meet : 2014-01-16 Charleston Road Registry Inc.
+meet
+
+// melbourne : 2014-05-29 The Crown in right of the State of Victoria, represented by its Department of State Development, Business and Innovation
+melbourne
+
+// meme : 2014-01-30 Charleston Road Registry Inc.
+meme
+
+// memorial : 2014-10-16 Dog Beach, LLC
+memorial
+
+// men : 2015-02-26 Exclusive Registry Limited
+men
+
+// menu : 2013-09-11 Dot Menu Registry, LLC
+menu
+
+// merckmsd : 2016-07-14 MSD Registry Holdings, Inc.
+merckmsd
+
+// miami : 2013-12-19 Registry Services, LLC
+miami
+
+// microsoft : 2014-12-18 Microsoft Corporation
+microsoft
+
+// mini : 2014-01-09 Bayerische Motoren Werke Aktiengesellschaft
+mini
+
+// mint : 2015-07-30 Intuit Administrative Services, Inc.
+mint
+
+// mit : 2015-07-02 Massachusetts Institute of Technology
+mit
+
+// mitsubishi : 2015-07-23 Mitsubishi Corporation
+mitsubishi
+
+// mlb : 2015-05-21 MLB Advanced Media DH, LLC
+mlb
+
+// mls : 2015-04-23 The Canadian Real Estate Association
+mls
+
+// mma : 2014-11-07 MMA IARD
+mma
+
+// mobile : 2016-06-02 Dish DBS Corporation
+mobile
+
+// moda : 2013-11-07 Dog Beach, LLC
+moda
+
+// moe : 2013-11-13 Interlink Systems Innovation Institute K.K.
+moe
+
+// moi : 2014-12-18 Amazon Registry Services, Inc.
+moi
+
+// mom : 2015-04-16 XYZ.COM LLC
+mom
+
+// monash : 2013-09-30 Monash University
+monash
+
+// money : 2014-10-16 Binky Moon, LLC
+money
+
+// monster : 2015-09-11 XYZ.COM LLC
+monster
+
+// mormon : 2013-12-05 IRI Domain Management, LLC
+mormon
+
+// mortgage : 2014-03-20 Dog Beach, LLC
+mortgage
+
+// moscow : 2013-12-19 Foundation for Assistance for Internet Technologies and Infrastructure Development (FAITID)
+moscow
+
+// moto : 2015-06-04 Motorola Trademark Holdings, LLC
+moto
+
+// motorcycles : 2014-01-09 XYZ.COM LLC
+motorcycles
+
+// mov : 2014-01-30 Charleston Road Registry Inc.
+mov
+
+// movie : 2015-02-05 Binky Moon, LLC
+movie
+
+// msd : 2015-07-23 MSD Registry Holdings, Inc.
+msd
+
+// mtn : 2014-12-04 MTN Dubai Limited
+mtn
+
+// mtr : 2015-03-12 MTR Corporation Limited
+mtr
+
+// music : 2021-05-04 DotMusic Limited
+music
+
+// mutual : 2015-04-02 Northwestern Mutual MU TLD Registry, LLC
+mutual
+
+// nab : 2015-08-20 National Australia Bank Limited
+nab
+
+// nagoya : 2013-10-24 GMO Registry, Inc.
+nagoya
+
+// natura : 2015-03-12 NATURA COSMÉTICOS S.A.
+natura
+
+// navy : 2014-03-06 Dog Beach, LLC
+navy
+
+// nba : 2015-07-31 NBA REGISTRY, LLC
+nba
+
+// nec : 2015-01-08 NEC Corporation
+nec
+
+// netbank : 2014-06-26 COMMONWEALTH BANK OF AUSTRALIA
+netbank
+
+// netflix : 2015-06-18 Netflix, Inc.
+netflix
+
+// network : 2013-11-14 Binky Moon, LLC
+network
+
+// neustar : 2013-12-05 NeuStar, Inc.
+neustar
+
+// new : 2014-01-30 Charleston Road Registry Inc.
+new
+
+// news : 2014-12-18 Dog Beach, LLC
+news
+
+// next : 2015-06-18 Next plc
+next
+
+// nextdirect : 2015-06-18 Next plc
+nextdirect
+
+// nexus : 2014-07-24 Charleston Road Registry Inc.
+nexus
+
+// nfl : 2015-07-23 NFL Reg Ops LLC
+nfl
+
+// ngo : 2014-03-06 Public Interest Registry
+ngo
+
+// nhk : 2014-02-13 Japan Broadcasting Corporation (NHK)
+nhk
+
+// nico : 2014-12-04 DWANGO Co., Ltd.
+nico
+
+// nike : 2015-07-23 NIKE, Inc.
+nike
+
+// nikon : 2015-05-21 NIKON CORPORATION
+nikon
+
+// ninja : 2013-11-07 Dog Beach, LLC
+ninja
+
+// nissan : 2014-03-27 NISSAN MOTOR CO., LTD.
+nissan
+
+// nissay : 2015-10-29 Nippon Life Insurance Company
+nissay
+
+// nokia : 2015-01-08 Nokia Corporation
+nokia
+
+// northwesternmutual : 2015-06-18 Northwestern Mutual Registry, LLC
+northwesternmutual
+
+// norton : 2014-12-04 NortonLifeLock Inc.
+norton
+
+// now : 2015-06-25 Amazon Registry Services, Inc.
+now
+
+// nowruz : 2014-09-04 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti.
+nowruz
+
+// nowtv : 2015-05-14 Starbucks (HK) Limited
+nowtv
+
+// nra : 2014-05-22 NRA Holdings Company, INC.
+nra
+
+// nrw : 2013-11-21 Minds + Machines GmbH
+nrw
+
+// ntt : 2014-10-31 NIPPON TELEGRAPH AND TELEPHONE CORPORATION
+ntt
+
+// nyc : 2014-01-23 The City of New York by and through the New York City Department of Information Technology & Telecommunications
+nyc
+
+// obi : 2014-09-25 OBI Group Holding SE & Co. KGaA
+obi
+
+// observer : 2015-04-30 Dog Beach, LLC
+observer
+
+// office : 2015-03-12 Microsoft Corporation
+office
+
+// okinawa : 2013-12-05 BRregistry, Inc.
+okinawa
+
+// olayan : 2015-05-14 Crescent Holding GmbH
+olayan
+
+// olayangroup : 2015-05-14 Crescent Holding GmbH
+olayangroup
+
+// oldnavy : 2015-07-31 The Gap, Inc.
+oldnavy
+
+// ollo : 2015-06-04 Dish DBS Corporation
+ollo
+
+// omega : 2015-01-08 The Swatch Group Ltd
+omega
+
+// one : 2014-11-07 One.com A/S
+one
+
+// ong : 2014-03-06 Public Interest Registry
+ong
+
+// onl : 2013-09-16 iRegistry GmbH
+onl
+
+// online : 2015-01-15 Radix FZC
+online
+
+// ooo : 2014-01-09 INFIBEAM AVENUES LIMITED
+ooo
+
+// open : 2015-07-31 American Express Travel Related Services Company, Inc.
+open
+
+// oracle : 2014-06-19 Oracle Corporation
+oracle
+
+// orange : 2015-03-12 Orange Brand Services Limited
+orange
+
+// organic : 2014-03-27 Identity Digital Limited
+organic
+
+// origins : 2015-10-01 The Estée Lauder Companies Inc.
+origins
+
+// osaka : 2014-09-04 Osaka Registry Co., Ltd.
+osaka
+
+// otsuka : 2013-10-11 Otsuka Holdings Co., Ltd.
+otsuka
+
+// ott : 2015-06-04 Dish DBS Corporation
+ott
+
+// ovh : 2014-01-16 MédiaBC
+ovh
+
+// page : 2014-12-04 Charleston Road Registry Inc.
+page
+
+// panasonic : 2015-07-30 Panasonic Corporation
+panasonic
+
+// paris : 2014-01-30 City of Paris
+paris
+
+// pars : 2014-09-04 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti.
+pars
+
+// partners : 2013-12-05 Binky Moon, LLC
+partners
+
+// parts : 2013-12-05 Binky Moon, LLC
+parts
+
+// party : 2014-09-11 Blue Sky Registry Limited
+party
+
+// passagens : 2015-03-05 Travel Reservations SRL
+passagens
+
+// pay : 2015-08-27 Amazon Registry Services, Inc.
+pay
+
+// pccw : 2015-05-14 PCCW Enterprises Limited
+pccw
+
+// pet : 2015-05-07 Identity Digital Limited
+pet
+
+// pfizer : 2015-09-11 Pfizer Inc.
+pfizer
+
+// pharmacy : 2014-06-19 National Association of Boards of Pharmacy
+pharmacy
+
+// phd : 2016-07-28 Charleston Road Registry Inc.
+phd
+
+// philips : 2014-11-07 Koninklijke Philips N.V.
+philips
+
+// phone : 2016-06-02 Dish DBS Corporation
+phone
+
+// photo : 2013-11-14 Registry Services, LLC
+photo
+
+// photography : 2013-09-20 Binky Moon, LLC
+photography
+
+// photos : 2013-10-17 Binky Moon, LLC
+photos
+
+// physio : 2014-05-01 PhysBiz Pty Ltd
+physio
+
+// pics : 2013-11-14 XYZ.COM LLC
+pics
+
+// pictet : 2014-06-26 Pictet Europe S.A.
+pictet
+
+// pictures : 2014-03-06 Binky Moon, LLC
+pictures
+
+// pid : 2015-01-08 Top Level Spectrum, Inc.
+pid
+
+// pin : 2014-12-18 Amazon Registry Services, Inc.
+pin
+
+// ping : 2015-06-11 Ping Registry Provider, Inc.
+ping
+
+// pink : 2013-10-01 Identity Digital Limited
+pink
+
+// pioneer : 2015-07-16 Pioneer Corporation
+pioneer
+
+// pizza : 2014-06-26 Binky Moon, LLC
+pizza
+
+// place : 2014-04-24 Binky Moon, LLC
+place
+
+// play : 2015-03-05 Charleston Road Registry Inc.
+play
+
+// playstation : 2015-07-02 Sony Interactive Entertainment Inc.
+playstation
+
+// plumbing : 2013-09-10 Binky Moon, LLC
+plumbing
+
+// plus : 2015-02-05 Binky Moon, LLC
+plus
+
+// pnc : 2015-07-02 PNC Domain Co., LLC
+pnc
+
+// pohl : 2014-06-23 Deutsche Vermögensberatung Aktiengesellschaft DVAG
+pohl
+
+// poker : 2014-07-03 Identity Digital Limited
+poker
+
+// politie : 2015-08-20 Politie Nederland
+politie
+
+// porn : 2014-10-16 ICM Registry PN LLC
+porn
+
+// pramerica : 2015-07-30 Prudential Financial, Inc.
+pramerica
+
+// praxi : 2013-12-05 Praxi S.p.A.
+praxi
+
+// press : 2014-04-03 Radix FZC
+press
+
+// prime : 2015-06-25 Amazon Registry Services, Inc.
+prime
+
+// prod : 2014-01-23 Charleston Road Registry Inc.
+prod
+
+// productions : 2013-12-05 Binky Moon, LLC
+productions
+
+// prof : 2014-07-24 Charleston Road Registry Inc.
+prof
+
+// progressive : 2015-07-23 Progressive Casualty Insurance Company
+progressive
+
+// promo : 2014-12-18 Identity Digital Limited
+promo
+
+// properties : 2013-12-05 Binky Moon, LLC
+properties
+
+// property : 2014-05-22 Internet Naming Company LLC
+property
+
+// protection : 2015-04-23 XYZ.COM LLC
+protection
+
+// pru : 2015-07-30 Prudential Financial, Inc.
+pru
+
+// prudential : 2015-07-30 Prudential Financial, Inc.
+prudential
+
+// pub : 2013-12-12 Dog Beach, LLC
+pub
+
+// pwc : 2015-10-29 PricewaterhouseCoopers LLP
+pwc
+
+// qpon : 2013-11-14 dotCOOL, Inc.
+qpon
+
+// quebec : 2013-12-19 PointQuébec Inc
+quebec
+
+// quest : 2015-03-26 XYZ.COM LLC
+quest
+
+// racing : 2014-12-04 Premier Registry Limited
+racing
+
+// radio : 2016-07-21 European Broadcasting Union (EBU)
+radio
+
+// read : 2014-12-18 Amazon Registry Services, Inc.
+read
+
+// realestate : 2015-09-11 dotRealEstate LLC
+realestate
+
+// realtor : 2014-05-29 Real Estate Domains LLC
+realtor
+
+// realty : 2015-03-19 Dog Beach, LLC
+realty
+
+// recipes : 2013-10-17 Binky Moon, LLC
+recipes
+
+// red : 2013-11-07 Identity Digital Limited
+red
+
+// redstone : 2014-10-31 Redstone Haute Couture Co., Ltd.
+redstone
+
+// redumbrella : 2015-03-26 Travelers TLD, LLC
+redumbrella
+
+// rehab : 2014-03-06 Dog Beach, LLC
+rehab
+
+// reise : 2014-03-13 Binky Moon, LLC
+reise
+
+// reisen : 2014-03-06 Binky Moon, LLC
+reisen
+
+// reit : 2014-09-04 National Association of Real Estate Investment Trusts, Inc.
+reit
+
+// reliance : 2015-04-02 Reliance Industries Limited
+reliance
+
+// ren : 2013-12-12 ZDNS International Limited
+ren
+
+// rent : 2014-12-04 XYZ.COM LLC
+rent
+
+// rentals : 2013-12-05 Binky Moon, LLC
+rentals
+
+// repair : 2013-11-07 Binky Moon, LLC
+repair
+
+// report : 2013-12-05 Binky Moon, LLC
+report
+
+// republican : 2014-03-20 Dog Beach, LLC
+republican
+
+// rest : 2013-12-19 Punto 2012 Sociedad Anonima Promotora de Inversion de Capital Variable
+rest
+
+// restaurant : 2014-07-03 Binky Moon, LLC
+restaurant
+
+// review : 2014-11-20 dot Review Limited
+review
+
+// reviews : 2013-09-13 Dog Beach, LLC
+reviews
+
+// rexroth : 2015-06-18 Robert Bosch GMBH
+rexroth
+
+// rich : 2013-11-21 iRegistry GmbH
+rich
+
+// richardli : 2015-05-14 Pacific Century Asset Management (HK) Limited
+richardli
+
+// ricoh : 2014-11-20 Ricoh Company, Ltd.
+ricoh
+
+// ril : 2015-04-02 Reliance Industries Limited
+ril
+
+// rio : 2014-02-27 Empresa Municipal de Informática SA - IPLANRIO
+rio
+
+// rip : 2014-07-10 Dog Beach, LLC
+rip
+
+// rocher : 2014-12-18 Ferrero Trading Lux S.A.
+rocher
+
+// rocks : 2013-11-14 Dog Beach, LLC
+rocks
+
+// rodeo : 2013-12-19 Registry Services, LLC
+rodeo
+
+// rogers : 2015-08-06 Rogers Communications Canada Inc.
+rogers
+
+// room : 2014-12-18 Amazon Registry Services, Inc.
+room
+
+// rsvp : 2014-05-08 Charleston Road Registry Inc.
+rsvp
+
+// rugby : 2016-12-15 World Rugby Strategic Developments Limited
+rugby
+
+// ruhr : 2013-10-02 dotSaarland GmbH
+ruhr
+
+// run : 2015-03-19 Binky Moon, LLC
+run
+
+// rwe : 2015-04-02 RWE AG
+rwe
+
+// ryukyu : 2014-01-09 BRregistry, Inc.
+ryukyu
+
+// saarland : 2013-12-12 dotSaarland GmbH
+saarland
+
+// safe : 2014-12-18 Amazon Registry Services, Inc.
+safe
+
+// safety : 2015-01-08 Safety Registry Services, LLC.
+safety
+
+// sakura : 2014-12-18 SAKURA Internet Inc.
+sakura + +// sale : 2014-10-16 Dog Beach, LLC +sale + +// salon : 2014-12-11 Binky Moon, LLC +salon + +// samsclub : 2015-07-31 Wal-Mart Stores, Inc. +samsclub + +// samsung : 2014-04-03 SAMSUNG SDS CO., LTD +samsung + +// sandvik : 2014-11-13 Sandvik AB +sandvik + +// sandvikcoromant : 2014-11-07 Sandvik AB +sandvikcoromant + +// sanofi : 2014-10-09 Sanofi +sanofi + +// sap : 2014-03-27 SAP AG +sap + +// sarl : 2014-07-03 Binky Moon, LLC +sarl + +// sas : 2015-04-02 Research IP LLC +sas + +// save : 2015-06-25 Amazon Registry Services, Inc. +save + +// saxo : 2014-10-31 Saxo Bank A/S +saxo + +// sbi : 2015-03-12 STATE BANK OF INDIA +sbi + +// sbs : 2014-11-07 ShortDot SA +sbs + +// sca : 2014-03-13 SVENSKA CELLULOSA AKTIEBOLAGET SCA (publ) +sca + +// scb : 2014-02-20 The Siam Commercial Bank Public Company Limited ("SCB") +scb + +// schaeffler : 2015-08-06 Schaeffler Technologies AG & Co. KG +schaeffler + +// schmidt : 2014-04-03 SCHMIDT GROUPE S.A.S. +schmidt + +// scholarships : 2014-04-24 Scholarships.com, LLC +scholarships + +// school : 2014-12-18 Binky Moon, LLC +school + +// schule : 2014-03-06 Binky Moon, LLC +schule + +// schwarz : 2014-09-18 Schwarz Domains und Services GmbH & Co. KG +schwarz + +// science : 2014-09-11 dot Science Limited +science + +// scot : 2014-01-23 Dot Scot Registry Limited +scot + +// search : 2016-06-09 Charleston Road Registry Inc. +search + +// seat : 2014-05-22 SEAT, S.A. (Sociedad Unipersonal) +seat + +// secure : 2015-08-27 Amazon Registry Services, Inc. +secure + +// security : 2015-05-14 XYZ.COM LLC +security + +// seek : 2014-12-04 Seek Limited +seek + +// select : 2015-10-08 Registry Services, LLC +select + +// sener : 2014-10-24 Sener Ingeniería y Sistemas, S.A. 
+sener + +// services : 2014-02-27 Binky Moon, LLC +services + +// ses : 2015-07-23 SES +ses + +// seven : 2015-08-06 Seven West Media Ltd +seven + +// sew : 2014-07-17 SEW-EURODRIVE GmbH & Co KG +sew + +// sex : 2014-11-13 ICM Registry SX LLC +sex + +// sexy : 2013-09-11 Internet Naming Company LLC +sexy + +// sfr : 2015-08-13 Societe Francaise du Radiotelephone - SFR +sfr + +// shangrila : 2015-09-03 Shangriâ€La International Hotel Management Limited +shangrila + +// sharp : 2014-05-01 Sharp Corporation +sharp + +// shaw : 2015-04-23 Shaw Cablesystems G.P. +shaw + +// shell : 2015-07-30 Shell Information Technology International Inc +shell + +// shia : 2014-09-04 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti. +shia + +// shiksha : 2013-11-14 Identity Digital Limited +shiksha + +// shoes : 2013-10-02 Binky Moon, LLC +shoes + +// shop : 2016-04-08 GMO Registry, Inc. +shop + +// shopping : 2016-03-31 Binky Moon, LLC +shopping + +// shouji : 2015-01-08 Beijing Qihu Keji Co., Ltd. +shouji + +// show : 2015-03-05 Binky Moon, LLC +show + +// showtime : 2015-08-06 CBS Domains Inc. +showtime + +// silk : 2015-06-25 Amazon Registry Services, Inc. +silk + +// sina : 2015-03-12 Sina Corporation +sina + +// singles : 2013-08-27 Binky Moon, LLC +singles + +// site : 2015-01-15 Radix FZC +site + +// ski : 2015-04-09 Identity Digital Limited +ski + +// skin : 2015-01-15 XYZ.COM LLC +skin + +// sky : 2014-06-19 Sky International AG +sky + +// skype : 2014-12-18 Microsoft Corporation +skype + +// sling : 2015-07-30 DISH Technologies L.L.C. +sling + +// smart : 2015-07-09 Smart Communications, Inc. (SMART) +smart + +// smile : 2014-12-18 Amazon Registry Services, Inc. +smile + +// sncf : 2015-02-19 Société Nationale des Chemins de fer Francais S N C F +sncf + +// soccer : 2015-03-26 Binky Moon, LLC +soccer + +// social : 2013-11-07 Dog Beach, LLC +social + +// softbank : 2015-07-02 SoftBank Group Corp. 
+softbank + +// software : 2014-03-20 Dog Beach, LLC +software + +// sohu : 2013-12-19 Sohu.com Limited +sohu + +// solar : 2013-11-07 Binky Moon, LLC +solar + +// solutions : 2013-11-07 Binky Moon, LLC +solutions + +// song : 2015-02-26 Amazon Registry Services, Inc. +song + +// sony : 2015-01-08 Sony Corporation +sony + +// soy : 2014-01-23 Charleston Road Registry Inc. +soy + +// spa : 2019-09-19 Asia Spa and Wellness Promotion Council Limited +spa + +// space : 2014-04-03 Radix FZC +space + +// sport : 2017-11-16 Global Association of International Sports Federations (GAISF) +sport + +// spot : 2015-02-26 Amazon Registry Services, Inc. +spot + +// srl : 2015-05-07 InterNetX, Corp +srl + +// stada : 2014-11-13 STADA Arzneimittel AG +stada + +// staples : 2015-07-30 Staples, Inc. +staples + +// star : 2015-01-08 Star India Private Limited +star + +// statebank : 2015-03-12 STATE BANK OF INDIA +statebank + +// statefarm : 2015-07-30 State Farm Mutual Automobile Insurance Company +statefarm + +// stc : 2014-10-09 Saudi Telecom Company +stc + +// stcgroup : 2014-10-09 Saudi Telecom Company +stcgroup + +// stockholm : 2014-12-18 Stockholms kommun +stockholm + +// storage : 2014-12-22 XYZ.COM LLC +storage + +// store : 2015-04-09 Radix FZC +store + +// stream : 2016-01-08 dot Stream Limited +stream + +// studio : 2015-02-11 Dog Beach, LLC +studio + +// study : 2014-12-11 Registry Services, LLC +study + +// style : 2014-12-04 Binky Moon, LLC +style + +// sucks : 2014-12-22 Vox Populi Registry Ltd. 
+sucks + +// supplies : 2013-12-19 Binky Moon, LLC +supplies + +// supply : 2013-12-19 Binky Moon, LLC +supply + +// support : 2013-10-24 Binky Moon, LLC +support + +// surf : 2014-01-09 Registry Services, LLC +surf + +// surgery : 2014-03-20 Binky Moon, LLC +surgery + +// suzuki : 2014-02-20 SUZUKI MOTOR CORPORATION +suzuki + +// swatch : 2015-01-08 The Swatch Group Ltd +swatch + +// swiss : 2014-10-16 Swiss Confederation +swiss + +// sydney : 2014-09-18 State of New South Wales, Department of Premier and Cabinet +sydney + +// systems : 2013-11-07 Binky Moon, LLC +systems + +// tab : 2014-12-04 Tabcorp Holdings Limited +tab + +// taipei : 2014-07-10 Taipei City Government +taipei + +// talk : 2015-04-09 Amazon Registry Services, Inc. +talk + +// taobao : 2015-01-15 Alibaba Group Holding Limited +taobao + +// target : 2015-07-31 Target Domain Holdings, LLC +target + +// tatamotors : 2015-03-12 Tata Motors Ltd +tatamotors + +// tatar : 2014-04-24 Limited Liability Company "Coordination Center of Regional Domain of Tatarstan Republic" +tatar + +// tattoo : 2013-08-30 Top Level Design, LLC +tattoo + +// tax : 2014-03-20 Binky Moon, LLC +tax + +// taxi : 2015-03-19 Binky Moon, LLC +taxi + +// tci : 2014-09-12 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti. 
+tci + +// tdk : 2015-06-11 TDK Corporation +tdk + +// team : 2015-03-05 Binky Moon, LLC +team + +// tech : 2015-01-30 Radix FZC +tech + +// technology : 2013-09-13 Binky Moon, LLC +technology + +// temasek : 2014-08-07 Temasek Holdings (Private) Limited +temasek + +// tennis : 2014-12-04 Binky Moon, LLC +tennis + +// teva : 2015-07-02 Teva Pharmaceutical Industries Limited +teva + +// thd : 2015-04-02 Home Depot Product Authority, LLC +thd + +// theater : 2015-03-19 Binky Moon, LLC +theater + +// theatre : 2015-05-07 XYZ.COM LLC +theatre + +// tiaa : 2015-07-23 Teachers Insurance and Annuity Association of America +tiaa + +// tickets : 2015-02-05 XYZ.COM LLC +tickets + +// tienda : 2013-11-14 Binky Moon, LLC +tienda + +// tiffany : 2015-01-30 Tiffany and Company +tiffany + +// tips : 2013-09-20 Binky Moon, LLC +tips + +// tires : 2014-11-07 Binky Moon, LLC +tires + +// tirol : 2014-04-24 punkt Tirol GmbH +tirol + +// tjmaxx : 2015-07-16 The TJX Companies, Inc. +tjmaxx + +// tjx : 2015-07-16 The TJX Companies, Inc. +tjx + +// tkmaxx : 2015-07-16 The TJX Companies, Inc. +tkmaxx + +// tmall : 2015-01-15 Alibaba Group Holding Limited +tmall + +// today : 2013-09-20 Binky Moon, LLC +today + +// tokyo : 2013-11-13 GMO Registry, Inc. +tokyo + +// tools : 2013-11-21 Binky Moon, LLC +tools + +// top : 2014-03-20 .TOP Registry +top + +// toray : 2014-12-18 Toray Industries, Inc. +toray + +// toshiba : 2014-04-10 TOSHIBA Corporation +toshiba + +// total : 2015-08-06 TOTAL SE +total + +// tours : 2015-01-22 Binky Moon, LLC +tours + +// town : 2014-03-06 Binky Moon, LLC +town + +// toyota : 2015-04-23 TOYOTA MOTOR CORPORATION +toyota + +// toys : 2014-03-06 Binky Moon, LLC +toys + +// trade : 2014-01-23 Elite Registry Limited +trade + +// trading : 2014-12-11 Dog Beach, LLC +trading + +// training : 2013-11-07 Binky Moon, LLC +training + +// travel : 2015-10-09 Dog Beach, LLC +travel + +// travelchannel : 2015-07-02 Lifestyle Domain Holdings, Inc. 
+travelchannel + +// travelers : 2015-03-26 Travelers TLD, LLC +travelers + +// travelersinsurance : 2015-03-26 Travelers TLD, LLC +travelersinsurance + +// trust : 2014-10-16 Internet Naming Company LLC +trust + +// trv : 2015-03-26 Travelers TLD, LLC +trv + +// tube : 2015-06-11 Latin American Telecom LLC +tube + +// tui : 2014-07-03 TUI AG +tui + +// tunes : 2015-02-26 Amazon Registry Services, Inc. +tunes + +// tushu : 2014-12-18 Amazon Registry Services, Inc. +tushu + +// tvs : 2015-02-19 T V SUNDRAM IYENGAR & SONS LIMITED +tvs + +// ubank : 2015-08-20 National Australia Bank Limited +ubank + +// ubs : 2014-12-11 UBS AG +ubs + +// unicom : 2015-10-15 China United Network Communications Corporation Limited +unicom + +// university : 2014-03-06 Binky Moon, LLC +university + +// uno : 2013-09-11 Radix FZC +uno + +// uol : 2014-05-01 UBN INTERNET LTDA. +uol + +// ups : 2015-06-25 UPS Market Driver, Inc. +ups + +// vacations : 2013-12-05 Binky Moon, LLC +vacations + +// vana : 2014-12-11 Lifestyle Domain Holdings, Inc. +vana + +// vanguard : 2015-09-03 The Vanguard Group, Inc. +vanguard + +// vegas : 2014-01-16 Dot Vegas, Inc. +vegas + +// ventures : 2013-08-27 Binky Moon, LLC +ventures + +// verisign : 2015-08-13 VeriSign, Inc. +verisign + +// versicherung : 2014-03-20 tldbox GmbH +versicherung + +// vet : 2014-03-06 Dog Beach, LLC +vet + +// viajes : 2013-10-17 Binky Moon, LLC +viajes + +// video : 2014-10-16 Dog Beach, LLC +video + +// vig : 2015-05-14 VIENNA INSURANCE GROUP AG Wiener Versicherung Gruppe +vig + +// viking : 2015-04-02 Viking River Cruises (Bermuda) Ltd. +viking + +// villas : 2013-12-05 Binky Moon, LLC +villas + +// vin : 2015-06-18 Binky Moon, LLC +vin + +// vip : 2015-01-22 Registry Services, LLC +vip + +// virgin : 2014-09-25 Virgin Enterprises Limited +virgin + +// visa : 2015-07-30 Visa Worldwide Pte. 
Limited +visa + +// vision : 2013-12-05 Binky Moon, LLC +vision + +// viva : 2014-11-07 Saudi Telecom Company +viva + +// vivo : 2015-07-31 Telefonica Brasil S.A. +vivo + +// vlaanderen : 2014-02-06 DNS.be vzw +vlaanderen + +// vodka : 2013-12-19 Registry Services, LLC +vodka + +// volkswagen : 2015-05-14 Volkswagen Group of America Inc. +volkswagen + +// volvo : 2015-11-12 Volvo Holding Sverige Aktiebolag +volvo + +// vote : 2013-11-21 Monolith Registry LLC +vote + +// voting : 2013-11-13 Valuetainment Corp. +voting + +// voto : 2013-11-21 Monolith Registry LLC +voto + +// voyage : 2013-08-27 Binky Moon, LLC +voyage + +// vuelos : 2015-03-05 Travel Reservations SRL +vuelos + +// wales : 2014-05-08 Nominet UK +wales + +// walmart : 2015-07-31 Wal-Mart Stores, Inc. +walmart + +// walter : 2014-11-13 Sandvik AB +walter + +// wang : 2013-10-24 Zodiac Wang Limited +wang + +// wanggou : 2014-12-18 Amazon Registry Services, Inc. +wanggou + +// watch : 2013-11-14 Binky Moon, LLC +watch + +// watches : 2014-12-22 Identity Digital Limited +watches + +// weather : 2015-01-08 International Business Machines Corporation +weather + +// weatherchannel : 2015-03-12 International Business Machines Corporation +weatherchannel + +// webcam : 2014-01-23 dot Webcam Limited +webcam + +// weber : 2015-06-04 Saint-Gobain Weber SA +weber + +// website : 2014-04-03 Radix FZC +website + +// wedding : 2014-04-24 Registry Services, LLC +wedding + +// weibo : 2015-03-05 Sina Corporation +weibo + +// weir : 2015-01-29 Weir Group IP Limited +weir + +// whoswho : 2014-02-20 Who's Who Registry +whoswho + +// wien : 2013-10-28 punkt.wien GmbH +wien + +// wiki : 2013-11-07 Top Level Design, LLC +wiki + +// williamhill : 2014-03-13 William Hill Organization Limited +williamhill + +// win : 2014-11-20 First Registry Limited +win + +// windows : 2014-12-18 Microsoft Corporation +windows + +// wine : 2015-06-18 Binky Moon, LLC +wine + +// winners : 2015-07-16 The TJX Companies, Inc. 
+winners + +// wme : 2014-02-13 William Morris Endeavor Entertainment, LLC +wme + +// wolterskluwer : 2015-08-06 Wolters Kluwer N.V. +wolterskluwer + +// woodside : 2015-07-09 Woodside Petroleum Limited +woodside + +// work : 2013-12-19 Registry Services, LLC +work + +// works : 2013-11-14 Binky Moon, LLC +works + +// world : 2014-06-12 Binky Moon, LLC +world + +// wow : 2015-10-08 Amazon Registry Services, Inc. +wow + +// wtc : 2013-12-19 World Trade Centers Association, Inc. +wtc + +// wtf : 2014-03-06 Binky Moon, LLC +wtf + +// xbox : 2014-12-18 Microsoft Corporation +xbox + +// xerox : 2014-10-24 Xerox DNHC LLC +xerox + +// xfinity : 2015-07-09 Comcast IP Holdings I, LLC +xfinity + +// xihuan : 2015-01-08 Beijing Qihu Keji Co., Ltd. +xihuan + +// xin : 2014-12-11 Elegant Leader Limited +xin + +// xn--11b4c3d : 2015-01-15 VeriSign Sarl +xn--11b4c3d + +// xn--1ck2e1b : 2015-02-26 Amazon Registry Services, Inc. +xn--1ck2e1b + +// xn--1qqw23a : 2014-01-09 Guangzhou YU Wei Information Technology Co., Ltd. 
+xn--1qqw23a + +// xn--30rr7y : 2014-06-12 Excellent First Limited +xn--30rr7y + +// xn--3bst00m : 2013-09-13 Eagle Horizon Limited +xn--3bst00m + +// xn--3ds443g : 2013-09-08 TLD REGISTRY LIMITED OY +xn--3ds443g + +// xn--3pxu8k : 2015-01-15 VeriSign Sarl +xn--3pxu8k + +// xn--42c2d9a : 2015-01-15 VeriSign Sarl +xn--42c2d9a + +// xn--45q11c : 2013-11-21 Zodiac Gemini Ltd +xn--45q11c + +// xn--4gbrim : 2013-10-04 Helium TLDs Ltd +xn--4gbrim + +// xn--55qw42g : 2013-11-08 China Organizational Name Administration Center +xn--55qw42g + +// xn--55qx5d : 2013-11-14 China Internet Network Information Center (CNNIC) +xn--55qx5d + +// xn--5su34j936bgsg : 2015-09-03 Shangriâ€La International Hotel Management Limited +xn--5su34j936bgsg + +// xn--5tzm5g : 2014-12-22 Global Website TLD Asia Limited +xn--5tzm5g + +// xn--6frz82g : 2013-09-23 Identity Digital Limited +xn--6frz82g + +// xn--6qq986b3xl : 2013-09-13 Tycoon Treasure Limited +xn--6qq986b3xl + +// xn--80adxhks : 2013-12-19 Foundation for Assistance for Internet Technologies and Infrastructure Development (FAITID) +xn--80adxhks + +// xn--80aqecdr1a : 2015-10-21 Pontificium Consilium de Comunicationibus Socialibus (PCCS) (Pontifical Council for Social Communication) +xn--80aqecdr1a + +// xn--80asehdb : 2013-07-14 CORE Association +xn--80asehdb + +// xn--80aswg : 2013-07-14 CORE Association +xn--80aswg + +// xn--8y0a063a : 2015-03-26 China United Network Communications Corporation Limited +xn--8y0a063a + +// xn--9dbq2a : 2015-01-15 VeriSign Sarl +xn--9dbq2a + +// xn--9et52u : 2014-06-12 RISE VICTORY LIMITED +xn--9et52u + +// xn--9krt00a : 2015-03-12 Sina Corporation +xn--9krt00a + +// xn--b4w605ferd : 2014-08-07 Temasek Holdings (Private) Limited +xn--b4w605ferd + +// xn--bck1b9a5dre4c : 2015-02-26 Amazon Registry Services, Inc. 
+xn--bck1b9a5dre4c + +// xn--c1avg : 2013-11-14 Public Interest Registry +xn--c1avg + +// xn--c2br7g : 2015-01-15 VeriSign Sarl +xn--c2br7g + +// xn--cck2b3b : 2015-02-26 Amazon Registry Services, Inc. +xn--cck2b3b + +// xn--cckwcxetd : 2019-12-19 Amazon Registry Services, Inc. +xn--cckwcxetd + +// xn--cg4bki : 2013-09-27 SAMSUNG SDS CO., LTD +xn--cg4bki + +// xn--czr694b : 2014-01-16 Internet DotTrademark Organisation Limited +xn--czr694b + +// xn--czrs0t : 2013-12-19 Binky Moon, LLC +xn--czrs0t + +// xn--czru2d : 2013-11-21 Zodiac Aquarius Limited +xn--czru2d + +// xn--d1acj3b : 2013-11-20 The Foundation for Network Initiatives “The Smart Internet†+xn--d1acj3b + +// xn--eckvdtc9d : 2014-12-18 Amazon Registry Services, Inc. +xn--eckvdtc9d + +// xn--efvy88h : 2014-08-22 Guangzhou YU Wei Information Technology Co., Ltd. +xn--efvy88h + +// xn--fct429k : 2015-04-09 Amazon Registry Services, Inc. +xn--fct429k + +// xn--fhbei : 2015-01-15 VeriSign Sarl +xn--fhbei + +// xn--fiq228c5hs : 2013-09-08 TLD REGISTRY LIMITED OY +xn--fiq228c5hs + +// xn--fiq64b : 2013-10-14 CITIC Group Corporation +xn--fiq64b + +// xn--fjq720a : 2014-05-22 Binky Moon, LLC +xn--fjq720a + +// xn--flw351e : 2014-07-31 Charleston Road Registry Inc. +xn--flw351e + +// xn--fzys8d69uvgm : 2015-05-14 PCCW Enterprises Limited +xn--fzys8d69uvgm + +// xn--g2xx48c : 2015-01-30 Nawang Heli(Xiamen) Network Service Co., LTD. +xn--g2xx48c + +// xn--gckr3f0f : 2015-02-26 Amazon Registry Services, Inc. +xn--gckr3f0f + +// xn--gk3at1e : 2015-10-08 Amazon Registry Services, Inc. 
+xn--gk3at1e + +// xn--hxt814e : 2014-05-15 Zodiac Taurus Limited +xn--hxt814e + +// xn--i1b6b1a6a2e : 2013-11-14 Public Interest Registry +xn--i1b6b1a6a2e + +// xn--imr513n : 2014-12-11 Internet DotTrademark Organisation Limited +xn--imr513n + +// xn--io0a7i : 2013-11-14 China Internet Network Information Center (CNNIC) +xn--io0a7i + +// xn--j1aef : 2015-01-15 VeriSign Sarl +xn--j1aef + +// xn--jlq480n2rg : 2019-12-19 Amazon Registry Services, Inc. +xn--jlq480n2rg + +// xn--jlq61u9w7b : 2015-01-08 Nokia Corporation +xn--jlq61u9w7b + +// xn--jvr189m : 2015-02-26 Amazon Registry Services, Inc. +xn--jvr189m + +// xn--kcrx77d1x4a : 2014-11-07 Koninklijke Philips N.V. +xn--kcrx77d1x4a + +// xn--kput3i : 2014-02-13 Beijing RITT-Net Technology Development Co., Ltd +xn--kput3i + +// xn--mgba3a3ejt : 2014-11-20 Aramco Services Company +xn--mgba3a3ejt + +// xn--mgba7c0bbn0a : 2015-05-14 Crescent Holding GmbH +xn--mgba7c0bbn0a + +// xn--mgbaakc7dvf : 2015-09-03 Emirates Telecommunications Corporation (trading as Etisalat) +xn--mgbaakc7dvf + +// xn--mgbab2bd : 2013-10-31 CORE Association +xn--mgbab2bd + +// xn--mgbca7dzdo : 2015-07-30 Abu Dhabi Systems and Information Centre +xn--mgbca7dzdo + +// xn--mgbi4ecexp : 2015-10-21 Pontificium Consilium de Comunicationibus Socialibus (PCCS) (Pontifical Council for Social Communication) +xn--mgbi4ecexp + +// xn--mgbt3dhd : 2014-09-04 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti. +xn--mgbt3dhd + +// xn--mk1bu44c : 2015-01-15 VeriSign Sarl +xn--mk1bu44c + +// xn--mxtq1m : 2014-03-06 Net-Chinese Co., Ltd. +xn--mxtq1m + +// xn--ngbc5azd : 2013-07-13 International Domain Registry Pty. Ltd. 
+xn--ngbc5azd + +// xn--ngbe9e0a : 2014-12-04 Kuwait Finance House +xn--ngbe9e0a + +// xn--ngbrx : 2015-11-12 League of Arab States +xn--ngbrx + +// xn--nqv7f : 2013-11-14 Public Interest Registry +xn--nqv7f + +// xn--nqv7fs00ema : 2013-11-14 Public Interest Registry +xn--nqv7fs00ema + +// xn--nyqy26a : 2014-11-07 Stable Tone Limited +xn--nyqy26a + +// xn--otu796d : 2017-08-06 Jiang Yu Liang Cai Technology Company Limited +xn--otu796d + +// xn--p1acf : 2013-12-12 Rusnames Limited +xn--p1acf + +// xn--pssy2u : 2015-01-15 VeriSign Sarl +xn--pssy2u + +// xn--q9jyb4c : 2013-09-17 Charleston Road Registry Inc. +xn--q9jyb4c + +// xn--qcka1pmc : 2014-07-31 Charleston Road Registry Inc. +xn--qcka1pmc + +// xn--rhqv96g : 2013-09-11 Stable Tone Limited +xn--rhqv96g + +// xn--rovu88b : 2015-02-26 Amazon Registry Services, Inc. +xn--rovu88b + +// xn--ses554g : 2014-01-16 KNET Co., Ltd. +xn--ses554g + +// xn--t60b56a : 2015-01-15 VeriSign Sarl +xn--t60b56a + +// xn--tckwe : 2015-01-15 VeriSign Sarl +xn--tckwe + +// xn--tiq49xqyj : 2015-10-21 Pontificium Consilium de Comunicationibus Socialibus (PCCS) (Pontifical Council for Social Communication) +xn--tiq49xqyj + +// xn--unup4y : 2013-07-14 Binky Moon, LLC +xn--unup4y + +// xn--vermgensberater-ctb : 2014-06-23 Deutsche Vermögensberatung Aktiengesellschaft DVAG +xn--vermgensberater-ctb + +// xn--vermgensberatung-pwb : 2014-06-23 Deutsche Vermögensberatung Aktiengesellschaft DVAG +xn--vermgensberatung-pwb + +// xn--vhquv : 2013-08-27 Binky Moon, LLC +xn--vhquv + +// xn--vuq861b : 2014-10-16 Beijing Tele-info Network Technology Co., Ltd. +xn--vuq861b + +// xn--w4r85el8fhu5dnra : 2015-04-30 Kerry Trading Co. Limited +xn--w4r85el8fhu5dnra + +// xn--w4rs40l : 2015-07-30 Kerry Trading Co. Limited +xn--w4rs40l + +// xn--xhq521b : 2013-11-14 Guangzhou YU Wei Information Technology Co., Ltd. 
+xn--xhq521b + +// xn--zfr164b : 2013-11-08 China Organizational Name Administration Center +xn--zfr164b + +// xyz : 2013-12-05 XYZ.COM LLC +xyz + +// yachts : 2014-01-09 XYZ.COM LLC +yachts + +// yahoo : 2015-04-02 Oath Inc. +yahoo + +// yamaxun : 2014-12-18 Amazon Registry Services, Inc. +yamaxun + +// yandex : 2014-04-10 Yandex Europe B.V. +yandex + +// yodobashi : 2014-11-20 YODOBASHI CAMERA CO.,LTD. +yodobashi + +// yoga : 2014-05-29 Registry Services, LLC +yoga + +// yokohama : 2013-12-12 GMO Registry, Inc. +yokohama + +// you : 2015-04-09 Amazon Registry Services, Inc. +you + +// youtube : 2014-05-01 Charleston Road Registry Inc. +youtube + +// yun : 2015-01-08 Beijing Qihu Keji Co., Ltd. +yun + +// zappos : 2015-06-25 Amazon Registry Services, Inc. +zappos + +// zara : 2014-11-07 Industria de Diseño Textil, S.A. (INDITEX, S.A.) +zara + +// zero : 2014-12-18 Amazon Registry Services, Inc. +zero + +// zip : 2014-05-08 Charleston Road Registry Inc. +zip + +// zone : 2013-11-14 Binky Moon, LLC +zone + +// zuerich : 2014-11-07 Kanton Zürich (Canton of Zurich) +zuerich + + +// ===END ICANN DOMAINS=== +// ===BEGIN PRIVATE DOMAINS=== +// (Note: these are in alphabetical order by company name) + +// 1GB LLC : https://www.1gb.ua/ +// Submitted by 1GB LLC +cc.ua +inf.ua +ltd.ua + +// 611coin : https://611project.org/ +611.to + +// Aaron Marais' Gitlab pages: https://lab.aaronleem.co.za +// Submitted by Aaron Marais +graphox.us + +// accesso Technology Group, plc. : https://accesso.com/ +// Submitted by accesso Team +*.devcdnaccesso.com + +// Acorn Labs : https://acorn.io +// Submitted by Craig Jellick +*.on-acorn.io + +// Adobe : https://www.adobe.com/ +// Submitted by Ian Boston and Lars Trieloff +adobeaemcloud.com +*.dev.adobeaemcloud.com +hlx.live +adobeaemcloud.net +hlx.page +hlx3.page + +// Agnat sp. z o.o. 
: https://domena.pl +// Submitted by Przemyslaw Plewa +beep.pl + +// Airkit : https://www.airkit.com/ +// Submitted by Grant Cooksey +airkitapps.com +airkitapps-au.com +airkitapps.eu + +// Aiven: https://aiven.io/ +// Submitted by Etienne Stalmans +aivencloud.com + +// alboto.ca : http://alboto.ca +// Submitted by Anton Avramov +barsy.ca + +// Alces Software Ltd : http://alces-software.com +// Submitted by Mark J. Titorenko +*.compute.estate +*.alces.network + +// all-inkl.com : https://all-inkl.com +// Submitted by Werner Kaltofen +kasserver.com + +// Altervista: https://www.altervista.org +// Submitted by Carlo Cannas +altervista.org + +// alwaysdata : https://www.alwaysdata.com +// Submitted by Cyril +alwaysdata.net + +// Amaze Software : https://amaze.co +// Submitted by Domain Admin +myamaze.net + +// Amazon : https://www.amazon.com/ +// Submitted by AWS Security +// Subsections of Amazon/subsidiaries will appear until "concludes" tag + +// Amazon CloudFront +// Submitted by Donavan Miller +// Reference: 54144616-fd49-4435-8535-19c6a601bdb3 +cloudfront.net + +// Amazon EC2 +// Submitted by Luke Wells +// Reference: 4c38fa71-58ac-4768-99e5-689c1767e537 +*.compute.amazonaws.com +*.compute-1.amazonaws.com +*.compute.amazonaws.com.cn +us-east-1.amazonaws.com + +// Amazon S3 +// Submitted by Luke Wells +// Reference: d068bd97-f0a9-4838-a6d8-954b622ef4ae +s3.cn-north-1.amazonaws.com.cn +s3.dualstack.ap-northeast-1.amazonaws.com +s3.dualstack.ap-northeast-2.amazonaws.com +s3.ap-northeast-2.amazonaws.com +s3-website.ap-northeast-2.amazonaws.com +s3.dualstack.ap-south-1.amazonaws.com +s3.ap-south-1.amazonaws.com +s3-website.ap-south-1.amazonaws.com +s3.dualstack.ap-southeast-1.amazonaws.com +s3.dualstack.ap-southeast-2.amazonaws.com +s3.dualstack.ca-central-1.amazonaws.com +s3.ca-central-1.amazonaws.com +s3-website.ca-central-1.amazonaws.com +s3.dualstack.eu-central-1.amazonaws.com +s3.eu-central-1.amazonaws.com +s3-website.eu-central-1.amazonaws.com 
+s3.dualstack.eu-west-1.amazonaws.com +s3.dualstack.eu-west-2.amazonaws.com +s3.eu-west-2.amazonaws.com +s3-website.eu-west-2.amazonaws.com +s3.dualstack.eu-west-3.amazonaws.com +s3.eu-west-3.amazonaws.com +s3-website.eu-west-3.amazonaws.com +s3.amazonaws.com +s3-ap-northeast-1.amazonaws.com +s3-ap-northeast-2.amazonaws.com +s3-ap-south-1.amazonaws.com +s3-ap-southeast-1.amazonaws.com +s3-ap-southeast-2.amazonaws.com +s3-ca-central-1.amazonaws.com +s3-eu-central-1.amazonaws.com +s3-eu-west-1.amazonaws.com +s3-eu-west-2.amazonaws.com +s3-eu-west-3.amazonaws.com +s3-external-1.amazonaws.com +s3-fips-us-gov-west-1.amazonaws.com +s3-sa-east-1.amazonaws.com +s3-us-east-2.amazonaws.com +s3-us-gov-west-1.amazonaws.com +s3-us-west-1.amazonaws.com +s3-us-west-2.amazonaws.com +s3-website-ap-northeast-1.amazonaws.com +s3-website-ap-southeast-1.amazonaws.com +s3-website-ap-southeast-2.amazonaws.com +s3-website-eu-west-1.amazonaws.com +s3-website-sa-east-1.amazonaws.com +s3-website-us-east-1.amazonaws.com +s3-website-us-west-1.amazonaws.com +s3-website-us-west-2.amazonaws.com +s3.dualstack.sa-east-1.amazonaws.com +s3.dualstack.us-east-1.amazonaws.com +s3.dualstack.us-east-2.amazonaws.com +s3.us-east-2.amazonaws.com +s3-website.us-east-2.amazonaws.com + +// AWS Cloud9 +// Submitted by: AWS Security +// Reference: 2b6dfa9a-3a7f-4367-b2e7-0321e77c0d59 +vfs.cloud9.af-south-1.amazonaws.com +webview-assets.cloud9.af-south-1.amazonaws.com +vfs.cloud9.ap-east-1.amazonaws.com +webview-assets.cloud9.ap-east-1.amazonaws.com +vfs.cloud9.ap-northeast-1.amazonaws.com +webview-assets.cloud9.ap-northeast-1.amazonaws.com +vfs.cloud9.ap-northeast-2.amazonaws.com +webview-assets.cloud9.ap-northeast-2.amazonaws.com +vfs.cloud9.ap-northeast-3.amazonaws.com +webview-assets.cloud9.ap-northeast-3.amazonaws.com +vfs.cloud9.ap-south-1.amazonaws.com +webview-assets.cloud9.ap-south-1.amazonaws.com +vfs.cloud9.ap-southeast-1.amazonaws.com +webview-assets.cloud9.ap-southeast-1.amazonaws.com 
+vfs.cloud9.ap-southeast-2.amazonaws.com +webview-assets.cloud9.ap-southeast-2.amazonaws.com +vfs.cloud9.ca-central-1.amazonaws.com +webview-assets.cloud9.ca-central-1.amazonaws.com +vfs.cloud9.eu-central-1.amazonaws.com +webview-assets.cloud9.eu-central-1.amazonaws.com +vfs.cloud9.eu-north-1.amazonaws.com +webview-assets.cloud9.eu-north-1.amazonaws.com +vfs.cloud9.eu-south-1.amazonaws.com +webview-assets.cloud9.eu-south-1.amazonaws.com +vfs.cloud9.eu-west-1.amazonaws.com +webview-assets.cloud9.eu-west-1.amazonaws.com +vfs.cloud9.eu-west-2.amazonaws.com +webview-assets.cloud9.eu-west-2.amazonaws.com +vfs.cloud9.eu-west-3.amazonaws.com +webview-assets.cloud9.eu-west-3.amazonaws.com +vfs.cloud9.me-south-1.amazonaws.com +webview-assets.cloud9.me-south-1.amazonaws.com +vfs.cloud9.sa-east-1.amazonaws.com +webview-assets.cloud9.sa-east-1.amazonaws.com +vfs.cloud9.us-east-1.amazonaws.com +webview-assets.cloud9.us-east-1.amazonaws.com +vfs.cloud9.us-east-2.amazonaws.com +webview-assets.cloud9.us-east-2.amazonaws.com +vfs.cloud9.us-west-1.amazonaws.com +webview-assets.cloud9.us-west-1.amazonaws.com +vfs.cloud9.us-west-2.amazonaws.com +webview-assets.cloud9.us-west-2.amazonaws.com + +// AWS Elastic Beanstalk +// Submitted by Luke Wells +// Reference: aa202394-43a0-4857-b245-8db04549137e +cn-north-1.eb.amazonaws.com.cn +cn-northwest-1.eb.amazonaws.com.cn +elasticbeanstalk.com +ap-northeast-1.elasticbeanstalk.com +ap-northeast-2.elasticbeanstalk.com +ap-northeast-3.elasticbeanstalk.com +ap-south-1.elasticbeanstalk.com +ap-southeast-1.elasticbeanstalk.com +ap-southeast-2.elasticbeanstalk.com +ca-central-1.elasticbeanstalk.com +eu-central-1.elasticbeanstalk.com +eu-west-1.elasticbeanstalk.com +eu-west-2.elasticbeanstalk.com +eu-west-3.elasticbeanstalk.com +sa-east-1.elasticbeanstalk.com +us-east-1.elasticbeanstalk.com +us-east-2.elasticbeanstalk.com +us-gov-west-1.elasticbeanstalk.com +us-west-1.elasticbeanstalk.com +us-west-2.elasticbeanstalk.com + +// (AWS) Elastic Load 
Balancing +// Submitted by Luke Wells +// Reference: 12a3d528-1bac-4433-a359-a395867ffed2 +*.elb.amazonaws.com.cn +*.elb.amazonaws.com + +// AWS Global Accelerator +// Submitted by Daniel Massaguer +// Reference: d916759d-a08b-4241-b536-4db887383a6a +awsglobalaccelerator.com + +// eero +// Submitted by Yue Kang +// Reference: 264afe70-f62c-4c02-8ab9-b5281ed24461 +eero.online +eero-stage.online + +// concludes Amazon + +// Amune : https://amune.org/ +// Submitted by Team Amune +t3l3p0rt.net +tele.amune.org + +// Apigee : https://apigee.com/ +// Submitted by Apigee Security Team +apigee.io + +// Apphud : https://apphud.com +// Submitted by Alexander Selivanov +siiites.com + +// Appspace : https://www.appspace.com +// Submitted by Appspace Security Team +appspacehosted.com +appspaceusercontent.com + +// Appudo UG (haftungsbeschränkt) : https://www.appudo.com +// Submitted by Alexander Hochbaum +appudo.net + +// Aptible : https://www.aptible.com/ +// Submitted by Thomas Orozco +on-aptible.com + +// ASEINet : https://www.aseinet.com/ +// Submitted by Asei SEKIGUCHI +user.aseinet.ne.jp +gv.vc +d.gv.vc + +// Asociación Amigos de la Informática "Euskalamiga" : http://encounter.eus/ +// Submitted by Hector Martin +user.party.eus + +// Association potager.org : https://potager.org/ +// Submitted by Lunar +pimienta.org +poivron.org +potager.org +sweetpepper.org + +// ASUSTOR Inc. : http://www.asustor.com +// Submitted by Vincent Tseng +myasustor.com + +// Atlassian : https://atlassian.com +// Submitted by Sam Smyth +cdn.prod.atlassian-dev.net + +// Authentick UG (haftungsbeschränkt) : https://authentick.net +// Submitted by Lukas Reschke +translated.page + +// AVM : https://avm.de +// Submitted by Andreas Weise +myfritz.net + +// AVStack Pte. Ltd. : https://avstack.io +// Submitted by Jasper Hugo +onavstack.net + +// AW AdvisorWebsites.com Software Inc : https://advisorwebsites.com +// Submitted by James Kennedy +*.awdev.ca +*.advisor.ws + +// AZ.pl sp. 
z.o.o: https://az.pl +// Submitted by Krzysztof Wolski +ecommerce-shop.pl + +// b-data GmbH : https://www.b-data.io +// Submitted by Olivier Benz +b-data.io + +// backplane : https://www.backplane.io +// Submitted by Anthony Voutas +backplaneapp.io + +// Balena : https://www.balena.io +// Submitted by Petros Angelatos +balena-devices.com + +// University of Banja Luka : https://unibl.org +// Domains for Republic of Srpska administrative entity. +// Submitted by Marko Ivanovic +rs.ba + +// Banzai Cloud +// Submitted by Janos Matyas +*.banzai.cloud +app.banzaicloud.io +*.backyards.banzaicloud.io + +// BASE, Inc. : https://binc.jp +// Submitted by Yuya NAGASAWA +base.ec +official.ec +buyshop.jp +fashionstore.jp +handcrafted.jp +kawaiishop.jp +supersale.jp +theshop.jp +shopselect.net +base.shop + +// BeagleBoard.org Foundation : https://beagleboard.org +// Submitted by Jason Kridner +beagleboard.io + +// Beget Ltd +// Submitted by Lev Nekrasov +*.beget.app + +// BetaInABox +// Submitted by Adrian +betainabox.com + +// BinaryLane : http://www.binarylane.com +// Submitted by Nathan O'Sullivan +bnr.la + +// Bitbucket : http://bitbucket.org +// Submitted by Andy Ortlieb +bitbucket.io + +// Blackbaud, Inc. 
: https://www.blackbaud.com +// Submitted by Paul Crowder +blackbaudcdn.net + +// Blatech : http://www.blatech.net +// Submitted by Luke Bratch +of.je + +// Blue Bite, LLC : https://bluebite.com +// Submitted by Joshua Weiss +bluebite.io + +// Boomla : https://boomla.com +// Submitted by Tibor Halter +boomla.net + +// Boutir : https://www.boutir.com +// Submitted by Eric Ng Ka Ka +boutir.com + +// Boxfuse : https://boxfuse.com +// Submitted by Axel Fontaine +boxfuse.io + +// bplaced : https://www.bplaced.net/ +// Submitted by Miroslav Bozic +square7.ch +bplaced.com +bplaced.de +square7.de +bplaced.net +square7.net + +// Brendly : https://brendly.rs +// Submitted by Dusan Radovanovic +shop.brendly.rs + +// BrowserSafetyMark +// Submitted by Dave Tharp +browsersafetymark.io + +// Bytemark Hosting : https://www.bytemark.co.uk +// Submitted by Paul Cammish +uk0.bigv.io +dh.bytemark.co.uk +vm.bytemark.co.uk + +// Caf.js Labs LLC : https://www.cafjs.com +// Submitted by Antonio Lain +cafjs.com + +// callidomus : https://www.callidomus.com/ +// Submitted by Marcus Popp +mycd.eu + +// Carrd : https://carrd.co +// Submitted by AJ +drr.ac +uwu.ai +carrd.co +crd.co +ju.mp + +// CentralNic : http://www.centralnic.com/names/domains +// Submitted by registry +ae.org +br.com +cn.com +com.de +com.se +de.com +eu.com +gb.net +hu.net +jp.net +jpn.com +mex.com +ru.com +sa.com +se.net +uk.com +uk.net +us.com +za.bz +za.com + +// No longer operated by CentralNic, these entries should be adopted and/or removed by current operators +// Submitted by Gavin Brown +ar.com +hu.com +kr.com +no.com +qc.com +uy.com + +// Africa.com Web Solutions Ltd : https://registry.africa.com +// Submitted by Gavin Brown +africa.com + +// iDOT Services Limited : http://www.domain.gr.com +// Submitted by Gavin Brown +gr.com + +// Radix FZC : http://domains.in.net +// Submitted by Gavin Brown +in.net +web.in + +// US REGISTRY LLC : http://us.org +// Submitted by Gavin Brown +us.org + +// co.com Registry, LLC : 
https://registry.co.com +// Submitted by Gavin Brown +co.com + +// Roar Domains LLC : https://roar.basketball/ +// Submitted by Gavin Brown +aus.basketball +nz.basketball + +// BRS Media : https://brsmedia.com/ +// Submitted by Gavin Brown +radio.am +radio.fm + +// c.la : http://www.c.la/ +c.la + +// certmgr.org : https://certmgr.org +// Submitted by B. Blechschmidt +certmgr.org + +// Cityhost LLC : https://cityhost.ua +// Submitted by Maksym Rivtin +cx.ua + +// Civilized Discourse Construction Kit, Inc. : https://www.discourse.org/ +// Submitted by Rishabh Nambiar & Michael Brown +discourse.group +discourse.team + +// Clever Cloud : https://www.clever-cloud.com/ +// Submitted by Quentin Adam +cleverapps.io + +// Clerk : https://www.clerk.dev +// Submitted by Colin Sidoti +clerk.app +clerkstage.app +*.lcl.dev +*.lclstage.dev +*.stg.dev +*.stgstage.dev + +// ClickRising : https://clickrising.com/ +// Submitted by Umut Gumeli +clickrising.net + +// Cloud66 : https://www.cloud66.com/ +// Submitted by Khash Sajadi +c66.me +cloud66.ws +cloud66.zone + +// CloudAccess.net : https://www.cloudaccess.net/ +// Submitted by Pawel Panek +jdevcloud.com +wpdevcloud.com +cloudaccess.host +freesite.host +cloudaccess.net + +// cloudControl : https://www.cloudcontrol.com/ +// Submitted by Tobias Wilken +cloudcontrolled.com +cloudcontrolapp.com + +// Cloudera, Inc. : https://www.cloudera.com/ +// Submitted by Kedarnath Waikar +*.cloudera.site + +// Cloudflare, Inc. : https://www.cloudflare.com/ +// Submitted by Cloudflare Team +pages.dev +trycloudflare.com +workers.dev + +// Clovyr : https://clovyr.io +// Submitted by Patrick Nielsen +wnext.app + +// co.ca : http://registry.co.ca/ +co.ca + +// Co & Co : https://co-co.nl/ +// Submitted by Govert Versluis +*.otap.co + +// i-registry s.r.o. 
: http://www.i-registry.cz/ +// Submitted by Martin Semrad +co.cz + +// CDN77.com : http://www.cdn77.com +// Submitted by Jan Krpes +c.cdn77.org +cdn77-ssl.net +r.cdn77.net +rsc.cdn77.org +ssl.origin.cdn77-secure.org + +// Cloud DNS Ltd : http://www.cloudns.net +// Submitted by Aleksander Hristov +cloudns.asia +cloudns.biz +cloudns.club +cloudns.cc +cloudns.eu +cloudns.in +cloudns.info +cloudns.org +cloudns.pro +cloudns.pw +cloudns.us + +// CNPY : https://cnpy.gdn +// Submitted by Angelo Gladding +cnpy.gdn + +// Codeberg e. V. : https://codeberg.org +// Submitted by Moritz Marquardt +codeberg.page + +// CoDNS B.V. +co.nl +co.no + +// Combell.com : https://www.combell.com +// Submitted by Thomas Wouters +webhosting.be +hosting-cluster.nl + +// Coordination Center for TLD RU and XN--P1AI : https://cctld.ru/en/domains/domens_ru/reserved/ +// Submitted by George Georgievsky +ac.ru +edu.ru +gov.ru +int.ru +mil.ru +test.ru + +// COSIMO GmbH : http://www.cosimo.de +// Submitted by Rene Marticke +dyn.cosidns.de +dynamisches-dns.de +dnsupdater.de +internet-dns.de +l-o-g-i-n.de +dynamic-dns.info +feste-ip.net +knx-server.net +static-access.net + +// Craynic, s.r.o. 
: http://www.craynic.com/ +// Submitted by Ales Krajnik +realm.cz + +// Cryptonomic : https://cryptonomic.net/ +// Submitted by Andrew Cady +*.cryptonomic.net + +// Cupcake : https://cupcake.io/ +// Submitted by Jonathan Rudenberg +cupcake.is + +// Curv UG : https://curv-labs.de/ +// Submitted by Marvin Wiesner +curv.dev + +// Customer OCI - Oracle Dyn https://cloud.oracle.com/home https://dyn.com/dns/ +// Submitted by Gregory Drake +// Note: This is intended to also include customer-oci.com due to wildcards implicitly including the current label +*.customer-oci.com +*.oci.customer-oci.com +*.ocp.customer-oci.com +*.ocs.customer-oci.com + +// cyon GmbH : https://www.cyon.ch/ +// Submitted by Dominic Luechinger +cyon.link +cyon.site + +// Danger Science Group: https://dangerscience.com/ +// Submitted by Skylar MacDonald +fnwk.site +folionetwork.site +platform0.app + +// Daplie, Inc : https://daplie.com +// Submitted by AJ ONeal +daplie.me +localhost.daplie.me + +// Datto, Inc. : https://www.datto.com/ +// Submitted by Philipp Heckel +dattolocal.com +dattorelay.com +dattoweb.com +mydatto.com +dattolocal.net +mydatto.net + +// Dansk.net : http://www.dansk.net/ +// Submitted by Anani Voule +biz.dk +co.dk +firm.dk +reg.dk +store.dk + +// dappnode.io : https://dappnode.io/ +// Submitted by Abel Boldu / DAppNode Team +dyndns.dappnode.io + +// dapps.earth : https://dapps.earth/ +// Submitted by Daniil Burdakov +*.dapps.earth +*.bzz.dapps.earth + +// Dark, Inc. : https://darklang.com +// Submitted by Paul Biggar +builtwithdark.com + +// DataDetect, LLC. 
: https://datadetect.com +// Submitted by Andrew Banchich +demo.datadetect.com +instance.datadetect.com + +// Datawire, Inc : https://www.datawire.io +// Submitted by Richard Li +edgestack.me + +// DDNS5 : https://ddns5.com +// Submitted by Cameron Elliott +ddns5.com + +// Debian : https://www.debian.org/ +// Submitted by Peter Palfrader / Debian Sysadmin Team +debian.net + +// Deno Land Inc : https://deno.com/ +// Submitted by Luca Casonato +deno.dev +deno-staging.dev + +// deSEC : https://desec.io/ +// Submitted by Peter Thomassen +dedyn.io + +// Deta: https://www.deta.sh/ +// Submitted by Aavash Shrestha +deta.app +deta.dev + +// Diher Solutions : https://diher.solutions +// Submitted by Didi Hermawan +*.rss.my.id +*.diher.solutions + +// Discord Inc : https://discord.com +// Submitted by Sahn Lam +discordsays.com +discordsez.com + +// DNS Africa Ltd https://dns.business +// Submitted by Calvin Browne +jozi.biz + +// DNShome : https://www.dnshome.de/ +// Submitted by Norbert Auler +dnshome.de + +// DotArai : https://www.dotarai.com/ +// Submitted by Atsadawat Netcharadsang +online.th +shop.th + +// DrayTek Corp. : https://www.draytek.com/ +// Submitted by Paul Fang +drayddns.com + +// DreamCommerce : https://shoper.pl/ +// Submitted by Konrad Kotarba +shoparena.pl + +// DreamHost : http://www.dreamhost.com/ +// Submitted by Andrew Farmer +dreamhosters.com + +// Drobo : http://www.drobo.com/ +// Submitted by Ricardo Padilha +mydrobo.com + +// Drud Holdings, LLC. 
: https://www.drud.com/ +// Submitted by Kevin Bridges +drud.io +drud.us + +// DuckDNS : http://www.duckdns.org/ +// Submitted by Richard Harper +duckdns.org + +// Bip : https://bip.sh +// Submitted by Joel Kennedy +bip.sh + +// bitbridge.net : Submitted by Craig Welch, abeliidev@gmail.com +bitbridge.net + +// dy.fi : http://dy.fi/ +// Submitted by Heikki Hannikainen +dy.fi +tunk.org + +// DynDNS.com : http://www.dyndns.com/services/dns/dyndns/ +dyndns-at-home.com +dyndns-at-work.com +dyndns-blog.com +dyndns-free.com +dyndns-home.com +dyndns-ip.com +dyndns-mail.com +dyndns-office.com +dyndns-pics.com +dyndns-remote.com +dyndns-server.com +dyndns-web.com +dyndns-wiki.com +dyndns-work.com +dyndns.biz +dyndns.info +dyndns.org +dyndns.tv +at-band-camp.net +ath.cx +barrel-of-knowledge.info +barrell-of-knowledge.info +better-than.tv +blogdns.com +blogdns.net +blogdns.org +blogsite.org +boldlygoingnowhere.org +broke-it.net +buyshouses.net +cechire.com +dnsalias.com +dnsalias.net +dnsalias.org +dnsdojo.com +dnsdojo.net +dnsdojo.org +does-it.net +doesntexist.com +doesntexist.org +dontexist.com +dontexist.net +dontexist.org +doomdns.com +doomdns.org +dvrdns.org +dyn-o-saur.com +dynalias.com +dynalias.net +dynalias.org +dynathome.net +dyndns.ws +endofinternet.net +endofinternet.org +endoftheinternet.org +est-a-la-maison.com +est-a-la-masion.com +est-le-patron.com +est-mon-blogueur.com +for-better.biz +for-more.biz +for-our.info +for-some.biz +for-the.biz +forgot.her.name +forgot.his.name +from-ak.com +from-al.com +from-ar.com +from-az.net +from-ca.com +from-co.net +from-ct.com +from-dc.com +from-de.com +from-fl.com +from-ga.com +from-hi.com +from-ia.com +from-id.com +from-il.com +from-in.com +from-ks.com +from-ky.com +from-la.net +from-ma.com +from-md.com +from-me.org +from-mi.com +from-mn.com +from-mo.com +from-ms.com +from-mt.com +from-nc.com +from-nd.com +from-ne.com +from-nh.com +from-nj.com +from-nm.com +from-nv.com +from-ny.net +from-oh.com +from-ok.com +from-or.com 
+from-pa.com +from-pr.com +from-ri.com +from-sc.com +from-sd.com +from-tn.com +from-tx.com +from-ut.com +from-va.com +from-vt.com +from-wa.com +from-wi.com +from-wv.com +from-wy.com +ftpaccess.cc +fuettertdasnetz.de +game-host.org +game-server.cc +getmyip.com +gets-it.net +go.dyndns.org +gotdns.com +gotdns.org +groks-the.info +groks-this.info +ham-radio-op.net +here-for-more.info +hobby-site.com +hobby-site.org +home.dyndns.org +homedns.org +homeftp.net +homeftp.org +homeip.net +homelinux.com +homelinux.net +homelinux.org +homeunix.com +homeunix.net +homeunix.org +iamallama.com +in-the-band.net +is-a-anarchist.com +is-a-blogger.com +is-a-bookkeeper.com +is-a-bruinsfan.org +is-a-bulls-fan.com +is-a-candidate.org +is-a-caterer.com +is-a-celticsfan.org +is-a-chef.com +is-a-chef.net +is-a-chef.org +is-a-conservative.com +is-a-cpa.com +is-a-cubicle-slave.com +is-a-democrat.com +is-a-designer.com +is-a-doctor.com +is-a-financialadvisor.com +is-a-geek.com +is-a-geek.net +is-a-geek.org +is-a-green.com +is-a-guru.com +is-a-hard-worker.com +is-a-hunter.com +is-a-knight.org +is-a-landscaper.com +is-a-lawyer.com +is-a-liberal.com +is-a-libertarian.com +is-a-linux-user.org +is-a-llama.com +is-a-musician.com +is-a-nascarfan.com +is-a-nurse.com +is-a-painter.com +is-a-patsfan.org +is-a-personaltrainer.com +is-a-photographer.com +is-a-player.com +is-a-republican.com +is-a-rockstar.com +is-a-socialist.com +is-a-soxfan.org +is-a-student.com +is-a-teacher.com +is-a-techie.com +is-a-therapist.com +is-an-accountant.com +is-an-actor.com +is-an-actress.com +is-an-anarchist.com +is-an-artist.com +is-an-engineer.com +is-an-entertainer.com +is-by.us +is-certified.com +is-found.org +is-gone.com +is-into-anime.com +is-into-cars.com +is-into-cartoons.com +is-into-games.com +is-leet.com +is-lost.org +is-not-certified.com +is-saved.org +is-slick.com +is-uberleet.com +is-very-bad.org +is-very-evil.org +is-very-good.org +is-very-nice.org +is-very-sweet.org +is-with-theband.com +isa-geek.com 
+isa-geek.net +isa-geek.org +isa-hockeynut.com +issmarterthanyou.com +isteingeek.de +istmein.de +kicks-ass.net +kicks-ass.org +knowsitall.info +land-4-sale.us +lebtimnetz.de +leitungsen.de +likes-pie.com +likescandy.com +merseine.nu +mine.nu +misconfused.org +mypets.ws +myphotos.cc +neat-url.com +office-on-the.net +on-the-web.tv +podzone.net +podzone.org +readmyblog.org +saves-the-whales.com +scrapper-site.net +scrapping.cc +selfip.biz +selfip.com +selfip.info +selfip.net +selfip.org +sells-for-less.com +sells-for-u.com +sells-it.net +sellsyourhome.org +servebbs.com +servebbs.net +servebbs.org +serveftp.net +serveftp.org +servegame.org +shacknet.nu +simple-url.com +space-to-rent.com +stuff-4-sale.org +stuff-4-sale.us +teaches-yoga.com +thruhere.net +traeumtgerade.de +webhop.biz +webhop.info +webhop.net +webhop.org +worse-than.tv +writesthisblog.com + +// ddnss.de : https://www.ddnss.de/ +// Submitted by Robert Niedziela +ddnss.de +dyn.ddnss.de +dyndns.ddnss.de +dyndns1.de +dyn-ip24.de +home-webserver.de +dyn.home-webserver.de +myhome-server.de +ddnss.org + +// Definima : http://www.definima.com/ +// Submitted by Maxence Bitterli +definima.net +definima.io + +// DigitalOcean App Platform : https://www.digitalocean.com/products/app-platform/ +// Submitted by Braxton Huggins +ondigitalocean.app + +// DigitalOcean Spaces : https://www.digitalocean.com/products/spaces/ +// Submitted by Robin H. Johnson +*.digitaloceanspaces.com + +// dnstrace.pro : https://dnstrace.pro/ +// Submitted by Chris Partridge +bci.dnstrace.pro + +// Dynu.com : https://www.dynu.com/ +// Submitted by Sue Ye +ddnsfree.com +ddnsgeek.com +giize.com +gleeze.com +kozow.com +loseyourip.com +ooguy.com +theworkpc.com +casacam.net +dynu.net +accesscam.org +camdvr.org +freeddns.org +mywire.org +webredirect.org +myddns.rocks +blogsite.xyz + +// dynv6 : https://dynv6.com +// Submitted by Dominik Menke +dynv6.net + +// E4YOU spol. s.r.o. 
: https://e4you.cz/ +// Submitted by Vladimir Dudr +e4.cz + +// Easypanel : https://easypanel.io +// Submitted by Andrei Canta +easypanel.app +easypanel.host + +// Elementor : Elementor Ltd. +// Submitted by Anton Barkan +elementor.cloud +elementor.cool + +// En root‽ : https://en-root.org +// Submitted by Emmanuel Raviart +en-root.fr + +// Enalean SAS: https://www.enalean.com +// Submitted by Thomas Cottier +mytuleap.com +tuleap-partners.com + +// Encoretivity AB: https://encore.dev +// Submitted by André Eriksson +encr.app +encoreapi.com + +// ECG Robotics, Inc: https://ecgrobotics.org +// Submitted by +onred.one +staging.onred.one + +// encoway GmbH : https://www.encoway.de +// Submitted by Marcel Daus +eu.encoway.cloud + +// EU.org https://eu.org/ +// Submitted by Pierre Beyssac +eu.org +al.eu.org +asso.eu.org +at.eu.org +au.eu.org +be.eu.org +bg.eu.org +ca.eu.org +cd.eu.org +ch.eu.org +cn.eu.org +cy.eu.org +cz.eu.org +de.eu.org +dk.eu.org +edu.eu.org +ee.eu.org +es.eu.org +fi.eu.org +fr.eu.org +gr.eu.org +hr.eu.org +hu.eu.org +ie.eu.org +il.eu.org +in.eu.org +int.eu.org +is.eu.org +it.eu.org +jp.eu.org +kr.eu.org +lt.eu.org +lu.eu.org +lv.eu.org +mc.eu.org +me.eu.org +mk.eu.org +mt.eu.org +my.eu.org +net.eu.org +ng.eu.org +nl.eu.org +no.eu.org +nz.eu.org +paris.eu.org +pl.eu.org +pt.eu.org +q-a.eu.org +ro.eu.org +ru.eu.org +se.eu.org +si.eu.org +sk.eu.org +tr.eu.org +uk.eu.org +us.eu.org + +// Eurobyte : https://eurobyte.ru +// Submitted by Evgeniy Subbotin +eurodir.ru + +// Evennode : http://www.evennode.com/ +// Submitted by Michal Kralik +eu-1.evennode.com +eu-2.evennode.com +eu-3.evennode.com +eu-4.evennode.com +us-1.evennode.com +us-2.evennode.com +us-3.evennode.com +us-4.evennode.com + +// eDirect Corp. : https://hosting.url.com.tw/ +// Submitted by C.S. chang +twmail.cc +twmail.net +twmail.org +mymailer.com.tw +url.tw + +// Fabrica Technologies, Inc. : https://www.fabrica.dev/ +// Submitted by Eric Jiang +onfabrica.com + +// Facebook, Inc. 
+// Submitted by Peter Ruibal +apps.fbsbx.com + +// FAITID : https://faitid.org/ +// Submitted by Maxim Alzoba +// https://www.flexireg.net/stat_info +ru.net +adygeya.ru +bashkiria.ru +bir.ru +cbg.ru +com.ru +dagestan.ru +grozny.ru +kalmykia.ru +kustanai.ru +marine.ru +mordovia.ru +msk.ru +mytis.ru +nalchik.ru +nov.ru +pyatigorsk.ru +spb.ru +vladikavkaz.ru +vladimir.ru +abkhazia.su +adygeya.su +aktyubinsk.su +arkhangelsk.su +armenia.su +ashgabad.su +azerbaijan.su +balashov.su +bashkiria.su +bryansk.su +bukhara.su +chimkent.su +dagestan.su +east-kazakhstan.su +exnet.su +georgia.su +grozny.su +ivanovo.su +jambyl.su +kalmykia.su +kaluga.su +karacol.su +karaganda.su +karelia.su +khakassia.su +krasnodar.su +kurgan.su +kustanai.su +lenug.su +mangyshlak.su +mordovia.su +msk.su +murmansk.su +nalchik.su +navoi.su +north-kazakhstan.su +nov.su +obninsk.su +penza.su +pokrovsk.su +sochi.su +spb.su +tashkent.su +termez.su +togliatti.su +troitsk.su +tselinograd.su +tula.su +tuva.su +vladikavkaz.su +vladimir.su +vologda.su + +// Fancy Bits, LLC : http://getchannels.com +// Submitted by Aman Gupta +channelsdvr.net +u.channelsdvr.net + +// Fastly Inc. : http://www.fastly.com/ +// Submitted by Fastly Security +edgecompute.app +fastly-terrarium.com +fastlylb.net +map.fastlylb.net +freetls.fastly.net +map.fastly.net +a.prod.fastly.net +global.prod.fastly.net +a.ssl.fastly.net +b.ssl.fastly.net +global.ssl.fastly.net + +// Fastmail : https://www.fastmail.com/ +// Submitted by Marc Bradshaw +*.user.fm + +// FASTVPS EESTI OU : https://fastvps.ru/ +// Submitted by Likhachev Vasiliy +fastvps-server.com +fastvps.host +myfast.host +fastvps.site +myfast.space + +// Fedora : https://fedoraproject.org/ +// submitted by Patrick Uiterwijk +fedorainfracloud.org +fedorapeople.org +cloud.fedoraproject.org +app.os.fedoraproject.org +app.os.stg.fedoraproject.org + +// FearWorks Media Ltd. 
: https://fearworksmedia.co.uk +// submitted by Keith Fairley +conn.uk +copro.uk +hosp.uk + +// Fermax : https://fermax.com/ +// submitted by Koen Van Isterdael +mydobiss.com + +// FH Muenster : https://www.fh-muenster.de +// Submitted by Robin Naundorf +fh-muenster.io + +// Filegear Inc. : https://www.filegear.com +// Submitted by Jason Zhu +filegear.me +filegear-au.me +filegear-de.me +filegear-gb.me +filegear-ie.me +filegear-jp.me +filegear-sg.me + +// Firebase, Inc. +// Submitted by Chris Raynor +firebaseapp.com + +// Firewebkit : https://www.firewebkit.com +// Submitted by Majid Qureshi +fireweb.app + +// FLAP : https://www.flap.cloud +// Submitted by Louis Chemineau +flap.id + +// FlashDrive : https://flashdrive.io +// Submitted by Eric Chan +onflashdrive.app +fldrv.com + +// fly.io: https://fly.io +// Submitted by Kurt Mackey +fly.dev +edgeapp.net +shw.io + +// Flynn : https://flynn.io +// Submitted by Jonathan Rudenberg +flynnhosting.net + +// Forgerock : https://www.forgerock.com +// Submitted by Roderick Parr +forgeblocks.com +id.forgerock.io + +// Framer : https://www.framer.com +// Submitted by Koen Rouwhorst +framer.app +framercanvas.com +framer.media +framer.photos +framer.website +framer.wiki + +// Frusky MEDIA&PR : https://www.frusky.de +// Submitted by Victor Pupynin +*.frusky.de + +// RavPage : https://www.ravpage.co.il +// Submitted by Roni Horowitz +ravpage.co.il + +// Frederik Braun https://frederik-braun.com +// Submitted by Frederik Braun +0e.vc + +// Freebox : http://www.freebox.fr +// Submitted by Romain Fliedel +freebox-os.com +freeboxos.com +fbx-os.fr +fbxos.fr +freebox-os.fr +freeboxos.fr + +// freedesktop.org : https://www.freedesktop.org +// Submitted by Daniel Stone +freedesktop.org + +// freemyip.com : https://freemyip.com +// Submitted by Cadence +freemyip.com + +// FunkFeuer - Verein zur Förderung freier Netze : https://www.funkfeuer.at +// Submitted by Daniel A. 
Maierhofer +wien.funkfeuer.at + +// Futureweb OG : http://www.futureweb.at +// Submitted by Andreas Schnederle-Wagner +*.futurecms.at +*.ex.futurecms.at +*.in.futurecms.at +futurehosting.at +futuremailing.at +*.ex.ortsinfo.at +*.kunden.ortsinfo.at +*.statics.cloud + +// GDS : https://www.gov.uk/service-manual/technology/managing-domain-names +// Submitted by Stephen Ford +independent-commission.uk +independent-inquest.uk +independent-inquiry.uk +independent-panel.uk +independent-review.uk +public-inquiry.uk +royal-commission.uk +campaign.gov.uk +service.gov.uk + +// CDDO : https://www.gov.uk/guidance/get-an-api-domain-on-govuk +// Submitted by Jamie Tanna +api.gov.uk + +// Gehirn Inc. : https://www.gehirn.co.jp/ +// Submitted by Kohei YOSHIDA +gehirn.ne.jp +usercontent.jp + +// Gentlent, Inc. : https://www.gentlent.com +// Submitted by Tom Klein +gentapps.com +gentlentapis.com +lab.ms +cdn-edges.net + +// Ghost Foundation : https://ghost.org +// Submitted by Matt Hanley +ghost.io + +// GignoSystemJapan: http://gsj.bz +// Submitted by GignoSystemJapan +gsj.bz + +// GitHub, Inc. +// Submitted by Patrick Toomey +githubusercontent.com +githubpreview.dev +github.io + +// GitLab, Inc. +// Submitted by Alex Hanselka +gitlab.io + +// Gitplac.si - https://gitplac.si +// Submitted by Aljaž Starc +gitapp.si +gitpage.si + +// Glitch, Inc : https://glitch.com +// Submitted by Mads Hartmann +glitch.me + +// Global NOG Alliance : https://nogalliance.org/ +// Submitted by Sander Steffann +nog.community + +// Globe Hosting SRL : https://www.globehosting.com/ +// Submitted by Gavin Brown +co.ro +shop.ro + +// GMO Pepabo, Inc. 
: https://pepabo.com/ +// Submitted by Hosting Div +lolipop.io +angry.jp +babyblue.jp +babymilk.jp +backdrop.jp +bambina.jp +bitter.jp +blush.jp +boo.jp +boy.jp +boyfriend.jp +but.jp +candypop.jp +capoo.jp +catfood.jp +cheap.jp +chicappa.jp +chillout.jp +chips.jp +chowder.jp +chu.jp +ciao.jp +cocotte.jp +coolblog.jp +cranky.jp +cutegirl.jp +daa.jp +deca.jp +deci.jp +digick.jp +egoism.jp +fakefur.jp +fem.jp +flier.jp +floppy.jp +fool.jp +frenchkiss.jp +girlfriend.jp +girly.jp +gloomy.jp +gonna.jp +greater.jp +hacca.jp +heavy.jp +her.jp +hiho.jp +hippy.jp +holy.jp +hungry.jp +icurus.jp +itigo.jp +jellybean.jp +kikirara.jp +kill.jp +kilo.jp +kuron.jp +littlestar.jp +lolipopmc.jp +lolitapunk.jp +lomo.jp +lovepop.jp +lovesick.jp +main.jp +mods.jp +mond.jp +mongolian.jp +moo.jp +namaste.jp +nikita.jp +nobushi.jp +noor.jp +oops.jp +parallel.jp +parasite.jp +pecori.jp +peewee.jp +penne.jp +pepper.jp +perma.jp +pigboat.jp +pinoko.jp +punyu.jp +pupu.jp +pussycat.jp +pya.jp +raindrop.jp +readymade.jp +sadist.jp +schoolbus.jp +secret.jp +staba.jp +stripper.jp +sub.jp +sunnyday.jp +thick.jp +tonkotsu.jp +under.jp +upper.jp +velvet.jp +verse.jp +versus.jp +vivian.jp +watson.jp +weblike.jp +whitesnow.jp +zombie.jp +heteml.net + +// GOV.UK Platform as a Service : https://www.cloud.service.gov.uk/ +// Submitted by Tom Whitwell +cloudapps.digital +london.cloudapps.digital + +// GOV.UK Pay : https://www.payments.service.gov.uk/ +// Submitted by Richard Baker +pymnt.uk + +// UKHomeOffice : https://www.gov.uk/government/organisations/home-office +// Submitted by Jon Shanks +homeoffice.gov.uk + +// GlobeHosting, Inc. +// Submitted by Zoltan Egresi +ro.im + +// GoIP DNS Services : http://www.goip.de +// Submitted by Christian Poulter +goip.de + +// Google, Inc. 
+// Submitted by Eduardo Vela +run.app +a.run.app +web.app +*.0emm.com +appspot.com +*.r.appspot.com +codespot.com +googleapis.com +googlecode.com +pagespeedmobilizer.com +publishproxy.com +withgoogle.com +withyoutube.com +*.gateway.dev +cloud.goog +translate.goog +*.usercontent.goog +cloudfunctions.net +blogspot.ae +blogspot.al +blogspot.am +blogspot.ba +blogspot.be +blogspot.bg +blogspot.bj +blogspot.ca +blogspot.cf +blogspot.ch +blogspot.cl +blogspot.co.at +blogspot.co.id +blogspot.co.il +blogspot.co.ke +blogspot.co.nz +blogspot.co.uk +blogspot.co.za +blogspot.com +blogspot.com.ar +blogspot.com.au +blogspot.com.br +blogspot.com.by +blogspot.com.co +blogspot.com.cy +blogspot.com.ee +blogspot.com.eg +blogspot.com.es +blogspot.com.mt +blogspot.com.ng +blogspot.com.tr +blogspot.com.uy +blogspot.cv +blogspot.cz +blogspot.de +blogspot.dk +blogspot.fi +blogspot.fr +blogspot.gr +blogspot.hk +blogspot.hr +blogspot.hu +blogspot.ie +blogspot.in +blogspot.is +blogspot.it +blogspot.jp +blogspot.kr +blogspot.li +blogspot.lt +blogspot.lu +blogspot.md +blogspot.mk +blogspot.mr +blogspot.mx +blogspot.my +blogspot.nl +blogspot.no +blogspot.pe +blogspot.pt +blogspot.qa +blogspot.re +blogspot.ro +blogspot.rs +blogspot.ru +blogspot.se +blogspot.sg +blogspot.si +blogspot.sk +blogspot.sn +blogspot.td +blogspot.tw +blogspot.ug +blogspot.vn + +// Goupile : https://goupile.fr +// Submitted by Niels Martignene +goupile.fr + +// Government of the Netherlands: https://www.government.nl +// Submitted by +gov.nl + +// Group 53, LLC : https://www.group53.com +// Submitted by Tyler Todd +awsmppl.com + +// GünstigBestellen : https://günstigbestellen.de +// Submitted by Furkan Akkoc +xn--gnstigbestellen-zvb.de +xn--gnstigliefern-wob.de + +// Hakaran group: http://hakaran.cz +// Submitted by Arseniy Sokolov +fin.ci +free.hr +caa.li +ua.rs +conf.se + +// Handshake : https://handshake.org +// Submitted by Mike Damm +hs.zone +hs.run + +// Hashbang : https://hashbang.sh +hashbang.sh + +// Hasura : 
https://hasura.io +// Submitted by Shahidh K Muhammed +hasura.app +hasura-app.io + +// Heilbronn University of Applied Sciences - Faculty Informatics (GitLab Pages): https://www.hs-heilbronn.de +// Submitted by Richard Zowalla +pages.it.hs-heilbronn.de + +// Hepforge : https://www.hepforge.org +// Submitted by David Grellscheid +hepforge.org + +// Heroku : https://www.heroku.com/ +// Submitted by Tom Maher +herokuapp.com +herokussl.com + +// Hibernating Rhinos +// Submitted by Oren Eini +ravendb.cloud +ravendb.community +ravendb.me +development.run +ravendb.run + +// home.pl S.A.: https://home.pl +// Submitted by Krzysztof Wolski +homesklep.pl + +// Hong Kong Productivity Council: https://www.hkpc.org/ +// Submitted by SECaaS Team +secaas.hk + +// Hoplix : https://www.hoplix.com +// Submitted by Danilo De Franco +hoplix.shop + + +// HOSTBIP REGISTRY : https://www.hostbip.com/ +// Submitted by Atanunu Igbunuroghene +orx.biz +biz.gl +col.ng +firm.ng +gen.ng +ltd.ng +ngo.ng +edu.scot +sch.so + +// HostyHosting (hostyhosting.com) +hostyhosting.io + +// Häkkinen.fi +// Submitted by Eero Häkkinen +xn--hkkinen-5wa.fi + +// Ici la Lune : http://www.icilalune.com/ +// Submitted by Simon Morvan +*.moonscale.io +moonscale.net + +// iki.fi +// Submitted by Hannu Aronsson +iki.fi + +// iliad italia: https://www.iliad.it +// Submitted by Marios Makassikis +ibxos.it +iliadboxos.it + +// Impertrix Solutions : +// Submitted by Zhixiang Zhao +impertrixcdn.com +impertrix.com + +// Incsub, LLC: https://incsub.com/ +// Submitted by Aaron Edwards +smushcdn.com +wphostedmail.com +wpmucdn.com +tempurl.host +wpmudev.host + +// Individual Network Berlin e.V. 
: https://www.in-berlin.de/ +// Submitted by Christian Seitz +dyn-berlin.de +in-berlin.de +in-brb.de +in-butter.de +in-dsl.de +in-dsl.net +in-dsl.org +in-vpn.de +in-vpn.net +in-vpn.org + +// info.at : http://www.info.at/ +biz.at +info.at + +// info.cx : http://info.cx +// Submitted by Jacob Slater +info.cx + +// Interlegis : http://www.interlegis.leg.br +// Submitted by Gabriel Ferreira +ac.leg.br +al.leg.br +am.leg.br +ap.leg.br +ba.leg.br +ce.leg.br +df.leg.br +es.leg.br +go.leg.br +ma.leg.br +mg.leg.br +ms.leg.br +mt.leg.br +pa.leg.br +pb.leg.br +pe.leg.br +pi.leg.br +pr.leg.br +rj.leg.br +rn.leg.br +ro.leg.br +rr.leg.br +rs.leg.br +sc.leg.br +se.leg.br +sp.leg.br +to.leg.br + +// intermetrics GmbH : https://pixolino.com/ +// Submitted by Wolfgang Schwarz +pixolino.com + +// Internet-Pro, LLP: https://netangels.ru/ +// Submitted by Vasiliy Sheredeko +na4u.ru + +// iopsys software solutions AB : https://iopsys.eu/ +// Submitted by Roman Azarenko +iopsys.se + +// IPiFony Systems, Inc. : https://www.ipifony.com/ +// Submitted by Matthew Hardeman +ipifony.net + +// IServ GmbH : https://iserv.de +// Submitted by Mario Hoberg +iservschule.de +mein-iserv.de +schulplattform.de +schulserver.de +test-iserv.de +iserv.dev + +// I-O DATA DEVICE, INC. : http://www.iodata.com/ +// Submitted by Yuji Minagawa +iobb.net + +// Jelastic, Inc. 
: https://jelastic.com/ +// Submitted by Ihor Kolodyuk +mel.cloudlets.com.au +cloud.interhostsolutions.be +users.scale.virtualcloud.com.br +mycloud.by +alp1.ae.flow.ch +appengine.flow.ch +es-1.axarnet.cloud +diadem.cloud +vip.jelastic.cloud +jele.cloud +it1.eur.aruba.jenv-aruba.cloud +it1.jenv-aruba.cloud +keliweb.cloud +cs.keliweb.cloud +oxa.cloud +tn.oxa.cloud +uk.oxa.cloud +primetel.cloud +uk.primetel.cloud +ca.reclaim.cloud +uk.reclaim.cloud +us.reclaim.cloud +ch.trendhosting.cloud +de.trendhosting.cloud +jele.club +amscompute.com +clicketcloud.com +dopaas.com +hidora.com +paas.hosted-by-previder.com +rag-cloud.hosteur.com +rag-cloud-ch.hosteur.com +jcloud.ik-server.com +jcloud-ver-jpc.ik-server.com +demo.jelastic.com +kilatiron.com +paas.massivegrid.com +jed.wafaicloud.com +lon.wafaicloud.com +ryd.wafaicloud.com +j.scaleforce.com.cy +jelastic.dogado.eu +fi.cloudplatform.fi +demo.datacenter.fi +paas.datacenter.fi +jele.host +mircloud.host +paas.beebyte.io +sekd1.beebyteapp.io +jele.io +cloud-fr1.unispace.io +jc.neen.it +cloud.jelastic.open.tim.it +jcloud.kz +upaas.kazteleport.kz +cloudjiffy.net +fra1-de.cloudjiffy.net +west1-us.cloudjiffy.net +jls-sto1.elastx.net +jls-sto2.elastx.net +jls-sto3.elastx.net +faststacks.net +fr-1.paas.massivegrid.net +lon-1.paas.massivegrid.net +lon-2.paas.massivegrid.net +ny-1.paas.massivegrid.net +ny-2.paas.massivegrid.net +sg-1.paas.massivegrid.net +jelastic.saveincloud.net +nordeste-idc.saveincloud.net +j.scaleforce.net +jelastic.tsukaeru.net +sdscloud.pl +unicloud.pl +mircloud.ru +jelastic.regruhosting.ru +enscaled.sg +jele.site +jelastic.team +orangecloud.tn +j.layershift.co.uk +phx.enscaled.us +mircloud.us + +// Jino : https://www.jino.ru +// Submitted by Sergey Ulyashin +myjino.ru +*.hosting.myjino.ru +*.landing.myjino.ru +*.spectrum.myjino.ru +*.vps.myjino.ru + +// Jotelulu S.L. 
: https://jotelulu.com +// Submitted by Daniel Fariña +jotelulu.cloud + +// Joyent : https://www.joyent.com/ +// Submitted by Brian Bennett +*.triton.zone +*.cns.joyent.com + +// JS.ORG : http://dns.js.org +// Submitted by Stefan Keim +js.org + +// KaasHosting : http://www.kaashosting.nl/ +// Submitted by Wouter Bakker +kaas.gg +khplay.nl + +// Kakao : https://www.kakaocorp.com/ +// Submitted by JaeYoong Lee +ktistory.com + +// Kapsi : https://kapsi.fi +// Submitted by Tomi Juntunen +kapsi.fi + +// Keyweb AG : https://www.keyweb.de +// Submitted by Martin Dannehl +keymachine.de + +// KingHost : https://king.host +// Submitted by Felipe Keller Braz +kinghost.net +uni5.net + +// KnightPoint Systems, LLC : http://www.knightpoint.com/ +// Submitted by Roy Keene +knightpoint.systems + +// KoobinEvent, SL: https://www.koobin.com +// Submitted by Iván Oliva +koobin.events + +// KUROKU LTD : https://kuroku.ltd/ +// Submitted by DisposaBoy +oya.to + +// Katholieke Universiteit Leuven: https://www.kuleuven.be +// Submitted by Abuse KU Leuven +kuleuven.cloud +ezproxy.kuleuven.be + +// .KRD : http://nic.krd/data/krd/Registration%20Policy.pdf +co.krd +edu.krd + +// Krellian Ltd. : https://krellian.com +// Submitted by Ben Francis +krellian.net +webthings.io + +// LCube - Professional hosting e.K. : https://www.lcube-webhosting.de +// Submitted by Lars Laehn +git-repos.de +lcube-server.de +svn-repos.de + +// Leadpages : https://www.leadpages.net +// Submitted by Greg Dallavalle +leadpages.co +lpages.co +lpusercontent.com + +// Lelux.fi : https://lelux.fi/ +// Submitted by Lelux Admin +lelux.site + +// Lifetime Hosting : https://Lifetime.Hosting/ +// Submitted by Mike Fillator +co.business +co.education +co.events +co.financial +co.network +co.place +co.technology + +// Lightmaker Property Manager, Inc. 
: https://app.lmpm.com/ +// Submitted by Greg Holland +app.lmpm.com + +// linkyard ldt: https://www.linkyard.ch/ +// Submitted by Mario Siegenthaler +linkyard.cloud +linkyard-cloud.ch + +// Linode : https://linode.com +// Submitted by +members.linode.com +*.nodebalancer.linode.com +*.linodeobjects.com +ip.linodeusercontent.com + +// LiquidNet Ltd : http://www.liquidnetlimited.com/ +// Submitted by Victor Velchev +we.bs + +// Localcert : https://localcert.dev +// Submitted by Lann Martin +*.user.localcert.dev + +// localzone.xyz +// Submitted by Kenny Niehage +localzone.xyz + +// Log'in Line : https://www.loginline.com/ +// Submitted by Rémi Mach +loginline.app +loginline.dev +loginline.io +loginline.services +loginline.site + +// Lokalized : https://lokalized.nl +// Submitted by Noah Taheij +servers.run + +// Lõhmus Family, The +// Submitted by Heiki Lõhmus +lohmus.me + +// LubMAN UMCS Sp. z o.o : https://lubman.pl/ +// Submitted by Ireneusz Maliszewski +krasnik.pl +leczna.pl +lubartow.pl +lublin.pl +poniatowa.pl +swidnik.pl + +// Lug.org.uk : https://lug.org.uk +// Submitted by Jon Spriggs +glug.org.uk +lug.org.uk +lugs.org.uk + +// Lukanet Ltd : https://lukanet.com +// Submitted by Anton Avramov +barsy.bg +barsy.co.uk +barsyonline.co.uk +barsycenter.com +barsyonline.com +barsy.club +barsy.de +barsy.eu +barsy.in +barsy.info +barsy.io +barsy.me +barsy.menu +barsy.mobi +barsy.net +barsy.online +barsy.org +barsy.pro +barsy.pub +barsy.ro +barsy.shop +barsy.site +barsy.support +barsy.uk + +// Magento Commerce +// Submitted by Damien Tournoud +*.magentosite.cloud + +// May First - People Link : https://mayfirst.org/ +// Submitted by Jamie McClelland +mayfirst.info +mayfirst.org + +// Mail.Ru Group : https://hb.cldmail.ru +// Submitted by Ilya Zaretskiy +hb.cldmail.ru + +// Mail Transfer Platform : https://www.neupeer.com +// Submitted by Li Hui +cn.vu + +// Maze Play: https://www.mazeplay.com +// Submitted by Adam Humpherys +mazeplay.com + +// mcpe.me : https://mcpe.me 
+// Submitted by Noa Heyl +mcpe.me + +// McHost : https://mchost.ru +// Submitted by Evgeniy Subbotin +mcdir.me +mcdir.ru +mcpre.ru +vps.mcdir.ru + +// Mediatech : https://mediatech.by +// Submitted by Evgeniy Kozhuhovskiy +mediatech.by +mediatech.dev + +// Medicom Health : https://medicomhealth.com +// Submitted by Michael Olson +hra.health + +// Memset hosting : https://www.memset.com +// Submitted by Tom Whitwell +miniserver.com +memset.net + +// Messerli Informatik AG : https://www.messerli.ch/ +// Submitted by Ruben Schmidmeister +messerli.app + +// MetaCentrum, CESNET z.s.p.o. : https://www.metacentrum.cz/en/ +// Submitted by ZdenÄ›k Å ustr +*.cloud.metacentrum.cz +custom.metacentrum.cz + +// MetaCentrum, CESNET z.s.p.o. : https://www.metacentrum.cz/en/ +// Submitted by Radim JanÄa +flt.cloud.muni.cz +usr.cloud.muni.cz + +// Meteor Development Group : https://www.meteor.com/hosting +// Submitted by Pierre Carrier +meteorapp.com +eu.meteorapp.com + +// Michau Enterprises Limited : http://www.co.pl/ +co.pl + +// Microsoft Corporation : http://microsoft.com +// Submitted by Public Suffix List Admin +*.azurecontainer.io +azurewebsites.net +azure-mobile.net +cloudapp.net +azurestaticapps.net +1.azurestaticapps.net +2.azurestaticapps.net +centralus.azurestaticapps.net +eastasia.azurestaticapps.net +eastus2.azurestaticapps.net +westeurope.azurestaticapps.net +westus2.azurestaticapps.net + +// minion.systems : http://minion.systems +// Submitted by Robert Böttinger +csx.cc + +// Mintere : https://mintere.com/ +// Submitted by Ben Aubin +mintere.site + +// MobileEducation, LLC : https://joinforte.com +// Submitted by Grayson Martin +forte.id + +// Mozilla Corporation : https://mozilla.com +// Submitted by Ben Francis +mozilla-iot.org + +// Mozilla Foundation : https://mozilla.org/ +// Submitted by glob +bmoattachments.org + +// MSK-IX : https://www.msk-ix.ru/ +// Submitted by Khannanov Roman +net.ru +org.ru +pp.ru + +// Mythic Beasts : https://www.mythic-beasts.com 
+// Submitted by Paul Cammish +hostedpi.com +customer.mythic-beasts.com +caracal.mythic-beasts.com +fentiger.mythic-beasts.com +lynx.mythic-beasts.com +ocelot.mythic-beasts.com +oncilla.mythic-beasts.com +onza.mythic-beasts.com +sphinx.mythic-beasts.com +vs.mythic-beasts.com +x.mythic-beasts.com +yali.mythic-beasts.com +cust.retrosnub.co.uk + +// Nabu Casa : https://www.nabucasa.com +// Submitted by Paulus Schoutsen +ui.nabu.casa + +// Net at Work Gmbh : https://www.netatwork.de +// Submitted by Jan Jaeschke +cloud.nospamproxy.com + +// Netlify : https://www.netlify.com +// Submitted by Jessica Parsons +netlify.app + +// Neustar Inc. +// Submitted by Trung Tran +4u.com + +// ngrok : https://ngrok.com/ +// Submitted by Alan Shreve +ngrok.io + +// Nimbus Hosting Ltd. : https://www.nimbushosting.co.uk/ +// Submitted by Nicholas Ford +nh-serv.co.uk + +// NFSN, Inc. : https://www.NearlyFreeSpeech.NET/ +// Submitted by Jeff Wheelhouse +nfshost.com + +// Noop : https://noop.app +// Submitted by Nathaniel Schweinberg +*.developer.app +noop.app + +// Northflank Ltd. 
: https://northflank.com/ +// Submitted by Marco Suter +*.northflank.app +*.build.run +*.code.run +*.database.run +*.migration.run + +// Noticeable : https://noticeable.io +// Submitted by Laurent Pellegrino +noticeable.news + +// Now-DNS : https://now-dns.com +// Submitted by Steve Russell +dnsking.ch +mypi.co +n4t.co +001www.com +ddnslive.com +myiphost.com +forumz.info +16-b.it +32-b.it +64-b.it +soundcast.me +tcp4.me +dnsup.net +hicam.net +now-dns.net +ownip.net +vpndns.net +dynserv.org +now-dns.org +x443.pw +now-dns.top +ntdll.top +freeddns.us +crafting.xyz +zapto.xyz + +// nsupdate.info : https://www.nsupdate.info/ +// Submitted by Thomas Waldmann +nsupdate.info +nerdpol.ovh + +// No-IP.com : https://noip.com/ +// Submitted by Deven Reza +blogsyte.com +brasilia.me +cable-modem.org +ciscofreak.com +collegefan.org +couchpotatofries.org +damnserver.com +ddns.me +ditchyourip.com +dnsfor.me +dnsiskinky.com +dvrcam.info +dynns.com +eating-organic.net +fantasyleague.cc +geekgalaxy.com +golffan.us +health-carereform.com +homesecuritymac.com +homesecuritypc.com +hopto.me +ilovecollege.info +loginto.me +mlbfan.org +mmafan.biz +myactivedirectory.com +mydissent.net +myeffect.net +mymediapc.net +mypsx.net +mysecuritycamera.com +mysecuritycamera.net +mysecuritycamera.org +net-freaks.com +nflfan.org +nhlfan.net +no-ip.ca +no-ip.co.uk +no-ip.net +noip.us +onthewifi.com +pgafan.net +point2this.com +pointto.us +privatizehealthinsurance.net +quicksytes.com +read-books.org +securitytactics.com +serveexchange.com +servehumour.com +servep2p.com +servesarcasm.com +stufftoread.com +ufcfan.org +unusualperson.com +workisboring.com +3utilities.com +bounceme.net +ddns.net +ddnsking.com +gotdns.ch +hopto.org +myftp.biz +myftp.org +myvnc.com +no-ip.biz +no-ip.info +no-ip.org +noip.me +redirectme.net +servebeer.com +serveblog.net +servecounterstrike.com +serveftp.com +servegame.com +servehalflife.com +servehttp.com +serveirc.com +serveminecraft.net +servemp3.com +servepics.com 
+servequake.com +sytes.net +webhop.me +zapto.org + +// NodeArt : https://nodeart.io +// Submitted by Konstantin Nosov +stage.nodeart.io + +// Nucleos Inc. : https://nucleos.com +// Submitted by Piotr Zduniak +pcloud.host + +// NYC.mn : http://www.information.nyc.mn +// Submitted by Matthew Brown +nyc.mn + +// Observable, Inc. : https://observablehq.com +// Submitted by Mike Bostock +static.observableusercontent.com + +// Octopodal Solutions, LLC. : https://ulterius.io/ +// Submitted by Andrew Sampson +cya.gg + +// OMG.LOL : +// Submitted by Adam Newbold +omg.lol + +// Omnibond Systems, LLC. : https://www.omnibond.com +// Submitted by Cole Estep +cloudycluster.net + +// OmniWe Limited: https://omniwe.com +// Submitted by Vicary Archangel +omniwe.site + +// One.com: https://www.one.com/ +// Submitted by Jacob Bunk Nielsen +123hjemmeside.dk +123hjemmeside.no +123homepage.it +123kotisivu.fi +123minsida.se +123miweb.es +123paginaweb.pt +123sait.ru +123siteweb.fr +123webseite.at +123webseite.de +123website.be +123website.ch +123website.lu +123website.nl +service.one +simplesite.com +simplesite.com.br +simplesite.gr +simplesite.pl + +// One Fold Media : http://www.onefoldmedia.com/ +// Submitted by Eddie Jones +nid.io + +// Open Social : https://www.getopensocial.com/ +// Submitted by Alexander Varwijk +opensocial.site + +// OpenCraft GmbH : http://opencraft.com/ +// Submitted by Sven Marnach +opencraft.hosting + +// OpenResearch GmbH: https://openresearch.com/ +// Submitted by Philipp Schmid +orsites.com + +// Opera Software, A.S.A. 
+// Submitted by Yngve Pettersen +operaunite.com + +// Orange : https://www.orange.com +// Submitted by Alexandre Linte +tech.orange + +// Oursky Limited : https://authgear.com/, https://skygear.io/ +// Submitted by Authgear Team , Skygear Developer +authgear-staging.com +authgearapps.com +skygearapp.com + +// OutSystems +// Submitted by Duarte Santos +outsystemscloud.com + +// OVHcloud: https://ovhcloud.com +// Submitted by Vincent Cassé +*.webpaas.ovh.net +*.hosting.ovh.net + +// OwnProvider GmbH: http://www.ownprovider.com +// Submitted by Jan Moennich +ownprovider.com +own.pm + +// OwO : https://whats-th.is/ +// Submitted by Dean Sheather +*.owo.codes + +// OX : http://www.ox.rs +// Submitted by Adam Grand +ox.rs + +// oy.lc +// Submitted by Charly Coste +oy.lc + +// Pagefog : https://pagefog.com/ +// Submitted by Derek Myers +pgfog.com + +// Pagefront : https://www.pagefronthq.com/ +// Submitted by Jason Kriss +pagefrontapp.com + +// PageXL : https://pagexl.com +// Submitted by Yann Guichard +pagexl.com + +// Paywhirl, Inc : https://paywhirl.com/ +// Submitted by Daniel Netzer +*.paywhirl.com + +// pcarrier.ca Software Inc: https://pcarrier.ca/ +// Submitted by Pierre Carrier +bar0.net +bar1.net +bar2.net +rdv.to + +// .pl domains (grandfathered) +art.pl +gliwice.pl +krakow.pl +poznan.pl +wroc.pl +zakopane.pl + +// Pantheon Systems, Inc. 
: https://pantheon.io/ +// Submitted by Gary Dylina +pantheonsite.io +gotpantheon.com + +// Peplink | Pepwave : http://peplink.com/ +// Submitted by Steve Leung +mypep.link + +// Perspecta : https://perspecta.com/ +// Submitted by Kenneth Van Alstyne +perspecta.cloud + +// PE Ulyanov Kirill Sergeevich : https://airy.host +// Submitted by Kirill Ulyanov +lk3.ru + +// Planet-Work : https://www.planet-work.com/ +// Submitted by Frédéric VANNIÈRE +on-web.fr + +// Platform.sh : https://platform.sh +// Submitted by Nikola Kotur +bc.platform.sh +ent.platform.sh +eu.platform.sh +us.platform.sh +*.platformsh.site +*.tst.site + +// Platter: https://platter.dev +// Submitted by Patrick Flor +platter-app.com +platter-app.dev +platterp.us + +// Plesk : https://www.plesk.com/ +// Submitted by Anton Akhtyamov +pdns.page +plesk.page +pleskns.com + +// Port53 : https://port53.io/ +// Submitted by Maximilian Schieder +dyn53.io + +// Porter : https://porter.run/ +// Submitted by Rudraksh MK +onporter.run + +// Positive Codes Technology Company : http://co.bn/faq.html +// Submitted by Zulfais +co.bn + +// Postman, Inc : https://postman.com +// Submitted by Rahul Dhawan +postman-echo.com +pstmn.io +mock.pstmn.io +httpbin.org + +//prequalifyme.today : https://prequalifyme.today +//Submitted by DeepakTiwari deepak@ivylead.io +prequalifyme.today + +// prgmr.com : https://prgmr.com/ +// Submitted by Sarah Newman +xen.prgmr.com + +// priv.at : http://www.nic.priv.at/ +// Submitted by registry +priv.at + +// privacytools.io : https://www.privacytools.io/ +// Submitted by Jonah Aragon +prvcy.page + +// Protocol Labs : https://protocol.ai/ +// Submitted by Michael Burns +*.dweb.link + +// Protonet GmbH : http://protonet.io +// Submitted by Martin Meier +protonet.io + +// Publication Presse Communication SARL : https://ppcom.fr +// Submitted by Yaacov Akiba Slama +chirurgiens-dentistes-en-france.fr +byen.site + +// pubtls.org: https://www.pubtls.org +// Submitted by Kor Nielsen +pubtls.org + 
+// PythonAnywhere LLP: https://www.pythonanywhere.com +// Submitted by Giles Thomas +pythonanywhere.com +eu.pythonanywhere.com + +// QOTO, Org. +// Submitted by Jeffrey Phillips Freeman +qoto.io + +// Qualifio : https://qualifio.com/ +// Submitted by Xavier De Cock +qualifioapp.com + +// QuickBackend: https://www.quickbackend.com +// Submitted by Dani Biro +qbuser.com + +// Rad Web Hosting: https://radwebhosting.com +// Submitted by Scott Claeys +cloudsite.builders + +// Redgate Software: https://red-gate.com +// Submitted by Andrew Farries +instances.spawn.cc + +// Redstar Consultants : https://www.redstarconsultants.com/ +// Submitted by Jons Slemmer +instantcloud.cn + +// Russian Academy of Sciences +// Submitted by Tech Support +ras.ru + +// QA2 +// Submitted by Daniel Dent (https://www.danieldent.com/) +qa2.com + +// QCX +// Submitted by Cassandra Beelen +qcx.io +*.sys.qcx.io + +// QNAP System Inc : https://www.qnap.com +// Submitted by Nick Chang +dev-myqnapcloud.com +alpha-myqnapcloud.com +myqnapcloud.com + +// Quip : https://quip.com +// Submitted by Patrick Linehan +*.quipelements.com + +// Qutheory LLC : http://qutheory.io +// Submitted by Jonas Schwartz +vapor.cloud +vaporcloud.io + +// Rackmaze LLC : https://www.rackmaze.com +// Submitted by Kirill Pertsev +rackmaze.com +rackmaze.net + +// Rakuten Games, Inc : https://dev.viberplay.io +// Submitted by Joshua Zhang +g.vbrplsbx.io + +// Rancher Labs, Inc : https://rancher.com +// Submitted by Vincent Fiduccia +*.on-k3s.io +*.on-rancher.cloud +*.on-rio.io + +// Read The Docs, Inc : https://www.readthedocs.org +// Submitted by David Fischer +readthedocs.io + +// Red Hat, Inc. 
OpenShift : https://openshift.redhat.com/ +// Submitted by Tim Kramer +rhcloud.com + +// Render : https://render.com +// Submitted by Anurag Goel +app.render.com +onrender.com + +// Repl.it : https://repl.it +// Submitted by Lincoln Bergeson +firewalledreplit.co +id.firewalledreplit.co +repl.co +id.repl.co +repl.run + +// Resin.io : https://resin.io +// Submitted by Tim Perry +resindevice.io +devices.resinstaging.io + +// RethinkDB : https://www.rethinkdb.com/ +// Submitted by Chris Kastorff +hzc.io + +// Revitalised Limited : http://www.revitalised.co.uk +// Submitted by Jack Price +wellbeingzone.eu +wellbeingzone.co.uk + +// Rico Developments Limited : https://adimo.co +// Submitted by Colin Brown +adimo.co.uk + +// Riseup Networks : https://riseup.net +// Submitted by Micah Anderson +itcouldbewor.se + +// Rochester Institute of Technology : http://www.rit.edu/ +// Submitted by Jennifer Herting +git-pages.rit.edu + +// Rocky Enterprise Software Foundation : https://resf.org +// Submitted by Neil Hanlon +rocky.page + +// Rusnames Limited: http://rusnames.ru/ +// Submitted by Sergey Zotov +xn--90amc.xn--p1acf +xn--j1aef.xn--p1acf +xn--j1ael8b.xn--p1acf +xn--h1ahn.xn--p1acf +xn--j1adp.xn--p1acf +xn--c1avg.xn--p1acf +xn--80aaa0cvac.xn--p1acf +xn--h1aliz.xn--p1acf +xn--90a1af.xn--p1acf +xn--41a.xn--p1acf + +// Salesforce.com, Inc. https://salesforce.com/ +// Submitted by Michael Biven +*.builder.code.com +*.dev-builder.code.com +*.stg-builder.code.com + +// Sandstorm Development Group, Inc. 
: https://sandcats.io/ +// Submitted by Asheesh Laroia +sandcats.io + +// SBE network solutions GmbH : https://www.sbe.de/ +// Submitted by Norman Meilick +logoip.de +logoip.com + +// Scaleway : https://www.scaleway.com/ +// Submitted by Rémy Léone +fr-par-1.baremetal.scw.cloud +fr-par-2.baremetal.scw.cloud +nl-ams-1.baremetal.scw.cloud +fnc.fr-par.scw.cloud +functions.fnc.fr-par.scw.cloud +k8s.fr-par.scw.cloud +nodes.k8s.fr-par.scw.cloud +s3.fr-par.scw.cloud +s3-website.fr-par.scw.cloud +whm.fr-par.scw.cloud +priv.instances.scw.cloud +pub.instances.scw.cloud +k8s.scw.cloud +k8s.nl-ams.scw.cloud +nodes.k8s.nl-ams.scw.cloud +s3.nl-ams.scw.cloud +s3-website.nl-ams.scw.cloud +whm.nl-ams.scw.cloud +k8s.pl-waw.scw.cloud +nodes.k8s.pl-waw.scw.cloud +s3.pl-waw.scw.cloud +s3-website.pl-waw.scw.cloud +scalebook.scw.cloud +smartlabeling.scw.cloud +dedibox.fr + +// schokokeks.org GbR : https://schokokeks.org/ +// Submitted by Hanno Böck +schokokeks.net + +// Scottish Government: https://www.gov.scot +// Submitted by Martin Ellis +gov.scot +service.gov.scot + +// Scry Security : http://www.scrysec.com +// Submitted by Shante Adam +scrysec.com + +// Securepoint GmbH : https://www.securepoint.de +// Submitted by Erik Anders +firewall-gateway.com +firewall-gateway.de +my-gateway.de +my-router.de +spdns.de +spdns.eu +firewall-gateway.net +my-firewall.org +myfirewall.org +spdns.org + +// Seidat : https://www.seidat.com +// Submitted by Artem Kondratev +seidat.net + +// Sellfy : https://sellfy.com +// Submitted by Yuriy Romadin +sellfy.store + +// Senseering GmbH : https://www.senseering.de +// Submitted by Felix Mönckemeyer +senseering.net + +// Sendmsg: https://www.sendmsg.co.il +// Submitted by Assaf Stern +minisite.ms + +// Service Magnet : https://myservicemagnet.com +// Submitted by Dave Sanders +magnet.page + +// Service Online LLC : http://drs.ua/ +// Submitted by Serhii Bulakh +biz.ua +co.ua +pp.ua + +// Shift Crypto AG : https://shiftcrypto.ch +// Submitted by alex 
+shiftcrypto.dev +shiftcrypto.io + +// ShiftEdit : https://shiftedit.net/ +// Submitted by Adam Jimenez +shiftedit.io + +// Shopblocks : http://www.shopblocks.com/ +// Submitted by Alex Bowers +myshopblocks.com + +// Shopify : https://www.shopify.com +// Submitted by Alex Richter +myshopify.com + +// Shopit : https://www.shopitcommerce.com/ +// Submitted by Craig McMahon +shopitsite.com + +// shopware AG : https://shopware.com +// Submitted by Jens Küper +shopware.store + +// Siemens Mobility GmbH +// Submitted by Oliver Graebner +mo-siemens.io + +// SinaAppEngine : http://sae.sina.com.cn/ +// Submitted by SinaAppEngine +1kapp.com +appchizi.com +applinzi.com +sinaapp.com +vipsinaapp.com + +// Siteleaf : https://www.siteleaf.com/ +// Submitted by Skylar Challand +siteleaf.net + +// Skyhat : http://www.skyhat.io +// Submitted by Shante Adam +bounty-full.com +alpha.bounty-full.com +beta.bounty-full.com + +// Small Technology Foundation : https://small-tech.org +// Submitted by Aral Balkan +small-web.org + +// Smoove.io : https://www.smoove.io/ +// Submitted by Dan Kozak +vp4.me + +// Snowflake Inc : https://www.snowflake.com/ +// Submitted by Faith Olapade +streamlitapp.com + +// Snowplow Analytics : https://snowplowanalytics.com/ +// Submitted by Ian Streeter +try-snowplow.com + +// SourceHut : https://sourcehut.org +// Submitted by Drew DeVault +srht.site + +// Stackhero : https://www.stackhero.io +// Submitted by Adrien Gillon +stackhero-network.com + +// Staclar : https://staclar.com +// Submitted by Q Misell +musician.io +// Submitted by Matthias Merkel +novecore.site + +// staticland : https://static.land +// Submitted by Seth Vincent +static.land +dev.static.land +sites.static.land + +// Storebase : https://www.storebase.io +// Submitted by Tony Schirmer +storebase.store + +// Strategic System Consulting (eApps Hosting): https://www.eapps.com/ +// Submitted by Alex Oancea +vps-host.net +atl.jelastic.vps-host.net +njs.jelastic.vps-host.net 
+ric.jelastic.vps-host.net + +// Sony Interactive Entertainment LLC : https://sie.com/ +// Submitted by David Coles +playstation-cloud.com + +// SourceLair PC : https://www.sourcelair.com +// Submitted by Antonis Kalipetis +apps.lair.io +*.stolos.io + +// SpaceKit : https://www.spacekit.io/ +// Submitted by Reza Akhavan +spacekit.io + +// SpeedPartner GmbH: https://www.speedpartner.de/ +// Submitted by Stefan Neufeind +customer.speedpartner.de + +// Spreadshop (sprd.net AG) : https://www.spreadshop.com/ +// Submitted by Martin Breest +myspreadshop.at +myspreadshop.com.au +myspreadshop.be +myspreadshop.ca +myspreadshop.ch +myspreadshop.com +myspreadshop.de +myspreadshop.dk +myspreadshop.es +myspreadshop.fi +myspreadshop.fr +myspreadshop.ie +myspreadshop.it +myspreadshop.net +myspreadshop.nl +myspreadshop.no +myspreadshop.pl +myspreadshop.se +myspreadshop.co.uk + +// Standard Library : https://stdlib.com +// Submitted by Jacob Lee +api.stdlib.com + +// Storj Labs Inc. : https://storj.io/ +// Submitted by Philip Hutchins +storj.farm + +// Studenten Net Twente : http://www.snt.utwente.nl/ +// Submitted by Silke Hofstra +utwente.io + +// Student-Run Computing Facility : https://www.srcf.net/ +// Submitted by Edwin Balani +soc.srcf.net +user.srcf.net + +// Sub 6 Limited: http://www.sub6.com +// Submitted by Dan Miller +temp-dns.com + +// Supabase : https://supabase.io +// Submitted by Inian Parameshwaran +supabase.co +supabase.in +supabase.net +su.paba.se + +// Symfony, SAS : https://symfony.com/ +// Submitted by Fabien Potencier +*.s5y.io +*.sensiosite.cloud + +// Syncloud : https://syncloud.org +// Submitted by Boris Rybalkin +syncloud.it + +// Synology, Inc. : https://www.synology.com/ +// Submitted by Rony Weng +dscloud.biz +direct.quickconnect.cn +dsmynas.com +familyds.com +diskstation.me +dscloud.me +i234.me +myds.me +synology.me +dscloud.mobi +dsmynas.net +familyds.net +dsmynas.org +familyds.org +vpnplus.to +direct.quickconnect.to + +// Tabit Technologies Ltd. 
: https://tabit.cloud/ +// Submitted by Oren Agiv +tabitorder.co.il + +// TAIFUN Software AG : http://taifun-software.de +// Submitted by Bjoern Henke +taifun-dns.de + +// Tailscale Inc. : https://www.tailscale.com +// Submitted by David Anderson +beta.tailscale.net +ts.net + +// TASK geographical domains (www.task.gda.pl/uslugi/dns) +gda.pl +gdansk.pl +gdynia.pl +med.pl +sopot.pl + +// team.blue https://team.blue +// Submitted by Cedric Dubois +site.tb-hosting.com + +// Teckids e.V. : https://www.teckids.org +// Submitted by Dominik George +edugit.io +s3.teckids.org + +// Telebit : https://telebit.cloud +// Submitted by AJ ONeal +telebit.app +telebit.io +*.telebit.xyz + +// Thingdust AG : https://thingdust.com/ +// Submitted by Adrian Imboden +*.firenet.ch +*.svc.firenet.ch +reservd.com +thingdustdata.com +cust.dev.thingdust.io +cust.disrec.thingdust.io +cust.prod.thingdust.io +cust.testing.thingdust.io +reservd.dev.thingdust.io +reservd.disrec.thingdust.io +reservd.testing.thingdust.io + +// ticket i/O GmbH : https://ticket.io +// Submitted by Christian Franke +tickets.io + +// Tlon.io : https://tlon.io +// Submitted by Mark Staarink +arvo.network +azimuth.network +tlon.network + +// Tor Project, Inc. 
: https://torproject.org +// Submitted by Antoine Beaupré +bloxcms.com +townnews-staging.com + +// TradableBits: https://tradablebits.com +// Submitted by Dmitry Khrisanov dmitry@tradablebits.com +tbits.me + +// TrafficPlex GmbH : https://www.trafficplex.de/ +// Submitted by Phillipp Röll +12hp.at +2ix.at +4lima.at +lima-city.at +12hp.ch +2ix.ch +4lima.ch +lima-city.ch +trafficplex.cloud +de.cool +12hp.de +2ix.de +4lima.de +lima-city.de +1337.pictures +clan.rip +lima-city.rocks +webspace.rocks +lima.zone + +// TransIP : https://www.transip.nl +// Submitted by Rory Breuk +*.transurl.be +*.transurl.eu +*.transurl.nl + +// TransIP: https://www.transip.nl +// Submitted by Cedric Dubois +site.transip.me + +// TuxFamily : http://tuxfamily.org +// Submitted by TuxFamily administrators +tuxfamily.org + +// TwoDNS : https://www.twodns.de/ +// Submitted by TwoDNS-Support +dd-dns.de +diskstation.eu +diskstation.org +dray-dns.de +draydns.de +dyn-vpn.de +dynvpn.de +mein-vigor.de +my-vigor.de +my-wan.de +syno-ds.de +synology-diskstation.de +synology-ds.de + +// Typedream : https://typedream.com +// Submitted by Putri Karunia +typedream.app + +// Typeform : https://www.typeform.com +// Submitted by Sergi Ferriz +pro.typeform.com + +// Uberspace : https://uberspace.de +// Submitted by Moritz Werner +uber.space +*.uberspace.de + +// UDR Limited : http://www.udr.hk.com +// Submitted by registry +hk.com +hk.org +ltd.hk +inc.hk + +// UNIVERSAL DOMAIN REGISTRY : https://www.udr.org.yt/ +// see also: whois -h whois.udr.org.yt help +// Submitted by Atanunu Igbunuroghene +name.pm +sch.tf +biz.wf +sch.wf +org.yt + +// United Gameserver GmbH : https://united-gameserver.de +// Submitted by Stefan Schwarz +virtualuser.de +virtual-user.de + +// Upli : https://upli.io +// Submitted by Lenny Bakkalian +upli.io + +// urown.net : https://urown.net +// Submitted by Hostmaster +urown.cloud +dnsupdate.info + +// .US +// Submitted by Ed Moore +lib.de.us + +// VeryPositive SIA : http://very.lv +// 
Submitted by Danko Aleksejevs +2038.io + +// Vercel, Inc : https://vercel.com/ +// Submitted by Connor Davis +vercel.app +vercel.dev +now.sh + +// Viprinet Europe GmbH : http://www.viprinet.com +// Submitted by Simon Kissel +router.management + +// Virtual-Info : https://www.virtual-info.info/ +// Submitted by Adnan RIHAN +v-info.info + +// Voorloper.com: https://voorloper.com +// Submitted by Nathan van Bakel +voorloper.cloud + +// Voxel.sh DNS : https://voxel.sh/dns/ +// Submitted by Mia Rehlinger +neko.am +nyaa.am +be.ax +cat.ax +es.ax +eu.ax +gg.ax +mc.ax +us.ax +xy.ax +nl.ci +xx.gl +app.gp +blog.gt +de.gt +to.gt +be.gy +cc.hn +blog.kg +io.kg +jp.kg +tv.kg +uk.kg +us.kg +de.ls +at.md +de.md +jp.md +to.md +indie.porn +vxl.sh +ch.tc +me.tc +we.tc +nyan.to +at.vg +blog.vu +dev.vu +me.vu + +// V.UA Domain Administrator : https://domain.v.ua/ +// Submitted by Serhii Rostilo +v.ua + +// Vultr Objects : https://www.vultr.com/products/object-storage/ +// Submitted by Niels Maumenee +*.vultrobjects.com + +// Waffle Computer Inc., Ltd. : https://docs.waffleinfo.com +// Submitted by Masayuki Note +wafflecell.com + +// WebHare bv: https://www.webhare.com/ +// Submitted by Arnold Hendriks +*.webhare.dev + +// WebHotelier Technologies Ltd: https://www.webhotelier.net/ +// Submitted by Apostolos Tsakpinis +reserve-online.net +reserve-online.com +bookonline.app +hotelwithflight.com + +// WeDeploy by Liferay, Inc. 
: https://www.wedeploy.com +// Submitted by Henrique Vicente +wedeploy.io +wedeploy.me +wedeploy.sh + +// Western Digital Technologies, Inc : https://www.wdc.com +// Submitted by Jung Jin +remotewd.com + +// WIARD Enterprises : https://wiardweb.com +// Submitted by Kidd Hustle +pages.wiardweb.com + +// Wikimedia Labs : https://wikitech.wikimedia.org +// Submitted by Arturo Borrero Gonzalez +wmflabs.org +toolforge.org +wmcloud.org + +// WISP : https://wisp.gg +// Submitted by Stepan Fedotov +panel.gg +daemon.panel.gg + +// Wizard Zines : https://wizardzines.com +// Submitted by Julia Evans +messwithdns.com + +// WoltLab GmbH : https://www.woltlab.com +// Submitted by Tim Düsterhus +woltlab-demo.com +myforum.community +community-pro.de +diskussionsbereich.de +community-pro.net +meinforum.net + +// Woods Valldata : https://www.woodsvalldata.co.uk/ +// Submitted by Chris Whittle +affinitylottery.org.uk +raffleentry.org.uk +weeklylottery.org.uk + +// WP Engine : https://wpengine.com/ +// Submitted by Michael Smith +// Submitted by Brandon DuRette +wpenginepowered.com +js.wpenginepowered.com + +// Wix.com, Inc. 
: https://www.wix.com
+// Submitted by Shahar Talmi
+wixsite.com
+editorx.io
+
+// XenonCloud GbR: https://xenoncloud.net
+// Submitted by Julian Uphoff
+half.host
+
+// XnBay Technology : http://www.xnbay.com/
+// Submitted by XnBay Developer
+xnbay.com
+u2.xnbay.com
+u2-local.xnbay.com
+
+// XS4ALL Internet bv : https://www.xs4all.nl/
+// Submitted by Daniel Mostertman
+cistron.nl
+demon.nl
+xs4all.space
+
+// Yandex.Cloud LLC: https://cloud.yandex.com
+// Submitted by Alexander Lodin
+yandexcloud.net
+storage.yandexcloud.net
+website.yandexcloud.net
+
+// YesCourse Pty Ltd : https://yescourse.com
+// Submitted by Atul Bhouraskar
+official.academy
+
+// Yola : https://www.yola.com/
+// Submitted by Stefano Rivera
+yolasite.com
+
+// Yombo : https://yombo.net
+// Submitted by Mitch Schwenk
+ybo.faith
+yombo.me
+homelink.one
+ybo.party
+ybo.review
+ybo.science
+ybo.trade
+
+// Yunohost : https://yunohost.org
+// Submitted by Valentin Grimaud
+ynh.fr
+nohost.me
+noho.st
+
+// ZaNiC : http://www.za.net/
+// Submitted by registry
+za.net
+za.org
+
+// Zine EOOD : https://zine.bg/
+// Submitted by Martin Angelov
+bss.design
+
+// Zitcom A/S : https://www.zitcom.dk
+// Submitted by Emil Stahl
+basicserver.io
+virtualserver.io
+enterprisecloud.nu
+
+// ===END PRIVATE DOMAINS===
+END_BUILTIN_DATA
+1;
diff --git a/cpan/IO-Socket-SSL/lib/IO/Socket/SSL/Utils.pm b/cpan/IO-Socket-SSL/lib/IO/Socket/SSL/Utils.pm
new file mode 100644
index 000000000000..d2de26aabc4a
--- /dev/null
+++ b/cpan/IO-Socket-SSL/lib/IO/Socket/SSL/Utils.pm
@@ -0,0 +1,792 @@
+
+package IO::Socket::SSL::Utils;
+use strict;
+use warnings;
+use Carp 'croak';
+use Net::SSLeay;
+
+# old versions of Exporter do not export 'import' yet
+require Exporter;
+*import = \&Exporter::import;
+
+our $VERSION = '2.015';
+our @EXPORT = qw(
+ PEM_file2cert PEM_file2certs PEM_string2cert PEM_cert2file PEM_certs2file PEM_cert2string
+ PEM_file2key PEM_string2key PEM_key2file PEM_key2string
+ KEY_free CERT_free
+ KEY_create_rsa CERT_asHash CERT_create
+);
+
+sub PEM_file2cert {
+ my $file = shift;
+ my $bio = Net::SSLeay::BIO_new_file($file,'r') or
+ croak "cannot read $file: $!";
+ my $cert = Net::SSLeay::PEM_read_bio_X509($bio);
+ Net::SSLeay::BIO_free($bio);
+ $cert or croak "cannot parse $file as PEM X509 cert: ".
+ Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error());
+ return $cert;
+}
+
+sub PEM_cert2file {
+ my ($cert,$file) = @_;
+ my $string = Net::SSLeay::PEM_get_string_X509($cert)
+ or croak("cannot get string from cert");
+ open( my $fh,'>',$file ) or croak("cannot write $file: $!");
+ print $fh $string;
+}
+
+use constant PEM_R_NO_START_LINE => 108;
+sub PEM_file2certs {
+ my $file = shift;
+ my $bio = Net::SSLeay::BIO_new_file($file,'r') or
+ croak "cannot read $file: $!";
+ my @certs;
+ while (1) {
+ if (my $cert = Net::SSLeay::PEM_read_bio_X509($bio)) {
+ push @certs, $cert;
+ } else {
+ Net::SSLeay::BIO_free($bio);
+ my $error = Net::SSLeay::ERR_get_error();
+ last if ($error & 0xfff) == PEM_R_NO_START_LINE && @certs;
+ croak "cannot parse $file as PEM X509 cert: " .
+ Net::SSLeay::ERR_error_string($error);
+ }
+ }
+ return @certs;
+}
+
+sub PEM_certs2file {
+ my $file = shift;
+ open( my $fh,'>',$file ) or croak("cannot write $file: $!");
+ for my $cert (@_) {
+ my $string = Net::SSLeay::PEM_get_string_X509($cert)
+ or croak("cannot get string from cert");
+ print $fh $string;
+ }
+}
+
+
+sub PEM_string2cert {
+ my $string = shift;
+ my $bio = Net::SSLeay::BIO_new( Net::SSLeay::BIO_s_mem());
+ Net::SSLeay::BIO_write($bio,$string);
+ my $cert = Net::SSLeay::PEM_read_bio_X509($bio);
+ Net::SSLeay::BIO_free($bio);
+ $cert or croak "cannot parse string as PEM X509 cert: ".
+ Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error());
+ return $cert;
+}
+
+sub PEM_cert2string {
+ my $cert = shift;
+ return Net::SSLeay::PEM_get_string_X509($cert)
+ || croak("cannot get string from cert");
+}
+
+sub PEM_file2key {
+ my $file = shift;
+ my $bio = Net::SSLeay::BIO_new_file($file,'r') or
+ croak "cannot read $file: $!";
+ my $key = Net::SSLeay::PEM_read_bio_PrivateKey($bio);
+ Net::SSLeay::BIO_free($bio);
+ $key or croak "cannot parse $file as PEM private key: ".
+ Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error());
+ return $key;
+}
+
+sub PEM_key2file {
+ my ($key,$file) = @_;
+ my $string = Net::SSLeay::PEM_get_string_PrivateKey($key)
+ or croak("cannot get string from key");
+ open( my $fh,'>',$file ) or croak("cannot write $file: $!");
+ print $fh $string;
+}
+
+sub PEM_string2key {
+ my $string = shift;
+ my $bio = Net::SSLeay::BIO_new( Net::SSLeay::BIO_s_mem());
+ Net::SSLeay::BIO_write($bio,$string);
+ my $key = Net::SSLeay::PEM_read_bio_PrivateKey($bio);
+ Net::SSLeay::BIO_free($bio);
+ $key or croak "cannot parse string as PEM private key: ".
+ Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error());
+ return $key;
+}
+
+sub PEM_key2string {
+ my $key = shift;
+ return Net::SSLeay::PEM_get_string_PrivateKey($key)
+ || croak("cannot get string from key");
+}
+
+sub CERT_free {
+ Net::SSLeay::X509_free($_) for @_;
+}
+
+sub KEY_free {
+ Net::SSLeay::EVP_PKEY_free($_) for @_;
+}
+
+sub KEY_create_rsa {
+ my $bits = shift || 2048;
+ my $key = Net::SSLeay::EVP_PKEY_new();
+ my $rsa = Net::SSLeay::RSA_generate_key($bits, 0x10001); # 0x10001 = RSA_F4
+ Net::SSLeay::EVP_PKEY_assign_RSA($key,$rsa);
+ return $key;
+}
+
+if (defined &Net::SSLeay::EC_KEY_generate_key) {
+ push @EXPORT,'KEY_create_ec';
+ *KEY_create_ec = sub {
+ my $curve = shift || 'prime256v1';
+ my $key = Net::SSLeay::EVP_PKEY_new();
+ my $ec = Net::SSLeay::EC_KEY_generate_key($curve);
+ Net::SSLeay::EVP_PKEY_assign_EC_KEY($key,$ec);
+ return $key;
+ }
+}
+
+# extract information from cert
+my %gen2i = qw( OTHERNAME 0 EMAIL 1 DNS 2 X400 3 DIRNAME 4 EDIPARTY 5 URI 6 IP 7 RID 8 );
+my %i2gen = reverse %gen2i;
+sub CERT_asHash {
+ my $cert = shift;
+ my $digest_name = shift || 'sha256';
+
+ my %hash = (
+ version => Net::SSLeay::X509_get_version($cert),
+ not_before => _asn1t2t(Net::SSLeay::X509_get_notBefore($cert)),
+ not_after => _asn1t2t(Net::SSLeay::X509_get_notAfter($cert)),
+ serial => Net::SSLeay::P_ASN1_INTEGER_get_dec(
+ Net::SSLeay::X509_get_serialNumber($cert)),
+ signature_alg => Net::SSLeay::OBJ_obj2txt (
+ Net::SSLeay::P_X509_get_signature_alg($cert)),
+ crl_uri => [ Net::SSLeay::P_X509_get_crl_distribution_points($cert) ],
+ keyusage => [ Net::SSLeay::P_X509_get_key_usage($cert) ],
+ extkeyusage => {
+ oid => [ Net::SSLeay::P_X509_get_ext_key_usage($cert,0) ],
+ nid => [ Net::SSLeay::P_X509_get_ext_key_usage($cert,1) ],
+ sn => [ Net::SSLeay::P_X509_get_ext_key_usage($cert,2) ],
+ ln => [ Net::SSLeay::P_X509_get_ext_key_usage($cert,3) ],
+ },
+ "pubkey_digest_$digest_name" => Net::SSLeay::X509_pubkey_digest(
+
$cert,_digest($digest_name)),
+ "x509_digest_$digest_name" => Net::SSLeay::X509_digest(
+ $cert,_digest($digest_name)),
+ "fingerprint_$digest_name" => Net::SSLeay::X509_get_fingerprint(
+ $cert,$digest_name),
+ );
+
+ for([ subject => Net::SSLeay::X509_get_subject_name($cert) ],
+ [ issuer => Net::SSLeay::X509_get_issuer_name($cert) ]) {
+ my ($what,$subj) = @$_;
+ my %subj;
+ for ( 0..Net::SSLeay::X509_NAME_entry_count($subj)-1 ) {
+ my $e = Net::SSLeay::X509_NAME_get_entry($subj,$_);
+ my $k = Net::SSLeay::OBJ_obj2txt(
+ Net::SSLeay::X509_NAME_ENTRY_get_object($e));
+ my $v = Net::SSLeay::P_ASN1_STRING_get(
+ Net::SSLeay::X509_NAME_ENTRY_get_data($e));
+ if (!exists $subj{$k}) {
+ $subj{$k} = $v;
+ } elsif (!ref $subj{$k}) {
+ $subj{$k} = [ $subj{$k}, $v ];
+ } else {
+ push @{$subj{$k}}, $v;
+ }
+ }
+ $hash{$what} = \%subj;
+ }
+
+
+ if ( my @names = Net::SSLeay::X509_get_subjectAltNames($cert) ) {
+ my $alt = $hash{subjectAltNames} = [];
+ while (my ($t,$v) = splice(@names,0,2)) {
+ $t = $i2gen{$t} || die "unknown type $t in subjectAltName";
+ if ( $t eq 'IP' ) {
+ if (length($v) == 4) {
+ $v = join('.',unpack("CCCC",$v));
+ } elsif ( length($v) == 16 ) {
+ my @v = unpack("nnnnnnnn",$v);
+ my ($best0,$last0);
+ for(my $i=0;$i<@v;$i++) {
+ if ($v[$i] == 0) {
+ if ($last0) {
+ $last0->[1] = $i;
+ $last0->[2]++;
+ $best0 = $last0 if ++$last0->[2]>$best0->[2];
+ } else {
+ $last0 = [ $i,$i,0 ];
+ $best0 ||= $last0;
+ }
+ } else {
+ $last0 = undef;
+ }
+ }
+ if ($best0) {
+ $v = '';
+ $v .= join(':', map { sprintf( "%x",$_) } @v[0..$best0->[0]-1]) if $best0->[0]>0;
+ $v .= '::';
+ $v .= join(':', map { sprintf( "%x",$_) } @v[$best0->[1]+1..$#v]) if $best0->[1]<$#v;
+ } else {
+ $v = join(':', map { sprintf( "%x",$_) } @v);
+ }
+ }
+ }
+ push @$alt,[$t,$v]
+ }
+ }
+
+ my @ext;
+ for( 0..Net::SSLeay::X509_get_ext_count($cert)-1 ) {
+ my $e = Net::SSLeay::X509_get_ext($cert,$_);
+ my $o = Net::SSLeay::X509_EXTENSION_get_object($e);
+ my $nid =
Net::SSLeay::OBJ_obj2nid($o);
+ push @ext, {
+ oid => Net::SSLeay::OBJ_obj2txt($o),
+ nid => ( $nid > 0 ) ? $nid : undef,
+ sn => ( $nid > 0 ) ? Net::SSLeay::OBJ_nid2sn($nid) : undef,
+ critical => Net::SSLeay::X509_EXTENSION_get_critical($e),
+ data => Net::SSLeay::X509V3_EXT_print($e),
+ }
+ }
+ $hash{ext} = \@ext;
+
+ if ( defined(&Net::SSLeay::P_X509_get_ocsp_uri)) {
+ $hash{ocsp_uri} = [ Net::SSLeay::P_X509_get_ocsp_uri($cert) ];
+ } else {
+ $hash{ocsp_uri} = [];
+ for( @ext ) {
+ $_->{sn} or next;
+ $_->{sn} eq 'authorityInfoAccess' or next;
+ push @{ $hash{ocsp_uri}}, $_->{data} =~m{\bOCSP - URI:(\S+)}g;
+ }
+ }
+
+ return \%hash;
+}
+
+sub CERT_create {
+ my %args = @_%2 ? %{ shift() } : @_;
+
+ my $cert = Net::SSLeay::X509_new();
+ my $digest_name = delete $args{digest} || 'sha256';
+
+ Net::SSLeay::ASN1_INTEGER_set(
+ Net::SSLeay::X509_get_serialNumber($cert),
+ delete $args{serial} || rand(2**32),
+ );
+
+ # version default to 2 (V3)
+ Net::SSLeay::X509_set_version($cert,
+ delete $args{version} || 2 );
+
+ # not_before default to now
+ Net::SSLeay::ASN1_TIME_set(
+ Net::SSLeay::X509_get_notBefore($cert),
+ delete $args{not_before} || time()
+ );
+
+ # not_after default to now+365 days
+ Net::SSLeay::ASN1_TIME_set(
+ Net::SSLeay::X509_get_notAfter($cert),
+ delete $args{not_after} || time() + 365*86400
+ );
+
+ # set subject
+ my $subj_e = Net::SSLeay::X509_get_subject_name($cert);
+ my $subj = delete $args{subject} || {
+ organizationName => 'IO::Socket::SSL',
+ commonName => 'IO::Socket::SSL Test'
+ };
+
+ while ( my ($k,$v) = each %$subj ) {
+ # Not everything we get is nice - try with MBSTRING_UTF8 first and if it
+ # fails try V_ASN1_T61STRING and finally V_ASN1_OCTET_STRING
+ for (ref($v) ? @$v : ($v)) {
+ Net::SSLeay::X509_NAME_add_entry_by_txt($subj_e,$k,0x1000,$_,-1,0)
+ or Net::SSLeay::X509_NAME_add_entry_by_txt($subj_e,$k,20,$_,-1,0)
+ or Net::SSLeay::X509_NAME_add_entry_by_txt($subj_e,$k,4,$_,-1,0)
+ or croak("failed to add entry for $k - ".
+ Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error()));
+ }
+ }
+
+ my @ext = (
+ &Net::SSLeay::NID_subject_key_identifier => 'hash',
+ &Net::SSLeay::NID_authority_key_identifier => 'keyid',
+ );
+ if ( my $altsubj = delete $args{subjectAltNames} ) {
+ push @ext,
+ &Net::SSLeay::NID_subject_alt_name =>
+ join(',', map { "$_->[0]:$_->[1]" } @$altsubj)
+ }
+
+ my $key = delete $args{key} || KEY_create_rsa();
+ Net::SSLeay::X509_set_pubkey($cert,$key);
+
+ my $is = delete $args{issuer};
+ my $issuer_cert = delete $args{issuer_cert} || $is && $is->[0] || $cert;
+ my $issuer_key = delete $args{issuer_key} || $is && $is->[1] || $key;
+
+ my %purpose;
+ if (my $p = delete $args{purpose}) {
+ if (!ref($p)) {
+ $purpose{lc($2)} = (!$1 || $1 eq '+') ? 1:0
+ while $p =~m{([+-]?)(\w+)}g;
+ } elsif (ref($p) eq 'ARRAY') {
+ for(@$p) {
+ m{^([+-]?)(\w+)$} or die "invalid entry in purpose: $_";
+ $purpose{lc($2)} = (!$1 || $1 eq '+') ? 1:0
+ }
+ } else {
+ while( my ($k,$v) = each %$p) {
+ $purpose{lc($k)} = ($v && $v ne '-')?1:0;
+ }
+ }
+ }
+ if (delete $args{CA}) {
+ # add defaults for CA
+ %purpose = (
+ ca => 1, sslca => 1, emailca => 1, objca => 1,
+ %purpose
+ );
+ }
+ if (!%purpose) {
+ %purpose = (server => 1, client => 1);
+ }
+
+ my (%key_usage,%ext_key_usage,%cert_type,%basic_constraints);
+
+ my %dS = ( digitalSignature => \%key_usage );
+ my %kE = ( keyEncipherment => \%key_usage );
+ my %CA = ( 'CA:TRUE' => \%basic_constraints, %dS, keyCertSign => \%key_usage );
+ my @disable;
+ for(
+ [ client => { %dS, %kE, clientAuth => \%ext_key_usage, client => \%cert_type } ],
+ [ server => { %dS, %kE, serverAuth => \%ext_key_usage, server => \%cert_type } ],
+ [ email => { %dS, %kE, emailProtection => \%ext_key_usage, email => \%cert_type } ],
+ [ objsign => { %dS, %kE, codeSigning => \%ext_key_usage, objsign => \%cert_type } ],
+
+ [ CA => { %CA }],
+ [ sslCA => { %CA, sslCA => \%cert_type }],
+ [ emailCA => { %CA, emailCA => \%cert_type }],
+ [ objCA => { %CA, objCA
=> \%cert_type }],
+
+ [ emailProtection => { %dS, %kE, emailProtection => \%ext_key_usage, email => \%cert_type } ],
+ [ codeSigning => { %dS, %kE, codeSigning => \%ext_key_usage, objsign => \%cert_type } ],
+
+ [ timeStamping => { timeStamping => \%ext_key_usage } ],
+ [ digitalSignature => { digitalSignature => \%key_usage } ],
+ [ nonRepudiation => { nonRepudiation => \%key_usage } ],
+ [ keyEncipherment => { keyEncipherment => \%key_usage } ],
+ [ dataEncipherment => { dataEncipherment => \%key_usage } ],
+ [ keyAgreement => { keyAgreement => \%key_usage } ],
+ [ keyCertSign => { keyCertSign => \%key_usage } ],
+ [ cRLSign => { cRLSign => \%key_usage } ],
+ [ encipherOnly => { encipherOnly => \%key_usage } ],
+ [ decipherOnly => { decipherOnly => \%key_usage } ],
+ [ clientAuth => { clientAuth => \%ext_key_usage } ],
+ [ serverAuth => { serverAuth => \%ext_key_usage } ],
+ ) {
+ exists $purpose{lc($_->[0])} or next;
+ if (delete $purpose{lc($_->[0])}) {
+ while (my($k,$h) = each %{$_->[1]}) {
+ $h->{$k} = 1;
+ }
+ } else {
+ push @disable, $_->[1];
+ }
+ }
+ die "unknown purpose ".join(",",keys %purpose) if %purpose;
+ for(@disable) {
+ while (my($k,$h) = each %$_) {
+ delete $h->{$k};
+ }
+ }
+
+ if (%basic_constraints) {
+ push @ext,&Net::SSLeay::NID_basic_constraints,
+ => join(",",'critical', sort keys %basic_constraints);
+ } else {
+ push @ext, &Net::SSLeay::NID_basic_constraints => 'critical,CA:FALSE';
+ }
+ push @ext,&Net::SSLeay::NID_key_usage
+ => join(",",'critical', sort keys %key_usage) if %key_usage;
+ push @ext,&Net::SSLeay::NID_netscape_cert_type
+ => join(",",sort keys %cert_type) if %cert_type;
+ push @ext,&Net::SSLeay::NID_ext_key_usage
+ => join(",",sort keys %ext_key_usage) if %ext_key_usage;
+ Net::SSLeay::P_X509_add_extensions($cert, $issuer_cert, @ext);
+
+ my %have_ext;
+ for(my $i=0;$i<@ext;$i+=2) {
+ $have_ext{ $ext[$i] }++
+ }
+ for my $ext (@{ $args{ext} || [] }) {
+ my $nid = $ext->{nid}
+ || $ext->{sn} &&
Net::SSLeay::OBJ_sn2nid($ext->{sn})
+ || croak "cannot determine NID of extension";
+ $have_ext{$nid} and next;
+ my $val = $ext->{data};
+ if ($nid == 177) {
+ # authorityInfoAccess:
+ # OpenSSL i2v does not output the same way as expected by i2v :(
+ for (split(/\n/,$val)) {
+ s{ - }{;}; # "OCSP - URI:..." -> "OCSP;URI:..."
+ $_ = "critical,$_" if $ext->{critical};
+ Net::SSLeay::P_X509_add_extensions($cert,$issuer_cert,$nid,$_);
+ }
+ } else {
+ $val = "critical,$val" if $ext->{critical};
+ Net::SSLeay::P_X509_add_extensions($cert, $issuer_cert, $nid, $val);
+ }
+ }
+
+ Net::SSLeay::X509_set_issuer_name($cert,
+ Net::SSLeay::X509_get_subject_name($issuer_cert));
+ Net::SSLeay::X509_sign($cert,$issuer_key,_digest($digest_name));
+
+ return ($cert,$key);
+}
+
+
+
+if ( defined &Net::SSLeay::ASN1_TIME_timet ) {
+ *_asn1t2t = \&Net::SSLeay::ASN1_TIME_timet
+} else {
+ require Time::Local;
+ my %mon2i = qw(
+ Jan 0 Feb 1 Mar 2 Apr 3 May 4 Jun 5
+ Jul 6 Aug 7 Sep 8 Oct 9 Nov 10 Dec 11
+ );
+ *_asn1t2t = sub {
+ my $t = Net::SSLeay::P_ASN1_TIME_put2string( shift );
+ my ($mon,$d,$h,$m,$s,$y,$tz) = split(/[\s:]+/,$t);
+ defined( $mon = $mon2i{$mon} ) or die "invalid month in $t";
+ $tz ||= $y =~s{^(\d+)([A-Z]\S*)}{$1} && $2;
+ if ( !
$tz ) {
+ return Time::Local::timelocal($s,$m,$h,$d,$mon,$y)
+ } elsif ( $tz eq 'GMT' ) {
+ return Time::Local::timegm($s,$m,$h,$d,$mon,$y)
+ } else {
+ die "unexpected TZ $tz from ASN1_TIME_print";
+ }
+ }
+}
+
+{
+ my %digest;
+ sub _digest {
+ my $digest_name = shift;
+ return $digest{$digest_name} ||= do {
+ Net::SSLeay::SSLeay_add_ssl_algorithms();
+ Net::SSLeay::EVP_get_digestbyname($digest_name)
+ or die "Digest algorithm $digest_name is not available";
+ };
+ }
+}
+
+
+1;
+
+__END__
+
+=head1 NAME
+
+IO::Socket::SSL::Utils -- loading, storing, creating certificates and keys
+
+=head1 SYNOPSIS
+
+ use IO::Socket::SSL::Utils;
+
+ $cert = PEM_file2cert('cert.pem'); # load certificate from file
+ my $hash = CERT_asHash($cert); # get details from certificate
+ PEM_cert2file($cert,'cert.pem'); # write certificate to file
+ CERT_free($cert); # free memory within OpenSSL
+
+ @certs = PEM_file2certs('chain.pem'); # load multiple certificates from file
+ PEM_certs2file('chain.pem', @certs); # write multiple certificates to file
+ CERT_free(@certs); # free memory for all within OpenSSL
+
+ my $cert = PEM_string2cert($pem); # load certificate from PEM string
+ $pem = PEM_cert2string($cert); # convert certificate to PEM string
+
+ $key = KEY_create_rsa(2048); # create new 2048-bit RSA key
+ PEM_key2file($key,"key.pem"); # and write it to file
+ KEY_free($key); # free memory within OpenSSL
+
+
+=head1 DESCRIPTION
+
+This module provides various utility functions to work with certificates and
+private keys, shielding some of the complexity of the underlying Net::SSLeay and
+OpenSSL.
+
+=head1 FUNCTIONS
+
+=over 4
+
+=item *
+
+Functions converting between string or file and certificates and keys.
+They croak if the operation cannot be completed.
+
+=over 8
+
+=item PEM_file2cert(file) -> cert
+
+=item PEM_cert2file(cert,file)
+
+=item PEM_file2certs(file) -> @certs
+
+=item PEM_certs2file(file,@certs)
+
+=item PEM_string2cert(string) -> cert
+
+=item PEM_cert2string(cert) -> string
+
+=item PEM_file2key(file) -> key
+
+=item PEM_key2file(key,file)
+
+=item PEM_string2key(string) -> key
+
+=item PEM_key2string(key) -> string
+
+=back
+
+=item *
+
+Functions for cleaning up.
+Each loaded or created cert and key must be freed to not leak memory.
+
+=over 8
+
+=item CERT_free(@certs)
+
+=item KEY_free(@keys)
+
+=back
+
+=item * KEY_create_rsa(bits) -> key
+
+Creates an RSA key pair, bits defaults to 2048.
+
+=item * KEY_create_ec(curve) -> key
+
+Creates an EC key, curve defaults to C.
+
+=item * CERT_asHash(cert,[digest_algo]) -> hash
+
+Extracts the information from the certificate into a hash and uses the given
+digest_algo (default: SHA-256) to determine digest of pubkey and cert.
+The resulting hash contains:
+
+=over 8
+
+=item subject
+
+Hash with the parts of the subject, e.g. commonName, countryName,
+organizationName, stateOrProvinceName, localityName. If there are multiple
+values for any of these parts the hash value will be an array ref with the
+values in order instead of just a scalar.
+
+=item subjectAltNames
+
+Array with list of alternative names. Each entry in the list is of
+C<[type,value]>, where C can be OTHERNAME, EMAIL, DNS, X400, DIRNAME,
+EDIPARTY, URI, IP or RID.
+
+=item issuer
+
+Hash with the parts of the issuer, e.g. commonName, countryName,
+organizationName, stateOrProvinceName, localityName. If there are multiple
+values for any of these parts the hash value will be an array ref with the
+values in order instead of just a scalar.
+
+=item not_before, not_after
+
+The time frame, where the certificate is valid, as time_t, e.g. can be converted
+with localtime or similar functions.
+
+=item serial
+
+The serial number
+
+=item crl_uri
+
+List of URIs for CRL distribution.
+
+=item ocsp_uri
+
+List of URIs for revocation checking using OCSP.
+
+=item keyusage
+
+List of keyUsage information in the certificate.
+
+=item extkeyusage
+
+List of extended key usage information from the certificate. Each entry in
+this list consists of a hash with oid, nid, ln and sn.
+
+=item pubkey_digest_xxx
+
+Binary digest of the pubkey using the given digest algorithm, e.g.
+pubkey_digest_sha256 if (the default) SHA-256 was used.
+
+=item x509_digest_xxx
+
+Binary digest of the X.509 certificate using the given digest algorithm, e.g.
+x509_digest_sha256 if (the default) SHA-256 was used.
+
+=item fingerprint_xxx
+
+Fingerprint of the certificate using the given digest algorithm, e.g.
+fingerprint_sha256 if (the default) SHA-256 was used. Contrary to digest_* this
+is an ASCII string with a list if hexadecimal numbers, e.g.
+"73:59:75:5C:6D...".
+
+=item signature_alg
+
+Algorithm used to sign certificate, e.g. C.
+
+=item ext
+
+List of extensions.
+Each entry in the list is a hash with oid, nid, sn, critical flag (boolean) and
+data (string representation given by X509V3_EXT_print).
+
+=item version
+
+Certificate version, usually 2 (x509v3)
+
+=back
+
+=item * CERT_create(hash) -> (cert,key)
+
+Creates a certificate based on the given hash.
+If the issuer is not specified the certificate will be self-signed.
+The following keys can be given:
+
+=over 8
+
+=item subject
+
+Hash with the parts of the subject, e.g. commonName, countryName, ... as
+described in C.
+Default points to IO::Socket::SSL.
+
+=item not_before
+
+A time_t value when the certificate starts to be valid. Defaults to current
+time.
+
+=item not_after
+
+A time_t value when the certificate ends to be valid. Defaults to current
+time plus one 365 days.
+
+=item serial
+
+The serial number. If not given a random number will be used.
+
+=item version
+
+The version of the certificate, default 2 (x509v3).
+
+=item CA true|false
+
+If true declare certificate as CA, defaults to false.
+
+=item purpose string|array|hash
+
+Set the purpose of the certificate.
+The different purposes can be given as a string separated by non-word character,
+as array or hash. With string or array each purpose can be prefixed with '+'
+(enable) or '-' (disable) and same can be done with the value when given as a
+hash. By default enabling the purpose is assumed.
+
+If the CA option is given and true the defaults "ca,sslca,emailca,objca" are
+assumed, but can be overridden with explicit purpose.
+If the CA option is given and false the defaults "server,client" are assumed.
+If no CA option and no purpose is given it defaults to "server,client".
+
+Purpose affects basicConstraints, keyUsage, extKeyUsage and netscapeCertType.
+The following purposes are defined (case is not important):
+
+ client
+ server
+ email
+ objsign
+
+ CA
+ sslCA
+ emailCA
+ objCA
+
+ emailProtection
+ codeSigning
+ timeStamping
+
+ digitalSignature
+ nonRepudiation
+ keyEncipherment
+ dataEncipherment
+ keyAgreement
+ keyCertSign
+ cRLSign
+ encipherOnly
+ decipherOnly
+
+Examples:
+
+ # root-CA for SSL certificates
+ purpose => 'sslCA' # or CA => 1
+
+ # server certificate and CA (typically self-signed)
+ purpose => 'sslCA,server'
+
+ # client certificate
+ purpose => 'client',
+
+
+=item ext [{ sn => .., data => ... }, ... ]
+
+List of extensions. The type of the extension can be specified as name with
+C or as NID with C and the data with C. These data must be in the
+same syntax as expected within openssl.cnf, e.g. something like
+C. Additionally the critical flag can be set with
+C 1>.
+
+=item key key
+
+use given key as key for certificate, otherwise a new one will be generated and
+returned
+
+=item issuer_cert cert
+
+set issuer for new certificate
+
+=item issuer_key key
+
+sign new certificate with given key
+
+=item issuer [ cert, key ]
+
+Instead of giving issuer_key and issuer_cert as separate arguments they can be
+given both together.
+
+=item digest algorithm
+
+specify the algorithm used to sign the certificate, default SHA-256.
+
+=back
+
+=back
+
+=head1 AUTHOR
+
+Steffen Ullrich
diff --git a/cpan/IO-Socket-SSL/t/01loadmodule.t b/cpan/IO-Socket-SSL/t/01loadmodule.t
new file mode 100644
index 000000000000..db9137026c8f
--- /dev/null
+++ b/cpan/IO-Socket-SSL/t/01loadmodule.t
@@ -0,0 +1,22 @@
+use strict;
+use warnings;
+no warnings 'once';
+use Test::More;
+
+plan tests => 3;
+
+ok( eval { require IO::Socket::SSL },"loaded");
+
+diag( sprintf( "openssl version compiled=0x%0x linked=0x%0x -- %s",
+ Net::SSLeay::OPENSSL_VERSION_NUMBER(),
+ Net::SSLeay::SSLeay(),
+ Net::SSLeay::SSLeay_version(0)));
+
+diag( sprintf( "Net::SSLeay version=%s", $Net::SSLeay::VERSION));
+diag( sprintf( "parent %s version=%s", $_, $_->VERSION))
+ for (@IO::Socket::SSL::ISA);
+
+IO::Socket::SSL->import(':debug1');
+is( $IO::Socket::SSL::DEBUG,1, "IO::Socket::SSL::DEBUG 1");
+is( $Net::SSLeay::trace,1, "Net::SSLeay::trace 1");
+
diff --git a/cpan/IO-Socket-SSL/t/acceptSSL-timeout.t b/cpan/IO-Socket-SSL/t/acceptSSL-timeout.t
new file mode 100644
index 000000000000..1185fdf60f9a
--- /dev/null
+++ b/cpan/IO-Socket-SSL/t/acceptSSL-timeout.t
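Review bot: In 01loadmodule.t the line `ok( eval { require IO::Socket::SSL },"loaded");` records a failed load but the script then calls `Net::SSLeay::OPENSSL_VERSION_NUMBER()` and `IO::Socket::SSL->import(':debug1')` unconditionally, so when the module cannot be loaded the run dies with an undefined-subroutine error and an incomplete plan instead of one clear failure. Ending that line with `or BAIL_OUT("IO::Socket::SSL failed to load: $@");` stops the file with the actual load error in the output, and nothing later in the suite can work without the module anyway. The `diag` lines also rely on Net::SSLeay being loaded, which only holds transitively through IO::Socket::SSL; a comment saying so above them would save the next reader a lookup.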
@@ -0,0 +1,72 @@
+use strict;
+use warnings;
+use Socket;
+use IO::Socket::SSL;
+do './testlib.pl' || do './t/testlib.pl' || die "no testlib";
+
+$|=1;
+print "1..15\n";
+
+# first use SSL client
+{
+ my ($server,$saddr) = create_listen_socket();
+ ok(1, "listening \@$saddr" );
+ my $srv = fork_sub( 'server',$server );
+ close($server);
+ fd_grep_ok( 'Waiting', $srv );
+ my $cl = fork_sub( 'client_ssl',$saddr );
+ fd_grep_ok( 'Connect from',$srv );
+ fd_grep_ok( 'Connected', $cl );
+ fd_grep_ok( 'SSL Handshake OK', $srv );
+ fd_grep_ok( 'Hi!', $cl );
+}
+
+# then try bad non-SSL client
+{
+ my ($server,$saddr) = create_listen_socket();
+ ok(1, "listening \@$saddr" );
+ my $srv = fork_sub( 'server',$server );
+ close($server);
+ fd_grep_ok( 'Waiting', $srv );
+ my $cl = fork_sub( 'client_no_ssl',$saddr );
+ fd_grep_ok( 'Connect from',$srv );
+ fd_grep_ok( 'Connected', $cl );
+ fd_grep_ok( 'SSL Handshake FAILED', $srv );
+}
+
+
+sub server {
+ my $server = shift;
+ print "Waiting\n";
+ my $client = $server->accept || die "accept failed: $!";
+ print "Connect from ".$client->peerhost.':'.$client->peerport."\n";
+ if ( IO::Socket::SSL->start_SSL( $client,
+ SSL_server => 1,
+ Timeout => 5,
+ SSL_cert_file => 't/certs/server-cert.pem',
+ SSL_key_file => 't/certs/server-key.pem',
+ )) {
+ print "SSL Handshake OK\n";
+ print $client "Hi!\n";
+ } else {
+ print "SSL Handshake FAILED - $!\n"
+ }
+}
+
+sub client_no_ssl {
+ my $saddr = shift;
+ my $c = IO::Socket::INET->new( $saddr ) || die "connect failed: $!";
+ print "Connected\n";
+ while ( sysread( $c,my $buf,8000 )) {}
+}
+
+sub client_ssl {
+ my $saddr = shift;
+ my $c = IO::Socket::SSL->new(
+ PeerAddr => $saddr,
+ Domain => AF_INET,
+ SSL_verify_mode => 0
+ ) || die "connect failed: $!|$SSL_ERROR";
+ print "Connected\n";
+ while ( sysread( $c,my $buf,8000 )) { print $buf }
+}
diff --git a/cpan/IO-Socket-SSL/t/alpn.t b/cpan/IO-Socket-SSL/t/alpn.t
new file mode 100644
index 000000000000..e767460ee65e
--- /dev/null
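Review bot: In `server`, the failure branch prints `"SSL Handshake FAILED - $!\n"`, but a `start_SSL` failure leaves its reason in `$SSL_ERROR` (the same file's `client_ssl` already dies with `"$!|$SSL_ERROR"`), so a timeout cannot be told apart from a protocol error in the captured output. `print "SSL Handshake FAILED - $!|$SSL_ERROR\n"` keeps the `fd_grep_ok` pattern working and shows the cause. The second block passes only because `client_no_ssl` never sends a ClientHello and `Timeout => 5` makes the server-side handshake give up; that deserves a comment above the block, e.g. `# the raw TCP client never speaks TLS, so start_SSL must fail via Timeout`. The plan `1..15` is hard-coded and has to be adjusted by hand whenever an `fd_grep_ok` call is added or removed.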
+++ b/cpan/IO-Socket-SSL/t/alpn.t
@@ -0,0 +1,76 @@
+#!perl
+# Before `make install' is performed this script should be runnable with
+# `make test'. After `make install' it should work as `perl t/alpn.t'
+
+use strict;
+use warnings;
+use Net::SSLeay;
+use Socket;
+use IO::Socket::SSL;
+
+do './testlib.pl' || do './t/testlib.pl' || die "no testlib";
+
+# check if we have ALPN available
+# if it is available
+if ( ! IO::Socket::SSL->can_alpn ) {
+ print "1..0 # Skipped: ALPN not available in Net::SSLeay\n";
+ exit;
+}
+
+print "1..5\n";
+
+# first create simple ssl-server
+my $ID = 'server';
+my $addr = '127.0.0.1';
+my $server = IO::Socket::SSL->new(
+ LocalAddr => $addr,
+ Listen => 2,
+ SSL_cert_file => 't/certs/server-cert.pem',
+ SSL_key_file => 't/certs/server-key.pem',
+ SSL_alpn_protocols => [qw(one two)],
+) || do {
+ ok(0,"server creation failed: $!");
+ exit;
+};
+ok(1,"Server Initialization at $addr");
+
+# add server port to addr
+$addr = "$addr:".$server->sockport;
+print "# server at $addr\n";
+
+my $pid = fork();
+if ( !defined $pid ) {
+ die $!; # fork failed
+
+} elsif ( !$pid ) { ###### Client
+
+ $ID = 'client';
+ close($server);
+ my $to_server = IO::Socket::SSL->new(
+ PeerAddr => $addr,
+ Domain => AF_INET,
+ SSL_verify_mode => 0,
+ SSL_alpn_protocols => [qw(two three)],
+ ) or do {
+ ok(0,"connect failed: ".IO::Socket::SSL->errstr());
+ exit;
+ };
+ ok(1,"client connected" );
+ my $proto = $to_server->alpn_selected;
+ ok($proto eq "two","negotiated $proto");
+} else { ###### Server
+ my $to_client = $server->accept or do {
+ ok(0,"accept failed: ".$server->errstr());
+ kill(9,$pid);
+ exit;
+ };
+ ok(1,"Server accepted" );
+ my $proto = $to_client->alpn_selected;
+ ok($proto eq "two","negotiated $proto");
+ wait;
+}
+
+sub ok {
+ my $ok = shift;
+ print $ok ? '' : 'not ', "ok # [$ID] @_\n";
+}
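Review bot: `ok($proto eq "two","negotiated $proto");` in both the client and the server branch compares an `alpn_selected` result that is undef when nothing was negotiated, so the one failure this test exists to catch produces two "uninitialized" warnings and a description that ends in nothing. `ok(defined $proto && $proto eq "two", "negotiated ".(defined $proto ? $proto : '<none>'));` keeps the run quiet and says what came back. The child branch also falls off the end of the `if`/`elsif` chain and runs to the end of the file rather than calling `exit`; that is harmless here only because nothing but the `sub ok` definition follows, which is worth a short comment so a later addition below the chain does not run in both processes.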
diff --git a/cpan/IO-Socket-SSL/t/auto_verify_hostname.t b/cpan/IO-Socket-SSL/t/auto_verify_hostname.t
new file mode 100644
index 000000000000..eea937b2b44b
--- /dev/null
+++ b/cpan/IO-Socket-SSL/t/auto_verify_hostname.t
@@ -0,0 +1,87 @@
+#!perl
+
+use strict;
+use warnings;
+use Net::SSLeay;
+use Socket;
+use IO::Socket::SSL;
+use Test::More;
+
+do './testlib.pl' || do './t/testlib.pl' || die "no testlib";
+
+plan tests => 1 + 7 + 4 + 7*2 + 4;
+my @tests = qw(
+ example.com www FAIL
+ server.local ldap OK
+ server.local www FAIL
+ bla.server.local www OK
+ www7.other.local www OK
+ www7.other.local ldap FAIL
+ bla.server.local ldap OK
+);
+
+
+
+my $server = IO::Socket::SSL->new(
+ LocalAddr => '127.0.0.1',
+ LocalPort => 0,
+ Listen => 2,
+ ReuseAddr => 1,
+ SSL_server => 1,
+ SSL_cert_file => "t/certs/server-wildcard.pem",
+ SSL_key_file => "t/certs/server-wildcard.pem",
+);
+warn "\$!=$!, \$\@=$@, S\$SSL_ERROR=$SSL_ERROR" if ! $server;
+ok( $server, "Server Initialization");
+exit if !$server;
+my $saddr = $server->sockhost.':'.$server->sockport;
+
+defined( my $pid = fork() ) || die $!;
+if ( $pid == 0 ) {
+ while (1) {
+ my $csock = $server->accept || next;
+ print $csock "hallo\n";
+ }
+}
+
+close($server);
+IO::Socket::SSL::default_ca('t/certs/test-ca.pem');
+for( my $i=0;$i<@tests;$i+=3 ) {
+ my ($name,$scheme,$result) = @tests[$i,$i+1,$i+2];
+ my $cl = IO::Socket::SSL->new(
+ PeerAddr => $saddr,
+ Domain => AF_INET,
+ SSL_verify_mode => 1,
+ SSL_verifycn_scheme => $scheme,
+ SSL_verifycn_name => $name,
+ );
+ if ( $result eq 'FAIL' ) {
+ ok( !$cl, "connection to $name/$scheme failed" );
+ } else {
+ ok( $cl, "connection to $name/$scheme succeeded" );
+ }
+ $cl || next;
+ is( <$cl>, "hallo\n", "received hallo" );
+}
+
+for( my $i=0;$i<@tests;$i+=3 ) {
+ my ($name,$scheme,$result) = @tests[$i,$i+1,$i+2];
+ my $cl = IO::Socket::INET->new($saddr);
+ ok( $cl, "tcp connect" );
+ $cl = IO::Socket::SSL->start_SSL( $cl,
+ SSL_verify_mode => 1,
+ SSL_verifycn_scheme => $scheme,
+ SSL_verifycn_name => $name,
+ );
+ if ( $result eq 'FAIL' ) {
+ ok( !$cl, "ssl upgrade of connection to $name/$scheme failed" );
+ } else {
+ ok( $cl, "ssl upgrade of connection to $name/$scheme succeeded"
);
+ }
+ $cl || next;
+ is( <$cl>, "hallo\n", "received hallo" );
+}
+
+kill(9,$pid);
+wait;
+
diff --git a/cpan/IO-Socket-SSL/t/cert_formats.t b/cpan/IO-Socket-SSL/t/cert_formats.t
new file mode 100644
index 000000000000..e35d0a8c11c4
--- /dev/null
+++ b/cpan/IO-Socket-SSL/t/cert_formats.t
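Review bot: `is( <$cl>, "hallo\n", "received hallo" );` in both loops evaluates `<$cl>` in list context, so it blocks until the server side closes the connection and passes every line read as a separate argument to `is`; it works only because the forked server writes exactly one line, and any further line would shift the expected value and description. `is( scalar <$cl>, "hallo\n", "received hallo" );` reads the one line the test is about. The diagnostic `warn "\$!=$!, \$\@=$@, S\$SSL_ERROR=$SSL_ERROR" if ! $server;` has a stray `S` before `\$SSL_ERROR`. `SSL_verify_mode => 1` appears as a magic number in both loops; IO::Socket::SSL exports `SSL_VERIFY_PEER` for it, which also documents that the FAIL cases are hostname-verification failures rather than chain failures.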
@@ -0,0 +1,76 @@
+use strict;
+use warnings;
+use Test::More;
+use IO::Socket::SSL;
+use File::Temp 'tempfile';
+do './testlib.pl' || do './t/testlib.pl' || die "no testlib";
+
+my $srv = IO::Socket::INET->new(
+ LocalAddr => '127.0.0.1',
+ Listen => 10,
+);
+plan skip_all => "server creation failed: $!" if ! $srv;
+my $saddr = $srv->sockhost.':'.$srv->sockport;
+
+my ($fh,$pemfile) = tempfile();
+my $master = $$;
+END { unlink($pemfile) if $$ == $master };
+for ('t/certs/server-cert.pem','t/certs/server-key.pem') {
+ open( my $pf,'<',$_ ) or die "open $_: $!";
+ print $fh do { local $/; <$pf> };
+}
+close($fh);
+
+my @tests = (
+ 'PEM' => {
+ SSL_cert_file => 't/certs/server-cert.pem',
+ SSL_key_file => 't/certs/server-key.pem',
+ },
+ 'PEM_one_file' => {
+ SSL_cert_file => $pemfile,
+ },
+ 'PEM_keyenc' => {
+ SSL_cert_file => 't/certs/server-cert.pem',
+ SSL_key_file => 't/certs/server-key.enc',
+ SSL_passwd_cb => sub { "bluebell" },
+ },
+ 'DER' => {
+ SSL_cert_file => 't/certs/server-cert.der',
+ SSL_key_file => 't/certs/server-key.der',
+ },
+ 'PKCS12' => {
+ SSL_cert_file => 't/certs/server.p12',
+ },
+ 'PKCS12_enc' => {
+ SSL_cert_file => 't/certs/server_enc.p12',
+ SSL_passwd_cb => sub { "bluebell" },
+ },
+);
+plan tests => @tests/2;
+
+while (my ($name,$sslargs) = splice(@tests,0,2)) {
+ defined(my $pid = fork()) or die "fork failed: $!";
+ if ($pid == 0) {
+ # child = server
+ my $cl = $srv->accept or die "accept $!";
+ if (!IO::Socket::SSL->start_SSL($cl,
+ SSL_server => 1,
+ Timeout => 10,
+ %$sslargs
+ )) {
+ diag("start_SSL failed: $SSL_ERROR");
+ }
+ exit(0);
+ } else {
+ # parent = client
+ my $cl = IO::Socket::INET->new($saddr) or die "connect: $!";
+ if (!IO::Socket::SSL->start_SSL($cl,
+ SSL_verify_mode => 0
+ )) {
+ fail("[$name] ssl connect failed: $SSL_ERROR");
+ } else {
+ pass("[$name] ssl connect success");
+ }
+ wait;
+ }
+}
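Review bot: `plan tests => @tests/2;` reads as an array divided by two and only works because `@tests` is in scalar context there; `plan tests => scalar(@tests)/2;` states the intent and survives a later edit that wraps the expression. On the server side only `diag("start_SSL failed: $SSL_ERROR")` reports a load failure, and it does not say which format was being tested, so when two formats fail the diag lines cannot be matched to the parent's `fail` output; `diag("[$name] start_SSL failed: $SSL_ERROR")` ties them together. The private key is copied into a `tempfile()` for the `PEM_one_file` case; a one-line comment that File::Temp creates it unreadable to other users would explain why no explicit mode is set.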
diff --git a/cpan/IO-Socket-SSL/t/cert_no_file.t b/cpan/IO-Socket-SSL/t/cert_no_file.t
new file mode 100644
index 000000000000..8d531bf838c0
--- /dev/null
+++ b/cpan/IO-Socket-SSL/t/cert_no_file.t
@@ -0,0 +1,107 @@
+#!perl
+# Before `make install' is performed this script should be runnable with
+# `make test'. After `make install' it should work as `perl t/nonblock.t'
+
+# Tests the use if SSL_cert instead of SSL_cert_file
+# because Net::SSLeay does not implement the necessary functions
+# to create an X509 from file/string (PEM_read_bio_X509) I just
+# create a server with SSL_cert_file and get the X509 from it using
+# Net::SSLeay::get_certificate.
+# Test should also test if SSL_cert is an array of X509*
+# and if SSL_key is an EVP_PKEY* but with the current function in
+# Net::SSLeay I don't see a way to test it
+
+use strict;
+use warnings;
+use Net::SSLeay;
+use Socket;
+use IO::Socket::SSL;
+
+do './testlib.pl' || do './t/testlib.pl' || die "no testlib";
+
+use Test::More tests => 9;
+Test::More->builder->use_numbers(0);
+Test::More->builder->no_ending(1);
+
+my $ID = 'server';
+my %server_args = (
+ LocalAddr => '127.0.0.1',
+ LocalPort => 0,
+ Listen => 2,
+ SSL_server => 1,
+ SSL_verify_mode => 0x00,
+ SSL_ca_file => "t/certs/test-ca.pem",
+ SSL_key_file => "t/certs/client-key.pem",
+);
+
+my ($x509,@server);
+foreach my $test ( 1,2,3 ) {
+ my %args = %server_args;
+ my $spec;
+ if ( $test == 1 ) {
+ # 1st test: create server with SSL_cert_file
+ $args{SSL_cert_file} = "t/certs/client-cert.pem";
+ $spec = 'Using SSL_cert_file';
+ } elsif ( $test == 2 ) {
+ # 2nd test: use x509 from previous server
+ # with SSL_cert instead of SSL_cert_file
+ $args{SSL_cert} = $x509;
+ $spec = 'Using SSL_cert';
+ } elsif ( $test == 3 ) {
+ # 3rd test: empty SSL_cert, so that default
+ # SSL_cert_file gets not used
+ # server creation should fail
+ $spec = 'Empty SSL_cert';
+ $args{SSL_cert} = undef;
+ }
+
+ # create server
+ my $server = IO::Socket::SSL->new( %args ) || do {
+ fail( "$spec: $!"
);
+ next;
+ };
+
+ my $saddr = $server->sockhost.':'.$server->sockport;
+ pass("Server Initialization $spec");
+ push @server,$server;
+
+ # then connect to it from a child
+ defined( my $pid = fork() ) || die $!;
+ if ( $pid == 0 ) {
+ close($server);
+ $ID = 'client';
+
+ my $to_server = IO::Socket::SSL->new(
+ PeerAddr => $saddr,
+ Domain => AF_INET,
+ SSL_verify_mode => 0x00,
+ );
+ if ( $test == 3 ) {
+ ok( !$to_server, "$spec: connect succeeded" );
+ exit;
+ } elsif ( ! $to_server ) {
+ fail("connect failed: $!");
+ exit;
+ }
+ pass( "client connected $spec" );
+ <$to_server>; # wait for close from parent
+ exit;
+ }
+
+ my $to_client = $server->accept;
+ if ( $test == 3 ) {
+ ok( !$to_client, "$spec: accept succeeded" );
+ } elsif ( ! $to_client ) {
+ kill(9,$pid);
+ fail("$spec: accept failed: $!");
+ exit;
+ } else {
+ pass( "Server accepted $spec" );
+ # save the X509 certificate from the server
+ $x509 ||= Net::SSLeay::get_certificate($to_client->_get_ssl_object);
+ }
+
+ close($to_client) if $to_client;
+ wait;
+}
+
diff --git a/cpan/IO-Socket-SSL/t/certs/client-cert.pem b/cpan/IO-Socket-SSL/t/certs/client-cert.pem
new file mode 100644
index 000000000000..ab7194504ae8
--- /dev/null
+++ b/cpan/IO-Socket-SSL/t/certs/client-cert.pem
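Review bot: The two assertions for the third case, `ok( !$to_server, "$spec: connect succeeded" );` and `ok( !$to_client, "$spec: accept succeeded" );`, require the connection to be rejected but describe it as a success, so a regression prints `not ok - Empty SSL_cert: connect succeeded`, which reads as the opposite of what went wrong. Describing what is asserted, `"$spec: connect failed as expected"` and `"$spec: accept failed as expected"`, keeps the TAP output honest. The comment above that case, `# server creation should fail`, also contradicts the code: a creation failure is reported with `fail( "$spec: $!" )` and `next`, and `pass("Server Initialization $spec")` runs for all three cases, so what the test actually checks is that the listener comes up without a certificate and the handshake then fails on both ends; `# server is created, but without a certificate the handshake must fail on both sides` matches the assertions.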
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQjCCAiqgAwIBAgIFANIO7CcwDQYJKoZIhvcNAQELBQAwIjEgMB4GA1UEAwwX +SU86OlNvY2tldDo6U1NMIERlbW8gQ0EwHhcNMjIxMjExMTk1MzQxWhcNMzIxMjA4 +MTk1MzQxWjAXMRUwEwYDVQQDDAxjbGllbnQubG9jYWwwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQC0i9404R22VBv1ZHGNN5TNeCHxMmAxKHPzkoof/CMF +UzSrmwzvYP0k1EygbRKbrA40eOX775G4Jp/DU6fRs0aAamPO0eT+Y10fXrUkE+/x +AFwW36vPFkwuprkatzyqqAOr9GHnSrFlzgM4uV0WbJNC2H6SovSYAOk30C8TiMIy +pSdC5VkiZUWC/nekioEB90hmqU+An2b5y1oSHI9uwO0S+TLcilWkFCmUKXPxEUOj +l/Wg7fB2W2L6pHpcuztqpZluSd+cZ6m820PUxbQKB3YD5ZrZT+RNjb+cpVTlqByn +kWq83PxcPU8vTk8NESCNBuk7CiR/k3qrhCU/3NxiD/hBAgMBAAGjgYkwgYYwHQYD +VR0OBBYEFNcCOPQC8C+uv+36vcovBvILRyELMB8GA1UdIwQYMBaAFEnT2LwqEtZv +wVkEbtlv/7SmEt9cMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgWgMBEGCWCG +SAGG+EIBAQQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQsF +AAOCAQEAM7Qb36dynl4/suJACh6dpBlZ89NQOah7RrJZahL1cA/81MBlkN/MRIYW +jlZwmgggoyCzpMCmHdFb+/DHA8qFJs7Q7arHJeFgYOCe5TIFMDZSCoShXqe97Ncc +ISfdpBpITvh0l63nABibKvrUAacTsEdmKxPml81gkaxHiNR86z1uIZIZ4h6yX7Pa +VNX7mLXK2hxifvoXGTCsFjaSrn8Vr3rEdUHGrhO6jMtn84g6l8p+4uTVk+PYeveQ +VLZVyWXshojs6oSBMl7IxxmaddIwNZodEvsRToC9ZVKbCBGmU0DPLBjyCqUJcGt4 +pmdA4se0gfWovTvy5YzfsOOCqUkp7w== +-----END CERTIFICATE----- diff --git a/cpan/IO-Socket-SSL/t/certs/client-key.enc b/cpan/IO-Socket-SSL/t/certs/client-key.enc new file mode 100644 index 000000000000..5b87740c4700 --- /dev/null +++ b/cpan/IO-Socket-SSL/t/certs/client-key.enc 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAtIveNOEdtlQb9WRxjTeUzXgh8TJgMShz85KKH/wjBVM0q5sM +72D9JNRMoG0Sm6wONHjl+++RuCafw1On0bNGgGpjztHk/mNdH161JBPv8QBcFt+r +zxZMLqa5Grc8qqgDq/Rh50qxZc4DOLldFmyTQth+kqL0mADpN9AvE4jCMqUnQuVZ +ImVFgv53pIqBAfdIZqlPgJ9m+ctaEhyPbsDtEvky3IpVpBQplClz8RFDo5f1oO3w +dlti+qR6XLs7aqWZbknfnGepvNtD1MW0Cgd2A+Wa2U/kTY2/nKVU5agcp5FqvNz8 +XD1PL05PDREgjQbpOwokf5N6q4QlP9zcYg/4QQIDAQABAoIBABXes/jalI1toJHf +/AfHxe8COHVVvXRy8qG8fF4NviXC25hWcLGOAXgMvef4cma4R6O4Sd6T2WZRymxA +Fc3nbhi32nV29CrS+TinsaBISHo8aYtNRovwJuQHRtibPd5ruf8iPBpG8Fh1RSth +u8qPtiJkpGdplSCVCqsbvRocCK8W4WSya/NCq/sq7j4Th0OTPJV/2oUDnn7SYTJV +f8fg7X+NIcymeNDkiOz2jwyEtH26sKQpECdLDR6Huk9crVes/2bhbuTocIarCb8r +BGImlZ7l0brfpwor7gXrY5DPPVMSYW+UEz3c63qSp97bVnja5CLiZStCol1Q9/6M +nhY5zJkCgYEA5r+n17K4+zHNP5uuywbqrxa2jxhpOeFYrYqFtr2F+phhUM/G5taV +whcgwrvqc08mmcL8FnG6uDbx3wWkFjHTwFQLbLgn1lytRINMPSMfXmXJ84MB2mtM +5nu40+BMd3TYapJexnd2QVb6ToldA6/QN28/1/0lYYdCAy4fIbyopJkCgYEAyE3P +8cGPtAiIncNIp+GU8Z07LLK2+uJZUZ8SNY6BU7rKJThbb6EfQ6AWXmbhibr2qmwk +H45guzlflT0PIiWmVvvx3ETlZu6qsVVX/XDWfAdNDGwm9zK1IEFOnf8zc+G/Miip +oR9OLxBqAz89WeHPLTbOZYdJHlbOtrJtImlEEekCgYEAnGtLUfK7Zrypz/avFL4J +lMsm0fXQTwYtYObIIcpz6h4lyewvfwfz2PBoqtlL4wLCvfTpgiVyV7IXYAGo68q3 +KmdOn1Ju3udQJWOD6OXIO+twbPxf4zpdlNhFwIsKCuhQVF4IlS0iIsTdRSPkw70I +vqtRcg8OqgBQhWtcezgycfECgYEAxPzheFxnuyJ5WM3o8lHDbSq4O2k20t0wAjly +awFO5s1YZ+pY4huO567U0NpVDGK2mzvm+rHHJ9lwyxBVhbuJLxpv7bRD90rYy7Wm +5zTFewyjFYh3ebyArMwNSQzlyR1GL0oWKMLk3RxDZhYXfAG7AjhYGzlFC3VLrhkj +gygLLaECgYEAvMxiWTZ+1knOAt2ajtlEEKuEh5Ez0NVcclhkcZGbE/SFo6Zw0U+B +WV8rZ74SyFcRNznk/zd/Kcvbe7sH7w823Te/UI5QiU3IUmlYFUEGHxChaIxGm/1n +mQlvAjaIK3TPGVpY/BGptJEWTrFlH9HH11tHAiEkFFZhzkYQLjg9cZM= +-----END RSA PRIVATE KEY----- diff --git a/cpan/IO-Socket-SSL/t/certs/client-key.pem b/cpan/IO-Socket-SSL/t/certs/client-key.pem new file mode 100644 index 000000000000..d1aca16d4e9a --- /dev/null +++ b/cpan/IO-Socket-SSL/t/certs/client-key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC0i9404R22VBv1 +ZHGNN5TNeCHxMmAxKHPzkoof/CMFUzSrmwzvYP0k1EygbRKbrA40eOX775G4Jp/D +U6fRs0aAamPO0eT+Y10fXrUkE+/xAFwW36vPFkwuprkatzyqqAOr9GHnSrFlzgM4 +uV0WbJNC2H6SovSYAOk30C8TiMIypSdC5VkiZUWC/nekioEB90hmqU+An2b5y1oS +HI9uwO0S+TLcilWkFCmUKXPxEUOjl/Wg7fB2W2L6pHpcuztqpZluSd+cZ6m820PU +xbQKB3YD5ZrZT+RNjb+cpVTlqBynkWq83PxcPU8vTk8NESCNBuk7CiR/k3qrhCU/ +3NxiD/hBAgMBAAECggEAFd6z+NqUjW2gkd/8B8fF7wI4dVW9dHLyobx8Xg2+JcLb +mFZwsY4BeAy95/hyZrhHo7hJ3pPZZlHKbEAVzeduGLfadXb0KtL5OKexoEhIejxp +i01Gi/Am5AdG2Js93mu5/yI8GkbwWHVFK2G7yo+2ImSkZ2mVIJUKqxu9GhwIrxbh +ZLJr80Kr+yruPhOHQ5M8lX/ahQOeftJhMlV/x+Dtf40hzKZ40OSI7PaPDIS0fbqw +pCkQJ0sNHoe6T1ytV6z/ZuFu5OhwhqsJvysEYiaVnuXRut+nCivuBetjkM89UxJh +b5QTPdzrepKn3ttWeNrkIuJlK0KiXVD3/oyeFjnMmQKBgQDmv6fXsrj7Mc0/m67L +BuqvFraPGGk54VitioW2vYX6mGFQz8bm1pXCFyDCu+pzTyaZwvwWcbq4NvHfBaQW +MdPAVAtsuCfWXK1Eg0w9Ix9eZcnzgwHaa0zme7jT4Ex3dNhqkl7Gd3ZBVvpOiV0D +r9A3bz/X/SVhh0IDLh8hvKikmQKBgQDITc/xwY+0CIidw0in4ZTxnTsssrb64llR +nxI1joFTusolOFtvoR9DoBZeZuGJuvaqbCQfjmC7OV+VPQ8iJaZW+/HcROVm7qqx +VVf9cNZ8B00MbCb3MrUgQU6d/zNz4b8yKKmhH04vEGoDPz1Z4c8tNs5lh0keVs62 +sm0iaUQR6QKBgQCca0tR8rtmvKnP9q8UvgmUyybR9dBPBi1g5sghynPqHiXJ7C9/ +B/PY8Giq2UvjAsK99OmCJXJXshdgAajryrcqZ06fUm7e51AlY4Po5cg763Bs/F/j +Ol2U2EXAiwoK6FBUXgiVLSIixN1FI+TDvQi+q1FyDw6qAFCFa1x7ODJx8QKBgQDE +/OF4XGe7InlYzejyUcNtKrg7aTbS3TACOXJrAU7mzVhn6ljiG47nrtTQ2lUMYrab +O+b6sccn2XDLEFWFu4kvGm/ttEP3StjLtabnNMV7DKMViHd5vICszA1JDOXJHUYv +ShYowuTdHENmFhd8AbsCOFgbOUULdUuuGSODKAstoQKBgQC8zGJZNn7WSc4C3ZqO +2UQQq4SHkTPQ1VxyWGRxkZsT9IWjpnDRT4FZXytnvhLIVxE3OeT/N38py9t7uwfv +DzbdN79QjlCJTchSaVgVQQYfEKFojEab/WeZCW8CNogrdM8ZWlj8Eam0kRZOsWUf +0cfXW0cCISQUVmHORhAuOD1xkw== +-----END PRIVATE KEY----- diff --git a/cpan/IO-Socket-SSL/t/certs/create-certs.pl b/cpan/IO-Socket-SSL/t/certs/create-certs.pl new file mode 100644 index 000000000000..f0282274551a --- /dev/null +++ b/cpan/IO-Socket-SSL/t/certs/create-certs.pl 
@@ -0,0 +1,133 @@ +use strict; +use warnings; +use IO::Socket::SSL::Utils; +use Net::SSLeay; + +my $dir = "./"; +my $now = time(); +my $later = $now + 10*365*86400; + +Net::SSLeay::SSLeay_add_ssl_algorithms(); +my $sha256 = Net::SSLeay::EVP_get_digestbyname('sha256') or die; +my $printfp = sub { + my ($w,$cert) = @_; + print $w.' sha256$'.unpack('H*',Net::SSLeay::X509_digest($cert, $sha256))."\n" +}; + +my %time_valid = (not_before => $now, not_after => $later); + +my @ca = CERT_create( + CA => 1, + subject => { CN => 'IO::Socket::SSL Demo CA' }, + %time_valid, +); +save('test-ca.pem',PEM_cert2string($ca[0])); + +my @server = CERT_create( + CA => 0, + subject => { CN => 'server.local' }, + subjectAltNames => [ [ DNS => 'server.local' ], [ IP => '127.0.0.1' ] ], + purpose => 'server', + issuer => \@ca, + %time_valid, +); +save('server-cert.pem',PEM_cert2string($server[0])); +save('server-key.pem',PEM_key2string($server[1])); +$printfp->(server => $server[0]); + +@server = CERT_create( + CA => 0, + subject => { CN => 'server2.local' }, + subjectAltNames => [ [ DNS => 'server2.local' ], [ IP => '127.0.0.1' ] ], + purpose => 'server', + issuer => \@ca, + %time_valid, +); +save('server2-cert.pem',PEM_cert2string($server[0])); +save('server2-key.pem',PEM_key2string($server[1])); +$printfp->(server2 => $server[0]); + +@server = CERT_create( + CA => 0, + subject => { CN => 'server-ecc.local' }, + subjectAltNames => [ [ DNS => 'server-ecc.local' ], [ IP => '127.0.0.1' ] ], + purpose => 'server', + issuer => \@ca, + key => KEY_create_ec(), + %time_valid, +); +save('server-ecc-cert.pem',PEM_cert2string($server[0])); +save('server-ecc-key.pem',PEM_key2string($server[1])); +$printfp->('server-ecc' => $server[0]); + + +my @client = CERT_create( + CA => 0, + subject => { CN => 'client.local' }, + purpose => 'client', + issuer => \@ca, + %time_valid, +); +save('client-cert.pem',PEM_cert2string($client[0])); +save('client-key.pem',PEM_key2string($client[1])); +$printfp->(client => 
$client[0]); + +my @swc = CERT_create( + CA => 0, + subject => { CN => 'server.local' }, + purpose => 'server', + issuer => \@ca, + subjectAltNames => [ + [ DNS => '*.server.local' ], + [ IP => '127.0.0.1' ], + [ DNS => 'www*.other.local' ], + [ DNS => 'smtp.mydomain.local' ], + [ DNS => 'xn--lwe-sna.idntest.local' ] + ], + %time_valid, +); +save('server-wildcard.pem',PEM_cert2string($swc[0]),PEM_key2string($swc[1])); + + +my @subca = CERT_create( + CA => 1, + issuer => \@ca, + subject => { CN => 'IO::Socket::SSL Demo Sub CA' }, + %time_valid, +); +save('test-subca.pem',PEM_cert2string($subca[0])); +@server = CERT_create( + CA => 0, + subject => { CN => 'server.local' }, + subjectAltNames => [ [ DNS => 'server.local' ], [ IP => '127.0.0.1' ] ], + purpose => 'server', + issuer => \@subca, + %time_valid, +); +save('sub-server.pem',PEM_cert2string($server[0]).PEM_key2string($server[1])); + + + +my @cap = CERT_create( + CA => 1, + subject => { CN => 'IO::Socket::SSL::Intercept' }, + %time_valid, +); +save('proxyca.pem',PEM_cert2string($cap[0]).PEM_key2string($cap[1])); + +sub save { + my $file = shift; + open(my $fd,'>',$dir.$file) or die $!; + print $fd @_; +} + +system(< 9; +Test::More->builder->use_numbers(0); +Test::More->builder->no_ending(1); + +$SIG{'CHLD'} = "IGNORE"; + +IO::Socket::SSL::context_init(SSL_verify_mode => 0x01); + +my $server = IO::Socket::INET->new( + LocalAddr => '127.0.0.1', + LocalPort => 0, + Listen => 1, +) or do { + plan skip_all => "Bail out!". + "Setup of test IO::Socket::INET client and server failed. All the rest of". + "the tests in this suite will fail also unless you change the values in". 
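Review bot: `save()` in create-certs.pl opens each PEM output for writing but never closes the handle or checks the result, so a buffered write failure (disk full, unwritable directory) would leave a truncated certificate or key file while the script still exits successfully; add `close($fd) or die "close $file: $!";` after the `print $fd @_;` line. The `open(... ) or die $!` message would also be more useful as `die "open $dir$file: $!"` so a failure names the file. The hunk's final `system(…)` call is garbled in this rendering, so its tail could not be reviewed.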
+ "ssl_settings.req in the t/ directory."; +}; +pass("server create"); + +{ + package MyClass; + use IO::Socket::SSL; + our @ISA = "IO::Socket::SSL"; +} + +my $saddr = $server->sockhost.':'.$server->sockport; +unless (fork) { + close $server; + my $client = IO::Socket::INET->new($saddr); + ok( MyClass->start_SSL($client, SSL_verify_mode => 0), "ssl upgrade"); + is( ref( $client ), "MyClass", "class MyClass"); + ok( $client->issuer_name, "issuer_name"); + ok( $client->subject_name, "subject_name"); + ok( $client->opened, "opened"); + print $client "Ok to close\n"; + close $client; + exit(0); +} + +my $contact = $server->accept; +my $socket_to_ssl = IO::Socket::SSL::socketToSSL($contact, { + SSL_server => 1, + SSL_verify_mode => 0, + SSL_cert_file => 't/certs/server-cert.pem', + SSL_key_file => 't/certs/server-key.pem', +}); +ok( $socket_to_ssl, "socketToSSL"); +<$contact>; +close $contact; +close $server; + +bless $contact, "MyClass"; +ok( !IO::Socket::SSL::socket_to_SSL($contact, SSL_server => 1), "socket_to_SSL"); +is( ref($contact), "MyClass", "upgrade is MyClass"); diff --git a/cpan/IO-Socket-SSL/t/connectSSL-timeout.t b/cpan/IO-Socket-SSL/t/connectSSL-timeout.t new file mode 100644 index 000000000000..ec8c96867917 --- /dev/null +++ b/cpan/IO-Socket-SSL/t/connectSSL-timeout.t 
@@ -0,0 +1,72 @@ +use strict; +use warnings; +use IO::Socket::SSL; +do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; + +$|=1; +print "1..16\n"; + + +{ + # first use SSL client + my ($server,$saddr) = create_listen_socket(); + ok( 1, "listening \@$saddr" ); + my $srv = fork_sub( 'server','ssl',$server ); + close($server); + fd_grep_ok( 'Waiting', $srv ); + my $cl = fork_sub( 'client',$saddr ); + fd_grep_ok( 'Connect from',$srv ); + fd_grep_ok( 'Connected', $cl ); + fd_grep_ok( 'Server SSL Handshake OK', $srv ); + fd_grep_ok( 'Client SSL Handshake OK', $cl ); + fd_grep_ok( 'Hi!', $cl ); +} + +{ + # then try bad non-SSL client + my ($server,$saddr) = create_listen_socket(); + ok( 1, "listening \@$saddr" ); + my $srv = fork_sub( 'server','nossl',$server ); + close($server); + fd_grep_ok( 'Waiting', $srv ); + my $cl = fork_sub( 'client',$saddr ); + fd_grep_ok( 'Connect from',$srv ); + fd_grep_ok( 'Connected', $cl ); + fd_grep_ok( 'Client SSL Handshake FAILED', $cl ); +} + + +sub server { + my ($behavior,$server) = @_; + print "Waiting\n"; + my $client = $server->accept || die "accept failed: $!"; + print "Connect from ".$client->peerhost.':'.$client->peerport."\n"; + if ( $behavior eq 'ssl' ) { + if ( IO::Socket::SSL->start_SSL( $client, + SSL_server => 1, + Timeout => 30, + SSL_cert_file => 't/certs/server-cert.pem', + SSL_key_file => 't/certs/server-key.pem', + )) { + print "Server SSL Handshake OK\n"; + print $client "Hi!\n"; + } + } else { + while ( sysread( $client, my $buf,8000 )) {} + } +} + +sub client { + my $saddr = shift; + my $c = IO::Socket::INET->new( $saddr ) || die "connect failed: $!"; + print "Connected\n"; + if ( IO::Socket::SSL->start_SSL( $c, + Timeout => 5, + SSL_ca_file => 't/certs/test-ca.pem', + )) { + print "Client SSL Handshake OK\n"; + print <$c> + } else { + print "Client SSL Handshake FAILED - $SSL_ERROR\n"; + } +} 
diff --git a/cpan/IO-Socket-SSL/t/core.t b/cpan/IO-Socket-SSL/t/core.t
new file mode 100644
index 000000000000..e194811d8b71
--- /dev/null
+++ b/cpan/IO-Socket-SSL/t/core.t
@@ -0,0 +1,325 @@ +#!perl +# Before `make install' is performed this script should be runnable with +# `make test'. After `make install' it should work as `perl t/core.t' + +use strict; +use warnings; +use Net::SSLeay; +use Socket; +use IO::Socket::SSL; +use Errno qw( EWOULDBLOCK EAGAIN ); + +do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; + +use Test::More; +Test::More->builder->use_numbers(0); +Test::More->builder->no_ending(1); + +my $CAN_NONBLOCK = eval "use 5.006; use IO::Select; 1"; +my $CAN_PEEK = &Net::SSLeay::OPENSSL_VERSION_NUMBER >= 0x0090601f; + +my $numtests = 40; +$numtests+=5 if $CAN_NONBLOCK; +$numtests+=3 if $CAN_PEEK; + +plan tests => $numtests; + +# We need to detect the best TLS version supported by the server since we can +# not offer SSLv23 for for a reliable SSL_error_trap because of how the old +# SSLv2 compatible works. On the other side we can no longer rely on all systems +# supporting TLS 1.0 either. +my $tls_version; +for(qw(TLSv1_2 TLSv1_1 TLSv1)) { + my $method = sprintf("Net::SSLeay::CTX_%s_new",lc($_)); + next if ! defined &$method; + $tls_version = $_; + last; +} +die "no TLS support" if ! 
$tls_version; + +my $error_trapped = 0; +my $localip = '127.0.0.1'; +my $server = IO::Socket::SSL->new( + LocalAddr => $localip, + LocalPort => 0, + Listen => 2, + Timeout => 30, + ReuseAddr => 1, + SSL_verify_mode => 0x00, + SSL_ca_file => "t/certs/test-ca.pem", + SSL_version => $tls_version, + SSL_error_trap => sub { + my $self = shift; + print $self "This server is SSL only"; + $error_trapped = 1; + $self->close; + }, + SSL_cert_file => "t/certs/server-cert.pem", + SSL_key_file => "t/certs/server-key.enc", + SSL_passwd_cb => sub { return "bluebell" }, +); + +ok( $server, "Server Initialization"); +$server or exit; + +ok( fileno( $server), "Server Fileno Check"); + +my $saddr = $localip.':'.$server->sockport; + + +unless (fork) { + close $server; + my $client = IO::Socket::INET->new( + PeerAddr => $saddr, + LocalAddr => $localip, + ); + print $client "Test\n"; + is( <$client>, "This server is SSL only", "Client non-SSL connection"); + close $client; + + $client = IO::Socket::SSL->new( + PeerAddr => $saddr, + LocalAddr => $localip, + Domain => AF_INET, + SSL_verify_mode => 0x01, + SSL_ca_file => "t/certs/test-ca.pem", + SSL_use_cert => 1, + SSL_cert_file => "t/certs/client-cert.pem", + SSL_key_file => "t/certs/client-key.enc", + SSL_passwd_cb => sub { return "opossum" }, + SSL_verify_callback => \&verify_sub, + ); + + + sub verify_sub { + my ($ok, $ctx_store, $cert, $error) = @_; + $ok && $ctx_store && $cert && !$error or do { + fail("client failure in verify_sub"); + exit; + }; + like( $cert, qr/IO::Socket::SSL Demo CA/, "Client Verify-sub Check"); + return 1; + } + + + $client || (print("not ok #client failure\n") && exit); + ok( $client, "Client Initialization"); + + $client->fileno() || print "not "; + ok( $client->fileno(), "Client Fileno Check"); + +# $client->untaint() if ($HAVE_SCALAR_UTIL); # In the future... 
+ + ok( $client->dump_peer_certificate(), "Client Peer Certificate Check"); + + ok( $client->peer_certificate("issuer"), "Client Peer Certificate Issuer Check"); + + ok( $client->get_cipher(), "Client Cipher Check"); + + $client->syswrite('00waaaanf00', 7, 2); + + if ($CAN_PEEK) { + my $buffer; + $client->read($buffer,2); + is( $buffer, "ok", "Client Peek Check"); + } + + $client->print("Test\n"); + $client->printf("\$%.2f\n%d\n%c\n%s", + 1.0444442342, + 4.0, + ord("y"), + "Test\nBeaver\nBeaver\n"); + + my $buffer="\0\0aaaaaaaaaaaaaaaaaaaa"; + $client->sysread($buffer, 7, 2); + is( $buffer, "\0\0waaaanf", "Client Sysread Check"); + + +## The future... +# if ($HAVE_SCALAR_UTIL) { +# print "not " if (is_tainted($buffer)); +# &ok("client"); +# } + + my @array = $client->getline(); + is( $array[0], "Test\n", "Client Getline Check"); + + is( $client->getc, "\$", "Client Getc Check"); + + @array = $client->getlines; + is( scalar @array, 6, "Client Getlines Check 1"); + + is( $array[0], "1.04\n", "Client Getlines Check 2"); + + is( $array[1], "4\n", "Client Getlines Check 3"); + + is( $array[2], "y\n", "Client Getlines Check 4"); + + is( join("", @array[3..5]), + "Test\nBeaver\nBeaver\n", + "Client Getlines Check 5"); + + ok( !<$client>, "Client Finished Reading Check"); + + $client->close(SSL_no_shutdown => 1); + + my $client_2 = IO::Socket::INET->new( + PeerAddr => $saddr, + LocalAddr => $localip + ); + ok( $client_2, "Second Client Initialization"); + + $client_2 = IO::Socket::SSL->new_from_fd($client_2->fileno, '+<>', + SSL_reuse_ctx => $client); + ok( $client_2, "Client Init from Fileno Check"); + $buffer = <$client_2>; + + is( $buffer, "Boojums\n", "Client (fileno) Readline Check"); + $client_2->close(SSL_ctx_free => 1); + + if ($CAN_NONBLOCK) { + my $client_3 = IO::Socket::SSL->new( + PeerAddr => $saddr, + LocalAddr => $localip, + Domain => AF_INET, + SSL_verify_mode => 0x01, + SSL_ca_file => "t/certs/test-ca.pem", + SSL_use_cert => 1, + SSL_cert_file => 
"t/certs/client-cert.pem", + SSL_key_file => "t/certs/client-key.enc", + SSL_passwd_cb => sub { return "opossum" }, + Blocking => 0, + ); + + ok( $client_3, "Client Nonblocking Check 1"); + close $client_3; + + my $client_4 = IO::Socket::SSL->new( + PeerAddr => $saddr, + LocalAddr => $localip, + Domain => AF_INET, + SSL_reuse_ctx => $client_3, + Blocking => 0 + ); + ok( $client_4, "Client Nonblocking Check 2"); + $client_3->close(SSL_ctx_free => 1); + } + + exit(0); +} + +my $client = $server->accept; + +ok( $error_trapped, "Server non-SSL Client Check"); + +if ($client && $client->opened) { + fail("client stayed alive"); + exit; +} +ok( !$client, "Server Kill-client Check"); + +($client, my $peer) = $server->accept; +ok( $client, "Server Client Accept Check"); +$client or exit; + +ok( $peer, "Accept returning peer address check."); + +ok( fileno($client), "Server Client Fileno Check"); + +my $buffer; + +if ($CAN_PEEK) { + $client->peek($buffer, 7, 2); + is( $buffer, "\0\0waaaanf","Server Peek Check"); + + is( $client->pending(), 7, "Server Pending Check"); + + print $client "ok"; +} + +sysread($client, $buffer, 7, 2); +is( $buffer, "\0\0waaaanf", "Server Sysread Check"); + +my @array = scalar <$client>; +is( $array[0], "Test\n", "Server Getline Check"); + +is( getc($client), "\$", "Server Getc Check"); + +@array = map { scalar <$client> } (0..5); +is( scalar @array, 6, "Server Getlines Check 1"); + +is( $array[0], "1.04\n", "Server Getlines Check 2"); + +is( $array[1], "4\n", "Server Getlines Check 3"); + +is( $array[2], "y\n", "Server Getlines Check 4"); + +is( join("", @array[3..5]), "Test\nBeaver\nBeaver\n", "Server Getlines Check 5"); + +syswrite($client, '00waaaanf00', 7, 2); +print($client "Test\n"); +printf $client "\$%.2f\n%d\n%c\n%s", (1.0444442342, 4.0, ord("y"), "Test\nBeaver\nBeaver\n"); + +close $client; + +($client, $peer) = $server->accept or do { + fail("client creation failed"); + exit; +}; +is( inet_ntoa((unpack_sockaddr_in($peer))[1]), $localip, 
"Peer address check"); + +if ($CAN_NONBLOCK) { + $client->blocking(0); + $client->read($buffer, 20, 0); + is( $SSL_ERROR, SSL_WANT_READ, "Server Nonblocking Check 1"); +} + +ok( $client->opened, "Server Client Opened Check 1"); + +print $client "Boojums\n"; + +close($client); + +${*$client}{'_SSL_opened'} = 1; +ok( !$client->opened, "Server Client Opened Check 2"); +${*$client}{'_SSL_opened'} = 0; + +if ($CAN_NONBLOCK) { + $client = $server->accept; + ok( $client->opened, "Server Nonblocking Check 2"); + close $client; + + $server->blocking(0); + IO::Select->new($server)->can_read(30); + $client = $server->accept; + while ( ! $client ) { + #DEBUG( "$!,$SSL_ERROR" ); + if ( $! == EWOULDBLOCK || $! == EAGAIN ) { + if ( $SSL_ERROR == SSL_WANT_WRITE ) { + IO::Select->new( $server->opening )->can_write(30); + } else { + IO::Select->new( $server->opening )->can_read(30); + } + } else { + last + } + $client = $server->accept; + } + + ok( $client->opened, "Server Nonblocking Check 3"); + close $client; +} + +$server->close(SSL_ctx_free => 1); +wait; + + +## The future.... +#sub is_tainted { +# my $arg = shift; +# my $nada = substr($arg, 0, 0); +# local $@; +# eval {eval "# $nada"}; +# return length($@); +#} diff --git a/cpan/IO-Socket-SSL/t/dhe.t b/cpan/IO-Socket-SSL/t/dhe.t new file mode 100644 index 000000000000..6cdba0f988d7 --- /dev/null +++ b/cpan/IO-Socket-SSL/t/dhe.t 
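Review bot: In the child's client section, `$client->fileno() || print "not ";` immediately before `ok( $client->fileno(), "Client Fileno Check")` would, on failure, emit `not ` directly ahead of Test::More's own `not ok` line and produce an unparsable TAP line; the preceding `$client || (print("not ok #client failure\n") && exit);` likewise prints a result line Test::More does not count against the plan. Both read as remnants of a hand-rolled TAP version of the test; drop the `|| print "not "` and replace the `$client || (...)` line with `ok( $client, "Client Initialization") or exit;`. The verify modes are given as `0x00` and `0x01` in the server and client constructors; the `SSL_VERIFY_NONE` and `SSL_VERIFY_PEER` constants exported by IO::Socket::SSL would make the intent readable. The string `eval "use 5.006; use IO::Select; 1"` for `$CAN_NONBLOCK` could be a block `eval { require IO::Select; 1 }`, which avoids compiling code from a string.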
@@ -0,0 +1,65 @@
+#!perl
+# Before `make install' is performed this script should be runnable with
+# `make test'. After `make install' it should work as `perl t/dhe.t'
+
+# This tests the use of Diffie Hellman Key Exchange (DHE)
+
+use strict;
+use warnings;
+use Net::SSLeay;
+use Socket;
+use IO::Socket::SSL;
+do './testlib.pl' || do './t/testlib.pl' || die "no testlib";
+
+$|=1;
+print "1..3\n";
+
+# first create simple ssl-server
+my $ID = 'server';
+my $addr = '127.0.0.1';
+my $server = IO::Socket::SSL->new(
+ LocalAddr => $addr,
+ Listen => 2,
+ ReuseAddr => 1,
+ SSL_cert_file => "t/certs/server-cert.pem",
+ SSL_key_file => "t/certs/server-key.pem",
+ SSL_cipher_list => 'DH:!aNULL', # allow only DH ciphers
+) || do {
+ notok($!);
+ exit
+};
+ok("Server Initialization");
+
+# add server port to addr
+$addr.= ':'.(sockaddr_in( getsockname( $server )))[0];
+
+my $pid = fork();
+if ( !defined $pid ) {
+ die $!; # fork failed
+
+} elsif ( !$pid ) { ###### Client
+
+ $ID = 'client';
+ close($server);
+ my $to_server = IO::Socket::SSL->new(
+ PeerAddr => $addr,
+ Domain => AF_INET,
+ SSL_verify_mode => 0 ) || do {
+ notok( "connect failed: $SSL_ERROR" );
+ exit
+ };
+ ok( "client connected" );
+
+} else { ###### Server
+
+ my $to_client = $server->accept || do {
+ notok( "accept failed: $SSL_ERROR" );
+ kill(9,$pid);
+ exit;
+ };
+ ok( "Server accepted" );
+ wait;
+}
+
+sub ok { print "ok # [$ID] @_\n"; }
+sub notok { print "not ok # [$ID] @_\n"; }
diff --git a/cpan/IO-Socket-SSL/t/ecdhe.t b/cpan/IO-Socket-SSL/t/ecdhe.t
new file mode 100644
index 000000000000..ae42dfefe7b5
--- /dev/null
+++ b/cpan/IO-Socket-SSL/t/ecdhe.t
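Review bot: dhe.t asserts only that the handshake succeeded, not that a DHE cipher was negotiated, so the server's `SSL_cipher_list => 'DH:!aNULL'` being ignored or overridden would still pass; the sibling ecdhe.t in this commit checks `get_cipher()` against `/^ECDHE-/`, and the equivalent check against a `DHE-`/`EDH-` prefix belongs in the client branch here, with the plan raised to `1..4`. If the negotiated protocol is TLS 1.3 the key exchange is not part of the cipher name (as ecdhe.t already notes), so that case should be reported as a skip rather than a failure. The server branch and the `ok`/`notok` helpers are unchanged.
```perl
    ok( "client connected" );

    my $protocol = $to_server->get_sslversion;
    if ($protocol eq 'TLSv1_3') {
        ok("# SKIP TLSv1.3 doesn't advertise key exchange in a cipher name");
    } else {
        my $cipher = $to_server->get_cipher();
        if ( $cipher !~m/^(?:DHE|EDH)-/ ) {
            notok("bad key exchange: $cipher");
            exit;
        }
        ok("dhe key exchange: $cipher");
    }
    # … unchanged: server branch, ok/notok helpers …
```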
@@ -0,0 +1,85 @@ +#!perl +# Before `make install' is performed this script should be runnable with +# `make test'. After `make install' it should work as `perl t/ecdhe.t' + +use strict; +use warnings; +use Net::SSLeay; +use Socket; +use IO::Socket::SSL; +do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; + +my $can_ecdh = IO::Socket::SSL->can_ecdh; +if (! $can_ecdh) { + print "1..0 # Skipped: no support for ecdh with this openssl/Net::SSLeay\n"; + exit +} + +$|=1; +print "1..4\n"; + +# first create simple ssl-server +my $ID = 'server'; +my $addr = '127.0.0.1'; +my $server = IO::Socket::SSL->new( + LocalAddr => $addr, + Listen => 2, + ReuseAddr => 1, + SSL_cert_file => "t/certs/server-cert.pem", + SSL_key_file => "t/certs/server-key.pem", + (defined &Net::SSLeay::CTX_set1_groups_list || defined &Net::SSLeay::CTX_set1_curves_list) + ? (SSL_ecdh_curve => 'prime256v1' ) : (), +) || do { + notok($!); + exit +}; +ok("Server Initialization"); + +# add server port to addr +$addr.= ':'.(sockaddr_in( getsockname( $server )))[0]; + +my $pid = fork(); +if ( !defined $pid ) { + die $!; # fork failed + +} elsif ( !$pid ) { ###### Client + + $ID = 'client'; + close($server); + my $to_server = IO::Socket::SSL->new( + PeerAddr => $addr, + Domain => AF_INET, + (defined &Net::SSLeay::CTX_set1_groups_list || defined &Net::SSLeay::CTX_set1_curves_list) + ? 
(SSL_ecdh_curve => 'prime256v1' ) : (), + SSL_verify_mode => 0 ) || do { + notok( "connect failed: $SSL_ERROR" ); + exit + }; + ok( "client connected" ); + + my $protocol = $to_server->get_sslversion; + if ($protocol eq 'TLSv1_3') { + # + ok("# SKIP TLSv1.3 doesn't advertize key exchange in a chipher name"); + } else { + my $cipher = $to_server->get_cipher(); + if ( $cipher !~m/^ECDHE-/ ) { + notok("bad key exchange: $cipher"); + exit; + } + ok("ecdh key exchange: $cipher"); + } + +} else { ###### Server + + my $to_client = $server->accept || do { + notok( "accept failed: $SSL_ERROR" ); + kill(9,$pid); + exit; + }; + ok( "Server accepted" ); + wait; +} + +sub ok { print "ok # [$ID] @_\n"; } +sub notok { print "not ok # [$ID] @_\n"; } diff --git a/cpan/IO-Socket-SSL/t/external/fingerprint.pl b/cpan/IO-Socket-SSL/t/external/fingerprint.pl new file mode 100644 index 000000000000..39cb0eea1c0a --- /dev/null +++ b/cpan/IO-Socket-SSL/t/external/fingerprint.pl 
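Review bot: The capability test `(defined &Net::SSLeay::CTX_set1_groups_list || defined &Net::SSLeay::CTX_set1_curves_list) ? (SSL_ecdh_curve => 'prime256v1' ) : ()` is written out twice, once in the server constructor and once in the client's; computing it once near the top, `my @ecdh_curve = (defined &Net::SSLeay::CTX_set1_groups_list || defined &Net::SSLeay::CTX_set1_curves_list) ? (SSL_ecdh_curve => 'prime256v1') : ();`, and splicing `@ecdh_curve` into both calls keeps the two sides from drifting. The TLS 1.3 skip message misspells "advertise" and "cipher" (`advertize`, `chipher`); since the file is vendored from CPAN, both are best fixed upstream. The empty `#` comment line above that `ok("# SKIP …")` should either explain the skip or be removed.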
@@ -0,0 +1,135 @@ +# to update fingerprints in this file: +# perl -e 'do q[./t/external/fingerprint.pl]; update_fingerprints()' + +use strict; +use warnings; +use IO::Socket::SSL; + +# --- BEGIN-FINGERPRINTS ---- +my $fingerprints= [ + { + _ => 'this should give us OCSP stapling', + fingerprint => 'sha1$pub$39d64bbaea90c6035e25ff990ba4ce565350bac5', + host => 'www.chksum.de', + ocsp => { + staple => 1 + }, + port => 443 + }, + { + _ => 'no OCSP stapling', + fingerprint => 'sha1$pub$c8ba0806b887fc15e9d98e73107a17150f847bbf', + host => 'www.bild.de', + ocsp => { + staple => 0 + }, + port => 443, + subject_hash_ca => '3513523f' + }, + { + _ => 'this is revoked', + fingerprint => 'sha1$pub$f0f0c49b8a04a2dd2110e10f7806c97d87d0b26f', + host => 'revoked.grc.com', + ocsp => { + revoked => 1 + }, + port => 443 + }, + { + fingerprint => 'sha1$pub$7397f9dea15c007ad1eabe7a0c895ccac60389b1', + host => 'www.yahoo.com', + port => 443, + subject_hash_ca => '244b5494' + }, + { + fingerprint => 'sha1$pub$c40d9bc2496fa2db198b27b6c1f94d1c703e7039', + host => 'www.comdirect.de', + port => 443, + subject_hash_ca => '062cdee6' + }, + { + fingerprint => 'sha1$pub$26907a3f3088cf57264f7a0f083767e400ea871e', + host => 'meine.deutsche-bank.de', + port => 443, + subject_hash_ca => '607986c7' + }, + { + fingerprint => 'sha1$pub$232e02961a493a2e528460d0d3c0720a8f533428', + host => 'www.twitter.com', + port => 443, + subject_hash_ca => '3513523f' + }, + { + fingerprint => 'sha1$pub$12b35a6d540bcba5f9ff055fdcc5af0dac67fc73', + host => 'www.facebook.com', + port => 443, + subject_hash_ca => '244b5494' + }, + { + fingerprint => 'sha1$pub$6ad05c9dd77463152389f755cb6a81c41c33c987', + host => 'www.live.com', + port => 443, + subject_hash_ca => '3513523f' + } +] +; +# --- END-FINGERPRINTS ---- + + +sub update_fingerprints { + my $changed; + for my $fp (@$fingerprints) { + my $cl = IO::Socket::INET->new( + PeerHost => $fp->{host}, + PeerPort => $fp->{port} || 443, + Timeout => 10, + ); + my $root; + if 
(!$cl) { + warn "E $fp->{host}:$fp->{port} - TCP connect failed: $!\n"; + } elsif (!IO::Socket::SSL->start_SSL($cl, + Timeout => 10, + SSL_ocsp_mode => 0, + SSL_hostname => $fp->{host}, + SSL_verify_callback => sub { + my ($cert,$depth) = @_[4,5]; + $root ||= $cert; + return 1; + } + )) { + warn "E $fp->{host}:$fp->{port} - SSL handshake failed: $SSL_ERROR\n"; + } else { + my $sha1 = $cl->get_fingerprint('sha1',undef,1); + if ($sha1 eq $fp->{fingerprint}) { + warn "N $fp->{host}:$fp->{port} - fingerprint as expected\n"; + } else { + warn "W $fp->{host}:$fp->{port} - fingerprint changed from $fp->{fingerprint} to $sha1\n"; + $fp->{fingerprint} = $sha1; + $changed++; + } + if ($root and $fp->{subject_hash_ca}) { + my $hash = sprintf("%08x",Net::SSLeay::X509_subject_name_hash($root)); + if ($fp->{subject_hash_ca} eq $hash) { + warn "N $fp->{host}:$fp->{port} - subject_hash_ca as expected\n"; + } else { + warn "N $fp->{host}:$fp->{port} - subject_hash_ca changed from $fp->{subject_hash_ca} to $hash\n"; + $fp->{subject_hash_ca} = $hash; + $changed++; + } + } + } + } + if ($changed) { + require Data::Dumper; + open(my $fh,'<',__FILE__) or die $!; + my $pl = do { local $/; <$fh> }; + my $new = 'my $fingerprints= '.Data::Dumper->new([$fingerprints])->Terse(1)->Quotekeys(0)->Sortkeys(1)->Dump().";\n"; + $pl =~ s{^(# --- BEGIN-FINGERPRINTS ----\s*\n)(.*)^(# --- END-FINGERPRINTS ----\s*\n)}{$1$new$3}ms + or die "did not find BEGIN and END markers in ".__FILE__; + open($fh,'>',__FILE__) or die $!; + print $fh $pl; + warn __FILE__." updated\n"; + } +} + +$fingerprints; diff --git a/cpan/IO-Socket-SSL/t/external/ocsp.t b/cpan/IO-Socket-SSL/t/external/ocsp.t new file mode 100644 index 000000000000..bb42fd01ddb9 --- /dev/null +++ b/cpan/IO-Socket-SSL/t/external/ocsp.t 
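Review bot: `update_fingerprints` installs an `SSL_verify_callback` that unconditionally returns 1, so when it rewrites the pins in this file it accepts whatever certificate chain the network presents; a regenerated `fingerprint` or `subject_hash_ca` is therefore only as trustworthy as the path to the host at update time, and a chain from an intercepting proxy would be baked into the fixture and later accepted by the external tests. The tests themselves verify against the default CA store, and the updater should do the same — e.g. drop the callback and take the root from `$cl->peer_certificates` on a chain that verified — or at least print the new values for the maintainer to confirm instead of rewriting `__FILE__` directly. The pins are all `sha1$pub$…` and `get_fingerprint('sha1',…)` is hard-coded; create-certs.pl in the same commit already prints `sha256$` digests, and moving these pins to SHA-256 would be consistent. The rewrite also does `open($fh,'>',__FILE__)` and `print` without checking `close`, so a short write would truncate this file.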
@@ -0,0 +1,184 @@ +#!/usr/bin/perl + +use strict; +use warnings; +use Test::More; +use IO::Socket::SSL; +#$Net::SSLeay::trace=3; + +plan skip_all => "no OCSP support" if ! IO::Socket::SSL->can_ocsp; + +my $fingerprints = do './fingerprint.pl' + || do './t/external/fingerprint.pl' + || die "no fingerprints for sites"; +my @tests = grep { $_->{ocsp} } @$fingerprints; + +plan tests => 0+@tests; + +my $timeout = 10; +my $proxy = ( $ENV{http_proxy} || '' ) + =~m{^(?:\w+://)?([\w\-.:\[\]]+:\d+)/?$} && $1; +my $have_httptiny = eval { require HTTP::Tiny }; +my $ipclass = 'IO::Socket::INET'; +for( qw( IO::Socket::IP IO::Socket::INET6 )) { + eval { require $_ } or next; + $ipclass = $_; + last; +} + + +TEST: +for my $test (@tests) { + my $tcp_connect = sub { + if ( ! $proxy ) { + # direct connection + return $ipclass->new( + PeerAddr => $test->{host}, + PeerPort => $test->{port}, + Timeout => $timeout, + ) || die "tcp connect to $test->{host}:$test->{port} failed: $!"; + } + my $cl = $ipclass->new( + PeerAddr => $proxy, + Timeout => $timeout, + ) || die "tcp connect to proxy $proxy failed: $!"; + + # try to establish tunnel via proxy with CONNECT + { + local $SIG{ALRM} = sub { + die "proxy HTTP tunnel creation timed out" }; + alarm($timeout); + print $cl "CONNECT $test->{host}:$test->{port} HTTP/1.0\r\n\r\n"; + my $reply = ''; + while (<$cl>) { + $reply .= $_; + last if m{\A\r?\n\Z}; + } + alarm(0); + $reply =~m{\AHTTP/1\.[01] 200\b} or + die "unexpected response from proxy: $reply"; + } + return $cl; + }; + + SKIP: { + # first check fingerprint in case of SSL interception + my $cl = eval { &$tcp_connect } or skip "TCP connect#1 failed: $@",1; + diag("tcp connect to $test->{host}:$test->{port} ok"); + skip "SSL upgrade w/o validation failed: $SSL_ERROR",1 + if ! 
IO::Socket::SSL->start_SSL($cl, + SSL_hostname => $test->{host}, + SSL_verify_mode => 0 + ); + my $pubkey_fp = $test->{fingerprint} =~m{\$pub\$}; + skip "fingerprints do not match",1 + if $cl->get_fingerprint('sha1',undef,$pubkey_fp) ne $test->{fingerprint}; + diag("fingerprint matches"); + + # then check if we can use the default CA path for successful + # validation without OCSP yet + $cl = eval { &$tcp_connect } or skip "TCP connect#2 failed: $@",1; + skip "SSL upgrade w/o OCSP failed: $SSL_ERROR",1 + if ! IO::Socket::SSL->start_SSL($cl, + SSL_hostname => $test->{host}, + SSL_ocsp_mode => SSL_OCSP_NO_STAPLE + ); + diag("validation with default CA w/o OCSP ok"); + + # check with default settings + $cl = eval { &$tcp_connect } or skip "TCP connect#3 failed: $@",1; + my $ok = IO::Socket::SSL->start_SSL($cl, SSL_hostname => $test->{host}); + my $err = !$ok && $SSL_ERROR; + if (!$ok && !$test->{ocsp}{revoked}) { + fail("SSL upgrade with OCSP stapling failed: $err"); + next TEST; + } + + # we got usable stapling if _SSL_ocsp_verify is defined + if ($test->{ocsp}{staple}) { + if ( ! ${*$cl}{_SSL_ocsp_verify}) { + fail("did not get expected OCSP response with stapling"); + next TEST; + } else { + diag("got stapled response as expected"); + } + } + + if (!$err && !$${*$cl}{_SSL_ocsp_verify} && $have_httptiny) { + # use OCSP resolver to resolve remaining certs, should be at most one + my $ocsp_resolver = $cl->ocsp_resolver; + my %rq = $ocsp_resolver->requests; + if (keys(%rq)>1) { + fail("got more open OCSP requests (".keys(%rq). + ") than expected(1) in default mode"); + next TEST; + } + $err = $ocsp_resolver->resolve_blocking(timeout => $timeout); + } + + if ($test->{ocsp}{revoked}) { + if ($err =~m/revoked/) { + my $where = ${*$cl}{_SSL_ocsp_verify} ? 
'stapled':'asked OCSP server'; + pass("revoked as expected ($where)"); + } elsif ($err =~m/OCSP_basic_verify:certificate verify error/) { + # badly signed OCSP record + pass("maybe revoked, but got OCSP verification error: $SSL_ERROR"); + } elsif ($err =~m/response not yet valid or expired/) { + pass("maybe revoked, but got not yet valid/expired response from OCSP server"); + } elsif ($err) { + # some other error + pass("maybe revoked, but got error: $err"); + } elsif (!$have_httptiny && !$test->{ocsp}{staple}) { + # could not check because HTTP::Tiny is missing + pass("maybe revoked, but could not check because HTTP::Tiny is missing"); + } else { + fail("expected revoked but connection ok"); + } + next TEST; + + } elsif ($err) { + if ($err =~m/revoked/) { + fail("expected ok but revoked"); + } else { + pass("probably ok, but got $err"); + } + next TEST; + } + + diag("validation with default CA with OCSP defaults ok"); + + # now check with full chain + $cl = eval { &$tcp_connect } or skip "TCP connect#4 failed: $@",1; + my $cache = IO::Socket::SSL::OCSP_Cache->new; + if (! IO::Socket::SSL->start_SSL($cl, + SSL_hostname => $test->{host}, + SSL_ocsp_mode => SSL_OCSP_FULL_CHAIN, + SSL_ocsp_cache => $cache + )) { + skip "unexpected fail of SSL connect: $SSL_ERROR",1 + } + my $chain_size = $cl->peer_certificates; + if ( my $ocsp_resolver = $have_httptiny && $cl->ocsp_resolver ) { + # there should be no hard error after resolving - unless an + # intermediate certificate got revoked which I don't hope + $err = $ocsp_resolver->resolve_blocking(timeout => $timeout); + if ($err) { + fail("fatal error in OCSP resolver: $err"); + next TEST; + } + # we should now either have soft errors or the OCSP cache should + # have chain_size entries + if ( ! 
$ocsp_resolver->soft_error ) { + my $cache_size = keys(%$cache)-1; + if ($cache_size!=$chain_size) { + fail("cache_size($cache_size) != chain_size($chain_size)"); + next TEST; + } + } + diag("validation with default CA with OCSP full chain ok"); + } + + done: + pass("OCSP tests $test->{host}:$test->{port} ok"); + } +} diff --git a/cpan/IO-Socket-SSL/t/external/usable_ca.t b/cpan/IO-Socket-SSL/t/external/usable_ca.t new file mode 100644 index 000000000000..bf61c63e4e8c --- /dev/null +++ b/cpan/IO-Socket-SSL/t/external/usable_ca.t 
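Review bot: `eval { require $_ } or next;` in the `$ipclass` selection loop never loads `IO::Socket::IP` or `IO::Socket::INET6`: `require` with a string argument treats it as a file name, so it looks for a file literally called `IO::Socket::IP` rather than `IO/Socket/IP.pm`, and `$ipclass` always stays `IO::Socket::INET`; use `eval "require $_; 1" or next;` or convert the package name to a path before requiring. The same loop appears in usable_ca.t in this commit. Later, `if (!$err && !$${*$cl}{_SSL_ocsp_verify} && $have_httptiny)` has a doubled sigil; two lines above the same flag is read as `${*$cl}{_SSL_ocsp_verify}`, so this looks like a typo that dereferences the glob's scalar slot instead of its hash and should read `!${*$cl}{_SSL_ocsp_verify}`. The `done:` label before the final `pass(...)` is not referenced by any `goto` or loop control in the hunk and can go.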
@@ -0,0 +1,154 @@ +use strict; +use warnings; +use Test::More; +use IO::Socket::SSL; +use IO::Socket::SSL::Utils; + +my $ipclass = 'IO::Socket::INET'; +for( qw( IO::Socket::IP IO::Socket::INET6 )) { + eval { require $_ } or next; + $ipclass = $_; + last; +} + +my $fingerprints = do './fingerprint.pl' + || do './t/external/fingerprint.pl' + || die "no fingerprints for sites"; +my @tests = grep { $_->{subject_hash_ca} } @$fingerprints; + +my %ca = IO::Socket::SSL::default_ca(); +plan skip_all => "no default CA store found" if ! %ca; + +my %have_ca; +# some systems seems to have junk in the CA stores +# so better wrap it into eval +eval { + for my $f ( + ( $ca{SSL_ca_file} ? ($ca{SSL_ca_file}) : ()), + ( $ca{SSL_ca_path} ? glob("$ca{SSL_ca_path}/*") :()), + ) { + open( my $fh,'<',$f ) or next; + my $pem; + while (<$fh>) { + if ( m{^--+END} ) { + my $cert = PEM_string2cert($pem.$_); + $pem = undef; + $cert or next; + my $hash = Net::SSLeay::X509_subject_name_hash($cert); + $have_ca{sprintf("%08x",$hash)} = 1; + } elsif ( m{^--+BEGIN (TRUSTED |X509 |)CERTIFICATE-+} ) { + $pem = $_; + } elsif ( $pem ) { + $pem .= $_; + } + } + } +}; +diag( "found ".(0+keys %have_ca)." CA certs"); +plan skip_all => "no CA certs found" if ! %have_ca; + +my $proxy = ( $ENV{https_proxy} || $ENV{http_proxy} || '' ) + =~m{^(?:\w+://)?([\w\-.:\[\]]+:\d+)/?$} && $1; + +my @cap = ('SSL_verifycn_name'); +push @cap, 'SSL_hostname' if IO::Socket::SSL->can_client_sni(); +plan tests => (1+@cap)*@tests; + +for my $test (@tests) { + my $host = $test->{host}; + my $port = $test->{port} || 443; + my $fp = $test->{fingerprint}; + my $ca_hash = $test->{subject_hash_ca}; + + SKIP: { + + # first check if we have the CA in store + skip "no root CA $ca_hash for $host in store",1+@cap + if ! $have_ca{$ca_hash}; + diag("have root CA for $host in store"); + + # then build inet connections for later SSL upgrades + my @cl; + for my $cap ('fp','nocn',@cap,'noca') { + my $cl; + if ( ! 
$proxy ) { + # direct connection + $cl = $ipclass->new( + PeerAddr => $host, + PeerPort => $port, + Timeout => 15, + ) + } elsif ( $cl = $ipclass->new( + PeerAddr => $proxy, + Timeout => 15 + )) { + # try to establish tunnel via proxy with CONNECT + my $reply = ''; + if ( eval { + local $SIG{ALRM} = sub { die "timed out" }; + alarm(15); + print $cl "CONNECT $host:443 HTTP/1.0\r\n\r\n"; + while (<$cl>) { + $reply .= $_; + last if m{\A\r?\n\Z}; + } + $reply =~m{\AHTTP/1\.[01] 200\b} or + die "unexpected response from proxy: $reply"; + }) { + } else { + $cl = undef + } + } + + skip "cannot connect to $host:443 with $ipclass: $!",1+@cap + if ! $cl; + push @cl,$cl; + } + + diag(int(@cl)." connections to $host ok"); + + # check if we have SSL interception by comparing the fingerprint we get + my $cl = shift(@cl); + skip "ssl upgrade failed even without verification",1+@cap + if ! IO::Socket::SSL->start_SSL($cl, SSL_verify_mode => 0 ); + my $pubkey_fp = $test->{fingerprint} =~m{\$pub\$}; + my $clfp = $cl->get_fingerprint('sha1',undef,$pubkey_fp); + skip "fingerprint mismatch ($clfp) - probably SSL interception or certificate changed",1+@cap + if $clfp ne $fp; + diag("fingerprint $host matches"); + + # check if it can verify against builtin CA store + $cl = shift(@cl); + if ( ! 
IO::Socket::SSL->start_SSL($cl)) { + skip "ssl upgrade failed with builtin CA store",1+@cap; + } + diag("check $host against builtin CA store ok"); + + for my $cap (@cap) { + my $cl = shift(@cl); + # try to upgrade with SSL using default CA path + if ( IO::Socket::SSL->start_SSL($cl, + SSL_verify_mode => 1, + SSL_verifycn_scheme => 'http', + $cap => $host, + )) { + pass("SSL upgrade $host with default CA and $cap"); + } elsif ( $SSL_ERROR =~m{verify failed} ) { + fail("SSL upgrade $host with default CA and $cap: $SSL_ERROR"); + } else { + pass("SSL upgrade $host with default CA and $cap failed but not because of verify problem: $SSL_ERROR"); + } + } + + # it should fail when we use no default ca, even on OS X + # https://hynek.me/articles/apple-openssl-verification-surprises/ + $cl = shift(@cl); + if ( IO::Socket::SSL->start_SSL($cl, SSL_ca_file => \'' )) { + fail("SSL upgrade $host with no CA succeeded"); + } elsif ( $SSL_ERROR =~m{verify failed} ) { + pass("SSL upgrade $host with no CA failed"); + } else { + pass("SSL upgrade $host with no CA failed but not because of verify problem: $SSL_ERROR"); + } + } +} diff --git a/cpan/IO-Socket-SSL/t/io-socket-inet6.t b/cpan/IO-Socket-SSL/t/io-socket-inet6.t new file mode 100644 index 000000000000..da8a6c225345 --- /dev/null +++ b/cpan/IO-Socket-SSL/t/io-socket-inet6.t 
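Review bot: In the proxy branch of the connection loop, `alarm(15)` is set inside the `eval` but never cancelled: there is no `alarm(0)` after the CONNECT reply is read, and the `local $SIG{ALRM}` handler is restored when the eval returns, so on a successful tunnel the pending SIGALRM fires 15 seconds later with the default disposition and terminates the test part-way through its SSL checks; add `alarm(0);` immediately after the `eval { … }` so it runs on both the success and die paths. The same block hard-codes `CONNECT $host:443` and the skip message `cannot connect to $host:443` while the direct branch honours `$port`; use `$host:$port` in both strings. The `$ipclass` loop at the top shares the `require $_` problem raised on ocsp.t.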
@@ -0,0 +1,100 @@ +#!perl + +# make sure IO::Socket::IP will not be used +BEGIN { + if ( eval { require Acme::Override::INET }) { + print "1..0 # Skipped: will not work with Acme::Override::INET installed\n"; + exit + } + $INC{'IO/Socket/IP.pm'} = undef +} + +use strict; +use warnings; +use Net::SSLeay; +use Socket; +use IO::Socket::SSL; +do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; + +# check first if we have loaded IO::Socket::IP, as if so we won't need or use +# IO::Socket::INET6 +if( IO::Socket::SSL->CAN_IPV6 eq "IO::Socket::IP" ) { + print "1..0 # Skipped: using IO::Socket::IP instead\n"; + exit; +} + +# check if we have loaded INET6, IO::Socket::SSL should do it by itself +# if it is available +unless( IO::Socket::SSL->CAN_IPV6 eq "IO::Socket::INET6" ) { + # not available or IO::Socket::SSL forgot to load it + if ( ! eval { require IO::Socket::INET6 } ) { + print "1..0 # Skipped: no IO::Socket::INET6 available\n"; + } elsif ( ! eval { IO::Socket::INET6->VERSION(2.62) } ) { + print "1..0 # Skipped: no IO::Socket::INET6 available\n"; + } else { + print "1..1\nnot ok # automatic use of INET6\n"; + } + exit +} + +my $addr = '::1'; +# check if we can use ::1, e.g. if the computer has IPv6 enabled +if ( ! 
IO::Socket::INET6->new( + Listen => 10, + LocalAddr => $addr, +)) { + print "1..0 # no IPv6 enabled on this computer\n"; + exit +} + +$|=1; +print "1..3\n"; +print "# IO::Socket::INET6 version=$IO::Socket::INET6::VERSION\n"; + +# first create simple ssl-server +my $ID = 'server'; +my $server = IO::Socket::SSL->new( + LocalAddr => $addr, + Listen => 2, + SSL_cert_file => "t/certs/server-cert.pem", + SSL_key_file => "t/certs/server-key.pem", +) || do { + notok($!); + exit +}; +ok("Server Initialization at $addr"); + +# add server port to addr +$addr = "[$addr]:".$server->sockport; +print "# server at $addr\n"; + +my $pid = fork(); +if ( !defined $pid ) { + die $!; # fork failed + +} elsif ( !$pid ) { ###### Client + + $ID = 'client'; + close($server); + my $to_server = IO::Socket::SSL->new( + PeerAddr => $addr, + SSL_verify_mode => 0, + ) || do { + notok( "connect failed: ".IO::Socket::SSL->errstr() ); + exit + }; + ok( "client connected" ); + +} else { ###### Server + + my $to_client = $server->accept || do { + notok( "accept failed: ".$server->errstr() ); + kill(9,$pid); + exit; + }; + ok( "Server accepted" ); + wait; +} + +sub ok { print "ok # [$ID] @_\n"; } +sub notok { print "not ok # [$ID] @_\n"; } diff --git a/cpan/IO-Socket-SSL/t/io-socket-ip.t b/cpan/IO-Socket-SSL/t/io-socket-ip.t new file mode 100644 index 000000000000..60873083bbd6 --- /dev/null +++ b/cpan/IO-Socket-SSL/t/io-socket-ip.t 
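Review bot: The server branch blocks in `my $to_client = $server->accept || do {` with no timeout, so if the forked client exits on its `notok` path before connecting, the parent never reaches `wait` and the test hangs instead of failing. The same shape is in the io-socket-ip.t and npn.t hunks below. Arming an alarm around the accept bounds it: `local $SIG{ALRM} = sub { notok("accept timed out"); kill(9,$pid); exit };` and `alarm(30);` before the accept, then `alarm(0);` once it returns, which reuses the cleanup the existing failure branch already does.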
@@ -0,0 +1,92 @@ +#!perl +# Before `make install' is performed this script should be runnable with +# `make test'. After `make install' it should work as `perl t/dhe.t' + +# make sure IO::Socket::INET6 will not be used +BEGIN { $INC{'IO/Socket/INET6.pm'} = undef } + +use strict; +use warnings; +use Net::SSLeay; +use Socket; +use IO::Socket::SSL; +do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; + +# check if we have loaded IO::Socket::IP, IO::Socket::SSL should do it by +# itself if it is available +unless( IO::Socket::SSL->CAN_IPV6 eq "IO::Socket::IP" ) { + # not available or IO::Socket::SSL forgot to load it + if ( ! eval { + require IO::Socket::IP; + IO::Socket::IP->VERSION(0.31) + }) { + print "1..0 # Skipped: usable IO::Socket::IP is not available\n"; + } elsif (! defined &IO::Socket::SSL::_getnameinfo) { + print "1..0 # Skipped: no IPv6 support despite IO::Socket::IP\n"; + } else { + print "1..1\nnot ok # automatic use of IO::Socket::IP\n"; + } + exit +} + +my $addr = '::1'; +# check if we can use ::1, e.g. if the computer has IPv6 enabled +if ( ! 
IO::Socket::IP->new( + Listen => 10, + LocalAddr => $addr, +)) { + print "1..0 # no IPv6 enabled on this computer\n"; + exit +} + +$|=1; +print "1..3\n"; +print "# IO::Socket::IP version=$IO::Socket::IP::VERSION\n"; + +# first create simple ssl-server +my $ID = 'server'; +my $server = IO::Socket::SSL->new( + LocalAddr => $addr, + Listen => 2, + SSL_cert_file => "t/certs/server-cert.pem", + SSL_key_file => "t/certs/server-key.pem", +) || do { + notok($!); + exit +}; +ok("Server Initialization at $addr"); + +# add server port to addr +$addr = "[$addr]:".$server->sockport; +print "# server at $addr\n"; + +my $pid = fork(); +if ( !defined $pid ) { + die $!; # fork failed + +} elsif ( !$pid ) { ###### Client + + $ID = 'client'; + close($server); + my $to_server = IO::Socket::SSL->new( + PeerAddr => $addr, + SSL_verify_mode => 0 + ) || do { + notok( "connect failed: ".IO::Socket::SSL->errstr() ); + exit + }; + ok( "client connected" ); + +} else { ###### Server + + my $to_client = $server->accept || do { + notok( "accept failed: ".$server->errstr() ); + kill(9,$pid); + exit; + }; + ok( "Server accepted" ); + wait; +} + +sub ok { print "ok # [$ID] @_\n"; } +sub notok { print "not ok # [$ID] @_\n"; } diff --git a/cpan/IO-Socket-SSL/t/memleak_bad_handshake.t b/cpan/IO-Socket-SSL/t/memleak_bad_handshake.t new file mode 100644 index 000000000000..cef03f98f28d --- /dev/null +++ b/cpan/IO-Socket-SSL/t/memleak_bad_handshake.t 
@@ -0,0 +1,99 @@ +#!perl +# Before `make install' is performed this script should be runnable with +# `make test'. After `make install' it should work as `perl t/nonblock.t' + +use strict; +use warnings; +use Net::SSLeay; +use Socket; +use IO::Socket::SSL; +use IO::Select; +do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; + +my $getsize; +if ( -f "/proc/$$/statm" ) { + $getsize = sub { + my $pid = shift; + open( my $fh,'<', "/proc/$pid/statm"); + my $line = <$fh>; + return (split(' ',$line))[0] * 4; + }; +} elsif ( ! grep { $^O =~m{$_}i } qw( MacOS VOS vmesa riscos amigaos mswin32) ) { + $getsize = sub { + my $pid = shift; + open( my $ps,'-|',"ps -o vsize -p $pid 2>/dev/null" ) or return; + $ps && <$ps> or return; # header + return int(<$ps>); # size + }; +} else { + print "1..0 # Skipped: ps not implemented on this platform\n"; + exit +} + +if ( $^O =~m{aix}i ) { + print "1..0 # Skipped: might hang, see https://rt.cpan.org/Ticket/Display.html?id=72170\n"; + exit +} + + +$|=1; +if ( ! $getsize->($$) ) { + print "1..0 # Skipped: no usable ps\n"; + exit; +} + +my $server = IO::Socket::SSL->new( + LocalAddr => '127.0.0.1', + LocalPort => 0, + Listen => 200, + SSL_cert_file => 't/certs/server-cert.pem', + SSL_key_file => 't/certs/server-key.pem', +); + +my $saddr = $server->sockhost.':'.$server->sockport; +defined( my $pid = fork()) or die "fork failed: $!"; +if ( $pid == 0 ) { + # server + while (1) { + # socket accept, client handshake and client close + $server->accept; + } + exit(0); +} + + +close($server); +# plain non-SSL connect and close w/o sending data +for(1..100) { + IO::Socket::INET->new( $saddr ) or next; +} +my $size100 = $getsize->($pid); +if ( ! 
$size100 ) { + print "1..0 # Skipped: cannot get size of child process\n"; + goto done; +} + +for(100..200) { + IO::Socket::INET->new( $saddr ) or next; +} +my $size200 = $getsize->($pid); + +for(200..300) { + IO::Socket::INET->new( $saddr ) or next; +} +my $size300 = $getsize->($pid); +if ($size100>$size200 or $size200<$size300) {; + print "1..0 # skipped - do we measure the right thing?\n"; + goto done; +} + +print "1..1\n"; +print "not " if $size100 < $size200 and $size200 < $size300; +print "ok # check memleak failed handshake ($size100,$size200,$size300)\n"; + +done: +kill(9,$pid); +wait; +exit; + + diff --git a/cpan/IO-Socket-SSL/t/mitm.t b/cpan/IO-Socket-SSL/t/mitm.t new file mode 100644 index 000000000000..044268f4335d --- /dev/null +++ b/cpan/IO-Socket-SSL/t/mitm.t 
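Review bot: The skip guard `if ($size100>$size200 or $size200<$size300)` appears to swallow the one outcome the test exists to catch: a child that keeps growing between 200 and 300 connections has `$size200<$size300` and is skipped, and the later `print "not " if $size100 < $size200 and $size200 < $size300;` can then never be true, so the test cannot report a leak. Unless I misread the intent, the second comparison should mirror the first as `$size200>$size300` (size shrinking, i.e. the measurement is not tracking what we think). Separately, the `/proc` branch's `open( my $fh,'<', "/proc/$pid/statm");` is unchecked, so a failure yields an undef read and a warning where the `ps` branch returns; adding `or return;` makes both branches feed the existing "cannot get size of child process" skip.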
@@ -0,0 +1,121 @@ +#!perl + +use strict; +use warnings; +use Net::SSLeay; +use Socket; +use IO::Socket::SSL; +use IO::Socket::SSL::Intercept; +do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; + +print "1..8\n"; + +my @pid; +END { kill 9,@pid } + +my $server = IO::Socket::SSL->new( + LocalAddr => '127.0.0.1', + LocalPort => 0, + SSL_cert_file => 't/certs/server-cert.pem', + SSL_key_file => 't/certs/server-key.pem', + Listen => 10, +); +ok($server,"server ssl socket"); +my $saddr = $server->sockhost.':'.$server->sockport; +defined( my $pid = fork ) or die $!; +exit( server()) if ! $pid; # child -> server() +push @pid,$pid; +close($server); + +my $proxy = IO::Socket::INET->new( + LocalAddr => '127.0.0.1', + LocalPort => 0, + Listen => 10, + Reuse => 1, +); +sys_ok($proxy,"proxy tcp socket"); +my $paddr = $proxy->sockhost.':'.$proxy->sockport; +defined( $pid = fork ) or die $!; +exit( proxy()) if ! $pid; # child -> proxy() +push @pid,$pid; +close($proxy); + +# connect to server, check certificate +my $cl = IO::Socket::SSL->new( + PeerAddr => $saddr, + Domain => AF_INET, + SSL_verify_mode => 1, + SSL_ca_file => 't/certs/test-ca.pem', +); +ssl_ok($cl,"ssl connected to server"); +ok( $cl->peer_certificate('subject') =~ m{server\.local}, "subject w/o mitm"); +ok( $cl->peer_certificate('issuer') =~ m{IO::Socket::SSL Demo CA}, + "issuer w/o mitm"); + +# connect to proxy, check certificate +$cl = IO::Socket::SSL->new( + PeerAddr => $paddr, + Domain => AF_INET, + SSL_verify_mode => 1, + SSL_ca_file => 't/certs/proxyca.pem', +); +ssl_ok($cl,"ssl connected to proxy"); +ok( $cl->peer_certificate('subject') =~ m{server\.local}, "subject w/ mitm"); +ok( $cl->peer_certificate('issuer') =~ m{IO::Socket::SSL::Intercept}, + "issuer w/ mitm"); + + +sub server { + while (1) { + my $cl = $server->accept or next; + sleep(1); + } +} + +sub proxy { + my $mitm = IO::Socket::SSL::Intercept->new( + proxy_cert_file => 't/certs/proxyca.pem', + proxy_key_file => 't/certs/proxyca.pem', 
+ ); + while (1) { + my $toc = $proxy->accept or next; + my $tos = IO::Socket::SSL->new( + PeerAddr => $saddr, + Domain => AF_INET, + SSL_verify_mode => 1, + SSL_ca_file => 't/certs/test-ca.pem', + ) or die "failed connect to server: $!, $SSL_ERROR"; + my ($cert,$key) = $mitm->clone_cert($tos->peer_certificate); + $toc = IO::Socket::SSL->start_SSL( $toc, + SSL_server => 1, + SSL_cert => $cert, + SSL_key => $key, + ) or die "ssl upgrade client failed: $SSL_ERROR"; + sleep(1); + } +} + +sub ok { + my ($what,$msg) = @_; + print "not " if ! $what; + print "ok # $msg\n"; +} +sub sys_ok { + my ($what,$msg) = @_; + if ( $what ) { + print "ok # $msg\n"; + } else { + print "not ok # $msg - $!\n"; + exit + } +} + +sub ssl_ok { + my ($what,$msg) = @_; + if ( $what ) { + print "ok # $msg\n"; + } else { + print "not ok # $msg - $SSL_ERROR\n"; + exit + } +} diff --git a/cpan/IO-Socket-SSL/t/multiple-cert-rsa-ecc.t b/cpan/IO-Socket-SSL/t/multiple-cert-rsa-ecc.t new file mode 100644 index 000000000000..aacedaa31780 --- /dev/null +++ b/cpan/IO-Socket-SSL/t/multiple-cert-rsa-ecc.t 
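Review bot: The interception path is only exercised in the positive direction: a client trusting `t/certs/proxyca.pem` accepts the cloned certificate, but nothing checks that a client trusting only `t/certs/test-ca.pem` rejects it, which is the property an interception test should pin down. Adding the negative case after the "issuer w/ mitm" check is three lines: `$cl = IO::Socket::SSL->new(PeerAddr => $paddr, Domain => AF_INET, SSL_verify_mode => 1, SSL_ca_file => 't/certs/test-ca.pem');`, then `ok(!$cl, "mitm cert rejected with real CA: ".($SSL_ERROR||''));`, and the plan becomes `print "1..9\n";`. Using `$SSL_ERROR` in the message keeps the diagnostic consistent with what the existing `ssl_ok` helper prints.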
@@ -0,0 +1,108 @@ +#!perl + +use strict; +use warnings; +use Net::SSLeay; +use Socket; +use IO::Socket::SSL; +use IO::Socket::SSL::Utils; +do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; + +if ( ! IO::Socket::SSL->can_server_sni() + or ! IO::Socket::SSL->can_client_sni()) { + print "1..0 # skipped because no full SNI support - openssl/Net::SSleay too old\n"; + exit; +} + +if ( ! IO::Socket::SSL->can_multi_cert() ) { + print "1..0 # no support for multiple certificate types\n"; + exit; +} + +print "1..12\n"; + +my %certs = ( + SSL_cert_file => { + '' => 't/certs/server-cert.pem', + '%ecc' => "t/certs/server-ecc-cert.pem", + 'server2.local' => 't/certs/server2-cert.pem', + }, + SSL_key_file => { + '' => 't/certs/server-key.pem', + '%ecc' => 't/certs/server-ecc-key.pem', + 'server2.local' => 't/certs/server2-key.pem', + } +); + +my (%k2fp,%fp2k); +Net::SSLeay::SSLeay_add_ssl_algorithms(); +my $sha256 = Net::SSLeay::EVP_get_digestbyname('sha256') or die; +for (keys %{ $certs{SSL_cert_file} }) { + my $cert = PEM_file2cert($certs{SSL_cert_file}{$_}); + my $fp = 'sha256$'.unpack('H*',Net::SSLeay::X509_digest($cert, $sha256)); + $k2fp{$_} = $fp; + $fp2k{$fp} = $_; +} + +my $server = IO::Socket::SSL->new( + LocalAddr => '127.0.0.1', + Listen => 2, + ReuseAddr => 1, + SSL_server => 1, + SSL_ca_file => "t/certs/test-ca.pem", + SSL_honor_cipher_order => 0, + SSL_cipher_list => 'ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA', + %certs, +); + +warn "\$!=$!, \$\@=$@, S\$SSL_ERROR=$SSL_ERROR" if ! 
$server; +print "not ok\n", exit if !$server; +print "ok # Server Initialization\n"; +my $saddr = $server->sockhost.':'.$server->sockport; + +my @tests = ( + [ 'foo.bar', 'ECDHE-ECDSA-AES128-SHA', '%ecc' ], + [ 'foo.bar', 'ECDHE-RSA-AES128-SHA', '' ], + [ 'foo.bar', 'ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA', '' ], + [ 'foo.bar', 'ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA', '%ecc' ], + [ 'server2.local', 'ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA', 'server2.local' ], + [ 'server2.local', 'ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA', 'server2.local' ], + [ 'server2.local', 'ECDHE-ECDSA-AES128-SHA', 'FAIL' ], + [ undef, 'ECDHE-ECDSA-AES128-SHA', '%ecc' ], + [ undef, 'ECDHE-RSA-AES128-SHA', '' ], + [ undef, 'ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA', '' ], + [ undef, 'ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA', '%ecc' ], +); + +defined( my $pid = fork() ) || die $!; +if ( $pid == 0 ) { + close($server); + + for my $test (@tests) { + my ($host,$ciphers,$expect) = @$test; + my $what = ($host || ''). " $ciphers | expect='$expect'"; + my $client = IO::Socket::SSL->new( + PeerAddr => $saddr, + Domain => AF_INET, + SSL_verify_mode => 0, + SSL_hostname => $host, + SSL_ca_file => 't/certs/test-ca.pem', + SSL_cipher_list => $ciphers, + # don't use TLS 1.3 since the ciphers there don't specifify the + # authentication mechanism + SSL_version => 'SSLv23:!TLSv1_3', + ); + + my $fp = $client ? $fp2k{$client->get_fingerprint('sha256')} : 'FAIL'; + $fp = '???' if ! defined $fp; + my $cipher = $client ? $client->get_cipher() : ''; + print "not " if $fp ne $expect; + print "ok # fingerprint match - $what - got='$fp' -- $cipher\n"; + } + exit; +} + +for my $host (@tests) { + $server->accept or next; +} +wait; diff --git a/cpan/IO-Socket-SSL/t/nonblock.t b/cpan/IO-Socket-SSL/t/nonblock.t new file mode 100644 index 000000000000..9f51deeb9671 --- /dev/null +++ b/cpan/IO-Socket-SSL/t/nonblock.t 
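Review bot: `print "not ok\n", exit if !$server;` never prints: `exit` is part of print's argument list and runs while that list is being built, so the process ends before `print` is called and the harness sees the `1..12` plan with no result line. The same construct is in the nonblock.t hunk (`print "not ok: $!\n", exit if !$server;`) and in the protocol_version.t hunk, which runs past the end of this chunk. Writing it as `if (!$server) { print "not ok\n"; exit }` or `print("not ok\n"), exit if !$server;` fixes it. The `warn` on the preceding line also carries a stray `S` in `S\$SSL_ERROR=`.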
@@ -0,0 +1,407 @@ +#!perl +# Before `make install' is performed this script should be runnable with +# `make test'. After `make install' it should work as `perl t/nonblock.t' + + +use strict; +use warnings; +use Net::SSLeay; +use Socket; +use IO::Socket::SSL; +use IO::Select; +use Errno qw( EWOULDBLOCK EAGAIN EINPROGRESS); +do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; + +if ( ! eval "use 5.006; use IO::Select; return 1" ) { + print "1..0 # Skipped: no support for nonblocking sockets\n"; + exit; +} + +$|=1; +print "1..27\n"; + +my $START = time(); + +# first create simple non-blocking tcp-server +my $ID = 'server'; +my $server = IO::Socket::INET->new( + Blocking => 0, + LocalAddr => '127.0.0.1', + LocalPort => 0, + Listen => 2, +); + +print "not ok: $!\n", exit if !$server; # Address in use? +ok("Server Initialization"); + +my $saddr = $server->sockhost.':'.$server->sockport; +my $ssock = $server->sockname; + +defined( my $pid = fork() ) || die $!; +if ( $pid == 0 ) { + + ############################################################ + # CLIENT == child process + ############################################################ + + close($server); + $ID = 'client'; + + # fast: try connect_SSL immediately after sending plain text + # connect_SSL should fail on the first attempt because server + # is not ready yet + # slow: wait before calling connect_SSL + # connect_SSL should succeed, because server was already waiting + + for my $test ( 'fast','slow' ) { + + # initial socket is unconnected, tcp, nonblocking + my $to_server = IO::Socket::INET->new( Proto => 'tcp', Blocking => 0 ); + + # nonblocking connect of tcp socket + while (1) { + connect($to_server,$ssock ) && last; + if ( $!{EINPROGRESS} ) { + diag( 'connect in progress' ); + IO::Select->new( $to_server )->can_write(30) && next; + print "not "; + last; + } elsif ( $!{EWOULDBLOCK} || $!{EAGAIN} ) { + diag( 'connect not yet completed'); + # just wait + select(undef,undef,undef,0.1); + next; + } elsif 
( $!{EISCONN} ) { + diag('claims that socket is already connected'); + # found on Mac OS X, dunno why it does not tell me that + # the connect succeeded before + last; + } + diag( 'connect failed: '.$! ); + print "not "; + last; + } + ok( "client tcp connect" ); + + # work around (older?) systems where IO::Socket::INET + # cannot do non-blocking connect by forcing non-blocking + # again (we want to test non-blocking behavior of IO::Socket::SSL, + # not IO::Socket::INET) + $to_server->blocking(0); + + # send some plain text on non-ssl socket + my $pmsg = 'plaintext'; + while ( $pmsg ne '' ) { + my $w = syswrite( $to_server,$pmsg ); + if ( ! defined $w ) { + if ( ! $!{EWOULDBLOCK} && ! $!{EAGAIN} ) { + diag("syswrite failed with $!"); + print "not "; + last; + } + IO::Select->new($to_server)->can_write(30) or do { + diag("failed to get write ready"); + print "not "; + last; + }; + } elsif ( $w>0 ) { + diag("wrote $w bytes"); + substr($pmsg,0,$w,''); + } else { + die "syswrite returned 0"; + } + } + ok( "write plain text" ); + + # let server catch up, so that it awaits my connection + # so that connect_SSL does not have to wait + sleep(5) if ( $test eq 'slow' ); + + # upgrade to SSL socket w/o connection yet + if ( ! 
IO::Socket::SSL->start_SSL( $to_server, + SSL_startHandshake => 0, + SSL_verify_mode => 0, + SSL_key_file => "t/certs/server-key.enc", + SSL_passwd_cb => sub { return "bluebell" }, + )) { + diag( 'start_SSL return undef' ); + print "not "; + } elsif ( !UNIVERSAL::isa( $to_server,'IO::Socket::SSL' ) ) { + diag( 'failed to upgrade socket' ); + print "not "; + } + ok( "upgrade client to IO::Socket::SSL" ); + + # SSL handshake thru connect_SSL + # if $test eq 'fast' we expect one failed attempt because server + # did not call accept_SSL yet + my $attempts = 0; + while ( 1 ) { + $to_server->connect_SSL && last; + diag( $SSL_ERROR ); + if ( $SSL_ERROR == SSL_WANT_READ ) { + $attempts++; + IO::Select->new($to_server)->can_read(30) && next; # retry if can read + } elsif ( $SSL_ERROR == SSL_WANT_WRITE ) { + IO::Select->new($to_server)->can_write(30) && next; # retry if can write + } + diag( "failed to connect: $@" ); + print "not "; + last; + } + ok( "connected" ); + + if ( $test ne 'slow' ) { + print "not " if !$attempts; + ok( "nonblocking connect with $attempts attempts" ); + } + + # send some data + # we send up to 500000 bytes, server reads first 10 bytes and then sleeps + # before reading more. In total server only reads 30000 bytes + # the sleep will cause the internal buffers to fill up so that the syswrite + # should return with EWOULDBLOCK+SSL_WANT_WRITE. 
+ # the socket close should cause EPIPE or ECONNRESET + + my $msg = "1234567890"; + $attempts = 0; + my $bytes_send = 0; + + # set send buffer to 8192 so it will definitely fail writing all 500000 bytes in it + # beware that linux allocates twice as much (see tcp(7)) + # AIX seems to get very slow if you set the sndbuf on localhost, so don't to it + # https://rt.cpan.org/Public/Bug/Display.html?id=72305 + if ( $^O !~m/aix/i ) { + eval q{ + setsockopt( $to_server, SOL_SOCKET, SO_SNDBUF, pack( "I",8192 )); + diag( "sndbuf=".unpack( "I",getsockopt( $to_server, SOL_SOCKET, SO_SNDBUF ))); + }; + } + + # This test is too much dependant on OS + my $test_might_fail = 1; + + my $can; + WRITE: + for( my $i=0;$i<50000;$i++ ) { + my $offset = 0; + my $sel_server = IO::Select->new($to_server); + while (1) { + if ($can && !$sel_server->$can(15)) { + if ( $bytes_send > 30000 ) { + diag("fail $can, but limit reached. Assume connection closed"); + } else { + diag("fail $can"); + print "not "; + } + last WRITE; + } + + my $n = syswrite( $to_server,$msg,length($msg)-$offset,$offset ); + if ( !defined($n) ) { + diag( "\$!=$! \$SSL_ERROR=$SSL_ERROR send=$bytes_send" ); + if ( $! == EWOULDBLOCK || $! == EAGAIN ) { + if ( $SSL_ERROR == SSL_WANT_WRITE ) { + diag( 'wait for write' ); + $can = 'can_write'; + $attempts++; + } elsif ( $SSL_ERROR == SSL_WANT_READ ) { + diag( 'wait for read' ); + $can = 'can_read'; + } else { + $can = 'can_write'; + } + } elsif ( $bytes_send > 30000 ) { + diag( "connection closed" ); + last WRITE; + } + next; + } elsif ( $n == 0 ) { + diag( "connection closed" ); + last WRITE; + } elsif ( $n<0 ) { + diag( "syswrite returned $n!" ); + print "not "; + last WRITE; + } + + $bytes_send += $n; + if ( $n + $offset == 10 ) { + last + } else { + $offset += $n; + diag( "partial write of $n new offset=$offset" ); + } + } + } + ok( "syswrite" ); + + if ( ! 
$attempts && $test_might_fail ) { + ok( "write attempts failed, but OK nevertheless because we know it can fail" ); + } else { + print "not " if !$attempts; + ok( "multiple write attempts" ); + } + + print "not " if $bytes_send < 30000; + ok( "30000 bytes send" ); + } + +} else { + + ############################################################ + # SERVER == parent process + ############################################################ + + # pendant to tests in client. Where client is slow (sleep + # between plain text sending and connect_SSL) I need to + # be fast and where client is fast I need to be slow (sleep + # between receiving plain text and accept_SSL) + + foreach my $test ( 'slow','fast' ) { + + # accept a connection + my $can_read = IO::Select->new( $server )->can_read(30); + diag("tcp server socket is ".($can_read? "ready" : "NOT ready")); + my $from_client = $server->accept or print "not "; + ok( "tcp accept" ); + $from_client || do { + diag( "failed to tcp accept: $!" ); + next; + }; + + # make client non-blocking! + $from_client->blocking(0); + + # read plain text data + my $buf = ''; + while ( length($buf) <9 ) { + sysread( $from_client, $buf,9-length($buf),length($buf) ) && next; + die "sysread failed: $!" if $! != EWOULDBLOCK && $! != EAGAIN; + IO::Select->new( $from_client )->can_read(30); + } + $buf eq 'plaintext' || print "not "; + ok( "received plain text" ); + + # upgrade socket to IO::Socket::SSL + # no handshake yet + if ( ! 
IO::Socket::SSL->start_SSL( $from_client, + SSL_startHandshake => 0, + SSL_server => 1, + SSL_verify_mode => 0x00, + SSL_ca_file => "t/certs/test-ca.pem", + SSL_use_cert => 1, + SSL_cert_file => "t/certs/client-cert.pem", + SSL_key_file => "t/certs/client-key.enc", + SSL_passwd_cb => sub { return "opossum" }, + )) { + diag( 'start_SSL return undef' ); + print "not "; + } elsif ( !UNIVERSAL::isa( $from_client,'IO::Socket::SSL' ) ) { + diag( 'failed to upgrade socket' ); + print "not "; + } + ok( "upgrade to_client to IO::Socket::SSL" ); + + sleep(5) if $test eq 'slow'; # wait until client calls connect_SSL + + # SSL handshake thru accept_SSL + # if test is 'fast' (e.g. client is 'slow') we expect the first + # accept_SSL attempt to fail because client did not call connect_SSL yet + my $attempts = 0; + while ( 1 ) { + $from_client->accept_SSL && last; + if ( $SSL_ERROR == SSL_WANT_READ ) { + $attempts++; + IO::Select->new($from_client)->can_read(30) && next; # retry if can read + } elsif ( $SSL_ERROR == SSL_WANT_WRITE ) { + $attempts++; + IO::Select->new($from_client)->can_write(30) && next; # retry if can write + } else { + diag( "failed to ssl accept ($test): $@" ); + print "not "; + last; + } + } + ok( "ssl accept handshake done" ); + + if ( $test eq 'fast' ) { + print "not " if !$attempts; + ok( "nonblocking accept_SSL with $attempts attempts" ); + } + + # reading 10 bytes + # then sleeping so that buffers from client to server gets + # filled up and clients receives EWOULDBLOCK+SSL_WANT_WRITE + + IO::Select->new( $from_client )->can_read(30); + ( sysread( $from_client, $buf,10 ) == 10 ) || print "not "; + #diag($buf); + ok( "received client message" ); + + sleep(5); + my $bytes_received = 10; + + # read up to 30000 bytes from client, then close the socket + my $can; + READ: + while ( ( my $diff = 30000 - $bytes_received ) > 0 ) { + if ( $can && ! 
IO::Select->new($from_client)->$can(30)) { + diag("failed $can"); + print "not "; + last READ; + } + my $n = sysread( $from_client,my $buf,$diff ); + if ( !defined($n) ) { + diag( "\$!=$! \$SSL_ERROR=$SSL_ERROR" ); + if ( $! == EWOULDBLOCK || $! == EAGAIN ) { + if ( $SSL_ERROR == SSL_WANT_READ ) { + $attempts++; + $can = 'can_read'; + } elsif ( $SSL_ERROR == SSL_WANT_WRITE ) { + $attempts++; + $can = 'can_write'; + } else { + $can = 'can_read'; + } + } else { + print "not "; + last READ; + } + next; + } elsif ( $n == 0 ) { + diag( "connection closed" ); + last READ; + } elsif ( $n<0 ) { + diag( "sysread returned $n!" ); + print "not "; + last READ; + } + + $bytes_received += $n; + #diag( "read of $n bytes total $bytes_received" ); + } + + diag( "read $bytes_received ($attempts r/w attempts)" ); + close($from_client); + } + + # wait until client exits + wait; +} + +exit; + + + +sub ok { unshift @_, "ok # "; goto &_out } +sub diag { unshift @_, "# "; goto &_out } +sub _out { + my $prefix = shift; + printf "%s [%04d.%s:%03d] %s\n", + $prefix, + time() - $START, + $ID, + (caller())[2], + "@_"; +} diff --git a/cpan/IO-Socket-SSL/t/npn.t b/cpan/IO-Socket-SSL/t/npn.t new file mode 100644 index 000000000000..4f029f8be4fc --- /dev/null +++ b/cpan/IO-Socket-SSL/t/npn.t 
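Review bot: In the server's plain-text read loop, `sysread( $from_client, $buf,9-length($buf),length($buf) ) && next;` treats a 0 return (peer closed) the same as an error, but at EOF `$!` holds whatever an earlier call left and `can_read(30)` should return immediately on a closed socket, so a client that dies before sending `plaintext` likely spins this loop instead of failing the test. Checking the return explicitly avoids it: `my $n = sysread( $from_client, $buf,9-length($buf),length($buf) );` then `next if $n;` and `die "client closed before plaintext" if defined $n;`, keeping the existing `$!` check for the undef case. The `elsif ( $n<0 )` branches after both `syswrite` and `sysread` are unreachable, since those built-ins return undef on error rather than a negative count.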
@@ -0,0 +1,81 @@ +#!perl +# Before `make install' is performed this script should be runnable with +# `make test'. After `make install' it should work as `perl t/dhe.t' + +use strict; +use warnings; +use Net::SSLeay; +use Socket; +use IO::Socket::SSL; +do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; + +# check if we have NPN available +# if it is available +if ( ! IO::Socket::SSL->can_npn ) { + print "1..0 # Skipped: NPN not available in Net::SSLeay\n"; + exit +} + +$|=1; +print "1..5\n"; + +# first create simple ssl-server +my $ID = 'server'; +my $addr = '127.0.0.1'; +my $server = IO::Socket::SSL->new( + LocalAddr => $addr, + Listen => 2, + SSL_version => 'SSLv23:!TLSv1_3', # NPN does not exist in TLSv1.3 + # https://github.com/openssl/openssl/issues/3665 + SSL_cert_file => 't/certs/server-cert.pem', + SSL_key_file => 't/certs/server-key.pem', + SSL_npn_protocols => [qw(one two)], +) || do { + ok(0,$!); + exit +}; +ok(1,"Server Initialization at $addr"); + +# add server port to addr +$addr = "$addr:".$server->sockport; +print "# server at $addr\n"; + +my $pid = fork(); +if ( !defined $pid ) { + die $!; # fork failed + +} elsif ( !$pid ) { ###### Client + + $ID = 'client'; + close($server); + my $to_server = IO::Socket::SSL->new( + PeerAddr => $addr, + Domain => AF_INET, + SSL_verify_mode => 0, + SSL_npn_protocols => [qw(two three)], + ) or do { + ok(0, "connect failed: ".IO::Socket::SSL->errstr() ); + exit + }; + ok(1,"client connected" ); + my $proto = $to_server->next_proto_negotiated; + ok($proto eq 'two',"negotiated $proto"); + + +} else { ###### Server + + my $to_client = $server->accept or do { + ok(0,"accept failed: ".$server->errstr() ); + kill(9,$pid); + exit; + }; + ok(1,"Server accepted" ); + my $proto = $to_client->next_proto_negotiated; + ok($proto eq 'two',"negotiated $proto"); + wait; +} + +sub ok { + my $ok = shift; + print $ok ? '' : 'not ', "ok # [$ID] @_\n"; +} 
diff --git a/cpan/IO-Socket-SSL/t/plain_upgrade_downgrade.t b/cpan/IO-Socket-SSL/t/plain_upgrade_downgrade.t new file mode 100644 index 000000000000..fcb95b2aa48b --- /dev/null +++ b/cpan/IO-Socket-SSL/t/plain_upgrade_downgrade.t 
@@ -0,0 +1,155 @@ +use strict; +use warnings; +use Socket; +use IO::Socket::SSL; +use IO::Socket::SSL::Utils; +use Test::More; +do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; + +# create listener +IO::Socket::SSL::default_ca('t/certs/test-ca.pem'); +my $server = IO::Socket::SSL->new( + LocalAddr => '127.0.0.1', + LocalPort => 0, + Listen => 2, + SSL_cert_file => 't/certs/server-cert.pem', + SSL_key_file => 't/certs/server-key.pem', + # start as plain and upgrade later + SSL_startHandshake => 0, +) || die "not ok #tcp listen failed: $!\n"; +my $saddr = $server->sockhost.':'.$server->sockport; +#diag("listen at $saddr"); + +# fork child for server +defined( my $pid = fork() ) || die $!; +if ( ! $pid ) { + $SIG{ALRM} = sub { die "server timed out" }; + while (1) { + alarm(30); + my $cl = $server->accept; + diag("server accepted new client"); + #${*$cl}{_SSL_ctx} or die "accepted socket has no SSL context"; + ${*$cl}{_SSL_object} and die "accepted socket is already SSL"; + + # try to find out if we start with TLS immediately (peek gets data from + # client hello) or have some plain data initially (peek gets these + # plain data) + diag("wait for initial data from client"); + my $buf = ''; + while (length($buf)<3) { + vec(my $rin='',fileno($cl),1) = 1; + my $rv = select($rin,undef,undef,10); + die "timeout waiting for data from client" if ! $rv; + die "something wrong: $!" if $rv<0; + $cl->peek($buf,3); + $buf eq '' and die "eof from client"; + diag("got 0x".unpack("H*",$buf)." 
from client"); + } + + if ($buf eq "end") { + # done + diag("client requested end of tests"); + exit(0); + } + + if ($buf eq 'foo') { + # initial plain dialog + diag("server: got plain data at start of connection"); + read($cl,$buf,3) or die "failed to read"; + $buf eq 'foo' or die "read($buf) different from peek"; + print $cl "bar"; # reply + } + + # now we upgrade to TLS + diag("server: TLS upgrade"); + $cl->accept_SSL or die "failed to SSL upgrade server side: $SSL_ERROR"; + ${*$cl}{_SSL_object} or die "no SSL object after accept_SSL"; + read($cl,$buf,6) or die "failed to ssl read"; + $buf eq 'sslfoo' or die "wrong data received from client '$buf'"; + print $cl "sslbar"; + + # now we downgrade from TLS to plain and try to exchange some data + diag("server: TLS downgrade"); + $cl->stop_SSL or die "failed to stop SSL"; + ${*$cl}{_SSL_object} and die "still SSL object after stop_SSL"; + read($cl,$buf,3); + $buf eq 'foo' or die "wrong data received from client '$buf'"; + print $cl "bar"; + + # now we upgrade again to TLS + diag("server: TLS upgrade#2"); + $cl->accept_SSL or die "failed to SSL upgrade server side"; + ${*$cl}{_SSL_object} or die "no SSL object after accept_SSL"; + read($cl,$buf,6) or die "failed to ssl read"; + $buf eq 'sslfoo' or die "wrong data received from client '$buf'"; + print $cl "sslbar"; + } +} + +# client +close($server); # close server in client +$SIG{ALRM} = sub { die "client timed out" }; + +plan tests => 15; + +for my $test ( + [qw(newINET start_SSL stop_SSL start_SSL)], + [qw(newSSL stop_SSL connect_SSL)], + [qw(newSSL:0 connect_SSL stop_SSL connect_SSL)], + [qw(newSSL:0 start_SSL stop_SSL connect_SSL)], +) { + my $cl; + diag("-- test: @$test"); + for my $act (@$test) { + if (eval { + if ($act =~m{newSSL(?::(.*))?$} ) { + $cl = IO::Socket::SSL->new( + PeerAddr => $saddr, + Domain => AF_INET, + defined($1) ? (SSL_startHandshake => $1):(), + ) or die "failed to connect: $!|$SSL_ERROR"; + if ( ! 
defined($1) || $1 ) { + ${*$cl}{_SSL_object} or die "no SSL object"; + } else { + ${*$cl}{_SSL_object} and die "have SSL object"; + } + } elsif ($act eq 'newINET') { + $cl = IO::Socket::INET->new($saddr) + or die "failed to connect: $!"; + } elsif ($act eq 'stop_SSL') { + $cl->stop_SSL or die "stop_SSL failed: $SSL_ERROR"; + ${*$cl}{_SSL_object} and + die "still having SSL object after stop_SSL"; + } elsif ($act eq 'connect_SSL') { + $cl->connect_SSL or die "connect_SSL failed: $SSL_ERROR"; + ${*$cl}{_SSL_object} or die "no SSL object after connect_SSL"; + } elsif ($act eq 'start_SSL') { + IO::Socket::SSL->start_SSL($cl) or + die "start_SSL failed: $SSL_ERROR"; + ${*$cl}{_SSL_object} or die "no SSL object after start_SSL"; + } else { + die "unknown action $act" + } + if (${*$cl}{_SSL_object}) { + print $cl "sslfoo"; + read($cl, my $buf,6); + $buf eq 'sslbar' or die "wrong response with ssl: $buf"; + } else { + print $cl "foo"; + read($cl, my $buf,3); + $buf eq 'bar' or die "wrong response without ssl: $buf"; + } + }) { + pass($act); + } else { + fail("$act: $@"); + last; # slip rest + } + } +} + +# make server exit +alarm(10); +my $cl = IO::Socket::INET->new($saddr); +print $cl "end" if $cl; +wait; diff --git a/cpan/IO-Socket-SSL/t/protocol_version.t b/cpan/IO-Socket-SSL/t/protocol_version.t new file mode 100644 index 000000000000..0e0fe441ec88 --- /dev/null +++ b/cpan/IO-Socket-SSL/t/protocol_version.t 
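Review bot: The client installs `$SIG{ALRM} = sub { die "client timed out" };` but only arms `alarm(10)` for the final "end" message, so none of the `read($cl, my $buf,6)` calls inside the action loop are bounded; if the server child stalls without closing the socket, the client blocks indefinitely and the `fail("$act: $@")` path with its `last` is never reached. Calling `alarm(30);` at the top of the `for my $act (@$test)` body and `alarm(0);` after the `eval` closes that gap and matches the per-accept `alarm(30)` the server side already uses. A `die` raised from the handler propagates through the surrounding `eval`, so it surfaces as a normal failed action.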
@@ -0,0 +1,143 @@ +#!perl + +use strict; +use warnings; +use Test::More; +use Socket; +use IO::Socket::SSL; +do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; + +plan skip_all => "Test::More has no done_testing" + if !defined &done_testing; + +$|=1; + +my $XDEBUG = 0; +my @versions = qw(SSLv3 TLSv1 TLSv1_1 TLSv1_2 TLSv1_3); + +my $server = IO::Socket::SSL->new( + LocalAddr => '127.0.0.1', + LocalPort => 0, + Listen => 2, + SSL_server => 1, + SSL_startHandshake => 0, + SSL_version => 'SSLv23', # allow SSLv3 too + SSL_cert_file => 't/certs/server-cert.pem', + SSL_key_file => 't/certs/server-key.pem', +) or BAIL_OUT("cannot listen on localhost: $!"); +print "not ok\n", exit if !$server; +my $saddr = $server->sockhost().':'.$server->sockport(); +$XDEBUG && diag("server at $saddr"); + +defined( my $pid = fork() ) or BAIL_OUT("fork failed: $!"); +if ($pid == 0) { + close($server); + my $check = sub { + my ($ver,$expect) = @_; + $XDEBUG && diag("try $ver, expect $expect"); + # Hoping that this isn't necessary, but just in case we get a TCP + # failure rather than SSL failure, wiping the previous value here + # seems like it might be a useful precaution: + $SSL_ERROR = ''; + + my $cl = IO::Socket::SSL->new( + PeerAddr => $saddr, + Domain => AF_INET, + SSL_startHandshake => 0, + SSL_verify_mode => 0, + SSL_version => $ver, + ) or do { + # Might bail out before the starttls if we provide a known-unsupported + # version, for example SSLv3 on openssl 1.0.2+ + if($SSL_ERROR =~ /$ver not supported|null ssl method passed/) { + $XDEBUG && diag("SSL connect failed with $ver: $SSL_ERROR"); + return; + } + die "connection with $ver failed: $! 
(SSL error: $SSL_ERROR)"; + }; + $XDEBUG && diag("TCP connected"); + print $cl "starttls $ver $expect\n"; + <$cl>; + if (!$cl->connect_SSL) { + $XDEBUG && diag("SSL upgrade failed with $ver: $SSL_ERROR"); + return; + } + $XDEBUG && diag("SSL connect done"); + return $cl->get_sslversion(); + }; + my $stop = sub { + my $cl = IO::Socket::INET->new($saddr) or return; + print $cl "quit\n"; + }; + + # find out the best protocol version the server can + my %supported; + my $ver = $check->('SSLv23','') or die "connect to server failed: $!"; + $XDEBUG && diag("best protocol version: $ver"); + + for (@versions, 'foo') { + $supported{$_} = 1; + $ver eq $_ and last; + } + die "best protocol version server supports is $ver" if $supported{foo}; + + # Check if the OpenSSL was compiled without support for specific protocols + for(qw(SSLv3 TLSv1 TLSv1_1 TLSv1_2 TLSv1_3)) { + if ( ! $check->($_,'')) { + diag("looks like OpenSSL was compiled without $_ support"); + delete $supported{$_}; + } + } + + for my $ver (@versions) { + next if ! 
$supported{$ver}; + # requesting only this version should be done with this version + $check->($ver,$ver); + # requesting SSLv23 and disallowing anything better should give $ver too + my $sslver = "SSLv23"; + for(reverse grep { $supported{$_} } @versions) { + last if $_ eq $ver; + $sslver .= ":!$_"; + } + $check->($sslver,$ver); + } + + $stop->(); + exit(0); +} + +vec( my $vs = '',fileno($server),1) = 1; +while (select( my $rvs = $vs,undef,undef,15 )) { + $XDEBUG && diag("got read event"); + my $cl = $server->accept or do { + $XDEBUG && diag("accept failed: $!"); + next; + }; + $XDEBUG && diag("TCP accept done"); + my $cmd = <$cl>; + $XDEBUG && diag("got command $cmd"); + my ($ver,$expect) = $cmd =~m{^starttls (\S+) (\S*)} or do { + $XDEBUG && diag("finish"); + done_testing() if $cmd =~m/^quit/; + last; + }; + print $cl "ok\n"; + $cl->accept_SSL() or do { + $XDEBUG && diag("accept_SSL failed: $SSL_ERROR"); + if ($expect) { + fail("accept $ver"); + } else { + diag("failed to accept $ver"); + } + next; + }; + $XDEBUG && diag("SSL accept done"); + if ($expect) { + is($cl->get_sslversion,$expect,"accept $ver with $expect"); + } else { + pass("accept $ver with any, got ".$cl->get_sslversion); + } + close($cl); +} + +wait; diff --git a/cpan/IO-Socket-SSL/t/public_suffix_lib.pl b/cpan/IO-Socket-SSL/t/public_suffix_lib.pl new file mode 100644 index 000000000000..db5427b9d118 --- /dev/null +++ b/cpan/IO-Socket-SSL/t/public_suffix_lib.pl 
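Review bot: In the server loop, `my $cmd = <$cl>;` is undef when a client connects and closes without sending a line, and the following `$cmd =~m{^starttls (\S+) (\S*)}` and `$cmd =~m/^quit/` then operate on an undefined value under `use warnings`; add `defined $cmd or next;` before the match. The child's `for(qw(SSLv3 TLSv1 TLSv1_1 TLSv1_2 TLSv1_3))` duplicates `@versions` declared at the top, so the two lists can drift apart; `for (@versions)` keeps a single source of truth. The outer `my $ver = $check->('SSLv23','')` is then shadowed by `for my $ver (@versions)`, which is legal but reads badly; naming the first one `$best` would avoid the shadowing, and its `die "connect to server failed: $!"` would be more useful with `$SSL_ERROR` appended, as the other messages in this file do.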
@@ -0,0 +1,221 @@ +use strict; +use warnings; +use Test::More; +use utf8; + +my $ps; +sub run_with_lib { + my @idnlib = @_; + my %require = ( + 'URI::_idna' => 0, + 'Net::LibIDN' => 0, + 'Net::IDN::Encode' => 0, + map { $_ => 1 } @idnlib, + ); + + my %block; + my $can_idn; + while ( my ($lib,$load) = each %require ) { + if ( $load ) { + $can_idn = eval "require $lib"; + } else { + $lib =~s{::}{/}g; + $block{"$lib.pm"} = 1; + } + } + unshift @INC, sub { + return sub {0} if $block{$_[1]}; + return; + }; + + require IO::Socket::SSL::PublicSuffix; + + plan tests => 79; + + + # all one-level, but co.uk two-level + $ps = IO::Socket::SSL::PublicSuffix->from_string("*\nco.uk"); + ok($ps,"create two-level"); + minimal_private_suffix('com','','com'); + minimal_private_suffix('bar.com','','bar.com'); + minimal_private_suffix('www.bar.com','www','bar.com'); + minimal_private_suffix('www.foo.bar.com','www.foo','bar.com'); + minimal_private_suffix('uk','','uk'); + minimal_private_suffix('co.uk','','co.uk'); + minimal_private_suffix('www.co.uk','','www.co.uk'); + minimal_private_suffix('www.bar.co.uk','www','bar.co.uk'); + minimal_private_suffix('www.foo.bar.co.uk','www.foo','bar.co.uk'); + minimal_private_suffix('bl.uk','','bl.uk'); + minimal_private_suffix('www.bl.uk','www','bl.uk'); + minimal_private_suffix('www.bar.bl.uk','www.bar','bl.uk'); + minimal_private_suffix('www.foo.bar.bl.uk','www.foo.bar','bl.uk'); + + + $ps = IO::Socket::SSL::PublicSuffix->default(min_suffix => 0); + # taken from Mozilla::PublicSuffix 0.1.18 t/01-psuffix.t ------ + # Obviously invalid input: + is public_suffix(undef), undef; + is public_suffix(''), undef; + is public_suffix([]), undef; + + # Mixed case: + is public_suffix('COM'), 'com'; + is public_suffix('example.COM'), 'com'; + is public_suffix('WwW.example.COM'), 'com'; + is public_suffix('123bar.com'), 'com'; + is public_suffix('foo.123bar.com'), 'com'; + + if(0) { + # behaves different + # - we return '' instead of undef if unknown extension 
+ # - we return com with *.com + # Leading dot: + is public_suffix('.com'), undef; + is public_suffix('.example'), undef; + is public_suffix('.example.com'), undef; + is public_suffix('.example.example'), undef; + + # Unlisted TLD: + is public_suffix('example'), undef; + is public_suffix('example.example'), undef; + is public_suffix('b.example.example'), undef; + is public_suffix('a.b.example.example'), undef; + + # Listed, but non-Internet, TLD: + is public_suffix('local'), undef; + is public_suffix('example.local'), undef; + is public_suffix('b.example.local'), undef; + is public_suffix('a.b.example.local'), undef; + } else { + # Leading dot: + is public_suffix('.com'), 'com'; + is public_suffix('.example'), ''; + is public_suffix('.example.com'), 'com'; + is public_suffix('.example.example'), ''; + + # Unlisted TLD: + is public_suffix('example'), ''; + is public_suffix('example.example'), ''; + is public_suffix('b.example.example'), ''; + is public_suffix('a.b.example.example'), ''; + + # Listed, but non-Internet, TLD: + is public_suffix('local'), ''; + is public_suffix('example.local'), ''; + is public_suffix('b.example.local'), ''; + is public_suffix('a.b.example.local'), ''; + } + + # TLD with only one rule: + is public_suffix('biz'), 'biz'; + is public_suffix('domain.biz'), 'biz'; + is public_suffix('b.domain.biz'), 'biz'; + is public_suffix('a.b.domain.biz'), 'biz'; + + # TLD with some two-level rules: + is public_suffix('com'), 'com'; + is public_suffix('example.com'), 'com'; + is public_suffix('b.example.com'), 'com'; + is public_suffix('a.b.example.com'), 'com'; + + # uk.com is not in the ICANN part of the list + if(0) { + is public_suffix('uk.com'), 'uk.com'; + is public_suffix('example.uk.com'), 'uk.com'; + is public_suffix('b.example.uk.com'), 'uk.com'; + is public_suffix('a.b.example.uk.com'), 'uk.com'; + } + is public_suffix('test.ac'), 'ac'; + + # TLD with only one (wildcard) rule: + if(0) { + # we return '' not undef + is public_suffix('bd'), 
undef; + } else { + is public_suffix('bd'), ''; + } + is public_suffix('c.bd'), 'c.bd'; + is public_suffix('b.c.bd'), 'c.bd'; + is public_suffix('a.b.c.bd'), 'c.bd'; + + # More complex suffixes: + is public_suffix('jp'), 'jp'; + is public_suffix('test.jp'), 'jp'; + is public_suffix('www.test.jp'), 'jp'; + is public_suffix('ac.jp'), 'ac.jp'; + is public_suffix('test.ac.jp'), 'ac.jp'; + is public_suffix('www.test.ac.jp'), 'ac.jp'; + is public_suffix('kyoto.jp'), 'kyoto.jp'; + is public_suffix('c.kyoto.jp'), 'kyoto.jp'; + is public_suffix('b.c.kyoto.jp'), 'kyoto.jp'; + is public_suffix('a.b.c.kyoto.jp'), 'kyoto.jp'; + is public_suffix('ayabe.kyoto.jp'), 'ayabe.kyoto.jp'; + is public_suffix('test.kobe.jp'), 'test.kobe.jp'; # Wildcard rule. + is public_suffix('www.test.kobe.jp'), 'test.kobe.jp'; # Wildcard rule. + is public_suffix('city.kobe.jp'), 'kobe.jp'; # Exception rule. + is public_suffix('www.city.kobe.jp'), 'kobe.jp'; # Identity rule. + + # TLD with a wildcard rule and exceptions: + if(0) { + # we return '' not undef + is public_suffix('ck'), undef; + } else { + is public_suffix('ck'), ''; + } + is public_suffix('test.ck'), 'test.ck'; + is public_suffix('b.test.ck'), 'test.ck'; + is public_suffix('a.b.test.ck'), 'test.ck'; + is public_suffix('www.ck'), 'ck'; + is public_suffix('www.www.ck'), 'ck'; + + # US K12: + is public_suffix('us'), 'us'; + is public_suffix('test.us'), 'us'; + is public_suffix('www.test.us'), 'us'; + is public_suffix('ak.us'), 'ak.us'; + is public_suffix('test.ak.us'), 'ak.us'; + is public_suffix('www.test.ak.us'), 'ak.us'; + is public_suffix('k12.ak.us'), 'k12.ak.us'; + is public_suffix('test.k12.ak.us'), 'k12.ak.us'; + is public_suffix('www.test.k12.ak.us'), 'k12.ak.us'; + + # Domains and gTLDs with characters outside the ASCII range: + SKIP: { + if ( $can_idn ) { + is public_suffix('test.敎育.hk'), '敎育.hk'; + is public_suffix('ਭਾਰਤ.ਭਾਰਤ'), 'ਭਾਰਤ'; + } else { + skip "no IDN support with @idnlib",2 + } + } +} + + +sub minimal_private_suffix { 
+ my $host = shift; + if ( @_ == 2 ) { + my ($rest,$suffix) = @_; + my @r = $ps->public_suffix($host,+1); + if ( $r[0] eq $rest and $r[1] eq $suffix ) { + pass("$host -> $rest + $suffix"); + } else { + fail("$host -> $r[0]($rest) + $r[1]($suffix)"); + } + } elsif ( @_ == 1 ) { + my ($expect_suffix) = @_; + my $got_suffix = $ps->public_suffix($host,+1); + is( $got_suffix,$expect_suffix, "$host -> suffix=$expect_suffix"); + } else { + die "@_"; + } +} + +sub public_suffix { + my $host = shift; + my $suffix = $ps->public_suffix($host); + return $suffix; +} + +1; + + diff --git a/cpan/IO-Socket-SSL/t/public_suffix_lib_encode_idn.t b/cpan/IO-Socket-SSL/t/public_suffix_lib_encode_idn.t new file mode 100644 index 000000000000..ed4d4e2db5bc --- /dev/null +++ b/cpan/IO-Socket-SSL/t/public_suffix_lib_encode_idn.t @@ -0,0 +1,6 @@ +use strict; +use warnings; +use FindBin; + +require "$FindBin::Bin/public_suffix_lib.pl"; +run_with_lib( 'Net::IDN::Encode' ); diff --git a/cpan/IO-Socket-SSL/t/public_suffix_lib_libidn.t b/cpan/IO-Socket-SSL/t/public_suffix_lib_libidn.t new file mode 100644 index 000000000000..70b0b782a532 --- /dev/null +++ b/cpan/IO-Socket-SSL/t/public_suffix_lib_libidn.t @@ -0,0 +1,6 @@ +use strict; +use warnings; +use FindBin; + +require "$FindBin::Bin/public_suffix_lib.pl"; +run_with_lib( 'Net::LibIDN' ); diff --git a/cpan/IO-Socket-SSL/t/public_suffix_lib_uri.t b/cpan/IO-Socket-SSL/t/public_suffix_lib_uri.t new file mode 100644 index 000000000000..eb5f332c4342 --- /dev/null +++ b/cpan/IO-Socket-SSL/t/public_suffix_lib_uri.t @@ -0,0 +1,6 @@ +use strict; +use warnings; +use FindBin; + +require "$FindBin::Bin/public_suffix_lib.pl"; +run_with_lib( 'URI::_idna' ); diff --git a/cpan/IO-Socket-SSL/t/public_suffix_ssl.t b/cpan/IO-Socket-SSL/t/public_suffix_ssl.t new file mode 100644 index 000000000000..18981f80504c --- /dev/null +++ b/cpan/IO-Socket-SSL/t/public_suffix_ssl.t 
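Review bot: Nearly all of the `is public_suffix(...), ...;` assertions in run_with_lib carry no description, so any failure in this 79-test plan is reported only by line number; passing the input as the description, e.g. `is public_suffix('ac.jp'), 'ac.jp', 'ac.jp';`, or routing the calls through a small helper that does so, makes the TAP output self-explaining. The `if(0) { ... } else { ... }` blocks that record where this implementation differs from Mozilla::PublicSuffix (returning '' instead of undef, 'com' for '.com', uk.com not in the ICANN section) keep dead assertions in executable form; a comment listing the deviations next to the live assertions says the same thing without code that can never run. `$can_idn = eval "require $lib";` is a string eval, but `$lib` only ever comes from the fixed names in `%require`/`@idnlib`, so it is acceptable here — a comment such as `# string eval: $lib is one of the fixed module names above, never caller input` would make that explicit for a later reader.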
@@ -0,0 +1,101 @@ +use strict; +use warnings; +use IO::Socket::SSL; +use IO::Socket::SSL::Utils; +use Test::More; +do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; + +my @tests = qw( + fail:com|* + ok:com|com + fail:googleapis.com|*.com + ok:googleapis.com|googleapis.com + ok:ajax.googleapis.com|*.googleapis.com + ok:s3.amazonaws.com|s3.amazonaws.com + ok:foo.s3.amazonaws.com|*.s3.amazonaws.com + fail:google.com|*.com + ok:google.com|google.com + ok:www.google.com|*.google.com + ok:www.bar.com|*.bar.com + ok:www.foo.bar.com|*.foo.bar.com + ok:www.foo.co.uk|*.foo.co.uk + fail:www.co.uk|*.co.uk + fail:co.uk|*.uk + ok:bl.uk|bl.uk + ok:www.bl.uk|*.bl.uk + fail:bar.kobe.jp|*.kobe.jp + fail:foo.bar.kobe.jp|*.bar.kobe.jp + ok:www.foo.bar.kobe.jp|*.foo.bar.kobe.jp + fail:city.kobe.jp|*.kobe.jp + ok:city.kobe.jp|city.kobe.jp + ok:www.city.kobe.jp|*.city.kobe.jp + fail:nodomain|* + fail:foo.nodomain|*.nodomain + ok:www.foo.nodomain|*.foo.nodomain +); + +$|=1; +plan tests => 0+@tests; + +# create listener +my $server = IO::Socket::INET->new( + LocalAddr => '127.0.0.1', + LocalPort => 0, + Listen => 2, +) || die "not ok #tcp listen failed: $!\n"; +my $saddr = $server->sockhost.':'.$server->sockport; +#diag("listen at $saddr"); + +# create CA - certificates will be created on demand +my ($cacert,$cakey) = CERT_create( CA => 1 ); + +defined( my $pid = fork() ) || die $!; +if ( ! 
$pid ) { + while (@tests) { + my $cl = $server->accept or next; + shift(@tests); # only for counting + # client initially sends line with expected CN + defined( my $cn = <$cl> ) or do { + warn "failed to get expected name from client, remaining ".(0+@tests); + next; + }; + chop($cn); + print $cl "ok\n"; + my ($cert,$key) = CERT_create( + subject => { CN => $cn }, + issuer => [ $cacert,$cakey ], + key => $cakey, # reuse to speed up + ); + #diag("created cert for $cn"); + <$cl> if IO::Socket::SSL->start_SSL($cl, + SSL_server => 1, + SSL_cert => $cert, + SSL_key => $key, + ); + } + exit(0); +} + +# if anything blocks - this will at least finish the test +alarm(60); +$SIG{ALRM} = sub { die "test takes too long" }; + +close($server); +for my $test (@tests) { + my ($expect,$host,$cn) = $test=~m{^(ok|fail):(\S+)\|(\S+)} or die $test; + my $cl = IO::Socket::INET->new($saddr) or die "failed to connect: $!"; + print $cl "$cn\n"; + <$cl>; + my $sslok = IO::Socket::SSL->start_SSL($cl, + SSL_verifycn_name => $host, + SSL_verifycn_scheme => 'http', + SSL_ca => [$cacert], + ); + if ( ! $sslok ) { + is( $sslok?1:0, $expect eq 'ok' ? 1:0, "ssl $host against $cn -> $expect ($SSL_ERROR)"); + } else { + is( $sslok?1:0, $expect eq 'ok' ? 1:0, "ssl $host against $cn -> $expect"); + } +} + + diff --git a/cpan/IO-Socket-SSL/t/readline.t b/cpan/IO-Socket-SSL/t/readline.t new file mode 100644 index 000000000000..45dcc3ac1e55 --- /dev/null +++ b/cpan/IO-Socket-SSL/t/readline.t 
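Review bot: If the client side dies on the 60s alarm (or on any `die` in its loop), the forked server child is left blocking in `$server->accept` indefinitely, since nothing kills or reaps it; the sibling session_ticket.t in this commit handles the same situation with `END{ kill 9,$pid if $pid };`, and that line after `defined( my $pid = fork() ) || die $!;` would do here (in the child `$pid` is 0, so it is a no-op there). The two `is(...)` calls in the client loop differ only in whether `$SSL_ERROR` is appended and can be one call: `is( $sslok?1:0, $expect eq 'ok' ? 1:0, "ssl $host against $cn -> $expect" . ($sslok ? '' : " ($SSL_ERROR)"));`. `chop($cn)` removes the last character unconditionally, whereas `chomp($cn)` removes only the trailing newline that the client's `print $cl "$cn\n"` produces.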
@@ -0,0 +1,171 @@ +#!perl +# Before `make install' is performed this script should be runnable with +# `make test'. After `make install' it should work as `perl t/readline.t' + +# This tests the behavior of readline with the variety of +# cases with $/: +# $/ undef - read all +# $/ '' - read up to next nonempty line: .*?\n\n+ +# $/ s - read up to string s +# $/ \$num - read $num bytes +# scalar context - get first match +# array context - get all matches + +use strict; +use warnings; +use Net::SSLeay; +use Socket; +use IO::Socket::SSL; +do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; + +my @tests; +push @tests, [ + "multi\nple\n\n1234567890line\n\n\n\nbla\n\nblubb\n\nblip", + sub { + my $c = shift; + local $/ = "\n\n"; + my $b; + ($b=<$c>) eq "multi\nple\n\n" || die "LFLF failed ($b)"; + $/ = \"10"; + ($b=<$c>) eq "1234567890" || die "\\size failed ($b)"; + $/ = ''; + ($b=<$c>) eq "line\n\n\n\n" || die "'' failed ($b)"; + my @c = <$c>; + die "'' @ failed: @c" unless $c[0] eq "bla\n\n" && + $c[1] eq "blubb\n\n" && + $c[2] eq "blip" && @c == 3; + }, +]; + +push @tests, [ + "some\nstring\nwith\nsome\nlines\nwhatever", + sub { + my $c = shift; + local $/ = "\n"; + my $b; + ($b=<$c>) eq "some\n" || die "LF failed ($b)"; + $/ = undef; + ($b=<$c>) eq "string\nwith\nsome\nlines\nwhatever" || die "undef failed ($b)"; + }, +]; + +push @tests, [ + "some\nstring\nwith\nsome\nlines\nwhatever", + sub { + my $c = shift; + local $/ = "\n"; + my @c = <$c>; + die "LF @ failed: @c" unless $c[0] eq "some\n" && + $c[1] eq "string\n" && $c[2] eq "with\n" && $c[3] eq "some\n" && + $c[4] eq "lines\n" && $c[5] eq "whatever" && @c == 6; + + }, +]; + +push @tests, [ + "some\nstring\nwith\nsome\nlines\nwhatever", + sub { + my $c = shift; + local $/; + my @c = <$c>; + die "undef @ failed: @c" unless + $c[0] eq "some\nstring\nwith\nsome\nlines\nwhatever" + && @c == 1; + + }, +]; + +push @tests, [ + "1234567890", + sub { + my $c = shift; + local $/ = \2; + my @c = <$c>; + die "\\2 
@ failed: @c" unless + $c[0] eq '12' && $c[1] eq '34' && $c[2] eq '56' && + $c[3] eq '78' && $c[4] eq '90' && @c == 5; + + }, +]; + +push @tests, [ + [ "bla\n","0","blubb\n","no newline" ], + sub { + my $c = shift; + my $l = <$c>; + $l eq "bla\n" or die "'bla\\n' failed"; + $l = <$c>; + $l eq "0blubb\n" or die "'0blubb\\n' failed"; + $l = <$c>; + $l eq "no newline" or die "'no newline' failed"; + }, +]; + +$|=1; +print "1..".(1+3*@tests)."\n"; + + +# first create simple ssl-server +my $ID = 'server'; +my $addr = '127.0.0.1'; +my $server = IO::Socket::SSL->new( + LocalAddr => $addr, + Listen => 2, + ReuseAddr => 1, + SSL_cert_file => "t/certs/server-cert.pem", + SSL_key_file => "t/certs/server-key.pem", +) || do { + notok($!); + exit +}; +ok("Server Initialization"); + +# add server port to addr +$addr.= ':'.(sockaddr_in( getsockname( $server )))[0]; + +my $pid = fork(); +if ( !defined $pid ) { + die $!; # fork failed + +} elsif ( $pid ) { ###### Server + + foreach my $test (@tests) { + my $to_client = $server->accept || do { + notok( "accept failed: ".$server->errstr() ); + kill(9,$pid); + exit; + }; + ok( "Server accepted" ); + $to_client->autoflush; + my $t = $test->[0]; + $t = [$t] if ! ref($t); + for(@$t) { + $to_client->print($_); + select(undef,undef,undef,0.1); + } + } + wait; + exit; +} + +$ID = 'client'; +close($server); +my $testid = "Test00"; +foreach my $test (@tests) { + my $to_server = IO::Socket::SSL->new( + PeerAddr => $addr, + Domain => AF_INET, + SSL_verify_mode => 0 ) || do { + notok( "connect failed: ".IO::Socket::SSL->errstr() ); + exit + }; + ok( "client connected" ); + eval { $test->[1]( $to_server ) }; + $@ ? notok( "$testid $@" ) : ok( $testid ); + $testid++ +} + + + +sub ok { print "ok # [$ID] @_\n"; } +sub notok { print "not ok # [$ID] @_\n"; } diff --git a/cpan/IO-Socket-SSL/t/session_cache.t b/cpan/IO-Socket-SSL/t/session_cache.t new file mode 100644 index 000000000000..7a43c62daeff --- /dev/null 
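Review bot: The server-side send loop `for(@$t) { $to_client->print($_); select(undef,undef,undef,0.1); }` is the core of what this test exercises, but nothing says why each fragment is written separately with a 100ms pause; a comment such as `# write fragments separately with a pause so readline has to buffer across several SSL reads — confirm this is the intent` would keep a later cleanup from merging the writes into one. `my $testid = "Test00"; ... $testid++` relies on Perl's magic string increment, which is easy to misread as a bug; `# magic string increment: Test00 -> Test01 -> ...` on the declaration would help. The plan `print "1..".(1+3*@tests)."\n"` likewise deserves `# 1 server init + per test: accept, connect, body` so the multiplier is not a mystery.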
+++ b/cpan/IO-Socket-SSL/t/session_cache.t 
@@ -0,0 +1,81 @@ +my $DEBUG = 0; + +use strict; +use warnings; +use Net::SSLeay; +use Socket; +use IO::Socket::SSL; +do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; + +$|=1; +my $numtests = 11; +print "1..$numtests\n"; + +my $ctx = IO::Socket::SSL::SSL_Context->new( + SSL_ca_file => "t/certs/test-ca.pem", + SSL_session_cache_size => 3, +); + +my $cache = $ctx->{session_cache} or do { + print "not ok \# Context init\n"; + exit; +}; +ok("Context init"); + +my $dump_cache = $DEBUG ? sub { diag($cache->_dump) } : sub {}; + +print "not " if $cache->{room} != 3; +ok("0 entries in cache, room for 3 more"); +&$dump_cache; + +$cache->add_session("bogus", 0); +print "not " if $cache->{ghead}[1] ne 'bogus'; +ok("cache head at 'bogus'"); +&$dump_cache; + +$cache->add_session("bogus1", 0); +print "not " if $cache->{room} != 1; +ok("two entries in cache, room for 1 more"); +print "not " if $cache->{ghead}[1] ne 'bogus1'; +ok("cache head at 'bogus1'"); +&$dump_cache; + +$cache->get_session("bogus"); +print "not " if $cache->{ghead}[1] ne 'bogus'; +ok("get_session moves cache head to 'bogus'"); +&$dump_cache; + +$cache->add_session("bogus", 0); +print "not " if $cache->{room} != 0; +ok("3 entries in cache, room for no more"); +&$dump_cache; + +# add another bogus and bogus1 should be removed to make room +print "not " if ! $cache->{shead}{bogus1}; +ok("bogus1 still in cache"); +&$dump_cache; + +$cache->add_session("bogus", 0); +print "not " if $cache->{room} != 0; +ok("still 3 entries in cache, room for no more"); +&$dump_cache; + +print "not " if $cache->{shead}{bogus1}; +ok("bogus1 removed from cache to make room"); + +# when removing 'bogus' the cache should be empty again +$cache->del_session('bogus'); +print "not " if $cache->{room} != 3; +ok("0 entries in cache, room for 3"); +&$dump_cache; + + +sub ok { + my $line = (caller)[2]; + print "ok # $_[0]\n"; +} +sub diag { + my $msg = shift; + $msg =~s{^}{ # }mg; + print STDERR $msg; +} 
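Review bot: In `sub ok` at the bottom, `my $line = (caller)[2];` is computed but never used, so it is dead code; either drop it or include it in the output as the sibling sessions.t does (`print "ok # $line $_[0]\n";`), which makes the unnumbered TAP lines attributable to a source line. The repeated `&$dump_cache;` uses the ampersand call form without parentheses, which passes the caller's current `@_` through to the closure; `$dump_cache->();` is the clearer call. The assertions read `$cache->{room}`, `$cache->{ghead}` and `$cache->{shead}` directly, so the test is tied to the cache's internal bookkeeping; a comment stating that this is deliberate white-box testing of the cache internals would stop the next reader from treating those keys as public API.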
diff --git a/cpan/IO-Socket-SSL/t/session_ticket.t b/cpan/IO-Socket-SSL/t/session_ticket.t
new file mode 100644
index 000000000000..f1bb2e503b40
--- /dev/null
+++ b/cpan/IO-Socket-SSL/t/session_ticket.t
@@ -0,0 +1,184 @@ +use strict; +use warnings; +use IO::Socket::SSL; +use IO::Socket::SSL::Utils; +use Test::More; +do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; + + +$|=1; +plan skip_all => 'no support for session ticket key callback' + if ! IO::Socket::SSL->can_ticket_keycb; + +plan tests => 6; + +# create two servers with the same session ticket callback +my (@server,@saddr); +for (1,2) { + my $server = IO::Socket::INET->new( + LocalAddr => '127.0.0.1', + LocalPort => 0, + Listen => 2, + ) or die "failed to create listener: $!"; + push @server,{ fd => $server }; + push @saddr, $server->sockhost.':'.$server->sockport; + diag("listen at $saddr[-1]"); +} + +# create some self signed certificate +my ($cert,$key) = CERT_create(CA => 1, + subject => { CN => 'ca' }, +); +my ($client_cert,$client_key) = CERT_create( + issuer => [ $cert,$key], + subject => { CN => 'client' }, + purpose => { client => 1 } +); +my ($server_cert,$server_key) = CERT_create( + issuer => [ $cert,$key], + subject => { CN => 'server' }, + subjectAltNames => [ + [ DNS => 'server' ], + [ IP => $saddr[0]=~m{^(.*):} && $1 ], + [ IP => $saddr[1]=~m{^(.*):} && $1 ], + ], + purpose => { server => 1 } +); + + +defined( my $pid = fork() ) || die $!; +exit(_server()) if ! $pid; +@server = (); + + + +# if anything blocks - this will at least finish the test +alarm(60); +$SIG{ALRM} = sub { die "test takes too long" }; +END{ kill 9,$pid if $pid }; + +my $clctx = IO::Socket::SSL::SSL_Context->new( + SSL_session_cache_size => 10, + SSL_cert => $client_cert, + SSL_key => $client_key, + SSL_ca => [ $cert ], + + # LibreSSL has currently no support for TLS 1.3 session handling + # therefore enforce TLS 1.2 + Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") ? + (SSL_version => 'TLSv1_2') : + # versions of Net::SSLeay with support for SESSION_up_ref have also the + # other functionality needed for proper TLS 1.3 session handling + defined(&Net::SSLeay::SESSION_up_ref) ? 
() + : (SSL_version => 'SSLv23:!TLSv1_3:!SSLv3:!SSLv2'), +); + +my $client = sub { + my ($i,$expect_reuse,$desc) = @_; + my $cl = IO::Socket::SSL->new( + PeerAddr => $saddr[$i], + SSL_reuse_ctx => $clctx, + SSL_session_key => 'server', # single key for both @saddr + ); + <$cl>; # read something, incl. TLS 1.3 ticket + my $reuse = $cl && Net::SSLeay::session_reused($cl->_get_ssl_object); + diag("connect to $i: ". ($cl + ? "success reuse=$reuse version=".$cl->get_sslversion() + : "error: $!,$SSL_ERROR" + )); + is($reuse,$expect_reuse,$desc); + close($cl); +}; + + +$client->(0,0,"no initial session -> no reuse"); +$client->(0,1,"reuse with the next session and secret[0]"); +$client->(1,1,"reuse even though server changed, since they share ticket secret"); +$client->(1,0,"reports non-reuse since server1 changed secret to secret[1]"); +$client->(0,0,"reports non-reuse on server0 since got ticket with secret[1] in last step"); +$client->(0,1,"reuse again since got ticket with secret[0] in last step"); + + +sub _server { + + # create the secrets for handling session tickets + my @secrets; + for(qw(key1 key2)) { + my $name = pack("a16",$_); + Net::SSLeay::RAND_bytes(my $key,32); + push @secrets, [ $key,$name ]; + } + + my $get_ticket_key = sub { + my (undef,$name) = @_; + if (!defined $name) { + print "creating new ticket $secrets[0][1]\n"; + return @{$secrets[0]}; + } + for(my $i=0;$i<@secrets;$i++) { + next if $secrets[$i][1] ne $name; + if ($i == 0) { + print "using current ticket secret\n"; + return @{$secrets[0]}; + } else { + print "using non-current ticket secret\n"; + return ($secrets[0][0],$secrets[$i][1]); + } + } + print "unknown ticket key name\n"; + return; + }; + + # create the SSL context + for(@server) { + $_->{sslctx} = IO::Socket::SSL::SSL_Context->new( + SSL_server => 1, + SSL_cert => $server_cert, + SSL_key => $server_key, + SSL_ca => [ $cert ], + SSL_verify_mode => SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, + SSL_ticket_keycb => $get_ticket_key, 
+ SSL_session_id_context => 'foobar', + ) or die "failed to create SSL context: $SSL_ERROR"; + } + + my $rin = ''; + vec($rin,fileno($_->{fd}),1) = 1 for @server; + while (1) { + select(my $rout = $rin,undef,undef,10) + or die "select failed or timed out: $!"; + for(my $i=0;$i<@server;$i++) { + next if ! vec($rout,fileno($server[$i]{fd}),1); + + alarm(10); + local $SIG{ALRM} = sub { die "server[$i] timed out" }; + print "access to server[$i]\n"; + + my $cl = $server[$i]{fd}->accept or do { + print "failed to TCP accept: $!\n"; + last; + }; + IO::Socket::SSL->start_SSL($cl, + SSL_server => 1, + SSL_reuse_ctx => $server[$i]{sslctx} + ) or do { + print "failed to SSL accept: $SSL_ERROR\n"; + last; + }; + + print $cl "hi\n"; + my $reuse = Net::SSLeay::session_reused($cl->_get_ssl_object); + print "server[$i] reused=$reuse\n"; + + # after access to server[1] rotate the secrets + if ($i == 1) { + print "rotate secrets\n"; + push @secrets, shift(@secrets); + } + close($cl); + alarm(0); + last; + } + } + exit(0); +} diff --git a/cpan/IO-Socket-SSL/t/sessions.t b/cpan/IO-Socket-SSL/t/sessions.t new file mode 100644 index 000000000000..f9a3e30fc459 --- /dev/null +++ b/cpan/IO-Socket-SSL/t/sessions.t 
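Review bot: In the `$client` closure, `<$cl>;` runs before the `$cl && ...` guard on the next line, so when `IO::Socket::SSL->new` fails `$cl` is undef and the readline dies under strict before `is($reuse,...)` can report the failure; `<$cl> if $cl;` (and `close($cl) if $cl;`) keeps the guard meaningful. In `_server`, the return value of `Net::SSLeay::RAND_bytes(my $key,32)` is not checked; OpenSSL reports RNG failure through that return code, and an unchecked failure would leave the ticket secret empty, so `Net::SSLeay::RAND_bytes(my $key,32) or die "RAND_bytes failed";` is worth the line even in a test. The server child's progress messages (`print "creating new ticket ..."`, `print "access to server[$i]\n"`, etc.) go to STDOUT without a `#` prefix and interleave with the parent's TAP output; writing them to STDERR or through `diag` keeps the TAP stream clean.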
@@ -0,0 +1,168 @@ +#!perl +# Before `make install' is performed this script should be runnable with +# `make test'. After `make install' it should work as `perl t/core.t' + +my $DEBUG = 0; + +use strict; +use warnings; +use Net::SSLeay; +use Socket; +use IO::Socket::SSL; +do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; + +$|=1; +my $numtests = 17; +print "1..$numtests\n"; + +my $what = 'server'; +my @servers = map { + IO::Socket::INET->new( + LocalAddr => '127.0.0.1', + LocalPort => 0, + Listen => 2, + ) +} (1..3); + +if ( grep { !$_ } @servers > 0 ) { + print "not ok # Server init\n"; + exit; +} +ok("Server initialization"); + +my @saddr = map { $_->sockhost.':'.$_->sockport } @servers; +defined(my $pid = fork()) or die "fork failed: $!"; +if ($pid == 0) { + server(); + exit(0); +} +client(); +wait; + +sub client { + $what = 'client'; + @servers = (); + my $ctx = IO::Socket::SSL::SSL_Context->new( + SSL_ca_file => "t/certs/test-ca.pem", + # make cache large enough since we get multiple tickets with TLS 1.3 + SSL_session_cache_size => 100, + # LibreSSL has currently no support for TLS 1.3 session handling + # therefore enforce TLS 1.2 + Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") ? + (SSL_version => 'TLSv1_2') : + # versions of Net::SSLeay with support for SESSION_up_ref have also the + # other functionality needed for proper TLS 1.3 session handling + defined(&Net::SSLeay::SESSION_up_ref) ? () : + (SSL_version => 'SSLv23:!TLSv1_3:!SSLv3:!SSLv2'), + ); + + my $cache = $ctx->{session_cache} or do { + print "not ok \# Context init\n"; + exit; + }; + ok("Context init"); + my $dump_cache = $DEBUG ? 
sub { diag($cache->_dump) } : sub {}; + + IO::Socket::SSL::set_default_context($ctx); + my @clients; + push @clients, IO::Socket::SSL->new(PeerAddr => $saddr[0], Domain => AF_INET); + push @clients, IO::Socket::SSL->new(PeerAddr => $saddr[1], Domain => AF_INET); + my $sock3 = IO::Socket::INET->new($saddr[2]); + push @clients, IO::Socket::SSL->start_SSL($sock3); + + if ( grep { !$_ } @clients >0 ) { + print "not ok \# Client init $SSL_ERROR\n"; + exit; + } + ok("Client init, version=".$clients[0]->get_sslversion); + + for(@clients) { + <$_>; # read ping + print $_ "pong!\n"; + } + &$dump_cache; + + print "not " if $cache->{room} >97; + ok(">=3 entries in cache: ". (100- $cache->{room})); + for(@saddr) { + $cache->{shead}{$_} or print "not "; + ok("$_ in cache"); + } + $cache->{ghead}[1] eq $saddr[2] or print "not "; + ok("latest ($saddr[2]) on top of cache"); + + for (0..2) { + # check if current session is cached + $cache->get_session($saddr[$_], + Net::SSLeay::get_session($clients[$_]->_get_ssl_object)) + or print "not "; + ok("session in client $_"); + close $clients[$_]; + } + + # check if sessions get reused + @clients = map { IO::Socket::SSL->new(PeerAddr => $_, Domain => AF_INET) } + @saddr; + for(@clients) { + print "not " if ! 
$_->get_session_reused; + ok("client $_ reused"); + <$_>; # read ping + print $_ "pong!\n"; + } + &$dump_cache; +} + +sub server { + my @ctx = map { + IO::Socket::SSL::SSL_Context->new( + SSL_server => 1, + SSL_cert_file => "t/certs/server-cert.pem", + SSL_key_file => "t/certs/server-key.pem", + SSL_ca_file => "t/certs/test-ca.pem", + ); + } @servers; + my @clients; + my $accept_all = sub { + @clients = map { undef } @servers; + for(my $i=0; $i<@servers; $i++) { + my $cl = $servers[$i]->accept or next; + IO::Socket::SSL->start_SSL($cl, + SSL_server => 1, + SSL_reuse_ctx => $ctx[$i] + ) or next; + $clients[$i] = $cl; + } + }; + &$accept_all; + if ( grep { !$_ } @clients > 0 ) { + print "not ok \# Client init\n"; + exit; + } + + ok("Client init"); + for(@clients) { + print $_ "ping!\n"; + <$_>; # read pong + } + ok("Server send pong, received ping"); + close($_) for @clients; + + &$accept_all; + for(@clients) { + print $_ "ping!\n"; + <$_>; # read pong + } + ok("Client again init + write + read"); +} + + + +sub ok { + my $line = (caller)[2]; + print "ok # [$what]:$line $_[0]\n"; +} +sub diag { + my $msg = shift; + $msg =~s{^}{ # [$what] }mg; + print STDERR $msg; +} diff --git a/cpan/IO-Socket-SSL/t/set_curves.t b/cpan/IO-Socket-SSL/t/set_curves.t new file mode 100644 index 000000000000..08e8ea9ca019 --- /dev/null +++ b/cpan/IO-Socket-SSL/t/set_curves.t 
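Review bot: `if ( grep { !$_ } @servers > 0 )` does not check what it appears to: `>` binds tighter than grep's list argument, so this is `grep { !$_ } (@servers > 0)`, a grep over the single value `1` that is always empty, and the "Server init" failure path can never trigger; write `if ( grep { !$_ } @servers )` (a non-empty list is true in boolean context). The same mis-parse is in client's `grep { !$_ } @clients >0` and server's `grep { !$_ } @clients > 0`, so a failed connect or handshake there currently falls through to the `ok(...)` line and the test continues with undef sockets until a later method call dies. A comment such as `# grep yields the list of failed sockets; non-empty means failure` on the fixed lines records the intent.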
@@ -0,0 +1,75 @@
+#!perl
+
+use strict;
+use warnings;
+use Net::SSLeay;
+use Socket;
+use IO::Socket::SSL;
+
+do './testlib.pl' || do './t/testlib.pl' || die "no testlib";
+
+my $set_groups_list =
+ defined &Net::SSLeay::CTX_set1_groups_list ? \&Net::SSLeay::CTX_set1_groups_list :
+ defined &Net::SSLeay::CTX_set1_curves_list ? \&Net::SSLeay::CTX_set1_curves_list :
+ do {
+ print "1..0 # no support for CTX_set1_curves_list or CTX_set1_groups_list\n";
+ exit;
+ };
+
+print "1..6\n";
+my $server = IO::Socket::SSL->new(
+ LocalAddr => '127.0.0.1',
+ Listen => 2,
+ ReuseAddr => 1,
+ SSL_server => 1,
+ SSL_ca_file => "t/certs/test-ca.pem",
+ SSL_cert_file => 't/certs/server-cert.pem',
+ SSL_key_file => 't/certs/server-key.pem',
+ SSL_cipher_list => 'ECDHE',
+ SSL_ecdh_curve => 'P-521:P-384',
+);
+
+warn "\$!=$!, \$\@=$@, S\$SSL_ERROR=$SSL_ERROR" if ! $server;
+print "not ok\n", exit if !$server;
+print "ok # Server Initialization\n";
+my $saddr = $server->sockhost.':'.$server->sockport;
+
+my @tests = (
+ [ 1,'P-521' ],
+ [ 1,'P-384' ],
+ [ 0,'P-256' ],
+ [ 1,'P-384:P-521' ],
+ [ 1,'P-256:P-384:P-521' ],
+);
+
+defined( my $pid = fork() ) || die $!;
+if (!$pid) {
+ close($server);
+ for my $t (@tests) {
+ my (undef,$curves) = @$t;
+ my $cl = IO::Socket::SSL->new(
+ PeerAddr => $saddr,
+ SSL_verify_mode => 1,
+ SSL_ca_file => 't/certs/test-ca.pem',
+ SSL_ecdh_curve => $curves,
+ ) or next;
+ <$cl>;
+ }
+ exit;
+}
+
+for my $t (@tests) {
+ my ($expect_ok,$curves) = @$t;
+ my $csock = $server->accept;
+ if ($csock && $expect_ok) {
+ print "ok # expect success $curves\n";
+ } elsif (!$csock && !$expect_ok) {
+ print "ok # expect fail $curves: $SSL_ERROR\n";
+ } elsif ($csock) {
+ print "not ok # expect fail $curves\n";
+ } else {
+ print "not ok # expect success $curves: $SSL_ERROR\n";
+ }
+ close($csock) if $csock;
+}
+wait;
diff --git a/cpan/IO-Socket-SSL/t/signal-readline.t b/cpan/IO-Socket-SSL/t/signal-readline.t
new file mode 100644
index 000000000000..9730aefaea81
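Review bot: `print "not ok\n", exit if !$server;` never emits the failure line as I read it: `exit` is an element of print's argument list and runs while the list is being evaluated, so the process ends before print writes anything and the harness only sees a short plan. The same idiom appears in the signal-readline.t, sni.t, sni_verify.t, startssl.t and verify_hostname.t hunks, whereas startssl-failed.t's `print("not ok\n"),exit if !$server;` sequences the two correctly; the one-line fix is `print("not ok\n"), exit if !$server;`. Separately, `$set_groups_list` is only used for feature detection and never called, so a plain `unless (defined &Net::SSLeay::CTX_set1_groups_list || defined &Net::SSLeay::CTX_set1_curves_list) { ... }` would say the same thing without the dead coderef. Since these files live under cpan/, both fixes belong upstream in the IO::Socket::SSL distribution rather than in a core-only patch.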
--- /dev/null
+++ b/cpan/IO-Socket-SSL/t/signal-readline.t
@@ -0,0 +1,70 @@
+#!perl
+
+use strict;
+use warnings;
+use Net::SSLeay;
+use Socket;
+use IO::Socket::SSL;
+do './testlib.pl' || do './t/testlib.pl' || die "no testlib";
+
+if ( $^O =~m{mswin32}i ) {
+ print "1..0 # Skipped: signals not relevant on this platform\n";
+ exit
+}
+
+print "1..9\n";
+
+my $server = IO::Socket::SSL->new(
+ LocalAddr => '127.0.0.1',
+ LocalPort => 0,
+ Listen => 2,
+ SSL_server => 1,
+ SSL_ca_file => "t/certs/test-ca.pem",
+ SSL_cert_file => "t/certs/server-wildcard.pem",
+ SSL_key_file => "t/certs/server-wildcard.pem",
+);
+warn "\$!=$!, \$\@=$@, S\$SSL_ERROR=$SSL_ERROR" if ! $server;
+print "not ok\n", exit if !$server;
+ok("Server Initialization");
+my $saddr = $server->sockhost.':'.$server->sockport;
+
+defined( my $pid = fork() ) || die $!;
+if ( $pid == 0 ) {
+
+ $SIG{HUP} = sub { ok("got hup") };
+
+ close($server);
+ my $client = IO::Socket::SSL->new(
+ PeerAddr => $saddr,
+ Domain => AF_INET,
+ SSL_verify_mode => 0
+ ) || print "not ";
+ ok( "client ssl connect" );
+
+ my $line = <$client>;
+ print "not " if $line ne "foobar\n";
+ ok("got line");
+
+ exit;
+}
+
+my $csock = $server->accept;
+ok("accept");
+
+syswrite($csock,"foo") or print "not ";
+ok("wrote foo");
+sleep(1);
+
+kill HUP => $pid or print "not ";
+ok("send hup");
+sleep(1);
+
+syswrite($csock,"bar\n") or print "not ";
+ok("wrote bar\\n");
+
+wait;
+ok("wait: $?");
+
+
+
+sub ok { print "ok #$_[0]\n"; }
diff --git a/cpan/IO-Socket-SSL/t/sni.t b/cpan/IO-Socket-SSL/t/sni.t
new file mode 100644
index 000000000000..0c8d5df17b25
--- /dev/null
+++ b/cpan/IO-Socket-SSL/t/sni.t
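Review bot: `ok("wait: $?")` at the end of the parent reports success whatever the child's exit status is, so a child that died (for example from an uncaught signal or a failed connect that reached `exit` early) still produces a passing ninth test; `print "not " if $?;` before it would make the status part of the check. The `$csock = $server->accept;` line is also unchecked, and a failed accept then drives both `syswrite` calls on an undef handle rather than producing one clear "not ok # accept". The two fixed `sleep(1)` pauses make the HUP-during-readline timing best-effort on a slow box; I would hedge that this is acceptable for a smoke test but worth a comment saying the test only demonstrates, not guarantees, the interruption.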
@@ -0,0 +1,94 @@ +#!perl + +use strict; +use warnings; +use Net::SSLeay; +use Socket; +use IO::Socket::SSL; +do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; + +if ( ! IO::Socket::SSL->can_server_sni() ) { + print "1..0 # skipped because no server side SNI support - openssl/Net::SSleay too old\n"; + exit; +} + +if ( ! IO::Socket::SSL->can_client_sni() ) { + print "1..0 # skipped because no client side SNI support - openssl/Net::SSleay too old\n"; + exit; +} + +print "1..17\n"; +my $server = IO::Socket::SSL->new( + LocalAddr => '127.0.0.1', + Listen => 2, + ReuseAddr => 1, + SSL_server => 1, + SSL_ca_file => "t/certs/test-ca.pem", + SSL_cert_file => { + 'server.local' => 't/certs/server-cert.pem', + 'server2.local' => 't/certs/server2-cert.pem', + 'smtp.mydomain.local' => "t/certs/server-wildcard.pem", + '' => "t/certs/server-wildcard.pem", + }, + SSL_key_file => { + 'server.local' => 't/certs/server-key.pem', + 'server2.local' => 't/certs/server2-key.pem', + 'smtp.mydomain.local' => "t/certs/server-wildcard.pem", + '' => "t/certs/server-wildcard.pem", + }, +); + +warn "\$!=$!, \$\@=$@, S\$SSL_ERROR=$SSL_ERROR" if ! 
$server; +print "not ok\n", exit if !$server; +print "ok # Server Initialization\n"; +my $saddr = $server->sockhost.':'.$server->sockport; + +# www13.other.local should match default '' +# all other should match the specific entries +my @tests = qw( + server.local + server2.local + smtp.mydomain.local + www13.other.local +); + +defined( my $pid = fork() ) || die $!; +if ( $pid == 0 ) { + close($server); + + for my $host (@tests) { + my $client = IO::Socket::SSL->new( + PeerAddr => $saddr, + Domain => AF_INET, + SSL_verify_mode => 1, + SSL_hostname => $host, + SSL_ca_file => 't/certs/test-ca.pem', + ); + if ($client) { + print "ok # client ssl connect $host\n"; + $client->verify_hostname($host,'http') or print "not "; + print "ok # client verify hostname in cert $host\n"; + # wait for server to send something to make sure finished accept + <$client>; + } else { + print "not ok # client ssl connect $host - $SSL_ERROR\n"; + print "ok # skip connect failed\n"; + } + } + exit; +} + +for my $host (@tests) { + my $csock = $server->accept; + if ($csock) { + print "ok # server accept\n"; + my $name = $csock->get_servername; + print "not " if ! $name or $name ne $host; + print "ok # server got SNI name $host\n"; + print $csock "hi\n"; + } else { + print "not ok # server accept - $SSL_ERROR\n"; + print "ok # skip accept failed\n"; + } +} +wait; diff --git a/cpan/IO-Socket-SSL/t/sni_verify.t b/cpan/IO-Socket-SSL/t/sni_verify.t new file mode 100644 index 000000000000..4b92b91a02aa --- /dev/null +++ b/cpan/IO-Socket-SSL/t/sni_verify.t 
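Review bot: Both skip messages spell the module as `Net::SSleay` ("openssl/Net::SSleay too old"); the same typo is in the sni_verify.t hunk, and since these strings are what a harness log shows, `Net::SSLeay` is worth correcting upstream. The `print "not ok\n", exit if !$server;` sequencing issue noted on set_curves.t applies here too. The connect-failure branch prints `ok # skip connect failed` only to keep the plan count, which is fine, but a `# skip` directive is conventionally written as `ok N # skip reason` on the same test line; as written the second line passes rather than skips.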
@@ -0,0 +1,97 @@ +#!perl + +use strict; +use warnings; +use Net::SSLeay; +use Socket; +use IO::Socket::SSL; +do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; + +if ( ! IO::Socket::SSL->can_server_sni() ) { + print "1..0 # skipped because no server side SNI support - openssl/Net::SSleay too old\n"; + exit; +} + +if ( ! IO::Socket::SSL->can_client_sni() ) { + print "1..0 # skipped because no client side SNI support - openssl/Net::SSleay too old\n"; + exit; +} + +print "1..17\n"; +my $server = IO::Socket::SSL->new( + LocalAddr => '127.0.0.1', + Listen => 2, + ReuseAddr => 1, + SSL_server => 1, + SSL_ca_file => "t/certs/test-ca.pem", + SSL_cert_file => { + 'server.local' => 't/certs/server-cert.pem', + 'server2.local' => 't/certs/server2-cert.pem', + 'smtp.mydomain.local' => "t/certs/server-wildcard.pem", + '' => "t/certs/server-wildcard.pem", + }, + SSL_key_file => { + 'server.local' => 't/certs/server-key.pem', + 'server2.local' => 't/certs/server2-key.pem', + 'smtp.mydomain.local' => "t/certs/server-wildcard.pem", + '' => "t/certs/server-wildcard.pem", + }, + SSL_verify_mode => 1 +); + +warn "\$!=$!, \$\@=$@, S\$SSL_ERROR=$SSL_ERROR" if ! 
$server; +print "not ok\n", exit if !$server; +print "ok # Server Initialization\n"; +my $saddr = $server->sockhost.':'.$server->sockport; + +# www13.other.local should match default '' +# all other should match the specific entries +my @tests = qw( + server.local + server2.local + smtp.mydomain.local + www13.other.local +); + +defined( my $pid = fork() ) || die $!; +if ( $pid == 0 ) { + close($server); + + for my $host (@tests) { + my $client = IO::Socket::SSL->new( + PeerAddr => $saddr, + Domain => AF_INET, + SSL_verify_mode => 1, + SSL_hostname => $host, + SSL_ca_file => 't/certs/test-ca.pem', + SSL_cert_file => 't/certs/client-cert.pem', + SSL_key_file => 't/certs/client-key.pem', + ); + if ($client) { + print "ok # client ssl connect $host\n"; + $client->verify_hostname($host,'http') or print "not "; + print "ok # client verify hostname in cert $host\n"; + # wait for server to send something to make sure finished accept + <$client>; + } else { + print "not ok # client ssl connect $host - $SSL_ERROR\n"; + print "ok # skip connect failed\n"; + } + } + exit; +} + +for my $host (@tests) { + my $csock = $server->accept; + if ($csock) { + print "ok # server accept\n"; + my $name = $csock->get_servername; + print "not " if ! $name or $name ne $host; + print "ok # server got SNI name $host\n"; + print $csock "hi\n"; + } else { + print "not ok # server accept - $SSL_ERROR\n"; + print "ok # skip accept failed\n"; + } +} +wait; diff --git a/cpan/IO-Socket-SSL/t/start-stopssl.t b/cpan/IO-Socket-SSL/t/start-stopssl.t new file mode 100644 index 000000000000..6e48a8b3aa8c --- /dev/null +++ b/cpan/IO-Socket-SSL/t/start-stopssl.t 
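Review bot: The server side sets `SSL_verify_mode => 1` (SSL_VERIFY_PEER only) and the accept loop never looks at the client certificate, so the "verify" in this test's name is not asserted: with SSL_VERIFY_PEER alone OpenSSL accepts a client that presents no certificate at all, and a regression in client-cert handling would still print all seventeen ok lines. Either request the certificate hard, `SSL_verify_mode => SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,` as the startssl.t hunk already does, or add a check after accept such as `$csock->peer_certificate('subject') =~ /client\.local/ or print "not ";` with a matching plan bump. Apart from the verify options and the client cert/key this file duplicates sni.t line for line; a shared driver or a comment stating the intended difference would help the next maintainer.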
@@ -0,0 +1,114 @@ +#!perl + +use strict; +use warnings; +use IO::Socket::INET; +use IO::Socket::SSL; +do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; + +$|=1; +my @tests = qw( start stop start close ); +print "1..16\n"; + +my $server = IO::Socket::INET->new( + LocalAddr => '127.0.0.1', + LocalPort => 0, + Listen => 2, +) || die "not ok #tcp listen failed: $!\n"; +print "ok #listen\n"; +my $saddr = $server->sockhost.':'.$server->sockport; + +defined( my $pid = fork() ) || die $!; +$pid ? server():client(); +wait; +exit(0); + + +sub client { + close($server); + my $client = IO::Socket::INET->new($saddr) or + die "not ok #client connect: $!\n"; + $client->autoflush; + print "ok #client connect\n"; + + for my $test (@tests) { + alarm(15); + #print STDERR "begin test $test\n"; + if ( $test eq 'start' ) { + print $client "start\n"; + sleep(1); # avoid race condition, if client calls start but server is not yet available + + #print STDERR ">>$$(client) start\n"; + IO::Socket::SSL->start_SSL($client, SSL_verify_mode => 0 ) + || die "not ok #client::start_SSL: $SSL_ERROR\n"; + #print STDERR "<<$$(client) start\n"; + print "ok # client::start_SSL\n"; + + ref($client) eq "IO::Socket::SSL" or print "not "; + print "ok # client::class=".ref($client)."\n"; + + } elsif ( $test eq 'stop' ) { + print $client "stop\n"; + $client->stop_SSL || die "not ok #client::stop_SSL\n"; + print "ok # client::stop_SSL\n"; + + ref($client) eq "IO::Socket::INET" or print "not "; + print "ok # client::class=".ref($client)."\n"; + + } elsif ( $test eq 'close' ) { + print $client "close\n"; + my $class = ref($client); + $client->close || die "not ok # client::close\n"; + print "ok # client::close\n"; + + ref($client) eq $class or print "not "; + print "ok # client::class=".ref($client)."\n"; + last; + } + #print STDERR "cont test $test\n"; + + defined( my $line = <$client> ) or return; + die "'$line'" if $line ne "OK\n"; + } +} + + +sub server { + my $client = $server->accept || die $!; 
+ $client->autoflush; + while (1) { + alarm(15); + defined( my $line = <$client> ) or last; + chomp($line); + if ( $line eq 'start' ) { + #print STDERR ">>$$ start\n"; + IO::Socket::SSL->start_SSL( $client, + SSL_server => 1, + SSL_cert_file => "t/certs/client-cert.pem", + SSL_key_file => "t/certs/client-key.pem" + ) || die "not ok #server::start_SSL: $SSL_ERROR\n"; + #print STDERR "<<$$ start\n"; + + ref($client) eq "IO::Socket::SSL" or print "not "; + print "ok # server::class=".ref($client)."\n"; + print $client "OK\n"; + + } elsif ( $line eq 'stop' ) { + $client->stop_SSL || die "not ok #server::stop_SSL\n"; + print "ok #server::stop_SSL\n"; + + ref($client) eq "IO::Socket::INET" or print "not "; + print "ok # class=".ref($client)."\n"; + print $client "OK\n"; + + } elsif ( $line eq 'close' ) { + my $class = ref($client); + $client->close || die "not ok #server::close\n"; + print "ok #server::close\n"; + + ref($client) eq $class or print "not "; + print "ok # class=".ref($client)."\n"; + last; + } + } +} diff --git a/cpan/IO-Socket-SSL/t/startssl-failed.t b/cpan/IO-Socket-SSL/t/startssl-failed.t new file mode 100644 index 000000000000..aa8a84a5880e --- /dev/null +++ b/cpan/IO-Socket-SSL/t/startssl-failed.t 
@@ -0,0 +1,79 @@
+#!perl
+
+use strict;
+use warnings;
+use Net::SSLeay;
+use Socket;
+use IO::Socket::SSL;
+use IO::Select;
+do './testlib.pl' || do './t/testlib.pl' || die "no testlib";
+
+$|=1;
+print "1..9\n";
+
+my $server = IO::Socket::INET->new(
+ LocalAddr => '127.0.0.1',
+ LocalPort => 0,
+ Listen => 2,
+);
+print("not ok\n"),exit if !$server;
+ok("Server Initialization");
+my $saddr = $server->sockhost.':'.$server->sockport;
+
+
+defined( my $pid = fork() ) || die $!;
+if ( $pid == 0 ) {
+ client();
+} else {
+ server();
+ #kill(9,$pid);
+ wait;
+}
+
+
+sub client {
+ close($server);
+ my $client = IO::Socket::INET->new($saddr)
+ or return fail("client tcp connect");
+ ok("client tcp connect");
+
+ IO::Socket::SSL->start_SSL($client, SSL_verify_mode => 0) and
+ return fail('start ssl should fail');
+ ok("startssl client failed: $SSL_ERROR");
+
+ UNIVERSAL::isa($client,'IO::Socket::INET') or
+ return fail('downgrade socket after error');
+ ok('downgrade socket after error');
+
+ print $client "foo\n" or return fail("send to server: $!");
+ ok("send to server");
+ my $l;
+ while (defined($l = <$client>)) {
+ if ( $l =~m{bar\n} ) {
+ return ok('client receive non-ssl data');
+ }
+ }
+ fail("receive non-ssl data");
+}
+
+sub server {
+ my $csock = $server->accept or return fail('tcp accept');
+ ok('tcp accept');
+ print $csock "This is no SSL handshake\n";
+ ok('send non-ssl data');
+
+ alarm(10);
+ my $l;
+ while (defined( $l = <$csock>)) {
+ if ($l =~m{foo\n} ) {
+ print $csock "bar\n";
+ return ok("received non-ssl data");
+ }
+ #warn "XXXXXXXXX $l";
+ }
+ fail('no data from client'.$!);
+}
+
+
+sub ok { print "ok #$_[0]\n"; return 1 }
+sub fail { print "not ok #$_[0]\n"; return }
diff --git a/cpan/IO-Socket-SSL/t/startssl.t b/cpan/IO-Socket-SSL/t/startssl.t
new file mode 100644
index 000000000000..a54a3abeaaca
--- /dev/null
+++ b/cpan/IO-Socket-SSL/t/startssl.t
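Review bot: Only `server()` arms `alarm(10)`; the client's `while (defined($l = <$client>))` has no timeout, so if the server side exits or never sends "bar" the child blocks forever and the parent's `wait;` hangs the whole test run (the `#kill(9,$pid);` that would have bounded this is commented out). Adding `alarm(10);` at the top of `client()` mirrors the server and turns a hang into a failed test. Minor: `fail('no data from client'.$!)` lacks a separator before the errno text; `fail("no data from client: $!")` reads better in the harness output.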
@@ -0,0 +1,131 @@ +#!perl + +use strict; +use warnings; +use Net::SSLeay; +use Socket; +use IO::Socket::SSL; +use IO::Socket::SSL::Utils; +use IO::Select; +do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; + +$|=1; +print "1..21\n"; + +my $getfp = do { + my (%file2fp); + Net::SSLeay::SSLeay_add_ssl_algorithms(); + my $sha256 = Net::SSLeay::EVP_get_digestbyname('sha256') or die; + sub { + my $file = shift; + return $file2fp{$file} ||= do { + my $cert = PEM_file2cert($file); + 'sha256$'.unpack('H*',Net::SSLeay::X509_digest($cert, $sha256)); + }; + } +}; + + +my $server = IO::Socket::INET->new( + LocalAddr => '127.0.0.1', + LocalPort => 0, + Listen => 2, +); +print "not ok\n", exit if !$server; +ok("Server Initialization"); + +print "not " if (!defined fileno($server)); +ok("Server Fileno Check"); + +my $saddr = $server->sockhost.':'.$server->sockport; +defined( my $pid = fork() ) || die $!; +if ( $pid == 0 ) { + + close($server); + my $client = IO::Socket::INET->new($saddr) || print "not "; + ok( "client tcp connect" ); + + unless ( IO::Socket::SSL->start_SSL( $client, + SSL_verify_mode => 0, + SSL_cert_file => "t/certs/client-cert.pem", + SSL_key_file => "t/certs/client-key.enc", + SSL_passwd_cb => sub { return "opossum" } + )) { + #DEBUG( $SSL_ERROR ); + print "not "; + } + ok( "sslify client" ); + + UNIVERSAL::isa( $client,'IO::Socket::SSL' ) || print "not "; + ok( 'client reblessed as IO::Socket::SSL' ); + + $client->sock_certificate('subject') =~ /client\.local/ or print "not "; + ok("client local certificate subject"); + $client->sock_certificate('issuer') =~ /IO::Socket::SSL Demo CA/ or print "not "; + ok("client local certificate issuer"); + $client->get_fingerprint('sha256',$client->sock_certificate) + eq $getfp->('t/certs/client-cert.pem') + or print "not "; + ok("client local certificate fingerprint"); + + $client->peer_certificate('subject') =~ /server\.local/ or print "not "; + ok("client peer certificate subject"); + 
$client->peer_certificate('issuer') =~ /IO::Socket::SSL Demo CA/ or print "not "; + ok("client peer certificate issuer"); + $client->get_fingerprint() + eq $getfp->('t/certs/server-cert.pem') + or print "not "; + ok("client peer certificate fingerprint"); + + print $client "hannibal\n"; + + exit; +} + +my $csock = $server->accept || print "not "; +ok( "tcp accept" ); + + +IO::Socket::SSL->start_SSL( $csock, + SSL_server => 1, + SSL_verify_mode => SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, + SSL_ca_file => "t/certs/test-ca.pem", + SSL_cert_file => "t/certs/server-cert.pem", + SSL_key_file => "t/certs/server-key.enc", + SSL_passwd_cb => sub { return "bluebell" }, +) || print "not "; +#DEBUG( $IO::Socket::SSL::ERROR ); +ok( 'sslify server' ); + +UNIVERSAL::isa( $csock,'IO::Socket::SSL' ) || print "not "; +ok( 'server reblessed as IO::Socket::SSL' ); + +$csock->sock_certificate('subject') =~ /server\.local/ or print "not "; +ok("server local certificate subject"); +$csock->sock_certificate('issuer') =~ /IO::Socket::SSL Demo CA/ or print "not "; +ok("server local certificate issuer"); +$csock->get_fingerprint('sha256',$csock->sock_certificate) + eq $getfp->('t/certs/server-cert.pem') + or print "not "; +ok("server local certificate fingerprint"); + +$csock->peer_certificate('subject') =~ /client\.local/ or print "not "; +ok("server peer certificate subject"); +$csock->peer_certificate('issuer') =~ /IO::Socket::SSL Demo CA/ or print "not "; +ok("server peer certificate issuer"); +$csock->get_fingerprint() + eq $getfp->('t/certs/client-cert.pem') + or print "not "; +ok("server peer certificate fingerprint"); + + +my $l = <$csock>; +#DEBUG($l); +print "not " if $l ne "hannibal\n"; +ok( "received client message" ); + +wait; + + + +sub ok { print "ok #$_[0]\n"; } diff --git a/cpan/IO-Socket-SSL/t/sysread_write.t b/cpan/IO-Socket-SSL/t/sysread_write.t new file mode 100644 index 000000000000..b8967bca7a2c --- /dev/null +++ b/cpan/IO-Socket-SSL/t/sysread_write.t 
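Review bot: `my $csock = $server->accept || print "not ";` leaves `$csock` holding print's return value (1) when accept fails, so `start_SSL($csock, ...)` is then called on a non-socket and the remaining checks cascade into confusing output rather than one clear failure; the child's `IO::Socket::INET->new($saddr) || print "not "` has the same shape. A guard such as `my $csock = $server->accept or do { print "not ok # tcp accept\n"; kill 9, $pid; exit };` stops the run at the first real error. The server-side `SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT` and the fingerprint comparisons against the PEM files are the right way to pin what both ends presented; it would be worth a one-line comment that `$client->get_fingerprint()` with no arguments is relying on the module's default digest, so the test silently tracks whatever that default becomes.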
@@ -0,0 +1,143 @@ +#!perl +# Before `make install' is performed this script should be runnable with +# `make test'. After `make install' it should work as `perl t/sysread_write.t' + +# This tests that sysread/syswrite behave different to read/write, e.g. +# that the latter ones are blocking until they read/write everything while +# the sys* function also can read/write partial data. + +use strict; +use warnings; +use Net::SSLeay; +use Socket; +use IO::Socket::SSL; +do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; + +$|=1; +print "1..9\n"; + +################################################################# +# create Server socket before forking client, so that it is +# guaranteed to be listening +################################################################# + +# first create simple ssl-server +my $ID = 'server'; +my $server = IO::Socket::SSL->new( + LocalAddr => '127.0.0.1', + LocalPort => 0, + Listen => 2, + SSL_cert_file => "t/certs/server-cert.pem", + SSL_key_file => "t/certs/server-key.pem", +); +print "not ok: $!\n", exit if !$server; +ok("Server Initialization"); + +my $saddr = $server->sockhost.':'.$server->sockport; + +defined( my $pid = fork() ) || die $!; +if ( $pid == 0 ) { + + ############################################################ + # CLIENT == child process + ############################################################ + + close($server); + $ID = 'client'; + + my $to_server = IO::Socket::SSL->new( + PeerAddr => $saddr, + Domain => AF_INET, + SSL_ca_file => "t/certs/test-ca.pem", + ) || do { + print "not ok: connect failed: $!\n"; + exit + }; + + ok( "client connected" ); + + # write 512 byte, server reads it in 66 byte chunks which + # should cause at least the last read to be less then 66 bytes + # (and not block). 
+ alarm(10); + $SIG{ALRM} = sub { + print "not ok: timed out\n"; + exit; + }; + #DEBUG( "send 2x512 byte" ); + unless ( syswrite( $to_server, 'x' x 512 ) == 512 + and syswrite( $to_server, 'x' x 512 ) == 512 ) { + print "not ok: write to small: $!\n"; + exit; + } + + sysread( $to_server,my $ack,1 ) || print "not "; + ok( "received ack" ); + + alarm(0); + ok( "send in time" ); + + # make a syswrite with a buffer length greater than the + # ssl message block size (16k for sslv3). It should send + # only a partial packet of 16k + my $n = syswrite( $to_server, 'x' x 18000 ); + #DEBUG( "send $n bytes" ); + print "not " if $n != 16384; + ok( "partial write in syswrite" ); + + # but write should send everything because it does ssl_write_all + $n = $to_server->write( 'x' x 18000 ); + #DEBUG( "send $n bytes" ); + print "not " if $n != 18000; + ok( "full write in write ($n)" ); + + exit; + +} else { + + ############################################################ + # SERVER == parent process + ############################################################ + + my $to_client = $server->accept || do { + print "not ok: accept failed: $!\n"; + kill(9,$pid); + exit; + }; + ok( "Server accepted" ); + + my $total = 1024; + my $partial; + while ( $total > 0 ) { + #DEBUG( "reading 66 of $total bytes pending=".$to_client->pending() ); + my $n = sysread( $to_client, my $buf,66 ); + #DEBUG( "read $n bytes" ); + if ( !$n ) { + print "not ok: read failed: $!\n"; + kill(9,$pid); + exit; + } elsif ( $n != 66 ) { + $partial++; + } + $total -= $n; + } + print "not " if !$partial; + ok( "partial read in sysread" ); + + # send ack back + print "not " if !syswrite( $to_client, 'x' ); + ok( "send ack back" ); + + # just read so that the writes will not block + $to_client->read( my $buf,18000 ); + $to_client->read( $buf,18000 ); + + + # wait until client exits + wait; +} + +exit; + + +sub ok { print "ok # [$ID] @_\n"; } 
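Review bot: In the client branch `alarm(10)` is armed before `$SIG{ALRM}` is installed, so for the intervening statements an expiring alarm would kill the child with the default action instead of printing the "timed out" line; installing the handler first is the conventional order. `syswrite( $to_server, 'x' x 512 ) == 512` warns and misreports when syswrite returns undef on error (the `not ok: write to small: $!` path only fires for short writes); capturing the result into a scalar and testing `defined $n && $n == 512` keeps `$!` meaningful. The `$n != 16384` assertion hardcodes the TLS maximum record payload; that is correct for the protocol but a comment pointing at the 2^14 limit would stop a future reader from treating it as an implementation quirk. The enclosing `if ( $pid == 0 ) { ... } else { ... }` starts in the previous chunk of this hunk.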
diff --git a/cpan/IO-Socket-SSL/t/testlib.pl b/cpan/IO-Socket-SSL/t/testlib.pl
new file mode 100644
index 000000000000..b3f342cd53ec
--- /dev/null
+++ b/cpan/IO-Socket-SSL/t/testlib.pl
@@ -0,0 +1,191 @@ +use strict; +use warnings; +use IO::Socket; +use IO::Socket::SSL; +use Config; + +############################################################################ +# +# small test lib for common tasks: +# adapted from t/testlib.pl in Net::SIP package +# +############################################################################ + +unless ( $Config::Config{d_fork} || $Config::Config{d_pseudofork} || + (($^O eq 'MSWin32' || $^O eq 'NetWare') and + $Config::Config{useithreads} and + $Config::Config{ccflags} =~ /-DPERL_IMPLICIT_SYS/) ) { + print "1..0 # Skipped: fork not implemented on this platform\n"; + exit +} + +# let IO errors result in EPIPE instead of crashing the test +$SIG{PIPE} = 'IGNORE'; + +# small implementations if not used from Test::More (09_fdleak.t) +if ( ! defined &ok ) { + no strict 'refs'; + *{'ok'} = sub { + my ($bool,$desc) = @_; + print $bool ? "ok ":"not ok ", '# ',$desc || '',"\n"; + }; + *{'diag'} = sub { print "# @_\n"; }; + *{'like'} = sub { + my ( $data,$rx,$desc ) = @_; + ok( $data =~ $rx ? 
1:0, $desc ); + }; +} + +$SIG{ __DIE__ } = sub { + return if $^S; # Ignore from within evals + ok( 0,"@_" ); + killall(); + exit(1); +}; + +############################################################################ +# kill all process collected by fork_sub +# Args: ?$signal +# $signal: signal to use, default 9 +# Returns: NONE +############################################################################ +my @pids; +sub killall { + my $sig = shift || 9; + kill $sig, @pids; + #diag( "killed @pids with $sig" ); + while ( wait() >= 0 ) {} # collect all + @pids = (); +} + + +############################################################################ +# fork named sub with args and provide fd into subs STDOUT +# Args: ($name,@args) +# $name: name or ref to sub, if name it will be used for debugging +# @args: arguments for sub +# Returns: $fh +# $fh: file handle to read STDOUT of sub +############################################################################ +my %fd2name; # associated sub-name for file descriptor to subs STDOUT +sub fork_sub { + my ($name,@arg) = @_; + my $sub = ref($name) ? $name : UNIVERSAL::can( 'main',$name ) || die; + pipe( my $rh, my $wh ) || die $!; + defined( my $pid = fork() ) || die $!; + if ( ! $pid ) { + # CHILD, exec sub + $SIG{ __DIE__ } = undef; + close($rh); + local *STDOUT = local *STDERR = $wh; + $wh->autoflush; + print "OK\n"; + $sub->(@arg); + exit(0); + } + + push @pids,$pid; + close( $wh ); + $fd2name{$rh} = $name; + fd_grep_ok( 'OK',10,$rh ) || die 'startup failed'; + return $rh; +} + +############################################################################ +# grep within fd's for specified regex or substring +# Args: ($pattern,[ $timeout ],@fd) +# $pattern: regex or substring +# $timeout: how many seconds to wait for pattern, default 10 +# @fd: which fds to search, usually fds from fork_sub(..) 
+# Returns: $rv| ($rv,$name) +# $rv: matched text if pattern is found, else undef +# $name: name for file handle +############################################################################ +my %fd2buf; # already read data from fd +sub fd_grep { + my $pattern = shift; + my $timeout = 10; + $timeout = shift if !ref($_[0]); + my @fd = @_; + $pattern = qr{\Q$pattern} if ! UNIVERSAL::isa( $pattern,'Regexp' ); + my $name = join( "|", map { $fd2name{$_} || "$_" } @fd ); + #diag( "look for $pattern in $name" ); + my @bad = wantarray ? ( undef,$name ):(undef); + @fd || return @bad; + my $rin = ''; + map { $_->blocking(0); vec( $rin,fileno($_),1 ) = 1 } @fd; + my $end = defined( $timeout ) ? time() + $timeout : undef; + + while (@fd) { + + # check existing buf from previous reads + foreach my $fd (@fd) { + my $buf = \$fd2buf{$fd}; + $$buf || next; + if ( $$buf =~s{\A(?:.*?)($pattern)}{}s ) { + #diag( "found" ); + return wantarray ? ( $1,$name ) : $1; + } + } + + # if not found try to read new data + $timeout = $end - time() if $end; + return @bad if $timeout < 0; + select( my $rout = $rin,undef,undef,$timeout ); + $rout || return @bad; # not found + foreach my $fd (@fd) { + my $name = $fd2name{$fd} || "$fd"; + my $buf = \$fd2buf{$fd}; + my $fn = fileno($fd); + my $n; + if ( defined ($fn)) { + vec( $rout,$fn,1 ) || next; + my $l = $$buf && length($$buf) || 0; + $n = sysread( $fd,$$buf,8192,$l ); + } + if ( ! $n ) { + #diag( "$name >CLOSED<" ); + delete $fd2buf{$fd}; + @fd = grep { $_ != $fd } @fd; + close($fd); + next; + } + diag( "$name >> ".substr( $$buf,-$n ). "<<" ); + } + } + return @bad; +} + +############################################################################ +# like Test::Simple::ok, but based on fd_grep, same as +# ok( fd_grep( pattern,... 
), "[$subname] $pattern" ) +# Args: ($pattern,[ $timeout ],@fd) - see fd_grep +# Returns: $rv - like in fd_grep +# Comment: if !$rv and wantarray says void it will die() +############################################################################ +sub fd_grep_ok { + my $pattern = shift; + my ($rv,$name) = fd_grep( $pattern, @_ ); + local $Test::Builder::Level = $Test::Builder::Level || 0 +1; + ok( $rv,"[$name] $pattern" ); + die "fatal error" if !$rv && ! defined wantarray; + return $rv; +} + + +############################################################################ +# create socket on IP +# return socket and ip:port +############################################################################ +sub create_listen_socket { + my ($addr,$port,$proto) = @_; + $addr ||= '127.0.0.1'; + my $sock = IO::Socket::INET->new( + LocalAddr => $addr, + $port ? ( LocalPort => $port, Reuse => 1 ) : (), + Listen => 10, + ) || die $!; + ($port,$addr) = unpack_sockaddr_in( getsockname($sock) ); + return wantarray ? ( $sock, inet_ntoa($addr).':'.$port ) : $sock; +} +1; diff --git a/cpan/IO-Socket-SSL/t/verify_fingerprint.t b/cpan/IO-Socket-SSL/t/verify_fingerprint.t new file mode 100644 index 000000000000..9eba3394f42e --- /dev/null +++ b/cpan/IO-Socket-SSL/t/verify_fingerprint.t 
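Review bot: `create_listen_socket` passes `Reuse => 1` to `IO::Socket::INET->new`, which is the deprecated alias; `ReuseAddr => 1` is the documented option and is what the other new test files in this commit (set_curves.t, verify_hostname.t) already use. In `fd_grep` the `diag( "$name >> ".substr( $$buf,-$n ). "<<" );` call is the only diagnostic in the helper that is not commented out, so every chunk read from a forked child is echoed into the test output; if that is deliberate a comment saying so would help, otherwise it should be commented like its neighbours. `killall` defaults to signal 9, which skips `END` blocks and any cleanup in the forked subs; a TERM-then-KILL sequence is more forgiving, though for a test helper this is a judgement call.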
@@ -0,0 +1,115 @@ +use strict; +use warnings; +use Test::More; +use IO::Socket::SSL; +use IO::Socket::SSL::Utils; +use File::Temp 'tempfile'; +do './testlib.pl' || do './t/testlib.pl' || die "no testlib"; + +plan tests => 13; + +my ($ca1,$cakey1) = CERT_create( CA => 1, subject => { CN => 'ca1' }); +my ($cert1,$key1) = CERT_create( + subject => { CN => 'cert1' }, + subjectAltNames => [ [ DNS => 'cert1' ], [ IP => '127.0.0.1' ] ], + issuer => [ $ca1,$cakey1 ] +); +my ($ca2,$cakey2) = CERT_create( CA => 1, subject => { CN => 'ca2' }); +my ($ica2,$icakey2) = CERT_create( + CA => 1, + subject => { CN => 'ica2' }, + issuer => [ $ca2,$cakey2 ] +); +my ($cert2,$key2) = CERT_create( + subject => { CN => 'cert2' }, + subjectAltNames => [ [ DNS => 'cert2' ], [ IP => '127.0.0.1' ] ], + issuer => [ $ica2,$icakey2 ] +); + +my ($saddr1,$fp1) = _server([$cert1],$key1); +my ($saddr2,$fp2,$ifp2) = _server([$cert2,$ica2],$key2); +my $fp1pub = $fp1->[1]; +$_ = $_->[0] for($fp1,$fp2,$ifp2); + +for my $test ( + [ $saddr1, undef, $fp1, "accept fp1 for saddr1", 1 ], + [ $saddr1, undef, $fp1pub, "accept fp1 pubkey for saddr1", 1 ], + [ $saddr2, undef, $fp2, "accept fp2 for saddr2", 1 ], + [ $saddr2, undef, $ifp2, "reject ifp2 for saddr2", 0 ], + [ $saddr1, undef, $fp2, "reject fp2 for saddr1", 0 ], + [ $saddr2, undef, $fp1, "reject fp1 for saddr2", 0 ], + [ $saddr1, undef, [$fp1,$fp2], "accept fp1|fp2 for saddr1", 1 ], + [ $saddr2, undef, [$fp1,$fp2], "accept fp1|fp2 for saddr2", 1 ], + [ $saddr2, [$ca1], $fp2, "accept fp2 for saddr2 even if ca1 given", 1 ], + [ $saddr2, [$ca2], undef, "accept ca2 for saddr2", 1 ], + [ $saddr1, [$ca2], undef, "reject ca2 for saddr1", 0 ], + [ $saddr1, [$ca1,$ca2], undef, "accept ca[12] for saddr1", 1 ], + (defined &Net::SSLeay::X509_V_FLAG_PARTIAL_CHAIN ? 
+ [ $saddr1, [$cert1], undef, "accept leaf cert1 as trust anchor for saddr1", 1 ] : + [ $saddr1, [$cert1], undef, "reject leaf cert1 as trust anchor for saddr1", 0 ] + ) +) { + my ($saddr,$certs,$fp,$what,$expect) = @$test; + my $cafile; + my $cl = IO::Socket::INET->new( $saddr ) or die $!; + syswrite($cl,"X",1); + my $ok = IO::Socket::SSL->start_SSL($cl, + SSL_verify_mode => 1, + SSL_fingerprint => $fp, + SSL_ca => $certs, + SSL_ca_file => undef, + SSL_ca_path => undef, + ); + ok( ($ok?1:0) == ($expect?1:0),$what); +} + +# Notify server children to exit by connecting and disconnecting immediately, +# kill only if they will not exit. +alarm(10); +my @child; +END { kill 9,@child } +IO::Socket::INET->new($saddr1); +IO::Socket::INET->new($saddr2); +while ( @child && ( my $pid = waitpid(-1,0))>0 ) { + @child = grep { $_ != $pid } @child +} + + +sub _server { + my ($certs,$key) = @_; + my $sock = IO::Socket::INET->new( LocalAddr => '0.0.0.0', Listen => 10 ) + or die $!; + defined( my $pid = fork()) or die $!; + if ( $pid ) { + push @child,$pid; + my $saddr = '127.0.0.1:'.$sock->sockport; + close($sock); + return ( + $saddr, + map { [ + 'sha1$'.Net::SSLeay::X509_get_fingerprint($_,'sha1'), + 'sha1$pub$'.unpack("H*",Net::SSLeay::X509_pubkey_digest($_, + Net::SSLeay::EVP_get_digestbyname('sha1'))) + ]} @$certs + ); + } + + # The chain certificates will be added without increasing reference counter + # and will be destroyed at close of context, so we better have a common + # context between all start_SSL. + my $ctx = IO::Socket::SSL::SSL_Context->new( + SSL_server => 1, + SSL_cert => $certs, + SSL_key => $key + ); + while (1) { + #local $IO::Socket::SSL::DEBUG=10; + my $cl = $sock->accept or next; + sysread($cl,my $buf,1) || last; + IO::Socket::SSL->start_SSL($cl, + SSL_server => 1, + SSL_reuse_ctx => $ctx, + ); + } + exit(0); +} diff --git a/cpan/IO-Socket-SSL/t/verify_hostname.t b/cpan/IO-Socket-SSL/t/verify_hostname.t new file mode 100644 index 000000000000..0a5dceac2505 
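Review bot: `_server` listens on `LocalAddr => '0.0.0.0'` while the clients only ever connect to `'127.0.0.1:'.$sock->sockport`, so for the duration of the run a TLS server that accepts any client is reachable on every interface of the build host; every other test file in this commit binds 127.0.0.1, and `LocalAddr => '127.0.0.1'` here changes nothing else about the test. The fingerprints are built with `'sha1$'` and `'sha1$pub$'` prefixes, whereas the startssl.t hunk pins with sha256; the mechanism under test is algorithm-agnostic, but exercising the digest the module documents as current would keep the two tests consistent. The `END { kill 9,@child }` cleanup runs after the polite connect-and-disconnect loop, which is the right order; a short comment above `_server` noting that the parent returns the address and fingerprints while the child never returns would make the fork split obvious.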
--- /dev/null
+++ b/cpan/IO-Socket-SSL/t/verify_hostname.t
@@ -0,0 +1,157 @@
+#!perl
+
+use strict;
+use warnings;
+use Net::SSLeay;
+use Socket;
+use IO::Socket::SSL;
+do './testlib.pl' || do './t/testlib.pl' || die "no testlib";
+
+# if we have an IDN library max the IDN tests too
+my $can_idn = eval { require Encode } && (
+ eval { require Net::LibIDN }
+ || eval { require Net::IDN::Encode }
+ || eval { require URI; URI->VERSION(1.50) }
+);
+
+$|=1;
+my $max = 42;
+$max+=3 if $can_idn;
+print "1..$max\n";
+
+my $server = IO::Socket::INET->new(
+ LocalAddr => '127.0.0.1',
+ LocalPort => 0,
+ Listen => 2,
+ ReuseAddr => 1,
+);
+warn "\$!=$!, \$\@=$@, S\$SSL_ERROR=$SSL_ERROR" if ! $server;
+print "not ok\n", exit if !$server;
+ok("Server Initialization");
+my $saddr = $server->sockhost.':'.$server->sockport;
+
+defined( my $pid = fork() ) || die $!;
+if ( $pid == 0 ) {
+ close($server);
+ my $client = IO::Socket::SSL->new(
+ PeerAddr => $saddr,
+ Domain => AF_INET,
+ SSL_verify_mode => 0
+ ) || print "not ";
+ ok( "client ssl connect" );
+
+ my $issuer = $client->peer_certificate( 'issuer' );
+ print "not " if $issuer !~m{IO::Socket::SSL Demo CA};
+ ok("issuer");
+
+ my $cn = $client->peer_certificate( 'cn' );
+ print "not " unless $cn eq "server.local";
+ ok("cn");
+
+ my @alt = $client->peer_certificate( 'subjectAltNames' );
+ my @want = (
+ GEN_DNS() => '*.server.local',
+ GEN_IPADD() => '127.0.0.1',
+ GEN_DNS() => 'www*.other.local',
+ GEN_DNS() => 'smtp.mydomain.local',
+ GEN_DNS() => 'xn--lwe-sna.idntest.local',
+ );
+ while (@want) {
+ my ($typ,$text) = splice(@want,0,2);
+ my $data = ($typ == GEN_IPADD() ) ? inet_aton($text):$text;
+ my ($th,$dh) = splice(@alt,0,2);
+ $th == $typ and $dh eq $data or print "not ";
+ ok( $text );
+ }
+ @alt and print "not ";
+ ok( 'no more altSubjectNames' );
+
+ my @tests = (
+ '127.0.0.1' => [qw( smtp ldap www)],
+ 'server.local' => [qw(smtp ldap)],
+ 'blafasel.server.local' => [qw(smtp ldap www)],
+ 'lala.blafasel.server.local' => [],
+ 'www.other.local' => [qw()],
+ 'www-13.other.local' => [qw(www)],
+ 'www-13.lala.other.local' => [],
+ 'smtp.mydomain.local' => [qw(smtp ldap www)],
+ 'xn--lwe-sna.idntest.local' => [qw(smtp ldap www)],
+ 'smtp.mydomain.localizing.useless.local' => [],
+ );
+ if ( $can_idn ) {
+ # check IDN handling
+ my $loewe = "l\366we.idntest.local";
+ push @tests, ( $loewe => [qw(smtp ldap www)] );
+ }
+
+ while (@tests) {
+ my ($host,$expect) = splice(@tests,0,2);
+ my %expect = map { $_=>1 } @$expect;
+ for my $typ (qw( smtp ldap www)) {
+ my $is = $client->verify_hostname( $host, $typ ) ? 'pass':'fail';
+ my $want = $expect{$typ} ? 'pass':'fail';
+ print "not " if $is ne $want;
+ ok( "$want $host $typ" );
+ }
+ }
+ exit;
+}
+
+my $accept = sub {
+ my $csock = $server->accept;
+ IO::Socket::SSL->start_SSL($csock,
+ SSL_server => 1,
+ SSL_ca_file => "t/certs/test-ca.pem",
+ SSL_cert_file => "t/certs/server-wildcard.pem",
+ SSL_key_file => "t/certs/server-wildcard.pem",
+ );
+};
+
+my $csock = &$accept;
+wait;
+
+# try with implicit checking
+# Should succeed
+defined( $pid = fork() ) || die $!;
+if ( $pid == 0 ) {
+ close($server);
+ IO::Socket::SSL->new(
+ PeerAddr => $saddr,
+ Domain => AF_INET,
+ SSL_ca_file => "t/certs/test-ca.pem",
+ SSL_verify_mode => 1,
+ SSL_verifycn_scheme => 'www',
+ SSL_verifycn_name => 'www.server.local'
+ ) || print "not ";
+ ok("implicit hostname check www.server.local");
+ exit;
+}
+$csock = &$accept;
+wait;
+
+# Should fail
+defined( $pid = fork() ) || die $!;
+if ( $pid == 0 ) {
+ close($server);
+ if (IO::Socket::SSL->new(
+ PeerAddr => $saddr,
+ Domain => AF_INET,
+ SSL_ca_file => "t/certs/test-ca.pem",
+ SSL_verify_mode => 1,
+ SSL_verifycn_scheme => 'www',
+ SSL_verifycn_name => 'does.not.match.server.local'
+ )) {
+ print "not ";
+ } elsif ($SSL_ERROR !~ /hostname verification failed/) {
+ print "# wrong error(should be hostname verification failed): $SSL_ERROR\n";
+ print "not ";
+ }
+ ok("implicit hostname check does.not.match.server.local");
+ exit;
+}
+$csock = &$accept;
+wait;
+
+
+
+sub ok { print "ok #$_[0]\n"; }
diff --git a/cpan/IO-Socket-SSL/t/verify_hostname_standalone.t b/cpan/IO-Socket-SSL/t/verify_hostname_standalone.t
new file mode 100644
index 000000000000..673a46ac803e
--- /dev/null
+++ b/cpan/IO-Socket-SSL/t/verify_hostname_standalone.t
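Review bot: `print "not ok\n", exit if !$server;` never prints anything, because `exit` is an element of print's argument list and is evaluated before the print itself runs, so a harness sees the `1..$max` plan followed by no result lines instead of an explicit failure; write it as `if (!$server) { print "not ok\n"; exit; }`. The same line appears in verify_partial_chain.t in this commit. In `$accept`, the result of `$server->accept` is handed to `start_SSL` without a check; `my $csock = $server->accept or die "accept: $!";` fails fast instead of passing undef on. The three `&$accept` calls are better written as `$accept->()`, since the `&` form without parentheses reuses the caller's current `@_`.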
@@ -0,0 +1,219 @@
+use strict;
+use warnings;
+use Test::More;
+use IO::Socket::SSL;
+use IO::Socket::SSL::Utils;
+
+my @tests = tests();
+plan tests => 0+@tests;
+
+my ($ca,$key) = CERT_create( CA => 1);
+for my $test (@tests) {
+ SKIP: {
+ my ($expect_match,$hostname,$cn,$san_dns,$san_ip) = @$test;
+ my (@san,$ip6);
+ push @san, map { [ "DNS", $_ ] } $san_dns =~m{([^,\s]+)}g if $san_dns;
+ for( ($san_ip||'') =~m{([^,\s]+)}g ) {
+ if ( my @h = m{^x(.{4})(.{4})(.{4})(.{4})(.{4})(.{4})(.{4})(.{4})$}) {
+ $_ = join(':',@h);
+ $ip6 = 1;
+ }
+ push @san, [ "IP", $_ ];
+ }
+ my $idn = $hostname =~m{[^a-zA-Z0-9_.\-]};
+
+ my $diag = "$hostname: cn=$cn san=".
+ join(",", map { "$_->[0]:$_->[1]" } @san);
+ $diag =~s{([\\\x00-\x1f\x7f-\xff])}{ sprintf("\\x%02x",ord($1)) }esg;
+
+ if ($ip6 && !IO::Socket::SSL->can_ipv6) {
+ skip "no IPv6 support - $diag",1;
+ }
+ if ($idn && ! eval { IO::Socket::SSL::idn_to_ascii("fo") }) {
+ skip "no IDNA library installed - $diag",1
+ }
+
+
+ my %cert = (
+ subject => length($cn) ? { CN => $cn }:{},
+ @san ? ( subjectAltNames => \@san ):(),
+ issuer_cert => $ca,
+ issuer_key => $key,
+ key => $key
+ );
+ my $cert;
+ eval { ($cert) = CERT_create(%cert) };
+ if ($@) {
+ skip "failed to create cert: $diag\n$@",1
+ }
+
+ #diag($diag);
+ my $match = IO::Socket::SSL::verify_hostname_of_cert($hostname,$cert,'www')||0;
+ if ( $match == $expect_match ) {
+ pass("$expect_match|$diag");
+ } else {
+ fail("$match != $expect_match |$diag");
+ #warn PEM_cert2string($cert);
+ }
+
+ CERT_free($cert);
+ }
+}
+
+
+
+# based on
+# https://raw.githubusercontent.com/adobe/chromium/master/net/base/x509_certificate_unittest.cc
+# 16.5.2014
+#
+# format: [ expect_match, hostname, CN, san_dns, san_ip ]
+
+sub tests {(
+ [ 1, 'foo.com', 'foo.com' ],
+ [ 1, 'f', 'f' ],
+ [ 0, 'h', 'i' ],
+ [ 1, 'bar.foo.com', '*.foo.com' ],
+ [ 1, 'www.test.fr', 'common.name', '*.test.com,*.test.co.uk,*.test.de,*.test.fr' ],
+ [ 1, 'wwW.tESt.fr', 'common.name', ',*.*,*.test.de,*.test.FR,www' ],
+ [ 0, 'f.uk', '.uk' ],
+ [ 0, 'w.bar.foo.com', '?.bar.foo.com' ],
+ [ 0, 'www.foo.com', '(www|ftp).foo.com' ],
+ [ 0, 'www.foo.com', "www.foo.com\0" ],
+
+# CERT_create just strips everything after \0 so we get not the expected
+# certificate and thus cannot run this test
+# [ 0, 'www.foo.com', '', "www.foo.com\0*.foo.com,\0,\0" ],
+
+ [ 0, 'www.house.example', 'ww.house.example' ],
+ [ 0, 'test.org', '', 'www.test.org,*.test.org,*.org' ],
+ [ 0, 'w.bar.foo.com', 'w*.bar.foo.com' ],
+ [ 0, 'www.bar.foo.com', 'ww*ww.bar.foo.com' ],
+ [ 0, 'wwww.bar.foo.com', 'ww*ww.bar.foo.com' ],
+ [ 1, 'wwww.bar.foo.com', 'w*w.bar.foo.com' ],
+ [ 0, 'wwww.bar.foo.com', 'w*w.bar.foo.c0m' ],
+ [ 1, 'WALLY.bar.foo.com', 'wa*.bar.foo.com' ],
+ [ 1, 'wally.bar.foo.com', '*Ly.bar.foo.com' ],
+
+# disabled test: we don't accept URL encoded hostnames
+# [ 1, 'ww%57.foo.com', '', 'www.foo.com' ],
+
+# disabled test: & is not allowed in hostname - and CN should not
+# allow URL encoding
+# [ 1, 'www&.foo.com', 'www%26.foo.com' ],
+
+ # Common name must not be used if subject alternative name was provided.
+ [ 0, 'www.test.co.jp', 'www.test.co.jp', '*.test.de,*.jp,www.test.co.uk,www.*.co.jp' ],
+ [ 0, 'www.bar.foo.com', 'www.bar.foo.com', '*.foo.com,*.*.foo.com,*.*.bar.foo.com,*..bar.foo.com,' ],
+
+# I think they got this test wrong
+# common name should not be checked only if SAN contains DNS names
+# so in this case common name should be checked -> match
+# corrected test therefore
+# [ 0, 'www.bath.org', 'www.bath.org', '', '20.30.40.50' ],
+ [ 1, 'www.bath.org', 'www.bath.org', '', '20.30.40.50' ],
+
+ [ 0, '66.77.88.99', 'www.bath.org', 'www.bath.org' ],
+
+ # IDN tests
+ [ 1, 'xn--poema-9qae5a.com.br', 'xn--poema-9qae5a.com.br' ],
+ [ 1, 'www.xn--poema-9qae5a.com.br', '*.xn--poema-9qae5a.com.br' ],
+ [ 0, 'xn--poema-9qae5a.com.br', '', '*.xn--poema-9qae5a.com.br,xn--poema-*.com.br,xn--*-9qae5a.com.br,*--poema-9qae5a.com.br' ],
+
+# There should be no *.com.br certificates and public suffix catches this.
+# So this example is bad and we change it to .foo.com.br
+# [ 1, 'xn--poema-9qae5a.com.br', '*.com.br' ],
+ [ 1, 'xn--poema-9qae5a.foo.com.br', '*.foo.com.br' ],
+
+ # The following are adapted from the examples quoted from
+ # http://tools.ietf.org/html/rfc6125#section-6.4.3
+ # (e.g., *.example.com would match foo.example.com but
+ # not bar.foo.example.com or example.com).
+ [ 1, 'foo.example.com', '*.example.com' ],
+ [ 0, 'bar.foo.example.com', '*.example.com' ],
+ [ 0, 'example.com', '*.example.com' ],
+ # (e.g., baz*.example.net and *baz.example.net and b*z.example.net would
+ # be taken to match baz1.example.net and foobaz.example.net and
+ # buzz.example.net, respectively)
+ [ 1, 'baz1.example.net', 'baz*.example.net' ],
+ [ 1, 'foobaz.example.net', '*baz.example.net' ],
+ [ 1, 'buzz.example.net', 'b*z.example.net' ],
+ # Wildcards should not be valid unless there are at least three name
+ # components.
+
+# There should be no *.co.uk certificates and public suffix catches this.
+# So change example to *.foo.com instead
+# [ 1, 'h.co.uk', '*.co.uk' ],
+ [ 1, 'h.foo.com', '*.foo.com' ],
+ [ 0, 'foo.com', '*.com' ],
+ [ 0, 'foo.us', '*.us' ],
+ [ 0, 'foo', '*' ],
+ # Multiple wildcards are not valid.
+ [ 0, 'foo.example.com', '*.*.com' ],
+ [ 0, 'foo.bar.example.com', '*.bar.*.com' ],
+ # Absolute vs relative DNS name tests. Although not explicitly specified
+ # in RFC 6125, absolute reference names (those ending in a .) should
+ # match either absolute or relative presented names.
+ [ 1, 'foo.com', 'foo.com.' ],
+ [ 1, 'foo.com.', 'foo.com' ],
+ [ 1, 'foo.com.', 'foo.com.' ],
+ [ 1, 'f', 'f.' ],
+ [ 1, 'f.', 'f' ],
+ [ 1, 'f.', 'f.' ],
+ [ 1, 'www-3.bar.foo.com', '*.bar.foo.com.' ],
+ [ 1, 'www-3.bar.foo.com.', '*.bar.foo.com' ],
+ [ 1, 'www-3.bar.foo.com.', '*.bar.foo.com.' ],
+ [ 0, '.', '.' ],
+ [ 0, 'example.com', '*.com.' ],
+ [ 0, 'example.com.', '*.com' ],
+ [ 0, 'example.com.', '*.com.' ],
+ [ 0, 'foo.', '*.' ],
+ # IP addresses in common name; IPv4 only.
+ [ 1, '127.0.0.1', '127.0.0.1' ],
+ [ 1, '192.168.1.1', '192.168.1.1' ],
+
+# we expect proper IP and not this junk, so we will not allow these
+# [ 1, '676768', '0.10.83.160' ],
+# [ 1, '1.2.3', '1.2.0.3' ],
+ [ 0, '192.169.1.1', '192.168.1.1' ],
+ [ 0, '12.19.1.1', '12.19.1.1/255.255.255.0' ],
+ [ 0, 'FEDC:ba98:7654:3210:FEDC:BA98:7654:3210', 'FEDC:BA98:7654:3210:FEDC:ba98:7654:3210' ],
+ [ 0, '1111:2222:3333:4444:5555:6666:7777:8888', '1111:2222:3333:4444:5555:6666:7777:8888' ],
+ [ 0, '::192.9.5.5', '[::192.9.5.5]' ],
+ # No wildcard matching in valid IP addresses
+ [ 0, '::192.9.5.5', '*.9.5.5' ],
+ [ 0, '2010:836B:4179::836B:4179', '*:836B:4179::836B:4179' ],
+ [ 0, '192.168.1.11', '*.168.1.11' ],
+ [ 0, 'FEDC:BA98:7654:3210:FEDC:BA98:7654:3210', '*.]' ],
+ # IP addresses in subject alternative name (common name ignored)
+ [ 1, '10.1.2.3', '', '', '10.1.2.3' ],
+# we expect proper IP and not this junk, so we will not allow this
+# [ 1, '14.15', '', '', '14.0.0.15' ],
+
+# according to RFC2818 common name should be checked if no DNS entries in SAN
+# so this must match if we match IP in common name -> changed expected result
+# [ 0, '10.1.2.7', '10.1.2.7', '', '10.1.2.6,10.1.2.8' ],
+ [ 1, '10.1.2.7', '10.1.2.7', '', '10.1.2.6,10.1.2.8' ],
+
+ [ 0, '10.1.2.8', '10.20.2.8', 'foo' ],
+ [ 1, '::4.5.6.7', '', '', 'x00000000000000000000000004050607' ],
+ [ 0, '::6.7.8.9', '::6.7.8.9', '::6.7.8.9', 'x00000000000000000000000006070808,x0000000000000000000000000607080a,xff000000000000000000000006070809,6.7.8.9' ],
+ [ 1, 'FE80::200:f8ff:fe21:67cf', 'no.common.name', '', 'x00000000000000000000000006070808,xfe800000000000000200f8fffe2167cf,xff0000000000000000000000060708ff,10.0.0.1' ],
+ # Numeric only hostnames (none of these are considered valid IP addresses).
+ [ 0, '12345.6', '12345.6' ],
+ [ 0, '121.2.3.512', '', '1*1.2.3.512,*1.2.3.512,1*.2.3.512,*.2.3.512', '121.2.3.0'],
+ [ 0, '1.2.3.4.5.6', '*.2.3.4.5.6' ],
+
+# IP address should not be matched against SAN DNS entry -> skip test
+# [ 1, '1.2.3.4.5', '', '1.2.3.4.5' ],
+
+ # Invalid host names.
+
+# this cert cannot be created currently
+# [ 0, "junk)(£)\$*!\@~\0", "junk)(£)\$*!\@~\0" ],
+
+ [ 0, 'www.*.com', 'www.*.com' ],
+ [ 0, 'w$w.f.com', 'w$w.f.com' ],
+ [ 0, 'nocolonallowed:example', '', 'nocolonallowed:example' ],
+ [ 0, 'www-1.[::FFFF:129.144.52.38]', '*.[::FFFF:129.144.52.38]' ],
+ [ 0, '[::4.5.6.9]', '', '', 'x00000000000000000000000004050609' ],
+)}
diff --git a/cpan/IO-Socket-SSL/t/verify_partial_chain.t b/cpan/IO-Socket-SSL/t/verify_partial_chain.t
new file mode 100644
index 000000000000..524fc4b7707e
--- /dev/null
+++ b/cpan/IO-Socket-SSL/t/verify_partial_chain.t
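Review bot: The IDN guard `my $idn = $hostname =~m{[^a-zA-Z0-9_.\-]};` treats any non-alphanumeric character as needing an IDNA library, so every IPv6 hostname (because of `:`), the bracketed `[::4.5.6.9]` and `www-1.[::FFFF:...]` rows, `w$w.f.com`, `www.*.com` and `nocolonallowed:example` are skipped as "no IDNA library installed" on a perl without one, although none of them contains non-ASCII text. Those rows are the ones that pin the IP-literal and wildcard rejection behaviour, so the skip silently drops the most security-relevant coverage on such systems. If `verify_hostname_of_cert` only needs IDNA conversion for non-ASCII names, the guard should be `my $idn = $hostname =~ m{[^\x00-\x7f]};`; otherwise at least exclude `:`, `[` and `]` from the trigger set. Unlike each per-row `$cert`, the `$ca`/`$key` pair from the first `CERT_create` is never released with `CERT_free`/`KEY_free` after the loop.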
@@ -0,0 +1,54 @@
+#!perl
+
+use strict;
+use warnings;
+use Net::SSLeay;
+use Socket;
+use IO::Socket::SSL;
+
+if (!IO::Socket::SSL->can_partial_chain) {
+ print "1..0 # no support for X509_V_FLAG_PARTIAL_CHAIN\n";
+ exit(0);
+}
+
+do './testlib.pl' || do './t/testlib.pl' || die "no testlib";
+
+$|=1;
+print "1..3\n";
+
+my $server = IO::Socket::SSL->new(
+ LocalAddr => '127.0.0.1',
+ LocalPort => 0,
+ Listen => 2,
+ ReuseAddr => 1,
+ SSL_cert_file => "t/certs/sub-server.pem",
+ SSL_key_file => "t/certs/sub-server.pem",
+);
+warn "\$!=$!, \$\@=$@, S\$SSL_ERROR=$SSL_ERROR" if ! $server;
+print "not ok\n", exit if !$server;
+ok("Server Initialization");
+my $saddr = $server->sockhost.':'.$server->sockport;
+
+defined( my $pid = fork() ) || die $!;
+if ( $pid == 0 ) {
+ close($server);
+ my $client = IO::Socket::SSL->new(
+ PeerAddr => $saddr,
+ Domain => AF_INET,
+ SSL_ca_file => "t/certs/test-subca.pem",
+ ) or print "not ";
+ ok( "client ssl connect" );
+ if ($client) {
+ my $issuer = $client->peer_certificate( 'issuer' );
+ print "not " if $issuer !~m{IO::Socket::SSL Demo Sub CA};
+ ok("issuer");
+ } else {
+ ok("skip issuer check since no client");
+ }
+ exit;
+}
+
+my $csock = $server->accept;
+wait;
+
+sub ok { print "ok #$_[0]\n"; }
diff --git a/cpan/Net-SSLeay/Makefile.PL b/cpan/Net-SSLeay/Makefile.PL
new file mode 100644
index 000000000000..f157035a02de
--- /dev/null
+++ b/cpan/Net-SSLeay/Makefile.PL
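Review bot: The early-out `print "1..0 # no support for X509_V_FLAG_PARTIAL_CHAIN\n";` does not carry a TAP skip directive, and Test::Harness only picks up the reason text when what follows `#` starts with `SKIP`, so the file shows up as skipped with no reason given; `print "1..0 # SKIP no support for X509_V_FLAG_PARTIAL_CHAIN\n";` fixes that. The `else` branch `ok("skip issuer check since no client")` reports a pass for a check that never ran, so a broken partial-chain build shows one failure where two tests are actually unverified; printing `not ` there as well, or emitting a `# skip` directive, keeps the count honest. `my $csock = $server->accept;` in the parent is unchecked, so an accept failure would only surface indirectly through the child's failed connect.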
@@ -0,0 +1,486 @@ +use 5.008001; +use utf8; +use strict; +use warnings; + +use Config; +use English qw( $OSNAME -no_match_vars ); +use ExtUtils::MakeMaker; +use File::Basename (); +use File::Spec; +use File::Spec::Functions qw(catfile); +use Symbol qw(gensym); +use Text::Wrap; + +# According to http://cpanwiki.grango.org/wiki/CPANAuthorNotes, the ideal +# behaviour to exhibit when a prerequisite does not exist is to use exit code 0 +# to ensure smoke testers stop immediately without reporting a FAIL; in all +# other environments, we want to fail more loudly +use constant { + MISSING_PREREQ => ( $ENV{AUTOMATED_TESTING} ? 0 : 1 ), + UNSUPPORTED_LIBSSL => ( $ENV{AUTOMATED_TESTING} ? 0 : 1 ), +}; + +# Error messages displayed with alert() will be this many columns wide +use constant ALERT_WIDTH => 78; + +# Define this to one if you want to link the openssl libraries statically into +# the Net-SSLeay loadable object on Windows +my $win_link_statically = 0; + +my $tests = prompt( + "Do you want to run external tests?\n". + "These tests *will* *fail* if you do not have network connectivity.", + 'n', +) =~ /^y/i ? 
't/*/*.t t/*/*/*.t' : 't/local/*.t t/handle/local/*.t'; + +my %eumm_args = ( + NAME => 'Net::SSLeay', + ABSTRACT => 'Perl bindings for OpenSSL and LibreSSL', + LICENSE => 'artistic_2', + AUTHOR => [ + 'Sampo Kellomäki ', + 'Florian Ragwitz ', + 'Mike McCauley ', + 'Chris Novakovic ', + 'Tuure Vartiainen ', + 'Heikki Vatiainen ' + ], + VERSION_FROM => 'lib/Net/SSLeay.pm', + MIN_PERL_VERSION => '5.8.1', + CONFIGURE_REQUIRES => { + 'English' => '0', + 'ExtUtils::MakeMaker' => '0', + 'File::Spec::Functions' => '0', + 'Text::Wrap' => '0', + 'constant' => '0', + }, + TEST_REQUIRES => { + 'Carp' => '0', + 'Config' => '0', + 'Cwd' => '0', + 'English' => '0', + 'File::Basename' => '0', + 'File::Spec::Functions' => '0', + 'Scalar::Util' => '0', + 'SelectSaver' => '0', + 'Socket' => '0', + 'Storable' => '0', + 'Test::Builder' => '0', + 'Test::More' => '0.60_01', + 'base' => '0', + }, + PREREQ_PM => { + 'MIME::Base64' => '0', + }, + test => { TESTS => $tests }, + clean => { FILES => join ' ', map fixpath($_), qw( + makecert.out + makecert.err + sslecho.log + tcpecho.log + t/local/ptr_cast_test + examples/cert.pem + examples/key.pem + examples/key.pem.e + examples/*.0 + ) }, + META_MERGE => { + "meta-spec" => { version => 2 }, + dynamic_config => 0, + resources => { + repository => { + type => 'git', + url => 'git://github.com/radiator-software/p5-net-ssleay.git', + web => 'https://github.com/radiator-software/p5-net-ssleay', + }, + bugtracker => { + web => 'https://github.com/radiator-software/p5-net-ssleay/issues', + }, + }, + no_index => { directory => [ qw(helper_script examples) ] }, + prereqs => { + develop => { + requires => { + 'Test::Pod::Coverage' => '1.00', + 'Test::Kwalitee' => '1.00', + }, + }, + }, + }, + ssleay(), +); + +# See if integers are only 32 bits long. If they are, add a flag to +# CCFLAGS. Since OpenSSL 1.1.0, a growing number of APIs are using 64 +# bit integers. This causes a problem if Perl is compiled without 64 +# bit integers. 
DEFINE is not used because Makefile.PL command line +# DEFINE argument is used for enabling compile time PR1 +# etc. debugging. +# +# Note: 32bit integers are treated as the non-default case. When you +# use this define, do it so that 64bit case is the default whenever +# possible. This is safer for future library and Net::SSLeay releases. +$eumm_args{CCFLAGS} = "-DNET_SSLEAY_32BIT_INT_PERL $Config{ccflags}" if !defined $Config{use64bitint} || $Config{use64bitint} ne 'define'; + +# This can go when EU::MM older than 6.58 are gone +$eumm_args{AUTHOR} = join(', ', @{$eumm_args{AUTHOR}}) unless eval { ExtUtils::MakeMaker->VERSION(6.58); }; + +# This can go when EU::MM older than 6.64 are gone +delete $eumm_args{TEST_REQUIRES} unless eval { ExtUtils::MakeMaker->VERSION(6.64); }; + +$eumm_args{DEFINE} = '-DUSE_PPPORT_H' unless $ENV{PERL_CORE}; + +WriteMakefile(%eumm_args); + +sub MY::postamble { +<<"MAKE"; +SSLeay$Config{'obj_ext'} : constants.c + +MAKE +} + +sub ssleay { + my $prefix = find_openssl_prefix(); + my $exec = find_openssl_exec($prefix); + unless (defined $exec && -x $exec) { + print <{inc_path} ) { + my $detail = + 'The libssl header files are required to build Net-SSLeay, but ' + . 'they are missing from ' . $prefix . '. They would typically ' + . 'reside in ' . catfile( $prefix, 'include', 'openssl' ) . '.'; + + if ( $OSNAME eq 'linux' ) { + $detail .= + "\n\n" + . 'If you are using the version of OpenSSL/LibreSSL packaged ' + . 'by your Linux distribution, you may need to install the ' + . 'corresponding "development" package via your package ' + . 'manager (e.g. libssl-dev for OpenSSL on Debian and Ubuntu, ' + . 'or openssl-devel for OpenSSL on Red Hat Enterprise Linux ' + . 
'and Fedora).'; + } + + alert( 'Could not find libssl headers', $detail ); + + exit MISSING_PREREQ; + } + + check_openssl_version($prefix, $exec); + my %args = ( + CCCDLFLAGS => $opts->{cccdlflags}, + OPTIMIZE => $opts->{optimize}, + INC => qq{-I"$opts->{inc_path}"}, + LIBS => join(' ', (map '-L'.maybe_quote($_), @{$opts->{lib_paths}}), (map {"-l$_"} @{$opts->{lib_links}})), + ); + # From HMBRAND to handle multple version of OPENSSL installed + if (my $lp = join " " => map '-L'.maybe_quote($_), @{$opts->{lib_paths} || []}) + { + ($args{uc $_} = $Config{$_}) =~ s/-L/$lp -L/ for qw(lddlflags ldflags); + } + %args; +} + +sub maybe_quote { $_[0] =~ / / ? qq{"$_[0]"} : $_[0] } + +sub ssleay_get_build_opts { + my ($prefix) = @_; + + my $opts = { + lib_links => [], + cccdlflags => '', + }; + + my @try_includes = ( + 'include' => sub { 1 }, + 'inc32' => sub { $OSNAME eq 'MSWin32' }, + ); + + while ( + !defined $opts->{inc_path} + && defined( my $dir = shift @try_includes ) + && defined( my $cond = shift @try_includes ) + ) { + if ( $cond->() && (-f "$prefix/$dir/openssl/ssl.h" + || -f "$prefix/$dir/ssl.h")) { + $opts->{inc_path} = "$prefix/$dir"; + } + } + + # Directory order matters. With macOS Monterey a poisoned dylib is + # returned if the directory exists without the desired + # library. See GH-329 for more information. With Strawberry Perl + # 5.26 and later the paths must be in different order or the link + # phase fails. 
+ my @try_lib_paths = ( + ["$prefix/lib64", "$prefix/lib", "$prefix/out32dll", $prefix] => sub {$OSNAME eq 'darwin' }, + [$prefix, "$prefix/lib64", "$prefix/lib", "$prefix/out32dll"] => sub { 1 }, + ); + + while ( + !defined $opts->{lib_paths} + && defined( my $dirs = shift @try_lib_paths ) + && defined( my $cond = shift @try_lib_paths ) + ) { + if ( $cond->() ) { + foreach my $dir (@{$dirs}) { + push @{$opts->{lib_paths}}, $dir if -d $dir; + } + } + } + + print <{lib_paths} }, "$prefix/lib/VC/static" if -d "$prefix/lib/VC/static"; + } + else { + push @{ $opts->{lib_paths} }, "$prefix/lib/VC" if -d "$prefix/lib/VC"; + } + + my $found = 0; + my @pairs = (); + # Library names depend on the compiler + @pairs = (['eay32','ssl32'],['crypto.dll','ssl.dll'],['crypto','ssl']) if $Config{cc} =~ /gcc/; + @pairs = (['libeay32','ssleay32'],['libeay32MD','ssleay32MD'],['libeay32MT','ssleay32MT'],['libcrypto','libssl'],['crypto','ssl']) if $Config{cc} =~ /cl/; + for my $dir (@{$opts->{lib_paths}}) { + for my $p (@pairs) { + $found = 1 if ($Config{cc} =~ /gcc/ && -f "$dir/lib$p->[0].a" && -f "$dir/lib$p->[1].a"); + $found = 1 if ($Config{cc} =~ /cl/ && -f "$dir/$p->[0].lib" && -f "$dir/$p->[1].lib"); + if ($found) { + $opts->{lib_links} = [$p->[0], $p->[1], 'crypt32']; # Some systems need this system lib crypt32 too + $opts->{lib_paths} = [$dir]; + last; + } + } + } + if (!$found) { + #fallback to the old behaviour + push @{ $opts->{lib_links} }, qw( libeay32MD ssleay32MD libeay32 ssleay32 libssl32 crypt32); + } + } + elsif ($^O eq 'VMS') { + if (-r 'sslroot:[000000]openssl.cnf') { # openssl.org source install + @{ $opts->{lib_paths} } = 'SSLLIB'; + @{ $opts->{lib_links} } = qw( ssl_libssl32.olb ssl_libcrypto32.olb ); + } + elsif (-r 'ssl111$root:[000000]openssl.cnf') { # VSI SSL111 install + @{ $opts->{lib_paths} } = 'SYS$SHARE'; + @{ $opts->{lib_links} } = qw( SSL111$LIBSSL_SHR32 SSL111$LIBCRYPTO_SHR32 ); + } + elsif (-r 'ssl1$root:[000000]openssl.cnf') { # VSI or HPE SSL1 
install + @{ $opts->{lib_paths} } = 'SYS$SHARE'; + @{ $opts->{lib_links} } = qw( SSL1$LIBSSL_SHR32 SSL1$LIBCRYPTO_SHR32 ); + } + elsif (-r 'ssl$root:[000000]openssl.cnf') { # HP install + @{ $opts->{lib_paths} } = 'SYS$SHARE'; + @{ $opts->{lib_links} } = qw( SSL$LIBSSL_SHR32 SSL$LIBCRYPTO_SHR32 ); + } + @{ $opts->{lib_links} } = map { $_ =~ s/32\b//g } @{ $opts->{lib_links} } if $Config{use64bitall}; + } + else { + push @{ $opts->{lib_links} }, qw( ssl crypto z ); + + if (($Config{cc} =~ /aCC/i) && $^O eq 'hpux') { + print "*** Enabling HPUX aCC options (+e)\n"; + $opts->{optimize} = '+e -O2 -g'; + } + + if ( (($Config{ccname} || $Config{cc}) eq 'gcc') && ($Config{cccdlflags} =~ /-fpic/) ) { + print "*** Enabling gcc -fPIC optimization\n"; + $opts->{cccdlflags} .= '-fPIC'; + } + } + return $opts; +} + +my $other_try = 0; +my @nopath; +sub check_no_path { # On OS/2 it would be typically on default paths + my $p; + if (not($other_try++) and $] >= 5.008001) { + use ExtUtils::MM; + my $mm = MM->new(); + my ($list) = $mm->ext("-lssl"); + return unless $list =~ /-lssl\b/; + for $p (split /\Q$Config{path_sep}/, $ENV{PATH}) { + @nopath = ("$p/openssl$Config{_exe}", # exe name + '.') # dummy lib path + if -x "$p/openssl$Config{_exe}" + } + } + @nopath; +} + +sub find_openssl_prefix { + my ($dir) = @_; + + if (defined $ENV{OPENSSL_PREFIX}) { + return $ENV{OPENSSL_PREFIX}; + } + + my @guesses = ( + '/home/linuxbrew/.linuxbrew/opt/openssl/bin/openssl' => '/home/linuxbrew/.linuxbrew/opt/openssl', # LinuxBrew openssl + '/opt/homebrew/opt/openssl/bin/openssl' => '/opt/homebrew/opt/openssl', # macOS ARM homebrew + '/usr/local/opt/openssl/bin/openssl' => '/usr/local/opt/openssl', # OSX homebrew openssl + '/usr/local/bin/openssl' => '/usr/local', # OSX homebrew openssl + '/opt/local/bin/openssl' => '/opt/local', # Macports openssl + '/usr/bin/openssl' => '/usr', + '/usr/sbin/openssl' => '/usr', + '/opt/ssl/bin/openssl' => '/opt/ssl', + '/opt/ssl/sbin/openssl' => '/opt/ssl', + 
'/usr/local/ssl/bin/openssl' => '/usr/local/ssl', + '/usr/local/openssl/bin/openssl' => '/usr/local/openssl', + '/apps/openssl/std/bin/openssl' => '/apps/openssl/std', + '/usr/sfw/bin/openssl' => '/usr/sfw', # Open Solaris + 'C:\OpenSSL\bin\openssl.exe' => 'C:\OpenSSL', + 'C:\OpenSSL-Win32\bin\openssl.exe' => 'C:\OpenSSL-Win32', + $Config{prefix} . '\bin\openssl.exe' => $Config{prefix}, # strawberry perl + $Config{prefix} . '\..\c\bin\openssl.exe' => $Config{prefix} . '\..\c', # strawberry perl + '/sslexe/openssl.exe' => '/sslroot', # VMS, openssl.org + '/ssl111$exe/openssl.exe' => '/ssl111$root',# VMS, VSI install + '/ssl1$exe/openssl.exe' => '/ssl1$root',# VMS, VSI or HPE install + '/ssl$exe/openssl.exe' => '/ssl$root', # VMS, HP install + ); + + while (my $k = shift @guesses + and my $v = shift @guesses) { + if ( -x $k ) { + return $v; + } + } + (undef, $dir) = check_no_path() + and return $dir; + + return; +} + +sub find_openssl_exec { + my ($prefix) = @_; + + my $exe_path; + for my $subdir (qw( bin sbin out32dll x86_64_exe ia64_exe alpha_exe )) { + my $path = File::Spec->catfile($prefix, $subdir, "openssl$Config{_exe}"); + if ( -x $path ) { + return $path; + } + } + ($prefix) = check_no_path() + and return $prefix; + return; +} + +sub check_openssl_version { + my ($prefix, $exec) = @_; + my ( $output, $libssl, $major, $minor, $letter ); + + { + my $pipe = gensym(); + open($pipe, qq{"$exec" version |}) + or die "Could not execute $exec"; + $output = <$pipe>; + chomp $output; + close $pipe; + + if ( ($major, $minor, $letter) = $output =~ /^OpenSSL\s+(\d+\.\d+)\.(\d+)([a-z]?)/ ) { + print "*** Found OpenSSL-${major}.${minor}${letter} installed in $prefix\n"; + $libssl = 'openssl'; + } elsif ( ($major, $minor) = $output =~ /^LibreSSL\s+(\d+\.\d+)(?:\.(\d+))?/ ) { + # LibreSSL 2.0.x releases only identify themselves as "LibreSSL 2.0", + # with no patch release number + if ( !defined $minor ) { + $minor = "x"; + } + print "*** Found LibreSSL-${major}.${minor} 
installed in $prefix\n"; + $libssl = 'libressl'; + } else { + die < 1) { + print <catdir(''); + $text =~ s{\b/}{$sep}g; + return $text; +} + +sub alert { + my ( $err, $detail ) = @_; + + local $Text::Wrap::columns = ALERT_WIDTH - 4; + + print "\n"; + + print '*' x ALERT_WIDTH, "\n"; + print '* ', uc($err), ' ' x ( ALERT_WIDTH - length($err) - 4 ), ' *', "\n"; + print '*', ' ' x ( ALERT_WIDTH - 2 ), '*', "\n"; + + for ( split /\n/, Text::Wrap::wrap( '', '', $detail ) ) { + print '* ', $_, ' ' x ( ALERT_WIDTH - length($_) - 4 ), ' *', "\n"; + } + + print '*' x ALERT_WIDTH, "\n"; +} diff --git a/cpan/Net-SSLeay/SSLeay.xs b/cpan/Net-SSLeay/SSLeay.xs new file mode 100644 index 000000000000..1cbeebadf1e9 --- /dev/null +++ b/cpan/Net-SSLeay/SSLeay.xs 
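Review bot: `check_openssl_version` runs the openssl binary through a shell with a two-argument pipe open, `open($pipe, qq{"$exec" version |})`, and `$exec` is built from `$ENV{OPENSSL_PREFIX}` or directories on `$ENV{PATH}` that are never validated, so a prefix containing a double quote, `$` or a backtick reaches the shell verbatim. The list form bypasses the shell and needs no quoting: `open(my $pipe, '-|', $exec, 'version') or die "Could not execute $exec: $!";`; if one of the supported Windows perls lacks list-form pipe open, keep the shell form only there and reject a prefix that fails `-d` or contains shell metacharacters. `close $pipe` also discards the child's exit status, so a binary that exits non-zero is only caught indirectly by the version regex; `close($pipe) or die "$exec version failed: $?";` reports it directly. The heredoc bodies following `print <` in `ssleay`, `ssleay_get_build_opts` and `check_openssl_version` are not legible on this page, so their text is not reviewed here.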
@@ -0,0 +1,7949 @@
+/* SSLeay.xs - Perl module for using Eric Young's implementation of SSL
+ *
+ * Copyright (c) 1996-2003 Sampo Kellomäki
+ * Copyright (c) 2005-2010 Florian Ragwitz
+ * Copyright (c) 2005-2018 Mike McCauley
+ * Copyright (c) 2018- Chris Novakovic
+ * Copyright (c) 2018- Tuure Vartiainen
+ * Copyright (c) 2018- Heikki Vatiainen
+ *
+ * All rights reserved.
+ *
+ * Change data removed. See Changes
+ *
+ * This module is released under the terms of the Artistic License 2.0. For
+ * details, see the LICENSE file.
+ */
+
+/* ####
+ * #### PLEASE READ THE FOLLOWING RULES BEFORE YOU START EDITING THIS FILE! ####
+ * ####
+ *
+ * Function naming conventions:
+ *
+ * 1/ never change the already existing function names (all calling convention) in a way
+ * that may cause backward incompatibility (e.g. add ALIAS with old name if necessary)
+ *
+ * 2/ it is recommended to keep the original openssl function names for functions that are:
+ *
+ * 1:1 wrappers to the original openssl functions
+ * see for example: X509_get_issuer_name(cert) >> Net::SSLeay::X509_get_issuer_name($cert)
+ *
+ * nearly 1:1 wrappers implementing only necessary "glue" e.g. buffer handling
+ * see for example: RAND_seed(buf,len) >> Net::SSLeay::RAND_seed($buf)
+ *
+ * 3/ OpenSSL functions starting with "SSL_" are added into SSLeay.xs with "SLL_" prefix
+ * (e.g. SSL_CTX_new) but keep in mind that they will be available in Net::SSLeay without
+ * "SSL_" prefix (e.g.
Net::SSLeay::CTX_new) - keep this for all new functions
+ *
+ * 4/ The names of functions which do not fit rule 2/ (which means they implement some non
+ * trivial code around original openssl function or do more complex tasks) should be
+ * prefixed with "P_" - see for example: P_ASN1_TIME_set_isotime
+ *
+ * 5/ Exceptions from rules above:
+ * functions that are part or wider set of already existing function not following this rule
+ * for example: there already exists: PEM_get_string_X509_CRL + PEM_get_string_X509_REQ and you want
+ * to add PEM_get_string_SOMETHING - then no need to follow 3/ (do not prefix with "P_")
+ *
+ * Support for different Perl versions, libssl implementations, platforms, and compilers:
+ *
+ * 1/ Net-SSLeay has a version support policy for Perl and OpenSSL/LibreSSL (described in the
+ * "Prerequisites" section in the README file). The test suite must pass when run on any
+ * of those version combinations.
+ *
+ * 2/ Fix all compiler warnings - we expect 100% clean build
+ *
+ * 3/ If you add a function which is available since certain openssl version
+ * use proper #ifdefs to assure that SSLeay.xs will compile also with older versions
+ * which are missing this function
+ *
+ * 4/ Even warnings arising from different use of "const" in different openssl versions
+ * needs to be hanled with #ifdefs - see for example: X509_NAME_add_entry_by_txt
+ *
+ * 5/ avoid using global C variables (it is very likely to break thread-safetyness)
+ * use rather global MY_CXT structure
+ *
+ * 6/ avoid using any UNIX/POSIX specific functions, keep in mind that SSLeay.xs must
+ * compile also on non-UNIX platforms like MS Windows and others
+ *
+ * 7/ avoid using c++ comments "//" (or other c++ features accepted by some c compiler)
+ * even if your compiler can handle them without warnings
+ *
+ * Passing test suite:
+ *
+ * 1/ any changes to SSLeay.xs must not introduce a failure of existing test suite
+ *
+ * 2/ it is strongly recommended to create
test(s) for newly added function(s), especially
+ * when the new function is not only a 1:1 wrapper but contains a complex code
+ *
+ * 3/ it is mandatory to add a documentation for all newly added functions into SSLeay.pod
+ * otherwise t/local/02_pod_coverage.t fail (and you will be asked to add some doc into
+ * your patch)
+ *
+ * Preferred code layout:
+ *
+ * 1/ for simple 1:1 XS wrappers use:
+ *
+ * a/ functions with short "signature" (short list of args):
+ *
+ * long
+ * SSL_set_tmp_dh(SSL *ssl,DH *dh)
+ *
+ * b/ functions with long "signature" (long list of args):
+ * simply when approach a/ does not fit to 120 columns
+ *
+ * void
+ * SSL_any_functions(library_flag,function_name,reason,file_name,line)
+ * int library_flag
+ * int function_name
+ * int reason
+ * char *file_name
+ * int line
+ *
+ * 2/ for XS functions with full implementation use identation like this:
+ *
+ * int
+ * RAND_bytes(buf, num)
+ * SV *buf
+ * int num
+ * PREINIT:
+ * int rc;
+ * unsigned char *random;
+ * CODE:
+ * / * some code here * /
+ * RETVAL = rc;
+ * OUTPUT:
+ * RETVAL
+ *
+ *
+ * Runtime debugging:
+ *
+ * with TRACE(level,fmt,...) you can output debug messages.
+ * it behaves the same as
+ * warn sprintf($msg,...) if $Net::SSLeay::trace>=$level
+ * would do in Perl (e.g.
it is using also the $Net::SSLeay::trace variable)
+ *
+ *
+ * THE LAST RULE:
+ *
+ * The fact that some parts of SSLeay.xs do not follow the rules above is not
+ * a reason why any new code can also break these rules in the same way
+ *
+ */
+
+/* Prevent warnings about strncpy from Windows compilers */
+#define _CRT_SECURE_NO_DEPRECATE
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+#include "EXTERN.h"
+#include "perl.h"
+#include "XSUB.h"
+#include
+#ifdef USE_PPPORT_H
+# define NEED_newRV_noinc
+# define NEED_sv_2pv_flags
+# define NEED_my_snprintf
+# include "ppport.h"
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+/* OpenSSL-0.9.3a has some strange warning about this in
+ * openssl/des.h
+ */
+#undef _
+
+/* Sigh: openssl 1.0 has
+ typedef void *BLOCK;
+which conflicts with perls
+ typedef struct block BLOCK;
+*/
+#define BLOCK OPENSSL_BLOCK
+#include
+#include
+#include
+#include
+#include
+#include
+#ifndef OPENSSL_NO_COMP
+#include /* openssl-0.9.6a forgets to include this */
+#endif
+#ifndef OPENSSL_NO_MD2
+#include
+#endif
+#ifndef OPENSSL_NO_MD4
+#include
+#endif
+#ifndef OPENSSL_NO_MD5
+#include /* openssl-SNAP-20020227 does not automatically include this */
+#endif
+#if OPENSSL_VERSION_NUMBER >= 0x00905000L
+#include
+#endif
+#include
+#include
+#if OPENSSL_VERSION_NUMBER >= 0x0090700fL
+/* requires 0.9.7+ */
+#ifndef OPENSSL_NO_ENGINE
+#include
+#endif
+#endif
+#ifdef OPENSSL_FIPS
+#include
+#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#include
+#endif
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include
+#endif
+#undef BLOCK
+
+/* Beginning with OpenSSL 3.0.0-alpha17, SSL_CTX_get_options() and
+ * related functions return uint64_t instead of long. For this reason
+ * constant() in constant.c and Net::SSLeay must also be able to
+ * return 64bit constants. However, this creates a problem with Perls
+ * that have only 32 bit integers. The define below helps with
+ * handling this API change.
+ */
+#if (OPENSSL_VERSION_NUMBER < 0x30000000L) || defined(NET_SSLEAY_32BIT_INT_PERL)
+#define NET_SSLEAY_32BIT_CONSTANTS
+#endif
+
+/* Debugging output - to enable use:
+ *
+ * perl Makefile.PL DEFINE=-DSHOW_XS_DEBUG
+ * make
+ *
+ */
+
+#ifdef SHOW_XS_DEBUG
+#define PR1(s) fprintf(stderr,s);
+#define PR2(s,t) fprintf(stderr,s,t);
+#define PR3(s,t,u) fprintf(stderr,s,t,u);
+#define PR4(s,t,u,v) fprintf(stderr,s,t,u,v);
+#else
+#define PR1(s)
+#define PR2(s,t)
+#define PR3(s,t,u)
+#define PR4(s,t,u,v)
+#endif
+
+static void TRACE(int level,char *msg,...) {
+ va_list args;
+ SV *trace = get_sv("Net::SSLeay::trace",0);
+ if (trace && SvIOK(trace) && SvIV(trace)>=level) {
+ char buf[4096];
+ va_start(args,msg);
+ vsnprintf(buf,4095,msg,args);
+ warn("%s",buf);
+ va_end(args);
+ }
+}
+
+#include "constants.c"
+
+/* ============= thread-safety related stuff ============== */
+
+#define MY_CXT_KEY "Net::SSLeay::_guts" XS_VERSION
+
+typedef struct {
+ HV* global_cb_data;
+ UV tid;
+} my_cxt_t;
+START_MY_CXT
+
+#ifdef USE_ITHREADS
+static perl_mutex LIB_init_mutex;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+static perl_mutex *GLOBAL_openssl_mutex = NULL;
+#endif
+#endif
+static int LIB_initialized;
+
+UV get_my_thread_id(void) /* returns threads->tid() value */
+{
+ dSP;
+ UV tid = 0;
+#ifdef USE_ITHREADS
+ int count = 0;
+
+ ENTER;
+ SAVETMPS;
+ PUSHMARK(SP);
+ XPUSHs(sv_2mortal(newSVpv("threads", 0)));
+ PUTBACK;
+ count = call_method("tid", G_SCALAR|G_EVAL);
+ SPAGAIN;
+ /* Caution: recent perls do not appear support threads->tid() */
+ if (SvTRUE(ERRSV) || count != 1)
+ {
+ /* if compatible threads not loaded or an error occurs return 0 */
+ tid = 0;
+ }
+ else
+ tid = (UV)POPi;
+ PUTBACK;
+ FREETMPS;
+ LEAVE;
+#endif
+
+ return tid;
+}
+
+/* IMPORTANT NOTE:
+ * openssl locking was implemented according to http://www.openssl.org/docs/crypto/threads.html
+ * we implement both static and dynamic locking as described on URL above
+ * locking is supported when
OPENSSL_THREADS macro is defined which means openssl-0.9.7 or newer
+ * we intentionally do not implement cleanup of openssl's threading as it causes troubles
+ * with apache-mpm-worker+mod_perl+mod_ssl+net-ssleay
+ */
+#if defined(USE_ITHREADS) && defined(OPENSSL_THREADS)
+
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+static void openssl_locking_function(int mode, int type, const char *file, int line)
+{
+ PR3("openssl_locking_function %d %d\n", mode, type);
+
+ if (!GLOBAL_openssl_mutex) return;
+ if (mode & CRYPTO_LOCK)
+ MUTEX_LOCK(&GLOBAL_openssl_mutex[type]);
+ else
+ MUTEX_UNLOCK(&GLOBAL_openssl_mutex[type]);
+}
+
+#if OPENSSL_VERSION_NUMBER < 0x10000000L
+static unsigned long openssl_threadid_func(void)
+{
+ dMY_CXT;
+ return (unsigned long)(MY_CXT.tid);
+}
+#else
+void openssl_threadid_func(CRYPTO_THREADID *id)
+{
+ dMY_CXT;
+ CRYPTO_THREADID_set_numeric(id, (unsigned long)(MY_CXT.tid));
+}
+#endif
+
+struct CRYPTO_dynlock_value
+{
+ perl_mutex mutex;
+};
+
+struct CRYPTO_dynlock_value * openssl_dynlocking_create_function (const char *file, int line)
+{
+ struct CRYPTO_dynlock_value *retval;
+ New(0, retval, 1, struct CRYPTO_dynlock_value);
+ if (!retval) return NULL;
+ MUTEX_INIT(&retval->mutex);
+ return retval;
+}
+
+void openssl_dynlocking_lock_function (int mode, struct CRYPTO_dynlock_value *l, const char *file, int line)
+{
+ if (!l) return;
+ if (mode & CRYPTO_LOCK)
+ MUTEX_LOCK(&l->mutex);
+ else
+ MUTEX_UNLOCK(&l->mutex);
+}
+
+void openssl_dynlocking_destroy_function (struct CRYPTO_dynlock_value *l, const char *file, int line)
+{
+ if (!l) return;
+ MUTEX_DESTROY(&l->mutex);
+ Safefree(l);
+}
+#endif
+
+void openssl_threads_init(void)
+{
+ int i;
+
+ PR1("STARTED: openssl_threads_init\n");
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ /* initialize static locking */
+ if ( !CRYPTO_get_locking_callback() ) {
+#if OPENSSL_VERSION_NUMBER < 0x10000000L
+ if ( !CRYPTO_get_id_callback() ) {
+#else
+ if ( !CRYPTO_THREADID_get_callback() ) {
+#endif
+
PR2("openssl_threads_init static locking %d\n", CRYPTO_num_locks());
+ New(0, GLOBAL_openssl_mutex, CRYPTO_num_locks(), perl_mutex);
+ if (!GLOBAL_openssl_mutex) return;
+ for (i=0; i= 0x1000000fL
+static void handler_list_md_fn(const EVP_MD *m, const char *from, const char *to, void *arg)
+{
+ /* taken from apps/dgst.c */
+ const char *mname;
+ if (!m) return; /* Skip aliases */
+ mname = OBJ_nid2ln(EVP_MD_type(m));
+ if (strcmp(from, mname)) return; /* Skip shortnames */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ if (EVP_MD_flags(m) & EVP_MD_FLAG_PKEY_DIGEST) return; /* Skip clones */
+#endif
+ if (strchr(mname, ' ')) mname= EVP_MD_name(m);
+ av_push(arg, newSVpv(mname,0));
+}
+#endif
+
+/* ============= callbacks - basic info =============
+ *
+ * PLEASE READ THIS BEFORE YOU ADD ANY NEW CALLBACK!!
+ *
+ * There are basically 2 types of callbacks used in SSLeay:
+ *
+ * 1/ "one-time" callbacks - these are created+used+destroyed within one perl function implemented in XS.
+ * These callbacks use a special C structure simple_cb_data_t to pass necessary data.
+ * There are 2 related helper functions: simple_cb_data_new() + simple_cb_data_free()
+ * For example see implementation of these functions:
+ * - RSA_generate_key
+ * - PEM_read_bio_PrivateKey
+ *
+ * 2/ "advanced" callbacks - these are setup/destroyed by one function but used by another function. These
+ * callbacks use global hash MY_CXT.global_cb_data to store perl functions + data to be uset at callback time.
+ * There are 2 related helper functions: cb_data_advanced_put() + cb_data_advanced_get() for manipulating + * global hash MY_CXT.global_cb_data which work like this: + * cb_data_advanced_put(, "data_name", dataSV) + * >>> + * global_cb_data->{"ptr_"}->{"data_name"} = dataSV) + * or + * data = cb_data_advanced_get(, "data_name") + * >>> + * my $data = global_cb_data->{"ptr_"}->{"data_name"} + * For example see implementation of these functions: + * - SSL_CTX_set_verify + * - SSL_set_verify + * - SSL_CTX_set_cert_verify_callback + * - SSL_CTX_set_default_passwd_cb + * - SSL_CTX_set_default_passwd_cb_userdata + * - SSL_set_session_secret_cb + * + * If you want to add a new callback: + * - you very likely need a new function "your_callback_name_invoke()" + * - decide whether your case fits case 1/ or 2/ (and implement likewise existing functions) + * - try to avoid adding a new style of callback implementation (or ask Net::SSLeay maintainers before) + * + */ + +/* ============= callback stuff - generic functions============== */ + +struct _ssleay_cb_t { + SV* func; + SV* data; +}; +typedef struct _ssleay_cb_t simple_cb_data_t; + +simple_cb_data_t* simple_cb_data_new(SV* func, SV* data) +{ + simple_cb_data_t* cb; + New(0, cb, 1, simple_cb_data_t); + if (cb) { + SvREFCNT_inc(func); + SvREFCNT_inc(data); + cb->func = func; + cb->data = (data == &PL_sv_undef) ? 
NULL : data; + } + return cb; +} + +void simple_cb_data_free(simple_cb_data_t* cb) +{ + if (cb) { + if (cb->func) { + SvREFCNT_dec(cb->func); + cb->func = NULL; + } + if (cb->data) { + SvREFCNT_dec(cb->data); + cb->data = NULL; + } + } + Safefree(cb); +} + +int cb_data_advanced_put(const void *ptr, const char* data_name, SV* data) +{ + HV * L2HV; + SV ** svtmp; + int len; + char key_name[500]; + dMY_CXT; + + len = my_snprintf(key_name, sizeof(key_name), "ptr_%p", ptr); + if (len == sizeof(key_name)) return 0; /* error - key_name too short*/ + + /* get or create level-2 hash */ + svtmp = hv_fetch(MY_CXT.global_cb_data, key_name, strlen(key_name), 0); + if (svtmp == NULL) { + L2HV = newHV(); + hv_store(MY_CXT.global_cb_data, key_name, strlen(key_name), newRV_noinc((SV*)L2HV), 0); + } + else { + if (!SvOK(*svtmp) || !SvROK(*svtmp)) return 0; +#if defined(MUTABLE_PTR) + L2HV = (HV*)MUTABLE_PTR(SvRV(*svtmp)); +#else + L2HV = (HV*)(SvRV(*svtmp)); +#endif + } + + /* first delete already stored value */ + hv_delete(L2HV, data_name, strlen(data_name), G_DISCARD); + if (data!=NULL) { + if (SvOK(data)) + hv_store(L2HV, data_name, strlen(data_name), data, 0); + else + /* we're not storing data so discard it */ + SvREFCNT_dec(data); + } + + return 1; +} + +SV* cb_data_advanced_get(const void *ptr, const char* data_name) +{ + HV * L2HV; + SV ** svtmp; + int len; + char key_name[500]; + dMY_CXT; + + len = my_snprintf(key_name, sizeof(key_name), "ptr_%p", ptr); + if (len == sizeof(key_name)) return &PL_sv_undef; /* return undef on error - key_name too short*/ + + /* get level-2 hash */ + svtmp = hv_fetch(MY_CXT.global_cb_data, key_name, strlen(key_name), 0); + if (svtmp == NULL) return &PL_sv_undef; + if (!SvOK(*svtmp)) return &PL_sv_undef; + if (!SvROK(*svtmp)) return &PL_sv_undef; +#if defined(MUTABLE_PTR) + L2HV = (HV*)MUTABLE_PTR(SvRV(*svtmp)); +#else + L2HV = (HV*)(SvRV(*svtmp)); +#endif + + /* get stored data */ + svtmp = hv_fetch(L2HV, data_name, strlen(data_name), 0); + if 
(svtmp == NULL) return &PL_sv_undef; + if (!SvOK(*svtmp)) return &PL_sv_undef; + + return *svtmp; +} + +int cb_data_advanced_drop(const void *ptr) +{ + int len; + char key_name[500]; + dMY_CXT; + + len = my_snprintf(key_name, sizeof(key_name), "ptr_%p", ptr); + if (len == sizeof(key_name)) return 0; /* error - key_name too short*/ + + hv_delete(MY_CXT.global_cb_data, key_name, strlen(key_name), G_DISCARD); + return 1; +} + +/* ============= callback stuff - invoke functions ============== */ + +static int ssleay_verify_callback_invoke (int ok, X509_STORE_CTX* x509_store) +{ + dSP; + SSL* ssl; + int count = -1, res; + SV *cb_func; + + PR1("STARTED: ssleay_verify_callback_invoke\n"); + ssl = X509_STORE_CTX_get_ex_data(x509_store, SSL_get_ex_data_X509_STORE_CTX_idx()); + cb_func = cb_data_advanced_get(ssl, "ssleay_verify_callback!!func"); + + if (!SvOK(cb_func)) { + SSL_CTX* ssl_ctx = SSL_get_SSL_CTX(ssl); + cb_func = cb_data_advanced_get(ssl_ctx, "ssleay_verify_callback!!func"); + } + + if (!SvOK(cb_func)) + croak("Net::SSLeay: verify_callback called, but not set to point to any perl function.\n"); + + ENTER; + SAVETMPS; + + PR2("verify callback glue ok=%d\n", ok); + + PUSHMARK(sp); + EXTEND( sp, 2 ); + PUSHs( sv_2mortal(newSViv(ok)) ); + PUSHs( sv_2mortal(newSViv(PTR2IV(x509_store))) ); + PUTBACK; + + PR1("About to call verify callback.\n"); + count = call_sv(cb_func, G_SCALAR); + PR1("Returned from verify callback.\n"); + + SPAGAIN; + + if (count != 1) + croak ( "Net::SSLeay: verify_callback perl function did not return a scalar.\n"); + + res = POPi; + + PUTBACK; + FREETMPS; + LEAVE; + + return res; +} + +static int ssleay_ctx_passwd_cb_invoke(char *buf, int size, int rwflag, void *userdata) +{ + dSP; + int count = -1; + char *res; + SV *cb_func, *cb_data; + + PR1("STARTED: ssleay_ctx_passwd_cb_invoke\n"); + cb_func = cb_data_advanced_get(userdata, "ssleay_ctx_passwd_cb!!func"); + cb_data = cb_data_advanced_get(userdata, "ssleay_ctx_passwd_cb!!data"); + + 
if(!SvOK(cb_func)) + croak ("Net::SSLeay: ssleay_ctx_passwd_cb_invoke called, but not set to point to any perl function.\n"); + + ENTER; + SAVETMPS; + + PUSHMARK(sp); + XPUSHs(sv_2mortal(newSViv(rwflag))); + XPUSHs(sv_2mortal(newSVsv(cb_data))); + PUTBACK; + + count = call_sv( cb_func, G_SCALAR ); + + SPAGAIN; + + if (count != 1) + croak("Net::SSLeay: ssleay_ctx_passwd_cb_invoke perl function did not return a scalar.\n"); + + res = POPp; + + if (res == NULL) { + *buf = '\0'; + } else { + strncpy(buf, res, size); + buf[size - 1] = '\0'; + } + + PUTBACK; + FREETMPS; + LEAVE; + + return strlen(buf); +} + +#if OPENSSL_VERSION_NUMBER >= 0x1010006fL /* In OpenSSL 1.1.0 but actually called for $ssl from 1.1.0f */ +#ifndef LIBRESSL_VERSION_NUMBER +#ifndef OPENSSL_IS_BORINGSSL +static int ssleay_ssl_passwd_cb_invoke(char *buf, int size, int rwflag, void *userdata) +{ + dSP; + int count = -1; + char *res; + SV *cb_func, *cb_data; + + PR1("STARTED: ssleay_ssl_passwd_cb_invoke\n"); + cb_func = cb_data_advanced_get(userdata, "ssleay_ssl_passwd_cb!!func"); + cb_data = cb_data_advanced_get(userdata, "ssleay_ssl_passwd_cb!!data"); + + if(!SvOK(cb_func)) + croak ("Net::SSLeay: ssleay_ssl_passwd_cb_invoke called, but not set to point to any perl function.\n"); + + ENTER; + SAVETMPS; + + PUSHMARK(sp); + XPUSHs(sv_2mortal(newSViv(rwflag))); + XPUSHs(sv_2mortal(newSVsv(cb_data))); + PUTBACK; + + count = call_sv( cb_func, G_SCALAR ); + + SPAGAIN; + + if (count != 1) + croak("Net::SSLeay: ssleay_ssl_passwd_cb_invoke perl function did not return a scalar.\n"); + + res = POPp; + + if (res == NULL) { + *buf = '\0'; + } else { + strncpy(buf, res, size); + buf[size - 1] = '\0'; + } + + PUTBACK; + FREETMPS; + LEAVE; + + return strlen(buf); +} +#endif /* !BoringSSL */ +#endif /* !LibreSSL */ +#endif /* >= 1.1.0f */ + +int ssleay_ctx_cert_verify_cb_invoke(X509_STORE_CTX* x509_store_ctx, void* data) +{ + dSP; + int count = -1; + int res; + SV * cb_func, *cb_data; + void *ptr; + SSL *ssl; + + 
PR1("STARTED: ssleay_ctx_cert_verify_cb_invoke\n"); +#if OPENSSL_VERSION_NUMBER < 0x0090700fL + ssl = X509_STORE_CTX_get_ex_data(x509_store_ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); + ptr = (void*) SSL_get_SSL_CTX(ssl); +#else + ssl = NULL; + ptr = (void*) data; +#endif + + cb_func = cb_data_advanced_get(ptr, "ssleay_ctx_cert_verify_cb!!func"); + cb_data = cb_data_advanced_get(ptr, "ssleay_ctx_cert_verify_cb!!data"); + + if(!SvOK(cb_func)) + croak ("Net::SSLeay: ssleay_ctx_cert_verify_cb_invoke called, but not set to point to any perl function.\n"); + + ENTER; + SAVETMPS; + + PUSHMARK(SP); + XPUSHs(sv_2mortal(newSViv(PTR2IV(x509_store_ctx)))); + XPUSHs(sv_2mortal(newSVsv(cb_data))); + PUTBACK; + + count = call_sv(cb_func, G_SCALAR); + + SPAGAIN; + + if (count != 1) + croak("Net::SSLeay: ssleay_ctx_cert_verify_cb_invoke perl function did not return a scalar.\n"); + + res = POPi; + + PUTBACK; + FREETMPS; + LEAVE; + + return res; +} + +#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT) + +int tlsext_servername_callback_invoke(SSL *ssl, int *ad, void *arg) +{ + dSP; + int count = -1; + int res; + SV * cb_func, *cb_data; + + PR1("STARTED: tlsext_servername_callback_invoke\n"); + + cb_func = cb_data_advanced_get(arg, "tlsext_servername_callback!!func"); + cb_data = cb_data_advanced_get(arg, "tlsext_servername_callback!!data"); + + if(!SvOK(cb_func)) + croak ("Net::SSLeay: tlsext_servername_callback_invoke called, but not set to point to any perl function.\n"); + + ENTER; + SAVETMPS; + + PUSHMARK(SP); + XPUSHs(sv_2mortal(newSViv(PTR2IV(ssl)))); + XPUSHs(sv_2mortal(newSVsv(cb_data))); + PUTBACK; + + count = call_sv(cb_func, G_SCALAR); + + SPAGAIN; + + if (count != 1) + croak("Net::SSLeay: tlsext_servername_callback_invoke perl function did not return a scalar.\n"); + + res = POPi; + + PUTBACK; + FREETMPS; + LEAVE; + + return res; +} + +#endif + +#if OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(OPENSSL_NO_TLSEXT) + +int 
tlsext_status_cb_invoke(SSL *ssl, void *arg) +{ + dSP; + SV *cb_func, *cb_data; + SSL_CTX *ctx = SSL_get_SSL_CTX(ssl); + int len,res,nres = -1; + const unsigned char *p = NULL; + OCSP_RESPONSE *ocsp_response = NULL; + + cb_func = cb_data_advanced_get(ctx, "tlsext_status_cb!!func"); + cb_data = cb_data_advanced_get(ctx, "tlsext_status_cb!!data"); + + if ( ! SvROK(cb_func) || (SvTYPE(SvRV(cb_func)) != SVt_PVCV)) + croak ("Net::SSLeay: tlsext_status_cb_invoke called, but not set to point to any perl function.\n"); + + len = SSL_get_tlsext_status_ocsp_resp(ssl, &p); + if (p) ocsp_response = d2i_OCSP_RESPONSE(NULL, &p, len); + + ENTER; + SAVETMPS; + + PUSHMARK(SP); + XPUSHs(sv_2mortal(newSViv(PTR2IV(ssl)))); + PUSHs( sv_2mortal(newSViv(PTR2IV(ocsp_response))) ); + XPUSHs(sv_2mortal(newSVsv(cb_data))); + PUTBACK; + + nres = call_sv(cb_func, G_SCALAR); + if (ocsp_response) OCSP_RESPONSE_free(ocsp_response); + + SPAGAIN; + + if (nres != 1) + croak("Net::SSLeay: tlsext_status_cb_invoke perl function did not return a scalar.\n"); + + res = POPi; + + PUTBACK; + FREETMPS; + LEAVE; + + return res; +} + +int session_ticket_ext_cb_invoke(SSL *ssl, const unsigned char *data, int len, void *arg) +{ + dSP; + SV *cb_func, *cb_data; + int res,nres = -1; + + cb_func = cb_data_advanced_get(arg, "session_ticket_ext_cb!!func"); + cb_data = cb_data_advanced_get(arg, "session_ticket_ext_cb!!data"); + + if ( ! 
SvROK(cb_func) || (SvTYPE(SvRV(cb_func)) != SVt_PVCV)) + croak ("Net::SSLeay: session_ticket_ext_cb_invoke called, but not set to point to any perl function.\n"); + + ENTER; + SAVETMPS; + + PUSHMARK(SP); + XPUSHs(sv_2mortal(newSViv(PTR2IV(ssl)))); + XPUSHs(sv_2mortal(newSVpvn((const char *)data, len))); + XPUSHs(sv_2mortal(newSVsv(cb_data))); + PUTBACK; + + nres = call_sv(cb_func, G_SCALAR); + + SPAGAIN; + + if (nres != 1) + croak("Net::SSLeay: session_ticket_ext_cb_invoke perl function did not return a scalar.\n"); + + res = POPi; + + PUTBACK; + FREETMPS; + LEAVE; + + return res; +} + +#endif + +#if defined(SSL_F_SSL_SET_HELLO_EXTENSION) || defined(SSL_F_SSL_SET_SESSION_TICKET_EXT) + +int ssleay_session_secret_cb_invoke(SSL* s, void* secret, int *secret_len, + STACK_OF(SSL_CIPHER) *peer_ciphers, + const SSL_CIPHER **cipher, void *arg) +{ + dSP; + int count = -1, res, i; + AV *ciphers = newAV(); + SV *pref_cipher = sv_newmortal(); + SV * cb_func, *cb_data; + SV * secretsv; + + PR1("STARTED: ssleay_session_secret_cb_invoke\n"); + cb_func = cb_data_advanced_get(arg, "ssleay_session_secret_cb!!func"); + cb_data = cb_data_advanced_get(arg, "ssleay_session_secret_cb!!data"); + + if(!SvOK(cb_func)) + croak ("Net::SSLeay: ssleay_ctx_passwd_cb_invoke called, but not set to point to any perl function.\n"); + + ENTER; + SAVETMPS; + + PUSHMARK(SP); + secretsv = sv_2mortal( newSVpv(secret, *secret_len)); + XPUSHs(secretsv); + for (i=0; i= 0x10100000L + { + /* Use any new master secret set by the callback function in secret */ + STRLEN newsecretlen; + char* newsecretdata = SvPV(secretsv, newsecretlen); + memcpy(secret, newsecretdata, newsecretlen); + } +#endif + } + + PUTBACK; + FREETMPS; + LEAVE; + + return res; +} + +#endif + +#if OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(OPENSSL_NO_PSK) +#define NET_SSLEAY_CAN_PSK_CLIENT_CALLBACK + +unsigned int ssleay_set_psk_client_callback_invoke(SSL *ssl, const char *hint, + char *identity, unsigned int max_identity_len, + 
unsigned char *psk, unsigned int max_psk_len) +{ + dSP; + int count = -1; + char *identity_val, *psk_val; + unsigned int psk_len = 0; + BIGNUM *psk_bn = NULL; + SV * cb_func; + SV * hintsv; + /* this n_a is required for building with old perls: */ + STRLEN n_a; + + PR1("STARTED: ssleay_set_psk_client_callback_invoke\n"); + cb_func = cb_data_advanced_get(ssl, "ssleay_set_psk_client_callback!!func"); + + if(!SvOK(cb_func)) + croak ("Net::SSLeay: ssleay_set_psk_client_callback_invoke called, but not set to point to any perl function.\n"); + + ENTER; + SAVETMPS; + + PUSHMARK(SP); + if (hint != NULL) { + hintsv = sv_2mortal( newSVpv(hint, strlen(hint))); + XPUSHs(hintsv); + } + + PUTBACK; + + count = call_sv( cb_func, G_ARRAY ); + + SPAGAIN; + + if (count != 2) + croak ("Net::SSLeay: ssleay_set_psk_client_callback_invoke perl function did not return 2 values.\n"); + + psk_val = POPpx; + identity_val = POPpx; + + my_snprintf(identity, max_identity_len, "%s", identity_val); + + if (BN_hex2bn(&psk_bn, psk_val) > 0) { + if (BN_num_bytes(psk_bn) <= max_psk_len) { + psk_len = BN_bn2bin(psk_bn, psk); + } + BN_free(psk_bn); + } + + PUTBACK; + FREETMPS; + LEAVE; + + return psk_len; +} + +unsigned int ssleay_ctx_set_psk_client_callback_invoke(SSL *ssl, const char *hint, + char *identity, unsigned int max_identity_len, + unsigned char *psk, unsigned int max_psk_len) +{ + dSP; + SSL_CTX *ctx; + int count = -1; + char *identity_val, *psk_val; + unsigned int psk_len = 0; + BIGNUM *psk_bn = NULL; + SV * cb_func; + SV * hintsv; + /* this n_a is required for building with old perls: */ + STRLEN n_a; + + ctx = SSL_get_SSL_CTX(ssl); + + PR1("STARTED: ssleay_ctx_set_psk_client_callback_invoke\n"); + cb_func = cb_data_advanced_get(ctx, "ssleay_ctx_set_psk_client_callback!!func"); + + if(!SvOK(cb_func)) + croak ("Net::SSLeay: ssleay_ctx_set_psk_client_callback_invoke called, but not set to point to any perl function.\n"); + + ENTER; + SAVETMPS; + + PUSHMARK(SP); + if (hint != NULL) { + 
hintsv = sv_2mortal( newSVpv(hint, strlen(hint))); + XPUSHs(hintsv); + } + + PUTBACK; + + count = call_sv( cb_func, G_ARRAY ); + + SPAGAIN; + + if (count != 2) + croak ("Net::SSLeay: ssleay_ctx_set_psk_client_callback_invoke perl function did not return 2 values.\n"); + + psk_val = POPpx; + identity_val = POPpx; + + my_snprintf(identity, max_identity_len, "%s", identity_val); + + if (BN_hex2bn(&psk_bn, psk_val) > 0) { + if (BN_num_bytes(psk_bn) <= max_psk_len) { + psk_len = BN_bn2bin(psk_bn, psk); + } + BN_free(psk_bn); + } + + PUTBACK; + FREETMPS; + LEAVE; + + return psk_len; +} + +#endif + +#if (OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG)) || (OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_TLSEXT)) + +int next_proto_helper_AV2protodata(AV * list, unsigned char *out) +{ + int i, last_index, ptr = 0; + last_index = av_len(list); + if (last_index<0) return 0; + for(i=0; i<=last_index; i++) { + char *p = SvPV_nolen(*av_fetch(list, i, 0)); + size_t len = strlen(p); + if (len>255) return 0; + if (out) { + /* if out == NULL we only calculate the length of output */ + out[ptr] = (unsigned char)len; + strncpy((char*)out+ptr+1, p, len); + } + ptr += strlen(p) + 1; + } + return ptr; +} + +int next_proto_helper_protodata2AV(AV * list, const unsigned char *in, unsigned int inlen) +{ + unsigned int i = 0; + unsigned char il; + if (!list || inlen<2) return 0; + while (i inlen) return 0; + av_push(list, newSVpv((const char*)in+i, il)); + i += il; + } + return 1; +} + +#endif + +#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) && !defined(LIBRESSL_VERSION_NUMBER) + +int next_proto_select_cb_invoke(SSL *ssl, unsigned char **out, unsigned char *outlen, + const unsigned char *in, unsigned int inlen, void *arg) +{ + SV *cb_func, *cb_data; + unsigned char *next_proto_data; + size_t next_proto_len; + int next_proto_status; + SSL_CTX *ctx = SSL_get_SSL_CTX(ssl); + /* this n_a is required for building with old 
perls: */ + STRLEN n_a; + + PR1("STARTED: next_proto_select_cb_invoke\n"); + cb_func = cb_data_advanced_get(ctx, "next_proto_select_cb!!func"); + cb_data = cb_data_advanced_get(ctx, "next_proto_select_cb!!data"); + /* clear last_status value = store undef */ + cb_data_advanced_put(ssl, "next_proto_select_cb!!last_status", NULL); + cb_data_advanced_put(ssl, "next_proto_select_cb!!last_negotiated", NULL); + + if (SvROK(cb_func) && (SvTYPE(SvRV(cb_func)) == SVt_PVCV)) { + int count = -1; + AV *list = newAV(); + SV *tmpsv; + dSP; + + if (!next_proto_helper_protodata2AV(list, in, inlen)) return SSL_TLSEXT_ERR_ALERT_FATAL; + + ENTER; + SAVETMPS; + PUSHMARK(SP); + XPUSHs(sv_2mortal(newSViv(PTR2IV(ssl)))); + XPUSHs(sv_2mortal(newRV_inc((SV*)list))); + XPUSHs(sv_2mortal(newSVsv(cb_data))); + PUTBACK; + count = call_sv( cb_func, G_ARRAY ); + SPAGAIN; + if (count != 2) + croak ("Net::SSLeay: next_proto_select_cb_invoke perl function did not return 2 values.\n"); + next_proto_data = (unsigned char*)POPpx; + next_proto_status = POPi; + + next_proto_len = strlen((const char*)next_proto_data); + if (next_proto_len<=255) { + /* store last_status + last_negotiated into global hash */ + cb_data_advanced_put(ssl, "next_proto_select_cb!!last_status", newSViv(next_proto_status)); + tmpsv = newSVpv((const char*)next_proto_data, next_proto_len); + cb_data_advanced_put(ssl, "next_proto_select_cb!!last_negotiated", tmpsv); + *out = (unsigned char *)SvPVX(tmpsv); + *outlen = next_proto_len; + } + + PUTBACK; + FREETMPS; + LEAVE; + + return next_proto_len>255 ? 
SSL_TLSEXT_ERR_ALERT_FATAL : SSL_TLSEXT_ERR_OK; + } + else if (SvROK(cb_data) && (SvTYPE(SvRV(cb_data)) == SVt_PVAV)) { + next_proto_len = next_proto_helper_AV2protodata((AV*)SvRV(cb_data), NULL); + Newx(next_proto_data, next_proto_len, unsigned char); + if (!next_proto_data) return SSL_TLSEXT_ERR_ALERT_FATAL; + next_proto_len = next_proto_helper_AV2protodata((AV*)SvRV(cb_data), next_proto_data); + + next_proto_status = SSL_select_next_proto(out, outlen, in, inlen, next_proto_data, next_proto_len); + Safefree(next_proto_data); + if (next_proto_status != OPENSSL_NPN_NEGOTIATED) { + *outlen = *in; + *out = (unsigned char *)in+1; + } + + /* store last_status + last_negotiated into global hash */ + cb_data_advanced_put(ssl, "next_proto_select_cb!!last_status", newSViv(next_proto_status)); + cb_data_advanced_put(ssl, "next_proto_select_cb!!last_negotiated", newSVpv((const char*)*out, *outlen)); + return SSL_TLSEXT_ERR_OK; + } + return SSL_TLSEXT_ERR_ALERT_FATAL; +} + +int next_protos_advertised_cb_invoke(SSL *ssl, const unsigned char **out, unsigned int *outlen, void *arg_unused) +{ + SV *cb_func, *cb_data; + unsigned char *protodata = NULL; + unsigned short protodata_len = 0; + SV *tmpsv; + AV *tmpav; + SSL_CTX *ctx = SSL_get_SSL_CTX(ssl); + + PR1("STARTED: next_protos_advertised_cb_invoke"); + cb_func = cb_data_advanced_get(ctx, "next_protos_advertised_cb!!func"); + cb_data = cb_data_advanced_get(ctx, "next_protos_advertised_cb!!data"); + + if (SvROK(cb_func) && (SvTYPE(SvRV(cb_func)) == SVt_PVCV)) { + int count = -1; + dSP; + ENTER; + SAVETMPS; + PUSHMARK(SP); + XPUSHs(sv_2mortal(newSViv(PTR2IV(ssl)))); + XPUSHs(sv_2mortal(newSVsv(cb_data))); + PUTBACK; + count = call_sv( cb_func, G_SCALAR ); + SPAGAIN; + if (count != 1) + croak ("Net::SSLeay: next_protos_advertised_cb_invoke perl function did not return scalar value.\n"); + tmpsv = POPs; + if (SvOK(tmpsv) && SvROK(tmpsv) && (SvTYPE(SvRV(tmpsv)) == SVt_PVAV)) { + tmpav = (AV*)SvRV(tmpsv); + protodata_len = 
next_proto_helper_AV2protodata(tmpav, NULL); + Newx(protodata, protodata_len, unsigned char); + if (protodata) next_proto_helper_AV2protodata(tmpav, protodata); + } + PUTBACK; + FREETMPS; + LEAVE; + } + else if (SvROK(cb_data) && (SvTYPE(SvRV(cb_data)) == SVt_PVAV)) { + tmpav = (AV*)SvRV(cb_data); + protodata_len = next_proto_helper_AV2protodata(tmpav, NULL); + Newx(protodata, protodata_len, unsigned char); + if (protodata) next_proto_helper_AV2protodata(tmpav, protodata); + } + if (protodata) { + tmpsv = newSVpv((const char*)protodata, protodata_len); + Safefree(protodata); + cb_data_advanced_put(ssl, "next_protos_advertised_cb!!last_advertised", tmpsv); + *out = (unsigned char *)SvPVX(tmpsv); + *outlen = protodata_len; + return SSL_TLSEXT_ERR_OK; + } + return SSL_TLSEXT_ERR_ALERT_FATAL; +} + +#endif + +#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_TLSEXT) + +int alpn_select_cb_invoke(SSL *ssl, const unsigned char **out, unsigned char *outlen, + const unsigned char *in, unsigned int inlen, void *arg) +{ + SV *cb_func, *cb_data; + unsigned char *alpn_data; + size_t alpn_len; + SSL_CTX *ctx = SSL_get_SSL_CTX(ssl); + + PR1("STARTED: alpn_select_cb_invoke\n"); + cb_func = cb_data_advanced_get(ctx, "alpn_select_cb!!func"); + cb_data = cb_data_advanced_get(ctx, "alpn_select_cb!!data"); + + if (SvROK(cb_func) && (SvTYPE(SvRV(cb_func)) == SVt_PVCV)) { + int count = -1; + AV *list = newAV(); + SV *tmpsv; + SV *alpn_data_sv; + dSP; + + if (!next_proto_helper_protodata2AV(list, in, inlen)) return SSL_TLSEXT_ERR_ALERT_FATAL; + + ENTER; + SAVETMPS; + PUSHMARK(SP); + XPUSHs(sv_2mortal(newSViv(PTR2IV(ssl)))); + XPUSHs(sv_2mortal(newRV_inc((SV*)list))); + XPUSHs(sv_2mortal(newSVsv(cb_data))); + PUTBACK; + count = call_sv( cb_func, G_ARRAY ); + SPAGAIN; + if (count != 1) + croak ("Net::SSLeay: alpn_select_cb perl function did not return exactly 1 value.\n"); + alpn_data_sv = POPs; + if (SvOK(alpn_data_sv)) { + alpn_data = (unsigned 
char*)SvPV_nolen(alpn_data_sv); + alpn_len = strlen((const char*)alpn_data); + if (alpn_len <= 255) { + tmpsv = newSVpv((const char*)alpn_data, alpn_len); + *out = (unsigned char *)SvPVX(tmpsv); + *outlen = alpn_len; + } + } else { + alpn_data = NULL; + alpn_len = 0; + } + PUTBACK; + FREETMPS; + LEAVE; + + if (alpn_len>255) return SSL_TLSEXT_ERR_ALERT_FATAL; + return alpn_data ? SSL_TLSEXT_ERR_OK : SSL_TLSEXT_ERR_NOACK; + } + else if (SvROK(cb_data) && (SvTYPE(SvRV(cb_data)) == SVt_PVAV)) { + int status; + + alpn_len = next_proto_helper_AV2protodata((AV*)SvRV(cb_data), NULL); + Newx(alpn_data, alpn_len, unsigned char); + if (!alpn_data) return SSL_TLSEXT_ERR_ALERT_FATAL; + alpn_len = next_proto_helper_AV2protodata((AV*)SvRV(cb_data), alpn_data); + + /* This is the same function that is used for NPN. */ + status = SSL_select_next_proto((unsigned char **)out, outlen, in, inlen, alpn_data, alpn_len); + Safefree(alpn_data); + if (status != OPENSSL_NPN_NEGOTIATED) { + *outlen = *in; + *out = in+1; + } + return status == OPENSSL_NPN_NEGOTIATED ? 
SSL_TLSEXT_ERR_OK : SSL_TLSEXT_ERR_NOACK; + } + return SSL_TLSEXT_ERR_ALERT_FATAL; +} + +#endif + +int pem_password_cb_invoke(char *buf, int bufsize, int rwflag, void *data) { + dSP; + char *str; + int count = -1; + size_t str_len = 0; + simple_cb_data_t* cb = (simple_cb_data_t*)data; + /* this n_a is required for building with old perls: */ + STRLEN n_a; + + PR1("STARTED: pem_password_cb_invoke\n"); + if (cb->func && SvOK(cb->func)) { + ENTER; + SAVETMPS; + + PUSHMARK(sp); + + XPUSHs(sv_2mortal( newSViv(bufsize-1) )); + XPUSHs(sv_2mortal( newSViv(rwflag) )); + if (cb->data) XPUSHs( cb->data ); + + PUTBACK; + + count = call_sv( cb->func, G_SCALAR ); + + SPAGAIN; + + buf[0] = 0; /* start with an empty password */ + if (count != 1) { + croak("Net::SSLeay: pem_password_cb_invoke perl function did not return a scalar.\n"); + } + else { + str = POPpx; + str_len = strlen(str); + if (str_len+1 < bufsize) { + strcpy(buf, str); + } + else { + str_len = 0; + warn("Net::SSLeay: pem_password_cb_invoke password too long\n"); + } + } + + PUTBACK; + FREETMPS; + LEAVE; + } + return str_len; +} + +void ssleay_RSA_generate_key_cb_invoke(int i, int n, void* data) +{ + dSP; + int count = -1; + simple_cb_data_t* cb = (simple_cb_data_t*)data; + + /* PR1("STARTED: ssleay_RSA_generate_key_cb_invoke\n"); / * too noisy */ + if (cb->func && SvOK(cb->func)) { + ENTER; + SAVETMPS; + + PUSHMARK(sp); + + XPUSHs(sv_2mortal( newSViv(i) )); + XPUSHs(sv_2mortal( newSViv(n) )); + if (cb->data) XPUSHs( cb->data ); + + PUTBACK; + + count = call_sv( cb->func, G_VOID|G_DISCARD ); + + if (count != 0) + croak ("Net::SSLeay: ssleay_RSA_generate_key_cb_invoke " + "perl function did return something in void context.\n"); + + SPAGAIN; + FREETMPS; + LEAVE; + } +} + +void ssleay_info_cb_invoke(const SSL *ssl, int where, int ret) +{ + dSP; + SV *cb_func, *cb_data; + + cb_func = cb_data_advanced_get((void*)ssl, "ssleay_info_cb!!func"); + cb_data = cb_data_advanced_get((void*)ssl, "ssleay_info_cb!!data"); + + if ( 
! SvROK(cb_func) || (SvTYPE(SvRV(cb_func)) != SVt_PVCV)) + croak ("Net::SSLeay: ssleay_info_cb_invoke called, but not set to point to any perl function.\n"); + + ENTER; + SAVETMPS; + + PUSHMARK(SP); + XPUSHs(sv_2mortal(newSViv(PTR2IV(ssl)))); + XPUSHs(sv_2mortal(newSViv(where)) ); + XPUSHs(sv_2mortal(newSViv(ret)) ); + XPUSHs(sv_2mortal(newSVsv(cb_data))); + PUTBACK; + + call_sv(cb_func, G_VOID); + + SPAGAIN; + PUTBACK; + FREETMPS; + LEAVE; +} + +void ssleay_ctx_info_cb_invoke(const SSL *ssl, int where, int ret) +{ + dSP; + SV *cb_func, *cb_data; + SSL_CTX *ctx = SSL_get_SSL_CTX(ssl); + + cb_func = cb_data_advanced_get(ctx, "ssleay_ctx_info_cb!!func"); + cb_data = cb_data_advanced_get(ctx, "ssleay_ctx_info_cb!!data"); + + if ( ! SvROK(cb_func) || (SvTYPE(SvRV(cb_func)) != SVt_PVCV)) + croak ("Net::SSLeay: ssleay_ctx_info_cb_invoke called, but not set to point to any perl function.\n"); + + ENTER; + SAVETMPS; + + PUSHMARK(SP); + XPUSHs(sv_2mortal(newSViv(PTR2IV(ssl)))); + XPUSHs(sv_2mortal(newSViv(where)) ); + XPUSHs(sv_2mortal(newSViv(ret)) ); + XPUSHs(sv_2mortal(newSVsv(cb_data))); + PUTBACK; + + call_sv(cb_func, G_VOID); + + SPAGAIN; + PUTBACK; + FREETMPS; + LEAVE; +} + +void ssleay_msg_cb_invoke(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg) +{ + dSP; + SV *cb_func, *cb_data; + + cb_func = cb_data_advanced_get(ssl, "ssleay_msg_cb!!func"); + cb_data = cb_data_advanced_get(ssl, "ssleay_msg_cb!!data"); + + if ( ! 
SvROK(cb_func) || (SvTYPE(SvRV(cb_func)) != SVt_PVCV)) + croak ("Net::SSLeay: ssleay_msg_cb_invoke called, but not set to point to any perl function.\n"); + + ENTER; + SAVETMPS; + + PUSHMARK(SP); + XPUSHs(sv_2mortal(newSViv(write_p))); + XPUSHs(sv_2mortal(newSViv(version))); + XPUSHs(sv_2mortal(newSViv(content_type))); + XPUSHs(sv_2mortal(newSVpv((const char*)buf, len))); + XPUSHs(sv_2mortal(newSViv(len))); + XPUSHs(sv_2mortal(newSViv(PTR2IV(ssl)))); + XPUSHs(sv_2mortal(newSVsv(cb_data))); + PUTBACK; + + call_sv(cb_func, G_VOID); + + SPAGAIN; + PUTBACK; + FREETMPS; + LEAVE; +} + +void ssleay_ctx_msg_cb_invoke(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg) +{ + dSP; + SV *cb_func, *cb_data; + SSL_CTX *ctx = SSL_get_SSL_CTX(ssl); + + cb_func = cb_data_advanced_get(ctx, "ssleay_ctx_msg_cb!!func"); + cb_data = cb_data_advanced_get(ctx, "ssleay_ctx_msg_cb!!data"); + + if ( ! SvROK(cb_func) || (SvTYPE(SvRV(cb_func)) != SVt_PVCV)) + croak ("Net::SSLeay: ssleay_ctx_msg_cb_invoke called, but not set to point to any perl function.\n"); + + ENTER; + SAVETMPS; + + PUSHMARK(SP); + XPUSHs(sv_2mortal(newSViv(write_p))); + XPUSHs(sv_2mortal(newSViv(version))); + XPUSHs(sv_2mortal(newSViv(content_type))); + XPUSHs(sv_2mortal(newSVpv((const char*)buf, len))); + XPUSHs(sv_2mortal(newSViv(len))); + XPUSHs(sv_2mortal(newSViv(PTR2IV(ssl)))); + XPUSHs(sv_2mortal(newSVsv(cb_data))); + PUTBACK; + + call_sv(cb_func, G_VOID); + + SPAGAIN; + PUTBACK; + FREETMPS; + LEAVE; +} + +/* + * Support for tlsext_ticket_key_cb_invoke was already in 0.9.8 but it was + * broken in various ways during the various 1.0.0* versions. + * Better enable it only starting with 1.0.1. 
+*/ +#if defined(SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB) && OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_TLSEXT) +#define NET_SSLEAY_CAN_TICKET_KEY_CB + +int tlsext_ticket_key_cb_invoke( + SSL *ssl, + unsigned char *key_name, + unsigned char *iv, + EVP_CIPHER_CTX *ectx, + HMAC_CTX *hctx, + int enc +){ + + dSP; + int count,usable_rv_count,hmac_key_len = 0; + SV *cb_func, *cb_data; + STRLEN svlen; + unsigned char key[48]; /* key[0..15] aes, key[16..32] or key[16..48] hmac */ + unsigned char name[16]; + SSL_CTX *ctx = SSL_get_SSL_CTX(ssl); + + PR1("STARTED: tlsext_ticket_key_cb_invoke\n"); + cb_func = cb_data_advanced_get(ctx, "tlsext_ticket_key_cb!!func"); + cb_data = cb_data_advanced_get(ctx, "tlsext_ticket_key_cb!!data"); + + if (!SvROK(cb_func) || (SvTYPE(SvRV(cb_func)) != SVt_PVCV)) + croak("callback must be a code reference"); + + ENTER; + SAVETMPS; + PUSHMARK(SP); + + XPUSHs(sv_2mortal(newSVsv(cb_data))); + + if (!enc) { + /* call as getkey(data,this_name) -> (key,current_name) */ + XPUSHs(sv_2mortal(newSVpv((const char *)key_name,16))); + } else { + /* call as getkey(data) -> (key,current_name) */ + } + + PUTBACK; + + count = call_sv( cb_func, G_ARRAY ); + + SPAGAIN; + + if (count>2) + croak("too much return values - only (name,key) should be returned"); + + usable_rv_count = 0; + if (count>0) { + SV *sname = POPs; + if (SvOK(sname)) { + unsigned char *pname = (unsigned char *)SvPV(sname,svlen); + if (svlen > 16) + croak("name must be at at most 16 bytes, got %d",(int)svlen); + if (svlen == 0) + croak("name should not be empty"); + OPENSSL_cleanse(name, 16); + memcpy(name,pname,svlen); + usable_rv_count++; + } + } + if (count>1) { + SV *skey = POPs; + if (SvOK(skey)) { + unsigned char *pkey = (unsigned char *)SvPV(skey,svlen); + if (svlen != 32 && svlen != 48) + croak("key must be 32 or 48 random bytes, got %d",(int)svlen); + hmac_key_len = (int)svlen - 16; + memcpy(key,pkey,(int)svlen); + usable_rv_count++; + } + } + + PUTBACK; + FREETMPS; + LEAVE; 
+ + if (!enc && usable_rv_count == 0) { + TRACE(2,"no key returned for ticket"); + return 0; + } + if (usable_rv_count != 2) + croak("key functions needs to return (key,name)"); + + if (enc) { + /* encrypt ticket information with given key */ + RAND_bytes(iv, 16); + EVP_EncryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, key, iv); + HMAC_Init_ex(hctx,key+16,hmac_key_len,EVP_sha256(),NULL); + memcpy(key_name,name,16); + return 1; + + } else { + HMAC_Init_ex(hctx,key+16,hmac_key_len,EVP_sha256(),NULL); + EVP_DecryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, key, iv); + + if (memcmp(name,key_name,16) == 0) + return 1; /* current key was used */ + else + return 2; /* different key was used, need to be renewed */ + } +} + +#endif + +int ssleay_ssl_ctx_sess_new_cb_invoke(struct ssl_st *ssl, SSL_SESSION *sess) +{ + dSP; + int count, remove; + SSL_CTX *ctx; + SV *cb_func; + + PR1("STARTED: ssleay_ssl_ctx_sess_new_cb_invoke\n"); + ctx = SSL_get_SSL_CTX(ssl); + cb_func = cb_data_advanced_get(ctx, "ssleay_ssl_ctx_sess_new_cb!!func"); + + if(!SvOK(cb_func)) + croak ("Net::SSLeay: ssleay_ssl_ctx_sess_new_cb_invoke called, but not set to point to any perl function.\n"); + + ENTER; + SAVETMPS; + + PUSHMARK(sp); + XPUSHs(sv_2mortal(newSViv(PTR2IV(ssl)))); + XPUSHs(sv_2mortal(newSViv(PTR2IV(sess)))); + PUTBACK; + + count = call_sv(cb_func, G_SCALAR); + + SPAGAIN; + + if (count != 1) + croak("Net::SSLeay: ssleay_ssl_ctx_sess_new_cb_invoke perl function did not return a scalar\n"); + + remove = POPi; + + PUTBACK; + FREETMPS; + LEAVE; + + return remove; +} + +void ssleay_ssl_ctx_sess_remove_cb_invoke(SSL_CTX *ctx, SSL_SESSION *sess) +{ + dSP; + SV *cb_func; + + PR1("STARTED: ssleay_ssl_ctx_sess_remove_cb_invoke\n"); + cb_func = cb_data_advanced_get(ctx, "ssleay_ssl_ctx_sess_remove_cb!!func"); + + if(!SvOK(cb_func)) + croak ("Net::SSLeay: ssleay_ssl_ctx_sess_remove_cb_invoke called, but not set to point to any perl function.\n"); + + ENTER; + SAVETMPS; + + PUSHMARK(sp); + 
XPUSHs(sv_2mortal(newSViv(PTR2IV(ctx)))); + XPUSHs(sv_2mortal(newSViv(PTR2IV(sess)))); + PUTBACK; + + call_sv(cb_func, G_VOID); + + SPAGAIN; + + PUTBACK; + FREETMPS; + LEAVE; +} + +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +int ossl_provider_do_all_cb_invoke(OSSL_PROVIDER *provider, void *cbdata) { + dSP; + int ret = 1; + int count = -1; + simple_cb_data_t *cb = cbdata; + + PR1("STARTED: ossl_provider_do_all_cb_invoke\n"); + if (cb->func && SvOK(cb->func)) { + ENTER; + SAVETMPS; + + PUSHMARK(SP); + XPUSHs(sv_2mortal(newSViv(PTR2IV(provider)))); + if (cb->data) XPUSHs(cb->data); + + PUTBACK; + + count = call_sv(cb->func, G_SCALAR); + + SPAGAIN; + + if (count != 1) + croak("Net::SSLeay: ossl_provider_do_all_cb_invoke perl function did not return a scalar\n"); + + ret = POPi; + + PUTBACK; + FREETMPS; + LEAVE; + } + + return ret; +} +#endif + +#if OPENSSL_VERSION_NUMBER >= 0x10101001 && !defined(LIBRESSL_VERSION_NUMBER) +void ssl_ctx_keylog_cb_func_invoke(const SSL *ssl, const char *line) +{ + dSP; + SV *cb_func, *cb_data; + SSL_CTX *ctx = SSL_get_SSL_CTX(ssl); + + PR1("STARTED: ssl_ctx_keylog_cb_func_invoke\n"); + cb_func = cb_data_advanced_get(ctx, "ssleay_ssl_ctx_keylog_callback!!func"); + + if(!SvOK(cb_func)) + croak ("Net::SSLeay: ssl_ctx_keylog_cb_func_invoke called, but not set to point to any perl function.\n"); + + ENTER; + SAVETMPS; + + PUSHMARK(SP); + XPUSHs(sv_2mortal(newSViv(PTR2IV(ssl)))); + XPUSHs(sv_2mortal(newSVpv(line, 0))); + + PUTBACK; + + call_sv(cb_func, G_VOID); + + SPAGAIN; + PUTBACK; + FREETMPS; + LEAVE; + + return; +} +#endif + +/* ============= end of callback stuff, begin helper functions ============== */ + +time_t ASN1_TIME_timet(ASN1_TIME *asn1t, time_t *gmtoff) { + struct tm t; + const char *p = (const char*) asn1t->data; + size_t msec = 0, tz = 0, i, l; + time_t result; + int adj = 0; + + if (asn1t->type == V_ASN1_UTCTIME) { + if (asn1t->length<12 || asn1t->length>17) return 0; + if (asn1t->length>12) tz = 12; + } else { + if 
(asn1t->length<14) return 0; + if (asn1t->length>14) { + if (p[14] == '.') { + msec = 14; + for(i=msec+1;ilength && p[i]>='0' && p[i]<='9';i++) ; + if (ilength) tz = i; + } else { + tz = 14; + } + } + } + + l = msec ? msec : tz ? tz : asn1t->length; + for(i=0;i'9') return 0; + } + + /* extract data and time */ + OPENSSL_cleanse(&t, sizeof(t)); + if (asn1t->type == V_ASN1_UTCTIME) { /* YY - two digit year */ + t.tm_year = (p[0]-'0')*10 + (p[1]-'0'); + if (t.tm_year < 70) t.tm_year += 100; + i=2; + } else { /* YYYY */ + t.tm_year = (p[0]-'0')*1000 + (p[1]-'0')*100 + (p[2]-'0')*10 + p[3]-'0'; + t.tm_year -= 1900; + i=4; + } + t.tm_mon = (p[i+0]-'0')*10 + (p[i+1]-'0') -1; /* MM, starts with 0 in tm */ + t.tm_mday = (p[i+2]-'0')*10 + (p[i+3]-'0'); /* DD */ + t.tm_hour = (p[i+4]-'0')*10 + (p[i+5]-'0'); /* hh */ + t.tm_min = (p[i+6]-'0')*10 + (p[i+7]-'0'); /* mm */ + t.tm_sec = (p[i+8]-'0')*10 + (p[i+9]-'0'); /* ss */ + + /* skip msec, because time_t does not support it */ + + if (tz) { + /* TZ is 'Z' or [+-]DDDD and after TZ the string must stop*/ + if (p[tz] == 'Z') { + if (asn1t->length>tz+1 ) return 0; + } else if (asn1t->lengthlength>tz+5 ) return 0; + for(i=tz+1;i'9') return 0; + } + adj = ((p[tz+1]-'0')*10 + (p[tz+2]-'0'))*3600 + + ((p[tz+3]-'0')*10 + (p[tz+4]-'0'))*60; + if (p[tz]=='+') adj*= -1; /* +0500: subtract 5 hours to get UTC */ + } + } + + result = mktime(&t); + if (result == -1) return 0; /* broken time */ + result += adj; + if (gmtoff && *gmtoff == -1) { + *gmtoff = result - mktime(gmtime(&result)); + result += *gmtoff; + } else { + result += result - mktime(gmtime(&result)); + } + return result; +} + +X509 * find_issuer(X509 *cert,X509_STORE *store, STACK_OF(X509) *chain) { + int i; + X509 *issuer = NULL; + + /* search first in the chain */ + if (chain) { + for(i=0;i= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) + +unsigned long +OpenSSL_version_num() + +const char * +OpenSSL_version(t=OPENSSL_VERSION) + 
int t + +#endif /* OpenSSL 1.1.0 */ + +#if (OPENSSL_VERSION_MAJOR >= 3) + +unsigned int +OPENSSL_version_major() + +unsigned int +OPENSSL_version_minor() + +unsigned int +OPENSSL_version_patch() + +const char * +OPENSSL_version_pre_release() + +const char * +OPENSSL_version_build_metadata() + +const char * +OPENSSL_info(int t) + +#endif + +#define REM1 "============= SSL CONTEXT functions ==============" + +SSL_CTX * +SSL_CTX_new() + CODE: + RETVAL = SSL_CTX_new (SSLv23_method()); + OUTPUT: + RETVAL + + +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#ifndef OPENSSL_NO_SSL2 + +SSL_CTX * +SSL_CTX_v2_new() + CODE: + RETVAL = SSL_CTX_new (SSLv2_method()); + OUTPUT: + RETVAL + +#endif +#endif +#ifndef OPENSSL_NO_SSL3 + +SSL_CTX * +SSL_CTX_v3_new() + CODE: + RETVAL = SSL_CTX_new (SSLv3_method()); + OUTPUT: + RETVAL + +#endif + +SSL_CTX * +SSL_CTX_v23_new() + CODE: + RETVAL = SSL_CTX_new (SSLv23_method()); + OUTPUT: + RETVAL + +SSL_CTX * +SSL_CTX_tlsv1_new() + CODE: + RETVAL = SSL_CTX_new (TLSv1_method()); + OUTPUT: + RETVAL + +#ifdef SSL_TXT_TLSV1_1 + +SSL_CTX * +SSL_CTX_tlsv1_1_new() + CODE: + RETVAL = SSL_CTX_new (TLSv1_1_method()); + OUTPUT: + RETVAL + +#endif + +#ifdef SSL_TXT_TLSV1_2 + +SSL_CTX * +SSL_CTX_tlsv1_2_new() + CODE: + RETVAL = SSL_CTX_new (TLSv1_2_method()); + OUTPUT: + RETVAL + +#endif + +SSL_CTX * +SSL_CTX_new_with_method(meth) + SSL_METHOD * meth + CODE: + RETVAL = SSL_CTX_new (meth); + OUTPUT: + RETVAL + +void +SSL_CTX_free(ctx) + SSL_CTX * ctx + CODE: + SSL_CTX_free(ctx); + cb_data_advanced_drop(ctx); /* clean callback related data from global hash */ + +int +SSL_CTX_add_session(ctx,ses) + SSL_CTX * ctx + SSL_SESSION * ses + +int +SSL_CTX_remove_session(ctx,ses) + SSL_CTX * ctx + SSL_SESSION * ses + +void +SSL_CTX_flush_sessions(ctx,tm) + SSL_CTX * ctx + long tm + +int +SSL_CTX_set_default_verify_paths(ctx) + SSL_CTX * ctx + +int +SSL_CTX_load_verify_locations(ctx,CAfile,CApath) + SSL_CTX * ctx + char * CAfile + char * CApath + CODE: + RETVAL = 
SSL_CTX_load_verify_locations (ctx, + CAfile?(*CAfile?CAfile:NULL):NULL, + CApath?(*CApath?CApath:NULL):NULL + ); + OUTPUT: + RETVAL + +void +SSL_CTX_set_verify(ctx,mode,callback=&PL_sv_undef) + SSL_CTX * ctx + int mode + SV * callback + CODE: + + /* Former versions of SSLeay checked if the callback was a true boolean value + * and didn't call it if it was false. Therefor some people set the callback + * to '0' if they don't want to use it (IO::Socket::SSL for example). Therefor + * we don't execute the callback if it's value isn't something true to retain + * backwards compatibility. + */ + + if (callback==NULL || !SvOK(callback) || !SvTRUE(callback)) { + SSL_CTX_set_verify(ctx, mode, NULL); + cb_data_advanced_put(ctx, "ssleay_verify_callback!!func", NULL); + } else { + cb_data_advanced_put(ctx, "ssleay_verify_callback!!func", newSVsv(callback)); + SSL_CTX_set_verify(ctx, mode, &ssleay_verify_callback_invoke); + } + +#if OPENSSL_VERSION_NUMBER >= 0x10100001L && !defined(LIBRESSL_VERSION_NUMBER) + +void +SSL_CTX_set_security_level(SSL_CTX * ctx, int level) + +int +SSL_CTX_get_security_level(SSL_CTX * ctx) + +#endif + +#if OPENSSL_VERSION_NUMBER >= 0x10101007L && !defined(LIBRESSL_VERSION_NUMBER) + +int +SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets) + +size_t +SSL_CTX_get_num_tickets(SSL_CTX *ctx) + +#endif + +#if OPENSSL_VERSION_NUMBER >= 0x10101003L && !defined(LIBRESSL_VERSION_NUMBER) + +int +SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str) + +#endif + +#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER) /* OpenSSL 1.1.1 */ + +void +SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val) + +#endif + +void +SSL_CTX_sess_set_new_cb(ctx, callback) + SSL_CTX * ctx + SV * callback + CODE: + if (callback==NULL || !SvOK(callback)) { + SSL_CTX_sess_set_new_cb(ctx, NULL); + cb_data_advanced_put(ctx, "ssleay_ssl_ctx_sess_new_cb!!func", NULL); + } + else { + cb_data_advanced_put(ctx, "ssleay_ssl_ctx_sess_new_cb!!func", 
newSVsv(callback)); + SSL_CTX_sess_set_new_cb(ctx, &ssleay_ssl_ctx_sess_new_cb_invoke); + } + +void +SSL_CTX_sess_set_remove_cb(ctx, callback) + SSL_CTX * ctx + SV * callback + CODE: + if (callback==NULL || !SvOK(callback)) { + SSL_CTX_sess_set_remove_cb(ctx, NULL); + cb_data_advanced_put(ctx, "ssleay_ssl_ctx_sess_remove_cb!!func", NULL); + } + else { + cb_data_advanced_put(ctx, "ssleay_ssl_ctx_sess_remove_cb!!func", newSVsv(callback)); + SSL_CTX_sess_set_remove_cb(ctx, &ssleay_ssl_ctx_sess_remove_cb_invoke); + } + +int +SSL_get_error(s,ret) + SSL * s + int ret + +#define REM10 "============= SSL functions ==============" + +SSL * +SSL_new(ctx) + SSL_CTX * ctx + +void +SSL_free(s) + SSL * s + CODE: + SSL_free(s); + cb_data_advanced_drop(s); /* clean callback related data from global hash */ + +#if 0 /* this seems to be gone in 0.9.0 */ +void +SSL_debug(file) + char * file + +#endif + +int +SSL_accept(s) + SSL * s + +void +SSL_clear(s) + SSL * s + +int +SSL_connect(s) + SSL * s + + +#if defined(WIN32) + +int +SSL_set_fd(s,fd) + SSL * s + perl_filehandle_t fd + CODE: + RETVAL = SSL_set_fd(s,_get_osfhandle(fd)); + OUTPUT: + RETVAL + +int +SSL_set_rfd(s,fd) + SSL * s + perl_filehandle_t fd + CODE: + RETVAL = SSL_set_rfd(s,_get_osfhandle(fd)); + OUTPUT: + RETVAL + +int +SSL_set_wfd(s,fd) + SSL * s + perl_filehandle_t fd + CODE: + RETVAL = SSL_set_wfd(s,_get_osfhandle(fd)); + OUTPUT: + RETVAL + +#else + +int +SSL_set_fd(s,fd) + SSL * s + perl_filehandle_t fd + +int +SSL_set_rfd(s,fd) + SSL * s + perl_filehandle_t fd + +int +SSL_set_wfd(s,fd) + SSL * s + perl_filehandle_t fd + +#endif + +int +SSL_get_fd(s) + SSL * s + +void +SSL_read(s,max=32768) + SSL * s + int max + PREINIT: + char *buf; + int got; + int succeeded = 1; + PPCODE: + New(0, buf, max, char); + + got = SSL_read(s, buf, max); + if (got <= 0 && SSL_ERROR_ZERO_RETURN != SSL_get_error(s, got)) + succeeded = 0; + + /* If in list context, return 2-item list: + * first return value: data gotten, or undef on error 
(got<0) + * second return value: result from SSL_read() + */ + if (GIMME_V==G_ARRAY) { + EXTEND(SP, 2); + PUSHs(sv_2mortal(succeeded ? newSVpvn(buf, got) : newSV(0))); + PUSHs(sv_2mortal(newSViv(got))); + + /* If in scalar or void context, return data gotten, or undef on error. */ + } else { + EXTEND(SP, 1); + PUSHs(sv_2mortal(succeeded ? newSVpvn(buf, got) : newSV(0))); + } + + Safefree(buf); + +void +SSL_peek(s,max=32768) + SSL * s + int max + PREINIT: + char *buf; + int got; + int succeeded = 1; + PPCODE: + New(0, buf, max, char); + + got = SSL_peek(s, buf, max); + if (got <= 0 && SSL_ERROR_ZERO_RETURN != SSL_get_error(s, got)) + succeeded = 0; + + /* If in list context, return 2-item list: + * first return value: data gotten, or undef on error (got<0) + * second return value: result from SSL_peek() + */ + if (GIMME_V==G_ARRAY) { + EXTEND(SP, 2); + PUSHs(sv_2mortal(succeeded ? newSVpvn(buf, got) : newSV(0))); + PUSHs(sv_2mortal(newSViv(got))); + + /* If in scalar or void context, return data gotten, or undef on error. */ + } else { + EXTEND(SP, 1); + PUSHs(sv_2mortal(succeeded ? newSVpvn(buf, got) : newSV(0))); + } + Safefree(buf); + +#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER) /* OpenSSL 1.1.1 */ + +void +SSL_read_ex(s,max=32768) + SSL * s + int max + PREINIT: + char *buf; + size_t readbytes; + int succeeded; + PPCODE: + Newx(buf, max, char); + + succeeded = SSL_read_ex(s, buf, max, &readbytes); + + /* Return 2-item list: + * first return value: data gotten, or undef on error + * second return value: result from SSL_read_ex() + */ + EXTEND(SP, 2); + PUSHs(sv_2mortal(succeeded ? 
newSVpvn(buf, readbytes) : newSV(0))); + PUSHs(sv_2mortal(newSViv(succeeded))); + + Safefree(buf); + + +void +SSL_peek_ex(s,max=32768) + SSL * s + int max + PREINIT: + char *buf; + size_t readbytes; + int succeeded; + PPCODE: + Newx(buf, max, char); + + succeeded = SSL_peek_ex(s, buf, max, &readbytes); + + /* Return 2-item list: + * first return value: data gotten, or undef on error + * second return value: result from SSL_peek_ex() + */ + EXTEND(SP, 2); + PUSHs(sv_2mortal(succeeded ? newSVpvn(buf, readbytes) : newSV(0))); + PUSHs(sv_2mortal(newSViv(succeeded))); + + Safefree(buf); + +void +SSL_write_ex(s,buf) + SSL * s + PREINIT: + STRLEN len; + size_t written; + int succeeded; + INPUT: + char * buf = SvPV( ST(1), len); + PPCODE: + succeeded = SSL_write_ex(s, buf, len, &written); + + /* Return 2-item list: + * first return value: data gotten, or undef on error + * second return value: result from SSL_read_ex() + */ + EXTEND(SP, 2); + PUSHs(sv_2mortal(newSVuv(written))); + PUSHs(sv_2mortal(newSViv(succeeded))); + +#endif + +int +SSL_write(s,buf) + SSL * s + PREINIT: + STRLEN len; + INPUT: + char * buf = SvPV( ST(1), len); + CODE: + RETVAL = SSL_write (s, buf, (int)len); + OUTPUT: + RETVAL + +int +SSL_write_partial(s,from,count,buf) + SSL * s + int from + int count + PREINIT: + STRLEN ulen; + IV len; + INPUT: + char * buf = SvPV( ST(3), ulen); + CODE: + /* + if (SvROK( ST(3) )) { + SV* t = SvRV( ST(3) ); + buf = SvPV( t, len); + } else + buf = SvPV( ST(3), len); + */ + PR4("write_partial from=%d count=%d len=%lu\n",from,count,ulen); + /*PR2("buf='%s'\n",&buf[from]); / * too noisy */ + len = (IV)ulen; + len -= from; + if (len < 0) { + croak("from beyound end of buffer"); + RETVAL = -1; + } else + RETVAL = SSL_write (s, &(buf[from]), (count<=len)?count:len); + OUTPUT: + RETVAL + +int +SSL_use_RSAPrivateKey(s,rsa) + SSL * s + RSA * rsa + +int +SSL_use_RSAPrivateKey_ASN1(s,d,len) + SSL * s + unsigned char * d + long len + +int +SSL_use_RSAPrivateKey_file(s,file,type) + 
SSL * s + char * file + int type + +int +SSL_CTX_use_RSAPrivateKey_file(ctx,file,type) + SSL_CTX * ctx + char * file + int type + +int +SSL_use_PrivateKey(s,pkey) + SSL * s + EVP_PKEY * pkey + +int +SSL_use_PrivateKey_ASN1(pk,s,d,len) + int pk + SSL * s + unsigned char * d + long len + +int +SSL_use_PrivateKey_file(s,file,type) + SSL * s + char * file + int type + +int +SSL_CTX_use_PrivateKey_file(ctx,file,type) + SSL_CTX * ctx + char * file + int type + +int +SSL_use_certificate(s,x) + SSL * s + X509 * x + +int +SSL_use_certificate_ASN1(s,d,len) + SSL * s + unsigned char * d + long len + +int +SSL_use_certificate_file(s,file,type) + SSL * s + char * file + int type + +int +SSL_CTX_use_certificate_file(ctx,file,type) + SSL_CTX * ctx + char * file + int type + +const char * +SSL_state_string(s) + SSL * s + +const char * +SSL_rstate_string(s) + SSL * s + +const char * +SSL_state_string_long(s) + SSL * s + +const char * +SSL_rstate_string_long(s) + SSL * s + + +long +SSL_get_time(ses) + SSL_SESSION * ses + +long +SSL_set_time(ses,t) + SSL_SESSION * ses + long t + +long +SSL_get_timeout(ses) + SSL_SESSION * ses + +long +SSL_set_timeout(ses,t) + SSL_SESSION * ses + long t + +void +SSL_copy_session_id(to,from) + SSL * to + SSL * from + +void +SSL_set_read_ahead(s,yes=1) + SSL * s + int yes + +int +SSL_get_read_ahead(s) + SSL * s + +int +SSL_pending(s) + SSL * s + +#if OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER) /* OpenSSL 1.1.0 */ + +int +SSL_has_pending(s) + SSL * s + +#endif + +int +SSL_CTX_set_cipher_list(s,str) + SSL_CTX * s + char * str + +void +SSL_get_ciphers(s) + SSL * s + PREINIT: + STACK_OF(SSL_CIPHER) *sk = NULL; + const SSL_CIPHER *c; + int i; + PPCODE: + sk = SSL_get_ciphers(s); + if( sk == NULL ) { + XSRETURN_EMPTY; + } + for (i=0; i= 0x10101001L && !defined(LIBRESSL_VERSION_NUMBER) + +int +SSL_SESSION_is_resumable(ses) + SSL_SESSION * ses + +SSL_SESSION * +SSL_SESSION_dup(sess) + SSL_SESSION * sess + +#endif +#if 
OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER) /* OpenSSL 1.1.1 */ + +void +SSL_set_post_handshake_auth(SSL *ssl, int val) + +int +SSL_verify_client_post_handshake(SSL *ssl) + +#endif + +void +i2d_SSL_SESSION(sess) + SSL_SESSION * sess + PPCODE: + STRLEN len; + unsigned char *pc,*pi; + if (!(len = i2d_SSL_SESSION(sess,NULL))) croak("invalid SSL_SESSION"); + Newx(pc,len,unsigned char); + if (!pc) croak("out of memory"); + pi = pc; + i2d_SSL_SESSION(sess,&pi); + XPUSHs(sv_2mortal(newSVpv((char*)pc,len))); + Safefree(pc); + + +SSL_SESSION * +d2i_SSL_SESSION(pv) + SV *pv + CODE: + RETVAL = NULL; + if (SvPOK(pv)) { + const unsigned char *p; + STRLEN len; + p = (unsigned char*)SvPV(pv,len); + RETVAL = d2i_SSL_SESSION(NULL,&p,len); + } + OUTPUT: + RETVAL + +#if (OPENSSL_VERSION_NUMBER >= 0x10100004L && !defined(LIBRESSL_VERSION_NUMBER)) || (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) + +int +SSL_SESSION_up_ref(sess) + SSL_SESSION * sess + +#endif + +int +SSL_set_session(to,ses) + SSL * to + SSL_SESSION * ses + +#define REM30 "SSLeay-0.9.0 defines these as macros. 
I expand them here for safety's sake" + +SSL_SESSION * +SSL_get_session(s) + SSL * s + ALIAS: + SSL_get0_session = 1 + +SSL_SESSION * +SSL_get1_session(s) + SSL * s + +X509 * +SSL_get_certificate(s) + SSL * s + +SSL_CTX * +SSL_get_SSL_CTX(s) + SSL * s + +#if OPENSSL_VERSION_NUMBER >= 0x0090806fL + +SSL_CTX * +SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) + +#endif + +long +SSL_ctrl(ssl,cmd,larg,parg) + SSL * ssl + int cmd + long larg + char * parg + +long +SSL_CTX_ctrl(ctx,cmd,larg,parg) + SSL_CTX * ctx + int cmd + long larg + char * parg + +#ifdef NET_SSLEAY_32BIT_CONSTANTS + +long +SSL_get_options(ssl) + SSL * ssl + +long +SSL_set_options(ssl,op) + SSL * ssl + long op + +long +SSL_CTX_get_options(ctx) + SSL_CTX * ctx + +long +SSL_CTX_set_options(ctx,op) + SSL_CTX * ctx + long op + +#else + +uint64_t +SSL_get_options(ssl) + SSL * ssl + +uint64_t +SSL_set_options(ssl,op) + SSL * ssl + uint64_t op + +uint64_t +SSL_CTX_get_options(ctx) + SSL_CTX * ctx + +uint64_t +SSL_CTX_set_options(ctx,op) + SSL_CTX * ctx + uint64_t op + +#endif + +#if OPENSSL_VERSION_NUMBER >= 0x10000000L + +struct lhash_st_SSL_SESSION * +SSL_CTX_sessions(ctx) + SSL_CTX * ctx + +#else + +LHASH * +SSL_CTX_sessions(ctx) + SSL_CTX * ctx + CODE: + /* NOTE: This should be deprecated. 
Corresponding macro was removed from ssl.h as of 0.9.2 */ + if (ctx == NULL) croak("NULL SSL context passed as argument."); + RETVAL = ctx -> sessions; + OUTPUT: + RETVAL + +#endif + +unsigned long +SSL_CTX_sess_number(ctx) + SSL_CTX * ctx + +int +SSL_CTX_sess_connect(ctx) + SSL_CTX * ctx + +int +SSL_CTX_sess_connect_good(ctx) + SSL_CTX * ctx + +int +SSL_CTX_sess_connect_renegotiate(ctx) + SSL_CTX * ctx + +int +SSL_CTX_sess_accept(ctx) + SSL_CTX * ctx + +int +SSL_CTX_sess_accept_renegotiate(ctx) + SSL_CTX * ctx + +int +SSL_CTX_sess_accept_good(ctx) + SSL_CTX * ctx + +int +SSL_CTX_sess_hits(ctx) + SSL_CTX * ctx + +int +SSL_CTX_sess_cb_hits(ctx) + SSL_CTX * ctx + +int +SSL_CTX_sess_misses(ctx) + SSL_CTX * ctx + +int +SSL_CTX_sess_timeouts(ctx) + SSL_CTX * ctx + +int +SSL_CTX_sess_cache_full(ctx) + SSL_CTX * ctx + +int +SSL_CTX_sess_get_cache_size(ctx) + SSL_CTX * ctx + +long +SSL_CTX_sess_set_cache_size(ctx,size) + SSL_CTX * ctx + int size + +int +SSL_want(s) + SSL * s + + # OpenSSL 1.1.1 documents SSL_in_init and the related functions as + # returning 0 or 1. However, older versions and e.g. LibreSSL may + # return other values than 1 which we fold to 1. +int +SSL_in_before(s) + SSL * s + CODE: + RETVAL = SSL_in_before(s) == 0 ? 0 : 1; + OUTPUT: + RETVAL + +int +SSL_is_init_finished(s) + SSL * s + CODE: + RETVAL = SSL_is_init_finished(s) == 0 ? 0 : 1; + OUTPUT: + RETVAL + +int +SSL_in_init(s) + SSL * s + CODE: + RETVAL = SSL_in_init(s) == 0 ? 0 : 1; + OUTPUT: + RETVAL + +int +SSL_in_connect_init(s) + SSL * s + CODE: + RETVAL = SSL_in_connect_init(s) == 0 ? 0 : 1; + OUTPUT: + RETVAL + +int +SSL_in_accept_init(s) + SSL * s + CODE: + RETVAL = SSL_in_accept_init(s) == 0 ? 
0 : 1; + OUTPUT: + RETVAL + +#if OPENSSL_VERSION_NUMBER < 0x10100000L +int +SSL_state(s) + SSL * s + +int +SSL_get_state(ssl) + SSL * ssl + CODE: + RETVAL = SSL_state(ssl); + OUTPUT: + RETVAL + + +#else +int +SSL_state(s) + SSL * s + CODE: + RETVAL = SSL_get_state(s); + OUTPUT: + RETVAL + + +int +SSL_get_state(s) + SSL * s + +#endif +#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT) + +long +SSL_set_tlsext_host_name(SSL *ssl, const char *name) + +const char * +SSL_get_servername(const SSL *s, int type=TLSEXT_NAMETYPE_host_name) + +int +SSL_get_servername_type(const SSL *s) + +void +SSL_CTX_set_tlsext_servername_callback(ctx,callback=&PL_sv_undef,data=&PL_sv_undef) + SSL_CTX * ctx + SV * callback + SV * data + CODE: + if (callback==NULL || !SvOK(callback)) { + SSL_CTX_set_tlsext_servername_callback(ctx, NULL); + SSL_CTX_set_tlsext_servername_arg(ctx, NULL); + cb_data_advanced_put(ctx, "tlsext_servername_callback!!data", NULL); + cb_data_advanced_put(ctx, "tlsext_servername_callback!!func", NULL); + } else { + cb_data_advanced_put(ctx, "tlsext_servername_callback!!data", newSVsv(data)); + cb_data_advanced_put(ctx, "tlsext_servername_callback!!func", newSVsv(callback)); + SSL_CTX_set_tlsext_servername_callback(ctx, &tlsext_servername_callback_invoke); + SSL_CTX_set_tlsext_servername_arg(ctx, (void*)ctx); + } + +#endif + +#if OPENSSL_VERSION_NUMBER >= 0x1010006fL /* In OpenSSL 1.1.0 but actually called for $ssl starting from 1.1.0f */ +#ifndef LIBRESSL_VERSION_NUMBER +#ifndef OPENSSL_IS_BORINGSSL +void +SSL_set_default_passwd_cb(ssl,callback=&PL_sv_undef) + SSL * ssl + SV * callback + CODE: + if (callback==NULL || !SvOK(callback)) { + SSL_set_default_passwd_cb(ssl, NULL); + SSL_set_default_passwd_cb_userdata(ssl, NULL); + cb_data_advanced_put(ssl, "ssleay_ssl_passwd_cb!!func", NULL); + } + else { + cb_data_advanced_put(ssl, "ssleay_ssl_passwd_cb!!func", newSVsv(callback)); + SSL_set_default_passwd_cb_userdata(ssl, (void*)ssl); + 
SSL_set_default_passwd_cb(ssl, &ssleay_ssl_passwd_cb_invoke);
+ }
+
+void
+SSL_set_default_passwd_cb_userdata(ssl,data=&PL_sv_undef)
+ SSL * ssl
+ SV * data
+ CODE:
+ /* SSL_set_default_passwd_cb_userdata is set in SSL_set_default_passwd_cb */
+ if (data==NULL || !SvOK(data)) {
+ cb_data_advanced_put(ssl, "ssleay_ssl_passwd_cb!!data", NULL);
+ }
+ else {
+ cb_data_advanced_put(ssl, "ssleay_ssl_passwd_cb!!data", newSVsv(data));
+ }
+
+#endif /* !BoringSSL */
+#endif /* !LibreSSL */
+#endif /* >= 1.1.0f */
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100001L && !defined(LIBRESSL_VERSION_NUMBER)
+
+void
+SSL_set_security_level(SSL * ssl, int level)
+
+int
+SSL_get_security_level(SSL * ssl)
+
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x10101007L && !defined(LIBRESSL_VERSION_NUMBER)
+
+int
+SSL_set_num_tickets(SSL *ssl, size_t num_tickets)
+
+size_t
+SSL_get_num_tickets(SSL *ssl)
+
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x10101003L && !defined(LIBRESSL_VERSION_NUMBER)
+
+int
+SSL_set_ciphersuites(SSL *ssl, const char *str)
+
+#endif
+
+const BIO_METHOD *
+BIO_f_ssl()
+
+const BIO_METHOD *
+BIO_s_mem()
+
+unsigned long
+ERR_get_error()
+
+unsigned long
+ERR_peek_error()
+
+void
+ERR_put_error(lib,func,reason,file,line)
+ int lib
+ int func
+ int reason
+ char * file
+ int line
+
+void
+ERR_clear_error()
+
+char *
+ERR_error_string(error,buf=NULL)
+ unsigned long error
+ char * buf
+ CODE:
+ RETVAL = ERR_error_string(error,buf);
+ OUTPUT:
+ RETVAL
+
+void
+SSL_load_error_strings()
+
+void
+ERR_load_crypto_strings()
+
+int
+SSL_FIPS_mode_set(int onoff)
+ CODE:
+#ifdef USE_ITHREADS
+ MUTEX_LOCK(&LIB_init_mutex);
+#endif
+#ifdef OPENSSL_FIPS
+ RETVAL = FIPS_mode_set(onoff);
+ if (!RETVAL)
+ {
+ ERR_load_crypto_strings();
+ ERR_print_errors_fp(stderr);
+ }
+#else
+ RETVAL = 1;
+ fprintf(stderr, "SSL_FIPS_mode_set not available: OpenSSL not compiled with FIPS support\n");
+#endif
+#ifdef USE_ITHREADS
+ MUTEX_UNLOCK(&LIB_init_mutex);
+#endif
+ OUTPUT:
+ RETVAL
+
+
+int 
+SSL_library_init()
+ ALIAS:
+ SSLeay_add_ssl_algorithms = 1
+ OpenSSL_add_ssl_algorithms = 2
+ add_ssl_algorithms = 3
+ CODE:
+#ifdef USE_ITHREADS
+ MUTEX_LOCK(&LIB_init_mutex);
+#endif
+ RETVAL = 0;
+ if (!LIB_initialized) {
+ RETVAL = SSL_library_init();
+ LIB_initialized = 1;
+ }
+#ifdef USE_ITHREADS
+ MUTEX_UNLOCK(&LIB_init_mutex);
+#endif
+ OUTPUT:
+ RETVAL
+
+#if OPENSSL_VERSION_NUMBER >= 0x0090700fL
+#define REM5 "NOTE: requires 0.9.7+"
+#ifndef OPENSSL_NO_ENGINE
+
+void
+ENGINE_load_builtin_engines()
+
+void
+ENGINE_register_all_complete()
+
+ENGINE*
+ENGINE_by_id(id)
+ char * id
+
+int
+ENGINE_set_default(e, flags)
+ ENGINE * e
+ int flags
+
+#endif /* OPENSSL_NO_ENGINE */
+#endif
+
+void
+ERR_load_SSL_strings()
+
+void
+ERR_load_RAND_strings()
+
+int
+RAND_bytes(buf, num)
+ SV *buf
+ int num
+ PREINIT:
+ int rc;
+ unsigned char *random;
+ CODE:
+ New(0, random, num, unsigned char);
+ rc = RAND_bytes(random, num);
+ sv_setpvn(buf, (const char*)random, num);
+ Safefree(random);
+ RETVAL = rc;
+ OUTPUT:
+ RETVAL
+
+#if OPENSSL_VERSION_NUMBER >= 0x10101001L && !defined(LIBRESSL_VERSION_NUMBER)
+
+int
+RAND_priv_bytes(buf, num)
+ SV *buf
+ int num
+ PREINIT:
+ int rc;
+ unsigned char *random;
+ CODE:
+ New(0, random, num, unsigned char);
+ rc = RAND_priv_bytes(random, num);
+ sv_setpvn(buf, (const char*)random, num);
+ Safefree(random);
+ RETVAL = rc;
+ OUTPUT:
+ RETVAL
+
+#endif
+
+int
+RAND_pseudo_bytes(buf, num)
+ SV *buf
+ int num
+ PREINIT:
+ int rc;
+ unsigned char *random;
+ CODE:
+ New(0, random, num, unsigned char);
+ rc = RAND_pseudo_bytes(random, num);
+ sv_setpvn(buf, (const char*)random, num);
+ Safefree(random);
+ RETVAL = rc;
+ OUTPUT:
+ RETVAL
+
+void
+RAND_add(buf, num, entropy)
+ SV *buf
+ int num
+ double entropy
+ PREINIT:
+ STRLEN len;
+ CODE:
+ RAND_add((const void *)SvPV(buf, len), num, entropy);
+
+int
+RAND_poll()
+
+int
+RAND_status()
+
+SV *
+RAND_file_name(num)
+ size_t num
+ PREINIT:
+ char *buf;
+ CODE:
+ Newxz(buf, num, char);
+ 
if (!RAND_file_name(buf, num)) {
+ Safefree(buf);
+ XSRETURN_UNDEF;
+ }
+ RETVAL = newSVpv(buf, 0);
+ Safefree(buf);
+ OUTPUT:
+ RETVAL
+
+void
+RAND_seed(buf)
+ PREINIT:
+ STRLEN len;
+ INPUT:
+ char * buf = SvPV( ST(1), len);
+ CODE:
+ RAND_seed (buf, (int)len);
+
+void
+RAND_cleanup()
+
+int
+RAND_load_file(file_name, how_much)
+ char * file_name
+ int how_much
+
+int
+RAND_write_file(file_name)
+ char * file_name
+
+#define REM40 "Minimal X509 stuff..., this is a bit ugly and should be put in its own modules Net::SSLeay::X509.pm"
+
+#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined(LIBRESSL_VERSION_NUMBER)) || (LIBRESSL_VERSION_NUMBER >= 0x2050000fL)
+
+int
+X509_check_host(X509 *cert, const char *name, unsigned int flags = 0, SV *peername = &PL_sv_undef)
+ PREINIT:
+ char *c_peername = NULL;
+ CODE:
+ RETVAL = X509_check_host(cert, name, 0, flags, (items == 4) ? &c_peername : NULL);
+ if (items == 4)
+ sv_setpv(peername, c_peername);
+ OUTPUT:
+ RETVAL
+ CLEANUP:
+ if (c_peername)
+ OPENSSL_free(c_peername);
+
+int
+X509_check_email(X509 *cert, const char *address, unsigned int flags = 0)
+ CODE:
+ RETVAL = X509_check_email(cert, address, 0, flags);
+ OUTPUT:
+ RETVAL
+
+int
+X509_check_ip(X509 *cert, SV *address, unsigned int flags = 0)
+ PREINIT:
+ unsigned char *c_address;
+ size_t addresslen;
+ CODE:
+ c_address = (unsigned char *)SvPV(address, addresslen);
+ RETVAL = X509_check_ip(cert, c_address, addresslen, flags);
+ OUTPUT:
+ RETVAL
+
+int
+X509_check_ip_asc(X509 *cert, const char *address, unsigned int flags = 0)
+
+#endif
+
+X509_NAME*
+X509_get_issuer_name(cert)
+ X509 * cert
+
+X509_NAME*
+X509_get_subject_name(cert)
+ X509 * cert
+
+void *
+X509_get_ex_data(cert,idx)
+ X509 * cert
+ int idx
+
+int
+X509_get_ex_new_index(argl,argp=NULL,new_func=NULL,dup_func=NULL,free_func=NULL)
+ long argl
+ void * argp
+ CRYPTO_EX_new * new_func
+ CRYPTO_EX_dup * dup_func
+ CRYPTO_EX_free * free_func
+
+void *
+X509_get_app_data(cert)
+ X509 * cert
+ CODE:
+ 
RETVAL = X509_get_ex_data(cert,0);
+ OUTPUT:
+ RETVAL
+
+int
+X509_set_ex_data(cert,idx,data)
+ X509 * cert
+ int idx
+ void * data
+
+int
+X509_set_app_data(cert,arg)
+ X509 * cert
+ char * arg
+ CODE:
+ RETVAL = X509_set_ex_data(cert,0,arg);
+ OUTPUT:
+ RETVAL
+
+int
+X509_set_issuer_name(X509 *x, X509_NAME *name)
+
+int
+X509_set_subject_name(X509 *x, X509_NAME *name)
+
+int
+X509_set_version(X509 *x, long version)
+
+int
+X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
+
+long
+X509_get_version(X509 *x)
+
+EVP_PKEY *
+X509_get_pubkey(X509 *x)
+
+ASN1_INTEGER *
+X509_get_serialNumber(X509 *x)
+
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (LIBRESSL_VERSION_NUMBER >= 0x2080100fL)
+
+const ASN1_INTEGER *
+X509_get0_serialNumber(const X509 *x)
+
+#endif
+
+int
+X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial)
+
+int
+X509_certificate_type(X509 *x, EVP_PKEY *pubkey=NULL);
+
+int
+X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
+
+int
+X509_verify(X509 *x, EVP_PKEY *r)
+
+X509_NAME *
+X509_NAME_new()
+
+unsigned long
+X509_NAME_hash(X509_NAME *name)
+
+void
+X509_NAME_oneline(name)
+ X509_NAME * name
+ PREINIT:
+ char * buf;
+ CODE:
+ ST(0) = sv_newmortal(); /* Undefined to start with */
+ if ((buf = X509_NAME_oneline(name, NULL, 0))) {
+ sv_setpvn( ST(0), buf, strlen(buf));
+ OPENSSL_free(buf); /* mem was allocated by openssl */
+ }
+
+void
+X509_NAME_print_ex(name,flags=XN_FLAG_RFC2253,utf8_decode=0)
+ X509_NAME * name
+ unsigned long flags
+ int utf8_decode
+ PREINIT:
+ char * buf;
+ BIO * bp;
+ int n, i, ident=0;
+ CODE:
+ ST(0) = sv_newmortal(); /* undef to start with */
+ bp = BIO_new(BIO_s_mem());
+ if (bp) {
+ if (X509_NAME_print_ex(bp, name, ident, flags)) {
+ n = BIO_ctrl_pending(bp);
+ New(0, buf, n, char);
+ if (buf) {
+ i = BIO_read(bp,buf,n);
+ if (i>=0 && i<=n) {
+ sv_setpvn(ST(0), buf, i);
+ if (utf8_decode) sv_utf8_decode(ST(0));
+ }
+ Safefree(buf);
+ }
+ }
+ BIO_free(bp);
+ }
+
+void 
+X509_NAME_get_text_by_NID(name,nid)
+ X509_NAME * name
+ int nid
+ PREINIT:
+ char* buf;
+ int length;
+ CODE:
+ ST(0) = sv_newmortal(); /* Undefined to start with */
+ length = X509_NAME_get_text_by_NID(name, nid, NULL, 0);
+
+ if (length>=0) {
+ New(0, buf, length+1, char);
+ if (X509_NAME_get_text_by_NID(name, nid, buf, length + 1)>=0)
+ sv_setpvn( ST(0), buf, length);
+ Safefree(buf);
+ }
+
+#if OPENSSL_VERSION_NUMBER >= 0x0090500fL
+#define REM17 "requires 0.9.5+"
+
+int
+X509_NAME_add_entry_by_NID(name,nid,type,bytes,loc=-1,set=0)
+ X509_NAME *name
+ int nid
+ int type
+ int loc
+ int set
+ PREINIT:
+ STRLEN len;
+ INPUT:
+ unsigned char *bytes = (unsigned char *)SvPV(ST(3), len);
+ CODE:
+ RETVAL = X509_NAME_add_entry_by_NID(name,nid,type,bytes,len,loc,set);
+ OUTPUT:
+ RETVAL
+
+int
+X509_NAME_add_entry_by_OBJ(name,obj,type,bytes,loc=-1,set=0)
+ X509_NAME *name
+ ASN1_OBJECT *obj
+ int type
+ int loc
+ int set
+ PREINIT:
+ STRLEN len;
+ INPUT:
+ unsigned char *bytes = (unsigned char *)SvPV(ST(3), len);
+ CODE:
+ RETVAL = X509_NAME_add_entry_by_OBJ(name,obj,type,bytes,len,loc,set);
+ OUTPUT:
+ RETVAL
+
+int
+X509_NAME_add_entry_by_txt(name,field,type,bytes,loc=-1,set=0)
+ X509_NAME *name
+ char *field
+ int type
+ int loc
+ int set
+ PREINIT:
+ STRLEN len;
+ INPUT:
+ unsigned char *bytes = (unsigned char *)SvPV(ST(3), len);
+ CODE:
+ RETVAL = X509_NAME_add_entry_by_txt(name,field,type,bytes,len,loc,set);
+ OUTPUT:
+ RETVAL
+
+#endif
+
+int
+X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
+
+int
+X509_NAME_entry_count(X509_NAME *name)
+
+X509_NAME_ENTRY *
+X509_NAME_get_entry(X509_NAME *name, int loc)
+
+ASN1_STRING *
+X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne)
+
+ASN1_OBJECT *
+X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne)
+
+void
+X509_CRL_free(X509_CRL *x)
+
+X509_CRL *
+X509_CRL_new()
+
+#if OPENSSL_VERSION_NUMBER >= 0x0090700fL
+#define REM19 "requires 0.9.7+"
+
+int
+X509_CRL_set_version(X509_CRL *x, long version)
+
+int 
+X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name)
+
+int
+X509_CRL_set_lastUpdate(X509_CRL *x, ASN1_TIME *tm)
+
+int
+X509_CRL_set_nextUpdate(X509_CRL *x, ASN1_TIME *tm)
+
+int
+X509_CRL_sort(X509_CRL *x)
+
+#endif
+
+long
+X509_CRL_get_version(X509_CRL *x)
+
+X509_NAME *
+X509_CRL_get_issuer(X509_CRL *x)
+
+ASN1_TIME *
+X509_CRL_get_lastUpdate(X509_CRL *x)
+
+ASN1_TIME *
+X509_CRL_get_nextUpdate(X509_CRL *x)
+
+int
+X509_CRL_verify(X509_CRL *a, EVP_PKEY *r)
+
+int
+X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
+
+#if OPENSSL_VERSION_NUMBER >= 0x0090700fL
+#define REM20 "requires 0.9.7+"
+
+int
+P_X509_CRL_set_serial(crl,crl_number)
+ X509_CRL *crl
+ ASN1_INTEGER * crl_number;
+ CODE:
+ RETVAL = 0;
+ if (crl && crl_number)
+ if (X509_CRL_add1_ext_i2d(crl, NID_crl_number, crl_number, 0, 0)) RETVAL = 1;
+ OUTPUT:
+ RETVAL
+
+ASN1_INTEGER *
+P_X509_CRL_get_serial(crl)
+ X509_CRL *crl
+ INIT:
+ int i;
+ CODE:
+ RETVAL = (ASN1_INTEGER *)X509_CRL_get_ext_d2i(crl, NID_crl_number, &i, NULL);
+ if (!RETVAL || i==-1) XSRETURN_UNDEF;
+ OUTPUT:
+ RETVAL
+
+void
+P_X509_CRL_add_revoked_serial_hex(crl,serial_hex,rev_time,reason_code=0,comp_time=NULL)
+ X509_CRL *crl
+ char * serial_hex
+ ASN1_TIME *rev_time
+ long reason_code
+ ASN1_TIME *comp_time
+ PREINIT:
+ BIGNUM *bn = NULL;
+ ASN1_INTEGER *sn;
+ X509_REVOKED *rev;
+ ASN1_ENUMERATED *rsn = NULL;
+ int rv;
+ PPCODE:
+ rv=0;
+ rev = X509_REVOKED_new();
+ if (rev) {
+ if (BN_hex2bn(&bn, serial_hex)) {
+ sn = BN_to_ASN1_INTEGER(bn, NULL);
+ if (sn) {
+ X509_REVOKED_set_serialNumber(rev, sn);
+ ASN1_INTEGER_free(sn);
+ rv = 1;
+ }
+ BN_free(bn);
+ }
+ }
+ if (!rv) XSRETURN_IV(0);
+
+ if (!rev_time) XSRETURN_IV(0);
+ if (!X509_REVOKED_set_revocationDate(rev, rev_time)) XSRETURN_IV(0);
+
+ if(reason_code) {
+ rv = 0;
+ rsn = ASN1_ENUMERATED_new();
+ if (rsn) {
+ if (ASN1_ENUMERATED_set(rsn, reason_code))
+ if (X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rsn, 0, 0))
+ rv=1;
+ ASN1_ENUMERATED_free(rsn);
+ }
+ 
if (!rv) XSRETURN_IV(0);
+ }
+
+ if(comp_time) {
+ X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date, comp_time, 0, 0);
+ }
+
+ if(!X509_CRL_add0_revoked(crl, rev)) XSRETURN_IV(0);
+ XSRETURN_IV(1);
+
+#endif
+
+X509_REQ *
+X509_REQ_new()
+
+void
+X509_REQ_free(X509_REQ *x)
+
+X509_NAME *
+X509_REQ_get_subject_name(X509_REQ *x)
+
+int
+X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name)
+
+int
+X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey)
+
+EVP_PKEY *
+X509_REQ_get_pubkey(X509_REQ *x)
+
+int
+X509_REQ_sign(X509_REQ *x, EVP_PKEY *pk, const EVP_MD *md)
+
+int
+X509_REQ_verify(X509_REQ *x, EVP_PKEY *r)
+
+int
+X509_REQ_set_version(X509_REQ *x, long version)
+
+long
+X509_REQ_get_version(X509_REQ *x)
+
+int
+X509_REQ_get_attr_count(const X509_REQ *req);
+
+int
+X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos=-1)
+
+int
+X509_REQ_get_attr_by_OBJ(const X509_REQ *req, ASN1_OBJECT *obj, int lastpos=-1)
+
+int
+X509_REQ_add1_attr_by_NID(req,nid,type,bytes)
+ X509_REQ *req
+ int nid
+ int type
+ PREINIT:
+ STRLEN len;
+ INPUT:
+ unsigned char *bytes = (unsigned char *)SvPV(ST(3), len);
+ CODE:
+ RETVAL = X509_REQ_add1_attr_by_NID(req,nid,type,bytes,len);
+ OUTPUT:
+ RETVAL
+
+#if OPENSSL_VERSION_NUMBER >= 0x0090700fL
+#define REM21 "requires 0.9.7+"
+
+void
+P_X509_REQ_get_attr(req,n)
+ X509_REQ *req
+ int n
+ INIT:
+ X509_ATTRIBUTE * att;
+ int count, i;
+ ASN1_STRING * s;
+ ASN1_TYPE * t;
+ PPCODE:
+ att = X509_REQ_get_attr(req,n);
+ count = X509_ATTRIBUTE_count(att);
+ for (i=0; ivalue.asn1_string;
+ XPUSHs(sv_2mortal(newSViv(PTR2IV(s))));
+ }
+
+#endif
+
+int
+P_X509_REQ_add_extensions(x,...) 
+ X509_REQ *x + PREINIT: + int i=1; + int nid; + char *data; + X509_EXTENSION *ex; + STACK_OF(X509_EXTENSION) *stack; + CODE: + if (items>1) { + RETVAL = 1; + stack = sk_X509_EXTENSION_new_null(); + while(i+11) { + RETVAL = 1; + while(i+11) { + RETVAL = 1; + while(i+1= 0x10100005L && !defined(LIBRESSL_VERSION_NUMBER)) || (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) /* OpenSSL 1.1.0-pre5, LibreSSL 2.7.0 */ + +X509 * +X509_STORE_CTX_get0_cert(x509_store_ctx) + X509_STORE_CTX *x509_store_ctx + +#endif + +STACK_OF(X509) * +X509_STORE_CTX_get1_chain(x509_store_ctx) + X509_STORE_CTX *x509_store_ctx + + +int +X509_STORE_CTX_get_ex_new_index(argl,argp=NULL,new_func=NULL,dup_func=NULL,free_func=NULL) + long argl + void * argp + CRYPTO_EX_new * new_func + CRYPTO_EX_dup * dup_func + CRYPTO_EX_free * free_func + +void * +X509_STORE_CTX_get_ex_data(x509_store_ctx,idx) + X509_STORE_CTX * x509_store_ctx + int idx + +void * +X509_STORE_CTX_get_app_data(x509_store_ctx) + X509_STORE_CTX * x509_store_ctx + CODE: + RETVAL = X509_STORE_CTX_get_ex_data(x509_store_ctx,0); + OUTPUT: + RETVAL + +void +X509_get_fingerprint(cert,type) + X509 * cert + char * type + PREINIT: + const EVP_MD *digest_tp = NULL; + unsigned char digest[EVP_MAX_MD_SIZE]; + unsigned int dsz, k = 0; + char text[EVP_MAX_MD_SIZE * 3 + 1]; + CODE: +#ifndef OPENSSL_NO_MD5 + if (!k && !strcmp(type,"md5")) { + k = 1; digest_tp = EVP_md5(); + } +#endif + if (!k && !strcmp(type,"sha1")) { + k = 1; digest_tp = EVP_sha1(); + } +#if OPENSSL_VERSION_NUMBER >= 0x0090800fL +#ifndef OPENSSL_NO_SHA256 + if (!k && !strcmp(type,"sha256")) { + k = 1; digest_tp = EVP_sha256(); + } +#endif +#endif + if (!k && !strcmp(type,"ripemd160")) { + k = 1; digest_tp = EVP_ripemd160(); + } + if (!k) /* Default digest */ + digest_tp = EVP_sha1(); + if ( digest_tp == NULL ) { + /* Out of memory */ + XSRETURN_UNDEF; + } + if (!X509_digest(cert, digest_tp, digest, &dsz)) { + /* Out of memory */ + XSRETURN_UNDEF; + } + text[0] = '\0'; + for(k=0; k= 0 + && 
(subjAltNameExt = X509_get_ext(cert, i))
+ && (subjAltNameDNs = X509V3_EXT_d2i(subjAltNameExt)))
+ {
+ num_gnames = sk_GENERAL_NAME_num(subjAltNameDNs);
+
+ for (j = 0; j < num_gnames; j++)
+ {
+ subjAltNameDN = sk_GENERAL_NAME_value(subjAltNameDNs, j);
+
+ switch (subjAltNameDN->type)
+ {
+ case GEN_OTHERNAME:
+ EXTEND(SP, 2);
+ count++;
+ PUSHs(sv_2mortal(newSViv(subjAltNameDN->type)));
+ PUSHs(sv_2mortal(newSVpv((const char*)ASN1_STRING_data(subjAltNameDN->d.otherName->value->value.utf8string), ASN1_STRING_length(subjAltNameDN->d.otherName->value->value.utf8string))));
+ break;
+
+ case GEN_EMAIL:
+ case GEN_DNS:
+ case GEN_URI:
+ EXTEND(SP, 2);
+ count++;
+ PUSHs(sv_2mortal(newSViv(subjAltNameDN->type)));
+ PUSHs(sv_2mortal(newSVpv((const char*)ASN1_STRING_data(subjAltNameDN->d.ia5), ASN1_STRING_length(subjAltNameDN->d.ia5))));
+ break;
+
+ case GEN_DIRNAME:
+ {
+ char * buf = X509_NAME_oneline(subjAltNameDN->d.dirn, NULL, 0);
+ EXTEND(SP, 2);
+ count++;
+ PUSHs(sv_2mortal(newSViv(subjAltNameDN->type)));
+ PUSHs(sv_2mortal(newSVpv((buf), strlen((buf)))));
+ }
+ break;
+
+ case GEN_RID:
+ {
+ char buf[2501]; /* Much more than what's suggested on OBJ_obj2txt manual page */
+ int len = OBJ_obj2txt(buf, sizeof(buf), subjAltNameDN->d.rid, 1);
+ if (len < 0 || len > (int)((sizeof(buf) - 1)))
+ break; /* Skip bad or overly long RID */
+ EXTEND(SP, 2);
+ count++;
+ PUSHs(sv_2mortal(newSViv(subjAltNameDN->type)));
+ PUSHs(sv_2mortal(newSVpv(buf, 0)));
+ }
+ break;
+
+ case GEN_IPADD:
+ EXTEND(SP, 2);
+ count++;
+ PUSHs(sv_2mortal(newSViv(subjAltNameDN->type)));
+ PUSHs(sv_2mortal(newSVpv((const char*)subjAltNameDN->d.ip->data, subjAltNameDN->d.ip->length)));
+ break;
+
+ }
+ }
+ sk_GENERAL_NAME_pop_free(subjAltNameDNs, GENERAL_NAME_free);
+ }
+ XSRETURN(count * 2);
+
+#if OPENSSL_VERSION_NUMBER >= 0x0090700fL
+
+void
+P_X509_get_crl_distribution_points(cert)
+ X509 * cert
+ INIT:
+ GENERAL_NAMES *gnames;
+ GENERAL_NAME *gn;
+ STACK_OF(DIST_POINT) *points;
+ DIST_POINT 
*p;
+ int i, j;
+ PPCODE:
+ points = X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL);
+ if (points)
+ for (i = 0; i < sk_DIST_POINT_num(points); i++) {
+ p = sk_DIST_POINT_value(points, i);
+ if (!p->distpoint)
+ continue;
+ if (p->distpoint->type == 0) {
+ /* full name */
+ gnames = p->distpoint->name.fullname;
+ for (j = 0; j < sk_GENERAL_NAME_num(gnames); j++) {
+ gn = sk_GENERAL_NAME_value(gnames, j);
+
+ if (gn->type == GEN_URI) {
+ XPUSHs(sv_2mortal(newSVpv((char*)ASN1_STRING_data(gn->d.ia5),ASN1_STRING_length(gn->d.ia5))));
+ }
+ }
+ }
+ else {
+ /* relative name - not supported */
+ /* XXX-TODO: the code below is just an idea; do not enable it without proper test case
+ BIO *bp;
+ char *buf;
+ int n;
+ X509_NAME ntmp;
+ ntmp.entries = p->distpoint->name.relativename;
+ bp = BIO_new(BIO_s_mem());
+ if (bp) {
+ X509_NAME_print_ex(bp, &ntmp, 0, XN_FLAG_RFC2253);
+ n = BIO_ctrl_pending(bp);
+ New(0, buf, n, char);
+ if (buf) {
+ j = BIO_read(bp,buf,n);
+ if (j>=0 && j<=n) XPUSHs(sv_2mortal(newSVpvn(buf,j)));
+ Safefree(buf);
+ }
+ BIO_free(bp);
+ }
+ */
+ }
+ }
+
+void
+P_X509_get_ocsp_uri(cert)
+ X509 * cert
+ PPCODE:
+ AUTHORITY_INFO_ACCESS *info;
+ int i;
+ info = X509_get_ext_d2i(cert, NID_info_access, NULL, NULL);
+ if (!info) XSRETURN_UNDEF;
+
+ for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
+ ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
+ if (OBJ_obj2nid(ad->method) == NID_ad_OCSP
+ && ad->location->type == GEN_URI) {
+ XPUSHs(sv_2mortal(newSVpv(
+ (char*)ASN1_STRING_data(ad->location->d.uniformResourceIdentifier),
+ ASN1_STRING_length(ad->location->d.uniformResourceIdentifier)
+ )));
+ if (GIMME == G_SCALAR) break; /* get only first */
+ }
+ }
+
+
+void
+P_X509_get_ext_key_usage(cert,format=0)
+ X509 * cert
+ int format
+ PREINIT:
+ EXTENDED_KEY_USAGE *extusage;
+ int i, nid;
+ char buffer[100]; /* openssl doc: a buffer length of 80 should be more than enough to handle any OID encountered in practice */
+ 
ASN1_OBJECT *o;
+ PPCODE:
+ extusage = X509_get_ext_d2i(cert, NID_ext_key_usage, NULL, NULL);
+ for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
+ o = sk_ASN1_OBJECT_value(extusage,i);
+ nid = OBJ_obj2nid(o);
+ OBJ_obj2txt(buffer, sizeof(buffer)-1, o, 1);
+ if(format==0)
+ XPUSHs(sv_2mortal(newSVpv(buffer,0))); /* format 0: oid */
+ else if(format==1 && nid>0)
+ XPUSHs(sv_2mortal(newSViv(nid))); /* format 1: nid */
+ else if(format==2 && nid>0)
+ XPUSHs(sv_2mortal(newSVpv(OBJ_nid2sn(nid),0))); /* format 2: shortname */
+ else if(format==3 && nid>0)
+ XPUSHs(sv_2mortal(newSVpv(OBJ_nid2ln(nid),0))); /* format 3: longname */
+ }
+
+#endif
+
+void
+P_X509_get_key_usage(cert)
+ X509 * cert
+ INIT:
+ ASN1_BIT_STRING * u;
+ PPCODE:
+ u = X509_get_ext_d2i(cert, NID_key_usage, NULL, NULL);
+ if (u) {
+ if (ASN1_BIT_STRING_get_bit(u,0)) XPUSHs(sv_2mortal(newSVpv("digitalSignature",0)));
+ if (ASN1_BIT_STRING_get_bit(u,1)) XPUSHs(sv_2mortal(newSVpv("nonRepudiation",0)));
+ if (ASN1_BIT_STRING_get_bit(u,2)) XPUSHs(sv_2mortal(newSVpv("keyEncipherment",0)));
+ if (ASN1_BIT_STRING_get_bit(u,3)) XPUSHs(sv_2mortal(newSVpv("dataEncipherment",0)));
+ if (ASN1_BIT_STRING_get_bit(u,4)) XPUSHs(sv_2mortal(newSVpv("keyAgreement",0)));
+ if (ASN1_BIT_STRING_get_bit(u,5)) XPUSHs(sv_2mortal(newSVpv("keyCertSign",0)));
+ if (ASN1_BIT_STRING_get_bit(u,6)) XPUSHs(sv_2mortal(newSVpv("cRLSign",0)));
+ if (ASN1_BIT_STRING_get_bit(u,7)) XPUSHs(sv_2mortal(newSVpv("encipherOnly",0)));
+ if (ASN1_BIT_STRING_get_bit(u,8)) XPUSHs(sv_2mortal(newSVpv("decipherOnly",0)));
+ }
+
+void
+P_X509_get_netscape_cert_type(cert)
+ X509 * cert
+ INIT:
+ ASN1_BIT_STRING * u;
+ PPCODE:
+ u = X509_get_ext_d2i(cert, NID_netscape_cert_type, NULL, NULL);
+ if (u) {
+ if (ASN1_BIT_STRING_get_bit(u,0)) XPUSHs(sv_2mortal(newSVpv("client",0)));
+ if (ASN1_BIT_STRING_get_bit(u,1)) XPUSHs(sv_2mortal(newSVpv("server",0)));
+ if (ASN1_BIT_STRING_get_bit(u,2)) XPUSHs(sv_2mortal(newSVpv("email",0)));
+ if 
(ASN1_BIT_STRING_get_bit(u,3)) XPUSHs(sv_2mortal(newSVpv("objsign",0)));
+ if (ASN1_BIT_STRING_get_bit(u,4)) XPUSHs(sv_2mortal(newSVpv("reserved",0)));
+ if (ASN1_BIT_STRING_get_bit(u,5)) XPUSHs(sv_2mortal(newSVpv("sslCA",0)));
+ if (ASN1_BIT_STRING_get_bit(u,6)) XPUSHs(sv_2mortal(newSVpv("emailCA",0)));
+ if (ASN1_BIT_STRING_get_bit(u,7)) XPUSHs(sv_2mortal(newSVpv("objCA",0)));
+ }
+
+int
+X509_get_ext_by_NID(x,nid,loc=-1)
+ X509* x
+ int nid
+ int loc
+
+X509_EXTENSION *
+X509_get_ext(x,loc)
+ X509* x
+ int loc
+
+int
+X509_EXTENSION_get_critical(X509_EXTENSION *ex)
+
+ASN1_OCTET_STRING *
+X509_EXTENSION_get_data(X509_EXTENSION *ne)
+
+ASN1_OBJECT *
+X509_EXTENSION_get_object(X509_EXTENSION *ex)
+
+int
+X509_get_ext_count(X509 *x)
+
+int
+X509_CRL_get_ext_count(X509_CRL *x)
+
+int
+X509_CRL_get_ext_by_NID(x,ni,loc=-1)
+ X509_CRL* x
+ int ni
+ int loc
+
+X509_EXTENSION *
+X509_CRL_get_ext(x,loc)
+ X509_CRL* x
+ int loc
+
+void
+X509V3_EXT_print(ext,flags=0,utf8_decode=0)
+ X509_EXTENSION * ext
+ unsigned long flags
+ int utf8_decode
+ PREINIT:
+ BIO * bp;
+ char * buf;
+ int i, n;
+ int indent=0;
+ CODE:
+ ST(0) = sv_newmortal(); /* undef to start with */
+ bp = BIO_new(BIO_s_mem());
+ if (bp) {
+ if(X509V3_EXT_print(bp,ext,flags,indent)) {
+ n = BIO_ctrl_pending(bp);
+ New(0, buf, n, char);
+ if (buf) {
+ i = BIO_read(bp,buf,n);
+ if (i>=0 && i<=n) {
+ sv_setpvn(ST(0), buf, i);
+ if (utf8_decode) sv_utf8_decode(ST(0));
+ }
+ Safefree(buf);
+ }
+ }
+ BIO_free(bp);
+ }
+
+void *
+X509V3_EXT_d2i(ext)
+ X509_EXTENSION *ext
+
+X509_STORE_CTX *
+X509_STORE_CTX_new()
+
+int
+X509_STORE_CTX_init(ctx, store=NULL, x509=NULL, chain=NULL)
+ X509_STORE_CTX * ctx
+ X509_STORE * store
+ X509 * x509
+ STACK_OF(X509) * chain
+
+void
+X509_STORE_CTX_free(ctx)
+ X509_STORE_CTX * ctx
+
+int
+X509_verify_cert(x509_store_ctx)
+ X509_STORE_CTX * x509_store_ctx
+
+int
+X509_STORE_CTX_get_error(x509_store_ctx)
+ X509_STORE_CTX * x509_store_ctx
+
+int 
+X509_STORE_CTX_get_error_depth(x509_store_ctx)
+ X509_STORE_CTX * x509_store_ctx
+
+int
+X509_STORE_CTX_set_ex_data(x509_store_ctx,idx,data)
+ X509_STORE_CTX * x509_store_ctx
+ int idx
+ void * data
+
+int
+X509_STORE_CTX_set_app_data(x509_store_ctx,arg)
+ X509_STORE_CTX * x509_store_ctx
+ char * arg
+ CODE:
+ RETVAL = X509_STORE_CTX_set_ex_data(x509_store_ctx,0,arg);
+ OUTPUT:
+ RETVAL
+
+void
+X509_STORE_CTX_set_error(x509_store_ctx,s)
+ X509_STORE_CTX * x509_store_ctx
+ int s
+
+void
+X509_STORE_CTX_set_cert(x509_store_ctx,x)
+ X509_STORE_CTX * x509_store_ctx
+ X509 * x
+
+X509_STORE *
+X509_STORE_new()
+
+void
+X509_STORE_free(store)
+ X509_STORE * store
+
+X509_LOOKUP *
+X509_STORE_add_lookup(store, method)
+ X509_STORE * store
+ X509_LOOKUP_METHOD * method
+
+int
+X509_STORE_add_cert(ctx, x)
+ X509_STORE *ctx
+ X509 *x
+
+int
+X509_STORE_add_crl(ctx, x)
+ X509_STORE *ctx
+ X509_CRL *x
+
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+
+void
+X509_STORE_set_flags(ctx, flags)
+ X509_STORE *ctx
+ long flags
+
+void
+X509_STORE_set_purpose(ctx, purpose)
+ X509_STORE *ctx
+ int purpose
+
+void
+X509_STORE_set_trust(ctx, trust)
+ X509_STORE *ctx
+ int trust
+
+int
+X509_STORE_set1_param(ctx, pm)
+ X509_STORE *ctx
+ X509_VERIFY_PARAM *pm
+
+#endif
+
+X509_LOOKUP_METHOD *
+X509_LOOKUP_hash_dir()
+
+void
+X509_LOOKUP_add_dir(lookup, dir, type)
+ X509_LOOKUP * lookup
+ char * dir
+ int type
+
+int
+X509_load_cert_file(ctx, file, type)
+ X509_LOOKUP *ctx
+ char *file
+ int type
+
+int
+X509_load_crl_file(ctx, file, type)
+ X509_LOOKUP *ctx
+ char *file
+ int type
+
+int
+X509_load_cert_crl_file(ctx, file, type)
+ X509_LOOKUP *ctx
+ char *file
+ int type
+
+const char *
+X509_verify_cert_error_string(n)
+ long n
+
+ASN1_INTEGER *
+ASN1_INTEGER_new()
+
+void
+ASN1_INTEGER_free(ASN1_INTEGER *i)
+
+int
+ASN1_INTEGER_set(ASN1_INTEGER *i, long val)
+
+long
+ASN1_INTEGER_get(ASN1_INTEGER *a)
+
+void
+P_ASN1_INTEGER_set_hex(i,str)
+ ASN1_INTEGER * i
+ char * str
+ INIT:
+ BIGNUM 
*bn;
+ int rv = 1;
+ PPCODE:
+ bn = BN_new();
+ if (!BN_hex2bn(&bn, str)) XSRETURN_IV(0);
+ if (!BN_to_ASN1_INTEGER(bn, i)) rv = 0;
+ BN_free(bn);
+ XSRETURN_IV(rv);
+
+void
+P_ASN1_INTEGER_set_dec(i,str)
+ ASN1_INTEGER * i
+ char * str
+ INIT:
+ BIGNUM *bn;
+ int rv = 1;
+ PPCODE:
+ bn = BN_new();
+ if (!BN_dec2bn(&bn, str)) XSRETURN_IV(0);
+ if (!BN_to_ASN1_INTEGER(bn, i)) rv = 0;
+ BN_free(bn);
+ XSRETURN_IV(rv);
+
+void
+P_ASN1_INTEGER_get_hex(i)
+ ASN1_INTEGER * i
+ INIT:
+ BIGNUM *bn;
+ char *result;
+ PPCODE:
+ bn = BN_new();
+ if (!bn) XSRETURN_UNDEF;
+ ASN1_INTEGER_to_BN(i, bn);
+ result = BN_bn2hex(bn);
+ BN_free(bn);
+ if (!result) XSRETURN_UNDEF;
+ XPUSHs(sv_2mortal(newSVpv((const char*)result, strlen(result))));
+ OPENSSL_free(result);
+
+void
+P_ASN1_INTEGER_get_dec(i)
+ ASN1_INTEGER * i
+ INIT:
+ BIGNUM *bn;
+ char *result;
+ PPCODE:
+ bn = BN_new();
+ if (!bn) XSRETURN_UNDEF;
+ ASN1_INTEGER_to_BN(i, bn);
+ result = BN_bn2dec(bn);
+ BN_free(bn);
+ if (!result) XSRETURN_UNDEF;
+ XPUSHs(sv_2mortal(newSVpv((const char*)result, strlen(result))));
+ OPENSSL_free(result);
+
+void
+P_ASN1_STRING_get(s,utf8_decode=0)
+ ASN1_STRING * s
+ int utf8_decode
+ PREINIT:
+ SV * u8;
+ PPCODE:
+ u8 = newSVpv((const char*)ASN1_STRING_data(s), ASN1_STRING_length(s));
+ if (utf8_decode) sv_utf8_decode(u8);
+ XPUSHs(sv_2mortal(u8));
+
+ASN1_TIME *
+X509_get_notBefore(cert)
+ X509 * cert
+
+ASN1_TIME *
+X509_get_notAfter(cert)
+ X509 * cert
+
+ASN1_TIME *
+X509_gmtime_adj(s, adj)
+ ASN1_TIME * s
+ long adj
+
+ASN1_TIME *
+ASN1_TIME_set(s,t)
+ ASN1_TIME *s
+ time_t t
+
+void
+ASN1_TIME_free(s)
+ ASN1_TIME *s
+
+time_t
+ASN1_TIME_timet(s)
+ ASN1_TIME *s
+ CODE:
+ RETVAL = ASN1_TIME_timet(s,NULL);
+ OUTPUT:
+ RETVAL
+
+ASN1_TIME *
+ASN1_TIME_new()
+
+void
+P_ASN1_TIME_put2string(tm)
+ ASN1_TIME * tm
+ PREINIT:
+ BIO *bp=NULL;
+ int i=0;
+ char buffer[256];
+ ALIAS:
+ P_ASN1_UTCTIME_put2string = 1
+ CODE:
+ ST(0) = sv_newmortal(); /* undef retval to start with */
+ if (tm) {
+ 
bp = BIO_new(BIO_s_mem());
+ if (bp) {
+ ASN1_TIME_print(bp,tm);
+ i = BIO_read(bp,buffer,255);
+ buffer[i] = '\0';
+ if (i>0)
+ sv_setpvn(ST(0), buffer, i);
+ BIO_free(bp);
+ }
+ }
+
+#if OPENSSL_VERSION_NUMBER >= 0x0090705f
+#define REM15 "NOTE: requires 0.9.7e+"
+
+void
+P_ASN1_TIME_get_isotime(tm)
+ ASN1_TIME *tm
+ PREINIT:
+ ASN1_GENERALIZEDTIME *tmp = NULL;
+ char buf[256];
+ CODE:
+ buf[0] = '\0';
+ /* ASN1_TIME_to_generalizedtime is buggy on pre-0.9.7e */
+ ASN1_TIME_to_generalizedtime(tm,&tmp);
+ if (tmp) {
+ if (ASN1_GENERALIZEDTIME_check(tmp)) {
+ if (strlen((char*)tmp->data)>=14 && strlen((char*)tmp->data)<200) {
+ strcpy (buf,"yyyy-mm-ddThh:mm:ss");
+ strncpy(buf, (char*)tmp->data, 4);
+ strncpy(buf+5, (char*)tmp->data+4, 2);
+ strncpy(buf+8, (char*)tmp->data+6, 2);
+ strncpy(buf+11,(char*)tmp->data+8, 2);
+ strncpy(buf+14,(char*)tmp->data+10,2);
+ strncpy(buf+17,(char*)tmp->data+12,2);
+ if (strlen((char*)tmp->data)>14) strcat(buf+19,(char*)tmp->data+14);
+ }
+ }
+ ASN1_GENERALIZEDTIME_free(tmp);
+ }
+ ST(0) = sv_newmortal();
+ sv_setpv(ST(0), buf);
+
+void
+P_ASN1_TIME_set_isotime(tm,str)
+ ASN1_TIME *tm
+ const char *str
+ PREINIT:
+ ASN1_TIME t;
+ char buf[256];
+ int i,rv;
+ CODE:
+ if (!tm) XSRETURN_UNDEF;
+ /* we support only "2012-03-22T23:55:33" or "2012-03-22T23:55:33Z" or "2012-03-22T23:55:33" */
+ if (strlen(str) < 19) XSRETURN_UNDEF;
+ for (i=0; i<4; i++) if ((str[i] > '9') || (str[i] < '0')) XSRETURN_UNDEF;
+ for (i=5; i<7; i++) if ((str[i] > '9') || (str[i] < '0')) XSRETURN_UNDEF;
+ for (i=8; i<10; i++) if ((str[i] > '9') || (str[i] < '0')) XSRETURN_UNDEF;
+ for (i=11; i<13; i++) if ((str[i] > '9') || (str[i] < '0')) XSRETURN_UNDEF;
+ for (i=14; i<16; i++) if ((str[i] > '9') || (str[i] < '0')) XSRETURN_UNDEF;
+ for (i=17; i<19; i++) if ((str[i] > '9') || (str[i] < '0')) XSRETURN_UNDEF;
+ strncpy(buf, str, 4);
+ strncpy(buf+4, str+5, 2);
+ strncpy(buf+6, str+8, 2);
+ strncpy(buf+8, str+11, 2);
+ strncpy(buf+10, str+14, 2);
+ 
strncpy(buf+12, str+17, 2);
+ buf[14] = '\0';
+ if (strlen(str)>19 && strlen(str)<200) strcat(buf,str+19);
+
+ /* WORKAROUND: ASN1_TIME_set_string() not available in 0.9.8 !!!*/
+ /* in 1.0.0 we would simply: rv = ASN1_TIME_set_string(tm,buf); */
+ t.length = strlen(buf);
+ t.data = (unsigned char *)buf;
+ t.flags = 0;
+ t.type = V_ASN1_UTCTIME;
+ if (!ASN1_TIME_check(&t)) {
+ t.type = V_ASN1_GENERALIZEDTIME;
+ if (!ASN1_TIME_check(&t)) XSRETURN_UNDEF;
+ }
+ tm->type = t.type;
+ tm->flags = t.flags;
+ if (!ASN1_STRING_set(tm,t.data,t.length)) XSRETURN_UNDEF;
+ rv = 1;
+
+ /* end of ASN1_TIME_set_string() reimplementation */
+
+ ST(0) = sv_newmortal();
+ sv_setiv(ST(0), rv); /* 1 = success, undef = failure */
+
+#endif
+
+int
+EVP_PKEY_copy_parameters(to,from)
+ EVP_PKEY * to
+ EVP_PKEY * from
+
+EVP_PKEY *
+EVP_PKEY_new()
+
+void
+EVP_PKEY_free(EVP_PKEY *pkey)
+
+int
+EVP_PKEY_assign_RSA(EVP_PKEY *pkey, RSA *key)
+
+int
+EVP_PKEY_bits(EVP_PKEY *pkey)
+
+int
+EVP_PKEY_size(EVP_PKEY *pkey)
+
+#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
+
+int
+EVP_PKEY_id(const EVP_PKEY *pkey)
+
+#endif
+
+void
+PEM_get_string_X509(x509)
+ X509 * x509
+ PREINIT:
+ BIO *bp;
+ int i, n;
+ char *buf;
+ CODE:
+ ST(0) = sv_newmortal(); /* undef to start with */
+ bp = BIO_new(BIO_s_mem());
+ if (bp && x509) {
+ PEM_write_bio_X509(bp,x509);
+ n = BIO_ctrl_pending(bp);
+ New(0, buf, n, char);
+ if (buf) {
+ i = BIO_read(bp,buf,n);
+ if (i>=0 && i<=n) sv_setpvn(ST(0), buf, i);
+ Safefree(buf);
+ }
+ BIO_free(bp);
+ }
+
+void
+PEM_get_string_X509_REQ(x509_req)
+ X509_REQ * x509_req
+ PREINIT:
+ BIO *bp;
+ int i, n;
+ char *buf;
+ CODE:
+ ST(0) = sv_newmortal(); /* undef to start with */
+ bp = BIO_new(BIO_s_mem());
+ if (bp && x509_req) {
+ PEM_write_bio_X509_REQ(bp,x509_req);
+ n = BIO_ctrl_pending(bp);
+ New(0, buf, n, char);
+ if (buf) {
+ i = BIO_read(bp,buf,n);
+ if (i>=0 && i<=n) sv_setpvn(ST(0), buf, i);
+ Safefree(buf);
+ }
+ BIO_free(bp);
+ }
+
+void
+PEM_get_string_X509_CRL(x509_crl) 
+ X509_CRL * x509_crl
+ PREINIT:
+ BIO *bp;
+ int i, n;
+ char *buf;
+ CODE:
+ ST(0) = sv_newmortal(); /* undef to start with */
+ bp = BIO_new(BIO_s_mem());
+ if (bp && x509_crl) {
+ PEM_write_bio_X509_CRL(bp,x509_crl);
+ n = BIO_ctrl_pending(bp);
+ New(0, buf, n, char);
+ if (buf) {
+ i = BIO_read(bp,buf,n);
+ if (i>=0 && i<=n) sv_setpvn(ST(0), buf, i);
+ Safefree(buf);
+ }
+ BIO_free(bp);
+ }
+
+void
+PEM_get_string_PrivateKey(pk,passwd=NULL,enc_alg=NULL)
+ EVP_PKEY * pk
+ char * passwd
+ const EVP_CIPHER * enc_alg
+ PREINIT:
+ BIO *bp;
+ int i, n;
+ char *buf;
+ size_t passwd_len = 0;
+ pem_password_cb * cb = NULL;
+ void * u = NULL;
+ CODE:
+ ST(0) = sv_newmortal(); /* undef to start with */
+ bp = BIO_new(BIO_s_mem());
+ if (bp && pk) {
+ if (passwd) passwd_len = strlen(passwd);
+ if (passwd_len>0) {
+ /* encrypted key */
+ if (!enc_alg)
+ PEM_write_bio_PrivateKey(bp,pk,EVP_des_cbc(),(unsigned char *)passwd,passwd_len,cb,u);
+ else
+ PEM_write_bio_PrivateKey(bp,pk,enc_alg,(unsigned char *)passwd,passwd_len,cb,u);
+ }
+ else {
+ /* unencrypted key */
+ PEM_write_bio_PrivateKey(bp,pk,NULL,(unsigned char *)passwd,passwd_len,cb,u);
+ }
+ n = BIO_ctrl_pending(bp);
+ New(0, buf, n, char);
+ if (buf) {
+ i = BIO_read(bp,buf,n);
+ if (i>=0 && i<=n) sv_setpvn(ST(0), buf, i);
+ Safefree(buf);
+ }
+ BIO_free(bp);
+ }
+
+int
+CTX_use_PKCS12_file(ctx, file, password=NULL)
+ SSL_CTX *ctx
+ char *file
+ char *password
+ PREINIT:
+ PKCS12 *p12;
+ EVP_PKEY *private_key;
+ X509 *certificate;
+ FILE *fp;
+ CODE:
+ RETVAL = 0;
+ if ((fp = fopen (file, "rb"))) {
+#if OPENSSL_VERSION_NUMBER >= 0x0090700fL
+ OPENSSL_add_all_algorithms_noconf();
+#else
+ OpenSSL_add_all_algorithms();
+#endif
+ if ((p12 = d2i_PKCS12_fp(fp, NULL))) {
+ if (PKCS12_parse(p12, password, &private_key, &certificate, NULL)) {
+ if (private_key) {
+ if (SSL_CTX_use_PrivateKey(ctx, private_key)) RETVAL = 1;
+ EVP_PKEY_free(private_key);
+ }
+ if (certificate) {
+ if (SSL_CTX_use_certificate(ctx, certificate)) 
RETVAL = 1; + X509_free(certificate); + } + } + PKCS12_free(p12); + } + if (!RETVAL) ERR_print_errors_fp(stderr); + fclose(fp); + } + OUTPUT: + RETVAL + +void +P_PKCS12_load_file(file, load_chain=0, password=NULL) + char *file + int load_chain + char *password + PREINIT: + PKCS12 *p12; + EVP_PKEY *private_key = NULL; + X509 *certificate = NULL; + STACK_OF(X509) *cachain = NULL; + X509 *x; + FILE *fp; + int i, result; + PPCODE: + if ((fp = fopen (file, "rb"))) { +#if OPENSSL_VERSION_NUMBER >= 0x0090700fL + OPENSSL_add_all_algorithms_noconf(); +#else + OpenSSL_add_all_algorithms(); +#endif + if ((p12 = d2i_PKCS12_fp(fp, NULL))) { + if(load_chain) + result= PKCS12_parse(p12, password, &private_key, &certificate, &cachain); + else + result= PKCS12_parse(p12, password, &private_key, &certificate, NULL); + if (result) { + if (private_key) + XPUSHs(sv_2mortal(newSViv(PTR2IV(private_key)))); + else + XPUSHs(sv_2mortal(newSVpv(NULL,0))); /* undef */ + if (certificate) + XPUSHs(sv_2mortal(newSViv(PTR2IV(certificate)))); + else + XPUSHs(sv_2mortal(newSVpv(NULL,0))); /* undef */ + if (cachain) { + for (i=0; i= 0x00905000L + +void +RIPEMD160(data) + PREINIT: + STRLEN len; + unsigned char md[RIPEMD160_DIGEST_LENGTH]; + INPUT: + unsigned char * data = (unsigned char *) SvPV( ST(0), len); + CODE: + if (RIPEMD160(data,len,md)) { + XSRETURN_PVN((char *) md, RIPEMD160_DIGEST_LENGTH); + } else { + XSRETURN_UNDEF; + } + +#endif + +#if !defined(OPENSSL_NO_SHA) + +void +SHA1(data) + PREINIT: + STRLEN len; + unsigned char md[SHA_DIGEST_LENGTH]; + INPUT: + unsigned char * data = (unsigned char *) SvPV( ST(0), len); + CODE: + if (SHA1(data,len,md)) { + XSRETURN_PVN((char *) md, SHA_DIGEST_LENGTH); + } else { + XSRETURN_UNDEF; + } + +#endif +#if !defined(OPENSSL_NO_SHA256) && OPENSSL_VERSION_NUMBER >= 0x0090800fL + +void +SHA256(data) + PREINIT: + STRLEN len; + unsigned char md[SHA256_DIGEST_LENGTH]; + INPUT: + unsigned char * data = (unsigned char *) SvPV( ST(0), len); + CODE: + if 
(SHA256(data,len,md)) {
+ XSRETURN_PVN((char *) md, SHA256_DIGEST_LENGTH);
+ } else {
+ XSRETURN_UNDEF;
+ }
+
+#endif
+#if !defined(OPENSSL_NO_SHA512) && OPENSSL_VERSION_NUMBER >= 0x0090800fL
+
+void
+SHA512(data)
+ PREINIT:
+ STRLEN len;
+ unsigned char md[SHA512_DIGEST_LENGTH];
+ INPUT:
+ unsigned char * data = (unsigned char *) SvPV( ST(0), len);
+ CODE:
+ if (SHA512(data,len,md)) {
+ XSRETURN_PVN((char *) md, SHA512_DIGEST_LENGTH);
+ } else {
+ XSRETURN_UNDEF;
+ }
+
+#endif
+
+#ifndef OPENSSL_NO_SSL2
+#if OPENSSL_VERSION_NUMBER < 0x10000000L
+
+const SSL_METHOD *
+SSLv2_method()
+
+#endif
+#endif
+
+#ifndef OPENSSL_NO_SSL3
+
+const SSL_METHOD *
+SSLv3_method()
+
+#endif
+
+const SSL_METHOD *
+SSLv23_method()
+
+const SSL_METHOD *
+SSLv23_server_method()
+
+const SSL_METHOD *
+SSLv23_client_method()
+
+const SSL_METHOD *
+TLSv1_method()
+
+const SSL_METHOD *
+TLSv1_server_method()
+
+const SSL_METHOD *
+TLSv1_client_method()
+
+#ifdef SSL_TXT_TLSV1_1
+
+const SSL_METHOD *
+TLSv1_1_method()
+
+const SSL_METHOD *
+TLSv1_1_server_method()
+
+const SSL_METHOD *
+TLSv1_1_client_method()
+
+#endif
+
+#ifdef SSL_TXT_TLSV1_2
+
+const SSL_METHOD *
+TLSv1_2_method()
+
+const SSL_METHOD *
+TLSv1_2_server_method()
+
+const SSL_METHOD *
+TLSv1_2_client_method()
+
+#endif
+
+
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (LIBRESSL_VERSION_NUMBER >= 0x20020002L)
+
+const SSL_METHOD *
+TLS_method()
+
+const SSL_METHOD *
+TLS_server_method()
+
+const SSL_METHOD *
+TLS_client_method()
+
+#endif /* OpenSSL 1.1.0 or LibreSSL 2.2.2 */
+
+
+#if (OPENSSL_VERSION_NUMBER >= 0x10100002L && !defined(LIBRESSL_VERSION_NUMBER)) || (LIBRESSL_VERSION_NUMBER >= 0x2060000fL)
+
+int
+SSL_CTX_set_min_proto_version(ctx, version)
+ SSL_CTX * ctx
+ int version
+
+int
+SSL_CTX_set_max_proto_version(ctx, version)
+ SSL_CTX * ctx
+ int version
+
+int
+SSL_set_min_proto_version(ssl, version)
+ SSL * ssl
+ int version
+
+int
+SSL_set_max_proto_version(ssl, version)
+ SSL * ssl
+ int version
+
+#endif /* OpenSSL 1.1.0-pre2 or LibreSSL 2.6.0 */
+
+
+#if OPENSSL_VERSION_NUMBER >= 0x1010007fL && !defined(LIBRESSL_VERSION_NUMBER)
+
+int
+SSL_CTX_get_min_proto_version(ctx)
+ SSL_CTX * ctx
+
+int
+SSL_CTX_get_max_proto_version(ctx)
+ SSL_CTX * ctx
+
+int
+SSL_get_min_proto_version(ssl)
+ SSL * ssl
+
+int
+SSL_get_max_proto_version(ssl)
+ SSL * ssl
+
+#endif /* OpenSSL 1.1.0g */
+
+
+#if OPENSSL_VERSION_NUMBER < 0x10000000L
+
+int
+SSL_set_ssl_method(ssl, method)
+ SSL * ssl
+ SSL_METHOD * method
+
+#else
+
+int
+SSL_set_ssl_method(ssl, method)
+ SSL * ssl
+ const SSL_METHOD * method
+
+#endif
+
+const SSL_METHOD *
+SSL_get_ssl_method(ssl)
+ SSL * ssl
+
+#define REM_AUTOMATICALLY_GENERATED_1_09
+
+BIO *
+BIO_new_buffer_ssl_connect(ctx)
+ SSL_CTX * ctx
+
+BIO *
+BIO_new_file(filename,mode)
+ char * filename
+ char * mode
+
+BIO *
+BIO_new_ssl(ctx,client)
+ SSL_CTX * ctx
+ int client
+
+BIO *
+BIO_new_ssl_connect(ctx)
+ SSL_CTX * ctx
+
+BIO *
+BIO_new(type)
+ BIO_METHOD * type;
+
+int
+BIO_free(bio)
+ BIO * bio;
+
+void
+BIO_read(s,max=32768)
+ BIO * s
+ int max
+ PREINIT:
+ char *buf = NULL;
+ int got;
+ CODE:
+ New(0, buf, max, char);
+ ST(0) = sv_newmortal(); /* Undefined to start with */
+ if ((got = BIO_read(s, buf, max)) >= 0)
+ sv_setpvn( ST(0), buf, got);
+ Safefree(buf);
+
+int
+BIO_write(s,buf)
+ BIO * s
+ PREINIT:
+ STRLEN len;
+ INPUT:
+ char * buf = SvPV( ST(1), len);
+ CODE:
+ RETVAL = BIO_write (s, buf, (int)len);
+ OUTPUT:
+ RETVAL
+
+int
+BIO_eof(s)
+ BIO * s
+
+int
+BIO_pending(s)
+ BIO * s
+
+int
+BIO_wpending(s)
+ BIO * s
+
+int
+BIO_ssl_copy_session_id(to,from)
+ BIO * to
+ BIO * from
+
+void
+BIO_ssl_shutdown(ssl_bio)
+ BIO * ssl_bio
+
+int
+SSL_add_client_CA(ssl,x)
+ SSL * ssl
+ X509 * x
+
+const char *
+SSL_alert_desc_string(value)
+ int value
+
+const char *
+SSL_alert_desc_string_long(value)
+ int value
+
+const char *
+SSL_alert_type_string(value)
+ int value
+
+const char *
+SSL_alert_type_string_long(value)
+ int value
+
+long
+SSL_callback_ctrl(ssl,i,fp)
+ SSL * ssl
+ int i
+ callback_no_ret * fp
+
+int
+SSL_check_private_key(ctx)
+ SSL * ctx
+
+# /* buf and size were required with Net::SSLeay 1.88 and earlier. */
+# /* With OpenSSL 0.9.8l and older compile can warn about discarded const. */
+void
+SSL_CIPHER_description(const SSL_CIPHER *cipher, char *unused_buf=NULL, int unused_size=0)
+ PREINIT:
+ char *description;
+ char buf[512];
+ PPCODE:
+ description = SSL_CIPHER_description(cipher, buf, sizeof(buf));
+ if(description == NULL) {
+ XSRETURN_EMPTY;
+ }
+ XPUSHs(sv_2mortal(newSVpv(description, 0)));
+
+const char *
+SSL_CIPHER_get_name(const SSL_CIPHER *c)
+
+int
+SSL_CIPHER_get_bits(c, ...)
+ const SSL_CIPHER * c
+ CODE:
+ int alg_bits;
+ RETVAL = SSL_CIPHER_get_bits(c, &alg_bits);
+ if (items > 2) croak("SSL_CIPHER_get_bits: Need to call with one or two parameters");
+ if (items > 1) sv_setsv(ST(1), sv_2mortal(newSViv(alg_bits)));
+ OUTPUT:
+ RETVAL
+
+const char *
+SSL_CIPHER_get_version(const SSL_CIPHER *cipher)
+
+#ifndef OPENSSL_NO_COMP
+
+int
+SSL_COMP_add_compression_method(id,cm)
+ int id
+ COMP_METHOD * cm
+
+#endif
+
+int
+SSL_CTX_add_client_CA(ctx,x)
+ SSL_CTX * ctx
+ X509 * x
+
+long
+SSL_CTX_callback_ctrl(ctx,i,fp)
+ SSL_CTX * ctx
+ int i
+ callback_no_ret * fp
+
+int
+SSL_CTX_check_private_key(ctx)
+ SSL_CTX * ctx
+
+void *
+SSL_CTX_get_ex_data(ssl,idx)
+ SSL_CTX * ssl
+ int idx
+
+int
+SSL_CTX_get_quiet_shutdown(ctx)
+ SSL_CTX * ctx
+
+long
+SSL_CTX_get_timeout(ctx)
+ SSL_CTX * ctx
+
+int
+SSL_CTX_get_verify_depth(ctx)
+ SSL_CTX * ctx
+
+int
+SSL_CTX_get_verify_mode(ctx)
+ SSL_CTX * ctx
+
+void
+SSL_CTX_set_cert_store(ctx,store)
+ SSL_CTX * ctx
+ X509_STORE * store
+
+X509_STORE *
+SSL_CTX_get_cert_store(ctx)
+ SSL_CTX * ctx
+
+void
+SSL_CTX_set_cert_verify_callback(ctx,callback,data=&PL_sv_undef)
+ SSL_CTX * ctx
+ SV * callback
+ SV * data
+ CODE:
+ if (callback==NULL || !SvOK(callback)) {
+ SSL_CTX_set_cert_verify_callback(ctx, NULL, NULL);
+ cb_data_advanced_put(ctx, "ssleay_ctx_cert_verify_cb!!func", NULL);
+ cb_data_advanced_put(ctx, "ssleay_ctx_cert_verify_cb!!data", NULL);
+ }
+ else {
+ cb_data_advanced_put(ctx, "ssleay_ctx_cert_verify_cb!!func", newSVsv(callback));
+ cb_data_advanced_put(ctx, "ssleay_ctx_cert_verify_cb!!data", newSVsv(data));
+#if OPENSSL_VERSION_NUMBER >= 0x0090700fL
+ SSL_CTX_set_cert_verify_callback(ctx, ssleay_ctx_cert_verify_cb_invoke, ctx);
+#else
+ SSL_CTX_set_cert_verify_callback(ctx, ssleay_ctx_cert_verify_cb_invoke, (char*)ctx);
+#endif
+ }
+
+X509_NAME_STACK *
+SSL_CTX_get_client_CA_list(ctx)
+ SSL_CTX *ctx
+
+void
+SSL_CTX_set_client_CA_list(ctx,list)
+ SSL_CTX * ctx
+ X509_NAME_STACK * list
+
+void
+SSL_CTX_set_default_passwd_cb(ctx,callback=&PL_sv_undef)
+ SSL_CTX * ctx
+ SV * callback
+ CODE:
+ if (callback==NULL || !SvOK(callback)) {
+ SSL_CTX_set_default_passwd_cb(ctx, NULL);
+ SSL_CTX_set_default_passwd_cb_userdata(ctx, NULL);
+ cb_data_advanced_put(ctx, "ssleay_ctx_passwd_cb!!func", NULL);
+ }
+ else {
+ cb_data_advanced_put(ctx, "ssleay_ctx_passwd_cb!!func", newSVsv(callback));
+ SSL_CTX_set_default_passwd_cb_userdata(ctx, (void*)ctx);
+ SSL_CTX_set_default_passwd_cb(ctx, &ssleay_ctx_passwd_cb_invoke);
+ }
+
+void
+SSL_CTX_set_default_passwd_cb_userdata(ctx,data=&PL_sv_undef)
+ SSL_CTX * ctx
+ SV * data
+ CODE:
+ /* SSL_CTX_set_default_passwd_cb_userdata is set in SSL_CTX_set_default_passwd_cb */
+ if (data==NULL || !SvOK(data)) {
+ cb_data_advanced_put(ctx, "ssleay_ctx_passwd_cb!!data", NULL);
+ }
+ else {
+ cb_data_advanced_put(ctx, "ssleay_ctx_passwd_cb!!data", newSVsv(data));
+ }
+
+int
+SSL_CTX_set_ex_data(ssl,idx,data)
+ SSL_CTX * ssl
+ int idx
+ void * data
+
+int
+SSL_CTX_set_purpose(s,purpose)
+ SSL_CTX * s
+ int purpose
+
+void
+SSL_CTX_set_quiet_shutdown(ctx,mode)
+ SSL_CTX * ctx
+ int mode
+
+#if OPENSSL_VERSION_NUMBER < 0x10000000L
+
+int
+SSL_CTX_set_ssl_version(ctx,meth)
+ SSL_CTX * ctx
+ SSL_METHOD * meth
+
+#else
+
+int
+SSL_CTX_set_ssl_version(ctx,meth)
+ SSL_CTX * ctx
+ const SSL_METHOD * meth
+
+#endif
+
+long
+SSL_CTX_set_timeout(ctx,t)
+ SSL_CTX * ctx
+ long t
+
+int
+SSL_CTX_set_trust(s,trust)
+ SSL_CTX * s
+ int trust
+
+void
+SSL_CTX_set_verify_depth(ctx,depth)
+ SSL_CTX * ctx
+ int depth
+
+int
+SSL_CTX_use_certificate(ctx,x)
+ SSL_CTX * ctx
+ X509 * x
+
+int
+SSL_CTX_use_certificate_chain_file(ctx,file)
+ SSL_CTX * ctx
+ const char * file
+
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+
+int
+SSL_use_certificate_chain_file(ssl,file)
+ SSL * ssl
+ const char * file
+
+#endif /* OpenSSL 1.1.0 */
+
+int
+SSL_CTX_use_PrivateKey(ctx,pkey)
+ SSL_CTX * ctx
+ EVP_PKEY * pkey
+
+int
+SSL_CTX_use_RSAPrivateKey(ctx,rsa)
+ SSL_CTX * ctx
+ RSA * rsa
+
+int
+SSL_do_handshake(s)
+ SSL * s
+
+SSL *
+SSL_dup(ssl)
+ SSL * ssl
+
+const SSL_CIPHER *
+SSL_get_current_cipher(s)
+ SSL * s
+
+long
+SSL_get_default_timeout(s)
+ SSL * s
+
+void *
+SSL_get_ex_data(ssl,idx)
+ SSL * ssl
+ int idx
+
+size_t
+SSL_get_finished(ssl,buf,count=2*EVP_MAX_MD_SIZE)
+ SSL *ssl
+ SV *buf
+ size_t count
+ PREINIT:
+ unsigned char *finished;
+ size_t finished_len;
+ CODE:
+ Newx(finished, count, unsigned char);
+ finished_len = SSL_get_finished(ssl, finished, count);
+ if (count > finished_len)
+ count = finished_len;
+ sv_setpvn(buf, (const char *)finished, count);
+ Safefree(finished);
+ RETVAL = finished_len;
+ OUTPUT:
+ RETVAL
+
+size_t
+SSL_get_peer_finished(ssl,buf,count=2*EVP_MAX_MD_SIZE)
+ SSL *ssl
+ SV *buf
+ size_t count
+ PREINIT:
+ unsigned char *finished;
+ size_t finished_len;
+ CODE:
+ Newx(finished, count, unsigned char);
+ finished_len = SSL_get_peer_finished(ssl, finished, count);
+ if (count > finished_len)
+ count = finished_len;
+ sv_setpvn(buf, (const char *)finished, count);
+ Safefree(finished);
+ RETVAL = finished_len;
+ OUTPUT:
+ RETVAL
+
+int
+SSL_get_quiet_shutdown(ssl)
+ SSL * ssl
+
+int
+SSL_get_shutdown(ssl)
+ SSL * ssl
+
+int
+SSL_get_verify_depth(s)
+ SSL * s
+
+int
+SSL_get_verify_mode(s)
+ SSL * s
+
+long
+SSL_get_verify_result(ssl)
+ SSL * ssl
+
+int
+SSL_renegotiate(s)
+ SSL * s
+
+#if OPENSSL_VERSION_NUMBER < 0x10000000L
+
+int
+SSL_SESSION_cmp(a,b)
+ SSL_SESSION * a
+ SSL_SESSION * b
+
+#endif
+
+void *
+SSL_SESSION_get_ex_data(ss,idx)
+ SSL_SESSION * ss
+ int idx
+
+long
+SSL_SESSION_get_time(s)
+ SSL_SESSION * s
+
+long
+SSL_SESSION_get_timeout(s)
+ SSL_SESSION * s
+
+int
+SSL_SESSION_print_fp(fp,ses)
+ FILE * fp
+ SSL_SESSION * ses
+
+int
+SSL_SESSION_set_ex_data(ss,idx,data)
+ SSL_SESSION * ss
+ int idx
+ void * data
+
+long
+SSL_SESSION_set_time(s,t)
+ SSL_SESSION * s
+ long t
+
+long
+SSL_SESSION_set_timeout(s,t)
+ SSL_SESSION * s
+ long t
+
+void
+SSL_set_accept_state(s)
+ SSL * s
+
+void
+sk_X509_NAME_free(sk)
+ X509_NAME_STACK *sk
+
+int
+sk_X509_NAME_num(sk)
+ X509_NAME_STACK *sk
+
+X509_NAME *
+sk_X509_NAME_value(sk,i)
+ X509_NAME_STACK *sk
+ int i
+
+X509_NAME_STACK *
+SSL_get_client_CA_list(s)
+ SSL * s
+
+void
+SSL_set_client_CA_list(s,list)
+ SSL * s
+ X509_NAME_STACK * list
+
+void
+SSL_set_connect_state(s)
+ SSL * s
+
+int
+SSL_set_ex_data(ssl,idx,data)
+ SSL * ssl
+ int idx
+ void * data
+
+
+void
+SSL_set_info_callback(ssl,callback,data=&PL_sv_undef)
+ SSL * ssl
+ SV * callback
+ SV * data
+ CODE:
+ if (callback==NULL || !SvOK(callback)) {
+ SSL_set_info_callback(ssl, NULL);
+ cb_data_advanced_put(ssl, "ssleay_info_cb!!func", NULL);
+ cb_data_advanced_put(ssl, "ssleay_info_cb!!data", NULL);
+ } else {
+ cb_data_advanced_put(ssl, "ssleay_info_cb!!func", newSVsv(callback));
+ cb_data_advanced_put(ssl, "ssleay_info_cb!!data", newSVsv(data));
+ SSL_set_info_callback(ssl, ssleay_info_cb_invoke);
+ }
+
+void
+SSL_CTX_set_info_callback(ctx,callback,data=&PL_sv_undef)
+ SSL_CTX * ctx
+ SV * callback
+ SV * data
+ CODE:
+ if (callback==NULL || !SvOK(callback)) {
+ SSL_CTX_set_info_callback(ctx, NULL);
+ cb_data_advanced_put(ctx, "ssleay_ctx_info_cb!!func", NULL);
+ cb_data_advanced_put(ctx, "ssleay_ctx_info_cb!!data", NULL);
+ } else {
+ cb_data_advanced_put(ctx, "ssleay_ctx_info_cb!!func", newSVsv(callback));
+ cb_data_advanced_put(ctx, "ssleay_ctx_info_cb!!data", newSVsv(data));
+ SSL_CTX_set_info_callback(ctx, ssleay_ctx_info_cb_invoke);
+ }
+
+void
+SSL_set_msg_callback(ssl,callback,data=&PL_sv_undef)
+ SSL * ssl
+ SV * callback
+ SV * data
+ CODE:
+ if (callback==NULL || !SvOK(callback)) {
+ SSL_set_msg_callback(ssl, NULL);
+ cb_data_advanced_put(ssl, "ssleay_msg_cb!!func", NULL);
+ cb_data_advanced_put(ssl, "ssleay_msg_cb!!data", NULL);
+ } else {
+ cb_data_advanced_put(ssl, "ssleay_msg_cb!!func", newSVsv(callback));
+ cb_data_advanced_put(ssl, "ssleay_msg_cb!!data", newSVsv(data));
+ SSL_set_msg_callback(ssl, ssleay_msg_cb_invoke);
+ }
+
+void
+SSL_CTX_set_msg_callback(ctx,callback,data=&PL_sv_undef)
+ SSL_CTX * ctx
+ SV * callback
+ SV * data
+ CODE:
+ if (callback==NULL || !SvOK(callback)) {
+ SSL_CTX_set_msg_callback(ctx, NULL);
+ cb_data_advanced_put(ctx, "ssleay_ctx_msg_cb!!func", NULL);
+ cb_data_advanced_put(ctx, "ssleay_ctx_msg_cb!!data", NULL);
+ } else {
+ cb_data_advanced_put(ctx, "ssleay_ctx_msg_cb!!func", newSVsv(callback));
+ cb_data_advanced_put(ctx, "ssleay_ctx_msg_cb!!data", newSVsv(data));
+ SSL_CTX_set_msg_callback(ctx, ssleay_ctx_msg_cb_invoke);
+ }
+
+
+#if OPENSSL_VERSION_NUMBER >= 0x10101001 && !defined(LIBRESSL_VERSION_NUMBER)
+
+void
+SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SV *callback)
+ CODE:
+ if (callback==NULL || !SvOK(callback)) {
+ SSL_CTX_set_keylog_callback(ctx, NULL);
+ cb_data_advanced_put(ctx, "ssleay_ssl_ctx_keylog_callback!!func", NULL);
+ } else {
+ cb_data_advanced_put(ctx, "ssleay_ssl_ctx_keylog_callback!!func", newSVsv(callback));
+ SSL_CTX_set_keylog_callback(ctx, ssl_ctx_keylog_cb_func_invoke);
+ }
+
+SV *
+SSL_CTX_get_keylog_callback(const SSL_CTX *ctx)
+ CODE:
+ SV *func = cb_data_advanced_get(ctx, "ssleay_ssl_ctx_keylog_callback!!func");
+ /* without increment the reference will go away and ssl_ctx_keylog_cb_func_invoke croaks */
+ SvREFCNT_inc(func);
+ RETVAL = func;
+ OUTPUT:
+ RETVAL
+
+#endif
+
+
+int
+SSL_set_purpose(s,purpose)
+ SSL * s
+ int purpose
+
+void
+SSL_set_quiet_shutdown(ssl,mode)
+ SSL * ssl
+ int mode
+
+void
+SSL_set_shutdown(ssl,mode)
+ SSL * ssl
+ int mode
+
+int
+SSL_set_trust(s,trust)
+ SSL * s
+ int trust
+
+void
+SSL_set_verify_depth(s,depth)
+ SSL * s
+ int depth
+
+void
+SSL_set_verify_result(ssl,v)
+ SSL * ssl
+ long v
+
+int
+SSL_shutdown(s)
+ SSL * s
+
+const char *
+SSL_get_version(ssl)
+ const SSL * ssl
+
+int
+SSL_version(ssl)
+ SSL * ssl
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100006L && !defined(LIBRESSL_VERSION_NUMBER) /* 1.1.0-pre6 */
+
+int
+SSL_client_version(ssl)
+ const SSL * ssl
+
+int
+SSL_is_dtls(ssl)
+ const SSL * ssl
+
+#endif
+
+#define REM_MANUALLY_ADDED_1_09
+
+X509_NAME_STACK *
+SSL_load_client_CA_file(file)
+ const char * file
+
+int
+SSL_add_file_cert_subjects_to_stack(stackCAs,file)
+ X509_NAME_STACK * stackCAs
+ const char * file
+
+#ifndef WIN32
+#ifndef VMS
+#ifndef MAC_OS_pre_X
+
+int
+SSL_add_dir_cert_subjects_to_stack(stackCAs,dir)
+ X509_NAME_STACK * stackCAs
+ const char * dir
+
+#endif
+#endif
+#endif
+
+int
+SSL_CTX_get_ex_new_index(argl,argp=NULL,new_func=NULL,dup_func=NULL,free_func=NULL)
+ long argl
+ void * argp
+ CRYPTO_EX_new * new_func
+ CRYPTO_EX_dup * dup_func
+ CRYPTO_EX_free * free_func
+
+int
+SSL_CTX_set_session_id_context(ctx,sid_ctx,sid_ctx_len)
+ SSL_CTX * ctx
+ const unsigned char * sid_ctx
+ unsigned int sid_ctx_len
+
+int
+SSL_set_session_id_context(ssl,sid_ctx,sid_ctx_len)
+ SSL * ssl
+ const unsigned char * sid_ctx
+ unsigned int sid_ctx_len
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+void
+SSL_CTX_set_tmp_rsa_callback(ctx, cb)
+ SSL_CTX * ctx
+ cb_ssl_int_int_ret_RSA * cb
+
+void
+SSL_set_tmp_rsa_callback(ssl, cb)
+ SSL * ssl
+ cb_ssl_int_int_ret_RSA * cb
+
+#endif
+
+void
+SSL_CTX_set_tmp_dh_callback(ctx, dh)
+ SSL_CTX * ctx
+ cb_ssl_int_int_ret_DH * dh
+
+void
+SSL_set_tmp_dh_callback(ssl,dh)
+ SSL * ssl
+ cb_ssl_int_int_ret_DH * dh
+
+int
+SSL_get_ex_new_index(argl,argp=NULL,new_func=NULL,dup_func=NULL,free_func=NULL)
+ long argl
+ void * argp
+ CRYPTO_EX_new * new_func
+ CRYPTO_EX_dup * dup_func
+ CRYPTO_EX_free * free_func
+
+int
+SSL_SESSION_get_ex_new_index(argl,argp=NULL,new_func=NULL,dup_func=NULL,free_func=NULL)
+ long argl
+ void * argp
+ CRYPTO_EX_new * new_func
+ CRYPTO_EX_dup * dup_func
+ CRYPTO_EX_free * free_func
+
+#define REM_SEMIAUTOMATIC_MACRO_GEN_1_09
+
+long
+SSL_clear_num_renegotiations(ssl)
+ SSL * ssl
+ CODE:
+ RETVAL = SSL_ctrl(ssl,SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS,0,NULL);
+ OUTPUT:
+ RETVAL
+
+long
+SSL_CTX_add_extra_chain_cert(ctx,x509)
+ SSL_CTX * ctx
+ X509 * x509
+ CODE:
+ RETVAL = SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char*)x509);
+ OUTPUT:
+ RETVAL
+
+void *
+SSL_CTX_get_app_data(ctx)
+ SSL_CTX * ctx
+ CODE:
+ RETVAL = SSL_CTX_get_ex_data(ctx,0);
+ OUTPUT:
+ RETVAL
+
+long
+SSL_CTX_get_mode(ctx)
+ SSL_CTX * ctx
+ CODE:
+ RETVAL = SSL_CTX_ctrl(ctx,SSL_CTRL_MODE,0,NULL);
+ OUTPUT:
+ RETVAL
+
+long
+SSL_CTX_get_read_ahead(ctx)
+ SSL_CTX * ctx
+ CODE:
+ RETVAL = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL);
+ OUTPUT:
+ RETVAL
+
+long
+SSL_CTX_get_session_cache_mode(ctx)
+ SSL_CTX * ctx
+ CODE:
+ RETVAL = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_MODE,0,NULL);
+ OUTPUT:
+ RETVAL
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+long
+SSL_CTX_need_tmp_RSA(ctx)
+ SSL_CTX * ctx
+ CODE:
+ RETVAL = SSL_CTX_ctrl(ctx,SSL_CTRL_NEED_TMP_RSA,0,NULL);
+ OUTPUT:
+ RETVAL
+
+#endif
+
+int
+SSL_CTX_set_app_data(ctx,arg)
+ SSL_CTX * ctx
+ char * arg
+ CODE:
+ RETVAL = SSL_CTX_set_ex_data(ctx,0,arg);
+ OUTPUT:
+ RETVAL
+
+long
+SSL_CTX_set_mode(ctx,op)
+ SSL_CTX * ctx
+ long op
+ CODE:
+ RETVAL = SSL_CTX_ctrl(ctx,SSL_CTRL_MODE,op,NULL);
+ OUTPUT:
+ RETVAL
+
+long
+SSL_CTX_set_read_ahead(ctx,m)
+ SSL_CTX * ctx
+ long m
+ CODE:
+ RETVAL = SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL);
+ OUTPUT:
+ RETVAL
+
+long
+SSL_CTX_set_session_cache_mode(ctx,m)
+ SSL_CTX * ctx
+ long m
+ CODE:
+ RETVAL = SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_MODE,m,NULL);
+ OUTPUT:
+ RETVAL
+
+long
+SSL_CTX_set_tmp_dh(ctx,dh)
+ SSL_CTX * ctx
+ DH * dh
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+long
+SSL_CTX_set_tmp_rsa(ctx,rsa)
+ SSL_CTX * ctx
+ RSA * rsa
+
+#endif
+
+#if OPENSSL_VERSION_NUMBER > 0x10000000L && !defined OPENSSL_NO_EC
+
+EC_KEY *
+EC_KEY_new_by_curve_name(nid)
+ int nid
+
+void
+EC_KEY_free(key)
+ EC_KEY * key
+
+long
+SSL_CTX_set_tmp_ecdh(ctx,ecdh)
+ SSL_CTX * ctx
+ EC_KEY * ecdh
+
+int
+EVP_PKEY_assign_EC_KEY(pkey,key)
+ EVP_PKEY * pkey
+ EC_KEY * key
+
+
+EC_KEY *
+EC_KEY_generate_key(curve)
+ SV *curve;
+ CODE:
+ EC_GROUP *group = NULL;
+ EC_KEY *eckey = NULL;
+ int nid;
+
+ RETVAL = 0;
+ if (SvIOK(curve)) {
+ nid = SvIV(curve);
+ } else {
+ nid = OBJ_sn2nid(SvPV_nolen(curve));
+#if OPENSSL_VERSION_NUMBER > 0x10002000L
+ if (!nid) nid = EC_curve_nist2nid(SvPV_nolen(curve));
+#endif
+ if (!nid) croak("unknown curve %s",SvPV_nolen(curve));
+ }
+
+ group = EC_GROUP_new_by_curve_name(nid);
+ if (!group) croak("unknown curve nid=%d",nid);
+ EC_GROUP_set_asn1_flag(group,OPENSSL_EC_NAMED_CURVE);
+
+ eckey = EC_KEY_new();
+ if ( eckey
+ && EC_KEY_set_group(eckey, group)
+ && EC_KEY_generate_key(eckey)) {
+ RETVAL = eckey;
+ } else {
+ if (eckey) EC_KEY_free(eckey);
+ }
+ if (group) EC_GROUP_free(group);
+
+ OUTPUT:
+ RETVAL
+
+
+#ifdef SSL_CTRL_SET_ECDH_AUTO
+
+long
+SSL_CTX_set_ecdh_auto(ctx,onoff)
+ SSL_CTX * ctx
+ int onoff
+
+long
+SSL_set_ecdh_auto(ssl,onoff)
+ SSL * ssl
+ int onoff
+
+#endif
+
+#ifdef SSL_CTRL_SET_CURVES_LIST
+
+long
+SSL_CTX_set1_curves_list(ctx,list)
+ SSL_CTX * ctx
+ char * list
+
+long
+SSL_set1_curves_list(ssl,list)
+ SSL * ssl
+ char * list
+
+#endif
+
+#if SSL_CTRL_SET_GROUPS_LIST
+
+long
+SSL_CTX_set1_groups_list(ctx,list)
+ SSL_CTX * ctx
+ char * list
+
+long
+SSL_set1_groups_list(ssl,list)
+ SSL * ssl
+ char * list
+
+#endif
+
+
+
+#endif
+
+void *
+SSL_get_app_data(s)
+ SSL * s
+ CODE:
+ RETVAL = SSL_get_ex_data(s,0);
+ OUTPUT:
+ RETVAL
+
+int
+SSL_get_cipher_bits(s,np=NULL)
+ SSL * s
+ int * np
+ CODE:
+ RETVAL = SSL_CIPHER_get_bits(SSL_get_current_cipher(s),np);
+ OUTPUT:
+ RETVAL
+
+long
+SSL_get_mode(ssl)
+ SSL * ssl
+ CODE:
+ RETVAL = SSL_ctrl(ssl,SSL_CTRL_MODE,0,NULL);
+ OUTPUT:
+ RETVAL
+
+void
+SSL_set_state(ssl,state)
+ SSL * ssl
+ int state
+ CODE:
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ /* not available */
+#elif defined(OPENSSL_NO_SSL_INTERN)
+ SSL_set_state(ssl,state);
+#else
+ ssl->state = state;
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+long
+SSL_need_tmp_RSA(ssl)
+ SSL * ssl
+ CODE:
+ RETVAL = SSL_ctrl(ssl,SSL_CTRL_NEED_TMP_RSA,0,NULL);
+ OUTPUT:
+ RETVAL
+
+
+#endif
+
+long
+SSL_num_renegotiations(ssl)
+ SSL * ssl
+ CODE:
+ RETVAL = SSL_ctrl(ssl,SSL_CTRL_GET_NUM_RENEGOTIATIONS,0,NULL);
+ OUTPUT:
+ RETVAL
+
+void *
+SSL_SESSION_get_app_data(ses)
+ SSL_SESSION * ses
+ CODE:
+ RETVAL = SSL_SESSION_get_ex_data(ses,0);
+ OUTPUT:
+ RETVAL
+
+long
+SSL_session_reused(ssl)
+ SSL * ssl
+
+int
+SSL_SESSION_set_app_data(s,a)
+ SSL_SESSION * s
+ void * a
+ CODE:
+ RETVAL = SSL_SESSION_set_ex_data(s,0,(char *)a);
+ OUTPUT:
+ RETVAL
+
+int
+SSL_set_app_data(s,arg)
+ SSL * s
+ void * arg
+ CODE:
+ RETVAL = SSL_set_ex_data(s,0,(char *)arg);
+ OUTPUT:
+ RETVAL
+
+long
+SSL_set_mode(ssl,op)
+ SSL * ssl
+ long op
+ CODE:
+ RETVAL = SSL_ctrl(ssl,SSL_CTRL_MODE,op,NULL);
+ OUTPUT:
+ RETVAL
+
+int
+SSL_set_pref_cipher(s,n)
+ SSL * s
+ const char * n
+ CODE:
+ RETVAL = SSL_set_cipher_list(s,n);
+ OUTPUT:
+ RETVAL
+
+long
+SSL_set_tmp_dh(ssl,dh)
+ SSL * ssl
+ DH * dh
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+long
+SSL_set_tmp_rsa(ssl,rsa)
+ SSL * ssl
+ char * rsa
+ CODE:
+ RETVAL = SSL_ctrl(ssl,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa);
+ OUTPUT:
+ RETVAL
+
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+
+RSA *
+RSA_generate_key(bits,ee,perl_cb=&PL_sv_undef,perl_data=&PL_sv_undef)
+ int bits
+ unsigned long ee
+ SV* perl_cb
+ SV* perl_data
+ PREINIT:
+ simple_cb_data_t* cb_data = NULL;
+ CODE:
+ /* openssl 0.9.8 deprecated RSA_generate_key. */
+ /* This equivalent was contributed by Brian Fraser for Android, */
+ /* but was not portable to old OpenSSLs where RSA_generate_key_ex is not available. */
+ /* It should now be more versatile. */
+ /* as of openssl 1.1.0-pre1 it is not possible anymore to generate the BN_GENCB structure directly. */
+ /* instead BN_EGNCB_new() has to be used. */
+ int rc;
+ RSA * ret;
+ BIGNUM *e;
+ e = BN_new();
+ if(!e)
+ croak("Net::SSLeay: RSA_generate_key perl function could not create BN structure.\n");
+ BN_set_word(e, ee);
+ cb_data = simple_cb_data_new(perl_cb, perl_data);
+
+ ret = RSA_new();
+ if(!ret) {
+ simple_cb_data_free(cb_data);
+ BN_free(e);
+ croak("Net::SSLeay: RSA_generate_key perl function could not create RSA structure.\n");
+ }
+#if (OPENSSL_VERSION_NUMBER >= 0x10100001L && !defined(LIBRESSL_VERSION_NUMBER)) || (LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
+ BN_GENCB *new_cb;
+ new_cb = BN_GENCB_new();
+ if(!new_cb) {
+ simple_cb_data_free(cb_data);
+ BN_free(e);
+ RSA_free(ret);
+ croak("Net::SSLeay: RSA_generate_key perl function could not create BN_GENCB structure.\n");
+ }
+ BN_GENCB_set_old(new_cb, ssleay_RSA_generate_key_cb_invoke, cb_data);
+ rc = RSA_generate_key_ex(ret, bits, e, new_cb);
+ BN_GENCB_free(new_cb);
+#else
+ BN_GENCB new_cb;
+ BN_GENCB_set_old(&new_cb, ssleay_RSA_generate_key_cb_invoke, cb_data);
+ rc = RSA_generate_key_ex(ret, bits, e, &new_cb);
+#endif
+ simple_cb_data_free(cb_data);
+ BN_free(e);
+ if (rc == -1 || ret == NULL) {
+ if (ret) RSA_free(ret);
+ croak("Net::SSLeay: Couldn't generate RSA key");
+ }
+ e = NULL;
+ RETVAL = ret;
+ OUTPUT:
+ RETVAL
+
+#else
+
+RSA *
+RSA_generate_key(bits,e,perl_cb=&PL_sv_undef,perl_data=&PL_sv_undef)
+ int bits
+ unsigned long e
+ SV* perl_cb
+ SV* perl_data
+ PREINIT:
+ simple_cb_data_t* cb = NULL;
+ CODE:
+ cb = simple_cb_data_new(perl_cb, perl_data);
+ RETVAL = RSA_generate_key(bits, e, ssleay_RSA_generate_key_cb_invoke, cb);
+ simple_cb_data_free(cb);
+ OUTPUT:
+ RETVAL
+
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+
+void
+RSA_get_key_parameters(rsa)
+ RSA * rsa
+PPCODE:
+{
+ /* Caution: returned list consists of SV pointers to BIGNUMs, which would need to be blessed as Crypt::OpenSSL::Bignum for further use */
+ XPUSHs(bn2sv(rsa->n));
+ XPUSHs(bn2sv(rsa->e));
+ XPUSHs(bn2sv(rsa->d));
+ XPUSHs(bn2sv(rsa->p));
+ XPUSHs(bn2sv(rsa->q));
+ XPUSHs(bn2sv(rsa->dmp1));
+ XPUSHs(bn2sv(rsa->dmq1));
+ XPUSHs(bn2sv(rsa->iqmp));
+}
+
+#endif
+
+void
+RSA_free(r)
+ RSA * r
+
+X509 *
+X509_new()
+
+void
+X509_free(a)
+ X509 * a
+
+X509_CRL *
+d2i_X509_CRL_bio(BIO *bp,void *unused=NULL)
+
+X509_REQ *
+d2i_X509_REQ_bio(BIO *bp,void *unused=NULL)
+
+X509 *
+d2i_X509_bio(BIO *bp,void *unused=NULL)
+
+DH *
+PEM_read_bio_DHparams(bio,x=NULL,cb=NULL,u=NULL)
+ BIO * bio
+ void * x
+ pem_password_cb * cb
+ void * u
+
+X509_CRL *
+PEM_read_bio_X509_CRL(bio,x=NULL,cb=NULL,u=NULL)
+ BIO * bio
+ void * x
+ pem_password_cb * cb
+ void * u
+
+X509 *
+PEM_read_bio_X509(BIO *bio,void *x=NULL,void *cb=NULL,void *u=NULL)
+
+STACK_OF(X509_INFO) *
+PEM_X509_INFO_read_bio(bio, stack=NULL, cb=NULL, u=NULL)
+ BIO * bio
+ STACK_OF(X509_INFO) * stack
+ pem_password_cb * cb
+ void * u
+
+int
+sk_X509_INFO_num(stack)
+ STACK_OF(X509_INFO) * stack
+
+X509_INFO *
+sk_X509_INFO_value(stack, index)
+ const STACK_OF(X509_INFO) * stack
+ int index
+
+void
+sk_X509_INFO_free(stack)
+ STACK_OF(X509_INFO) * stack
+
+STACK_OF(X509) *
+sk_X509_new_null()
+
+void
+sk_X509_free(stack)
+ STACK_OF(X509) * stack
+
+int
+sk_X509_push(stack, data)
+ STACK_OF(X509) * stack
+ X509 * data
+
+X509 *
+sk_X509_pop(stack)
+ STACK_OF(X509) * stack
+
+X509 *
+sk_X509_shift(stack)
+ STACK_OF(X509) * stack
+
+int
+sk_X509_unshift(stack,x509)
+ STACK_OF(X509) * stack
+ X509 * x509
+
+int
+sk_X509_insert(stack,x509,index)
+ STACK_OF(X509) * stack
+ X509 * x509
+ int index
+
+X509 *
+sk_X509_delete(stack,index)
+ STACK_OF(X509) * stack
+ int index
+
+X509 *
+sk_X509_value(stack,index)
+ STACK_OF(X509) * stack
+ int index
+
+int
+sk_X509_num(stack)
+ STACK_OF(X509) * stack
+
+X509 *
+P_X509_INFO_get_x509(info)
+ X509_INFO * info
+ CODE:
+ RETVAL = info->x509;
+ OUTPUT:
+ RETVAL
+
+X509_REQ *
+PEM_read_bio_X509_REQ(BIO *bio,void *x=NULL,pem_password_cb *cb=NULL,void *u=NULL)
+
+EVP_PKEY *
+PEM_read_bio_PrivateKey(bio,perl_cb=&PL_sv_undef,perl_data=&PL_sv_undef)
+ BIO *bio
+ SV* perl_cb
+ SV* perl_data
+ PREINIT:
+ simple_cb_data_t* cb = NULL;
+ CODE:
+ RETVAL = 0;
+ if (SvOK(perl_cb)) {
+ /* setup our callback */
+ cb = simple_cb_data_new(perl_cb, perl_data);
+ RETVAL = PEM_read_bio_PrivateKey(bio, NULL, pem_password_cb_invoke, (void*)cb);
+ simple_cb_data_free(cb);
+ }
+ else if (!SvOK(perl_cb) && SvOK(perl_data) && SvPOK(perl_data)) {
+ /* use perl_data as the password */
+ RETVAL = PEM_read_bio_PrivateKey(bio, NULL, NULL, SvPVX(perl_data));
+ }
+ else if (!SvOK(perl_cb) && !SvOK(perl_data)) {
+ /* will trigger default password callback */
+ RETVAL = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
+ }
+ OUTPUT:
+ RETVAL
+
+void
+DH_free(dh)
+ DH * dh
+
+long
+SSL_total_renegotiations(ssl)
+ SSL * ssl
+ CODE:
+ RETVAL = SSL_ctrl(ssl,SSL_CTRL_GET_TOTAL_RENEGOTIATIONS,0,NULL);
+ OUTPUT:
+ RETVAL
+
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
+void
+SSL_SESSION_get_master_key(s)
+ SSL_SESSION * s
+ PREINIT:
+ size_t master_key_length;
+ unsigned char* master_key;
+ CODE:
+ ST(0) = sv_newmortal(); /* Undefined to start with */
+ master_key_length = SSL_SESSION_get_master_key(s, 0, 0); /* get the length */
+ New(0, master_key, master_key_length, unsigned char);
+ SSL_SESSION_get_master_key(s, master_key, master_key_length);
+ sv_setpvn(ST(0), (const char*)master_key, master_key_length);
+ Safefree(master_key);
+
+#else
+void
+SSL_SESSION_get_master_key(s)
+ SSL_SESSION * s
+ CODE:
+ ST(0) = sv_newmortal(); /* Undefined to start with */
+ sv_setpvn(ST(0), (const char*)s->master_key, s->master_key_length);
+
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+
+void
+SSL_SESSION_set_master_key(s,key)
+ SSL_SESSION * s
+ PREINIT:
+ STRLEN len;
+ INPUT:
+ char * key = SvPV(ST(1), len);
+ CODE:
+ memcpy(s->master_key, key, len);
+ s->master_key_length = len;
+
+#endif
+
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
+
+void
+SSL_get_client_random(s)
+ SSL * s
+ PREINIT:
+ size_t random_length;
+ unsigned char* random_data;
+ CODE:
+ ST(0) = sv_newmortal(); /* Undefined to start with */
+ random_length = SSL_get_client_random(s, 0, 0); /* get the length */
+ New(0, random_data, random_length, unsigned char);
+ SSL_get_client_random(s, random_data, random_length);
+ sv_setpvn(ST(0), (const char*)random_data, random_length);
+ Safefree(random_data);
+
+#else
+
+void
+SSL_get_client_random(s)
+ SSL * s
+ CODE:
+ ST(0) = sv_newmortal(); /* Undefined to start with */
+ sv_setpvn(ST(0), (const char*)s->s3->client_random, SSL3_RANDOM_SIZE);
+
+#endif
+
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
+
+void
+SSL_get_server_random(s)
+ SSL * s
+ PREINIT:
+ size_t random_length;
+ unsigned char* random_data;
+ CODE:
+ ST(0) = sv_newmortal(); /* Undefined to start with */
+ random_length = SSL_get_server_random(s, 0, 0); /* get the length */
+ New(0, random_data, random_length, unsigned char);
+ SSL_get_server_random(s, random_data, random_length);
+ sv_setpvn(ST(0), (const char*)random_data, random_length);
+ Safefree(random_data);
+
+#else
+
+void
+SSL_get_server_random(s)
+ SSL * s
+ CODE:
+ ST(0) = sv_newmortal(); /* Undefined to start with */
+ sv_setpvn(ST(0), (const char*)s->s3->server_random, SSL3_RANDOM_SIZE);
+
+#endif
+
+int
+SSL_get_keyblock_size(s)
+ SSL * s
+ CODE:
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
+ const SSL_CIPHER *ssl_cipher;
+ int cipher = NID_undef, digest = NID_undef, mac_secret_size = 0;
+ const EVP_CIPHER *c = NULL;
+ const EVP_MD *h = NULL;
+
+ ssl_cipher = SSL_get_current_cipher(s);
+ if (ssl_cipher)
+ cipher = SSL_CIPHER_get_cipher_nid(ssl_cipher);
+ if (cipher != NID_undef)
+ c = EVP_get_cipherbynid(cipher);
+
+ if (ssl_cipher)
+ digest = SSL_CIPHER_get_digest_nid(ssl_cipher);
+ if (digest != NID_undef) /* No digest if e.g., AEAD cipher */
+ h = EVP_get_digestbynid(digest);
+ if (h)
+ mac_secret_size = EVP_MD_size(h);
+
+ RETVAL = -1;
+ if (c)
+ RETVAL = 2 * (EVP_CIPHER_key_length(c) + mac_secret_size +
+ EVP_CIPHER_iv_length(c));
+#else
+ if (s == NULL ||
+ s->enc_read_ctx == NULL ||
+ s->enc_read_ctx->cipher == NULL ||
+ s->read_hash == NULL)
+ {
+ RETVAL = -1;
+ }
+ else
+ {
+ const EVP_CIPHER *c;
+ const EVP_MD *h;
+ int md_size = -1;
+ c = s->enc_read_ctx->cipher;
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+ h = NULL;
+ if (s->s3)
+ md_size = s->s3->tmp.new_mac_secret_size;
+#elif OPENSSL_VERSION_NUMBER >= 0x00909000L
+ h = EVP_MD_CTX_md(s->read_hash);
+ md_size = EVP_MD_size(h);
+#else
+ h = s->read_hash;
+ md_size = EVP_MD_size(h);
+#endif
+ /* No digest if e.g., AEAD cipher */
+ RETVAL = (md_size >= 0) ? (2 * (EVP_CIPHER_key_length(c) +
+ md_size +
+ EVP_CIPHER_iv_length(c)))
+ : -1;
+ }
+#endif
+
+ OUTPUT:
+ RETVAL
+
+
+
+#if defined(SSL_F_SSL_SET_HELLO_EXTENSION)
+int
+SSL_set_hello_extension(s, type, data)
+ SSL * s
+ int type
+ PREINIT:
+ STRLEN len;
+ INPUT:
+ char * data = SvPV( ST(2), len);
+ CODE:
+ RETVAL = SSL_set_hello_extension(s, type, data, len);
+ OUTPUT:
+ RETVAL
+
+#endif
+
+#if defined(SSL_F_SSL_SET_HELLO_EXTENSION) || defined(SSL_F_SSL_SET_SESSION_TICKET_EXT)
+
+void
+SSL_set_session_secret_cb(s,callback=&PL_sv_undef,data=&PL_sv_undef)
+ SSL * s
+ SV * callback
+ SV * data
+ CODE:
+ if (callback==NULL || !SvOK(callback)) {
+ SSL_set_session_secret_cb(s, NULL, NULL);
+ cb_data_advanced_put(s, "ssleay_session_secret_cb!!func", NULL);
+ cb_data_advanced_put(s, "ssleay_session_secret_cb!!data", NULL);
+ }
+ else {
+ cb_data_advanced_put(s, "ssleay_session_secret_cb!!func", newSVsv(callback));
+ cb_data_advanced_put(s, "ssleay_session_secret_cb!!data", newSVsv(data));
+ SSL_set_session_secret_cb(s, (tls_session_secret_cb_fn)&ssleay_session_secret_cb_invoke, s);
+ }
+
+#endif
+
+#ifdef NET_SSLEAY_CAN_PSK_CLIENT_CALLBACK
+
+void
+SSL_set_psk_client_callback(s,callback=&PL_sv_undef)
+ SSL * s
+ SV * callback
+ CODE:
+ if (callback==NULL || !SvOK(callback)) {
+ SSL_set_psk_client_callback(s, NULL);
+ cb_data_advanced_put(s, "ssleay_set_psk_client_callback!!func", NULL);
+ }
+ else {
+ cb_data_advanced_put(s, "ssleay_set_psk_client_callback!!func", newSVsv(callback));
+ SSL_set_psk_client_callback(s, ssleay_set_psk_client_callback_invoke);
+ }
+
+void
+SSL_CTX_set_psk_client_callback(ctx,callback=&PL_sv_undef)
+ SSL_CTX * ctx
+ SV * callback
+ CODE:
+ if (callback==NULL || !SvOK(callback)) {
+ SSL_CTX_set_psk_client_callback(ctx, NULL);
+ cb_data_advanced_put(ctx, "ssleay_ctx_set_psk_client_callback!!func", NULL);
+ }
+ else {
+ cb_data_advanced_put(ctx, "ssleay_ctx_set_psk_client_callback!!func", newSVsv(callback));
+ SSL_CTX_set_psk_client_callback(ctx,
ssleay_ctx_set_psk_client_callback_invoke); + } + +#endif + +#ifdef NET_SSLEAY_CAN_TICKET_KEY_CB + +void +SSL_CTX_set_tlsext_ticket_getkey_cb(ctx,callback=&PL_sv_undef,data=&PL_sv_undef) + SSL_CTX * ctx + SV * callback + SV * data + CODE: + if (callback==NULL || !SvOK(callback)) { + SSL_CTX_set_tlsext_ticket_key_cb(ctx, NULL); + cb_data_advanced_put(ctx, "tlsext_ticket_key_cb!!func", NULL); + cb_data_advanced_put(ctx, "tlsext_ticket_key_cb!!data", NULL); + } + else { + cb_data_advanced_put(ctx, "tlsext_ticket_key_cb!!func", newSVsv(callback)); + cb_data_advanced_put(ctx, "tlsext_ticket_key_cb!!data", newSVsv(data)); + SSL_CTX_set_tlsext_ticket_key_cb(ctx, &tlsext_ticket_key_cb_invoke); + } + + +#endif + + +#if OPENSSL_VERSION_NUMBER < 0x0090700fL +#define REM11 "NOTE: before 0.9.7" + +int EVP_add_digest(EVP_MD *digest) + +#else + +int EVP_add_digest(const EVP_MD *digest) + +#endif + +#ifndef OPENSSL_NO_SHA + +const EVP_MD *EVP_sha1() + +#endif +#if !defined(OPENSSL_NO_SHA256) && OPENSSL_VERSION_NUMBER >= 0x0090800fL + +const EVP_MD *EVP_sha256() + +#endif +#if !defined(OPENSSL_NO_SHA512) && OPENSSL_VERSION_NUMBER >= 0x0090800fL + +const EVP_MD *EVP_sha512() + +#endif +void OpenSSL_add_all_digests() + +const EVP_MD * EVP_get_digestbyname(const char *name) + +int EVP_MD_type(const EVP_MD *md) + +int EVP_MD_size(const EVP_MD *md) + +#if OPENSSL_VERSION_NUMBER >= 0x1000000fL + +SV* +P_EVP_MD_list_all() + INIT: + AV * results; + CODE: + results = (AV *)sv_2mortal((SV *)newAV()); + EVP_MD_do_all_sorted(handler_list_md_fn, results); + RETVAL = newRV((SV *)results); + OUTPUT: + RETVAL + +#endif + +#if OPENSSL_VERSION_NUMBER >= 0x0090700fL +#define REM16 "NOTE: requires 0.9.7+" + +const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx) + +EVP_MD_CTX *EVP_MD_CTX_create() + +int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type) + +int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) + +void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx) + +void 
+EVP_DigestUpdate(ctx,data) + PREINIT: + STRLEN len; + INPUT: + EVP_MD_CTX *ctx = INT2PTR(EVP_MD_CTX *, SvIV(ST(0))); + unsigned char *data = (unsigned char *) SvPV(ST(1), len); + CODE: + XSRETURN_IV(EVP_DigestUpdate(ctx,data,len)); + +void +EVP_DigestFinal(ctx) + EVP_MD_CTX *ctx + INIT: + unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int md_size; + CODE: + if (EVP_DigestFinal(ctx,md,&md_size)) + XSRETURN_PVN((char *)md, md_size); + else + XSRETURN_UNDEF; + +void +EVP_DigestFinal_ex(ctx) + EVP_MD_CTX *ctx + INIT: + unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int md_size; + CODE: + if (EVP_DigestFinal_ex(ctx,md,&md_size)) + XSRETURN_PVN((char *)md, md_size); + else + XSRETURN_UNDEF; + +void +EVP_Digest(...) + PREINIT: + STRLEN len; + unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int md_size; + INPUT: + unsigned char *data = (unsigned char *) SvPV(ST(0), len); + EVP_MD *type = INT2PTR(EVP_MD *, SvIV(ST(1))); + ENGINE *impl = (items>2 && SvOK(ST(2))) ? INT2PTR(ENGINE *, SvIV(ST(2))) : NULL; + CODE: + if (EVP_Digest(data,len,md,&md_size,type,impl)) + XSRETURN_PVN((char *)md, md_size); + else + XSRETURN_UNDEF; + +#endif + +const EVP_CIPHER * +EVP_get_cipherbyname(const char *name) + +void +OpenSSL_add_all_algorithms() + +#if OPENSSL_VERSION_NUMBER >= 0x0090700fL + +void +OPENSSL_add_all_algorithms_noconf() + +void +OPENSSL_add_all_algorithms_conf() + +#endif + +#if OPENSSL_VERSION_NUMBER >= 0x10000003L + +int +SSL_CTX_set1_param(ctx, vpm) + SSL_CTX * ctx + X509_VERIFY_PARAM *vpm + +int +SSL_set1_param(ctx, vpm) + SSL * ctx + X509_VERIFY_PARAM *vpm + +#endif + +#if OPENSSL_VERSION_NUMBER >= 0x0090800fL + +X509_VERIFY_PARAM * +X509_VERIFY_PARAM_new() + +void +X509_VERIFY_PARAM_free(param) + X509_VERIFY_PARAM *param + +int +X509_VERIFY_PARAM_inherit(to, from) + X509_VERIFY_PARAM *to + X509_VERIFY_PARAM *from + +int +X509_VERIFY_PARAM_set1(to, from) + X509_VERIFY_PARAM *to + X509_VERIFY_PARAM *from + +int +X509_VERIFY_PARAM_set1_name(param, name) + X509_VERIFY_PARAM 
*param + const char *name + +int +X509_VERIFY_PARAM_set_flags(param, flags) + X509_VERIFY_PARAM *param + unsigned long flags + +#if OPENSSL_VERSION_NUMBER >= 0x0090801fL +#define REM13 "NOTE: requires 0.9.8a+" + +int +X509_VERIFY_PARAM_clear_flags(param, flags) + X509_VERIFY_PARAM *param + unsigned long flags + +unsigned long +X509_VERIFY_PARAM_get_flags(param) + X509_VERIFY_PARAM *param + +#endif + +int +X509_VERIFY_PARAM_set_purpose(param, purpose) + X509_VERIFY_PARAM *param + int purpose + +int +X509_VERIFY_PARAM_set_trust(param, trust) + X509_VERIFY_PARAM *param + int trust + +void +X509_VERIFY_PARAM_set_depth(param, depth) + X509_VERIFY_PARAM *param + int depth + +void +X509_VERIFY_PARAM_set_time(param, t) + X509_VERIFY_PARAM *param + time_t t + +int +X509_VERIFY_PARAM_add0_policy(param, policy) + X509_VERIFY_PARAM *param + ASN1_OBJECT *policy + +int +X509_VERIFY_PARAM_set1_policies(param, policies) + X509_VERIFY_PARAM *param + STACK_OF(ASN1_OBJECT) *policies + +int +X509_VERIFY_PARAM_get_depth(param) + X509_VERIFY_PARAM *param + +int +X509_VERIFY_PARAM_add0_table(param) + X509_VERIFY_PARAM *param + +const X509_VERIFY_PARAM * +X509_VERIFY_PARAM_lookup(name) + const char *name + +void +X509_VERIFY_PARAM_table_cleanup() + +#if (OPENSSL_VERSION_NUMBER >= 0x10002001L && !defined(LIBRESSL_VERSION_NUMBER)) || (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) /* OpenSSL 1.0.2-beta1, LibreSSL 2.7.0 */ + +X509_VERIFY_PARAM * +SSL_CTX_get0_param(ctx) + SSL_CTX * ctx + +X509_VERIFY_PARAM * +SSL_get0_param(ssl) + SSL * ssl + +int +X509_VERIFY_PARAM_set1_host(param, name) + X509_VERIFY_PARAM *param + PREINIT: + STRLEN namelen; + INPUT: + const char * name = SvPV(ST(1), namelen); + CODE: + RETVAL = X509_VERIFY_PARAM_set1_host(param, name, namelen); + OUTPUT: + RETVAL + +int +X509_VERIFY_PARAM_set1_email(param, email) + X509_VERIFY_PARAM *param + PREINIT: + STRLEN emaillen; + INPUT: + const char * email = SvPV(ST(1), emaillen); + CODE: + RETVAL = X509_VERIFY_PARAM_set1_email(param, 
email, emaillen); + OUTPUT: + RETVAL + +int +X509_VERIFY_PARAM_set1_ip(param, ip) + X509_VERIFY_PARAM *param + PREINIT: + STRLEN iplen; + INPUT: + const unsigned char * ip = (const unsigned char *)SvPV(ST(1), iplen); + CODE: + RETVAL = X509_VERIFY_PARAM_set1_ip(param, ip, iplen); + OUTPUT: + RETVAL + +int +X509_VERIFY_PARAM_set1_ip_asc(param, ipasc) + X509_VERIFY_PARAM *param + const char *ipasc + +#endif /* OpenSSL 1.0.2-beta1, LibreSSL 2.7.0 */ + +#if (OPENSSL_VERSION_NUMBER >= 0x10002002L && !defined(LIBRESSL_VERSION_NUMBER)) || (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) /* OpenSSL 1.0.2-beta2, LibreSSL 2.7.0 */ + +int +X509_VERIFY_PARAM_add1_host(param, name) + X509_VERIFY_PARAM *param + PREINIT: + STRLEN namelen; + INPUT: + const char * name = SvPV(ST(1), namelen); + CODE: + RETVAL = X509_VERIFY_PARAM_add1_host(param, name, namelen); + OUTPUT: + RETVAL + +void +X509_VERIFY_PARAM_set_hostflags(param, flags) + X509_VERIFY_PARAM *param + unsigned int flags + +char * +X509_VERIFY_PARAM_get0_peername(param) + X509_VERIFY_PARAM *param + +#endif /* OpenSSL 1.0.2-beta2, LibreSSL 2.7.0 */ + +void +X509_policy_tree_free(tree) + X509_POLICY_TREE *tree + +int +X509_policy_tree_level_count(tree) + X509_POLICY_TREE *tree + +X509_POLICY_LEVEL * +X509_policy_tree_get0_level(tree, i) + X509_POLICY_TREE *tree + int i + +STACK_OF(X509_POLICY_NODE) * +X509_policy_tree_get0_policies(tree) + X509_POLICY_TREE *tree + +STACK_OF(X509_POLICY_NODE) * +X509_policy_tree_get0_user_policies(tree) + X509_POLICY_TREE *tree + +int +X509_policy_level_node_count(level) + X509_POLICY_LEVEL *level + +X509_POLICY_NODE * +X509_policy_level_get0_node(level, i) + X509_POLICY_LEVEL *level + int i + +const ASN1_OBJECT * +X509_policy_node_get0_policy(node) + const X509_POLICY_NODE *node + +STACK_OF(POLICYQUALINFO) * +X509_policy_node_get0_qualifiers(node) + X509_POLICY_NODE *node + +const X509_POLICY_NODE * +X509_policy_node_get0_parent(node) + const X509_POLICY_NODE *node + +#endif + +ASN1_OBJECT * 
+OBJ_dup(o) + ASN1_OBJECT *o + +ASN1_OBJECT * +OBJ_nid2obj(n) + int n + +const char * +OBJ_nid2ln(n) + int n + +const char * +OBJ_nid2sn(n) + int n + +int +OBJ_obj2nid(o) + ASN1_OBJECT *o + +ASN1_OBJECT * +OBJ_txt2obj(s, no_name=0) + const char *s + int no_name + +void +OBJ_obj2txt(a, no_name=0) + ASN1_OBJECT *a + int no_name + PREINIT: + char buf[100]; /* openssl doc: a buffer length of 80 should be more than enough to handle any OID encountered in practice */ + int len; + CODE: + len = OBJ_obj2txt(buf, sizeof(buf), a, no_name); + ST(0) = sv_newmortal(); + sv_setpvn(ST(0), buf, len); + +#if OPENSSL_VERSION_NUMBER < 0x0090700fL +#define REM14 "NOTE: before 0.9.7" + +int +OBJ_txt2nid(s) + char *s + +#else + +int +OBJ_txt2nid(s) + const char *s + +#endif + +int +OBJ_ln2nid(s) + const char *s + +int +OBJ_sn2nid(s) + const char *s + +int +OBJ_cmp(a, b) + ASN1_OBJECT *a + ASN1_OBJECT *b + +#if OPENSSL_VERSION_NUMBER >= 0x0090700fL + +void +X509_pubkey_digest(data,type) + const X509 *data + const EVP_MD *type + PREINIT: + unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int md_size; + PPCODE: + if (X509_pubkey_digest(data,type,md,&md_size)) + XSRETURN_PVN((char *)md, md_size); + else + XSRETURN_UNDEF; + +#endif + +void +X509_digest(data,type) + const X509 *data + const EVP_MD *type + PREINIT: + unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int md_size; + PPCODE: + if (X509_digest(data,type,md,&md_size)) + XSRETURN_PVN((char *)md, md_size); + XSRETURN_UNDEF; + +void +X509_CRL_digest(data,type) + const X509_CRL *data + const EVP_MD *type + PREINIT: + unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int md_size; + PPCODE: + if (X509_CRL_digest(data,type,md,&md_size)) + XSRETURN_PVN((char *)md, md_size); + XSRETURN_UNDEF; + +void +X509_REQ_digest(data,type) + const X509_REQ *data + const EVP_MD *type + PREINIT: + unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int md_size; + PPCODE: + if (X509_REQ_digest(data,type,md,&md_size)) + XSRETURN_PVN((char *)md, md_size); + XSRETURN_UNDEF; 
+ +void +X509_NAME_digest(data,type) + const X509_NAME *data + const EVP_MD *type + PREINIT: + unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int md_size; + PPCODE: + if (X509_NAME_digest(data,type,md,&md_size)) + XSRETURN_PVN((char *)md, md_size); + XSRETURN_UNDEF; + +unsigned long +X509_subject_name_hash(X509 *x) + +unsigned long +X509_issuer_name_hash(X509 *a) + +unsigned long +X509_issuer_and_serial_hash(X509 *a) + +ASN1_OBJECT * +P_X509_get_signature_alg(x) + X509 * x + CODE: +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + RETVAL = (X509_get0_tbs_sigalg(x)->algorithm); +#else + RETVAL = (x->cert_info->signature->algorithm); +#endif + OUTPUT: + RETVAL + +ASN1_OBJECT * +P_X509_get_pubkey_alg(x) + X509 * x + PREINIT: + CODE: +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + { + X509_ALGOR * algor; + X509_PUBKEY_get0_param(0, 0, 0, &algor, X509_get_X509_PUBKEY(x)); + RETVAL = (algor->algorithm); + } +#else + RETVAL = (x->cert_info->key->algor->algorithm); +#endif + OUTPUT: + RETVAL + +void +X509_get_X509_PUBKEY(x) + const X509 *x + PPCODE: + X509_PUBKEY *pkey; + STRLEN len; + unsigned char *pc, *pi; + if (!(pkey = X509_get_X509_PUBKEY(x))) croak("invalid certificate"); + if (!(len = i2d_X509_PUBKEY(pkey, NULL))) croak("invalid certificate public key"); + Newx(pc,len,unsigned char); + if (!pc) croak("out of memory"); + pi = pc; + i2d_X509_PUBKEY(pkey, &pi); + if (pi-pc != len) croak("invalid encoded length"); + XPUSHs(sv_2mortal(newSVpv((char*)pc,len))); + Safefree(pc); + +#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) && !defined(LIBRESSL_VERSION_NUMBER) + +int +SSL_CTX_set_next_protos_advertised_cb(ctx,callback,data=&PL_sv_undef) + SSL_CTX * ctx + SV * callback + SV * data + CODE: + RETVAL = 1; + if (callback==NULL || !SvOK(callback)) { + SSL_CTX_set_next_protos_advertised_cb(ctx, NULL, NULL); + cb_data_advanced_put(ctx, "next_protos_advertised_cb!!func", NULL); + cb_data_advanced_put(ctx, 
"next_protos_advertised_cb!!data", NULL); + PR1("SSL_CTX_set_next_protos_advertised_cb - undef\n"); + } + else if (SvROK(callback) && (SvTYPE(SvRV(callback)) == SVt_PVAV)) { + /* callback param array ref like ['proto1','proto2'] */ + cb_data_advanced_put(ctx, "next_protos_advertised_cb!!func", NULL); + cb_data_advanced_put(ctx, "next_protos_advertised_cb!!data", newSVsv(callback)); + SSL_CTX_set_next_protos_advertised_cb(ctx, next_protos_advertised_cb_invoke, ctx); + PR2("SSL_CTX_set_next_protos_advertised_cb - simple ctx=%p\n",ctx); + } + else if (SvROK(callback) && (SvTYPE(SvRV(callback)) == SVt_PVCV)) { + cb_data_advanced_put(ctx, "next_protos_advertised_cb!!func", newSVsv(callback)); + cb_data_advanced_put(ctx, "next_protos_advertised_cb!!data", newSVsv(data)); + SSL_CTX_set_next_protos_advertised_cb(ctx, next_protos_advertised_cb_invoke, ctx); + PR2("SSL_CTX_set_next_protos_advertised_cb - advanced ctx=%p\n",ctx); + } + else { + RETVAL = 0; + } + OUTPUT: + RETVAL + +int +SSL_CTX_set_next_proto_select_cb(ctx,callback,data=&PL_sv_undef) + SSL_CTX * ctx + SV * callback + SV * data + CODE: + RETVAL = 1; + if (callback==NULL || !SvOK(callback)) { + SSL_CTX_set_next_proto_select_cb(ctx, NULL, NULL); + cb_data_advanced_put(ctx, "next_proto_select_cb!!func", NULL); + cb_data_advanced_put(ctx, "next_proto_select_cb!!data", NULL); + PR1("SSL_CTX_set_next_proto_select_cb - undef\n"); + } + else if (SvROK(callback) && (SvTYPE(SvRV(callback)) == SVt_PVAV)) { + /* callback param array ref like ['proto1','proto2'] */ + cb_data_advanced_put(ctx, "next_proto_select_cb!!func", NULL); + cb_data_advanced_put(ctx, "next_proto_select_cb!!data", newSVsv(callback)); + SSL_CTX_set_next_proto_select_cb(ctx, next_proto_select_cb_invoke, ctx); + PR2("SSL_CTX_set_next_proto_select_cb - simple ctx=%p\n",ctx); + } + else if (SvROK(callback) && (SvTYPE(SvRV(callback)) == SVt_PVCV)) { + cb_data_advanced_put(ctx, "next_proto_select_cb!!func", newSVsv(callback)); + cb_data_advanced_put(ctx, 
"next_proto_select_cb!!data", newSVsv(data)); + SSL_CTX_set_next_proto_select_cb(ctx, next_proto_select_cb_invoke, ctx); + PR2("SSL_CTX_set_next_proto_select_cb - advanced ctx=%p\n",ctx); + } + else { + RETVAL = 0; + } + OUTPUT: + RETVAL + +void +P_next_proto_negotiated(s) + const SSL *s + PREINIT: + const unsigned char *data; + unsigned int len; + PPCODE: + SSL_get0_next_proto_negotiated(s, &data, &len); + XPUSHs(sv_2mortal(newSVpv((char *)data, len))); + +void +P_next_proto_last_status(s) + const SSL *s + PPCODE: + XPUSHs(sv_2mortal(newSVsv(cb_data_advanced_get((void*)s, "next_proto_select_cb!!last_status")))); + +#endif + +#if OPENSSL_VERSION_NUMBER >= 0x10000000L + +#if !defined(OPENSSL_NO_TLSEXT) + +int +SSL_set_tlsext_status_type(SSL *ssl,int cmd) + +long +SSL_set_tlsext_status_ocsp_resp(ssl,staple) + SSL * ssl + PREINIT: + char * p; + STRLEN staplelen; + INPUT: + char * staple = SvPV( ST(1), staplelen); + CODE: + /* OpenSSL will free the memory */ + New(0, p, staplelen, char); + memcpy(p, staple, staplelen); + RETVAL = SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP,staplelen,(void *)p); + OUTPUT: + RETVAL + +int +SSL_CTX_set_tlsext_status_cb(ctx,callback,data=&PL_sv_undef) + SSL_CTX * ctx + SV * callback + SV * data + CODE: + RETVAL = 1; + if (callback==NULL || !SvOK(callback)) { + cb_data_advanced_put(ctx, "tlsext_status_cb!!func", NULL); + cb_data_advanced_put(ctx, "tlsext_status_cb!!data", NULL); + SSL_CTX_set_tlsext_status_cb(ctx, NULL); + } else if (SvROK(callback) && (SvTYPE(SvRV(callback)) == SVt_PVCV)) { + cb_data_advanced_put(ctx, "tlsext_status_cb!!func", newSVsv(callback)); + cb_data_advanced_put(ctx, "tlsext_status_cb!!data", newSVsv(data)); + SSL_CTX_set_tlsext_status_cb(ctx, tlsext_status_cb_invoke); + } else { + croak("argument must be code reference"); + } + OUTPUT: + RETVAL + +int +SSL_set_session_ticket_ext_cb(ssl,callback,data=&PL_sv_undef) + SSL * ssl + SV * callback + SV * data + CODE: + RETVAL = 1; + if (callback==NULL || 
!SvOK(callback)) { + cb_data_advanced_put(ssl, "session_ticket_ext_cb!!func", NULL); + cb_data_advanced_put(ssl, "session_ticket_ext_cb!!data", NULL); + SSL_set_session_ticket_ext_cb(ssl, NULL, NULL); + } else if (SvROK(callback) && (SvTYPE(SvRV(callback)) == SVt_PVCV)) { + cb_data_advanced_put(ssl, "session_ticket_ext_cb!!func", newSVsv(callback)); + cb_data_advanced_put(ssl, "session_ticket_ext_cb!!data", newSVsv(data)); + SSL_set_session_ticket_ext_cb(ssl, (tls_session_ticket_ext_cb_fn)&session_ticket_ext_cb_invoke, ssl); + } else { + croak("argument must be code reference"); + } + OUTPUT: + RETVAL + +int +SSL_set_session_ticket_ext(ssl,ticket) + SSL *ssl + PREINIT: + unsigned char * p; + STRLEN ticketlen; + INPUT: + unsigned char * ticket = (unsigned char *)SvPV( ST(1), ticketlen); + CODE: + RETVAL = 0; + if (ticketlen > 0) { + Newx(p, ticketlen, unsigned char); + if (!p) + croak("Net::SSLeay: set_session_ticket_ext could not allocate memory.\n"); + memcpy(p, ticket, ticketlen); + RETVAL = SSL_set_session_ticket_ext(ssl, p, ticketlen); + Safefree(p); + } + OUTPUT: + RETVAL + +#endif + +OCSP_RESPONSE * +d2i_OCSP_RESPONSE(pv) + SV *pv + CODE: + RETVAL = NULL; + if (SvPOK(pv)) { + const unsigned char *p; + STRLEN len; + p = (unsigned char*)SvPV(pv,len); + RETVAL = d2i_OCSP_RESPONSE(NULL,&p,len); + } + OUTPUT: + RETVAL + +void +i2d_OCSP_RESPONSE(r) + OCSP_RESPONSE * r + PPCODE: + STRLEN len; + unsigned char *pc,*pi; + if (!(len = i2d_OCSP_RESPONSE(r,NULL))) croak("invalid OCSP response"); + Newx(pc,len,unsigned char); + if (!pc) croak("out of memory"); + pi = pc; + i2d_OCSP_RESPONSE(r,&pi); + XPUSHs(sv_2mortal(newSVpv((char*)pc,len))); + Safefree(pc); + +void +OCSP_RESPONSE_free(r) + OCSP_RESPONSE * r + + +OCSP_REQUEST * +d2i_OCSP_REQUEST(pv) + SV *pv + CODE: + RETVAL = NULL; + if (SvPOK(pv)) { + const unsigned char *p; + STRLEN len; + p = (unsigned char*)SvPV(pv,len); + RETVAL = d2i_OCSP_REQUEST(NULL,&p,len); + } + OUTPUT: + RETVAL + +void +i2d_OCSP_REQUEST(r) + 
OCSP_REQUEST * r + PPCODE: + STRLEN len; + unsigned char *pc,*pi; + if (!(len = i2d_OCSP_REQUEST(r,NULL))) croak("invalid OCSP request"); + Newx(pc,len,unsigned char); + if (!pc) croak("out of memory"); + pi = pc; + i2d_OCSP_REQUEST(r,&pi); + XPUSHs(sv_2mortal(newSVpv((char*)pc,len))); + Safefree(pc); + + +void +OCSP_REQUEST_free(r) + OCSP_REQUEST * r + + +const char * +OCSP_response_status_str(long status) + +long +OCSP_response_status(OCSP_RESPONSE *r) + +void +SSL_OCSP_cert2ids(ssl,...) + SSL *ssl + PPCODE: + SSL_CTX *ctx; + X509_STORE *store; + STACK_OF(X509) *chain; + X509 *cert,*issuer; + OCSP_CERTID *id; + int i; + STRLEN len; + unsigned char *pi; + + if (!ssl) croak("not a SSL object"); + ctx = SSL_get_SSL_CTX(ssl); + if (!ctx) croak("invalid SSL object - no context"); + store = SSL_CTX_get_cert_store(ctx); + chain = SSL_get_peer_cert_chain(ssl); + + for(i=0;i= 0) + sir = OCSP_resp_get0(bsr,first); + } + + if (sir) + { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + status = OCSP_single_get0_status(sir, &revocationReason, &revocationTime, &thisupdate, &nextupdate); +#else + status = sir->certStatus->type; + if (status == V_OCSP_CERTSTATUS_REVOKED) + revocationTime = sir->certStatus->value.revoked->revocationTime; + thisupdate = sir->thisUpdate; + nextupdate = sir->nextUpdate; +#endif + if (status == V_OCSP_CERTSTATUS_REVOKED) { + error = "certificate status is revoked"; + } else if (status != V_OCSP_CERTSTATUS_GOOD) { + error = "certificate status is unknown"; + } + else if (!OCSP_check_validity(thisupdate, nextupdate, 0, -1)) { + error = "response not yet valid or expired"; + } + } else { + error = "cannot find entry for certificate in OCSP response"; + } + + end: + if (want_array) { + AV *idav = newAV(); + if (!idsv) { + /* getall: create new SV with OCSP_CERTID */ + unsigned char *pi,*pc; +#if OPENSSL_VERSION_NUMBER >= 0x10100003L && !defined(LIBRESSL_VERSION_NUMBER) + int len = i2d_OCSP_CERTID((OCSP_CERTID *)OCSP_SINGLERESP_get0_id(sir),NULL); +#else + int 
len = i2d_OCSP_CERTID(sir->certId,NULL); +#endif + if(!len) continue; + Newx(pc,len,unsigned char); + if (!pc) croak("out of memory"); + pi = pc; +#if OPENSSL_VERSION_NUMBER >= 0x10100003L && !defined(LIBRESSL_VERSION_NUMBER) + i2d_OCSP_CERTID((OCSP_CERTID *)OCSP_SINGLERESP_get0_id(sir),&pi); +#else + i2d_OCSP_CERTID(sir->certId,&pi); +#endif + idsv = newSVpv((char*)pc,len); + Safefree(pc); + } else { + /* reuse idsv from ST(..), but increment refcount */ + idsv = SvREFCNT_inc(idsv); + } + av_push(idav, idsv); + av_push(idav, error ? newSVpv(error,0) : newSV(0)); + if (sir) { + HV *details = newHV(); + av_push(idav,newRV_noinc((SV*)details)); + hv_store(details,"statusType",10, + newSViv(status),0); + if (nextupdate) hv_store(details,"nextUpdate",10, + newSViv(ASN1_TIME_timet(nextupdate, &gmtoff)),0); + if (thisupdate) hv_store(details,"thisUpdate",10, + newSViv(ASN1_TIME_timet(thisupdate, &gmtoff)),0); + if (status == V_OCSP_CERTSTATUS_REVOKED) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L + OCSP_REVOKEDINFO *rev = sir->certStatus->value.revoked; + revocationReason = ASN1_ENUMERATED_get(rev->revocationReason); +#endif + hv_store(details,"revocationTime",14,newSViv(ASN1_TIME_timet(revocationTime, &gmtoff)),0); + hv_store(details,"revocationReason",16,newSViv(revocationReason),0); + hv_store(details,"revocationReason_str",20,newSVpv( + OCSP_crl_reason_str(revocationReason),0),0); + } + } + XPUSHs(sv_2mortal(newRV_noinc((SV*)idav))); + } else if (!error) { + /* compute lowest nextUpdate */ + time_t nu = ASN1_TIME_timet(nextupdate, &gmtoff); + if (!nextupd || nextupd>nu) nextupd = nu; + } + + if (certid) OCSP_CERTID_free(certid); + if (error && !want_array) { + OCSP_BASICRESP_free(bsr); + croak("%s", error); + } + } + OCSP_BASICRESP_free(bsr); + if (!want_array) + XPUSHs(sv_2mortal(newSViv(nextupd))); + + + +#endif + +#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_TLSEXT) + +int +SSL_CTX_set_alpn_select_cb(ctx,callback,data=&PL_sv_undef) + SSL_CTX * 
ctx + SV * callback + SV * data + CODE: + RETVAL = 1; + if (callback==NULL || !SvOK(callback)) { + SSL_CTX_set_alpn_select_cb(ctx, NULL, NULL); + cb_data_advanced_put(ctx, "alpn_select_cb!!func", NULL); + cb_data_advanced_put(ctx, "alpn_select_cb!!data", NULL); + PR1("SSL_CTX_set_alpn_select_cb - undef\n"); + } + else if (SvROK(callback) && (SvTYPE(SvRV(callback)) == SVt_PVAV)) { + /* callback param array ref like ['proto1','proto2'] */ + cb_data_advanced_put(ctx, "alpn_select_cb!!func", NULL); + cb_data_advanced_put(ctx, "alpn_select_cb!!data", newSVsv(callback)); + SSL_CTX_set_alpn_select_cb(ctx, alpn_select_cb_invoke, ctx); + PR2("SSL_CTX_set_alpn_select_cb - simple ctx=%p\n",ctx); + } + else if (SvROK(callback) && (SvTYPE(SvRV(callback)) == SVt_PVCV)) { + cb_data_advanced_put(ctx, "alpn_select_cb!!func", newSVsv(callback)); + cb_data_advanced_put(ctx, "alpn_select_cb!!data", newSVsv(data)); + SSL_CTX_set_alpn_select_cb(ctx, alpn_select_cb_invoke, ctx); + PR2("SSL_CTX_set_alpn_select_cb - advanced ctx=%p\n",ctx); + } + else { + RETVAL = 0; + } + OUTPUT: + RETVAL + +int +SSL_CTX_set_alpn_protos(ctx,data=&PL_sv_undef) + SSL_CTX * ctx + SV * data + PREINIT: + unsigned char *alpn_data; + unsigned char alpn_len; + + CODE: + RETVAL = -1; + + if (!SvROK(data) || (SvTYPE(SvRV(data)) != SVt_PVAV)) + croak("Net::SSLeay: CTX_set_alpn_protos needs a single array reference.\n"); + alpn_len = next_proto_helper_AV2protodata((AV*)SvRV(data), NULL); + Newx(alpn_data, alpn_len, unsigned char); + if (!alpn_data) + croak("Net::SSLeay: CTX_set_alpn_protos could not allocate memory.\n"); + alpn_len = next_proto_helper_AV2protodata((AV*)SvRV(data), alpn_data); + RETVAL = SSL_CTX_set_alpn_protos(ctx, alpn_data, alpn_len); + Safefree(alpn_data); + + OUTPUT: + RETVAL + +int +SSL_set_alpn_protos(ssl,data=&PL_sv_undef) + SSL * ssl + SV * data + PREINIT: + unsigned char *alpn_data; + unsigned char alpn_len; + + CODE: + RETVAL = -1; + + if (!SvROK(data) || (SvTYPE(SvRV(data)) != SVt_PVAV)) + 
croak("Net::SSLeay: set_alpn_protos needs a single array reference.\n"); + alpn_len = next_proto_helper_AV2protodata((AV*)SvRV(data), NULL); + Newx(alpn_data, alpn_len, unsigned char); + if (!alpn_data) + croak("Net::SSLeay: set_alpn_protos could not allocate memory.\n"); + alpn_len = next_proto_helper_AV2protodata((AV*)SvRV(data), alpn_data); + RETVAL = SSL_set_alpn_protos(ssl, alpn_data, alpn_len); + Safefree(alpn_data); + + OUTPUT: + RETVAL + +void +P_alpn_selected(s) + const SSL *s + PREINIT: + const unsigned char *data; + unsigned int len; + PPCODE: + SSL_get0_alpn_selected(s, &data, &len); + XPUSHs(sv_2mortal(newSVpv((char *)data, len))); + +#endif + +#if OPENSSL_VERSION_NUMBER >= 0x10001000L + +void +SSL_export_keying_material(ssl, outlen, label, context=&PL_sv_undef) + SSL * ssl + int outlen + SV * context + PREINIT: + unsigned char * out; + STRLEN llen; + STRLEN contextlen = 0; + char *context_arg = NULL; + int use_context = 0; + int ret; + INPUT: + char * label = SvPV( ST(2), llen); + PPCODE: + Newx(out, outlen, unsigned char); + + if (context != &PL_sv_undef) { + use_context = 1; + context_arg = SvPV( ST(3), contextlen); + } + ret = SSL_export_keying_material(ssl, out, outlen, label, llen, (unsigned char*)context_arg, contextlen, use_context); + PUSHs(sv_2mortal(ret>0 ? 
newSVpvn((const char *)out, outlen) : newSV(0))); + EXTEND(SP, 1); + Safefree(out); + +#endif + +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + +OSSL_LIB_CTX * +OSSL_LIB_CTX_get0_global_default() + + +OSSL_PROVIDER * +OSSL_PROVIDER_load(SV *libctx, const char *name) + CODE: + OSSL_LIB_CTX *ctx = NULL; + if (libctx != &PL_sv_undef) + ctx = INT2PTR(OSSL_LIB_CTX *, SvIV(libctx)); + RETVAL = OSSL_PROVIDER_load(ctx, name); + if (RETVAL == NULL) + XSRETURN_UNDEF; + OUTPUT: + RETVAL + +OSSL_PROVIDER * +OSSL_PROVIDER_try_load(SV *libctx, const char *name, int retain_fallbacks) + CODE: + OSSL_LIB_CTX *ctx = NULL; + if (libctx != &PL_sv_undef) + ctx = INT2PTR(OSSL_LIB_CTX *, SvIV(libctx)); + RETVAL = OSSL_PROVIDER_try_load(ctx, name, retain_fallbacks); + if (RETVAL == NULL) + XSRETURN_UNDEF; + OUTPUT: + RETVAL + +int +OSSL_PROVIDER_unload(OSSL_PROVIDER *prov) + +int +OSSL_PROVIDER_available(SV *libctx, const char *name) + CODE: + OSSL_LIB_CTX *ctx = NULL; + if (libctx != &PL_sv_undef) + ctx = INT2PTR(OSSL_LIB_CTX *, SvIV(libctx)); + RETVAL = OSSL_PROVIDER_available(ctx, name); + OUTPUT: + RETVAL + +int +OSSL_PROVIDER_do_all(SV *libctx, SV *perl_cb, SV *perl_cbdata = &PL_sv_undef) + PREINIT: + simple_cb_data_t* cbdata = NULL; + CODE: + OSSL_LIB_CTX *ctx = NULL; + if (libctx != &PL_sv_undef) + ctx = INT2PTR(OSSL_LIB_CTX *, SvIV(libctx)); + + /* setup our callback */ + cbdata = simple_cb_data_new(perl_cb, perl_cbdata); + RETVAL = OSSL_PROVIDER_do_all(ctx, ossl_provider_do_all_cb_invoke, cbdata); + simple_cb_data_free(cbdata); + OUTPUT: + RETVAL + +const char * +OSSL_PROVIDER_get0_name(const OSSL_PROVIDER *prov) + +int +OSSL_PROVIDER_self_test(const OSSL_PROVIDER *prov) + +#endif + +#define REM_EOF "/* EOF - SSLeay.xs */" diff --git a/cpan/Net-SSLeay/constants.c b/cpan/Net-SSLeay/constants.c new file mode 100644 index 000000000000..23e8e9146c34 --- /dev/null +++ b/cpan/Net-SSLeay/constants.c 
@@ -0,0 +1,7454 @@ +/* + * This file is automatically generated - do not manually modify it. + * + * To add or remove a constant, edit helper_script/constants.txt, then run + * helper_script/update-exported-constants. + */ + +#ifdef NET_SSLEAY_32BIT_CONSTANTS +static double +#else +static uint64_t +#endif +constant (const char *name, size_t len) { + /* Initially switch on the length of the name. */ + switch (len) { + case 5: + /* Names all of length 5. */ + /* RSA_3 ST_OK */ + /* Offset 0 gives the best switch position. */ + switch (*name++) { + case 'R': + if (!memcmp(name, "SA_3", 4)) { + /* R */ + +#ifdef RSA_3 + return RSA_3; +#else + goto not_there; +#endif + + } + break; + case 'S': + if (!memcmp(name, "T_OK", 4)) { + /* S */ + +#ifdef SSL_ST_OK + return SSL_ST_OK; +#else + goto not_there; +#endif + + } + break; + } + break; + case 6: + /* Names all of length 6. */ + /* OP_ALL RSA_F4 */ + /* Offset 0 gives the best switch position. */ + switch (*name++) { + case 'O': + if (!memcmp(name, "P_ALL", 5)) { + /* O */ + +#ifdef SSL_OP_ALL + return SSL_OP_ALL; +#else + goto not_there; +#endif + + } + break; + case 'R': + if (!memcmp(name, "SA_F4", 5)) { + /* R */ + +#ifdef RSA_F4 + return RSA_F4; +#else + goto not_there; +#endif + + } + break; + } + break; + case 7: + /* Names all of length 7. */ + /* CB_EXIT CB_LOOP CB_READ GEN_DNS GEN_RID GEN_URI NID_dsa NID_md2 NID_md5 + NID_rc4 NID_rsa NID_sha NOTHING READING ST_INIT WRITING */ + /* Offset 4 gives the best switch position. 
*/ + switch (name[4]) { + case 'D': + if (!memcmp(name, "GEN_DNS", 7)) { + /* ^ */ + +#ifdef GEN_DNS + return GEN_DNS; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "CB_READ", 7)) { + /* ^ */ + +#ifdef SSL_CB_READ + return SSL_CB_READ; +#else + goto not_there; +#endif + + } + break; + case 'I': + if (!memcmp(name, "NOTHING", 7)) { + /* ^ */ + +#ifdef SSL_NOTHING + return SSL_NOTHING; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "READING", 7)) { + /* ^ */ + +#ifdef SSL_READING + return SSL_READING; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "WRITING", 7)) { + /* ^ */ + +#ifdef SSL_WRITING + return SSL_WRITING; +#else + goto not_there; +#endif + + } + break; + case 'N': + if (!memcmp(name, "ST_INIT", 7)) { + /* ^ */ + +#ifdef SSL_ST_INIT + return SSL_ST_INIT; +#else + goto not_there; +#endif + + } + break; + case 'O': + if (!memcmp(name, "CB_LOOP", 7)) { + /* ^ */ + +#ifdef SSL_CB_LOOP + return SSL_CB_LOOP; +#else + goto not_there; +#endif + + } + break; + case 'R': + if (!memcmp(name, "GEN_RID", 7)) { + /* ^ */ + +#ifdef GEN_RID + return GEN_RID; +#else + goto not_there; +#endif + + } + break; + case 'U': + if (!memcmp(name, "GEN_URI", 7)) { + /* ^ */ + +#ifdef GEN_URI + return GEN_URI; +#else + goto not_there; +#endif + + } + break; + case 'X': + if (!memcmp(name, "CB_EXIT", 7)) { + /* ^ */ + +#ifdef SSL_CB_EXIT + return SSL_CB_EXIT; +#else + goto not_there; +#endif + + } + break; + case 'd': + if (!memcmp(name, "NID_dsa", 7)) { + /* ^ */ + +#ifdef NID_dsa + return NID_dsa; +#else + goto not_there; +#endif + + } + break; + case 'm': + if (!memcmp(name, "NID_md2", 7)) { + /* ^ */ + +#ifdef NID_md2 + return NID_md2; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_md5", 7)) { + /* ^ */ + +#ifdef NID_md5 + return NID_md5; +#else + goto not_there; +#endif + + } + break; + case 'r': + if (!memcmp(name, "NID_rc4", 7)) { + /* ^ */ + +#ifdef NID_rc4 + return NID_rc4; +#else + goto not_there; 
+#endif + + } + if (!memcmp(name, "NID_rsa", 7)) { + /* ^ */ + +#ifdef NID_rsa + return NID_rsa; +#else + goto not_there; +#endif + + } + break; + case 's': + if (!memcmp(name, "NID_sha", 7)) { + /* ^ */ + +#ifdef NID_sha + return NID_sha; +#else + goto not_there; +#endif + + } + break; + } + break; + case 8: + /* Names all of length 8. */ + /* CB_ALERT CB_WRITE F_READ_N GEN_X400 NID_X500 NID_X509 NID_mdc2 NID_name + NID_pkcs NID_sha1 */ + /* Offset 5 gives the best switch position. */ + switch (name[5]) { + case '4': + if (!memcmp(name, "GEN_X400", 8)) { + /* ^ */ + +#ifdef GEN_X400 + return GEN_X400; +#else + goto not_there; +#endif + + } + break; + case '5': + if (!memcmp(name, "NID_X500", 8)) { + /* ^ */ + +#ifdef NID_X500 + return NID_X500; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_X509", 8)) { + /* ^ */ + +#ifdef NID_X509 + return NID_X509; +#else + goto not_there; +#endif + + } + break; + case 'D': + if (!memcmp(name, "F_READ_N", 8)) { + /* ^ */ + +#ifdef SSL_F_READ_N + return SSL_F_READ_N; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "CB_ALERT", 8)) { + /* ^ */ + +#ifdef SSL_CB_ALERT + return SSL_CB_ALERT; +#else + goto not_there; +#endif + + } + break; + case 'I': + if (!memcmp(name, "CB_WRITE", 8)) { + /* ^ */ + +#ifdef SSL_CB_WRITE + return SSL_CB_WRITE; +#else + goto not_there; +#endif + + } + break; + case 'a': + if (!memcmp(name, "NID_name", 8)) { + /* ^ */ + +#ifdef NID_name + return NID_name; +#else + goto not_there; +#endif + + } + break; + case 'd': + if (!memcmp(name, "NID_mdc2", 8)) { + /* ^ */ + +#ifdef NID_mdc2 + return NID_mdc2; +#else + goto not_there; +#endif + + } + break; + case 'h': + if (!memcmp(name, "NID_sha1", 8)) { + /* ^ */ + +#ifdef NID_sha1 + return NID_sha1; +#else + goto not_there; +#endif + + } + break; + case 'k': + if (!memcmp(name, "NID_pkcs", 8)) { + /* ^ */ + +#ifdef NID_pkcs + return NID_pkcs; +#else + goto not_there; +#endif + + } + break; + } + break; + case 9: + 
/* Names all of length 9. */ + /* ERROR_SSL EVP_PK_DH EVP_PK_EC F_SSL_NEW GEN_EMAIL GEN_IPADD NID_dsa_2 + NID_id_ad NID_id_ce NID_id_kp NID_id_pe NID_pbes2 NID_pkcs3 NID_pkcs7 + NID_pkcs9 NID_sxnet NID_title NID_undef ST_ACCEPT ST_BEFORE X509_V_OK */ + /* Offset 8 gives the best switch position. */ + switch (name[8]) { + case '2': + if (!memcmp(name, "NID_dsa_", 8)) { + /* 2 */ + +#ifdef NID_dsa_2 + return NID_dsa_2; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_pbes", 8)) { + /* 2 */ + +#ifdef NID_pbes2 + return NID_pbes2; +#else + goto not_there; +#endif + + } + break; + case '3': + if (!memcmp(name, "NID_pkcs", 8)) { + /* 3 */ + +#ifdef NID_pkcs3 + return NID_pkcs3; +#else + goto not_there; +#endif + + } + break; + case '7': + if (!memcmp(name, "NID_pkcs", 8)) { + /* 7 */ + +#ifdef NID_pkcs7 + return NID_pkcs7; +#else + goto not_there; +#endif + + } + break; + case '9': + if (!memcmp(name, "NID_pkcs", 8)) { + /* 9 */ + +#ifdef NID_pkcs9 + return NID_pkcs9; +#else + goto not_there; +#endif + + } + break; + case 'C': + if (!memcmp(name, "EVP_PK_E", 8)) { + /* C */ + +#ifdef EVP_PK_EC + return EVP_PK_EC; +#else + goto not_there; +#endif + + } + break; + case 'D': + if (!memcmp(name, "GEN_IPAD", 8)) { + /* D */ + +#ifdef GEN_IPADD + return GEN_IPADD; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "ST_BEFOR", 8)) { + /* E */ + +#ifdef SSL_ST_BEFORE + return SSL_ST_BEFORE; +#else + goto not_there; +#endif + + } + break; + case 'H': + if (!memcmp(name, "EVP_PK_D", 8)) { + /* H */ + +#ifdef EVP_PK_DH + return EVP_PK_DH; +#else + goto not_there; +#endif + + } + break; + case 'K': + if (!memcmp(name, "X509_V_O", 8)) { + /* K */ + +#ifdef X509_V_OK + return X509_V_OK; +#else + goto not_there; +#endif + + } + break; + case 'L': + if (!memcmp(name, "ERROR_SS", 8)) { + /* L */ + +#ifdef SSL_ERROR_SSL + return SSL_ERROR_SSL; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "GEN_EMAI", 8)) { + /* L */ + +#ifdef 
GEN_EMAIL + return GEN_EMAIL; +#else + goto not_there; +#endif + + } + break; + case 'T': + if (!memcmp(name, "ST_ACCEP", 8)) { + /* T */ + +#ifdef SSL_ST_ACCEPT + return SSL_ST_ACCEPT; +#else + goto not_there; +#endif + + } + break; + case 'W': + if (!memcmp(name, "F_SSL_NE", 8)) { + /* W */ + +#ifdef SSL_F_SSL_NEW + return SSL_F_SSL_NEW; +#else + goto not_there; +#endif + + } + break; + case 'd': + if (!memcmp(name, "NID_id_a", 8)) { + /* d */ + +#ifdef NID_id_ad + return NID_id_ad; +#else + goto not_there; +#endif + + } + break; + case 'e': + if (!memcmp(name, "NID_id_c", 8)) { + /* e */ + +#ifdef NID_id_ce + return NID_id_ce; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_id_p", 8)) { + /* e */ + +#ifdef NID_id_pe + return NID_id_pe; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_titl", 8)) { + /* e */ + +#ifdef NID_title + return NID_title; +#else + goto not_there; +#endif + + } + break; + case 'f': + if (!memcmp(name, "NID_unde", 8)) { + /* f */ + +#ifdef NID_undef + return NID_undef; +#else + goto not_there; +#endif + + } + break; + case 'p': + if (!memcmp(name, "NID_id_k", 8)) { + /* p */ + +#ifdef NID_id_kp + return NID_id_kp; +#else + goto not_there; +#endif + + } + break; + case 't': + if (!memcmp(name, "NID_sxne", 8)) { + /* t */ + +#ifdef NID_sxnet + return NID_sxnet; +#else + goto not_there; +#endif + + } + break; + } + break; + case 10: + /* Names all of length 10. */ + /* ERROR_NONE EVP_PKS_EC EVP_PK_DSA EVP_PK_RSA F_SSL_READ NID_bf_cbc + NID_bf_ecb NID_crlBag NID_keyBag NID_ms_efs NID_ms_sgc NID_ns_sgc + NID_pbmac1 NID_rc4_40 NID_rsadsi R_X509_LIB SSLEAY_DIR ST_CONNECT */ + /* Offset 9 gives the best switch position. 
*/ + switch (name[9]) { + case '0': + if (!memcmp(name, "NID_rc4_4", 9)) { + /* 0 */ + +#ifdef NID_rc4_40 + return NID_rc4_40; +#else + goto not_there; +#endif + + } + break; + case '1': + if (!memcmp(name, "NID_pbmac", 9)) { + /* 1 */ + +#ifdef NID_pbmac1 + return NID_pbmac1; +#else + goto not_there; +#endif + + } + break; + case 'A': + if (!memcmp(name, "EVP_PK_DS", 9)) { + /* A */ + +#ifdef EVP_PK_DSA + return EVP_PK_DSA; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "EVP_PK_RS", 9)) { + /* A */ + +#ifdef EVP_PK_RSA + return EVP_PK_RSA; +#else + goto not_there; +#endif + + } + break; + case 'B': + if (!memcmp(name, "R_X509_LI", 9)) { + /* B */ + +#ifdef SSL_R_X509_LIB + return SSL_R_X509_LIB; +#else + goto not_there; +#endif + + } + break; + case 'C': + if (!memcmp(name, "EVP_PKS_E", 9)) { + /* C */ + +#ifdef EVP_PKS_EC + return EVP_PKS_EC; +#else + goto not_there; +#endif + + } + break; + case 'D': + if (!memcmp(name, "F_SSL_REA", 9)) { + /* D */ + +#ifdef SSL_F_SSL_READ + return SSL_F_SSL_READ; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "ERROR_NON", 9)) { + /* E */ + +#ifdef SSL_ERROR_NONE + return SSL_ERROR_NONE; +#else + goto not_there; +#endif + + } + break; + case 'R': + if (!memcmp(name, "SSLEAY_DI", 9)) { + /* R */ + +#ifdef SSLEAY_DIR + return SSLEAY_DIR; +#else + goto not_there; +#endif + + } + break; + case 'T': + if (!memcmp(name, "ST_CONNEC", 9)) { + /* T */ + +#ifdef SSL_ST_CONNECT + return SSL_ST_CONNECT; +#else + goto not_there; +#endif + + } + break; + case 'b': + if (!memcmp(name, "NID_bf_ec", 9)) { + /* b */ + +#ifdef NID_bf_ecb + return NID_bf_ecb; +#else + goto not_there; +#endif + + } + break; + case 'c': + if (!memcmp(name, "NID_bf_cb", 9)) { + /* c */ + +#ifdef NID_bf_cbc + return NID_bf_cbc; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_ms_sg", 9)) { + /* c */ + +#ifdef NID_ms_sgc + return NID_ms_sgc; +#else + goto not_there; +#endif + + } + if (!memcmp(name, 
"NID_ns_sg", 9)) { + /* c */ + +#ifdef NID_ns_sgc + return NID_ns_sgc; +#else + goto not_there; +#endif + + } + break; + case 'g': + if (!memcmp(name, "NID_crlBa", 9)) { + /* g */ + +#ifdef NID_crlBag + return NID_crlBag; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_keyBa", 9)) { + /* g */ + +#ifdef NID_keyBag + return NID_keyBag; +#else + goto not_there; +#endif + + } + break; + case 'i': + if (!memcmp(name, "NID_rsads", 9)) { + /* i */ + +#ifdef NID_rsadsi + return NID_rsadsi; +#else + goto not_there; +#endif + + } + break; + case 's': + if (!memcmp(name, "NID_ms_ef", 9)) { + /* s */ + +#ifdef NID_ms_efs + return NID_ms_efs; +#else + goto not_there; +#endif + + } + break; + } + break; + case 11: + /* Names all of length 11. */ + /* EVP_PKS_DSA EVP_PKS_RSA EVP_PKT_ENC EVP_PKT_EXP GEN_DIRNAME NID_ad_OCSP + NID_certBag NID_des_cbc NID_des_ecb NID_des_ede NID_ext_req NID_id_pkix + NID_rc2_cbc NID_rc2_ecb NID_rc5_cbc NID_rc5_ecb NID_surname NID_x509Crl + OPENSSL_DIR OP_NO_SSLv2 OP_NO_SSLv3 OP_NO_TLSv1 R_BAD_STATE SSL3_MT_CCS + VERIFY_NONE VERIFY_PEER X509_LOOKUP */ + /* Offset 9 gives the best switch position. 
*/ + switch (name[9]) { + case 'C': + if (!memcmp(name, "SSL3_MT_CCS", 11)) { + /* ^ */ + +#ifdef SSL3_MT_CCS + return SSL3_MT_CCS; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "VERIFY_PEER", 11)) { + /* ^ */ + +#ifdef SSL_VERIFY_PEER + return SSL_VERIFY_PEER; +#else + goto not_there; +#endif + + } + break; + case 'I': + if (!memcmp(name, "OPENSSL_DIR", 11)) { + /* ^ */ + +#ifdef OPENSSL_DIR + return OPENSSL_DIR; +#else + goto not_there; +#endif + + } + break; + case 'M': + if (!memcmp(name, "GEN_DIRNAME", 11)) { + /* ^ */ + +#ifdef GEN_DIRNAME + return GEN_DIRNAME; +#else + goto not_there; +#endif + + } + break; + case 'N': + if (!memcmp(name, "EVP_PKT_ENC", 11)) { + /* ^ */ + +#ifdef EVP_PKT_ENC + return EVP_PKT_ENC; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "VERIFY_NONE", 11)) { + /* ^ */ + +#ifdef SSL_VERIFY_NONE + return SSL_VERIFY_NONE; +#else + goto not_there; +#endif + + } + break; + case 'S': + if (!memcmp(name, "EVP_PKS_DSA", 11)) { + /* ^ */ + +#ifdef EVP_PKS_DSA + return EVP_PKS_DSA; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "EVP_PKS_RSA", 11)) { + /* ^ */ + +#ifdef EVP_PKS_RSA + return EVP_PKS_RSA; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_ad_OCSP", 11)) { + /* ^ */ + +#ifdef NID_ad_OCSP + return NID_ad_OCSP; +#else + goto not_there; +#endif + + } + break; + case 'T': + if (!memcmp(name, "R_BAD_STATE", 11)) { + /* ^ */ + +#ifdef SSL_R_BAD_STATE + return SSL_R_BAD_STATE; +#else + goto not_there; +#endif + + } + break; + case 'U': + if (!memcmp(name, "X509_LOOKUP", 11)) { + /* ^ */ + +#ifdef SSL_X509_LOOKUP + return SSL_X509_LOOKUP; +#else + goto not_there; +#endif + + } + break; + case 'X': + if (!memcmp(name, "EVP_PKT_EXP", 11)) { + /* ^ */ + +#ifdef EVP_PKT_EXP + return EVP_PKT_EXP; +#else + goto not_there; +#endif + + } + break; + case 'a': + if (!memcmp(name, "NID_certBag", 11)) { + /* ^ */ + +#ifdef NID_certBag + return NID_certBag; +#else + goto not_there; 
+#endif + + } + break; + case 'b': + if (!memcmp(name, "NID_des_cbc", 11)) { + /* ^ */ + +#ifdef NID_des_cbc + return NID_des_cbc; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_rc2_cbc", 11)) { + /* ^ */ + +#ifdef NID_rc2_cbc + return NID_rc2_cbc; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_rc5_cbc", 11)) { + /* ^ */ + +#ifdef NID_rc5_cbc + return NID_rc5_cbc; +#else + goto not_there; +#endif + + } + break; + case 'c': + if (!memcmp(name, "NID_des_ecb", 11)) { + /* ^ */ + +#ifdef NID_des_ecb + return NID_des_ecb; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_rc2_ecb", 11)) { + /* ^ */ + +#ifdef NID_rc2_ecb + return NID_rc2_ecb; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_rc5_ecb", 11)) { + /* ^ */ + +#ifdef NID_rc5_ecb + return NID_rc5_ecb; +#else + goto not_there; +#endif + + } + break; + case 'd': + if (!memcmp(name, "NID_des_ede", 11)) { + /* ^ */ + +#ifdef NID_des_ede + return NID_des_ede; +#else + goto not_there; +#endif + + } + break; + case 'e': + if (!memcmp(name, "NID_ext_req", 11)) { + /* ^ */ + +#ifdef NID_ext_req + return NID_ext_req; +#else + goto not_there; +#endif + + } + break; + case 'i': + if (!memcmp(name, "NID_id_pkix", 11)) { + /* ^ */ + +#ifdef NID_id_pkix + return NID_id_pkix; +#else + goto not_there; +#endif + + } + break; + case 'm': + if (!memcmp(name, "NID_surname", 11)) { + /* ^ */ + +#ifdef NID_surname + return NID_surname; +#else + goto not_there; +#endif + + } + break; + case 'r': + if (!memcmp(name, "NID_x509Crl", 11)) { + /* ^ */ + +#ifdef NID_x509Crl + return NID_x509Crl; +#else + goto not_there; +#endif + + } + break; + case 'v': + if (!memcmp(name, "OP_NO_SSLv2", 11)) { + /* ^ */ + +#ifdef SSL_OP_NO_SSLv2 + return SSL_OP_NO_SSLv2; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "OP_NO_SSLv3", 11)) { + /* ^ */ + +#ifdef SSL_OP_NO_SSLv3 + return SSL_OP_NO_SSLv3; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "OP_NO_TLSv1", 11)) { + /* 
^ */ + +#ifdef SSL_OP_NO_TLSv1 + return SSL_OP_NO_TLSv1; +#else + goto not_there; +#endif + + } + break; + } + break; + case 12: + /* Names all of length 12. */ + /* EVP_PKT_EXCH EVP_PKT_SIGN FILETYPE_PEM F_SSL_SET_FD GEN_EDIPARTY + MBSTRING_ASC MBSTRING_BMP NID_bf_cfb64 NID_bf_ofb64 NID_des_ede3 + NID_desx_cbc NID_idea_cbc NID_idea_ecb NID_initials NID_md5_sha1 + NID_netscape OP_NO_TICKET R_PEER_ERROR R_SHORT_READ SSL2_VERSION + SSL3_VERSION ST_READ_BODY TLS1_VERSION */ + /* Offset 10 gives the best switch position. */ + switch (name[10]) { + case '6': + if (!memcmp(name, "NID_bf_cfb64", 12)) { + /* ^ */ + +#ifdef NID_bf_cfb64 + return NID_bf_cfb64; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_bf_ofb64", 12)) { + /* ^ */ + +#ifdef NID_bf_ofb64 + return NID_bf_ofb64; +#else + goto not_there; +#endif + + } + break; + case 'A': + if (!memcmp(name, "R_SHORT_READ", 12)) { + /* ^ */ + +#ifdef SSL_R_SHORT_READ + return SSL_R_SHORT_READ; +#else + goto not_there; +#endif + + } + break; + case 'C': + if (!memcmp(name, "EVP_PKT_EXCH", 12)) { + /* ^ */ + +#ifdef EVP_PKT_EXCH + return EVP_PKT_EXCH; +#else + goto not_there; +#endif + + } + break; + case 'D': + if (!memcmp(name, "ST_READ_BODY", 12)) { + /* ^ */ + +#ifdef SSL_ST_READ_BODY + return SSL_ST_READ_BODY; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "FILETYPE_PEM", 12)) { + /* ^ */ + +#ifdef SSL_FILETYPE_PEM + return SSL_FILETYPE_PEM; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "OP_NO_TICKET", 12)) { + /* ^ */ + +#ifdef SSL_OP_NO_TICKET + return SSL_OP_NO_TICKET; +#else + goto not_there; +#endif + + } + break; + case 'F': + if (!memcmp(name, "F_SSL_SET_FD", 12)) { + /* ^ */ + +#ifdef SSL_F_SSL_SET_FD + return SSL_F_SSL_SET_FD; +#else + goto not_there; +#endif + + } + break; + case 'G': + if (!memcmp(name, "EVP_PKT_SIGN", 12)) { + /* ^ */ + +#ifdef EVP_PKT_SIGN + return EVP_PKT_SIGN; +#else + goto not_there; +#endif + + } + break; + case 'M': + if 
(!memcmp(name, "MBSTRING_BMP", 12)) { + /* ^ */ + +#ifdef MBSTRING_BMP + return MBSTRING_BMP; +#else + goto not_there; +#endif + + } + break; + case 'O': + if (!memcmp(name, "R_PEER_ERROR", 12)) { + /* ^ */ + +#ifdef SSL_R_PEER_ERROR + return SSL_R_PEER_ERROR; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "SSL2_VERSION", 12)) { + /* ^ */ + +#ifdef SSL2_VERSION + return SSL2_VERSION; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "SSL3_VERSION", 12)) { + /* ^ */ + +#ifdef SSL3_VERSION + return SSL3_VERSION; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "TLS1_VERSION", 12)) { + /* ^ */ + +#ifdef TLS1_VERSION + return TLS1_VERSION; +#else + goto not_there; +#endif + + } + break; + case 'S': + if (!memcmp(name, "MBSTRING_ASC", 12)) { + /* ^ */ + +#ifdef MBSTRING_ASC + return MBSTRING_ASC; +#else + goto not_there; +#endif + + } + break; + case 'T': + if (!memcmp(name, "GEN_EDIPARTY", 12)) { + /* ^ */ + +#ifdef GEN_EDIPARTY + return GEN_EDIPARTY; +#else + goto not_there; +#endif + + } + break; + case 'a': + if (!memcmp(name, "NID_md5_sha1", 12)) { + /* ^ */ + +#ifdef NID_md5_sha1 + return NID_md5_sha1; +#else + goto not_there; +#endif + + } + break; + case 'b': + if (!memcmp(name, "NID_desx_cbc", 12)) { + /* ^ */ + +#ifdef NID_desx_cbc + return NID_desx_cbc; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_idea_cbc", 12)) { + /* ^ */ + +#ifdef NID_idea_cbc + return NID_idea_cbc; +#else + goto not_there; +#endif + + } + break; + case 'c': + if (!memcmp(name, "NID_idea_ecb", 12)) { + /* ^ */ + +#ifdef NID_idea_ecb + return NID_idea_ecb; +#else + goto not_there; +#endif + + } + break; + case 'e': + if (!memcmp(name, "NID_des_ede3", 12)) { + /* ^ */ + +#ifdef NID_des_ede3 + return NID_des_ede3; +#else + goto not_there; +#endif + + } + break; + case 'l': + if (!memcmp(name, "NID_initials", 12)) { + /* ^ */ + +#ifdef NID_initials + return NID_initials; +#else + goto not_there; +#endif + + } + break; + case 'p': + if 
(!memcmp(name, "NID_netscape", 12)) { + /* ^ */ + +#ifdef NID_netscape + return NID_netscape; +#else + goto not_there; +#endif + + } + break; + } + break; + case 13: + /* Names all of length 13. */ + /* CB_READ_ALERT ERROR_SYSCALL FILETYPE_ASN1 F_SSL_SET_RFD F_SSL_SET_WFD + GEN_OTHERNAME MBSTRING_FLAG MBSTRING_UNIV MBSTRING_UTF8 NID_OCSP_sign + NID_algorithm NID_cast5_cbc NID_cast5_ecb NID_code_sign NID_delta_crl + NID_des_cfb64 NID_des_ofb64 NID_givenName NID_id_pbkdf2 NID_id_qt_cps + NID_key_usage NID_rc2_cfb64 NID_rc2_ofb64 NID_rc5_cfb64 NID_rc5_ofb64 + NID_ripemd160 NID_secretBag OP_NO_TLSv1_1 OP_NO_TLSv1_2 OP_NO_TLSv1_3 + OP_TLS_D5_BUG SENT_SHUTDOWN SSL2_MT_ERROR SSL3_RT_ALERT SSLEAY_CFLAGS + XN_FLAG_FN_LN XN_FLAG_FN_SN */ + /* Offset 12 gives the best switch position. */ + switch (name[12]) { + case '0': + if (!memcmp(name, "NID_ripemd16", 12)) { + /* 0 */ + +#ifdef NID_ripemd160 + return NID_ripemd160; +#else + goto not_there; +#endif + + } + break; + case '1': + if (!memcmp(name, "FILETYPE_ASN", 12)) { + /* 1 */ + +#ifdef SSL_FILETYPE_ASN1 + return SSL_FILETYPE_ASN1; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "OP_NO_TLSv1_", 12)) { + /* 1 */ + +#ifdef SSL_OP_NO_TLSv1_1 + return SSL_OP_NO_TLSv1_1; +#else + goto not_there; +#endif + + } + break; + case '2': + if (!memcmp(name, "NID_id_pbkdf", 12)) { + /* 2 */ + +#ifdef NID_id_pbkdf2 + return NID_id_pbkdf2; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "OP_NO_TLSv1_", 12)) { + /* 2 */ + +#ifdef SSL_OP_NO_TLSv1_2 + return SSL_OP_NO_TLSv1_2; +#else + goto not_there; +#endif + + } + break; + case '3': + if (!memcmp(name, "OP_NO_TLSv1_", 12)) { + /* 3 */ + +#ifdef SSL_OP_NO_TLSv1_3 + return SSL_OP_NO_TLSv1_3; +#else + goto not_there; +#endif + + } + break; + case '4': + if (!memcmp(name, "NID_des_cfb6", 12)) { + /* 4 */ + +#ifdef NID_des_cfb64 + return NID_des_cfb64; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_des_ofb6", 12)) { + /* 4 */ + +#ifdef NID_des_ofb64 + 
return NID_des_ofb64; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_rc2_cfb6", 12)) { + /* 4 */ + +#ifdef NID_rc2_cfb64 + return NID_rc2_cfb64; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_rc2_ofb6", 12)) { + /* 4 */ + +#ifdef NID_rc2_ofb64 + return NID_rc2_ofb64; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_rc5_cfb6", 12)) { + /* 4 */ + +#ifdef NID_rc5_cfb64 + return NID_rc5_cfb64; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_rc5_ofb6", 12)) { + /* 4 */ + +#ifdef NID_rc5_ofb64 + return NID_rc5_ofb64; +#else + goto not_there; +#endif + + } + break; + case '8': + if (!memcmp(name, "MBSTRING_UTF", 12)) { + /* 8 */ + +#ifdef MBSTRING_UTF8 + return MBSTRING_UTF8; +#else + goto not_there; +#endif + + } + break; + case 'D': + if (!memcmp(name, "F_SSL_SET_RF", 12)) { + /* D */ + +#ifdef SSL_F_SSL_SET_RFD + return SSL_F_SSL_SET_RFD; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "F_SSL_SET_WF", 12)) { + /* D */ + +#ifdef SSL_F_SSL_SET_WFD + return SSL_F_SSL_SET_WFD; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "GEN_OTHERNAM", 12)) { + /* E */ + +#ifdef GEN_OTHERNAME + return GEN_OTHERNAME; +#else + goto not_there; +#endif + + } + break; + case 'G': + if (!memcmp(name, "MBSTRING_FLA", 12)) { + /* G */ + +#ifdef MBSTRING_FLAG + return MBSTRING_FLAG; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "OP_TLS_D5_BU", 12)) { + /* G */ + +#ifdef SSL_OP_TLS_D5_BUG + return SSL_OP_TLS_D5_BUG; +#else + goto not_there; +#endif + + } + break; + case 'L': + if (!memcmp(name, "ERROR_SYSCAL", 12)) { + /* L */ + +#ifdef SSL_ERROR_SYSCALL + return SSL_ERROR_SYSCALL; +#else + goto not_there; +#endif + + } + break; + case 'N': + if (!memcmp(name, "SENT_SHUTDOW", 12)) { + /* N */ + +#ifdef SSL_SENT_SHUTDOWN + return SSL_SENT_SHUTDOWN; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "XN_FLAG_FN_L", 12)) { + /* N */ + +#ifdef XN_FLAG_FN_LN + return 
XN_FLAG_FN_LN; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "XN_FLAG_FN_S", 12)) { + /* N */ + +#ifdef XN_FLAG_FN_SN + return XN_FLAG_FN_SN; +#else + goto not_there; +#endif + + } + break; + case 'R': + if (!memcmp(name, "SSL2_MT_ERRO", 12)) { + /* R */ + +#ifdef SSL2_MT_ERROR + return SSL2_MT_ERROR; +#else + goto not_there; +#endif + + } + break; + case 'S': + if (!memcmp(name, "SSLEAY_CFLAG", 12)) { + /* S */ + +#ifdef SSLEAY_CFLAGS + return SSLEAY_CFLAGS; +#else + goto not_there; +#endif + + } + break; + case 'T': + if (!memcmp(name, "CB_READ_ALER", 12)) { + /* T */ + +#ifdef SSL_CB_READ_ALERT + return SSL_CB_READ_ALERT; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "SSL3_RT_ALER", 12)) { + /* T */ + +#ifdef SSL3_RT_ALERT + return SSL3_RT_ALERT; +#else + goto not_there; +#endif + + } + break; + case 'V': + if (!memcmp(name, "MBSTRING_UNI", 12)) { + /* V */ + +#ifdef MBSTRING_UNIV + return MBSTRING_UNIV; +#else + goto not_there; +#endif + + } + break; + case 'b': + if (!memcmp(name, "NID_cast5_ec", 12)) { + /* b */ + +#ifdef NID_cast5_ecb + return NID_cast5_ecb; +#else + goto not_there; +#endif + + } + break; + case 'c': + if (!memcmp(name, "NID_cast5_cb", 12)) { + /* c */ + +#ifdef NID_cast5_cbc + return NID_cast5_cbc; +#else + goto not_there; +#endif + + } + break; + case 'e': + if (!memcmp(name, "NID_givenNam", 12)) { + /* e */ + +#ifdef NID_givenName + return NID_givenName; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_key_usag", 12)) { + /* e */ + +#ifdef NID_key_usage + return NID_key_usage; +#else + goto not_there; +#endif + + } + break; + case 'g': + if (!memcmp(name, "NID_secretBa", 12)) { + /* g */ + +#ifdef NID_secretBag + return NID_secretBag; +#else + goto not_there; +#endif + + } + break; + case 'l': + if (!memcmp(name, "NID_delta_cr", 12)) { + /* l */ + +#ifdef NID_delta_crl + return NID_delta_crl; +#else + goto not_there; +#endif + + } + break; + case 'm': + if (!memcmp(name, "NID_algorith", 12)) { + /* 
m */ + +#ifdef NID_algorithm + return NID_algorithm; +#else + goto not_there; +#endif + + } + break; + case 'n': + if (!memcmp(name, "NID_OCSP_sig", 12)) { + /* n */ + +#ifdef NID_OCSP_sign + return NID_OCSP_sign; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_code_sig", 12)) { + /* n */ + +#ifdef NID_code_sign + return NID_code_sign; +#else + goto not_there; +#endif + + } + break; + case 's': + if (!memcmp(name, "NID_id_qt_cp", 12)) { + /* s */ + +#ifdef NID_id_qt_cps + return NID_id_qt_cps; +#else + goto not_there; +#endif + + } + break; + } + break; + case 14: + /* Names all of length 14. */ + /* CB_ACCEPT_EXIT CB_ACCEPT_LOOP CB_WRITE_ALERT F_CLIENT_HELLO + F_SERVER_HELLO F_SSL_CERT_NEW NID_commonName NID_crl_number + NID_crl_reason NID_dsaWithSHA NID_idea_cfb64 NID_idea_ofb64 + NID_localKeyID NID_md5WithRSA NID_ms_ext_req NID_pkcs7_data + NID_rc2_40_cbc NID_rc2_64_cbc NID_time_stamp OPENSSL_CFLAGS + OP_NO_SSL_MASK R_BAD_CHECKSUM R_NO_PUBLICKEY R_NULL_SSL_CTX + SESS_CACHE_OFF SSL3_RT_HEADER SSLEAY_VERSION ST_READ_HEADER + TLS1_1_VERSION TLS1_2_VERSION TLS1_3_VERSION X509_TRUST_TSA + XN_FLAG_COMPAT XN_FLAG_DN_REV XN_FLAG_FN_OID XN_FLAG_SPC_EQ */ + /* Offset 13 gives the best switch position. 
*/ + switch (name[13]) { + case '4': + if (!memcmp(name, "NID_idea_cfb6", 13)) { + /* 4 */ + +#ifdef NID_idea_cfb64 + return NID_idea_cfb64; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_idea_ofb6", 13)) { + /* 4 */ + +#ifdef NID_idea_ofb64 + return NID_idea_ofb64; +#else + goto not_there; +#endif + + } + break; + case 'A': + if (!memcmp(name, "NID_dsaWithSH", 13)) { + /* A */ + +#ifdef NID_dsaWithSHA + return NID_dsaWithSHA; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_md5WithRS", 13)) { + /* A */ + +#ifdef NID_md5WithRSA + return NID_md5WithRSA; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_TRUST_TS", 13)) { + /* A */ + +#ifdef X509_TRUST_TSA + return X509_TRUST_TSA; +#else + goto not_there; +#endif + + } + break; + case 'D': + if (!memcmp(name, "NID_localKeyI", 13)) { + /* D */ + +#ifdef NID_localKeyID + return NID_localKeyID; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "XN_FLAG_FN_OI", 13)) { + /* D */ + +#ifdef XN_FLAG_FN_OID + return XN_FLAG_FN_OID; +#else + goto not_there; +#endif + + } + break; + case 'F': + if (!memcmp(name, "SESS_CACHE_OF", 13)) { + /* F */ + +#ifdef SSL_SESS_CACHE_OFF + return SSL_SESS_CACHE_OFF; +#else + goto not_there; +#endif + + } + break; + case 'K': + if (!memcmp(name, "OP_NO_SSL_MAS", 13)) { + /* K */ + +#ifdef SSL_OP_NO_SSL_MASK + return SSL_OP_NO_SSL_MASK; +#else + goto not_there; +#endif + + } + break; + case 'M': + if (!memcmp(name, "R_BAD_CHECKSU", 13)) { + /* M */ + +#ifdef SSL_R_BAD_CHECKSUM + return SSL_R_BAD_CHECKSUM; +#else + goto not_there; +#endif + + } + break; + case 'N': + if (!memcmp(name, "SSLEAY_VERSIO", 13)) { + /* N */ + +#ifdef SSLEAY_VERSION + return SSLEAY_VERSION; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "TLS1_1_VERSIO", 13)) { + /* N */ + +#ifdef TLS1_1_VERSION + return TLS1_1_VERSION; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "TLS1_2_VERSIO", 13)) { + /* N */ + +#ifdef TLS1_2_VERSION + return 
TLS1_2_VERSION; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "TLS1_3_VERSIO", 13)) { + /* N */ + +#ifdef TLS1_3_VERSION + return TLS1_3_VERSION; +#else + goto not_there; +#endif + + } + break; + case 'O': + if (!memcmp(name, "F_CLIENT_HELL", 13)) { + /* O */ + +#ifdef SSL_F_CLIENT_HELLO + return SSL_F_CLIENT_HELLO; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "F_SERVER_HELL", 13)) { + /* O */ + +#ifdef SSL_F_SERVER_HELLO + return SSL_F_SERVER_HELLO; +#else + goto not_there; +#endif + + } + break; + case 'P': + if (!memcmp(name, "CB_ACCEPT_LOO", 13)) { + /* P */ + +#ifdef SSL_CB_ACCEPT_LOOP + return SSL_CB_ACCEPT_LOOP; +#else + goto not_there; +#endif + + } + break; + case 'Q': + if (!memcmp(name, "XN_FLAG_SPC_E", 13)) { + /* Q */ + +#ifdef XN_FLAG_SPC_EQ + return XN_FLAG_SPC_EQ; +#else + goto not_there; +#endif + + } + break; + case 'R': + if (!memcmp(name, "SSL3_RT_HEADE", 13)) { + /* R */ + +#ifdef SSL3_RT_HEADER + return SSL3_RT_HEADER; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "ST_READ_HEADE", 13)) { + /* R */ + +#ifdef SSL_ST_READ_HEADER + return SSL_ST_READ_HEADER; +#else + goto not_there; +#endif + + } + break; + case 'S': + if (!memcmp(name, "OPENSSL_CFLAG", 13)) { + /* S */ + +#ifdef OPENSSL_CFLAGS + return OPENSSL_CFLAGS; +#else + goto not_there; +#endif + + } + break; + case 'T': + if (!memcmp(name, "CB_ACCEPT_EXI", 13)) { + /* T */ + +#ifdef SSL_CB_ACCEPT_EXIT + return SSL_CB_ACCEPT_EXIT; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "CB_WRITE_ALER", 13)) { + /* T */ + +#ifdef SSL_CB_WRITE_ALERT + return SSL_CB_WRITE_ALERT; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "XN_FLAG_COMPA", 13)) { + /* T */ + +#ifdef XN_FLAG_COMPAT + return XN_FLAG_COMPAT; +#else + goto not_there; +#endif + + } + break; + case 'V': + if (!memcmp(name, "XN_FLAG_DN_RE", 13)) { + /* V */ + +#ifdef XN_FLAG_DN_REV + return XN_FLAG_DN_REV; +#else + goto not_there; +#endif + + } + break; + case 'W': + if 
(!memcmp(name, "F_SSL_CERT_NE", 13)) { + /* W */ + +#ifdef SSL_F_SSL_CERT_NEW + return SSL_F_SSL_CERT_NEW; +#else + goto not_there; +#endif + + } + break; + case 'X': + if (!memcmp(name, "R_NULL_SSL_CT", 13)) { + /* X */ + +#ifdef SSL_R_NULL_SSL_CTX + return SSL_R_NULL_SSL_CTX; +#else + goto not_there; +#endif + + } + break; + case 'Y': + if (!memcmp(name, "R_NO_PUBLICKE", 13)) { + /* Y */ + +#ifdef SSL_R_NO_PUBLICKEY + return SSL_R_NO_PUBLICKEY; +#else + goto not_there; +#endif + + } + break; + case 'a': + if (!memcmp(name, "NID_pkcs7_dat", 13)) { + /* a */ + +#ifdef NID_pkcs7_data + return NID_pkcs7_data; +#else + goto not_there; +#endif + + } + break; + case 'c': + if (!memcmp(name, "NID_rc2_40_cb", 13)) { + /* c */ + +#ifdef NID_rc2_40_cbc + return NID_rc2_40_cbc; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_rc2_64_cb", 13)) { + /* c */ + +#ifdef NID_rc2_64_cbc + return NID_rc2_64_cbc; +#else + goto not_there; +#endif + + } + break; + case 'e': + if (!memcmp(name, "NID_commonNam", 13)) { + /* e */ + +#ifdef NID_commonName + return NID_commonName; +#else + goto not_there; +#endif + + } + break; + case 'n': + if (!memcmp(name, "NID_crl_reaso", 13)) { + /* n */ + +#ifdef NID_crl_reason + return NID_crl_reason; +#else + goto not_there; +#endif + + } + break; + case 'p': + if (!memcmp(name, "NID_time_stam", 13)) { + /* p */ + +#ifdef NID_time_stamp + return NID_time_stamp; +#else + goto not_there; +#endif + + } + break; + case 'q': + if (!memcmp(name, "NID_ms_ext_re", 13)) { + /* q */ + +#ifdef NID_ms_ext_req + return NID_ms_ext_req; +#else + goto not_there; +#endif + + } + break; + case 'r': + if (!memcmp(name, "NID_crl_numbe", 13)) { + /* r */ + +#ifdef NID_crl_number + return NID_crl_number; +#else + goto not_there; +#endif + + } + break; + } + break; + case 15: + /* Names all of length 15. 
*/ + /* CB_CONNECT_EXIT CB_CONNECT_LOOP ERROR_WANT_READ F_WRITE_PENDING + MODE_AUTO_RETRY NID_cast5_cfb64 NID_cast5_ofb64 NID_client_auth + NID_countryName NID_des_ede_cbc NID_description NID_dnQualifier + NID_dsaWithSHA1 NID_info_access NID_mdc2WithRSA NID_ms_code_com + NID_ms_code_ind NID_ms_ctl_sign NID_server_auth NID_sha1WithRSA + OPENSSL_VERSION OP_NO_QUERY_MTU R_NO_PRIVATEKEY R_UNKNOWN_STATE + SESS_CACHE_BOTH SSLEAY_BUILT_ON SSLEAY_PLATFORM XN_FLAG_FN_MASK + XN_FLAG_FN_NONE XN_FLAG_ONELINE XN_FLAG_RFC2253 */ + /* Offset 14 gives the best switch position. */ + switch (name[14]) { + case '1': + if (!memcmp(name, "NID_dsaWithSHA", 14)) { + /* 1 */ + +#ifdef NID_dsaWithSHA1 + return NID_dsaWithSHA1; +#else + goto not_there; +#endif + + } + break; + case '3': + if (!memcmp(name, "XN_FLAG_RFC225", 14)) { + /* 3 */ + +#ifdef XN_FLAG_RFC2253 + return XN_FLAG_RFC2253; +#else + goto not_there; +#endif + + } + break; + case '4': + if (!memcmp(name, "NID_cast5_cfb6", 14)) { + /* 4 */ + +#ifdef NID_cast5_cfb64 + return NID_cast5_cfb64; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_cast5_ofb6", 14)) { + /* 4 */ + +#ifdef NID_cast5_ofb64 + return NID_cast5_ofb64; +#else + goto not_there; +#endif + + } + break; + case 'A': + if (!memcmp(name, "NID_mdc2WithRS", 14)) { + /* A */ + +#ifdef NID_mdc2WithRSA + return NID_mdc2WithRSA; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_sha1WithRS", 14)) { + /* A */ + +#ifdef NID_sha1WithRSA + return NID_sha1WithRSA; +#else + goto not_there; +#endif + + } + break; + case 'D': + if (!memcmp(name, "ERROR_WANT_REA", 14)) { + /* D */ + +#ifdef SSL_ERROR_WANT_READ + return SSL_ERROR_WANT_READ; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "R_UNKNOWN_STAT", 14)) { + /* E */ + +#ifdef SSL_R_UNKNOWN_STATE + return SSL_R_UNKNOWN_STATE; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "XN_FLAG_FN_NON", 14)) { + /* E */ + +#ifdef XN_FLAG_FN_NONE + return 
XN_FLAG_FN_NONE; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "XN_FLAG_ONELIN", 14)) { + /* E */ + +#ifdef XN_FLAG_ONELINE + return XN_FLAG_ONELINE; +#else + goto not_there; +#endif + + } + break; + case 'G': + if (!memcmp(name, "F_WRITE_PENDIN", 14)) { + /* G */ + +#ifdef SSL_F_WRITE_PENDING + return SSL_F_WRITE_PENDING; +#else + goto not_there; +#endif + + } + break; + case 'H': + if (!memcmp(name, "SESS_CACHE_BOT", 14)) { + /* H */ + +#ifdef SSL_SESS_CACHE_BOTH + return SSL_SESS_CACHE_BOTH; +#else + goto not_there; +#endif + + } + break; + case 'K': + if (!memcmp(name, "XN_FLAG_FN_MAS", 14)) { + /* K */ + +#ifdef XN_FLAG_FN_MASK + return XN_FLAG_FN_MASK; +#else + goto not_there; +#endif + + } + break; + case 'M': + if (!memcmp(name, "SSLEAY_PLATFOR", 14)) { + /* M */ + +#ifdef SSLEAY_PLATFORM + return SSLEAY_PLATFORM; +#else + goto not_there; +#endif + + } + break; + case 'N': + if (!memcmp(name, "OPENSSL_VERSIO", 14)) { + /* N */ + +#ifdef OPENSSL_VERSION + return OPENSSL_VERSION; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "SSLEAY_BUILT_O", 14)) { + /* N */ + +#ifdef SSLEAY_BUILT_ON + return SSLEAY_BUILT_ON; +#else + goto not_there; +#endif + + } + break; + case 'P': + if (!memcmp(name, "CB_CONNECT_LOO", 14)) { + /* P */ + +#ifdef SSL_CB_CONNECT_LOOP + return SSL_CB_CONNECT_LOOP; +#else + goto not_there; +#endif + + } + break; + case 'T': + if (!memcmp(name, "CB_CONNECT_EXI", 14)) { + /* T */ + +#ifdef SSL_CB_CONNECT_EXIT + return SSL_CB_CONNECT_EXIT; +#else + goto not_there; +#endif + + } + break; + case 'U': + if (!memcmp(name, "OP_NO_QUERY_MT", 14)) { + /* U */ + +#ifdef SSL_OP_NO_QUERY_MTU + return SSL_OP_NO_QUERY_MTU; +#else + goto not_there; +#endif + + } + break; + case 'Y': + if (!memcmp(name, "MODE_AUTO_RETR", 14)) { + /* Y */ + +#ifdef SSL_MODE_AUTO_RETRY + return SSL_MODE_AUTO_RETRY; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "R_NO_PRIVATEKE", 14)) { + /* Y */ + +#ifdef SSL_R_NO_PRIVATEKEY + return 
SSL_R_NO_PRIVATEKEY; +#else + goto not_there; +#endif + + } + break; + case 'c': + if (!memcmp(name, "NID_des_ede_cb", 14)) { + /* c */ + +#ifdef NID_des_ede_cbc + return NID_des_ede_cbc; +#else + goto not_there; +#endif + + } + break; + case 'd': + if (!memcmp(name, "NID_ms_code_in", 14)) { + /* d */ + +#ifdef NID_ms_code_ind + return NID_ms_code_ind; +#else + goto not_there; +#endif + + } + break; + case 'e': + if (!memcmp(name, "NID_countryNam", 14)) { + /* e */ + +#ifdef NID_countryName + return NID_countryName; +#else + goto not_there; +#endif + + } + break; + case 'h': + if (!memcmp(name, "NID_client_aut", 14)) { + /* h */ + +#ifdef NID_client_auth + return NID_client_auth; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_server_aut", 14)) { + /* h */ + +#ifdef NID_server_auth + return NID_server_auth; +#else + goto not_there; +#endif + + } + break; + case 'm': + if (!memcmp(name, "NID_ms_code_co", 14)) { + /* m */ + +#ifdef NID_ms_code_com + return NID_ms_code_com; +#else + goto not_there; +#endif + + } + break; + case 'n': + if (!memcmp(name, "NID_descriptio", 14)) { + /* n */ + +#ifdef NID_description + return NID_description; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_ms_ctl_sig", 14)) { + /* n */ + +#ifdef NID_ms_ctl_sign + return NID_ms_ctl_sign; +#else + goto not_there; +#endif + + } + break; + case 'r': + if (!memcmp(name, "NID_dnQualifie", 14)) { + /* r */ + +#ifdef NID_dnQualifier + return NID_dnQualifier; +#else + goto not_there; +#endif + + } + break; + case 's': + if (!memcmp(name, "NID_info_acces", 14)) { + /* s */ + +#ifdef NID_info_access + return NID_info_access; +#else + goto not_there; +#endif + + } + break; + } + break; + case 16: + /* Names all of length 16. 
*/ + /* ERROR_WANT_WRITE NID_des_ede3_cbc NID_friendlyName NID_hmacWithSHA1 + NID_localityName NID_pkcs7_digest NID_pkcs7_signed NID_serialNumber + OPENSSL_BUILT_ON OPENSSL_CPU_INFO OPENSSL_PLATFORM OP_EPHEMERAL_RSA + OP_PKCS1_CHECK_1 OP_PKCS1_CHECK_2 OP_SINGLE_DH_USE R_BAD_MAC_DECODE + R_NO_CIPHER_LIST SSL3_MT_FINISHED X509_PURPOSE_ANY X509_TRUST_EMAIL + XN_FLAG_FN_ALIGN XN_FLAG_SEP_MASK */ + /* Offset 15 gives the best switch position. */ + switch (name[15]) { + case '1': + if (!memcmp(name, "NID_hmacWithSHA", 15)) { + /* 1 */ + +#ifdef NID_hmacWithSHA1 + return NID_hmacWithSHA1; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "OP_PKCS1_CHECK_", 15)) { + /* 1 */ + +#ifdef SSL_OP_PKCS1_CHECK_1 + return SSL_OP_PKCS1_CHECK_1; +#else + goto not_there; +#endif + + } + break; + case '2': + if (!memcmp(name, "OP_PKCS1_CHECK_", 15)) { + /* 2 */ + +#ifdef SSL_OP_PKCS1_CHECK_2 + return SSL_OP_PKCS1_CHECK_2; +#else + goto not_there; +#endif + + } + break; + case 'A': + if (!memcmp(name, "OP_EPHEMERAL_RS", 15)) { + /* A */ + +#ifdef SSL_OP_EPHEMERAL_RSA + return SSL_OP_EPHEMERAL_RSA; +#else + goto not_there; +#endif + + } + break; + case 'D': + if (!memcmp(name, "SSL3_MT_FINISHE", 15)) { + /* D */ + +#ifdef SSL3_MT_FINISHED + return SSL3_MT_FINISHED; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "ERROR_WANT_WRIT", 15)) { + /* E */ + +#ifdef SSL_ERROR_WANT_WRITE + return SSL_ERROR_WANT_WRITE; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "OP_SINGLE_DH_US", 15)) { + /* E */ + +#ifdef SSL_OP_SINGLE_DH_USE + return SSL_OP_SINGLE_DH_USE; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "R_BAD_MAC_DECOD", 15)) { + /* E */ + +#ifdef SSL_R_BAD_MAC_DECODE + return SSL_R_BAD_MAC_DECODE; +#else + goto not_there; +#endif + + } + break; + case 'K': + if (!memcmp(name, "XN_FLAG_SEP_MAS", 15)) { + /* K */ + +#ifdef XN_FLAG_SEP_MASK + return XN_FLAG_SEP_MASK; +#else + goto not_there; +#endif + + } + break; + case 'L': + if 
(!memcmp(name, "X509_TRUST_EMAI", 15)) { + /* L */ + +#ifdef X509_TRUST_EMAIL + return X509_TRUST_EMAIL; +#else + goto not_there; +#endif + + } + break; + case 'M': + if (!memcmp(name, "OPENSSL_PLATFOR", 15)) { + /* M */ + +#ifdef OPENSSL_PLATFORM + return OPENSSL_PLATFORM; +#else + goto not_there; +#endif + + } + break; + case 'N': + if (!memcmp(name, "OPENSSL_BUILT_O", 15)) { + /* N */ + +#ifdef OPENSSL_BUILT_ON + return OPENSSL_BUILT_ON; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "XN_FLAG_FN_ALIG", 15)) { + /* N */ + +#ifdef XN_FLAG_FN_ALIGN + return XN_FLAG_FN_ALIGN; +#else + goto not_there; +#endif + + } + break; + case 'O': + if (!memcmp(name, "OPENSSL_CPU_INF", 15)) { + /* O */ + +#ifdef OPENSSL_CPU_INFO + return OPENSSL_CPU_INFO; +#else + goto not_there; +#endif + + } + break; + case 'T': + if (!memcmp(name, "R_NO_CIPHER_LIS", 15)) { + /* T */ + +#ifdef SSL_R_NO_CIPHER_LIST + return SSL_R_NO_CIPHER_LIST; +#else + goto not_there; +#endif + + } + break; + case 'Y': + if (!memcmp(name, "X509_PURPOSE_AN", 15)) { + /* Y */ + +#ifdef X509_PURPOSE_ANY + return X509_PURPOSE_ANY; +#else + goto not_there; +#endif + + } + break; + case 'c': + if (!memcmp(name, "NID_des_ede3_cb", 15)) { + /* c */ + +#ifdef NID_des_ede3_cbc + return NID_des_ede3_cbc; +#else + goto not_there; +#endif + + } + break; + case 'd': + if (!memcmp(name, "NID_pkcs7_signe", 15)) { + /* d */ + +#ifdef NID_pkcs7_signed + return NID_pkcs7_signed; +#else + goto not_there; +#endif + + } + break; + case 'e': + if (!memcmp(name, "NID_friendlyNam", 15)) { + /* e */ + +#ifdef NID_friendlyName + return NID_friendlyName; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_localityNam", 15)) { + /* e */ + +#ifdef NID_localityName + return NID_localityName; +#else + goto not_there; +#endif + + } + break; + case 'r': + if (!memcmp(name, "NID_serialNumbe", 15)) { + /* r */ + +#ifdef NID_serialNumber + return NID_serialNumber; +#else + goto not_there; +#endif + + } + break; + case 
't': + if (!memcmp(name, "NID_pkcs7_diges", 15)) { + /* t */ + +#ifdef NID_pkcs7_digest + return NID_pkcs7_digest; +#else + goto not_there; +#endif + + } + break; + } + break; + case 17: + /* Names all of length 17. */ + /* CB_HANDSHAKE_DONE ERROR_WANT_ACCEPT ERROR_ZERO_RETURN F_D2I_SSL_SESSION + F_I2D_SSL_SESSION F_SSL_SESSION_NEW NID_ad_ca_issuers NID_des_ede_cfb64 + NID_des_ede_ofb64 NID_dsaWithSHA1_2 NID_email_protect NID_ext_key_usage + NID_id_qt_unotice NID_rsaEncryption OP_NO_ANTI_REPLAY OP_NO_COMPRESSION + OP_TLSEXT_PADDING RECEIVED_SHUTDOWN R_BAD_WRITE_RETRY R_NO_CIPHER_MATCH + SESS_CACHE_CLIENT SESS_CACHE_SERVER SSL3_RT_HANDSHAKE X509_FILETYPE_PEM + X509_TRUST_COMPAT XN_FLAG_MULTILINE */ + /* Offset 13 gives the best switch position. */ + switch (name[13]) { + case 'A': + if (!memcmp(name, "NID_dsaWithSHA1_2", 17)) { + /* ^ */ + +#ifdef NID_dsaWithSHA1_2 + return NID_dsaWithSHA1_2; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "R_NO_CIPHER_MATCH", 17)) { + /* ^ */ + +#ifdef SSL_R_NO_CIPHER_MATCH + return SSL_R_NO_CIPHER_MATCH; +#else + goto not_there; +#endif + + } + break; + case 'C': + if (!memcmp(name, "ERROR_WANT_ACCEPT", 17)) { + /* ^ */ + +#ifdef SSL_ERROR_WANT_ACCEPT + return SSL_ERROR_WANT_ACCEPT; +#else + goto not_there; +#endif + + } + break; + case 'D': + if (!memcmp(name, "CB_HANDSHAKE_DONE", 17)) { + /* ^ */ + +#ifdef SSL_CB_HANDSHAKE_DONE + return SSL_CB_HANDSHAKE_DONE; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "OP_TLSEXT_PADDING", 17)) { + /* ^ */ + +#ifdef SSL_OP_TLSEXT_PADDING + return SSL_OP_TLSEXT_PADDING; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "RECEIVED_SHUTDOWN", 17)) { + /* ^ */ + +#ifdef SSL_RECEIVED_SHUTDOWN + return SSL_RECEIVED_SHUTDOWN; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "R_BAD_WRITE_RETRY", 17)) { + /* ^ */ + +#ifdef SSL_R_BAD_WRITE_RETRY + return SSL_R_BAD_WRITE_RETRY; +#else + goto not_there; +#endif + + } + break; + case 'H': + if 
(!memcmp(name, "SSL3_RT_HANDSHAKE", 17)) { + /* ^ */ + +#ifdef SSL3_RT_HANDSHAKE + return SSL3_RT_HANDSHAKE; +#else + goto not_there; +#endif + + } + break; + case 'I': + if (!memcmp(name, "SESS_CACHE_CLIENT", 17)) { + /* ^ */ + +#ifdef SSL_SESS_CACHE_CLIENT + return SSL_SESS_CACHE_CLIENT; +#else + goto not_there; +#endif + + } + break; + case 'L': + if (!memcmp(name, "XN_FLAG_MULTILINE", 17)) { + /* ^ */ + +#ifdef XN_FLAG_MULTILINE + return XN_FLAG_MULTILINE; +#else + goto not_there; +#endif + + } + break; + case 'M': + if (!memcmp(name, "X509_TRUST_COMPAT", 17)) { + /* ^ */ + +#ifdef X509_TRUST_COMPAT + return X509_TRUST_COMPAT; +#else + goto not_there; +#endif + + } + break; + case 'P': + if (!memcmp(name, "OP_NO_ANTI_REPLAY", 17)) { + /* ^ */ + +#ifdef SSL_OP_NO_ANTI_REPLAY + return SSL_OP_NO_ANTI_REPLAY; +#else + goto not_there; +#endif + + } + break; + case 'R': + if (!memcmp(name, "SESS_CACHE_SERVER", 17)) { + /* ^ */ + +#ifdef SSL_SESS_CACHE_SERVER + return SSL_SESS_CACHE_SERVER; +#else + goto not_there; +#endif + + } + break; + case 'S': + if (!memcmp(name, "F_D2I_SSL_SESSION", 17)) { + /* ^ */ + +#ifdef SSL_F_D2I_SSL_SESSION + return SSL_F_D2I_SSL_SESSION; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "F_I2D_SSL_SESSION", 17)) { + /* ^ */ + +#ifdef SSL_F_I2D_SSL_SESSION + return SSL_F_I2D_SSL_SESSION; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "OP_NO_COMPRESSION", 17)) { + /* ^ */ + +#ifdef SSL_OP_NO_COMPRESSION + return SSL_OP_NO_COMPRESSION; +#else + goto not_there; +#endif + + } + break; + case 'T': + if (!memcmp(name, "ERROR_ZERO_RETURN", 17)) { + /* ^ */ + +#ifdef SSL_ERROR_ZERO_RETURN + return SSL_ERROR_ZERO_RETURN; +#else + goto not_there; +#endif + + } + break; + case '_': + if (!memcmp(name, "F_SSL_SESSION_NEW", 17)) { + /* ^ */ + +#ifdef SSL_F_SSL_SESSION_NEW + return SSL_F_SSL_SESSION_NEW; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_FILETYPE_PEM", 17)) { + /* ^ */ + +#ifdef X509_FILETYPE_PEM + 
return X509_FILETYPE_PEM; +#else + goto not_there; +#endif + + } + break; + case 'f': + if (!memcmp(name, "NID_des_ede_cfb64", 17)) { + /* ^ */ + +#ifdef NID_des_ede_cfb64 + return NID_des_ede_cfb64; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_des_ede_ofb64", 17)) { + /* ^ */ + +#ifdef NID_des_ede_ofb64 + return NID_des_ede_ofb64; +#else + goto not_there; +#endif + + } + break; + case 's': + if (!memcmp(name, "NID_ext_key_usage", 17)) { + /* ^ */ + +#ifdef NID_ext_key_usage + return NID_ext_key_usage; +#else + goto not_there; +#endif + + } + break; + case 't': + if (!memcmp(name, "NID_email_protect", 17)) { + /* ^ */ + +#ifdef NID_email_protect + return NID_email_protect; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_id_qt_unotice", 17)) { + /* ^ */ + +#ifdef NID_id_qt_unotice + return NID_id_qt_unotice; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_rsaEncryption", 17)) { + /* ^ */ + +#ifdef NID_rsaEncryption + return NID_rsaEncryption; +#else + goto not_there; +#endif + + } + break; + case 'u': + if (!memcmp(name, "NID_ad_ca_issuers", 17)) { + /* ^ */ + +#ifdef NID_ad_ca_issuers + return NID_ad_ca_issuers; +#else + goto not_there; +#endif + + } + break; + } + break; + case 18: + /* Names all of length 18. */ + /* CB_HANDSHAKE_START ERROR_WANT_CONNECT F_GET_CLIENT_HELLO + F_GET_SERVER_HELLO NID_des_ede3_cfb64 NID_des_ede3_ofb64 + NID_dhKeyAgreement OP_COOKIE_EXCHANGE OP_SINGLE_ECDH_USE + R_BAD_SSL_FILETYPE SSL3_MT_KEY_UPDATE SSL3_MT_NEXT_PROTO + VERIFY_CLIENT_ONCE X509_FILETYPE_ASN1 */ + /* Offset 11 gives the best switch position. 
*/ + switch (name[11]) { + case '3': + if (!memcmp(name, "NID_des_ede3_cfb64", 18)) { + /* ^ */ + +#ifdef NID_des_ede3_cfb64 + return NID_des_ede3_cfb64; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_des_ede3_ofb64", 18)) { + /* ^ */ + +#ifdef NID_des_ede3_ofb64 + return NID_des_ede3_ofb64; +#else + goto not_there; +#endif + + } + break; + case 'C': + if (!memcmp(name, "ERROR_WANT_CONNECT", 18)) { + /* ^ */ + +#ifdef SSL_ERROR_WANT_CONNECT + return SSL_ERROR_WANT_CONNECT; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "OP_SINGLE_ECDH_USE", 18)) { + /* ^ */ + +#ifdef SSL_OP_SINGLE_ECDH_USE + return SSL_OP_SINGLE_ECDH_USE; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "CB_HANDSHAKE_START", 18)) { + /* ^ */ + +#ifdef SSL_CB_HANDSHAKE_START + return SSL_CB_HANDSHAKE_START; +#else + goto not_there; +#endif + + } + break; + case 'I': + if (!memcmp(name, "R_BAD_SSL_FILETYPE", 18)) { + /* ^ */ + +#ifdef SSL_R_BAD_SSL_FILETYPE + return SSL_R_BAD_SSL_FILETYPE; +#else + goto not_there; +#endif + + } + break; + case 'N': + if (!memcmp(name, "VERIFY_CLIENT_ONCE", 18)) { + /* ^ */ + +#ifdef SSL_VERIFY_CLIENT_ONCE + return SSL_VERIFY_CLIENT_ONCE; +#else + goto not_there; +#endif + + } + break; + case 'P': + if (!memcmp(name, "X509_FILETYPE_ASN1", 18)) { + /* ^ */ + +#ifdef X509_FILETYPE_ASN1 + return X509_FILETYPE_ASN1; +#else + goto not_there; +#endif + + } + break; + case 'R': + if (!memcmp(name, "F_GET_SERVER_HELLO", 18)) { + /* ^ */ + +#ifdef SSL_F_GET_SERVER_HELLO + return SSL_F_GET_SERVER_HELLO; +#else + goto not_there; +#endif + + } + break; + case 'T': + if (!memcmp(name, "F_GET_CLIENT_HELLO", 18)) { + /* ^ */ + +#ifdef SSL_F_GET_CLIENT_HELLO + return SSL_F_GET_CLIENT_HELLO; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "SSL3_MT_NEXT_PROTO", 18)) { + /* ^ */ + +#ifdef SSL3_MT_NEXT_PROTO + return SSL3_MT_NEXT_PROTO; +#else + goto not_there; +#endif + + } + break; + case 'X': + if (!memcmp(name, 
"OP_COOKIE_EXCHANGE", 18)) { + /* ^ */ + +#ifdef SSL_OP_COOKIE_EXCHANGE + return SSL_OP_COOKIE_EXCHANGE; +#else + goto not_there; +#endif + + } + break; + case '_': + if (!memcmp(name, "SSL3_MT_KEY_UPDATE", 18)) { + /* ^ */ + +#ifdef SSL3_MT_KEY_UPDATE + return SSL3_MT_KEY_UPDATE; +#else + goto not_there; +#endif + + } + break; + case 'r': + if (!memcmp(name, "NID_dhKeyAgreement", 18)) { + /* ^ */ + +#ifdef NID_dhKeyAgreement + return NID_dhKeyAgreement; +#else + goto not_there; +#endif + + } + break; + } + break; + case 19: + /* Names all of length 19. */ + /* F_CLIENT_MASTER_KEY F_GET_SERVER_VERIFY NID_invalidity_date + NID_issuer_alt_name NID_pkcs7_encrypted NID_pkcs7_enveloped + NID_rle_compression NID_safeContentsBag NID_sdsiCertificate + NID_x509Certificate OPENSSL_ENGINES_DIR OPENSSL_MODULES_DIR + OP_ALLOW_NO_DHE_KEX OP_CISCO_ANYCONNECT OP_NON_EXPORT_FIRST + OP_NO_RENEGOTIATION OP_TLS_ROLLBACK_BUG SSL3_MT_CERTIFICATE + SSL3_MT_SERVER_DONE */ + /* Offset 12 gives the best switch position. 
*/ + switch (name[12]) { + case 'A': + if (!memcmp(name, "OP_TLS_ROLLBACK_BUG", 19)) { + /* ^ */ + +#ifdef SSL_OP_TLS_ROLLBACK_BUG + return SSL_OP_TLS_ROLLBACK_BUG; +#else + goto not_there; +#endif + + } + break; + case 'C': + if (!memcmp(name, "OP_CISCO_ANYCONNECT", 19)) { + /* ^ */ + +#ifdef SSL_OP_CISCO_ANYCONNECT + return SSL_OP_CISCO_ANYCONNECT; +#else + goto not_there; +#endif + + } + break; + case 'D': + if (!memcmp(name, "OP_ALLOW_NO_DHE_KEX", 19)) { + /* ^ */ + +#ifdef SSL_OP_ALLOW_NO_DHE_KEX + return SSL_OP_ALLOW_NO_DHE_KEX; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "SSL3_MT_SERVER_DONE", 19)) { + /* ^ */ + +#ifdef SSL3_MT_SERVER_DONE + return SSL3_MT_SERVER_DONE; +#else + goto not_there; +#endif + + } + break; + case 'I': + if (!memcmp(name, "SSL3_MT_CERTIFICATE", 19)) { + /* ^ */ + +#ifdef SSL3_MT_CERTIFICATE + return SSL3_MT_CERTIFICATE; +#else + goto not_there; +#endif + + } + break; + case 'L': + if (!memcmp(name, "OPENSSL_MODULES_DIR", 19)) { + /* ^ */ + +#ifdef OPENSSL_MODULES_DIR + return OPENSSL_MODULES_DIR; +#else + goto not_there; +#endif + + } + break; + case 'N': + if (!memcmp(name, "OPENSSL_ENGINES_DIR", 19)) { + /* ^ */ + +#ifdef OPENSSL_ENGINES_DIR + return OPENSSL_ENGINES_DIR; +#else + goto not_there; +#endif + + } + break; + case 'T': + if (!memcmp(name, "F_CLIENT_MASTER_KEY", 19)) { + /* ^ */ + +#ifdef SSL_F_CLIENT_MASTER_KEY + return SSL_F_CLIENT_MASTER_KEY; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "OP_NON_EXPORT_FIRST", 19)) { + /* ^ */ + +#ifdef SSL_OP_NON_EXPORT_FIRST + return SSL_OP_NON_EXPORT_FIRST; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "OP_NO_RENEGOTIATION", 19)) { + /* ^ */ + +#ifdef SSL_OP_NO_RENEGOTIATION + return SSL_OP_NO_RENEGOTIATION; +#else + goto not_there; +#endif + + } + break; + case '_': + if (!memcmp(name, "F_GET_SERVER_VERIFY", 19)) { + /* ^ */ + +#ifdef SSL_F_GET_SERVER_VERIFY + return SSL_F_GET_SERVER_VERIFY; +#else + goto not_there; 
+#endif + + } + break; + case 'c': + if (!memcmp(name, "NID_pkcs7_encrypted", 19)) { + /* ^ */ + +#ifdef NID_pkcs7_encrypted + return NID_pkcs7_encrypted; +#else + goto not_there; +#endif + + } + break; + case 'e': + if (!memcmp(name, "NID_safeContentsBag", 19)) { + /* ^ */ + +#ifdef NID_safeContentsBag + return NID_safeContentsBag; +#else + goto not_there; +#endif + + } + break; + case 'i': + if (!memcmp(name, "NID_sdsiCertificate", 19)) { + /* ^ */ + +#ifdef NID_sdsiCertificate + return NID_sdsiCertificate; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_x509Certificate", 19)) { + /* ^ */ + +#ifdef NID_x509Certificate + return NID_x509Certificate; +#else + goto not_there; +#endif + + } + break; + case 'l': + if (!memcmp(name, "NID_issuer_alt_name", 19)) { + /* ^ */ + +#ifdef NID_issuer_alt_name + return NID_issuer_alt_name; +#else + goto not_there; +#endif + + } + break; + case 'r': + if (!memcmp(name, "NID_rle_compression", 19)) { + /* ^ */ + +#ifdef NID_rle_compression + return NID_rle_compression; +#else + goto not_there; +#endif + + } + break; + case 't': + if (!memcmp(name, "NID_invalidity_date", 19)) { + /* ^ */ + +#ifdef NID_invalidity_date + return NID_invalidity_date; +#else + goto not_there; +#endif + + } + break; + case 'v': + if (!memcmp(name, "NID_pkcs7_enveloped", 19)) { + /* ^ */ + +#ifdef NID_pkcs7_enveloped + return NID_pkcs7_enveloped; +#else + goto not_there; +#endif + + } + break; + } + break; + case 20: + /* Names all of length 20. 
*/ + /* ASN1_STRFLGS_ESC_MSB ASN1_STRFLGS_RFC2253 F_CLIENT_CERTIFICATE + F_SSL_USE_PRIVATEKEY MODE_RELEASE_BUFFERS NID_netscape_comment + NID_organizationName NID_ripemd160WithRSA NID_subject_alt_name + NID_uniqueIdentifier NID_zlib_compression OP_PRIORITIZE_CHACHA + R_NO_CERTIFICATE_SET SESSION_ASN1_VERSION SSL2_MT_CLIENT_HELLO + SSL2_MT_SERVER_HELLO SSL3_MT_CLIENT_HELLO SSL3_MT_MESSAGE_HASH + SSL3_MT_SERVER_HELLO X509_TRUST_OCSP_SIGN X509_V_ERR_PATH_LOOP */ + /* Offset 13 gives the best switch position. */ + switch (name[13]) { + case 'A': + if (!memcmp(name, "R_NO_CERTIFICATE_SET", 20)) { + /* ^ */ + +#ifdef SSL_R_NO_CERTIFICATE_SET + return SSL_R_NO_CERTIFICATE_SET; +#else + goto not_there; +#endif + + } + break; + case 'B': + if (!memcmp(name, "MODE_RELEASE_BUFFERS", 20)) { + /* ^ */ + +#ifdef SSL_MODE_RELEASE_BUFFERS + return SSL_MODE_RELEASE_BUFFERS; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "ASN1_STRFLGS_ESC_MSB", 20)) { + /* ^ */ + +#ifdef ASN1_STRFLGS_ESC_MSB + return ASN1_STRFLGS_ESC_MSB; +#else + goto not_there; +#endif + + } + break; + case 'G': + if (!memcmp(name, "SSL3_MT_MESSAGE_HASH", 20)) { + /* ^ */ + +#ifdef SSL3_MT_MESSAGE_HASH + return SSL3_MT_MESSAGE_HASH; +#else + goto not_there; +#endif + + } + break; + case 'I': + if (!memcmp(name, "F_CLIENT_CERTIFICATE", 20)) { + /* ^ */ + +#ifdef SSL_F_CLIENT_CERTIFICATE + return SSL_F_CLIENT_CERTIFICATE; +#else + goto not_there; +#endif + + } + break; + case 'R': + if (!memcmp(name, "ASN1_STRFLGS_RFC2253", 20)) { + /* ^ */ + +#ifdef ASN1_STRFLGS_RFC2253 + return ASN1_STRFLGS_RFC2253; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "SSL2_MT_SERVER_HELLO", 20)) { + /* ^ */ + +#ifdef SSL2_MT_SERVER_HELLO + return SSL2_MT_SERVER_HELLO; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "SSL3_MT_SERVER_HELLO", 20)) { + /* ^ */ + +#ifdef SSL3_MT_SERVER_HELLO + return SSL3_MT_SERVER_HELLO; +#else + goto not_there; +#endif + + } + break; + case 'S': + if 
(!memcmp(name, "X509_TRUST_OCSP_SIGN", 20)) { + /* ^ */ + +#ifdef X509_TRUST_OCSP_SIGN + return X509_TRUST_OCSP_SIGN; +#else + goto not_there; +#endif + + } + break; + case 'T': + if (!memcmp(name, "SSL2_MT_CLIENT_HELLO", 20)) { + /* ^ */ + +#ifdef SSL2_MT_CLIENT_HELLO + return SSL2_MT_CLIENT_HELLO; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "SSL3_MT_CLIENT_HELLO", 20)) { + /* ^ */ + +#ifdef SSL3_MT_CLIENT_HELLO + return SSL3_MT_CLIENT_HELLO; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_V_ERR_PATH_LOOP", 20)) { + /* ^ */ + +#ifdef X509_V_ERR_PATH_LOOP + return X509_V_ERR_PATH_LOOP; +#else + goto not_there; +#endif + + } + break; + case 'V': + if (!memcmp(name, "F_SSL_USE_PRIVATEKEY", 20)) { + /* ^ */ + +#ifdef SSL_F_SSL_USE_PRIVATEKEY + return SSL_F_SSL_USE_PRIVATEKEY; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "SESSION_ASN1_VERSION", 20)) { + /* ^ */ + +#ifdef SSL_SESSION_ASN1_VERSION + return SSL_SESSION_ASN1_VERSION; +#else + goto not_there; +#endif + + } + break; + case 'W': + if (!memcmp(name, "NID_ripemd160WithRSA", 20)) { + /* ^ */ + +#ifdef NID_ripemd160WithRSA + return NID_ripemd160WithRSA; +#else + goto not_there; +#endif + + } + break; + case '_': + if (!memcmp(name, "OP_PRIORITIZE_CHACHA", 20)) { + /* ^ */ + +#ifdef SSL_OP_PRIORITIZE_CHACHA + return SSL_OP_PRIORITIZE_CHACHA; +#else + goto not_there; +#endif + + } + break; + case 'c': + if (!memcmp(name, "NID_netscape_comment", 20)) { + /* ^ */ + +#ifdef NID_netscape_comment + return NID_netscape_comment; +#else + goto not_there; +#endif + + } + break; + case 'i': + if (!memcmp(name, "NID_organizationName", 20)) { + /* ^ */ + +#ifdef NID_organizationName + return NID_organizationName; +#else + goto not_there; +#endif + + } + break; + case 'l': + if (!memcmp(name, "NID_subject_alt_name", 20)) { + /* ^ */ + +#ifdef NID_subject_alt_name + return NID_subject_alt_name; +#else + goto not_there; +#endif + + } + break; + case 'n': + if (!memcmp(name, 
"NID_uniqueIdentifier", 20)) { + /* ^ */ + +#ifdef NID_uniqueIdentifier + return NID_uniqueIdentifier; +#else + goto not_there; +#endif + + } + break; + case 'r': + if (!memcmp(name, "NID_zlib_compression", 20)) { + /* ^ */ + +#ifdef NID_zlib_compression + return NID_zlib_compression; +#else + goto not_there; +#endif + + } + break; + } + break; + case 21: + /* Names all of length 21. */ + /* ASN1_STRFLGS_ESC_CTRL F_GET_CLIENT_FINISHED F_GET_SERVER_FINISHED + F_REQUEST_CERTIFICATE F_SSL_GET_NEW_SESSION F_SSL_USE_CERTIFICATE + NID_SMIMECapabilities NID_basic_constraints NID_netscape_base_url + NID_pkcs9_contentType NID_pkcs9_signingTime OPENSSL_VERSION_MAJOR + OPENSSL_VERSION_MINOR OPENSSL_VERSION_PATCH OP_NETSCAPE_CA_DN_BUG + SSL2_MT_SERVER_VERIFY SSL3_MT_HELLO_REQUEST VERIFY_POST_HANDSHAKE + X509_FILETYPE_DEFAULT X509_PURPOSE_CRL_SIGN X509_TRUST_SSL_CLIENT + X509_TRUST_SSL_SERVER X509_V_ERR_INVALID_CA X509_V_ERR_OUT_OF_MEM + X509_V_FLAG_CRL_CHECK XN_FLAG_SEP_CPLUS_SPC XN_FLAG_SEP_MULTILINE + XN_FLAG_SEP_SPLUS_SPC */ + /* Offset 19 gives the best switch position. 
*/ + switch (name[19]) { + case 'C': + if (!memcmp(name, "OPENSSL_VERSION_PATCH", 21)) { + /* ^ */ + +#ifdef OPENSSL_VERSION_PATCH + return OPENSSL_VERSION_PATCH; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_V_ERR_INVALID_CA", 21)) { + /* ^ */ + +#ifdef X509_V_ERR_INVALID_CA + return X509_V_ERR_INVALID_CA; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_V_FLAG_CRL_CHECK", 21)) { + /* ^ */ + +#ifdef X509_V_FLAG_CRL_CHECK + return X509_V_FLAG_CRL_CHECK; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "F_GET_CLIENT_FINISHED", 21)) { + /* ^ */ + +#ifdef SSL_F_GET_CLIENT_FINISHED + return SSL_F_GET_CLIENT_FINISHED; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "F_GET_SERVER_FINISHED", 21)) { + /* ^ */ + +#ifdef SSL_F_GET_SERVER_FINISHED + return SSL_F_GET_SERVER_FINISHED; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_TRUST_SSL_SERVER", 21)) { + /* ^ */ + +#ifdef X509_TRUST_SSL_SERVER + return X509_TRUST_SSL_SERVER; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_V_ERR_OUT_OF_MEM", 21)) { + /* ^ */ + +#ifdef X509_V_ERR_OUT_OF_MEM + return X509_V_ERR_OUT_OF_MEM; +#else + goto not_there; +#endif + + } + break; + case 'F': + if (!memcmp(name, "SSL2_MT_SERVER_VERIFY", 21)) { + /* ^ */ + +#ifdef SSL2_MT_SERVER_VERIFY + return SSL2_MT_SERVER_VERIFY; +#else + goto not_there; +#endif + + } + break; + case 'G': + if (!memcmp(name, "X509_PURPOSE_CRL_SIGN", 21)) { + /* ^ */ + +#ifdef X509_PURPOSE_CRL_SIGN + return X509_PURPOSE_CRL_SIGN; +#else + goto not_there; +#endif + + } + break; + case 'K': + if (!memcmp(name, "VERIFY_POST_HANDSHAKE", 21)) { + /* ^ */ + +#ifdef SSL_VERIFY_POST_HANDSHAKE + return SSL_VERIFY_POST_HANDSHAKE; +#else + goto not_there; +#endif + + } + break; + case 'L': + if (!memcmp(name, "X509_FILETYPE_DEFAULT", 21)) { + /* ^ */ + +#ifdef X509_FILETYPE_DEFAULT + return X509_FILETYPE_DEFAULT; +#else + goto not_there; +#endif + + } + break; + case 
'N': + if (!memcmp(name, "X509_TRUST_SSL_CLIENT", 21)) { + /* ^ */ + +#ifdef X509_TRUST_SSL_CLIENT + return X509_TRUST_SSL_CLIENT; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "XN_FLAG_SEP_MULTILINE", 21)) { + /* ^ */ + +#ifdef XN_FLAG_SEP_MULTILINE + return XN_FLAG_SEP_MULTILINE; +#else + goto not_there; +#endif + + } + break; + case 'O': + if (!memcmp(name, "F_SSL_GET_NEW_SESSION", 21)) { + /* ^ */ + +#ifdef SSL_F_SSL_GET_NEW_SESSION + return SSL_F_SSL_GET_NEW_SESSION; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "OPENSSL_VERSION_MAJOR", 21)) { + /* ^ */ + +#ifdef OPENSSL_VERSION_MAJOR + return OPENSSL_VERSION_MAJOR; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "OPENSSL_VERSION_MINOR", 21)) { + /* ^ */ + +#ifdef OPENSSL_VERSION_MINOR + return OPENSSL_VERSION_MINOR; +#else + goto not_there; +#endif + + } + break; + case 'P': + if (!memcmp(name, "XN_FLAG_SEP_CPLUS_SPC", 21)) { + /* ^ */ + +#ifdef XN_FLAG_SEP_CPLUS_SPC + return XN_FLAG_SEP_CPLUS_SPC; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "XN_FLAG_SEP_SPLUS_SPC", 21)) { + /* ^ */ + +#ifdef XN_FLAG_SEP_SPLUS_SPC + return XN_FLAG_SEP_SPLUS_SPC; +#else + goto not_there; +#endif + + } + break; + case 'R': + if (!memcmp(name, "ASN1_STRFLGS_ESC_CTRL", 21)) { + /* ^ */ + +#ifdef ASN1_STRFLGS_ESC_CTRL + return ASN1_STRFLGS_ESC_CTRL; +#else + goto not_there; +#endif + + } + break; + case 'S': + if (!memcmp(name, "SSL3_MT_HELLO_REQUEST", 21)) { + /* ^ */ + +#ifdef SSL3_MT_HELLO_REQUEST + return SSL3_MT_HELLO_REQUEST; +#else + goto not_there; +#endif + + } + break; + case 'T': + if (!memcmp(name, "F_REQUEST_CERTIFICATE", 21)) { + /* ^ */ + +#ifdef SSL_F_REQUEST_CERTIFICATE + return SSL_F_REQUEST_CERTIFICATE; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "F_SSL_USE_CERTIFICATE", 21)) { + /* ^ */ + +#ifdef SSL_F_SSL_USE_CERTIFICATE + return SSL_F_SSL_USE_CERTIFICATE; +#else + goto not_there; +#endif + + } + break; + case 'U': + if (!memcmp(name, 
"OP_NETSCAPE_CA_DN_BUG", 21)) { + /* ^ */ + +#ifdef SSL_OP_NETSCAPE_CA_DN_BUG + return SSL_OP_NETSCAPE_CA_DN_BUG; +#else + goto not_there; +#endif + + } + break; + case 'e': + if (!memcmp(name, "NID_SMIMECapabilities", 21)) { + /* ^ */ + +#ifdef NID_SMIMECapabilities + return NID_SMIMECapabilities; +#else + goto not_there; +#endif + + } + break; + case 'm': + if (!memcmp(name, "NID_pkcs9_signingTime", 21)) { + /* ^ */ + +#ifdef NID_pkcs9_signingTime + return NID_pkcs9_signingTime; +#else + goto not_there; +#endif + + } + break; + case 'p': + if (!memcmp(name, "NID_pkcs9_contentType", 21)) { + /* ^ */ + +#ifdef NID_pkcs9_contentType + return NID_pkcs9_contentType; +#else + goto not_there; +#endif + + } + break; + case 'r': + if (!memcmp(name, "NID_netscape_base_url", 21)) { + /* ^ */ + +#ifdef NID_netscape_base_url + return NID_netscape_base_url; +#else + goto not_there; +#endif + + } + break; + case 't': + if (!memcmp(name, "NID_basic_constraints", 21)) { + /* ^ */ + +#ifdef NID_basic_constraints + return NID_basic_constraints; +#else + goto not_there; +#endif + + } + break; + } + break; + case 22: + /* Names all of length 22. */ + /* ASN1_STRFLGS_ESC_QUOTE ERROR_WANT_X509_LOOKUP F_SSL_SESSION_PRINT_FP + NID_netscape_cert_type NID_netscape_data_type NID_pkcs9_emailAddress + OPENSSL_VERSION_NUMBER OPENSSL_VERSION_STRING OP_NO_ENCRYPT_THEN_MAC + R_PEER_ERROR_NO_CIPHER SESS_CACHE_NO_INTERNAL TLSEXT_STATUSTYPE_ocsp + V_OCSP_CERTSTATUS_GOOD X509_TRUST_OBJECT_SIGN X509_V_ERR_UNSPECIFIED + X509_V_FLAG_USE_DELTAS XN_FLAG_SEP_COMMA_PLUS */ + /* Offset 18 gives the best switch position. 
*/ + switch (name[18]) { + case 'F': + if (!memcmp(name, "X509_V_ERR_UNSPECIFIED", 22)) { + /* ^ */ + +#ifdef X509_V_ERR_UNSPECIFIED + return X509_V_ERR_UNSPECIFIED; +#else + goto not_there; +#endif + + } + break; + case 'G': + if (!memcmp(name, "V_OCSP_CERTSTATUS_GOOD", 22)) { + /* ^ */ + +#ifdef V_OCSP_CERTSTATUS_GOOD + return V_OCSP_CERTSTATUS_GOOD; +#else + goto not_there; +#endif + + } + break; + case 'L': + if (!memcmp(name, "X509_V_FLAG_USE_DELTAS", 22)) { + /* ^ */ + +#ifdef X509_V_FLAG_USE_DELTAS + return X509_V_FLAG_USE_DELTAS; +#else + goto not_there; +#endif + + } + break; + case 'M': + if (!memcmp(name, "OPENSSL_VERSION_NUMBER", 22)) { + /* ^ */ + +#ifdef OPENSSL_VERSION_NUMBER + return OPENSSL_VERSION_NUMBER; +#else + goto not_there; +#endif + + } + break; + case 'O': + if (!memcmp(name, "ERROR_WANT_X509_LOOKUP", 22)) { + /* ^ */ + +#ifdef SSL_ERROR_WANT_X509_LOOKUP + return SSL_ERROR_WANT_X509_LOOKUP; +#else + goto not_there; +#endif + + } + break; + case 'P': + if (!memcmp(name, "R_PEER_ERROR_NO_CIPHER", 22)) { + /* ^ */ + +#ifdef SSL_R_PEER_ERROR_NO_CIPHER + return SSL_R_PEER_ERROR_NO_CIPHER; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "XN_FLAG_SEP_COMMA_PLUS", 22)) { + /* ^ */ + +#ifdef XN_FLAG_SEP_COMMA_PLUS + return XN_FLAG_SEP_COMMA_PLUS; +#else + goto not_there; +#endif + + } + break; + case 'R': + if (!memcmp(name, "OPENSSL_VERSION_STRING", 22)) { + /* ^ */ + +#ifdef OPENSSL_VERSION_STRING + return OPENSSL_VERSION_STRING; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "SESS_CACHE_NO_INTERNAL", 22)) { + /* ^ */ + +#ifdef SSL_SESS_CACHE_NO_INTERNAL + return SSL_SESS_CACHE_NO_INTERNAL; +#else + goto not_there; +#endif + + } + break; + case 'S': + if (!memcmp(name, "X509_TRUST_OBJECT_SIGN", 22)) { + /* ^ */ + +#ifdef X509_TRUST_OBJECT_SIGN + return X509_TRUST_OBJECT_SIGN; +#else + goto not_there; +#endif + + } + break; + case 'T': + if (!memcmp(name, "F_SSL_SESSION_PRINT_FP", 22)) { + /* ^ */ + +#ifdef 
SSL_F_SSL_SESSION_PRINT_FP + return SSL_F_SSL_SESSION_PRINT_FP; +#else + goto not_there; +#endif + + } + break; + case 'U': + if (!memcmp(name, "ASN1_STRFLGS_ESC_QUOTE", 22)) { + /* ^ */ + +#ifdef ASN1_STRFLGS_ESC_QUOTE + return ASN1_STRFLGS_ESC_QUOTE; +#else + goto not_there; +#endif + + } + break; + case '_': + if (!memcmp(name, "OP_NO_ENCRYPT_THEN_MAC", 22)) { + /* ^ */ + +#ifdef SSL_OP_NO_ENCRYPT_THEN_MAC + return SSL_OP_NO_ENCRYPT_THEN_MAC; +#else + goto not_there; +#endif + + } + break; + case 'o': + if (!memcmp(name, "TLSEXT_STATUSTYPE_ocsp", 22)) { + /* ^ */ + +#ifdef TLSEXT_STATUSTYPE_ocsp + return TLSEXT_STATUSTYPE_ocsp; +#else + goto not_there; +#endif + + } + break; + case 'r': + if (!memcmp(name, "NID_pkcs9_emailAddress", 22)) { + /* ^ */ + +#ifdef NID_pkcs9_emailAddress + return NID_pkcs9_emailAddress; +#else + goto not_there; +#endif + + } + break; + case 't': + if (!memcmp(name, "NID_netscape_cert_type", 22)) { + /* ^ */ + +#ifdef NID_netscape_cert_type + return NID_netscape_cert_type; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_netscape_data_type", 22)) { + /* ^ */ + +#ifdef NID_netscape_data_type + return NID_netscape_data_type; +#else + goto not_there; +#endif + + } + break; + } + break; + case 23: + /* Names all of length 23. */ + /* F_GET_CLIENT_MASTER_KEY F_SSL_USE_RSAPRIVATEKEY LIBRESSL_VERSION_NUMBER + NID_pkcs8ShroudedKeyBag NID_pkcs9_messageDigest NID_stateOrProvinceName + OPENSSL_INFO_CONFIG_DIR OP_CRYPTOPRO_TLSEXT_BUG R_BAD_RESPONSE_ARGUMENT + R_PUBLIC_KEY_IS_NOT_RSA SSL2_MT_CLIENT_FINISHED SSL2_MT_SERVER_FINISHED + SSL3_MT_CERTIFICATE_URL X509_PURPOSE_SMIME_SIGN X509_PURPOSE_SSL_CLIENT + X509_PURPOSE_SSL_SERVER X509_TRUST_OCSP_REQUEST X509_V_ERR_CERT_REVOKED + X509_V_ERR_INVALID_CALL X509_V_ERR_STORE_LOOKUP X509_V_FLAG_INHIBIT_ANY + X509_V_FLAG_INHIBIT_MAP X509_V_FLAG_POLICY_MASK X509_V_FLAG_X509_STRICT + */ + /* Offset 13 gives the best switch position. 
*/ + switch (name[13]) { + case '5': + if (!memcmp(name, "X509_V_FLAG_X509_STRICT", 23)) { + /* ^ */ + +#ifdef X509_V_FLAG_X509_STRICT + return X509_V_FLAG_X509_STRICT; +#else + goto not_there; +#endif + + } + break; + case 'C': + if (!memcmp(name, "OPENSSL_INFO_CONFIG_DIR", 23)) { + /* ^ */ + +#ifdef OPENSSL_INFO_CONFIG_DIR + return OPENSSL_INFO_CONFIG_DIR; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "R_BAD_RESPONSE_ARGUMENT", 23)) { + /* ^ */ + +#ifdef SSL_R_BAD_RESPONSE_ARGUMENT + return SSL_R_BAD_RESPONSE_ARGUMENT; +#else + goto not_there; +#endif + + } + break; + case 'F': + if (!memcmp(name, "SSL3_MT_CERTIFICATE_URL", 23)) { + /* ^ */ + +#ifdef SSL3_MT_CERTIFICATE_URL + return SSL3_MT_CERTIFICATE_URL; +#else + goto not_there; +#endif + + } + break; + case 'I': + if (!memcmp(name, "LIBRESSL_VERSION_NUMBER", 23)) { + /* ^ */ + +#ifdef LIBRESSL_VERSION_NUMBER + return LIBRESSL_VERSION_NUMBER; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "R_PUBLIC_KEY_IS_NOT_RSA", 23)) { + /* ^ */ + +#ifdef SSL_R_PUBLIC_KEY_IS_NOT_RSA + return SSL_R_PUBLIC_KEY_IS_NOT_RSA; +#else + goto not_there; +#endif + + } + break; + case 'M': + if (!memcmp(name, "F_GET_CLIENT_MASTER_KEY", 23)) { + /* ^ */ + +#ifdef SSL_F_GET_CLIENT_MASTER_KEY + return SSL_F_GET_CLIENT_MASTER_KEY; +#else + goto not_there; +#endif + + } + break; + case 'N': + if (!memcmp(name, "X509_V_FLAG_INHIBIT_ANY", 23)) { + /* ^ */ + +#ifdef X509_V_FLAG_INHIBIT_ANY + return X509_V_FLAG_INHIBIT_ANY; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_V_FLAG_INHIBIT_MAP", 23)) { + /* ^ */ + +#ifdef X509_V_FLAG_INHIBIT_MAP + return X509_V_FLAG_INHIBIT_MAP; +#else + goto not_there; +#endif + + } + break; + case 'O': + if (!memcmp(name, "X509_V_ERR_STORE_LOOKUP", 23)) { + /* ^ */ + +#ifdef X509_V_ERR_STORE_LOOKUP + return X509_V_ERR_STORE_LOOKUP; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_V_FLAG_POLICY_MASK", 23)) { + /* ^ */ + +#ifdef 
X509_V_FLAG_POLICY_MASK + return X509_V_FLAG_POLICY_MASK; +#else + goto not_there; +#endif + + } + break; + case 'P': + if (!memcmp(name, "F_SSL_USE_RSAPRIVATEKEY", 23)) { + /* ^ */ + +#ifdef SSL_F_SSL_USE_RSAPRIVATEKEY + return SSL_F_SSL_USE_RSAPRIVATEKEY; +#else + goto not_there; +#endif + + } + break; + case 'R': + if (!memcmp(name, "SSL2_MT_SERVER_FINISHED", 23)) { + /* ^ */ + +#ifdef SSL2_MT_SERVER_FINISHED + return SSL2_MT_SERVER_FINISHED; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_V_ERR_CERT_REVOKED", 23)) { + /* ^ */ + +#ifdef X509_V_ERR_CERT_REVOKED + return X509_V_ERR_CERT_REVOKED; +#else + goto not_there; +#endif + + } + break; + case 'S': + if (!memcmp(name, "X509_PURPOSE_SMIME_SIGN", 23)) { + /* ^ */ + +#ifdef X509_PURPOSE_SMIME_SIGN + return X509_PURPOSE_SMIME_SIGN; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_PURPOSE_SSL_CLIENT", 23)) { + /* ^ */ + +#ifdef X509_PURPOSE_SSL_CLIENT + return X509_PURPOSE_SSL_CLIENT; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_PURPOSE_SSL_SERVER", 23)) { + /* ^ */ + +#ifdef X509_PURPOSE_SSL_SERVER + return X509_PURPOSE_SSL_SERVER; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_TRUST_OCSP_REQUEST", 23)) { + /* ^ */ + +#ifdef X509_TRUST_OCSP_REQUEST + return X509_TRUST_OCSP_REQUEST; +#else + goto not_there; +#endif + + } + break; + case 'T': + if (!memcmp(name, "OP_CRYPTOPRO_TLSEXT_BUG", 23)) { + /* ^ */ + +#ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG + return SSL_OP_CRYPTOPRO_TLSEXT_BUG; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "SSL2_MT_CLIENT_FINISHED", 23)) { + /* ^ */ + +#ifdef SSL2_MT_CLIENT_FINISHED + return SSL2_MT_CLIENT_FINISHED; +#else + goto not_there; +#endif + + } + break; + case 'V': + if (!memcmp(name, "X509_V_ERR_INVALID_CALL", 23)) { + /* ^ */ + +#ifdef X509_V_ERR_INVALID_CALL + return X509_V_ERR_INVALID_CALL; +#else + goto not_there; +#endif + + } + break; + case 'o': + if (!memcmp(name, "NID_stateOrProvinceName", 
23)) { + /* ^ */ + +#ifdef NID_stateOrProvinceName + return NID_stateOrProvinceName; +#else + goto not_there; +#endif + + } + break; + case 's': + if (!memcmp(name, "NID_pkcs9_messageDigest", 23)) { + /* ^ */ + +#ifdef NID_pkcs9_messageDigest + return NID_pkcs9_messageDigest; +#else + goto not_there; +#endif + + } + break; + case 'u': + if (!memcmp(name, "NID_pkcs8ShroudedKeyBag", 23)) { + /* ^ */ + +#ifdef NID_pkcs8ShroudedKeyBag + return NID_pkcs8ShroudedKeyBag; +#else + goto not_there; +#endif + + } + break; + } + break; + case 24: + /* Names all of length 24. */ + /* F_SSL_RSA_PUBLIC_ENCRYPT NID_certificate_policies + NID_md2WithRSAEncryption NID_md5WithRSAEncryption + NID_netscape_renewal_url NID_pbeWithMD2AndDES_CBC + NID_pbeWithMD2AndRC2_CBC NID_pbeWithMD5AndDES_CBC + NID_pbeWithMD5AndRC2_CBC NID_shaWithRSAEncryption + OPENSSL_INFO_ENGINES_DIR OPENSSL_INFO_MODULES_DIR + OPENSSL_INFO_SEED_SOURCE OP_LEGACY_SERVER_CONNECT + OP_MICROSOFT_SESS_ID_BUG OP_TLS_BLOCK_PADDING_BUG + R_CHALLENGE_IS_DIFFERENT R_CIPHER_TABLE_SRC_ERROR + R_PEER_ERROR_CERTIFICATE R_READ_WRONG_PACKET_TYPE + SESS_CACHE_NO_AUTO_CLEAR SSL3_RT_APPLICATION_DATA + X509_PURPOSE_OCSP_HELPER X509_V_ERR_CERT_REJECTED + X509_V_ERR_DANE_NO_MATCH X509_V_ERR_NO_VALID_SCTS + X509_V_FLAG_POLICY_CHECK */ + /* Offset 13 gives the best switch position. 
*/ + switch (name[13]) { + case '2': + if (!memcmp(name, "NID_pbeWithMD2AndDES_CBC", 24)) { + /* ^ */ + +#ifdef NID_pbeWithMD2AndDES_CBC + return NID_pbeWithMD2AndDES_CBC; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_pbeWithMD2AndRC2_CBC", 24)) { + /* ^ */ + +#ifdef NID_pbeWithMD2AndRC2_CBC + return NID_pbeWithMD2AndRC2_CBC; +#else + goto not_there; +#endif + + } + break; + case '5': + if (!memcmp(name, "NID_pbeWithMD5AndDES_CBC", 24)) { + /* ^ */ + +#ifdef NID_pbeWithMD5AndDES_CBC + return NID_pbeWithMD5AndDES_CBC; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_pbeWithMD5AndRC2_CBC", 24)) { + /* ^ */ + +#ifdef NID_pbeWithMD5AndRC2_CBC + return NID_pbeWithMD5AndRC2_CBC; +#else + goto not_there; +#endif + + } + break; + case 'A': + if (!memcmp(name, "NID_md2WithRSAEncryption", 24)) { + /* ^ */ + +#ifdef NID_md2WithRSAEncryption + return NID_md2WithRSAEncryption; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_md5WithRSAEncryption", 24)) { + /* ^ */ + +#ifdef NID_md5WithRSAEncryption + return NID_md5WithRSAEncryption; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_shaWithRSAEncryption", 24)) { + /* ^ */ + +#ifdef NID_shaWithRSAEncryption + return NID_shaWithRSAEncryption; +#else + goto not_there; +#endif + + } + break; + case 'C': + if (!memcmp(name, "R_PEER_ERROR_CERTIFICATE", 24)) { + /* ^ */ + +#ifdef SSL_R_PEER_ERROR_CERTIFICATE + return SSL_R_PEER_ERROR_CERTIFICATE; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "SSL3_RT_APPLICATION_DATA", 24)) { + /* ^ */ + +#ifdef SSL3_RT_APPLICATION_DATA + return SSL3_RT_APPLICATION_DATA; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "OPENSSL_INFO_ENGINES_DIR", 24)) { + /* ^ */ + +#ifdef OPENSSL_INFO_ENGINES_DIR + return OPENSSL_INFO_ENGINES_DIR; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "R_CIPHER_TABLE_SRC_ERROR", 24)) { + /* ^ */ + +#ifdef SSL_R_CIPHER_TABLE_SRC_ERROR + return 
SSL_R_CIPHER_TABLE_SRC_ERROR; +#else + goto not_there; +#endif + + } + break; + case 'L': + if (!memcmp(name, "F_SSL_RSA_PUBLIC_ENCRYPT", 24)) { + /* ^ */ + +#ifdef SSL_F_SSL_RSA_PUBLIC_ENCRYPT + return SSL_F_SSL_RSA_PUBLIC_ENCRYPT; +#else + goto not_there; +#endif + + } + break; + case 'M': + if (!memcmp(name, "OPENSSL_INFO_MODULES_DIR", 24)) { + /* ^ */ + +#ifdef OPENSSL_INFO_MODULES_DIR + return OPENSSL_INFO_MODULES_DIR; +#else + goto not_there; +#endif + + } + break; + case 'N': + if (!memcmp(name, "X509_V_ERR_DANE_NO_MATCH", 24)) { + /* ^ */ + +#ifdef X509_V_ERR_DANE_NO_MATCH + return X509_V_ERR_DANE_NO_MATCH; +#else + goto not_there; +#endif + + } + break; + case 'O': + if (!memcmp(name, "X509_PURPOSE_OCSP_HELPER", 24)) { + /* ^ */ + +#ifdef X509_PURPOSE_OCSP_HELPER + return X509_PURPOSE_OCSP_HELPER; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_V_FLAG_POLICY_CHECK", 24)) { + /* ^ */ + +#ifdef X509_V_FLAG_POLICY_CHECK + return X509_V_FLAG_POLICY_CHECK; +#else + goto not_there; +#endif + + } + break; + case 'P': + if (!memcmp(name, "OP_TLS_BLOCK_PADDING_BUG", 24)) { + /* ^ */ + +#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG + return SSL_OP_TLS_BLOCK_PADDING_BUG; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "R_READ_WRONG_PACKET_TYPE", 24)) { + /* ^ */ + +#ifdef SSL_R_READ_WRONG_PACKET_TYPE + return SSL_R_READ_WRONG_PACKET_TYPE; +#else + goto not_there; +#endif + + } + break; + case 'R': + if (!memcmp(name, "X509_V_ERR_CERT_REJECTED", 24)) { + /* ^ */ + +#ifdef X509_V_ERR_CERT_REJECTED + return X509_V_ERR_CERT_REJECTED; +#else + goto not_there; +#endif + + } + break; + case 'S': + if (!memcmp(name, "OPENSSL_INFO_SEED_SOURCE", 24)) { + /* ^ */ + +#ifdef OPENSSL_INFO_SEED_SOURCE + return OPENSSL_INFO_SEED_SOURCE; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "OP_MICROSOFT_SESS_ID_BUG", 24)) { + /* ^ */ + +#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG + return SSL_OP_MICROSOFT_SESS_ID_BUG; +#else + goto not_there; +#endif + + } + if 
(!memcmp(name, "R_CHALLENGE_IS_DIFFERENT", 24)) { + /* ^ */ + +#ifdef SSL_R_CHALLENGE_IS_DIFFERENT + return SSL_R_CHALLENGE_IS_DIFFERENT; +#else + goto not_there; +#endif + + } + break; + case 'V': + if (!memcmp(name, "OP_LEGACY_SERVER_CONNECT", 24)) { + /* ^ */ + +#ifdef SSL_OP_LEGACY_SERVER_CONNECT + return SSL_OP_LEGACY_SERVER_CONNECT; +#else + goto not_there; +#endif + + } + break; + case '_': + if (!memcmp(name, "SESS_CACHE_NO_AUTO_CLEAR", 24)) { + /* ^ */ + +#ifdef SSL_SESS_CACHE_NO_AUTO_CLEAR + return SSL_SESS_CACHE_NO_AUTO_CLEAR; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_V_ERR_NO_VALID_SCTS", 24)) { + /* ^ */ + +#ifdef X509_V_ERR_NO_VALID_SCTS + return X509_V_ERR_NO_VALID_SCTS; +#else + goto not_there; +#endif + + } + break; + case 'r': + if (!memcmp(name, "NID_netscape_renewal_url", 24)) { + /* ^ */ + +#ifdef NID_netscape_renewal_url + return NID_netscape_renewal_url; +#else + goto not_there; +#endif + + } + break; + case 't': + if (!memcmp(name, "NID_certificate_policies", 24)) { + /* ^ */ + +#ifdef NID_certificate_policies + return NID_certificate_policies; +#else + goto not_there; +#endif + + } + break; + } + break; + case 25: + /* Names all of length 25. 
*/ + /* F_SSL_RSA_PRIVATE_DECRYPT F_SSL_USE_PRIVATEKEY_ASN1 + F_SSL_USE_PRIVATEKEY_FILE MODE_ENABLE_PARTIAL_WRITE + NID_pbeWithSHA1AndDES_CBC NID_pbeWithSHA1AndRC2_CBC + NID_sha1WithRSAEncryption OPENSSL_INFO_CPU_SETTINGS + OP_MSIE_SSLV2_RSA_PADDING OP_NETSCAPE_CHALLENGE_BUG + OP_SAFARI_ECDHE_ECDSA_BUG R_BAD_AUTHENTICATION_TYPE + SSL2_MT_CLIENT_MASTER_KEY SSL3_MT_END_OF_EARLY_DATA + SSL3_MT_NEWSESSION_TICKET SSL3_MT_SUPPLEMENTAL_DATA + V_OCSP_CERTSTATUS_REVOKED V_OCSP_CERTSTATUS_UNKNOWN + X509_V_ERR_CA_MD_TOO_WEAK X509_V_ERR_CERT_UNTRUSTED + X509_V_ERR_EMAIL_MISMATCH X509_V_ERR_INVALID_NON_CA + X509_V_ERR_SUBTREE_MINMAX X509_V_FLAG_CRL_CHECK_ALL + X509_V_FLAG_LEGACY_VERIFY X509_V_FLAG_NOTIFY_POLICY + X509_V_FLAG_NO_ALT_CHAINS X509_V_FLAG_NO_CHECK_TIME + X509_V_FLAG_PARTIAL_CHAIN X509_V_FLAG_TRUSTED_FIRST */ + /* Offset 19 gives the best switch position. */ + switch (name[19]) { + case 'A': + if (!memcmp(name, "OP_MSIE_SSLV2_RSA_PADDING", 25)) { + /* ^ */ + +#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING + return SSL_OP_MSIE_SSLV2_RSA_PADDING; +#else + goto not_there; +#endif + + } + break; + case 'C': + if (!memcmp(name, "NID_pbeWithSHA1AndRC2_CBC", 25)) { + /* ^ */ + +#ifdef NID_pbeWithSHA1AndRC2_CBC + return NID_pbeWithSHA1AndRC2_CBC; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_V_FLAG_CRL_CHECK_ALL", 25)) { + /* ^ */ + +#ifdef X509_V_FLAG_CRL_CHECK_ALL + return X509_V_FLAG_CRL_CHECK_ALL; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_V_FLAG_NO_ALT_CHAINS", 25)) { + /* ^ */ + +#ifdef X509_V_FLAG_NO_ALT_CHAINS + return X509_V_FLAG_NO_ALT_CHAINS; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "F_SSL_RSA_PRIVATE_DECRYPT", 25)) { + /* ^ */ + +#ifdef SSL_F_SSL_RSA_PRIVATE_DECRYPT + return SSL_F_SSL_RSA_PRIVATE_DECRYPT; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_pbeWithSHA1AndDES_CBC", 25)) { + /* ^ */ + +#ifdef NID_pbeWithSHA1AndDES_CBC + return NID_pbeWithSHA1AndDES_CBC; +#else + goto 
not_there; +#endif + + } + if (!memcmp(name, "SSL2_MT_CLIENT_MASTER_KEY", 25)) { + /* ^ */ + +#ifdef SSL2_MT_CLIENT_MASTER_KEY + return SSL2_MT_CLIENT_MASTER_KEY; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "V_OCSP_CERTSTATUS_REVOKED", 25)) { + /* ^ */ + +#ifdef V_OCSP_CERTSTATUS_REVOKED + return V_OCSP_CERTSTATUS_REVOKED; +#else + goto not_there; +#endif + + } + break; + case 'G': + if (!memcmp(name, "OP_NETSCAPE_CHALLENGE_BUG", 25)) { + /* ^ */ + +#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG + return SSL_OP_NETSCAPE_CHALLENGE_BUG; +#else + goto not_there; +#endif + + } + break; + case 'K': + if (!memcmp(name, "X509_V_FLAG_NO_CHECK_TIME", 25)) { + /* ^ */ + +#ifdef X509_V_FLAG_NO_CHECK_TIME + return X509_V_FLAG_NO_CHECK_TIME; +#else + goto not_there; +#endif + + } + break; + case 'L': + if (!memcmp(name, "SSL3_MT_SUPPLEMENTAL_DATA", 25)) { + /* ^ */ + +#ifdef SSL3_MT_SUPPLEMENTAL_DATA + return SSL3_MT_SUPPLEMENTAL_DATA; +#else + goto not_there; +#endif + + } + break; + case 'M': + if (!memcmp(name, "X509_V_ERR_SUBTREE_MINMAX", 25)) { + /* ^ */ + +#ifdef X509_V_ERR_SUBTREE_MINMAX + return X509_V_ERR_SUBTREE_MINMAX; +#else + goto not_there; +#endif + + } + break; + case 'N': + if (!memcmp(name, "R_BAD_AUTHENTICATION_TYPE", 25)) { + /* ^ */ + +#ifdef SSL_R_BAD_AUTHENTICATION_TYPE + return SSL_R_BAD_AUTHENTICATION_TYPE; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "V_OCSP_CERTSTATUS_UNKNOWN", 25)) { + /* ^ */ + +#ifdef V_OCSP_CERTSTATUS_UNKNOWN + return V_OCSP_CERTSTATUS_UNKNOWN; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_V_ERR_INVALID_NON_CA", 25)) { + /* ^ */ + +#ifdef X509_V_ERR_INVALID_NON_CA + return X509_V_ERR_INVALID_NON_CA; +#else + goto not_there; +#endif + + } + break; + case 'O': + if (!memcmp(name, "X509_V_ERR_CA_MD_TOO_WEAK", 25)) { + /* ^ */ + +#ifdef X509_V_ERR_CA_MD_TOO_WEAK + return X509_V_ERR_CA_MD_TOO_WEAK; +#else + goto not_there; +#endif + + } + break; + case 'P': + if (!memcmp(name, 
"X509_V_FLAG_NOTIFY_POLICY", 25)) { + /* ^ */ + +#ifdef X509_V_FLAG_NOTIFY_POLICY + return X509_V_FLAG_NOTIFY_POLICY; +#else + goto not_there; +#endif + + } + break; + case 'R': + if (!memcmp(name, "X509_V_ERR_CERT_UNTRUSTED", 25)) { + /* ^ */ + +#ifdef X509_V_ERR_CERT_UNTRUSTED + return X509_V_ERR_CERT_UNTRUSTED; +#else + goto not_there; +#endif + + } + break; + case 'S': + if (!memcmp(name, "OP_SAFARI_ECDHE_ECDSA_BUG", 25)) { + /* ^ */ + +#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG + return SSL_OP_SAFARI_ECDHE_ECDSA_BUG; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_V_ERR_EMAIL_MISMATCH", 25)) { + /* ^ */ + +#ifdef X509_V_ERR_EMAIL_MISMATCH + return X509_V_ERR_EMAIL_MISMATCH; +#else + goto not_there; +#endif + + } + break; + case 'T': + if (!memcmp(name, "OPENSSL_INFO_CPU_SETTINGS", 25)) { + /* ^ */ + +#ifdef OPENSSL_INFO_CPU_SETTINGS + return OPENSSL_INFO_CPU_SETTINGS; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "SSL3_MT_NEWSESSION_TICKET", 25)) { + /* ^ */ + +#ifdef SSL3_MT_NEWSESSION_TICKET + return SSL3_MT_NEWSESSION_TICKET; +#else + goto not_there; +#endif + + } + break; + case 'V': + if (!memcmp(name, "X509_V_FLAG_LEGACY_VERIFY", 25)) { + /* ^ */ + +#ifdef X509_V_FLAG_LEGACY_VERIFY + return X509_V_FLAG_LEGACY_VERIFY; +#else + goto not_there; +#endif + + } + break; + case 'Y': + if (!memcmp(name, "F_SSL_USE_PRIVATEKEY_ASN1", 25)) { + /* ^ */ + +#ifdef SSL_F_SSL_USE_PRIVATEKEY_ASN1 + return SSL_F_SSL_USE_PRIVATEKEY_ASN1; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "F_SSL_USE_PRIVATEKEY_FILE", 25)) { + /* ^ */ + +#ifdef SSL_F_SSL_USE_PRIVATEKEY_FILE + return SSL_F_SSL_USE_PRIVATEKEY_FILE; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "SSL3_MT_END_OF_EARLY_DATA", 25)) { + /* ^ */ + +#ifdef SSL3_MT_END_OF_EARLY_DATA + return SSL3_MT_END_OF_EARLY_DATA; +#else + goto not_there; +#endif + + } + break; + case '_': + if (!memcmp(name, "MODE_ENABLE_PARTIAL_WRITE", 25)) { + /* ^ */ + +#ifdef 
SSL_MODE_ENABLE_PARTIAL_WRITE + return SSL_MODE_ENABLE_PARTIAL_WRITE; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_V_FLAG_PARTIAL_CHAIN", 25)) { + /* ^ */ + +#ifdef X509_V_FLAG_PARTIAL_CHAIN + return X509_V_FLAG_PARTIAL_CHAIN; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_V_FLAG_TRUSTED_FIRST", 25)) { + /* ^ */ + +#ifdef X509_V_FLAG_TRUSTED_FIRST + return X509_V_FLAG_TRUSTED_FIRST; +#else + goto not_there; +#endif + + } + break; + case 'y': + if (!memcmp(name, "NID_sha1WithRSAEncryption", 25)) { + /* ^ */ + +#ifdef NID_sha1WithRSAEncryption + return NID_sha1WithRSAEncryption; +#else + goto not_there; +#endif + + } + break; + } + break; + case 26: + /* Names all of length 26. */ + /* F_SSL_USE_CERTIFICATE_ASN1 F_SSL_USE_CERTIFICATE_FILE + NID_netscape_ca_policy_url NID_netscape_cert_sequence + NID_organizationalUnitName NID_pbeWithMD5AndCast5_CBC + NID_pkcs9_countersignature NID_pkcs9_unstructuredName + NID_subject_key_identifier OPENSSL_INFO_DSO_EXTENSION + OP_ENABLE_MIDDLEBOX_COMPAT OP_NO_CLIENT_RENEGOTIATION + R_INVALID_CHALLENGE_LENGTH R_NO_CERTIFICATE_SPECIFIED + R_PUBLIC_KEY_ENCRYPT_ERROR SSL2_MT_CLIENT_CERTIFICATE + SSL3_MT_CERTIFICATE_STATUS SSL3_MT_CERTIFICATE_VERIFY + SSL3_MT_CHANGE_CIPHER_SPEC SSL3_RT_CHANGE_CIPHER_SPEC + SSL3_RT_INNER_CONTENT_TYPE X509_PURPOSE_NS_SSL_SERVER + X509_PURPOSE_SMIME_ENCRYPT X509_V_ERR_CRL_HAS_EXPIRED + X509_V_ERR_INVALID_PURPOSE X509_V_FLAG_SUITEB_128_LOS + X509_V_FLAG_SUITEB_192_LOS X509_V_FLAG_USE_CHECK_TIME */ + /* Offset 20 gives the best switch position. 
*/ + switch (name[20]) { + case '2': + if (!memcmp(name, "X509_V_FLAG_SUITEB_128_LOS", 26)) { + /* ^ */ + +#ifdef X509_V_FLAG_SUITEB_128_LOS + return X509_V_FLAG_SUITEB_128_LOS; +#else + goto not_there; +#endif + + } + break; + case '9': + if (!memcmp(name, "X509_V_FLAG_SUITEB_192_LOS", 26)) { + /* ^ */ + +#ifdef X509_V_FLAG_SUITEB_192_LOS + return X509_V_FLAG_SUITEB_192_LOS; +#else + goto not_there; +#endif + + } + break; + case 'C': + if (!memcmp(name, "OP_ENABLE_MIDDLEBOX_COMPAT", 26)) { + /* ^ */ + +#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT + return SSL_OP_ENABLE_MIDDLEBOX_COMPAT; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "R_NO_CERTIFICATE_SPECIFIED", 26)) { + /* ^ */ + +#ifdef SSL_R_NO_CERTIFICATE_SPECIFIED + return SSL_R_NO_CERTIFICATE_SPECIFIED; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "F_SSL_USE_CERTIFICATE_ASN1", 26)) { + /* ^ */ + +#ifdef SSL_F_SSL_USE_CERTIFICATE_ASN1 + return SSL_F_SSL_USE_CERTIFICATE_ASN1; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "F_SSL_USE_CERTIFICATE_FILE", 26)) { + /* ^ */ + +#ifdef SSL_F_SSL_USE_CERTIFICATE_FILE + return SSL_F_SSL_USE_CERTIFICATE_FILE; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "OPENSSL_INFO_DSO_EXTENSION", 26)) { + /* ^ */ + +#ifdef OPENSSL_INFO_DSO_EXTENSION + return OPENSSL_INFO_DSO_EXTENSION; +#else + goto not_there; +#endif + + } + break; + case 'F': + if (!memcmp(name, "SSL2_MT_CLIENT_CERTIFICATE", 26)) { + /* ^ */ + +#ifdef SSL2_MT_CLIENT_CERTIFICATE + return SSL2_MT_CLIENT_CERTIFICATE; +#else + goto not_there; +#endif + + } + break; + case 'I': + if (!memcmp(name, "OP_NO_CLIENT_RENEGOTIATION", 26)) { + /* ^ */ + +#ifdef SSL_OP_NO_CLIENT_RENEGOTIATION + return SSL_OP_NO_CLIENT_RENEGOTIATION; +#else + goto not_there; +#endif + + } + break; + case 'K': + if (!memcmp(name, "X509_V_FLAG_USE_CHECK_TIME", 26)) { + /* ^ */ + +#ifdef X509_V_FLAG_USE_CHECK_TIME + return X509_V_FLAG_USE_CHECK_TIME; +#else + goto not_there; +#endif + 
+ } + break; + case 'L': + if (!memcmp(name, "R_INVALID_CHALLENGE_LENGTH", 26)) { + /* ^ */ + +#ifdef SSL_R_INVALID_CHALLENGE_LENGTH + return SSL_R_INVALID_CHALLENGE_LENGTH; +#else + goto not_there; +#endif + + } + break; + case 'N': + if (!memcmp(name, "X509_PURPOSE_SMIME_ENCRYPT", 26)) { + /* ^ */ + +#ifdef X509_PURPOSE_SMIME_ENCRYPT + return X509_PURPOSE_SMIME_ENCRYPT; +#else + goto not_there; +#endif + + } + break; + case 'R': + if (!memcmp(name, "SSL3_MT_CHANGE_CIPHER_SPEC", 26)) { + /* ^ */ + +#ifdef SSL3_MT_CHANGE_CIPHER_SPEC + return SSL3_MT_CHANGE_CIPHER_SPEC; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "SSL3_RT_CHANGE_CIPHER_SPEC", 26)) { + /* ^ */ + +#ifdef SSL3_RT_CHANGE_CIPHER_SPEC + return SSL3_RT_CHANGE_CIPHER_SPEC; +#else + goto not_there; +#endif + + } + break; + case 'S': + if (!memcmp(name, "SSL3_MT_CERTIFICATE_STATUS", 26)) { + /* ^ */ + +#ifdef SSL3_MT_CERTIFICATE_STATUS + return SSL3_MT_CERTIFICATE_STATUS; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_PURPOSE_NS_SSL_SERVER", 26)) { + /* ^ */ + +#ifdef X509_PURPOSE_NS_SSL_SERVER + return X509_PURPOSE_NS_SSL_SERVER; +#else + goto not_there; +#endif + + } + break; + case 'T': + if (!memcmp(name, "SSL3_RT_INNER_CONTENT_TYPE", 26)) { + /* ^ */ + +#ifdef SSL3_RT_INNER_CONTENT_TYPE + return SSL3_RT_INNER_CONTENT_TYPE; +#else + goto not_there; +#endif + + } + break; + case 'U': + if (!memcmp(name, "X509_V_ERR_INVALID_PURPOSE", 26)) { + /* ^ */ + +#ifdef X509_V_ERR_INVALID_PURPOSE + return X509_V_ERR_INVALID_PURPOSE; +#else + goto not_there; +#endif + + } + break; + case 'V': + if (!memcmp(name, "SSL3_MT_CERTIFICATE_VERIFY", 26)) { + /* ^ */ + +#ifdef SSL3_MT_CERTIFICATE_VERIFY + return SSL3_MT_CERTIFICATE_VERIFY; +#else + goto not_there; +#endif + + } + break; + case 'X': + if (!memcmp(name, "X509_V_ERR_CRL_HAS_EXPIRED", 26)) { + /* ^ */ + +#ifdef X509_V_ERR_CRL_HAS_EXPIRED + return X509_V_ERR_CRL_HAS_EXPIRED; +#else + goto not_there; +#endif + + } + break; + case 
'_': + if (!memcmp(name, "R_PUBLIC_KEY_ENCRYPT_ERROR", 26)) { + /* ^ */ + +#ifdef SSL_R_PUBLIC_KEY_ENCRYPT_ERROR + return SSL_R_PUBLIC_KEY_ENCRYPT_ERROR; +#else + goto not_there; +#endif + + } + break; + case 'c': + if (!memcmp(name, "NID_netscape_ca_policy_url", 26)) { + /* ^ */ + +#ifdef NID_netscape_ca_policy_url + return NID_netscape_ca_policy_url; +#else + goto not_there; +#endif + + } + break; + case 'e': + if (!memcmp(name, "NID_pkcs9_unstructuredName", 26)) { + /* ^ */ + +#ifdef NID_pkcs9_unstructuredName + return NID_pkcs9_unstructuredName; +#else + goto not_there; +#endif + + } + break; + case 'i': + if (!memcmp(name, "NID_organizationalUnitName", 26)) { + /* ^ */ + +#ifdef NID_organizationalUnitName + return NID_organizationalUnitName; +#else + goto not_there; +#endif + + } + break; + case 'n': + if (!memcmp(name, "NID_pkcs9_countersignature", 26)) { + /* ^ */ + +#ifdef NID_pkcs9_countersignature + return NID_pkcs9_countersignature; +#else + goto not_there; +#endif + + } + break; + case 'q': + if (!memcmp(name, "NID_netscape_cert_sequence", 26)) { + /* ^ */ + +#ifdef NID_netscape_cert_sequence + return NID_netscape_cert_sequence; +#else + goto not_there; +#endif + + } + break; + case 't': + if (!memcmp(name, "NID_pbeWithMD5AndCast5_CBC", 26)) { + /* ^ */ + +#ifdef NID_pbeWithMD5AndCast5_CBC + return NID_pbeWithMD5AndCast5_CBC; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "NID_subject_key_identifier", 26)) { + /* ^ */ + +#ifdef NID_subject_key_identifier + return NID_subject_key_identifier; +#else + goto not_there; +#endif + + } + break; + } + break; + case 27: + /* Names all of length 27. 
*/ + /* NID_crl_distribution_points NID_netscape_cert_extension + NID_netscape_revocation_url NID_pbe_WithSHA1And40BitRC4 + NID_pkcs9_challengePassword NID_pkcs9_extCertAttributes + OPENSSL_FULL_VERSION_STRING OPENSSL_INFO_LIST_SEPARATOR + OP_CIPHER_SERVER_PREFERENCE OP_SSLEAY_080_CLIENT_DH_BUG + R_BAD_SSL_SESSION_ID_LENGTH R_UNKNOWN_REMOTE_ERROR_TYPE + SSL2_MT_REQUEST_CERTIFICATE SSL3_MT_CERTIFICATE_REQUEST + SSL3_MT_CLIENT_KEY_EXCHANGE SSL3_MT_SERVER_KEY_EXCHANGE + VERIFY_FAIL_IF_NO_PEER_CERT X509_PURPOSE_TIMESTAMP_SIGN + X509_V_ERR_CA_KEY_TOO_SMALL X509_V_ERR_CERT_HAS_EXPIRED + X509_V_ERR_EE_KEY_TOO_SMALL X509_V_FLAG_CB_ISSUER_CHECK + X509_V_FLAG_EXPLICIT_POLICY X509_V_FLAG_IGNORE_CRITICAL + XN_FLAG_DUMP_UNKNOWN_FIELDS */ + /* Offset 13 gives the best switch position. */ + switch (name[13]) { + case 'B': + if (!memcmp(name, "X509_V_FLAG_CB_ISSUER_CHECK", 27)) { + /* ^ */ + +#ifdef X509_V_FLAG_CB_ISSUER_CHECK + return X509_V_FLAG_CB_ISSUER_CHECK; +#else + goto not_there; +#endif + + } + break; + case 'C': + if (!memcmp(name, "NID_pkcs9_extCertAttributes", 27)) { + /* ^ */ + +#ifdef NID_pkcs9_extCertAttributes + return NID_pkcs9_extCertAttributes; +#else + goto not_there; +#endif + + } + break; + case 'F': + if (!memcmp(name, "SSL3_MT_CERTIFICATE_REQUEST", 27)) { + /* ^ */ + +#ifdef SSL3_MT_CERTIFICATE_REQUEST + return SSL3_MT_CERTIFICATE_REQUEST; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "VERIFY_FAIL_IF_NO_PEER_CERT", 27)) { + /* ^ */ + +#ifdef SSL_VERIFY_FAIL_IF_NO_PEER_CERT + return SSL_VERIFY_FAIL_IF_NO_PEER_CERT; +#else + goto not_there; +#endif + + } + break; + case 'G': + if (!memcmp(name, "X509_V_FLAG_IGNORE_CRITICAL", 27)) { + /* ^ */ + +#ifdef X509_V_FLAG_IGNORE_CRITICAL + return X509_V_FLAG_IGNORE_CRITICAL; +#else + goto not_there; +#endif + + } + break; + case 'H': + if (!memcmp(name, "NID_pbe_WithSHA1And40BitRC4", 27)) { + /* ^ */ + +#ifdef NID_pbe_WithSHA1And40BitRC4 + return NID_pbe_WithSHA1And40BitRC4; +#else + goto not_there; 
+#endif + + } + break; + case 'L': + if (!memcmp(name, "OPENSSL_INFO_LIST_SEPARATOR", 27)) { + /* ^ */ + +#ifdef OPENSSL_INFO_LIST_SEPARATOR + return OPENSSL_INFO_LIST_SEPARATOR; +#else + goto not_there; +#endif + + } + break; + case 'O': + if (!memcmp(name, "R_UNKNOWN_REMOTE_ERROR_TYPE", 27)) { + /* ^ */ + +#ifdef SSL_R_UNKNOWN_REMOTE_ERROR_TYPE + return SSL_R_UNKNOWN_REMOTE_ERROR_TYPE; +#else + goto not_there; +#endif + + } + break; + case 'R': + if (!memcmp(name, "SSL3_MT_SERVER_KEY_EXCHANGE", 27)) { + /* ^ */ + +#ifdef SSL3_MT_SERVER_KEY_EXCHANGE + return SSL3_MT_SERVER_KEY_EXCHANGE; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_V_ERR_CERT_HAS_EXPIRED", 27)) { + /* ^ */ + +#ifdef X509_V_ERR_CERT_HAS_EXPIRED + return X509_V_ERR_CERT_HAS_EXPIRED; +#else + goto not_there; +#endif + + } + break; + case 'S': + if (!memcmp(name, "R_BAD_SSL_SESSION_ID_LENGTH", 27)) { + /* ^ */ + +#ifdef SSL_R_BAD_SSL_SESSION_ID_LENGTH + return SSL_R_BAD_SSL_SESSION_ID_LENGTH; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "SSL2_MT_REQUEST_CERTIFICATE", 27)) { + /* ^ */ + +#ifdef SSL2_MT_REQUEST_CERTIFICATE + return SSL2_MT_REQUEST_CERTIFICATE; +#else + goto not_there; +#endif + + } + break; + case 'T': + if (!memcmp(name, "SSL3_MT_CLIENT_KEY_EXCHANGE", 27)) { + /* ^ */ + +#ifdef SSL3_MT_CLIENT_KEY_EXCHANGE + return SSL3_MT_CLIENT_KEY_EXCHANGE; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_PURPOSE_TIMESTAMP_SIGN", 27)) { + /* ^ */ + +#ifdef X509_PURPOSE_TIMESTAMP_SIGN + return X509_PURPOSE_TIMESTAMP_SIGN; +#else + goto not_there; +#endif + + } + break; + case 'U': + if (!memcmp(name, "XN_FLAG_DUMP_UNKNOWN_FIELDS", 27)) { + /* ^ */ + +#ifdef XN_FLAG_DUMP_UNKNOWN_FIELDS + return XN_FLAG_DUMP_UNKNOWN_FIELDS; +#else + goto not_there; +#endif + + } + break; + case 'V': + if (!memcmp(name, "OPENSSL_FULL_VERSION_STRING", 27)) { + /* ^ */ + +#ifdef OPENSSL_FULL_VERSION_STRING + return OPENSSL_FULL_VERSION_STRING; +#else + goto not_there; 
+#endif + + } + if (!memcmp(name, "OP_CIPHER_SERVER_PREFERENCE", 27)) { + /* ^ */ + +#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE + return SSL_OP_CIPHER_SERVER_PREFERENCE; +#else + goto not_there; +#endif + + } + break; + case 'X': + if (!memcmp(name, "X509_V_FLAG_EXPLICIT_POLICY", 27)) { + /* ^ */ + +#ifdef X509_V_FLAG_EXPLICIT_POLICY + return X509_V_FLAG_EXPLICIT_POLICY; +#else + goto not_there; +#endif + + } + break; + case '_': + if (!memcmp(name, "OP_SSLEAY_080_CLIENT_DH_BUG", 27)) { + /* ^ */ + +#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG + return SSL_OP_SSLEAY_080_CLIENT_DH_BUG; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_V_ERR_CA_KEY_TOO_SMALL", 27)) { + /* ^ */ + +#ifdef X509_V_ERR_CA_KEY_TOO_SMALL + return X509_V_ERR_CA_KEY_TOO_SMALL; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_V_ERR_EE_KEY_TOO_SMALL", 27)) { + /* ^ */ + +#ifdef X509_V_ERR_EE_KEY_TOO_SMALL + return X509_V_ERR_EE_KEY_TOO_SMALL; +#else + goto not_there; +#endif + + } + break; + case 'c': + if (!memcmp(name, "NID_netscape_cert_extension", 27)) { + /* ^ */ + +#ifdef NID_netscape_cert_extension + return NID_netscape_cert_extension; +#else + goto not_there; +#endif + + } + break; + case 'i': + if (!memcmp(name, "NID_crl_distribution_points", 27)) { + /* ^ */ + +#ifdef NID_crl_distribution_points + return NID_crl_distribution_points; +#else + goto not_there; +#endif + + } + break; + case 'l': + if (!memcmp(name, "NID_pkcs9_challengePassword", 27)) { + /* ^ */ + +#ifdef NID_pkcs9_challengePassword + return NID_pkcs9_challengePassword; +#else + goto not_there; +#endif + + } + break; + case 'r': + if (!memcmp(name, "NID_netscape_revocation_url", 27)) { + /* ^ */ + +#ifdef NID_netscape_revocation_url + return NID_netscape_revocation_url; +#else + goto not_there; +#endif + + } + break; + } + break; + case 28: + /* Names all of length 28. 
*/ + /* F_SSL_USE_RSAPRIVATEKEY_ASN1 F_SSL_USE_RSAPRIVATEKEY_FILE + NID_authority_key_identifier NID_netscape_ssl_server_name + NID_pbe_WithSHA1And128BitRC4 NID_pkcs7_signedAndEnveloped + NID_private_key_usage_period SESS_CACHE_NO_INTERNAL_STORE + SSL3_MT_ENCRYPTED_EXTENSIONS X509_CHECK_FLAG_NO_WILDCARDS + X509_V_ERR_CRL_NOT_YET_VALID X509_V_ERR_HOSTNAME_MISMATCH + X509_V_ERR_INVALID_EXTENSION X509_V_ERR_OCSP_CERT_UNKNOWN + X509_V_ERR_UNABLE_TO_GET_CRL X509_V_ERR_UNNESTED_RESOURCE */ + /* Offset 11 gives the best switch position. */ + switch (name[11]) { + case 'C': + if (!memcmp(name, "X509_V_ERR_CRL_NOT_YET_VALID", 28)) { + /* ^ */ + +#ifdef X509_V_ERR_CRL_NOT_YET_VALID + return X509_V_ERR_CRL_NOT_YET_VALID; +#else + goto not_there; +#endif + + } + break; + case 'F': + if (!memcmp(name, "X509_CHECK_FLAG_NO_WILDCARDS", 28)) { + /* ^ */ + +#ifdef X509_CHECK_FLAG_NO_WILDCARDS + return X509_CHECK_FLAG_NO_WILDCARDS; +#else + goto not_there; +#endif + + } + break; + case 'H': + if (!memcmp(name, "X509_V_ERR_HOSTNAME_MISMATCH", 28)) { + /* ^ */ + +#ifdef X509_V_ERR_HOSTNAME_MISMATCH + return X509_V_ERR_HOSTNAME_MISMATCH; +#else + goto not_there; +#endif + + } + break; + case 'I': + if (!memcmp(name, "X509_V_ERR_INVALID_EXTENSION", 28)) { + /* ^ */ + +#ifdef X509_V_ERR_INVALID_EXTENSION + return X509_V_ERR_INVALID_EXTENSION; +#else + goto not_there; +#endif + + } + break; + case 'N': + if (!memcmp(name, "SESS_CACHE_NO_INTERNAL_STORE", 28)) { + /* ^ */ + +#ifdef SSL_SESS_CACHE_NO_INTERNAL_STORE + return SSL_SESS_CACHE_NO_INTERNAL_STORE; +#else + goto not_there; +#endif + + } + break; + case 'O': + if (!memcmp(name, "X509_V_ERR_OCSP_CERT_UNKNOWN", 28)) { + /* ^ */ + +#ifdef X509_V_ERR_OCSP_CERT_UNKNOWN + return X509_V_ERR_OCSP_CERT_UNKNOWN; +#else + goto not_there; +#endif + + } + break; + case 'R': + if (!memcmp(name, "SSL3_MT_ENCRYPTED_EXTENSIONS", 28)) { + /* ^ */ + +#ifdef SSL3_MT_ENCRYPTED_EXTENSIONS + return SSL3_MT_ENCRYPTED_EXTENSIONS; +#else + goto not_there; 
+#endif + + } + break; + case 'S': + if (!memcmp(name, "F_SSL_USE_RSAPRIVATEKEY_ASN1", 28)) { + /* ^ */ + +#ifdef SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 + return SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "F_SSL_USE_RSAPRIVATEKEY_FILE", 28)) { + /* ^ */ + +#ifdef SSL_F_SSL_USE_RSAPRIVATEKEY_FILE + return SSL_F_SSL_USE_RSAPRIVATEKEY_FILE; +#else + goto not_there; +#endif + + } + break; + case 'U': + if (!memcmp(name, "X509_V_ERR_UNABLE_TO_GET_CRL", 28)) { + /* ^ */ + +#ifdef X509_V_ERR_UNABLE_TO_GET_CRL + return X509_V_ERR_UNABLE_TO_GET_CRL; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_V_ERR_UNNESTED_RESOURCE", 28)) { + /* ^ */ + +#ifdef X509_V_ERR_UNNESTED_RESOURCE + return X509_V_ERR_UNNESTED_RESOURCE; +#else + goto not_there; +#endif + + } + break; + case '_': + if (!memcmp(name, "NID_private_key_usage_period", 28)) { + /* ^ */ + +#ifdef NID_private_key_usage_period + return NID_private_key_usage_period; +#else + goto not_there; +#endif + + } + break; + case 'e': + if (!memcmp(name, "NID_netscape_ssl_server_name", 28)) { + /* ^ */ + +#ifdef NID_netscape_ssl_server_name + return NID_netscape_ssl_server_name; +#else + goto not_there; +#endif + + } + break; + case 'h': + if (!memcmp(name, "NID_pbe_WithSHA1And128BitRC4", 28)) { + /* ^ */ + +#ifdef NID_pbe_WithSHA1And128BitRC4 + return NID_pbe_WithSHA1And128BitRC4; +#else + goto not_there; +#endif + + } + break; + case 'i': + if (!memcmp(name, "NID_pkcs7_signedAndEnveloped", 28)) { + /* ^ */ + +#ifdef NID_pkcs7_signedAndEnveloped + return NID_pkcs7_signedAndEnveloped; +#else + goto not_there; +#endif + + } + break; + case 't': + if (!memcmp(name, "NID_authority_key_identifier", 28)) { + /* ^ */ + +#ifdef NID_authority_key_identifier + return NID_authority_key_identifier; +#else + goto not_there; +#endif + + } + break; + } + break; + case 29: + /* Names all of length 29. 
*/ + /* NID_pkcs9_unstructuredAddress OCSP_RESPONSE_STATUS_TRYLATER + OP_MICROSOFT_BIG_SSLV3_BUFFER R_SSL_SESSION_ID_IS_DIFFERENT + SESS_CACHE_NO_INTERNAL_LOOKUP X509_V_ERR_AKID_SKID_MISMATCH + X509_V_ERR_CERT_NOT_YET_VALID X509_V_ERR_EXCLUDED_VIOLATION + X509_V_ERR_NO_EXPLICIT_POLICY X509_V_ERR_OCSP_VERIFY_FAILED + X509_V_ERR_OCSP_VERIFY_NEEDED X509_V_FLAG_ALLOW_PROXY_CERTS */ + /* Offset 16 gives the best switch position. */ + switch (name[16]) { + case 'A': + if (!memcmp(name, "OCSP_RESPONSE_STATUS_TRYLATER", 29)) { + /* ^ */ + +#ifdef OCSP_RESPONSE_STATUS_TRYLATER + return OCSP_RESPONSE_STATUS_TRYLATER; +#else + goto not_there; +#endif + + } + break; + case 'D': + if (!memcmp(name, "X509_V_ERR_EXCLUDED_VIOLATION", 29)) { + /* ^ */ + +#ifdef X509_V_ERR_EXCLUDED_VIOLATION + return X509_V_ERR_EXCLUDED_VIOLATION; +#else + goto not_there; +#endif + + } + break; + case 'N': + if (!memcmp(name, "X509_V_ERR_CERT_NOT_YET_VALID", 29)) { + /* ^ */ + +#ifdef X509_V_ERR_CERT_NOT_YET_VALID + return X509_V_ERR_CERT_NOT_YET_VALID; +#else + goto not_there; +#endif + + } + break; + case 'P': + if (!memcmp(name, "X509_V_ERR_NO_EXPLICIT_POLICY", 29)) { + /* ^ */ + +#ifdef X509_V_ERR_NO_EXPLICIT_POLICY + return X509_V_ERR_NO_EXPLICIT_POLICY; +#else + goto not_there; +#endif + + } + break; + case 'S': + if (!memcmp(name, "X509_V_ERR_AKID_SKID_MISMATCH", 29)) { + /* ^ */ + +#ifdef X509_V_ERR_AKID_SKID_MISMATCH + return X509_V_ERR_AKID_SKID_MISMATCH; +#else + goto not_there; +#endif + + } + break; + case 'T': + if (!memcmp(name, "SESS_CACHE_NO_INTERNAL_LOOKUP", 29)) { + /* ^ */ + +#ifdef SSL_SESS_CACHE_NO_INTERNAL_LOOKUP + return SSL_SESS_CACHE_NO_INTERNAL_LOOKUP; +#else + goto not_there; +#endif + + } + break; + case 'V': + if (!memcmp(name, "X509_V_ERR_OCSP_VERIFY_FAILED", 29)) { + /* ^ */ + +#ifdef X509_V_ERR_OCSP_VERIFY_FAILED + return X509_V_ERR_OCSP_VERIFY_FAILED; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_V_ERR_OCSP_VERIFY_NEEDED", 29)) { + /* ^ */ + 
+#ifdef X509_V_ERR_OCSP_VERIFY_NEEDED + return X509_V_ERR_OCSP_VERIFY_NEEDED; +#else + goto not_there; +#endif + + } + break; + case 'W': + if (!memcmp(name, "X509_V_FLAG_ALLOW_PROXY_CERTS", 29)) { + /* ^ */ + +#ifdef X509_V_FLAG_ALLOW_PROXY_CERTS + return X509_V_FLAG_ALLOW_PROXY_CERTS; +#else + goto not_there; +#endif + + } + break; + case '_': + if (!memcmp(name, "OP_MICROSOFT_BIG_SSLV3_BUFFER", 29)) { + /* ^ */ + +#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER + return SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "R_SSL_SESSION_ID_IS_DIFFERENT", 29)) { + /* ^ */ + +#ifdef SSL_R_SSL_SESSION_ID_IS_DIFFERENT + return SSL_R_SSL_SESSION_ID_IS_DIFFERENT; +#else + goto not_there; +#endif + + } + break; + case 'c': + if (!memcmp(name, "NID_pkcs9_unstructuredAddress", 29)) { + /* ^ */ + +#ifdef NID_pkcs9_unstructuredAddress + return NID_pkcs9_unstructuredAddress; +#else + goto not_there; +#endif + + } + break; + } + break; + case 30: + /* Names all of length 30. */ + /* NID_netscape_ca_revocation_url OP_DONT_INSERT_EMPTY_FRAGMENTS + OP_SSLREF2_REUSE_CERT_TYPE_BUG R_UNABLE_TO_EXTRACT_PUBLIC_KEY + X509_V_ERR_CERT_CHAIN_TOO_LONG X509_V_ERR_DIFFERENT_CRL_SCOPE + X509_V_ERR_IP_ADDRESS_MISMATCH X509_V_ERR_PERMITTED_VIOLATION + X509_V_FLAG_CHECK_SS_SIGNATURE */ + /* Offset 24 gives the best switch position. 
*/ + switch (name[24]) { + case 'G': + if (!memcmp(name, "OP_DONT_INSERT_EMPTY_FRAGMENTS", 30)) { + /* ^ */ + +#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS + return SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; +#else + goto not_there; +#endif + + } + break; + case 'I': + if (!memcmp(name, "R_UNABLE_TO_EXTRACT_PUBLIC_KEY", 30)) { + /* ^ */ + +#ifdef SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY + return SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY; +#else + goto not_there; +#endif + + } + break; + case 'L': + if (!memcmp(name, "X509_V_ERR_PERMITTED_VIOLATION", 30)) { + /* ^ */ + +#ifdef X509_V_ERR_PERMITTED_VIOLATION + return X509_V_ERR_PERMITTED_VIOLATION; +#else + goto not_there; +#endif + + } + break; + case 'N': + if (!memcmp(name, "X509_V_FLAG_CHECK_SS_SIGNATURE", 30)) { + /* ^ */ + +#ifdef X509_V_FLAG_CHECK_SS_SIGNATURE + return X509_V_FLAG_CHECK_SS_SIGNATURE; +#else + goto not_there; +#endif + + } + break; + case 'O': + if (!memcmp(name, "X509_V_ERR_CERT_CHAIN_TOO_LONG", 30)) { + /* ^ */ + +#ifdef X509_V_ERR_CERT_CHAIN_TOO_LONG + return X509_V_ERR_CERT_CHAIN_TOO_LONG; +#else + goto not_there; +#endif + + } + break; + case 'P': + if (!memcmp(name, "OP_SSLREF2_REUSE_CERT_TYPE_BUG", 30)) { + /* ^ */ + +#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG + return SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG; +#else + goto not_there; +#endif + + } + break; + case 'S': + if (!memcmp(name, "X509_V_ERR_IP_ADDRESS_MISMATCH", 30)) { + /* ^ */ + +#ifdef X509_V_ERR_IP_ADDRESS_MISMATCH + return X509_V_ERR_IP_ADDRESS_MISMATCH; +#else + goto not_there; +#endif + + } + break; + case '_': + if (!memcmp(name, "X509_V_ERR_DIFFERENT_CRL_SCOPE", 30)) { + /* ^ */ + +#ifdef X509_V_ERR_DIFFERENT_CRL_SCOPE + return X509_V_ERR_DIFFERENT_CRL_SCOPE; +#else + goto not_there; +#endif + + } + break; + case 'o': + if (!memcmp(name, "NID_netscape_ca_revocation_url", 30)) { + /* ^ */ + +#ifdef NID_netscape_ca_revocation_url + return NID_netscape_ca_revocation_url; +#else + goto not_there; +#endif + + } + break; + } + break; + case 31: + /* 
Names all of length 31. */ + /* MIN_RSA_MODULUS_LENGTH_IN_BYTES MODE_ACCEPT_MOVING_WRITE_BUFFER + NID_pbe_WithSHA1And40BitRC2_CBC OCSP_RESPONSE_STATUS_SUCCESSFUL + X509_V_ERR_KEYUSAGE_NO_CERTSIGN X509_V_ERR_KEYUSAGE_NO_CRL_SIGN + X509_V_ERR_PATH_LENGTH_EXCEEDED X509_V_FLAG_SUITEB_128_LOS_ONLY */ + /* Offset 30 gives the best switch position. */ + switch (name[30]) { + case 'C': + if (!memcmp(name, "NID_pbe_WithSHA1And40BitRC2_CB", 30)) { + /* C */ + +#ifdef NID_pbe_WithSHA1And40BitRC2_CBC + return NID_pbe_WithSHA1And40BitRC2_CBC; +#else + goto not_there; +#endif + + } + break; + case 'D': + if (!memcmp(name, "X509_V_ERR_PATH_LENGTH_EXCEEDE", 30)) { + /* D */ + +#ifdef X509_V_ERR_PATH_LENGTH_EXCEEDED + return X509_V_ERR_PATH_LENGTH_EXCEEDED; +#else + goto not_there; +#endif + + } + break; + case 'L': + if (!memcmp(name, "OCSP_RESPONSE_STATUS_SUCCESSFU", 30)) { + /* L */ + +#ifdef OCSP_RESPONSE_STATUS_SUCCESSFUL + return OCSP_RESPONSE_STATUS_SUCCESSFUL; +#else + goto not_there; +#endif + + } + break; + case 'N': + if (!memcmp(name, "X509_V_ERR_KEYUSAGE_NO_CERTSIG", 30)) { + /* N */ + +#ifdef X509_V_ERR_KEYUSAGE_NO_CERTSIGN + return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; +#else + goto not_there; +#endif + + } + if (!memcmp(name, "X509_V_ERR_KEYUSAGE_NO_CRL_SIG", 30)) { + /* N */ + +#ifdef X509_V_ERR_KEYUSAGE_NO_CRL_SIGN + return X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; +#else + goto not_there; +#endif + + } + break; + case 'R': + if (!memcmp(name, "MODE_ACCEPT_MOVING_WRITE_BUFFE", 30)) { + /* R */ + +#ifdef SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER + return SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER; +#else + goto not_there; +#endif + + } + break; + case 'S': + if (!memcmp(name, "MIN_RSA_MODULUS_LENGTH_IN_BYTE", 30)) { + /* S */ + +#ifdef SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES + return SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES; +#else + goto not_there; +#endif + + } + break; + case 'Y': + if (!memcmp(name, "X509_V_FLAG_SUITEB_128_LOS_ONL", 30)) { + /* Y */ + +#ifdef X509_V_FLAG_SUITEB_128_LOS_ONLY + 
return X509_V_FLAG_SUITEB_128_LOS_ONLY; +#else + goto not_there; +#endif + + } + break; + } + break; + case 32: + /* Names all of length 32. */ + /* NID_pbe_WithSHA1And128BitRC2_CBC OCSP_RESPONSE_STATUS_SIGREQUIRED + X509_V_ERR_CRL_SIGNATURE_FAILURE X509_V_ERR_SUITE_B_INVALID_CURVE + X509_V_FLAG_EXTENDED_CRL_SUPPORT */ + /* Offset 25 gives the best switch position. */ + switch (name[25]) { + case 'D': + if (!memcmp(name, "X509_V_ERR_SUITE_B_INVALID_CURVE", 32)) { + /* ^ */ + +#ifdef X509_V_ERR_SUITE_B_INVALID_CURVE + return X509_V_ERR_SUITE_B_INVALID_CURVE; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "OCSP_RESPONSE_STATUS_SIGREQUIRED", 32)) { + /* ^ */ + +#ifdef OCSP_RESPONSE_STATUS_SIGREQUIRED + return OCSP_RESPONSE_STATUS_SIGREQUIRED; +#else + goto not_there; +#endif + + } + break; + case 'F': + if (!memcmp(name, "X509_V_ERR_CRL_SIGNATURE_FAILURE", 32)) { + /* ^ */ + +#ifdef X509_V_ERR_CRL_SIGNATURE_FAILURE + return X509_V_ERR_CRL_SIGNATURE_FAILURE; +#else + goto not_there; +#endif + + } + break; + case 'R': + if (!memcmp(name, "NID_pbe_WithSHA1And128BitRC2_CBC", 32)) { + /* ^ */ + +#ifdef NID_pbe_WithSHA1And128BitRC2_CBC + return NID_pbe_WithSHA1And128BitRC2_CBC; +#else + goto not_there; +#endif + + } + break; + case 'S': + if (!memcmp(name, "X509_V_FLAG_EXTENDED_CRL_SUPPORT", 32)) { + /* ^ */ + +#ifdef X509_V_FLAG_EXTENDED_CRL_SUPPORT + return X509_V_FLAG_EXTENDED_CRL_SUPPORT; +#else + goto not_there; +#endif + + } + break; + } + break; + case 33: + /* Names all of length 33. */ + /* OCSP_RESPONSE_STATUS_UNAUTHORIZED X509_V_ERR_CERT_SIGNATURE_FAILURE */ + /* Offset 32 gives the best switch position. 
*/ + switch (name[32]) { + case 'D': + if (!memcmp(name, "OCSP_RESPONSE_STATUS_UNAUTHORIZE", 32)) { + /* D */ + +#ifdef OCSP_RESPONSE_STATUS_UNAUTHORIZED + return OCSP_RESPONSE_STATUS_UNAUTHORIZED; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "X509_V_ERR_CERT_SIGNATURE_FAILUR", 32)) { + /* E */ + +#ifdef X509_V_ERR_CERT_SIGNATURE_FAILURE + return X509_V_ERR_CERT_SIGNATURE_FAILURE; +#else + goto not_there; +#endif + + } + break; + } + break; + case 34: + /* Names all of length 34. */ + /* OCSP_RESPONSE_STATUS_INTERNALERROR OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG + X509_V_ERR_SUBJECT_ISSUER_MISMATCH X509_V_ERR_SUITE_B_INVALID_VERSION + X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED X509_V_ERR_UNSUPPORTED_NAME_SYNTAX */ + /* Offset 24 gives the best switch position. */ + switch (name[24]) { + case 'A': + if (!memcmp(name, "X509_V_ERR_UNSUPPORTED_NAME_SYNTAX", 34)) { + /* ^ */ + +#ifdef X509_V_ERR_UNSUPPORTED_NAME_SYNTAX + return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; +#else + goto not_there; +#endif + + } + break; + case 'C': + if (!memcmp(name, "OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG", 34)) { + /* ^ */ + +#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG + return SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "OCSP_RESPONSE_STATUS_INTERNALERROR", 34)) { + /* ^ */ + +#ifdef OCSP_RESPONSE_STATUS_INTERNALERROR + return OCSP_RESPONSE_STATUS_INTERNALERROR; +#else + goto not_there; +#endif + + } + break; + case 'I': + if (!memcmp(name, "X509_V_ERR_SUITE_B_INVALID_VERSION", 34)) { + /* ^ */ + +#ifdef X509_V_ERR_SUITE_B_INVALID_VERSION + return X509_V_ERR_SUITE_B_INVALID_VERSION; +#else + goto not_there; +#endif + + } + break; + case 'O': + if (!memcmp(name, "X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED", 34)) { + /* ^ */ + +#ifdef X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED + return X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED; +#else + goto not_there; +#endif + + } + break; + case 'R': + if (!memcmp(name, 
"X509_V_ERR_SUBJECT_ISSUER_MISMATCH", 34)) { + /* ^ */ + +#ifdef X509_V_ERR_SUBJECT_ISSUER_MISMATCH + return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; +#else + goto not_there; +#endif + + } + break; + } + break; + case 35: + /* Names all of length 35. */ + /* OPENSSL_INFO_DIR_FILENAME_SEPARATOR OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG + R_PEER_DID_NOT_RETURN_A_CERTIFICATE X509_CHECK_FLAG_NEVER_CHECK_SUBJECT + X509_V_ERR_APPLICATION_VERIFICATION X509_V_ERR_INVALID_POLICY_EXTENSION + X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER _NET_SSLEAY_TEST_UNDEFINED_CONSTANT + */ + /* Offset 29 gives the best switch position. */ + switch (name[29]) { + case 'A': + if (!memcmp(name, "OPENSSL_INFO_DIR_FILENAME_SEPARATOR", 35)) { + /* ^ */ + +#ifdef OPENSSL_INFO_DIR_FILENAME_SEPARATOR + return OPENSSL_INFO_DIR_FILENAME_SEPARATOR; +#else + goto not_there; +#endif + + } + break; + case 'C': + if (!memcmp(name, "X509_V_ERR_APPLICATION_VERIFICATION", 35)) { + /* ^ */ + +#ifdef X509_V_ERR_APPLICATION_VERIFICATION + return X509_V_ERR_APPLICATION_VERIFICATION; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "X509_V_ERR_INVALID_POLICY_EXTENSION", 35)) { + /* ^ */ + +#ifdef X509_V_ERR_INVALID_POLICY_EXTENSION + return X509_V_ERR_INVALID_POLICY_EXTENSION; +#else + goto not_there; +#endif + + } + break; + case 'F': + if (!memcmp(name, "R_PEER_DID_NOT_RETURN_A_CERTIFICATE", 35)) { + /* ^ */ + +#ifdef SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE + return SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE; +#else + goto not_there; +#endif + + } + break; + case 'G': + if (!memcmp(name, "OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG", 35)) { + /* ^ */ + +#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG + return SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG; +#else + goto not_there; +#endif + + } + break; + case 'I': + if (!memcmp(name, "X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER", 35)) { + /* ^ */ + +#ifdef X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER + return X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; +#else + goto not_there; +#endif + + } 
+ break; + case 'N': + if (!memcmp(name, "_NET_SSLEAY_TEST_UNDEFINED_CONSTANT", 35)) { + /* ^ */ + +#ifdef _NET_SSLEAY_TEST_UNDEFINED_CONSTANT + return _NET_SSLEAY_TEST_UNDEFINED_CONSTANT; +#else + goto not_there; +#endif + + } + break; + case 'U': + if (!memcmp(name, "X509_CHECK_FLAG_NEVER_CHECK_SUBJECT", 35)) { + /* ^ */ + +#ifdef X509_CHECK_FLAG_NEVER_CHECK_SUBJECT + return X509_CHECK_FLAG_NEVER_CHECK_SUBJECT; +#else + goto not_there; +#endif + + } + break; + } + break; + case 36: + /* Names all of length 36. */ + /* OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION + X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT + X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS + X509_V_ERR_CRL_PATH_VALIDATION_ERROR + X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN + X509_V_ERR_SUITE_B_INVALID_ALGORITHM + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT */ + /* Offset 25 gives the best switch position. */ + switch (name[25]) { + case 'A': + if (!memcmp(name, "X509_V_ERR_CRL_PATH_VALIDATION_ERROR", 36)) { + /* ^ */ + +#ifdef X509_V_ERR_CRL_PATH_VALIDATION_ERROR + return X509_V_ERR_CRL_PATH_VALIDATION_ERROR; +#else + goto not_there; +#endif + + } + break; + case 'D': + if (!memcmp(name, "X509_V_ERR_SUITE_B_INVALID_ALGORITHM", 36)) { + /* ^ */ + +#ifdef X509_V_ERR_SUITE_B_INVALID_ALGORITHM + return X509_V_ERR_SUITE_B_INVALID_ALGORITHM; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT", 36)) { + /* ^ */ + +#ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT + return X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT; +#else + goto not_there; +#endif + + } + break; + case 'I': + if (!memcmp(name, "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT", 36)) { + /* ^ */ + +#ifdef X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT + return X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; +#else + goto not_there; +#endif + + } + break; + case 'L': + if (!memcmp(name, "X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS", 36)) { + /* ^ */ + +#ifdef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS + return X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; +#else + goto 
not_there; +#endif + + } + break; + case 'N': + if (!memcmp(name, "OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION", 36)) { + /* ^ */ + +#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION + return SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; +#else + goto not_there; +#endif + + } + break; + case 'R': + if (!memcmp(name, "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN", 36)) { + /* ^ */ + +#ifdef X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN + return X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; +#else + goto not_there; +#endif + + } + break; + } + break; + case 37: + /* Names all of length 37. */ + /* OCSP_RESPONSE_STATUS_MALFORMEDREQUEST + X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS + X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED */ + /* Offset 31 gives the best switch position. */ + switch (name[31]) { + case 'C': + if (!memcmp(name, "X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED", 37)) { + /* ^ */ + +#ifdef X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED + return X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; +#else + goto not_there; +#endif + + } + break; + case 'D': + if (!memcmp(name, "X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS", 37)) { + /* ^ */ + +#ifdef X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS + return X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "OCSP_RESPONSE_STATUS_MALFORMEDREQUEST", 37)) { + /* ^ */ + +#ifdef OCSP_RESPONSE_STATUS_MALFORMEDREQUEST + return OCSP_RESPONSE_STATUS_MALFORMEDREQUEST; +#else + goto not_there; +#endif + + } + break; + } + break; + case 38: + /* Names all of length 38. */ + /* NID_pbe_WithSHA1And2_Key_TripleDES_CBC + NID_pbe_WithSHA1And3_Key_TripleDES_CBC + X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH + X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT + X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE */ + /* Offset 19 gives the best switch position. 
*/ + switch (name[19]) { + case '2': + if (!memcmp(name, "NID_pbe_WithSHA1And2_Key_TripleDES_CBC", 38)) { + /* ^ */ + +#ifdef NID_pbe_WithSHA1And2_Key_TripleDES_CBC + return NID_pbe_WithSHA1And2_Key_TripleDES_CBC; +#else + goto not_there; +#endif + + } + break; + case '3': + if (!memcmp(name, "NID_pbe_WithSHA1And3_Key_TripleDES_CBC", 38)) { + /* ^ */ + +#ifdef NID_pbe_WithSHA1And3_Key_TripleDES_CBC + return NID_pbe_WithSHA1And3_Key_TripleDES_CBC; +#else + goto not_there; +#endif + + } + break; + case 'R': + if (!memcmp(name, "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT", 38)) { + /* ^ */ + +#ifdef X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT + return X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; +#else + goto not_there; +#endif + + } + break; + case 'T': + if (!memcmp(name, "X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE", 38)) { + /* ^ */ + +#ifdef X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE + return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE; +#else + goto not_there; +#endif + + } + break; + case 'U': + if (!memcmp(name, "X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH", 38)) { + /* ^ */ + +#ifdef X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH + return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; +#else + goto not_there; +#endif + + } + break; + } + break; + case 39: + /* Names all of length 39. */ + /* X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS + X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION + X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION */ + /* Offset 26 gives the best switch position. 
*/ + switch (name[26]) { + case 'A': + if (!memcmp(name, "X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION", 39)) { + /* ^ */ + +#ifdef X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION + return X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION; +#else + goto not_there; +#endif + + } + break; + case 'C': + if (!memcmp(name, "X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION", 39)) { + /* ^ */ + +#ifdef X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION + return X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS", 39)) { + /* ^ */ + +#ifdef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS + return X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS; +#else + goto not_there; +#endif + + } + break; + } + break; + case 40: + /* Names all of length 40. */ + /* X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD + X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE + X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX + X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE */ + /* Offset 26 gives the best switch position. 
*/ + switch (name[26]) { + case 'E': + if (!memcmp(name, "X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE", 40)) { + /* ^ */ + +#ifdef X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE + return X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE; +#else + goto not_there; +#endif + + } + break; + case 'I': + if (!memcmp(name, "X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE", 40)) { + /* ^ */ + +#ifdef X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE + return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE; +#else + goto not_there; +#endif + + } + break; + case 'O': + if (!memcmp(name, "X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD", 40)) { + /* ^ */ + +#ifdef X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD + return X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; +#else + goto not_there; +#endif + + } + break; + case 'S': + if (!memcmp(name, "X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX", 40)) { + /* ^ */ + +#ifdef X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX + return X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX; +#else + goto not_there; +#endif + + } + break; + } + break; + case 41: + /* Names all of length 41. */ + /* OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION + R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE + X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD + X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD + X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD + X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED */ + /* Offset 26 gives the best switch position. 
*/ + switch (name[26]) { + case 'E': + if (!memcmp(name, "R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE", 41)) { + /* ^ */ + +#ifdef SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE + return SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE; +#else + goto not_there; +#endif + + } + break; + case 'N': + if (!memcmp(name, "OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION", 41)) { + /* ^ */ + +#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION + return SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION; +#else + goto not_there; +#endif + + } + break; + case 'O': + if (!memcmp(name, "X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD", 41)) { + /* ^ */ + +#ifdef X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD + return X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; +#else + goto not_there; +#endif + + } + break; + case 'S': + if (!memcmp(name, "X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD", 41)) { + /* ^ */ + +#ifdef X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD + return X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; +#else + goto not_there; +#endif + + } + break; + case 'T': + if (!memcmp(name, "X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED", 41)) { + /* ^ */ + +#ifdef X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED + return X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; +#else + goto not_there; +#endif + + } + break; + case 'X': + if (!memcmp(name, "X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD", 41)) { + /* ^ */ + +#ifdef X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD + return X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; +#else + goto not_there; +#endif + + } + break; + } + break; + case 42: + /* Names all of length 42. */ + /* X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE + X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE */ + /* Offset 29 gives the best switch position. 
*/ + switch (name[29]) { + case 'C': + if (!memcmp(name, "X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE", 42)) { + /* ^ */ + +#ifdef X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE + return X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE; +#else + goto not_there; +#endif + + } + break; + case 'E': + if (!memcmp(name, "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE", 42)) { + /* ^ */ + +#ifdef X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE + return X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; +#else + goto not_there; +#endif + + } + break; + } + break; + case 43: + /* Names all of length 43. */ + /* X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE + X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION */ + /* Offset 14 gives the best switch position. */ + switch (name[14]) { + case 'A': + if (!memcmp(name, "X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION", 43)) { + /* ^ */ + +#ifdef X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION + return X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; +#else + goto not_there; +#endif + + } + break; + case 'B': + if (!memcmp(name, "X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE", 43)) { + /* ^ */ + +#ifdef X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE + return X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE; +#else + goto not_there; +#endif + + } + break; + } + break; + case 44: + if (!memcmp(name, "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY", 44)) { + +#ifdef X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY + return X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; +#else + goto not_there; +#endif + + } + break; + case 45: + if (!memcmp(name, "X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY", 45)) { + +#ifdef X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY + return X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; +#else + goto not_there; +#endif + + } + break; + case 46: + if (!memcmp(name, "X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM", 46)) { + +#ifdef X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM + return X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM; +#else + goto not_there; +#endif + + } + 
break; + case 47: + if (!memcmp(name, "X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256", 47)) { + +#ifdef X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 + return X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256; +#else + goto not_there; +#endif + + } + break; + } + + errno = EINVAL; + return 0; + +not_there: + errno = ENOENT; + return 0; + +} diff --git a/cpan/Net-SSLeay/helper_script/constants.txt b/cpan/Net-SSLeay/helper_script/constants.txt new file mode 100644 index 000000000000..d44c20a5d7ef --- /dev/null +++ b/cpan/Net-SSLeay/helper_script/constants.txt 
@@ -0,0 +1,618 @@
+# These libssl/libcrypto constants will be exported by Net::SSLeay. Constants
+# whose names begin with "SSL_" will have this prefix removed when they are
+# exported; for example, SSL_CB_EXIT will become Net::SSLeay::CB_EXIT().
+#
+# Constants should be listed on separate lines and in lexicographical order.
+#
+# After changing the list below, run helper_script/update-exported-constants.
+# This script will:
+# - generate a new version of constants.c;
+# - generate a new test file at t/local/21_constants.t;
+# - update the list of exported constants in lib/Net/SSLeay.pm;
+# - update the constants list in the "Constants" section of lib/Net/SSLeay.pod.
+
+ASN1_STRFLGS_ESC_CTRL
+ASN1_STRFLGS_ESC_MSB
+ASN1_STRFLGS_ESC_QUOTE
+ASN1_STRFLGS_RFC2253
+EVP_PKS_DSA
+EVP_PKS_EC
+EVP_PKS_RSA
+EVP_PKT_ENC
+EVP_PKT_EXCH
+EVP_PKT_EXP
+EVP_PKT_SIGN
+EVP_PK_DH
+EVP_PK_DSA
+EVP_PK_EC
+EVP_PK_RSA
+GEN_DIRNAME
+GEN_DNS
+GEN_EDIPARTY
+GEN_EMAIL
+GEN_IPADD
+GEN_OTHERNAME
+GEN_RID
+GEN_URI
+GEN_X400
+LIBRESSL_VERSION_NUMBER
+MBSTRING_ASC
+MBSTRING_BMP
+MBSTRING_FLAG
+MBSTRING_UNIV
+MBSTRING_UTF8
+NID_OCSP_sign
+NID_SMIMECapabilities
+NID_X500
+NID_X509
+NID_ad_OCSP
+NID_ad_ca_issuers
+NID_algorithm
+NID_authority_key_identifier
+NID_basic_constraints
+NID_bf_cbc
+NID_bf_cfb64
+NID_bf_ecb
+NID_bf_ofb64
+NID_cast5_cbc
+NID_cast5_cfb64
+NID_cast5_ecb
+NID_cast5_ofb64
+NID_certBag
+NID_certificate_policies
+NID_client_auth
+NID_code_sign
+NID_commonName
+NID_countryName
+NID_crlBag
+NID_crl_distribution_points
+NID_crl_number
+NID_crl_reason
+NID_delta_crl
+NID_des_cbc
+NID_des_cfb64
+NID_des_ecb
+NID_des_ede
+NID_des_ede3
+NID_des_ede3_cbc
+NID_des_ede3_cfb64
+NID_des_ede3_ofb64
+NID_des_ede_cbc
+NID_des_ede_cfb64
+NID_des_ede_ofb64
+NID_des_ofb64
+NID_description
+NID_desx_cbc
+NID_dhKeyAgreement
+NID_dnQualifier
+NID_dsa
+NID_dsaWithSHA
+NID_dsaWithSHA1
+NID_dsaWithSHA1_2
+NID_dsa_2
+NID_email_protect
+NID_ext_key_usage
+NID_ext_req
+NID_friendlyName
+NID_givenName
+NID_hmacWithSHA1
+NID_id_ad
+NID_id_ce
+NID_id_kp
+NID_id_pbkdf2
+NID_id_pe
+NID_id_pkix
+NID_id_qt_cps
+NID_id_qt_unotice
+NID_idea_cbc
+NID_idea_cfb64
+NID_idea_ecb
+NID_idea_ofb64
+NID_info_access
+NID_initials
+NID_invalidity_date
+NID_issuer_alt_name
+NID_keyBag
+NID_key_usage
+NID_localKeyID
+NID_localityName
+NID_md2
+NID_md2WithRSAEncryption
+NID_md5
+NID_md5WithRSA
+NID_md5WithRSAEncryption
+NID_md5_sha1
+NID_mdc2
+NID_mdc2WithRSA
+NID_ms_code_com
+NID_ms_code_ind
+NID_ms_ctl_sign
+NID_ms_efs
+NID_ms_ext_req
+NID_ms_sgc
+NID_name
+NID_netscape
+NID_netscape_base_url
+NID_netscape_ca_policy_url
+NID_netscape_ca_revocation_url
+NID_netscape_cert_extension
+NID_netscape_cert_sequence
+NID_netscape_cert_type
+NID_netscape_comment
+NID_netscape_data_type
+NID_netscape_renewal_url
+NID_netscape_revocation_url
+NID_netscape_ssl_server_name
+NID_ns_sgc
+NID_organizationName
+NID_organizationalUnitName
+NID_pbeWithMD2AndDES_CBC
+NID_pbeWithMD2AndRC2_CBC
+NID_pbeWithMD5AndCast5_CBC
+NID_pbeWithMD5AndDES_CBC
+NID_pbeWithMD5AndRC2_CBC
+NID_pbeWithSHA1AndDES_CBC
+NID_pbeWithSHA1AndRC2_CBC
+NID_pbe_WithSHA1And128BitRC2_CBC
+NID_pbe_WithSHA1And128BitRC4
+NID_pbe_WithSHA1And2_Key_TripleDES_CBC
+NID_pbe_WithSHA1And3_Key_TripleDES_CBC
+NID_pbe_WithSHA1And40BitRC2_CBC
+NID_pbe_WithSHA1And40BitRC4
+NID_pbes2
+NID_pbmac1
+NID_pkcs
+NID_pkcs3
+NID_pkcs7
+NID_pkcs7_data
+NID_pkcs7_digest
+NID_pkcs7_encrypted
+NID_pkcs7_enveloped
+NID_pkcs7_signed
+NID_pkcs7_signedAndEnveloped
+NID_pkcs8ShroudedKeyBag
+NID_pkcs9
+NID_pkcs9_challengePassword
+NID_pkcs9_contentType
+NID_pkcs9_countersignature
+NID_pkcs9_emailAddress
+NID_pkcs9_extCertAttributes
+NID_pkcs9_messageDigest
+NID_pkcs9_signingTime
+NID_pkcs9_unstructuredAddress
+NID_pkcs9_unstructuredName
+NID_private_key_usage_period
+NID_rc2_40_cbc
+NID_rc2_64_cbc
+NID_rc2_cbc
+NID_rc2_cfb64
+NID_rc2_ecb
+NID_rc2_ofb64
+NID_rc4
+NID_rc4_40
+NID_rc5_cbc
+NID_rc5_cfb64
+NID_rc5_ecb
+NID_rc5_ofb64
+NID_ripemd160
+NID_ripemd160WithRSA
+NID_rle_compression
+NID_rsa
+NID_rsaEncryption
+NID_rsadsi
+NID_safeContentsBag
+NID_sdsiCertificate
+NID_secretBag
+NID_serialNumber
+NID_server_auth
+NID_sha
+NID_sha1
+NID_sha1WithRSA
+NID_sha1WithRSAEncryption
+NID_shaWithRSAEncryption
+NID_stateOrProvinceName
+NID_subject_alt_name
+NID_subject_key_identifier
+NID_surname
+NID_sxnet
+NID_time_stamp
+NID_title
+NID_undef
+NID_uniqueIdentifier
+NID_x509Certificate
+NID_x509Crl
+NID_zlib_compression
+OCSP_RESPONSE_STATUS_INTERNALERROR
+OCSP_RESPONSE_STATUS_MALFORMEDREQUEST
+OCSP_RESPONSE_STATUS_SIGREQUIRED
+OCSP_RESPONSE_STATUS_SUCCESSFUL
+OCSP_RESPONSE_STATUS_TRYLATER
+OCSP_RESPONSE_STATUS_UNAUTHORIZED
+OPENSSL_BUILT_ON
+OPENSSL_CFLAGS
+OPENSSL_CPU_INFO
+OPENSSL_DIR
+OPENSSL_ENGINES_DIR
+OPENSSL_FULL_VERSION_STRING
+OPENSSL_INFO_CONFIG_DIR
+OPENSSL_INFO_CPU_SETTINGS
+OPENSSL_INFO_DIR_FILENAME_SEPARATOR
+OPENSSL_INFO_DSO_EXTENSION
+OPENSSL_INFO_ENGINES_DIR
+OPENSSL_INFO_LIST_SEPARATOR
+OPENSSL_INFO_MODULES_DIR
+OPENSSL_INFO_SEED_SOURCE
+OPENSSL_MODULES_DIR
+OPENSSL_PLATFORM
+OPENSSL_VERSION
+OPENSSL_VERSION_MAJOR
+OPENSSL_VERSION_MINOR
+OPENSSL_VERSION_NUMBER
+OPENSSL_VERSION_PATCH
+OPENSSL_VERSION_STRING
+RSA_3
+RSA_F4
+SSL2_MT_CLIENT_CERTIFICATE
+SSL2_MT_CLIENT_FINISHED
+SSL2_MT_CLIENT_HELLO
+SSL2_MT_CLIENT_MASTER_KEY
+SSL2_MT_ERROR
+SSL2_MT_REQUEST_CERTIFICATE
+SSL2_MT_SERVER_FINISHED
+SSL2_MT_SERVER_HELLO
+SSL2_MT_SERVER_VERIFY
+SSL2_VERSION
+SSL3_MT_CCS
+SSL3_MT_CERTIFICATE
+SSL3_MT_CERTIFICATE_REQUEST
+SSL3_MT_CERTIFICATE_STATUS
+SSL3_MT_CERTIFICATE_URL
+SSL3_MT_CERTIFICATE_VERIFY
+SSL3_MT_CHANGE_CIPHER_SPEC
+SSL3_MT_CLIENT_HELLO
+SSL3_MT_CLIENT_KEY_EXCHANGE
+SSL3_MT_ENCRYPTED_EXTENSIONS
+SSL3_MT_END_OF_EARLY_DATA
+SSL3_MT_FINISHED
+SSL3_MT_HELLO_REQUEST
+SSL3_MT_KEY_UPDATE
+SSL3_MT_MESSAGE_HASH
+SSL3_MT_NEWSESSION_TICKET
+SSL3_MT_NEXT_PROTO
+SSL3_MT_SERVER_DONE
+SSL3_MT_SERVER_HELLO
+SSL3_MT_SERVER_KEY_EXCHANGE
+SSL3_MT_SUPPLEMENTAL_DATA
+SSL3_RT_ALERT
+SSL3_RT_APPLICATION_DATA
+SSL3_RT_CHANGE_CIPHER_SPEC
+SSL3_RT_HANDSHAKE
+SSL3_RT_HEADER
+SSL3_RT_INNER_CONTENT_TYPE
+SSL3_VERSION
+SSLEAY_BUILT_ON
+SSLEAY_CFLAGS
+SSLEAY_DIR
+SSLEAY_PLATFORM
+SSLEAY_VERSION
+SSL_CB_ACCEPT_EXIT
+SSL_CB_ACCEPT_LOOP
+SSL_CB_ALERT
+SSL_CB_CONNECT_EXIT
+SSL_CB_CONNECT_LOOP
+SSL_CB_EXIT
+SSL_CB_HANDSHAKE_DONE
+SSL_CB_HANDSHAKE_START
+SSL_CB_LOOP
+SSL_CB_READ
+SSL_CB_READ_ALERT
+SSL_CB_WRITE
+SSL_CB_WRITE_ALERT
+SSL_ERROR_NONE
+SSL_ERROR_SSL
+SSL_ERROR_SYSCALL
+SSL_ERROR_WANT_ACCEPT
+SSL_ERROR_WANT_CONNECT
+SSL_ERROR_WANT_READ
+SSL_ERROR_WANT_WRITE
+SSL_ERROR_WANT_X509_LOOKUP
+SSL_ERROR_ZERO_RETURN
+SSL_FILETYPE_ASN1
+SSL_FILETYPE_PEM
+SSL_F_CLIENT_CERTIFICATE
+SSL_F_CLIENT_HELLO
+SSL_F_CLIENT_MASTER_KEY
+SSL_F_D2I_SSL_SESSION
+SSL_F_GET_CLIENT_FINISHED
+SSL_F_GET_CLIENT_HELLO
+SSL_F_GET_CLIENT_MASTER_KEY
+SSL_F_GET_SERVER_FINISHED
+SSL_F_GET_SERVER_HELLO
+SSL_F_GET_SERVER_VERIFY
+SSL_F_I2D_SSL_SESSION
+SSL_F_READ_N
+SSL_F_REQUEST_CERTIFICATE
+SSL_F_SERVER_HELLO
+SSL_F_SSL_CERT_NEW
+SSL_F_SSL_GET_NEW_SESSION
+SSL_F_SSL_NEW
+SSL_F_SSL_READ
+SSL_F_SSL_RSA_PRIVATE_DECRYPT
+SSL_F_SSL_RSA_PUBLIC_ENCRYPT
+SSL_F_SSL_SESSION_NEW
+SSL_F_SSL_SESSION_PRINT_FP
+SSL_F_SSL_SET_FD
+SSL_F_SSL_SET_RFD
+SSL_F_SSL_SET_WFD
+SSL_F_SSL_USE_CERTIFICATE
+SSL_F_SSL_USE_CERTIFICATE_ASN1
+SSL_F_SSL_USE_CERTIFICATE_FILE
+SSL_F_SSL_USE_PRIVATEKEY
+SSL_F_SSL_USE_PRIVATEKEY_ASN1
+SSL_F_SSL_USE_PRIVATEKEY_FILE
+SSL_F_SSL_USE_RSAPRIVATEKEY
+SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1
+SSL_F_SSL_USE_RSAPRIVATEKEY_FILE
+SSL_F_WRITE_PENDING
+SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES
+SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
+SSL_MODE_AUTO_RETRY
+SSL_MODE_ENABLE_PARTIAL_WRITE
+SSL_MODE_RELEASE_BUFFERS
+SSL_NOTHING
+SSL_OP_ALL
+SSL_OP_ALLOW_NO_DHE_KEX
+SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+SSL_OP_CIPHER_SERVER_PREFERENCE
+SSL_OP_CISCO_ANYCONNECT
+SSL_OP_COOKIE_EXCHANGE
+SSL_OP_CRYPTOPRO_TLSEXT_BUG
+SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+SSL_OP_ENABLE_MIDDLEBOX_COMPAT
+SSL_OP_EPHEMERAL_RSA
+SSL_OP_LEGACY_SERVER_CONNECT
+SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
+SSL_OP_MICROSOFT_SESS_ID_BUG
+SSL_OP_MSIE_SSLV2_RSA_PADDING
+SSL_OP_NETSCAPE_CA_DN_BUG
+SSL_OP_NETSCAPE_CHALLENGE_BUG
+SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
+SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+SSL_OP_NON_EXPORT_FIRST
+SSL_OP_NO_ANTI_REPLAY
+SSL_OP_NO_CLIENT_RENEGOTIATION
+SSL_OP_NO_COMPRESSION
+SSL_OP_NO_ENCRYPT_THEN_MAC
+SSL_OP_NO_QUERY_MTU
+SSL_OP_NO_RENEGOTIATION
+SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+SSL_OP_NO_SSL_MASK
+SSL_OP_NO_SSLv2
+SSL_OP_NO_SSLv3
+SSL_OP_NO_TICKET
+SSL_OP_NO_TLSv1
+SSL_OP_NO_TLSv1_1
+SSL_OP_NO_TLSv1_2
+SSL_OP_NO_TLSv1_3
+SSL_OP_PKCS1_CHECK_1
+SSL_OP_PKCS1_CHECK_2
+SSL_OP_PRIORITIZE_CHACHA
+SSL_OP_SAFARI_ECDHE_ECDSA_BUG
+SSL_OP_SINGLE_DH_USE
+SSL_OP_SINGLE_ECDH_USE
+SSL_OP_SSLEAY_080_CLIENT_DH_BUG
+SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
+SSL_OP_TLSEXT_PADDING
+SSL_OP_TLS_BLOCK_PADDING_BUG
+SSL_OP_TLS_D5_BUG
+SSL_OP_TLS_ROLLBACK_BUG
+SSL_READING
+SSL_RECEIVED_SHUTDOWN
+SSL_R_BAD_AUTHENTICATION_TYPE
+SSL_R_BAD_CHECKSUM
+SSL_R_BAD_MAC_DECODE
+SSL_R_BAD_RESPONSE_ARGUMENT
+SSL_R_BAD_SSL_FILETYPE
+SSL_R_BAD_SSL_SESSION_ID_LENGTH
+SSL_R_BAD_STATE
+SSL_R_BAD_WRITE_RETRY
+SSL_R_CHALLENGE_IS_DIFFERENT
+SSL_R_CIPHER_TABLE_SRC_ERROR
+SSL_R_INVALID_CHALLENGE_LENGTH
+SSL_R_NO_CERTIFICATE_SET
+SSL_R_NO_CERTIFICATE_SPECIFIED
+SSL_R_NO_CIPHER_LIST
+SSL_R_NO_CIPHER_MATCH
+SSL_R_NO_PRIVATEKEY
+SSL_R_NO_PUBLICKEY
+SSL_R_NULL_SSL_CTX
+SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE
+SSL_R_PEER_ERROR
+SSL_R_PEER_ERROR_CERTIFICATE
+SSL_R_PEER_ERROR_NO_CIPHER
+SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE
+SSL_R_PUBLIC_KEY_ENCRYPT_ERROR
+SSL_R_PUBLIC_KEY_IS_NOT_RSA
+SSL_R_READ_WRONG_PACKET_TYPE
+SSL_R_SHORT_READ
+SSL_R_SSL_SESSION_ID_IS_DIFFERENT
+SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY
+SSL_R_UNKNOWN_REMOTE_ERROR_TYPE
+SSL_R_UNKNOWN_STATE
+SSL_R_X509_LIB
+SSL_SENT_SHUTDOWN
+SSL_SESSION_ASN1_VERSION
+SSL_SESS_CACHE_BOTH
+SSL_SESS_CACHE_CLIENT
+SSL_SESS_CACHE_NO_AUTO_CLEAR
+SSL_SESS_CACHE_NO_INTERNAL
+SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
+SSL_SESS_CACHE_NO_INTERNAL_STORE
+SSL_SESS_CACHE_OFF
+SSL_SESS_CACHE_SERVER
+SSL_ST_ACCEPT
+SSL_ST_BEFORE
+SSL_ST_CONNECT
+SSL_ST_INIT
+SSL_ST_OK
+SSL_ST_READ_BODY
+SSL_ST_READ_HEADER
+SSL_VERIFY_CLIENT_ONCE
+SSL_VERIFY_FAIL_IF_NO_PEER_CERT
+SSL_VERIFY_NONE
+SSL_VERIFY_PEER
+SSL_VERIFY_POST_HANDSHAKE
+SSL_WRITING
+SSL_X509_LOOKUP
+TLS1_1_VERSION
+TLS1_2_VERSION
+TLS1_3_VERSION
+TLS1_VERSION
+TLSEXT_STATUSTYPE_ocsp
+V_OCSP_CERTSTATUS_GOOD
+V_OCSP_CERTSTATUS_REVOKED
+V_OCSP_CERTSTATUS_UNKNOWN
+X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
+X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS
+X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
+X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
+X509_CHECK_FLAG_NO_WILDCARDS
+X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
+X509_FILETYPE_ASN1
+X509_FILETYPE_DEFAULT
+X509_FILETYPE_PEM
+X509_PURPOSE_ANY
+X509_PURPOSE_CRL_SIGN
+X509_PURPOSE_NS_SSL_SERVER
+X509_PURPOSE_OCSP_HELPER
+X509_PURPOSE_SMIME_ENCRYPT
+X509_PURPOSE_SMIME_SIGN
+X509_PURPOSE_SSL_CLIENT
+X509_PURPOSE_SSL_SERVER
+X509_PURPOSE_TIMESTAMP_SIGN
+X509_TRUST_COMPAT
+X509_TRUST_EMAIL
+X509_TRUST_OBJECT_SIGN
+X509_TRUST_OCSP_REQUEST
+X509_TRUST_OCSP_SIGN
+X509_TRUST_SSL_CLIENT
+X509_TRUST_SSL_SERVER
+X509_TRUST_TSA
+X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
+X509_V_ERR_AKID_SKID_MISMATCH
+X509_V_ERR_APPLICATION_VERIFICATION
+X509_V_ERR_CA_KEY_TOO_SMALL
+X509_V_ERR_CA_MD_TOO_WEAK
+X509_V_ERR_CERT_CHAIN_TOO_LONG
+X509_V_ERR_CERT_HAS_EXPIRED
+X509_V_ERR_CERT_NOT_YET_VALID
+X509_V_ERR_CERT_REJECTED
+X509_V_ERR_CERT_REVOKED
+X509_V_ERR_CERT_SIGNATURE_FAILURE
+X509_V_ERR_CERT_UNTRUSTED
+X509_V_ERR_CRL_HAS_EXPIRED
+X509_V_ERR_CRL_NOT_YET_VALID
+X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+X509_V_ERR_CRL_SIGNATURE_FAILURE
+X509_V_ERR_DANE_NO_MATCH
+X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
+X509_V_ERR_DIFFERENT_CRL_SCOPE
+X509_V_ERR_EE_KEY_TOO_SMALL
+X509_V_ERR_EMAIL_MISMATCH
+X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
+X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
+X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
+X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
+X509_V_ERR_EXCLUDED_VIOLATION
+X509_V_ERR_HOSTNAME_MISMATCH
+X509_V_ERR_INVALID_CA
+X509_V_ERR_INVALID_CALL
+X509_V_ERR_INVALID_EXTENSION
+X509_V_ERR_INVALID_NON_CA
+X509_V_ERR_INVALID_POLICY_EXTENSION
+X509_V_ERR_INVALID_PURPOSE
+X509_V_ERR_IP_ADDRESS_MISMATCH
+X509_V_ERR_KEYUSAGE_NO_CERTSIGN
+X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+X509_V_ERR_NO_EXPLICIT_POLICY
+X509_V_ERR_NO_VALID_SCTS
+X509_V_ERR_OCSP_CERT_UNKNOWN
+X509_V_ERR_OCSP_VERIFY_FAILED
+X509_V_ERR_OCSP_VERIFY_NEEDED
+X509_V_ERR_OUT_OF_MEM
+X509_V_ERR_PATH_LENGTH_EXCEEDED
+X509_V_ERR_PATH_LOOP
+X509_V_ERR_PERMITTED_VIOLATION
+X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION
+X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
+X509_V_ERR_STORE_LOOKUP
+X509_V_ERR_SUBJECT_ISSUER_MISMATCH
+X509_V_ERR_SUBTREE_MINMAX
+X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
+X509_V_ERR_SUITE_B_INVALID_ALGORITHM
+X509_V_ERR_SUITE_B_INVALID_CURVE
+X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
+X509_V_ERR_SUITE_B_INVALID_VERSION
+X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED
+X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
+X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
+X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
+X509_V_ERR_UNABLE_TO_GET_CRL
+X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
+X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
+X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
+X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+X509_V_ERR_UNNESTED_RESOURCE
+X509_V_ERR_UNSPECIFIED
+X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+X509_V_FLAG_ALLOW_PROXY_CERTS
+X509_V_FLAG_CB_ISSUER_CHECK
+X509_V_FLAG_CHECK_SS_SIGNATURE
+X509_V_FLAG_CRL_CHECK
+X509_V_FLAG_CRL_CHECK_ALL
+X509_V_FLAG_EXPLICIT_POLICY
+X509_V_FLAG_EXTENDED_CRL_SUPPORT
+X509_V_FLAG_IGNORE_CRITICAL
+X509_V_FLAG_INHIBIT_ANY
+X509_V_FLAG_INHIBIT_MAP
+X509_V_FLAG_LEGACY_VERIFY
+X509_V_FLAG_NOTIFY_POLICY
+X509_V_FLAG_NO_ALT_CHAINS
+X509_V_FLAG_NO_CHECK_TIME
+X509_V_FLAG_PARTIAL_CHAIN
+X509_V_FLAG_POLICY_CHECK
+X509_V_FLAG_POLICY_MASK
+X509_V_FLAG_SUITEB_128_LOS
+X509_V_FLAG_SUITEB_128_LOS_ONLY
+X509_V_FLAG_SUITEB_192_LOS
+X509_V_FLAG_TRUSTED_FIRST
+X509_V_FLAG_USE_CHECK_TIME
+X509_V_FLAG_USE_DELTAS
+X509_V_FLAG_X509_STRICT
+X509_V_OK
+XN_FLAG_COMPAT
+XN_FLAG_DN_REV
+XN_FLAG_DUMP_UNKNOWN_FIELDS
+XN_FLAG_FN_ALIGN
+XN_FLAG_FN_LN
+XN_FLAG_FN_MASK
+XN_FLAG_FN_NONE
+XN_FLAG_FN_OID
+XN_FLAG_FN_SN
+XN_FLAG_MULTILINE
+XN_FLAG_ONELINE
+XN_FLAG_RFC2253
+XN_FLAG_SEP_COMMA_PLUS
+XN_FLAG_SEP_CPLUS_SPC
+XN_FLAG_SEP_MASK
+XN_FLAG_SEP_MULTILINE
+XN_FLAG_SEP_SPLUS_SPC
+XN_FLAG_SPC_EQ
diff --git a/cpan/Net-SSLeay/helper_script/generate-test-pki b/cpan/Net-SSLeay/helper_script/generate-test-pki
new file mode 100644
index 000000000000..b7213a999beb
--- /dev/null
+++ b/cpan/Net-SSLeay/helper_script/generate-test-pki
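Review bot: The header comment at the top of this hunk does not say what happens when a listed name is absent from the libssl/libcrypto headers the build links against; the generated constants.c visible just above this hunk wraps every lookup in `#ifdef NAME` and otherwise jumps to `not_there`, which sets errno to ENOENT and returns 0. Since 0 is also the value of SSL_VERIFY_NONE, a caller that ignores errno could silently turn a missing SSL_VERIFY_PEER into "no verification" — unless the Perl-side constant accessor, which is not visible here, turns the ENOENT into an exception. I would add after the "lexicographical order" line: `# Names that the linked libssl/libcrypto does not define are compiled out by` / `# constants.c (#ifdef); looking one up then fails with errno = ENOENT rather` / `# than returning a usable value.` That stops maintainers from assuming that listing a constant here guarantees it is available at runtime.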
@@ -0,0 +1,2092 @@ +#!/usr/bin/env perl + +use 5.008001; +use strict; +use warnings; + +use English qw( + $EVAL_ERROR $EXCEPTIONS_BEING_CAUGHT $EXECUTABLE_NAME $OS_ERROR $RS + -no_match_vars +); +use File::Basename qw(dirname); +use File::Spec::Functions qw( catfile splitpath ); +use File::Temp; +use Getopt::Long qw(GetOptionsFromArray); +use IPC::Run qw( start finish timeout ); + +our $VERSION = '1.92'; + +local $SIG{__DIE__} = sub { + my ($cause) = @_; + + if ($EXCEPTIONS_BEING_CAUGHT) { + return; + } + + print STDERR $cause, "\n"; + + exit 1; +}; + +my ( $args, $entities ) = eval { parse_options( \@ARGV ) } + or fatal( 'Error while parsing command line options', $EVAL_ERROR ); + +eval { + check_openssl_version( + { + min_version => '3.0.0-alpha7', + min_version_match => qr{^3\.(?!0\.0-alpha[1-6])}, + } + ); +} or fatal( 'OpenSSL minimum version check failed', $EVAL_ERROR ); + +my $tmp = eval { + File::Temp->newdir( + TEMPLATE => 'test-pki-XXXXXXXX', + TMPDIR => 1, + CLEANUP => 1, + ); +} or fatal( 'Could not create temporary working directory', $EVAL_ERROR ); + +my $pki_config = eval { pki_config() } + or fatal( 'Could not load PKI configuration file', $EVAL_ERROR ); + +my $pki_tree = eval { pki_tree() } + or fatal( 'Error while building PKI tree', $EVAL_ERROR ); + +generate_tree( + $pki_tree, + @{ $entities } + ? 
{ map { $_ => 1 } @{ $entities } } + : undef +); + + +sub parse_options { + my ($argv) = @_; + + my $opts = { + 'config' => catfile( dirname(__FILE__), 'pki.cfg' ), + 'openssl-binary' => 'openssl', + 'output' => undef, + 'verbose' => 0, + }; + + GetOptionsFromArray( + $argv, + $opts, + 'config|c=s', + 'openssl-binary|b=s', + 'output|o=s', + 'verbose|v', + ); + + if ( !-e $opts->{config} ) { + fatal("PKI configuration file $opts->{config} does not exist"); + } + + if ( !defined $opts->{output} ) { + fatal("an output directory must be given"); + } + + if ( !-d $opts->{output} ) { + fatal("output directory $opts->{output} does not exist"); + } + + return wantarray + ? ( $opts, $argv ) + : $opts; +} + +sub pki_config { + open my $fh, '<:encoding(UTF-8)', $args->{config} + or fatal( $args->{config}, $OS_ERROR ); + + my $config = do { + local $RS = undef; + eval <$fh> + or do { + ( my $error = $EVAL_ERROR ) + =~ s{ at \(eval .+?\) }{ at $args->{config} }g; + + fatal( 'syntax error', $error ); + }; + }; + + close $fh; + + return $config; +} + +sub pki_tree { + my $children = {}; + my $tree = {}; + + for my $entity ( keys %{$pki_config} ) { + my $issuer = $pki_config->{$entity}->{cert}->{issuer}; + + if ( !exists $children->{$entity} ) { + $children->{$entity} = {}; + } + + if ( defined $issuer ) { + if ( !exists $pki_config->{$issuer} ) { + fatal("entity '$entity': issuer '$issuer' is not defined"); + } + + $children->{$issuer}->{$entity} = $children->{$entity}; + } + else { + $tree->{$entity} = $children->{$entity}; + } + } + + return $tree; +} + +sub openssl_config { + my (%tmpl) = @_; + + my $start = tell DATA; + + my $config = do { local $RS = undef; }; + + $config =~ s/\{\{ \s* (\w+) \s* \}\}/defined $tmpl{$1} ? 
$tmpl{$1} : ''/xeg; + + seek DATA, $start, 0; + + return $config; +} + +sub subject_string { + my (@rdns) = @_; + + my $string = q{}; + + while (@rdns) { + my ( $key, $value ) = ( shift @rdns, shift @rdns ); + + if ( !defined $key + || !defined $value ) + { + fatal('invalid key/value pair given in subject'); + } + + # Certain characters in an RDN value must be escaped + $value =~ s{([,\#+<>;"=/])}{\\$1}g; + + # Any leading space in an RDN value must be escaped + $value =~ s{^ }{\\ }; + + $string .= "/$key=$value"; + } + + return $string; +} + +sub time_string { + my ($time) = @_; + + if ( $time !~ m{^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$} ) { + fatal('invalid timestamp'); + } + + $time =~ s/[^\d]//g; + $time =~ s/Z$//; + + return $time . 'Z'; +} + +sub short_time_string { + my ($time) = @_; + + ( $time = time_string($time) ) =~ s/^\d{2}//; + + return $time; +} + +sub extensions_section { + my ($exts) = @_; + + my @section; + + for my $ext ( sort keys %{$exts} ) { + push @section, + sprintf '%s = %s', + $ext, + ref $exts->{$ext} eq 'ARRAY' + ? 
join ',', @{ $exts->{$ext} } + : $exts->{$ext}; + } + + return join "\n", @section; +} + +sub issuer_chain { + my ( $entity, $opts ) = @_; + + my @chain = ($entity); + + while ( defined $pki_config->{$entity}->{cert}->{issuer} ) { + push @chain, $pki_config->{$entity}->{cert}->{issuer}; + + $entity = $pki_config->{$entity}->{cert}->{issuer}; + } + + return \@chain; +} + +sub generate_tree { + my ( $tree, $entities ) = @_; + + for my $root ( sort keys %{$tree} ) { + if ( defined $entities ) { + if ( exists $entities->{$root} ) { + for my $child ( keys %{ $tree->{$root} } ) { + $entities->{$child} = 1; + } + + generate_entity( $root, $entities ) + or return 0; + } + + generate_tree( $tree->{$root}, $entities ) + or return 0; + } + else { + generate_entity($root) + or return 0; + + generate_tree( $tree->{$root} ) + or return 0; + } + } + + return 1; +} + +sub generate_entity { + my ($entity) = @_; + + print "Generating PKI for entity '$entity'\n"; + + my $entity_cfg = $pki_config->{$entity}; + my $entity_root = catfile( $args->{output}, $entity ); + + if ( !-e "$entity_root.key.pem" ) { + print "\tPEM key: $entity_root.key.pem\n"; + + eval { + generate_key( + "$entity_root.key.pem", + { + algorithm => $entity_cfg->{key}->{algorithm}, + size => $entity_cfg->{key}->{size}, + } + ) + } or fatal( "Could not generate '$entity_root.key.pem'", $EVAL_ERROR ); + + print "\tEncrypted PEM key: $entity_root.key.enc.pem\n"; + + eval { + convert_key( + "$entity_root.key.pem", + "$entity_root.key.enc.pem", + { + ( + exists $entity_cfg->{key}->{passphrase} + ? 
( passphrase => $entity_cfg->{key}->{passphrase} ) + : () + ) + } + ) + } or fatal( "Could not generate '$entity_root.key.enc.pem'", + $EVAL_ERROR ); + + print "\tDER key: $entity_root.key.der\n"; + + eval { + convert_key( + "$entity_root.key.pem", + "$entity_root.key.der", + { + format => 'der', + } + ); + } or fatal( "Could not generate '$entity_root.key.der'", $EVAL_ERROR ); + + print "\tEncrypted DER key: $entity_root.key.enc.der\n"; + + eval { + convert_key( + "$entity_root.key.pem", + "$entity_root.key.enc.der", + { + format => 'der', + passphrase => 'test', + } + ); + } or fatal( "Could not generate '$entity_root.key.enc.der'", + $EVAL_ERROR ); + } + + print "\tPEM CSR: $entity_root.csr.pem\n"; + + eval { + generate_csr( + "$entity_root.key.pem", + "$entity_root.csr.pem", + { + md_algorithm => $entity_cfg->{csr}->{md_algorithm}, + subject => $entity_cfg->{cert}->{subject}, + } + ); + } or fatal( "Could not generate '$entity_root.csr.pem'", $EVAL_ERROR ); + + print "\tDER CSR: $entity_root.csr.der\n"; + + eval { + convert_csr( + "$entity_root.csr.pem", + "$entity_root.csr.der", + { + format => 'der', + } + ); + } or fatal( "Could not generate '$entity_root.csr.der'", $EVAL_ERROR ); + + print "\tPEM certificate: $entity_root.cert.pem\n"; + + my $issuer_root = defined $entity_cfg->{cert}->{issuer} + ? catfile( $args->{output}, $entity_cfg->{cert}->{issuer} ) + : $entity_root; + + my $issuer_cfg = defined $entity_cfg->{cert}->{issuer} + ? $pki_config->{ $entity_cfg->{cert}->{issuer} } + : undef; + + my @issuer_opts = defined $entity_cfg->{cert}->{issuer} + ? 
( + issuer_cert_path => "$issuer_root.cert.pem", + ) + : (); + + eval { + my $valid_from = time_string( $entity_cfg->{cert}->{valid_from} ) + or fatal( 'valid_from', $EVAL_ERROR ); + + my $valid_until = time_string( $entity_cfg->{cert}->{valid_until} ) + or fatal( 'valid_until', $EVAL_ERROR ); + + generate_cert( + "$entity_root.csr.pem", + "$issuer_root.key.pem", + "$entity_root.cert.pem", + { + extensions => $entity_cfg->{cert}->{extensions}, + md_algorithm => $entity_cfg->{cert}->{md_algorithm}, + purpose => $entity_cfg->{cert}->{purpose}, + serial => $entity_cfg->{cert}->{serial}, + valid_from => $valid_from, + valid_until => $valid_until, + @issuer_opts, + } + ); + } or fatal( "Could not generate '$entity_root.cert.pem'", $EVAL_ERROR ); + + print "\tDER certificate: $entity_root.cert.der\n"; + + eval { + convert_cert( + "$entity_root.cert.pem", + "$entity_root.cert.der", + { + format => 'der', + } + ); + } or fatal( "Could not generate '$entity_root.cert.der'", $EVAL_ERROR ); + + print "\tCertificate info: $entity_root.cert.dump\n"; + + eval { + dump_cert_info( + "$entity_root.cert.pem", + "$entity_root.cert.dump" + ); + } or fatal( "Could not generate '$entity_root.cert.dump'", $EVAL_ERROR ); + + print "\tPEM certificate chain: $entity_root.certchain.pem\n"; + + eval { + generate_cert_chain( + [ + map + { catfile( $args->{output}, "$_.cert.pem" ) } + @{ issuer_chain( $entity ) } + ], + "$entity_root.certchain.pem" + ); + } or fatal( "Could not generate '$entity_root.certchain.pem'", + $EVAL_ERROR ); + + print "\tDER certificate chain: $entity_root.certchain.der\n"; + + eval { + generate_cert_chain( + [ + map + { catfile( $args->{output}, "$_.cert.der" ) } + @{ issuer_chain( $entity ) } + ], + "$entity_root.certchain.der" + ) + } or fatal( "Could not generate '$entity_root.certchain.der'", + $EVAL_ERROR ); + + if ( exists $entity_cfg->{cert}->{revoke_reason} ) { + print "\tPEM CRL for signing entity: $issuer_root.crl.pem\n"; + + eval { + revoke_cert( + 
"$entity_root.cert.pem", + "$issuer_root.key.pem", + "$issuer_root.cert.pem", + "$issuer_root.crl.pem", + { + crl_last_update => $issuer_cfg->{crl}->{last_update}, + crl_md_algorithm => $issuer_cfg->{crl}->{md_algorithm}, + crl_next_update => $issuer_cfg->{crl}->{next_update}, + crl_number => $issuer_cfg->{crl}->{number}, + reason => $entity_cfg->{cert}->{revoke_reason}, + time => $entity_cfg->{cert}->{revoke_time}, + } + ); + } or fatal( "Could not generate '$issuer_root.crl.pem'", $EVAL_ERROR ); + + print "\tDER CRL for signing entity: $issuer_root.crl.der\n"; + + eval { + convert_crl( + "$issuer_root.crl.pem", + "$issuer_root.crl.der", + { + format => 'der', + } + ); + } or fatal( "Could not generate '$issuer_root.crl.der'", $EVAL_ERROR ); + } + + my @extra_certs = map + { catfile( $args->{output}, "$_.cert.pem" ) } + @{ issuer_chain( $entity ) }; + + # The certificate for this entity is at the start of the chain, but we just + # want the certificates in the issuer chain + shift @extra_certs; + + my @extra_certs_opts = @extra_certs + ? 
( + extra_certs => \@extra_certs, + ) + : (); + + print "\tPKCS#12 archive: $entity_root.p12\n"; + + eval { + generate_pkcs12( + "$entity_root.key.pem", + "$entity_root.cert.pem", + "$entity_root.p12", + { + name => "$entity: unencrypted, no certificate chain", + } + ); + } or fatal( "Could not generate '$entity_root.p12'", $EVAL_ERROR ); + + print "\tPKCS#12 archive with certificate chain: ", + "$entity_root.certchain.p12\n"; + + eval { + generate_pkcs12( + "$entity_root.key.pem", + "$entity_root.cert.pem", + "$entity_root.certchain.p12", + { + name => "$entity: unencrypted, certificate chain", + @extra_certs_opts, + } + ); + } or fatal( "Could not generate '$entity_root.certchain.p12'", + $EVAL_ERROR ); + + print "\tEncrypted PKCS#12 archive: $entity_root.enc.p12\n"; + + eval { + generate_pkcs12( + "$entity_root.key.pem", + "$entity_root.cert.pem", + "$entity_root.enc.p12", + { + name => "$entity: encrypted, no certificate chain", + passphrase => $entity_cfg->{pkcs12}->{passphrase}, + } + ); + } or fatal( "Could not generate '$entity_root.enc.p12'", $EVAL_ERROR ); + + print "\tEncrypted PKCS#12 archive with certificate chain: ", + "$entity_root.certchain.enc.p12\n"; + + eval { + generate_pkcs12( + "$entity_root.key.pem", + "$entity_root.cert.pem", + "$entity_root.certchain.enc.p12", + { + name => "$entity: encrypted, certificate chain", + passphrase => $entity_cfg->{pkcs12}->{passphrase}, + @extra_certs_opts, + } + ); + } or fatal( "Could not generate '$entity_root.certchain.enc.p12'", + $EVAL_ERROR ); + + return 1; +} + +sub generate_key { + my ( $out_key_path, $params ) = @_; + + my $algorithms = { + 'ec' => { + openssl_name => 'EC', + }, + 'ed25519' => { + openssl_name => 'ED25519', + }, + 'ed448' => { + openssl_name => 'ED448', + }, + 'rsa' => { + openssl_name => 'RSA', + size_param => 'rsa_keygen_bits', + }, + 'rsa-pss' => { + openssl_name => 'RSA-PSS', + size_param => 'rsa_keygen_bits', + }, + 'x25519' => { + openssl_name => 'X25519', + }, + 'x448' => { + 
openssl_name => 'X448', + }, + }; + + if ( !exists $params->{algorithm} ) { + fatal('missing key algorithm'); + } + + if ( !exists $algorithms->{ $params->{algorithm} } ) { + fatal("unknown key algorithm '$params->{algorithm}'"); + } + + my $algorithm = $algorithms->{ $params->{algorithm} }; + my @genpkey_opts; + + if ( exists $algorithm->{size_param} ) { + if ( !exists $params->{size} ) { + fatal("key algorithm '$params->{algorithm}' requires a key size"); + } + + @genpkey_opts = ( + '-pkeyopt', "$algorithm->{size_param}:$params->{size}" + ); + } + + # "openssl genpkey" exports keys in PKCS#8 format (which isn't recognised by + # OpenSSL 0.9.8), and there's no way to export in traditional SSLeay format + # directly - write the PKCS#8-formatted key to a temporary file, and then + # use "openssl pkey" to convert it to SSLeay format + my $out_key_name = ( splitpath($out_key_path) )[2]; + my $tmp_key_path = catfile( $tmp->dirname(), $out_key_name ); + + openssl_cmd( + [ + 'genpkey', + '-out', $tmp_key_path, + '-algorithm', $algorithm->{openssl_name}, + @genpkey_opts, + ] + ); + + return openssl_cmd( + [ + 'pkey', + '-in', $tmp_key_path, + '-out', $out_key_path, + '-traditional', + ] + ); +} + +sub convert_key { + my ( $in_key_path, $out_key_path, $params ) = @_; + + my $formats = { + pem => 'PEM', + der => 'DER', + }; + + ( my $in_format = $in_key_path ) =~ s{.*\.}{}; + + my $out_format = delete $params->{format} || 'pem'; + + if ( !exists $formats->{$in_format} ) { + fatal("unknown key input format '$in_format'"); + } + + if ( !exists $formats->{$out_format} ) { + fatal("unknown key output format '$out_format'"); + } + + my @encrypt_opts = exists $params->{passphrase} + ? 
( + '-aes128', + '-passout', 'stdin', + ) + : (); + + return openssl_cmd( + [ + 'pkey', + '-in', $in_key_path, + '-inform', $formats->{$in_format}, + '-out', $out_key_path, + '-outform', $formats->{$out_format}, + '-traditional', + @encrypt_opts, + ], + $params->{passphrase} + ); +} + +sub generate_csr { + my ( $in_key_path, $out_csr_path, $params ) = @_; + + my $formats = { + pem => 'PEM', + der => 'DER', + }; + + my $format = delete $params->{format} || 'pem'; + + if ( !exists $formats->{$format} ) { + fatal("unknown CSR output format '$format'"); + } + + if ( !exists $params->{md_algorithm} ) { + fatal('missing message digest algorithm'); + } + + my $digest_opt = '-' . $params->{md_algorithm}; + + return openssl_cmd( + [ + 'req', + '-config', '-', + '-new', + '-key', $in_key_path, + '-out', $out_csr_path, + '-outform', $formats->{$format}, + '-subj', subject_string( @{ $params->{subject} } ), + '-multivalue-rdn', + $digest_opt, + ], + openssl_config() + ); +} + +sub convert_csr { + my ( $in_csr_path, $out_csr_path, $params ) = @_; + + my $formats = { + pem => 'PEM', + der => 'DER', + }; + + ( my $in_format = $in_csr_path ) =~ s{.*\.}{}; + + my $out_format = delete $params->{format} || 'pem'; + + if ( !exists $formats->{$in_format} ) { + fatal("unknown CSR input format '$in_format'"); + } + + if ( !exists $formats->{$out_format} ) { + fatal("unknown CSR output format '$out_format'"); + } + + return openssl_cmd( + [ + 'req', + '-in', $in_csr_path, + '-inform', $formats->{$in_format}, + '-out', $out_csr_path, + '-outform', $formats->{$out_format}, + ] + ); +} + +sub generate_cert { + my ( $in_csr_path, $issuer_key_path, $out_cert_path, $params ) = @_; + + if ( !exists $params->{md_algorithm} ) { + fatal('missing message digest algorithm'); + } + + my @signing_opts = exists $params->{issuer_cert_path} + ? 
( + '-cert', $params->{issuer_cert_path}, + ) + : ( + '-selfsign', + '-cert', 'ignored', + ); + + my $tmp_root = do { + my $file = ( splitpath($issuer_key_path) )[2]; + + $file =~ s/(?:\.key)?\.(?:pem|der)$//; + + my $dir = catfile( $tmp->dirname(), $file ); + + if ( !-d $dir ) { + mkdir $dir + or fatal( "could not create directory $dir", $OS_ERROR ); + } + + $dir; + }; + + my $serial_file = catfile( $tmp_root, 'serial' ); + open my $serial_fh, '>', $serial_file + or fatal( "could not write serial file $serial_file", $OS_ERROR ); + printf {$serial_fh} '%02x', $params->{serial}; + close $serial_fh; + + my $db_file = catfile( $tmp_root, 'db' ); + open my $db_fh, '>>', $db_file + or fatal( "could not touch database file $db_file", $OS_ERROR ); + close $db_fh; + + return openssl_cmd( + [ + 'ca', + '-verbose', + '-batch', + '-config', '-', + '-name', 'ca_conf', + '-in', $in_csr_path, + '-out', $out_cert_path, + '-keyfile', $issuer_key_path, + '-startdate', $params->{valid_from}, + '-enddate', $params->{valid_until}, + '-md', $params->{md_algorithm}, + '-extensions', 'exts_' . $params->{purpose}, + '-notext', + '-utf8', + '-multivalue-rdn', + @signing_opts, + ], + openssl_config( + extensions => ( + exists $params->{extensions} + ? 
extensions_section( $params->{extensions} )
+ : q{}
+ ),
+ certs_path => $tmp_root,
+ database_path => $db_file,
+ serial_path => $serial_file,
+ )
+ );
+}
+
+sub convert_cert {
+ my ( $in_cert_path, $out_cert_path, $params ) = @_;
+
+ my $formats = {
+ pem => 'PEM',
+ der => 'DER',
+ };
+
+ ( my $in_format = $in_cert_path ) =~ s{.*\.}{};
+
+ my $out_format = delete $params->{format} || 'pem';
+
+ if ( !exists $formats->{$in_format} ) {
+ fatal("unknown certificate input format '$in_format'");
+ }
+
+ if ( !exists $formats->{$out_format} ) {
+ fatal("unknown certificate output format '$out_format'");
+ }
+
+ return openssl_cmd(
+ [
+ 'x509',
+ '-in', $in_cert_path,
+ '-inform', $formats->{$in_format},
+ '-out', $out_cert_path,
+ '-outform', $formats->{$out_format},
+ ]
+ );
+}
+
+sub dump_cert_info {
+ my ( $in_cert_path, $out_dump_path ) = @_;
+
+ my $cwd = dirname(__FILE__);
+
+ open my $out_fh, '>', $out_dump_path
+ or fatal( "could not write $out_dump_path", $OS_ERROR );
+
+ my $run = eval {
+ start(
+ [
+ $EXECUTABLE_NAME,
+ catfile( $cwd, '..', 'examples', 'x509_cert_details.pl' ),
+ '-dump',
+ '-pem', $in_cert_path
+ ],
+ '>',
+ sub {
+ print {$out_fh} $_[0];
+ },
+ '2>',
+ sub {
+ if ( $args->{verbose} ) {
+ printf "[x509_cert_details.pl stderr] %s\n", $_[0];
+ }
+ }
+ );
+ } or fatal( 'could not run examples/x509_cert_details.pl', $EVAL_ERROR );
+
+ $run->finish();
+
+ close $out_fh;
+
+ if ( $run->result() != 0 ) {
+ fatal( 'examples/x509_cert_details.pl exited with exit code '
+ .
$run->result() );
+ }
+
+ return 1;
+}
+
+sub generate_cert_chain {
+ my ( $in_cert_paths, $out_cert_path ) = @_;
+
+ open my $out_fh, '>', $out_cert_path
+ or fatal( "could not write certificate chain file $out_cert_path",
+ $OS_ERROR );
+
+ for my $in ( @{$in_cert_paths} ) {
+ open my $in_fh, '<', $in
+ or fatal( "could not read certificate file $in", $OS_ERROR );
+
+ my $cert = do { local $RS = undef; <$in_fh> };
+
+ print {$out_fh} $cert;
+
+ close $in_fh;
+ }
+
+ close $out_fh;
+
+ return 1;
+}
+
+sub revoke_cert {
+ my ( $in_cert_path, $issuer_key_path, $issuer_cert_path, $out_crl_path,
+ $params ) = @_;
+
+ my $tmp_root = do {
+ my ( undef, undef, $file ) = splitpath($issuer_key_path);
+
+ $file =~ s/(?:\.key)?\.(?:pem|der)$//;
+
+ my $dir = catfile( $tmp->dirname(), $file );
+
+ if ( !-d $dir ) {
+ mkdir $dir
+ or fatal( "could not create directory $dir", $OS_ERROR );
+ }
+
+ $dir;
+ };
+
+ my $serial_file = catfile( $tmp_root, 'serial' );
+
+ my ( $stdout, $stderr ) = openssl_cmd(
+ [
+ 'x509',
+ '-in', $in_cert_path,
+ '-noout',
+ '-serial',
+ ]
+ );
+
+ ( my $in_cert_serial = join "\n", @{$stdout} ) =~ s/^serial=//;
+
+ if ( $in_cert_serial !~ /^[\da-f]+$/i ) {
+ fatal('could not get serial number for revoked certificate');
+ }
+
+ my $db_file = catfile( $tmp_root, 'db' );
+ open my $db_fh, '<', $db_file
+ or fatal( "could not read database file $db_file", $OS_ERROR );
+
+ my @entries;
+
+ while ( defined( my $entry = <$db_fh> ) ) {
+ chomp $entry;
+ my @fields = split /\t/, $entry;
+
+ if ( $fields[3] eq $in_cert_serial ) {
+ $fields[0] = 'R';
+ $fields[2] = short_time_string( $params->{time} );
+
+ if ( defined $params->{reason} ) {
+ $fields[2] .= ',' .
$params->{reason};
+ }
+ }
+
+ push @entries, join "\t", @fields;
+ }
+
+ close $db_fh;
+
+ open $db_fh, '>', $db_file
+ or fatal( "could not write database file $db_file", $OS_ERROR );
+
+ for my $entry (@entries) {
+ print {$db_fh} $entry, "\n";
+ }
+
+ close $db_fh;
+
+ my $crl_number_file = catfile( $tmp_root, 'crl_number' );
+ open my $crl_number_fh, '>', $crl_number_file
+ or fatal( "could not write CRL number file $crl_number_file", $OS_ERROR );
+ printf {$crl_number_fh} '%02x', $params->{crl_number};
+ close $crl_number_fh;
+
+ return openssl_cmd(
+ [
+ 'ca',
+ '-verbose',
+ '-batch',
+ '-gencrl',
+ '-config', '-',
+ '-name', 'ca_conf',
+ '-keyfile', $issuer_key_path,
+ '-cert', $issuer_cert_path,
+ '-out', $out_crl_path,
+ '-crl_lastupdate', time_string( $params->{crl_last_update} ),
+ '-crl_nextupdate', time_string( $params->{crl_next_update} ),
+ '-md', $params->{crl_md_algorithm},
+ ],
+ openssl_config(
+ certs_path => $tmp_root,
+ crl_number_path => $crl_number_file,
+ database_path => $db_file,
+ serial_path => $serial_file,
+ )
+ );
+}
+
+sub convert_crl {
+ my ( $in_crl_path, $out_crl_path, $params ) = @_;
+
+ my $formats = {
+ pem => 'PEM',
+ der => 'DER',
+ };
+
+ ( my $in_format = $in_crl_path ) =~ s{.*\.}{};
+
+ my $out_format = delete $params->{format} || 'pem';
+
+ if ( !exists $formats->{$in_format} ) {
+ fatal("unknown CRL input format '$in_format'");
+ }
+
+ if ( !exists $formats->{$out_format} ) {
+ fatal("unknown CRL output format '$out_format'");
+ }
+
+ return openssl_cmd(
+ [
+ 'crl',
+ '-in', $in_crl_path,
+ '-inform', $formats->{$in_format},
+ '-out', $out_crl_path,
+ '-outform', $formats->{$out_format},
+ ]
+ );
+}
+
+sub generate_pkcs12 {
+ my ( $in_key_path, $in_cert_path, $out_p12_path, $params ) = @_;
+
+ my $cert_chain_path;
+
+ if ( exists $params->{extra_certs} ) {
+ my ( undef, undef, $file ) = splitpath($in_key_path);
+
+ $file =~ s/(?:\.key)?\.(?:pem|der)$//;
+
+ my $dir = catfile( $tmp->dirname(), $file );
+
+ if ( !-d
$dir ) {
+ mkdir $dir
+ or fatal( 'could not create directory $dir', $OS_ERROR );
+ }
+
+ $cert_chain_path = catfile( $dir, 'pkcs12_cert_chain.pem' );
+
+ generate_cert_chain(
+ $params->{extra_certs},
+ $cert_chain_path
+ );
+ }
+
+ my @name_opt = exists $params->{name}
+ ? (
+ '-name', $params->{name},
+ )
+ : ();
+
+ my @cert_opt = exists $params->{extra_certs}
+ ? (
+ '-certfile', $cert_chain_path,
+ )
+ : ();
+
+ my @encrypt_opts = exists $params->{passphrase}
+ ? (
+ '-passout', 'stdin',
+ '-keypbe', 'pbeWithSHA1And3-KeyTripleDES-CBC',
+ '-certpbe', 'pbeWithSHA1And3-KeyTripleDES-CBC',
+ )
+ : (
+ '-passout', 'pass:',
+ '-keypbe', 'NONE',
+ '-certpbe', 'NONE',
+ '-nomaciter',
+ );
+
+ return openssl_cmd(
+ [
+ 'pkcs12',
+ '-export',
+ '-inkey', $in_key_path,
+ '-in', $in_cert_path,
+ '-out', $out_p12_path,
+ '-rand', $in_key_path,
+ '-no-CAfile',
+ '-no-CApath',
+ @name_opt,
+ @cert_opt,
+ @encrypt_opts,
+ ],
+ $params->{passphrase}
+ );
+}
+
+sub check_openssl_version {
+ my ($params) = @_;
+
+ my $min_version = delete $params->{min_version}
+ or fatal('missing minimum OpenSSL version');
+
+ my $min_version_match = delete $params->{min_version_match}
+ or fatal('missing minimum OpenSSL version regex');
+
+ my ( $stdout, $stderr );
+
+ my $run = eval {
+ start(
+ [ 'openssl', 'version' ],
+ \undef,
+ \$stdout,
+ \$stderr,
+ timeout( 3 )
+ );
+ } or fatal( "could not run `openssl version`", $EVAL_ERROR );
+
+ $run->finish();
+
+ if ( $run->result() != 0 ) {
+ fatal( "`openssl version` exited with exit code " . $run->result() );
+ }
+
+ my ($openssl_version) = $stdout =~ m{^OpenSSL (.+?) }
+ or fatal("`openssl` is not the OpenSSL command line utility");
+
+ if ( $openssl_version !~ $min_version_match ) {
+ fatal( "OpenSSL >= $min_version required, but `openssl` is version "
+ .
$openssl_version );
+ }
+
+ my $net_ssleay_version = eval {
+ use Net::SSLeay;
+ Net::SSLeay::SSLeay_version( Net::SSLeay::SSLEAY_VERSION() );
+ } or fatal( 'could not load Net::SSLeay', $EVAL_ERROR );
+
+ ($net_ssleay_version) = $net_ssleay_version =~ m{^OpenSSL (.+?) }
+ or fatal('Net::SSLeay was not built against OpenSSL');
+
+ if ( $net_ssleay_version !~ $min_version_match ) {
+ fatal( "Net::SSLeay must be built against OpenSSL >= $min_version, but "
+ . "it is built against version $net_ssleay_version" );
+ }
+
+ return 1;
+}
+
+sub openssl_cmd {
+ my ( $opts, $stdin ) = @_;
+
+ my $wantarray = wantarray;
+
+ my $stdout = [];
+ my $stderr = [];
+
+ my $print = sub {
+ my ( $prefix, $data ) = @_;
+
+ for my $line ( split /\r?\n/, $data ) {
+ printf "[OpenSSL %s] %s\n", $prefix, $line;
+ }
+ };
+
+ if ( $args->{verbose} ) {
+ print "Running `openssl ", join( q{ }, @{$opts} ), "`\n";
+ }
+
+ my $cmd = [ 'openssl', @{$opts} ];
+ my $cmd_string = join ' ', @{$cmd};
+
+ my $run = eval {
+ start(
+ $cmd,
+ \$stdin,
+ sub {
+ if ($wantarray) {
+ chomp $_[0];
+ push @{$stdout}, $_[0];
+ }
+ elsif ( $args->{verbose} ) {
+ $print->( 'stdout', $_[0] );
+ }
+ },
+ sub {
+ if ($wantarray) {
+ chomp $_[0];
+ push @{$stderr}, $_[0];
+ }
+ elsif ( $args->{verbose} ) {
+ $print->( 'stderr', $_[0] );
+ }
+ }
+ );
+ } or fatal( "failed to run `$cmd_string`", $EVAL_ERROR );
+
+ $run->finish();
+
+ if ( $run->result() != 0 ) {
+ fatal( "`$cmd_string` exited with exit code " . $run->result() );
+ }
+
+ return $wantarray
+ ? ( $stdout, $stderr )
+ : 1;
+}
+
+sub fatal {
+ my ( $message, $cause ) = @_;
+
+ die Error->new( $message, $cause );
+}
+
+package Error;
+
+use overload (
+ q{""} => sub {
+ my ($self) = @_;
+
+ return defined $self->{cause}
+ ?
"$self->{message}: $self->{cause}" + : $self->{message}; + }, + fallback => 1, +); + +sub new { + my ( $class, $message, $cause ) = @_; + + return bless { + message => $message, + cause => $cause, + }, $class; +} + +package main; + +=pod + +=encoding utf-8 + +=head1 NAME + +C - Generate a PKI for the Net-SSLeay test suite + +=head1 VERSION + +This document describes version 1.92 of C. + +=head1 USAGE + + # With openssl >= 3.0.0-alpha7 in PATH, and a version of Net::SSLeay built + # against OpenSSL >= 3.0.0-alpha7 in PERL5LIB: + generate-test-pki \ + -c pki.cfg \ + -o pki-output-dir + +=head1 DESCRIPTION + +The Net-SSLeay test suite relies on a dummy X.509 public key infrastructure +(PKI). Occasionally, this PKI needs to be modified - for example, to add a +certificate with certain properties when writing a new test - but maintaining it +by hand is time-consuming, difficult, and error-prone. + +C simplifies maintenance of the PKI by generating it from +scratch using the OpenSSL command line utility, based on the structure defined +in a simple configuration file. The files it generates can then be used in +Net-SSLeay test scripts. + +=head1 DEPENDENCIES + +C requires at least version 3.0.0-alpha7 of the OpenSSL +command line utility to be present either in I as C or at the +path given by the B<-b> option (see L). Additionally, the first +occurrance of Net::SSLeay in I must be built against at least version +3.0.0-alpha7 of OpenSSL. + +LibreSSL is not supported, since its command line utility lacks some of the +functionality relied on by this program. + +=head1 OPTIONS + +C accepts the following command line options: + +=over 4 + +=item * + +B<-b I>, B<--openssl-binary=I>: the path to the OpenSSL binary to +invoke when performing PKI generation operations. Defaults to C (i.e. +the first occurrence of C in I). + +=item * + +B<-c I>, B<--config=I>: the path to the configuration file defining +the PKI to generate. See L for a description of the expected +format. 
+
+=item *
+
+B<-o I>, B<--output=I>: the path to the directory to which the PKI's
+files (see L) will be written. The directory must already exist.
+Existing files whose names collide with files written by this program will be
+overwritten without warning; other existing files will be left alone.
+
+=item *
+
+B<-v>, B<--verbose>: show the output of C and
+C when they are invoked.
+
+=back
+
+=head1 CONFIGURATION
+
+The configuration file is an anonymous Perl hash whose keys define the names of
+the PKI's entities and whose values define each entity's properties:
+
+ {
+ 'entity-name' => {
+ 'key' => { ... }, # Private key properties
+ 'csr' => { ... }, # Certificate signing request (CSR) properties
+ 'cert' => { ... }, # Certificate properties
+ 'pkcs12' => { ... }, # PKCS#12 archive properties
+ 'crl' => { ... }, # Certificate revocation list (CRL) properties
+ # (optional; for CA entities only)
+ },
+ ...
+ }
+
+=head2 key
+
+An anonymous hash defining properties relating to the entity's private key.
+
+Valid keys:
+
+=over 4
+
+=item *
+
+B: the public key algorithm to use when generating the private key.
+Must be one of C, C, C, C, C, C, or
+C.
+
+=item *
+
+B: the passphrase under which to encrypt the private key. Used only
+when generating encrypted forms of the key.
+
+=item *
+
+B: the size of the public key to generate, in bits. Used only when
+B is C, C, or C.
+
+=back
+
+=head2 csr
+
+An anonymous hash defining properties relating to the entity's PKCS#10
+certificate signing request (CSR). The value of the B key in L
+will be used to generate a subject name for the CSR.
+
+Valid keys:
+
+=over 4
+
+=item *
+
+B: the message digest algorithm used to sign the CSR. May be any
+value supported by C; commonly-supported values include C,
+C, and C.
+
+=back
+
+=head2 cert
+
+An anonymous hash defining properties relating to the entity's X.509 v3
+certificate.
+
+Valid keys:
+
+=over 4
+
+=item *
+
+B: optional; an anonymous hash defining the X.509 v3 extensions that
+should be specified in the certificate. Keys are expected to be extension field
+names as they appear in L, and values are expected to be
+either strings or anonymous arrays of strings (whose elements will be
+concatenated and delimited with commas), e.g.:
+
+ {
+ basicConstraints => 'critical,CA:false',
+ certificatePolicies => [ '1.2.3', '4.5.6' ], # Becomes '1.2.3,4.5.6'
+ }
+
+=item *
+
+B: a top-level key denoting the entity that should sign this
+certificate. If undefined, the entity's certificate will be self-signed.
+
+=item *
+
+B: the message digest algorithm used to sign the certificate. May
+be any value supported by C; commonly-supported values include
+C, C, and C.
+
+=item *
+
+B: a string describing the purpose of the certificate. The value given
+here will define reasonable values for the I, I,
+I, and/or I X.509 v3 extension fields.
+Must be one of C, C, C, C, or C (in which
+case no default values will be defined for any of the aforementioned fields,
+allowing for complete control of the fields that appear in the certificate via
+the B key).
+
+=item *
+
+B: optional; the reason for revoking the certificate. Must be one
+of C, C, C,
+C, C, C, or C.
+
+=item *
+
+B: optional; a timestamp string in I format
+denoting the time at which the certificate was revoked, in the UTC time zone.
+Must be specified if B is specified.
+
+=item *
+
+B: a decimal integer denoting the certificate's serial number. Must be
+unique among the serial numbers of all certificates issued by the entity given
+in B.
+
+=item *
+
+B: an anonymous array denoting the certificate's subject name; elements
+are expected to alternate between field names in either short or long format and
+values for those fields, e.g.:
+
+ [
+ C => 'PL',
+ O => 'Net-SSLeay',
+ OU => 'Test Suite',
+ commonName => 'test.net-ssleay.example',
+ ]
+
+The order of the fields is preserved when generating the Distinguished Name
+string.
+
+=item *
+
+B: a timestamp string in I format denoting the
+time from which the certificate is valid, in the UTC time zone.
+
+=item *
+
+B: a timestamp string in I format denoting the
+time until which the certificate is valid, in the UTC time zone.
+
+=back
+
+=head2 pkcs12
+
+An anonymous hash defining properties relating to the entity's PKCS#12 archives.
+
+Valid keys:
+
+=over 4
+
+=item *
+
+B: the passphrase under which to encrypt the private key stored in
+the archive. Used only when generating archives that contain encrypted forms of
+the private key.
+
+=back
+
+=head2 crl
+
+An anonymous hash defining properties relating to the entity's certificate
+revocation list (CRL). Only used when the entity is a certificate authority and
+at least one of the certificates it issues requires revocation.
+
+Valid keys:
+
+=over 4
+
+=item *
+
+B: a timestamp string in I format denoting the
+time at which the CRL was last updated, in the UTC time zone.
+
+=item *
+
+B: the message digest algorithm used to sign the CRL. May be any
+value supported by C; commonly-supported values include C,
+C, and C.
+
+=item *
+
+B: a timestamp string in I format denoting the
+time at which the CRL is next expected to be updated, in the UTC time zone.
+
+=item *
+
+B: a decimal integer denoting the CRL number.
+
+=back
+
+=head1 OUTPUT
+
+For each entity I declared in the configuration file, C
+ensures the following set of files exists:
+
+=over 4
+
+=item *
+
+B: a private key in PEM format. Will not be generated if it already
+exists; the key in the existing file will be used instead.
+
+=item *
+
+B: the file above, encrypted with AES-128 using the passphrase
+given in the configuration file (see L).
+
+=item *
+
+B: B in DER format.
+
+=item *
+
+B: the file above, encrypted with AES-128 using the passphrase
+given in the configuration file (see L).
+
+=item *
+
+B: a certificate signing request in PEM format.
+
+=item *
+
+B: the file above in DER format.
+
+=item *
+
+B: a certificate in PEM format, signed by the entity given in the
+configuration file (see L).
+
+=item *
+
+B: the file above in DER format.
+
+=item *
+
+B: the output of
+C. C
+is a Net-SSLeay example script whose output is used by the test suite to verify
+the correct operation of various libssl certificate information functions.
+
+=item *
+
+B: the certificate chain in PEM format, starting with
+I's certificate and ending with the root CA certificate.
+
+=item *
+
+B: the file above, with certificates in DER format.
+
+=item *
+
+B: a PKCS#12 archive containing a private key and a certificate.
+
+=item *
+
+B: the file above, with the private key encrypted with AES-128 using
+the passphrase given in the configuration file (see L).
+
+=item *
+
+B: a PKCS#12 archive containing a private key and a certificate
+chain starting with I's certificate and ending with the root CA certificate.
+
+=item *
+
+B: the file above, with the private key encrypted with
+AES-128 using the passphrase given in the configuration file (see
+L).
+
+=back
+
+Additionally, for entities that sign and then revoke at least one certificate,
+C outputs the following files:
+
+=over 4
+
+=item *
+
+B: a certificate revocation list (version 2) in PEM format.
+
+=item *
+
+B: the file above in DER format.
+
+=back
+
+=head1 DIAGNOSTICS
+
+C outputs a diagnostic message to stderr and immediately
+exits with exit code 1 if an error occurs. Error messages listed below indicate
+invalid input or a problem with the state of the system that can usually be
+fixed.
Error messages not listed below are internal and should never be
+encountered under normal operation; please report any occurrences of such errors
+as bugs (see L).
+
+=over
+
+=item B
+does not exist>
+
+The PKI configuration file at I, as specified by the B<-c> command line
+option (or C in the same directory as C if a value
+for B<-c> was not specified), does not exist. Ensure C exists, or
+speicify an alternative path with B<-c I>.
+
+=item B
+
+The B<-o> option is compulsory, and has no default value. Pass the path to a
+directory in which the output files described in L should be written
+with B<-o I>.
+
+=item B does
+not exist>
+
+C does not attempt to create the directory at the path given
+by the B<-o> option; it must already exist and be writable.
+
+=item B: I>
+
+The configuration file at I could not be loaded because of I,
+which is probably an OS-level error. Ensure the file at I is readable.
+
+=item B>
+
+The configuration file could not be parsed because of I, which is likely
+a Perl syntax error. Ensure the configuration file is valid Perl and meets the
+specification given in L.
+
+=item B>
+
+C attempted to check the version of the OpenSSL command line
+utility currently in use by invoking C, and expected it to exit
+with exit code 0 (indicating success) but it actually exited with exit code I
+(indicating failure). Check that the first occurrence of C in I
+is in fact the OpenSSL command line utility, then run C with
+the B<-v> option to see the full output from C, which may help
+diagnose the problem further.
+
+=item B
+
+C attempted to check the version of the OpenSSL command line
+utility currently in use by invoking C, but its output was
+inconsistent with the output format known to be used by OpenSSL.
Check that the
+first occurrence of C in I is in fact the OpenSSL command line
+utility (and not the LibreSSL command line utility), then run
+C with the B<-v> option to see the full output from
+C, which may help diagnose the problem further.
+
+=item B= I required,
+but `openssl` is version I>
+
+C relies on features of the OpenSSL command line utility that
+were added in version I, but the first occurrence of C in
+I is version I, which is insufficient. It may be necessary to compile
+a newer version of OpenSSL from the source code and prepend the directory
+containing the command line utility to I in order to solve this problem.
+
+=item B>
+
+C attempted to check the version of OpenSSL that Net::SSLeay
+is built against, but was unable to import Net::SSLeay because of I.
+Ensure the first occurrence of Net::SSLeay in I can be imported by
+Perl.
+
+=item B
+
+C relies on features of Net::SSLeay that are only available
+when it is built against OpenSSL, but the first occurrence of Net::SSLeay in
+I is built against LibreSSL. Rebuild Net::SSLeay against OpenSSL and
+ensure the rebuilt version is the first occurrence of Net::SSLeay in
+I.
+
+=item B= I, but it is built against version I>
+
+C relies on features of Net::SSLeay that are only available
+when it is built against OpenSSL version I, but the first occurrence of
+Net::SSLeay in I is built against OpenSSL I. Rebuild Net::SSLeay
+against a newer version OpenSSL - ideally the same version as the OpenSSL
+command line utility - and ensure the rebuilt version is the first occurrence of
+Net::SSLeay in I.
+
+=item B>
+
+C attempted to create a directory to store some temporary
+files that are necessary to generate the output files, but was unable to create
+the directory because of I (which is probably an OS-level error). Ensure
+the system's temporary directory is writable.
+
+=item B': issuer 'I' is not
+defined>
+
+The configuration file defines an entity I whose issuer (per the the value of
+its C<{cert}-E{issuer}> key) does not exist. Check that I is not
+misnamed and that the value of C<{cert}-E{issuer}> for I is correct.
+
+=item B.key.pem': missing key algorithm>
+
+The configuration file defines an entity I with no value for
+C<{key}-E{algorithm}>. See L for a list of acceptable values.
+
+=item B.key.pem': unknown key algorithm 'I'>
+
+The configuration file defines an entity I with the value I for
+C<{key}-E{algorithm}>, but this is not a known public key algorithm. See
+L for a list of acceptable values.
+
+=item B.key.pem': key algorithm 'I' requires
+a key size>
+
+The configuration file defines an entity I with the value I for
+C<{key}-E{algorithm}>, but I requires a key size to be defined
+in C<{key}-E{size}>. Define a valid key size for this entity's private key.
+See L for more information.
+
+=item B.csr.pem': invalid key/value pair given in
+subject>
+
+The configuration file defines an entity I with at least one undefined
+element in its value for C<{cert}-E{subject}>. Undefined elements cannot be
+stringified, so the subject could not be transformed into a Distinguished Name
+string. See L for more information of the expected format for
+C<{cert}-E{subject}>.
+
+=item B.csr.pem': missing message digest algorithm>
+
+The configuration file defines an entity I with no value for
+C<{csr}-E{md_algorithm}>. See L for possible values.
+
+=item B.cert.pem': valid_from: invalid timestamp>
+
+The configuration file defines an entity I with an invalid timestamp for its
+value of C<{cert}-E{valid_from}>. See L for more information on the
+expected timestamp format.
+
+=item B.cert.pem': valid_until: invalid timestamp>
+
+The configuration file defines an entity I with an invalid timestamp for its
+value of C<{cert}-E{valid_to}>. See L for more information on the
+expected timestamp format.
+
+=item B.cert.pem': missing message digest algorithm>
+
+The configuration file defines an entity I with no value for
+C<{cert}-E{md_algorithm}>. See L for possible values.
+
+=item B.cert.pem': could not create directory I:
+I>
+
+C attempted to create a temporary directory at I to
+store intermediate files that are necessary to generate I's certificate, but
+was unable to do so because of I, which is probably an OS-level error.
+Ensure the system's temporary directory is writable.
+
+=item B.cert.pem': could not write serial file I:
+I>
+
+C attempted to write an intermediate file to I (a
+subdirectory of a temporary directory it created earlier) that is necessary to
+generate I's certificate, but was unable to do so because of I, which
+is probably an OS-level error. Ensure the system's temporary directory is
+writable.
+
+=item B.cert.dump': could not write I: I>
+
+C attempted to write information about I's certificate to
+the file at I, but was unable to do so because of I, which is
+probably an OS-level error. Ensure the file at I is writable.
+
+=item B.cert.dump': could not run
+examples/x509_cert_details.pl: I>
+
+C attempted to invoke the Perl script
+C (part of the Net-SSLeay source distribution) to
+produce an output file containing information about I's certificate, but was
+unable to invoke the script because of I. Ensure that the script is
+located at C<../examples/x509_cert_details.pl> relative to the path to
+C, that it can be executed given the values of I and
+I that are inherited by C, and that a suitable
+version of Net::SSLeay is present in I (see L for more
+information).
+
+=item B.cert.dump': examples/x509_cert_details.pl
+exited with exit code I>
+
+C invoked the Perl script C
+(part of the Net-SSLeay source distribution) to produce an output file
+containing information about I's certificate, and expected it to exit
+with exit code 0 (indicating success) but it actually exited with exit code I
+(indicating failure).
Run C with the B<-v> option to see the
+full output from C, which may help diagnose the
+problem further.
+
+=item B.certchain.pem': could not write certificate
+chain file I: I>
+
+=item B.certchain.der': could not write certificate
+chain file I: I>
+
+C attempted to concatenate the certificates in I's issuer
+chain (in either format) and write them to I, but was unable to do so
+because of I, which is probably an OS-level error. Ensure the file at
+I is writable.
+
+=item B.certchain.pem': could not read certificate file
+I: I>
+
+=item B.certchain.der': could not read certificate file
+I: I>
+
+C attempted to read a certificate in I's issuer chain (in
+either format) at I, but was unable to do so because of I, which
+is probably an OS-level error. Ensure the file at I is readable.
+
+=item B.crl.pem': could not create directory I:
+I>
+
+C attempted to create a temporary directory at I to
+store intermediate files that are necessary to generate I's CRL, but was
+unable to do so because of I, which is probably an OS-level error.
+Ensure the system's temporary directory is writable.
+
+=item B.crl.pem': could not read database file I:
+I>
+
+When revoking a certificate, C looks up the certificate's
+serial number in its issuing entity's database file, which is created by OpenSSL
+in a temporary directory created earlier by C. It was unable
+to read this file on this occasion because of I, which is probably an
+OS-level error. Ensure the system's temporary directory is readable.
+
+=item B.crl.pem': could not write database file
+I: I>
+
+To revoke a certificate, C updates the certificate's entry in
+its issuing entity's database file, which is created by OpenSSL in a temporary
+directory created earlier by C. It was unable to update the
+file on this occasion because of I, which is probably an OS-level error.
+Ensure the system's temporary directory is writable.
+
+=item B.crl.pem': could not write CRL number file
+I: I>
+
+When revoking a certificate, C stores the CRL number for the
+CRL it outputs in a file in a temporary directory it created earlier. It was
+unable to write this file on this occasion because of I, which is
+probably an OS-level error. Ensure the system's temporary directory is writable.
+
+=item B.certchain.p12': could not create directory
+I: I>
+
+=item B.certchain.enc.p12': could not create directory
+I: I>
+
+When generating a PKCS#12 archive containing multiple certificates,
+C concatenates the certificates and writes them to a file in
+a temporary directory it creates before passing the path to that file in a
+command line option to C. It was unable to create the temporary
+directory on this occasion because of I, which is probably an OS-level
+error. Ensure the system's temporary directory is writable.
+
+=item B>
+
+=item B': failed to run `openssl I`:
+I>
+
+C attempted to invoke the OpenSSL command line utility, but
+failed to spawn a new process because of I, which is probably an
+OS-level error.
+
+=item B': `openssl I` failed with exit code
+I>
+
+C attempted to generate an output file by invoking the
+OpenSSL command line utility, and expected it to exit with exit code 0
+(indicating success) but it actually exited with exit code I (indicating
+failure). Check that the PKI defined in the configuration file is sensible, then
+run C with the B<-v> option to see the full output from
+C.
+
+=back
+
+=head1 LIMITATIONS
+
+Although its interface is almost identical to the OpenSSL command line utility,
+C is incompatible with the LibreSSL command line utility,
+since it relies on features currently only found in the OpenSSL command line
+utility.
+
+Only limited error checking is performed on the configuration file; in
+particular, C will not always complain if required keys are
+missing.
It is recommended to run the program with the B<-v> option after
+editing the configuration file to ensure C is being invoked as
+expected.
+
+Entities can have their certificates issued by one and only one entity;
+cross-signed certificates cannot currently be generated.
+
+The uniqueness of serial numbers among the certificates signed by any given
+issuer is not enforced, and duplication will likely cause odd output from
+C and breakage when certificates are revoked. Care should be
+taken when editing serial numbers in the configuration file.
+
+While as much effort as possible has been put into generating output files
+deterministically, C will still generate different private
+keys and PKCS#12 archives on every invocation, even when the PKI configuration
+file has not changed between invocations. C will avoid
+overwriting the private key for an entity if one already exists, but cannot
+recreate a private key that has been deleted. PKCS#12 archives cannot be
+generated deterministically because the PKCS#12 file format uses salts and IVs
+that the OpenSSL command line utiltity randomly generates on each invocation.
+
+=head1 SEE ALSO
+
+The man pages for the OpenSSL command line utility subcommands invoked by
+C: L, L,
+L, L, L, and
+L.
+
+=head1 BUGS
+
+If you encounter a problem with this program that you believe is a bug, please
+L
+in the Net-SSLeay GitHub repository. Please make sure your bug report includes
+the following information:
+
+=over
+
+=item *
+
+the list of command line options passed to C;
+
+=item *
+
+the full configuration file given by the C<-c> command line option;
+
+=item *
+
+the full output of C;
+
+=item *
+
+your operating system name and version;
+
+=item *
+
+the output of C;
+
+=item *
+
+the version of Net-SSLeay you are using;
+
+=item *
+
+the version of OpenSSL you are using.
+
+=back
+
+=head1 AUTHORS
+
+Originally written by Chris Novakovic.
+
+Maintained by Chris Novakovic, Tuure Vartiainen and Heikki Vatiainen.
+
+=head1 COPYRIGHT AND LICENSE
+
+Copyright 2020- Chris Novakovic .
+
+Copyright 2020- Tuure Vartiainen .
+
+Copyright 2020- Heikki Vatiainen .
+
+This module is released under the terms of the Artistic License 2.0. For
+details, see the C file distributed with Net-SSLeay's source code.
+
+=cut
+
+__DATA__
+#-----------------------------------------------------------------------
+# openssl req
+#-----------------------------------------------------------------------
+
+[ req ]
+utf8 = yes
+string_mask = utf8only
+prompt = no
+distinguished_name = req_dn
+
+[ req_dn ]
+# This section is intentionally left blank - distinguished_name must be
+# defined in the [ req ] section, but the distinguished name is actually
+# specified in the -subj option to `openssl req`
+
+#-----------------------------------------------------------------------
+# openssl ca
+#-----------------------------------------------------------------------
+
+[ ca_conf ]
+database = {{ database_path }}
+serial = {{ serial_path }}
+new_certs_dir = {{ certs_path }}
+unique_subject = no
+email_in_dn = yes
+default_days = 3650
+policy = ca_policy
+crlnumber = {{ crl_number_path }}
+crl_extensions = crlexts
+
+[ ca_policy ]
+domainComponent = optional
+countryName = optional
+organizationName = optional
+organizationalUnitName = optional
+dnQualifier = optional
+stateOrProvinceName = optional
+commonName = optional
+serialNumber = optional
+localityName = optional
+title = optional
+name = optional
+givenName = optional
+initials = optional
+pseudonym = optional
+generationQualifier = optional
+emailAddress = optional
+
+[ exts_ca ]
+keyUsage = critical,keyCertSign,cRLSign
+basicConstraints = critical,CA:true
+subjectKeyIdentifier = hash
+{{ extensions }}
+
+[ exts_server ]
+keyUsage = critical,digitalSignature,keyEncipherment
+extendedKeyUsage = serverAuth,clientAuth
+subjectKeyIdentifier = hash
+{{ extensions }}
+
+[ exts_client ]
+keyUsage = critical,digitalSignature
+extendedKeyUsage = clientAuth
+subjectKeyIdentifier = hash
+{{ extensions }}
+
+[ exts_email ]
+keyUsage = critical,digitalSignature,keyEncipherment
+extendedKeyUsage = emailProtection,clientAuth
+subjectKeyIdentifier = hash
+{{ extensions }}
+
+[ exts_custom ]
+{{ extensions }}
+
+[ crlexts ]
+# This section is intentionally left blank - if crl_extensions is
+# defined in the [ ca_conf ] section (even if it is empty), OpenSSL
+# writes a V2 CRL instead of a V1 CRL
diff --git a/cpan/Net-SSLeay/helper_script/pki.cfg b/cpan/Net-SSLeay/helper_script/pki.cfg
new file mode 100644
index 000000000000..dd6e9be7d918
--- /dev/null
+++ b/cpan/Net-SSLeay/helper_script/pki.cfg
@@ -0,0 +1,412 @@
+{
+ 'extended-cert' => {
+ key => {
+ algorithm => 'rsa',
+ passphrase => 'test',
+ size => 2048,
+ },
+
+ csr => {
+ md_algorithm => 'sha256',
+ },
+
+ cert => {
+ issuer => 'intermediate-ca',
+ md_algorithm => 'sha256',
+ purpose => 'custom',
+ serial => 2,
+ valid_from => '2020-01-01 00:00:00',
+ valid_until => '2038-01-01 00:00:00',
+
+ subject => [
+ # RFC 5280 section 4.1.2.4 "MUST recognise" RDN attribute types:
+ C => 'PL',
+ O => 'Net-SSLeay',
+ OU => 'Test Suite',
+ dnQualifier => 'net-ssleay.example',
+ ST => 'State',
+ CN => 'John Doe',
+ serialNumber => 1234,
+ # RFC 5280 section 4.1.2.4 "SHOULD recognise" RDN attribute types:
+ L => 'Locality',
+ title => 'Mr.',
+ SN => 'Doe',
+ GN => 'John',
+ initials => 'JD',
+ pseudonym => 'John Q. Public',
+ generationQualifier => 'Sr.',
+ # Recommended by RFC 2985 section 3; deprecated, but still used
+ emailAddress => 'john.doe@net-ssleay.example',
+ ],
+
+ extensions => {
+ authorityInfoAccess => [
+ 'OCSP;URI:http://ocsp.intermediate-ca.net-ssleay.example',
+ 'caIssuers;URI:http://issuers.intermediate-ca.net-ssleay.example',
+ ],
+ authorityKeyIdentifier => 'keyid,issuer',
+ basicConstraints => 'critical,CA:false',
+ certificatePolicies => [
+ # These OIDs are deliberately invalid
+ '1.2.3.4.5',
+ '2.3.4.5.6',
+ ],
+ crlDistributionPoints => [
+ 'URI:http://intermediate-ca.net-ssleay.example/crl1.crl',
+ 'URI:http://intermediate-ca.net-ssleay.example/crl2.crl',
+ ],
+ extendedKeyUsage => [
+ 'critical',
+ 'serverAuth',
+ 'clientAuth',
+ 'codeSigning',
+ 'emailProtection',
+ 'timeStamping',
+ 'OCSPSigning',
+ 'ipsecIKE',
+ 'msCodeInd',
+ 'msCodeCom',
+ 'msCTLSign',
+ 'msEFS',
+ # 1.3.6.1.5.5.7.3.13 = id-kp-eapOverPPP
+ '1.3.6.1.5.5.7.3.13',
+ # 1.3.6.1.5.5.7.3.14 = id-kp-eapOverLAN
+ '1.3.6.1.5.5.7.3.14',
+ ],
+ issuerAltName => [
+ 'email:intermediate-ca@net-ssleay.example',
+ 'URI:http://intermediate-ca.net-ssleay.example',
+ 'DNS:intermediate-ca.net-ssleay.example',
+ 'RID:1.2.0.0',
+ 'IP:192.168.0.1',
+ 'IP:fd25:f814:afb5:9873::1',
+ # 1.2.840.113549.1.9.1 = emailAddress
+ 'otherName:1.2.840.113549.1.9.1;UTF8:ica@net-ssleay.example',
+ ],
+ keyUsage => [
+ 'digitalSignature',
+ 'nonRepudiation',
+ 'keyEncipherment',
+ 'dataEncipherment',
+ 'keyAgreement',
+ 'keyCertSign',
+ 'cRLSign',
+ 'decipherOnly',
+ ],
+ subjectAltName => [
+ 'email:john.doe@net-ssleay.example',
+ 'URI:http://johndoe.net-ssleay.example',
+ 'DNS:johndoe.net-ssleay.example',
+ 'RID:1.2.3.4',
+ 'IP:192.168.0.2',
+ 'IP:fd25:f814:afb5:9873::2',
+ # 1.2.840.113549.1.9.1 = emailAddress
+ 'otherName:1.2.840.113549.1.9.1;UTF8:jd@net-ssleay.example',
+ ],
+ subjectKeyIdentifier => 'hash',
+ },
+ },
+
+ pkcs12 => {
+ passphrase => 'test',
+ },
+ },
+
+ 'intermediate-ca' => {
+ key => {
+ algorithm => 'rsa',
+ passphrase => 'test',
+ size => 2048,
+ },
+
+ csr => {
+ md_algorithm => 'sha256',
+ },
+
+ cert => {
+ issuer => 'root-ca',
+ md_algorithm => 'sha256',
+ purpose => 'ca',
+ serial => 2,
+ valid_from => '2020-01-01 00:00:00',
+ valid_until => '2038-01-01 00:00:00',
+
+ subject => [
+ C => 'PL',
+ O => 'Net-SSLeay',
+ OU => 'Test Suite',
+ CN => 'Intermediate CA',
+ ],
+ },
+
+ pkcs12 => {
+ passphrase => 'test',
+ },
+
+ crl => {
+ last_update => '2020-07-01 00:00:00',
+ md_algorithm => 'sha256',
+ next_update => '2020-07-08 00:00:00',
+ number => 1,
+ },
+ },
+
+ 'revoked-cert' => {
+ key => {
+ algorithm => 'rsa',
+ passphrase => 'test',
+ size => 2048,
+ },
+
+ csr => {
+ md_algorithm => 'sha256',
+ },
+
+ cert => {
+ issuer => 'intermediate-ca',
+ md_algorithm => 'sha256',
+ purpose => 'server',
+ revoke_reason => 'keyCompromise',
+ revoke_time => '2020-06-06 06:06:06',
+ serial => 5,
+ valid_from => '2020-01-01 00:00:00',
+ valid_until => '2038-01-01 00:00:00',
+
+ subject => [
+ C => 'PL',
+ O => 'Net-SSLeay',
+ OU => 'Test Suite',
+ CN => 'revoked-cert.net-ssleay.example',
+ ],
+ },
+
+ pkcs12 => {
+ passphrase => 'test',
+ },
+ },
+
+ 'root-ca' => {
+ key => {
+ 
algorithm => 'rsa', + passphrase => 'test', + size => 2048, + }, + + csr => { + md_algorithm => 'sha256', + }, + + cert => { + md_algorithm => 'sha256', + purpose => 'ca', + serial => 1, + valid_from => '2020-01-01 00:00:00', + valid_until => '2038-01-01 00:00:00', + + subject => [ + C => 'PL', + O => 'Net-SSLeay', + OU => 'Test Suite', + CN => 'Root CA', + ], + }, + + pkcs12 => { + passphrase => 'test', + }, + }, + + 'simple-cert' => { + key => { + algorithm => 'rsa', + passphrase => 'test', + size => 2048, + }, + + csr => { + md_algorithm => 'sha256', + }, + + cert => { + issuer => 'intermediate-ca', + md_algorithm => 'sha256', + purpose => 'server', + serial => 1, + valid_from => '2020-01-01 00:00:00', + valid_until => '2038-01-01 00:00:00', + + subject => [ + C => 'PL', + O => 'Net-SSLeay', + OU => 'Test Suite', + CN => 'simple-cert.net-ssleay.example', + ], + }, + + pkcs12 => { + passphrase => 'test', + }, + }, + + 'strange-cert' => { + key => { + algorithm => 'rsa', + passphrase => 'test', + size => 2048, + }, + + csr => { + md_algorithm => 'sha256', + }, + + cert => { + issuer => 'intermediate-ca', + md_algorithm => 'sha256', + purpose => 'server', + serial => 4, + valid_from => '2020-01-01 00:00:00', + valid_until => '2038-01-01 00:00:00', + + subject => [ + C => 'UA', + ST => 'ЛьвівÑька облаÑть', + O => 'abc D.E.F', + OU => q{START ! @ # $ % ^ & * ( ) , . - ? 
: _ / [ ] " ' | \ = + END}, + CN => 'strange-cert.net-ssleay.example', + ], + }, + + pkcs12 => { + passphrase => 'test', + }, + }, + + 'verify-ca' => { + key => { + algorithm => 'rsa', + passphrase => 'test', + size => 2048, + }, + + csr => { + md_algorithm => 'sha256', + }, + + cert => { + issuer => 'root-ca', + md_algorithm => 'sha256', + purpose => 'ca', + serial => 3, + valid_from => '2020-01-01 00:00:00', + valid_until => '2038-01-01 00:00:00', + + subject => [ + C => 'PL', + O => 'Net-SSLeay', + OU => 'Test Suite', + CN => 'Verification CA', + ], + + extensions => { + certificatePolicies => [ + # This OID is deliberately invalid + '1.2.3.4.5', + ], + }, + }, + + pkcs12 => { + passphrase => 'test', + }, + + crl => { + last_update => '2020-07-01 00:00:00', + md_algorithm => 'sha256', + next_update => '2020-07-08 00:00:00', + number => 1, + }, + }, + + 'verify-cert' => { + key => { + algorithm => 'rsa', + passphrase => 'test', + size => 2048, + }, + + csr => { + md_algorithm => 'sha256', + }, + + cert => { + issuer => 'verify-ca', + md_algorithm => 'sha256', + purpose => 'server', + serial => 1, + valid_from => '2020-01-01 00:00:00', + valid_until => '2038-01-01 00:00:00', + + subject => [ + C => 'PL', + O => 'Net-SSLeay', + OU => 'Test Suite', + CN => '*.johndoe.net-ssleay.example', + emailAddress => 'john.doe@net-ssleay.example', + ], + + extensions => { + certificatePolicies => [ + # This OID is deliberately invalid + '1.2.3.4.5', + ], + subjectAltName => [ + 'email:john.doe@net-ssleay.example', + 'DNS:*.johndoe.net-ssleay.example', + 'IP:192.168.0.3', + ], + }, + }, + + pkcs12 => { + passphrase => 'test', + }, + }, + + 'wildcard-cert' => { + key => { + algorithm => 'rsa', + passphrase => 'test', + size => 2048, + }, + + csr => { + md_algorithm => 'sha256', + }, + + cert => { + issuer => 'intermediate-ca', + md_algorithm => 'sha256', + purpose => 'server', + serial => 3, + valid_from => '2020-01-01 00:00:00', + valid_until => '2038-01-01 00:00:00', + + 
subject => [
+ C => 'PL',
+ O => 'Net-SSLeay',
+ OU => 'Test Suite',
+ CN => '*.net-ssleay.example',
+ ],
+
+ extensions => {
+ subjectAltName => [
+ 'DNS:*.net-ssleay.example',
+ ],
+ },
+ },
+
+ pkcs12 => {
+ passphrase => 'test',
+ },
+ },
+}
diff --git a/cpan/Net-SSLeay/helper_script/update-exported-constants b/cpan/Net-SSLeay/helper_script/update-exported-constants
new file mode 100644
index 000000000000..004f5bbd6dc0
--- /dev/null
+++ b/cpan/Net-SSLeay/helper_script/update-exported-constants
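Review bot: The `ST` value of the `strange-cert` subject renders as mojibake in this view (`'ЛьвівÑька облаÑть'`, which is what UTF-8 bytes look like when decoded as Latin-1); if that is the actual file content rather than a display artifact, the intended `'Львівська область'` should be stored once as UTF-8 and whatever evaluates this file must read it with a UTF-8 layer (or have `use utf8` in effect), otherwise the generated certificate's ST attribute carries double-encoded bytes and any test comparing against the readable string will not match. The remaining `strange-cert` subject values look intentionally odd, so a short comment on that entry naming its purpose would save the next reader a guess, e.g. `# Deliberately unusual subject values to exercise DN encoding and escaping`. A one-line header comment stating that the `passphrase => 'test'` values and the fixed 2020-2038 validity window are test-fixture settings, not a template, would also help; none of the entries currently say so.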
@@ -0,0 +1,808 @@ +#!/usr/bin/env perl + +use 5.008001; +use strict; +use warnings; + +use Cwd qw(abs_path); +use English qw( + $EVAL_ERROR $EXCEPTIONS_BEING_CAUGHT $OS_ERROR $RS -no_match_vars +); +use Fcntl qw(SEEK_SET); +use File::Basename qw(dirname); +use File::Spec::Functions qw(catfile); +use Getopt::Long qw(GetOptionsFromArray); +use POSIX qw(ceil); + +our $VERSION = '1.92'; + +local $SIG{__DIE__} = sub { + my ($cause) = @_; + + if ($EXCEPTIONS_BEING_CAUGHT) { + return; + } + + print STDERR $cause, "\n"; + + exit 1; +}; + +my ($args) = eval { parse_options(\@ARGV) } + or fatal( 'Failed to parse command line options', $EVAL_ERROR ); + +my @constants = eval { load_config( $args->{config} ) } + or fatal( 'Failed to load configuration file', $EVAL_ERROR ); + +my @perl_constants = sort map { $_->{exported_name} } @constants; + +eval { generate_constants_c( $args->{'constants-file'}, @constants ) } + or fatal( 'Failed to generate constants file', $EVAL_ERROR ); + +eval { generate_constants_test( $args->{'test-file'}, @perl_constants ) } + or fatal( 'Failed to generate constants test script', $EVAL_ERROR ); + +eval { update_module( $args->{'module-file'}, @perl_constants ) } + or fatal( 'Failed to update Net::SSLeay module file', $EVAL_ERROR ); + +eval { update_pod( $args->{'pod-file'}, @perl_constants ) } + or fatal( 'Failed to update Pod file', $EVAL_ERROR ); + + +sub dist_file { + my @path = @_; + + return abs_path( catfile( dirname(__FILE__), '..', @path ) ); +} + +sub parse_options { + my ($argv) = @_; + + my $opts = { + 'config' => dist_file( qw( helper_script constants.txt ) ), + 'constants-file' => dist_file( qw( constants.c ) ), + 'module-file' => dist_file( qw( lib Net SSLeay.pm ) ), + 'pod-file' => dist_file( qw( lib Net SSLeay.pod ) ), + 'test-file' => dist_file( qw( t local 21_constants.t ) ), + }; + + GetOptionsFromArray( + $argv, + $opts, + 'config|C=s', + 'constants-file|c=s', + 'module-file|m=s', + 'pod-file|p=s', + 'test-file|t=s', + ); + + if ( 
!-e $opts->{'config'} ) { + fatal("configuration file $opts->{config} does not exist"); + } + + if ( !-e $opts->{'module-file'} ) { + fatal("Net::SSLeay module file $opts->{'module-file'} does not exist"); + } + + if ( !-e $opts->{'pod-file'} ) { + fatal("Pod file $opts->{'pod-file'} does not exist"); + } + + return wantarray + ? ( $opts, $argv ) + : $opts; +} + +sub load_config { + my ($config_file) = @_; + + open my $fh, '<', $config_file + or fatal( $config_file, $OS_ERROR ); + + my @constants; + my $line_number = 0; + + while (<$fh>) { + $line_number++; + + # Trim leading and trailing space + s{^\s+|\s+$}{}g; + + # Skip empty lines and comments + next if m{^(?:\#.*)?$}; + + # Check whether the given constant name is likely to be a valid + # OpenSSL/LibreSSL constant name + if ( $_ !~ m{^[A-Za-z_][A-Za-z0-9_]*$} ) { + printf STDERR "%s:%d: badly-formatted constant name; skipping\n", + $config_file, $line_number; + + next; + } + + # Remove "SSL_" prefix from constant name, if present + ( my $exported_name = $_ ) =~ s{^SSL_}{}; + + push @constants, { + exported_name => $exported_name, + name => $_, + }; + } + + close $fh; + + return @constants; +} + +sub generate_constants_c { + my ( $file, @constants ) = @_; + + open my $fh, '>', $file + or fatal($OS_ERROR); + + print $fh data_section('constants_c_header'); + print $fh Net::SSLeay::ConstantsGenerator->C_constant( + { + breakout => ~0, + indent => 20, + }, + map { + { + name => $_->{exported_name}, + value => $_->{name}, + } + } + ( + # This constant name isn't defined by any libssl implementation - it + # is only intended to be used by the test script generated by this + # script to ensure that Net::SSLeay behaves as expected when a + # caller attempts to refer to an undefined constant + { + exported_name => '_NET_SSLEAY_TEST_UNDEFINED_CONSTANT', + name => '_NET_SSLEAY_TEST_UNDEFINED_CONSTANT', + }, + @constants, + ) + ); + + close $fh; + + printf "%s: generated\n", $file; + + return 1; +} + +sub 
generate_constants_test { + my ( $file, @constants ) = @_; + + open my $fh, '>', $file + or fatal($OS_ERROR); + + print $fh data_section( + 'constants_test', + { + constants => join( "\n", map { q{ } x 4 . $_ } @constants ), + # 1 dies_like() test for each constant + # 1 is() test for @EXPORT_OK + # 1 dies_like() test for undefined constant + tests => @constants + 2, + } + ); + + close $fh; + + printf "%s: generated\n", $file; + + return 1; +} + +sub update_content { + my ( $file, $start_match, $end_match, @replacement ) = @_; + + open my $fh, '<', $file + or fatal($OS_ERROR); + + my ( @file, $start, $end ); + + my $pos = 0; + while (<$fh>) { + push @file, $_; + + if ( !defined $start && $_ =~ $start_match ) { + $start = $pos; + } + elsif ( defined $start && !defined $end && $_ =~ $end_match ) { + $end = $pos; + } + + $pos++; + } + + close $fh; + + if ( !defined $start || !defined $end ) { + fatal('could not find start/end markers'); + } + + splice @file, $start + 1, max( 0, $end - $start - 1 ), @replacement; + + open $fh, '>', $file + or fatal($OS_ERROR); + + for (@file) { + print $fh $_; + } + + close $fh; + + return 1; +} + +sub update_module { + my ( $file, @constants ) = @_; + + eval { + update_content( + $file, + qr{^my \@constants = qw\(}, + qr{^\);}, + map { q{ } x 4 . "$_\n" } @constants + ) + } or do { + ( my $err = $EVAL_ERROR ) =~ s{start/end markers$}{\@constants declaration}; + fatal( $file, $err ); + }; + + printf "%s: updated\n", $file; + + return 1; +} + +sub format_constants { + my ( $list, $indent, $columns, $separator ) = @_; + + my $per_column = ceil( @$list / $columns ); + + my @columns = map + { [ splice @$list, 0, $per_column ] } + ( 0 .. $columns - 1 ); + + my @max_length = map + { max( map { length } @$_ ) } + @columns; + + my @formatted; + for my $row ( 0 .. $per_column - 1 ) { + my @row; + for ( 0 .. 
$columns - 1 ) { + my $this = $columns[$_]->[$row]; + my $left = $columns[ $_ - 1 ]->[$row]; + + next if !defined $this; + + my $gap = $_ == 0 + ? $indent + : $max_length[ $_ - 1 ] - length($left) + $separator; + + push @row, q{ } x $gap . $this; + } + push @formatted, join( '', @row ) . "\n"; + } + + return @formatted; +} + +sub update_pod { + my ( $file, @constants ) = @_; + + eval { + update_content( + $file, + qr{^=for start_constants$}, + qr{^=for end_constants$}, + ( "\n", format_constants( \@constants, 4, 2, 2 ), "\n" ) + ) + } or do { + ( my $err = $EVAL_ERROR ) =~ s{start/end markers$}{constants block}; + fatal( $file, $err ); + }; + + printf "%s: updated\n", $file; + + return 1; +} + +sub max { + my @numbers = @_; + + my $max = shift @numbers; + while ( defined( my $number = shift @numbers ) ) { + $max = $number if $number > $max; + } + + return $max; +} + +sub data_section { + my ( $section, $tmpl ) = @_; + + seek DATA, 0, SEEK_SET; + + my @content = (); + my $in_section; + + for () { + if ( my ($name) = $_ =~ m{^\[section:(\w+)\]\n} ) { + if ( $name eq $section ) { + $in_section = 1; + next; + } + elsif ($in_section) { + # Reached the section following the requested section + last; + } + } + + if ($in_section) { + s/\{\{\s*(\w+)\s*\}\}/defined $tmpl->{$1} ? $tmpl->{$1} : ''/eg; + push @content, $_; + } + } + + fatal("__DATA__ section '$section' not found") + if !$in_section; + + return join '', @content; +} + +sub fatal { + my ( $message, $cause ) = @_; + + die Error->new( $message, $cause ); +} + +package Net::SSLeay::ConstantsGenerator; + +use base 'ExtUtils::Constant::Base'; + +sub assignment_clause_for_type { + my ( $self, $args, $value ) = @_; + + return main::data_section( + 'assignment_clause_for_type', + { + value => $value, + } + ); +} + +sub C_constant_return_type { + my $ret = <<'END'; +#ifdef NET_SSLEAY_32BIT_CONSTANTS +static double +#else +static uint64_t +#endif +END + # Newline is automatically added, remove ours. 
+ chomp($ret); + return $ret; +} + +sub return_statement_for_notfound { + return main::data_section('return_statement_for_notfound'); +} + +package Error; + +use overload ( + q{""} => sub { + my ($self) = @_; + + return defined $self->{cause} + ? "$self->{message}: $self->{cause}" + : $self->{message}; + }, + fallback => 1, +); + +sub new { + my ( $class, $message, $cause ) = @_; + + return bless { + message => $message, + cause => $cause, + }, $class; +} + +package main; + +=pod + +=encoding utf-8 + +=head1 NAME + +C - Manage constants exported by Net::SSLeay + +=head1 VERSION + +This document describes version 1.92 of C. + +=head1 USAGE + + # Edit constants.txt to add or remove a libssl/libcrypto constant + + # Export the new list of constants in Net::SSLeay, document them, and test + # for their availability in the test suite: + update-exported-constants + +=head1 DESCRIPTION + +Net::SSLeay exports a number of constants defined by libssl and libcrypto. +Several time-consuming and error-prone steps must be performed whenever this set +of constants changes: each one must be recognised as a valid constant name by +Net::SSLeay's XS code, defined as an exportable symbol in Net::SSLeay's Perl +code, documented in Net::SSLeay's user documentation, and tested in the +Net::SSLeay test suite to ensure that referencing it either returns a defined +value or raises an exception depending on whether it is defined in the version +of OpenSSL or LibreSSL being used. + +C simplifies the process of changing the set of +exportable constants by automating it: it consumes a configuration file +containing a list of constants, and performs each of the steps above for each of +the constants listed in the file. + +=head1 DEPENDENCIES + +C requires Perl 5.8.1 or higher. + +=head1 OPTIONS + +C accepts the following command line options: + +=over 4 + +=item * + +B<-C I>, B<--config=I>: the path to a file defining the libssl and +libcrypto constants that Net::SSLeay should attempt to export. 
See +L for a description of the expected format. Defaults to +C, relative to the path to C. + +=item * + +B<-c I>, B<--constants-file=I>: the path at which to write the C +source file defining the C function; this file should be included by +C. If a file exists at the given path, it will be overwritten. +Defaults to C<../constants.c>, relative to the path to +C. + +=item * + +B<-m I>, B<--module-file=I>: the path to Net::SSLeay's source code; +the value of the C<@constants> array defined in this file will be overwritten. +Defaults to C<../lib/Net/SSLeay.pm>, relative to the path to +C. + +=item * + +B<-p I>, B<--pod-file=I>: the path to et::SSLeay's documentation; +the list of constants given in the L section of this file +will be overwritten. Defaults to C<../lib/Net/SSLeay.pod>, relative to the path +to C. + +=item * + +B<-t I>, B<--test-file=I>: the path at which to write the constant +autoloading test script. If a file exists at the given path, it will be +overwritten. Defaults to C<../t/local/21_constants.t>, relative to the path to +C. + +=back + +The above defaults ensure that C can be executed +from a directory containing the Net-SSLeay source code without needing to +specify any options. + +=head1 CONFIGURATION + +The configuration file is a plain text file containing libssl and libcrypto +constant names, one per line. Empty lines and lines beginning with C<#> are +ignored. + +libssl and libcrypto constants are C preprocessor macro names. +C checks that constant names given in the +configuration file appear to be valid macro names, and will output a +I warning on stderr whenever it +encounters a line in the configuration file that does not appear to be a valid +macro name. Since the set of valid constant names differs between versions of +OpenSSL and LibreSSL, it is not possible to validate that constant names listed +in the configuration file are in fact valid constant names for a particular +libssl or libcrypto version. 
+ +=head1 OUTPUT + +C generates the following files (overwriting any file +that already exists at that path): + +=over 4 + +=item * + +A C source file defining a function with the prototype +C. For a given constant name and length, +this function returns the value of the constant with the given name if it is +recognised as exportable by Net::SSLeay and exists in libssl/libcrypto, returns +C<0> and sets L to C if the constant is exportable but does not +exist in libssl/libcrypto, or returns C<0> and sets L to C if the +constant is not recognised as exportable by Net::SSLeay. This file is expected +to be Cd by C. + +=item * + +A Net::SSLeay test script that ensures each constant is exportable if it is +defined, or raises a specific exception if it is not. This test script is +expected to run as part of the standard Net::SSLeay test suite. + +=back + +C updates the following files (which therefore must +already exist and be writable): + +=over 4 + +=item * + +The source file for the Net::SSLeay module - the value of the C<@constants> +array defined in this file is overwritten with the new list of constants that +the module can export. + +=item * + +The Pod file documenting the Net::SSLeay module - the list of exportable +constants given in the L section of this file is +overwritten with the new list of constants that the module can export. + +=back + +=head1 DIAGNOSTICS + +C outputs a diagnostic message to stderr and +immediately exits with exit code 1 if an error occurs. Error messages listed +below indicate invalid input or a problem with the state of the system that can +usually be fixed. Error messages not listed below are internal and should never +be encountered under normal operation; please report any occurrences of such +errors as bugs (see L). 
+ +=over + +=item B does +not exist> + +The configuration file listing the constants to export, as specified by the +B<-C> command line option (or C in the same directory as +C if a value for B<-C> was not specified), does not +exist. Ensure C exists, or specify an alternative path with +B<-C I>. + +=item B +does not exist> + +C updates and overwrites the Net::SSLeay module file +specified by the B<-m> command line option (or C<../lib/Net/SSLeay.pm> relative +to the path to C if a value for B<-m> was not +specified), but a file could not be found at this path. Ensure +C<../lib/Net/SSLeay.pm> exists, or specify an alternative path with +B<-m I>. + +=item B does not exist> + +C updates and overwrites the Pod file containing the +Net::SSLeay documentation at the path specified by the B<-p> command line option +(or C<../lib/Net/SSLeay.pod> relative to the path to +C if a value for B<-p> was not specified), but a file +could not be found at this path. Ensure C<../lib/Net/SSLeay.pod> exists, or +specify an alternative path with B<-p I>. + +=item B> + +The configuration file could not be loaded because of I, which is +probably an OS-level error. Ensure the path given by the B<-C> option, or the +default path if B<-C> was not specified, is readable. + +=item B> + +The constants C source file could not be written because of I, which is +probably an OS-level error. Ensure that the path given by the B<-c> option, or +the default path if B<-c> was not specified, is writable. + +=item B> + +The constants test script could not be written because of I, which is +probably an OS-level error. Ensure that the path given by the B<-t> option, or +the default path if B<-t> was not specified, is writable. + +=item B + +The Net::SSLeay module file was read, but an updated constants list could not be +written to it because the definition of the C<@constants> array could not be +found. 
C expects this array to be defined with the +following syntax: + + my @constants = qw( + # + ); + +Ensure the C<@constants> array is defined in this way in the Net::SSLeay module. + +=item B> + +The Net::SSLeay module file could not be either read or written because of +I, which is probably an OS-level error. Ensure that the path given by +the B<-m> option, or the default path if B<-m> was not specified, is both +readable and writable. + +=item B + +The Net::SSLeay documentation file was read, but an updated constants list could +not be written to it because the Pod code block listing the constants could not +be found. C expects this block to be surrounded by +the following Pod commands: + + =for start_constants + + + + =for end_constants + +Ensure the constants list is defined in this way in the documentation. + +=item B> + +The Net::SSLeay documentation file could not be either read or written because +of I, which is probably an OS-level error. Ensure that the path given by +the B<-p> option, or the default path if B<-p> was not specified, is both +readable and writable. + +=back + +=head1 LIMITATIONS + +Net::SSLeay currently returns the values of libssl and libcrypto constants as +double-precision floating-point numbers, regardless of the data type of the +underlying constant as it is defined by OpenSSL and/or LibreSSL; the C source +file generated by C therefore defines a function +C with the return type C. While all constants currently +exported by Net::SSLeay can be stored in this way without loss of precision, +this may not necessarily be the case for all constants defined by libssl and +libcrypto, either now or in the future. + +=head1 SEE ALSO + +The man pages for OpenSSL and LibreSSL, which describe the constants they define +(and therefore the constants that may be exported by Net::SSLeay). + +=head1 BUGS + +If you encounter a problem with this program that you believe is a bug, please +L +in the Net-SSLeay GitHub repository. 
Please make sure your bug report includes +the following information: + +=over + +=item * + +the list of command line options passed to C; + +=item * + +the full configuration file given by the B<-C> command line option (or the +default configuration file if B<-C> was not specified); + +=item * + +the full output of C; + +=item * + +your operating system name and version; + +=item * + +the output of C; + +=item * + +the version of Net-SSLeay you are using. + +=back + +=head1 AUTHORS + +Originally written by Chris Novakovic. + +Maintained by Chris Novakovic, Tuure Vartiainen and Heikki Vatiainen. + +=head1 COPYRIGHT AND LICENSE + +Copyright 2021- Chris Novakovic . + +Copyright 2021- Tuure Vartiainen . + +Copyright 2021- Heikki Vatiainen . + +This module is released under the terms of the Artistic License 2.0. For +details, see the C file distributed with Net-SSLeay's source code. + +=cut + +__DATA__ +[section:constants_c_header] +/* + * This file is automatically generated - do not manually modify it. + * + * To add or remove a constant, edit helper_script/constants.txt, then run + * helper_script/update-exported-constants. + */ + +[section:assignment_clause_for_type] + +#ifdef {{ value }} + return {{ value }}; +#else + goto not_there; +#endif +[section:return_statement_for_notfound] + + errno = EINVAL; + return 0; + +not_there: + errno = ENOENT; + return 0; +[section:constants_test] +# This file is automatically generated - do not manually modify it. +# +# To add or remove a constant, edit helper_script/constants.txt, then run +# helper_script/update-exported-constants. 
+ +use lib 'inc'; + +use Net::SSLeay; +use Test::Net::SSLeay qw(dies_like); + +# We rely on symbolic references in the dies_like() tests: +no strict 'refs'; + +plan tests => {{ tests }}; + +my @constants = qw( +{{ constants }} +); + +my %exported = map { $_ => 1 } @Net::SSLeay::EXPORT_OK; +my @missing; + +for my $c (@constants) { + dies_like( + sub { "Net::SSLeay::$c"->(); die "ok\n"; }, + qr/^(?:ok\n$|Your vendor has not defined SSLeay macro )/, + "constant is exported or not defined: $c" + ); + push @missing, $c if !exists $exported{$c}; +} + +is( + join( q{,}, sort @missing ), + '', + 'no constants missing from @EXPORT_OK (total missing: ' . scalar(@missing) . ')' +); + +dies_like( + sub { Net::SSLeay::_NET_SSLEAY_TEST_UNDEFINED_CONSTANT() }, + qr/^Your vendor has not defined SSLeay macro _NET_SSLEAY_TEST_UNDEFINED_CONSTANT/, + 'referencing an undefined constant raises an exception' +); diff --git a/cpan/Net-SSLeay/inc/Test/Net/SSLeay.pm b/cpan/Net-SSLeay/inc/Test/Net/SSLeay.pm new file mode 100644 index 000000000000..529384efa011 --- /dev/null +++ b/cpan/Net-SSLeay/inc/Test/Net/SSLeay.pm 
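Review bot: The write handles in `generate_constants_c`, `generate_constants_test` and `update_content` are closed with a bare `close $fh;`, so a buffered write error (full disk, I/O error) is silently dropped and the script still prints `generated`/`updated`; each should be `close $fh or fatal( $file, $OS_ERROR );` (and the `'<'` handle in `load_config` can keep its unchecked close). `update_content` additionally reopens the module or Pod file with `'>'` and rewrites it in place, so any failure between that truncating open and the final close leaves `SSLeay.pm` or `SSLeay.pod` partially written; writing to a sibling temporary file and renaming it over the original would make the update atomic. Separately, the `m{^[A-Za-z_][A-Za-z0-9_]*$}` check in `load_config` is the only thing that keeps a constant name safe to interpolate into the generated C (`#ifdef {{ value }}`) and into the generated test (`"Net::SSLeay::$c"->()`), and nothing says so; a comment such as `# This check also guarantees the name is safe to interpolate into generated C and Perl - keep it anchored and strict` would stop a future relaxation from turning a line of constants.txt into injected code.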
@@ -0,0 +1,867 @@ +package Test::Net::SSLeay; + +use 5.008001; +use strict; +use warnings; +use base qw(Exporter); + +use Carp qw(croak); +use Config; +use Cwd qw(abs_path); +use English qw( $EVAL_ERROR $OSNAME $PERL_VERSION -no_match_vars ); +use File::Basename qw(dirname); +use File::Spec::Functions qw( abs2rel catfile ); +use Test::Builder; +use Test::Net::SSLeay::Socket; + +our $VERSION = '1.92'; + +our @EXPORT_OK = qw( + can_fork can_really_fork can_thread + data_file_path + dies_like + dies_ok + doesnt_warn + initialise_libssl + is_libressl is_openssl + is_protocol_usable + lives_ok + new_ctx + protocols + tcp_socket + warns_like +); + +my $tester = Test::Builder->new(); + +my $data_path = catfile( dirname(__FILE__), '..', '..', '..', 't', 'data' ); + +my $initialised = 0; + +my %protos = ( + 'TLSv1.3' => { + constant => \&Net::SSLeay::TLS1_3_VERSION, + constant_type => 'version', + priority => 6, + }, + 'TLSv1.2' => { + constant => \&Net::SSLeay::TLSv1_2_method, + constant_type => 'method', + priority => 5, + }, + 'TLSv1.1' => { + constant => \&Net::SSLeay::TLSv1_1_method, + constant_type => 'method', + priority => 4, + }, + 'TLSv1' => { + constant => \&Net::SSLeay::TLSv1_method, + constant_type => 'method', + priority => 3, + }, + 'SSLv3' => { + constant => \&Net::SSLeay::SSLv3_method, + constant_type => 'method', + priority => 2, + }, + 'SSLv2' => { + constant => \&Net::SSLeay::SSLv2_method, + constant_type => 'method', + priority => 1, + }, +); + +my ( $test_no_warnings, $test_no_warnings_name, @warnings ); + +END { + _test_no_warnings() if $test_no_warnings; +} + +sub _all { + my ( $sub, @list ) = @_; + + for (@list) { + $sub->() or return 0; + } + + return 1; +} + +sub _diag { + my (%args) = @_; + + $tester->diag( ' ' x 9, 'got: ', $args{got} ); + $tester->diag( ' ' x 4, 'expected: ', $args{expected} ); +} + +sub _libssl_fatal { + my ($context) = @_; + + croak "$context: " + . 
Net::SSLeay::ERR_error_string( Net::SSLeay::ERR_get_error() ); +} + +sub _load_net_ssleay { + eval { require Net::SSLeay; 1; } or croak $EVAL_ERROR; + + return 1; +} + +sub _test_no_warnings { + my $got_str = join q{, }, map { qq{'$_'} } @warnings; + my $got_type = @warnings == 1 ? 'warning' : 'warnings'; + + $tester->ok( @warnings == 0, $test_no_warnings_name ) + or _diag( + got => "$got_type $got_str", + expected => 'no warnings', + ); +} + +sub import { + my ( $class, @imports ) = @_; + + # Enable strict and warnings in the caller + strict->import; + warnings->import; + + # Import common modules into the caller's namespace + my $caller = caller; + for (qw(Test::More)) { + eval "package $caller; use $_; 1;" or croak $EVAL_ERROR; + } + + # Import requested Test::Net::SSLeay symbols into the caller's namespace + __PACKAGE__->export_to_level( 1, $class, @imports ); + + return 1; +} + +sub can_fork { + return 1 if can_really_fork(); + + # Some platforms provide fork emulation using ithreads + return 1 if $Config{d_pseudofork}; + + # d_pseudofork was added in Perl 5.10.0 - this is an approximation for + # older Perls + if ( ( $OSNAME eq 'Win32' or $OSNAME eq 'NetWare' ) + and $Config{useithreads} + and $Config{ccflags} =~ /-DPERL_IMPLICIT_SYS/ ) + { + return 1; + } + + return can_thread(); +} + +sub can_really_fork { + return 1 if $Config{d_fork}; + + return 0; +} + +sub can_thread { + return 0 if not $Config{useithreads}; + + # Threads are broken in Perl 5.10.0 when compiled with GCC 4.8 or above + # (see GH #175) + if ( $PERL_VERSION == 5.010000 + and $Config{ccname} eq 'gcc' + and defined $Config{gccversion} + # gccversion is sometimes defined for non-GCC compilers (see GH-350); + # compilers that are truly GCC are identified with a version number in + # gccversion + and $Config{gccversion} =~ /^\d+\.\d+/ ) + { + my ( $gcc_major, $gcc_minor ) = split /[.\s]+/, $Config{gccversion}; + + return 0 + if ( $gcc_major > 4 or ( $gcc_major == 4 and $gcc_minor >= 8 ) ); + } 
+ + # Devel::Cover doesn't (currently) work with threads + return 0 if $INC{'Devel/Cover.pm'}; + + return 1; +} + +sub data_file_path { + my ($data_file) = @_; + + my $abs_path = catfile( abs_path($data_path), $data_file ); + my $rel_path = abs2rel($abs_path); + + croak "$rel_path: data file does not exist" + if not -e $abs_path; + + return $rel_path; +} + +sub dies_like { + my ( $sub, $expected, $name ) = @_; + + my ( $got, $ok ); + + if ( eval { $sub->(); 1 } ) { + $ok = $tester->ok ( 0, $name ); + + _diag( + got => 'subroutine lived', + expected => "subroutine died with exception matching $expected", + ); + } + else { + $got = $EVAL_ERROR; + + my $test = $got =~ $expected; + + $ok = $tester->ok( $test, $name ) + or _diag( + got => qq{subroutine died with exception '$got'}, + expected => "subroutine died with exception matching $expected", + ); + } + + $EVAL_ERROR = $got; + + return $ok; +} + +sub dies_ok { + my ( $sub, $name ) = @_; + + my ( $got, $ok ); + + if ( eval { $sub->(); 1 } ) { + $got = $EVAL_ERROR; + + $ok = $tester->ok ( 0, $name ); + + _diag( + got => 'subroutine lived', + expected => 'subroutine died', + ); + } + else { + $got = $EVAL_ERROR; + + $ok = $tester->ok( 1, $name ); + } + + $EVAL_ERROR = $got; + + return $ok; +} + +sub doesnt_warn { + $test_no_warnings = 1; + $test_no_warnings_name = shift; + + $SIG{__WARN__} = sub { push @warnings, shift }; +} + +sub initialise_libssl { + return 1 if $initialised; + + _load_net_ssleay(); + + Net::SSLeay::randomize(); + + # Error strings aren't loaded by default until OpenSSL 1.1.0, but it's safe + # to load them unconditionally because these functions are simply no-ops in + # later OpenSSL versions + Net::SSLeay::load_error_strings(); + Net::SSLeay::ERR_load_crypto_strings(); + + Net::SSLeay::library_init(); + + # The test suite makes heavy use of SHA-256, but SHA-256 isn't registered by + # default in all OpenSSL versions - register it manually when Net::SSLeay is + # built against the following OpenSSL 
versions: + + # OpenSSL 0.9.8 series < 0.9.8o + Net::SSLeay::OpenSSL_add_all_digests() + if Net::SSLeay::constant('OPENSSL_VERSION_NUMBER') < 0x009080ff; + + # OpenSSL 1.0.0 series < 1.0.0a + Net::SSLeay::OpenSSL_add_all_digests() + if Net::SSLeay::constant('OPENSSL_VERSION_NUMBER') >= 0x10000000 + && Net::SSLeay::constant('OPENSSL_VERSION_NUMBER') < 0x1000001f; + + $initialised = 1; + + return 1; +} + +sub is_libressl { + _load_net_ssleay(); + + # The most foolproof method of checking whether libssl is provided by + # LibreSSL is by checking OPENSSL_VERSION_NUMBER: every version of + # LibreSSL identifies itself as OpenSSL 2.0.0, which is a version number + # that OpenSSL itself will never use (version 3.0.0 follows 1.1.1) + return 0 + if Net::SSLeay::constant('OPENSSL_VERSION_NUMBER') != 0x20000000; + + return 1; +} + +sub is_openssl { + _load_net_ssleay(); + + # "OpenSSL 2.0.0" is actually LibreSSL + return 0 + if Net::SSLeay::constant('OPENSSL_VERSION_NUMBER') == 0x20000000; + + return 1; +} + +sub is_protocol_usable { + my ($proto) = @_; + + _load_net_ssleay(); + initialise_libssl(); + + my $proto_data = $protos{$proto}; + + # If libssl does not support this protocol version, or if it was disabled at + # compile-time, the appropriate method for that version will be missing + if ( + $proto_data->{constant_type} eq 'version' + ? 
!eval { &{ $proto_data->{constant} }; 1 } + : !defined &{ $proto_data->{constant} } + ) { + return 0; + } + + # If libssl was built with support for this protocol version, the only + # reliable way to test whether its use is permitted by the security policy + # is to attempt to create a connection that uses it - if it is permitted, + # the state machine enters the following states: + # + # SSL_CB_HANDSHAKE_START (ret=1) + # SSL_CB_CONNECT_LOOP (ret=1) + # SSL_CB_CONNECT_EXIT (ret=-1) + # + # If it is not permitted, the state machine instead enters the following + # states: + # + # SSL_CB_HANDSHAKE_START (ret=1) + # SSL_CB_CONNECT_EXIT (ret=-1) + # + # Additionally, ERR_get_error() returns the error code 0x14161044, although + # this might not necessarily be guaranteed for all libssl versions, so + # testing for it may be unreliable + + my $constant = $proto_data->{constant}->(); + my $ctx; + + if ( $proto_data->{constant_type} eq 'version' ) { + $ctx = Net::SSLeay::CTX_new_with_method( Net::SSLeay::TLS_method() ) + or _libssl_fatal('Failed to create libssl SSL_CTX object'); + + Net::SSLeay::CTX_set_min_proto_version( $ctx, $constant ); + Net::SSLeay::CTX_set_max_proto_version( $ctx, $constant ); + } + else { + $ctx = Net::SSLeay::CTX_new_with_method($constant) + or _libssl_fatal('Failed to create SSL_CTX object'); + } + + my $ssl = Net::SSLeay::new($ctx) + or _libssl_fatal('Failed to create SSL structure'); + + # For the purposes of this test, it isn't necessary to link the SSL + # structure to a file descriptor, since no data actually needs to be sent or + # received + Net::SSLeay::set_fd( $ssl, -1 ) + or _libssl_fatal('Failed to set file descriptor for SSL structure'); + + my @states; + + Net::SSLeay::CTX_set_info_callback( + $ctx, + sub { + my ( $ssl, $where, $ret, $data ) = @_; + + push @states, $where; + } + ); + + Net::SSLeay::connect($ssl) + or _libssl_fatal('Failed to initiate connection'); + + my $disabled = Net::SSLeay::CB_HANDSHAKE_START() + + 
Net::SSLeay::CB_CONNECT_EXIT(); + + my $enabled = Net::SSLeay::CB_HANDSHAKE_START() + + Net::SSLeay::CB_CONNECT_LOOP() + + Net::SSLeay::CB_CONNECT_EXIT(); + + Net::SSLeay::free($ssl); + Net::SSLeay::CTX_free($ctx); + + my $observed = 0; + for my $state (@states) { + $observed += $state; + } + + return 0 if $observed == $disabled; + return 1 if $observed == $enabled; + + croak 'Unexpected TLS state machine sequence: ' . join( ', ', @states ); +} + +sub lives_ok { + my ( $sub, $name ) = @_; + + my ( $got, $ok ); + + if ( !eval { $sub->(); 1 } ) { + $got = $EVAL_ERROR; + + $ok = $tester->ok ( 0, $name ); + + _diag( + got => qq{subroutine died with exception '$got'}, + expected => 'subroutine lived', + ); + } + else { + $got = $EVAL_ERROR; + + $ok = $tester->ok( 1, $name ); + } + + $EVAL_ERROR = $got; + + return $ok; +} + +sub new_ctx { + my ( $min_proto, $max_proto ) = @_; + + my @usable_protos = + # Exclude protocol versions not supported by this libssl: + grep { + is_protocol_usable($_) + } + # Exclude protocol versions outside the desired range: + grep { + ( + defined $min_proto + ? $protos{$_}->{priority} >= $protos{$min_proto}->{priority} + : 1 + ) + && ( + defined $max_proto + ? $protos{$_}->{priority} <= $protos{$max_proto}->{priority} + : 1 + ) + } + protocols(); + + croak 'Failed to create libssl SSL_CTX object: no usable protocol versions' + if !@usable_protos; + + my $proto = shift @usable_protos; + my $constant = $protos{$proto}->{constant}->(); + my $ctx; + + if ( $protos{$proto}->{constant_type} eq 'version' ) { + $ctx = Net::SSLeay::CTX_new_with_method( Net::SSLeay::TLS_method() ) + or _libssl_fatal('Failed to create libssl SSL_CTX object'); + + Net::SSLeay::CTX_set_min_proto_version( $ctx, $constant ); + Net::SSLeay::CTX_set_max_proto_version( $ctx, $constant ); + } + else { + $ctx = Net::SSLeay::CTX_new_with_method($constant) + or _libssl_fatal('Failed to create SSL_CTX object'); + } + + return wantarray ? 
( $ctx, $proto ) + : $ctx; +} + +sub protocols { + return + sort { + $protos{$b}->{priority} <=> $protos{$a}->{priority} + } + keys %protos; +} + +sub tcp_socket { + return Test::Net::SSLeay::Socket->new( proto => 'tcp' ); +} + +sub warns_like { + my ( $sub, $expected, $name ) = @_; + + my @expected = ref $expected eq 'ARRAY' + ? @$expected + : ($expected); + + my @got; + + local $SIG{__WARN__} = sub { push @got, shift }; + + $sub->(); + + $SIG{__WARN__} = 'DEFAULT'; + + my $test = scalar @got == scalar @expected + && _all( sub { $got[$_] =~ $expected[$_] }, 0 .. $#got ); + + my $ok = $tester->ok( $test, $name ) + or do { + my $got_str = join q{, }, map { qq{'$_'} } @got; + my $expected_str = join q{, }, map { qq{'$_'} } @expected; + + my $got_plural = @got == 1 ? '' : 's'; + my $expected_plural = @expected == 1 ? '' : 's'; + + _diag( + got => "warning$got_plural $got_str", + expected => "warning$expected_plural matching $expected_str", + ); + }; + + return $ok; +} + +1; + +__END__ + +=head1 NAME + +Test::Net::SSLeay - Helper module for the Net-SSLeay test suite + +=head1 VERSION + +This document describes version 1.92 of Test::Net::SSLeay. + +=head1 SYNOPSIS + +In a Net-SSLeay test script: + + # Optional summary of the purpose of the tests in this script + + use lib 'inc'; + + use Net::SSLeay; # if required by the tests + use Test::Net::SSLeay qw(initialise_libssl); # import other helper + # functions if required + + # Imports of other modules specific to this test script + + # Plan tests, or skip them altogether if certain preconditions aren't met + if (disqualifying_condition) { + plan skip_all => ...; + } else { + plan tests => ...; + } + + # If this script tests Net::SSLeay functionality: + initialise_libssl(); + + # Perform one or more Test::More-based tests + +=head1 DESCRIPTION + +This is a helper module that makes it easier (or, at least, less repetitive) +to write test scripts for the Net-SSLeay test suite. 
For consistency, all test +scripts should import this module and follow the preamble structure given in +L. + +Importing this module has the following effects on the caller, regardless of +whether any exports are requested: + +=over 4 + +=item * + +C and C are enabled; + +=item * + +L, the test framework used by the Net-SSLeay test +suite, is imported. + +=back + +No symbols are exported by default. If desired, individual helper functions +may be imported into the caller's namespace by specifying their name in the +import list; see L for a list of available helper +functions. + +=head1 HELPER FUNCTIONS + +=head2 can_fork + + if (can_fork()) { + # Run tests that rely on a working fork() implementation + } + +Returns true if this system natively supports the C system call, or if +Perl can emulate C on this system using interpreter-level threads. +Otherwise, returns false. + +=head2 can_really_fork + + if (can_really_fork()) { + # Run tests that rely on a native fork() implementation + } + +Returns true if this system natively supports the C system call, or +false if not. + +=head2 can_thread + + if (can_thread()) { + # Run tests that rely on working threads support + } + +Returns true if reliable interpreter-level threads support is available in +this Perl, or false if not. + +=head2 data_file_path + + my $cert_path = data_file_path('wildcard-cert.cert.pem'); + my $key_path = data_file_path('wildcard-cert.key.pem'); + +Returns the relative path to a given file in the test suite data directory +(C). Dies if the file does not exist. + +=head2 dies_like + + dies_like( + sub { die 'This subroutine always dies' }, + qr/always/, + 'A test that always passes' + ); + +Similar to L in Test::Exception|Test::Exception/throws_ok>: +performs a L test that passes if a given subroutine dies with an +exception string that matches a given pattern, or fails if the subroutine does +not die or dies with an exception string that does not match the given pattern. 
+ +This function preserves the value of C<$@> set by the given subroutine, so (for +example) other tests can be performed on the value of C<$@> afterwards. + +=head2 dies_ok + + dies_ok( + sub { my $x = 1 }, + 'A test that always fails' + ); + +Similar to L in Test::Exception|Test::Exception/dies_ok>: performs a +L test that passes if a given subroutine dies, or fails if it +does not. + +This function preserves the value of C<$@> set by the given subroutine, so (for +example) other tests can be performed on the value of C<$@> afterwards. + +=head2 doesnt_warn + + doesnt_warn('Test script outputs no unexpected warnings'); + +Offers similar functionality to L: performs a L +test at the end of the test script that passes if the test script executes from +this point onwards without emitting any unexpected warnings, or fails if +warnings are emitted before the test script ends. + +Warnings omitted by subroutines that are executed as part of a L +test are not considered to be unexpected (even if the L test +fails), and will therefore not cause this test to fail. + +=head2 initialise_libssl + + initialise_libssl(); + + # Run tests that call Net::SSLeay functions + +Initialises libssl (and libcrypto) by seeding the pseudorandom number generator, +loading error strings, and registering the default TLS ciphers and digest +functions. All digest functions are explicitly registered when Net::SSLeay is +built against a libssl version that does not register SHA-256 by default, since +SHA-256 is used heavily in the test suite PKI. + +libssl will only be initialised the first time this function is called, so it is +safe for it to be called multiple times in the same test script. + +=head2 is_libressl + + if (is_libressl()) { + # Run LibreSSL-specific tests + } + +Returns true if libssl is provided by LibreSSL, or false if not. + +=head2 is_openssl + + if (is_openssl()) { + # Run OpenSSL-specific tests + } + +Returns true if libssl is provided by OpenSSL, or false if not. 
+ +=head2 is_protocol_usable + + if ( is_protocol_usable('TLSv1.1') ) { + # Run TLSv1.1 tests + } + +Returns true if libssl can communicate using the given SSL/TLS protocol version +(represented as a string of the format returned by L), or false if +not. + +Note that the availability of a particular SSL/TLS protocol version may vary +based on the version of OpenSSL or LibreSSL in use, the options chosen when it +was compiled (e.g., OpenSSL will not support SSLv3 if it was built with +C), or run-time configuration (e.g., the use of TLSv1.0 will be +forbidden if the OpenSSL configuration sets the default security level to 3 or +higher; see L). + +=head2 lives_ok + + lives_ok( + sub { die 'Whoops' }, + 'A test that always fails' + ); + +Similar to L in Test::Exception|Test::Exception/lives_ok>: performs +a L test that passes if a given subroutine executes without +dying, or fails if it dies during execution. + +This function preserves the value of C<$@> set by the given subroutine, so (for +example) other tests can be performed on the value of C<$@> afterwards. + +=head2 new_ctx + + my $ctx = new_ctx(); + # $ctx is an SSL_CTX that uses the highest available protocol version + + my ( $ctx, $version ) = new_ctx( 'TLSv1', 'TLSv1.2' ); + # $ctx is an SSL_CTX that uses the highest available protocol version + # between TLSv1 and TLSv1.2 inclusive; $version contains the protocol + # version chosen + +Creates a libssl SSL_CTX object that uses the most recent SSL/TLS protocol +version supported by libssl, optionally bounded by the given minimum and maximum +protocol versions (represented as strings of the format returned by +L). + +If called in scalar context, returns the SSL_CTX object that was created. If +called in array context, returns the SSL_CTX object and a string containing the +protocol version used by the SSL_CTX object. 
Dies if libssl does not support any +of the protocol versions in the given range, or if an SSL_CTX object that uses +the chosen protocol version could not be created. + +=head2 protocols + + my @protos = protocols(); + +Returns an array containing strings that describe the SSL/TLS protocol versions +supported by L: C<'TLSv1.3'>, C<'TLSv1.2'>, C<'TLSv1.1'>, +C<'TLSv1'>, C<'SSLv3'>, and C<'SSLv2'>. The protocol versions are sorted in +reverse order of age (i.e. in the order shown here). + +Note that it may not be possible to communicate using some of these protocol +versions, depending on how libssl was compiled and is configured. These strings +can be given as parameters to L to discover whether the +protocol version is actually usable by libssl. + +=head2 tcp_socket + + my $server = tcp_socket(); + + # Accept connection from client: + my $sock_in = $server->accept(); + + # Create connection to server: + my $sock_out = $server->connect(); + +Creates a TCP server socket that listens on localhost on an arbitrarily-chosen +free port. Convenience methods are provided for accepting, establishing and +closing connections. + +Returns a L object. Dies +on failure. + +=head2 warns_like + + warns_like( + sub { + warn 'First warning'; + warn 'Second warning'; + }, + [ + qr/First/, + qr/Second/, + ], + 'A test that always passes' + ); + +Similar to L in Test::Warn|Test::Warn/warnings_like>: performs +a L test that passes if a given subroutine emits a series of +warnings that match the given sequence of patterns, or fails if the subroutine +emits any other sequence of warnings (or no warnings at all). If a pattern is +given instead of an array reference, the subroutine will be expected to emit a +single warning matching the pattern. + +=head1 BUGS + +If you encounter a problem with this module that you believe is a bug, please +L +in the Net-SSLeay GitHub repository. 
Please make sure your bug report includes +the following information: + +=over + +=item * + +the code you are trying to run (ideally a minimum working example that +reproduces the problem), or the full output of the Net-SSLeay test suite if +the problem relates to a test failure; + +=item * + +your operating system name and version; + +=item * + +the output of C; + +=item * + +the version of Net-SSLeay you are using; + +=item * + +the version of OpenSSL or LibreSSL you are using. + +=back + +=head1 AUTHORS + +Originally written by Chris Novakovic. + +Maintained by Chris Novakovic, Tuure Vartiainen and Heikki Vatiainen. + +=head1 COPYRIGHT AND LICENSE + +Copyright 2020- Chris Novakovic . + +Copyright 2020- Tuure Vartiainen . + +Copyright 2020- Heikki Vatiainen . + +This module is released under the terms of the Artistic License 2.0. For +details, see the C file distributed with Net-SSLeay's source code. + +=cut diff --git a/cpan/Net-SSLeay/inc/Test/Net/SSLeay/Socket.pm b/cpan/Net-SSLeay/inc/Test/Net/SSLeay/Socket.pm new file mode 100644 index 000000000000..2ddbe8475947 --- /dev/null +++ b/cpan/Net-SSLeay/inc/Test/Net/SSLeay/Socket.pm 
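Review bot: In is_protocol_usable the guard `Net::SSLeay::connect($ssl) or _libssl_fatal('Failed to initiate connection')` is effectively inert: the handshake is deliberately set up to fail (the fd is -1 and the state-sequence check below expects CB_CONNECT_EXIT with ret=-1), SSL_connect reports that as -1, and -1 is true in Perl, so the croak can only fire on a return of 0. The provoked failure also leaves entries on libssl's error queue after free/CTX_free, which a later `ERR_get_error()`-based check in the same test script (including _libssl_fatal itself) may then report as its own error. I'd replace the guard with `Net::SSLeay::connect($ssl);   # expected to fail: no real fd, only the info callback output matters` and add `Net::SSLeay::ERR_clear_error();` right after `Net::SSLeay::CTX_free($ctx);`, assuming ERR_clear_error is bound in this Net::SSLeay build (the binding is not visible in this hunk). Separately, doesnt_warn installs `$SIG{__WARN__}` globally without `local`; that is presumably intentional because the check runs from END, but a one-line comment saying so would stop a future maintainer from "fixing" it.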
@@ -0,0 +1,326 @@ +package Test::Net::SSLeay::Socket; + +use 5.008001; +use strict; +use warnings; + +use Carp qw(croak); +use English qw( $EVAL_ERROR $OS_ERROR $OUTPUT_AUTOFLUSH -no_match_vars ); +use Scalar::Util qw(refaddr reftype); +use SelectSaver; +use Socket qw( + AF_INET SOCK_DGRAM SOCK_STREAM + inet_aton inet_ntoa pack_sockaddr_in unpack_sockaddr_in +); + +our $VERSION = '1.92'; + +my %PROTOS = ( + tcp => SOCK_STREAM, + udp => SOCK_DGRAM, +); + +sub new { + my ( $class, %args ) = @_; + + my $self = bless { + addr => delete $args{addr} || '127.0.0.1', + port => delete $args{port} || 0, + proto => delete $args{proto} || 'tcp', + queue => delete $args{queue} || 5, + }, $class; + + if ( !exists $PROTOS{ $self->{proto} } ) { + croak "Unknown protocol '$self->{proto}'"; + } + + $self->_init_server(); + + return $self; +} + +sub _init_server { + my ($self) = @_; + + my $addr = eval { inet_aton( $self->{addr} ) } + or croak 'Could not pack IP address' + . ( $EVAL_ERROR ? ": $EVAL_ERROR" : q{} ); + + my $sockaddr = eval { pack_sockaddr_in( $self->{port}, $addr ) } + or croak 'Could not create sockaddr_in structure' + . ( $EVAL_ERROR ? 
": $EVAL_ERROR" : q{} ); + + socket $self->{sock}, AF_INET, $PROTOS{ $self->{proto} }, 0 + or croak "Could not open server socket: $OS_ERROR"; + + if ( $self->{proto} eq 'tcp' ) { + bind $self->{sock}, $sockaddr + or croak "Could not bind server socket: $OS_ERROR"; + + listen $self->{sock}, $self->{queue} + or croak "Could not listen on server socket: $OS_ERROR"; + } + + my $sockname = getsockname $self->{sock}; + ( $self->{sport}, $self->{saddr} ) = unpack_sockaddr_in($sockname); + $self->{saddr} = inet_ntoa( $self->{saddr} ); + + return 1; +} + +sub get_addr { + my ($self) = @_; + + return $self->{saddr}; +} + +sub get_port { + my ($self) = @_; + + return $self->{sport}; +} + +sub accept { + my ( $self, $sock ) = @_; + + if ( defined $sock && reftype($sock) ne 'GLOB' ) { + croak 'Argument #1 to accept() must be a typeglob reference'; + } + + accept $sock, $self->{sock} + or croak "Could not accept connection: $OS_ERROR"; + + my $saver = SelectSaver->new($sock); + local $OUTPUT_AUTOFLUSH = 1; + + return $sock; +} + +sub connect { + my ($self) = @_; + + my $addr = eval { inet_aton( $self->{saddr} ) } + or croak 'Could not pack IP address' + . ( $EVAL_ERROR ? ": $EVAL_ERROR" : q{} ); + + my $sockaddr = eval { pack_sockaddr_in( $self->{sport}, $addr ) } + or croak 'Could not create sockaddr_in structure' + . ( $EVAL_ERROR ? ": $EVAL_ERROR" : q{} ); + + socket my $sock, AF_INET, $PROTOS{ $self->{proto} }, 0 + or croak "Could not open server socket: $OS_ERROR"; + connect $sock, $sockaddr + or croak "Could not connect to server socket: $OS_ERROR"; + + my $saver = SelectSaver->new($sock); + local $OUTPUT_AUTOFLUSH = 1; + + return $sock; +} + +sub close { + my ($self) = @_; + + return close $self->{sock}; +} + +1; + +__END__ + +=head1 NAME + +Test::Net::SSLeay::Socket - Socket class for the Net-SSLeay test suite + +=head1 VERSION + +This document describes version 1.92 of Test::Net::SSLeay::Socket. 
+ +=head1 SYNOPSIS + + use Test::Net::SSLeay::Socket; + + # Create TCP server socket listening on localhost on a random unused port + my $server = Test::Net::SSLeay::Socket->new( protocol => 'tcp' ); + + # To wait for a connection to the server socket: + my $sock = $server->accept(); + + # Open a connection to the server socket: + my $client_sock = $server->connect(); + + # Or do so using Net::SSLeay's high-level API: + use Net::SSLeay qw(tcpcat); + my ( $response, $err ) = + tcpcat( $server->get_addr(), $server->get_port(), 'request' ); + +=head1 DESCRIPTION + +Test scripts in the Net-SSLeay test suite commonly need to establish server +and client sockets over which TLS communication can be tested. This module +simplifies the process of creating server sockets and client sockets that know +how to connect to them. + +This module is not intended to be used directly by test scripts; use the +helper functions in L +instead. + +=head1 CONSTRUCTOR + +=head2 new + + # TCP server socket listening on localhost on a random unused port: + my $server = Test::Net::SSLeay::Socket->new(); + + # TCP server socket listening on a private IP address on the standard HTTP + # port: + my $server = Test::Net::SSLeay::Socket->new( + addr => '10.0.0.1', + port => 80, + proto => 'tcp', + ); + +Creates a new C object. A server socket is created +that binds to a given (or the default) address and port number. + +Supported options: + +=over 4 + +=item * + +C (optional): the IPv4 address that the server socket should bind to. +Defaults to C<'127.0.0.1'>. + +=item * + +C (optional): the port number that the server socket should bind to. +Defaults to the number of a random unused port chosen by the operating system. + +=item * + +C (optional): the transport protocol that the server socket should use; +C<'tcp'> for TCP, C<'udp'> for UDP. Defaults to C<'tcp'>. + +=item * + +C (optional): the maximum number of pending connections to allow for +the server socket. Defaults to 5. 
+ +=back + +Dies on failure. + +=head1 METHODS + +=head2 get_addr + + my $address = $server->get_addr(); + +Returns the address on which the server socket is listening. Useful when +manually creating a connection to the server socket (e.g. via one of +Net::SSLeay's high-level API functions) and an address was not specified in +the constructor. + +=head2 get_port + + my $port = $server->get_port(); + +Returns the port number on which the server socket is listening. Useful when +manually creating a client socket to connect to the server socket (e.g. via +one of Net::SSLeay's high-level API functions) and a port number was not +specified in the constructor. + +=head2 accept + + # Communicate with the client, creating a new file handle: + my $sock = $server->accept(); + + # Communicate with the client using an existing typeglob as the file + # handle: + $server->accept(*Net::SSLeay::SSLCAT_S); + +Accepts an incoming connection request to the server socket, and enables +autoflush on the resulting file handle. + +If a typeglob is passed as the first argument, it becomes the socket's file +handle. This is useful when creating sockets for testing Net::SSLeay's +high-level API functions, which perform their operations on the +C typeglob. + +Returns the file handle for the new socket. Dies on failure. + +=head2 connect + + my $sock = $server->connect(); + +Creates a new connection to the server socket, and enables autoflush on the +resulting file handle. + +Returns the file handle for the new socket. Dies on failure. + +=head2 close + + $server->close(); + +Closes the file handle for the server socket. + +Returns true on success, or false on failure (just like Perl's +L builtin). + +=head1 SEE ALSO + +L, for an easier way to use this module +from Net-SSLeay test scripts. + +=head1 BUGS + +If you encounter a problem with this module that you believe is a bug, please +L +in the Net-SSLeay GitHub repository. 
Please make sure your bug report includes +the following information: + +=over + +=item * + +the code you are trying to run (ideally a minimum working example that +reproduces the problem), or the full output of the Net-SSLeay test suite if +the problem relates to a test failure; + +=item * + +your operating system name and version; + +=item * + +the output of C; + +=item * + +the version of Net-SSLeay you are using; + +=item * + +the version of OpenSSL or LibreSSL you are using. + +=back + +=head1 AUTHORS + +Originally written by Chris Novakovic. + +Maintained by Chris Novakovic, Tuure Vartiainen and Heikki Vatiainen. + +=head1 COPYRIGHT AND LICENSE + +Copyright 2020- Chris Novakovic . + +Copyright 2020- Tuure Vartiainen . + +Copyright 2020- Heikki Vatiainen . + +This module is released under the terms of the Artistic License 2.0. For +details, see the C file distributed with Net-SSLeay's source code. + +=cut diff --git a/cpan/Net-SSLeay/lib/Net/SSLeay.pm b/cpan/Net-SSLeay/lib/Net/SSLeay.pm new file mode 100644 index 000000000000..3838b594c945 --- /dev/null +++ b/cpan/Net-SSLeay/lib/Net/SSLeay.pm 
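Review bot: The constructor in Test::Net::SSLeay::Socket silently ignores unrecognised options, and the SYNOPSIS in this same hunk demonstrates exactly that mistake: `Test::Net::SSLeay::Socket->new( protocol => 'tcp' )` passes `protocol` while new() reads `proto`, so the example runs with the default rather than the requested value. After the four `delete $args{...}` lines I'd add `croak 'Unknown option(s): ' . join( ', ', sort keys %args ) if %args;` and change the SYNOPSIS to `proto => 'tcp'`. Also, the `udp` branch of _init_server never binds the socket, so as far as I can see getsockname() then reports port 0 and `connect()` would attempt to reach port 0; if UDP is meant to be supported, bind unconditionally and only `listen` for tcp, otherwise document `udp` as unsupported in the `proto` option text. A minor wording point: the error string in connect() says `Could not open server socket` for what is the client socket.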
@@ -0,0 +1,1905 @@
+# Net::SSLeay.pm - Perl module for using Eric Young's implementation of SSL
+#
+# Copyright (c) 1996-2003 Sampo Kellomäki
+# Copyright (c) 2005-2010 Florian Ragwitz
+# Copyright (c) 2005-2018 Mike McCauley
+# Copyright (c) 2018- Chris Novakovic
+# Copyright (c) 2018- Tuure Vartiainen
+# Copyright (c) 2018- Heikki Vatiainen
+#
+# All rights reserved.
+#
+# This module is released under the terms of the Artistic License 2.0. For
+# details, see the LICENSE file distributed with Net-SSLeay's source code.
+
+package Net::SSLeay;
+
+use 5.8.1;
+
+use strict;
+use Carp;
+use vars qw($VERSION @ISA @EXPORT @EXPORT_OK $AUTOLOAD $CRLF);
+use Socket;
+use Errno;
+
+require Exporter;
+use AutoLoader;
+
+# 0=no warns, 1=only errors, 2=ciphers, 3=progress, 4=dump data
+$Net::SSLeay::trace = 0; # Do not change here, use
+ # $Net::SSLeay::trace = [1-4] in caller
+
+# 2 = insist on v2 SSL protocol
+# 3 = insist on v3 SSL
+# 10 = insist on TLSv1
+# 11 = insist on TLSv1.1
+# 12 = insist on TLSv1.2
+# 13 = insist on TLSv1.3
+# 0 or undef = guess (v23)
+#
+$Net::SSLeay::ssl_version = 0; # don't change here, use
+ # Net::SSLeay::version=[2,3,0] in caller
+
+#define to enable the "cat /proc/$$/stat" stuff
+$Net::SSLeay::linux_debug = 0;
+
+# Number of seconds to sleep after sending message and before half
+# closing connection. Useful with antiquated broken servers.
+$Net::SSLeay::slowly = 0;
+
+# RANDOM NUMBER INITIALIZATION
+#
+# Edit to your taste. Using /dev/random would be more secure, but may
+# block if randomness is not available, thus the default is
+# /dev/urandom. $how_random determines how many bits of randomness to take
+# from the device. You should take enough (read SSLeay/doc/rand), but
+# beware that randomness is limited resource so you should not waste
+# it either or you may end up with randomness depletion (situation where
+# /dev/random would block and /dev/urandom starts to return predictable
+# numbers).
+#
+# N.B. /dev/urandom does not exist on all systems, such as Solaris 2.6. In that
+# case you should get a third party package that emulates /dev/urandom
+# (e.g. via named pipe) or supply a random number file. Some such
+# packages are documented in Caveat section of the POD documentation.
+
+$Net::SSLeay::random_device = '/dev/urandom';
+$Net::SSLeay::how_random = 512;
+
+# When updating this, also update $VERSION in the following files:
+# inc/Test/Net/SSLeay.pm
+# inc/Test/Net/SSLeay/Socket.pm
+# lib/Net/SSLeay/Handle.pm
+$VERSION = '1.92';
+
+@ISA = qw(Exporter);
+
+# This array is automatically generated - do not manually modify it.
+# To add or remove a constant, edit helper_script/constants.txt, then run
+# helper_script/update-exported-constants.
+my @constants = qw(
+ ASN1_STRFLGS_ESC_CTRL
+ ASN1_STRFLGS_ESC_MSB
+ ASN1_STRFLGS_ESC_QUOTE
+ ASN1_STRFLGS_RFC2253
+ CB_ACCEPT_EXIT
+ CB_ACCEPT_LOOP
+ CB_ALERT
+ CB_CONNECT_EXIT
+ CB_CONNECT_LOOP
+ CB_EXIT
+ CB_HANDSHAKE_DONE
+ CB_HANDSHAKE_START
+ CB_LOOP
+ CB_READ
+ CB_READ_ALERT
+ CB_WRITE
+ CB_WRITE_ALERT
+ ERROR_NONE
+ ERROR_SSL
+ ERROR_SYSCALL
+ ERROR_WANT_ACCEPT
+ ERROR_WANT_CONNECT
+ ERROR_WANT_READ
+ ERROR_WANT_WRITE
+ ERROR_WANT_X509_LOOKUP
+ ERROR_ZERO_RETURN
+ EVP_PKS_DSA
+ EVP_PKS_EC
+ EVP_PKS_RSA
+ EVP_PKT_ENC
+ EVP_PKT_EXCH
+ EVP_PKT_EXP
+ EVP_PKT_SIGN
+ EVP_PK_DH
+ EVP_PK_DSA
+ EVP_PK_EC
+ EVP_PK_RSA
+ FILETYPE_ASN1
+ FILETYPE_PEM
+ F_CLIENT_CERTIFICATE
+ F_CLIENT_HELLO
+ F_CLIENT_MASTER_KEY
+ F_D2I_SSL_SESSION
+ F_GET_CLIENT_FINISHED
+ F_GET_CLIENT_HELLO
+ F_GET_CLIENT_MASTER_KEY
+ F_GET_SERVER_FINISHED
+ F_GET_SERVER_HELLO
+ F_GET_SERVER_VERIFY
+ F_I2D_SSL_SESSION
+ F_READ_N
+ F_REQUEST_CERTIFICATE
+ F_SERVER_HELLO
+ F_SSL_CERT_NEW
+ F_SSL_GET_NEW_SESSION
+ F_SSL_NEW
+ F_SSL_READ
+ F_SSL_RSA_PRIVATE_DECRYPT
+ F_SSL_RSA_PUBLIC_ENCRYPT
+ F_SSL_SESSION_NEW
+ F_SSL_SESSION_PRINT_FP
+ F_SSL_SET_FD
+ F_SSL_SET_RFD
+ F_SSL_SET_WFD
+ F_SSL_USE_CERTIFICATE
+ F_SSL_USE_CERTIFICATE_ASN1
+ F_SSL_USE_CERTIFICATE_FILE
+ F_SSL_USE_PRIVATEKEY
+ F_SSL_USE_PRIVATEKEY_ASN1
+ F_SSL_USE_PRIVATEKEY_FILE
+ F_SSL_USE_RSAPRIVATEKEY
+ F_SSL_USE_RSAPRIVATEKEY_ASN1
+ F_SSL_USE_RSAPRIVATEKEY_FILE
+ F_WRITE_PENDING
+ GEN_DIRNAME
+ GEN_DNS
+ GEN_EDIPARTY
+ GEN_EMAIL
+ GEN_IPADD
+ GEN_OTHERNAME
+ GEN_RID
+ GEN_URI
+ GEN_X400
+ LIBRESSL_VERSION_NUMBER
+ MBSTRING_ASC
+ MBSTRING_BMP
+ MBSTRING_FLAG
+ MBSTRING_UNIV
+ MBSTRING_UTF8
+ MIN_RSA_MODULUS_LENGTH_IN_BYTES
+ MODE_ACCEPT_MOVING_WRITE_BUFFER
+ MODE_AUTO_RETRY
+ MODE_ENABLE_PARTIAL_WRITE
+ MODE_RELEASE_BUFFERS
+ NID_OCSP_sign
+ NID_SMIMECapabilities
+ NID_X500
+ NID_X509
+ NID_ad_OCSP
+ NID_ad_ca_issuers
+ NID_algorithm
+ NID_authority_key_identifier
+ NID_basic_constraints
+ NID_bf_cbc
+ NID_bf_cfb64
+ NID_bf_ecb
+ NID_bf_ofb64
+ NID_cast5_cbc
+ NID_cast5_cfb64
+ NID_cast5_ecb
+ NID_cast5_ofb64
+ NID_certBag
+ NID_certificate_policies
+ NID_client_auth
+ NID_code_sign
+ NID_commonName
+ NID_countryName
+ NID_crlBag
+ NID_crl_distribution_points
+ NID_crl_number
+ NID_crl_reason
+ NID_delta_crl
+ NID_des_cbc
+ NID_des_cfb64
+ NID_des_ecb
+ NID_des_ede
+ NID_des_ede3
+ NID_des_ede3_cbc
+ NID_des_ede3_cfb64
+ NID_des_ede3_ofb64
+ NID_des_ede_cbc
+ NID_des_ede_cfb64
+ NID_des_ede_ofb64
+ NID_des_ofb64
+ NID_description
+ NID_desx_cbc
+ NID_dhKeyAgreement
+ NID_dnQualifier
+ NID_dsa
+ NID_dsaWithSHA
+ NID_dsaWithSHA1
+ NID_dsaWithSHA1_2
+ NID_dsa_2
+ NID_email_protect
+ NID_ext_key_usage
+ NID_ext_req
+ NID_friendlyName
+ NID_givenName
+ NID_hmacWithSHA1
+ NID_id_ad
+ NID_id_ce
+ NID_id_kp
+ NID_id_pbkdf2
+ NID_id_pe
+ NID_id_pkix
+ NID_id_qt_cps
+ NID_id_qt_unotice
+ NID_idea_cbc
+ NID_idea_cfb64
+ NID_idea_ecb
+ NID_idea_ofb64
+ NID_info_access
+ NID_initials
+ NID_invalidity_date
+ NID_issuer_alt_name
+ NID_keyBag
+ NID_key_usage
+ NID_localKeyID
+ NID_localityName
+ NID_md2
+ NID_md2WithRSAEncryption
+ NID_md5
+ NID_md5WithRSA
+ NID_md5WithRSAEncryption
+ NID_md5_sha1
+ NID_mdc2
+ NID_mdc2WithRSA
+ NID_ms_code_com
+ NID_ms_code_ind
+ NID_ms_ctl_sign
+ NID_ms_efs
+ NID_ms_ext_req
+ NID_ms_sgc
+ NID_name
+ NID_netscape
+ NID_netscape_base_url
+ NID_netscape_ca_policy_url
+ NID_netscape_ca_revocation_url
+ NID_netscape_cert_extension
+ NID_netscape_cert_sequence
+ NID_netscape_cert_type
+ NID_netscape_comment
+ NID_netscape_data_type
+ NID_netscape_renewal_url
+ NID_netscape_revocation_url
+ NID_netscape_ssl_server_name
+ NID_ns_sgc
+ NID_organizationName
+ NID_organizationalUnitName
+ NID_pbeWithMD2AndDES_CBC
+ NID_pbeWithMD2AndRC2_CBC
+ NID_pbeWithMD5AndCast5_CBC
+ NID_pbeWithMD5AndDES_CBC
+ NID_pbeWithMD5AndRC2_CBC
+ NID_pbeWithSHA1AndDES_CBC
+ NID_pbeWithSHA1AndRC2_CBC
+ NID_pbe_WithSHA1And128BitRC2_CBC
+ NID_pbe_WithSHA1And128BitRC4
+ NID_pbe_WithSHA1And2_Key_TripleDES_CBC
+ NID_pbe_WithSHA1And3_Key_TripleDES_CBC
+ NID_pbe_WithSHA1And40BitRC2_CBC
+ NID_pbe_WithSHA1And40BitRC4
+ NID_pbes2
+ NID_pbmac1
+ NID_pkcs
+ NID_pkcs3
+ NID_pkcs7
+ NID_pkcs7_data
+ NID_pkcs7_digest
+ NID_pkcs7_encrypted
+ NID_pkcs7_enveloped
+ NID_pkcs7_signed
+ NID_pkcs7_signedAndEnveloped
+ NID_pkcs8ShroudedKeyBag
+ NID_pkcs9
+ NID_pkcs9_challengePassword
+ NID_pkcs9_contentType
+ NID_pkcs9_countersignature
+ NID_pkcs9_emailAddress
+ NID_pkcs9_extCertAttributes
+ NID_pkcs9_messageDigest
+ NID_pkcs9_signingTime
+ NID_pkcs9_unstructuredAddress
+ NID_pkcs9_unstructuredName
+ NID_private_key_usage_period
+ NID_rc2_40_cbc
+ NID_rc2_64_cbc
+ NID_rc2_cbc
+ NID_rc2_cfb64
+ NID_rc2_ecb
+ NID_rc2_ofb64
+ NID_rc4
+ NID_rc4_40
+ NID_rc5_cbc
+ NID_rc5_cfb64
+ NID_rc5_ecb
+ NID_rc5_ofb64
+ NID_ripemd160
+ NID_ripemd160WithRSA
+ NID_rle_compression
+ NID_rsa
+ NID_rsaEncryption
+ NID_rsadsi
+ NID_safeContentsBag
+ NID_sdsiCertificate
+ NID_secretBag
+ NID_serialNumber
+ NID_server_auth
+ NID_sha
+ NID_sha1
+ NID_sha1WithRSA
+ NID_sha1WithRSAEncryption
+ NID_shaWithRSAEncryption
+ NID_stateOrProvinceName
+ NID_subject_alt_name
+ NID_subject_key_identifier
+ NID_surname
+ NID_sxnet
+ NID_time_stamp
+ NID_title
+ NID_undef
+ NID_uniqueIdentifier
+ NID_x509Certificate
+ NID_x509Crl
+ NID_zlib_compression
+ NOTHING
+ OCSP_RESPONSE_STATUS_INTERNALERROR
+ OCSP_RESPONSE_STATUS_MALFORMEDREQUEST
+ OCSP_RESPONSE_STATUS_SIGREQUIRED
+ OCSP_RESPONSE_STATUS_SUCCESSFUL
+ OCSP_RESPONSE_STATUS_TRYLATER
+ OCSP_RESPONSE_STATUS_UNAUTHORIZED
+ OPENSSL_BUILT_ON
+ OPENSSL_CFLAGS
+ OPENSSL_CPU_INFO
+ OPENSSL_DIR
+ OPENSSL_ENGINES_DIR
+ OPENSSL_FULL_VERSION_STRING
+ OPENSSL_INFO_CONFIG_DIR
+ OPENSSL_INFO_CPU_SETTINGS
+ OPENSSL_INFO_DIR_FILENAME_SEPARATOR
+ OPENSSL_INFO_DSO_EXTENSION
+ OPENSSL_INFO_ENGINES_DIR
+ OPENSSL_INFO_LIST_SEPARATOR
+ OPENSSL_INFO_MODULES_DIR
+ OPENSSL_INFO_SEED_SOURCE
+ OPENSSL_MODULES_DIR
+ OPENSSL_PLATFORM
+ OPENSSL_VERSION
+ OPENSSL_VERSION_MAJOR
+ OPENSSL_VERSION_MINOR
+ OPENSSL_VERSION_NUMBER
+ OPENSSL_VERSION_PATCH
+ OPENSSL_VERSION_STRING
+ OP_ALL
+ OP_ALLOW_NO_DHE_KEX
+ OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+ OP_CIPHER_SERVER_PREFERENCE
+ OP_CISCO_ANYCONNECT
+ OP_COOKIE_EXCHANGE
+ OP_CRYPTOPRO_TLSEXT_BUG
+ OP_DONT_INSERT_EMPTY_FRAGMENTS
+ OP_ENABLE_MIDDLEBOX_COMPAT
+ OP_EPHEMERAL_RSA
+ OP_LEGACY_SERVER_CONNECT
+ OP_MICROSOFT_BIG_SSLV3_BUFFER
+ OP_MICROSOFT_SESS_ID_BUG
+ OP_MSIE_SSLV2_RSA_PADDING
+ OP_NETSCAPE_CA_DN_BUG
+ OP_NETSCAPE_CHALLENGE_BUG
+ OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
+ OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+ OP_NON_EXPORT_FIRST
+ OP_NO_ANTI_REPLAY
+ OP_NO_CLIENT_RENEGOTIATION
+ OP_NO_COMPRESSION
+ OP_NO_ENCRYPT_THEN_MAC
+ OP_NO_QUERY_MTU
+ OP_NO_RENEGOTIATION
+ OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+ OP_NO_SSL_MASK
+ OP_NO_SSLv2
+ OP_NO_SSLv3
+ OP_NO_TICKET
+ OP_NO_TLSv1
+ OP_NO_TLSv1_1
+ OP_NO_TLSv1_2
+ OP_NO_TLSv1_3
+ OP_PKCS1_CHECK_1
+ OP_PKCS1_CHECK_2
+ OP_PRIORITIZE_CHACHA
+ OP_SAFARI_ECDHE_ECDSA_BUG
+ OP_SINGLE_DH_USE
+ OP_SINGLE_ECDH_USE
+ OP_SSLEAY_080_CLIENT_DH_BUG
+ OP_SSLREF2_REUSE_CERT_TYPE_BUG
+ OP_TLSEXT_PADDING
+ OP_TLS_BLOCK_PADDING_BUG
+ OP_TLS_D5_BUG
+ OP_TLS_ROLLBACK_BUG
+ READING
+ RECEIVED_SHUTDOWN
+ RSA_3
+ RSA_F4
+ R_BAD_AUTHENTICATION_TYPE
+ R_BAD_CHECKSUM
+ R_BAD_MAC_DECODE
+ R_BAD_RESPONSE_ARGUMENT
+ R_BAD_SSL_FILETYPE
+ R_BAD_SSL_SESSION_ID_LENGTH
+ R_BAD_STATE
+ R_BAD_WRITE_RETRY
+ R_CHALLENGE_IS_DIFFERENT
+ R_CIPHER_TABLE_SRC_ERROR
+ R_INVALID_CHALLENGE_LENGTH
+ R_NO_CERTIFICATE_SET
+ R_NO_CERTIFICATE_SPECIFIED
+ R_NO_CIPHER_LIST
+ R_NO_CIPHER_MATCH
+ R_NO_PRIVATEKEY
+ R_NO_PUBLICKEY
+ R_NULL_SSL_CTX
+ R_PEER_DID_NOT_RETURN_A_CERTIFICATE
+ R_PEER_ERROR
+ R_PEER_ERROR_CERTIFICATE
+ R_PEER_ERROR_NO_CIPHER
+ R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE
+ R_PUBLIC_KEY_ENCRYPT_ERROR
+ R_PUBLIC_KEY_IS_NOT_RSA
+ R_READ_WRONG_PACKET_TYPE
+ R_SHORT_READ
+ R_SSL_SESSION_ID_IS_DIFFERENT
+ R_UNABLE_TO_EXTRACT_PUBLIC_KEY
+ R_UNKNOWN_REMOTE_ERROR_TYPE
+ R_UNKNOWN_STATE
+ R_X509_LIB
+ SENT_SHUTDOWN
+ SESSION_ASN1_VERSION
+ SESS_CACHE_BOTH
+ SESS_CACHE_CLIENT
+ SESS_CACHE_NO_AUTO_CLEAR
+ SESS_CACHE_NO_INTERNAL
+ SESS_CACHE_NO_INTERNAL_LOOKUP
+ SESS_CACHE_NO_INTERNAL_STORE
+ SESS_CACHE_OFF
+ SESS_CACHE_SERVER
+ SSL2_MT_CLIENT_CERTIFICATE
+ SSL2_MT_CLIENT_FINISHED
+ SSL2_MT_CLIENT_HELLO
+ SSL2_MT_CLIENT_MASTER_KEY
+ SSL2_MT_ERROR
+ SSL2_MT_REQUEST_CERTIFICATE
+ SSL2_MT_SERVER_FINISHED
+ SSL2_MT_SERVER_HELLO
+ SSL2_MT_SERVER_VERIFY
+ SSL2_VERSION
+ SSL3_MT_CCS
+ SSL3_MT_CERTIFICATE
+ SSL3_MT_CERTIFICATE_REQUEST
+ SSL3_MT_CERTIFICATE_STATUS
+ SSL3_MT_CERTIFICATE_URL
+ SSL3_MT_CERTIFICATE_VERIFY
+ SSL3_MT_CHANGE_CIPHER_SPEC
+ SSL3_MT_CLIENT_HELLO
+ SSL3_MT_CLIENT_KEY_EXCHANGE
+ SSL3_MT_ENCRYPTED_EXTENSIONS
+ SSL3_MT_END_OF_EARLY_DATA
+ SSL3_MT_FINISHED
+ SSL3_MT_HELLO_REQUEST
+ SSL3_MT_KEY_UPDATE
+ SSL3_MT_MESSAGE_HASH
+ SSL3_MT_NEWSESSION_TICKET
+ SSL3_MT_NEXT_PROTO
+ SSL3_MT_SERVER_DONE
+ SSL3_MT_SERVER_HELLO
+ SSL3_MT_SERVER_KEY_EXCHANGE
+ SSL3_MT_SUPPLEMENTAL_DATA
+ SSL3_RT_ALERT
+ SSL3_RT_APPLICATION_DATA
+ SSL3_RT_CHANGE_CIPHER_SPEC
+ SSL3_RT_HANDSHAKE
+ SSL3_RT_HEADER
+ SSL3_RT_INNER_CONTENT_TYPE
+ SSL3_VERSION
+ SSLEAY_BUILT_ON
+ SSLEAY_CFLAGS
+ SSLEAY_DIR
+ SSLEAY_PLATFORM
+ SSLEAY_VERSION
+ ST_ACCEPT
+ ST_BEFORE
+ ST_CONNECT
+ ST_INIT
+ ST_OK
+ ST_READ_BODY
+ ST_READ_HEADER
+ TLS1_1_VERSION
+ TLS1_2_VERSION
+ TLS1_3_VERSION
+ TLS1_VERSION
+ TLSEXT_STATUSTYPE_ocsp
+ VERIFY_CLIENT_ONCE
+ VERIFY_FAIL_IF_NO_PEER_CERT
+ VERIFY_NONE
+ VERIFY_PEER
+ VERIFY_POST_HANDSHAKE
+ V_OCSP_CERTSTATUS_GOOD
+ V_OCSP_CERTSTATUS_REVOKED
+ V_OCSP_CERTSTATUS_UNKNOWN
+ WRITING
+ X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
+ X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS
+ X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
+ X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
+ X509_CHECK_FLAG_NO_WILDCARDS
+ X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
+ X509_FILETYPE_ASN1
+ X509_FILETYPE_DEFAULT
+ X509_FILETYPE_PEM
+ X509_LOOKUP
+ X509_PURPOSE_ANY
+ X509_PURPOSE_CRL_SIGN
+ X509_PURPOSE_NS_SSL_SERVER
+ X509_PURPOSE_OCSP_HELPER
+ X509_PURPOSE_SMIME_ENCRYPT
+ X509_PURPOSE_SMIME_SIGN
+ X509_PURPOSE_SSL_CLIENT
+ X509_PURPOSE_SSL_SERVER
+ X509_PURPOSE_TIMESTAMP_SIGN
+ X509_TRUST_COMPAT
+ X509_TRUST_EMAIL
+ X509_TRUST_OBJECT_SIGN
+ X509_TRUST_OCSP_REQUEST
+ X509_TRUST_OCSP_SIGN
+ X509_TRUST_SSL_CLIENT
+ X509_TRUST_SSL_SERVER
+ X509_TRUST_TSA
+ X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
+ X509_V_ERR_AKID_SKID_MISMATCH
+ X509_V_ERR_APPLICATION_VERIFICATION
+ X509_V_ERR_CA_KEY_TOO_SMALL
+ X509_V_ERR_CA_MD_TOO_WEAK
+ X509_V_ERR_CERT_CHAIN_TOO_LONG
+ X509_V_ERR_CERT_HAS_EXPIRED
+ X509_V_ERR_CERT_NOT_YET_VALID
+ X509_V_ERR_CERT_REJECTED
+ X509_V_ERR_CERT_REVOKED
+ X509_V_ERR_CERT_SIGNATURE_FAILURE
+ X509_V_ERR_CERT_UNTRUSTED
+ X509_V_ERR_CRL_HAS_EXPIRED
+ X509_V_ERR_CRL_NOT_YET_VALID
+ X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+ X509_V_ERR_CRL_SIGNATURE_FAILURE
+ X509_V_ERR_DANE_NO_MATCH
+ X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
+ X509_V_ERR_DIFFERENT_CRL_SCOPE
+ X509_V_ERR_EE_KEY_TOO_SMALL
+ X509_V_ERR_EMAIL_MISMATCH
+ X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
+ X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
+ X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
+ X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
+ X509_V_ERR_EXCLUDED_VIOLATION
+ X509_V_ERR_HOSTNAME_MISMATCH
+ X509_V_ERR_INVALID_CA
+ X509_V_ERR_INVALID_CALL
+ X509_V_ERR_INVALID_EXTENSION
+ X509_V_ERR_INVALID_NON_CA
+ X509_V_ERR_INVALID_POLICY_EXTENSION
+ X509_V_ERR_INVALID_PURPOSE
+ X509_V_ERR_IP_ADDRESS_MISMATCH
+ X509_V_ERR_KEYUSAGE_NO_CERTSIGN
+ X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+ X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+ X509_V_ERR_NO_EXPLICIT_POLICY
+ X509_V_ERR_NO_VALID_SCTS
+ X509_V_ERR_OCSP_CERT_UNKNOWN
+ X509_V_ERR_OCSP_VERIFY_FAILED
+ X509_V_ERR_OCSP_VERIFY_NEEDED
+ X509_V_ERR_OUT_OF_MEM
+ X509_V_ERR_PATH_LENGTH_EXCEEDED
+ X509_V_ERR_PATH_LOOP
+ X509_V_ERR_PERMITTED_VIOLATION
+ X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+ X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+ X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION
+ X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
+ X509_V_ERR_STORE_LOOKUP
+ X509_V_ERR_SUBJECT_ISSUER_MISMATCH
+ X509_V_ERR_SUBTREE_MINMAX
+ X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
+ X509_V_ERR_SUITE_B_INVALID_ALGORITHM
+ X509_V_ERR_SUITE_B_INVALID_CURVE
+ X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
+ X509_V_ERR_SUITE_B_INVALID_VERSION
+ X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED
+ X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
+ X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
+ X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
+ X509_V_ERR_UNABLE_TO_GET_CRL
+ X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+ X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
+ X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
+ X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
+ X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+ X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+ X509_V_ERR_UNNESTED_RESOURCE
+ X509_V_ERR_UNSPECIFIED
+ X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+ X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+ X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+ X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+ X509_V_FLAG_ALLOW_PROXY_CERTS
+ X509_V_FLAG_CB_ISSUER_CHECK
+ X509_V_FLAG_CHECK_SS_SIGNATURE
+ X509_V_FLAG_CRL_CHECK
+ X509_V_FLAG_CRL_CHECK_ALL
+ X509_V_FLAG_EXPLICIT_POLICY
+ X509_V_FLAG_EXTENDED_CRL_SUPPORT
+ X509_V_FLAG_IGNORE_CRITICAL
+ X509_V_FLAG_INHIBIT_ANY
+ X509_V_FLAG_INHIBIT_MAP
+ X509_V_FLAG_LEGACY_VERIFY
+ X509_V_FLAG_NOTIFY_POLICY
+ X509_V_FLAG_NO_ALT_CHAINS
+ X509_V_FLAG_NO_CHECK_TIME
+ X509_V_FLAG_PARTIAL_CHAIN
+ X509_V_FLAG_POLICY_CHECK
+ X509_V_FLAG_POLICY_MASK
+ X509_V_FLAG_SUITEB_128_LOS
+ X509_V_FLAG_SUITEB_128_LOS_ONLY
+ X509_V_FLAG_SUITEB_192_LOS
+ X509_V_FLAG_TRUSTED_FIRST
+ X509_V_FLAG_USE_CHECK_TIME
+ X509_V_FLAG_USE_DELTAS
+ X509_V_FLAG_X509_STRICT
+ X509_V_OK
+ XN_FLAG_COMPAT
+ XN_FLAG_DN_REV
+ XN_FLAG_DUMP_UNKNOWN_FIELDS
+ XN_FLAG_FN_ALIGN
+ XN_FLAG_FN_LN
+ XN_FLAG_FN_MASK
+ XN_FLAG_FN_NONE
+ XN_FLAG_FN_OID
+ XN_FLAG_FN_SN
+ XN_FLAG_MULTILINE
+ XN_FLAG_ONELINE
+ XN_FLAG_RFC2253
+ XN_FLAG_SEP_COMMA_PLUS
+ XN_FLAG_SEP_CPLUS_SPC
+ XN_FLAG_SEP_MASK
+ XN_FLAG_SEP_MULTILINE
+ XN_FLAG_SEP_SPLUS_SPC
+ XN_FLAG_SPC_EQ
+);
+
+my @functions = qw(
+ BIO_eof
+ BIO_f_ssl
+ BIO_free
+ BIO_new
+ BIO_new_file
+ BIO_pending
+ BIO_read
+ BIO_s_mem
+ BIO_wpending
+ BIO_write
+ CTX_free
+ CTX_get_cert_store
+ CTX_new
+ CTX_use_RSAPrivateKey_file
+ CTX_use_certificate_file
+ CTX_v23_new
+ CTX_v2_new
+ CTX_v3_new
+ ERR_error_string
+ ERR_get_error
+ ERR_load_RAND_strings
+ ERR_load_SSL_strings
+ PEM_read_bio_X509_CRL
+ RSA_free
+ RSA_generate_key
+ SESSION_free
+ SESSION_get_master_key
+ SESSION_new
+ SESSION_print
+ X509_NAME_get_text_by_NID
+ X509_NAME_oneline
+ X509_STORE_add_cert
+ X509_STORE_add_crl
+ X509_check_email
+ X509_check_host
+ X509_check_ip
+ X509_check_ip_asc
+ X509_free
+ X509_get_issuer_name
+ X509_get_subject_name
+ X509_load_cert_crl_file
+ X509_load_cert_file
+ X509_load_crl_file
+ accept
+ clear
+ connect
+ copy_session_id
+ d2i_SSL_SESSION
+ die_if_ssl_error
+ die_now
+ do_https
+ dump_peer_certificate
+ free
+ get_cipher
+ get_cipher_list
+ get_client_random
+ get_fd
+ get_http
+ get_http4
+ get_https
+ get_https3
+ get_https4
+ get_httpx
+ get_httpx4
+ get_peer_certificate
+ get_peer_cert_chain
+ get_rbio
+ get_read_ahead
+ get_server_random
+ get_shared_ciphers
+ get_time
+ get_timeout
+ get_wbio
+ i2d_SSL_SESSION
+ load_error_strings
+ make_form
+ make_headers
+ new
+ peek
+ pending
+ post_http
+ post_http4
+ post_https
+ post_https3
+ post_https4
+ post_httpx
+ post_httpx4
+ print_errs
+ read
+ rstate_string
+ rstate_string_long
+ set_bio
+ set_cert_and_key
+ set_cipher_list
+ set_fd
+ set_read_ahead
+ set_rfd
+ set_server_cert_and_key
+ set_session
+ set_time
+ set_timeout
+ set_verify
+ set_wfd
+ ssl_read_CRLF
+ ssl_read_all
+ ssl_read_until
+ ssl_write_CRLF
+ ssl_write_all
+ sslcat
+ state_string
+ state_string_long
+ tcp_read_CRLF
+ tcp_read_all
+ tcp_read_until
+ tcp_write_CRLF
+ tcp_write_all
+ tcpcat
+ tcpxcat
+ use_PrivateKey
+ use_PrivateKey_ASN1
+ use_PrivateKey_file
+ use_RSAPrivateKey
+ use_RSAPrivateKey_ASN1
+ use_RSAPrivateKey_file
+ use_certificate
+ use_certificate_ASN1
+ use_certificate_file
+ write
+ d2i_OCSP_RESPONSE
+ i2d_OCSP_RESPONSE
+ OCSP_RESPONSE_free
+ d2i_OCSP_REQUEST
+ i2d_OCSP_REQUEST
+ OCSP_REQUEST_free
+ OCSP_cert2ids
+ OCSP_ids2req
+ OCSP_response_status
+ OCSP_response_status_str
+ OCSP_response_verify
+ OCSP_response_results
+);
+
+@EXPORT_OK = ( @constants, @functions );
+
+sub AUTOLOAD {
+ # This AUTOLOAD is used to 'autoload' constants from the constant()
+ # XS function. If a constant is not found then control is passed
+ # to the AUTOLOAD in AutoLoader.
+
+ my $constname;
+ ($constname = $AUTOLOAD) =~ s/.*:://;
+ my $val = constant($constname);
+ if ($! != 0) {
+ if ($! =~ /((Invalid)|(not valid))/i || $!{EINVAL}) {
+ $AutoLoader::AUTOLOAD = $AUTOLOAD;
+ goto &AutoLoader::AUTOLOAD;
+ }
+ else {
+ croak "Your vendor has not defined SSLeay macro $constname";
+ }
+ }
+ eval "sub $AUTOLOAD { $val }";
+ goto &$AUTOLOAD;
+}
+
+eval {
+ require XSLoader;
+ XSLoader::load('Net::SSLeay', $VERSION);
+ 1;
+} or do {
+ require DynaLoader;
+ push @ISA, 'DynaLoader';
+ bootstrap Net::SSLeay $VERSION;
+};
+
+# Preloaded methods go here.
+
+$CRLF = "\x0d\x0a"; # because \r\n is not fully portable
+
+### Print SSLeay error stack
+
+sub print_errs {
+ my ($msg) = @_;
+ my ($count, $err, $errs, $e) = (0,0,'');
+ while ($err = ERR_get_error()) {
+ $count ++;
+ $e = "$msg $$: $count - " . ERR_error_string($err) . "\n";
+ $errs .= $e;
+ warn $e if $Net::SSLeay::trace;
+ }
+ return $errs;
+}
+
+# Death is conditional to SSLeay errors existing, i.e. this function checks
+# for errors and only dies in affirmative.
+# usage: Net::SSLeay::write($ssl, "foo") or die_if_ssl_error("SSL write ($!)");
+
+sub die_if_ssl_error {
+ my ($msg) = @_;
+ die "$$: $msg\n" if print_errs($msg);
+}
+
+# Unconditional death. Used to print SSLeay errors before dying.
+# usage: Net::SSLeay::connect($ssl) or die_now("Failed SSL connect ($!)");
+
+sub die_now {
+ my ($msg) = @_;
+ print_errs($msg);
+ die "$$: $msg\n";
+}
+
+# Perl 5.6.* unicode support causes that length() no longer reliably
+# reflects the byte length of a string. This eval is to fix that.
+# Thanks to Sean Burke for the snippet.
+
+BEGIN{
+eval 'use bytes; sub blength ($) { defined $_[0] ? length $_[0] : 0 }';
+$@ and eval ' sub blength ($) { defined $_[0] ? length $_[0] : 0 }' ;
+}
+
+# Autoload methods go after __END__, and are processed by the autosplit program.
+
+
+1;
+__END__
+
+### Some methods that are macros in C
+
+sub want_nothing { want(shift) == 1 }
+sub want_read { want(shift) == 2 }
+sub want_write { want(shift) == 3 }
+sub want_X509_lookup { want(shift) == 4 }
+
+###
+### Open TCP stream to given host and port, looking up the details
+### from system databases or DNS.
+###
+
+sub open_tcp_connection {
+ my ($dest_serv, $port) = @_;
+ my ($errs);
+
+ $port = getservbyname($port, 'tcp') unless $port =~ /^\d+$/;
+ my $dest_serv_ip = gethostbyname($dest_serv);
+ unless (defined($dest_serv_ip)) {
+ $errs = "$0 $$: open_tcp_connection: destination host not found:"
+ . " `$dest_serv' (port $port) ($!)\n";
+ warn $errs if $trace;
+ return wantarray ?
(0, $errs) : 0; + } + my $sin = sockaddr_in($port, $dest_serv_ip); + + warn "Opening connection to $dest_serv:$port (" . + inet_ntoa($dest_serv_ip) . ")" if $trace>2; + + my $proto = &Socket::IPPROTO_TCP; # getprotobyname('tcp') not available on android + if (socket (SSLCAT_S, &PF_INET(), &SOCK_STREAM(), $proto)) { + warn "next connect" if $trace>3; + if (CORE::connect (SSLCAT_S, $sin)) { + my $old_out = select (SSLCAT_S); $| = 1; select ($old_out); + warn "connected to $dest_serv, $port" if $trace>3; + return wantarray ? (1, undef) : 1; # Success + } + } + $errs = "$0 $$: open_tcp_connection: failed `$dest_serv', $port ($!)\n"; + warn $errs if $trace; + close SSLCAT_S; + return wantarray ? (0, $errs) : 0; # Fail +} + +### Open connection via standard web proxy, if one was defined +### using set_proxy(). + +sub open_proxy_tcp_connection { + my ($dest_serv, $port) = @_; + return open_tcp_connection($dest_serv, $port) if !$proxyhost; + + warn "Connect via proxy: $proxyhost:$proxyport" if $trace>2; + my ($ret, $errs) = open_tcp_connection($proxyhost, $proxyport); + return wantarray ? (0, $errs) : 0 if !$ret; # Connection fail + + warn "Asking proxy to connect to $dest_serv:$port" if $trace>2; + #print SSLCAT_S "CONNECT $dest_serv:$port HTTP/1.0$proxyauth$CRLF$CRLF"; + #my $line = ; # *** bug? Mixing stdio with syscall read? + ($ret, $errs) = + tcp_write_all("CONNECT $dest_serv:$port HTTP/1.0$proxyauth$CRLF$CRLF"); + return wantarray ? (0,$errs) : 0 if $errs; + ($line, $errs) = tcp_read_until($CRLF . $CRLF, 1024); + warn "Proxy response: $line" if $trace>2; + return wantarray ? (0,$errs) : 0 if $errs; + return wantarray ? (1,'') : 1; # Success +} + +### +### read and write helpers that block +### + +sub debug_read { + my ($replyr, $gotr) = @_; + my $vm = $trace>2 && $linux_debug ? + (split ' ', `cat /proc/$$/stat`)[22] : 'vm_unknown'; + warn " got " . blength($$gotr) . ':' + . blength($$replyr) . " bytes (VM=$vm).\n" if $trace == 3; + warn " got `$$gotr' (" . 
blength($$gotr) . ':' + . blength($$replyr) . " bytes, VM=$vm)\n" if $trace>3; +} + +sub ssl_read_all { + my ($ssl,$how_much) = @_; + $how_much = 2000000000 unless $how_much; + my ($got, $rv, $errs); + my $reply = ''; + + while ($how_much > 0) { + ($got, $rv) = Net::SSLeay::read($ssl, + ($how_much > 32768) ? 32768 : $how_much + ); + if (! defined $got) { + my $err = Net::SSLeay::get_error($ssl, $rv); + if ($err != Net::SSLeay::ERROR_WANT_READ() and + $err != Net::SSLeay::ERROR_WANT_WRITE()) { + $errs = print_errs('SSL_read'); + last; + } + next; + } + $how_much -= blength($got); + debug_read(\$reply, \$got) if $trace>1; + last if $got eq ''; # EOF + $reply .= $got; + } + + return wantarray ? ($reply, $errs) : $reply; +} + +sub tcp_read_all { + my ($how_much) = @_; + $how_much = 2000000000 unless $how_much; + my ($n, $got, $errs); + my $reply = ''; + + my $bsize = 0x10000; + while ($how_much > 0) { + $n = sysread(SSLCAT_S,$got, (($bsize < $how_much) ? $bsize : $how_much)); + warn "Read error: $! ($n,$how_much)" unless defined $n; + last if !$n; # EOF + $how_much -= $n; + debug_read(\$reply, \$got) if $trace>1; + $reply .= $got; + } + return wantarray ? ($reply, $errs) : $reply; +} + +sub ssl_write_all { + my $ssl = $_[0]; + my ($data_ref, $errs); + if (ref $_[1]) { + $data_ref = $_[1]; + } else { + $data_ref = \$_[1]; + } + my ($wrote, $written, $to_write) = (0,0, blength($$data_ref)); + my $vm = $trace>2 && $linux_debug ? 
+ (split ' ', `cat /proc/$$/stat`)[22] : 'vm_unknown'; + warn " write_all VM at entry=$vm\n" if $trace>2; + while ($to_write) { + #sleep 1; # *** DEBUG + warn "partial `$$data_ref'\n" if $trace>3; + $wrote = write_partial($ssl, $written, $to_write, $$data_ref); + if (defined $wrote && ($wrote > 0)) { # write_partial can return -1 + $written += $wrote; + $to_write -= $wrote; + } else { + if (defined $wrote) { + # check error conditions via SSL_get_error per man page + if ( my $sslerr = get_error($ssl, $wrote) ) { + my $errstr = ERR_error_string($sslerr); + my $errname = ''; + SWITCH: { + $sslerr == constant("ERROR_NONE") && do { + # according to map page SSL_get_error(3ssl): + # The TLS/SSL I/O operation completed. + # This result code is returned if and only if ret > 0 + # so if we received it here complain... + warn "ERROR_NONE unexpected with invalid return value!" + if $trace; + $errname = "SSL_ERROR_NONE"; + }; + $sslerr == constant("ERROR_WANT_READ") && do { + # operation did not complete, call again later, so do not + # set errname and empty err_que since this is a known + # error that is expected but, we should continue to try + # writing the rest of our data with same io call and params. + warn "ERROR_WANT_READ (TLS/SSL Handshake, will continue)\n" + if $trace; + print_errs('SSL_write(want read)'); + last SWITCH; + }; + $sslerr == constant("ERROR_WANT_WRITE") && do { + # operation did not complete, call again later, so do not + # set errname and empty err_que since this is a known + # error that is expected but, we should continue to try + # writing the rest of our data with same io call and params. + warn "ERROR_WANT_WRITE (TLS/SSL Handshake, will continue)\n" + if $trace; + print_errs('SSL_write(want write)'); + last SWITCH; + }; + $sslerr == constant("ERROR_ZERO_RETURN") && do { + # valid protocol closure from other side, no longer able to + # write, since there is no longer a session... 
+ warn "ERROR_ZERO_RETURN($wrote): TLS/SSLv3 Closure alert\n" + if $trace; + $errname = "SSL_ERROR_ZERO_RETURN"; + last SWITCH; + }; + $sslerr == constant("ERROR_SSL") && do { + # library/protocol error + warn "ERROR_SSL($wrote): Library/Protocol error occured\n" + if $trace; + $errname = "SSL_ERROR_SSL"; + last SWITCH; + }; + $sslerr == constant("ERROR_WANT_CONNECT") && do { + # according to man page, should never happen on call to + # SSL_write, so complain, but handle as known error type + warn "ERROR_WANT_CONNECT: Unexpected error for SSL_write\n" + if $trace; + $errname = "SSL_ERROR_WANT_CONNECT"; + last SWITCH; + }; + $sslerr == constant("ERROR_WANT_ACCEPT") && do { + # according to man page, should never happen on call to + # SSL_write, so complain, but handle as known error type + warn "ERROR_WANT_ACCEPT: Unexpected error for SSL_write\n" + if $trace; + $errname = "SSL_ERROR_WANT_ACCEPT"; + last SWITCH; + }; + $sslerr == constant("ERROR_WANT_X509_LOOKUP") && do { + # operation did not complete: waiting on call back, + # call again later, so do not set errname and empty err_que + # since this is a known error that is expected but, we should + # continue to try writing the rest of our data with same io + # call parameter. + warn "ERROR_WANT_X509_LOOKUP: (Cert Callback asked for in ". + "SSL_write will contine)\n" if $trace; + print_errs('SSL_write(want x509'); + last SWITCH; + }; + $sslerr == constant("ERROR_SYSCALL") && do { + # some IO error occured. According to man page: + # Check retval, ERR, fallback to errno + if ($wrote==0) { # EOF + warn "ERROR_SYSCALL($wrote): EOF violates protocol.\n" + if $trace; + $errname = "SSL_ERROR_SYSCALL(EOF)"; + } else { # -1 underlying BIO error reported. 
+ # check error que for details, don't set errname since we + # are directly appending to errs + my $chkerrs = print_errs('SSL_write (syscall)'); + if ($chkerrs) { + warn "ERROR_SYSCALL($wrote): Have errors\n" if $trace; + $errs .= "ssl_write_all $$: 1 - ERROR_SYSCALL($wrote,". + "$sslerr,$errstr,$!)\n$chkerrs"; + } else { # que was empty, use errno + warn "ERROR_SYSCALL($wrote): errno($!)\n" if $trace; + $errs .= "ssl_write_all $$: 1 - ERROR_SYSCALL($wrote,". + "$sslerr) : $!\n"; + } + } + last SWITCH; + }; + warn "Unhandled val $sslerr from SSL_get_error(SSL,$wrote)\n" + if $trace; + $errname = "SSL_ERROR_?($sslerr)"; + } # end of SWITCH block + if ($errname) { # if we had an errname set add the error + $errs .= "ssl_write_all $$: 1 - $errname($wrote,$sslerr,". + "$errstr,$!)\n"; + } + } # endif on have SSL_get_error val + } # endif on $wrote defined + } # endelse on $wrote > 0 + $vm = $trace>2 && $linux_debug ? + (split ' ', `cat /proc/$$/stat`)[22] : 'vm_unknown'; + warn " written so far $wrote:$written bytes (VM=$vm)\n" if $trace>2; + # append remaining errors in que and report if errs exist + $errs .= print_errs('SSL_write'); + return (wantarray ? (undef, $errs) : undef) if $errs; + } + return wantarray ? ($written, $errs) : $written; +} + +sub tcp_write_all { + my ($data_ref, $errs); + if (ref $_[0]) { + $data_ref = $_[0]; + } else { + $data_ref = \$_[0]; + } + my ($wrote, $written, $to_write) = (0,0, blength($$data_ref)); + my $vm = $trace>2 && $linux_debug ? + (split ' ', `cat /proc/$$/stat`)[22] : 'vm_unknown'; + warn " write_all VM at entry=$vm to_write=$to_write\n" if $trace>2; + while ($to_write) { + warn "partial `$$data_ref'\n" if $trace>3; + $wrote = syswrite(SSLCAT_S, $$data_ref, $to_write, $written); + if (defined $wrote && ($wrote > 0)) { # write_partial can return -1 + $written += $wrote; + $to_write -= $wrote; + } elsif (!defined($wrote)) { + warn "tcp_write_all: $!"; + return (wantarray ? 
(undef, "$!") : undef); + } + $vm = $trace>2 && $linux_debug ? + (split ' ', `cat /proc/$$/stat`)[22] : 'vm_unknown'; + warn " written so far $wrote:$written bytes (VM=$vm)\n" if $trace>2; + } + return wantarray ? ($written, '') : $written; +} + +### from patch by Clinton Wong + +# ssl_read_until($ssl [, $delimit [, $max_length]]) +# if $delimit missing, use $/ if it exists, otherwise use \n +# read until delimiter reached, up to $max_length chars if defined + +sub ssl_read_until ($;$$) { + my ($ssl,$delim, $max_length) = @_; + + # guess the delim string if missing + if ( ! defined $delim ) { + if ( defined $/ && length $/ ) { $delim = $/ } + else { $delim = "\n" } # Note: \n,$/ value depends on the platform + } + my $len_delim = length $delim; + + my ($got); + my $reply = ''; + + # If we have OpenSSL 0.9.6a or later, we can use SSL_peek to + # speed things up. + # N.B. 0.9.6a has security problems, so the support for + # anything earlier than 0.9.6e will be dropped soon. + if (&Net::SSLeay::OPENSSL_VERSION_NUMBER >= 0x0090601f) { + $max_length = 2000000000 unless (defined $max_length); + my ($pending, $peek_length, $found, $done); + while (blength($reply) < $max_length and !$done) { + #Block if necessary until we get some data + $got = Net::SSLeay::peek($ssl,1); + last if print_errs('SSL_peek'); + + $pending = Net::SSLeay::pending($ssl) + blength($reply); + $peek_length = ($pending > $max_length) ? 
$max_length : $pending; + $peek_length -= blength($reply); + $got = Net::SSLeay::peek($ssl, $peek_length); + last if print_errs('SSL_peek'); + $peek_length = blength($got); + + #$found = index($got, $delim); # Old and broken + + # the delimiter may be split across two gets, so we prepend + # a little from the last get onto this one before we check + # for a match + my $match; + if(blength($reply) >= blength($delim) - 1) { + #if what we've read so far is greater or equal + #in length of what we need to prepatch + $match = substr $reply, blength($reply) - blength($delim) + 1; + } else { + $match = $reply; + } + + $match .= $got; + $found = index($match, $delim); + + if ($found > -1) { + #$got = Net::SSLeay::ssl_read_all($ssl, $found+$len_delim); + #read up to the end of the delimiter + $got = Net::SSLeay::ssl_read_all($ssl, + $found + $len_delim + - ((blength($match)) - (blength($got)))); + $done = 1; + } else { + $got = Net::SSLeay::ssl_read_all($ssl, $peek_length); + $done = 1 if ($peek_length == $max_length - blength($reply)); + } + + last if print_errs('SSL_read'); + debug_read(\$reply, \$got) if $trace>1; + last if $got eq ''; + $reply .= $got; + } + } else { + while (!defined $max_length || length $reply < $max_length) { + $got = Net::SSLeay::ssl_read_all($ssl,1); # one by one + last if print_errs('SSL_read'); + debug_read(\$reply, \$got) if $trace>1; + last if $got eq ''; + $reply .= $got; + last if $len_delim + && substr($reply, blength($reply)-$len_delim) eq $delim; + } + } + return $reply; +} + +sub tcp_read_until { + my ($delim, $max_length) = @_; + + # guess the delim string if missing + if ( ! defined $delim ) { + if ( defined $/ && length $/ ) { $delim = $/ } + else { $delim = "\n" } # Note: \n,$/ value depends on the platform + } + my $len_delim = length $delim; + + my ($n,$got); + my $reply = ''; + + while (!defined $max_length || length $reply < $max_length) { + $n = sysread(SSLCAT_S, $got, 1); # one by one + warn "tcp_read_until: $!" 
if !defined $n; + debug_read(\$reply, \$got) if $trace>1; + last if !$n; # EOF + $reply .= $got; + last if $len_delim + && substr($reply, blength($reply)-$len_delim) eq $delim; + } + return $reply; +} + +# ssl_read_CRLF($ssl [, $max_length]) +sub ssl_read_CRLF ($;$) { ssl_read_until($_[0], $CRLF, $_[1]) } +sub tcp_read_CRLF { tcp_read_until($CRLF, $_[0]) } + +# ssl_write_CRLF($ssl, $message) writes $message and appends CRLF +sub ssl_write_CRLF ($$) { + # the next line uses less memory but might use more network packets + return ssl_write_all($_[0], $_[1]) + ssl_write_all($_[0], $CRLF); + + # the next few lines do the same thing at the expense of memory, with + # the chance that it will use less packets, since CRLF is in the original + # message and won't be sent separately. + + #my $data_ref; + #if (ref $_[1]) { $data_ref = $_[1] } + # else { $data_ref = \$_[1] } + #my $message = $$data_ref . $CRLF; + #return ssl_write_all($_[0], \$message); +} + +sub tcp_write_CRLF { + # the next line uses less memory but might use more network packets + return tcp_write_all($_[0]) + tcp_write_all($CRLF); + + # the next few lines do the same thing at the expense of memory, with + # the chance that it will use less packets, since CRLF is in the original + # message and won't be sent separately. + + #my $data_ref; + #if (ref $_[1]) { $data_ref = $_[1] } + # else { $data_ref = \$_[1] } + #my $message = $$data_ref . $CRLF; + #return tcp_write_all($_[0], \$message); +} + +### Quickly print out with whom we're talking + +sub dump_peer_certificate ($) { + my ($ssl) = @_; + my $cert = get_peer_certificate($ssl); + return if print_errs('get_peer_certificate'); + print "no cert defined\n" if !defined($cert); + # Cipher=NONE with empty cert fix + if (!defined($cert) || ($cert == 0)) { + warn "cert = `$cert'\n" if $trace; + return "Subject Name: undefined\nIssuer Name: undefined\n"; + } else { + my $x = 'Subject Name: ' + . X509_NAME_oneline(X509_get_subject_name($cert)) . "\n" + . 
'Issuer Name: ' + . X509_NAME_oneline(X509_get_issuer_name($cert)) . "\n"; + Net::SSLeay::X509_free($cert); + return $x; + } +} + +### Arrange some randomness for eay PRNG + +sub randomize (;$$$) { + my ($rn_seed_file, $seed, $egd_path) = @_; + my $rnsf = defined($rn_seed_file) && -r $rn_seed_file; + + $egd_path = ''; + $egd_path = $ENV{'EGD_PATH'} if $ENV{'EGD_PATH'}; + + RAND_seed(rand() + $$); # Stir it with time and pid + + unless ($rnsf || -r $Net::SSLeay::random_device || $seed || -S $egd_path) { + my $poll_retval = Net::SSLeay::RAND_poll(); + warn "Random number generator not seeded!!!" if $trace && !$poll_retval; + } + + RAND_load_file($rn_seed_file, -s _) if $rnsf; + RAND_seed($seed) if $seed; + RAND_seed($ENV{RND_SEED}) if $ENV{RND_SEED}; + RAND_load_file($Net::SSLeay::random_device, $Net::SSLeay::how_random/8) + if -r $Net::SSLeay::random_device; +} + +sub new_x_ctx { + if ($ssl_version == 2) { + unless (exists &Net::SSLeay::CTX_v2_new) { + warn "ssl_version has been set to 2, but this version of OpenSSL has been compiled without SSLv2 support"; + return undef; + } + $ctx = CTX_v2_new(); + } + elsif ($ssl_version == 3) { $ctx = CTX_v3_new(); } + elsif ($ssl_version == 10) { $ctx = CTX_tlsv1_new(); } + elsif ($ssl_version == 11) { + unless (exists &Net::SSLeay::CTX_tlsv1_1_new) { + warn "ssl_version has been set to 11, but this version of OpenSSL has been compiled without TLSv1.1 support"; + return undef; + } + $ctx = CTX_tlsv1_1_new; + } + elsif ($ssl_version == 12) { + unless (exists &Net::SSLeay::CTX_tlsv1_2_new) { + warn "ssl_version has been set to 12, but this version of OpenSSL has been compiled without TLSv1.2 support"; + return undef; + } + $ctx = CTX_tlsv1_2_new; + } + elsif ($ssl_version == 13) { + unless (eval { Net::SSLeay::TLS1_3_VERSION(); } ) { + warn "ssl_version has been set to 13, but this version of OpenSSL has been compiled without TLSv1.3 support"; + return undef; + } + $ctx = CTX_new(); + 
unless(Net::SSLeay::CTX_set_min_proto_version($ctx, Net::SSLeay::TLS1_3_VERSION())) { + warn "CTX_set_min_proto failed for TLSv1.3"; + return undef; + } + unless(Net::SSLeay::CTX_set_max_proto_version($ctx, Net::SSLeay::TLS1_3_VERSION())) { + warn "CTX_set_max_proto failed for TLSv1.3"; + return undef; + } + } + else { $ctx = CTX_new(); } + return $ctx; +} + +### +### Standard initialisation. Initialise the ssl library in the usual way +### at most once. Override this if you need differnet initialisation +### SSLeay_add_ssl_algorithms is also protected against multiple runs in SSLeay.xs +### and is also mutex protected in threading perls +### + +my $library_initialised; +sub initialize +{ + if (!$library_initialised) + { + load_error_strings(); # Some bloat, but I'm after ease of use + SSLeay_add_ssl_algorithms(); # and debuggability. + randomize(); + $library_initialised++; + } +} + +### +### Basic request - response primitive (don't use for https) +### + +sub sslcat { # address, port, message, $crt, $key --> reply / (reply,errs,cert) + my ($dest_serv, $port, $out_message, $crt_path, $key_path) = @_; + my ($ctx, $ssl, $got, $errs, $written); + + ($got, $errs) = open_proxy_tcp_connection($dest_serv, $port); + return (wantarray ? 
(undef, $errs) : undef) unless $got; + + ### Do SSL negotiation stuff + + warn "Creating SSL $ssl_version context...\n" if $trace>2; + initialize(); # Will init at most once + + $ctx = new_x_ctx(); + goto cleanup2 if $errs = print_errs('CTX_new') or !$ctx; + + CTX_set_options($ctx, &OP_ALL); + goto cleanup2 if $errs = print_errs('CTX_set_options'); + + warn "Cert `$crt_path' given without key" if $crt_path && !$key_path; + set_cert_and_key($ctx, $crt_path, $key_path) if $crt_path; + + warn "Creating SSL connection (context was '$ctx')...\n" if $trace>2; + $ssl = new($ctx); + goto cleanup if $errs = print_errs('SSL_new') or !$ssl; + + warn "Setting fd (ctx $ctx, con $ssl)...\n" if $trace>2; + set_fd($ssl, fileno(SSLCAT_S)); + goto cleanup if $errs = print_errs('set_fd'); + + warn "Entering SSL negotiation phase...\n" if $trace>2; + + if ($trace>2) { + my $i = 0; + my $p = ''; + my $cipher_list = 'Cipher list: '; + $p=Net::SSLeay::get_cipher_list($ssl,$i); + $cipher_list .= $p if $p; + do { + $i++; + $cipher_list .= ', ' . $p if $p; + $p=Net::SSLeay::get_cipher_list($ssl,$i); + } while $p; + $cipher_list .= '\n'; + warn $cipher_list; + } + + $got = Net::SSLeay::connect($ssl); + warn "SSLeay connect returned $got\n" if $trace>2; + goto cleanup if $errs = print_errs('SSL_connect'); + + my $server_cert = get_peer_certificate($ssl); + print_errs('get_peer_certificate'); + if ($trace>1) { + warn "Cipher `" . get_cipher($ssl) . "'\n"; + print_errs('get_ciper'); + warn dump_peer_certificate($ssl); + } + + ### Connected. Exchange some data (doing repeated tries if necessary). + + warn "sslcat $$: sending " . blength($out_message) . " bytes...\n" + if $trace==3; + warn "sslcat $$: sending `$out_message' (" . blength($out_message) + . 
" bytes)...\n" if $trace>3; + ($written, $errs) = ssl_write_all($ssl, $out_message); + goto cleanup unless $written; + + sleep $slowly if $slowly; # Closing too soon can abort broken servers + Net::SSLeay::shutdown($ssl); # Useful starting with OpenSSL 1.1.1e + CORE::shutdown SSLCAT_S, 1; # Half close --> No more output, send EOF to server + + warn "waiting for reply...\n" if $trace>2; + ($got, $errs) = ssl_read_all($ssl); + warn "Got " . blength($got) . " bytes.\n" if $trace==3; + warn "Got `$got' (" . blength($got) . " bytes)\n" if $trace>3; + +cleanup: + free ($ssl); + $errs .= print_errs('SSL_free'); +cleanup2: + CTX_free ($ctx); + $errs .= print_errs('CTX_free'); + close SSLCAT_S; + return wantarray ? ($got, $errs, $server_cert) : $got; +} + +sub tcpcat { # address, port, message, $crt, $key --> reply / (reply,errs,cert) + my ($dest_serv, $port, $out_message) = @_; + my ($got, $errs, $written); + + ($got, $errs) = open_proxy_tcp_connection($dest_serv, $port); + return (wantarray ? (undef, $errs) : undef) unless $got; + + ### Connected. Exchange some data (doing repeated tries if necessary). + + warn "tcpcat $$: sending " . blength($out_message) . " bytes...\n" + if $trace==3; + warn "tcpcat $$: sending `$out_message' (" . blength($out_message) + . " bytes)...\n" if $trace>3; + ($written, $errs) = tcp_write_all($out_message); + goto cleanup unless $written; + + sleep $slowly if $slowly; # Closing too soon can abort broken servers + CORE::shutdown SSLCAT_S, 1; # Half close --> No more output, send EOF to server + + warn "waiting for reply...\n" if $trace>2; + ($got, $errs) = tcp_read_all(); + warn "Got " . blength($got) . " bytes.\n" if $trace==3; + warn "Got `$got' (" . blength($got) . " bytes)\n" if $trace>3; + +cleanup: + close SSLCAT_S; + return wantarray ? 
($got, $errs) : $got; +} + +sub tcpxcat { + my ($usessl, $site, $port, $req, $crt_path, $key_path) = @_; + if ($usessl) { + return sslcat($site, $port, $req, $crt_path, $key_path); + } else { + return tcpcat($site, $port, $req); + } +} + +### +### Basic request - response primitive, this is different from sslcat +### because this does not shutdown the connection. +### + +sub https_cat { # address, port, message --> returns reply / (reply,errs,cert) + my ($dest_serv, $port, $out_message, $crt_path, $key_path) = @_; + my ($ctx, $ssl, $got, $errs, $written); + + ($got, $errs) = open_proxy_tcp_connection($dest_serv, $port); + return (wantarray ? (undef, $errs) : undef) unless $got; + + ### Do SSL negotiation stuff + + warn "Creating SSL $ssl_version context...\n" if $trace>2; + initialize(); + + $ctx = new_x_ctx(); + goto cleanup2 if $errs = print_errs('CTX_new') or !$ctx; + + CTX_set_options($ctx, &OP_ALL); + goto cleanup2 if $errs = print_errs('CTX_set_options'); + + warn "Cert `$crt_path' given without key" if $crt_path && !$key_path; + set_cert_and_key($ctx, $crt_path, $key_path) if $crt_path; + + warn "Creating SSL connection (context was '$ctx')...\n" if $trace>2; + $ssl = new($ctx); + goto cleanup if $errs = print_errs('SSL_new') or !$ssl; + + warn "Setting fd (ctx $ctx, con $ssl)...\n" if $trace>2; + set_fd($ssl, fileno(SSLCAT_S)); + goto cleanup if $errs = print_errs('set_fd'); + + warn "Entering SSL negotiation phase...\n" if $trace>2; + + if ($trace>2) { + my $i = 0; + my $p = ''; + my $cipher_list = 'Cipher list: '; + $p=Net::SSLeay::get_cipher_list($ssl,$i); + $cipher_list .= $p if $p; + do { + $i++; + $cipher_list .= ', ' . 
$p if $p; + $p=Net::SSLeay::get_cipher_list($ssl,$i); + } while $p; + $cipher_list .= '\n'; + warn $cipher_list; + } + + $got = Net::SSLeay::connect($ssl); + warn "SSLeay connect failed" if $trace>2 && $got==0; + goto cleanup if $errs = print_errs('SSL_connect'); + + my $server_cert = get_peer_certificate($ssl); + print_errs('get_peer_certificate'); + if ($trace>1) { + warn "Cipher `" . get_cipher($ssl) . "'\n"; + print_errs('get_ciper'); + warn dump_peer_certificate($ssl); + } + + ### Connected. Exchange some data (doing repeated tries if necessary). + + warn "https_cat $$: sending " . blength($out_message) . " bytes...\n" + if $trace==3; + warn "https_cat $$: sending `$out_message' (" . blength($out_message) + . " bytes)...\n" if $trace>3; + ($written, $errs) = ssl_write_all($ssl, $out_message); + goto cleanup unless $written; + + warn "waiting for reply...\n" if $trace>2; + ($got, $errs) = ssl_read_all($ssl); + warn "Got " . blength($got) . " bytes.\n" if $trace==3; + warn "Got `$got' (" . blength($got) . " bytes)\n" if $trace>3; + +cleanup: + free ($ssl); + $errs .= print_errs('SSL_free'); +cleanup2: + CTX_free ($ctx); + $errs .= print_errs('CTX_free'); + close SSLCAT_S; + return wantarray ? ($got, $errs, $server_cert) : $got; +} + +sub http_cat { # address, port, message --> returns reply / (reply,errs,cert) + my ($dest_serv, $port, $out_message) = @_; + my ($got, $errs, $written); + + ($got, $errs) = open_proxy_tcp_connection($dest_serv, $port); + return (wantarray ? (undef, $errs) : undef) unless $got; + + ### Connected. Exchange some data (doing repeated tries if necessary). + + warn "http_cat $$: sending " . blength($out_message) . " bytes...\n" + if $trace==3; + warn "http_cat $$: sending `$out_message' (" . blength($out_message) + . " bytes)...\n" if $trace>3; + ($written, $errs) = tcp_write_all($out_message); + goto cleanup unless $written; + + warn "waiting for reply...\n" if $trace>2; + ($got, $errs) = tcp_read_all(); + warn "Got " . blength($got) . 
" bytes.\n" if $trace==3; + warn "Got `$got' (" . blength($got) . " bytes)\n" if $trace>3; + +cleanup: + close SSLCAT_S; + return wantarray ? ($got, $errs) : $got; +} + +sub httpx_cat { + my ($usessl, $site, $port, $req, $crt_path, $key_path) = @_; + warn "httpx_cat: usessl=$usessl ($site:$port)" if $trace; + if ($usessl) { + return https_cat($site, $port, $req, $crt_path, $key_path); + } else { + return http_cat($site, $port, $req); + } +} + +### +### Easy set up of private key and certificate +### + +sub set_cert_and_key ($$$) { + my ($ctx, $cert_path, $key_path) = @_; + my $errs = ''; + # Following will ask password unless private key is not encrypted + CTX_use_PrivateKey_file( $ctx, $key_path, &FILETYPE_PEM ) == 1 + or $errs .= print_errs("private key `$key_path' ($!)"); + CTX_use_certificate_file ($ctx, $cert_path, &FILETYPE_PEM) == 1 + or $errs .= print_errs("certificate `$cert_path' ($!)"); + return wantarray ? (undef, $errs) : ($errs eq ''); +} + +### Old deprecated API + +sub set_server_cert_and_key ($$$) { &set_cert_and_key } + +### Set up to use web proxy + +sub set_proxy ($$;**) { + ($proxyhost, $proxyport, $proxyuser, $proxypass) = @_; + require MIME::Base64 if $proxyuser; + $proxyauth = $proxyuser + ? $CRLF . 'Proxy-authorization: Basic ' + . 
MIME::Base64::encode("$proxyuser:$proxypass", '') + : ''; +} + +### +### Easy https manipulation routines +### + +sub make_form { + my (@fields) = @_; + my $form; + while (@fields) { + my ($name, $data) = (shift(@fields), shift(@fields)); + $data =~ s/([^\w\-.\@\$ ])/sprintf("%%%2.2x",ord($1))/gse; + $data =~ tr[ ][+]; + $form .= "$name=$data&"; + } + chop $form; + return $form; +} + +sub make_headers { + my (@headers) = @_; + my $headers; + while (@headers) { + my $header = shift(@headers); + my $value = shift(@headers); + $header =~ s/:$//; + $value =~ s/\x0d?\x0a$//; # because we add it soon, see below + $headers .= "$header: $value$CRLF"; + } + return $headers; +} + +sub do_httpx3 { + my ($method, $usessl, $site, $port, $path, $headers, + $content, $mime_type, $crt_path, $key_path) = @_; + my ($response, $page, $h,$v); + + my $len = blength($content); + if ($len) { + $mime_type = "application/x-www-form-urlencoded" unless $mime_type; + $content = "Content-Type: $mime_type$CRLF" + . "Content-Length: $len$CRLF$CRLF$content"; + } else { + $content = "$CRLF$CRLF"; + } + my $req = "$method $path HTTP/1.0$CRLF"; + unless (defined $headers && $headers =~ /^Host:/m) { + $req .= "Host: $site"; + unless (($port == 80 && !$usessl) || ($port == 443 && $usessl)) { + $req .= ":$port"; + } + $req .= $CRLF; + } + $req .= (defined $headers ? $headers : '') . 
"Accept: */*$CRLF$content"; + + warn "do_httpx3($method,$usessl,$site:$port)" if $trace; + my ($http, $errs, $server_cert) + = httpx_cat($usessl, $site, $port, $req, $crt_path, $key_path); + return (undef, "HTTP/1.0 900 NET OR SSL ERROR$CRLF$CRLF$errs") if $errs; + + $http = '' if !defined $http; + ($headers, $page) = split /\s?\n\s?\n/, $http, 2; + warn "headers >$headers< page >>$page<< http >>>$http<<<" if $trace>1; + ($response, $headers) = split /\s?\n/, $headers, 2; + return ($page, $response, $headers, $server_cert); +} + +sub do_https3 { splice(@_,1,0) = 1; do_httpx3; } # Legacy undocumented + +### do_https2() is a legacy version in the sense that it is unable +### to return all instances of duplicate headers. + +sub do_httpx2 { + my ($page, $response, $headers, $server_cert) = &do_httpx3; + X509_free($server_cert) if defined $server_cert; + return ($page, $response, defined $headers ? + map( { ($h,$v)=/^(\S+)\:\s*(.*)$/; (uc($h),$v); } + split(/\s?\n/, $headers) + ) : () + ); +} + +sub do_https2 { splice(@_,1,0) = 1; do_httpx2; } # Legacy undocumented + +### Returns headers as a hash where multiple instances of same header +### are handled correctly. 
+ +sub do_httpx4 { + my ($page, $response, $headers, $server_cert) = &do_httpx3; + my %hr = (); + for my $hh (split /\s?\n/, $headers) { + my ($h,$v) = ($hh =~ /^(\S+)\:\s*(.*)$/); + push @{$hr{uc($h)}}, $v; + } + return ($page, $response, \%hr, $server_cert); +} + +sub do_https4 { splice(@_,1,0) = 1; do_httpx4; } # Legacy undocumented + +# https + +sub get_https { do_httpx2(GET => 1, @_) } +sub post_https { do_httpx2(POST => 1, @_) } +sub put_https { do_httpx2(PUT => 1, @_) } +sub head_https { do_httpx2(HEAD => 1, @_) } + +sub get_https3 { do_httpx3(GET => 1, @_) } +sub post_https3 { do_httpx3(POST => 1, @_) } +sub put_https3 { do_httpx3(PUT => 1, @_) } +sub head_https3 { do_httpx3(HEAD => 1, @_) } + +sub get_https4 { do_httpx4(GET => 1, @_) } +sub post_https4 { do_httpx4(POST => 1, @_) } +sub put_https4 { do_httpx4(PUT => 1, @_) } +sub head_https4 { do_httpx4(HEAD => 1, @_) } + +# http + +sub get_http { do_httpx2(GET => 0, @_) } +sub post_http { do_httpx2(POST => 0, @_) } +sub put_http { do_httpx2(PUT => 0, @_) } +sub head_http { do_httpx2(HEAD => 0, @_) } + +sub get_http3 { do_httpx3(GET => 0, @_) } +sub post_http3 { do_httpx3(POST => 0, @_) } +sub put_http3 { do_httpx3(PUT => 0, @_) } +sub head_http3 { do_httpx3(HEAD => 0, @_) } + +sub get_http4 { do_httpx4(GET => 0, @_) } +sub post_http4 { do_httpx4(POST => 0, @_) } +sub put_http4 { do_httpx4(PUT => 0, @_) } +sub head_http4 { do_httpx4(HEAD => 0, @_) } + +# Either https or http + +sub get_httpx { do_httpx2(GET => @_) } +sub post_httpx { do_httpx2(POST => @_) } +sub put_httpx { do_httpx2(PUT => @_) } +sub head_httpx { do_httpx2(HEAD => @_) } + +sub get_httpx3 { do_httpx3(GET => @_) } +sub post_httpx3 { do_httpx3(POST => @_) } +sub put_httpx3 { do_httpx3(PUT => @_) } +sub head_httpx3 { do_httpx3(HEAD => @_) } + +sub get_httpx4 { do_httpx4(GET => @_) } +sub post_httpx4 { do_httpx4(POST => @_) } +sub put_httpx4 { do_httpx4(PUT => @_) } +sub head_httpx4 { do_httpx4(HEAD => @_) } + +### Legacy, don't use +# ($page, 
$respone_or_err, %headers) = do_https(...); + +sub do_https { + my ($site, $port, $path, $method, $headers, + $content, $mime_type, $crt_path, $key_path) = @_; + + do_https2($method, $site, $port, $path, $headers, + $content, $mime_type, $crt_path, $key_path); +} + +1; +__END__ + diff --git a/cpan/Net-SSLeay/lib/Net/SSLeay.pod b/cpan/Net-SSLeay/lib/Net/SSLeay.pod new file mode 100644 index 000000000000..820a1743f8d6 --- /dev/null +++ b/cpan/Net-SSLeay/lib/Net/SSLeay.pod 
@@ -0,0 +1,10434 @@ +=encoding utf-8 + +=head1 NAME + +Net::SSLeay - Perl bindings for OpenSSL and LibreSSL + +=head1 SYNOPSIS + + use Net::SSLeay qw(get_https post_https sslcat make_headers make_form); + + ($page) = get_https('www.bacus.pt', 443, '/'); # Case 1 + + ($page, $response, %reply_headers) + = get_https('www.bacus.pt', 443, '/', # Case 2 + make_headers(User-Agent => 'Cryptozilla/5.0b1', + Referer => 'https://www.bacus.pt' + )); + + ($page, $result, %headers) = # Case 2b + = get_https('www.bacus.pt', 443, '/protected.html', + make_headers(Authorization => + 'Basic ' . MIME::Base64::encode("$user:$pass",'')) + ); + + ($page, $response, %reply_headers) + = post_https('www.bacus.pt', 443, '/foo.cgi', '', # Case 3 + make_form(OK => '1', + name => 'Sampo' + )); + + $reply = sslcat($host, $port, $request); # Case 4 + + ($reply, $err, $server_cert) = sslcat($host, $port, $request); # Case 5 + + $Net::SSLeay::trace = 2; # 0=no debugging, 1=ciphers, 2=trace, 3=dump data + + Net::SSLeay::initialize(); # Initialize ssl library once + +=head1 DESCRIPTION + +This module provides Perl bindings for libssl (an SSL/TLS API) and libcrypto (a +cryptography API). + +=head1 COMPATIBILITY + +Net::SSLeay supports the following libssl implementations: + +=over + +=item * + +Any stable release of L in the 0.9.8 - 3.0 +branches, except for OpenSSL 0.9.8 - 0.9.8b. + +=item * + +Any stable release of L in the 2.0 - 3.4 +series, except for LibreSSL 3.2.2 and 3.2.3. + +=back + +Net::SSLeay may not function as expected with releases other than the ones +listed above due to libssl API incompatibilities, or, in the case of LibreSSL, +because of deviations from the libssl API. + +Net::SSLeay is only as secure as the underlying libssl implementation you use. +Although Net::SSLeay maintains compatibility with old versions of OpenSSL and +LibreSSL, it is B that you use a version of OpenSSL or +LibreSSL that is supported by the OpenSSL/LibreSSL developers and/or your +operating system vendor. 
Many unsupported versions of OpenSSL and LibreSSL are +known to contain severe security vulnerabilities. Refer to the +L +and L for +information on which versions are currently supported. + +The libssl API has changed significantly since OpenSSL 0.9.8: hundreds of +functions have been added, deprecated or removed in the intervening versions. +Although this documentation lists all of the functions and constants that +Net::SSLeay may expose, they will not be available for use if they are missing +from the underlying libssl implementation. Refer to the compatibility notes in +this documentation, as well as the OpenSSL/LibreSSL manual pages, for +information on which OpenSSL/LibreSSL versions support each function or +constant. At run-time, you can check whether a function or constant is exposed +before calling it using the following convention: + + if ( defined &Net::SSLeay::libssl_function ) { + # libssl_function() (or SSL_libssl_function()) is available + Net::SSLeay::libssl_function(...); + } + +=head1 OVERVIEW + +L module basically comprise of: + +=over + +=item * High level functions for accessing web servers (by using HTTP/HTTPS) + +=item * Low level API (mostly mapped 1:1 to openssl's C functions) + +=item * Convenience functions (related to low level API but with more perl friendly interface) + +=back + +There is also a related module called L included in this +distribution that you might want to use instead. It has its own pod +documentation. + +=head2 High level functions for accessing web servers + +This module offers some high level convenience functions for accessing +web pages on SSL servers (for symmetry, the same API is offered for +accessing http servers, too), an C function for writing your own +clients, and finally access to the SSL api of the SSLeay/OpenSSL package +so you can write servers or clients for more complicated applications. 
+ +For high level functions it is most convenient to import them into your +main namespace as indicated in the synopsis. + +=head3 Basic set of functions + +=over + +=item * get_https + +=item * post_https + +=item * put_https + +=item * head_https + +=item * do_https + +=item * sslcat + +=item * https_cat + +=item * make_form + +=item * make_headers + +=back + +B demonstrates the typical invocation of get_https() to fetch an HTML +page from secure server. The first argument provides the hostname or IP +in dotted decimal notation of the remote server to contact. The second +argument is the TCP port at the remote end (your own port is picked +arbitrarily from high numbered ports as usual for TCP). The third +argument is the URL of the page without the host name part. If in +doubt consult the HTTP specifications at L. + +B demonstrates full fledged use of C. As can be seen, +C parses the response and response headers and returns them as +a list, which can be captured in a hash for later reference. Also a +fourth argument to C is used to insert some additional headers +in the request. C is a function that will convert a list or +hash to such headers. By default C supplies C (to make +virtual hosting easy) and C (reportedly needed by IIS) headers. + +B demonstrates how to get a password protected page. Refer to +the HTTP protocol specifications for further details (e.g. RFC-2617). + +B invokes C to submit a HTML/CGI form to a secure +server. The first four arguments are equal to C (note that +the empty string (C<''>) is passed as header argument). +The fifth argument is the +contents of the form formatted according to CGI specification. +Do not post UTF-8 data as content: use utf8::downgrade first. In this +case the helper function C is used to do the formatting, +but you could pass any string. C automatically adds +C and C headers to the request. + +B shows the fundamental C function (inspired in spirit by +the C utility :-). 
It's your swiss army knife that allows you to +easily contact servers, send some data, and then get the response. You +are responsible for formatting the data and parsing the response - +C is just a transport. + +B is a full invocation of C which allows the return of errors +as well as the server (peer) certificate. + +The C<$trace> global variable can be used to control the verbosity of the +high level functions. Level 0 guarantees silence, level 1 (the default) +only emits error messages. + +=head3 Alternate versions of high-level API + +=over + +=item * get_https3 + +=item * post_https3 + +=item * put_https3 + +=item * get_https4 + +=item * post_https4 + +=item * put_https4 + +=back + +The above mentioned functions actually return the response headers as +a list, which only gets converted to hash upon assignment (this +assignment looses information if the same header occurs twice, as may +be the case with cookies). There are also other variants of the +functions that return unprocessed headers and that return a reference +to a hash. + + ($page, $response, @headers) = get_https('www.bacus.pt', 443, '/'); + for ($i = 0; $i < $#headers; $i+=2) { + print "$headers[$i] = " . $headers[$i+1] . "\n"; + } + + ($page, $response, $headers, $server_cert) + = get_https3('www.bacus.pt', 443, '/'); + print "$headers\n"; + + ($page, $response, $headers_ref) + = get_https4('www.bacus.pt', 443, '/'); + for $k (sort keys %{$headers_ref}) { + for $v (@{$$headers_ref{$k}}) { + print "$k = $v\n"; + } + } + +All of the above code fragments accomplish the same thing: display all +values of all headers. The API functions ending in "3" return the +headers simply as a scalar string and it is up to the application to +split them up. The functions ending in "4" return a reference to +a hash of arrays (see L and L if you are +not familiar with complex perl data structures). 
To access a single value +of such a header hash you would do something like + + print $$headers_ref{COOKIE}[0]; + +Variants 3 and 4 also allow you to discover the server certificate +in case you would like to store or display it, e.g. + + ($p, $resp, $hdrs, $server_cert) = get_https3('www.bacus.pt', 443, '/'); + if (!defined($server_cert) || ($server_cert == 0)) { + warn "Subject Name: undefined, Issuer Name: undefined"; + } else { + warn 'Subject Name: ' + . Net::SSLeay::X509_NAME_oneline( + Net::SSLeay::X509_get_subject_name($server_cert)) + . 'Issuer Name: ' + . Net::SSLeay::X509_NAME_oneline( + Net::SSLeay::X509_get_issuer_name($server_cert)); + } + +Beware that this method only allows after the fact verification of +the certificate: by the time C has returned the https +request has already been sent to the server, whether you decide to +trust it or not. To do the verification correctly you must either +employ the OpenSSL certificate verification framework or use +the lower level API to first connect and verify the certificate +and only then send the http data. See the implementation of C +for guidance on how to do this. + +=head3 Using client certificates + +Secure web communications are encrypted using symmetric crypto keys +exchanged using encryption based on the certificate of the +server. Therefore in all SSL connections the server must have a +certificate. This serves both to authenticate the server to the +clients and to perform the key exchange. + +Sometimes it is necessary to authenticate the client as well. Two +options are available: HTTP basic authentication and a client side +certificate. The basic authentication over HTTPS is actually quite +safe because HTTPS guarantees that the password will not travel in +the clear. Never-the-less, problems like easily guessable passwords +remain. The client certificate method involves authentication of the +client at the SSL level using a certificate. 
For this to work, both the +client and the server have certificates (which typically are +different) and private keys. + +The API functions outlined above accept additional arguments that +allow one to supply the client side certificate and key files. The +format of these files is the same as used for server certificates and +the caveat about encrypting private keys applies. + + ($page, $result, %headers) = # 2c + = get_https('www.bacus.pt', 443, '/protected.html', + make_headers(Authorization => + 'Basic ' . MIME::Base64::encode("$user:$pass",'')), + '', $mime_type6, $path_to_crt7, $path_to_key8); + + ($page, $response, %reply_headers) + = post_https('www.bacus.pt', 443, '/foo.cgi', # 3b + make_headers('Authorization' => + 'Basic ' . MIME::Base64::encode("$user:$pass",'')), + make_form(OK => '1', name => 'Sampo'), + $mime_type6, $path_to_crt7, $path_to_key8); + +B demonstrates getting a password protected page that also requires +a client certificate, i.e. it is possible to use both authentication +methods simultaneously. + +B is a full blown POST to a secure server that requires both password +authentication and a client certificate, just like in case 2c. + +Note: The client will not send a certificate unless the server requests one. +This is typically achieved by setting the verify mode to C on the +server: + + Net::SSLeay::set_verify(ssl, Net::SSLeay::VERIFY_PEER, 0); + +See C for a full description. + +=head3 Working through a web proxy + +=over + +=item * set_proxy + +=back + +C can use a web proxy to make its connections. 
You need to +first set the proxy host and port using C and then just +use the normal API functions, e.g: + + Net::SSLeay::set_proxy('gateway.myorg.com', 8080); + ($page) = get_https('www.bacus.pt', 443, '/'); + +If your proxy requires authentication, you can supply a username and +password as well + + Net::SSLeay::set_proxy('gateway.myorg.com', 8080, 'joe', 'salainen'); + ($page, $result, %headers) = + = get_https('www.bacus.pt', 443, '/protected.html', + make_headers(Authorization => + 'Basic ' . MIME::Base64::encode("susie:pass",'')) + ); + +This example demonstrates the case where we authenticate to the proxy as +C<"joe"> and to the final web server as C<"susie">. Proxy authentication +requires the C module to work. + +=head3 HTTP (without S) API + +=over + +=item * get_http + +=item * post_http + +=item * tcpcat + +=item * get_httpx + +=item * post_httpx + +=item * tcpxcat + +=back + +Over the years it has become clear that it would be convenient to use +the light-weight flavour API of C for normal HTTP as well (see +C for the heavy-weight object-oriented approach). In fact it would be +nice to be able to flip https on and off on the fly. Thus regular HTTP +support was evolved. + + use Net::SSLeay qw(get_http post_http tcpcat + get_httpx post_httpx tcpxcat + make_headers make_form); + + ($page, $result, %headers) + = get_http('www.bacus.pt', 443, '/protected.html', + make_headers(Authorization => + 'Basic ' . MIME::Base64::encode("$user:$pass",'')) + ); + + ($page, $response, %reply_headers) + = post_http('www.bacus.pt', 443, '/foo.cgi', '', + make_form(OK => '1', + name => 'Sampo' + )); + + ($reply, $err) = tcpcat($host, $port, $request); + + ($page, $result, %headers) + = get_httpx($usessl, 'www.bacus.pt', 443, '/protected.html', + make_headers(Authorization => + 'Basic ' . 
MIME::Base64::encode("$user:$pass",'')) + ); + + ($page, $response, %reply_headers) + = post_httpx($usessl, 'www.bacus.pt', 443, '/foo.cgi', '', + make_form(OK => '1', name => 'Sampo' )); + + ($reply, $err, $server_cert) = tcpxcat($usessl, $host, $port, $request); + +As can be seen, the C<"x"> family of APIs takes as the first argument a flag +which indicates whether SSL is used or not. + +=head2 Certificate verification and Certificate Revocation Lists (CRLs) + +OpenSSL supports the ability to verify peer certificates. It can also +optionally check the peer certificate against a Certificate Revocation +List (CRL) from the certificates issuer. A CRL is a file, created by +the certificate issuer that lists all the certificates that it +previously signed, but which it now revokes. CRLs are in PEM format. + +You can enable C checking like this: + + &Net::SSLeay::X509_STORE_set_flags + (&Net::SSLeay::CTX_get_cert_store($ssl), + &Net::SSLeay::X509_V_FLAG_CRL_CHECK); + +After setting this flag, if OpenSSL checks a peer's certificate, then +it will attempt to find a CRL for the issuer. It does this by looking +for a specially named file in the search directory specified by +CTX_load_verify_locations. CRL files are named with the hash of the +issuer's subject name, followed by C<.r0>, C<.r1> etc. For example +C, C. It will read all the .r files for the +issuer, and then check for a revocation of the peer certificate in all +of them. (You can also force it to look in a specific named CRL +file., see below). You can find out the hash of the issuer subject +name in a CRL with + + openssl crl -in crl.pem -hash -noout + +If the peer certificate does not pass the revocation list, or if no +CRL is found, then the handshaking fails with an error. + +You can also force OpenSSL to look for CRLs in one or more arbitrarily +named files. 
+ + my $bio = Net::SSLeay::BIO_new_file($crlfilename, 'r'); + my $crl = Net::SSLeay::PEM_read_bio_X509_CRL($bio); + if ($crl) { + Net::SSLeay::X509_STORE_add_crl( + Net::SSLeay::CTX_get_cert_store($ssl, $crl) + ); + } else { + error reading CRL.... + } + +Usually the URLs where you can download the CRLs is contained in the certificate +itself and you can extract them with + + my @url = Net::SSLeay::P_X509_get_crl_distribution_points($cert) + +But there is no automatic downloading of the CRLs and often these CRLs are too +huge to just download them to verify a single certificate. +Also, these CRLs are often in DER format which you need to convert to PEM before +you can use it: + + openssl crl -in crl.der -inform der -out crl.pem + +So as an alternative for faster and timely revocation checks you better use +the Online Status Revocation Protocol (OCSP). + +=head2 Certificate verification and Online Status Revocation Protocol (OCSP) + +While checking for revoked certificates is possible and fast with Certificate +Revocation Lists, you need to download the complete and often huge list before +you can verify a single certificate. + +A faster way is to ask the CA to check the revocation of just a single or a few +certificates using OCSP. Basically you generate for each certificate an +OCSP_CERTID based on the certificate itself and its issuer, put the ids +togetether into an OCSP_REQUEST and send the request to the URL given in the +certificate. + +As a result you get back an OCSP_RESPONSE and need to check the status of the +response, check that it is valid (e.g. signed by the CA) and finally extract the +information about each OCSP_CERTID to find out if the certificate is still valid +or got revoked. + +With Net::SSLeay this can be done like this: + + # get id(s) for given certs, like from get_peer_certificate + # or get_peer_cert_chain. 
This will croak if + # - one tries to make an OCSP_CERTID for a self-signed certificate + # - the issuer of the certificate cannot be found in the SSL objects + # store, nor in the current certificate chain + my $cert = Net::SSLeay::get_peer_certificate($ssl); + my $id = eval { Net::SSLeay::OCSP_cert2ids($ssl,$cert) }; + die "failed to make OCSP_CERTID: $@" if $@; + + # create OCSP_REQUEST from id(s) + # Multiple can be put into the same request, if the same OCSP responder + # is responsible for them. + my $req = Net::SSLeay::OCSP_ids2req($id); + + # determine URI of OCSP responder + my $uri = Net::SSLeay::P_X509_get_ocsp_uri($cert); + + # Send stringified OCSP_REQUEST with POST to $uri. + # We can ignore certificate verification for https, because the OCSP + # response itself is signed. + my $ua = HTTP::Tiny->new(verify_SSL => 0); + my $res = $ua->request( 'POST',$uri, { + headers => { 'Content-type' => 'application/ocsp-request' }, + content => Net::SSLeay::i2d_OCSP_REQUEST($req) + }); + my $content = $res && $res->{success} && $res->{content} + or die "query failed"; + + # Extract OCSP_RESPONSE. + # this will croak if the string is not an OCSP_RESPONSE + my $resp = eval { Net::SSLeay::d2i_OCSP_RESPONSE($content) }; + + # Check status of response. + my $status = Net::SSLeay::OCSP_response_status($resp); + if ($status != Net::SSLeay::OCSP_RESPONSE_STATUS_SUCCESSFUL()) + die "OCSP response failed: ". + Net::SSLeay::OCSP_response_status_str($status); + } + + # Verify signature of response and if nonce matches request. + # This will croak if there is a nonce in the response, but it does not match + # the request. It will return false if the signature could not be verified, + # in which case details can be retrieved with Net::SSLeay::ERR_get_error. + # It will not complain if the response does not contain a nonce, which is + # usually the case with pre-signed responses. + if ( ! 
eval { Net::SSLeay::OCSP_response_verify($ssl,$resp,$req) }) { + die "OCSP response verification failed"; + } + + # Extract information from OCSP_RESPONSE for each of the ids. + + # If called in scalar context it will return the time (as time_t), when the + # next update is due (minimum of all successful responses inside $resp). It + # will croak on the following problems: + # - response is expired or not yet valid + # - no response for given OCSP_CERTID + # - certificate status is not good (e.g. revoked or unknown) + if ( my $nextupd = eval { Net::SSLeay::OCSP_response_results($resp,$id) }) { + warn "certificate is valid, next update in ". + ($nextupd-time())." seconds\n"; + } else { + die "certificate is not valid: $@"; + } + + # But in array context it will return detailed information about each given + # OCSP_CERTID instead croaking on errors: + # if no @ids are given it will return information about all single responses + # in the OCSP_RESPONSE + my @results = Net::SSLeay::OCSP_response_results($resp,@ids); + for my $r (@results) { + print Dumper($r); + # @results are in the same order as the @ids and contain: + # $r->[0] - OCSP_CERTID + # $r->[1] - undef if no error (certificate good) OR error message as string + # $r->[2] - hash with details: + # thisUpdate - time_t of this single response + # nextUpdate - time_t when update is expected + # statusType - integer: + # V_OCSP_CERTSTATUS_GOOD(0) + # V_OCSP_CERTSTATUS_REVOKED(1) + # V_OCSP_CERTSTATUS_UNKNOWN(2) + # revocationTime - time_t (only if revoked) + # revocationReason - integer (only if revoked) + # revocationReason_str - reason as string (only if revoked) + } + +To further speed up certificate revocation checking one can use a TLS extension +to instruct the server to staple the OCSP response: + + # set TLS extension before doing SSL_connect + Net::SSLeay::set_tlsext_status_type($ssl, + Net::SSLeay::TLSEXT_STATUSTYPE_ocsp()); + + # setup callback to verify OCSP response + my $cert_valid = undef; + 
Net::SSLeay::CTX_set_tlsext_status_cb($context,sub { + my ($ssl,$resp) = @_; + if (!$resp) { + # Lots of servers don't return an OCSP response. + # In this case we must check the OCSP status outside the SSL + # handshake. + warn "server did not return stapled OCSP response\n"; + return 1; + } + # verify status + my $status = Net::SSLeay::OCSP_response_status($resp); + if ($status != Net::SSLeay::OCSP_RESPONSE_STATUS_SUCCESSFUL()) { + warn "OCSP response failure: $status\n"; + return 1; + } + # verify signature - we have no OCSP_REQUEST here to check nonce + if (!eval { Net::SSLeay::OCSP_response_verify($ssl,$resp) }) { + warn "OCSP response verify failed\n"; + return 1; + } + # check if the certificate is valid + # we should check here against the peer_certificate + my $cert = Net::SSLeay::get_peer_certificate(); + my $certid = eval { Net::SSLeay::OCSP_cert2ids($ssl,$cert) } or do { + warn "cannot get certid from cert: $@"; + $cert_valid = -1; + return 1; + }; + + if ( $nextupd = eval { + Net::SSLeay::OCSP_response_results($resp,$certid) }) { + warn "certificate not revoked\n"; + $cert_valid = 1; + } else { + warn "certificate not valid: $@"; + $cert_valid = 0; + } + }); + + # do SSL handshake here + .... + # check if certificate revocation was checked already + if ( ! defined $cert_valid) { + # check revocation outside of SSL handshake by asking OCSP responder + ... + } elsif ( ! $cert_valid ) { + die "certificate not valid - closing SSL connection"; + } elsif ( $cert_valid<0 ) { + die "cannot verify certificate revocation - self-signed ?"; + } else { + # everything fine + ... + } + + +=head2 Using Net::SSLeay in multi-threaded applications + +B + +Net::SSLeay module implements all necessary stuff to be ready for multi-threaded +environment - it requires openssl-0.9.7 or newer. The implementation fully follows thread safety related requirements +of openssl library(see L). 
+ +If you are about to use Net::SSLeay (or any other module based on Net::SSLeay) in multi-threaded +perl application it is recommended to follow this best-practice: + +=head3 Initialization + +Load and initialize Net::SSLeay module in the main thread: + + use threads; + use Net::SSLeay; + + Net::SSLeay::load_error_strings(); + Net::SSLeay::SSLeay_add_ssl_algorithms(); + Net::SSLeay::randomize(); + + sub do_master_job { + #... call whatever from Net::SSLeay + } + + sub do_worker_job { + #... call whatever from Net::SSLeay + } + + #start threads + my $master = threads->new(\&do_master_job, 'param1', 'param2'); + my @workers = threads->new(\&do_worker_job, 'arg1', 'arg2') for (1..10); + + #waiting for all threads to finish + $_->join() for (threads->list); + +NOTE: Openssl's C function (which is also aliased as +C, C and C) +is not re-entrant and multiple calls can cause a crash in threaded application. +Net::SSLeay implements flags preventing repeated calls to this function, +therefore even multiple initialization via Net::SSLeay::SSLeay_add_ssl_algorithms() +should work without trouble. + +=head3 Using callbacks + +Do not use callbacks across threads (the module blocks cross-thread callback operations +and throws a warning). Always do the callback setup, callback use and callback destruction +within the same thread. + +=head3 Using openssl elements + +All openssl elements (X509, SSL_CTX, ...) can be directly passed between threads. + + use threads; + use Net::SSLeay; + + Net::SSLeay::load_error_strings(); + Net::SSLeay::SSLeay_add_ssl_algorithms(); + Net::SSLeay::randomize(); + + sub do_job { + my $context = shift; + Net::SSLeay::CTX_set_default_passwd_cb($context, sub { "secret" }); + #... 
+ } + + my $c = Net::SSLeay::CTX_new(); + threads->create(\&do_job, $c); + +Or: + + use threads; + use Net::SSLeay; + + my $context; #does not need to be 'shared' + + Net::SSLeay::load_error_strings(); + Net::SSLeay::SSLeay_add_ssl_algorithms(); + Net::SSLeay::randomize(); + + sub do_job { + Net::SSLeay::CTX_set_default_passwd_cb($context, sub { "secret" }); + #... + } + + $context = Net::SSLeay::CTX_new(); + threads->create(\&do_job); + + +=head3 Using other perl modules based on Net::SSLeay + +It should be fine to use any other module based on L (like L) +in multi-threaded applications. It is generally recommended to do any global initialization +of such a module in the main thread before calling C<< threads->new(..) >> or +C<< threads->create(..) >> but it might differ module by module. + +To be safe you can load and init Net::SSLeay explicitly in the main thread: + + use Net::SSLeay; + use Other::SSLeay::Based::Module; + + Net::SSLeay::load_error_strings(); + Net::SSLeay::SSLeay_add_ssl_algorithms(); + Net::SSLeay::randomize(); + +Or even safer: + + use Net::SSLeay; + use Other::SSLeay::Based::Module; + + BEGIN { + Net::SSLeay::load_error_strings(); + Net::SSLeay::SSLeay_add_ssl_algorithms(); + Net::SSLeay::randomize(); + } + +=head3 Combining Net::SSLeay with other modules linked with openssl + +B + +There are many other (XS) modules linked directly to openssl library (like L). + +As it is expected that also "another" module will call C at some point +we have again a trouble with multiple openssl initialization by Net::SSLeay and "another" module. + +As you can expect Net::SSLeay is not able to avoid multiple initialization of openssl library +called by "another" module, thus you have to handle this on your own (in some cases it might +not be possible at all to avoid this). 
+ +=head3 Threading with get_https and friends + +The convenience functions get_https, post_https etc all initialize the SSL library by calling +Net::SSLeay::initialize which does the conventional library initialization: + + Net::SSLeay::load_error_strings(); + Net::SSLeay::SSLeay_add_ssl_algorithms(); + Net::SSLeay::randomize(); + +Net::SSLeay::initialize initializes the SSL library at most once. +You can override the Net::SSLeay::initialize function if you desire +some other type of initialization behaviour by get_https and friends. +You can call Net::SSLeay::initialize from your own code if you desire this conventional library initialization. + +=head2 Convenience routines + +To be used with Low level API + + Net::SSLeay::randomize($rn_seed_file,$additional_seed); + Net::SSLeay::set_cert_and_key($ctx, $cert_path, $key_path); + $cert = Net::SSLeay::dump_peer_certificate($ssl); + Net::SSLeay::ssl_write_all($ssl, $message) or die "ssl write failure"; + $got = Net::SSLeay::ssl_read_all($ssl) or die "ssl read failure"; + + $got = Net::SSLeay::ssl_read_CRLF($ssl [, $max_length]); + $got = Net::SSLeay::ssl_read_until($ssl [, $delimit [, $max_length]]); + Net::SSLeay::ssl_write_CRLF($ssl, $message); + +=over + +=item * randomize + +seeds the openssl PRNG with C (see the top of C +for how to change or configure this) and optionally with user provided +data. It is very important to properly seed your random numbers, so +do not forget to call this. The high level API functions automatically +call C so it is not needed with them. See also caveats. + +=item * set_cert_and_key + +takes two file names as arguments and sets +the certificate and private key to those. This can be used to +set either server certificates or client certificates. + +=item * dump_peer_certificate + +allows you to get a plaintext description of the +certificate the peer (usually the server) presented to us. 
+ +=item * ssl_read_all + +see ssl_write_all (below) + +=item * ssl_write_all + +C and C provide true blocking semantics for +these operations (see limitation, below, for explanation). These are +much preferred to the low level API equivalents (which implement BSD +blocking semantics). The message argument to C can be +a reference. This is helpful to avoid unnecessary copying when writing +something big, e.g: + + $data = 'A' x 1000000000; + Net::SSLeay::ssl_write_all($ssl, \$data) or die "ssl write failed"; + +=item * ssl_read_CRLF + +uses C to read in a line terminated with a +carriage return followed by a linefeed (CRLF). The CRLF is included in +the returned scalar. + +=item * ssl_read_until + +uses C to read from the SSL input +stream until it encounters a programmer specified delimiter. +If the delimiter is undefined, C<$/> is used. If C<$/> is undefined, +C<\n> is used. One can optionally set a maximum length of bytes to read +from the SSL input stream. + +=item * ssl_write_CRLF + +writes C<$message> and appends CRLF to the SSL output stream. + +=back + +=head2 Initialization + +In order to use the low level API you should start your programs with +the following incantation: + + use Net::SSLeay qw(die_now die_if_ssl_error); + Net::SSLeay::load_error_strings(); + Net::SSLeay::SSLeay_add_ssl_algorithms(); # Important! + Net::SSLeay::ENGINE_load_builtin_engines(); # If you want built-in engines + Net::SSLeay::ENGINE_register_all_complete(); # If you want built-in engines + Net::SSLeay::randomize(); + +=head2 Error handling functions + +I can not emphasize the need to check for error enough. Use these +functions even in the most simple programs, they will reduce debugging +time greatly. Do not ask questions on the mailing list without having +first sprinkled these in your code. 
+ +=over + +=item * die_now + +=item * die_if_ssl_error + +C and C are used to conveniently print the SSLeay error +stack when something goes wrong: + + Net::SSLeay::connect($ssl) or die_now("Failed SSL connect ($!)"); + + + Net::SSLeay::write($ssl, "foo") or die_if_ssl_error("SSL write ($!)"); + +=item * print_errs + +You can also use C to dump the error stack without +exiting the program. As can be seen, your code becomes much more readable +if you import the error reporting functions into your main name space. + +=back + +=head2 Sockets + +Perl uses file handles for all I/O. While SSLeay has a quite flexible BIO +mechanism and perl has an evolved PerlIO mechanism, this module still +sticks to using file descriptors. Thus to attach SSLeay to a socket you +should use C to extract the underlying file descriptor: + + Net::SSLeay::set_fd($ssl, fileno(S)); # Must use fileno + +You should also set C<$|> to 1 to eliminate STDIO buffering so you do not +get confused if you use perl I/O functions to manipulate your socket +handle. + +If you need to C on the socket, go right ahead, but be warned +that OpenSSL does some internal buffering so SSL_read does not always +return data even if the socket selected for reading (just keep on +selecting and trying to read). C is no different from the +C language OpenSSL in this respect. + +=head2 Callbacks + +You can establish a per-context verify callback function something like this: + + sub verify { + my ($ok, $x509_store_ctx) = @_; + print "Verifying certificate...\n"; + ... + return $ok; + } + +It is used like this: + + Net::SSLeay::set_verify ($ssl, Net::SSLeay::VERIFY_PEER, \&verify); + +Per-context callbacks for decrypting private keys are implemented. 
+ + Net::SSLeay::CTX_set_default_passwd_cb($ctx, sub { "top-secret" }); + Net::SSLeay::CTX_use_PrivateKey_file($ctx, "key.pem", + Net::SSLeay::FILETYPE_PEM) + or die "Error reading private key"; + Net::SSLeay::CTX_set_default_passwd_cb($ctx, undef); + +If Hello Extensions are supported by your OpenSSL, +a session secret callback can be set up to be called when a session secret is set +by openssl. + +Establish it like this: + + Net::SSLeay::set_session_secret_cb($ssl, \&session_secret_cb, $somedata); + +It will be called like this: + + sub session_secret_cb + { + my ($secret, \@cipherlist, \$preferredcipher, $somedata) = @_; + } + + +No other callbacks are implemented. You do not need to use any +callback for simple (i.e. normal) cases where the SSLeay built-in +verify mechanism satisfies your needs. + +It is required to reset these callbacks to undef immediately after use to prevent +memory leaks, thread safety problems and crashes on exit that +can occur if different threads set different callbacks. + +If you want to use callback stuff, see examples/callback.pl! It's the +only one I am able to make work reliably. + +=head2 Low level API + +In addition to the high level functions outlined above, this module +contains straight-forward access to CRYPTO and SSL parts of OpenSSL C API. + +See the C<*.h> headers from OpenSSL C distribution for a list of low level +SSLeay functions to call (check SSLeay.xs to see if some function has been +implemented). The module strips the initial C<"SSL_"> off of the SSLeay names. +Generally you should use C in its place. + +Note that some functions are prefixed with C<"P_"> - these are very close to +the original API however contain some kind of a wrapper making its interface +more perl friendly. 
+ +For example: + +In C: + + #include + + err = SSL_set_verify (ssl, SSL_VERIFY_CLIENT_ONCE, + &your_call_back_here); + +In Perl: + + use Net::SSLeay; + + $err = Net::SSLeay::set_verify ($ssl, + Net::SSLeay::VERIFY_CLIENT_ONCE, + \&your_call_back_here); + +If the function does not start with C you should use the full +function name, e.g.: + + $err = Net::SSLeay::ERR_get_error; + +The following new functions behave in perlish way: + + $got = Net::SSLeay::read($ssl); + # Performs SSL_read, but returns $got + # resized according to data received. + # Returns undef on failure. + + Net::SSLeay::write($ssl, $foo) || die; + # Performs SSL_write, but automatically + # figures out the size of $foo + +=head3 Low level API: Version and library information related functions + +=over + +=item * OpenSSL_version_num and SSLeay + +B SSLeay() is not available in Net-SSLeay-1.42 and +before. SSLeay() was made an alias of OpenSSL_version_num() in OpenSSL +1.1.0 and LibreSSL 2.7.0. + +B OpenSSL_version_num() requires at least +Net-SSLeay-1.82 with OpenSSL 1.1.0, or Net-SSLeay-1.88 with LibreSSL +2.7.0. + +Both functions return OPENSSL_VERSION_NUMBER constant (numeric) as +defined by the underlying OpenSSL or LibreSSL library. + + my $ver_number = Net::SSLeay::SSLeay(); +or + my $ver_number = Net::SSLeay::OpenSSL_version_num(); + # returns: OPENSSL_VERSION_NUMBER constant + + OpenSSL version numbering is: + + # 0x00903100 => openssl-0.9.3 + # 0x00904100 => openssl-0.9.4 + # 0x00905100 => openssl-0.9.5 + # 0x0090600f => openssl-0.9.6 + # 0x0090601f => openssl-0.9.6a + # ... + # 0x009060df => openssl-0.9.6m + # 0x0090700f => openssl-0.9.7 + # 0x0090701f => openssl-0.9.7a + # ... + # 0x009070df => openssl-0.9.7m + # 0x0090800f => openssl-0.9.8 + # 0x0090801f => openssl-0.9.8a + # ... + # 0x0090821f => openssl-0.9.8zh + # 0x1000000f => openssl-1.0.0 + # ... + # 0x1000014f => openssl-1.0.0t + # 0x1000100f => openssl-1.0.1 + # ... 
+ # 0x1000115f => openssl-1.0.1u + # 0x1000200f => openssl-1.0.2 + # ... + # 0x1000215f => openssl-1.0.2u + # 0x1010000f => openssl-1.1.0 + # ... + # 0x101000cf => openssl-1.1.0l + # 0x1010100f => openssl-1.1.1 + # ... + # 0x101010df => openssl-1.1.1m + # 0x30000000 => openssl-3.0.0 + # 0x30000010 => openssl-3.0.1 + + Note that OpenSSL 3.0.0 and later do not set the status nibble in the + least significant octet to f. + + LibreSSL returns 0x20000000 always: + + # 0x20000000 => libressl-2.2.1 + # ... + # 0x20000000 => libressl-3.4.2 + +You can use the version number like this when you know that the +underlying library is OpenSSL: + + if (Net::SSLeay::SSLeay() < 0x0090800f) { + die "You need OpenSSL 0.9.8 or higher"; + } + +LibresSSL 2.2.2 and later define constant LIBRESSL_VERSION_NUMBER that +gives the LibreSSL version number. The format is the same that OpenSSL +uses with OPENSSL_VERSION_NUMBER. You can do this if you need to +check that the underlying library is LibreSSL and it's recent enough: + + + if (Net::SSLeay::SSLeay() != 0x20000000 || + Net::SSLeay::LIBRESSL_VERSION_NUMBER() < 0x3040200f) { + die "You need LibreSSL. Version 3.4.2 or higher"; + } + +Check openssl doc +L + +See OpenSSL 1.1.1 and earlier documentation for the details of status +nibble and the format interpretation. + +=item * SSLeay_version + +B not available in Net-SSLeay-1.42 and before + +Returns different strings depending on $type. + + my $ver_string = Net::SSLeay::SSLeay_version($type); + # $type + # SSLEAY_VERSION - e.g. 'OpenSSL 1.0.0d 8 Feb 2011' + # SSLEAY_CFLAGS - e.g. 'compiler: gcc -D_WINDLL -DOPENSSL_USE_APPLINK .....' + # SSLEAY_BUILT_ON - e.g. 'built on: Fri May 6 00:00:46 GMT 2011' + # SSLEAY_PLATFORM - e.g. 'platform: mingw' + # SSLEAY_DIR - e.g. 'OPENSSLDIR: "z:/...."' + # + # returns: string + + Net::SSLeay::SSLeay_version(); + #is equivalent to + Net::SSLeay::SSLeay_version(SSLEAY_VERSION); + +OpenSSL 1.1.0 changed SSLeay_version() to an alias of +OpenSSL_version(). 
To ensure correct functionality with LibreSSL, use +SSLEAY_* constants with SSLeay_version() and OPENSSL_* constants with +OpenSSL_version(). + +Check openssl doc L + +OpenSSL website no longer has a manual page for SSLeay_version(). + +=item * OpenSSL_version + +B requires at least Net-SSLeay-1.82 with OpenSSL +1.1.0, or Net-SSLeay-1.88 with LibreSSL 2.7.0. + +Returns different strings depending on $t. Available $t constants +depend on the library version. + + my $ver_string = Net::SSLeay::OpenSSL_version($t); + # $t + # OPENSSL_VERSION - e.g. 'OpenSSL 1.1.0g 2 Nov 2017' + # OPENSSL_CFLAGS - e.g. 'compiler: cc -DDSO_DLFCN -DHAVE_DLFCN_H .....' + # OPENSSL_BUILT_ON - e.g. 'built on: reproducible build, date unspecified' + # OPENSSL_PLATFORM - e.g. 'platform: darwin64-x86_64-cc' + # OPENSSL_DIR - e.g. 'OPENSSLDIR: "/opt/openssl-1.1.0g"' + # OPENSSL_ENGINES_DIR - e.g. 'ENGINESDIR: "/opt/openssl-1.1.0g/lib/engines-1.1"' + # + # returns: string + + Net::SSLeay::OpenSSL_version(); + #is equivalent to + Net::SSLeay::OpenSSL_version(OPENSSL_VERSION); + +Check openssl doc L + +=item * OPENSSL_info + +B not available in Net-SSLeay-1.90 and before; requires at least OpenSSL 3.0.0-alpha1 + +Returns different strings depending on $t. Available $t constants +depend on the library version. + + my $info_string = Net::SSLeay::OPENSSL_info($t); + # $t + # OPENSSL_INFO_CONFIG_DIR - e.g. '/opt/openssl-3.0.1' + # OPENSSL_INFO_... + # + # returns: string + +Check openssl doc L + +=item * OPENSSL_version_major, OPENSSL_version_minor and OPENSSL_version_patch + +B not available in Net-SSLeay-1.90 and before; requires at least OpenSSL 3.0.0-alpha1, not in LibreSSL + +Return constants OPENSSL_VERSION_MAJOR, OPENSSL_VERSION_MINOR and OPENSSL_VERSION_PATCH, respectively. 
+ + my $major = Net::SSLeay::OPENSSL_version_major(); + my $minor = Net::SSLeay::OPENSSL_version_minor(); + my $patch = Net::SSLeay::OPENSSL_version_patch(); + # + # return: integer + +For example with OpenSSL 3.0.1, $major is 3, $minor is 0 and $patch is 1. + +Note: the constants record Net::SSLeay compile time values whereas the +three functions return values from the library. Typically these are +the same, but they can be different if the library version is updated +but Net::SSLeay is not re-compiled. See the OpenSSL and LibreSSL +API/ABI compatibility statements for more information. + +Check openssl doc L + +=item * OPENSSL_version_pre_release + +B not available in Net-SSLeay-1.90 and before; requires at least OpenSSL 3.0.0-alpha1, not in LibreSSL + +Return constant string defined by C macro OPENSSL_VERSION_PRE_RELEASE. + + my $pre_release = Net::SSLeay::OPENSSL_version_pre_release(); + # + # returns: string + + For example: "-alpha3" or "" for a release version. + +When the macro is not defined, an empty string is returned instead. + +Check openssl doc L + +=item * OPENSSL_version_build_metadata() + +B not available in Net-SSLeay-1.90 and before; requires at least OpenSSL 3.0.0-alpha1, not in LibreSSL + +Return constant string defined by C macro OPENSSL_VERSION_BUILD_METADATA. + + my $metadata = Net::SSLeay::OPENSSL_version_build_metadata(); + # + # returns: string + + For example: "+fips" or "". + +When the macro is not defined, an empty string is returned instead. + +Check openssl doc L + + +=back + +=head3 Low level API: Initialization related functions + +=over + +=item * library_init + +Initialize SSL library by registering algorithms. + + my $rv = Net::SSLeay::library_init(); + +Check openssl doc L + +While the original function from OpenSSL always returns 1, Net::SSLeay adds a +wrapper around it to make sure that the OpenSSL function is only called once. +Thus the function will return 1 if initialization was done and 0 if not, i.e. 
if +initialization was done already before. + +=item * add_ssl_algorithms + +The alias for L + + Net::SSLeay::add_ssl_algorithms(); + +=item * OpenSSL_add_ssl_algorithms + +The alias for L + + Net::SSLeay::OpenSSL_add_ssl_algorithms(); + +=item * SSLeay_add_ssl_algorithms + +The alias for L + + Net::SSLeay::SSLeay_add_ssl_algorithms(); + +=item * load_error_strings + +Registers the error strings for all libcrypto + libssl related functions. + + Net::SSLeay::load_error_strings(); + # + # returns: no return value + +Check openssl doc L + +=item * ERR_load_crypto_strings + +Registers the error strings for all libcrypto functions. No need to call this function if you have already called L. + + Net::SSLeay::ERR_load_crypto_strings(); + # + # returns: no return value + +Check openssl doc L + +=item * ERR_load_RAND_strings + +Registers the error strings for RAND related functions. No need to call this function if you have already called L. + + Net::SSLeay::ERR_load_RAND_strings(); + # + # returns: no return value + +=item * ERR_load_SSL_strings + +Registers the error strings for SSL related functions. No need to call this function if you have already called L. + + Net::SSLeay::ERR_load_SSL_strings(); + # + # returns: no return value + +=item * OpenSSL_add_all_algorithms + +B not available in Net-SSLeay-1.45 and before + +Add algorithms to internal table. 
+ + Net::SSLeay::OpenSSL_add_all_algorithms(); + # + # returns: no return value + +Check openssl doc L + +=item * OPENSSL_add_all_algorithms_conf + +B not available in Net-SSLeay-1.45 and before + +Similar to L - will ALWAYS load the config file + + Net::SSLeay::OPENSSL_add_all_algorithms_conf(); + # + # returns: no return value + +=item * OPENSSL_add_all_algorithms_noconf + +B not available in Net-SSLeay-1.45 and before + +Similar to L - will NEVER load the config file + + Net::SSLeay::OPENSSL_add_all_algorithms_noconf(); + # + # returns: no return value + +=back + +=head3 Low level API: ERR_* and SSL_alert_* related functions + +B Please note that SSL_alert_* function have "SSL_" part stripped from their names. + +=over + +=item * ERR_clear_error + +Clear the error queue. + + Net::SSLeay::ERR_clear_error(); + # + # returns: no return value + +Check openssl doc L + +=item * ERR_error_string + +Generates a human-readable string representing the error code $error. + + my $rv = Net::SSLeay::ERR_error_string($error); + # $error - (unsigned integer) error code + # + # returns: string + +Check openssl doc L + +=item * ERR_get_error + +Returns the earliest error code from the thread's error queue and removes the entry. +This function can be called repeatedly until there are no more error codes to return. + + my $rv = Net::SSLeay::ERR_get_error(); + # + # returns: (unsigned integer) error code + +Check openssl doc L + +=item * ERR_peek_error + +Returns the earliest error code from the thread's error queue without modifying it. + + my $rv = Net::SSLeay::ERR_peek_error(); + # + # returns: (unsigned integer) error code + +Check openssl doc L + +=item * ERR_put_error + +Adds an error code to the thread's error queue. It signals that the error of $reason +code reason occurred in function $func of library $lib, in line number $line of $file. 
+ + Net::SSLeay::ERR_put_error($lib, $func, $reason, $file, $line); + # $lib - (integer) library id (check openssl/err.h for constants e.g. ERR_LIB_SSL) + # $func - (integer) function id (check openssl/ssl.h for constants e.g. SSL_F_SSL23_READ) + # $reason - (integer) reason id (check openssl/ssl.h for constants e.g. SSL_R_SSL_HANDSHAKE_FAILURE) + # $file - (string) file name + # $line - (integer) line number in $file + # + # returns: no return value + +Check openssl doc L +and L + +=item * alert_desc_string + +Returns a two letter string as a short form describing the reason of the alert specified by value. + + my $rv = Net::SSLeay::alert_desc_string($value); + # $value - (integer) allert id (check openssl/ssl.h for SSL3_AD_* and TLS1_AD_* constants) + # + # returns: description string (2 letters) + +Check openssl doc L + +=item * alert_desc_string_long + +Returns a string describing the reason of the alert specified by value. + + my $rv = Net::SSLeay::alert_desc_string_long($value); + # $value - (integer) allert id (check openssl/ssl.h for SSL3_AD_* and TLS1_AD_* constants) + # + # returns: description string + +Check openssl doc L + +=item * alert_type_string + +Returns a one letter string indicating the type of the alert specified by value. + + my $rv = Net::SSLeay::alert_type_string($value); + # $value - (integer) allert id (check openssl/ssl.h for SSL3_AD_* and TLS1_AD_* constants) + # + # returns: string (1 letter) + +Check openssl doc L + +=item * alert_type_string_long + +Returns a string indicating the type of the alert specified by value. + + my $rv = Net::SSLeay::alert_type_string_long($value); + # $value - (integer) allert id (check openssl/ssl.h for SSL3_AD_* and TLS1_AD_* constants) + # + # returns: string + +Check openssl doc L + +=back + +=head3 Low level API: SSL_METHOD_* related functions + +=over + +=item * SSLv23_method, SSLv23_server_method and SSLv23_client_method + +B not available in Net-SSLeay-1.82 and before. 
+
+Returns SSL_METHOD structure corresponding to general-purpose version-flexible TLS method, the return value can be later used as a param of L.
+
+B Consider using TLS_method, TLS_server_method or TLS_client_method with new code.
+
+ my $rv = Net::SSLeay::SSLv2_method();
+ #
+ # returns: value corresponding to openssl's SSL_METHOD structure (0 on failure)
+
+=item * SSLv2_method
+
+Returns SSL_METHOD structure corresponding to SSLv2 method, the return value can be later used as a param of L. Only available where supported by the underlying openssl.
+
+ my $rv = Net::SSLeay::SSLv2_method();
+ #
+ # returns: value corresponding to openssl's SSL_METHOD structure (0 on failure)
+
+=item * SSLv3_method
+
+Returns SSL_METHOD structure corresponding to SSLv3 method, the return value can be later used as a param of L.
+
+ my $rv = Net::SSLeay::SSLv3_method();
+ #
+ # returns: value corresponding to openssl's SSL_METHOD structure (0 on failure)
+
+Check openssl doc L
+
+=item * TLSv1_method, TLSv1_server_method and TLSv1_client_method
+
+B Server and client methods not available in Net-SSLeay-1.82 and before.
+
+Returns SSL_METHOD structure corresponding to TLSv1 method, the return value can be later used as a param of L.
+
+ my $rv = Net::SSLeay::TLSv1_method();
+ #
+ # returns: value corresponding to openssl's SSL_METHOD structure (0 on failure)
+
+Check openssl doc L
+
+=item * TLSv1_1_method, TLSv1_1_server_method and TLSv1_1_client_method
+
+B Server and client methods not available in Net-SSLeay-1.82 and before.
+
+Returns SSL_METHOD structure corresponding to TLSv1_1 method, the return value can be later used as a param of L. Only available where supported by the underlying openssl.
+
+ my $rv = Net::SSLeay::TLSv1_1_method();
+ #
+ # returns: value corresponding to openssl's SSL_METHOD structure (0 on failure)
+
+Check openssl doc L
+
+=item * TLSv1_2_method, TLSv1_2_server_method and TLSv1_2_client_method
+
+B Server and client methods not available in Net-SSLeay-1.82 and before.
+
+Returns SSL_METHOD structure corresponding to TLSv1_2 method, the return value can be later used as a param of L. Only available where supported by the underlying openssl.
+
+ my $rv = Net::SSLeay::TLSv1_2_method();
+ #
+ # returns: value corresponding to openssl's SSL_METHOD structure (0 on failure)
+
+Check openssl doc L
+
+=item * TLS_method, TLS_server_method and TLS_client_method
+
+B Not available in Net-SSLeay-1.82 and before.
+
+Returns SSL_METHOD structure corresponding to general-purpose version-flexible TLS method, the return value can be later used as a param of L. Only available where supported by the underlying openssl.
+
+ my $rv = Net::SSLeay::TLS_method();
+ #
+ # returns: value corresponding to openssl's SSL_METHOD structure (0 on failure)
+
+Check openssl doc L
+
+=back
+
+=head3 Low level API: ENGINE_* related functions
+
+=over
+
+=item * ENGINE_load_builtin_engines
+
+B Requires an OpenSSL build with dynamic engine loading support.
+
+Load all bundled ENGINEs into memory and make them visible.
+
+ Net::SSLeay::ENGINE_load_builtin_engines();
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * ENGINE_register_all_complete
+
+B Requires an OpenSSL build with dynamic engine loading support.
+
+Register all loaded ENGINEs for every algorithm they collectively implement.
+
+ Net::SSLeay::ENGINE_register_all_complete();
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * ENGINE_set_default
+
+B Requires an OpenSSL build with dynamic engine loading support.
+
+Set default engine to $e + set its flags to $flags.
+
+ my $rv = Net::SSLeay::ENGINE_set_default($e, $flags);
+ # $e - value corresponding to openssl's ENGINE structure
+ # $flags - (integer) engine flags
+ # flags value can be made by bitwise "OR"ing:
+ # 0x0001 - ENGINE_METHOD_RSA
+ # 0x0002 - ENGINE_METHOD_DSA
+ # 0x0004 - ENGINE_METHOD_DH
+ # 0x0008 - ENGINE_METHOD_RAND
+ # 0x0010 - ENGINE_METHOD_ECDH
+ # 0x0020 - ENGINE_METHOD_ECDSA
+ # 0x0040 - ENGINE_METHOD_CIPHERS
+ # 0x0080 - ENGINE_METHOD_DIGESTS
+ # 0x0100 - ENGINE_METHOD_STORE
+ # 0x0200 - ENGINE_METHOD_PKEY_METHS
+ # 0x0400 - ENGINE_METHOD_PKEY_ASN1_METHS
+ # Obvious all-or-nothing cases:
+ # 0xFFFF - ENGINE_METHOD_ALL
+ # 0x0000 - ENGINE_METHOD_NONE
+ #
+ # returns: 1 on success, 0 on failure
+
+Check openssl doc L
+
+=item * ENGINE_by_id
+
+Get ENGINE by its identification $id.
+
+B Requires an OpenSSL build with dynamic engine loading support.
+
+ my $rv = Net::SSLeay::ENGINE_by_id($id);
+ # $id - (string) engine identification e.g. "dynamic"
+ #
+ # returns: value corresponding to openssl's ENGINE structure (0 on failure)
+
+Check openssl doc L
+
+=back
+
+=head3 Low level API: EVP_PKEY_* related functions
+
+=over
+
+=item * EVP_PKEY_copy_parameters
+
+Copies the parameters from key $from to key $to.
+
+ my $rv = Net::SSLeay::EVP_PKEY_copy_parameters($to, $from);
+ # $to - value corresponding to openssl's EVP_PKEY structure
+ # $from - value corresponding to openssl's EVP_PKEY structure
+ #
+ # returns: 1 on success, 0 on failure
+
+Check openssl doc L
+
+=item * EVP_PKEY_new
+
+B not available in Net-SSLeay-1.45 and before
+
+Creates a new EVP_PKEY structure.
+
+ my $rv = Net::SSLeay::EVP_PKEY_new();
+ #
+ # returns: value corresponding to openssl's EVP_PKEY structure (0 on failure)
+
+Check openssl doc L
+
+=item * EVP_PKEY_free
+
+B not available in Net-SSLeay-1.45 and before
+
+Free an allocated EVP_PKEY structure.
+
+ Net::SSLeay::EVP_PKEY_free($pkey);
+ # $pkey - value corresponding to openssl's EVP_PKEY structure
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * EVP_PKEY_assign_RSA
+
+B not available in Net-SSLeay-1.45 and before
+
+Set the key referenced by $pkey to $key
+
+B No reference counter will be increased, i.e. $key will be freed if
+$pkey is freed.
+
+ my $rv = Net::SSLeay::EVP_PKEY_assign_RSA($pkey, $key);
+ # $pkey - value corresponding to openssl's EVP_PKEY structure
+ # $key - value corresponding to openssl's RSA structure
+ #
+ # returns: 1 on success, 0 on failure
+
+Check openssl doc L
+
+=item * EVP_PKEY_assign_EC_KEY
+
+B not available in Net-SSLeay-1.74 and before
+
+Set the key referenced by $pkey to $key
+
+B No reference counter will be increased, i.e. $key will be freed if
+$pkey is freed.
+
+ my $rv = Net::SSLeay::EVP_PKEY_assign_EC_KEY($pkey, $key);
+ # $pkey - value corresponding to openssl's EVP_PKEY structure
+ # $key - value corresponding to openssl's EC_KEY structure
+ #
+ # returns: 1 on success, 0 on failure
+
+Check openssl doc L
+
+=item * EVP_PKEY_bits
+
+B not available in Net-SSLeay-1.45 and before
+
+Returns the size of the key $pkey in bits.
+
+ my $rv = Net::SSLeay::EVP_PKEY_bits($pkey);
+ # $pkey - value corresponding to openssl's EVP_PKEY structure
+ #
+ # returns: size in bits
+
+=item * EVP_PKEY_size
+
+B not available in Net-SSLeay-1.45 and before
+
+Returns the maximum size of a signature in bytes. The actual signature may be smaller.
+
+ my $rv = Net::SSLeay::EVP_PKEY_size($pkey);
+ # $pkey - value corresponding to openssl's EVP_PKEY structure
+ #
+ # returns: the maximum size in bytes
+
+Check openssl doc L
+
+=item * EVP_PKEY_id
+
+B not available in Net-SSLeay-1.45 and before; requires at least openssl-1.0.0
+
+Returns $pkey type (integer value of corresponding NID).
+
+ my $rv = Net::SSLeay::EVP_PKEY_id($pkey);
+ # $pkey - value corresponding to openssl's EVP_PKEY structure
+ #
+ # returns: (integer) key type
+
+Example:
+
+ my $pubkey = Net::SSLeay::X509_get_pubkey($x509);
+ my $type = Net::SSLeay::EVP_PKEY_id($pubkey);
+ print Net::SSLeay::OBJ_nid2sn($type); #prints e.g. 'rsaEncryption'
+
+=back
+
+=head3 Low level API: PEM_* related functions
+
+Check openssl doc L
+
+=over
+
+=item * PEM_read_bio_X509
+
+B not available in Net-SSLeay-1.45 and before
+
+Loads PEM formatted X509 certificate via given BIO structure.
+
+ my $rv = Net::SSLeay::PEM_read_bio_X509($bio);
+ # $bio - value corresponding to openssl's BIO structure
+ #
+ # returns: value corresponding to openssl's X509 structure (0 on failure)
+
+Example:
+
+ my $bio = Net::SSLeay::BIO_new_file($filename, 'r');
+ my $x509 = Net::SSLeay::PEM_read_bio_X509($bio);
+ Net::SSLeay::BIO_free($bio);
+
+=item * PEM_read_bio_X509_REQ
+
+B not available in Net-SSLeay-1.45 and before
+
+Loads PEM formatted X509_REQ object via given BIO structure.
+
+ my $rv = Net::SSLeay::PEM_read_bio_X509_REQ($bio, $x=NULL, $cb=NULL, $u=NULL);
+ # $bio - value corresponding to openssl's BIO structure
+ #
+ # returns: value corresponding to openssl's X509_REQ structure (0 on failure)
+
+Example:
+
+ my $bio = Net::SSLeay::BIO_new_file($filename, 'r');
+ my $x509_req = Net::SSLeay::PEM_read_bio_X509_REQ($bio);
+ Net::SSLeay::BIO_free($bio);
+
+=item * PEM_read_bio_DHparams
+
+Reads DH structure from BIO.
+
+ my $rv = Net::SSLeay::PEM_read_bio_DHparams($bio);
+ # $bio - value corresponding to openssl's BIO structure
+ #
+ # returns: value corresponding to openssl's DH structure (0 on failure)
+
+=item * PEM_read_bio_X509_CRL
+
+Reads X509_CRL structure from BIO.
+
+ my $rv = Net::SSLeay::PEM_read_bio_X509_CRL($bio);
+ # $bio - value corresponding to openssl's BIO structure
+ #
+ # returns: value corresponding to openssl's X509_CRL structure (0 on failure)
+
+=item * PEM_read_bio_PrivateKey
+
+B not available in Net-SSLeay-1.45 and before
+
+Loads PEM formatted private key via given BIO structure.
+
+ my $rv = Net::SSLeay::PEM_read_bio_PrivateKey($bio, $cb, $data);
+ # $bio - value corresponding to openssl's BIO structure
+ # $cb - reference to perl callback function
+ # $data - data that will be passed to callback function (see examples below)
+ #
+ # returns: value corresponding to openssl's EVP_PKEY structure (0 on failure)
+
+Example:
+
+ my $bio = Net::SSLeay::BIO_new_file($filename, 'r');
+ my $privkey = Net::SSLeay::PEM_read_bio_PrivateKey($bio); #ask for password if needed
+ Net::SSLeay::BIO_free($bio);
+
+To use password you have the following options:
+
+ $privkey = Net::SSLeay::PEM_read_bio_PrivateKey($bio, \&callback_func); # use callback func for getting password
+ $privkey = Net::SSLeay::PEM_read_bio_PrivateKey($bio, \&callback_func, $data); # use callback_func + pass $data to callback_func
+ $privkey = Net::SSLeay::PEM_read_bio_PrivateKey($bio, undef, "secret"); # use password "secret"
+ $privkey = Net::SSLeay::PEM_read_bio_PrivateKey($bio, undef, ""); # use empty password
+
+Callback function signature:
+
+ sub callback_func {
+ my ($max_passwd_size, $rwflag, $data) = @_;
+ # $max_passwd_size - maximum size of returned password (longer values will be discarded)
+ # $rwflag - indicates whether we are loading (0) or storing (1) - for PEM_read_bio_PrivateKey always 0
+ # $data - the data passed to PEM_read_bio_PrivateKey as 3rd parameter
+
+ return "secret";
+ }
+
+=item * PEM_X509_INFO_read_bio
+
+Reads a BIO containing a PEM formatted file into a STACK_OF(X509_INFO) structure.
+
+ my $rv = Net::SSLeay::PEM_X509_INFO_read_bio($bio);
+ # $bio - value corresponding to openssl's BIO structure
+ #
+ # returns: value corresponding to openssl's STACK_OF(X509_INFO) structure.
+
+Example:
+
+ my $bio = Net::SSLeay::BIO_new_file($filename, 'r');
+ my $sk_x509_info = Net::SSLeay::PEM_X509_INFO_read_bio($bio);
+ Net::SSLeay::BIO_free($bio);
+
+=item * PEM_get_string_X509
+
+B Does not exactly correspond to any low level API function
+
+Converts/exports X509 certificate to string (PEM format).
+
+ Net::SSLeay::PEM_get_string_X509($x509);
+ # $x509 - value corresponding to openssl's X509 structure
+ #
+ # returns: string with $x509 in PEM format
+
+=item * PEM_get_string_PrivateKey
+
+B not available in Net-SSLeay-1.45 and before
+
+Converts public key $pk into PEM formatted string (optionally protected with password).
+
+ my $rv = Net::SSLeay::PEM_get_string_PrivateKey($pk, $passwd, $enc_alg);
+ # $pk - value corresponding to openssl's EVP_PKEY structure
+ # $passwd - [optional] (string) password to use for key encryption
+ # $enc_alg - [optional] algorithm to use for key encryption (default: DES_CBC) - value corresponding to openssl's EVP_CIPHER structure
+ #
+ # returns: PEM formatted string
+
+Examples:
+
+ $pem_privkey = Net::SSLeay::PEM_get_string_PrivateKey($pk);
+ $pem_privkey = Net::SSLeay::PEM_get_string_PrivateKey($pk, "secret");
+ $pem_privkey = Net::SSLeay::PEM_get_string_PrivateKey($pk, "secret", Net::SSLeay::EVP_get_cipherbyname("DES-EDE3-CBC"));
+
+=item * PEM_get_string_X509_CRL
+
+B not available in Net-SSLeay-1.45 and before
+
+Converts X509_CRL object $x509_crl into PEM formatted string.
+
+ Net::SSLeay::PEM_get_string_X509_CRL($x509_crl);
+ # $x509_crl - value corresponding to openssl's X509_CRL structure
+ #
+ # returns: no return value
+
+=item * PEM_get_string_X509_REQ
+
+B not available in Net-SSLeay-1.45 and before
+
+Converts X509_REQ object $x509_crl into PEM formatted string.
+
+ Net::SSLeay::PEM_get_string_X509_REQ($x509_req);
+ # $x509_req - value corresponding to openssl's X509_REQ structure
+ #
+ # returns: no return value
+
+=back
+
+=head3 Low level API: d2i_* (DER format) related functions
+
+=over
+
+=item * d2i_X509_bio
+
+B not available in Net-SSLeay-1.45 and before
+
+Loads DER formatted X509 certificate via given BIO structure.
+
+ my $rv = Net::SSLeay::d2i_X509_bio($bp);
+ # $bp - value corresponding to openssl's BIO structure
+ #
+ # returns: value corresponding to openssl's X509 structure (0 on failure)
+
+Example:
+
+ my $bio = Net::SSLeay::BIO_new_file($filename, 'rb');
+ my $x509 = Net::SSLeay::d2i_X509_bio($bio);
+ Net::SSLeay::BIO_free($bio);
+
+Check openssl doc L
+
+=item * d2i_X509_CRL_bio
+
+B not available in Net-SSLeay-1.45 and before
+
+Loads DER formatted X509_CRL object via given BIO structure.
+
+ my $rv = Net::SSLeay::d2i_X509_CRL_bio($bp);
+ # $bp - value corresponding to openssl's BIO structure
+ #
+ # returns: value corresponding to openssl's X509_CRL structure (0 on failure)
+
+Example:
+
+ my $bio = Net::SSLeay::BIO_new_file($filename, 'rb');
+ my $x509_crl = Net::SSLeay::d2i_X509_CRL_bio($bio);
+ Net::SSLeay::BIO_free($bio);
+
+=item * d2i_X509_REQ_bio
+
+B not available in Net-SSLeay-1.45 and before
+
+Loads DER formatted X509_REQ object via given BIO structure.
+
+ my $rv = Net::SSLeay::d2i_X509_REQ_bio($bp);
+ # $bp - value corresponding to openssl's BIO structure
+ #
+ # returns: value corresponding to openssl's X509_REQ structure (0 on failure)
+
+Example:
+
+ my $bio = Net::SSLeay::BIO_new_file($filename, 'rb');
+ my $x509_req = Net::SSLeay::d2i_X509_REQ_bio($bio);
+ Net::SSLeay::BIO_free($bio);
+
+=back
+
+=head3 Low level API: PKCS12 related functions
+
+=over
+
+=item * P_PKCS12_load_file
+
+B not available in Net-SSLeay-1.45 and before
+
+Loads X509 certificate + private key + certificates of CA chain (if present in PKCS12 file).
+
+ my ($privkey, $cert, @cachain) = Net::SSLeay::P_PKCS12_load_file($filename, $load_chain, $password);
+ # $filename - name of PKCS12 file
+ # $load_chain - [optional] whether load (1) or not(0) CA chain (default: 0)
+ # $password - [optional] password for private key
+ #
+ # returns: triplet ($privkey, $cert, @cachain)
+ # $privkey - value corresponding to openssl's EVP_PKEY structure
+ # $cert - value corresponding to openssl's X509 structure
+ # @cachain - array of values corresponding to openssl's X509 structure (empty if no CA chain in PKCS12)
+
+B after you do the job you need to call X509_free() on $privkey + all members
+of @cachain and EVP_PKEY_free() on $privkey.
+
+Examples:
+
+ my ($privkey, $cert) = Net::SSLeay::P_PKCS12_load_file($filename);
+ #or
+ my ($privkey, $cert) = Net::SSLeay::P_PKCS12_load_file($filename, 0, $password);
+ #or
+ my ($privkey, $cert, @cachain) = Net::SSLeay::P_PKCS12_load_file($filename, 1);
+ #or
+ my ($privkey, $cert, @cachain) = Net::SSLeay::P_PKCS12_load_file($filename, 1, $password);
+
+ #BEWARE: THIS IS WRONG - MEMORY LEAKS! (you cannot free @cachain items)
+ my ($privkey, $cert) = Net::SSLeay::P_PKCS12_load_file($filename, 1, $password);
+
+B With some combinations of Windows, perl, compiler and compiler options, you
+may see a runtime error "no OPENSSL_Applink", when calling
+Net::SSLeay::P_PKCS12_load_file. See README.Win32 for more details.
+
+=back
+
+=head3 Low level API: SESSION_* related functions
+
+=over
+
+=item * d2i_SSL_SESSION
+
+B does not work in Net-SSLeay-1.85 and before
+
+Transforms the binary ASN1 representation string of an SSL/TLS session into an
+SSL_SESSION object.
+
+ my $ses = Net::SSLeay::d2i_SSL_SESSION($data);
+ # $data - the session as ASN1 representation string
+ #
+ # returns: $ses - the new SSL_SESSION
+
+Check openssl doc L
+
+=item * i2d_SSL_SESSION
+
+B does not work in Net-SSLeay-1.85 and before
+
+Transforms the SSL_SESSION object in into the ASN1 representation and returns
+it as string.
+
+ my $data = Net::SSLeay::i2d_SSL_SESSION($ses);
+ # $ses - value corresponding to openssl's SSL_SESSION structure
+ #
+ # returns: $data - session as string
+
+Check openssl doc L
+
+=item * SESSION_new
+
+Creates a new SSL_SESSION structure.
+
+ my $rv = Net::SSLeay::SESSION_new();
+ #
+ # returns: value corresponding to openssl's SSL_SESSION structure (0 on failure)
+
+=item * SESSION_free
+
+Free an allocated SSL_SESSION structure.
+
+ Net::SSLeay::SESSION_free($ses);
+ # $ses - value corresponding to openssl's SSL_SESSION structure
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * SESSION_up_ref
+
+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.0-pre4 or LibreSSL 2.7.0
+
+Increases the reference counter on a SSL_SESSION structure.
+
+ Net::SSLeay::SESSION_up_ref($ses);
+ # $ses - value corresponding to openssl's SSL_SESSION structure
+ #
+ # returns: 1 on success else 0
+
+Check openssl doc
+L
+
+=item * SESSION_dup
+
+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1, not in LibreSSL
+
+Duplicates a SSL_SESSION structure.
+
+ Net::SSLeay::SESSION_dup($ses);
+ # $ses - value corresponding to openssl's SSL_SESSION structure
+ #
+ # returns: the duplicated session
+
+Check openssl doc
+L
+
+=item * SESSION_is_resumable
+
+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1, not in LibreSSL
+
+Determine whether an SSL_SESSION object can be used for resumption.
+
+ Net::SSLeay::SESSION_is_resumable($ses);
+ # $ses - value corresponding to openssl's SSL_SESSION structure
+ #
+ # returns: (integer) 1 if it can or 0 if not
+
+Check openssl doc L
+
+=item * SESSION_cmp
+
+Compare two SSL_SESSION structures.
+
+ my $rv = Net::SSLeay::SESSION_cmp($sesa, $sesb);
+ # $sesa - value corresponding to openssl's SSL_SESSION structure
+ # $sesb - value corresponding to openssl's SSL_SESSION structure
+ #
+ # returns: 0 if the two structures are the same
+
+B Not available in openssl 1.0 or later
+
+=item * SESSION_get_app_data
+
+Can be used to get application defined value/data.
+
+ my $rv = Net::SSLeay::SESSION_get_app_data($ses);
+ # $ses - value corresponding to openssl's SSL_SESSION structure
+ #
+ # returns: string/buffer/pointer ???
+
+=item * SESSION_set_app_data
+
+Can be used to set some application defined value/data.
+
+ my $rv = Net::SSLeay::SESSION_set_app_data($s, $a);
+ # $s - value corresponding to openssl's SSL_SESSION structure
+ # $a - (string/buffer/pointer ???) data
+ #
+ # returns: ???
+
+=item * SESSION_get_ex_data
+
+Is used to retrieve the information for $idx from session $ses.
+
+ my $rv = Net::SSLeay::SESSION_get_ex_data($ses, $idx);
+ # $ses - value corresponding to openssl's SSL_SESSION structure
+ # $idx - (integer) index for application specific data
+ #
+ # returns: pointer to ???
+
+Check openssl doc L
+
+=item * SESSION_set_ex_data
+
+Is used to store application data at arg for idx into the session object.
+
+ my $rv = Net::SSLeay::SESSION_set_ex_data($ss, $idx, $data);
+ # $ss - value corresponding to openssl's SSL_SESSION structure
+ # $idx - (integer) ???
+ # $data - (pointer) ???
+ #
+ # returns: 1 on success, 0 on failure
+
+Check openssl doc L
+
+=item * SESSION_get_ex_new_index
+
+Is used to register a new index for application specific data.
+
+ my $rv = Net::SSLeay::SESSION_get_ex_new_index($argl, $argp, $new_func, $dup_func, $free_func);
+ # $argl - (long) ???
+ # $argp - (pointer) ???
+ # $new_func - function pointer ??? (CRYPTO_EX_new *) + # $dup_func - function pointer ??? (CRYPTO_EX_dup *) + # $free_func - function pointer ??? (CRYPTO_EX_free *) + # + # returns: (integer) ??? + +Check openssl doc L + +=item * SESSION_get_master_key + +B Does not exactly correspond to any low level API function + +Returns 'master_key' value from SSL_SESSION structure $s + + Net::SSLeay::SESSION_get_master_key($s); + # $s - value corresponding to openssl's SSL_SESSION structure + # + # returns: master key (binary data) + +=item * SESSION_set_master_key + +Sets 'master_key' value for SSL_SESSION structure $s + + Net::SSLeay::SESSION_set_master_key($s, $key); + # $s - value corresponding to openssl's SSL_SESSION structure + # $key - master key (binary data) + # + # returns: no return value + +Not available with OpenSSL 1.1 and later. +Code that previously used + SESSION_set_master_key must now set $secret in the session_secret + callback set with SSL_set_session_secret_cb. + +=item * SESSION_get_time + +Returns the time at which the session s was established. +The time is given in seconds since 1.1.1970. + + my $rv = Net::SSLeay::SESSION_get_time($s); + # $s - value corresponding to openssl's SSL_SESSION structure + # + # returns: timestamp (seconds since 1.1.1970) + +Check openssl doc L + +=item * get_time + +Technically the same functionality as L. + + my $rv = Net::SSLeay::get_time($s); + +=item * SESSION_get_timeout + +Returns the timeout value set for session $s in seconds. + + my $rv = Net::SSLeay::SESSION_get_timeout($s); + # $s - value corresponding to openssl's SSL_SESSION structure + # + # returns: timeout (in seconds) + +Check openssl doc L + +=item * get_timeout + +Technically the same functionality as L. + + my $rv = Net::SSLeay::get_timeout($s); + +=item * SESSION_print + +B Does not exactly correspond to any low level API function + +Prints session details (e.g. protocol version, cipher, session-id ...) to BIO. 
+
+ my $rv = Net::SSLeay::SESSION_print($fp, $ses);
+ # $fp - value corresponding to openssl's BIO structure
+ # $ses - value corresponding to openssl's SSL_SESSION structure
+ #
+ # returns: 1 on success, 0 on failure
+
+You have to use necessary BIO functions like this:
+
+ # let us have $ssl corresponding to openssl's SSL structure
+ my $ses = Net::SSLeay::get_session($ssl);
+ my $bio = Net::SSLeay::BIO_new(&Net::SSLeay::BIO_s_mem);
+ Net::SSLeay::SESSION_print($bio, $ses);
+ print Net::SSLeay::BIO_read($bio);
+
+=item * SESSION_print_fp
+
+Prints session details (e.g. protocol version, cipher, session-id ...) to file handle.
+
+ my $rv = Net::SSLeay::SESSION_print_fp($fp, $ses);
+ # $fp - perl file handle
+ # $ses - value corresponding to openssl's SSL_SESSION structure
+ #
+ # returns: 1 on success, 0 on failure
+
+Example:
+
+ # let us have $ssl corresponding to openssl's SSL structure
+ my $ses = Net::SSLeay::get_session($ssl);
+ open my $fh, ">", "output.txt";
+ Net::SSLeay::SESSION_print_fp($fh,$ses);
+
+=item * SESSION_set_time
+
+Replaces the creation time of the session s with the chosen value $t (seconds since 1.1.1970).
+
+ my $rv = Net::SSLeay::SESSION_set_time($ses, $t);
+ # $ses - value corresponding to openssl's SSL_SESSION structure
+ # $t - time value
+ #
+ # returns: 1 on success
+
+Check openssl doc L
+
+=item * set_time
+
+Technically the same functionality as L.
+
+ my $rv = Net::SSLeay::set_time($ses, $t);
+
+=item * SESSION_set_timeout
+
+Sets the timeout value for session s in seconds to $t.
+
+ my $rv = Net::SSLeay::SESSION_set_timeout($s, $t);
+ # $s - value corresponding to openssl's SSL_SESSION structure
+ # $t - timeout (in seconds)
+ #
+ # returns: 1 on success
+
+Check openssl doc L
+
+=item * set_timeout
+
+Technically the same functionality as L.
+
+ my $rv = Net::SSLeay::set_timeout($ses, $t);
+
+=back
+
+=head3 Low level API: SSL_CTX_* related functions
+
+B Please note that the function described in this chapter have "SSL_" part stripped from their original openssl names.
+
+=over
+
+=item * CTX_add_client_CA
+
+Adds the CA name extracted from $cacert to the list of CAs sent to the client when requesting a client certificate for $ctx.
+
+ my $rv = Net::SSLeay::CTX_add_client_CA($ctx, $cacert);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $cacert - value corresponding to openssl's X509 structure
+ #
+ # returns: 1 on success, 0 on failure
+
+Check openssl doc L
+
+=item * CTX_add_extra_chain_cert
+
+Adds the certificate $x509 to the certificate chain presented together with the certificate. Several certificates can be added one after the other.
+
+ my $rv = Net::SSLeay::CTX_add_extra_chain_cert($ctx, $x509);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $x509 - value corresponding to openssl's X509 structure
+ #
+ # returns: 1 on success, check out the error stack to find out the reason for failure otherwise
+
+Check openssl doc L
+
+=item * CTX_add_session
+
+Adds the session $ses to the context $ctx.
+
+ my $rv = Net::SSLeay::CTX_add_session($ctx, $ses);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $ses - value corresponding to openssl's SSL_SESSION structure
+ #
+ # returns: 1 on success, 0 on failure
+
+Check openssl doc L
+
+=item * CTX_callback_ctrl
+
+??? (more info needed)
+
+ my $rv = Net::SSLeay::CTX_callback_ctrl($ctx, $cmd, $fp);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $cmd - (integer) command id
+ # $fp - (function pointer) ???
+ #
+ # returns: ???
+
+Check openssl doc L
+
+=item * CTX_check_private_key
+
+Checks the consistency of a private key with the corresponding certificate loaded into $ctx.
+
+ my $rv = Net::SSLeay::CTX_check_private_key($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: 1 on success, otherwise check out the error stack to find out the reason
+
+Check openssl doc L
+
+=item * CTX_ctrl
+
+Internal handling function for SSL_CTX objects.
+
+B openssl doc says: This function should never be called directly!
+
+ my $rv = Net::SSLeay::CTX_ctrl($ctx, $cmd, $larg, $parg);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $cmd - (integer) command id
+ # $larg - (integer) long ???
+ # $parg - (string/pointer) ???
+ #
+ # returns: (long) result of given command ???
+
+ #valid $cmd values
+ 1 - SSL_CTRL_NEED_TMP_RSA
+ 2 - SSL_CTRL_SET_TMP_RSA
+ 3 - SSL_CTRL_SET_TMP_DH
+ 4 - SSL_CTRL_SET_TMP_ECDH
+ 5 - SSL_CTRL_SET_TMP_RSA_CB
+ 6 - SSL_CTRL_SET_TMP_DH_CB
+ 7 - SSL_CTRL_SET_TMP_ECDH_CB
+ 8 - SSL_CTRL_GET_SESSION_REUSED
+ 9 - SSL_CTRL_GET_CLIENT_CERT_REQUEST
+ 10 - SSL_CTRL_GET_NUM_RENEGOTIATIONS
+ 11 - SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS
+ 12 - SSL_CTRL_GET_TOTAL_RENEGOTIATIONS
+ 13 - SSL_CTRL_GET_FLAGS
+ 14 - SSL_CTRL_EXTRA_CHAIN_CERT
+ 15 - SSL_CTRL_SET_MSG_CALLBACK
+ 16 - SSL_CTRL_SET_MSG_CALLBACK_ARG
+ 17 - SSL_CTRL_SET_MTU
+ 20 - SSL_CTRL_SESS_NUMBER
+ 21 - SSL_CTRL_SESS_CONNECT
+ 22 - SSL_CTRL_SESS_CONNECT_GOOD
+ 23 - SSL_CTRL_SESS_CONNECT_RENEGOTIATE
+ 24 - SSL_CTRL_SESS_ACCEPT
+ 25 - SSL_CTRL_SESS_ACCEPT_GOOD
+ 26 - SSL_CTRL_SESS_ACCEPT_RENEGOTIATE
+ 27 - SSL_CTRL_SESS_HIT
+ 28 - SSL_CTRL_SESS_CB_HIT
+ 29 - SSL_CTRL_SESS_MISSES
+ 30 - SSL_CTRL_SESS_TIMEOUTS
+ 31 - SSL_CTRL_SESS_CACHE_FULL
+ 32 - SSL_CTRL_OPTIONS
+ 33 - SSL_CTRL_MODE
+ 40 - SSL_CTRL_GET_READ_AHEAD
+ 41 - SSL_CTRL_SET_READ_AHEAD
+ 42 - SSL_CTRL_SET_SESS_CACHE_SIZE
+ 43 - SSL_CTRL_GET_SESS_CACHE_SIZE
+ 44 - SSL_CTRL_SET_SESS_CACHE_MODE
+ 45 - SSL_CTRL_GET_SESS_CACHE_MODE
+ 50 - SSL_CTRL_GET_MAX_CERT_LIST
+ 51 - SSL_CTRL_SET_MAX_CERT_LIST
+ 52 - SSL_CTRL_SET_MAX_SEND_FRAGMENT
+ 53 - SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+ 54 - SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
+ 55 - SSL_CTRL_SET_TLSEXT_HOSTNAME
+ 56 - SSL_CTRL_SET_TLSEXT_DEBUG_CB
+ 57 - SSL_CTRL_SET_TLSEXT_DEBUG_ARG
+ 58 - SSL_CTRL_GET_TLSEXT_TICKET_KEYS
+ 59 - SSL_CTRL_SET_TLSEXT_TICKET_KEYS
+ 60 - SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT
+ 61 - SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB
+ 62 - SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG
+ 63 - SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
+ 64 - SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG
+ 65 - SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE
+ 66 - SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS
+ 67 - SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS
+ 68 - SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS
+ 69 - SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS
+ 70 - SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP
+ 71 - SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP
+ 72 - SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
+ 73 - DTLS_CTRL_GET_TIMEOUT
+ 74 - DTLS_CTRL_HANDLE_TIMEOUT
+ 75 - DTLS_CTRL_LISTEN
+ 76 - SSL_CTRL_GET_RI_SUPPORT
+ 77 - SSL_CTRL_CLEAR_OPTIONS
+ 78 - SSL_CTRL_CLEAR_MODE
+
+ 82 - SSL_CTRL_GET_EXTRA_CHAIN_CERTS
+ 83 - SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS
+
+ 88 - SSL_CTRL_CHAIN
+ 89 - SSL_CTRL_CHAIN_CERT
+
+ 90 - SSL_CTRL_GET_CURVES
+ 91 - SSL_CTRL_SET_CURVES
+ 92 - SSL_CTRL_SET_CURVES_LIST
+ 93 - SSL_CTRL_GET_SHARED_CURVE
+ 94 - SSL_CTRL_SET_ECDH_AUTO
+ 97 - SSL_CTRL_SET_SIGALGS
+ 98 - SSL_CTRL_SET_SIGALGS_LIST
+ 99 - SSL_CTRL_CERT_FLAGS
+ 100 - SSL_CTRL_CLEAR_CERT_FLAGS
+ 101 - SSL_CTRL_SET_CLIENT_SIGALGS
+ 102 - SSL_CTRL_SET_CLIENT_SIGALGS_LIST
+ 103 - SSL_CTRL_GET_CLIENT_CERT_TYPES
+ 104 - SSL_CTRL_SET_CLIENT_CERT_TYPES
+ 105 - SSL_CTRL_BUILD_CERT_CHAIN
+ 106 - SSL_CTRL_SET_VERIFY_CERT_STORE
+ 107 - SSL_CTRL_SET_CHAIN_CERT_STORE
+ 108 - SSL_CTRL_GET_PEER_SIGNATURE_NID
+ 109 - SSL_CTRL_GET_SERVER_TMP_KEY
+ 110 - SSL_CTRL_GET_RAW_CIPHERLIST
+ 111 - SSL_CTRL_GET_EC_POINT_FORMATS
+ 112 - SSL_CTRL_GET_TLSA_RECORD
+ 113 - SSL_CTRL_SET_TLSA_RECORD
+ 114 - SSL_CTRL_PULL_TLSA_RECORD
+
+Check openssl doc L
+
+=item * CTX_flush_sessions
+
+Causes a run through the session cache of $ctx to remove sessions expired at time $tm.
+
+ Net::SSLeay::CTX_flush_sessions($ctx, $tm);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $tm - specifies the time which should be used for the expiration test (seconds since 1.1.1970)
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * CTX_free
+
+Free an allocated SSL_CTX object.
+
+ Net::SSLeay::CTX_free($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * CTX_get_app_data
+
+Can be used to get application defined value/data.
+
+ my $rv = Net::SSLeay::CTX_get_app_data($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: string/buffer/pointer ???
+
+=item * CTX_set_app_data
+
+Can be used to set some application defined value/data.
+
+ my $rv = Net::SSLeay::CTX_set_app_data($ctx, $arg);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $arg - (string/buffer/pointer ???) data
+ #
+ # returns: ???
+
+=item * CTX_get0_param
+
+B not available in Net-SSLeay-1.82 and before; requires at least OpenSSL 1.0.2-beta1 or LibreSSL 2.7.0
+
+Returns the current verification parameters.
+
+ my $vpm = Net::SSLeay::CTX_get0_param($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: value corresponding to openssl's X509_VERIFY_PARAM structure
+
+Check openssl doc L
+
+=item * CTX_get_cert_store
+
+Returns the current certificate verification storage.
+
+ my $rv = Net::SSLeay::CTX_get_cert_store($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: value corresponding to openssl's X509_STORE structure (0 on failure)
+
+Check openssl doc L
+
+=item * CTX_get_client_CA_list
+
+Returns the list of client CAs explicitly set for $ctx using L.
+
+ my $rv = Net::SSLeay::CTX_get_client_CA_list($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: value corresponding to openssl's X509_NAME_STACK structure (0 on failure)
+
+Check openssl doc L
+
+=item * CTX_get_ex_data
+
+Is used to retrieve the information for index $idx from $ctx.
+
+ my $rv = Net::SSLeay::CTX_get_ex_data($ssl, $idx);
+ # $ssl - value corresponding to openssl's SSL_CTX structure
+ # $idx - (integer) index for application specific data
+ #
+ # returns: pointer to ???
+
+Check openssl doc L
+
+=item * CTX_get_ex_new_index
+
+Is used to register a new index for application specific data.
+
+ my $rv = Net::SSLeay::CTX_get_ex_new_index($argl, $argp, $new_func, $dup_func, $free_func);
+ # $argl - (long) ???
+ # $argp - (pointer) ???
+ # $new_func - function pointer ??? (CRYPTO_EX_new *)
+ # $dup_func - function pointer ??? (CRYPTO_EX_dup *)
+ # $free_func - function pointer ??? (CRYPTO_EX_free *)
+ #
+ # returns: (integer) ???
+
+Check openssl doc L
+
+=item * CTX_get_mode
+
+Returns the mode set for ctx.
+
+ my $rv = Net::SSLeay::CTX_get_mode($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: mode (bitmask)
+
+ #to decode the return value (bitmask) use:
+ 0x00000001 corresponds to SSL_MODE_ENABLE_PARTIAL_WRITE
+ 0x00000002 corresponds to SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
+ 0x00000004 corresponds to SSL_MODE_AUTO_RETRY
+ 0x00000008 corresponds to SSL_MODE_NO_AUTO_CHAIN
+ 0x00000010 corresponds to SSL_MODE_RELEASE_BUFFERS
+ (note: some of the bits might not be supported by older openssl versions)
+
+Check openssl doc L
+
+=item * CTX_set_mode
+
+Adds the mode set via bitmask in $mode to $ctx. Options already set before are not cleared.
+
+ my $rv = Net::SSLeay::CTX_set_mode($ctx, $mode);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $mode - mode bitmask
+ #
+ # returns: the new mode bitmask after adding $mode
+
+For bitmask details see L (above).
+
+Check openssl doc L
+
+=item * CTX_get_options
+
+Returns the options (bitmask) set for $ctx.
+
+ my $rv = Net::SSLeay::CTX_get_options($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: options (bitmask)
+
+B The available constants and their values in bitmask depend
+on the TLS library. For example, SSL_OP_NO_TLSv1_3 became available
+much later than SSL_OP_NO_COMPRESS which is already deprecated by some
+libraries. Also, some previously used option values have been recycled
+and are now used for newer options. See the list of constants in this
+document for options Net::SSLeay currently supports.
+
+You are strongly encouraged to B if you need
+to use numeric values directly. The following is a sample of historic
+values. It may not be correct anymore.
+
+ #to decode the return value (bitmask) use:
+ 0x00000004 corresponds to SSL_OP_LEGACY_SERVER_CONNECT
+ 0x00000800 corresponds to SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+ 0x00004000 corresponds to SSL_OP_NO_TICKET
+ 0x00010000 corresponds to SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+ 0x00400000 corresponds to SSL_OP_CIPHER_SERVER_PREFERENCE
+ 0x04000000 corresponds to SSL_OP_NO_TLSv1
+
+Check openssl doc L
+
+=item * CTX_set_options
+
+Adds the options set via bitmask in $options to ctx. Options already set before are not cleared.
+
+ Net::SSLeay::CTX_set_options($ctx, $options);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $options - options bitmask
+ #
+ # returns: the new options bitmask after adding $options
+
+For bitmask details see L (above).
+
+Check openssl doc L
+
+=item * CTX_get_quiet_shutdown
+
+Returns the 'quiet shutdown' setting of $ctx.
+
+ my $rv = Net::SSLeay::CTX_get_quiet_shutdown($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: (integer) the current setting
+
+Check openssl doc L
+
+=item * CTX_get_read_ahead
+
+ my $rv = Net::SSLeay::CTX_get_read_ahead($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: (integer) read_ahead value
+
+=item * CTX_get_session_cache_mode
+
+Returns the currently used cache mode (bitmask).
+
+ my $rv = Net::SSLeay::CTX_get_session_cache_mode($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: mode (bitmask)
+
+B SESS_CACHE_OFF and other constants are not available in
+Net-SSLeay-1.82 and before. If the constants are not available, the
+following values have historically been correct. You are strongly
+encouraged to B for the current values.
+
+ #to decode the return value (bitmask) use:
+ 0x0000 corresponds to SSL_SESS_CACHE_OFF
+ 0x0001 corresponds to SSL_SESS_CACHE_CLIENT
+ 0x0002 corresponds to SSL_SESS_CACHE_SERVER
+ 0x0080 corresponds to SSL_SESS_CACHE_NO_AUTO_CLEAR
+ 0x0100 corresponds to SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
+ 0x0200 corresponds to SSL_SESS_CACHE_NO_INTERNAL_STORE
+ (note: some of the bits might not be supported by older openssl versions)
+
+Check openssl doc L
+
+=item * CTX_set_session_cache_mode
+
+Enables/disables session caching by setting the operational mode for $ctx to $mode.
+
+ my $rv = Net::SSLeay::CTX_set_session_cache_mode($ctx, $mode);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $mode - mode (bitmask)
+ #
+ # returns: previously set cache mode
+
+For bitmask details see L (above).
+
+Check openssl doc L
+
+=item * CTX_get_timeout
+
+Returns the currently set timeout value for $ctx.
+
+ my $rv = Net::SSLeay::CTX_get_timeout($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: timeout in seconds
+
+Check openssl doc L
+
+=item * CTX_get_verify_depth
+
+Returns the verification depth limit currently set in $ctx. If no limit has been explicitly set, -1 is returned and the default value will be used.
+
+ my $rv = Net::SSLeay::CTX_get_verify_depth($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: depth limit currently set in $ctx, -1 if no limit has been explicitly set
+
+Check openssl doc L
+
+=item * CTX_get_verify_mode
+
+Returns the verification mode (bitmask) currently set in $ctx.
+
+ my $rv = Net::SSLeay::CTX_get_verify_mode($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: mode (bitmask)
+
+For bitmask details see L.
+
+Check openssl doc L
+
+=item * CTX_set_verify
+
+Sets the verification flags for $ctx to be $mode and specifies the verify_callback function to be used.
+
+ Net::SSLeay::CTX_set_verify($ctx, $mode, $callback);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $mode - mode (bitmask), see OpenSSL manual
+ # $callback - [optional] reference to perl callback function
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * CTX_set_post_handshake_auth
+
+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1, not in LibreSSL
+
+Enable the Post-Handshake Authentication extension to be added to the ClientHello such that post-handshake authentication can be requested by the server.
+
+ Net::SSLeay::CTX_set_posthandshake_auth($ctx, $val);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $val - 0 then the extension is not sent, otherwise it is
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * CTX_load_verify_locations
+
+Specifies the locations for $ctx, at which CA certificates for verification purposes are located.
The certificates available via $CAfile and $CApath are trusted.
+
+ my $rv = Net::SSLeay::CTX_load_verify_locations($ctx, $CAfile, $CApath);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $CAfile - (string) file of CA certificates in PEM format, the file can contain several CA certificates (or '')
+ # $CApath - (string) directory containing CA certificates in PEM format (or '')
+ #
+ # returns: 1 on success, 0 on failure (check the error stack to find out the reason)
+
+Check openssl doc L
+
+=item * CTX_need_tmp_RSA
+
+Return the result of C
+
+ my $rv = Net::SSLeay::CTX_need_tmp_RSA($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: result of SSL_CTRL_NEED_TMP_RSA command
+
+Not available with OpenSSL 1.1 and later.
+
+=item * CTX_new
+
+The same as L
+
+ my $rv = Net::SSLeay::CTX_new();
+ #
+ # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
+
+Check openssl doc L
+
+Not available with OpenSSL 1.1 and later.
+
+=item * CTX_v2_new
+
+Creates a new SSL_CTX object - based on SSLv2_method() - as framework to establish TLS/SSL enabled connections.
+
+ my $rv = Net::SSLeay::CTX_v2_new();
+ #
+ # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
+
+=item * CTX_v23_new
+
+Creates a new SSL_CTX object - based on SSLv23_method() - as framework to establish TLS/SSL enabled connections.
+
+ my $rv = Net::SSLeay::CTX_v23_new();
+ #
+ # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
+
+=item * CTX_v3_new
+
+Creates a new SSL_CTX object - based on SSLv3_method() - as framework to establish TLS/SSL enabled connections.
+
+ my $rv = Net::SSLeay::CTX_v3_new();
+ #
+ # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
+
+=item * CTX_tlsv1_new
+
+Creates a new SSL_CTX object - based on TLSv1_method() - as framework to establish TLS/SSL enabled connections.
+
+ my $rv = Net::SSLeay::CTX_tlsv1_new();
+ #
+ # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
+
+=item * CTX_tlsv1_1_new
+
+Creates a new SSL_CTX object - based on TLSv1_1_method() - as framework to establish TLS/SSL
+enabled connections. Only available where supported by the underlying openssl.
+
+ my $rv = Net::SSLeay::CTX_tlsv1_1_new();
+ #
+ # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
+
+=item * CTX_tlsv1_2_new
+
+Creates a new SSL_CTX object - based on TLSv1_2_method() - as framework to establish TLS/SSL
+enabled connections. Only available where supported by the underlying openssl.
+
+ my $rv = Net::SSLeay::CTX_tlsv1_2_new();
+ #
+ # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
+
+=item * CTX_new_with_method
+
+Creates a new SSL_CTX object based on $meth method
+
+ my $rv = Net::SSLeay::CTX_new_with_method($meth);
+ # $meth - value corresponding to openssl's SSL_METHOD structure
+ #
+ # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
+
+ #example
+ my $ctx = Net::SSLeay::CTX_new_with_method(&Net::SSLeay::TLSv1_method);
+
+Check openssl doc L
+
+=item * CTX_set_min_proto_version, CTX_set_max_proto_version, set_min_proto_version and set_max_proto_version,
+
+B not available in Net-SSLeay-1.82 and before; requires at least OpenSSL 1.1.0-pre2 or LibreSSL 2.6.0
+
+Set the minimum and maximum supported protocol for $ctx or $ssl.
+
+ my $rv = Net::SSLeay::CTX_set_min_proto_version($ctx, $version)
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $version - (integer) constat version value or 0 for automatic lowest or highest value
+ #
+ # returns: 1 on success, 0 on failure
+
+ #example: allow only TLS 1.2 for a SSL_CTX
+ my $rv_min = Net::SSLeay::CTX_set_min_proto_version($ctx, Net::SSLeay::TLS1_2_VERSION());
+ my $rv_max = Net::SSLeay::CTX_set_max_proto_version($ctx, Net::SSLeay::TLS1_2_VERSION());
+
+ #example: allow only TLS 1.1 for a SSL
+ my $rv_min = Net::SSLeay::set_min_proto_version($ssl, Net::SSLeay::TLS1_1_VERSION());
+ my $rv_max = Net::SSLeay::set_max_proto_version($ssl, Net::SSLeay::TLS1_1_VERSION());
+
+Check openssl doc L
+
+=item * CTX_get_min_proto_version, CTX_get_max_proto_version, get_min_proto_version and get_max_proto_version,
+
+B not available in Net-SSLeay-1.82 and before; requires at least OpenSSL 1.1.0g
+
+Get the minimum and maximum supported protocol for $ctx or $ssl.
+
+ my $version = Net::SSLeay::CTX_get_min_proto_version($ctx)
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: 0 automatic lowest or highest value, configured value otherwise
+
+Check openssl doc L
+
+=item * CTX_remove_session
+
+Removes the session $ses from the context $ctx.
+
+ my $rv = Net::SSLeay::CTX_remove_session($ctx, $ses);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $ses - value corresponding to openssl's SSL_SESSION structure
+ #
+ # returns: 1 on success, 0 on failure
+
+Check openssl doc L
+
+=item * CTX_sess_accept
+
+ my $rv = Net::SSLeay::CTX_sess_accept($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: number of started SSL/TLS handshakes in server mode
+
+Check openssl doc L
+
+=item * CTX_sess_accept_good
+
+ my $rv = Net::SSLeay::CTX_sess_accept_good($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: number of successfully established SSL/TLS sessions in server mode
+
+Check openssl doc L
+
+=item * CTX_sess_accept_renegotiate
+
+ my $rv = Net::SSLeay::CTX_sess_accept_renegotiate($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: number of start renegotiations in server mode
+
+Check openssl doc L
+
+=item * CTX_sess_cache_full
+
+ my $rv = Net::SSLeay::CTX_sess_cache_full($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: number of sessions that were removed because the maximum session cache size was exceeded
+
+Check openssl doc L
+
+=item * CTX_sess_cb_hits
+
+ my $rv = Net::SSLeay::CTX_sess_cb_hits($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: number of successfully retrieved sessions from the external session cache in server mode
+
+Check openssl doc L
+
+=item * CTX_sess_connect
+
+ my $rv = Net::SSLeay::CTX_sess_connect($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: number of started SSL/TLS handshakes in client mode
+
+Check openssl doc L
+
+=item * CTX_sess_connect_good
+
+ my $rv = Net::SSLeay::CTX_sess_connect_good($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: number of successfully established SSL/TLS sessions in client mode
+
+Check openssl doc L
+
+=item * CTX_sess_connect_renegotiate
+
+ my $rv = Net::SSLeay::CTX_sess_connect_renegotiate($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: number of start renegotiations in client mode
+
+Check openssl doc L
+
+=item * CTX_sess_get_cache_size
+
+Returns the currently valid session cache size.
+
+ my $rv = Net::SSLeay::CTX_sess_get_cache_size($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: current size
+
+Check openssl doc L
+
+=item * CTX_sess_hits
+
+ my $rv = Net::SSLeay::CTX_sess_hits($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: number of successfully reused sessions
+
+Check openssl doc L
+
+=item * CTX_sess_misses
+
+ my $rv = Net::SSLeay::CTX_sess_misses($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: number of sessions proposed by clients that were not found in the internal session cache in server mode
+
+Check openssl doc L
+
+=item * CTX_sess_number
+
+ my $rv = Net::SSLeay::CTX_sess_number($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: current number of sessions in the internal session cache
+
+Check openssl doc L
+
+=item * CTX_sess_set_cache_size
+
+Sets the size of the internal session cache of context $ctx to $size.
+
+ Net::SSLeay::CTX_sess_set_cache_size($ctx, $size);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $size - cache size (0 = unlimited)
+ #
+ # returns: previously valid size
+
+Check openssl doc L
+
+=item * CTX_sess_timeouts
+
+Returns the number of sessions proposed by clients and either found in the internal or external session cache in
+server mode, but that were invalid due to timeout. These sessions are not included in the SSL_CTX_sess_hits count.
+
+ my $rv = Net::SSLeay::CTX_sess_timeouts($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: number of sessions
+
+Check openssl doc L
+
+=item * CTX_sess_set_new_cb
+
+B not available in Net-SSLeay-1.85 and before
+
+Sets the callback function, which is automatically called whenever a new session was negotiated.
+
+ Net::SSLeay::CTX_sess_set_new_cb($ctx, $func);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $func - perl reference to callback function
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * CTX_sess_set_remove_cb
+
+B not available in Net-SSLeay-1.85 and before
+
+Sets the callback function, which is automatically called whenever a session is removed by the SSL engine.
+
+ Net::SSLeay::CTX_sess_set_remove_cb($ctx, $func);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $func - perl reference to callback function
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * CTX_sessions
+
+Returns a pointer to the lhash databases containing the internal session cache for ctx.
+
+ my $rv = Net::SSLeay::CTX_sessions($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: value corresponding to openssl's LHASH structure (0 on failure)
+
+Check openssl doc L
+
+=item * CTX_set1_param
+
+B requires at least OpenSSL 1.0.0-beta3
+
+Applies X509 verification parameters $vpm on $ctx
+
+ my $rv = Net::SSLeay::CTX_set1_param($ctx, $vpm);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $vpm - value corresponding to openssl's X509_VERIFY_PARAM structure
+ #
+ # returns: 1 on success, 0 on failure
+
+Check openssl doc L
+
+=item * CTX_set_cert_store
+
+Sets/replaces the certificate verification storage of $ctx to/with $store.
+
+ Net::SSLeay::CTX_set_cert_store($ctx, $store);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $store - value corresponding to openssl's X509_STORE structure
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * CTX_set_cert_verify_callback
+
+Sets the verification callback function for $ctx. SSL objects that are created from $ctx
+inherit the setting valid at the time when C is called.
+
+ Net::SSLeay::CTX_set_cert_verify_callback($ctx, $func, $data);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $func - perl reference to callback function
+ # $data - [optional] data that will be passed to callback function when invoked
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * CTX_set_cipher_list
+
+Sets the list of available ciphers for $ctx using the control string $str.
+The list of ciphers is inherited by all ssl objects created from $ctx.
+
+ my $rv = Net::SSLeay::CTX_set_cipher_list($s, $str);
+ # $s - value corresponding to openssl's SSL_CTX structure
+ # $str - (string) cipher list e.g. '3DES:+RSA'
+ #
+ # returns: 1 if any cipher could be selected and 0 on complete failure
+
+The format of $str is described in L
+
+Check openssl doc L
+
+=item * CTX_set_ciphersuites
+
+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1, not in LibreSSL
+
+Configure the available TLSv1.3 ciphersuites.
+
+ my $rv = Net::SSLeay::CTX_set_ciphersuites($ctx, $str);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $str - colon (":") separated list of TLSv1.3 ciphersuite names in order of preference
+ #
+ # returns: (integer) 1 if the requested ciphersuite list was configured, and 0 otherwise
+
+Check openssl doc L
+
+=item * CTX_set_client_CA_list
+
+Sets the list of CAs sent to the client when requesting a client certificate for $ctx.
+
+ Net::SSLeay::CTX_set_client_CA_list($ctx, $list);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $list - value corresponding to openssl's X509_NAME_STACK structure
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * CTX_set_default_passwd_cb
+
+Sets the default password callback called when loading/storing a PEM certificate with encryption.
+
+ Net::SSLeay::CTX_set_default_passwd_cb($ctx, $func);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $func - perl reference to callback function
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * CTX_set_default_passwd_cb_userdata
+
+Sets a pointer to userdata which will be provided to the password callback on invocation.
+
+ Net::SSLeay::CTX_set_default_passwd_cb_userdata($ctx, $userdata);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $userdata - data that will be passed to callback function when invoked
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * CTX_set_default_verify_paths
+
+??? (more info needed)
+
+ my $rv = Net::SSLeay::CTX_set_default_verify_paths($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: 1 on success, 0 on failure
+
+=item * CTX_set_ex_data
+
+Is used to store application data at $data for $idx into the $ctx object.
+
+ my $rv = Net::SSLeay::CTX_set_ex_data($ssl, $idx, $data);
+ # $ssl - value corresponding to openssl's SSL_CTX structure
+ # $idx - (integer) ???
+ # $data - (pointer) ???
+ #
+ # returns: 1 on success, 0 on failure
+
+Check openssl doc L
+
+=item * CTX_set_purpose
+
+ my $rv = Net::SSLeay::CTX_set_purpose($s, $purpose);
+ # $s - value corresponding to openssl's SSL_CTX structure
+ # $purpose - (integer) purpose identifier
+ #
+ # returns: 1 on success, 0 on failure
+
+ #avainable purpose identifier
+ 1 - X509_PURPOSE_SSL_CLIENT
+ 2 - X509_PURPOSE_SSL_SERVER
+ 3 - X509_PURPOSE_NS_SSL_SERVER
+ 4 - X509_PURPOSE_SMIME_SIGN
+ 5 - X509_PURPOSE_SMIME_ENCRYPT
+ 6 - X509_PURPOSE_CRL_SIGN
+ 7 - X509_PURPOSE_ANY
+ 8 - X509_PURPOSE_OCSP_HELPER
+ 9 - X509_PURPOSE_TIMESTAMP_SIGN
+
+ #or use corresponding constants
+ $purpose = &Net::SSLeay::X509_PURPOSE_SSL_CLIENT;
+ ...
+ $purpose = &Net::SSLeay::X509_PURPOSE_TIMESTAMP_SIGN;
+
+=item * CTX_set_quiet_shutdown
+
+Sets the 'quiet shutdown' flag for $ctx to be mode. SSL objects created from $ctx inherit the mode valid at the time C is called.
+
+ Net::SSLeay::CTX_set_quiet_shutdown($ctx, $mode);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $mode - 0 or 1
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * CTX_set_read_ahead
+
+ my $rv = Net::SSLeay::CTX_set_read_ahead($ctx, $val);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $val - read_ahead value to be set
+ #
+ # returns: the original read_ahead value
+
+=item * CTX_set_session_id_context
+
+Sets the context $sid_ctx of length $sid_ctx_len within which a session can be reused for the $ctx object.
+
+ my $rv = Net::SSLeay::CTX_set_session_id_context($ctx, $sid_ctx, $sid_ctx_len);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $sid_ctx - data buffer
+ # $sid_ctx_len - length of data in $sid_ctx
+ #
+ # returns: 1 on success, 0 on failure (the error is logged to the error stack)
+
+Check openssl doc L
+
+=item * CTX_set_ssl_version
+
+Sets a new default TLS/SSL method for SSL objects newly created from this $ctx.
+SSL objects already created with C are not
+affected, except when C is being called.
+
+ my $rv = Net::SSLeay::CTX_set_ssl_version($ctx, $meth);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $meth - value corresponding to openssl's SSL_METHOD structure
+ #
+ # returns: 1 on success, 0 on failure
+
+Check openssl doc L
+
+=item * CTX_set_timeout
+
+Sets the timeout for newly created sessions for $ctx to $t. The timeout value $t must be given in seconds.
+
+ my $rv = Net::SSLeay::CTX_set_timeout($ctx, $t);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $t - timeout in seconds
+ #
+ # returns: previously set timeout value
+
+Check openssl doc L
+
+=item * CTX_set_tmp_dh
+
+Sets DH parameters to be used to be $dh. The key is inherited by all ssl objects created from $ctx.
+
+ my $rv = Net::SSLeay::CTX_set_tmp_dh($ctx, $dh);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $dh - value corresponding to openssl's DH structure
+ #
+ # returns: 1 on success, 0 on failure
+
+Check openssl doc L
+
+=item * CTX_set_tmp_dh_callback
+
+Sets the callback function for $ctx to be used when a DH parameters are required to $tmp_dh_callback.
+
+ Net::SSLeay::CTX_set_tmp_dh_callback($ctx, $tmp_dh_callback);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # tmp_dh_callback - (function pointer) ???
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * CTX_set_tmp_rsa
+
+Sets the temporary/ephemeral RSA key to be used to be $rsa.
+
+ my $rv = Net::SSLeay::CTX_set_tmp_rsa($ctx, $rsa);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $rsa - value corresponding to openssl's RSA structure
+ #
+ # returns: 1 on success, 0 on failure
+
+Check openssl doc L
+
+Not available with OpenSSL 1.1 and later.
+
+=item * CTX_set_tmp_rsa_callback
+
+Sets the callback function for ctx to be used when a temporary/ephemeral RSA key is required to $tmp_rsa_callback.
+
+??? (does this function really work?)
+
+ Net::SSLeay::CTX_set_tmp_rsa_callback($ctx, $tmp_rsa_callback);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $tmp_rsa_callback - (function pointer) ???
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+Not available with OpenSSL 1.1 and later.
+
+=item * CTX_set_trust
+
+ my $rv = Net::SSLeay::CTX_set_trust($s, $trust);
+ # $s - value corresponding to openssl's SSL_CTX structure
+ # $trust - (integer) trust identifier
+ #
+ # returns: the original value
+
+ #available trust identifiers
+ 1 - X509_TRUST_COMPAT
+ 2 - X509_TRUST_SSL_CLIENT
+ 3 - X509_TRUST_SSL_SERVER
+ 4 - X509_TRUST_EMAIL
+ 5 - X509_TRUST_OBJECT_SIGN
+ 6 - X509_TRUST_OCSP_SIGN
+ 7 - X509_TRUST_OCSP_REQUEST
+ 8 - X509_TRUST_TSA
+
+ #or use corresponding constants
+ $trust = &Net::SSLeay::X509_TRUST_COMPAT;
+ ...
+ $trust = &Net::SSLeay::X509_TRUST_TSA;
+
+=item * CTX_set_verify_depth
+
+Sets the maximum depth for the certificate chain verification that shall be allowed for ctx.
+
+ Net::SSLeay::CTX_set_verify_depth($ctx, $depth);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $depth - max. depth
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * CTX_use_PKCS12_file
+
+Adds the certificate and private key from PKCS12 file $p12filename to $ctx.
+
+ my $rv = Net::SSLeay::CTX_use_PKCS12_file($ctx, $p12filename, $password);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $p12filename - (string) filename
+ # $password - (string) password to decrypt private key
+ #
+ # returns: 1 on success, 0 on failure
+
+=item * CTX_use_PrivateKey
+
+Adds the private key $pkey to $ctx.
+
+ my $rv = Net::SSLeay::CTX_use_PrivateKey($ctx, $pkey);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $pkey - value corresponding to openssl's EVP_PKEY structure
+ #
+ # returns: 1 on success, otherwise check out the error stack to find out the reason
+
+Check openssl doc L
+
+=item * CTX_use_PrivateKey_file
+
+Adds the first private key found in $file to $ctx.
+
+ my $rv = Net::SSLeay::CTX_use_PrivateKey_file($ctx, $file, $type);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $file - (string) file name
+ # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1
+ #
+ # returns: 1 on success, otherwise check out the error stack to find out the reason
+
+Check openssl doc L
+
+=item * CTX_use_RSAPrivateKey
+
+Adds the RSA private key $rsa to $ctx.
+
+ my $rv = Net::SSLeay::CTX_use_RSAPrivateKey($ctx, $rsa);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $rsa - value corresponding to openssl's RSA structure
+ #
+ # returns: 1 on success, otherwise check out the error stack to find out the reason
+
+Check openssl doc L
+
+=item * CTX_use_RSAPrivateKey_file
+
+Adds the first RSA private key found in $file to $ctx.
+
+ my $rv = Net::SSLeay::CTX_use_RSAPrivateKey_file($ctx, $file, $type);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $file - (string) file name
+ # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1
+ #
+ # returns: 1 on success, otherwise check out the error stack to find out the reason
+
+=item * CTX_use_certificate
+
+Loads the certificate $x into $ctx
+
+ my $rv = Net::SSLeay::CTX_use_certificate($ctx, $x);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $x - value corresponding to openssl's X509 structure
+ #
+ # returns: 1 on success, otherwise check out the error stack to find out the reason
+
+Check openssl doc L
+
+=item * CTX_use_certificate_chain_file
+
+Loads a certificate chain from $file into $ctx. The certificates must be in PEM format and must be sorted
+starting with the subject's certificate (actual client or server certificate), followed by intermediate
+CA certificates if applicable, and ending at the highest level (root) CA.
+
+ my $rv = Net::SSLeay::CTX_use_certificate_chain_file($ctx, $file);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $file - (string) file name
+ #
+ # returns: 1 on success, otherwise check out the error stack to find out the reason
+
+Check openssl doc L
+
+=item * CTX_use_certificate_file
+
+Loads the first certificate stored in $file into $ctx.
+
+ my $rv = Net::SSLeay::CTX_use_certificate_file($ctx, $file, $type);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $file - (string) file name
+ # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1
+ #
+ # returns: 1 on success, otherwise check out the error stack to find out the reason
+
+Check openssl doc L
+
+=item * CTX_get_security_level
+
+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.0, not in LibreSSL
+
+Returns the security level associated with $ctx.
+
+ my $level = Net::SSLeay::CTX_get_security_level($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: (integer) current security level
+
+Check openssl doc L
+
+=item * CTX_set_security_level
+
+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.0, not in LibreSSL
+
+Sets the security level associated with $ctx to $level.
+
+ Net::SSLeay::CTX_set_security_level($ctx, $level);
+ # $ssl - value corresponding to openssl's SSL_CTX structure
+ # $level - new security level
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * CTX_set_num_tickets
+
+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1, not in LibreSSL
+
+Set number of TLSv1.3 session tickets that will be sent to a client.
+
+ my $rv = Net::SSLeay::CTX_set_num_tickets($ctx, $number_of_tickets);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $number_of_tickets - number of tickets to send
+ #
+ # returns: 1 on success, 0 on failure
+
+Set to zero if you do not no want to support a session resumption.
+
+Check openssl doc L
+
+=item * CTX_get_num_tickets
+
+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1, not in LibreSSL
+
+Get number of TLSv1.3 session tickets that will be sent to a client.
+
+ my $number_of_tickets = Net::SSLeay::CTX_get_num_tickets($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: (integer) number of tickets to send
+
+Check openssl doc L
+
+=item * CTX_set_keylog_callback
+
+B not available in Net-SSLeay-1.90 and before; requires at least OpenSSL 1.1.1pre1, not in LibreSSL
+
+Set the TLS key logging callback.
+
+ Net::SSLeay::CTX_set_keylog_callback($ctx, $cb);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $cb - reference to a perl callback function
+ #
+ # returns: no return value
+
+The callback function will be called like this:
+
+ keylog_cb_func($ssl, $line);
+ # $ssl - value corresponding to OpenSSL's SSL object associated with the connection
+ # $line - a string containing the key material in the format used by NSS for its SSLKEYLOGFILE debugging output
+
+Check openssl doc L
+
+=item * CTX_get_keylog_callback
+
+B not available in Net-SSLeay-1.90 and before; requires at least OpenSSL 1.1.1pre1, not in LibreSSL
+
+Retrieve the previously set TLS key logging callback.
+
+ my $cb = Net::SSLeay::CTX_get_keylog_callback($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: a reference to a perl callback function or undef if no callback is set
+
+Check openssl doc L
+
+=back
+
+=head3 Low level API: SSL_* related functions
+
+B Please note that the function described in this chapter have "SSL_" part stripped from their original openssl names.
+
+=over
+
+=item * new
+
+Creates a new SSL structure which is needed to hold the data for a TLS/SSL connection.
+The new structure inherits the settings of the underlying context $ctx: connection
+method (SSLv2/v3/TLSv1), options, verification settings, timeout settings.
+
+ my $rv = Net::SSLeay::new($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: value corresponding to openssl's SSL structure (0 on failure)
+
+Check openssl doc L
+
+=item * accept
+
+Waits for a TLS/SSL client to initiate the TLS/SSL handshake. The communication
+channel must already have been set and assigned to the ssl by setting an underlying BIO.
+
+ my $rv = Net::SSLeay::accept($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: 1 = success, 0 = handshake not successful, <0 = fatal error during handshake
+
+Check openssl doc L
+
+=item * add_client_CA
+
+Adds the CA name extracted from cacert to the list of CAs sent to the client
+when requesting a client certificate for the chosen ssl, overriding the setting
+valid for ssl's SSL_CTX object.
+
+ my $rv = Net::SSLeay::add_client_CA($ssl, $x);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $x - value corresponding to openssl's X509 structure
+ #
+ # returns: 1 on success, 0 on failure
+
+Check openssl doc L
+
+=item * callback_ctrl
+
+??? (more info needed)
+
+ my $rv = Net::SSLeay::callback_ctrl($ssl, $cmd, $fp);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $cmd - (integer) command id
+ # $fp - (function pointer) ???
+ #
+ # returns: ???
+
+Check openssl doc L
+
+=item * check_private_key
+
+Checks the consistency of a private key with the corresponding certificate loaded into $ssl
+
+ my $rv = Net::SSLeay::check_private_key($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: 1 on success, otherwise check out the error stack to find out the reason
+
+Check openssl doc L
+
+=item * clear
+
+Reset SSL object to allow another connection.
+
+ Net::SSLeay::clear($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * connect
+
+Initiate the TLS/SSL handshake with an TLS/SSL server.
+
+ my $rv = Net::SSLeay::connect($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: 1 = success, 0 = handshake not successful, <0 = fatal error during handshake
+
+Check openssl doc L
+
+=item * copy_session_id
+
+Copies the session structure fro $from to $to (+ also the private key and certificate associated with $from).
+
+ Net::SSLeay::copy_session_id($to, $from);
+ # $to - value corresponding to openssl's SSL structure
+ # $from - value corresponding to openssl's SSL structure
+ #
+ # returns: no return value
+
+=item * ctrl
+
+Internal handling function for SSL objects.
+
+B openssl doc says: This function should never be called directly!
+
+ my $rv = Net::SSLeay::ctrl($ssl, $cmd, $larg, $parg);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $cmd - (integer) command id
+ # $larg - (integer) long ???
+ # $parg - (string/pointer) ???
+ #
+ # returns: (long) result of given command ???
+
+For more details about valid $cmd values check L.
+
+Check openssl doc L
+
+=item * do_handshake
+
+Will wait for a SSL/TLS handshake to take place. If the connection is in client
+mode, the handshake will be started. The handshake routines may have to be
+explicitly set in advance using either SSL_set_connect_state or SSL_set_accept_state(3).
+
+ my $rv = Net::SSLeay::do_handshake($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: 1 = success, 0 = handshake not successful, <0 = fatal error during handshake
+
+Check openssl doc L
+
+=item * dup
+
+Returns a duplicate of $ssl.
+
+ my $rv = Net::SSLeay::dup($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: value corresponding to openssl's SSL structure (0 on failure)
+
+=item * free
+
+Free an allocated SSL structure.
+
+ Net::SSLeay::free($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * get0_param
+
+B not available in Net-SSLeay-1.82 and before; requires at least OpenSSL 1.0.2-beta1 or LibreSSL 2.7.0
+
+Returns the current verification parameters.
+
+ my $vpm = Net::SSLeay::get0_param($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: value corresponding to openssl's X509_VERIFY_PARAM structure
+
+Check openssl doc L
+
+=item * get_SSL_CTX
+
+Returns a pointer to the SSL_CTX object, from which $ssl was created with Net::SSLeay::new.
+
+ my $rv = Net::SSLeay::get_SSL_CTX($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
+
+Check openssl doc L
+
+=item * set_SSL_CTX
+
+B requires at least OpenSSL 0.9.8f
+
+Sets the SSL_CTX the corresponds to an SSL session.
+
+ my $the_ssl_ctx = Net::SSLeay::set_SSL_CTX($ssl, $ssl_ctx);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $ssl_ctx - Change the ssl object to the given ssl_ctx
+ #
+ # returns - the ssl_ctx
+
+=item * get_app_data
+
+Can be used to get application defined value/data.
+
+ my $rv = Net::SSLeay::get_app_data($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: string/buffer/pointer ???
+
+=item * set_app_data
+
+Can be used to set some application defined value/data.
+
+ my $rv = Net::SSLeay::set_app_data($ssl, $arg);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $arg - (string/buffer/pointer ???) data
+ #
+ # returns: ???
+
+=item * get_certificate
+
+Gets X509 certificate from an established SSL connection.
+
+ my $rv = Net::SSLeay::get_certificate($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: value corresponding to openssl's X509 structure (0 on failure)
+
+=item * get_cipher
+
+Obtains the name of the currently used cipher.
+
+ my $rv = Net::SSLeay::get_cipher($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: (string) cipher name e.g. 'DHE-RSA-AES256-SHA' or '', when no session has been established.
+
+Check openssl doc L
+
+=item * get_cipher_bits
+
+Obtain the number of secret/algorithm bits used.
+
+ my $rv = Net::SSLeay::get_cipher_bits($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: number of secret bits used by current cipher
+
+Check openssl doc L
+and L
+
+=item * get_ciphers
+
+B not available in Net-SSLeay-1.88 and before
+
+Returns a list of SSL_CIPHER structures available for $ssl sorted by preference
+
+ my @ciphers = Net::SSLeay::get_ciphers($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: (list) SSL_CIPHER structures or nothing when $ssl is undefined or no ciphers are available
+
+Example:
+
+ my @ciphers = Net::SSLeay::get_ciphers($ssl);
+ foreach my $c (@ciphers) {
+ print Net::SSLeay::CIPHER_get_name($c) . "\n";
+ }
+
+Check openssl doc L
+
+=item * get_cipher_list
+
+Returns the name (string) of the SSL_CIPHER listed for $ssl with priority $n.
+
+ my $rv = Net::SSLeay::get_cipher_list($ssl, $n);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $n - (integer) priority
+ #
+ # returns: (string) cipher name e.g. 'EDH-DSS-DES-CBC3-SHA' or undef in case of error
+
+Call Net::SSLeay::get_cipher_list with priority starting from 0 to obtain
+the sorted list of available ciphers, until undef is returned:
+
+ my $priority = 0;
+ while (my $c = Net::SSLeay::get_cipher_list($ssl, $priority)) {
+ print "cipher[$priority] = $c\n";
+ $priority++;
+ }
+
+Check openssl doc L
+
+=item * get_client_CA_list
+
+Returns the list of client CAs explicitly set for $ssl using C
+or $ssl's SSL_CTX object with C, when in server mode.
+
+In client mode, returns the list of client CAs sent from the server, if any.
+
+ my $rv = Net::SSLeay::get_client_CA_list($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: value corresponding to openssl's STACK_OF(X509_NAME) structure (0 on failure)
+
+Check openssl doc L
+
+=item * get_current_cipher
+
+Returns the cipher actually used.
+
+ my $rv = Net::SSLeay::get_current_cipher($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: value corresponding to openssl's SSL_CIPHER structure (0 on failure)
+
+Check openssl doc L
+
+=item * get_default_timeout
+
+Returns the default timeout value assigned to SSL_SESSION objects negotiated for the protocol valid for $ssl.
+
+ my $rv = Net::SSLeay::get_default_timeout($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: (long) timeout in seconds
+
+Check openssl doc L
+
+=item * get_error
+
+Returns a result code for a preceding call to C, C, C, C, C or C on $ssl.
+
+ my $rv = Net::SSLeay::get_error($ssl, $ret);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $ret - return value of preceding TLS/SSL I/O operation
+ #
+ # returns: result code, which is one of the following values:
+ # 0 - SSL_ERROR_NONE
+ # 1 - SSL_ERROR_SSL
+ # 2 - SSL_ERROR_WANT_READ
+ # 3 - SSL_ERROR_WANT_WRITE
+ # 4 - SSL_ERROR_WANT_X509_LOOKUP
+ # 5 - SSL_ERROR_SYSCALL
+ # 6 - SSL_ERROR_ZERO_RETURN
+ # 7 - SSL_ERROR_WANT_CONNECT
+ # 8 - SSL_ERROR_WANT_ACCEPT
+
+Check openssl doc L
+
+=item * get_ex_data
+
+Is used to retrieve the information for $idx from $ssl.
+
+ my $rv = Net::SSLeay::get_ex_data($ssl, $idx);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $idx - (integer) index for application specific data
+ #
+ # returns: pointer to ???
+
+Check openssl doc L
+
+=item * set_ex_data
+
+Is used to store application data at $data for $idx into the $ssl object.
+
+ my $rv = Net::SSLeay::set_ex_data($ssl, $idx, $data);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $idx - (integer) ???
+ # $data - (pointer) ???
+ #
+ # returns: 1 on success, 0 on failure
+
+Check openssl doc L
+
+=item * get_ex_new_index
+
+Is used to register a new index for application specific data.
+
+ my $rv = Net::SSLeay::get_ex_new_index($argl, $argp, $new_func, $dup_func, $free_func);
+ # $argl - (long) ???
+ # $argp - (pointer) ???
+ # $new_func - function pointer ??? (CRYPTO_EX_new *)
+ # $dup_func - function pointer ??? (CRYPTO_EX_dup *)
+ # $free_func - function pointer ??? (CRYPTO_EX_free *)
+ #
+ # returns: (integer) ???
+
+Check openssl doc L
+
+=item * get_fd
+
+Returns the file descriptor which is linked to $ssl.
+
+ my $rv = Net::SSLeay::get_fd($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: file descriptor (>=0) or -1 on failure
+
+Check openssl doc L
+
+=item * get_finished
+
+Obtains the latest 'Finished' message sent to the peer. Return value
+is zero if there's been no Finished message yet. Default count is
+2*EVP_MAX_MD_SIZE that is long enough for all possible Finish
+messages. If you supply a non-default count, the resulting return
+value may be longer than returned buf's length.
+
+ my $rv = Net::SSLeay::get_finished($ssl, $buf, $count);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $buf - buffer where the returned data will be stored
+ # $count - [optional] max size of return data - default is 2*EVP_MAX_MD_SIZE
+ #
+ # returns: length of latest Finished message
+
+=item * get_peer_finished
+
+Obtains the latest 'Finished' message expected from the
+peer. Parameters and return value are similar to get_finished().
+
+ my $rv = Net::SSLeay::get_peer_finished($ssl, $buf, $count);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $buf - buffer where the returned data will be stored
+ # $count - [optional] max size of return data - default is 2*EVP_MAX_MD_SIZE
+ #
+ # returns: length of latest Finished message
+
+=item * get_keyblock_size
+
+Gets the length of the TLS keyblock.
+
+B Does not exactly correspond to any low level API function.
+
+ my $rv = Net::SSLeay::get_keyblock_size($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: keyblock size, -1 on error
+
+=item * get_mode
+
+Returns the mode (bitmask) set for $ssl.
+
+ my $rv = Net::SSLeay::get_mode($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: mode (bitmask)
+
+To decode the return value (bitmask) see documentation for L.
+
+Check openssl doc L
+
+=item * set_mode
+
+Adds the mode set via bitmask in $mode to $ssl. Options already set before are not cleared.
+
+ my $rv = Net::SSLeay::set_mode($ssl, $mode);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $mode - mode (bitmask)
+ #
+ # returns: the new mode bitmask after adding $mode
+
+For $mode bitmask details see L.
+
+Check openssl doc L
+
+=item * get_options
+
+Returns the options (bitmask) set for $ssl.
+
+ my $rv = Net::SSLeay::get_options($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: options (bitmask)
+
+To decode the return value (bitmask) see documentation for L.
+
+Check openssl doc L
+
+=item * set_options
+
+Adds the options set via bitmask in $options to $ssl. Options already set before are not cleared!
+
+ Net::SSLeay::set_options($ssl, $options);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $options - options (bitmask)
+ #
+ # returns: the new options bitmask after adding $options
+
+For $options bitmask details see L.
+
+Check openssl doc L
+
+=item * get_peer_certificate
+
+Get the X509 certificate of the peer.
+
+ my $rv = Net::SSLeay::get_peer_certificate($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: value corresponding to openssl's X509 structure (0 on failure)
+
+Check openssl doc L
+
+=item * get_peer_cert_chain
+
+Get the certificate chain of the peer as an array of X509 structures.
+
+ my @rv = Net::SSLeay::get_peer_cert_chain($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: list of X509 structures
+
+Check openssl doc L
+
+=item * get_quiet_shutdown
+
+Returns the 'quiet shutdown' setting of ssl.
+
+ my $rv = Net::SSLeay::get_quiet_shutdown($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: (integer) current 'quiet shutdown' value
+
+Check openssl doc L
+
+=item * get_rbio
+
+Get 'read' BIO linked to an SSL object $ssl.
+
+ my $rv = Net::SSLeay::get_rbio($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: value corresponding to openssl's BIO structure (0 on failure)
+
+Check openssl doc L
+
+=item * get_read_ahead
+
+ my $rv = Net::SSLeay::get_read_ahead($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: (integer) read_ahead value
+
+=item * set_read_ahead
+
+ Net::SSLeay::set_read_ahead($ssl, $val);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $val - read_ahead value to be set
+ #
+ # returns: the original read_ahead value
+
+=item * get_security_level
+
+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.0, not in LibreSSL
+
+Returns the security level associated with $ssl.
+
+ my $level = Net::SSLeay::get_security_level($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: (integer) current security level
+
+Check openssl doc L
+
+=item * set_security_level
+
+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.0, not in LibreSSL
+
+Sets the security level associated with $ssl to $level.
+
+ Net::SSLeay::set_security_level($ssl, $level);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $level - new security level
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * set_num_tickets
+
+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1, not in LibreSSL
+
+Set number of TLSv1.3 session tickets that will be sent to a client.
+
+ my $rv = Net::SSLeay::set_num_tickets($ssl, $number_of_tickets);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $number_of_tickets - number of tickets to send
+ #
+ # returns: 1 on success, 0 on failure
+
+Set to zero if you do not no want to support a session resumption.
+
+Check openssl doc L
+
+=item * get_num_tickets
+
+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1, not in LibreSSL
+
+Get number of TLSv1.3 session tickets that will be sent to a client.
+
+ my $number_of_tickets = Net::SSLeay::get_num_tickets($ctx);
+ # $ctx - value corresponding to openssl's SSL structure
+ #
+ # returns: number of tickets to send
+
+Check openssl doc L
+
+=item * get_server_random
+
+Returns internal SSLv3 server_random value.
+
+ Net::SSLeay::get_server_random($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: server_random value (binary data)
+
+=item * get_client_random
+
+B Does not exactly correspond to any low level API function
+
+Returns internal SSLv3 client_random value.
+
+ Net::SSLeay::get_client_random($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: client_random value (binary data)
+
+=item * export_keying_material
+
+Returns keying material based on the string $label and optional
+$context. Note that with TLSv1.2 and lower, empty context (empty
+string) and undefined context (no value or 'undef') will return
+different values.
+
+ my $out = Net::SSLeay::export_keying_material($ssl, $olen, $label, $context);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $olen - number of bytes to return
+ # $label - application specific label
+ # $context - [optional] context - default is undef for no context
+ #
+ # returns: keying material (binary data) or undef on error
+
+Check openssl doc L
+
+=item * get_session
+
+Retrieve TLS/SSL session data used in $ssl. The reference count of the SSL_SESSION is NOT incremented.
+
+ my $rv = Net::SSLeay::get_session($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: value corresponding to openssl's SSL_SESSION structure (0 on failure)
+
+Check openssl doc L
+
+=item * SSL_get0_session
+
+The alias for L (note that the name is C NOT C).
+
+ my $rv = Net::SSLeay::SSL_get0_session();
+
+=item * get1_session
+
+Returns a pointer to the SSL_SESSION actually used in $ssl. The reference count of the SSL_SESSION is incremented by 1.
+
+ my $rv = Net::SSLeay::get1_session($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: value corresponding to openssl's SSL_SESSION structure (0 on failure)
+
+Check openssl doc L
+
+=item * get_shared_ciphers
+
+Returns string with a list (colon ':' separated) of ciphers shared between client and server
+within SSL session $ssl.
+
+ my $rv = Net::SSLeay::get_shared_ciphers()
+ #
+ # returns: string like 'ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:...'
+
+=item * get_shutdown
+
+Returns the shutdown mode of $ssl.
+
+ my $rv = Net::SSLeay::get_shutdown($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: shutdown mode (bitmask) of ssl
+
+ #to decode the return value (bitmask) use:
+ 0 - No shutdown setting, yet
+ 1 - SSL_SENT_SHUTDOWN
+ 2 - SSL_RECEIVED_SHUTDOWN
+
+Check openssl doc L
+
+=item * get_ssl_method
+
+Returns a function pointer to the TLS/SSL method set in $ssl.
+
+ my $rv = Net::SSLeay::get_ssl_method($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: value corresponding to openssl's SSL_METHOD structure (0 on failure)
+
+Check openssl doc L
+
+=item * in_init, in_before, is_init_finished, in_connect_init, in_accept_init
+
+B not available in Net-SSLeay-1.85 and before.
+
+Retrieve information about the handshake state machine. All functions take $ssl as the only argument and return 0 or 1. These functions are recommended over get_state() and state().
+
+ my $rv = Net::SSLeay::is_init_finished($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: All functions return 1 or 0
+
+Check openssl doc L
+
+=item * get_state
+
+B OpenSSL 1.1.0 and later use different constants which are not made available. Use is_init_finished() and related functions instead.
+
+Returns the SSL connection state.
+
+ my $rv = Net::SSLeay::get_state($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: (integer) state value
+ # to decode the returned state check:
+ # SSL_ST_* constants in openssl/ssl.h
+ # SSL2_ST_* constants in openssl/ssl2.h
+ # SSL23_ST_* constants in openssl/ssl23.h
+ # SSL3_ST_* + DTLS1_ST_* constants in openssl/ssl3.h
+
+=item * state
+
+Exactly the same as L.
+
+ my $rv = Net::SSLeay::state($ssl);
+
+=item * set_state
+
+Sets the SSL connection state.
+
+ Net::SSLeay::set_state($ssl,Net::SSLeay::SSL_ST_ACCEPT());
+
+Not available with OpenSSL 1.1 and later.
+
+=item * get_verify_depth
+
+Returns the verification depth limit currently set in $ssl.
+
+ my $rv = Net::SSLeay::get_verify_depth($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: current depth or -1 if no limit has been explicitly set
+
+Check openssl doc L
+
+=item * set_verify_depth
+
+Sets the maximum depth for the certificate chain verification that shall be allowed for $ssl.
+
+ Net::SSLeay::set_verify_depth($ssl, $depth);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $depth - (integer) depth
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * get_verify_mode
+
+Returns the verification mode (bitmask) currently set in $ssl.
+
+ my $rv = Net::SSLeay::get_verify_mode($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: mode (bitmask)
+
+To decode the return value (bitmask) see documentation for L.
+
+Check openssl doc L
+
+=item * set_verify
+
+Sets the verification flags for $ssl to be $mode and specifies the $verify_callback function to be used.
+
+ Net::SSLeay::set_verify($ssl, $mode, $callback);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $mode - mode (bitmask)
+ # $callback - [optional] reference to perl callback function
+ #
+ # returns: no return value
+
+For $mode bitmask details see L.
+
+Check openssl doc L
+
+=item * set_post_handshake_auth
+
+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1, not in LibreSSL
+
+Enable the Post-Handshake Authentication extension to be added to the ClientHello such that post-handshake authentication can be requested by the server.
+
+ Net::SSLeay::set_posthandshake_auth($ssl, $val);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $val - 0 then the extension is not sent, otherwise it is
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * verify_client_post_handshake
+
+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1, not in LibreSSL
+
+verify_client_post_handshake causes a CertificateRequest message to be sent by a server on the given ssl connection.
+
+ my $rv = Net::SSLeay::verify_client_post_handshake($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: 1 if the request succeeded, and 0 if the request failed. The error stack can be examined to determine the failure reason.
+
+Check openssl doc L
+
+=item * get_verify_result
+
+Returns the result of the verification of the X509 certificate presented by the peer, if any.
+
+ my $rv = Net::SSLeay::get_verify_result($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: (integer)
+ # 0 - X509_V_OK: ok
+ # 2 - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate
+ # 3 - X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL
+ # 4 - X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature
+ # 5 - X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature
+ # 6 - X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key
+ # 7 - X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure
+ # 8 - X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure
+ # 9 - X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid
+ # 10 - X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired
+ # 11 - X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid
+ # 12 - X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired
+ # 13 - X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field
+ # 14 - X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field
+ # 15 - X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field
+ # 16 - X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field
+ # 17 - X509_V_ERR_OUT_OF_MEM: out of memory
+ # 18 - X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate
+ # 19 - X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain
+ # 20 - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
+ # 21 - X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate
+ # 22 - X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long
+ # 23 - X509_V_ERR_CERT_REVOKED: certificate revoked
+ # 24 - X509_V_ERR_INVALID_CA: invalid CA certificate
+ # 25 - X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded
+ # 26 - X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose
+ # 27 - X509_V_ERR_CERT_UNTRUSTED: certificate not trusted
+ # 28 - X509_V_ERR_CERT_REJECTED: certificate rejected
+ # 29 - X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch
+ # 30 - X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch
+ # 31 - X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch
+ # 32 - X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing
+ # 50 - X509_V_ERR_APPLICATION_VERIFICATION: application verification failure
+
+Check openssl doc L
+
+=item * set_verify_result
+
+Override result of peer certificate verification.
+
+ Net::SSLeay::set_verify_result($ssl, $v);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $v - (integer) result value
+ #
+ # returns: no return value
+
+For more info about valid return values see L
+
+Check openssl doc L
+
+=item * get_wbio
+
+Get 'write' BIO linked to an SSL object $ssl.
+
+ my $rv = Net::SSLeay::get_wbio($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: value corresponding to openssl's BIO structure (0 on failure)
+
+Check openssl doc L
+
+=item * load_client_CA_file
+
+Load X509 certificates from file (PEM formatted).
+
+ my $rv = Net::SSLeay::load_client_CA_file($file);
+ # $file - (string) file name
+ #
+ # returns: value corresponding to openssl's STACK_OF(X509_NAME) structure (0 on failure)
+
+Check openssl doc L
+
+=item * clear_num_renegotiations
+
+Executes SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS command on $ssl.
+
+ my $rv = Net::SSLeay::clear_num_renegotiations($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: command result
+
+=item * need_tmp_RSA
+
+Executes SSL_CTRL_NEED_TMP_RSA command on $ssl.
+
+ my $rv = Net::SSLeay::need_tmp_RSA($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: command result
+
+Not available with OpenSSL 1.1 and later.
+
+=item * num_renegotiations
+
+Executes SSL_CTRL_GET_NUM_RENEGOTIATIONS command on $ssl.
+
+ my $rv = Net::SSLeay::num_renegotiations($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: command result
+
+=item * total_renegotiations
+
+Executes SSL_CTRL_GET_TOTAL_RENEGOTIATIONS command on $ssl.
+
+ my $rv = Net::SSLeay::total_renegotiations($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: command result
+
+=item * peek
+
+Copies $max bytes from the specified $ssl into the returned value.
+In contrast to the C function, the data in the SSL
+buffer is unmodified after the SSL_peek() operation.
+
+ Net::SSLeay::peek($ssl, $max);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $max - [optional] max bytes to peek (integer) - default is 32768
+ #
+ # in scalar context: data read from the TLS/SSL connection, undef on error
+ # in list context: two-item array consisting of data read (undef on error),
+ # and return code from SSL_peek().
+
+=item * peek_ex
+
+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1, not in LibreSSL
+
+Copies $max bytes from the specified $ssl into the returned value.
+In contrast to the C function, the data in the SSL
+buffer is unmodified after the SSL_peek_ex() operation.
+
+ my($got, $rv) = Net::SSLeay::peek_ex($ssl, $max);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $max - [optional] max bytes to peek (integer) - default is 32768
+ #
+ # returns a list: two-item list consisting of data read (undef on error),
+ # and return code from SSL_peek_ex().
+
+Check openssl doc L
+
+=item * pending
+
+Obtain number of readable bytes buffered in $ssl object.
+
+ my $rv = Net::SSLeay::pending($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: the number of bytes pending
+
+Check openssl doc L
+
+=item * has_pending
+
+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.0, not in LibreSSL
+
+Returns 1 if $ssl has buffered data (whether processed or unprocessed) and 0 otherwise.
+
+ my $rv = Net::SSLeay::has_pending($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: (integer) 1 or 0
+
+Check openssl doc L
+
+=item * read
+
+Tries to read $max bytes from the specified $ssl.
+
+ my $got = Net::SSLeay::read($ssl, $max);
+ my($got, $rv) = Net::SSLeay::read($ssl, $max);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $max - [optional] max bytes to read (integer) - default is 32768
+ #
+ # returns:
+ # in scalar context: data read from the TLS/SSL connection, undef on error
+ # in list context: two-item array consisting of data read (undef on error),
+ # and return code from SSL_read().
+
+Check openssl doc L
+
+=item * read_ex
+
+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1, not in LibreSSL
+
+Tries to read $max bytes from the specified $ssl.
+
+ my($got, $rv) = Net::SSLeay::read_ex($ssl, $max);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $max - [optional] max bytes to read (integer) - default is 32768
+ #
+ # returns a list: two-item list consisting of data read (undef on error),
+ # and return code from SSL_read_ex().
+
+Check openssl doc L
+
+=item * renegotiate
+
+Turn on flags for renegotiation so that renegotiation will happen
+
+ my $rv = Net::SSLeay::renegotiate($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: 1 on success, 0 on failure
+
+=item * rstate_string
+
+Returns a 2 letter string indicating the current read state of the SSL object $ssl.
+
+ my $rv = Net::SSLeay::rstate_string($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: 2-letter string
+
+Check openssl doc L
+
+=item * rstate_string_long
+
+Returns a string indicating the current read state of the SSL object ssl.
+
+ my $rv = Net::SSLeay::rstate_string_long($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: string with current state
+
+Check openssl doc L
+
+=item * session_reused
+
+Query whether a reused session was negotiated during handshake.
+
+ my $rv = Net::SSLeay::session_reused($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: 0 - new session was negotiated; 1 - session was reused.
+
+Check openssl doc L
+
+=item * set1_param
+
+B requires at least OpenSSL 1.0.0-beta3
+
+Applies X509 verification parameters $vpm on $ssl
+
+ my $rv = Net::SSLeay::set1_param($ssl, $vpm);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $vpm - value corresponding to openssl's X509_VERIFY_PARAM structure
+ #
+ # returns: 1 on success, 0 on failure
+
+=item * set_accept_state
+
+Sets $ssl to work in server mode.
+
+ Net::SSLeay::set_accept_state($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * set_bio
+
+Connects the BIOs $rbio and $wbio for the read and write operations of the TLS/SSL (encrypted) side of $ssl.
+
+ Net::SSLeay::set_bio($ssl, $rbio, $wbio);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $rbio - value corresponding to openssl's BIO structure
+ # $wbio - value corresponding to openssl's BIO structure
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * set_cipher_list
+
+Sets the list of ciphers only for ssl.
+
+ my $rv = Net::SSLeay::set_cipher_list($ssl, $str);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $str - (string) cipher list e.g. '3DES:+RSA'
+ #
+ # returns: 1 if any cipher could be selected and 0 on complete failure
+
+Check openssl doc L
+
+=item * set_ciphersuites
+
+B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1, not in LibreSSL
+
+Configure the available TLSv1.3 ciphersuites.
+
+ my $rv = Net::SSLeay::set_ciphersuites($ssl, $str);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $str - colon (":") separated list of TLSv1.3 ciphersuite names in order of preference
+ #
+ # returns: (integer) 1 if the requested ciphersuite list was configured, and 0 otherwise
+
+Check openssl doc L
+
+=item * set_client_CA_list
+
+Sets the list of CAs sent to the client when requesting a client certificate
+for the chosen $ssl, overriding the setting valid for $ssl's SSL_CTX object.
+
+ my $rv = Net::SSLeay::set_client_CA_list($ssl, $list);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $list - value corresponding to openssl's STACK_OF(X509_NAME) structure
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * set_connect_state
+
+Sets $ssl to work in client mode.
+
+ Net::SSLeay::set_connect_state($ssl);
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * set_fd
+
+Sets the file descriptor $fd as the input/output facility for the TLS/SSL (encrypted)
+side of $ssl, $fd will typically be the socket file descriptor of a network connection.
+
+ my $rv = Net::SSLeay::set_fd($ssl, $fd);
+ # $ssl - value corresponding to openssl's SSL structure
+ # $fd - (integer) file handle (got via perl's fileno)
+ #
+ # returns: 1 on success, 0 on failure
+
+Check openssl doc L
+
+=item * set_psk_client_callback
+
+Sets the psk client callback.
+ + Net::SSLeay::set_psk_client_callback($ssl, sub { my $hint = shift; return ($identity, $key) } ); + # $ssl - value corresponding to openssl's SSL structure + # $hint - PSK identity hint send by the server + # $identity - PSK identity + # $key - PSK key, hex string without the leading '0x', e.g. 'deadbeef' + # + # returns: no return value + +Check openssl doc L + +=item * set_rfd + +Sets the file descriptor $fd as the input (read) facility for the TLS/SSL (encrypted) side of $ssl. + + my $rv = Net::SSLeay::set_rfd($ssl, $fd); + # $ssl - value corresponding to openssl's SSL structure + # $fd - (integer) file handle (got via perl's fileno) + # + # returns: 1 on success, 0 on failure + +Check openssl doc L + +=item * set_wfd + + my $rv = Net::SSLeay::set_wfd($ssl, $fd); + # $ssl - value corresponding to openssl's SSL structure + # $fd - (integer) file handle (got via perl's fileno) + # + # returns: 1 on success, 0 on failure + +Check openssl doc L + +=item * set_info_callback + +Sets the callback function, that can be used to obtain state information for $ssl during connection setup and use. +When callback is undef, the callback setting currently valid for ctx is used. + + Net::SSLeay::set_info_callback($ssl, $cb, [$data]); + # $ssl - value corresponding to openssl's SSL structure + # $cb - sub { my ($ssl,$where,$ret,$data) = @_; ... } + # + # returns: no return value + +Check openssl doc L + +=item * CTX_set_info_callback + +Sets the callback function on ctx, that can be used to obtain state information during ssl connection setup and use. +When callback is undef, an existing callback will be disabled. + + Net::SSLeay::CTX_set_info_callback($ssl, $cb, [$data]); + # $ssl - value corresponding to openssl's SSL structure + # $cb - sub { my ($ssl,$where,$ret,$data) = @_; ... 
} + # + # returns: no return value + +Check openssl doc L + +=item * set_msg_callback + +Sets the callback function, that can be used to obtain protocol messages information for $ssl during connection setup and use. +When callback is undef, the callback setting currently valid for ctx is used. +Note that set_msg_callback_arg is not provided as there is no need to explicitly set $arg, this is handled by set_msg_callback. + + Net::SSLeay::set_msg_callback($ssl, $cb, [$arg]); + # $ssl - value corresponding to openssl's SSL structure + # $cb - sub { my ($write_p,$version,$content_type,$buf,$len,$ssl,$arg) = @_; ... } + # + # returns: no return value + +Check openssl doc L + +=item * CTX_set_msg_callback + +Sets the callback function on ctx, that can be used to obtain protocol messages information for ssl connection setup and use. +When callback is undef, the existing callback will be disabled. +Note that CTX_set_msg_callback_arg is not provided as there is no need to explicitly set $arg, this is handled by CTX_set_msg_callback. + + Net::SSLeay::CTX_set_msg_callback($ssl, $cb, [$arg]); + # $ssl - value corresponding to openssl's SSL structure + # $cb - sub { my ($write_p,$version,$content_type,$buf,$len,$ssl,$arg) = @_; ... } + # + # returns: no return value + +Check openssl doc L + +=item * set_pref_cipher + +Sets the list of available ciphers for $ssl using the control string $str. + + my $rv = Net::SSLeay::set_pref_cipher($ssl, $str); + # $ssl - value corresponding to openssl's SSL structure + # $str - (string) cipher list e.g. '3DES:+RSA' + # + # returns: 1 if any cipher could be selected and 0 on complete failure + +Check openssl doc L + +=item * CTX_set_psk_client_callback + +Sets the psk client callback. 
+ + Net::SSLeay::CTX_set_psk_client_callback($ssl, sub { my $hint = shift; return ($identity, $key) } ); + # $ssl - value corresponding to openssl's SSL structure + # $hint - PSK identity hint send by the server + # $identity - PSK identity + # $key - PSK key, hex string without the leading '0x', e.g. 'deadbeef' + # + # returns: no return value + +Check openssl doc L + +=item * set_purpose + + my $rv = Net::SSLeay::set_purpose($ssl, $purpose); + # $ssl - value corresponding to openssl's SSL structure + # $purpose - (integer) purpose identifier + # + # returns: 1 on success, 0 on failure + +For more info about available $purpose identifiers see L. + +=item * set_quiet_shutdown + +Sets the 'quiet shutdown' flag for $ssl to be $mode. + + Net::SSLeay::set_quiet_shutdown($ssl, $mode); + # $ssl - value corresponding to openssl's SSL structure + # $mode - 0 or 1 + # + # returns: no return value + +Check openssl doc L + +=item * set_session + +Set a TLS/SSL session to be used during TLS/SSL connect. + + my $rv = Net::SSLeay::set_session($to, $ses); + # $to - value corresponding to openssl's SSL structure + # $ses - value corresponding to openssl's SSL_SESSION structure + # + # returns: 1 on success, 0 on failure + +Check openssl doc L + +=item * set_session_id_context + +Sets the context $sid_ctx of length $sid_ctx_len within which a session can be reused for the $ssl object. + + my $rv = Net::SSLeay::set_session_id_context($ssl, $sid_ctx, $sid_ctx_len); + # $ssl - value corresponding to openssl's SSL structure + # $sid_ctx - data buffer + # $sid_ctx_len - length of data in $sid_ctx + # + # returns: 1 on success, 0 on failure + +Check openssl doc L + +=item * set_session_secret_cb + +Setup pre-shared secret session resumption function. 
+ + Net::SSLeay::set_session_secret_cb($ssl, $func, $data); + # $ssl - value corresponding to openssl's SSL structure + # $func - perl reference to callback function + # $data - [optional] data that will be passed to callback function when invoked + # + # returns: no return value + +The callback function will be called like: + + callback_function($secret, $ciphers, $pref_cipher, $data); + # $secret is the current master session key, usually all 0s at the beginning of a session + # $ciphers is ref to an array of peer cipher names + # $pref_cipher is a ref to an index into the list of cipher names of + # the preferred cipher. Set it if you want to specify a preferred cipher + # $data is the data passed to set_session_secret_cb + +The callback function should return 1 if it likes the suggested cipher (or has selected an alternative +by setting pref_cipher), else it should return 0 (in which case OpenSSL will select its own preferred cipher). + +With OpenSSL 1.1 and later, callback_function can change the master key for the session by +altering $secret and returning 1. + +=item * CTX_set_tlsext_ticket_getkey_cb + +Setup encryption for TLS session tickets (stateless session reuse). + + Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb($ctx, $func, $data); + # $ctx - value corresponding to openssl's SSL_CTX structure + # $func - perl reference to callback function + # $data - [optional] data that will be passed to callback function when invoked + # + # returns: no return value + +The callback function will be called like: + + getkey($data,[$key_name]) -> ($key,$current_key_name) + # $data is the data passed to set_session_secret_cb + # $key_name is the name of the key OpenSSL has extracted from the session ticket + # $key is the requested key for ticket encryption + HMAC + # $current_key_name is the name for the currently valid key + +OpenSSL will call the function without a key name if it generates a new ticket. 
+It then needs the callback to return the encryption+HMAC key and an identifier +(key name) for this key. + +When OpenSSL gets a session ticket from the client it extracts the key name and +calls the callback with this name as argument. It then expects the callback to +return the encryption+HMAC key matching the requested key name and and also the +key name which should be used at the moment. If the requested key name and the +returned key name differ it means that this session ticket was created with an +expired key and need to be renewed. In this case OpenSSL will call the callback +again with no key name to create a new session ticket based on the old one. + +The key must be at least 32 byte of random data which can be created with +RAND_bytes. Internally the first 16 byte are used as key in AES-128 encryption +while the next 16 byte are used for the SHA-256 HMAC. +The key name are binary data and must be exactly 16 byte long. + +Example: + + Net::SSLeay::RAND_bytes(my $oldkey,32); + Net::SSLeay::RAND_bytes(my $newkey,32); + my $oldkey_name = pack("a16",'oldsecret'); + my $newkey_name = pack("a16",'newsecret'); + + my @keys = ( + [ $newkey_name, $newkey ], # current active key + [ $oldkey_name, $oldkey ], # already expired + ); + + Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb($server2->_ctx, sub { + my ($mykeys,$name) = @_; + + # return (current_key, current_key_name) if no name given + return ($mykeys->[0][1],$mykeys->[0][0]) if ! $name; + + # return (matching_key, current_key_name) if we find a key matching + # the given name + for(my $i = 0; $i<@$mykeys; $i++) { + next if $name ne $mykeys->[$i][0]; + return ($mykeys->[$i][1],$mykeys->[0][0]); + } + + # no matching key found + return; + },\@keys); + + +This function is based on the OpenSSL function SSL_CTX_set_tlsext_ticket_key_cb +but provides a simpler to use interface. For more information see +L + +=item * set_session_ticket_ext_cb + +Setup callback for TLS session tickets (stateless session reuse). 
+ + Net::SSLeay::set_session_ticket_ext_cb($ssl, $func, $data); + # $ssl - value corresponding to openssl's SSL structure + # $func - perl reference to callback function + # $data - [optional] data that will be passed to callback function when invoked + # + # returns: no return value + +The callback function will be called like: + + getticket($ssl,$ticket,$data) -> $return_value + # $ssl is a value corresponding to openssl's SSL structure + # $ticket is a value of received TLS session ticket (can also be empty) + # $data is the data passed to set_session_ticket_ext_cb + # $return_value is either 0 (failure) or 1 (success) + +This function is based on the OpenSSL function SSL_set_session_ticket_ext_cb. + +=item * set_session_ticket_ext + +Set TLS session ticket (stateless session reuse). + + Net::SSLeay::set_session_ticket_ext($ssl, $ticket); + # $ssl - value corresponding to openssl's SSL structure + # $ticket - is a value of TLS session ticket which client will send (can also be empty string) + # + # returns: no return value + +The callback function will be called like: + + getticket($ssl,$ticket,$data) -> $return_value + # $ssl is a value corresponding to openssl's SSL structure + # $ticket is a value of received TLS session ticket (can also be empty) + # $data is the data passed to set_session_ticket_ext_cb + # $return_value is either 0 (failure) or 1 (success) + +This function is based on the OpenSSL function SSL_set_session_ticket_ext_cb. + +=item * set_shutdown + +Sets the shutdown state of $ssl to $mode. + + Net::SSLeay::set_shutdown($ssl, $mode); + # $ssl - value corresponding to openssl's SSL structure + # $mode - (integer) shutdown mode: + # 0 - No shutdown + # 1 - SSL_SENT_SHUTDOWN + # 2 - SSL_RECEIVED_SHUTDOWN + # 3 - SSL_RECEIVED_SHUTDOWN+SSL_SENT_SHUTDOWN + # + # returns: no return value + +Check openssl doc L + +=item * set_ssl_method + +Sets a new TLS/SSL method for a particular $ssl object. 
+ + my $rv = Net::SSLeay::set_ssl_method($ssl, $method); + # $ssl - value corresponding to openssl's SSL structure + # $method - value corresponding to openssl's SSL_METHOD structure + # + # returns: 1 on success, 0 on failure + +Check openssl doc L + +=item * set_tmp_dh + +Sets DH parameters to be used to be $dh. + + my $rv = Net::SSLeay::set_tmp_dh($ssl, $dh); + # $ssl - value corresponding to openssl's SSL structure + # $dh - value corresponding to openssl's DH structure + # + # returns: 1 on success, 0 on failure + +Check openssl doc L + +=item * set_tmp_dh_callback + +Sets the callback function for $ssl to be used when a DH parameters are required to $dh_cb. + +??? (does this function really work?) + + Net::SSLeay::set_tmp_dh_callback($ssl, $dh); + # $ssl - value corresponding to openssl's SSL structure + # $dh_cb - pointer to function ??? + # + # returns: no return value + +Check openssl doc L + +=item * set_tmp_rsa + +Sets the temporary/ephemeral RSA key to be used in $ssl to be $rsa. + + my $rv = Net::SSLeay::set_tmp_rsa($ssl, $rsa); + # $ssl - value corresponding to openssl's SSL structure + # $rsa - value corresponding to openssl's RSA structure + # + # returns: 1 on success, 0 on failure + +Example: + + $rsakey = Net::SSLeay::RSA_generate_key(); + Net::SSLeay::set_tmp_rsa($ssl, $rsakey); + Net::SSLeay::RSA_free($rsakey); + +Check openssl doc L + +=item * set_tmp_rsa_callback + +Sets the callback function for $ssl to be used when a temporary/ephemeral RSA key is required to $tmp_rsa_callback. + +??? (does this function really work?) + + Net::SSLeay::set_tmp_rsa_callback($ssl, $tmp_rsa_callback); + # $ssl - value corresponding to openssl's SSL structure + # $tmp_rsa_callback - (function pointer) ??? 
+ # + # returns: no return value + +Check openssl doc L + +=item * set_trust + + my $rv = Net::SSLeay::set_trust($ssl, $trust); + # $ssl - value corresponding to openssl's SSL structure + # $trust - (integer) trust identifier + # + # returns: the original value + +For more details about $trust values see L. + +=item * shutdown + +Shuts down an active TLS/SSL connection. It sends the 'close notify' shutdown alert to the peer. + + my $rv = Net::SSLeay::shutdown($ssl); + # $ssl - value corresponding to openssl's SSL structure + # + # returns: 1 - shutdown was successfully completed + # 0 - shutdown is not yet finished, + # -1 - shutdown was not successful + +Check openssl doc L + +=item * state_string + +Returns a 6 letter string indicating the current state of the SSL object $ssl. + + my $rv = Net::SSLeay::state_string($ssl); + # $ssl - value corresponding to openssl's SSL structure + # + # returns: 6-letter string + +Check openssl doc L + +=item * state_string_long + +Returns a string indicating the current state of the SSL object $ssl. + + my $rv = Net::SSLeay::state_string_long($ssl); + # $ssl - value corresponding to openssl's SSL structure + # + # returns: state strings + +Check openssl doc L + +=item * set_default_passwd_cb + +B not available in Net-SSLeay-1.82 and before; requires at least OpenSSL 1.1.0f. Not needed with LibreSSL. + +Sets the default password callback called when loading/storing a PEM certificate with encryption for $ssl. + + Net::SSLeay::set_default_passwd_cb($ssl, $func); + # $ssl - value corresponding to openssl's SSL structure + # $func - perl reference to callback function + # + # returns: no return value + +Check openssl doc L + +=item * set_default_passwd_cb_userdata + +B not available in Net-SSLeay-1.82 and before; requires at least OpenSSL 1.1.0f. Not needed with LibreSSL. + +Sets a pointer to userdata which will be provided to the password callback of $ssl on invocation. 
+ + Net::SSLeay::set_default_passwd_cb_userdata($ssl, $userdata); + # $ssl - value corresponding to openssl's SSL structure + # $userdata - data that will be passed to callback function when invoked + # + # returns: no return value + +Check openssl doc L + +=item * use_PrivateKey + +Adds $pkey as private key to $ssl. + + my $rv = Net::SSLeay::use_PrivateKey($ssl, $pkey); + # $ssl - value corresponding to openssl's SSL structure + # $pkey - value corresponding to openssl's EVP_PKEY structure + # + # returns: 1 on success, otherwise check out the error stack to find out the reason + +Check openssl doc L + +=item * use_PrivateKey_ASN1 + +Adds the private key of type $pk stored in $data to $ssl. + + my $rv = Net::SSLeay::use_PrivateKey_ASN1($pk, $ssl, $d, $len); + # $pk - (integer) key type, NID of corresponding algorithm + # $ssl - value corresponding to openssl's SSL structure + # $data - key data (binary) + # $len - length of $data + # + # returns: 1 on success, otherwise check out the error stack to find out the reason + +Check openssl doc L + +=item * use_PrivateKey_file + +Adds the first private key found in $file to $ssl. + + my $rv = Net::SSLeay::use_PrivateKey_file($ssl, $file, $type); + # $ssl - value corresponding to openssl's SSL structure + # $file - (string) file name + # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1 + # + # returns: 1 on success, otherwise check out the error stack to find out the reason + +Check openssl doc L + +=item * use_RSAPrivateKey + +Adds $rsa as RSA private key to $ssl. + + my $rv = Net::SSLeay::use_RSAPrivateKey($ssl, $rsa); + # $ssl - value corresponding to openssl's SSL structure + # $rsa - value corresponding to openssl's RSA structure + # + # returns: 1 on success, otherwise check out the error stack to find out the reason + +Check openssl doc L + +=item * use_RSAPrivateKey_ASN1 + +Adds RSA private key stored in $data to $ssl. 
+ + my $rv = Net::SSLeay::use_RSAPrivateKey_ASN1($ssl, $data, $len); + # $ssl - value corresponding to openssl's SSL structure + # $data - key data (binary) + # $len - length of $data + # + # returns: 1 on success, otherwise check out the error stack to find out the reason + +Check openssl doc L + +=item * use_RSAPrivateKey_file + +Adds the first RSA private key found in $file to $ssl. + + my $rv = Net::SSLeay::use_RSAPrivateKey_file($ssl, $file, $type); + # $ssl - value corresponding to openssl's SSL structure + # $file - (string) file name + # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1 + # + # returns: 1 on success, otherwise check out the error stack to find out the reason + +Check openssl doc L + +=item * use_certificate + +Loads the certificate $x into $ssl. + + my $rv = Net::SSLeay::use_certificate($ssl, $x); + # $ssl - value corresponding to openssl's SSL structure + # $x - value corresponding to openssl's X509 structure + # + # returns: 1 on success, otherwise check out the error stack to find out the reason + +Check openssl doc L + +=item * use_certificate_ASN1 + +Loads the ASN1 encoded certificate from $data to $ssl. + + my $rv = Net::SSLeay::use_certificate_ASN1($ssl, $data, $len); + # $ssl - value corresponding to openssl's SSL structure + # $data - certificate data (binary) + # $len - length of $data + # + # returns: 1 on success, otherwise check out the error stack to find out the reason + +Check openssl doc L + +=item * use_certificate_chain_file + +B: not available in Net-SSLeay-1.82 and before; requires at least OpenSSL 1.1.0 + +Loads a certificate chain from $file into $ssl. The certificates must be in PEM format and must be sorted +starting with the subject's certificate (actual client or server certificate), followed by intermediate +CA certificates if applicable, and ending at the highest level (root) CA. 
+ + my $rv = Net::SSLeay::use_certificate_chain_file($ssl, $file); + # $ssl - value corresponding to openssl's SSL structure + # $file - (string) file name + # + # returns: 1 on success, otherwise check out the error stack to find out the reason + +Check openssl doc L + +=item * use_certificate_file + +Loads the first certificate stored in $file into $ssl. + + my $rv = Net::SSLeay::use_certificate_file($ssl, $file, $type); + # $ssl - value corresponding to openssl's SSL structure + # $file - (string) file name + # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1 + # + # returns: 1 on success, otherwise check out the error stack to find out the reason + +Check openssl doc L + +=item * get_version + +Returns SSL/TLS protocol name + + my $rv = Net::SSLeay::get_version($ssl); + # $ssl - value corresponding to openssl's SSL structure + # + # returns: (string) protocol name, see OpenSSL manual for the full list + # TLSv1 + # TLSv1.3 + +Check openssl doc L + +=item * version + +Returns SSL/TLS protocol version + + my $rv = Net::SSLeay::version($ssl); + # $ssl - value corresponding to openssl's SSL structure + # + # returns: (integer) protocol version, see OpenSSL manual for the full list + # 0x0301 - TLS1_VERSION (TLSv1) + # 0xFEFF - DTLS1_VERSION (DTLSv1) + +Check openssl doc L + +=item * client_version + +B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.0, not in LibreSSL + +Returns TLS protocol version used by the client when initiating the connection + + my $rv = Net::SSLeay::client_version($ssl); + # $ssl - value corresponding to openssl's SSL structure + # + # returns: (integer) protocol version, see OpenSSL manual for the full list + # 0x0301 - TLS1_VERSION (TLSv1) + # 0xFEFF - DTLS1_VERSION (DTLSv1) + +Check openssl doc L + +=item * is_dtls + +B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.0, not in LibreSSL + + my $rv = Net::SSLeay::is_dtls($ssl); + # $ssl - 
value corresponding to openssl's SSL structure + # + # returns: (integer) zero or one + # 0 - connection is not using DTLS + # 1 - connection is using DTLS + +Check openssl doc L + +=item * want + +Returns state information for the SSL object $ssl. + + my $rv = Net::SSLeay::want($ssl); + # $ssl - value corresponding to openssl's SSL structure + # + # returns: state + # 1 - SSL_NOTHING + # 2 - SSL_WRITING + # 3 - SSL_READING + # 4 - SSL_X509_LOOKUP + +Check openssl doc L + +=item * write + +Writes data from the buffer $data into the specified $ssl connection. + + my $rv = Net::SSLeay::write($ssl, $data); + # $ssl - value corresponding to openssl's SSL structure + # $data - data to be written + # + # returns: >0 - (success) number of bytes actually written to the TLS/SSL connection + # 0 - write not successful, probably the underlying connection was closed + # <0 - error + +Check openssl doc L + +=item * write_ex + +B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1, not in LibreSSL + +Writes data from the buffer $data into the specified $ssl connection. + + my ($len, $rv) = Net::SSLeay::write_ex($ssl, $data); + # $ssl - value corresponding to openssl's SSL structure + # $data - data to be written + # + # returns a list: two-item list consisting of number of bytes written, + # and return code from SSL_write_ex() + +Check openssl doc L + +=item * write_partial + +B Does not exactly correspond to any low level API function + +Writes a fragment of data in $data from the buffer $data into the specified +$ssl connection. This is a non-blocking function like L. 
+ + my $rv = Net::SSLeay::write_partial($ssl, $from, $count, $data); + # $ssl - value corresponding to openssl's SSL structure + # $from - (integer) offset from the beginning of $data + # $count - (integer) length of data to be written + # $data - data buffer + # + # returns: >0 - (success) number of bytes actually written to the TLS/SSL connection + # 0 - write not successful, probably the underlying connection was closed + # <0 - error + +=item * set_tlsext_host_name + +B not available in Net-SSLeay-1.45 and before; requires at least openssl-0.9.8f + +Sets TLS servername extension on SLL object $ssl to value $name. + + my $rv = set_tlsext_host_name($ssl, $name); + # $ssl - value corresponding to openssl's SSL structure + # $name - (string) name to be set + # + # returns: 1 on success, 0 on failure + +=back + +=head3 Low level API: RAND_* related functions + +Check openssl doc related to RAND stuff L + +=over + +=item * RAND_add + +Mixes the $num bytes at $buf into the PRNG state. + + Net::SSLeay::RAND_add($buf, $num, $entropy); + # $buf - buffer with data to be mixed into the PRNG state + # $num - number of bytes in $buf + # $entropy - estimate of how much randomness is contained in $buf (in bytes) + # + # returns: no return value + +Check openssl doc L + +=item * RAND_seed + +Equivalent to L when $num == $entropy. + + Net::SSLeay::RAND_seed($buf); # Perlishly figures out buf size + # $buf - buffer with data to be mixed into the PRNG state + # $num - number of bytes in $buf + # + # returns: no return value + +Check openssl doc L + +=item * RAND_status + +Gives PRNG status (seeded enough or not). + + my $rv = Net::SSLeay::RAND_status(); + #returns: 1 if the PRNG has been seeded with enough data, 0 otherwise + +Check openssl doc L + +=item * RAND_bytes + +Puts $num cryptographically strong pseudo-random bytes into $buf. 
+ + my $rv = Net::SSLeay::RAND_bytes($buf, $num); + # $buf - buffer where the random data will be stored + # $num - the size (in bytes) of requested random data + # + # returns: 1 on success, -1 if not supported by the current RAND method, or 0 on other failure + +Check openssl doc L + +=item * RAND_priv_bytes + +B not available in Net-SSLeay-1.85 and before; requires at least OpenSSL 1.1.1, not in LibreSSL + +Puts $num cryptographically strong pseudo-random bytes into $buf. + + my $rv = Net::SSLeay::RAND_priv_bytes($buf, $num); + # $buf - buffer where the random data will be stored + # $num - the size (in bytes) of requested random data + # + # returns: 1 on success, -1 if not supported by the current RAND method, or 0 on other failure + +RAND_priv_bytes has the same semantics as RAND_bytes, but see see the documentation for more information. + +Check openssl doc L + +=item * RAND_pseudo_bytes + +Puts $num pseudo-random (not necessarily unpredictable) bytes into $buf. + + my $rv = Net::SSLeay::RAND_pseudo_bytes($buf, $num); + # $buf - buffer where the random data will be stored + # $num - the size (in bytes) of requested random data + # + # returns: 1 if the bytes generated are cryptographically strong, 0 otherwise + +Check openssl doc L + +=item * RAND_cleanup + +Erase the PRNG state. + + Net::SSLeay::RAND_cleanup(); + # no args, no return value + +Check openssl doc L + +=item * RAND_egd_bytes + +Queries the entropy gathering daemon EGD on socket $path for $bytes bytes. + + my $rv = Net::SSLeay::RAND_egd_bytes($path, $bytes); + # $path - path to a socket of entropy gathering daemon EGD + # $bytes - number of bytes we want from EGD + # + # returns: the number of bytes read from the daemon on success, and -1 on failure + +Check openssl doc L + +=item * RAND_file_name + +Generates a default path for the random seed file. 
+ + my $file = Net::SSLeay::RAND_file_name($num); + # $num - maximum size of returned file name + # + # returns: string with file name on success, '' (empty string) or undef on failure + +LibreSSL and OpenSSL 1.1.0a and later return undef when, for example, $num is not large enough to hold the filename. + +Check openssl doc L + +=item * RAND_load_file + +B Is no longer functional on LibreSSL + +Reads $max_bytes of bytes from $file_name and adds them to the PRNG. + + my $rv = Net::SSLeay::RAND_load_file($file_name, $max_bytes); + # $file_name - the name of file + # $max_bytes - bytes to read from $file_name; -1 => the complete file is read + # + # returns: the number of bytes read + +Check openssl doc L + +=item * RAND_write_file + +Writes 1024 random bytes to $file_name which can be used to initialize the PRNG by calling L in a later session. + + my $rv = Net::SSLeay::RAND_write_file($file_name); + # $file_name - the name of file + # + # returns: the number of bytes written, and -1 if the bytes written were generated without appropriate seed + +Check openssl doc L + +=item * RAND_poll + +Collects some entropy from operating system and adds it to the PRNG. + + my $rv = Net::SSLeay::RAND_poll(); + # returns: 1 on success, 0 on failure (unable to gather reasonable entropy) + +=back + +=head3 Low level API: OBJ_* related functions + +=over + +=item * OBJ_cmp + +Compares ASN1_OBJECT $a to ASN1_OBJECT $b. + + my $rv = Net::SSLeay::OBJ_cmp($a, $b); + # $a - value corresponding to openssl's ASN1_OBJECT structure + # $b - value corresponding to openssl's ASN1_OBJECT structure + # + # returns: if the two are identical 0 is returned + +Check openssl doc L + +=item * OBJ_dup + +Returns a copy/duplicate of $o. 
+ + my $rv = Net::SSLeay::OBJ_dup($o); + # $o - value corresponding to openssl's ASN1_OBJECT structure + # + # returns: value corresponding to openssl's ASN1_OBJECT structure (0 on failure) + +Check openssl doc L + +=item * OBJ_nid2ln + +Returns long name for given NID $n. + + my $rv = Net::SSLeay::OBJ_nid2ln($n); + # $n - (integer) NID + # + # returns: (string) long name e.g. 'commonName' + +Check openssl doc L + +=item * OBJ_ln2nid + +Returns NID corresponding to given long name $n. + + my $rv = Net::SSLeay::OBJ_ln2nid($s); + # $s - (string) long name e.g. 'commonName' + # + # returns: (integer) NID + +=item * OBJ_nid2sn + +Returns short name for given NID $n. + + my $rv = Net::SSLeay::OBJ_nid2sn($n); + # $n - (integer) NID + # + # returns: (string) short name e.g. 'CN' + +Example: + + print Net::SSLeay::OBJ_nid2sn(&Net::SSLeay::NID_commonName); + +=item * OBJ_sn2nid + +Returns NID corresponding to given short name $s. + + my $rv = Net::SSLeay::OBJ_sn2nid($s); + # $s - (string) short name e.g. 'CN' + # + # returns: (integer) NID + +Example: + + print "NID_commonName constant=", &Net::SSLeay::NID_commonName; + print "OBJ_sn2nid('CN')=", Net::SSLeay::OBJ_sn2nid('CN'); + +=item * OBJ_nid2obj + +Returns ASN1_OBJECT for given NID $n. + + my $rv = Net::SSLeay::OBJ_nid2obj($n); + # $n - (integer) NID + # + # returns: value corresponding to openssl's ASN1_OBJECT structure (0 on failure) + +Check openssl doc L + +=item * OBJ_obj2nid + +Returns NID corresponding to given ASN1_OBJECT $o. + + my $rv = Net::SSLeay::OBJ_obj2nid($o); + # $o - value corresponding to openssl's ASN1_OBJECT structure + # + # returns: (integer) NID + +Check openssl doc L + +=item * OBJ_txt2obj + +Converts the text string s into an ASN1_OBJECT structure. If $no_name is 0 then +long names (e.g. 'commonName') and short names (e.g. 'CN') will be interpreted +as well as numerical forms (e.g. '2.5.4.3'). If $no_name is 1 only the numerical +form is acceptable. 
+ + my $rv = Net::SSLeay::OBJ_txt2obj($s, $no_name); + # $s - text string to be converted + # $no_name - (integer) 0 or 1 + # + # returns: value corresponding to openssl's ASN1_OBJECT structure (0 on failure) + +Check openssl doc L + +=item * OBJ_obj2txt + +Converts the ASN1_OBJECT a into a textual representation. + + Net::SSLeay::OBJ_obj2txt($a, $no_name); + # $a - value corresponding to openssl's ASN1_OBJECT structure + # $no_name - (integer) 0 or 1 + # + # returns: textual representation e.g. 'commonName' ($no_name=0), '2.5.4.3' ($no_name=1) + +Check openssl doc L + +=item * OBJ_txt2nid + +Returns NID corresponding to text string $s which can be a long name, a short name or the numerical representation of an object. + + my $rv = Net::SSLeay::OBJ_txt2nid($s); + # $s - (string) e.g. 'commonName' or 'CN' or '2.5.4.3' + # + # returns: (integer) NID + +Example: + + my $nid = Net::SSLeay::OBJ_txt2nid('2.5.4.3'); + Net::SSLeay::OBJ_nid2sn($n); + +Check openssl doc L + +=back + +=head3 Low level API: ASN1_INTEGER_* related functions + +=over + +=item * ASN1_INTEGER_new + +B not available in Net-SSLeay-1.45 and before + +Creates a new ASN1_INTEGER structure. + + my $rv = Net::SSLeay::ASN1_INTEGER_new(); + # + # returns: value corresponding to openssl's ASN1_INTEGER structure (0 on failure) + +=item * ASN1_INTEGER_free + +B not available in Net-SSLeay-1.45 and before + +Free an allocated ASN1_INTEGER structure. + + Net::SSLeay::ASN1_INTEGER_free($i); + # $i - value corresponding to openssl's ASN1_INTEGER structure + # + # returns: no return value + +=item * ASN1_INTEGER_get + +B not available in Net-SSLeay-1.45 and before + +Returns integer value of given ASN1_INTEGER object. + +B If the value stored in ASN1_INTEGER is greater than max. integer that can be stored +in 'long' type (usually 32bit but may vary according to platform) then this function will return -1. +For getting large ASN1_INTEGER values consider using L or L. 
+ + my $rv = Net::SSLeay::ASN1_INTEGER_get($a); + # $a - value corresponding to openssl's ASN1_INTEGER structure + # + # returns: integer value of ASN1_INTEGER object in $a + +=item * ASN1_INTEGER_set + +B not available in Net-SSLeay-1.45 and before + +Sets value of given ASN1_INTEGER object to value $val + +B $val has max. limit (= max. integer that can be stored in 'long' type). +For setting large ASN1_INTEGER values consider using L or L. + + my $rv = Net::SSLeay::ASN1_INTEGER_set($i, $val); + # $i - value corresponding to openssl's ASN1_INTEGER structure + # $val - integer value + # + # returns: 1 on success, 0 on failure + +=item * P_ASN1_INTEGER_get_dec + +B not available in Net-SSLeay-1.45 and before + +Returns string with decimal representation of integer value of given ASN1_INTEGER object. + + Net::SSLeay::P_ASN1_INTEGER_get_dec($i); + # $i - value corresponding to openssl's ASN1_INTEGER structure + # + # returns: string with decimal representation + +=item * P_ASN1_INTEGER_get_hex + +B not available in Net-SSLeay-1.45 and before + +Returns string with hexadecimal representation of integer value of given ASN1_INTEGER object. 
+
+ Net::SSLeay::P_ASN1_INTEGER_get_hex($i);
+ # $i - value corresponding to openssl's ASN1_INTEGER structure
+ #
+ # returns: string with hexadecimal representation
+
+=item * P_ASN1_INTEGER_set_dec
+
+B not available in Net-SSLeay-1.45 and before
+
+Sets value of given ASN1_INTEGER object to value $val (decimal string, suitable for large integers)
+
+ Net::SSLeay::P_ASN1_INTEGER_set_dec($i, $str);
+ # $i - value corresponding to openssl's ASN1_INTEGER structure
+ # $str - string with decimal representation
+ #
+ # returns: 1 on success, 0 on failure
+
+=item * P_ASN1_INTEGER_set_hex
+
+B not available in Net-SSLeay-1.45 and before
+
+Sets value of given ASN1_INTEGER object to value $val (hexadecimal string, suitable for large integers)
+
+ Net::SSLeay::P_ASN1_INTEGER_set_hex($i, $str);
+ # $i - value corresponding to openssl's ASN1_INTEGER structure
+ # $str - string with hexadecimal representation
+ #
+ # returns: 1 on success, 0 on failure
+
+=back
+
+=head3 Low level API: ASN1_STRING_* related functions
+
+=over
+
+=item * P_ASN1_STRING_get
+
+B not available in Net-SSLeay-1.45 and before
+
+Returns string value of given ASN1_STRING object.
+
+ Net::SSLeay::P_ASN1_STRING_get($s, $utf8_decode);
+ # $s - value corresponding to openssl's ASN1_STRING structure
+ # $utf8_decode - [optional] 0 or 1 whether the returned value should be utf8 decoded (default=0)
+ #
+ # returns: string
+
+ $string = Net::SSLeay::P_ASN1_STRING_get($s);
+ #is the same as:
+ $string = Net::SSLeay::P_ASN1_STRING_get($s, 0);
+
+=back
+
+=head3 Low level API: ASN1_TIME_* related functions
+
+=over
+
+=item * ASN1_TIME_new
+
+B not available in Net-SSLeay-1.42 and before
+
+ my $time = ASN1_TIME_new();
+ # returns: value corresponding to openssl's ASN1_TIME structure
+
+=item * ASN1_TIME_free
+
+B not available in Net-SSLeay-1.42 and before
+
+ ASN1_TIME_free($time);
+ # $time - value corresponding to openssl's ASN1_TIME structure
+
+=item * ASN1_TIME_set
+
+B not available in Net-SSLeay-1.42 and before
+
+ ASN1_TIME_set($time, $t);
+ # $time - value corresponding to openssl's ASN1_TIME structure
+ # $t - time value in seconds since 1.1.1970
+
+B It is platform dependent how this function will handle dates after 2038.
+Although perl's integer is large enough the internal implementation of this function
+is dependent on the size of time_t structure (32bit time_t has problem with 2038).
+
+If you want to safely set date and time after 2038 use function L.
+
+=item * P_ASN1_TIME_get_isotime
+
+B not available in Net-SSLeay-1.42 and before; requires at least openssl-0.9.7e
+
+B Does not exactly correspond to any low level API function
+
+Gives ISO-8601 string representation of ASN1_TIME structure.
+
+ my $datetime_string = P_ASN1_TIME_get_isotime($time);
+ # $time - value corresponding to openssl's ASN1_TIME structure
+ #
+ # returns: datetime string like '2033-05-16T20:39:37Z' or '' on failure
+
+The output format is compatible with module L
+
+=item * P_ASN1_TIME_set_isotime
+
+B not available in Net-SSLeay-1.42 and before; requires at least openssl-0.9.7e
+
+B Does not exactly correspond to any low level API function
+
+Sets time and date value of ANS1_time structure.
+
+ my $rv = P_ASN1_TIME_set_isotime($time, $string);
+ # $time - value corresponding to openssl's ASN1_TIME structure
+ # $string - ISO-8601 timedate string like '2033-05-16T20:39:37Z'
+ #
+ # returns: 1 on success, 0 on failure
+
+The C<$string> parameter has to be in full form like C<"2012-03-22T23:55:33"> or
+C<"2012-03-22T23:55:33Z"> or C<"2012-03-22T23:55:33CET">. Short forms like
+C<"2012-03-22T23:55"> or C<"2012-03-22"> are not supported.
+
+=item * P_ASN1_TIME_put2string
+
+B not available in Net-SSLeay-1.42 and before, has bugs with openssl-0.9.8i
+
+B Does not exactly correspond to any low level API function
+
+Gives string representation of ASN1_TIME structure.
+
+ my $str = P_ASN1_TIME_put2string($time);
+ # $time - value corresponding to openssl's ASN1_TIME structure
+ #
+ # returns: datetime string like 'May 16 20:39:37 2033 GMT'
+
+=item * P_ASN1_UTCTIME_put2string
+
+B deprecated function, only for backward compatibility, just an alias
+for L
+
+=back
+
+=head3 Low level API: X509_* related functions
+
+=over
+
+=item * X509_new
+
+B not available in Net-SSLeay-1.45 and before
+
+Allocates and initializes a X509 structure.
+
+ my $rv = Net::SSLeay::X509_new();
+ #
+ # returns: value corresponding to openssl's X509 structure (0 on failure)
+
+Check openssl doc L
+
+=item * X509_free
+
+Frees up the X509 structure.
+
+ Net::SSLeay::X509_free($a);
+ # $a - value corresponding to openssl's X509 structure
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * X509_check_host
+
+B not available in Net-SSLeay-1.68 and before; requires at
+least OpenSSL 1.0.2. X509_CHECK_FLAG_NEVER_CHECK_SUBJECT requires OpenSSL 1.1.0.
+
+Checks if the certificate Subject Alternative Name (SAN) or Subject CommonName
+(CN) matches the specified host name.
+
+ my $rv = Net::SSLeay::X509_check_host($cert, $name, $flags, $peername);
+ # $cert - value corresponding to openssl's X509 structure
+ # $name - host name to check
+ # $flags (optional, default: 0) - can be the bitwise OR of:
+ # &Net::SSLeay::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
+ # &Net::SSLeay::X509_CHECK_FLAG_NO_WILDCARDS
+ # &Net::SSLeay::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
+ # &Net::SSLeay::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS
+ # &Net::SSLeay::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
+ # &Net::SSLeay::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
+ # $peername (optional) - If not omitted and $host matches $cert,
+ # a copy of the matching SAN or CN from
+ # the peer certificate is stored in $peername.
+ #
+ # returns:
+ # 1 for a successful match
+ # 0 for a failed match
+ # -1 for an internal error
+ # -2 if the input is malformed
+
+Check openssl doc L.
+
+=item * X509_check_email
+
+B not available in Net-SSLeay-1.68 and before; requires at least OpenSSL 1.0.2.
+
+Checks if the certificate matches the specified email address.
+
+ my $rv = Net::SSLeay::X509_check_email($cert, $address, $flags);
+ # $cert - value corresponding to openssl's X509 structure
+ # $address - email address to check
+ # $flags (optional, default: 0) - see X509_check_host()
+ #
+ # returns: see X509_check_host()
+
+Check openssl doc L.
+
+=item * X509_check_ip
+
+B not available in Net-SSLeay-1.68 and before; requires at least OpenSSL 1.0.2.
+
+Checks if the certificate matches the specified IPv4 or IPv6 address.
+
+ my $rv = Net::SSLeay::X509_check_ip($cert, $address, $flags);
+ # $cert - value corresponding to openssl's X509 structure
+ # $address - IP address to check in binary format, in network byte order
+ # $flags (optional, default: 0) - see X509_check_host()
+ #
+ # returns: see X509_check_host()
+
+Check openssl doc L.
+
+=item * X509_check_ip_asc
+
+B not available in Net-SSLeay-1.68 and before; requires at least OpenSSL 1.0.2.
+
+Checks if the certificate matches the specified IPv4 or IPv6 address.
+
+ my $rv = Net::SSLeay::X509_check_ip_asc($cert, $address, $flags);
+ # $cert - value corresponding to openssl's X509 structure
+ # $address - IP address to check in text representation
+ # $flags (optional, default: 0) - see X509_check_host()
+ #
+ # returns: see X509_check_host()
+
+Check openssl doc L.
+
+=item * X509_certificate_type
+
+B not available in Net-SSLeay-1.45 and before
+
+Returns bitmask with type of certificate $x.
+
+ my $rv = Net::SSLeay::X509_certificate_type($x);
+ # $x - value corresponding to openssl's X509 structure
+ #
+ # returns: (integer) bitmask with certificate type
+
+ #to decode bitmask returned by this function use these constants:
+ &Net::SSLeay::EVP_PKS_DSA
+ &Net::SSLeay::EVP_PKS_EC
+ &Net::SSLeay::EVP_PKS_RSA
+ &Net::SSLeay::EVP_PKT_ENC
+ &Net::SSLeay::EVP_PKT_EXCH
+ &Net::SSLeay::EVP_PKT_EXP
+ &Net::SSLeay::EVP_PKT_SIGN
+ &Net::SSLeay::EVP_PK_DH
+ &Net::SSLeay::EVP_PK_DSA
+ &Net::SSLeay::EVP_PK_EC
+ &Net::SSLeay::EVP_PK_RSA
+
+=item * X509_digest
+
+B not available in Net-SSLeay-1.45 and before
+
+Computes digest/fingerprint of X509 $data using $type hash function.
+
+ my $digest_value = Net::SSLeay::X509_digest($data, $type);
+ # $data - value corresponding to openssl's X509 structure
+ # $type - value corresponding to openssl's EVP_MD structure - e.g. got via EVP_get_digestbyname()
+ #
+ # returns: hash value (binary)
+
+ #to get printable (hex) value of digest use:
+ print unpack('H*', $digest_value);
+
+=item * X509_issuer_and_serial_hash
+
+B not available in Net-SSLeay-1.45 and before
+
+Sort of a checksum of issuer name and serial number of X509 certificate $x.
+The result is not a full hash (e.g. sha-1), it is kind-of-a-hash truncated to the size of 'unsigned long' (32 bits).
+The resulting value might differ across different openssl versions for the same X509 certificate.
+
+ my $rv = Net::SSLeay::X509_issuer_and_serial_hash($x);
+ # $x - value corresponding to openssl's X509 structure
+ #
+ # returns: number representing checksum
+
+=item * X509_issuer_name_hash
+
+B not available in Net-SSLeay-1.45 and before
+
+Sort of a checksum of issuer name of X509 certificate $x.
+The result is not a full hash (e.g. sha-1), it is kind-of-a-hash truncated to the size of 'unsigned long' (32 bits).
+The resulting value might differ across different openssl versions for the same X509 certificate.
+
+ my $rv = Net::SSLeay::X509_issuer_name_hash($x);
+ # $x - value corresponding to openssl's X509 structure
+ #
+ # returns: number representing checksum
+
+=item * X509_subject_name_hash
+
+B not available in Net-SSLeay-1.45 and before
+
+Sort of a checksum of subject name of X509 certificate $x.
+The result is not a full hash (e.g. sha-1), it is kind-of-a-hash truncated to the size of 'unsigned long' (32 bits).
+The resulting value might differ across different openssl versions for the same X509 certificate.
+
+ my $rv = Net::SSLeay::X509_subject_name_hash($x);
+ # $x - value corresponding to openssl's X509 structure
+ #
+ # returns: number representing checksum
+
+=item * X509_pubkey_digest
+
+B not available in Net-SSLeay-1.45 and before; requires at least openssl-0.9.7
+
+Computes digest/fingerprint of public key from X509 certificate $data using $type hash function.
+
+ my $digest_value = Net::SSLeay::X509_pubkey_digest($data, $type);
+ # $data - value corresponding to openssl's X509 structure
+ # $type - value corresponding to openssl's EVP_MD structure - e.g. got via EVP_get_digestbyname()
+ #
+ # returns: hash value (binary)
+
+ #to get printable (hex) value of digest use:
+ print unpack('H*', $digest_value);
+
+=item * X509_set_issuer_name
+
+B not available in Net-SSLeay-1.45 and before
+
+Sets issuer of X509 certificate $x to $name.
+
+ my $rv = Net::SSLeay::X509_set_issuer_name($x, $name);
+ # $x - value corresponding to openssl's X509 structure
+ # $name - value corresponding to openssl's X509_NAME structure
+ #
+ # returns: 1 on success, 0 on failure
+
+=item * X509_set_pubkey
+
+B not available in Net-SSLeay-1.45 and before
+
+Sets public key of X509 certificate $x to $pkey.
+
+ my $rv = Net::SSLeay::X509_set_pubkey($x, $pkey);
+ # $x - value corresponding to openssl's X509 structure
+ # $pkey - value corresponding to openssl's EVP_PKEY structure
+ #
+ # returns: 1 on success, 0 on failure
+
+=item * X509_set_serialNumber
+
+B not available in Net-SSLeay-1.45 and before
+
+Sets serial number of X509 certificate $x to $serial.
+
+ my $rv = Net::SSLeay::X509_set_serialNumber($x, $serial);
+ # $x - value corresponding to openssl's X509 structure
+ # $serial - value corresponding to openssl's ASN1_INTEGER structure
+ #
+ # returns: 1 on success, 0 on failure
+
+ #to create $serial value use one of these:
+ $serial = Net::SSLeay::P_ASN1_INTEGER_set_hex('45ad6f');
+ $serial = Net::SSLeay::P_ASN1_INTEGER_set_dec('7896541238529631478');
+ $serial = Net::SSLeay::ASN1_INTEGER_set(45896);
+
+=item * X509_set_subject_name
+
+B not available in Net-SSLeay-1.45 and before
+
+Sets subject of X509 certificate $x to $name.
+
+ my $rv = Net::SSLeay::X509_set_subject_name($x, $name);
+ # $x - value corresponding to openssl's X509 structure
+ # $name - value corresponding to openssl's X509_NAME structure
+ #
+ # returns: 1 on success, 0 on failure
+
+=item * X509_set_version
+
+B not available in Net-SSLeay-1.45 and before
+
+Set 'version' value for X509 certificate $ to $version.
+
+ my $rv = Net::SSLeay::X509_set_version($x, $version);
+ # $x - value corresponding to openssl's X509 structure
+ # $version - (integer) version number
+ #
+ # returns: 1 on success, 0 on failure
+
+=item * X509_sign
+
+B not available in Net-SSLeay-1.45 and before
+
+Sign X509 certificate $x with private key $pkey (using digest algorithm $md).
+
+ my $rv = Net::SSLeay::X509_sign($x, $pkey, $md);
+ # $x - value corresponding to openssl's X509 structure
+ # $pkey - value corresponding to openssl's EVP_PKEY structure
+ # $md - value corresponding to openssl's EVP_MD structure
+ #
+ # returns: 1 on success, 0 on failure
+
+=item * X509_verify
+
+B not available in Net-SSLeay-1.45 and before
+
+Verifies X509 object $a using public key $r (pubkey of issuing CA).
+
+ my $rv = Net::SSLeay::X509_verify($x, $r);
+ # $x - value corresponding to openssl's X509 structure
+ # $r - value corresponding to openssl's EVP_PKEY structure
+ #
+ # returns: 0 - verify failure, 1 - verify OK, <0 - error
+
+=item * X509_get_ext_count
+
+B not available in Net-SSLeay-1.45 and before
+
+Returns the total number of extensions in X509 object $x.
+
+ my $rv = Net::SSLeay::X509_get_ext_count($x);
+ # $x - value corresponding to openssl's X509 structure
+ #
+ # returns: count of extensions
+
+=item * X509_get_pubkey
+
+B not available in Net-SSLeay-1.45 and before
+
+Returns public key corresponding to given X509 object $x.
+
+ my $rv = Net::SSLeay::X509_get_pubkey($x);
+ # $x - value corresponding to openssl's X509 structure
+ #
+ # returns: value corresponding to openssl's EVP_PKEY structure (0 on failure)
+
+B This method returns only the public key's key bits, without the
+algorithm or parameters. Use C to return the full
+public key (SPKI) instead.
+
+=item * X509_get_X509_PUBKEY
+
+B not available in Net-SSLeay-1.72 and before
+
+Returns the full public key (SPKI) of given X509 certificate $x.
+
+ Net::SSLeay::X509_get_X509_PUBKEY($x);
+ # $x - value corresponding to openssl's X509 structure
+ #
+ # returns: public key data in DER format (binary)
+
+=item * X509_get_serialNumber
+
+B not available in Net-SSLeay-1.45 and before
+
+Returns serial number of X509 certificate $x.
+
+ my $rv = Net::SSLeay::X509_get_serialNumber($x);
+ # $x - value corresponding to openssl's X509 structure
+ #
+ # returns: value corresponding to openssl's ASN1_INTEGER structure (0 on failure)
+
+See L, L or L to decode ASN1_INTEGER object.
+
+=item * X509_get0_serialNumber
+
+B available in Net-SSLeay-1.86 onwards
+
+X509_get0_serialNumber() is the same as X509_get_serialNumber() except it accepts a const parameter and returns a const result.
+
+=item * X509_get_version
+
+B not available in Net-SSLeay-1.45 and before
+
+Returns 'version' value of given X509 certificate $x.
+
+ my $rv = Net::SSLeay::X509_get_version($x);
+ # $x - value corresponding to openssl's X509 structure
+ #
+ # returns: (integer) version
+
+=item * X509_get_ext
+
+Returns X509_EXTENSION from $x509 based on given position/index.
+
+ my $rv = Net::SSLeay::X509_get_ext($x509, $index);
+ # $x509 - value corresponding to openssl's X509 structure
+ # $index - (integer) position/index of extension within $x509
+ #
+ # returns: value corresponding to openssl's X509_EXTENSION structure (0 on failure)
+
+=item * X509_get_ext_by_NID
+
+Returns X509_EXTENSION from $x509 based on given NID.
+
+ my $rv = Net::SSLeay::X509_get_ext_by_NID($x509, $nid, $loc);
+ # $x509 - value corresponding to openssl's X509 structure
+ # $nid - (integer) NID value
+ # $loc - (integer) position to start lookup at
+ #
+ # returns: position/index of extension, negative value on error
+ # call Net::SSLeay::X509_get_ext($x509, $rv) to get the actual extension
+
+=item * X509_get_fingerprint
+
+Returns fingerprint of certificate $cert.
+
+B Does not exactly correspond to any low level API function. The implementation
+is based on openssl's C.
+
+ Net::SSLeay::X509_get_fingerprint($x509, $type);
+ # $x509 - value corresponding to openssl's X509 structure
+ # $type - (string) digest type, currently supported values:
+ # "md5"
+ # "sha1"
+ # "sha256"
+ # "ripemd160"
+ #
+ # returns: certificate digest - hexadecimal string (NOT binary data!)
+
+=item * X509_get_issuer_name
+
+Return an X509_NAME object representing the issuer of the certificate $cert.
+
+ my $rv = Net::SSLeay::X509_get_issuer_name($cert);
+ # $cert - value corresponding to openssl's X509 structure
+ #
+ # returns: value corresponding to openssl's X509_NAME structure (0 on failure)
+
+=item * X509_get_notAfter
+
+Return an object giving the time after which the certificate $cert is not valid.
+
+ my $rv = Net::SSLeay::X509_get_notAfter($cert);
+ # $cert - value corresponding to openssl's X509 structure
+ #
+ # returns: value corresponding to openssl's ASN1_TIME structure (0 on failure)
+
+To get human readable/printable form the return value you can use:
+
+ my $time = Net::SSLeay::X509_get_notAfter($cert);
+ print "notAfter=", Net::SSLeay::P_ASN1_TIME_get_isotime($time), "\n";
+
+=item * X509_get_notBefore
+
+Return an object giving the time before which the certificate $cert is not valid
+
+ my $rv = Net::SSLeay::X509_get_notBefore($cert);
+ # $cert - value corresponding to openssl's X509 structure
+ #
+ # returns: value corresponding to openssl's ASN1_TIME structure (0 on failure)
+
+To get human readable/printable form the return value you can use:
+
+ my $time = Net::SSLeay::X509_get_notBefore($cert);
+ print "notBefore=", Net::SSLeay::P_ASN1_TIME_get_isotime($time), "\n";
+
+=item * X509_get_subjectAltNames
+
+B Does not exactly correspond to any low level API function.
+
+Returns the list of alternative subject names from X509 certificate $cert.
+
+ my @rv = Net::SSLeay::X509_get_subjectAltNames($cert);
+ # $cert - value corresponding to openssl's X509 structure
+ #
+ # returns: list containing pairs - name_type (integer), name_value (string)
+ # where name_type can be:
+ # 0 - GEN_OTHERNAME
+ # 1 - GEN_EMAIL
+ # 2 - GEN_DNS
+ # 3 - GEN_X400
+ # 4 - GEN_DIRNAME
+ # 5 - GEN_EDIPARTY
+ # 6 - GEN_URI
+ # 7 - GEN_IPADD
+ # 8 - GEN_RID
+
+Note: type 7 - GEN_IPADD contains the IP address as a packed binary
+address. GEN_RID is available in Net-SSLeay-1.90 and later. Maximum
+length for returned RID string is currently 2500. Invalid and overly
+long RID values are skipped and not returned. GEN_X400 and
+GEN_EDIPARTY are not supported and will not be returned even when
+present in the certificate.
+
+=item * X509_get_subject_name
+
+Returns the subject of the certificate $cert.
+
+ my $rv = Net::SSLeay::X509_get_subject_name($cert);
+ # $cert - value corresponding to openssl's X509 structure
+ #
+ # returns: value corresponding to openssl's X509_NAME structure (0 on failure)
+
+=item * X509_gmtime_adj
+
+Adjust th ASN1_TIME object to the timestamp (in GMT).
+
+ my $rv = Net::SSLeay::X509_gmtime_adj($s, $adj);
+ # $s - value corresponding to openssl's ASN1_TIME structure
+ # $adj - timestamp (seconds since 1.1.1970)
+ #
+ # returns: value corresponding to openssl's ASN1_TIME structure (0 on failure)
+
+B this function may fail for dates after 2038 as it is dependent on time_t size on your
+system (32bit time_t does not work after 2038). Consider using L instead).
+
+=item * X509_load_cert_crl_file
+
+Takes PEM file and loads all X509 certificates and X509 CRLs from that file into X509_LOOKUP structure.
+
+ my $rv = Net::SSLeay::X509_load_cert_crl_file($ctx, $file, $type);
+ # $ctx - value corresponding to openssl's X509_LOOKUP structure
+ # $file - (string) file name
+ # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1
+ # if not FILETYPE_PEM then behaves as Net::SSLeay::X509_load_cert_file()
+ #
+ # returns: 1 on success, 0 on failure
+
+=item * X509_load_cert_file
+
+Loads/adds X509 certificate from $file to X509_LOOKUP structure
+
+ my $rv = Net::SSLeay::X509_load_cert_file($ctx, $file, $type);
+ # $ctx - value corresponding to openssl's X509_LOOKUP structure
+ # $file - (string) file name
+ # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1
+ #
+ # returns: 1 on success, 0 on failure
+
+=item * X509_load_crl_file
+
+Loads/adds X509 CRL from $file to X509_LOOKUP structure
+
+ my $rv = Net::SSLeay::X509_load_crl_file($ctx, $file, $type);
+ # $ctx - value corresponding to openssl's X509_LOOKUP structure
+ # $file - (string) file name
+ # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1
+ #
+ # returns: 1 on success, 0 on failure
+
+=item * X509_policy_level_get0_node
+
+??? (more info needed)
+
+ my $rv = Net::SSLeay::X509_policy_level_get0_node($level, $i);
+ # $level - value corresponding to openssl's X509_POLICY_LEVEL structure
+ # $i - (integer) index/position
+ #
+ # returns: value corresponding to openssl's X509_POLICY_NODE structure (0 on failure)
+
+=item * X509_policy_level_node_count
+
+??? (more info needed)
+
+ my $rv = Net::SSLeay::X509_policy_level_node_count($level);
+ # $level - value corresponding to openssl's X509_POLICY_LEVEL structure
+ #
+ # returns: (integer) node count
+
+=item * X509_policy_node_get0_parent
+
+??? (more info needed)
+
+ my $rv = Net::SSLeay::X509_policy_node_get0_parent($node);
+ # $node - value corresponding to openssl's X509_POLICY_NODE structure
+ #
+ # returns: value corresponding to openssl's X509_POLICY_NODE structure (0 on failure)
+
+=item * X509_policy_node_get0_policy
+
+??? (more info needed)
+
+ my $rv = Net::SSLeay::X509_policy_node_get0_policy($node);
+ # $node - value corresponding to openssl's X509_POLICY_NODE structure
+ #
+ # returns: value corresponding to openssl's ASN1_OBJECT structure (0 on failure)
+
+=item * X509_policy_node_get0_qualifiers
+
+??? (more info needed)
+
+ my $rv = Net::SSLeay::X509_policy_node_get0_qualifiers($node);
+ # $node - value corresponding to openssl's X509_POLICY_NODE structure
+ #
+ # returns: value corresponding to openssl's STACK_OF(POLICYQUALINFO) structure (0 on failure)
+
+=item * X509_policy_tree_free
+
+??? (more info needed)
+
+ Net::SSLeay::X509_policy_tree_free($tree);
+ # $tree - value corresponding to openssl's X509_POLICY_TREE structure
+ #
+ # returns: no return value
+
+=item * X509_policy_tree_get0_level
+
+??? (more info needed)
+
+ my $rv = Net::SSLeay::X509_policy_tree_get0_level($tree, $i);
+ # $tree - value corresponding to openssl's X509_POLICY_TREE structure
+ # $i - (integer) level index
+ #
+ # returns: value corresponding to openssl's X509_POLICY_LEVEL structure (0 on failure)
+
+=item * X509_policy_tree_get0_policies
+
+??? (more info needed)
+
+ my $rv = Net::SSLeay::X509_policy_tree_get0_policies($tree);
+ # $tree - value corresponding to openssl's X509_POLICY_TREE structure
+ #
+ # returns: value corresponding to openssl's X509_POLICY_NODE structure (0 on failure)
+
+=item * X509_policy_tree_get0_user_policies
+
+??? (more info needed)
+
+ my $rv = Net::SSLeay::X509_policy_tree_get0_user_policies($tree);
+ # $tree - value corresponding to openssl's X509_POLICY_TREE structure
+ #
+ # returns: value corresponding to openssl's X509_POLICY_NODE structure (0 on failure)
+
+=item * X509_policy_tree_level_count
+
+??? (more info needed)
+
+ my $rv = Net::SSLeay::X509_policy_tree_level_count($tree);
+ # $tree - value corresponding to openssl's X509_POLICY_TREE structure
+ #
+ # returns: (integer) count
+
+=item * X509_verify_cert_error_string
+
+Returns a human readable error string for verification error $n.
+
+ my $rv = Net::SSLeay::X509_verify_cert_error_string($n);
+ # $n - (long) numeric error code
+ #
+ # returns: error string
+
+Check openssl doc L
+
+=item * P_X509_add_extensions
+
+B not available in Net-SSLeay-1.45 and before
+
+Adds one or more X509 extensions to X509 object $x.
+
+ my $rv = Net::SSLeay::P_X509_add_extensions($x, $ca_cert, $nid, $value);
+ # $x - value corresponding to openssl's X509 structure
+ # $ca_cert - value corresponding to openssl's X509 structure (issuer's cert - necessary for sertting NID_authority_key_identifier)
+ # $nid - NID identifying extension to be set
+ # $value - extension value
+ #
+ # returns: 1 on success, 0 on failure
+
+You can set more extensions at once:
+
+ my $rv = Net::SSLeay::P_X509_add_extensions($x509, $ca_cert,
+ &Net::SSLeay::NID_key_usage => 'digitalSignature,keyEncipherment',
+ &Net::SSLeay::NID_subject_key_identifier => 'hash',
+ &Net::SSLeay::NID_authority_key_identifier => 'keyid',
+ &Net::SSLeay::NID_authority_key_identifier => 'issuer',
+ &Net::SSLeay::NID_basic_constraints => 'CA:FALSE',
+ &Net::SSLeay::NID_ext_key_usage => 'serverAuth,clientAuth',
+ &Net::SSLeay::NID_netscape_cert_type => 'server',
+ &Net::SSLeay::NID_subject_alt_name => 'DNS:s1.dom.com,DNS:s2.dom.com,DNS:s3.dom.com',
+ );
+
+=item * P_X509_copy_extensions
+
+B not available in Net-SSLeay-1.45 and before
+
+Copies X509 extensions from X509_REQ object to X509 object - handy when you need to turn X509_REQ into X509 certificate.
+
+ Net::SSLeay::P_X509_copy_extensions($x509_req, $x509, $override);
+ # $x509_req - value corresponding to openssl's X509_REQ structure
+ # $x509 - value corresponding to openssl's X509 structure
+ # $override - (integer) flag indication whether to override already existing items in $x509 (default 1)
+ #
+ # returns: 1 on success, 0 on failure
+
+=item * P_X509_get_crl_distribution_points
+
+B not available in Net-SSLeay-1.45 and before; requires at least openssl-0.9.7
+
+Get the list of CRL distribution points from X509 certificate.
+
+ my @cdp = Net::SSLeay::P_X509_get_crl_distribution_points($x509);
+ # $x509 - value corresponding to openssl's X509 structure
+ #
+ # returns: list of distribution points (usually URLs)
+
+=item * P_X509_get_ext_key_usage
+
+B not available in Net-SSLeay-1.45 and before; requires at least openssl-0.9.7
+
+Gets the list of extended key usage of given X509 certificate $cert.
+
+ my @ext_usage = Net::SSLeay::P_X509_get_ext_key_usage($cert, $format);
+ # $cert - value corresponding to openssl's X509 structure
+ # $format - choose type of return values: 0=OIDs, 1=NIDs, 2=shortnames, 3=longnames
+ #
+ # returns: list of values
+
+Examples:
+
+ my @extkeyusage_oid = Net::SSLeay::P_X509_get_ext_key_usage($x509,0);
+ # returns for example: ("1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2")
+
+ my @extkeyusage_nid = Net::SSLeay::P_X509_get_ext_key_usage($x509,1);
+ # returns for example: (129, 130)
+
+ my @extkeyusage_sn = Net::SSLeay::P_X509_get_ext_key_usage($x509,2);
+ # returns for example: ("serverAuth", "clientAuth")
+
+ my @extkeyusage_ln = Net::SSLeay::P_X509_get_ext_key_usage($x509,3);
+ # returns for example: ("TLS Web Server Authentication", "TLS Web Client Authentication")
+
+=item * P_X509_get_key_usage
+
+B not available in Net-SSLeay-1.45 and before
+
+Gets the list of key usage of given X509 certificate $cert.
+
+ my @keyusage = Net::SSLeay::P_X509_get_key_usage($cert);
+ # $cert - value corresponding to openssl's X509 structure
+ #
+ # returns: list of key usage values which can be none, one or more from the following list:
+ # "digitalSignature"
+ # "nonRepudiation"
+ # "keyEncipherment"
+ # "dataEncipherment"
+ # "keyAgreement"
+ # "keyCertSign"
+ # "cRLSign"
+ # "encipherOnly"
+ # "decipherOnly"
+
+=item * P_X509_get_netscape_cert_type
+
+B not available in Net-SSLeay-1.45 and before
+
+Gets the list of Netscape cert types of given X509 certificate $cert.
+
+ Net::SSLeay::P_X509_get_netscape_cert_type($cert);
+ # $cert - value corresponding to openssl's X509 structure
+ #
+ # returns: list of Netscape type values which can be none, one or more from the following list:
+ # "client"
+ # "server"
+ # "email"
+ # "objsign"
+ # "reserved"
+ # "sslCA"
+ # "emailCA"
+ # "objCA"
+
+=item * P_X509_get_pubkey_alg
+
+B not available in Net-SSLeay-1.45 and before
+
+Returns ASN1_OBJECT corresponding to X509 certificate public key algorithm.
+
+ my $rv = Net::SSLeay::P_X509_get_pubkey_alg($x);
+ # $x - value corresponding to openssl's X509 structure
+ #
+ # returns: value corresponding to openssl's ASN1_OBJECT structure (0 on failure)
+
+To get textual representation use:
+
+ my $alg = Net::SSLeay::OBJ_obj2txt(Net::SSLeay::P_X509_get_pubkey_alg($x509));
+ # returns for example: "rsaEncryption"
+
+=item * P_X509_get_signature_alg
+
+B not available in Net-SSLeay-1.45 and before
+
+Returns ASN1_OBJECT corresponding to X509 signarite key algorithm.
+
+ my $rv = Net::SSLeay::P_X509_get_signature_alg($x);
+ # $x - value corresponding to openssl's X509 structure
+ #
+ # returns: value corresponding to openssl's ASN1_OBJECT structure (0 on failure)
+
+To get textual representation use:
+
+ my $alg = Net::SSLeay::OBJ_obj2txt(Net::SSLeay::P_X509_get_signature_alg($x509))
+ # returns for example: "sha1WithRSAEncryption"
+
+=item * sk_X509_new_null
+
+Returns a new, empty, STACK_OF(X509) structure.
+
+ my $rv = Net::SSLeay::sk_X509_new_null();
+ #
+ # returns: value corresponding to openssl's STACK_OF(X509) structure
+
+=item * sk_X509_push
+
+Pushes an X509 structure onto a STACK_OF(X509) structure.
+
+ my $rv = Net::SSLeay::sk_X509_push($sk_x509, $x509);
+ # $sk_x509 - value corresponding to openssl's STACK_OF(X509) structure
+ # $x509 - value corresponding to openssl's X509 structure
+ #
+ # returns: total number of elements after the operation, 0 on failure
+
+=item * sk_X509_pop
+
+Pops an single X509 structure from a STACK_OF(X509) structure.
+
+ my $x509 = NetSSLeay::sk_X509_pop($sk_x509)
+ # $sk_x509 - value corresponding to openssl's STACK_OF(X509) structure
+ #
+ # returns: a pointer to an X509 structure, undef on failure
+
+Check openssl doc L
+
+=item * sk_X509_shift
+
+Shifts an single X509 structure onto a STACK_OF(X509) structure.
+
+ my $x509 = NetSSLeay::sk_X509_shift($sk_x509, $x509)
+ # $sk_x509 - value corresponding to openssl's STACK_OF(X509) structure
+ # $x509 - value corresponding to openssl's X509 structure
+ #
+ # returns: a pointer to an X509 structure, undef on failure
+
+Check openssl doc L
+
+=item * sk_X509_unshift
+
+Unshifts an single X509 structure from a STACK_OF(X509) structure.
+
+ my $rv = NetSSLeay::sk_X509_unshift($sk_x509)
+ # $sk_x509 - value corresponding to openssl's STACK_OF(X509) structure
+ #
+ # returns: total number of elements after the operation, 0 on failure
+
+Check openssl doc L
+
+=item * sk_X509_insert
+
+Inserts a single X509 structure into a STACK_OF(X509) at the specified index.
+
+ my $rv = Net::SSLeay::sk_X509_insert($sk_x509, $x509, index);
+ # $sk_x509 - value corresponding to openssl's STACK_OF(X509) structure
+ # $x509 - value corresponding to openssl's X509 structure
+ # index - integer - 0 based index
+ #
+ # returns: total number of elements after the operation, 0 on failure
+
+Check openssl doc L
+
+=item * sk_X509_delete
+
+Delete a single X509 structure from a STACK_OF(X509) at the specified index.
+
+ my $x509 = Net::SSLeay::sk_X509_delete($sk_x509, index);
+ # $sk_x509 - value corresponding to openssl's STACK_OF(X509) structure
+ # index - integer - 0 based index
+ #
+ # returns: a pointer to an X509 structure, undef on failure
+
+Check openssl doc L
+
+=item * sk_X509_value
+
+Return a single X509 structure from a STACK_OF(X509) at the specified index.
+
+ my $x509 = Net::SSLeay::sk_X509_value($sk_x509, index)
+ # $sk_x509 - value corresponding to openssl's STACK_OF(X509) structure
+ # index - integer - 0 based index
+ #
+ # returns: a pointer to an X509 structure, undef on failure
+
+Check openssl doc L
+
+=item * sk_X509_num
+
+Return the number of X509 elements in a STACK_OF(X509).
+
+ my $num = Net::SSLeay::sk_X509_num($sk_x509);
+ # $sk_x509 - value corresponding to openssl's STACK_OF(X509) structure
+ #
+ # returns: the number of elements in the stack, -1 if the passed stack is NULL
+
+Check openssl doc L
+
+=back
+
+=head3 Low level API: X509_REQ_* related functions
+
+=over
+
+=item * X509_REQ_new
+
+B not available in Net-SSLeay-1.45 and before
+
+Creates a new X509_REQ structure.
+
+ my $rv = Net::SSLeay::X509_REQ_new();
+ #
+ # returns: value corresponding to openssl's X509_REQ structure (0 on failure)
+
+=item * X509_REQ_free
+
+B not available in Net-SSLeay-1.45 and before
+
+Free an allocated X509_REQ structure.
+
+ Net::SSLeay::X509_REQ_free($x);
+ # $x - value corresponding to openssl's X509_REQ structure
+ #
+ # returns: no return value
+
+=item * X509_REQ_add1_attr_by_NID
+
+B not available in Net-SSLeay-1.45 and before
+
+Adds an attribute whose name is defined by a NID $nid. The field value to be added is in $bytes.
+ + my $rv = Net::SSLeay::X509_REQ_add1_attr_by_NID($req, $nid, $type, $bytes); + # $req - value corresponding to openssl's X509_REQ structure + # $nid - (integer) NID value + # $type - (integer) type of data in $bytes (see below) + # $bytes - data to be set + # + # returns: 1 on success, 0 on failure + + # values for $type - use constants: + &Net::SSLeay::MBSTRING_UTF8 - $bytes contains utf8 encoded data + &Net::SSLeay::MBSTRING_ASC - $bytes contains ASCII data + +=item * X509_REQ_digest + +B not available in Net-SSLeay-1.45 and before + +Computes digest/fingerprint of X509_REQ $data using $type hash function. + + my $digest_value = Net::SSLeay::X509_REQ_digest($data, $type); + # $data - value corresponding to openssl's X509_REQ structure + # $type - value corresponding to openssl's EVP_MD structure - e.g. got via EVP_get_digestbyname() + # + # returns: hash value (binary) + + #to get printable (hex) value of digest use: + print unpack('H*', $digest_value); + +=item * X509_REQ_get_attr_by_NID + +B not available in Net-SSLeay-1.45 and before + +Retrieve the next index matching $nid after $lastpos ($lastpos should initially be set to -1). + + my $rv = Net::SSLeay::X509_REQ_get_attr_by_NID($req, $nid, $lastpos=-1); + # $req - value corresponding to openssl's X509_REQ structure + # $nid - (integer) NID value + # $lastpos - [optional] (integer) index where to start search (default -1) + # + # returns: index (-1 if there are no more entries) + +Note: use L to get the actual attribute value - e.g. + + my $index = Net::SSLeay::X509_REQ_get_attr_by_NID($req, $nid); + my @attr_values = Net::SSLeay::P_X509_REQ_get_attr($req, $index); + +=item * X509_REQ_get_attr_by_OBJ + +B not available in Net-SSLeay-1.45 and before + +Retrieve the next index matching $obj after $lastpos ($lastpos should initially be set to -1). 
+ + my $rv = Net::SSLeay::X509_REQ_get_attr_by_OBJ($req, $obj, $lastpos=-1); + # $req - value corresponding to openssl's X509_REQ structure + # $obj - value corresponding to openssl's ASN1_OBJECT structure + # $lastpos - [optional] (integer) index where to start search (default -1) + # + # returns: index (-1 if there are no more entries) + +Note: use L to get the actual attribute value - e.g. + + my $index = Net::SSLeay::X509_REQ_get_attr_by_NID($req, $nid); + my @attr_values = Net::SSLeay::P_X509_REQ_get_attr($req, $index); + +=item * X509_REQ_get_attr_count + +B not available in Net-SSLeay-1.45 and before + +Returns the total number of attributes in $req. + + my $rv = Net::SSLeay::X509_REQ_get_attr_count($req); + # $req - value corresponding to openssl's X509_REQ structure + # + # returns: (integer) items count + +=item * X509_REQ_get_pubkey + +B not available in Net-SSLeay-1.45 and before + +Returns public key corresponding to given X509_REQ object $x. + + my $rv = Net::SSLeay::X509_REQ_get_pubkey($x); + # $x - value corresponding to openssl's X509_REQ structure + # + # returns: value corresponding to openssl's EVP_PKEY structure (0 on failure) + +=item * X509_REQ_get_subject_name + +B not available in Net-SSLeay-1.45 and before + +Returns X509_NAME object corresponding to subject name of given X509_REQ object $x. + + my $rv = Net::SSLeay::X509_REQ_get_subject_name($x); + # $x - value corresponding to openssl's X509_REQ structure + # + # returns: value corresponding to openssl's X509_NAME structure (0 on failure) + +=item * X509_REQ_get_version + +B not available in Net-SSLeay-1.45 and before + +Returns 'version' value for given X509_REQ object $x. + + my $rv = Net::SSLeay::X509_REQ_get_version($x); + # $x - value corresponding to openssl's X509_REQ structure + # + # returns: (integer) version e.g. 0 = "version 1" + +=item * X509_REQ_set_pubkey + +B not available in Net-SSLeay-1.45 and before + +Sets public key of given X509_REQ object $x to $pkey. 
+ + my $rv = Net::SSLeay::X509_REQ_set_pubkey($x, $pkey); + # $x - value corresponding to openssl's X509_REQ structure + # $pkey - value corresponding to openssl's EVP_PKEY structure + # + # returns: 1 on success, 0 on failure + +=item * X509_REQ_set_subject_name + +B not available in Net-SSLeay-1.45 and before + +Sets subject name of given X509_REQ object $x to X509_NAME object $name. + + my $rv = Net::SSLeay::X509_REQ_set_subject_name($x, $name); + # $x - value corresponding to openssl's X509_REQ structure + # $name - value corresponding to openssl's X509_NAME structure + # + # returns: 1 on success, 0 on failure + +=item * X509_REQ_set_version + +B not available in Net-SSLeay-1.45 and before + +Sets 'version' of given X509_REQ object $x to $version. + + my $rv = Net::SSLeay::X509_REQ_set_version($x, $version); + # $x - value corresponding to openssl's X509_REQ structure + # $version - (integer) e.g. 0 = "version 1" + # + # returns: 1 on success, 0 on failure + +=item * X509_REQ_sign + +B not available in Net-SSLeay-1.45 and before + +Sign X509_REQ object $x with private key $pk (using digest algorithm $md). + + my $rv = Net::SSLeay::X509_REQ_sign($x, $pk, $md); + # $x - value corresponding to openssl's X509_REQ structure + # $pk - value corresponding to openssl's EVP_PKEY structure (requestor's private key) + # $md - value corresponding to openssl's EVP_MD structure + # + # returns: 1 on success, 0 on failure + +=item * X509_REQ_verify + +B not available in Net-SSLeay-1.45 and before + +Verifies X509_REQ object $x using public key $r (pubkey of requesting party). + + my $rv = Net::SSLeay::X509_REQ_verify($x, $r); + # $x - value corresponding to openssl's X509_REQ structure + # $r - value corresponding to openssl's EVP_PKEY structure + # + # returns: 0 - verify failure, 1 - verify OK, <0 - error + +=item * P_X509_REQ_add_extensions + +B not available in Net-SSLeay-1.45 and before + +Adds one or more X509 extensions to X509_REQ object $x. 
+ + my $rv = Net::SSLeay::P_X509_REQ_add_extensions($x, $nid, $value); + # $x - value corresponding to openssl's X509_REQ structure + # $nid - NID identifying extension to be set + # $value - extension value + # + # returns: 1 on success, 0 on failure + +You can set more extensions at once: + + my $rv = Net::SSLeay::P_X509_REQ_add_extensions($x509_req, + &Net::SSLeay::NID_key_usage => 'digitalSignature,keyEncipherment', + &Net::SSLeay::NID_basic_constraints => 'CA:FALSE', + &Net::SSLeay::NID_ext_key_usage => 'serverAuth,clientAuth', + &Net::SSLeay::NID_netscape_cert_type => 'server', + &Net::SSLeay::NID_subject_alt_name => 'DNS:s1.com,DNS:s2.com', + &Net::SSLeay::NID_crl_distribution_points => 'URI:http://pki.com/crl1,URI:http://pki.com/crl2', + ); + +=item * P_X509_REQ_get_attr + +B not available in Net-SSLeay-1.45 and before; requires at least openssl-0.9.7 + +Returns attribute value for X509_REQ's attribute at index $n. + + Net::SSLeay::P_X509_REQ_get_attr($req, $n); + # $req - value corresponding to openssl's X509_REQ structure + # $n - (integer) attribute index + # + # returns: value corresponding to openssl's ASN1_STRING structure + +=back + +=head3 Low level API: X509_CRL_* related functions + +=over + +=item * X509_CRL_new + +B not available in Net-SSLeay-1.45 and before + +Creates a new X509_CRL structure. + + my $rv = Net::SSLeay::X509_CRL_new(); + # + # returns: value corresponding to openssl's X509_CRL structure (0 on failure) + +=item * X509_CRL_free + +B not available in Net-SSLeay-1.45 and before + +Free an allocated X509_CRL structure. + + Net::SSLeay::X509_CRL_free($x); + # $x - value corresponding to openssl's X509_CRL structure + # + # returns: no return value + +=item * X509_CRL_digest + +B not available in Net-SSLeay-1.45 and before + +Computes digest/fingerprint of X509_CRL $data using $type hash function. 
+ + my $digest_value = Net::SSLeay::X509_CRL_digest($data, $type); + # $data - value corresponding to openssl's X509_CRL structure + # $type - value corresponding to openssl's EVP_MD structure - e.g. got via EVP_get_digestbyname() + # + # returns: hash value (binary) + +Example: + + my $x509_crl + my $md = Net::SSLeay::EVP_get_digestbyname("sha1"); + my $digest_value = Net::SSLeay::X509_CRL_digest($x509_crl, $md); + #to get printable (hex) value of digest use: + print "digest=", unpack('H*', $digest_value), "\n"; + +=item * X509_CRL_get_ext + +B not available in Net-SSLeay-1.54 and before + +Returns X509_EXTENSION from $x509 based on given position/index. + + my $rv = Net::SSLeay::X509_CRL_get_ext($x509, $index); + # $x509 - value corresponding to openssl's X509_CRL structure + # $index - (integer) position/index of extension within $x509 + # + # returns: value corresponding to openssl's X509_EXTENSION structure (0 on failure) + +=item * X509_CRL_get_ext_by_NID + +B not available in Net-SSLeay-1.54 and before + +Returns X509_EXTENSION from $x509 based on given NID. + + my $rv = Net::SSLeay::X509_CRL_get_ext_by_NID($x509, $nid, $loc); + # $x509 - value corresponding to openssl's X509_CRL structure + # $nid - (integer) NID value + # $loc - (integer) position to start lookup at + # + # returns: position/index of extension, negative value on error + # call Net::SSLeay::X509_CRL_get_ext($x509, $rv) to get the actual extension + +=item * X509_CRL_get_ext_count + +B not available in Net-SSLeay-1.54 and before + +Returns the total number of extensions in X509_CRL object $x. + + my $rv = Net::SSLeay::X509_CRL_get_ext_count($x); + # $x - value corresponding to openssl's X509_CRL structure + # + # returns: count of extensions + +=item * X509_CRL_get_issuer + +B not available in Net-SSLeay-1.45 and before + +Returns X509_NAME object corresponding to the issuer of X509_CRL $x. 
+ + my $rv = Net::SSLeay::X509_CRL_get_issuer($x); + # $x - value corresponding to openssl's X509_CRL structure + # + # returns: value corresponding to openssl's X509_NAME structure (0 on failure) + +See other C functions to get more info from X509_NAME structure. + +=item * X509_CRL_get_lastUpdate + +B not available in Net-SSLeay-1.45 and before + +Returns 'lastUpdate' date-time value of X509_CRL object $x. + + my $rv = Net::SSLeay::X509_CRL_get_lastUpdate($x); + # $x - value corresponding to openssl's X509_CRL structure + # + # returns: value corresponding to openssl's ASN1_TIME structure (0 on failure) + +=item * X509_CRL_get_nextUpdate + +B not available in Net-SSLeay-1.45 and before + +Returns 'nextUpdate' date-time value of X509_CRL object $x. + + my $rv = Net::SSLeay::X509_CRL_get_nextUpdate($x); + # $x - value corresponding to openssl's X509_CRL structure + # + # returns: value corresponding to openssl's ASN1_TIME structure (0 on failure) + +=item * X509_CRL_get_version + +B not available in Net-SSLeay-1.45 and before + +Returns 'version' value of given X509_CRL structure $x. + + my $rv = Net::SSLeay::X509_CRL_get_version($x); + # $x - value corresponding to openssl's X509_CRL structure + # + # returns: (integer) version + +=item * X509_CRL_set_issuer_name + +B not available in Net-SSLeay-1.45 and before; requires at least openssl-0.9.7 + +Sets the issuer of X509_CRL object $x to X509_NAME object $name. + + my $rv = Net::SSLeay::X509_CRL_set_issuer_name($x, $name); + # $x - value corresponding to openssl's X509_CRL structure + # $name - value corresponding to openssl's X509_NAME structure + # + # returns: 1 on success, 0 on failure + +=item * X509_CRL_set_lastUpdate + +B not available in Net-SSLeay-1.45 and before; requires at least openssl-0.9.7 + +Sets 'lastUpdate' value of X509_CRL object $x to $tm. 
+ + my $rv = Net::SSLeay::X509_CRL_set_lastUpdate($x, $tm); + # $x - value corresponding to openssl's X509_CRL structure + # $tm - value corresponding to openssl's ASN1_TIME structure + # + # returns: 1 on success, 0 on failure + +=item * X509_CRL_set_nextUpdate + +B not available in Net-SSLeay-1.45 and before; requires at least openssl-0.9.7 + +Sets 'nextUpdate' value of X509_CRL object $x to $tm. + + my $rv = Net::SSLeay::X509_CRL_set_nextUpdate($x, $tm); + # $x - value corresponding to openssl's X509_CRL structure + # $tm - value corresponding to openssl's ASN1_TIME structure + # + # returns: 1 on success, 0 on failure + +=item * X509_CRL_set_version + +B not available in Net-SSLeay-1.45 and before; requires at least openssl-0.9.7 + +Sets 'version' value of given X509_CRL structure $x to $version. + + my $rv = Net::SSLeay::X509_CRL_set_version($x, $version); + # $x - value corresponding to openssl's X509_CRL structure + # $version - (integer) version number (1 = version 2 CRL) + # + # returns: 1 on success, 0 on failure + +Note that if you want to use any X509_CRL extension you need to set "version 2 CRL" - C. + +=item * X509_CRL_sign + +B not available in Net-SSLeay-1.45 and before + +Sign X509_CRL object $x with private key $pkey (using digest algorithm $md). + + my $rv = Net::SSLeay::X509_CRL_sign($x, $pkey, $md); + # $x - value corresponding to openssl's X509_CRL structure + # $pkey - value corresponding to openssl's EVP_PKEY structure + # $md - value corresponding to openssl's EVP_MD structure + # + # returns: 1 on success, 0 on failure + +=item * X509_CRL_sort + +B not available in Net-SSLeay-1.45 and before; requires at least openssl-0.9.7 + +Sorts the data of X509_CRL object so it will be written in serial number order. 
+ + my $rv = Net::SSLeay::X509_CRL_sort($x); + # $x - value corresponding to openssl's X509_CRL structure + # + # returns: 1 on success, 0 on failure + +=item * X509_CRL_verify + +B not available in Net-SSLeay-1.45 and before + +Verifies X509_CRL object $a using public key $r (pubkey of issuing CA). + + my $rv = Net::SSLeay::X509_CRL_verify($a, $r); + # $a - value corresponding to openssl's X509_CRL structure + # $r - value corresponding to openssl's EVP_PKEY structure + # + # returns: 0 - verify failure, 1 - verify OK, <0 - error + +=item * P_X509_CRL_add_revoked_serial_hex + +B not available in Net-SSLeay-1.45 and before; requires at least openssl-0.9.7 + +Adds given serial number $serial_hex to X509_CRL object $crl. + + Net::SSLeay::P_X509_CRL_add_revoked_serial_hex($crl, $serial_hex, $rev_time, $reason_code, $comp_time); + # $crl - value corresponding to openssl's X509_CRL structure + # $serial_hex - string (hexadecimal) representation of serial number + # $rev_time - (revocation time) value corresponding to openssl's ASN1_TIME structure + # $reason_code - [optional] (integer) reason code (see below) - default 0 + # $comp_time - [optional] (compromise time) value corresponding to openssl's ASN1_TIME structure + # + # returns: no return value + + reason codes: + 0 - unspecified + 1 - keyCompromise + 2 - CACompromise + 3 - affiliationChanged + 4 - superseded + 5 - cessationOfOperation + 6 - certificateHold + 7 - removeFromCRL + +=item * P_X509_CRL_get_serial + +B not available in Net-SSLeay-1.45 and before; requires at least openssl-0.9.7 + +Returns serial number of X509_CRL object. + + my $rv = Net::SSLeay::P_X509_CRL_get_serial($crl); + # $crl - value corresponding to openssl's X509_CRL structure + # + # returns: value corresponding to openssl's ASN1_INTEGER structure (0 on failure) + +=item * P_X509_CRL_set_serial + +B not available in Net-SSLeay-1.45 and before; requires at least openssl-0.9.7 + +Sets serial number of X509_CRL object to $crl_number. 
+ + my $rv = Net::SSLeay::P_X509_CRL_set_serial($crl, $crl_number); + # $crl - value corresponding to openssl's X509_CRL structure + # $crl_number - value corresponding to openssl's ASN1_INTEGER structure + # + # returns: 1 on success, 0 on failure + +=item * P_X509_CRL_add_extensions + +B not available in Net-SSLeay-1.88 and before + +Adds one or more X509 extensions to X509 CRL object $x. + + my $rv = Net::SSLeay::P_X509_CRL_add_extensions($x, $ca_cert, $nid, $value); + # $x - value corresponding to openssl's X509 CRL structure + # $ca_cert - value corresponding to openssl's X509 structure (issuer's cert - necessary for sertting NID_authority_key_identifier) + # $nid - NID identifying extension to be set + # $value - extension value + # + # returns: 1 on success, 0 on failure + +For more details see L. + +=back + +=head3 Low level API: X509_EXTENSION_* related functions + +=over + +=item * X509_EXTENSION_get_critical + +B not available in Net-SSLeay-1.45 and before + +Returns 'critical' flag of given X509_EXTENSION object $ex. + + my $rv = Net::SSLeay::X509_EXTENSION_get_critical($ex); + # $ex - value corresponding to openssl's X509_EXTENSION structure + # + # returns: (integer) 1 - critical, 0 - noncritical + +=item * X509_EXTENSION_get_data + +B not available in Net-SSLeay-1.45 and before + +Returns value (raw data) of X509_EXTENSION object $ne. + + my $rv = Net::SSLeay::X509_EXTENSION_get_data($ne); + # $ne - value corresponding to openssl's X509_EXTENSION structure + # + # returns: value corresponding to openssl's ASN1_OCTET_STRING structure (0 on failure) + +Note: you can use L to convert ASN1_OCTET_STRING into perl scalar variable. + +=item * X509_EXTENSION_get_object + +B not available in Net-SSLeay-1.45 and before + +Returns OID (ASN1_OBJECT) of X509_EXTENSION object $ne. 
+ + my $rv = Net::SSLeay::X509_EXTENSION_get_object($ex); + # $ex - value corresponding to openssl's X509_EXTENSION structure + # + # returns: value corresponding to openssl's ASN1_OBJECT structure (0 on failure) + +=item * X509V3_EXT_print + +B not available in Net-SSLeay-1.45 and before + +Returns string representation of given X509_EXTENSION object $ext. + + Net::SSLeay::X509V3_EXT_print($ext, $flags, $utf8_decode); + # $ext - value corresponding to openssl's X509_EXTENSION structure + # $flags - [optional] (integer) Currently the flag argument is unused and should be set to 0 + # $utf8_decode - [optional] 0 or 1 whether the returned value should be utf8 decoded (default=0) + # + # returns: no return value + +=item * X509V3_EXT_d2i + +Parses an extension and returns its internal structure. + + my $rv = Net::SSLeay::X509V3_EXT_d2i($ext); + # $ext - value corresponding to openssl's X509_EXTENSION structure + # + # returns: pointer ??? + +=back + +=head3 Low level API: X509_NAME_* related functions + +=over + +=item * X509_NAME_ENTRY_get_data + +B not available in Net-SSLeay-1.45 and before + +Retrieves the field value of $ne in and ASN1_STRING structure. + + my $rv = Net::SSLeay::X509_NAME_ENTRY_get_data($ne); + # $ne - value corresponding to openssl's X509_NAME_ENTRY structure + # + # returns: value corresponding to openssl's ASN1_STRING structure (0 on failure) + +Check openssl doc L + +=item * X509_NAME_ENTRY_get_object + +B not available in Net-SSLeay-1.45 and before + +Retrieves the field name of $ne in and ASN1_OBJECT structure. + + my $rv = Net::SSLeay::X509_NAME_ENTRY_get_object($ne); + # $ne - value corresponding to openssl's X509_NAME_ENTRY structure + # + # returns: value corresponding to openssl's ASN1_OBJECT structure (0 on failure) + +Check openssl doc L + +=item * X509_NAME_new + +B not available in Net-SSLeay-1.55 and before; requires at least openssl-0.9.5 + +Creates a new X509_NAME structure. 
+Adds a field whose name is defined by a string $field. The field value to be added is in $bytes. + + my $rv = Net::SSLeay::X509_NAME_new(); + # + # returns: value corresponding to openssl's X509_NAME structure (0 on failure) + +=item * X509_NAME_hash + +B not available in Net-SSLeay-1.55 and before; requires at least openssl-0.9.5 + +Sort of a checksum of issuer name $name. +The result is not a full hash (e.g. sha-1), it is kind-of-a-hash truncated to the size of 'unsigned long' (32 bits). +The resulting value might differ across different openssl versions for the same X509 certificate. + + my $rv = Net::SSLeay::X509_NAME_hash($name); + # $name - value corresponding to openssl's X509_NAME structure + # + # returns: number representing checksum + +=item * X509_NAME_add_entry_by_txt + +B not available in Net-SSLeay-1.45 and before; requires at least openssl-0.9.5 + +Adds a field whose name is defined by a string $field. The field value to be added is in $bytes. + + my $rv = Net::SSLeay::X509_NAME_add_entry_by_txt($name, $field, $type, $bytes, $len, $loc, $set); + # $name - value corresponding to openssl's X509_NAME structure + # $field - (string) field definition (name) - e.g. "organizationName" + # $type - (integer) type of data in $bytes (see below) + # $bytes - data to be set + # $loc - [optional] (integer) index where the new entry is inserted: if it is -1 (default) it is appended + # $set - [optional] (integer) determines how the new type is added. If it is 0 (default) a new RDN is created + # + # returns: 1 on success, 0 on failure + + # values for $type - use constants: + &Net::SSLeay::MBSTRING_UTF8 - $bytes contains utf8 encoded data + &Net::SSLeay::MBSTRING_ASC - $bytes contains ASCII data + +Unicode note: when passing non-ascii (unicode) string in $bytes do not forget to set C<$flags = &Net::SSLeay::MBSTRING_UTF8> and encode the perl $string via C<$bytes = encode('utf-8', $string)>. 
+ +Check openssl doc L + +=item * X509_NAME_add_entry_by_NID + +B not available in Net-SSLeay-1.45 and before; requires at least openssl-0.9.5 + +Adds a field whose name is defined by a NID $nid. The field value to be added is in $bytes. + + my $rv = Net::SSLeay::X509_NAME_add_entry_by_NID($name, $nid, $type, $bytes, $len, $loc, $set); + # $name - value corresponding to openssl's X509_NAME structure + # $nid - (integer) field definition - NID value + # $type - (integer) type of data in $bytes (see below) + # $bytes - data to be set + # $loc - [optional] (integer) index where the new entry is inserted: if it is -1 (default) it is appended + # $set - [optional] (integer) determines how the new type is added. If it is 0 (default) a new RDN is created + # + # returns: 1 on success, 0 on failure + +Check openssl doc L + +=item * X509_NAME_add_entry_by_OBJ + +B not available in Net-SSLeay-1.45 and before; requires at least openssl-0.9.5 + +Adds a field whose name is defined by a object (OID) $obj . The field value to be added is in $bytes. + + my $rv = Net::SSLeay::X509_NAME_add_entry_by_OBJ($name, $obj, $type, $bytes, $len, $loc, $set); + # $name - value corresponding to openssl's X509_NAME structure + # $obj - field definition - value corresponding to openssl's ASN1_OBJECT structure + # $type - (integer) type of data in $bytes (see below) + # $bytes - data to be set + # $loc - [optional] (integer) index where the new entry is inserted: if it is -1 (default) it is appended + # $set - [optional] (integer) determines how the new type is added. If it is 0 (default) a new RDN is created + # + # returns: 1 on success, 0 on failure + +Check openssl doc L + +=item * X509_NAME_cmp + +B not available in Net-SSLeay-1.45 and before + +Compares two X509_NAME obejcts. 
+ + my $rv = Net::SSLeay::X509_NAME_cmp($a, $b); + # $a - value corresponding to openssl's X509_NAME structure + # $b - value corresponding to openssl's X509_NAME structure + # + # returns: 0 if $a matches $b; non zero otherwise + +=item * X509_NAME_digest + +B not available in Net-SSLeay-1.45 and before + +Computes digest/fingerprint of X509_NAME $data using $type hash function. + + my $digest_value = Net::SSLeay::X509_NAME_digest($data, $type); + # $data - value corresponding to openssl's X509_NAME structure + # $type - value corresponding to openssl's EVP_MD structure - e.g. got via EVP_get_digestbyname() + # + # returns: hash value (binary) + + #to get printable (hex) value of digest use: + print unpack('H*', $digest_value); + +=item * X509_NAME_entry_count + +B not available in Net-SSLeay-1.45 and before + +Returns the total number of entries in $name. + + my $rv = Net::SSLeay::X509_NAME_entry_count($name); + # $name - value corresponding to openssl's X509_NAME structure + # + # returns: (integer) entries count + +Check openssl doc L + +=item * X509_NAME_get_entry + +B not available in Net-SSLeay-1.45 and before + +Retrieves the X509_NAME_ENTRY from $name corresponding to index $loc. Acceptable values for $loc run +from 0 to C. The value returned is an internal pointer which must not be freed. + + my $rv = Net::SSLeay::X509_NAME_get_entry($name, $loc); + # $name - value corresponding to openssl's X509_NAME structure + # $loc - (integer) index of wanted entry + # + # returns: value corresponding to openssl's X509_NAME_ENTRY structure (0 on failure) + +Check openssl doc L + +=item * X509_NAME_print_ex + +B not available in Net-SSLeay-1.45 and before + +Returns a string with human readable version of $name. 
+ + Net::SSLeay::X509_NAME_print_ex($name, $flags, $utf8_decode); + # $name - value corresponding to openssl's X509_NAME structure + # $flags - [optional] conversion flags (default XN_FLAG_RFC2253) - see below + # $utf8_decode - [optional] 0 or 1 whether the returned value should be utf8 decoded (default=0) + # + # returns: string representation of $name + + #available conversion flags - use constants: + &Net::SSLeay::XN_FLAG_COMPAT + &Net::SSLeay::XN_FLAG_DN_REV + &Net::SSLeay::XN_FLAG_DUMP_UNKNOWN_FIELDS + &Net::SSLeay::XN_FLAG_FN_ALIGN + &Net::SSLeay::XN_FLAG_FN_LN + &Net::SSLeay::XN_FLAG_FN_MASK + &Net::SSLeay::XN_FLAG_FN_NONE + &Net::SSLeay::XN_FLAG_FN_OID + &Net::SSLeay::XN_FLAG_FN_SN + &Net::SSLeay::XN_FLAG_MULTILINE + &Net::SSLeay::XN_FLAG_ONELINE + &Net::SSLeay::XN_FLAG_RFC2253 + &Net::SSLeay::XN_FLAG_SEP_COMMA_PLUS + &Net::SSLeay::XN_FLAG_SEP_CPLUS_SPC + &Net::SSLeay::XN_FLAG_SEP_MASK + &Net::SSLeay::XN_FLAG_SEP_MULTILINE + &Net::SSLeay::XN_FLAG_SEP_SPLUS_SPC + &Net::SSLeay::XN_FLAG_SPC_EQ + +Most likely you will be fine with default: + + Net::SSLeay::X509_NAME_print_ex($name, &Net::SSLeay::XN_FLAG_RFC2253); + +Or you might want RFC2253-like output without utf8 chars escaping: + + use Net::SSLeay qw/XN_FLAG_RFC2253 ASN1_STRFLGS_ESC_MSB/; + my $flag_rfc22536_utf8 = (XN_FLAG_RFC2253) & (~ ASN1_STRFLGS_ESC_MSB); + my $result = Net::SSLeay::X509_NAME_print_ex($name, $flag_rfc22536_utf8, 1); + +Check openssl doc L + +=item * X509_NAME_get_text_by_NID + +Retrieves the text from the first entry in name which matches $nid, if no +such entry exists -1 is returned. + +B this is a legacy function which has various limitations which +makes it of minimal use in practice. It can only find the first matching +entry and will copy the contents of the field verbatim: this can be highly +confusing if the target is a multicharacter string type like a BMPString or a UTF8String. 
+ + Net::SSLeay::X509_NAME_get_text_by_NID($name, $nid); + # $name - value corresponding to openssl's X509_NAME structure + # $nid - NID value (integer) + # + # returns: text value + +Check openssl doc L + +=item * X509_NAME_oneline + +Return an ASCII version of $name. + + Net::SSLeay::X509_NAME_oneline($name); + # $name - value corresponding to openssl's X509_NAME structure + # + # returns: (string) ASCII version of $name + +Check openssl doc L + +=item * sk_X509_NAME_free + +Free an allocated STACK_OF(X509_NAME) structure. + + Net::SSLeay::sk_X509_NAME_free($sk); + # $sk - value corresponding to openssl's STACK_OF(X509_NAME) structure + # + # returns: no return value + +=item * sk_X509_NAME_num + +Return number of items in STACK_OF(X509_NAME) + + my $rv = Net::SSLeay::sk_X509_NAME_num($sk); + # $sk - value corresponding to openssl's STACK_OF(X509_NAME) structure + # + # returns: number of items + +=item * sk_X509_NAME_value + +Returns X509_NAME from position $index in STACK_OF(X509_NAME) + + my $rv = Net::SSLeay::sk_X509_NAME_value($sk, $i); + # $sk - value corresponding to openssl's STACK_OF(X509_NAME) structure + # $i - (integer) index/position + # + # returns: value corresponding to openssl's X509_NAME structure (0 on failure) + +=item * add_file_cert_subjects_to_stack + +Add a file of certs to a stack. All certs in $file that are not already in the $stackCAs will be added. + + my $rv = Net::SSLeay::add_file_cert_subjects_to_stack($stackCAs, $file); + # $stackCAs - value corresponding to openssl's STACK_OF(X509_NAME) structure + # $file - (string) filename + # + # returns: 1 on success, 0 on failure + +=item * add_dir_cert_subjects_to_stack + +Add a directory of certs to a stack. All certs in $dir that are not already in the $stackCAs will be added. + + my $rv = Net::SSLeay::add_dir_cert_subjects_to_stack($stackCAs, $dir); + # $stackCAs - value corresponding to openssl's STACK_OF(X509_NAME) structure + # $dir - (string) the directory to append from. 
All files in this directory will be examined as potential certs. Any that are acceptable to SSL_add_dir_cert_subjects_to_stack() that are not already in the stack will be included. + # + # returns: 1 on success, 0 on failure + +=back + +=head3 Low level API: X509_STORE_* related functions + +=over + +=item * X509_STORE_CTX_new + +returns a newly initialised X509_STORE_CTX structure. + +=item * X509_STORE_CTX_init + +X509_STORE_CTX_init() sets up an X509_STORE_CTX for a subsequent verification operation. +It must be called before each call to X509_verify_cert(). + + my $rv = Net::SSLeay::X509_STORE_CTX_init($x509_store_ctx, $x509_store, $x509, $chain); + # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure (required) + # $x509_store - value corresponding to openssl's X509_STORE structure (optional) + # $x509 - value corresponding to openssl's X509 structure (optional) + # $chain - value corresponding to openssl's STACK_OF(X509) structure (optional) + # + # returns: 1 on success, 0 on failure + # + # Note: returns nothing with Net::SSLeay 1.90 and earlier. + +Check openssl doc L + +=item * X509_STORE_CTX_free + +Frees an X509_STORE_CTX structure. + + Net::SSLeay::X509_STORE_CTX_free($x509_store_ctx); + +# $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure + +=item * X509_verify_cert + +The X509_verify_cert() function attempts to discover and validate a +certificate chain based on parameters in ctx. A complete description +of the process is contained in the verify(1) manual page. + +If this function returns 0, use X509_STORE_CTX_get_error to get additional error +information. 
+ + my $rv = Net::SSLeay::X509_verify_cert($x509_store_ctx); + # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure + # + # returns: 1 if a complete chain can be built and validated, otherwise 0 + +Check openssl doc L + +=item * X509_STORE_CTX_get_current_cert + +Returns the certificate in ctx which caused the error or 0 if no certificate is relevant. + + my $rv = Net::SSLeay::X509_STORE_CTX_get_current_cert($x509_store_ctx); + # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure + # + # returns: value corresponding to openssl's X509 structure (0 on failure) + +Check openssl doc L + +=item * X509_STORE_CTX_get0_cert + +B: not available in Net-SSLeay-1.88 and before; requires at least OpenSSL 1.1.0pre6 or LibreSSL 2.7.0 + +Returns an internal pointer to the certificate being verified by the ctx. + + my $x509 = Net::SSLeay::X509_STORE_CTX_get0_cert($x509_store_ctx); + # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure + # + # returns: value corresponding to openssl's X509 structure + +Check openssl doc L + +=item * X509_STORE_CTX_get1_chain + +Returns a returns a complete validate chain if a previous call to X509_verify_cert() is successful. + + my $rv = Net::SSLeay::X509_STORE_CTX_get1_chain($x509_store_ctx); + # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure + # + # returns: value corresponding to openssl's STACK_OF(X509) structure + +Check openssl doc L + +=item * X509_STORE_CTX_get_error + +Returns the error code of $ctx. + + my $rv = Net::SSLeay::X509_STORE_CTX_get_error($x509_store_ctx); + # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure + # + # returns: (integer) error code + +For more info about erro code values check function L. + +Check openssl doc L + +=item * X509_STORE_CTX_get_error_depth + +Returns the depth of the error. This is a non-negative integer representing +where in the certificate chain the error occurred. 
If it is zero it occurred +in the end entity certificate, one if it is the certificate which signed +the end entity certificate and so on. + + my $rv = Net::SSLeay::X509_STORE_CTX_get_error_depth($x509_store_ctx); + # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure + # + # returns: (integer) depth + +Check openssl doc L + +=item * X509_STORE_CTX_get_ex_data + +Is used to retrieve the information for $idx from $x509_store_ctx. + + my $rv = Net::SSLeay::X509_STORE_CTX_get_ex_data($x509_store_ctx, $idx); + # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure + # $idx - (integer) index for application specific data + # + # returns: pointer to ??? + +=item * X509_STORE_CTX_set_ex_data + +Is used to store application data at arg for idx into $x509_store_ctx. + + my $rv = Net::SSLeay::X509_STORE_CTX_set_ex_data($x509_store_ctx, $idx, $data); + # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure + # $idx - (integer) ??? + # $data - (pointer) ??? + # + # returns: 1 on success, 0 on failure + +=item * X509_STORE_CTX_set_cert + +Sets the certificate to be verified in $x509_store_ctx to $x. + + Net::SSLeay::X509_STORE_CTX_set_cert($x509_store_ctx, $x); + # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure + # $x - value corresponding to openssl's X509 structure + # + # returns: no return value + +Check openssl doc L + +=item * X509_STORE_new + +Returns a newly initialized X509_STORE structure. + + my $rv = Net::SSLeay::X509_STORE_new(); + # + # returns: value corresponding to openssl's X509_STORE structure (0 on failure) + +=item * X509_STORE_free + +Frees an X509_STORE structure + + Net::SSLeay::X509_STORE_free($x509_store); + # $x509_store - value corresponding to openssl's X509_STORE structure + +=item * X509_STORE_add_lookup + +Adds a lookup to an X509_STORE for a given lookup method. 
+ + my $method = &Net::SSLeay::X509_LOOKUP_hash_dir; + my $rv = Net::SSLeay::X509_STORE_add_lookup($x509_store, $method); + # $method - value corresponding to openssl's X509_LOOKUP_METHOD structure + # $x509_store - value corresponding to openssl's X509_STORE structure + # + # returns: value corresponding to openssl's X509_LOOKUP structure + +Check openssl doc L + +=item * X509_STORE_CTX_set_error + +Sets the error code of $ctx to $s. For example it might be used in a verification callback to set an error based on additional checks. + + Net::SSLeay::X509_STORE_CTX_set_error($x509_store_ctx, $s); + # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure + # $s - (integer) error id + # + # returns: no return value + +Check openssl doc L + +=item * X509_STORE_add_cert + +Adds X509 certificate $x into the X509_STORE $store. + + my $rv = Net::SSLeay::X509_STORE_add_cert($store, $x); + # $store - value corresponding to openssl's X509_STORE structure + # $x - value corresponding to openssl's X509 structure + # + # returns: 1 on success, 0 on failure + +=item * X509_STORE_add_crl + +Adds X509 CRL $x into the X509_STORE $store. + + my $rv = Net::SSLeay::X509_STORE_add_crl($store, $x); + # $store - value corresponding to openssl's X509_STORE structure + # $x - value corresponding to openssl's X509_CRL structure + # + # returns: 1 on success, 0 on failure + +=item * X509_STORE_set1_param + +??? 
(more info needed) + + my $rv = Net::SSLeay::X509_STORE_set1_param($store, $pm); + # $store - value corresponding to openssl's X509_STORE structure + # $pm - value corresponding to openssl's X509_VERIFY_PARAM structure + # + # returns: 1 on success, 0 on failure + +=item * X509_LOOKUP_hash_dir + +Returns an X509_LOOKUP structure that instructs an X509_STORE to +load files from a directory containing certificates with filenames +in the format I or crls with filenames in the format IBI + + my $rv = Net::SSLeay::X509_LOOKUP_hash_dir(); + # + # returns: value corresponding to openssl's X509_LOOKUP_METHOD structure, with the hashed directory method + +Check openssl doc L + +=item * X509_LOOKUP_add_dir + +Add a directory to an X509_LOOKUP structure, usually obtained from +X509_STORE_add_lookup. + + my $method = &Net::SSLeay::X509_LOOKUP_hash_dir; + my $lookup = Net::SSLeay::X509_STORE_add_lookup($x509_store, $method); + my $type = &Net::SSLeay::X509_FILETYPE_PEM; + Net::SSLeay::X509_LOOKUP_add_dir($lookup, $dir, $type); + # $lookup - value corresponding to openssl's X509_LOOKUP structure + # $dir - string path to a directory + # $type - constant corresponding to the type of file in the directory - can be X509_FILETYPE_PEM, X509_FILETYPE_DEFAULT, or X509_FILETYPE_ASN1 + +=item * X509_STORE_set_flags + + Net::SSLeay::X509_STORE_set_flags($ctx, $flags); + # $ctx - value corresponding to openssl's X509_STORE structure + # $flags - (unsigned long) flags to be set (bitmask) + # + # returns: no return value + + #to create $flags value use corresponding constants like + $flags = Net::SSLeay::X509_V_FLAG_CRL_CHECK(); + +For more details about $flags bitmask see L. + +=item * X509_STORE_set_purpose + + Net::SSLeay::X509_STORE_set_purpose($ctx, $purpose); + # $ctx - value corresponding to openssl's X509_STORE structure + # $purpose - (integer) purpose identifier + # + # returns: no return value + +For more details about $purpose identifier check L. 
+ +=item * X509_STORE_set_trust + + Net::SSLeay::X509_STORE_set_trust($ctx, $trust); + # $ctx - value corresponding to openssl's X509_STORE structure + # $trust - (integer) trust identifier + # + # returns: no return value + +For more details about $trust identifier check L. + +=back + +=head3 Low Level API: X509_INFO related functions + +=over + +=item * sk_X509_INFO_num + +Returns the number of values in a STACK_OF(X509_INFO) structure. + + my $rv = Net::SSLeay::sk_X509_INFO_num($sk_x509_info); + # $sk_x509_info - value corresponding to openssl's STACK_OF(X509_INFO) structure + # + # returns: number of values in $sk_X509_info + +=item * sk_X509_INFO_value + +Returns the value of a STACK_OF(X509_INFO) structure at a given index. + + my $rv = Net::SSLeay::sk_X509_INFO_value($sk_x509_info, $index); + # $sk_x509_info - value corresponding to openssl's STACK_OF(X509_INFO) structure + # $index - index into the stack + # + # returns: value corresponding to openssl's X509_INFO structure at the given index + +=item * P_X509_INFO_get_x509 + +Returns the X509 structure stored in an X509_INFO structure. + + my $rv = Net::SSLeay::P_X509_INFO_get_x509($x509_info); + # $x509_info - value corresponding to openssl's X509_INFO structure + # + # returns: value corresponding to openssl's X509 structure + +=back + +=head3 Low level API: X509_VERIFY_PARAM_* related functions + +=over + +=item * X509_VERIFY_PARAM_add0_policy + +Enables policy checking (it is disabled by default) and adds $policy to the acceptable policy set. + + my $rv = Net::SSLeay::X509_VERIFY_PARAM_add0_policy($param, $policy); + # $param - value corresponding to openssl's X509_VERIFY_PARAM structure + # $policy - value corresponding to openssl's ASN1_OBJECT structure + # + # returns: 1 on success, 0 on failure + +Check openssl doc L + +=item * X509_VERIFY_PARAM_add0_table + +??? 
(more info needed) + + my $rv = Net::SSLeay::X509_VERIFY_PARAM_add0_table($param); + # $param - value corresponding to openssl's X509_VERIFY_PARAM structure + # + # returns: 1 on success, 0 on failure + +=item * X509_VERIFY_PARAM_add1_host + +B not available in Net-SSLeay-1.82 and before; requires at least OpenSSL 1.0.2-beta2 or LibreSSL 2.7.0 + +Adds an additional reference identifier that can match the peer's certificate. + + my $rv = Net::SSLeay::X509_VERIFY_PARAM_add1_host($param, $name); + # $param - value corresponding to openssl's X509_VERIFY_PARAM structure + # $name - (string) name to be set + # + # returns: 1 on success, 0 on failure + +See also OpenSSL docs, L and +L for more information, including +wildcard matching. + +Check openssl doc L + +=item * X509_VERIFY_PARAM_clear_flags + +Clears the flags $flags in param. + + my $rv = Net::SSLeay::X509_VERIFY_PARAM_clear_flags($param, $flags); + # $param - value corresponding to openssl's X509_VERIFY_PARAM structure + # $flags - (unsigned long) flags to be set (bitmask) + # + # returns: 1 on success, 0 on failure + +For more details about $flags bitmask see L. + +Check openssl doc L + +=item * X509_VERIFY_PARAM_free + +Frees up the X509_VERIFY_PARAM structure. + + Net::SSLeay::X509_VERIFY_PARAM_free($param); + # $param - value corresponding to openssl's X509_VERIFY_PARAM structure + # + # returns: no return value + +=item * X509_VERIFY_PARAM_get0_peername + +B not available in Net-SSLeay-1.82 and before; requires at least OpenSSL 1.0.2-beta2 or LibreSSL 2.7.0 + +Returns the DNS hostname or subject CommonName from the peer certificate that matched one of the reference identifiers. + + my $rv = Net::SSLeay::X509_VERIFY_PARAM_get0_peername($param); + # $param - value corresponding to openssl's X509_VERIFY_PARAM structure + # + # returns: (string) name e.g. '*.example.com' or undef + +Check openssl doc L + +=item * X509_VERIFY_PARAM_get_depth + +Returns the current verification depth. 
+ + my $rv = Net::SSLeay::X509_VERIFY_PARAM_get_depth($param); + # $param - value corresponding to openssl's X509_VERIFY_PARAM structure + # + # returns: (ineger) depth + +Check openssl doc L + +=item * X509_VERIFY_PARAM_get_flags + +Returns the current verification flags. + + my $rv = Net::SSLeay::X509_VERIFY_PARAM_get_flags($param); + # $param - value corresponding to openssl's X509_VERIFY_PARAM structure + # + # returns: (unsigned long) flags to be set (bitmask) + +For more details about returned flags bitmask see L. + +Check openssl doc L + +=item * X509_VERIFY_PARAM_set_flags + + my $rv = Net::SSLeay::X509_VERIFY_PARAM_set_flags($param, $flags); + # $param - value corresponding to openssl's X509_VERIFY_PARAM structure + # $flags - (unsigned long) flags to be set (bitmask) + # + # returns: 1 on success, 0 on failure + + #to create $flags value use corresponding constants like + $flags = Net::SSLeay::X509_V_FLAG_CRL_CHECK(); + +For more details about $flags bitmask, see the OpenSSL docs below. + +Check openssl doc L + +=item * X509_VERIFY_PARAM_inherit + +??? (more info needed) + + my $rv = Net::SSLeay::X509_VERIFY_PARAM_inherit($to, $from); + # $to - value corresponding to openssl's X509_VERIFY_PARAM structure + # $from - value corresponding to openssl's X509_VERIFY_PARAM structure + # + # returns: 1 on success, 0 on failure + +=item * X509_VERIFY_PARAM_lookup + +Finds X509_VERIFY_PARAM by name. + + my $rv = Net::SSLeay::X509_VERIFY_PARAM_lookup($name); + # $name - (string) name we want to find + # + # returns: value corresponding to openssl's X509_VERIFY_PARAM structure (0 on failure) + +=item * X509_VERIFY_PARAM_new + +Creates a new X509_VERIFY_PARAM structure. + + my $rv = Net::SSLeay::X509_VERIFY_PARAM_new(); + # + # returns: value corresponding to openssl's X509_VERIFY_PARAM structure (0 on failure) + +=item * X509_VERIFY_PARAM_set1 + +Sets the name of X509_VERIFY_PARAM structure $to to the same value +as the name of X509_VERIFY_PARAM structure $from. 
+ + my $rv = Net::SSLeay::X509_VERIFY_PARAM_set1($to, $from); + # $to - value corresponding to openssl's X509_VERIFY_PARAM structure + # $from - value corresponding to openssl's X509_VERIFY_PARAM structure + # + # returns: 1 on success, 0 on failure + +=item * X509_VERIFY_PARAM_set1_email + +B not available in Net-SSLeay-1.82 and before; requires at least OpenSSL 1.0.2-beta1 or LibreSSL 2.7.0 + +Sets the expected RFC822 email address to email. + + my $rv = Net::SSLeay::X509_VERIFY_PARAM_set1_email($param, $email); + # $param - value corresponding to openssl's X509_VERIFY_PARAM structure + # $email - (string) email to be set + # + # returns: 1 on success, 0 on failure + +Check openssl doc L + +=item * X509_VERIFY_PARAM_set1_host + +B not available in Net-SSLeay-1.82 and before; requires at least OpenSSL 1.0.2-beta1 or LibreSSL 2.7.0 + +Sets the expected DNS hostname to name clearing any previously specified host name or names. + + my $rv = Net::SSLeay::X509_VERIFY_PARAM_set1_host($param, $name); + # $param - value corresponding to openssl's X509_VERIFY_PARAM structure + # $name - (string) name to be set + # + # returns: 1 on success, 0 on failure + +See also OpenSSL docs, L and +L for more information, including +wildcard matching. + +Check openssl doc L + +=item * X509_VERIFY_PARAM_set1_ip + +B not available in Net-SSLeay-1.82 and before; requires at least OpenSSL 1.0.2-beta1 or LibreSSL 2.7.0 + +Sets the expected IP address to ip. + + my $rv = Net::SSLeay::X509_VERIFY_PARAM_set1_ip($param, $ip); + # $param - value corresponding to openssl's X509_VERIFY_PARAM structure + # $ip - (binary) 4 octet IPv4 or 16 octet IPv6 address + # + # returns: 1 on success, 0 on failure + +Check openssl doc L + +=item * X509_VERIFY_PARAM_set1_ip_asc + +B not available in Net-SSLeay-1.82 and before; requires at least OpenSSL 1.0.2-beta1 or LibreSSL 2.7.0 + +Sets the expected IP address to ipasc. 
+ + my $rv = Net::SSLeay::X509_VERIFY_PARAM_set1_asc($param, $ipasc); + # $param - value corresponding to openssl's X509_VERIFY_PARAM structure + # $ip - (string) IPv4 or IPv6 address + # + # returns: 1 on success, 0 on failure + +Check openssl doc L + +=item * X509_VERIFY_PARAM_set1_name + +Sets the name of X509_VERIFY_PARAM structure $param to $name. + + my $rv = Net::SSLeay::X509_VERIFY_PARAM_set1_name($param, $name); + # $param - value corresponding to openssl's X509_VERIFY_PARAM structure + # $name - (string) name to be set + # + # returns: 1 on success, 0 on failure + +=item * X509_VERIFY_PARAM_set1_policies + +Enables policy checking (it is disabled by default) and sets the acceptable policy set to policies. +Any existing policy set is cleared. The policies parameter can be 0 to clear an existing policy set. + + my $rv = Net::SSLeay::X509_VERIFY_PARAM_set1_policies($param, $policies); + # $param - value corresponding to openssl's X509_VERIFY_PARAM structure + # $policies - value corresponding to openssl's STACK_OF(ASN1_OBJECT) structure + # + # returns: 1 on success, 0 on failure + +Check openssl doc L + +=item * X509_VERIFY_PARAM_set_depth + +Sets the maximum verification depth to depth. That is the maximum number of untrusted CA certificates that can appear in a chain. + + Net::SSLeay::X509_VERIFY_PARAM_set_depth($param, $depth); + # $param - value corresponding to openssl's X509_VERIFY_PARAM structure + # $depth - (integer) depth to be set + # + # returns: no return value + +Check openssl doc L + +=item * X509_VERIFY_PARAM_set_hostflags + +B not available in Net-SSLeay-1.82 and before; requires at least OpenSSL 1.0.2-beta2 or LibreSSL 2.7.0 + + Net::SSLeay::X509_VERIFY_PARAM_set_hostflags($param, $flags); + # $param - value corresponding to openssl's X509_VERIFY_PARAM structure + # $flags - (unsigned int) flags to be set (bitmask) + # + # returns: no return value + +See also OpenSSL docs, L and L for more information. 
+The flags for controlling wildcard checks and other features are defined in OpenSSL docs. + +Check openssl doc L + +=item * X509_VERIFY_PARAM_set_purpose + +Sets the verification purpose in $param to $purpose. This determines the acceptable purpose +of the certificate chain, for example SSL client or SSL server. + + my $rv = Net::SSLeay::X509_VERIFY_PARAM_set_purpose($param, $purpose); + # $param - value corresponding to openssl's X509_VERIFY_PARAM structure + # $purpose - (integer) purpose identifier + # + # returns: 1 on success, 0 on failure + +For more details about $purpose identifier check L. + +Check openssl doc L + +=item * X509_VERIFY_PARAM_set_time + +Sets the verification time in $param to $t. Normally the current time is used. + + Net::SSLeay::X509_VERIFY_PARAM_set_time($param, $t); + # $param - value corresponding to openssl's X509_VERIFY_PARAM structure + # $t - (time_t) time in seconds since 1.1.1970 + # + # returns: no return value + +Check openssl doc L + +=item * X509_VERIFY_PARAM_set_trust + +Sets the trust setting in $param to $trust. + + my $rv = Net::SSLeay::X509_VERIFY_PARAM_set_trust($param, $trust); + # $param - value corresponding to openssl's X509_VERIFY_PARAM structure + # $trust - (integer) trust identifier + # + # returns: 1 on success, 0 on failure + +For more details about $trust identifier check L. + +Check openssl doc L + +=item * X509_VERIFY_PARAM_table_cleanup + +??? (more info needed) + + Net::SSLeay::X509_VERIFY_PARAM_table_cleanup(); + # + # returns: no return value + +=back + +=head3 Low level API: Cipher (EVP_CIPHER_*) related functions + +=over + +=item * EVP_get_cipherbyname + +B not available in Net-SSLeay-1.45 and before + +Returns an EVP_CIPHER structure when passed a cipher name. + + my $rv = Net::SSLeay::EVP_get_cipherbyname($name); + # $name - (string) cipher name e.g. 'aes-128-cbc', 'camellia-256-ecb', 'des-ede', ... 
+ # + # returns: value corresponding to openssl's EVP_CIPHER structure + +Check openssl doc L + +=back + +=head3 Low level API: Digest (EVP_MD_*) related functions + +=over + +=item * OpenSSL_add_all_digests + +B not available in Net-SSLeay-1.42 and before + + Net::SSLeay::OpenSSL_add_all_digests(); + # no args, no return value + +http://www.openssl.org/docs/crypto/OpenSSL_add_all_algorithms.html + +=item * P_EVP_MD_list_all + +B not available in Net-SSLeay-1.42 and before; requires at least openssl-1.0.0 + +B Does not exactly correspond to any low level API function + + my $rv = Net::SSLeay::P_EVP_MD_list_all(); + # + # returns: arrayref - list of available digest names + +The returned digest names correspond to values expected by L. + +Note that some of the digests are available by default and some only after calling L. + +=item * EVP_get_digestbyname + +B not available in Net-SSLeay-1.42 and before + + my $rv = Net::SSLeay::EVP_get_digestbyname($name); + # $name - string with digest name + # + # returns: value corresponding to openssl's EVP_MD structure + +The $name param can be: + + md2 + md4 + md5 + mdc2 + ripemd160 + sha + sha1 + sha224 + sha256 + sha512 + whirlpool + +Or better check the supported digests by calling L. + +=item * EVP_MD_type + +B not available in Net-SSLeay-1.42 and before + + my $rv = Net::SSLeay::EVP_MD_type($md); + # $md - value corresponding to openssl's EVP_MD structure + # + # returns: the NID (integer) of the OBJECT IDENTIFIER representing the given message digest + +=item * EVP_MD_size + +B not available in Net-SSLeay-1.42 and before + + my $rv = Net::SSLeay::EVP_MD_size($md); + # $md - value corresponding to openssl's EVP_MD structure + # + # returns: the size of the message digest in bytes (e.g. 
20 for SHA1) + +=item * EVP_MD_CTX_md + +B not available in Net-SSLeay-1.42 and before; requires at least openssl-0.9.7 + + Net::SSLeay::EVP_MD_CTX_md($ctx); + # $ctx - value corresponding to openssl's EVP_MD_CTX structure + # + # returns: value corresponding to openssl's EVP_MD structure + +=item * EVP_MD_CTX_create + +B not available in Net-SSLeay-1.42 and before; requires at least openssl-0.9.7 + +Allocates, initializes and returns a digest context. + + my $rv = Net::SSLeay::EVP_MD_CTX_create(); + # + # returns: value corresponding to openssl's EVP_MD_CTX structure + +The complete idea behind EVP_MD_CTX looks like this example: + + Net::SSLeay::OpenSSL_add_all_digests(); + + my $md = Net::SSLeay::EVP_get_digestbyname("sha1"); + my $ctx = Net::SSLeay::EVP_MD_CTX_create(); + Net::SSLeay::EVP_DigestInit($ctx, $md); + + while(my $chunk = get_piece_of_data()) { + Net::SSLeay::EVP_DigestUpdate($ctx,$chunk); + } + + my $result = Net::SSLeay::EVP_DigestFinal($ctx); + Net::SSLeay::EVP_MD_CTX_destroy($ctx); + + print "digest=", unpack('H*', $result), "\n"; #print hex value + +=item * EVP_DigestInit_ex + +B not available in Net-SSLeay-1.42 and before; requires at least openssl-0.9.7 + +Sets up digest context $ctx to use a digest $type from ENGINE $impl, $ctx must be +initialized before calling this function, type will typically be supplied by a function +such as L. If $impl is 0 then the default implementation of digest $type is used. 
+ + my $rv = Net::SSLeay::EVP_DigestInit_ex($ctx, $type, $impl); + # $ctx - value corresponding to openssl's EVP_MD_CTX structure + # $type - value corresponding to openssl's EVP_MD structure + # $impl - value corresponding to openssl's ENGINE structure + # + # returns: 1 for success and 0 for failure + +=item * EVP_DigestInit + +B not available in Net-SSLeay-1.42 and before; requires at least openssl-0.9.7 + +Behaves in the same way as L except the passed context $ctx does not have +to be initialized, and it always uses the default digest implementation. + + my $rv = Net::SSLeay::EVP_DigestInit($ctx, $type); + # $ctx - value corresponding to openssl's EVP_MD_CTX structure + # $type - value corresponding to openssl's EVP_MD structure + # + # returns: 1 for success and 0 for failure + +=item * EVP_MD_CTX_destroy + +B not available in Net-SSLeay-1.42 and before; requires at least openssl-0.9.7 + +Cleans up digest context $ctx and frees up the space allocated to it, it should be +called only on a context created using L. + + Net::SSLeay::EVP_MD_CTX_destroy($ctx); + # $ctx - value corresponding to openssl's EVP_MD_CTX structure + # + # returns: no return value + +=item * EVP_DigestUpdate + +B not available in Net-SSLeay-1.42 and before; requires at least openssl-0.9.7 + + my $rv = Net::SSLeay::EVP_DigestUpdate($ctx, $data); + # $ctx - value corresponding to openssl's EVP_MD_CTX structure + # $data - data to be hashed + # + # returns: 1 for success and 0 for failure + +=item * EVP_DigestFinal_ex + +B not available in Net-SSLeay-1.42 and before; requires at least openssl-0.9.7 + +Retrieves the digest value from $ctx. After calling L no +additional calls to L can be made, but +L can be called to initialize a new digest operation. 
+ + my $digest_value = Net::SSLeay::EVP_DigestFinal_ex($ctx); + # $ctx - value corresponding to openssl's EVP_MD_CTX structure + # + # returns: hash value (binary) + + #to get printable (hex) value of digest use: + print unpack('H*', $digest_value); + +=item * EVP_DigestFinal + +B not available in Net-SSLeay-1.42 and before; requires at least openssl-0.9.7 + +Similar to L except the digest context ctx is automatically cleaned up. + + my $rv = Net::SSLeay::EVP_DigestFinal($ctx); + # $ctx - value corresponding to openssl's EVP_MD_CTX structure + # + # returns: hash value (binary) + + #to get printable (hex) value of digest use: + print unpack('H*', $digest_value); + +=item * MD2 + +B no supported by default in openssl-1.0.0 + +Computes MD2 from given $data (all data needs to be loaded into memory) + + my $digest = Net::SSLeay::MD2($data); + print "digest(hexadecimal)=", unpack('H*', $digest); + +=item * MD4 + +Computes MD4 from given $data (all data needs to be loaded into memory) + + my $digest = Net::SSLeay::MD4($data); + print "digest(hexadecimal)=", unpack('H*', $digest); + +=item * MD5 + +Computes MD5 from given $data (all data needs to be loaded into memory) + + my $digest = Net::SSLeay::MD5($data); + print "digest(hexadecimal)=", unpack('H*', $digest); + +=item * RIPEMD160 + +Computes RIPEMD160 from given $data (all data needs to be loaded into memory) + + my $digest = Net::SSLeay::RIPEMD160($data); + print "digest(hexadecimal)=", unpack('H*', $digest); + +=item * SHA1 + +B not available in Net-SSLeay-1.42 and before + +Computes SHA1 from given $data (all data needs to be loaded into memory) + + my $digest = Net::SSLeay::SHA1($data); + print "digest(hexadecimal)=", unpack('H*', $digest); + +=item * SHA256 + +B not available in Net-SSLeay-1.42 and before; requires at least openssl-0.9.8 + +Computes SHA256 from given $data (all data needs to be loaded into memory) + + my $digest = Net::SSLeay::SHA256($data); + print "digest(hexadecimal)=", unpack('H*', $digest); 
+ +=item * SHA512 + +B not available in Net-SSLeay-1.42 and before; requires at least openssl-0.9.8 + +Computes SHA512 from given $data (all data needs to be loaded into memory) + + my $digest = Net::SSLeay::SHA512($data); + print "digest(hexadecimal)=", unpack('H*', $digest); + +=item * EVP_Digest + +B not available in Net-SSLeay-1.42 and before; requires at least openssl-0.9.7 + +Computes "any" digest from given $data (all data needs to be loaded into memory) + + my $md = Net::SSLeay::EVP_get_digestbyname("sha1"); #or any other algorithm + my $digest = Net::SSLeay::EVP_Digest($data, $md); + print "digest(hexadecimal)=", unpack('H*', $digest); + +=item * EVP_sha1 + +B not available in Net-SSLeay-1.42 and before + + my $md = Net::SSLeay::EVP_sha1(); + # + # returns: value corresponding to openssl's EVP_MD structure + +=item * EVP_sha256 + +B requires at least openssl-0.9.8 + + my $md = Net::SSLeay::EVP_sha256(); + # + # returns: value corresponding to openssl's EVP_MD structure + +=item * EVP_sha512 + +B not available in Net-SSLeay-1.42 and before; requires at least openssl-0.9.8 + + my $md = Net::SSLeay::EVP_sha512(); + # + # returns: value corresponding to openssl's EVP_MD structure + +=item * EVP_add_digest + + my $rv = Net::SSLeay::EVP_add_digest($digest); + # $digest - value corresponding to openssl's EVP_MD structure + # + # returns: 1 on success, 0 otherwise + +=back + +=head3 Low level API: CIPHER_* related functions + +=over + +=item * CIPHER_get_name + +B not available in Net-SSLeay-1.42 and before + +Returns name of the cipher used. + + my $rv = Net::SSLeay::CIPHER_get_name($cipher); + # $cipher - value corresponding to openssl's SSL_CIPHER structure + # + # returns: (string) cipher name e.g. 'DHE-RSA-AES256-SHA', '(NONE)' if $cipher is undefined. 
+
+Check openssl doc L
+
+Example:
+
+ my $ssl_cipher = Net::SSLeay::get_current_cipher($ssl);
+ my $cipher_name = Net::SSLeay::CIPHER_get_name($ssl_cipher);
+
+=item * CIPHER_description
+
+B doesn't work correctly in Net-SSLeay-1.88 and before
+
+Returns a textual description of the cipher used.
+
+ my $rv = Net::SSLeay::CIPHER_description($cipher);
+ # $cipher - value corresponding to openssl's SSL_CIPHER structure
+ #
+ # returns: (string) cipher description e.g. 'DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1'
+
+Check openssl doc L
+
+=item * CIPHER_get_bits
+
+B $alg_bits doesn't work correctly in Net-SSLeay-1.88 and before
+
+Returns the number of secret bits used for cipher.
+
+ my $rv = Net::SSLeay::CIPHER_get_bits($cipher, $alg_bits);
+ # $cipher - value corresponding to openssl's SSL_CIPHER structure
+ # $alg_bits - [optional] empty scalar for storing additional return value
+ #
+ # returns: (integer) number of secret bits, 0 on error
+ # (integer) in $alg_bits for bits processed by the chosen algorithm
+
+Check openssl doc L
+
+Example:
+
+ # bits and alg_bits are not equal for e.g., TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ # RFC 8422 name TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+ my $alg_bits;
+ my $bits = Net::SSLeay::CIPHER_get_bits($cipher, $alg_bits);
+ #my $bits = Net::SSLeay::CIPHER_get_bits($cipher);
+ print "bits: $bits, alg_bits: $alg_bits\n";
+
+
+=item * CIPHER_get_version
+
+B not available in Net-SSLeay-1.88 and before
+
+Returns version of SSL/TLS protocol that first defined the cipher
+
+ my $rv = Net::SSLeay::CIPHER_get_version($cipher);
+ # $cipher - value corresponding to openssl's SSL_CIPHER structure
+ #
+ # returns: (string) cipher name e.g. 'TLSv1/SSLv3' with some libraries, 'TLSv1.0' or 'TLSv1.3', '(NONE)' if $cipher is undefined.
+
+Check openssl doc L
+
+=back
+
+=head3 Low level API: RSA_* related functions
+
+=over
+
+=item * RSA_generate_key
+
+Generates a key pair and returns it in a newly allocated RSA structure.
+The pseudo-random number generator must be seeded prior to calling RSA_generate_key.
+
+ my $rv = Net::SSLeay::RSA_generate_key($bits, $e, $perl_cb, $perl_cb_arg);
+ # $bits - (integer) modulus size in bits e.g. 512, 1024, 2048
+ # $e - (integer) public exponent, an odd number, typically 3, 17 or 65537
+ # $perl_cb - [optional] reference to perl callback function
+ # $perl_cb_arg - [optional] data that will be passed to callback function when invoked
+ #
+ # returns: value corresponding to openssl's RSA structure (0 on failure)
+
+Check openssl doc L
+
+=item * RSA_free
+
+Frees the RSA structure and its components. The key is erased before the memory is returned to the system.
+
+ Net::SSLeay::RSA_free($r);
+ # $r - value corresponding to openssl's RSA structure
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * RSA_get_key_parameters
+
+Returns a list of pointers to BIGNUMs representing the parameters of the key in
+this order:
+(n, e, d, p, q, dmp1, dmq1, iqmp)
+
+Caution: returned list consists of SV pointers to BIGNUMs, which would need to be blessed as Crypt::OpenSSL::Bignum for further use
+
+ my (@params) = RSA_get_key_parameters($r);
+
+=back
+
+=head3 Low level API: BIO_* related functions
+
+=over
+
+=item * BIO_eof
+
+Returns 1 if the BIO has read EOF, the precise meaning of 'EOF' varies according to the BIO type.
+
+ my $rv = Net::SSLeay::BIO_eof($s);
+ # $s - value corresponding to openssl's BIO structure
+ #
+ # returns: 1 if EOF has been reached 0 otherwise
+
+Check openssl doc L
+
+=item * BIO_f_ssl
+
+Returns the SSL BIO method. This is a filter BIO which is a wrapper
+round the OpenSSL SSL routines adding a BIO 'flavour' to SSL I/O.
+
+ my $rv = Net::SSLeay::BIO_f_ssl();
+ #
+ # returns: value corresponding to openssl's BIO_METHOD structure (0 on failure)
+
+Check openssl doc L
+
+=item * BIO_free
+
+Frees up a single BIO.
+
+ my $rv = Net::SSLeay::BIO_free($bio;);
+ # $bio; - value corresponding to openssl's BIO structure
+ #
+ # returns: 1 on success, 0 on failure
+
+Check openssl doc L
+
+=item * BIO_new
+
+Returns a new BIO using method $type
+
+ my $rv = Net::SSLeay::BIO_new($type);
+ # $type - value corresponding to openssl's BIO_METHOD structure
+ #
+ # returns: value corresponding to openssl's BIO structure (0 on failure)
+
+Check openssl doc L
+
+=item * BIO_new_buffer_ssl_connect
+
+Creates a new BIO chain consisting of a buffering BIO, an SSL BIO (using ctx) and a connect BIO.
+
+ my $rv = Net::SSLeay::BIO_new_buffer_ssl_connect($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: value corresponding to openssl's BIO structure (0 on failure)
+
+Check openssl doc L
+
+=item * BIO_new_file
+
+Creates a new file BIO with mode $mode the meaning of mode is the same
+as the stdio function fopen(). The BIO_CLOSE flag is set on the returned BIO.
+
+ my $rv = Net::SSLeay::BIO_new_file($filename, $mode);
+ # $filename - (string) filename
+ # $mode - (string) opening mode (as mode by stdio function fopen)
+ #
+ # returns: value corresponding to openssl's BIO structure (0 on failure)
+
+Check openssl doc L
+
+=item * BIO_new_ssl
+
+Allocates an SSL BIO using SSL_CTX ctx and using client mode if client is non zero.
+
+ my $rv = Net::SSLeay::BIO_new_ssl($ctx, $client);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $client - (integer) 0 or 1 - indicates ssl client mode
+ #
+ # returns: value corresponding to openssl's BIO structure (0 on failure)
+
+Check openssl doc L
+
+=item * BIO_new_ssl_connect
+
+Creates a new BIO chain consisting of an SSL BIO (using ctx) followed by a connect BIO.
+
+ my $rv = Net::SSLeay::BIO_new_ssl_connect($ctx);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ #
+ # returns: value corresponding to openssl's BIO structure (0 on failure)
+
+Check openssl doc L
+
+=item * BIO_pending
+
+Return the number of pending characters in the BIOs read buffers.
+
+ my $rv = Net::SSLeay::BIO_pending($s);
+ # $s - value corresponding to openssl's BIO structure
+ #
+ # returns: the amount of pending data
+
+Check openssl doc L
+
+=item * BIO_wpending
+
+Return the number of pending characters in the BIOs write buffers.
+
+ my $rv = Net::SSLeay::BIO_wpending($s);
+ # $s - value corresponding to openssl's BIO structure
+ #
+ # returns: the amount of pending data
+
+Check openssl doc L
+
+=item * BIO_read
+
+Read the underlying descriptor.
+
+ Net::SSLeay::BIO_read($s, $max);
+ # $s - value corresponding to openssl's BIO structure
+ # $max - [optional] max. bytes to read (if not specified, the value 32768 is used)
+ #
+ # returns: data
+
+Check openssl doc L
+
+=item * BIO_write
+
+Attempts to write data from $buffer to BIO $b.
+
+ my $rv = Net::SSLeay::BIO_write($b, $buffer);
+ # $b - value corresponding to openssl's BIO structure
+ # $buffer - data
+ #
+ # returns: amount of data successfully written
+ # or that no data was successfully read or written if the result is 0 or -1
+ # or -2 when the operation is not implemented in the specific BIO type
+
+Check openssl doc L
+
+=item * BIO_s_mem
+
+Return the memory BIO method function.
+
+ my $rv = Net::SSLeay::BIO_s_mem();
+ #
+ # returns: value corresponding to openssl's BIO_METHOD structure (0 on failure)
+
+Check openssl doc L
+
+=item * BIO_ssl_copy_session_id
+
+Copies an SSL session id between BIO chains from and to. It does this by locating
+the SSL BIOs in each chain and calling SSL_copy_session_id() on the internal SSL pointer.
+
+ my $rv = Net::SSLeay::BIO_ssl_copy_session_id($to, $from);
+ # $to - value corresponding to openssl's BIO structure
+ # $from - value corresponding to openssl's BIO structure
+ #
+ # returns: 1 on success, 0 on failure
+
+Check openssl doc L
+
+=item * BIO_ssl_shutdown
+
+Closes down an SSL connection on BIO chain bio. It does this by locating the
+SSL BIO in the chain and calling SSL_shutdown() on its internal SSL pointer.
+
+ Net::SSLeay::BIO_ssl_shutdown($ssl_bio);
+ # $ssl_bio - value corresponding to openssl's BIO structure
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=back
+
+=head3 Low level API: Server side Server Name Indication (SNI) support
+
+=over
+
+=item * set_tlsext_host_name
+
+TBA
+
+=item * get_servername
+
+TBA
+
+=item * get_servername_type
+
+TBA
+
+=item * CTX_set_tlsext_servername_callback
+
+B requires at least OpenSSL 0.9.8f
+
+This function is used in a server to support Server side Server Name Indication (SNI).
+
+ Net::SSLeay::CTX_set_tlsext_servername_callback($ctx, $code)
+ # $ctx - SSL context
+ # $code - reference to a subroutine that will be called when a new connection is being initiated
+ #
+ # returns: no return value
+
+On the client side:
+use set_tlsext_host_name($ssl, $servername) before initiating the SSL connection.
+
+On the server side:
+Set up an additional SSL_CTX() for each different certificate;
+
+Add a servername callback to each SSL_CTX() using CTX_set_tlsext_servername_callback();
+
+The callback function is required to retrieve the client-supplied servername
+with get_servername(ssl). Figure out the right
+SSL_CTX to go with that host name, then switch the SSL object to that SSL_CTX
+with set_SSL_CTX().
+
+Example:
+
+ # set callback
+ Net::SSLeay::CTX_set_tlsext_servername_callback($ctx,
+ sub {
+ my $ssl = shift;
+ my $h = Net::SSLeay::get_servername($ssl);
+ Net::SSLeay::set_SSL_CTX($ssl, $hostnames{$h}->{ctx}) if exists $hostnames{$h};
+ } );
+
+
+More complete example:
+
+ # ...
 initialize Net::SSLeay
+
+ my %hostnames = (
+ 'sni1' => { cert=>'sni1.pem', key=>'sni1.key' },
+ 'sni2' => { cert=>'sni2.pem', key=>'sni2.key' },
+ );
+
+ # create a new context for each certificate/key pair
+ for my $name (keys %hostnames) {
+ $hostnames{$name}->{ctx} = Net::SSLeay::CTX_new or die;
+ Net::SSLeay::CTX_set_cipher_list($hostnames{$name}->{ctx}, 'ALL');
+ Net::SSLeay::set_cert_and_key($hostnames{$name}->{ctx},
+ $hostnames{$name}->{cert}, $hostnames{$name}->{key}) or die;
+ }
+
+ # create default context
+ my $ctx = Net::SSLeay::CTX_new or die;
+ Net::SSLeay::CTX_set_cipher_list($ctx, 'ALL');
+ Net::SSLeay::set_cert_and_key($ctx, 'cert.pem','key.pem') or die;
+
+ # set callback
+ Net::SSLeay::CTX_set_tlsext_servername_callback($ctx, sub {
+ my $ssl = shift;
+ my $h = Net::SSLeay::get_servername($ssl);
+ Net::SSLeay::set_SSL_CTX($ssl, $hostnames{$h}->{ctx}) if exists $hostnames{$h};
+ } );
+
+ # ... later
+
+ $s = Net::SSLeay::new($ctx);
+ Net::SSLeay::set_fd($s, fileno($accepted_socket));
+ Net::SSLeay::accept($s);
+
+=back
+
+=head3 Low level API: NPN (next protocol negotiation) related functions
+
+NPN is being replaced with ALPN, a more recent TLS extension for application
+protocol negotiation that's in process of being adopted by IETF. Please look
+below for APLN API description.
+
+Simple approach for using NPN support looks like this:
+
+ ### client side
+ use Net::SSLeay;
+ use IO::Socket::INET;
+
+ Net::SSLeay::initialize();
+ my $sock = IO::Socket::INET->new(PeerAddr=>'encrypted.google.com:443') or die;
+ my $ctx = Net::SSLeay::CTX_tlsv1_new() or die;
+ Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL);
+ Net::SSLeay::CTX_set_next_proto_select_cb($ctx, ['http1.1','spdy/2']);
+ my $ssl = Net::SSLeay::new($ctx) or die;
+ Net::SSLeay::set_fd($ssl, fileno($sock)) or die;
+ Net::SSLeay::connect($ssl);
+
+ warn "client:negotiated=",Net::SSLeay::P_next_proto_negotiated($ssl), "\n";
+ warn "client:last_status=", Net::SSLeay::P_next_proto_last_status($ssl), "\n";
+
+ ### server side
+ use Net::SSLeay;
+ use IO::Socket::INET;
+
+ Net::SSLeay::initialize();
+ my $ctx = Net::SSLeay::CTX_tlsv1_new() or die;
+ Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL);
+ Net::SSLeay::set_cert_and_key($ctx, "cert.pem", "key.pem");
+ Net::SSLeay::CTX_set_next_protos_advertised_cb($ctx, ['spdy/2','http1.1']);
+ my $sock = IO::Socket::INET->new(LocalAddr=>'localhost', LocalPort=>5443, Proto=>'tcp', Listen=>20) or die;
+
+ while (1) {
+ my $ssl = Net::SSLeay::new($ctx);
+ warn("server:waiting for incoming connection...\n");
+ my $fd = $sock->accept();
+ Net::SSLeay::set_fd($ssl, $fd->fileno);
+ Net::SSLeay::accept($ssl);
+ warn "server:negotiated=",Net::SSLeay::P_next_proto_negotiated($ssl),"\n";
+ my $got = Net::SSLeay::read($ssl);
+ Net::SSLeay::ssl_write_all($ssl, "length=".length($got));
+ Net::SSLeay::free($ssl);
+ $fd->close();
+ }
+ # check with: openssl s_client -connect localhost:5443 -nextprotoneg http/1.1,spdy/2
+
+Please note that the selection (negotiation) is performed by client side, the server side simply advertise the list of supported protocols.
+
+Advanced approach allows you to implement your own negotiation algorithm.
+
+ #see below documentation for:
+ Net::SSleay::CTX_set_next_proto_select_cb($ctx, $perl_callback_function, $callback_data);
+ Net::SSleay::CTX_set_next_protos_advertised_cb($ctx, $perl_callback_function, $callback_data);
+
+Detection of NPN support (works even in older Net::SSLeay versions):
+
+ use Net::SSLeay;
+
+ if (exists &Net::SSLeay::P_next_proto_negotiated) {
+ # do NPN stuff
+ }
+
+=over
+
+=item * CTX_set_next_proto_select_cb
+
+B not available in Net-SSLeay-1.45 and before; requires at least openssl-1.0.1
+
+B You need CTX_set_next_proto_select_cb on B of SSL connection.
+
+Simple usage - in this case a "common" negotiation algorithm (as implemented by openssl's function SSL_select_next_proto) is used.
+
+ $rv = Net::SSleay::CTX_set_next_proto_select_cb($ctx, $arrayref);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $arrayref - list of accepted protocols - e.g. ['http1.0', 'http1.1']
+ #
+ # returns: 0 on success, 1 on failure
+
+Advanced usage (you probably do not need this):
+
+ $rv = Net::SSleay::CTX_set_next_proto_select_cb($ctx, $perl_callback_function, $callback_data);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $perl_callback_function - reference to perl function
+ # $callback_data - [optional] data to passed to callback function when invoked
+ #
+ # returns: 0 on success, 1 on failure
+
+ # where callback function looks like
+ sub npn_advertised_cb_invoke {
+ my ($ssl, $arrayref_proto_list_advertised_by_server, $callback_data) = @_;
+ my $status;
+ # ...
+ $status = 1; #status can be:
+ # 0 - OPENSSL_NPN_UNSUPPORTED
+ # 1 - OPENSSL_NPN_NEGOTIATED
+ # 2 - OPENSSL_NPN_NO_OVERLAP
+ return $status, ['http1.1','spdy/2']; # the callback has to return 2 values
+ }
+
+To undefine/clear this callback use:
+
+ Net::SSleay::CTX_set_next_proto_select_cb($ctx, undef);
+
+=item * CTX_set_next_protos_advertised_cb
+
+B not available in Net-SSLeay-1.45 and before; requires at least openssl-1.0.1
+
+B You need CTX_set_next_proto_select_cb on B of SSL connection.
+
+Simple usage:
+
+ $rv = Net::SSleay::CTX_set_next_protos_advertised_cb($ctx, $arrayref);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $arrayref - list of advertised protocols - e.g. ['http1.0', 'http1.1']
+ #
+ # returns: 0 on success, 1 on failure
+
+Advanced usage (you probably do not need this):
+
+ $rv = Net::SSleay::CTX_set_next_protos_advertised_cb($ctx, $perl_callback_function, $callback_data);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $perl_callback_function - reference to perl function
+ # $callback_data - [optional] data to passed to callback function when invoked
+ #
+ # returns: 0 on success, 1 on failure
+
+ # where callback function looks like
+ sub npn_advertised_cb_invoke {
+ my ($ssl, $callback_data) = @_;
+ # ...
+ return ['http1.1','spdy/2']; # the callback has to return arrayref
+ }
+
+To undefine/clear this callback use:
+
+ Net::SSleay::CTX_set_next_protos_advertised_cb($ctx, undef);
+
+=item * P_next_proto_negotiated
+
+B not available in Net-SSLeay-1.45 and before; requires at least openssl-1.0.1
+
+Returns the name of negotiated protocol for given SSL connection $ssl.
+
+ $rv = Net::SSLeay::P_next_proto_negotiated($ssl)
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: (string) negotiated protocol name (or undef if no negotiation was done or failed with fatal error)
+
+=item * P_next_proto_last_status
+
+B not available in Net-SSLeay-1.45 and before; requires at least openssl-1.0.1
+
+Returns the result of the last negotiation for given SSL connection $ssl.
+
+ $rv = Net::SSLeay::P_next_proto_last_status($ssl)
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: (integer) negotiation status
+ # 0 - OPENSSL_NPN_UNSUPPORTED
+ # 1 - OPENSSL_NPN_NEGOTIATED
+ # 2 - OPENSSL_NPN_NO_OVERLAP
+
+=back
+
+=head3 Low level API: ALPN (application layer protocol negotiation) related functions
+
+Application protocol can be negotiated via two different mechanisms employing
+two different TLS extensions: NPN (obsolete) and ALPN (recommended).
+
+The API is rather similar, with slight differences reflecting protocol
+specifics. In particular, with ALPN the protocol negotiation takes place on
+server, while with NPN the client implements the protocol negotiation logic.
+
+With ALPN, the most basic implementation looks like this:
+
+ ### client side
+ use Net::SSLeay;
+ use IO::Socket::INET;
+
+ Net::SSLeay::initialize();
+ my $sock = IO::Socket::INET->new(PeerAddr=>'encrypted.google.com:443') or die;
+ my $ctx = Net::SSLeay::CTX_tlsv1_new() or die;
+ Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL);
+ Net::SSLeay::CTX_set_alpn_protos($ctx, ['http/1.1', 'http/2.0', 'spdy/3]);
+ my $ssl = Net::SSLeay::new($ctx) or die;
+ Net::SSLeay::set_fd($ssl, fileno($sock)) or die;
+ Net::SSLeay::connect($ssl);
+
+ warn "client:selected=",Net::SSLeay::P_alpn_selected($ssl), "\n";
+
+ ### server side
+ use Net::SSLeay;
+ use IO::Socket::INET;
+
+ Net::SSLeay::initialize();
+ my $ctx = Net::SSLeay::CTX_tlsv1_new() or die;
+ Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL);
+ Net::SSLeay::set_cert_and_key($ctx, "cert.pem", "key.pem");
+ Net::SSLeay::CTX_set_alpn_select_cb($ctx, ['http/1.1', 'http/2.0', 'spdy/3]);
+ my $sock = IO::Socket::INET->new(LocalAddr=>'localhost', LocalPort=>5443, Proto=>'tcp', Listen=>20) or die;
+
+ while (1) {
+ my $ssl = Net::SSLeay::new($ctx);
+ warn("server:waiting for incoming connection...\n");
+ my $fd = $sock->accept();
+ Net::SSLeay::set_fd($ssl, $fd->fileno);
+ Net::SSLeay::accept($ssl);
+ warn "server:selected=",Net::SSLeay::P_alpn_selected($ssl),"\n";
+ my $got = Net::SSLeay::read($ssl);
+ Net::SSLeay::ssl_write_all($ssl, "length=".length($got));
+ Net::SSLeay::free($ssl);
+ $fd->close();
+ }
+ # check with: openssl s_client -connect localhost:5443 -alpn spdy/3,http/1.1
+
+Advanced approach allows you to implement your own negotiation algorithm.
+
+ #see below documentation for:
+ Net::SSleay::CTX_set_alpn_select_cb($ctx, $perl_callback_function, $callback_data);
+
+Detection of ALPN support (works even in older Net::SSLeay versions):
+
+ use Net::SSLeay;
+
+ if (exists &Net::SSLeay::P_alpn_selected) {
+ # do ALPN stuff
+ }
+
+=over
+
+=item * CTX_set_alpn_select_cb
+
+B not available in Net-SSLeay-1.55 and before; requires at least openssl-1.0.2
+
+B You need CTX_set_alpn_select_cb on B of TLS connection.
+
+Simple usage - in this case a "common" negotiation algorithm (as implemented by openssl's function SSL_select_next_proto) is used.
+
+ $rv = Net::SSleay::CTX_set_alpn_select_cb($ctx, $arrayref);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $arrayref - list of accepted protocols - e.g. ['http/2.0', 'http/1.1', 'spdy/3']
+ #
+ # returns: 0 on success, 1 on failure
+
+Advanced usage (you probably do not need this):
+
+ $rv = Net::SSleay::CTX_set_alpn_select_cb($ctx, $perl_callback_function, $callback_data);
+ # $ctx - value corresponding to openssl's SSL_CTX structure
+ # $perl_callback_function - reference to perl function
+ # $callback_data - [optional] data to passed to callback function when invoked
+ #
+ # returns: 0 on success, 1 on failure
+
+ # where callback function looks like
+ sub alpn_select_cb_invoke {
+ my ($ssl, $arrayref_proto_list_advertised_by_client, $callback_data) = @_;
+ # ...
+ if ($negotiated) {
+ return 'http/2.0';
+ } else {
+ return undef;
+ }
+ }
+
+To undefine/clear this callback use:
+
+ Net::SSleay::CTX_set_alpn_select_cb($ctx, undef);
+
+=item * set_alpn_protos
+
+B not available in Net-SSLeay-1.55 and before; requires at least openssl-1.0.2
+
+B You need set_alpn_protos on B of TLS connection.
+
+This adds list of supported application layer protocols to ClientHello message sent by a client.
+It advertises the enumeration of supported protocols:
+
+ Net::SSLeay::set_alpn_protos($ssl, ['http/1.1', 'http/2.0', 'spdy/3]);
+ # returns 0 on success
+
+=item * CTX_set_alpn_protos
+
+B not available in Net-SSLeay-1.55 and before; requires at least openssl-1.0.2
+
+B You need CTX_set_alpn_protos on B of TLS connection.
+
+This adds list of supported application layer protocols to ClientHello message sent by a client.
+It advertises the enumeration of supported protocols:
+
+ Net::SSLeay::CTX_set_alpn_protos($ctx, ['http/1.1', 'http/2.0', 'spdy/3]);
+ # returns 0 on success
+
+=item * P_alpn_selected
+
+B not available in Net-SSLeay-1.55 and before; requires at least openssl-1.0.2
+
+Returns the name of negotiated protocol for given TLS connection $ssl.
+
+ $rv = Net::SSLeay::P_alpn_selected($ssl)
+ # $ssl - value corresponding to openssl's SSL structure
+ #
+ # returns: (string) negotiated protocol name (or undef if no negotiation was done or failed with fatal error)
+
+=back
+
+=head3 Low level API: DANE Support
+
+OpenSSL version 1.0.2 adds preliminary support RFC6698 Domain Authentication of
+Named Entities (DANE) Transport Layer Association within OpenSSL
+
+=over
+
+=item * SSL_get_tlsa_record_byname
+
+B DELETED from net-ssleay, since it is not supported by OpenSSL
+
+In order to facilitate DANE there is additional interface,
+SSL_get_tlsa_record_byname, accepting hostname, port and socket type
+that returns packed TLSA record. In order to make it even easier there
+is additional SSL_ctrl function that calls SSL_get_tlsa_record_byname
+for you. Latter is recommended for programmers that wish to maintain
+broader binary compatibility, e.g. make application work with both 1.0.2
+and prior version (in which case call to SSL_ctrl with new code
+returning error would have to be ignored when running with prior version).
+
+ Net::SSLeay::get_tlsa_record_byname($name, $port, $type);
+
+=back
+
+=head3 Low level API: Other functions
+
+=over
+
+=item * COMP_add_compression_method
+
+Adds the compression method cm with the identifier id to the list of available compression methods.
+This list is globally maintained for all SSL operations within this application.
+It cannot be set for specific SSL_CTX or SSL objects.
+
+ my $rv = Net::SSLeay::COMP_add_compression_method($id, $cm);
+ # $id - (integer) compression method id
+ # 0 to 63: methods defined by the IETF
+ # 64 to 192: external party methods assigned by IANA
+ # 193 to 255: reserved for private use
+ #
+ # $cm - value corresponding to openssl's COMP_METHOD structure
+ #
+ # returns: 0 on success, 1 on failure (check the error queue to find out the reason)
+
+Check openssl doc L
+
+=item * DH_free
+
+Frees the DH structure and its components. The values are erased before the memory is returned to the system.
+
+ Net::SSLeay::DH_free($dh);
+ # $dh - value corresponding to openssl's DH structure
+ #
+ # returns: no return value
+
+Check openssl doc L
+
+=item * FIPS_mode_set
+
+Enable or disable FIPS mode in a FIPS capable OpenSSL.
+
+ Net::SSLeay:: FIPS_mode_set($enable);
+ # $enable - (integer) 1 to enable, 0 to disable
+
+=back
+
+=head3 Low level API: EC related functions
+
+=over
+
+=item * CTX_set_tmp_ecdh
+
+TBA
+
+=item * EC_KEY_free
+
+TBA
+
+=item * EC_KEY_new_by_curve_name
+
+TBA
+
+=item * EC_KEY_generate_key
+
+Generates a EC key and returns it in a newly allocated EC_KEY structure.
+The EC key then can be used to create a PKEY which can be used in calls
+like X509_set_pubkey.
+
+ my $key = Net::SSLeay::EVP_PKEY_new();
+ my $ec = Net::SSLeay::EC_KEY_generate_key($curve);
+ Net::SSLeay::EVP_PKEY_assign_EC_KEY($key,$ec);
+
+ # $curve - curve name like 'secp521r1' or the matching Id (integer) of the curve
+ #
+ # returns: value corresponding to openssl's EC_KEY structure (0 on failure)
+
+This function has no equivalent in OpenSSL but combines multiple OpenSSL
+functions for an easier interface.
+
+=item * CTX_set_ecdh_auto, set_ecdh_auto
+
+These functions enable or disable the automatic curve selection on the server
+side by calling SSL_CTX_set_ecdh_auto or SSL_set_ecdh_auto respectively.
+If enabled the highest preference curve is automatically used for ECDH temporary
+keys used during key exchange.
+This function is no longer available for OpenSSL 1.1.0 or higher.
+
+ Net::SSLeay::CTX_set_ecdh_auto($ctx,1);
+ Net::SSLeay::set_ecdh_auto($ssl,1);
+
+=item * CTX_set1_curves_list, set1_curves_list
+
+These functions set the supported curves (in order of preference) by calling
+SSL_CTX_set1_curves_list or SSL_set1_curves_list respectively.
+For a TLS client these curves are offered to the server in the supported curves
+extension while on the server side these are used to determine the shared
+curve.
+These functions are only available since OpenSSL 1.1.0.
+
+ Net::SSLeay::CTX_set1_curves_list($ctx,"P-521:P-384:P-256");
+ Net::SSLeay::set1_curves_list($ssl,"P-521:P-384:P-256");
+
+=item * CTX_set1_groups_list, set1_groups_list
+
+These functions set the supported groups (in order of preference) by calling
+SSL_CTX_set1_groups_list or SSL_set1_groups_list respectively.
+This is practically the same as CTX_set1_curves_list and set1_curves_list except
+that all DH groups can be given as supported by TLS 1.3.
+These functions are only available since OpenSSL 1.1.1.
+
+ Net::SSLeay::CTX_set1_groups_list($ctx,"P-521:P-384:P-256");
+ Net::SSLeay::set1_groups_list($ssl,"P-521:P-384:P-256");
+
+=back
+
+
+=head3 Low level API: OSSL_LIB_CTX and OSSL_PROVIDER related functions
+
+=over
+
+=item * OSSL_LIB_CTX_get0_global_default
+
+Returns a concrete (non NULL) reference to the global default library context.
+
+ my $libctx = Net::SSLeay::OSSL_LIB_CTX_get0_global_default();
+ # returns: a value corresponding to OSSL_LIB_CTX structure or false on failure
+
+Typically it's simpler to use undef with functions that take an
+OSSL_LIB_CTX argument when global default library context is needed.
+
+Check openssl doc L
+
+=item * OSSL_PROVIDER_load
+
+Loads and initializes a provider
+
+ my $provider = Net::SSLeay::OSSL_PROVIDER_load($libctx, $name);
+ # $libctx - value corresponding to OSSL_LIB_CTX structure or undef
+ # $name - (string) provider name, e.g., 'legacy'
+ #
+ # returns: a value corresponding to OSSL_PROVIDER or false on failure
+
+Using undef loads the provider within the global default library context.
+
+ my $provider = Net::SSLeay::OSSL_PROVIDER_load(undef, 'legacy');
+
+Check openssl doc L
+
+=item * OSSL_PROVIDER_try_load
+
+Loads and initializes a provider similar to OSSL_PROVIDER_load with additional fallback control.
+
+ my $provider = Net::SSLeay::OSSL_PROVIDER_try_load($libctx, $name, $retain_fallbacks);
+ # $libctx - value corresponding to OSSL_LIB_CTX structure or undef
+ # $name - (string) provider name, e.g., 'legacy'
+ # $retain_fallbacks - (integer) 0 or 1
+ #
+ # returns: a value corresponding to OSSL_PROVIDER or false on failure
+
+Check openssl doc L
+
+=item * OSSL_PROVIDER_unload
+
+Unloads the given provider.
+
+ my $rv = Net::SSLeay::OSSL_PROVIDER_unload($provider);
+ # $provider - a value corresponding to OSSL_PROVIDER
+ #
+ # returns: (integer) 1 on success, 0 on error
+
+Check openssl doc L
+
+=item * OSSL_PROVIDER_available
+
+Checks if a named provider is available for use.
+
+ my $rv = Net::SSLeay::OSSL_PROVIDER_available($libctx, $name);
+ # $libctx - value corresponding to OSSL_LIB_CTX structure or undef
+ # $name - (string) provider name, e.g., 'legacy'
+ #
+ # returns: (integer) 1 if the named provider is available, otherwise 0.
+
+Check openssl doc L
+
+=item * OSSL_PROVIDER_do_all
+
+Iterates over all loaded providers. A callback is called for each provider.
+
+ my $rv = Net::SSLeay::OSSL_PROVIDER_do_all($libctx, $cb, $cbdata);
+ # $libctx - value corresponding to OSSL_LIB_CTX structure or undef
+ # $cb - reference to a perl callback function
+ $ $cbdata - data that will be passed to callback function
+ #
+ # returns: (integer) 1 if all callbacks returned 1, 0 the first time a callback returns 0.
+
+Example:
+
+ sub do_all_cb {
+ my ($provider, $cbdata) = @_;
+
+ my $name = Net::SSLeay::OSSL_PROVIDER_get0_name($provider);
+ print "Callback for provider: '$name', cbdata: '$cbdata'\n";
+ return 1;
+ }
+ my $data_for_cb = 'Hello';
+
+ # Triggers default provider automatic loading.
+ Net::SSLeay::OSSL_PROVIDER_available(undef, 'default') || die 'default provider not available';
+ Net::SSLeay::OSSL_PROVIDER_load(undef, 'legacy') || die 'load legacy';
+ Net::SSLeay::OSSL_PROVIDER_load(undef, 'null') || die 'load null';
+ Net::SSLeay::OSSL_PROVIDER_do_all(undef, \&do_all_cb, $data_for_cb) || die 'a callback failed';
+
+Check openssl doc L
+
+=item * OSSL_PROVIDER_get0_name
+
+Returns the name of the given provider.
+
+ my $name = Net::SSLeay::OSSL_PROVIDER_get0_name($provider);
+ # $provider - a value corresponding to OSSL_PROVIDER
+ #
+ # returns: (string) provider name, e.g., 'legacy'
+
+Check openssl doc L
+
+=item * OSSL_PROVIDER_self_test
+
+Runs the provider's self tests.
+
+ my $rv = Net::SSLeay::OSSL_PROVIDER_self_test($provider);
+ # $libctx - value corresponding to OSSL_LIB_CTX structure or undef
+ # $provider - a value corresponding to OSSL_PROVIDER
+ #
+ # returns: (integer) returns 1 if the self tests pass, 0 on error
+
+Check openssl doc L
+
+=back
+
+=head2 Constants
+
+There are many openssl constants available in L. You can use them like this:
+
+ use Net::SSLeay;
+ print &Net::SSLeay::NID_commonName;
+ #or
+ print Net::SSLeay::NID_commonName();
+
+Or you can import them and use:
+
+ use Net::SSLeay qw/NID_commonName/;
+ print &NID_commonName;
+ #or
+ print NID_commonName();
+ #or
+ print NID_commonName;
+
+The constants names are derived from openssl constants, however constants starting with C prefix
+have name with C part stripped - e.g. openssl's constant C is available as C
+
+The list of all available constant names:
+
+=for comment
+The list below is automatically generated - do not manually modify it.
+To add or remove a constant, edit helper_script/constants.txt, then run
+helper_script/update-exported-constants.
+
+=for start_constants
+
+ ASN1_STRFLGS_ESC_CTRL OPENSSL_VERSION_STRING
+ ASN1_STRFLGS_ESC_MSB OP_ALL
+ ASN1_STRFLGS_ESC_QUOTE OP_ALLOW_NO_DHE_KEX
+ ASN1_STRFLGS_RFC2253 OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+ CB_ACCEPT_EXIT OP_CIPHER_SERVER_PREFERENCE
+ CB_ACCEPT_LOOP OP_CISCO_ANYCONNECT
+ CB_ALERT OP_COOKIE_EXCHANGE
+ CB_CONNECT_EXIT OP_CRYPTOPRO_TLSEXT_BUG
+ CB_CONNECT_LOOP OP_DONT_INSERT_EMPTY_FRAGMENTS
+ CB_EXIT OP_ENABLE_MIDDLEBOX_COMPAT
+ CB_HANDSHAKE_DONE OP_EPHEMERAL_RSA
+ CB_HANDSHAKE_START OP_LEGACY_SERVER_CONNECT
+ CB_LOOP OP_MICROSOFT_BIG_SSLV3_BUFFER
+ CB_READ OP_MICROSOFT_SESS_ID_BUG
+ CB_READ_ALERT OP_MSIE_SSLV2_RSA_PADDING
+ CB_WRITE OP_NETSCAPE_CA_DN_BUG
+ CB_WRITE_ALERT OP_NETSCAPE_CHALLENGE_BUG
+ ERROR_NONE OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
+ ERROR_SSL OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+ ERROR_SYSCALL OP_NON_EXPORT_FIRST
+ ERROR_WANT_ACCEPT OP_NO_ANTI_REPLAY
+ ERROR_WANT_CONNECT OP_NO_CLIENT_RENEGOTIATION
+ ERROR_WANT_READ OP_NO_COMPRESSION
+ ERROR_WANT_WRITE OP_NO_ENCRYPT_THEN_MAC
+ ERROR_WANT_X509_LOOKUP OP_NO_QUERY_MTU
+ ERROR_ZERO_RETURN OP_NO_RENEGOTIATION
+ EVP_PKS_DSA OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+ EVP_PKS_EC OP_NO_SSL_MASK
+ EVP_PKS_RSA OP_NO_SSLv2
+ EVP_PKT_ENC OP_NO_SSLv3
+ EVP_PKT_EXCH OP_NO_TICKET
+ EVP_PKT_EXP OP_NO_TLSv1
+ EVP_PKT_SIGN OP_NO_TLSv1_1
+ EVP_PK_DH OP_NO_TLSv1_2
+ EVP_PK_DSA OP_NO_TLSv1_3
+ EVP_PK_EC OP_PKCS1_CHECK_1
+ EVP_PK_RSA OP_PKCS1_CHECK_2
+ FILETYPE_ASN1 OP_PRIORITIZE_CHACHA
+ FILETYPE_PEM OP_SAFARI_ECDHE_ECDSA_BUG
+ F_CLIENT_CERTIFICATE OP_SINGLE_DH_USE
+ F_CLIENT_HELLO OP_SINGLE_ECDH_USE
+ F_CLIENT_MASTER_KEY OP_SSLEAY_080_CLIENT_DH_BUG
+ F_D2I_SSL_SESSION OP_SSLREF2_REUSE_CERT_TYPE_BUG
+ F_GET_CLIENT_FINISHED OP_TLSEXT_PADDING
+ F_GET_CLIENT_HELLO OP_TLS_BLOCK_PADDING_BUG
+ F_GET_CLIENT_MASTER_KEY OP_TLS_D5_BUG
+ F_GET_SERVER_FINISHED OP_TLS_ROLLBACK_BUG
+ F_GET_SERVER_HELLO READING
+ F_GET_SERVER_VERIFY RECEIVED_SHUTDOWN
+ F_I2D_SSL_SESSION RSA_3
+ F_READ_N RSA_F4
+ F_REQUEST_CERTIFICATE 
 R_BAD_AUTHENTICATION_TYPE
+ F_SERVER_HELLO R_BAD_CHECKSUM
+ F_SSL_CERT_NEW R_BAD_MAC_DECODE
+ F_SSL_GET_NEW_SESSION R_BAD_RESPONSE_ARGUMENT
+ F_SSL_NEW R_BAD_SSL_FILETYPE
+ F_SSL_READ R_BAD_SSL_SESSION_ID_LENGTH
+ F_SSL_RSA_PRIVATE_DECRYPT R_BAD_STATE
+ F_SSL_RSA_PUBLIC_ENCRYPT R_BAD_WRITE_RETRY
+ F_SSL_SESSION_NEW R_CHALLENGE_IS_DIFFERENT
+ F_SSL_SESSION_PRINT_FP R_CIPHER_TABLE_SRC_ERROR
+ F_SSL_SET_FD R_INVALID_CHALLENGE_LENGTH
+ F_SSL_SET_RFD R_NO_CERTIFICATE_SET
+ F_SSL_SET_WFD R_NO_CERTIFICATE_SPECIFIED
+ F_SSL_USE_CERTIFICATE R_NO_CIPHER_LIST
+ F_SSL_USE_CERTIFICATE_ASN1 R_NO_CIPHER_MATCH
+ F_SSL_USE_CERTIFICATE_FILE R_NO_PRIVATEKEY
+ F_SSL_USE_PRIVATEKEY R_NO_PUBLICKEY
+ F_SSL_USE_PRIVATEKEY_ASN1 R_NULL_SSL_CTX
+ F_SSL_USE_PRIVATEKEY_FILE R_PEER_DID_NOT_RETURN_A_CERTIFICATE
+ F_SSL_USE_RSAPRIVATEKEY R_PEER_ERROR
+ F_SSL_USE_RSAPRIVATEKEY_ASN1 R_PEER_ERROR_CERTIFICATE
+ F_SSL_USE_RSAPRIVATEKEY_FILE R_PEER_ERROR_NO_CIPHER
+ F_WRITE_PENDING R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE
+ GEN_DIRNAME R_PUBLIC_KEY_ENCRYPT_ERROR
+ GEN_DNS R_PUBLIC_KEY_IS_NOT_RSA
+ GEN_EDIPARTY R_READ_WRONG_PACKET_TYPE
+ GEN_EMAIL R_SHORT_READ
+ GEN_IPADD R_SSL_SESSION_ID_IS_DIFFERENT
+ GEN_OTHERNAME R_UNABLE_TO_EXTRACT_PUBLIC_KEY
+ GEN_RID R_UNKNOWN_REMOTE_ERROR_TYPE
+ GEN_URI R_UNKNOWN_STATE
+ GEN_X400 R_X509_LIB
+ LIBRESSL_VERSION_NUMBER SENT_SHUTDOWN
+ MBSTRING_ASC SESSION_ASN1_VERSION
+ MBSTRING_BMP SESS_CACHE_BOTH
+ MBSTRING_FLAG SESS_CACHE_CLIENT
+ MBSTRING_UNIV SESS_CACHE_NO_AUTO_CLEAR
+ MBSTRING_UTF8 SESS_CACHE_NO_INTERNAL
+ MIN_RSA_MODULUS_LENGTH_IN_BYTES SESS_CACHE_NO_INTERNAL_LOOKUP
+ MODE_ACCEPT_MOVING_WRITE_BUFFER SESS_CACHE_NO_INTERNAL_STORE
+ MODE_AUTO_RETRY SESS_CACHE_OFF
+ MODE_ENABLE_PARTIAL_WRITE SESS_CACHE_SERVER
+ MODE_RELEASE_BUFFERS SSL2_MT_CLIENT_CERTIFICATE
+ NID_OCSP_sign SSL2_MT_CLIENT_FINISHED
+ NID_SMIMECapabilities SSL2_MT_CLIENT_HELLO
+ NID_X500 SSL2_MT_CLIENT_MASTER_KEY
+ NID_X509 SSL2_MT_ERROR
+ NID_ad_OCSP SSL2_MT_REQUEST_CERTIFICATE
+ 
 NID_ad_ca_issuers SSL2_MT_SERVER_FINISHED
+ NID_algorithm SSL2_MT_SERVER_HELLO
+ NID_authority_key_identifier SSL2_MT_SERVER_VERIFY
+ NID_basic_constraints SSL2_VERSION
+ NID_bf_cbc SSL3_MT_CCS
+ NID_bf_cfb64 SSL3_MT_CERTIFICATE
+ NID_bf_ecb SSL3_MT_CERTIFICATE_REQUEST
+ NID_bf_ofb64 SSL3_MT_CERTIFICATE_STATUS
+ NID_cast5_cbc SSL3_MT_CERTIFICATE_URL
+ NID_cast5_cfb64 SSL3_MT_CERTIFICATE_VERIFY
+ NID_cast5_ecb SSL3_MT_CHANGE_CIPHER_SPEC
+ NID_cast5_ofb64 SSL3_MT_CLIENT_HELLO
+ NID_certBag SSL3_MT_CLIENT_KEY_EXCHANGE
+ NID_certificate_policies SSL3_MT_ENCRYPTED_EXTENSIONS
+ NID_client_auth SSL3_MT_END_OF_EARLY_DATA
+ NID_code_sign SSL3_MT_FINISHED
+ NID_commonName SSL3_MT_HELLO_REQUEST
+ NID_countryName SSL3_MT_KEY_UPDATE
+ NID_crlBag SSL3_MT_MESSAGE_HASH
+ NID_crl_distribution_points SSL3_MT_NEWSESSION_TICKET
+ NID_crl_number SSL3_MT_NEXT_PROTO
+ NID_crl_reason SSL3_MT_SERVER_DONE
+ NID_delta_crl SSL3_MT_SERVER_HELLO
+ NID_des_cbc SSL3_MT_SERVER_KEY_EXCHANGE
+ NID_des_cfb64 SSL3_MT_SUPPLEMENTAL_DATA
+ NID_des_ecb SSL3_RT_ALERT
+ NID_des_ede SSL3_RT_APPLICATION_DATA
+ NID_des_ede3 SSL3_RT_CHANGE_CIPHER_SPEC
+ NID_des_ede3_cbc SSL3_RT_HANDSHAKE
+ NID_des_ede3_cfb64 SSL3_RT_HEADER
+ NID_des_ede3_ofb64 SSL3_RT_INNER_CONTENT_TYPE
+ NID_des_ede_cbc SSL3_VERSION
+ NID_des_ede_cfb64 SSLEAY_BUILT_ON
+ NID_des_ede_ofb64 SSLEAY_CFLAGS
+ NID_des_ofb64 SSLEAY_DIR
+ NID_description SSLEAY_PLATFORM
+ NID_desx_cbc SSLEAY_VERSION
+ NID_dhKeyAgreement ST_ACCEPT
+ NID_dnQualifier ST_BEFORE
+ NID_dsa ST_CONNECT
+ NID_dsaWithSHA ST_INIT
+ NID_dsaWithSHA1 ST_OK
+ NID_dsaWithSHA1_2 ST_READ_BODY
+ NID_dsa_2 ST_READ_HEADER
+ NID_email_protect TLS1_1_VERSION
+ NID_ext_key_usage TLS1_2_VERSION
+ NID_ext_req TLS1_3_VERSION
+ NID_friendlyName TLS1_VERSION
+ NID_givenName TLSEXT_STATUSTYPE_ocsp
+ NID_hmacWithSHA1 VERIFY_CLIENT_ONCE
+ NID_id_ad VERIFY_FAIL_IF_NO_PEER_CERT
+ NID_id_ce VERIFY_NONE
+ NID_id_kp VERIFY_PEER
+ NID_id_pbkdf2 VERIFY_POST_HANDSHAKE
+ NID_id_pe V_OCSP_CERTSTATUS_GOOD
+ 
 NID_id_pkix V_OCSP_CERTSTATUS_REVOKED
+ NID_id_qt_cps V_OCSP_CERTSTATUS_UNKNOWN
+ NID_id_qt_unotice WRITING
+ NID_idea_cbc X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
+ NID_idea_cfb64 X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS
+ NID_idea_ecb X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
+ NID_idea_ofb64 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
+ NID_info_access X509_CHECK_FLAG_NO_WILDCARDS
+ NID_initials X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
+ NID_invalidity_date X509_FILETYPE_ASN1
+ NID_issuer_alt_name X509_FILETYPE_DEFAULT
+ NID_keyBag X509_FILETYPE_PEM
+ NID_key_usage X509_LOOKUP
+ NID_localKeyID X509_PURPOSE_ANY
+ NID_localityName X509_PURPOSE_CRL_SIGN
+ NID_md2 X509_PURPOSE_NS_SSL_SERVER
+ NID_md2WithRSAEncryption X509_PURPOSE_OCSP_HELPER
+ NID_md5 X509_PURPOSE_SMIME_ENCRYPT
+ NID_md5WithRSA X509_PURPOSE_SMIME_SIGN
+ NID_md5WithRSAEncryption X509_PURPOSE_SSL_CLIENT
+ NID_md5_sha1 X509_PURPOSE_SSL_SERVER
+ NID_mdc2 X509_PURPOSE_TIMESTAMP_SIGN
+ NID_mdc2WithRSA X509_TRUST_COMPAT
+ NID_ms_code_com X509_TRUST_EMAIL
+ NID_ms_code_ind X509_TRUST_OBJECT_SIGN
+ NID_ms_ctl_sign X509_TRUST_OCSP_REQUEST
+ NID_ms_efs X509_TRUST_OCSP_SIGN
+ NID_ms_ext_req X509_TRUST_SSL_CLIENT
+ NID_ms_sgc X509_TRUST_SSL_SERVER
+ NID_name X509_TRUST_TSA
+ NID_netscape X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
+ NID_netscape_base_url X509_V_ERR_AKID_SKID_MISMATCH
+ NID_netscape_ca_policy_url X509_V_ERR_APPLICATION_VERIFICATION
+ NID_netscape_ca_revocation_url X509_V_ERR_CA_KEY_TOO_SMALL
+ NID_netscape_cert_extension X509_V_ERR_CA_MD_TOO_WEAK
+ NID_netscape_cert_sequence X509_V_ERR_CERT_CHAIN_TOO_LONG
+ NID_netscape_cert_type X509_V_ERR_CERT_HAS_EXPIRED
+ NID_netscape_comment X509_V_ERR_CERT_NOT_YET_VALID
+ NID_netscape_data_type X509_V_ERR_CERT_REJECTED
+ NID_netscape_renewal_url X509_V_ERR_CERT_REVOKED
+ NID_netscape_revocation_url X509_V_ERR_CERT_SIGNATURE_FAILURE
+ NID_netscape_ssl_server_name X509_V_ERR_CERT_UNTRUSTED
+ NID_ns_sgc X509_V_ERR_CRL_HAS_EXPIRED
+ NID_organizationName X509_V_ERR_CRL_NOT_YET_VALID
+ 
 NID_organizationalUnitName X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+ NID_pbeWithMD2AndDES_CBC X509_V_ERR_CRL_SIGNATURE_FAILURE
+ NID_pbeWithMD2AndRC2_CBC X509_V_ERR_DANE_NO_MATCH
+ NID_pbeWithMD5AndCast5_CBC X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
+ NID_pbeWithMD5AndDES_CBC X509_V_ERR_DIFFERENT_CRL_SCOPE
+ NID_pbeWithMD5AndRC2_CBC X509_V_ERR_EE_KEY_TOO_SMALL
+ NID_pbeWithSHA1AndDES_CBC X509_V_ERR_EMAIL_MISMATCH
+ NID_pbeWithSHA1AndRC2_CBC X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
+ NID_pbe_WithSHA1And128BitRC2_CBC X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
+ NID_pbe_WithSHA1And128BitRC4 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
+ NID_pbe_WithSHA1And2_Key_TripleDES_CBC X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
+ NID_pbe_WithSHA1And3_Key_TripleDES_CBC X509_V_ERR_EXCLUDED_VIOLATION
+ NID_pbe_WithSHA1And40BitRC2_CBC X509_V_ERR_HOSTNAME_MISMATCH
+ NID_pbe_WithSHA1And40BitRC4 X509_V_ERR_INVALID_CA
+ NID_pbes2 X509_V_ERR_INVALID_CALL
+ NID_pbmac1 X509_V_ERR_INVALID_EXTENSION
+ NID_pkcs X509_V_ERR_INVALID_NON_CA
+ NID_pkcs3 X509_V_ERR_INVALID_POLICY_EXTENSION
+ NID_pkcs7 X509_V_ERR_INVALID_PURPOSE
+ NID_pkcs7_data X509_V_ERR_IP_ADDRESS_MISMATCH
+ NID_pkcs7_digest X509_V_ERR_KEYUSAGE_NO_CERTSIGN
+ NID_pkcs7_encrypted X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+ NID_pkcs7_enveloped X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+ NID_pkcs7_signed X509_V_ERR_NO_EXPLICIT_POLICY
+ NID_pkcs7_signedAndEnveloped X509_V_ERR_NO_VALID_SCTS
+ NID_pkcs8ShroudedKeyBag X509_V_ERR_OCSP_CERT_UNKNOWN
+ NID_pkcs9 X509_V_ERR_OCSP_VERIFY_FAILED
+ NID_pkcs9_challengePassword X509_V_ERR_OCSP_VERIFY_NEEDED
+ NID_pkcs9_contentType X509_V_ERR_OUT_OF_MEM
+ NID_pkcs9_countersignature X509_V_ERR_PATH_LENGTH_EXCEEDED
+ NID_pkcs9_emailAddress X509_V_ERR_PATH_LOOP
+ NID_pkcs9_extCertAttributes X509_V_ERR_PERMITTED_VIOLATION
+ NID_pkcs9_messageDigest X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+ NID_pkcs9_signingTime X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+ NID_pkcs9_unstructuredAddress X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION
+ 
 NID_pkcs9_unstructuredName X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
+ NID_private_key_usage_period X509_V_ERR_STORE_LOOKUP
+ NID_rc2_40_cbc X509_V_ERR_SUBJECT_ISSUER_MISMATCH
+ NID_rc2_64_cbc X509_V_ERR_SUBTREE_MINMAX
+ NID_rc2_cbc X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
+ NID_rc2_cfb64 X509_V_ERR_SUITE_B_INVALID_ALGORITHM
+ NID_rc2_ecb X509_V_ERR_SUITE_B_INVALID_CURVE
+ NID_rc2_ofb64 X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
+ NID_rc4 X509_V_ERR_SUITE_B_INVALID_VERSION
+ NID_rc4_40 X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED
+ NID_rc5_cbc X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
+ NID_rc5_cfb64 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
+ NID_rc5_ecb X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
+ NID_rc5_ofb64 X509_V_ERR_UNABLE_TO_GET_CRL
+ NID_ripemd160 X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+ NID_ripemd160WithRSA X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
+ NID_rle_compression X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
+ NID_rsa X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
+ NID_rsaEncryption X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+ NID_rsadsi X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+ NID_safeContentsBag X509_V_ERR_UNNESTED_RESOURCE
+ NID_sdsiCertificate X509_V_ERR_UNSPECIFIED
+ NID_secretBag X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+ NID_serialNumber X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+ NID_server_auth X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+ NID_sha X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+ NID_sha1 X509_V_FLAG_ALLOW_PROXY_CERTS
+ NID_sha1WithRSA X509_V_FLAG_CB_ISSUER_CHECK
+ NID_sha1WithRSAEncryption X509_V_FLAG_CHECK_SS_SIGNATURE
+ NID_shaWithRSAEncryption X509_V_FLAG_CRL_CHECK
+ NID_stateOrProvinceName X509_V_FLAG_CRL_CHECK_ALL
+ NID_subject_alt_name X509_V_FLAG_EXPLICIT_POLICY
+ NID_subject_key_identifier X509_V_FLAG_EXTENDED_CRL_SUPPORT
+ NID_surname X509_V_FLAG_IGNORE_CRITICAL
+ NID_sxnet X509_V_FLAG_INHIBIT_ANY
+ NID_time_stamp X509_V_FLAG_INHIBIT_MAP
+ NID_title X509_V_FLAG_LEGACY_VERIFY
+ NID_undef X509_V_FLAG_NOTIFY_POLICY
+ NID_uniqueIdentifier 
X509_V_FLAG_NO_ALT_CHAINS + NID_x509Certificate X509_V_FLAG_NO_CHECK_TIME + NID_x509Crl X509_V_FLAG_PARTIAL_CHAIN + NID_zlib_compression X509_V_FLAG_POLICY_CHECK + NOTHING X509_V_FLAG_POLICY_MASK + OCSP_RESPONSE_STATUS_INTERNALERROR X509_V_FLAG_SUITEB_128_LOS + OCSP_RESPONSE_STATUS_MALFORMEDREQUEST X509_V_FLAG_SUITEB_128_LOS_ONLY + OCSP_RESPONSE_STATUS_SIGREQUIRED X509_V_FLAG_SUITEB_192_LOS + OCSP_RESPONSE_STATUS_SUCCESSFUL X509_V_FLAG_TRUSTED_FIRST + OCSP_RESPONSE_STATUS_TRYLATER X509_V_FLAG_USE_CHECK_TIME + OCSP_RESPONSE_STATUS_UNAUTHORIZED X509_V_FLAG_USE_DELTAS + OPENSSL_BUILT_ON X509_V_FLAG_X509_STRICT + OPENSSL_CFLAGS X509_V_OK + OPENSSL_CPU_INFO XN_FLAG_COMPAT + OPENSSL_DIR XN_FLAG_DN_REV + OPENSSL_ENGINES_DIR XN_FLAG_DUMP_UNKNOWN_FIELDS + OPENSSL_FULL_VERSION_STRING XN_FLAG_FN_ALIGN + OPENSSL_INFO_CONFIG_DIR XN_FLAG_FN_LN + OPENSSL_INFO_CPU_SETTINGS XN_FLAG_FN_MASK + OPENSSL_INFO_DIR_FILENAME_SEPARATOR XN_FLAG_FN_NONE + OPENSSL_INFO_DSO_EXTENSION XN_FLAG_FN_OID + OPENSSL_INFO_ENGINES_DIR XN_FLAG_FN_SN + OPENSSL_INFO_LIST_SEPARATOR XN_FLAG_MULTILINE + OPENSSL_INFO_MODULES_DIR XN_FLAG_ONELINE + OPENSSL_INFO_SEED_SOURCE XN_FLAG_RFC2253 + OPENSSL_MODULES_DIR XN_FLAG_SEP_COMMA_PLUS + OPENSSL_PLATFORM XN_FLAG_SEP_CPLUS_SPC + OPENSSL_VERSION XN_FLAG_SEP_MASK + OPENSSL_VERSION_MAJOR XN_FLAG_SEP_MULTILINE + OPENSSL_VERSION_MINOR XN_FLAG_SEP_SPLUS_SPC + OPENSSL_VERSION_NUMBER XN_FLAG_SPC_EQ + OPENSSL_VERSION_PATCH + +=for end_constants + +=head2 INTERNAL ONLY functions (do not use these) + +The following functions are not intended for use from outside of L module. +They might be removed, renamed or changed without prior notice in future version. + +Simply B! + +=over + +=item * hello + +=item * blength + +=item * constant + +=back + +=head1 EXAMPLES + +One very good example to look at is the implementation of C in the +C file. 
+ +The following is a simple SSLeay client (with too little error checking :-( + + #!/usr/bin/perl + use Socket; + use Net::SSLeay qw(die_now die_if_ssl_error) ; + Net::SSLeay::load_error_strings(); + Net::SSLeay::SSLeay_add_ssl_algorithms(); + Net::SSLeay::randomize(); + + ($dest_serv, $port, $msg) = @ARGV; # Read command line + $port = getservbyname ($port, 'tcp') unless $port =~ /^\d+$/; + $dest_ip = gethostbyname ($dest_serv); + $dest_serv_params = sockaddr_in($port, $dest_ip); + + socket (S, &AF_INET, &SOCK_STREAM, 0) or die "socket: $!"; + connect (S, $dest_serv_params) or die "connect: $!"; + select (S); $| = 1; select (STDOUT); # Eliminate STDIO buffering + + # The network connection is now open, lets fire up SSL + + $ctx = Net::SSLeay::CTX_new() or die_now("Failed to create SSL_CTX $!"); + Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL) + or die_if_ssl_error("ssl ctx set options"); + $ssl = Net::SSLeay::new($ctx) or die_now("Failed to create SSL $!"); + Net::SSLeay::set_fd($ssl, fileno(S)); # Must use fileno + $res = Net::SSLeay::connect($ssl) and die_if_ssl_error("ssl connect"); + print "Cipher `" . Net::SSLeay::get_cipher($ssl) . 
"'\n"; + + # Exchange data + + $res = Net::SSLeay::write($ssl, $msg); # Perl knows how long $msg is + die_if_ssl_error("ssl write"); + CORE::shutdown S, 1; # Half close --> No more output, sends EOF to server + $got = Net::SSLeay::read($ssl); # Perl returns undef on failure + die_if_ssl_error("ssl read"); + print $got; + + Net::SSLeay::free ($ssl); # Tear down connection + Net::SSLeay::CTX_free ($ctx); + close S; + +The following is a simple SSLeay echo server (non forking): + + #!/usr/bin/perl -w + use Socket; + use Net::SSLeay qw(die_now die_if_ssl_error); + Net::SSLeay::load_error_strings(); + Net::SSLeay::SSLeay_add_ssl_algorithms(); + Net::SSLeay::randomize(); + + $our_ip = "\0\0\0\0"; # Bind to all interfaces + $port = 1235; + $sockaddr_template = 'S n a4 x8'; + $our_serv_params = pack ($sockaddr_template, &AF_INET, $port, $our_ip); + + socket (S, &AF_INET, &SOCK_STREAM, 0) or die "socket: $!"; + bind (S, $our_serv_params) or die "bind: $!"; + listen (S, 5) or die "listen: $!"; + $ctx = Net::SSLeay::CTX_new () or die_now("CTX_new ($ctx): $!"); + Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL) + or die_if_ssl_error("ssl ctx set options"); + + # Following will ask password unless private key is not encrypted + Net::SSLeay::CTX_use_RSAPrivateKey_file ($ctx, 'plain-rsa.pem', + &Net::SSLeay::FILETYPE_PEM); + die_if_ssl_error("private key"); + Net::SSLeay::CTX_use_certificate_file ($ctx, 'plain-cert.pem', + &Net::SSLeay::FILETYPE_PEM); + die_if_ssl_error("certificate"); + + while (1) { + print "Accepting connections...\n"; + ($addr = accept (NS, S)) or die "accept: $!"; + select (NS); $| = 1; select (STDOUT); # Piping hot! + + ($af,$client_port,$client_ip) = unpack($sockaddr_template,$addr); + @inetaddr = unpack('C4',$client_ip); + print "$af connection from " . + join ('.', @inetaddr) . ":$client_port\n"; + + # We now have a network connection, lets fire up SSLeay... 
+ + $ssl = Net::SSLeay::new($ctx) or die_now("SSL_new ($ssl): $!"); + Net::SSLeay::set_fd($ssl, fileno(NS)); + + $err = Net::SSLeay::accept($ssl) and die_if_ssl_error('ssl accept'); + print "Cipher `" . Net::SSLeay::get_cipher($ssl) . "'\n"; + + # Connected. Exchange some data. + + $got = Net::SSLeay::read($ssl); # Returns undef on fail + die_if_ssl_error("ssl read"); + print "Got `$got' (" . length ($got) . " chars)\n"; + + Net::SSLeay::write ($ssl, uc ($got)) or die "write: $!"; + die_if_ssl_error("ssl write"); + + Net::SSLeay::free ($ssl); # Tear down connection + close NS; + } + +Yet another echo server. This one runs from C so it avoids +all the socket code overhead. Only caveat is opening an rsa key file - +it had better be without any encryption or else it will not know where +to ask for the password. Note how C and C are wired to SSL. + + #!/usr/bin/perl + # /etc/inetd.conf + # ssltst stream tcp nowait root /path/to/server.pl server.pl + # /etc/services + # ssltst 1234/tcp + + use Net::SSLeay qw(die_now die_if_ssl_error); + Net::SSLeay::load_error_strings(); + Net::SSLeay::SSLeay_add_ssl_algorithms(); + Net::SSLeay::randomize(); + + chdir '/key/dir' or die "chdir: $!"; + $| = 1; # Piping hot! 
+ open LOG, ">>/dev/console" or die "Can't open log file $!"; + select LOG; print "server.pl started\n"; + + $ctx = Net::SSLeay::CTX_new() or die_now "CTX_new ($ctx) ($!)"; + $ssl = Net::SSLeay::new($ctx) or die_now "new ($ssl) ($!)"; + Net::SSLeay::set_options($ssl, &Net::SSLeay::OP_ALL) + and die_if_ssl_error("ssl set options"); + + # We get already open network connection from inetd, now we just + # need to attach SSLeay to STDIN and STDOUT + Net::SSLeay::set_rfd($ssl, fileno(STDIN)); + Net::SSLeay::set_wfd($ssl, fileno(STDOUT)); + + Net::SSLeay::use_RSAPrivateKey_file ($ssl, 'plain-rsa.pem', + Net::SSLeay::FILETYPE_PEM); + die_if_ssl_error("private key"); + Net::SSLeay::use_certificate_file ($ssl, 'plain-cert.pem', + Net::SSLeay::FILETYPE_PEM); + die_if_ssl_error("certificate"); + + Net::SSLeay::accept($ssl) and die_if_ssl_err("ssl accept: $!"); + print "Cipher `" . Net::SSLeay::get_cipher($ssl) . "'\n"; + + $got = Net::SSLeay::read($ssl); + die_if_ssl_error("ssl read"); + print "Got `$got' (" . length ($got) . 
" chars)\n"; + + Net::SSLeay::write ($ssl, uc($got)) or die "write: $!"; + die_if_ssl_error("ssl write"); + + Net::SSLeay::free ($ssl); # Tear down the connection + Net::SSLeay::CTX_free ($ctx); + close LOG; + +There are also a number of example/test programs in the examples directory: + + sslecho.pl - A simple server, not unlike the one above + minicli.pl - Implements a client using low level SSLeay routines + sslcat.pl - Demonstrates using high level sslcat utility function + get_page.pl - Is a utility for getting html pages from secure servers + callback.pl - Demonstrates certificate verification and callback usage + stdio_bulk.pl - Does SSL over Unix pipes + ssl-inetd-serv.pl - SSL server that can be invoked from inetd.conf + httpd-proxy-snif.pl - Utility that allows you to see how a browser + sends https request to given server and what reply + it gets back (very educative :-) + makecert.pl - Creates a self signed cert (does not use this module) + +=head1 INSTALLATION + +See README and README.* in the distribution directory for installation guidance on a variety of platforms. + +=head1 LIMITATIONS + +C uses an internal buffer of 32KB, thus no single read +will return more. In practice one read returns much less, usually +as much as fits in one network packet. 
To work around this, +you should use a loop like this: + + $reply = ''; + while ($got = Net::SSLeay::read($ssl)) { + last if print_errs('SSL_read'); + $reply .= $got; + } + +Although there is no built-in limit in C, the network +packet size limitation applies here as well, thus use: + + $written = 0; + + while ($written < length($message)) { + $written += Net::SSLeay::write($ssl, substr($message, $written)); + last if print_errs('SSL_write'); + } + +Or alternatively you can just use the following convenience functions: + + Net::SSLeay::ssl_write_all($ssl, $message) or die "ssl write failure"; + $got = Net::SSLeay::ssl_read_all($ssl) or die "ssl read failure"; + +=head1 KNOWN BUGS AND CAVEATS + +LibreSSL versions in the 3.1 - 3.3 series contain a TLS 1.3 implementation that +is not fully compatible with the libssl API, but is still advertised during +protocol auto-negotiation. If you encounter problems or unexpected behaviour +with SSL or SSL_CTX objects whose protocol version was automatically negotiated +and libssl is provided by any of these versions of LibreSSL, it could be because +the peers negotiated to use TLS 1.3 - try setting the maximum protocol version +to TLS 1.2 (via C or +C) before establishing the connection. +The first stable LibreSSL version with a fully libssl-compatible TLS 1.3 +implementation is 3.4.1. + +An OpenSSL bug CVE-2015-0290 "OpenSSL Multiblock Corrupted Pointer Issue" +can cause POST requests of over 90kB to fail or crash. This bug is reported to be fixed in +OpenSSL 1.0.2a. + +Autoloader emits a + + Argument "xxx" isn't numeric in entersub at blib/lib/Net/SSLeay.pm' + +warning if die_if_ssl_error is made autoloadable. If you figure out why, +drop me a line. + +Callback set using C does not appear to work. This may +well be an openssl problem (e.g. see C line 1029). Try using +C instead and do not be surprised if even this stops +working in future versions. + +Callback and certificate verification stuff is generally too little tested. 
+ +Random numbers are not initialized randomly enough, especially if you +do not have C and/or C (such as in Solaris +platforms - but it's been suggested that cryptorand daemon from the SUNski +package solves this). In this case you should investigate third party +software that can emulate these devices, e.g. by way of a named pipe +to some program. + +Another gotcha with random number initialization is randomness +depletion. This phenomenon, which has been extensively discussed in +OpenSSL, Apache-SSL, and Apache-mod_ssl forums, can cause your +script to block if you use C or to operate insecurely +if you use C. What happens is that when too much +randomness is drawn from the operating system's randomness pool +then randomness can temporarily be unavailable. C solves +this problem by waiting until enough randomness can be gathered - and +this can take a long time since blocking reduces activity in the +machine and less activity provides less random events: a vicious circle. +C solves this dilemma more pragmatically by simply returning +predictable "random" numbers. SomeC< /dev/urandom> emulation software +however actually seems to implement C semantics. Caveat emptor. + +I've been pointed to two such daemons by Mik Firestone +who has used them on Solaris 8: + +=over + +=item 1 + +Entropy Gathering Daemon (EGD) at L + +=item 2 + +Pseudo-random number generating daemon (PRNGD) at +L + +=back + +If you are using the low level API functions to communicate with other +SSL implementations, you would do well to call + + Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL) + or die_if_ssl_error("ssl ctx set options"); + +to cope with some well know bugs in some other SSL +implementations. The high level API functions always set all known +compatibility options. + +Sometimes C (and the high level HTTPS functions that build on it) +is too fast in signaling the EOF to legacy HTTPS servers. This causes +the server to return empty page. 
To work around this problem you can +set the global variable + + $Net::SSLeay::slowly = 1; # Add sleep so broken servers can keep up + +HTTP/1.1 is not supported. Specifically this module does not know to +issue or serve multiple http requests per connection. This is a serious +shortcoming, but using the SSL session cache on your server helps to +alleviate the CPU load somewhat. + +As of version 1.09 many newer OpenSSL auxiliary functions were +added (from C onwards in C). +Unfortunately I have not had any opportunity to test these. Some of +them are trivial enough that I believe they "just work", but others +have rather complex interfaces with function pointers and all. In these +cases you should proceed wit great caution. + +This module defaults to using OpenSSL automatic protocol negotiation +code for automatically detecting the version of the SSL/TLS protocol +that the other end talks. With most web servers this works just +fine, but once in a while I get complaints from people that the module +does not work with some web servers. Usually this can be solved +by explicitly setting the protocol version, e.g. + + $Net::SSLeay::ssl_version = 2; # Insist on SSLv2 + $Net::SSLeay::ssl_version = 3; # Insist on SSLv3 + $Net::SSLeay::ssl_version = 10; # Insist on TLSv1 + $Net::SSLeay::ssl_version = 11; # Insist on TLSv1.1 + $Net::SSLeay::ssl_version = 12; # Insist on TLSv1.2 + $Net::SSLeay::ssl_version = 13; # Insist on TLSv1.3 + +Although the autonegotiation is nice to have, the SSL standards +do not formally specify any such mechanism. Most of the world has +accepted the SSLeay/OpenSSL way of doing it as the de facto standard. But +for the few that think differently, you have to explicitly speak +the correct version. This is not really a bug, but rather a deficiency +in the standards. If a site refuses to respond or sends back some +nonsensical error codes (at the SSL handshake level), try this option +before mailing me. 
+ +On some systems, OpenSSL may be compiled without support for SSLv2. +If this is the case, Net::SSLeay will warn if ssl_version has been set +to 2. + +The high level API returns the certificate of the peer, thus allowing +one to check what certificate was supplied. However, you will only be +able to check the certificate after the fact, i.e. you already sent +your form data by the time you find out that you did not trust them, +oops. + +So, while being able to know the certificate after the fact is surely +useful, the security minded would still choose to do the connection +and certificate verification first and only then exchange data +with the site. Currently none of the high level API functions do +this, thus you would have to program it using the low level API. A +good place to start is to see how the C function +is implemented. + +The high level API functions use a global file handle C +internally. This really should not be a problem because there is no +way to interleave the high level API functions, unless you use threads +(but threads are not very well supported in perl anyway). However, you +may run into problems if you call undocumented internal functions in an +interleaved fashion. The best solution is to "require Net::SSLeay" in +one thread after all the threads have been created. + +=head1 DIAGNOSTICS + +=over + +=item Random number generator not seeded!!! + +B<(W)> This warning indicates that C was not able to read +C or C, possibly because your system does not +have them or they are differently named. You can still use SSL, but +the encryption will not be as strong. + +=item open_tcp_connection: destination host not found:`server' (port 123) ($!) + +Name lookup for host named C failed. + +=item open_tcp_connection: failed `server', 123 ($!) + +The name was resolved, but establishing the TCP connection failed. + +=item msg 123: 1 - error:140770F8:SSL routines:SSL23_GET_SERVER_HELLO:unknown proto + +SSLeay error string. 
The first number (123) is the PID, the second number +(1) indicates the position of the error message in SSLeay error stack. +You often see a pile of these messages as errors cascade. + +=item msg 123: 1 - error:02001002::lib(2) :func(1) :reason(2) + +The same as above, but you didn't call load_error_strings() so SSLeay +couldn't verbosely explain the error. You can still find out what it +means with this command: + + /usr/local/ssl/bin/ssleay errstr 02001002 + +=item Password is being asked for private key + +This is normal behaviour if your private key is encrypted. Either +you have to supply the password or you have to use an unencrypted +private key. Scan OpenSSL.org for the FAQ that explains how to +do this (or just study examples/makecert.pl which is used +during C to do just that). + +=back + +=head1 SECURITY + +You can mitigate some of the security vulnerabilities that might be present in your SSL/TLS application: + + +=head2 BEAST Attack + +http://blogs.cisco.com/security/beat-the-beast-with-tls/ +https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls +http://blog.zoller.lu/2011/09/beast-summary-tls-cbc-countermeasures.html + +The BEAST attack relies on a weakness in the way CBC mode is used in SSL/TLS. +In OpenSSL versions 0.9.6d and later, the protocol-level mitigation is enabled by default, +thus making it not vulnerable to the BEAST attack. 
+ +Solutions: + +=over + +=item * Compile with OpenSSL versions 0.9.6d or later, which enables SSL_OP_ALL by default + +=item * Ensure SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is not enabled (its not enabled by default) + +=item * Don't support SSLv2, SSLv3 + +=item * Actively control the ciphers your server supports with set_cipher_list: + +=back + +Net::SSLeay::set_cipher_list($ssl, 'RC4-SHA:HIGH:!ADH'); + + +=head2 Session Resumption + +http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html + +The SSL Labs vulnerability test on your SSL server might report in red: + +Session resumption No (IDs assigned but not accepted) + +This report is not really bug or a vulnerability, since the server will not +accept session resumption requests. +However, you can prevent this noise in the report by disabling the session cache altogether: +Net::SSLeay::CTX_set_session_cache_mode($ssl_ctx, Net::SSLeay::SESS_CACHE_OFF()); +Use 0 if you don't have SESS_CACHE_OFF constant. + + +=head2 Secure Renegotiation and DoS Attack + +https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks + +This is not a "security flaw," it is more of a DoS vulnerability. + +Solutions: + +=over + +=item * Do not support SSLv2 + +=item * Do not set the SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION option + +=item * Compile with OpenSSL 0.9.8m or later + +=back + +=head1 BUGS + +If you encounter a problem with this module that you believe is a bug, please +L +in the Net-SSLeay GitHub repository. Please make sure your bug report includes +the following information: + +=over + +=item * the code you are trying to run; + +=item * your operating system name and version; + +=item * the output of C; + +=item * the version of OpenSSL or LibreSSL you are using. + +=back + +=head1 AUTHOR + +Originally written by Sampo Kellomäki. + +Maintained by Florian Ragwitz between November 2005 and January 2010. + +Maintained by Mike McCauley between November 2005 and June 2018. 
+ +Maintained by Chris Novakovic, Tuure Vartiainen and Heikki Vatiainen since June 2018. + +=head1 COPYRIGHT + +Copyright (c) 1996-2003 Sampo Kellomäki + +Copyright (c) 2005-2010 Florian Ragwitz + +Copyright (c) 2005-2018 Mike McCauley + +Copyright (c) 2018- Chris Novakovic + +Copyright (c) 2018- Tuure Vartiainen + +Copyright (c) 2018- Heikki Vatiainen + +All rights reserved. + +=head1 LICENSE + +This module is released under the terms of the Artistic License 2.0. For +details, see the C file distributed with Net-SSLeay's source code. + +=head1 SEE ALSO + + Net::SSLeay::Handle - File handle interface + ./examples - Example servers and a clients + - OpenSSL source, documentation, etc + openssl-users-request@openssl.org - General OpenSSL mailing list + - TLS 1.0 specification + - HTTP specifications + - How to send password + - Entropy Gathering Daemon (EGD) + + - pseudo-random number generating daemon (PRNGD) + perl(1) + perlref(1) + perllol(1) + perldoc ~openssl/doc/ssl/SSL_CTX_set_verify.pod diff --git a/cpan/Net-SSLeay/lib/Net/SSLeay/Handle.pm b/cpan/Net-SSLeay/lib/Net/SSLeay/Handle.pm new file mode 100644 index 000000000000..036b10a6c0fb --- /dev/null +++ b/cpan/Net-SSLeay/lib/Net/SSLeay/Handle.pm 
@@ -0,0 +1,409 @@
+package Net::SSLeay::Handle;
+
+use 5.8.1;
+
+use strict;
+
+use Socket;
+use Net::SSLeay;
+
+require Exporter;
+
+=encoding utf-8
+
+=head1 NAME
+
+Net::SSLeay::Handle - Perl module that lets SSL (HTTPS) sockets be
+handled as standard file handles.
+
+=head1 SYNOPSIS
+
+ use Net::SSLeay::Handle qw/shutdown/;
+ my ($host, $port) = ("localhost", 443);
+
+ tie(*SSL, "Net::SSLeay::Handle", $host, $port);
+
+ print SSL "GET / HTTP/1.0\r\n";
+ shutdown(\*SSL, 1);
+ print while ();
+ close SSL;
+
+=head1 DESCRIPTION
+
+Net::SSLeay::Handle allows you to request and receive HTTPS web pages
+using "old-fashion" file handles as in:
+
+ print SSL "GET / HTTP/1.0\r\n";
+
+and
+
+ print while ();
+
+If you export the shutdown routine, then the only extra code that
+you need to add to your program is the tie function as in:
+
+ my $socket;
+ if ($scheme eq "https") {
+ tie(*S2, "Net::SSLeay::Handle", $host, $port);
+ $socket = \*S2;
+ else {
+ $socket = Net::SSLeay::Handle->make_socket($host, $port);
+ }
+ print $socket $request_headers;
+ ...
+
+=cut
+
+use vars qw(@ISA @EXPORT_OK $VERSION);
+@ISA = qw(Exporter);
+@EXPORT_OK = qw(shutdown);
+$VERSION = '1.92';
+
+my $Initialized; #-- only _initialize() once
+my $Debug = 0; #-- pretty hokey
+
+#== Tie Handle Methods ========================================================
+#
+# see perldoc perltie for details.
+#
+#==============================================================================
+
+sub TIEHANDLE {
+ my ($class, $socket, $port) = @_;
+ $Debug > 10 and print "TIEHANDLE(@{[join ', ', @_]})\n";
+
+ ref $socket eq "GLOB" or $socket = $class->make_socket($socket, $port);
+
+ $class->_initialize();
+
+ my $ctx = Net::SSLeay::CTX_new() or die_now("Failed to create SSL_CTX $!");
+ my $ssl = Net::SSLeay::new($ctx) or die_now("Failed to create SSL $!");
+
+ my $fileno = fileno($socket);
+
+ Net::SSLeay::set_fd($ssl, $fileno); # Must use fileno
+
+ my $resp = Net::SSLeay::connect($ssl);
+
+ $Debug and print "Cipher '" . Net::SSLeay::get_cipher($ssl) . "'\n";
+
+ my $self = bless {
+ ssl => $ssl,
+ ctx => $ctx,
+ socket => $socket,
+ fileno => $fileno,
+ }, $class;
+
+ return $self;
+}
+
+sub PRINT {
+ my $self = shift;
+
+ my $ssl = _get_ssl($self);
+ my $resp = 0;
+ for my $msg (@_) {
+ defined $msg or last;
+ $resp = Net::SSLeay::write($ssl, $msg) or last;
+ }
+ return $resp;
+}
+
+sub READLINE {
+ my $self = shift;
+ my $ssl = _get_ssl($self);
+ if (wantarray) {
+ my @lines;
+ while (my $line = Net::SSLeay::ssl_read_until($ssl)) {
+ push @lines, $line;
+ }
+ return @lines;
+ } else {
+ my $line = Net::SSLeay::ssl_read_until($ssl);
+ return $line ? $line : undef;
+ }
+}
+
+sub READ {
+ my ($self, $buf, $len, $offset) = \ (@_);
+ my $ssl = _get_ssl($$self);
+ defined($$offset) or
+ return length($$buf = Net::SSLeay::ssl_read_all($ssl, $$len));
+
+ defined(my $read = Net::SSLeay::ssl_read_all($ssl, $$len))
+ or return undef;
+
+ my $buf_len = length($$buf);
+ $$offset > $buf_len and $$buf .= chr(0) x ($$offset - $buf_len);
+ substr($$buf, $$offset) = $read;
+ return length($read);
+}
+
+sub WRITE {
+ my $self = shift;
+ my ($buf, $len, $offset) = @_;
+ $offset = 0 unless defined $offset;
+
+ # Return number of characters written.
+ my $ssl = $self->_get_ssl();
+ return $len if Net::SSLeay::write($ssl, substr($buf, $offset, $len));
+ return undef;
+}
+
+sub CLOSE {
+ my $self = shift;
+ my $fileno = $self->{fileno};
+ $Debug > 10 and print "close($fileno)\n";
+ Net::SSLeay::free ($self->{ssl});
+ Net::SSLeay::CTX_free ($self->{ctx});
+ close $self->{socket};
+}
+
+sub FILENO { $_[0]->{fileno} }
+
+
+=head1 FUNCTIONS
+
+=over
+
+=item shutdown
+
+ shutdown(\*SOCKET, $mode)
+
+Calls to the main shutdown() don't work with tied sockets created with this
+module. This shutdown should be able to distinquish between tied and untied
+sockets and do the right thing.
+
+=cut
+
+sub shutdown {
+ my ($obj, @params) = @_;
+
+ my $socket = UNIVERSAL::isa($obj, 'Net::SSLeay::Handle') ?
+ $obj->{socket} : $obj;
+ return shutdown($socket, @params);
+}
+
+=item debug
+
+ my $debug = Net::SSLeay::Handle->debug()
+ Net::SSLeay::Handle->debug(1)
+
+Get/set debugging mode. Always returns the debug value before the function call.
+if an additional argument is given the debug option will be set to this value.
+
+=cut
+
+sub debug {
+ my ($class, $debug) = @_;
+ my $old_debug = $Debug;
+ @_ >1 and $Debug = $debug || 0;
+ return $old_debug;
+}
+
+#=== Internal Methods =========================================================
+
+=item make_socket
+
+ my $sock = Net::SSLeay::Handle->make_socket($host, $port);
+
+Creates a socket that is connected to $post using $port. It uses
+$Net::SSLeay::proxyhost and proxyport if set and authentificates itself against
+this proxy depending on $Net::SSLeay::proxyauth. It also turns autoflush on for
+the created socket.
+
+=cut
+
+sub make_socket {
+ my ($class, $host, $port) = @_;
+ $Debug > 10 and print "_make_socket(@{[join ', ', @_]})\n";
+ $host ||= 'localhost';
+ $port ||= 443;
+
+ my $phost = $Net::SSLeay::proxyhost;
+ my $pport = $Net::SSLeay::proxyhost ?
$Net::SSLeay::proxyport : $port;
+
+ my $dest_ip = gethostbyname($phost || $host);
+ my $host_params = sockaddr_in($pport, $dest_ip);
+
+ socket(my $socket, &PF_INET(), &SOCK_STREAM(), 0) or die "socket: $!";
+ connect($socket, $host_params) or die "connect: $!";
+
+ my $old_select = select($socket); $| = 1; select($old_select);
+ $phost and do {
+ my $auth = $Net::SSLeay::proxyauth;
+ my $CRLF = $Net::SSLeay::CRLF;
+ print $socket "CONNECT $host:$port HTTP/1.0$auth$CRLF$CRLF";
+ my $line = <$socket>;
+ };
+ return $socket;
+}
+
+=back
+
+=cut
+
+sub _initialize {
+ $Initialized++ and return;
+ Net::SSLeay::load_error_strings();
+ Net::SSLeay::SSLeay_add_ssl_algorithms();
+ Net::SSLeay::randomize();
+}
+
+sub __dummy {
+ my $host = $Net::SSLeay::proxyhost;
+ my $port = $Net::SSLeay::proxyport;
+ my $auth = $Net::SSLeay::proxyauth;
+}
+
+#--- _get_self($socket) -------------------------------------------------------
+# Returns a hash containing attributes for $socket (= \*SOMETHING) based
+# on fileno($socket). Will return undef if $socket was not created here.
+#------------------------------------------------------------------------------
+
+sub _get_self { return $_[0]; }
+
+#--- _get_ssl($socket) --------------------------------------------------------
+# Returns a the "ssl" attribute for $socket (= \*SOMETHING) based
+# on fileno($socket). Will cause a warning and return undef if $socket was not
+# created here.
+#------------------------------------------------------------------------------
+
+sub _get_ssl {
+ return $_[0]->{ssl};
+}
+
+1;
+
+__END__
+
+=head2 USING EXISTING SOCKETS
+
+One of the motivations for writing this module was to avoid
+duplicating socket creation code (which is mostly error handling).
+The calls to tie() above where it is passed a $host and $port is
+provided for convenience testing.
If you already have a socket
+connected to the right host and port, S1, then you can do something
+like:
+
+ my $socket \*S1;
+ if ($scheme eq "https") {
+ tie(*S2, "Net::SSLeay::Handle", $socket);
+ $socket = \*S2;
+ }
+ my $last_sel = select($socket); $| = 1; select($last_sel);
+ print $socket $request_headers;
+ ...
+
+Note: As far as I know you must be careful with the globs in the tie()
+function. The first parameter must be a glob (*SOMETHING) and the
+last parameter must be a reference to a glob (\*SOMETHING_ELSE) or a
+scaler that was assigned to a reference to a glob (as in the example
+above)
+
+Also, the two globs must be different. When I tried to use the same
+glob, I got a core dump.
+
+=head2 EXPORT
+
+None by default.
+
+You can export the shutdown() function.
+
+It is suggested that you do export shutdown() or use the fully
+qualified Net::SSLeay::Handle::shutdown() function to shutdown SSL
+sockets. It should be smart enough to distinguish between SSL and
+non-SSL sockets and do the right thing.
+
+=head1 EXAMPLES
+
+ use Net::SSLeay::Handle qw/shutdown/;
+ my ($host, $port) = ("localhost", 443);
+
+ tie(*SSL, "Net::SSLeay::Handle", $host, $port);
+
+ print SSL "GET / HTTP/1.0\r\n";
+ shutdown(\*SSL, 1);
+ print while ();
+ close SSL;
+
+=head1 TODO
+
+Better error handling. Callback routine?
+
+=head1 CAVEATS
+
+Tying to a file handle is a little tricky (for me at least).
+
+The first parameter to tie() must be a glob (*SOMETHING) and the last
+parameter must be a reference to a glob (\*SOMETHING_ELSE) or a scaler
+that was assigned to a reference to a glob ($s = \*SOMETHING_ELSE).
+Also, the two globs must be different. When I tried to use the same
+glob, I got a core dump.
+
+I was able to associate attributes to globs created by this module
+(like *SSL above) by making a hash of hashes keyed by the file head1.
+
+=head1 CHANGES
+
+Please see Net-SSLeay-Handle-0.50/Changes file.
+
+=head1 BUGS
+
+If you encounter a problem with this module that you believe is a bug, please
+L
+in the Net-SSLeay GitHub repository. Please make sure your bug report includes
+the following information:
+
+=over
+
+=item * the code you are trying to run;
+
+=item * your operating system name and version;
+
+=item * the output of C;
+
+=item * the version of OpenSSL or LibreSSL you are using.
+
+=back
+
+=head1 AUTHOR
+
+Originally written by Jim Bowlin.
+
+Maintained by Sampo Kellomäki between July 2001 and August 2003.
+
+Maintained by Florian Ragwitz between November 2005 and January 2010.
+
+Maintained by Mike McCauley between November 2005 and June 2018.
+
+Maintained by Chris Novakovic, Tuure Vartiainen and Heikki Vatiainen since June 2018.
+
+=head1 COPYRIGHT
+
+Copyright (c) 2001 Jim Bowlin
+
+Copyright (c) 2001-2003 Sampo Kellomäki
+
+Copyright (c) 2005-2010 Florian Ragwitz
+
+Copyright (c) 2005-2018 Mike McCauley
+
+Copyright (c) 2018- Chris Novakovic
+
+Copyright (c) 2018- Tuure Vartiainen
+
+Copyright (c) 2018- Heikki Vatiainen
+
+All rights reserved.
+
+=head1 LICENSE
+
+This module is released under the terms of the Artistic License 2.0. For
+details, see the C file distributed with Net-SSLeay's source code.
+
+=head1 SEE ALSO
+
+Net::SSLeay, perl(1), http://openssl.org/
+
+=cut
diff --git a/cpan/Net-SSLeay/t/data/binary-test.file b/cpan/Net-SSLeay/t/data/binary-test.file
new file mode 100644
index 000000000000..119cecc8c35b
Binary files /dev/null and b/cpan/Net-SSLeay/t/data/binary-test.file differ
diff --git a/cpan/Net-SSLeay/t/data/extended-cert.cert.der b/cpan/Net-SSLeay/t/data/extended-cert.cert.der
new file mode 100644
index 000000000000..3c85968b6e1d
Binary files /dev/null and b/cpan/Net-SSLeay/t/data/extended-cert.cert.der differ
diff --git a/cpan/Net-SSLeay/t/data/extended-cert.cert.dump b/cpan/Net-SSLeay/t/data/extended-cert.cert.dump
new file mode 100644
index 000000000000..6ba8f78c31be
--- /dev/null
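Review bot: In TIEHANDLE the handshake result `my $resp = Net::SSLeay::connect($ssl);` is never examined, so a failed or rejected handshake still returns a tied handle that PRINT and READLINE go on to use, and no verify mode is ever set on the context, so this module never checks the peer certificate. I would change that line to `Net::SSLeay::connect($ssl) > 0 or Net::SSLeay::die_now("Failed SSL connect");` (the existing unqualified `die_now(...)` calls look unimported, since `use Net::SSLeay;` has no import list, so qualifying the call avoids an undefined-subroutine error on the failure path) and add a comment above the CTX_new call such as `# NOTE: no CTX_set_verify is configured here; callers must verify the peer certificate themselves`. make_socket has a related gap: the proxy CONNECT reply is read into `$line` and discarded, so a non-2xx proxy response is not detected before the handshake starts on whatever the proxy sent back. This file is imported under cpan/ from the Net-SSLeay distribution, so these fixes belong upstream rather than in the core copy.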
+++ b/cpan/Net-SSLeay/t/data/extended-cert.cert.dump 
@@ -0,0 +1,350 @@ + +# exported via command: perl examples/x509_cert_details.pl -dump -pem t/data/extended-cert.cert.pem > t/data/extended-cert.cert.pem_dump +# hashref dumped via Data::Dump +{ + cdp => [ + "http://intermediate-ca.net-ssleay.example/crl1.crl", + "http://intermediate-ca.net-ssleay.example/crl2.crl", + ], + certificate_type => 305, + digest_sha1 => { + pubkey => pack("H*","db74943bae1b9a5a4749fee47bc40dd18ca9f6bd"), + x509 => pack("H*","0e54235bc35990a1c68c5960a964ef3836082cc9"), + }, + extensions => { + count => 10, + entries => [ + { + critical => 0, + data => "OCSP - URI:http://ocsp.intermediate-ca.net-ssleay.example\nCA Issuers - URI:http://issuers.intermediate-ca.net-ssleay.example", + ln => "Authority Information Access", + nid => 177, + oid => "1.3.6.1.5.5.7.1.1", + sn => "authorityInfoAccess", + }, + { + critical => 0, + data => "D5:D3:4D:E4:59:B9:5C:75:F6:D9:72:F3:9B:DC:FB:EE:80:26:91:6F", + ln => "X509v3 Authority Key Identifier", + nid => 90, + oid => "2.5.29.35", + sn => "authorityKeyIdentifier", + }, + { + critical => 1, + data => "CA:FALSE", + ln => "X509v3 Basic Constraints", + nid => 87, + oid => "2.5.29.19", + sn => "basicConstraints", + }, + { + critical => 0, + data => "Policy: 1.2.3.4.5\nPolicy: 2.3.4.5.6", + ln => "X509v3 Certificate Policies", + nid => 89, + oid => "2.5.29.32", + sn => "certificatePolicies", + }, + { + critical => 0, + data => "Full Name:\n URI:http://intermediate-ca.net-ssleay.example/crl1.crl\nFull Name:\n URI:http://intermediate-ca.net-ssleay.example/crl2.crl", + ln => "X509v3 CRL Distribution Points", + nid => 103, + oid => "2.5.29.31", + sn => "crlDistributionPoints", + }, + { + critical => 1, + data => "TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection, Time Stamping, OCSP Signing, ipsec Internet Key Exchange, Microsoft Individual Code Signing, Microsoft Commercial Code Signing, Microsoft Trust List Signing, Microsoft Encrypted File System, 1.3.6.1.5.5.7.3.13, 
1.3.6.1.5.5.7.3.14", + ln => "X509v3 Extended Key Usage", + nid => 126, + oid => "2.5.29.37", + sn => "extendedKeyUsage", + }, + { + critical => 0, + data => "email:intermediate-ca\@net-ssleay.example, URI:http://intermediate-ca.net-ssleay.example, DNS:intermediate-ca.net-ssleay.example, Registered ID:1.2.0.0, IP Address:192.168.0.1, IP Address:FD25:F814:AFB5:9873:0:0:0:1, othername: emailAddress::ica\@net-ssleay.example", + ln => "X509v3 Issuer Alternative Name", + nid => 86, + oid => "2.5.29.18", + sn => "issuerAltName", + }, + { + critical => 0, + data => "Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign, Decipher Only", + ln => "X509v3 Key Usage", + nid => 83, + oid => "2.5.29.15", + sn => "keyUsage", + }, + { + critical => 0, + data => "email:john.doe\@net-ssleay.example, URI:http://johndoe.net-ssleay.example, DNS:johndoe.net-ssleay.example, Registered ID:1.2.3.4, IP Address:192.168.0.2, IP Address:FD25:F814:AFB5:9873:0:0:0:2, othername: emailAddress::jd\@net-ssleay.example", + ln => "X509v3 Subject Alternative Name", + nid => 85, + oid => "2.5.29.17", + sn => "subjectAltName", + }, + { + critical => 0, + data => "DB:74:94:3B:AE:1B:9A:5A:47:49:FE:E4:7B:C4:0D:D1:8C:A9:F6:BD", + ln => "X509v3 Subject Key Identifier", + nid => 82, + oid => "2.5.29.14", + sn => "subjectKeyIdentifier", + }, + ], + }, + extkeyusage => { + ln => [ + "TLS Web Server Authentication", + "TLS Web Client Authentication", + "Code Signing", + "E-mail Protection", + "Time Stamping", + "OCSP Signing", + "ipsec Internet Key Exchange", + "Microsoft Individual Code Signing", + "Microsoft Commercial Code Signing", + "Microsoft Trust List Signing", + "Microsoft Encrypted File System", + ], + nid => [129 .. 
133, 180, 1022, 134, 135, 136, 138], + oid => [ + "1.3.6.1.5.5.7.3.1", + "1.3.6.1.5.5.7.3.2", + "1.3.6.1.5.5.7.3.3", + "1.3.6.1.5.5.7.3.4", + "1.3.6.1.5.5.7.3.8", + "1.3.6.1.5.5.7.3.9", + "1.3.6.1.5.5.7.3.17", + "1.3.6.1.4.1.311.2.1.21", + "1.3.6.1.4.1.311.2.1.22", + "1.3.6.1.4.1.311.10.3.1", + "1.3.6.1.4.1.311.10.3.4", + "1.3.6.1.5.5.7.3.13", + "1.3.6.1.5.5.7.3.14", + ], + sn => [ + "serverAuth", + "clientAuth", + "codeSigning", + "emailProtection", + "timeStamping", + "OCSPSigning", + "ipsecIKE", + "msCodeInd", + "msCodeCom", + "msCTLSign", + "msEFS", + ], + }, + fingerprint => { + md5 => "D8:B8:96:CB:80:3B:B1:59:E6:D8:D7:DF:82:9F:B9:4A", + sha1 => "0E:54:23:5B:C3:59:90:A1:C6:8C:59:60:A9:64:EF:38:36:08:2C:C9", + }, + hash => { + issuer => { dec => 2397076613, hex => "8EE07C85" }, + issuer_and_serial => { dec => 2318623373, hex => "8A33628D" }, + subject => { dec => 1333988679, hex => "4F830D47" }, + }, + issuer => { + count => 4, + entries => [ + { + data => "PL", + data_utf8_decoded => "PL", + ln => "countryName", + nid => 14, + oid => "2.5.4.6", + sn => "C", + }, + { + data => "Net-SSLeay", + data_utf8_decoded => "Net-SSLeay", + ln => "organizationName", + nid => 17, + oid => "2.5.4.10", + sn => "O", + }, + { + data => "Test Suite", + data_utf8_decoded => "Test Suite", + ln => "organizationalUnitName", + nid => 18, + oid => "2.5.4.11", + sn => "OU", + }, + { + data => "Intermediate CA", + data_utf8_decoded => "Intermediate CA", + ln => "commonName", + nid => 13, + oid => "2.5.4.3", + sn => "CN", + }, + ], + oneline => "/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Intermediate CA", + print_rfc2253 => "CN=Intermediate CA,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8 => "CN=Intermediate CA,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8_decoded => "CN=Intermediate CA,OU=Test Suite,O=Net-SSLeay,C=PL", + }, + keyusage => [ + "digitalSignature", + "nonRepudiation", + "keyEncipherment", + "dataEncipherment", + "keyAgreement", + "keyCertSign", + "cRLSign", + 
"decipherOnly", + ], + not_after => "2038-01-01T00:00:00Z", + not_before => "2020-01-01T00:00:00Z", + ns_cert_type => [], + pubkey_alg => "rsaEncryption", + pubkey_bits => 2048, + pubkey_id => 6, + pubkey_size => 256, + serial => { dec => 2, hex => "02", long => 2 }, + signature_alg => "sha256WithRSAEncryption", + subject => { + altnames => [ + 1, + "john.doe\@net-ssleay.example", + 6, + "http://johndoe.net-ssleay.example", + 2, + "johndoe.net-ssleay.example", + 8, + "1.2.3.4", + 7, + "\xC0\xA8\0\2", + 7, + pack("H*","fd25f814afb598730000000000000002"), + 0, + "jd\@net-ssleay.example", + ], + count => 14, + entries => [ + { + data => "PL", + data_utf8_decoded => "PL", + ln => "countryName", + nid => 14, + oid => "2.5.4.6", + sn => "C", + }, + { + data => "Net-SSLeay", + data_utf8_decoded => "Net-SSLeay", + ln => "organizationName", + nid => 17, + oid => "2.5.4.10", + sn => "O", + }, + { + data => "Test Suite", + data_utf8_decoded => "Test Suite", + ln => "organizationalUnitName", + nid => 18, + oid => "2.5.4.11", + sn => "OU", + }, + { + data => "net-ssleay.example", + data_utf8_decoded => "net-ssleay.example", + ln => "dnQualifier", + nid => 174, + oid => "2.5.4.46", + sn => "dnQualifier", + }, + { + data => "State", + data_utf8_decoded => "State", + ln => "stateOrProvinceName", + nid => 16, + oid => "2.5.4.8", + sn => "ST", + }, + { + data => "John Doe", + data_utf8_decoded => "John Doe", + ln => "commonName", + nid => 13, + oid => "2.5.4.3", + sn => "CN", + }, + { + data => 1234, + data_utf8_decoded => 1234, + ln => "serialNumber", + nid => 105, + oid => "2.5.4.5", + sn => "serialNumber", + }, + { + data => "Locality", + data_utf8_decoded => "Locality", + ln => "localityName", + nid => 15, + oid => "2.5.4.7", + sn => "L", + }, + { + data => "Mr.", + data_utf8_decoded => "Mr.", + ln => "title", + nid => 106, + oid => "2.5.4.12", + sn => "title", + }, + { + data => "John", + data_utf8_decoded => "John", + ln => "givenName", + nid => 99, + oid => "2.5.4.42", + sn 
=> "GN", + }, + { + data => "JD", + data_utf8_decoded => "JD", + ln => "initials", + nid => 101, + oid => "2.5.4.43", + sn => "initials", + }, + { + data => "John Q. Public", + data_utf8_decoded => "John Q. Public", + ln => "pseudonym", + nid => 510, + oid => "2.5.4.65", + sn => "pseudonym", + }, + { + data => "Sr.", + data_utf8_decoded => "Sr.", + ln => "generationQualifier", + nid => 509, + oid => "2.5.4.44", + sn => "generationQualifier", + }, + { + data => "john.doe\@net-ssleay.example", + data_utf8_decoded => "john.doe\@net-ssleay.example", + ln => "emailAddress", + nid => 48, + oid => "1.2.840.113549.1.9.1", + sn => "emailAddress", + }, + ], + oneline => "/C=PL/O=Net-SSLeay/OU=Test Suite/dnQualifier=net-ssleay.example/ST=State/CN=John Doe/serialNumber=1234/L=Locality/title=Mr./GN=John/initials=JD/pseudonym=John Q. Public/generationQualifier=Sr./emailAddress=john.doe\@net-ssleay.example", + print_rfc2253 => "emailAddress=john.doe\@net-ssleay.example,generationQualifier=Sr.,pseudonym=John Q. Public,initials=JD,GN=John,title=Mr.,L=Locality,serialNumber=1234,CN=John Doe,ST=State,dnQualifier=net-ssleay.example,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8 => "emailAddress=john.doe\@net-ssleay.example,generationQualifier=Sr.,pseudonym=John Q. Public,initials=JD,GN=John,title=Mr.,L=Locality,serialNumber=1234,CN=John Doe,ST=State,dnQualifier=net-ssleay.example,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8_decoded => "emailAddress=john.doe\@net-ssleay.example,generationQualifier=Sr.,pseudonym=John Q. Public,initials=JD,GN=John,title=Mr.,L=Locality,serialNumber=1234,CN=John Doe,ST=State,dnQualifier=net-ssleay.example,OU=Test Suite,O=Net-SSLeay,C=PL", + }, + version => 2, +} diff --git a/cpan/Net-SSLeay/t/data/extended-cert.cert.pem b/cpan/Net-SSLeay/t/data/extended-cert.cert.pem new file mode 100644 index 000000000000..6cbdc1faea51 --- /dev/null +++ b/cpan/Net-SSLeay/t/data/extended-cert.cert.pem 
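Review bot: The provenance comment at the top of this hunk says the dump was written to `t/data/extended-cert.cert.pem_dump`, but the file is added as `t/data/extended-cert.cert.dump`, so the documented command does not regenerate the fixture in place. The same mismatch is in `intermediate-ca.cert.dump`, whose comment names `intermediate-ca.cert.pem_dump`. I'd change the comment to `# exported via command: perl examples/x509_cert_details.pl -dump -pem t/data/extended-cert.cert.pem > t/data/extended-cert.cert.dump` (and likewise for the intermediate CA dump), so that whoever refreshes these dumps after a certificate change presumably updates the file the tests read rather than a stray `.pem_dump`. It may also help to add a one-line comment under `extkeyusage` saying that `nid`, `ln` and `sn` hold 11 entries while `oid` holds 13, which appears to be because the last two OIDs (`1.3.6.1.5.5.7.3.13`/`.14`) have no registered name and show up as raw OIDs in the extension text; a reader comparing the four lists is otherwise left guessing whether the fixture is inconsistent.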
@@ -0,0 +1,42 @@ +-----BEGIN CERTIFICATE----- +MIIHdTCCBl+gAwIBAgIBAjALBgkqhkiG9w0BAQswUTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxGDAWBgNVBAMM +D0ludGVybWVkaWF0ZSBDQTAeFw0yMDAxMDEwMDAwMDBaFw0zODAxMDEwMDAwMDBa +MIIBFjELMAkGA1UEBhMCUEwxEzARBgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsM +ClRlc3QgU3VpdGUxGzAZBgNVBC4TEm5ldC1zc2xlYXkuZXhhbXBsZTEOMAwGA1UE +CAwFU3RhdGUxETAPBgNVBAMMCEpvaG4gRG9lMQ0wCwYDVQQFEwQxMjM0MREwDwYD +VQQHDAhMb2NhbGl0eTEMMAoGA1UEDAwDTXIuMQ0wCwYDVQQqDARKb2huMQswCQYD +VQQrDAJKRDEXMBUGA1UEQQwOSm9obiBRLiBQdWJsaWMxDDAKBgNVBCwMA1NyLjEq +MCgGCSqGSIb3DQEJARYbam9obi5kb2VAbmV0LXNzbGVheS5leGFtcGxlMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA00brOddneRnLR16XbabDULkvA6Io +D0tHG8X60TJcdFVF3GFJPTesYq6C5KmI3cubWgzrotSVXFh/gy1PT9ewXGxVvDTM +LqAaKJQiJixSyZP2r1LP9nCl+ygNqW+PY5+f6Vwko2i1Qh9mm5yVJyF7E5I8WcKb +QHhdGolosQ1e9nBBvJR12jU2/Um4a4pgWyDIxv9xEFpS1I88EUkC/5wDEr4OZaGQ +vp8J+mX8B18gWRO75buofrDIk38+m3JG1qOlNEAqIzpQQtGthqjfMPAjhIM6rdXc +xAhXgMwykhONrtwBz8qTh+8nfwMzxGvNgO//rn0ba2HrCQH26ax1oSmGhwIDAQAB +o4IDkzCCA48wgYkGCCsGAQUFBwEBBH0wezA6BggrBgEFBQcwAYYuaHR0cDovL29j +c3AuaW50ZXJtZWRpYXRlLWNhLm5ldC1zc2xlYXkuZXhhbXBsZTA9BggrBgEFBQcw +AoYxaHR0cDovL2lzc3VlcnMuaW50ZXJtZWRpYXRlLWNhLm5ldC1zc2xlYXkuZXhh +bXBsZTAfBgNVHSMEGDAWgBTV003kWblcdfbZcvOb3PvugCaRbzAMBgNVHRMBAf8E +AjAAMBkGA1UdIAQSMBAwBgYEKgMEBTAGBgRTBAUGMH0GA1UdHwR2MHQwOKA2oDSG +Mmh0dHA6Ly9pbnRlcm1lZGlhdGUtY2EubmV0LXNzbGVheS5leGFtcGxlL2NybDEu +Y3JsMDigNqA0hjJodHRwOi8vaW50ZXJtZWRpYXRlLWNhLm5ldC1zc2xlYXkuZXhh +bXBsZS9jcmwyLmNybDCBmAYDVR0lAQH/BIGNMIGKBggrBgEFBQcDAQYIKwYBBQUH +AwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBggrBgEF +BQcDEQYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYKKwYBBAGC +NwoDBAYIKwYBBQUHAw0GCCsGAQUFBwMOMIHCBgNVHRIEgbowgbeBImludGVybWVk +aWF0ZS1jYUBuZXQtc3NsZWF5LmV4YW1wbGWGKWh0dHA6Ly9pbnRlcm1lZGlhdGUt +Y2EubmV0LXNzbGVheS5leGFtcGxlgiJpbnRlcm1lZGlhdGUtY2EubmV0LXNzbGVh +eS5leGFtcGxliAMqAACHBMCoAAGHEP0l+BSvtZhzAAAAAAAAAAGgJQYJKoZIhvcN 
+AQkBoBgMFmljYUBuZXQtc3NsZWF5LmV4YW1wbGUwDAYDVR0PBAUDAwf+gDCBqgYD +VR0RBIGiMIGfgRtqb2huLmRvZUBuZXQtc3NsZWF5LmV4YW1wbGWGIWh0dHA6Ly9q +b2huZG9lLm5ldC1zc2xlYXkuZXhhbXBsZYIaam9obmRvZS5uZXQtc3NsZWF5LmV4 +YW1wbGWIAyoDBIcEwKgAAocQ/SX4FK+1mHMAAAAAAAAAAqAkBgkqhkiG9w0BCQGg +FwwVamRAbmV0LXNzbGVheS5leGFtcGxlMB0GA1UdDgQWBBTbdJQ7rhuaWkdJ/uR7 +xA3RjKn2vTALBgkqhkiG9w0BAQsDggEBAEz87Fu1bOk4ezO3A9hJIRkzmRw6HoJy +M632rtvkn8wim5YPOJEWZgzXyRg/9xZX5ZYjwyH3t+k/Z203VImrYfGoGxVRqFGj +tJ7Bf9YJo/igCGtE4mNrS4JGHFmxM0HnsaUbb/WruHv42PTPjOTcPQGTVYPdWOuw +qTCuL7iYAUCEI4wsJlVy2/fUX4cIUC8ILLoQGqaFjpYVyEsieXGzAHQdp4JNebMY +i0lwe46EoVLJ8iOW8TxNeSWEMSRpWpL1Rmiq4WZDn6pjXVafk7D2zZaq7SaKXf5q +4RE/YHPhk7/lEvKu9xieVL19tf9RISlI5YrgBZRecR7Avj62auiSEkY= +-----END CERTIFICATE----- diff --git a/cpan/Net-SSLeay/t/data/extended-cert.certchain.der b/cpan/Net-SSLeay/t/data/extended-cert.certchain.der new file mode 100644 index 000000000000..654f7557bb7f Binary files /dev/null and b/cpan/Net-SSLeay/t/data/extended-cert.certchain.der differ diff --git a/cpan/Net-SSLeay/t/data/extended-cert.certchain.enc.p12 b/cpan/Net-SSLeay/t/data/extended-cert.certchain.enc.p12 new file mode 100644 index 000000000000..e3b8b5aa6ae1 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/extended-cert.certchain.enc.p12 differ diff --git a/cpan/Net-SSLeay/t/data/extended-cert.certchain.p12 b/cpan/Net-SSLeay/t/data/extended-cert.certchain.p12 new file mode 100644 index 000000000000..a2c8064ff302 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/extended-cert.certchain.p12 differ diff --git a/cpan/Net-SSLeay/t/data/extended-cert.certchain.pem b/cpan/Net-SSLeay/t/data/extended-cert.certchain.pem new file mode 100644 index 000000000000..b7d819c35c6a --- /dev/null +++ b/cpan/Net-SSLeay/t/data/extended-cert.certchain.pem 
@@ -0,0 +1,82 @@ +-----BEGIN CERTIFICATE----- +MIIHdTCCBl+gAwIBAgIBAjALBgkqhkiG9w0BAQswUTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxGDAWBgNVBAMM +D0ludGVybWVkaWF0ZSBDQTAeFw0yMDAxMDEwMDAwMDBaFw0zODAxMDEwMDAwMDBa +MIIBFjELMAkGA1UEBhMCUEwxEzARBgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsM +ClRlc3QgU3VpdGUxGzAZBgNVBC4TEm5ldC1zc2xlYXkuZXhhbXBsZTEOMAwGA1UE +CAwFU3RhdGUxETAPBgNVBAMMCEpvaG4gRG9lMQ0wCwYDVQQFEwQxMjM0MREwDwYD +VQQHDAhMb2NhbGl0eTEMMAoGA1UEDAwDTXIuMQ0wCwYDVQQqDARKb2huMQswCQYD +VQQrDAJKRDEXMBUGA1UEQQwOSm9obiBRLiBQdWJsaWMxDDAKBgNVBCwMA1NyLjEq +MCgGCSqGSIb3DQEJARYbam9obi5kb2VAbmV0LXNzbGVheS5leGFtcGxlMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA00brOddneRnLR16XbabDULkvA6Io +D0tHG8X60TJcdFVF3GFJPTesYq6C5KmI3cubWgzrotSVXFh/gy1PT9ewXGxVvDTM +LqAaKJQiJixSyZP2r1LP9nCl+ygNqW+PY5+f6Vwko2i1Qh9mm5yVJyF7E5I8WcKb +QHhdGolosQ1e9nBBvJR12jU2/Um4a4pgWyDIxv9xEFpS1I88EUkC/5wDEr4OZaGQ +vp8J+mX8B18gWRO75buofrDIk38+m3JG1qOlNEAqIzpQQtGthqjfMPAjhIM6rdXc +xAhXgMwykhONrtwBz8qTh+8nfwMzxGvNgO//rn0ba2HrCQH26ax1oSmGhwIDAQAB +o4IDkzCCA48wgYkGCCsGAQUFBwEBBH0wezA6BggrBgEFBQcwAYYuaHR0cDovL29j +c3AuaW50ZXJtZWRpYXRlLWNhLm5ldC1zc2xlYXkuZXhhbXBsZTA9BggrBgEFBQcw +AoYxaHR0cDovL2lzc3VlcnMuaW50ZXJtZWRpYXRlLWNhLm5ldC1zc2xlYXkuZXhh +bXBsZTAfBgNVHSMEGDAWgBTV003kWblcdfbZcvOb3PvugCaRbzAMBgNVHRMBAf8E +AjAAMBkGA1UdIAQSMBAwBgYEKgMEBTAGBgRTBAUGMH0GA1UdHwR2MHQwOKA2oDSG +Mmh0dHA6Ly9pbnRlcm1lZGlhdGUtY2EubmV0LXNzbGVheS5leGFtcGxlL2NybDEu +Y3JsMDigNqA0hjJodHRwOi8vaW50ZXJtZWRpYXRlLWNhLm5ldC1zc2xlYXkuZXhh +bXBsZS9jcmwyLmNybDCBmAYDVR0lAQH/BIGNMIGKBggrBgEFBQcDAQYIKwYBBQUH +AwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBggrBgEF +BQcDEQYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYKKwYBBAGC +NwoDBAYIKwYBBQUHAw0GCCsGAQUFBwMOMIHCBgNVHRIEgbowgbeBImludGVybWVk +aWF0ZS1jYUBuZXQtc3NsZWF5LmV4YW1wbGWGKWh0dHA6Ly9pbnRlcm1lZGlhdGUt +Y2EubmV0LXNzbGVheS5leGFtcGxlgiJpbnRlcm1lZGlhdGUtY2EubmV0LXNzbGVh +eS5leGFtcGxliAMqAACHBMCoAAGHEP0l+BSvtZhzAAAAAAAAAAGgJQYJKoZIhvcN 
+AQkBoBgMFmljYUBuZXQtc3NsZWF5LmV4YW1wbGUwDAYDVR0PBAUDAwf+gDCBqgYD +VR0RBIGiMIGfgRtqb2huLmRvZUBuZXQtc3NsZWF5LmV4YW1wbGWGIWh0dHA6Ly9q +b2huZG9lLm5ldC1zc2xlYXkuZXhhbXBsZYIaam9obmRvZS5uZXQtc3NsZWF5LmV4 +YW1wbGWIAyoDBIcEwKgAAocQ/SX4FK+1mHMAAAAAAAAAAqAkBgkqhkiG9w0BCQGg +FwwVamRAbmV0LXNzbGVheS5leGFtcGxlMB0GA1UdDgQWBBTbdJQ7rhuaWkdJ/uR7 +xA3RjKn2vTALBgkqhkiG9w0BAQsDggEBAEz87Fu1bOk4ezO3A9hJIRkzmRw6HoJy +M632rtvkn8wim5YPOJEWZgzXyRg/9xZX5ZYjwyH3t+k/Z203VImrYfGoGxVRqFGj +tJ7Bf9YJo/igCGtE4mNrS4JGHFmxM0HnsaUbb/WruHv42PTPjOTcPQGTVYPdWOuw +qTCuL7iYAUCEI4wsJlVy2/fUX4cIUC8ILLoQGqaFjpYVyEsieXGzAHQdp4JNebMY +i0lwe46EoVLJ8iOW8TxNeSWEMSRpWpL1Rmiq4WZDn6pjXVafk7D2zZaq7SaKXf5q +4RE/YHPhk7/lEvKu9xieVL19tf9RISlI5YrgBZRecR7Avj62auiSEkY= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDUzCCAj2gAwIBAgIBAjALBgkqhkiG9w0BAQswSTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxEDAOBgNVBAMM +B1Jvb3QgQ0EwHhcNMjAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjBRMQswCQYD +VQQGEwJQTDETMBEGA1UECgwKTmV0LVNTTGVheTETMBEGA1UECwwKVGVzdCBTdWl0 +ZTEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEArbBQg+3l/SUFGDENvpvTPnp942njbsrkcfpmpfLQPn9GsMll +GYQvG7YqN2NV44rEGlFTRkhDYVhni1MNoe3VnGRzNknSoCmvhjqiG8ojZTIzj3/a +OIYNiJ7RPei8cqgT9WUjtcsnHLQq2tPIy1Mm8bE9BazNeFHCE9/B8u8y04Ks2+nu +sxMrhpFA89eHNTs3Xt6K7jpx/FJxpYAQkkfkLvADJ//AnFF4utQfqP7QKHGE4V4U +0+6XGMCZ/9VBIy9sn8Vj0vY80jHgug4hZPpgc2NWSprfI6prbWhC8l/qLGR8hgeo +FU5rVR9KE7LR3FnA6gekv4A66SdqF694abnvXQIDAQABo0IwQDAOBgNVHQ8BAf8E +BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU1dNN5Fm5XHX22XLzm9z7 +7oAmkW8wCwYJKoZIhvcNAQELA4IBAQB+oK8jmUKMZ7YItcCAnoFvcY4pLgGPcnAT +h30Rc0uUUUcVB66J6+YRHFVWA1X/AgyWI9Jxq/Qy50hGye2fdZmxBa3j5nbZlwAU +2JylwYigjhNHD3CUxYFInxKSaQKKnzLsjazn8pjLUvJLdPuO42l4RVYRJlfW/TZX +vc4Qoql1xN46C4eNjewzW76BzqyykGjAR02JhImclaciZ+oOz04jp1bvMwfYwcdO +7UBROGqUuamfS6URU5rpMkj6Z/2Z0TtneO9nIhTN0P8dxxDTxoKDDko5KOOzXrAO +nDCAamxvxhlxLcFbog3rTGaSvY0JO6T96lepvnOuaYEuRx9oyj37 +-----END CERTIFICATE----- +-----BEGIN 
CERTIFICATE----- +MIIDSzCCAjWgAwIBAgIBATALBgkqhkiG9w0BAQswSTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxEDAOBgNVBAMM +B1Jvb3QgQ0EwHhcNMjAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjBJMQswCQYD +VQQGEwJQTDETMBEGA1UECgwKTmV0LVNTTGVheTETMBEGA1UECwwKVGVzdCBTdWl0 +ZTEQMA4GA1UEAwwHUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAKSF8tIItlPf3KpLzUgI6JVW/d/+LZP1zYedrDFFXjvZu+4uFxE5zp4vczbX +k+jhF0TZk292eStA9kVMDePVMcGwjNF3Up99yYisFe/h4ovt/w3Op9b7KS9xy5Vh +fUNqxphHIUS4/S9+7o9DUjqNP94EszDzFu8R3V7QXdDE9pSn4UZMVDTozpeu+rLo ++FOkd7NQIJMSKOdCv1HOhcFuuj+4FkLlo8k5bDgEVH68xTOL92Q4sLwubHEWl/Hf +1IA8POwoOVLtuLj4GyIrbqM/Yj779kmRX+LtjsJ1kAmLhsh4T/XhTaOyqz/d253v +OE6hM6pM0KsuFLpdPDJynpSHoQcCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8G +A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLzOh106FMJ8u/MANb7SZ5Z+swVrMAsG +CSqGSIb3DQEBCwOCAQEAXU6HGU8ThUuJz+KCSNYaO3HxxFrNH2pFWwrTjt2tdBLk +uDvicaquwUzq6zetEys7v70WOCprGB6uARiet1vU7dg7cmrd7eWibMDNoKdcPNML +oZLO29WL+hvGTx/UD0o0j7l+ab2XB83q73mNRlqRBXZkkykaqWt9qy+LTvI7QYbc +ZoONmVE1wbq5c3R9L2aa27uJsfLPAErjr3mpnNtFhJfULv+hpmXHVukhra+VUkyp +jTiY83ad8ZHfCIxfZ+MUCcWNGj7G4Rkfd27MB7fDEQlisaSk8B17FK7oIqO/NN4E +w1SHQ5TRZSmbOTGIfZtS0KaTaZdZtBNee5BEzQz1sA== +-----END CERTIFICATE----- diff --git a/cpan/Net-SSLeay/t/data/extended-cert.csr.der b/cpan/Net-SSLeay/t/data/extended-cert.csr.der new file mode 100644 index 000000000000..7aa24d49bdb3 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/extended-cert.csr.der differ diff --git a/cpan/Net-SSLeay/t/data/extended-cert.csr.pem b/cpan/Net-SSLeay/t/data/extended-cert.csr.pem new file mode 100644 index 000000000000..d7cca16166c3 --- /dev/null +++ b/cpan/Net-SSLeay/t/data/extended-cert.csr.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIDaTCCAlMCAQAwggEkMQswCQYDVQQGEwJQTDETMBEGA1UECgwKTmV0LVNTTGVh +eTETMBEGA1UECwwKVGVzdCBTdWl0ZTEbMBkGA1UELhMSbmV0LXNzbGVheS5leGFt +cGxlMQ4wDAYDVQQIDAVTdGF0ZTERMA8GA1UEAwwISm9obiBEb2UxDTALBgNVBAUT +BDEyMzQxETAPBgNVBAcMCExvY2FsaXR5MQwwCgYDVQQMDANNci4xDDAKBgNVBAQM +A0RvZTENMAsGA1UEKgwESm9objELMAkGA1UEKwwCSkQxFzAVBgNVBEEMDkpvaG4g +US4gUHVibGljMQwwCgYDVQQsDANTci4xKjAoBgkqhkiG9w0BCQEWG2pvaG4uZG9l +QG5ldC1zc2xlYXkuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBANNG6znXZ3kZy0del22mw1C5LwOiKA9LRxvF+tEyXHRVRdxhST03rGKuguSp +iN3Lm1oM66LUlVxYf4MtT0/XsFxsVbw0zC6gGiiUIiYsUsmT9q9Sz/ZwpfsoDalv +j2Ofn+lcJKNotUIfZpuclSchexOSPFnCm0B4XRqJaLENXvZwQbyUddo1Nv1JuGuK +YFsgyMb/cRBaUtSPPBFJAv+cAxK+DmWhkL6fCfpl/AdfIFkTu+W7qH6wyJN/Ppty +RtajpTRAKiM6UELRrYao3zDwI4SDOq3V3MQIV4DMMpITja7cAc/Kk4fvJ38DM8Rr +zYDv/659G2th6wkB9umsdaEphocCAwEAAaAAMAsGCSqGSIb3DQEBCwOCAQEAQzAz +EnFE/Roi+R9qiWy9zRyOL8GI7uArmjfWkumA6mvSH/V2ZMI+t6Wj0olc1m83fiJm +3BFQeI8XCAIQ9xIuPp9+7cak367lE8jhZ/TLJmrZ2Iokp3CDCtKxGz6JUB+0fKh8 +NWyHKDJiz00FpDtIFYRwPACg8mL/GUg/HwoVhrDF/FlqPm7Rbop2cpdFyh+oiQ7U +G5SbOvBUqXkYLuRDOb6aIV47nV39O9oQoa2jXS+j1IjN6z1nR5OCdGVe8QnNSRYl +46kiQYp/9YIAyzQSQ+SVqL2scJAFllrKAyUFNxpHT8RrkHA2ZuZwdmtuvHmIdwRB +0ZCzzct+blX87+WR8g== +-----END CERTIFICATE REQUEST----- diff --git a/cpan/Net-SSLeay/t/data/extended-cert.enc.p12 b/cpan/Net-SSLeay/t/data/extended-cert.enc.p12 new file mode 100644 index 000000000000..a8a92ba296cb Binary files /dev/null and b/cpan/Net-SSLeay/t/data/extended-cert.enc.p12 differ diff --git a/cpan/Net-SSLeay/t/data/extended-cert.key.der b/cpan/Net-SSLeay/t/data/extended-cert.key.der new file mode 100644 index 000000000000..bd55cb3d6213 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/extended-cert.key.der differ 
diff --git a/cpan/Net-SSLeay/t/data/extended-cert.key.enc.der b/cpan/Net-SSLeay/t/data/extended-cert.key.enc.der
new file mode 100644
index 000000000000..bd55cb3d6213
Binary files /dev/null and b/cpan/Net-SSLeay/t/data/extended-cert.key.enc.der differ
diff --git a/cpan/Net-SSLeay/t/data/extended-cert.key.enc.pem b/cpan/Net-SSLeay/t/data/extended-cert.key.enc.pem
new file mode 100644
index 000000000000..0bae8db83480
--- /dev/null
+++ b/cpan/Net-SSLeay/t/data/extended-cert.key.enc.pem
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,50C304F62D13EFABEF66F75F6169BFEE + +HFRYa0G0F+lgvVS6moHTsWz9rlWtKEsz+GNDByVmum3mvrgZaylP43ScCOlAI9JZ +kgU0qLsKf+dHO8ODsrc83Xn01ab/AytfbsTa2P1/8RyHcrts3z4yovyGDvUobf4Z +p2h75cO8viwQ5aChDL7+84s04q/niA18OJQWi3zl2hQqJht7Jc/0ReQGsCYIrgN6 +UxOeplLN8Mf1x8cn65hZz36ozympF+D9jZm8lxIyTJWTpp/DFa/C56rl39VUutx1 +VmhseR1UiX+3SE5EMoBiVj7gw9Vtk6NJLiT346c5wsKIK/pczs+PhEfjLc8YP4ZV +QrXRDrOcXCIFmqEoF5BVh0yilNluHXJ2YaBJsWa19/OU3cn3G6OUgw0N3dmMv7j6 +5F32lkfgj6HOaN+4WZ6hU05/lYW9oPAw0Ln+AI6AVVH5JMFtfZ0RN8rCLGfbWRd0 +Yy5wKaHFunNK2L/05EUh3QR/E8b4kPhnkceq9sO2IbQJwMhg7h7A6QUbKuF1ppi3 +gwYC+ltwreWZ+YbWIzBhHIn+RXQQsuiajuTCU8Im7F8aYVSPlIJA1kp5lLzMcBut +nX8O/X5b/fMadSHeMYOX3CHRukkwoM9Xf8pp0+XJaGj71OlR0u7Bp9QCq0qouR+Y +i94st5+mjSM6D/YWoM9SPjEzc4qu5uAVwf+f6uJX/3tYF6+U5nmVtJd/dWcdow28 +l5Ljdn3uBy2IM39KTG76JLnNuy7oTma5wIJGaFyrqBhgSi7BCOPCnqH79MFOr3As +DHlJUq/s4iyhvY589cpHtT4rQjDNT39U5sxmsjiIRSV8MeD3drBRJqvZ7IMSQyBB +XhieoX0SiGSYWa1Mm7YJy3z78K6RQXtJ6hu6dtdWGC3II2HzTe2O9lS4Kvs1aziA +KXUgM+RQOQRKo/Jpy8qus/HgUCLMfSwzsDgVR67NYkjnudgUT+e5k9u4d3A12X92 +BaM03o7hIDUw0/muHqiflqr6QBsQbqA5HJlpg85TgBjVaqyN5seyv8FpxbmRLf7g +sG/fE1njtOh+Cx5aGR7yYn3hdfkhrRWcNJutFONWq9zJR9MPk65kryMKrh3aSxAT +3/9yUDz/gp3zHAWjXCMYeeYIbK5/8E39VN1hojCJB7wznWMKfLBN6xnckScu4qkD +8Klh3f0oHcxuu4o/ow7Fve2Gks6UlYCGG5urLGnklKqktp0vMsCPCO0thtB4TfzY +5tX43esfYAWrPLigMjk3XodA+k9gcB0o6kmU6RS4em/EbwazD5UHdlEseazOTi1w +m3gY34ue08Pk4mDbJ5QUYfz/fseSX5cAUtk6On4QsvfubO83XO+ap0AVGTffee0y +KD8qtbGBQqQRLNwCh4NtQ136C8BOAF7IVtj6yqq2+Ihuak8S1vWpDKVU8uhpI356 +jQ+ZtPTVD3IFo/4IIW563du/vn2sssugRfPYp2KXNVeXfQwt+YEZvGNY0EtdzQEx +DYHE532jUm/F5YJSVdroSZjdpou9tbVyXnntN814qo0j+Oncn2Mf5y0Wsd4pmtWU +NJ/ftN+KBzmhUG1mFjuiFkSZH+GXYOnxYiT/y9C/zc57veoJHETXGmMVGb2kTMIw +-----END RSA PRIVATE KEY----- diff --git a/cpan/Net-SSLeay/t/data/extended-cert.key.pem b/cpan/Net-SSLeay/t/data/extended-cert.key.pem new file mode 100644 index 000000000000..be4ee4eb509c --- /dev/null 
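Review bot: The encrypted DER counterpart of this key looks wrong: in this same series `extended-cert.key.enc.der` is added with blob id `bd55cb3d6213`, identical to the blob id of `extended-cert.key.der`, so the "enc" DER fixture appears to be a byte-for-byte copy of the unencrypted key rather than a password-protected (PKCS#8 encrypted) one. Any test that loads it with a passphrase would then pass without ever exercising the encrypted-DER decode path, and a regression in that path would go unnoticed. This PEM file itself is fine as a legacy-encrypted fixture (`Proc-Type: 4,ENCRYPTED` with `DEK-Info: AES-128-CBC`); I'd regenerate `extended-cert.key.enc.der` from it with an actual passphrase, or drop the `.enc.der` file and whatever refers to it if DER keys in this fixture set are not meant to be encrypted, and say which in the fixture README or the generating script.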
+++ b/cpan/Net-SSLeay/t/data/extended-cert.key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA00brOddneRnLR16XbabDULkvA6IoD0tHG8X60TJcdFVF3GFJ +PTesYq6C5KmI3cubWgzrotSVXFh/gy1PT9ewXGxVvDTMLqAaKJQiJixSyZP2r1LP +9nCl+ygNqW+PY5+f6Vwko2i1Qh9mm5yVJyF7E5I8WcKbQHhdGolosQ1e9nBBvJR1 +2jU2/Um4a4pgWyDIxv9xEFpS1I88EUkC/5wDEr4OZaGQvp8J+mX8B18gWRO75buo +frDIk38+m3JG1qOlNEAqIzpQQtGthqjfMPAjhIM6rdXcxAhXgMwykhONrtwBz8qT +h+8nfwMzxGvNgO//rn0ba2HrCQH26ax1oSmGhwIDAQABAoIBAEx7jVa8jBgyRrzY +2M+YgXcc+pCBqKfUs/KxallFtmNkpSwgyb8QAuccToURfFryRJRGPh0NgN5TqSFn +CyGXrp/elfDSWiH80ktjSLNx8yxG1JPmUiNf5y4y8zMlkA5b8CstsJO5KXi83kux +1Oq7+457rz49LS+bAvVCzfPeJ8Tk+KJK5mAoe+bCEc5ODUDCnVOgxhVqMpZeH9BW +7RgSTY6rmm8kUgX4tAdHN5HHRXwZMMU42V3lJzAG/8h6MqWL0A4SwlGDICYGJ95A +S0u3zL/c9bjS2nwvVNDF6ni1LN5D1Mq3qpX4ozDVCT9P6ofDAwX70H5nuHyRtWgX +7oULzpECgYEA2er0WY4McbOou98O4JMlV5hhm8iD+bgywWPKbm5vgF6f9hR/FDJY +8HZBDcuXGgU0QOzfAB8oJJcwR1fHihtK2gKQ2JjPFjD7L8VGEW+VXTWZrK662dvz +yhqcH6hWjy8GrtJqAigYPa+TzA0kzsURwuWxs9WNJriH7QGtKb4q1DECgYEA+DLf +70ogc1S2BwGScG8FZTv+5wjOh8NQw53gwjuOuB30a7sCOJYFR+vLo/1DQVIlBBae +9j2Meym9b53lyBz641Vvld0JhE6TEVgMCVtOt3FJ6GbkuImtByiOHxxDapgavTNQ +bAV+TLo5U9jHuPBTagYSAeByAfaDkSbKAvWI8DcCgYEAyaXk3knXsg8xgEd0GNOQ +pnHXQLRXi2irbtDMrUt72im1k5x7y1CbhEepAv71n5pZNAr8f7xVBSbyAdJ0TpPa +u8nMBuHAHyTMCvRdVh0O9eV3gpddR+OEv+vHtHOtRWmaoYMLnVtEszAZb6Rp/vvU +56hsu6BMsRvoi6QVfJ8AOsECgYEAxnsgu2JDCxfOLVIjgkg2P1u4H5faWZVm69hA +WfN40WIbCV/Widvmwzoccrrg4sbHFTrlyjM0OXYKqMzTabFLLSswfd7yclzHnVIU +5hKfo3E0UmaeN7jZpuTWqqhWfVK/51e203udIcy2dYfhR9LgUeQi2F9drJYvZo9n +cvBZnwcCgYBXSSukPEBzJE80eVz3LxEMvu/TfQJj2ePtIgS8l5vIeOdQlY6Khtqr +QMYcFeMdQwtszLEmIe9qlueIxT+Yc54FdJMg8/MW7Rok7eMcy94V6e456zFHrbbC +EiiJZRyH8rxPcN9akZeJ5E9c9gQ6rXQiB8bTxD3pxP/+7Po4gLGLvw== +-----END RSA PRIVATE KEY----- 
diff --git a/cpan/Net-SSLeay/t/data/extended-cert.p12 b/cpan/Net-SSLeay/t/data/extended-cert.p12
new file mode 100644
index 000000000000..333ae1446ac2
Binary files /dev/null and b/cpan/Net-SSLeay/t/data/extended-cert.p12 differ
diff --git a/cpan/Net-SSLeay/t/data/intermediate-ca.cert.der b/cpan/Net-SSLeay/t/data/intermediate-ca.cert.der
new file mode 100644
index 000000000000..0e6a998ec94b
Binary files /dev/null and b/cpan/Net-SSLeay/t/data/intermediate-ca.cert.der differ
diff --git a/cpan/Net-SSLeay/t/data/intermediate-ca.cert.dump b/cpan/Net-SSLeay/t/data/intermediate-ca.cert.dump
new file mode 100644
index 000000000000..da6b3cbcb951
--- /dev/null
+++ b/cpan/Net-SSLeay/t/data/intermediate-ca.cert.dump
@@ -0,0 +1,144 @@ + +# exported via command: perl examples/x509_cert_details.pl -dump -pem t/data/intermediate-ca.cert.pem > t/data/intermediate-ca.cert.pem_dump +# hashref dumped via Data::Dump +{ + cdp => [], + certificate_type => 305, + digest_sha1 => { + pubkey => pack("H*","d5d34de459b95c75f6d972f39bdcfbee8026916f"), + x509 => pack("H*","143cc2abd987b88a5534fdee31d950afdd62bbde"), + }, + extensions => { + count => 3, + entries => [ + { + critical => 1, + data => "Certificate Sign, CRL Sign", + ln => "X509v3 Key Usage", + nid => 83, + oid => "2.5.29.15", + sn => "keyUsage", + }, + { + critical => 1, + data => "CA:TRUE", + ln => "X509v3 Basic Constraints", + nid => 87, + oid => "2.5.29.19", + sn => "basicConstraints", + }, + { + critical => 0, + data => "D5:D3:4D:E4:59:B9:5C:75:F6:D9:72:F3:9B:DC:FB:EE:80:26:91:6F", + ln => "X509v3 Subject Key Identifier", + nid => 82, + oid => "2.5.29.14", + sn => "subjectKeyIdentifier", + }, + ], + }, + extkeyusage => { ln => [], nid => [], oid => [], sn => [] }, + fingerprint => { + md5 => "95:50:6F:E6:DF:5D:C9:FA:DC:43:D2:FB:1A:55:A7:8E", + sha1 => "14:3C:C2:AB:D9:87:B8:8A:55:34:FD:EE:31:D9:50:AF:DD:62:BB:DE", + }, + hash => { + issuer => { dec => 3235285478, hex => "C0D689E6" }, + issuer_and_serial => { dec => 3593084692, hex => "D62A1F14" }, + subject => { dec => 2397076613, hex => "8EE07C85" }, + }, + issuer => { + count => 4, + entries => [ + { + data => "PL", + data_utf8_decoded => "PL", + ln => "countryName", + nid => 14, + oid => "2.5.4.6", + sn => "C", + }, + { + data => "Net-SSLeay", + data_utf8_decoded => "Net-SSLeay", + ln => "organizationName", + nid => 17, + oid => "2.5.4.10", + sn => "O", + }, + { + data => "Test Suite", + data_utf8_decoded => "Test Suite", + ln => "organizationalUnitName", + nid => 18, + oid => "2.5.4.11", + sn => "OU", + }, + { + data => "Root CA", + data_utf8_decoded => "Root CA", + ln => "commonName", + nid => 13, + oid => "2.5.4.3", + sn => "CN", + }, + ], + oneline => 
"/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Root CA", + print_rfc2253 => "CN=Root CA,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8 => "CN=Root CA,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8_decoded => "CN=Root CA,OU=Test Suite,O=Net-SSLeay,C=PL", + }, + keyusage => ["keyCertSign", "cRLSign"], + not_after => "2038-01-01T00:00:00Z", + not_before => "2020-01-01T00:00:00Z", + ns_cert_type => [], + pubkey_alg => "rsaEncryption", + pubkey_bits => 2048, + pubkey_id => 6, + pubkey_size => 256, + serial => { dec => 2, hex => "02", long => 2 }, + signature_alg => "sha256WithRSAEncryption", + subject => { + altnames => [], + count => 4, + entries => [ + { + data => "PL", + data_utf8_decoded => "PL", + ln => "countryName", + nid => 14, + oid => "2.5.4.6", + sn => "C", + }, + { + data => "Net-SSLeay", + data_utf8_decoded => "Net-SSLeay", + ln => "organizationName", + nid => 17, + oid => "2.5.4.10", + sn => "O", + }, + { + data => "Test Suite", + data_utf8_decoded => "Test Suite", + ln => "organizationalUnitName", + nid => 18, + oid => "2.5.4.11", + sn => "OU", + }, + { + data => "Intermediate CA", + data_utf8_decoded => "Intermediate CA", + ln => "commonName", + nid => 13, + oid => "2.5.4.3", + sn => "CN", + }, + ], + oneline => "/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Intermediate CA", + print_rfc2253 => "CN=Intermediate CA,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8 => "CN=Intermediate CA,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8_decoded => "CN=Intermediate CA,OU=Test Suite,O=Net-SSLeay,C=PL", + }, + version => 2, +} diff --git a/cpan/Net-SSLeay/t/data/intermediate-ca.cert.pem b/cpan/Net-SSLeay/t/data/intermediate-ca.cert.pem new file mode 100644 index 000000000000..6997e313db1b --- /dev/null +++ b/cpan/Net-SSLeay/t/data/intermediate-ca.cert.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDUzCCAj2gAwIBAgIBAjALBgkqhkiG9w0BAQswSTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxEDAOBgNVBAMM +B1Jvb3QgQ0EwHhcNMjAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjBRMQswCQYD +VQQGEwJQTDETMBEGA1UECgwKTmV0LVNTTGVheTETMBEGA1UECwwKVGVzdCBTdWl0 +ZTEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEArbBQg+3l/SUFGDENvpvTPnp942njbsrkcfpmpfLQPn9GsMll +GYQvG7YqN2NV44rEGlFTRkhDYVhni1MNoe3VnGRzNknSoCmvhjqiG8ojZTIzj3/a +OIYNiJ7RPei8cqgT9WUjtcsnHLQq2tPIy1Mm8bE9BazNeFHCE9/B8u8y04Ks2+nu +sxMrhpFA89eHNTs3Xt6K7jpx/FJxpYAQkkfkLvADJ//AnFF4utQfqP7QKHGE4V4U +0+6XGMCZ/9VBIy9sn8Vj0vY80jHgug4hZPpgc2NWSprfI6prbWhC8l/qLGR8hgeo +FU5rVR9KE7LR3FnA6gekv4A66SdqF694abnvXQIDAQABo0IwQDAOBgNVHQ8BAf8E +BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU1dNN5Fm5XHX22XLzm9z7 +7oAmkW8wCwYJKoZIhvcNAQELA4IBAQB+oK8jmUKMZ7YItcCAnoFvcY4pLgGPcnAT +h30Rc0uUUUcVB66J6+YRHFVWA1X/AgyWI9Jxq/Qy50hGye2fdZmxBa3j5nbZlwAU +2JylwYigjhNHD3CUxYFInxKSaQKKnzLsjazn8pjLUvJLdPuO42l4RVYRJlfW/TZX +vc4Qoql1xN46C4eNjewzW76BzqyykGjAR02JhImclaciZ+oOz04jp1bvMwfYwcdO +7UBROGqUuamfS6URU5rpMkj6Z/2Z0TtneO9nIhTN0P8dxxDTxoKDDko5KOOzXrAO +nDCAamxvxhlxLcFbog3rTGaSvY0JO6T96lepvnOuaYEuRx9oyj37 +-----END CERTIFICATE----- diff --git a/cpan/Net-SSLeay/t/data/intermediate-ca.certchain.der b/cpan/Net-SSLeay/t/data/intermediate-ca.certchain.der new file mode 100644 index 000000000000..b45231501247 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/intermediate-ca.certchain.der differ diff --git a/cpan/Net-SSLeay/t/data/intermediate-ca.certchain.enc.p12 b/cpan/Net-SSLeay/t/data/intermediate-ca.certchain.enc.p12 new file mode 100644 index 000000000000..33810a348813 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/intermediate-ca.certchain.enc.p12 differ 
diff --git a/cpan/Net-SSLeay/t/data/intermediate-ca.certchain.p12 b/cpan/Net-SSLeay/t/data/intermediate-ca.certchain.p12
new file mode 100644
index 000000000000..f6a5fe341fa0
Binary files /dev/null and b/cpan/Net-SSLeay/t/data/intermediate-ca.certchain.p12 differ
diff --git a/cpan/Net-SSLeay/t/data/intermediate-ca.certchain.pem b/cpan/Net-SSLeay/t/data/intermediate-ca.certchain.pem
new file mode 100644
index 000000000000..c125d6f4a984
--- /dev/null
+++ b/cpan/Net-SSLeay/t/data/intermediate-ca.certchain.pem
@@ -0,0 +1,40 @@ +-----BEGIN CERTIFICATE----- +MIIDUzCCAj2gAwIBAgIBAjALBgkqhkiG9w0BAQswSTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxEDAOBgNVBAMM +B1Jvb3QgQ0EwHhcNMjAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjBRMQswCQYD +VQQGEwJQTDETMBEGA1UECgwKTmV0LVNTTGVheTETMBEGA1UECwwKVGVzdCBTdWl0 +ZTEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEArbBQg+3l/SUFGDENvpvTPnp942njbsrkcfpmpfLQPn9GsMll +GYQvG7YqN2NV44rEGlFTRkhDYVhni1MNoe3VnGRzNknSoCmvhjqiG8ojZTIzj3/a +OIYNiJ7RPei8cqgT9WUjtcsnHLQq2tPIy1Mm8bE9BazNeFHCE9/B8u8y04Ks2+nu +sxMrhpFA89eHNTs3Xt6K7jpx/FJxpYAQkkfkLvADJ//AnFF4utQfqP7QKHGE4V4U +0+6XGMCZ/9VBIy9sn8Vj0vY80jHgug4hZPpgc2NWSprfI6prbWhC8l/qLGR8hgeo +FU5rVR9KE7LR3FnA6gekv4A66SdqF694abnvXQIDAQABo0IwQDAOBgNVHQ8BAf8E +BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU1dNN5Fm5XHX22XLzm9z7 +7oAmkW8wCwYJKoZIhvcNAQELA4IBAQB+oK8jmUKMZ7YItcCAnoFvcY4pLgGPcnAT +h30Rc0uUUUcVB66J6+YRHFVWA1X/AgyWI9Jxq/Qy50hGye2fdZmxBa3j5nbZlwAU +2JylwYigjhNHD3CUxYFInxKSaQKKnzLsjazn8pjLUvJLdPuO42l4RVYRJlfW/TZX +vc4Qoql1xN46C4eNjewzW76BzqyykGjAR02JhImclaciZ+oOz04jp1bvMwfYwcdO +7UBROGqUuamfS6URU5rpMkj6Z/2Z0TtneO9nIhTN0P8dxxDTxoKDDko5KOOzXrAO +nDCAamxvxhlxLcFbog3rTGaSvY0JO6T96lepvnOuaYEuRx9oyj37 +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDSzCCAjWgAwIBAgIBATALBgkqhkiG9w0BAQswSTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxEDAOBgNVBAMM +B1Jvb3QgQ0EwHhcNMjAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjBJMQswCQYD +VQQGEwJQTDETMBEGA1UECgwKTmV0LVNTTGVheTETMBEGA1UECwwKVGVzdCBTdWl0 +ZTEQMA4GA1UEAwwHUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAKSF8tIItlPf3KpLzUgI6JVW/d/+LZP1zYedrDFFXjvZu+4uFxE5zp4vczbX +k+jhF0TZk292eStA9kVMDePVMcGwjNF3Up99yYisFe/h4ovt/w3Op9b7KS9xy5Vh +fUNqxphHIUS4/S9+7o9DUjqNP94EszDzFu8R3V7QXdDE9pSn4UZMVDTozpeu+rLo ++FOkd7NQIJMSKOdCv1HOhcFuuj+4FkLlo8k5bDgEVH68xTOL92Q4sLwubHEWl/Hf +1IA8POwoOVLtuLj4GyIrbqM/Yj779kmRX+LtjsJ1kAmLhsh4T/XhTaOyqz/d253v 
+OE6hM6pM0KsuFLpdPDJynpSHoQcCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8G +A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLzOh106FMJ8u/MANb7SZ5Z+swVrMAsG +CSqGSIb3DQEBCwOCAQEAXU6HGU8ThUuJz+KCSNYaO3HxxFrNH2pFWwrTjt2tdBLk +uDvicaquwUzq6zetEys7v70WOCprGB6uARiet1vU7dg7cmrd7eWibMDNoKdcPNML +oZLO29WL+hvGTx/UD0o0j7l+ab2XB83q73mNRlqRBXZkkykaqWt9qy+LTvI7QYbc +ZoONmVE1wbq5c3R9L2aa27uJsfLPAErjr3mpnNtFhJfULv+hpmXHVukhra+VUkyp +jTiY83ad8ZHfCIxfZ+MUCcWNGj7G4Rkfd27MB7fDEQlisaSk8B17FK7oIqO/NN4E +w1SHQ5TRZSmbOTGIfZtS0KaTaZdZtBNee5BEzQz1sA== +-----END CERTIFICATE----- diff --git a/cpan/Net-SSLeay/t/data/intermediate-ca.crl.der b/cpan/Net-SSLeay/t/data/intermediate-ca.crl.der new file mode 100644 index 000000000000..160573a5030a Binary files /dev/null and b/cpan/Net-SSLeay/t/data/intermediate-ca.crl.der differ diff --git a/cpan/Net-SSLeay/t/data/intermediate-ca.crl.pem b/cpan/Net-SSLeay/t/data/intermediate-ca.crl.pem new file mode 100644 index 000000000000..bab2b0fcd6f2 --- /dev/null +++ b/cpan/Net-SSLeay/t/data/intermediate-ca.crl.pem @@ -0,0 +1,12 @@ +-----BEGIN X509 CRL----- +MIIByjCBtQIBATALBgkqhkiG9w0BAQswUTELMAkGA1UEBhMCUEwxEzARBgNVBAoM +Ck5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxGDAWBgNVBAMMD0ludGVy +bWVkaWF0ZSBDQRcNMjAwNzAxMDAwMDAwWhcNMjAwNzA4MDAwMDAwWjAiMCACAQUX +DTIwMDYwNjA2MDYwNlowDDAKBgNVHRUEAwoBAaAOMAwwCgYDVR0UBAMCAQEwCwYJ +KoZIhvcNAQELA4IBAQCJAh/qVFniXxlouKNtyOLeWZpXOAUS729/xBlyL/SyfqPy +eGZOOBIWVu9IyTKJ5UP8ujTnh+JP2RbdYaT/kQuqgQnFRX7Ga4oqn2emaEW2J8qj +w3HuIIKW+KuRvUASUPopl5hKBr6pg+xEJ3qvd/HB1oWQBAf50rxYWOnQ1z5n+YRk +iA8T6/Vintrxme/83giAdbVkOGX4TlVxsk3M7BnrpMqrLnAI6RWq8RvTAGFDsS9u +zREsoUmPrQrc3GSdh3f1NZr4YNJR+7tXU5oZycQ6ysMo8xyp3ycPnrqGyK3t0ifv +cuOi5RIield9xz92GbtR2fFf+M8N8JZa7DQ7jpO3 +-----END X509 CRL----- diff --git a/cpan/Net-SSLeay/t/data/intermediate-ca.csr.der b/cpan/Net-SSLeay/t/data/intermediate-ca.csr.der new file mode 100644 index 000000000000..4e15ef5cfad7 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/intermediate-ca.csr.der differ 
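Review bot: The CRL added in this hunk is already expired: decoding its time fields gives thisUpdate 2020-07-01 and nextUpdate 2020-07-08, with serial 5 (the revoked-cert leaf) revoked on 2020-06-06. Any verification that loads it with X509_V_FLAG_CRL_CHECK will fail with "CRL has expired" rather than "certificate revoked" unless the test also sets X509_V_FLAG_NO_CHECK_TIME or pins the verification time, so the test that relies on this file should state which it does, and the fixture README should record that the one-week validity is intentional. Since the certificates in the same series are valid until 2038, regenerating the CRL with a matching nextUpdate would remove the dependency on a time override altogether.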
diff --git a/cpan/Net-SSLeay/t/data/intermediate-ca.csr.pem b/cpan/Net-SSLeay/t/data/intermediate-ca.csr.pem new file mode 100644 index 000000000000..fb66284a7597 --- /dev/null +++ b/cpan/Net-SSLeay/t/data/intermediate-ca.csr.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIClDCCAX4CAQAwUTELMAkGA1UEBhMCUEwxEzARBgNVBAoMCk5ldC1TU0xlYXkx +EzARBgNVBAsMClRlc3QgU3VpdGUxGDAWBgNVBAMMD0ludGVybWVkaWF0ZSBDQTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2wUIPt5f0lBRgxDb6b0z56 +feNp427K5HH6ZqXy0D5/RrDJZRmELxu2KjdjVeOKxBpRU0ZIQ2FYZ4tTDaHt1Zxk +czZJ0qApr4Y6ohvKI2UyM49/2jiGDYie0T3ovHKoE/VlI7XLJxy0KtrTyMtTJvGx +PQWszXhRwhPfwfLvMtOCrNvp7rMTK4aRQPPXhzU7N17eiu46cfxScaWAEJJH5C7w +Ayf/wJxReLrUH6j+0ChxhOFeFNPulxjAmf/VQSMvbJ/FY9L2PNIx4LoOIWT6YHNj +Vkqa3yOqa21oQvJf6ixkfIYHqBVOa1UfShOy0dxZwOoHpL+AOuknaheveGm5710C +AwEAAaAAMAsGCSqGSIb3DQEBCwOCAQEAQdUDHAwemqq61+19HhsPZhiyk+UyNc/K +6w+tYkb81cCCSH40TveAzuEWUiHTJhahhVHO8LvyOWU7fotNefTBhpJ17vI+f7dD +APW/4QJjDipCYLyLrNN+4yDtUlom7I311x3jfTIQ/d6MFgJ/EAqSgfHANLl9aM+Y +nwNkh0FW8Op3a6Y8bct6bZwGm6JDIPesq30TtRE+sBiEp623ICIvzc8aNrwBkgmG +Ae9QNbtbk1L2Pw/BA0FZQnEEBAzpIxNrxqA/5+hUzbSOX4Z0Z2Ew6v4ecm9FHkjB +PbUXk0JI2+rliZPVlJ0WOtVB9tOk8l4MgErzXOdoGHbZaHocClzk4A== +-----END CERTIFICATE REQUEST----- diff --git a/cpan/Net-SSLeay/t/data/intermediate-ca.enc.p12 b/cpan/Net-SSLeay/t/data/intermediate-ca.enc.p12 new file mode 100644 index 000000000000..02f4f0e82e14 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/intermediate-ca.enc.p12 differ diff --git a/cpan/Net-SSLeay/t/data/intermediate-ca.key.der b/cpan/Net-SSLeay/t/data/intermediate-ca.key.der new file mode 100644 index 000000000000..4283b56cd8cb Binary files /dev/null and b/cpan/Net-SSLeay/t/data/intermediate-ca.key.der differ diff --git a/cpan/Net-SSLeay/t/data/intermediate-ca.key.enc.der b/cpan/Net-SSLeay/t/data/intermediate-ca.key.enc.der new file mode 100644 index 000000000000..4283b56cd8cb Binary files /dev/null and b/cpan/Net-SSLeay/t/data/intermediate-ca.key.enc.der differ 
diff --git a/cpan/Net-SSLeay/t/data/intermediate-ca.key.enc.pem b/cpan/Net-SSLeay/t/data/intermediate-ca.key.enc.pem new file mode 100644 index 000000000000..d925991611ce --- /dev/null +++ b/cpan/Net-SSLeay/t/data/intermediate-ca.key.enc.pem 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,D8B921ED2486BF1DCE56BA14A896CECC + +d1+JUPFBQIo+hp6wbGw48wUuxbQpp414RPVrTn4aT+9Ja0gII7Lmd+ttPcjZ9Ggv +A/sC3SU3YcK7jkS7/lXLQ24px6T2dAjppbnSgo5EMfH0I8dQ5qzSGA3tSE/U2v2I +87rG5MQxcWBo3gpakYuwH9aUGkRFHA2QDYiqRUcfaYZPWP2pq6Bgl2+zPtJvmFm4 +KzqONOh+ngaq4tIawVjj3rXTYffuLpgOcfx8bEvnxJlR/XsqVVGnK+bJzOO5vQ+N +4Q19We3X759rQcgS2K6KJOkCJAf75zro5KjPm7bIqvSS/sJzShvLBe7qbplJo/by +NS52+G8259QstamGdY4481B/JFASkYIWifuETPMTF3lRzdogCfIcuCucWRUnYhXY +JHGQByw+GVg9Yn3CxzoGmm5aoMnk2L/Au5ceOStq0iGoPN1bIwbQ98Wo4GZOaGHl +qLyT5dS98pWRhH6L8FVA3WX4fhrS7Gx+J+rqtf6H4tSXj0MXVkEWiXPKwe/X4r+t ++HREzXZdr/LJYAIKe7TJUEaDoO46NZ8Dy42BrLwmgUYYpsSMg81T6jEQRLlQDXxv +zSApBAHHeKYLKnUdk8W4/UnMDOMQt7UCBxoOtULFc8lbtiF1JAdO4BCSbFnlk/9z +Oxu4kJKHghjHakBejsjMGxn4oB9ra95d/Ye2n2vuD87MF/kpa/Nf2XLWUpo/LQ+w +2c2PZ73uYW59xOLnD9SHlevUGAoSjRue9Xk244KkQ0JklPLJTxuCkMKb2e5saiMo +ANpo8UZldRicXrcfbwBxRQD/o7meYWtkQPF+oHHfrzzZvRruNntRYpa/+//o+HuR +BQqLrDgTJ8aI9D5g/S2HquRGrPPh7vS6LV6maFbD4ifSwS13AfUxKfv9nZHHAZDO +L599pZxupiCmdUfUK9oz7VgqVeRD3OOcG+b8WdSlIE9GB64IxOYzHcgFw/+ZmO+x +Qt9qYjb3OQDhASAMCTPsJwL8byZ5OpOx4Obh0Vu9STloZWeXqjLtXfb8+kOwQw3b +EyVCivOo9CkDkoJH6SskiwoTlZOunrF8Ip38WPtSy5/c2eofccBG+6Bny+vrSOhG +OmdO7DBEBVlvodvHuC8HdN1UKfitFHKFiYHnJbbQkmEHq8YYw4ReSphLDtrDBrCi +P5E1ig9AgyN2d2k3s1QKPos91o4SCcpPxkRYkTJxDRwyPOSJH/0K6I5v3NojR3xo +PW4iZeojnkSp0LIkQuQ1AQWz9f94gSnsf9FNkLZMq7HtcOM8ZeJUyRCgz1rGlKaN +Q/bnBojx3GwHgVffosD9asZIAOhgwDIZGYl3mx5u4B0EH6WD6HRScd8E0eY7cYsC +4aniA/Zzc3KpkWRNfYvj7yQr1GQHoApp1iJOVvFczmQ/bg8eYIXLUCd1hCDC+7Dq +8Qqd9KyGqMZzFSEbpgpC30X1T77cCs5h9XyMzy04CcY6WThUcskdHK/OPRYAIOt3 +f6/ZIEvuj7ZDjNk8pA5NCiWKD3LQPnszY5oDhUlC31W4U2gSJGdCmDPwuH8dDhni +bTZubnQXzOoA5NIWl6ugSqqNmUJBuUD+DRmT7UYkDrNgEcm9X4Tw2Y0bPgMllW60 +-----END RSA PRIVATE KEY----- diff --git a/cpan/Net-SSLeay/t/data/intermediate-ca.key.pem b/cpan/Net-SSLeay/t/data/intermediate-ca.key.pem new file mode 100644 index 000000000000..3b9e1daf74bd --- /dev/null 
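Review bot: This PEM key is genuinely encrypted (`Proc-Type: 4,ENCRYPTED`, `DEK-Info: AES-128-CBC`), but the sibling intermediate-ca.key.enc.der added just above shares its blob id with intermediate-ca.key.der (`4283b56cd8cb` in both index lines), and revoked-cert.key.enc.der likewise matches revoked-cert.key.der (`3981d0a51a81`), so both ".enc.der" files are byte-identical copies of the plaintext keys. Either the names are wrong or the generator skipped the encryption step for DER output; a test that expects the DER variant to demand a passphrase would pass for the wrong reason, and a test that reads it as plaintext is silently not exercising what its name claims. The passphrase for the .enc files and the exact regeneration commands are not visible anywhere in this series and should be recorded in t/data so the fixtures can be rebuilt consistently.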
+++ b/cpan/Net-SSLeay/t/data/intermediate-ca.key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEArbBQg+3l/SUFGDENvpvTPnp942njbsrkcfpmpfLQPn9GsMll +GYQvG7YqN2NV44rEGlFTRkhDYVhni1MNoe3VnGRzNknSoCmvhjqiG8ojZTIzj3/a +OIYNiJ7RPei8cqgT9WUjtcsnHLQq2tPIy1Mm8bE9BazNeFHCE9/B8u8y04Ks2+nu +sxMrhpFA89eHNTs3Xt6K7jpx/FJxpYAQkkfkLvADJ//AnFF4utQfqP7QKHGE4V4U +0+6XGMCZ/9VBIy9sn8Vj0vY80jHgug4hZPpgc2NWSprfI6prbWhC8l/qLGR8hgeo +FU5rVR9KE7LR3FnA6gekv4A66SdqF694abnvXQIDAQABAoIBAAnqH554TQGXRGQu +IKe5w2Q0n80EdVwUrtemwIdGhgabQ1DCHkhHmFzPmDdTL0ru1+TcsZE4fMgowLhe +RE/zAJeN0FnP+vrzhjZ2UFyfvEeBhxnw5WcGl+0ti6oqB9/PolwGqvQspY3o5u1Y +24RnubhgMqiJRa1RlW+G/U49wzv5iGDNnvQ9NN8zVXSUUBAwNzlNiZRaN+zbwgHM +R4ifAwrrYEIZVDkWBAaa/hsjOrnVdOMR8cvU4J89lmQMV1g+jm9zjjFZGarnaJqh +4jeRga2NZ0B1gk6H3L/xKLAVhrlpENV5ypY7vvz6kaDlO9uQ79pmgYPAruFZ7bfG +M22MtYECgYEAu23mI/8qU/K98n1ROZxwp6aPgruubHiI8yQq8mxEhZnULGUlgbme +M09rsq6fmXNrLkcS0etesM3TyAl5hbZuvpiYIGpyqSi6OF9MHCpNwQ91edN6GltK +GgFBZE2pg6bxfVlTugmF3JdBqxtEfYf+J9KtOzzIzbSMNDPbfXiiCr0CgYEA7TuD +S5FXSC/Vc474ZuHJtkeNCdjqkvTJxu98lGdlUSy5FLofIi9CFCzcXg0ZWucai2U0 +AQZaFPRYfLjs++pC/oCS6FVVUQKPKcEqY0purQEKeozWQ3ISxENOCZn0Rm54heDF +K5BPsYX867fXdMeKg06e6tPLKOi6wJ6mZDSgESECgYA/S5nQxjcRKoSjA1cO0Znp +xAHq8F6zGvGEys4GGDH7vDs+0tmbuYeHZGbGbNpRA/1KH45nfcj4hEnk3+4+DaHQ +k8+sAsa+AZcBuo0FZfPkIshVX+l4RSP9LDddHC0G3LXo0uXHibe/CwWONyMmEWrv +H+KIgrp9XV+LsYeKE9cFMQKBgHrZgMpXP43AR5cKCJSuhBiCwQTCceccIImGZ0sq +qAr7T/Tt1UWMl3l/KbcCrYineNWK2P1W3rtPNauQ0Bg8XekRiAIMfpvu6VhEEcFN +QDcS/Owtlp9iqVk9SWIreZYniv45QaGnn71cl3cxwr9UveP1iNIuT1yl+F/bSGtH +3URBAoGAEtbKiQEOJWlc3Bh6a3xnq+ebQb1gOcrbxX8k73RcKDSEHKlwSvCGfYw8 +ccE+aXbRGi3WC5sp46x+7ZNxcBE26BVC7MiE7Mg48Sj8oYHsjjHXxyBlYPkTrhMO +tro/g55fbEIXclcKrv/O6EDegYuytLuxm+48j4uI/ryJe56iwzM= +-----END RSA PRIVATE KEY----- 
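Review bot: This hunk commits an unencrypted RSA private key for the test intermediate CA, and revoked-cert.key.pem later in the series does the same for the leaf. That is normal for a self-contained test PKI, but once in the tree these keys are public forever, so the fixture directory should say so explicitly: a short t/data/README noting that every key here is publicly known test material that must never be trusted or reused, and is safe to allow-list in secret scanners (which will flag each `-----BEGIN RSA PRIVATE KEY-----` in the repo). The same README is the natural home for the passphrase of the .enc variants and the generation commands, since the PEM files themselves carry no comments.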
diff --git a/cpan/Net-SSLeay/t/data/intermediate-ca.p12 b/cpan/Net-SSLeay/t/data/intermediate-ca.p12 new file mode 100644 index 000000000000..490ac22c8599 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/intermediate-ca.p12 differ diff --git a/cpan/Net-SSLeay/t/data/revoked-cert.cert.der b/cpan/Net-SSLeay/t/data/revoked-cert.cert.der new file mode 100644 index 000000000000..baaf9aaa41e4 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/revoked-cert.cert.der differ diff --git a/cpan/Net-SSLeay/t/data/revoked-cert.cert.dump b/cpan/Net-SSLeay/t/data/revoked-cert.cert.dump new file mode 100644 index 000000000000..334da2377cef --- /dev/null +++ b/cpan/Net-SSLeay/t/data/revoked-cert.cert.dump 
@@ -0,0 +1,152 @@ + +# exported via command: perl examples/x509_cert_details.pl -dump -pem t/data/revoked-cert.cert.pem > t/data/revoked-cert.cert.pem_dump +# hashref dumped via Data::Dump +{ + cdp => [], + certificate_type => 305, + digest_sha1 => { + pubkey => pack("H*","0a899f29c348fdeb499c8493b961f2ff773bb18f"), + x509 => pack("H*","9a401f7c4714157b88b9a24faec20e6b89fb6864"), + }, + extensions => { + count => 3, + entries => [ + { + critical => 1, + data => "Digital Signature, Key Encipherment", + ln => "X509v3 Key Usage", + nid => 83, + oid => "2.5.29.15", + sn => "keyUsage", + }, + { + critical => 0, + data => "TLS Web Server Authentication, TLS Web Client Authentication", + ln => "X509v3 Extended Key Usage", + nid => 126, + oid => "2.5.29.37", + sn => "extendedKeyUsage", + }, + { + critical => 0, + data => "0A:89:9F:29:C3:48:FD:EB:49:9C:84:93:B9:61:F2:FF:77:3B:B1:8F", + ln => "X509v3 Subject Key Identifier", + nid => 82, + oid => "2.5.29.14", + sn => "subjectKeyIdentifier", + }, + ], + }, + extkeyusage => { + ln => [ + "TLS Web Server Authentication", + "TLS Web Client Authentication", + ], + nid => [129, 130], + oid => ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"], + sn => ["serverAuth", "clientAuth"], + }, + fingerprint => { + md5 => "42:CE:3D:42:75:D9:D9:58:D3:C0:4F:DB:FD:40:5E:49", + sha1 => "9A:40:1F:7C:47:14:15:7B:88:B9:A2:4F:AE:C2:0E:6B:89:FB:68:64", + }, + hash => { + issuer => { dec => 2397076613, hex => "8EE07C85" }, + issuer_and_serial => { dec => 4163254640, hex => "F8263970" }, + subject => { dec => 168762383, hex => "A0F1C0F" }, + }, + issuer => { + count => 4, + entries => [ + { + data => "PL", + data_utf8_decoded => "PL", + ln => "countryName", + nid => 14, + oid => "2.5.4.6", + sn => "C", + }, + { + data => "Net-SSLeay", + data_utf8_decoded => "Net-SSLeay", + ln => "organizationName", + nid => 17, + oid => "2.5.4.10", + sn => "O", + }, + { + data => "Test Suite", + data_utf8_decoded => "Test Suite", + ln => "organizationalUnitName", + nid => 
18, + oid => "2.5.4.11", + sn => "OU", + }, + { + data => "Intermediate CA", + data_utf8_decoded => "Intermediate CA", + ln => "commonName", + nid => 13, + oid => "2.5.4.3", + sn => "CN", + }, + ], + oneline => "/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Intermediate CA", + print_rfc2253 => "CN=Intermediate CA,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8 => "CN=Intermediate CA,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8_decoded => "CN=Intermediate CA,OU=Test Suite,O=Net-SSLeay,C=PL", + }, + keyusage => ["digitalSignature", "keyEncipherment"], + not_after => "2038-01-01T00:00:00Z", + not_before => "2020-01-01T00:00:00Z", + ns_cert_type => [], + pubkey_alg => "rsaEncryption", + pubkey_bits => 2048, + pubkey_id => 6, + pubkey_size => 256, + serial => { dec => 5, hex => "05", long => 5 }, + signature_alg => "sha256WithRSAEncryption", + subject => { + altnames => [], + count => 4, + entries => [ + { + data => "PL", + data_utf8_decoded => "PL", + ln => "countryName", + nid => 14, + oid => "2.5.4.6", + sn => "C", + }, + { + data => "Net-SSLeay", + data_utf8_decoded => "Net-SSLeay", + ln => "organizationName", + nid => 17, + oid => "2.5.4.10", + sn => "O", + }, + { + data => "Test Suite", + data_utf8_decoded => "Test Suite", + ln => "organizationalUnitName", + nid => 18, + oid => "2.5.4.11", + sn => "OU", + }, + { + data => "revoked-cert.net-ssleay.example", + data_utf8_decoded => "revoked-cert.net-ssleay.example", + ln => "commonName", + nid => 13, + oid => "2.5.4.3", + sn => "CN", + }, + ], + oneline => "/C=PL/O=Net-SSLeay/OU=Test Suite/CN=revoked-cert.net-ssleay.example", + print_rfc2253 => "CN=revoked-cert.net-ssleay.example,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8 => "CN=revoked-cert.net-ssleay.example,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8_decoded => "CN=revoked-cert.net-ssleay.example,OU=Test Suite,O=Net-SSLeay,C=PL", + }, + version => 2, +} 
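Review bot: The header comment in this dump records the output as redirected to `t/data/revoked-cert.cert.pem_dump`, but the committed file is `revoked-cert.cert.dump`, so the recorded regeneration command no longer reproduces the file in place; root-ca.cert.dump carries the same stale `.pem_dump` suffix. Change it to `> t/data/revoked-cert.cert.dump` or, better, point at a single script that regenerates every dump. For anyone writing revocation tests against this fixture, the dump also shows `cdp => []` and `altnames => []`: the leaf has no CRL Distribution Points and no subjectAltName, so the CRL must be loaded into the store explicitly and any hostname match can only use the CN, which is worth a line in the test that uses it.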
diff --git a/cpan/Net-SSLeay/t/data/revoked-cert.cert.pem b/cpan/Net-SSLeay/t/data/revoked-cert.cert.pem new file mode 100644 index 000000000000..9c2d5eb1a22f --- /dev/null +++ b/cpan/Net-SSLeay/t/data/revoked-cert.cert.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDeTCCAmOgAwIBAgIBBTALBgkqhkiG9w0BAQswUTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxGDAWBgNVBAMM +D0ludGVybWVkaWF0ZSBDQTAeFw0yMDAxMDEwMDAwMDBaFw0zODAxMDEwMDAwMDBa +MGExCzAJBgNVBAYTAlBMMRMwEQYDVQQKDApOZXQtU1NMZWF5MRMwEQYDVQQLDApU +ZXN0IFN1aXRlMSgwJgYDVQQDDB9yZXZva2VkLWNlcnQubmV0LXNzbGVheS5leGFt +cGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAydkDWdvnw6Yglwzp +H6caBO1lSHc+yHt301porX24RBXZ6WqwRlA67TXdWGc8QlzrJpH/9W5rS+k+gtvO +U5/r5kMoFcW0ALvGa/kSVABcG/KvnpbEM037EdxMc7HHTz58EJkxgsZykiP1fINu +M5uQSMQERG+jt3lBPVPwdqijDxrZQU0znK7OZpAXvTv2HZ5nlfIQTR8+oBrOqfuY +ws/QKvZAHHtpKwhwxG+MZk2UeIx6LQ7qfKiQABDndSVI+Yb0xu0wmCzNTGIqhno1 +jtvdkxMCmkr8Bfw2O0nAVXTzZj0Z/A83p/J2fbJDvIiavL6di5cT4DVxnCyMvCDj +Uxde8QIDAQABo1AwTjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH +AwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQKiZ8pw0j960mchJO5YfL/dzuxjzALBgkq +hkiG9w0BAQsDggEBAJx2mcG2uBHvwpgMW1Q5p7aTgfGI0mKqGfX7K3yo/ty8oBtV +4RU6EpoT3LVbstf7njem9+YUeSWaiHvaXSTJPJI7jj1t7rCFlWKh0jck9p8+kyOa +JCkv1S/gxts/wphIXJb0GoI/cGDfB6fuIYkWxhIaI1si3qH3nsnxSR4VZ+hJ1LcO +b+KsRfN06CJUf5w/aXv+t+yLTW4F902toDTmp9Bmw/QgPKNfkKAq4SjrDeN/6B+b +XolI/3e+INBnsOlIpKySTxTOcQ+JSRdEgtnDvM9/GKwrlUvkdKInK8mwSoX/7Lzq +X53g37fn6V13axDOgMrfR4V1ll9g6ZgmFzCaWDg= +-----END CERTIFICATE----- diff --git a/cpan/Net-SSLeay/t/data/revoked-cert.certchain.der b/cpan/Net-SSLeay/t/data/revoked-cert.certchain.der new file mode 100644 index 000000000000..d703bab72ff1 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/revoked-cert.certchain.der differ 
diff --git a/cpan/Net-SSLeay/t/data/revoked-cert.certchain.enc.p12 b/cpan/Net-SSLeay/t/data/revoked-cert.certchain.enc.p12 new file mode 100644 index 000000000000..a2ff03e8f568 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/revoked-cert.certchain.enc.p12 differ diff --git a/cpan/Net-SSLeay/t/data/revoked-cert.certchain.p12 b/cpan/Net-SSLeay/t/data/revoked-cert.certchain.p12 new file mode 100644 index 000000000000..07ee5eaf97d7 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/revoked-cert.certchain.p12 differ diff --git a/cpan/Net-SSLeay/t/data/revoked-cert.certchain.pem b/cpan/Net-SSLeay/t/data/revoked-cert.certchain.pem new file mode 100644 index 000000000000..bad4b7c6c0ab --- /dev/null +++ b/cpan/Net-SSLeay/t/data/revoked-cert.certchain.pem 
@@ -0,0 +1,61 @@ +-----BEGIN CERTIFICATE----- +MIIDeTCCAmOgAwIBAgIBBTALBgkqhkiG9w0BAQswUTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxGDAWBgNVBAMM +D0ludGVybWVkaWF0ZSBDQTAeFw0yMDAxMDEwMDAwMDBaFw0zODAxMDEwMDAwMDBa +MGExCzAJBgNVBAYTAlBMMRMwEQYDVQQKDApOZXQtU1NMZWF5MRMwEQYDVQQLDApU +ZXN0IFN1aXRlMSgwJgYDVQQDDB9yZXZva2VkLWNlcnQubmV0LXNzbGVheS5leGFt +cGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAydkDWdvnw6Yglwzp +H6caBO1lSHc+yHt301porX24RBXZ6WqwRlA67TXdWGc8QlzrJpH/9W5rS+k+gtvO +U5/r5kMoFcW0ALvGa/kSVABcG/KvnpbEM037EdxMc7HHTz58EJkxgsZykiP1fINu +M5uQSMQERG+jt3lBPVPwdqijDxrZQU0znK7OZpAXvTv2HZ5nlfIQTR8+oBrOqfuY +ws/QKvZAHHtpKwhwxG+MZk2UeIx6LQ7qfKiQABDndSVI+Yb0xu0wmCzNTGIqhno1 +jtvdkxMCmkr8Bfw2O0nAVXTzZj0Z/A83p/J2fbJDvIiavL6di5cT4DVxnCyMvCDj +Uxde8QIDAQABo1AwTjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH +AwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQKiZ8pw0j960mchJO5YfL/dzuxjzALBgkq +hkiG9w0BAQsDggEBAJx2mcG2uBHvwpgMW1Q5p7aTgfGI0mKqGfX7K3yo/ty8oBtV +4RU6EpoT3LVbstf7njem9+YUeSWaiHvaXSTJPJI7jj1t7rCFlWKh0jck9p8+kyOa +JCkv1S/gxts/wphIXJb0GoI/cGDfB6fuIYkWxhIaI1si3qH3nsnxSR4VZ+hJ1LcO +b+KsRfN06CJUf5w/aXv+t+yLTW4F902toDTmp9Bmw/QgPKNfkKAq4SjrDeN/6B+b +XolI/3e+INBnsOlIpKySTxTOcQ+JSRdEgtnDvM9/GKwrlUvkdKInK8mwSoX/7Lzq +X53g37fn6V13axDOgMrfR4V1ll9g6ZgmFzCaWDg= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDUzCCAj2gAwIBAgIBAjALBgkqhkiG9w0BAQswSTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxEDAOBgNVBAMM +B1Jvb3QgQ0EwHhcNMjAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjBRMQswCQYD +VQQGEwJQTDETMBEGA1UECgwKTmV0LVNTTGVheTETMBEGA1UECwwKVGVzdCBTdWl0 +ZTEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEArbBQg+3l/SUFGDENvpvTPnp942njbsrkcfpmpfLQPn9GsMll +GYQvG7YqN2NV44rEGlFTRkhDYVhni1MNoe3VnGRzNknSoCmvhjqiG8ojZTIzj3/a +OIYNiJ7RPei8cqgT9WUjtcsnHLQq2tPIy1Mm8bE9BazNeFHCE9/B8u8y04Ks2+nu +sxMrhpFA89eHNTs3Xt6K7jpx/FJxpYAQkkfkLvADJ//AnFF4utQfqP7QKHGE4V4U +0+6XGMCZ/9VBIy9sn8Vj0vY80jHgug4hZPpgc2NWSprfI6prbWhC8l/qLGR8hgeo 
+FU5rVR9KE7LR3FnA6gekv4A66SdqF694abnvXQIDAQABo0IwQDAOBgNVHQ8BAf8E +BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU1dNN5Fm5XHX22XLzm9z7 +7oAmkW8wCwYJKoZIhvcNAQELA4IBAQB+oK8jmUKMZ7YItcCAnoFvcY4pLgGPcnAT +h30Rc0uUUUcVB66J6+YRHFVWA1X/AgyWI9Jxq/Qy50hGye2fdZmxBa3j5nbZlwAU +2JylwYigjhNHD3CUxYFInxKSaQKKnzLsjazn8pjLUvJLdPuO42l4RVYRJlfW/TZX +vc4Qoql1xN46C4eNjewzW76BzqyykGjAR02JhImclaciZ+oOz04jp1bvMwfYwcdO +7UBROGqUuamfS6URU5rpMkj6Z/2Z0TtneO9nIhTN0P8dxxDTxoKDDko5KOOzXrAO +nDCAamxvxhlxLcFbog3rTGaSvY0JO6T96lepvnOuaYEuRx9oyj37 +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDSzCCAjWgAwIBAgIBATALBgkqhkiG9w0BAQswSTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxEDAOBgNVBAMM +B1Jvb3QgQ0EwHhcNMjAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjBJMQswCQYD +VQQGEwJQTDETMBEGA1UECgwKTmV0LVNTTGVheTETMBEGA1UECwwKVGVzdCBTdWl0 +ZTEQMA4GA1UEAwwHUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAKSF8tIItlPf3KpLzUgI6JVW/d/+LZP1zYedrDFFXjvZu+4uFxE5zp4vczbX +k+jhF0TZk292eStA9kVMDePVMcGwjNF3Up99yYisFe/h4ovt/w3Op9b7KS9xy5Vh +fUNqxphHIUS4/S9+7o9DUjqNP94EszDzFu8R3V7QXdDE9pSn4UZMVDTozpeu+rLo ++FOkd7NQIJMSKOdCv1HOhcFuuj+4FkLlo8k5bDgEVH68xTOL92Q4sLwubHEWl/Hf +1IA8POwoOVLtuLj4GyIrbqM/Yj779kmRX+LtjsJ1kAmLhsh4T/XhTaOyqz/d253v +OE6hM6pM0KsuFLpdPDJynpSHoQcCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8G +A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLzOh106FMJ8u/MANb7SZ5Z+swVrMAsG +CSqGSIb3DQEBCwOCAQEAXU6HGU8ThUuJz+KCSNYaO3HxxFrNH2pFWwrTjt2tdBLk +uDvicaquwUzq6zetEys7v70WOCprGB6uARiet1vU7dg7cmrd7eWibMDNoKdcPNML +oZLO29WL+hvGTx/UD0o0j7l+ab2XB83q73mNRlqRBXZkkykaqWt9qy+LTvI7QYbc +ZoONmVE1wbq5c3R9L2aa27uJsfLPAErjr3mpnNtFhJfULv+hpmXHVukhra+VUkyp +jTiY83ad8ZHfCIxfZ+MUCcWNGj7G4Rkfd27MB7fDEQlisaSk8B17FK7oIqO/NN4E +w1SHQ5TRZSmbOTGIfZtS0KaTaZdZtBNee5BEzQz1sA== +-----END CERTIFICATE----- 
diff --git a/cpan/Net-SSLeay/t/data/revoked-cert.csr.der b/cpan/Net-SSLeay/t/data/revoked-cert.csr.der new file mode 100644 index 000000000000..f2f311c0242a Binary files /dev/null and b/cpan/Net-SSLeay/t/data/revoked-cert.csr.der differ diff --git a/cpan/Net-SSLeay/t/data/revoked-cert.csr.pem b/cpan/Net-SSLeay/t/data/revoked-cert.csr.pem new file mode 100644 index 000000000000..0f963688f84c --- /dev/null +++ b/cpan/Net-SSLeay/t/data/revoked-cert.csr.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICpDCCAY4CAQAwYTELMAkGA1UEBhMCUEwxEzARBgNVBAoMCk5ldC1TU0xlYXkx +EzARBgNVBAsMClRlc3QgU3VpdGUxKDAmBgNVBAMMH3Jldm9rZWQtY2VydC5uZXQt +c3NsZWF5LmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJ +2QNZ2+fDpiCXDOkfpxoE7WVIdz7Ie3fTWmitfbhEFdnparBGUDrtNd1YZzxCXOsm +kf/1bmtL6T6C285Tn+vmQygVxbQAu8Zr+RJUAFwb8q+elsQzTfsR3ExzscdPPnwQ +mTGCxnKSI/V8g24zm5BIxAREb6O3eUE9U/B2qKMPGtlBTTOcrs5mkBe9O/YdnmeV +8hBNHz6gGs6p+5jCz9Aq9kAce2krCHDEb4xmTZR4jHotDup8qJAAEOd1JUj5hvTG +7TCYLM1MYiqGejWO292TEwKaSvwF/DY7ScBVdPNmPRn8Dzen8nZ9skO8iJq8vp2L +lxPgNXGcLIy8IONTF17xAgMBAAGgADALBgkqhkiG9w0BAQsDggEBAIEpslRDjRZ4 +S7O6rJePZ4gvJ4CR0AbYEj5keNYgKS3ykYIcO0tSquimlKIdZuEwfSKiLZ19Pycu ++SPExOxof2kOcmy2X2/C1oxgdo4Mr9HQlrAQSZ+LZqJcG3M6ogDVVsV/MJkf+2+f +NI/h5qrH2ErUC/W4akx4Cl6yPQ0OSekuCp1alKkAb33zo1Y6gRvCZIpAb9JFHl5L +sYNgF70Wv3Qj47ZorPWNZpasH+BJVdIcBhjM+yVcJ8GkLs2KFlIYcMZIIOWU/SkV +h6gzRMyM2ZpIqk0HO6ZuAmM1FEORhJU9JNkkrqO90GZGbwYSPoWf+F5v2aYnD9ru +yLF3Fkv5/RA= +-----END CERTIFICATE REQUEST----- diff --git a/cpan/Net-SSLeay/t/data/revoked-cert.enc.p12 b/cpan/Net-SSLeay/t/data/revoked-cert.enc.p12 new file mode 100644 index 000000000000..80c0fa2ba4c6 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/revoked-cert.enc.p12 differ diff --git a/cpan/Net-SSLeay/t/data/revoked-cert.key.der b/cpan/Net-SSLeay/t/data/revoked-cert.key.der new file mode 100644 index 000000000000..3981d0a51a81 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/revoked-cert.key.der differ 
diff --git a/cpan/Net-SSLeay/t/data/revoked-cert.key.enc.der b/cpan/Net-SSLeay/t/data/revoked-cert.key.enc.der new file mode 100644 index 000000000000..3981d0a51a81 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/revoked-cert.key.enc.der differ diff --git a/cpan/Net-SSLeay/t/data/revoked-cert.key.enc.pem b/cpan/Net-SSLeay/t/data/revoked-cert.key.enc.pem new file mode 100644 index 000000000000..9fbd1d045916 --- /dev/null +++ b/cpan/Net-SSLeay/t/data/revoked-cert.key.enc.pem 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,3355D51E49FF08E889DFE1B5BECA5629 + +HBOo4GUGlhClMpKJCn7mKKZizPe2o8+/d7SrgRTtyL1x3XUQXWKRUXbB7nuvEzte +sJ/wSojvuhIjpM+GEi1xK9Grwpf2F0QcBHpAjXXlt9MKZioT//RVxmyv/AgOZ/WC +EIs8/BD+rvZuQUHErbmeV8n/Gc9XJaj16M5w5ZN3LKHdjES9kLPiv3ZnyfheBp2S +vPnL18Sbzs8g8WNvHTcQXT6v4O0awf/j9PRELB787QXkZmED7QpS98xbZaCf4osQ +v0G2I7Mer5KxX6XZWW2ZfLHaPNfv0AIaaDlJqWSb03REpocsvbscQC4ZbCEynF4m +9qkW6tzAd37jtYllXmCQ/RdleRm3V88ybhHYF3hBlxa0N3ye4CoNpgPQH5u6psKh +6GDUkL2Us6ek/pmAs2EYXVnQulISyS4bva6eBeD+g7OMUtAWtxEcdJwfDMZkfTBd +6nfkiQkcTRpzBBl9PnFVkJYX+TH2QpPQo+cI8EZ5nVwvkSagRVgVnXSBZC/i3vm1 +929ZY8rtlhYp3ALM4FmnnE7hovI00NJHG+yuSM6IxsBWMO8DvbqXGLp9mpcVheqv +566j1lg4+3oCoJEI2QZhAaUZcpw6FVA/SPebPoOLmwtaVTm727akaOoUtz96HJMR +tiTJsCifUkOFNr9d9HXKuMMMynBDDdmvO740V0JEstcY5S0OGwDf4GBo0ofFOzSL +I6rOhjiz+UvC25dkF5dmXsAQCtR9a/q2TDY73Q9Yasl/RpnfbLgjeik0qLlqfnvO +xIphTx1KiFw/z5PMZbK168Bv04yaYb/z5NVaVqrpuER1FC252zLg43pGFcN7NR7p +Dr1G8VdK7IXjADg+dY5o+x080PravPe4Bek54z6HYnHyEGTOhWeD/0ZrHwqz7ykW +N5VzO0s7Wgt5B7rR13/KoHSHSXwyW3xZ/Yuyw/vJo6fThbE/G4+9gsGmV4sDWAyh +0j56oWAFnDSaOWYSf6Ctx4NuruUa7/gqcP0yO59Xxy3NQm0J5bluSuYeyDhPJNCu +vKfU4CF8ubfm8EY+EgRDiFxMg4EqKif2S94Cgs5msff1x2VPbcTMHv/2zXBChXYv +h+hQ3+Lo46c8EM7HqtiaPSxbhMv+Y8N4ok5S5Z+P12+ph0nZ77ZN4xW2BoqW9ggg +SHwsU09CuA1mFKh3YCyjfk+nC+7GVk1z6RsNp4TveZtQdI6cmnCxmfflwHx2EkM0 +o6g4SIbzK8yKpcd4Ae/TWnmqx6xhEFBmuPbzMQEjWQmjwc/dMDrRvbNjBreEUfv5 +NSpJaNQEWbFUZtt7Rd4dIFrEaosR0IdsXXfXuuwxaqHrCeKMRJx5LwhKw3Gi0eqV +G/XbxO3dTBTCfcqbAx5HcmpEqlaLIrbkLCmPbyHMF++ZUx0c4R0641peUTtB4uUx +fV9qXxhyCeKQehUEytdXaBsucWMdJAWE5xXQDvv5PzC/bhDgTzePAYttDNNRp3tZ +QuWTKNH/5cnqi4p+s0uk4ViHmobqv3NQhPPLBeyzqiYnDBoGSnxjDywlFRh8E7iD +DzEIjFiIlgkU51cM6vaEmxAcQmiumtOYtlEc/bU0UP7SFPCGCRbrOLGhyNZLVzO1 +-----END RSA PRIVATE KEY----- diff --git a/cpan/Net-SSLeay/t/data/revoked-cert.key.pem b/cpan/Net-SSLeay/t/data/revoked-cert.key.pem new file mode 100644 index 000000000000..417cd3d54991 --- /dev/null 
+++ b/cpan/Net-SSLeay/t/data/revoked-cert.key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAydkDWdvnw6YglwzpH6caBO1lSHc+yHt301porX24RBXZ6Wqw +RlA67TXdWGc8QlzrJpH/9W5rS+k+gtvOU5/r5kMoFcW0ALvGa/kSVABcG/KvnpbE +M037EdxMc7HHTz58EJkxgsZykiP1fINuM5uQSMQERG+jt3lBPVPwdqijDxrZQU0z +nK7OZpAXvTv2HZ5nlfIQTR8+oBrOqfuYws/QKvZAHHtpKwhwxG+MZk2UeIx6LQ7q +fKiQABDndSVI+Yb0xu0wmCzNTGIqhno1jtvdkxMCmkr8Bfw2O0nAVXTzZj0Z/A83 +p/J2fbJDvIiavL6di5cT4DVxnCyMvCDjUxde8QIDAQABAoIBAADpIu7r60NWh5s8 +3HynQqqa5lgFyzWI+pL8W4BsYrliapq3L7NKg4CMW5q9cP/45rn0Ys3w/QiRNWYu +XxOBI0WlQAwcma2+6yPTsmuo+oFpBnYyBpG3cGp9xqXHO5+pt9I0mbzF/9B1W3M/ +zc6LbTLJ2R3Urd27HSJtY3Zql30/AwXNrznPvb9+sxKtOKWMSRVYHXCTiMW+GNRE +2GLnx5iZxyrpepGrQlGwBda45l1eLiqa/oHD4b9GIjcO5QU1AILqwY0JYFbXHRyb +9/HQfdme5f/BYcI5QYBp0Kd8qfF4Amhb43FdRrYDhNggfAaFLsXLhFfodd/8fEyx +qxN2WCECgYEA1of3g0NDLuHcwkAjXO23uPtUFyTe46phquHfi/8wYreg0h/FX5Wj +jf9Ifafm3JY7+NR+cEqNF6vqJgWIr0XsBiMcPKDH9eHNX3TOcA8H7Rw2UyjNb1zf +Wy638W4IrwQTnJGqq2km2qOi/V241kVdV8rWWkBS81igeRhqfi5nL5ECgYEA8N1o +7VYKOb9LU91EeSL5IOH69gP3HIvi9a/TMKOpYflsCEGFn9Si9jAotlSR0t7CG+ke +Xih2sNkm0bg+AAvJfsEFahu2HaCf+040vABX1ANIJ5lrWxySyQvBGNQ1Z5pssdrn +c7sB3wX2EuSBm3Iq2oYduwrQ4OaK6MpSU3+OSWECgYEA0M5OTuis/3i/EiKzSMPn +yph1ZIFyoE05+sUWfIDJa4wnb92UklBnfNI4kHVX8uQXQz4wQsONSLj/kjpYq6B2 +9hI+bZRgjCZXas2aEN/QayzGg3J3YikXDP0P9GGQ+igRnpb5cxVJyAz1m34ZZhTl +oYm/0OBC3LAqoTLulBo+PMECgYEA07Z51Stsf4fCaWuzFRsFib64PWgM292lV7j9 +U+J3LvPy3mrhTjS0LNr13hYFuykryyakF7VPZnDo6ywb6yRxLuXwoWzMLcyS8myy +c5GFoYhk8tGqiIJcDzUyvGVCr9cPtWEpUhNNOMBfpAmQVpcKTdvW5CJEqXpbHPVB +Wb1jzuECgYBoHgu/B8mO0AQ7yr/r8d2ssH2WYcL0QFnpkR9kpDVfi48gZmYqqa5s +AsQU4Zr/uFel+Es+rrYJ3Prgl6EC0x9MVi4KyiHZmHG57/sRkCduW9FbPLyKkeLb +F7RfOWvl/D5+wW9jc2AwnZU8AsweQkICCh7hOffyV0t0ProGLAdNMw== +-----END RSA PRIVATE KEY----- diff --git a/cpan/Net-SSLeay/t/data/revoked-cert.p12 b/cpan/Net-SSLeay/t/data/revoked-cert.p12 new file mode 100644 index 000000000000..7cee3dab8768 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/revoked-cert.p12 differ 
diff --git a/cpan/Net-SSLeay/t/data/root-ca.cert.der b/cpan/Net-SSLeay/t/data/root-ca.cert.der new file mode 100644 index 000000000000..7b4ee9ea0370 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/root-ca.cert.der differ diff --git a/cpan/Net-SSLeay/t/data/root-ca.cert.dump b/cpan/Net-SSLeay/t/data/root-ca.cert.dump new file mode 100644 index 000000000000..a062f1d51fb0 --- /dev/null +++ b/cpan/Net-SSLeay/t/data/root-ca.cert.dump 
@@ -0,0 +1,144 @@ + +# exported via command: perl examples/x509_cert_details.pl -dump -pem t/data/root-ca.cert.pem > t/data/root-ca.cert.pem_dump +# hashref dumped via Data::Dump +{ + cdp => [], + certificate_type => 305, + digest_sha1 => { + pubkey => pack("H*","bcce875d3a14c27cbbf30035bed267967eb3056b"), + x509 => pack("H*","7a0a5ed28550577415e83e97373181a9708cad0d"), + }, + extensions => { + count => 3, + entries => [ + { + critical => 1, + data => "Certificate Sign, CRL Sign", + ln => "X509v3 Key Usage", + nid => 83, + oid => "2.5.29.15", + sn => "keyUsage", + }, + { + critical => 1, + data => "CA:TRUE", + ln => "X509v3 Basic Constraints", + nid => 87, + oid => "2.5.29.19", + sn => "basicConstraints", + }, + { + critical => 0, + data => "BC:CE:87:5D:3A:14:C2:7C:BB:F3:00:35:BE:D2:67:96:7E:B3:05:6B", + ln => "X509v3 Subject Key Identifier", + nid => 82, + oid => "2.5.29.14", + sn => "subjectKeyIdentifier", + }, + ], + }, + extkeyusage => { ln => [], nid => [], oid => [], sn => [] }, + fingerprint => { + md5 => "41:F8:1A:EE:19:3D:28:70:79:BA:6E:07:AA:9D:74:27", + sha1 => "7A:0A:5E:D2:85:50:57:74:15:E8:3E:97:37:31:81:A9:70:8C:AD:0D", + }, + hash => { + issuer => { dec => 3235285478, hex => "C0D689E6" }, + issuer_and_serial => { dec => 960827716, hex => 39451144 }, + subject => { dec => 3235285478, hex => "C0D689E6" }, + }, + issuer => { + count => 4, + entries => [ + { + data => "PL", + data_utf8_decoded => "PL", + ln => "countryName", + nid => 14, + oid => "2.5.4.6", + sn => "C", + }, + { + data => "Net-SSLeay", + data_utf8_decoded => "Net-SSLeay", + ln => "organizationName", + nid => 17, + oid => "2.5.4.10", + sn => "O", + }, + { + data => "Test Suite", + data_utf8_decoded => "Test Suite", + ln => "organizationalUnitName", + nid => 18, + oid => "2.5.4.11", + sn => "OU", + }, + { + data => "Root CA", + data_utf8_decoded => "Root CA", + ln => "commonName", + nid => 13, + oid => "2.5.4.3", + sn => "CN", + }, + ], + oneline => "/C=PL/O=Net-SSLeay/OU=Test 
Suite/CN=Root CA", + print_rfc2253 => "CN=Root CA,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8 => "CN=Root CA,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8_decoded => "CN=Root CA,OU=Test Suite,O=Net-SSLeay,C=PL", + }, + keyusage => ["keyCertSign", "cRLSign"], + not_after => "2038-01-01T00:00:00Z", + not_before => "2020-01-01T00:00:00Z", + ns_cert_type => [], + pubkey_alg => "rsaEncryption", + pubkey_bits => 2048, + pubkey_id => 6, + pubkey_size => 256, + serial => { dec => 1, hex => "01", long => 1 }, + signature_alg => "sha256WithRSAEncryption", + subject => { + altnames => [], + count => 4, + entries => [ + { + data => "PL", + data_utf8_decoded => "PL", + ln => "countryName", + nid => 14, + oid => "2.5.4.6", + sn => "C", + }, + { + data => "Net-SSLeay", + data_utf8_decoded => "Net-SSLeay", + ln => "organizationName", + nid => 17, + oid => "2.5.4.10", + sn => "O", + }, + { + data => "Test Suite", + data_utf8_decoded => "Test Suite", + ln => "organizationalUnitName", + nid => 18, + oid => "2.5.4.11", + sn => "OU", + }, + { + data => "Root CA", + data_utf8_decoded => "Root CA", + ln => "commonName", + nid => 13, + oid => "2.5.4.3", + sn => "CN", + }, + ], + oneline => "/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Root CA", + print_rfc2253 => "CN=Root CA,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8 => "CN=Root CA,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8_decoded => "CN=Root CA,OU=Test Suite,O=Net-SSLeay,C=PL", + }, + version => 2, +} diff --git a/cpan/Net-SSLeay/t/data/root-ca.cert.pem b/cpan/Net-SSLeay/t/data/root-ca.cert.pem new file mode 100644 index 000000000000..ab481e2346ce --- /dev/null +++ b/cpan/Net-SSLeay/t/data/root-ca.cert.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSzCCAjWgAwIBAgIBATALBgkqhkiG9w0BAQswSTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxEDAOBgNVBAMM +B1Jvb3QgQ0EwHhcNMjAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjBJMQswCQYD +VQQGEwJQTDETMBEGA1UECgwKTmV0LVNTTGVheTETMBEGA1UECwwKVGVzdCBTdWl0 +ZTEQMA4GA1UEAwwHUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAKSF8tIItlPf3KpLzUgI6JVW/d/+LZP1zYedrDFFXjvZu+4uFxE5zp4vczbX +k+jhF0TZk292eStA9kVMDePVMcGwjNF3Up99yYisFe/h4ovt/w3Op9b7KS9xy5Vh +fUNqxphHIUS4/S9+7o9DUjqNP94EszDzFu8R3V7QXdDE9pSn4UZMVDTozpeu+rLo ++FOkd7NQIJMSKOdCv1HOhcFuuj+4FkLlo8k5bDgEVH68xTOL92Q4sLwubHEWl/Hf +1IA8POwoOVLtuLj4GyIrbqM/Yj779kmRX+LtjsJ1kAmLhsh4T/XhTaOyqz/d253v +OE6hM6pM0KsuFLpdPDJynpSHoQcCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8G +A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLzOh106FMJ8u/MANb7SZ5Z+swVrMAsG +CSqGSIb3DQEBCwOCAQEAXU6HGU8ThUuJz+KCSNYaO3HxxFrNH2pFWwrTjt2tdBLk +uDvicaquwUzq6zetEys7v70WOCprGB6uARiet1vU7dg7cmrd7eWibMDNoKdcPNML +oZLO29WL+hvGTx/UD0o0j7l+ab2XB83q73mNRlqRBXZkkykaqWt9qy+LTvI7QYbc +ZoONmVE1wbq5c3R9L2aa27uJsfLPAErjr3mpnNtFhJfULv+hpmXHVukhra+VUkyp +jTiY83ad8ZHfCIxfZ+MUCcWNGj7G4Rkfd27MB7fDEQlisaSk8B17FK7oIqO/NN4E +w1SHQ5TRZSmbOTGIfZtS0KaTaZdZtBNee5BEzQz1sA== +-----END CERTIFICATE----- diff --git a/cpan/Net-SSLeay/t/data/root-ca.certchain.der b/cpan/Net-SSLeay/t/data/root-ca.certchain.der new file mode 100644 index 000000000000..7b4ee9ea0370 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/root-ca.certchain.der differ diff --git a/cpan/Net-SSLeay/t/data/root-ca.certchain.enc.p12 b/cpan/Net-SSLeay/t/data/root-ca.certchain.enc.p12 new file mode 100644 index 000000000000..06931769ff53 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/root-ca.certchain.enc.p12 differ diff --git a/cpan/Net-SSLeay/t/data/root-ca.certchain.p12 b/cpan/Net-SSLeay/t/data/root-ca.certchain.p12 new file mode 100644 index 000000000000..a30dd0f9f9b8 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/root-ca.certchain.p12 differ 
diff --git a/cpan/Net-SSLeay/t/data/root-ca.certchain.pem b/cpan/Net-SSLeay/t/data/root-ca.certchain.pem new file mode 100644 index 000000000000..ab481e2346ce --- /dev/null +++ b/cpan/Net-SSLeay/t/data/root-ca.certchain.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSzCCAjWgAwIBAgIBATALBgkqhkiG9w0BAQswSTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxEDAOBgNVBAMM +B1Jvb3QgQ0EwHhcNMjAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjBJMQswCQYD +VQQGEwJQTDETMBEGA1UECgwKTmV0LVNTTGVheTETMBEGA1UECwwKVGVzdCBTdWl0 +ZTEQMA4GA1UEAwwHUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAKSF8tIItlPf3KpLzUgI6JVW/d/+LZP1zYedrDFFXjvZu+4uFxE5zp4vczbX +k+jhF0TZk292eStA9kVMDePVMcGwjNF3Up99yYisFe/h4ovt/w3Op9b7KS9xy5Vh +fUNqxphHIUS4/S9+7o9DUjqNP94EszDzFu8R3V7QXdDE9pSn4UZMVDTozpeu+rLo ++FOkd7NQIJMSKOdCv1HOhcFuuj+4FkLlo8k5bDgEVH68xTOL92Q4sLwubHEWl/Hf +1IA8POwoOVLtuLj4GyIrbqM/Yj779kmRX+LtjsJ1kAmLhsh4T/XhTaOyqz/d253v +OE6hM6pM0KsuFLpdPDJynpSHoQcCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8G +A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLzOh106FMJ8u/MANb7SZ5Z+swVrMAsG +CSqGSIb3DQEBCwOCAQEAXU6HGU8ThUuJz+KCSNYaO3HxxFrNH2pFWwrTjt2tdBLk +uDvicaquwUzq6zetEys7v70WOCprGB6uARiet1vU7dg7cmrd7eWibMDNoKdcPNML +oZLO29WL+hvGTx/UD0o0j7l+ab2XB83q73mNRlqRBXZkkykaqWt9qy+LTvI7QYbc +ZoONmVE1wbq5c3R9L2aa27uJsfLPAErjr3mpnNtFhJfULv+hpmXHVukhra+VUkyp +jTiY83ad8ZHfCIxfZ+MUCcWNGj7G4Rkfd27MB7fDEQlisaSk8B17FK7oIqO/NN4E +w1SHQ5TRZSmbOTGIfZtS0KaTaZdZtBNee5BEzQz1sA== +-----END CERTIFICATE----- diff --git a/cpan/Net-SSLeay/t/data/root-ca.csr.der b/cpan/Net-SSLeay/t/data/root-ca.csr.der new file mode 100644 index 000000000000..a32d3ccc3997 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/root-ca.csr.der differ diff --git a/cpan/Net-SSLeay/t/data/root-ca.csr.pem b/cpan/Net-SSLeay/t/data/root-ca.csr.pem new file mode 100644 index 000000000000..8d165e2ac9d6 --- /dev/null +++ b/cpan/Net-SSLeay/t/data/root-ca.csr.pem 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICjDCCAXYCAQAwSTELMAkGA1UEBhMCUEwxEzARBgNVBAoMCk5ldC1TU0xlYXkx +EzARBgNVBAsMClRlc3QgU3VpdGUxEDAOBgNVBAMMB1Jvb3QgQ0EwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCkhfLSCLZT39yqS81ICOiVVv3f/i2T9c2H +nawxRV472bvuLhcROc6eL3M215Po4RdE2ZNvdnkrQPZFTA3j1THBsIzRd1KffcmI +rBXv4eKL7f8NzqfW+ykvccuVYX1DasaYRyFEuP0vfu6PQ1I6jT/eBLMw8xbvEd1e +0F3QxPaUp+FGTFQ06M6Xrvqy6PhTpHezUCCTEijnQr9RzoXBbro/uBZC5aPJOWw4 +BFR+vMUzi/dkOLC8LmxxFpfx39SAPDzsKDlS7bi4+BsiK26jP2I++/ZJkV/i7Y7C +dZAJi4bIeE/14U2jsqs/3dud7zhOoTOqTNCrLhS6XTwycp6Uh6EHAgMBAAGgADAL +BgkqhkiG9w0BAQsDggEBAGinCBxBYGfimynq9S/EvRpLARaM6HabwX9YT2AYQj3U +cfkXSkPpB6Bn4o5Q435hMoDzaG79vqdMaoVNt4Ht1W5UAOhxQ/g0DOglmarEXjTX +ent/egpzQ8QiDHctUWZ7olwy7pfWFQuULGwt3jGTQbL6ZJDiwmsE6XRrgxh81Q9u +TECwkEtFNS3+zzPxtmmj5T3rOFF06rFGs/KWX55zz40NnL9FghzAXuZH6tFGiUUR +QeginY8G6q+ymu9SPmF3TNtSd/mvcclXXgOR70jBNDLunm8ZJl2/JHA51kFVvch9 +nM31imT1fCoN/dHAqmdoi2Wps1CheQX3WNBi9wdIWE0= +-----END CERTIFICATE REQUEST----- diff --git a/cpan/Net-SSLeay/t/data/root-ca.enc.p12 b/cpan/Net-SSLeay/t/data/root-ca.enc.p12 new file mode 100644 index 000000000000..cb9abc542d14 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/root-ca.enc.p12 differ diff --git a/cpan/Net-SSLeay/t/data/root-ca.key.der b/cpan/Net-SSLeay/t/data/root-ca.key.der new file mode 100644 index 000000000000..916ea92701d0 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/root-ca.key.der differ diff --git a/cpan/Net-SSLeay/t/data/root-ca.key.enc.der b/cpan/Net-SSLeay/t/data/root-ca.key.enc.der new file mode 100644 index 000000000000..916ea92701d0 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/root-ca.key.enc.der differ diff --git a/cpan/Net-SSLeay/t/data/root-ca.key.enc.pem b/cpan/Net-SSLeay/t/data/root-ca.key.enc.pem new file mode 100644 index 000000000000..d4ae051d27d3 --- /dev/null +++ b/cpan/Net-SSLeay/t/data/root-ca.key.enc.pem 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,97C9A548C873A5BEA3525B33A2CF16BC + ++ETo6l9x7msMBh7MnRPcUgZxRly1t5G9pjaSxrgSpXJhKWH9qvY6cYYFmHuIOaiW +piudIcb9dCyJHnZ7XI0NbFvLYAPQjVfC1FY/iesDZp+f5bHjpg7GIuySJ61bMxMM +fb+EGqZGko2GetPTkyTVRuG/wcXDIbMeHu54XWUA+x84bzJIKYYbWS6bpXP+FzIV +96r8bnqysBNcWmPzRv9Si+q11XkmD80ayuGcITJg/h+d8VAjwJrmFSQY7y5WazF8 +qU8Hq2gkxBnJF5B/vgKisJEieeiYESUOeIT+1QJ3Iu82Mh9BdILI60aUpxzi50i9 +DYWWaQ/5euOVhFKazGFhIdUZowECSLIHrScse/6HA4leTcWUMdXrNkjhuARhvgUD +cvRmoXT94GnwUbynqR+DVXNvwJMN7dnyJ1r6HqjyqUyBJa6m4miwsYFD47QE7O8p +c1jj9kQuG5jDo+4g6cPcqfBCeXjFGRotwyCprXXVj2S6PtR+h4lxcLgiep5K6xu9 +YLbwa45rjOImXFkKKTa7Y5uaZwq0U5OLHd/GaFpnrtui6n3xxkWLB1G1Lh2huIRD +Ifv5Rpo6hGKRuM3ZBKzLoo6hQavHQ79UviuIClaf27gTV5MgAucfahqnLmrqUkHH +IbUDTqNpPxvZwak65UHXdY6dhwgITlh55VewfaN3/eyxWNEJFLz2d8deyE0IXRfI +nHRRj8CWpWxtkbMz1SSSF+0fYWFce5Ttk3MTTGSKaCdqifuaJxr53p96w2R936iD +fPDhIMizmesLqTtCbfxBY70rstAwlhySZWABiScEMKm//S+M/r3usm/0Vhy8x4kD +HFAyGEnG1pt44BWOV6GO1nIKEC9LKS4LBBJVo9DdfU1O4ERmvuXZety6tfF1cjj6 ++uvnaaz+zlwxYQY6rbUHobu59/5i4tFMlX8kU7uPzZH2xX/lzw2f+zhWGZNtp2kD +2Z3XpenjRGSRPtcx4oZBmOroYlFQcFKHG6PkYn5fcaWcqHPh07oKCBX8lBskw2qj +A+1ON7UfMagB/yWGU6X7MNfBRiQZC2lmTLRBTHMXleLF8sxYfzgv7Pe2zoi4ErX3 +yGAUokob4px2Gg9bcmrnbRsLz8U4fXTqELLPkd3arBsYO1mm5GC+pzvG8dIJ2OHz +xQV19IIeFuzIgzIRpeGDGiFuGc+8XKWP1tvyeN7Dc8WzWhrhVtnkgRgBc4i9ISuR +6y8GVM5knR9zIClTP4h90pDfBvMFg96NaY8yLNVRfaUVXLHtsq65jrcbze8hrND9 +RuErQ5x/43QXii3jsBUMFgo7USY2Tr6MtCWm995NgPuyETTPUurXKKlDeEezYX9F +yhPEjy3pBzsjFOTpwZYZ9M3zT1aRgI3MaAeztbmN6My6OxQbfe35KNoCbG+zA1/7 +a84d5NGXyjWmDN8YE75PHY4iPbMfHwmC0maY8K37KODN7MMXpkEbsGC9HDqvMNuo +JhRnhrfmFi0cMuFv/HXli4Zvbn6h/vao0qDmy0ricItZsRMYSoQUMJoFJxqTsGgn +ygUXGnqLjVz64qRODzgK+1vTBiy6VYR5VL8IzHUbs3gz89BD43W0vxo6uo9GpuqI +-----END RSA PRIVATE KEY----- diff --git a/cpan/Net-SSLeay/t/data/root-ca.key.pem b/cpan/Net-SSLeay/t/data/root-ca.key.pem new file mode 100644 index 000000000000..ea5a5c71395d --- /dev/null 
+++ b/cpan/Net-SSLeay/t/data/root-ca.key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEApIXy0gi2U9/cqkvNSAjolVb93/4tk/XNh52sMUVeO9m77i4X +ETnOni9zNteT6OEXRNmTb3Z5K0D2RUwN49UxwbCM0XdSn33JiKwV7+Hii+3/Dc6n +1vspL3HLlWF9Q2rGmEchRLj9L37uj0NSOo0/3gSzMPMW7xHdXtBd0MT2lKfhRkxU +NOjOl676suj4U6R3s1AgkxIo50K/Uc6FwW66P7gWQuWjyTlsOARUfrzFM4v3ZDiw +vC5scRaX8d/UgDw87Cg5Uu24uPgbIituoz9iPvv2SZFf4u2OwnWQCYuGyHhP9eFN +o7KrP93bne84TqEzqkzQqy4Uul08MnKelIehBwIDAQABAoIBABmcFi+2lncY5jcG +BKbdaCLy/yLSZJLfFMay9v5Wb3Q+kN/jAck3J9/8v+D+DrKV8zLO8YHMvdDLVGp2 +C8V2xr+BNXJXsh9Mi8YAD4wfK84fVm/2Rq8Supb9jjSrD74iTVaf3+BcMWEmz4iy +cIbXvOTY83G/rUa6j6x2H9xjBIUgGoh5AQbtOv1eJNhC/Dq6IKW1oxGvG8VJbdX+ ++IGoxqu/50HpjGIxxhIUTZ+EtoMERmWtALsJzAn9CdVWV+EAngkipoTHq9qZHqVE +sjHJI1J6mcE71/C92tVkSAvbhk5rvcoJk9zrIZ8JLRAqZTc5ayvm8NAUoxWEFn/+ +CRs1TrECgYEA5YpiXSE1CdANKCl1JsZ/Q3KlWiLjRNZOTAp1rAT/nY1vZk+K8URv +xDIO3amX5EthL4kUzwx5Mqd91TvyfbWkK3KTqFloxUX+bduNHR0AU0Sbra5Jz6Vi +BSheMEtE/ZwEEBuFLNCetYhT0x+BA/bmD0Ji5/UdKYX0QWwXo+cKNzcCgYEAt3zw +UGO1hwHysje/3gFflto2V8oHbmBZMEDqTBzjvgo2cYurV9jDEzE/8GtQEK5HoPk7 +FWrV9ZlWncmVh0pC+O0imLFktsOkSYdUA9hlmcjUSfc/dB67/iizGTmDGNCoY+Td +ffmPb4IX45i6+81YSR+Z/Z0/wNQ+hQFJ3/vWLLECgYEAo9aEoyiirOBdo78Dqauh +Bsl8ELw6L9YviMMmfqQKt7BORV6dM9y/UfDQ/5KfognT0pQr0CV9FJTMkjj5upS+ +G2zqzA0VZUmyc0N0k8UxiD2+SNfQQ3AuaLQJlrsDAWos1Dpwci5uOfCWtGkWM3g1 +ecrOwfYI3KyKTXAT559vgT0CgYEAnE1mnORDFy2WozAQVjpPRj6+OgxURjb24r75 +lzqo2hLzC8hRfjSdADVc5R1VB9CeHccRCI6Ikn07po+4u5WL9WZzqSS7yWBhC22n +KNtmuRi1lghzWiRwOfJLlnpCbZoZR3cHIq+6+t8UIIHTDnp+8VNlJwCT9VwXoc9W +MeHiMRECgYEA1U5nrRkdEHKrK97CZFVmeh8InvSvI9hzIiIGobF3OpqOlnpmuct3 +Ene2YtOHVclLiS4sNRzsQhKw/V7Krkk6OieyUU61DVRd6yPSFIUKcaYowI94Fj2k +IJZQVMvp3ClmDFmcxCWLq5ai2XxQ9S2Fo723kpAjp1t0wEMjHqQUwpo= +-----END RSA PRIVATE KEY----- diff --git a/cpan/Net-SSLeay/t/data/root-ca.p12 b/cpan/Net-SSLeay/t/data/root-ca.p12 new file mode 100644 index 000000000000..7c740346c690 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/root-ca.p12 differ 
diff --git a/cpan/Net-SSLeay/t/data/simple-cert.cert.der b/cpan/Net-SSLeay/t/data/simple-cert.cert.der new file mode 100644 index 000000000000..2129eb5e7d8b Binary files /dev/null and b/cpan/Net-SSLeay/t/data/simple-cert.cert.der differ diff --git a/cpan/Net-SSLeay/t/data/simple-cert.cert.dump b/cpan/Net-SSLeay/t/data/simple-cert.cert.dump new file mode 100644 index 000000000000..c6dd8f092bae --- /dev/null +++ b/cpan/Net-SSLeay/t/data/simple-cert.cert.dump 
@@ -0,0 +1,152 @@ + +# exported via command: perl examples/x509_cert_details.pl -dump -pem t/data/simple-cert.cert.pem > t/data/simple-cert.cert.pem_dump +# hashref dumped via Data::Dump +{ + cdp => [], + certificate_type => 305, + digest_sha1 => { + pubkey => pack("H*","f97df76fdbdf40e3a4b123b8a1176589fc7a5bf5"), + x509 => pack("H*","9c2e90b9a7847a3a2bbefda5d146ea3175e90326"), + }, + extensions => { + count => 3, + entries => [ + { + critical => 1, + data => "Digital Signature, Key Encipherment", + ln => "X509v3 Key Usage", + nid => 83, + oid => "2.5.29.15", + sn => "keyUsage", + }, + { + critical => 0, + data => "TLS Web Server Authentication, TLS Web Client Authentication", + ln => "X509v3 Extended Key Usage", + nid => 126, + oid => "2.5.29.37", + sn => "extendedKeyUsage", + }, + { + critical => 0, + data => "F9:7D:F7:6F:DB:DF:40:E3:A4:B1:23:B8:A1:17:65:89:FC:7A:5B:F5", + ln => "X509v3 Subject Key Identifier", + nid => 82, + oid => "2.5.29.14", + sn => "subjectKeyIdentifier", + }, + ], + }, + extkeyusage => { + ln => [ + "TLS Web Server Authentication", + "TLS Web Client Authentication", + ], + nid => [129, 130], + oid => ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"], + sn => ["serverAuth", "clientAuth"], + }, + fingerprint => { + md5 => "B0:86:83:7D:61:C9:77:F6:7B:38:64:E2:5E:DE:93:F1", + sha1 => "9C:2E:90:B9:A7:84:7A:3A:2B:BE:FD:A5:D1:46:EA:31:75:E9:03:26", + }, + hash => { + issuer => { dec => 2397076613, hex => "8EE07C85" }, + issuer_and_serial => { dec => 2508738936, hex => 95885178 }, + subject => { dec => 2371491374, hex => "8D5A162E" }, + }, + issuer => { + count => 4, + entries => [ + { + data => "PL", + data_utf8_decoded => "PL", + ln => "countryName", + nid => 14, + oid => "2.5.4.6", + sn => "C", + }, + { + data => "Net-SSLeay", + data_utf8_decoded => "Net-SSLeay", + ln => "organizationName", + nid => 17, + oid => "2.5.4.10", + sn => "O", + }, + { + data => "Test Suite", + data_utf8_decoded => "Test Suite", + ln => "organizationalUnitName", + nid => 18, 
+ oid => "2.5.4.11", + sn => "OU", + }, + { + data => "Intermediate CA", + data_utf8_decoded => "Intermediate CA", + ln => "commonName", + nid => 13, + oid => "2.5.4.3", + sn => "CN", + }, + ], + oneline => "/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Intermediate CA", + print_rfc2253 => "CN=Intermediate CA,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8 => "CN=Intermediate CA,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8_decoded => "CN=Intermediate CA,OU=Test Suite,O=Net-SSLeay,C=PL", + }, + keyusage => ["digitalSignature", "keyEncipherment"], + not_after => "2038-01-01T00:00:00Z", + not_before => "2020-01-01T00:00:00Z", + ns_cert_type => [], + pubkey_alg => "rsaEncryption", + pubkey_bits => 2048, + pubkey_id => 6, + pubkey_size => 256, + serial => { dec => 1, hex => "01", long => 1 }, + signature_alg => "sha256WithRSAEncryption", + subject => { + altnames => [], + count => 4, + entries => [ + { + data => "PL", + data_utf8_decoded => "PL", + ln => "countryName", + nid => 14, + oid => "2.5.4.6", + sn => "C", + }, + { + data => "Net-SSLeay", + data_utf8_decoded => "Net-SSLeay", + ln => "organizationName", + nid => 17, + oid => "2.5.4.10", + sn => "O", + }, + { + data => "Test Suite", + data_utf8_decoded => "Test Suite", + ln => "organizationalUnitName", + nid => 18, + oid => "2.5.4.11", + sn => "OU", + }, + { + data => "simple-cert.net-ssleay.example", + data_utf8_decoded => "simple-cert.net-ssleay.example", + ln => "commonName", + nid => 13, + oid => "2.5.4.3", + sn => "CN", + }, + ], + oneline => "/C=PL/O=Net-SSLeay/OU=Test Suite/CN=simple-cert.net-ssleay.example", + print_rfc2253 => "CN=simple-cert.net-ssleay.example,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8 => "CN=simple-cert.net-ssleay.example,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8_decoded => "CN=simple-cert.net-ssleay.example,OU=Test Suite,O=Net-SSLeay,C=PL", + }, + version => 2, +} 
diff --git a/cpan/Net-SSLeay/t/data/simple-cert.cert.pem b/cpan/Net-SSLeay/t/data/simple-cert.cert.pem new file mode 100644 index 000000000000..23dcc34df0d0 --- /dev/null +++ b/cpan/Net-SSLeay/t/data/simple-cert.cert.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDeDCCAmKgAwIBAgIBATALBgkqhkiG9w0BAQswUTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxGDAWBgNVBAMM +D0ludGVybWVkaWF0ZSBDQTAeFw0yMDAxMDEwMDAwMDBaFw0zODAxMDEwMDAwMDBa +MGAxCzAJBgNVBAYTAlBMMRMwEQYDVQQKDApOZXQtU1NMZWF5MRMwEQYDVQQLDApU +ZXN0IFN1aXRlMScwJQYDVQQDDB5zaW1wbGUtY2VydC5uZXQtc3NsZWF5LmV4YW1w +bGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDhoQB/VTScf7nkxmfS +b0xbXTb74F4ZGh9OCKsdmv7cEd0uoymSPfYV4b9ElZODDmdcxIaMlURoSpfymWjm +tarUEEnqRBcAF98uZDkSWyb6XCSgIQl5UXTq83OHOcfKz0fwxBYQkmShvsj3B2Yz +oKB0SLoL8817Bk0S43siUATw/kZy1IEKvRyPx3c7/bPWKJNjLy9WTUfJnBOokC9P +brRIa78UbMrWTecZPt7w9P5drpIxf1EF0kftU7CAc+9WzUR6zk25eazoQOGOr9RS +mTeLZ/PAgNHg74x53788kIi7BaXVCGAxizfjN9zPLXh+ei00o3DA/iCutIK7DVTM +50dDAgMBAAGjUDBOMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD +AQYIKwYBBQUHAwIwHQYDVR0OBBYEFPl992/b30DjpLEjuKEXZYn8elv1MAsGCSqG +SIb3DQEBCwOCAQEAf4AukrDG9wiJ0sEmYeqnlKGQ1fBSteLIKDBKy+cOPmatdtPb +NU2Cf9RU76Cf8wm71LRo/vDbuRs6NFTZxl3BOndamg/4Dyel+M6bMDm/53xDsqXm +Fx+NadtdwZE/nXVPQbqbn26WG03tXIajbPgrLcyPtY+NM67RTlyYLE+L7PN8l6C/ +jZjeZ9cUxNYMeSatQTBhXuCwx1nokghx6p9w6KoT5NILgjf0nDpVIxWOcW25HCfn +OCRJXir8SYPuxonZ/+qAd/+txlTAX42HGkM8rpM8Tb8JuLfGRnYEiv0F73kkkUPt +Zll1cO6pEZcs37iMRDajNcxdk7qa99QWeS+fHw== +-----END CERTIFICATE----- diff --git a/cpan/Net-SSLeay/t/data/simple-cert.certchain.der b/cpan/Net-SSLeay/t/data/simple-cert.certchain.der new file mode 100644 index 000000000000..81846ae28b12 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/simple-cert.certchain.der differ 
diff --git a/cpan/Net-SSLeay/t/data/simple-cert.certchain.enc.p12 b/cpan/Net-SSLeay/t/data/simple-cert.certchain.enc.p12 new file mode 100644 index 000000000000..33dbae314046 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/simple-cert.certchain.enc.p12 differ diff --git a/cpan/Net-SSLeay/t/data/simple-cert.certchain.p12 b/cpan/Net-SSLeay/t/data/simple-cert.certchain.p12 new file mode 100644 index 000000000000..0a5b5db2ccf7 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/simple-cert.certchain.p12 differ diff --git a/cpan/Net-SSLeay/t/data/simple-cert.certchain.pem b/cpan/Net-SSLeay/t/data/simple-cert.certchain.pem new file mode 100644 index 000000000000..62ac3a2233d3 --- /dev/null +++ b/cpan/Net-SSLeay/t/data/simple-cert.certchain.pem 
@@ -0,0 +1,61 @@ +-----BEGIN CERTIFICATE----- +MIIDeDCCAmKgAwIBAgIBATALBgkqhkiG9w0BAQswUTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxGDAWBgNVBAMM +D0ludGVybWVkaWF0ZSBDQTAeFw0yMDAxMDEwMDAwMDBaFw0zODAxMDEwMDAwMDBa +MGAxCzAJBgNVBAYTAlBMMRMwEQYDVQQKDApOZXQtU1NMZWF5MRMwEQYDVQQLDApU +ZXN0IFN1aXRlMScwJQYDVQQDDB5zaW1wbGUtY2VydC5uZXQtc3NsZWF5LmV4YW1w +bGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDhoQB/VTScf7nkxmfS +b0xbXTb74F4ZGh9OCKsdmv7cEd0uoymSPfYV4b9ElZODDmdcxIaMlURoSpfymWjm +tarUEEnqRBcAF98uZDkSWyb6XCSgIQl5UXTq83OHOcfKz0fwxBYQkmShvsj3B2Yz +oKB0SLoL8817Bk0S43siUATw/kZy1IEKvRyPx3c7/bPWKJNjLy9WTUfJnBOokC9P +brRIa78UbMrWTecZPt7w9P5drpIxf1EF0kftU7CAc+9WzUR6zk25eazoQOGOr9RS +mTeLZ/PAgNHg74x53788kIi7BaXVCGAxizfjN9zPLXh+ei00o3DA/iCutIK7DVTM +50dDAgMBAAGjUDBOMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD +AQYIKwYBBQUHAwIwHQYDVR0OBBYEFPl992/b30DjpLEjuKEXZYn8elv1MAsGCSqG +SIb3DQEBCwOCAQEAf4AukrDG9wiJ0sEmYeqnlKGQ1fBSteLIKDBKy+cOPmatdtPb +NU2Cf9RU76Cf8wm71LRo/vDbuRs6NFTZxl3BOndamg/4Dyel+M6bMDm/53xDsqXm +Fx+NadtdwZE/nXVPQbqbn26WG03tXIajbPgrLcyPtY+NM67RTlyYLE+L7PN8l6C/ +jZjeZ9cUxNYMeSatQTBhXuCwx1nokghx6p9w6KoT5NILgjf0nDpVIxWOcW25HCfn +OCRJXir8SYPuxonZ/+qAd/+txlTAX42HGkM8rpM8Tb8JuLfGRnYEiv0F73kkkUPt +Zll1cO6pEZcs37iMRDajNcxdk7qa99QWeS+fHw== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDUzCCAj2gAwIBAgIBAjALBgkqhkiG9w0BAQswSTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxEDAOBgNVBAMM +B1Jvb3QgQ0EwHhcNMjAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjBRMQswCQYD +VQQGEwJQTDETMBEGA1UECgwKTmV0LVNTTGVheTETMBEGA1UECwwKVGVzdCBTdWl0 +ZTEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEArbBQg+3l/SUFGDENvpvTPnp942njbsrkcfpmpfLQPn9GsMll +GYQvG7YqN2NV44rEGlFTRkhDYVhni1MNoe3VnGRzNknSoCmvhjqiG8ojZTIzj3/a +OIYNiJ7RPei8cqgT9WUjtcsnHLQq2tPIy1Mm8bE9BazNeFHCE9/B8u8y04Ks2+nu +sxMrhpFA89eHNTs3Xt6K7jpx/FJxpYAQkkfkLvADJ//AnFF4utQfqP7QKHGE4V4U +0+6XGMCZ/9VBIy9sn8Vj0vY80jHgug4hZPpgc2NWSprfI6prbWhC8l/qLGR8hgeo 
+FU5rVR9KE7LR3FnA6gekv4A66SdqF694abnvXQIDAQABo0IwQDAOBgNVHQ8BAf8E +BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU1dNN5Fm5XHX22XLzm9z7 +7oAmkW8wCwYJKoZIhvcNAQELA4IBAQB+oK8jmUKMZ7YItcCAnoFvcY4pLgGPcnAT +h30Rc0uUUUcVB66J6+YRHFVWA1X/AgyWI9Jxq/Qy50hGye2fdZmxBa3j5nbZlwAU +2JylwYigjhNHD3CUxYFInxKSaQKKnzLsjazn8pjLUvJLdPuO42l4RVYRJlfW/TZX +vc4Qoql1xN46C4eNjewzW76BzqyykGjAR02JhImclaciZ+oOz04jp1bvMwfYwcdO +7UBROGqUuamfS6URU5rpMkj6Z/2Z0TtneO9nIhTN0P8dxxDTxoKDDko5KOOzXrAO +nDCAamxvxhlxLcFbog3rTGaSvY0JO6T96lepvnOuaYEuRx9oyj37 +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDSzCCAjWgAwIBAgIBATALBgkqhkiG9w0BAQswSTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxEDAOBgNVBAMM +B1Jvb3QgQ0EwHhcNMjAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjBJMQswCQYD +VQQGEwJQTDETMBEGA1UECgwKTmV0LVNTTGVheTETMBEGA1UECwwKVGVzdCBTdWl0 +ZTEQMA4GA1UEAwwHUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAKSF8tIItlPf3KpLzUgI6JVW/d/+LZP1zYedrDFFXjvZu+4uFxE5zp4vczbX +k+jhF0TZk292eStA9kVMDePVMcGwjNF3Up99yYisFe/h4ovt/w3Op9b7KS9xy5Vh +fUNqxphHIUS4/S9+7o9DUjqNP94EszDzFu8R3V7QXdDE9pSn4UZMVDTozpeu+rLo ++FOkd7NQIJMSKOdCv1HOhcFuuj+4FkLlo8k5bDgEVH68xTOL92Q4sLwubHEWl/Hf +1IA8POwoOVLtuLj4GyIrbqM/Yj779kmRX+LtjsJ1kAmLhsh4T/XhTaOyqz/d253v +OE6hM6pM0KsuFLpdPDJynpSHoQcCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8G +A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLzOh106FMJ8u/MANb7SZ5Z+swVrMAsG +CSqGSIb3DQEBCwOCAQEAXU6HGU8ThUuJz+KCSNYaO3HxxFrNH2pFWwrTjt2tdBLk +uDvicaquwUzq6zetEys7v70WOCprGB6uARiet1vU7dg7cmrd7eWibMDNoKdcPNML +oZLO29WL+hvGTx/UD0o0j7l+ab2XB83q73mNRlqRBXZkkykaqWt9qy+LTvI7QYbc +ZoONmVE1wbq5c3R9L2aa27uJsfLPAErjr3mpnNtFhJfULv+hpmXHVukhra+VUkyp +jTiY83ad8ZHfCIxfZ+MUCcWNGj7G4Rkfd27MB7fDEQlisaSk8B17FK7oIqO/NN4E +w1SHQ5TRZSmbOTGIfZtS0KaTaZdZtBNee5BEzQz1sA== +-----END CERTIFICATE----- 
diff --git a/cpan/Net-SSLeay/t/data/simple-cert.csr.der b/cpan/Net-SSLeay/t/data/simple-cert.csr.der new file mode 100644 index 000000000000..edd90eec08fa Binary files /dev/null and b/cpan/Net-SSLeay/t/data/simple-cert.csr.der differ diff --git a/cpan/Net-SSLeay/t/data/simple-cert.csr.pem b/cpan/Net-SSLeay/t/data/simple-cert.csr.pem new file mode 100644 index 000000000000..9bce8fd68550 --- /dev/null +++ b/cpan/Net-SSLeay/t/data/simple-cert.csr.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICozCCAY0CAQAwYDELMAkGA1UEBhMCUEwxEzARBgNVBAoMCk5ldC1TU0xlYXkx +EzARBgNVBAsMClRlc3QgU3VpdGUxJzAlBgNVBAMMHnNpbXBsZS1jZXJ0Lm5ldC1z +c2xlYXkuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOGh +AH9VNJx/ueTGZ9JvTFtdNvvgXhkaH04Iqx2a/twR3S6jKZI99hXhv0SVk4MOZ1zE +hoyVRGhKl/KZaOa1qtQQSepEFwAX3y5kORJbJvpcJKAhCXlRdOrzc4c5x8rPR/DE +FhCSZKG+yPcHZjOgoHRIugvzzXsGTRLjeyJQBPD+RnLUgQq9HI/Hdzv9s9Yok2Mv +L1ZNR8mcE6iQL09utEhrvxRsytZN5xk+3vD0/l2ukjF/UQXSR+1TsIBz71bNRHrO +Tbl5rOhA4Y6v1FKZN4tn88CA0eDvjHnfvzyQiLsFpdUIYDGLN+M33M8teH56LTSj +cMD+IK60grsNVMznR0MCAwEAAaAAMAsGCSqGSIb3DQEBCwOCAQEAczET6zVSbA/f +Kr41p//q5A6PurV/Kbwlj6li3kJgDZso1Zw/muCSabuXp+5v6XXHm11e8nGB5DpJ +8xoy7VdvzutttA8Ywrjfvxwsf/FxEVNgjL8Yzp+iwFQcp2jl7yA1+3WefMY7Yz4B +tPHJam2VGahpFiZJbIeRrn+kA6Dq9yl8XulnCZtHH2OK/E/02i1XEWbh6J3ju65S +f4lotjL74k2La1cVD2cF7hFi76JwlI2pQq7eXaOvo82S+CjRMTn+9i8oJasLT9IH +ybdaz+A1akEIsZgyVIqDoJSK7WH8EZWkaJRBVxrzpBFtPYJtWkL6e4Rz3xmEK/7g +QJ/1MPWYZw== +-----END CERTIFICATE REQUEST----- diff --git a/cpan/Net-SSLeay/t/data/simple-cert.enc.p12 b/cpan/Net-SSLeay/t/data/simple-cert.enc.p12 new file mode 100644 index 000000000000..d0526bf56b32 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/simple-cert.enc.p12 differ diff --git a/cpan/Net-SSLeay/t/data/simple-cert.key.der b/cpan/Net-SSLeay/t/data/simple-cert.key.der new file mode 100644 index 000000000000..50966aceef29 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/simple-cert.key.der differ 
diff --git a/cpan/Net-SSLeay/t/data/simple-cert.key.enc.der b/cpan/Net-SSLeay/t/data/simple-cert.key.enc.der new file mode 100644 index 000000000000..50966aceef29 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/simple-cert.key.enc.der differ diff --git a/cpan/Net-SSLeay/t/data/simple-cert.key.enc.pem b/cpan/Net-SSLeay/t/data/simple-cert.key.enc.pem new file mode 100644 index 000000000000..9cad3841853f --- /dev/null +++ b/cpan/Net-SSLeay/t/data/simple-cert.key.enc.pem 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,CA0111C181D97AFC60C5BEFC7B110E3C + +LdI/uPXbBWbGleO1Tf+BZuJgc0SPNqZVK3EFWQU3XjJRTW8aPLdXO3tWoTeRHLqx +wgVFCDrelqGih99uKBDiL32zVCQ12I/nPrB5vlmVm86nPNngi1ib1N4Wzp4UC5at +JwiJJJvO/4nC07OJTPdBTl8LDrPPtx4x3xJwkr3JrbVW6Yfwz7E7uAC2X2ijoXSj +h4is3MgKEwSGnwTN76R0ZbzbEtlP3MPguDvmmzVeBTRO/SpY2PvPTVOH6nGz9cgO +2W90mXaaSaTflIOsSfLrkb3PknwSzcKyr2TFShc2WYJjNgF3dm+8Nd9hJarb3eJ3 +20SRVG+hl4Kz6+swT0Vg88rC6WMn1vmpPmzfVI8GX/p3h6xMphzweXQ+CdVZAneq +D6ggadWNRJK2OGISDNz/SpMTZYBXUSCOV9Ok/iQNzoK+A3Nv687hBQNRX75Lw8st +lxGTtOmgkz81lQM+oMJ+kN7PEmhWZ0J9DNX7w3QBgCqt5V16MjsJRyk0Ak38lApA +3dqmBadkcDVt5WdLhLE828qTu3KZ+ikv3pmMXoGYpOmFbIKpWunFrkZkZQuMiudG +p7sIFJibhh6BAZNzcLI/8opE530zQa3N2ngUYNI6YRn87KAzDhQPhbt+4vNvjAiX +avojkt82mTj3vDEZiMt3rYB8LtD9H3m7ggqd8CGW1A7Ev6jfVJlSbxtgdgOkyflU +zY5EvqSLx406LhkX6U1HROeYR1bsvH+B5dM3xKS/xrDuF0RRAGMQKckajL3Aql0E +Tq7g5LaQYkFgKhaRgV7nz/Dh1fVxHqWE7sM94C+J0GMEPJmUW4UmLA7S0YMyUrZ2 +qTy2Mnk2go1s7jyKORjm56dD0EKwDbOVXKZ292KrocFKHSKwCOkERjQHN6wmZ0N+ +BJ0kgmA4SFn7N7tE3k/1P+Q1uNdItv2WdFCYSCqRdI42XVW9h/e2OhCPzfhKjI2M +ILF/B+jp55c0Tu/+yhRWS4KBRTnEm2docaf3anKISgbJch1Ir15cO4k4l8R3V1sN +qp8ow06cQvTjVh7GXa7Kax3gIJWwZqu+2/zcUDDqnWe9fYkW2yGn0OFZRKl8itWB +aboJ/Pi8YcO20XFgraM1Q8X9m/B2TLRKdlSb2cnkfB/UuhTROqnSsGPevCw7mf7d +53IHuv/jbjdrCItv3XvSZIf4U0oh5mx1+0+op7lK/BkRBCq2NSH8SY3ltza07Kre +0MsIzvWK1/luwuThPDN0yjpQtyqLieZkhG+E5oaHPrFxEiqDSbu+zzHF5G76K48m +ccLdIt2/IqQIBXml0oZVEV5b4xDnWh4IQR19BJPoqSacQzCH71bwSHiVONVknrs/ +VIcf3n+RgB3RHzvj0xQ45HU2DHq/N0LvDEX6WjjM7dFqxCauXs7G0njGs7aZ36p1 +vyi3pAbgB4RZV+OIFIZn5EjcQ46xI3zTRl6HCgOJa8PTG6ub1/4gb7IyhOrvVF2L +h4ctBMREAvZqC54pooCBxLd4ljJ/tcfWvjzwU3zB7it5mDX6XXwr2UqAWcaBMcgb ++R3/jZlF0eDtKyWxuE09rn3TrmYvU/efR20XlbbXnArGUyxOE1KhIznZaKGP2SLw +-----END RSA PRIVATE KEY----- diff --git a/cpan/Net-SSLeay/t/data/simple-cert.key.pem b/cpan/Net-SSLeay/t/data/simple-cert.key.pem new file mode 100644 index 000000000000..d37b17afe277 --- /dev/null 
+++ b/cpan/Net-SSLeay/t/data/simple-cert.key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA4aEAf1U0nH+55MZn0m9MW102++BeGRofTgirHZr+3BHdLqMp +kj32FeG/RJWTgw5nXMSGjJVEaEqX8plo5rWq1BBJ6kQXABffLmQ5Elsm+lwkoCEJ +eVF06vNzhznHys9H8MQWEJJkob7I9wdmM6CgdEi6C/PNewZNEuN7IlAE8P5GctSB +Cr0cj8d3O/2z1iiTYy8vVk1HyZwTqJAvT260SGu/FGzK1k3nGT7e8PT+Xa6SMX9R +BdJH7VOwgHPvVs1Ees5NuXms6EDhjq/UUpk3i2fzwIDR4O+Med+/PJCIuwWl1Qhg +MYs34zfczy14fnotNKNwwP4grrSCuw1UzOdHQwIDAQABAoIBAC9p8fzQHvo0LRBS +UUb7dIROlltfzuZfguyXDb5u79e3OU+vofDFbI00n0j+Vb1YrYflFJE+XN29ryif +7FdvHbLqqV29aUfvvEq3bPbaiNpbuqabyq3f3D3zYverwLxxyqBh1HEvEk6bFQg0 +WdnHi3BkSBRy619K969cdmfDgQZTQ90NA2aZd+SRtAl34SmV49/SOpzt8zfcPVuF +5w58BNnsIg4dz0NYcWDCPuBDdJz5Mq5fVDKtJ/oof9HVx90RISOosHvDu6+szrTG +w4roFxV7uoYCKgeuh/WlGvsEUXUJDbzyjS/DdJuTYAD8U0tB8ufVIOCSzp6EhLMz +UcOEuSECgYEA7K7ISbxo4PStdOtv+jPWKHLQMG/aUbbOfi6XosK7QtP/viaV56PB +vu1pc4e4XXgaMDJGAAFY0oe4QO6IV7+Q9ZTnyukZKsldOEAsAjEuEy7AFBWmVf2i +TmyqkL/y2Vw9miu44HaX8i4JMwJYKz3ZEsH/IsRejJ9g5UABVekRggUCgYEA9AtD +J7Lp3FIhgevOSiaKYQShbDdC2gIoa+rHgH9CliZB/oIHajPRJM2PYpc37YwsODfY +FpzM1YyPR4Y3jNS1KplINY1OTUQhoM0JptNamTeAPjaNJ8JtS6ex74HCaDBDft9c +P4UbMYBkNK+uL73kbXfFhw8RpuvNMrbAqEoZfqcCgYEAlsUwaWhQFx1GcbiY+HWU +8udQn8pg9LTTDaZ4igIqcAPEYkkKLSkv/oQWLLZER6Z+aD1eQhqZjmNOiG5rBBrQ +KODWV3ftxEfJzk9yuWLCyw145lJ0R0ru3a5zaQodlUEhLNi1SKfDW07gJVJVABbB +9SUHdgpJgKL2gpMnRqbVtFECgYEAnYD7SY7eAjT7rTc8P30aSD1N1WLhAYTtA6FW +OudnWTK92v2evXtN2vvUM6Q3E1gpXeskyotOY/DAtD+6cGkDt8eP5Agb5iA3t+k8 +9m9oBITefsiEV4nTMkW7wEE18DpeBW8wwUot38fmZF6SA/wBhmkLkfw2v01mdPmf +471XMPcCgYA+e1T5HbCPKtOL3OzBQ1RjjHoGvn7zWJc13BctHgrjboeT1mbVRsg6 +NdWnsYCUmuMtIt4/Xex5OprAyn0vRCf0UeWHVgj7lOUwxF2eWUkxryJA0ol/S69d +fD28mPNQN4lgSjXPGO9QEGX+DcoAhbFfJwHDKYx1e6IBX4EwiDvc+g== +-----END RSA PRIVATE KEY----- diff --git a/cpan/Net-SSLeay/t/data/simple-cert.p12 b/cpan/Net-SSLeay/t/data/simple-cert.p12 new file mode 100644 index 000000000000..9b58eae492de Binary files /dev/null and b/cpan/Net-SSLeay/t/data/simple-cert.p12 differ 
diff --git a/cpan/Net-SSLeay/t/data/strange-cert.cert.der b/cpan/Net-SSLeay/t/data/strange-cert.cert.der new file mode 100644 index 000000000000..d85313d3a9bc Binary files /dev/null and b/cpan/Net-SSLeay/t/data/strange-cert.cert.der differ diff --git a/cpan/Net-SSLeay/t/data/strange-cert.cert.dump b/cpan/Net-SSLeay/t/data/strange-cert.cert.dump new file mode 100644 index 000000000000..8fc94c7057d5 --- /dev/null +++ b/cpan/Net-SSLeay/t/data/strange-cert.cert.dump 
@@ -0,0 +1,160 @@ + +# exported via command: perl examples/x509_cert_details.pl -dump -pem t/data/strange-cert.cert.pem > t/data/strange-cert.cert.pem_dump +# hashref dumped via Data::Dump +{ + cdp => [], + certificate_type => 305, + digest_sha1 => { + pubkey => pack("H*","0d115f7bf1d18314665f7f7bf574ae274e8740d9"), + x509 => pack("H*","a0b4e0c8ae9428bc8e3a6d54a76fc7fedf39bfef"), + }, + extensions => { + count => 3, + entries => [ + { + critical => 1, + data => "Digital Signature, Key Encipherment", + ln => "X509v3 Key Usage", + nid => 83, + oid => "2.5.29.15", + sn => "keyUsage", + }, + { + critical => 0, + data => "TLS Web Server Authentication, TLS Web Client Authentication", + ln => "X509v3 Extended Key Usage", + nid => 126, + oid => "2.5.29.37", + sn => "extendedKeyUsage", + }, + { + critical => 0, + data => "0D:11:5F:7B:F1:D1:83:14:66:5F:7F:7B:F5:74:AE:27:4E:87:40:D9", + ln => "X509v3 Subject Key Identifier", + nid => 82, + oid => "2.5.29.14", + sn => "subjectKeyIdentifier", + }, + ], + }, + extkeyusage => { + ln => [ + "TLS Web Server Authentication", + "TLS Web Client Authentication", + ], + nid => [129, 130], + oid => ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"], + sn => ["serverAuth", "clientAuth"], + }, + fingerprint => { + md5 => "D9:28:01:72:6F:C6:7E:F1:C2:0A:C9:39:1D:50:BD:05", + sha1 => "A0:B4:E0:C8:AE:94:28:BC:8E:3A:6D:54:A7:6F:C7:FE:DF:39:BF:EF", + }, + hash => { + issuer => { dec => 2397076613, hex => "8EE07C85" }, + issuer_and_serial => { dec => 1043266401, hex => "3E2EFB61" }, + subject => { dec => 1601970016, hex => "5F7C1F60" }, + }, + issuer => { + count => 4, + entries => [ + { + data => "PL", + data_utf8_decoded => "PL", + ln => "countryName", + nid => 14, + oid => "2.5.4.6", + sn => "C", + }, + { + data => "Net-SSLeay", + data_utf8_decoded => "Net-SSLeay", + ln => "organizationName", + nid => 17, + oid => "2.5.4.10", + sn => "O", + }, + { + data => "Test Suite", + data_utf8_decoded => "Test Suite", + ln => "organizationalUnitName", + nid => 
18, + oid => "2.5.4.11", + sn => "OU", + }, + { + data => "Intermediate CA", + data_utf8_decoded => "Intermediate CA", + ln => "commonName", + nid => 13, + oid => "2.5.4.3", + sn => "CN", + }, + ], + oneline => "/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Intermediate CA", + print_rfc2253 => "CN=Intermediate CA,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8 => "CN=Intermediate CA,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8_decoded => "CN=Intermediate CA,OU=Test Suite,O=Net-SSLeay,C=PL", + }, + keyusage => ["digitalSignature", "keyEncipherment"], + not_after => "2038-01-01T00:00:00Z", + not_before => "2020-01-01T00:00:00Z", + ns_cert_type => [], + pubkey_alg => "rsaEncryption", + pubkey_bits => 2048, + pubkey_id => 6, + pubkey_size => 256, + serial => { dec => 4, hex => "04", long => 4 }, + signature_alg => "sha256WithRSAEncryption", + subject => { + altnames => [], + count => 5, + entries => [ + { + data => "UA", + data_utf8_decoded => "UA", + ln => "countryName", + nid => 14, + oid => "2.5.4.6", + sn => "C", + }, + { + data => "abc D.E.F", + data_utf8_decoded => "abc D.E.F", + ln => "organizationName", + nid => 17, + oid => "2.5.4.10", + sn => "O", + }, + { + data => "START ! \@ # \$ % ^ & * ( ) , . - ? : _ / [ ] \" ' | = + END", + data_utf8_decoded => "START ! \@ # \$ % ^ & * ( ) , . - ? : _ / [ ] \" ' | = + END", + ln => "organizationalUnitName", + nid => 18, + oid => "2.5.4.11", + sn => "OU", + }, + { + data => pack("H*","d09bd18cd0b2d196d0b2d181d18cd0bad0b020d0bed0b1d0bbd0b0d181d182d18c"), + data_utf8_decoded => "\x{41B}\x{44C}\x{432}\x{456}\x{432}\x{441}\x{44C}\x{43A}\x{430} \x{43E}\x{431}\x{43B}\x{430}\x{441}\x{442}\x{44C}", + ln => "stateOrProvinceName", + nid => 16, + oid => "2.5.4.8", + sn => "ST", + }, + { + data => "strange-cert.net-ssleay.example", + data_utf8_decoded => "strange-cert.net-ssleay.example", + ln => "commonName", + nid => 13, + oid => "2.5.4.3", + sn => "CN", + }, + ], + oneline => "/C=UA/O=abc D.E.F/OU=START ! 
\@ # \$ % ^ & * ( ) , . - ? : _ \\/ [ ] \" ' | = \\+ END/ST=\\xD0\\x9B\\xD1\\x8C\\xD0\\xB2\\xD1\\x96\\xD0\\xB2\\xD1\\x81\\xD1\\x8C\\xD0\\xBA\\xD0\\xB0 \\xD0\\xBE\\xD0\\xB1\\xD0\\xBB\\xD0\\xB0\\xD1\\x81\\xD1\\x82\\xD1\\x8C/CN=strange-cert.net-ssleay.example", + print_rfc2253 => "CN=strange-cert.net-ssleay.example,ST=\\D0\\9B\\D1\\8C\\D0\\B2\\D1\\96\\D0\\B2\\D1\\81\\D1\\8C\\D0\\BA\\D0\\B0 \\D0\\BE\\D0\\B1\\D0\\BB\\D0\\B0\\D1\\81\\D1\\82\\D1\\8C,OU=START ! \@ # \$ % ^ & * ( ) \\, . - ? : _ / [ ] \\\" ' | = \\+ END,O=abc D.E.F,C=UA", + print_rfc2253_utf8 => "CN=strange-cert.net-ssleay.example,ST=\xD0\x9B\xD1\x8C\xD0\xB2\xD1\x96\xD0\xB2\xD1\x81\xD1\x8C\xD0\xBA\xD0\xB0 \xD0\xBE\xD0\xB1\xD0\xBB\xD0\xB0\xD1\x81\xD1\x82\xD1\x8C,OU=START ! \@ # \$ % ^ & * ( ) \\, . - ? : _ / [ ] \\\" ' | = \\+ END,O=abc D.E.F,C=UA", + print_rfc2253_utf8_decoded => "CN=strange-cert.net-ssleay.example,ST=\x{41B}\x{44C}\x{432}\x{456}\x{432}\x{441}\x{44C}\x{43A}\x{430} \x{43E}\x{431}\x{43B}\x{430}\x{441}\x{442}\x{44C},OU=START ! \@ # \$ % ^ & * ( ) \\, . - ? : _ / [ ] \\\" ' | = \\+ END,O=abc D.E.F,C=UA", + }, + version => 2, +} diff --git a/cpan/Net-SSLeay/t/data/strange-cert.cert.pem b/cpan/Net-SSLeay/t/data/strange-cert.cert.pem new file mode 100644 index 000000000000..cc437d309089 --- /dev/null +++ b/cpan/Net-SSLeay/t/data/strange-cert.cert.pem 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID1TCCAr+gAwIBAgIBBDALBgkqhkiG9w0BAQswUTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxGDAWBgNVBAMM +D0ludGVybWVkaWF0ZSBDQTAeFw0yMDAxMDEwMDAwMDBaFw0zODAxMDEwMDAwMDBa +MIG8MQswCQYDVQQGEwJVQTESMBAGA1UECgwJYWJjIEQuRS5GMUMwQQYDVQQLDDpT +VEFSVCAhIEAgIyAkICUgXiAmICogKCApICwgLiAtID8gOiBfIC8gWyBdICIgJyB8 +ICA9ICsgRU5EMSowKAYDVQQIDCHQm9GM0LLRltCy0YHRjNC60LAg0L7QsdC70LDR +gdGC0YwxKDAmBgNVBAMMH3N0cmFuZ2UtY2VydC5uZXQtc3NsZWF5LmV4YW1wbGUw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC11J19KFGse8fVp8ES2MLe +VngTkW93zmdqcykByrXyw8LfH7yTKwTn2TqEmSliopzOeKK2hfETyMQYlUa9mdr8 +qJeREDFQfUrasOncb4eT9Jfr2i5J9yak68bG8I0/EtAGyT/04DBgatZK9V9dhnzP +dovb/kojd2JX98aJqcYtJL5bPqELEFtdjXhWm4lzoyqq0eeH0aymO8X3ORWw9XeI +aJtuXadG6jQhFq7aAsrX11lRjKbSGvUCh+zYX8pVaM0eMKBgjcgFqqiml3Y+vnVf +e2+JkTl35vEZ6scA6WyVpYOkG0gbKHipH9XUfgeuEat7quedQzjejA1dH9IJGuH/ +AgMBAAGjUDBOMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI +KwYBBQUHAwIwHQYDVR0OBBYEFA0RX3vx0YMUZl9/e/V0ridOh0DZMAsGCSqGSIb3 +DQEBCwOCAQEAbSgGiiajGn5qYbK6Xi26CTCqvLlmQANTQDg1Ufs6DO1Vi6OpuGWv +Q2WCcwRZQvL1lE0GgOl7DNuURZKlwmerYCT2VnF48qcxDOV4GxRjiy0PaWD9LiQz +w5ODDutwmY3I0Le9HPNvIiC2vHPj0Nu2gIapkL90SKJws7ag7mMmbpi/5HNbxT3b +gFnRpmOQBiiqAtz7dKSzusQ30F/mAB/FoLhB2HeyKQyQeTJEqn+vo/6XZzqXzL4+ +Olp2o0SxvGC03fwucJJW/zbgNsdiHswGR57OUv02LckYwFSgyrTvnfASViIakd2y +I+GONFs+17aGcSolGWpygJFwozwKAQr6ew== +-----END CERTIFICATE----- diff --git a/cpan/Net-SSLeay/t/data/strange-cert.certchain.der b/cpan/Net-SSLeay/t/data/strange-cert.certchain.der new file mode 100644 index 000000000000..0936ba5be2c0 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/strange-cert.certchain.der differ diff --git a/cpan/Net-SSLeay/t/data/strange-cert.certchain.enc.p12 b/cpan/Net-SSLeay/t/data/strange-cert.certchain.enc.p12 new file mode 100644 index 000000000000..e2ea3f049b17 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/strange-cert.certchain.enc.p12 differ 
diff --git a/cpan/Net-SSLeay/t/data/strange-cert.certchain.p12 b/cpan/Net-SSLeay/t/data/strange-cert.certchain.p12
new file mode 100644
index 000000000000..ff48551c0f97
Binary files /dev/null and b/cpan/Net-SSLeay/t/data/strange-cert.certchain.p12 differ
diff --git a/cpan/Net-SSLeay/t/data/strange-cert.certchain.pem b/cpan/Net-SSLeay/t/data/strange-cert.certchain.pem
new file mode 100644
index 000000000000..fbce0ac9b555
--- /dev/null
+++ b/cpan/Net-SSLeay/t/data/strange-cert.certchain.pem
@@ -0,0 +1,63 @@ +-----BEGIN CERTIFICATE----- +MIID1TCCAr+gAwIBAgIBBDALBgkqhkiG9w0BAQswUTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxGDAWBgNVBAMM +D0ludGVybWVkaWF0ZSBDQTAeFw0yMDAxMDEwMDAwMDBaFw0zODAxMDEwMDAwMDBa +MIG8MQswCQYDVQQGEwJVQTESMBAGA1UECgwJYWJjIEQuRS5GMUMwQQYDVQQLDDpT +VEFSVCAhIEAgIyAkICUgXiAmICogKCApICwgLiAtID8gOiBfIC8gWyBdICIgJyB8 +ICA9ICsgRU5EMSowKAYDVQQIDCHQm9GM0LLRltCy0YHRjNC60LAg0L7QsdC70LDR +gdGC0YwxKDAmBgNVBAMMH3N0cmFuZ2UtY2VydC5uZXQtc3NsZWF5LmV4YW1wbGUw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC11J19KFGse8fVp8ES2MLe +VngTkW93zmdqcykByrXyw8LfH7yTKwTn2TqEmSliopzOeKK2hfETyMQYlUa9mdr8 +qJeREDFQfUrasOncb4eT9Jfr2i5J9yak68bG8I0/EtAGyT/04DBgatZK9V9dhnzP +dovb/kojd2JX98aJqcYtJL5bPqELEFtdjXhWm4lzoyqq0eeH0aymO8X3ORWw9XeI +aJtuXadG6jQhFq7aAsrX11lRjKbSGvUCh+zYX8pVaM0eMKBgjcgFqqiml3Y+vnVf +e2+JkTl35vEZ6scA6WyVpYOkG0gbKHipH9XUfgeuEat7quedQzjejA1dH9IJGuH/ +AgMBAAGjUDBOMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI +KwYBBQUHAwIwHQYDVR0OBBYEFA0RX3vx0YMUZl9/e/V0ridOh0DZMAsGCSqGSIb3 +DQEBCwOCAQEAbSgGiiajGn5qYbK6Xi26CTCqvLlmQANTQDg1Ufs6DO1Vi6OpuGWv +Q2WCcwRZQvL1lE0GgOl7DNuURZKlwmerYCT2VnF48qcxDOV4GxRjiy0PaWD9LiQz +w5ODDutwmY3I0Le9HPNvIiC2vHPj0Nu2gIapkL90SKJws7ag7mMmbpi/5HNbxT3b +gFnRpmOQBiiqAtz7dKSzusQ30F/mAB/FoLhB2HeyKQyQeTJEqn+vo/6XZzqXzL4+ +Olp2o0SxvGC03fwucJJW/zbgNsdiHswGR57OUv02LckYwFSgyrTvnfASViIakd2y +I+GONFs+17aGcSolGWpygJFwozwKAQr6ew== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDUzCCAj2gAwIBAgIBAjALBgkqhkiG9w0BAQswSTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxEDAOBgNVBAMM +B1Jvb3QgQ0EwHhcNMjAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjBRMQswCQYD +VQQGEwJQTDETMBEGA1UECgwKTmV0LVNTTGVheTETMBEGA1UECwwKVGVzdCBTdWl0 +ZTEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEArbBQg+3l/SUFGDENvpvTPnp942njbsrkcfpmpfLQPn9GsMll +GYQvG7YqN2NV44rEGlFTRkhDYVhni1MNoe3VnGRzNknSoCmvhjqiG8ojZTIzj3/a +OIYNiJ7RPei8cqgT9WUjtcsnHLQq2tPIy1Mm8bE9BazNeFHCE9/B8u8y04Ks2+nu 
+sxMrhpFA89eHNTs3Xt6K7jpx/FJxpYAQkkfkLvADJ//AnFF4utQfqP7QKHGE4V4U +0+6XGMCZ/9VBIy9sn8Vj0vY80jHgug4hZPpgc2NWSprfI6prbWhC8l/qLGR8hgeo +FU5rVR9KE7LR3FnA6gekv4A66SdqF694abnvXQIDAQABo0IwQDAOBgNVHQ8BAf8E +BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU1dNN5Fm5XHX22XLzm9z7 +7oAmkW8wCwYJKoZIhvcNAQELA4IBAQB+oK8jmUKMZ7YItcCAnoFvcY4pLgGPcnAT +h30Rc0uUUUcVB66J6+YRHFVWA1X/AgyWI9Jxq/Qy50hGye2fdZmxBa3j5nbZlwAU +2JylwYigjhNHD3CUxYFInxKSaQKKnzLsjazn8pjLUvJLdPuO42l4RVYRJlfW/TZX +vc4Qoql1xN46C4eNjewzW76BzqyykGjAR02JhImclaciZ+oOz04jp1bvMwfYwcdO +7UBROGqUuamfS6URU5rpMkj6Z/2Z0TtneO9nIhTN0P8dxxDTxoKDDko5KOOzXrAO +nDCAamxvxhlxLcFbog3rTGaSvY0JO6T96lepvnOuaYEuRx9oyj37 +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDSzCCAjWgAwIBAgIBATALBgkqhkiG9w0BAQswSTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxEDAOBgNVBAMM +B1Jvb3QgQ0EwHhcNMjAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjBJMQswCQYD +VQQGEwJQTDETMBEGA1UECgwKTmV0LVNTTGVheTETMBEGA1UECwwKVGVzdCBTdWl0 +ZTEQMA4GA1UEAwwHUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAKSF8tIItlPf3KpLzUgI6JVW/d/+LZP1zYedrDFFXjvZu+4uFxE5zp4vczbX +k+jhF0TZk292eStA9kVMDePVMcGwjNF3Up99yYisFe/h4ovt/w3Op9b7KS9xy5Vh +fUNqxphHIUS4/S9+7o9DUjqNP94EszDzFu8R3V7QXdDE9pSn4UZMVDTozpeu+rLo ++FOkd7NQIJMSKOdCv1HOhcFuuj+4FkLlo8k5bDgEVH68xTOL92Q4sLwubHEWl/Hf +1IA8POwoOVLtuLj4GyIrbqM/Yj779kmRX+LtjsJ1kAmLhsh4T/XhTaOyqz/d253v +OE6hM6pM0KsuFLpdPDJynpSHoQcCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8G +A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLzOh106FMJ8u/MANb7SZ5Z+swVrMAsG +CSqGSIb3DQEBCwOCAQEAXU6HGU8ThUuJz+KCSNYaO3HxxFrNH2pFWwrTjt2tdBLk +uDvicaquwUzq6zetEys7v70WOCprGB6uARiet1vU7dg7cmrd7eWibMDNoKdcPNML +oZLO29WL+hvGTx/UD0o0j7l+ab2XB83q73mNRlqRBXZkkykaqWt9qy+LTvI7QYbc +ZoONmVE1wbq5c3R9L2aa27uJsfLPAErjr3mpnNtFhJfULv+hpmXHVukhra+VUkyp +jTiY83ad8ZHfCIxfZ+MUCcWNGj7G4Rkfd27MB7fDEQlisaSk8B17FK7oIqO/NN4E +w1SHQ5TRZSmbOTGIfZtS0KaTaZdZtBNee5BEzQz1sA== +-----END CERTIFICATE----- 
diff --git a/cpan/Net-SSLeay/t/data/strange-cert.csr.der b/cpan/Net-SSLeay/t/data/strange-cert.csr.der new file mode 100644 index 000000000000..e9e2e10bd9d4 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/strange-cert.csr.der differ diff --git a/cpan/Net-SSLeay/t/data/strange-cert.csr.pem b/cpan/Net-SSLeay/t/data/strange-cert.csr.pem new file mode 100644 index 000000000000..8fc7bf7d9592 --- /dev/null +++ b/cpan/Net-SSLeay/t/data/strange-cert.csr.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIDADCCAeoCAQAwgbwxCzAJBgNVBAYTAlVBMSowKAYDVQQIDCHQm9GM0LLRltCy +0YHRjNC60LAg0L7QsdC70LDRgdGC0YwxEjAQBgNVBAoMCWFiYyBELkUuRjFDMEEG +A1UECww6U1RBUlQgISBAICMgJCAlIF4gJiAqICggKSAsIC4gLSA/IDogXyAvIFsg +XSAiICcgfCAgPSArIEVORDEoMCYGA1UEAwwfc3RyYW5nZS1jZXJ0Lm5ldC1zc2xl +YXkuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALXUnX0o +Uax7x9WnwRLYwt5WeBORb3fOZ2pzKQHKtfLDwt8fvJMrBOfZOoSZKWKinM54oraF +8RPIxBiVRr2Z2vyol5EQMVB9Stqw6dxvh5P0l+vaLkn3JqTrxsbwjT8S0AbJP/Tg +MGBq1kr1X12GfM92i9v+SiN3Ylf3xompxi0kvls+oQsQW12NeFabiXOjKqrR54fR +rKY7xfc5FbD1d4hom25dp0bqNCEWrtoCytfXWVGMptIa9QKH7NhfylVozR4woGCN +yAWqqKaXdj6+dV97b4mROXfm8RnqxwDpbJWlg6QbSBsoeKkf1dR+B64Rq3uq551D +ON6MDV0f0gka4f8CAwEAAaAAMAsGCSqGSIb3DQEBCwOCAQEAQ7s9+1foz7FCtb+L +4uc6NiAi888PIqJkFQMfnr+4WSY35fLQHY4r5LNAGPmdQN36FOHlRwZeK7B4DVKh +TpN+KnHnGiQEqsjnIOh9gia1bsM8n00dTLrirDjEII8pmFD7Mzw7ic17BkTZjxKA +m3yvJiNrc2LvV96xaqhP1ftrrBf0W8kuRCoMdMf9WEKOAih9ym+LEJlQBgBugbKG +b7JVawdIgONtkWgHNwjlzEfinO/IqN/t9tu/wWMDqFMi1MuZlMHMTJd3EbnHi10d +yM2/Hxsp3akdtYh03YEVuv2nx7NGwL267XYpv99LzCpG6LMnOjr1d4IA3l19izSf +f+QcLw== +-----END CERTIFICATE REQUEST----- diff --git a/cpan/Net-SSLeay/t/data/strange-cert.enc.p12 b/cpan/Net-SSLeay/t/data/strange-cert.enc.p12 new file mode 100644 index 000000000000..274df585949b Binary files /dev/null and b/cpan/Net-SSLeay/t/data/strange-cert.enc.p12 differ 
diff --git a/cpan/Net-SSLeay/t/data/strange-cert.key.der b/cpan/Net-SSLeay/t/data/strange-cert.key.der
new file mode 100644
index 000000000000..2a2de5e4012f
Binary files /dev/null and b/cpan/Net-SSLeay/t/data/strange-cert.key.der differ
diff --git a/cpan/Net-SSLeay/t/data/strange-cert.key.enc.der b/cpan/Net-SSLeay/t/data/strange-cert.key.enc.der
new file mode 100644
index 000000000000..2a2de5e4012f
Binary files /dev/null and b/cpan/Net-SSLeay/t/data/strange-cert.key.enc.der differ
diff --git a/cpan/Net-SSLeay/t/data/strange-cert.key.enc.pem b/cpan/Net-SSLeay/t/data/strange-cert.key.enc.pem
new file mode 100644
index 000000000000..fd4003780a9d
--- /dev/null
+++ b/cpan/Net-SSLeay/t/data/strange-cert.key.enc.pem
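Review bot: strange-cert.key.enc.der is added with the same blob id as strange-cert.key.der (`index 000000000000..2a2de5e4012f` on both file sections), so the fixture named as an encrypted key is byte-identical to the plaintext one; verify-ca.key.der and verify-ca.key.enc.der further down share `1aafb9ab9ed5` in the same way. If this is deliberate, it should be stated where these fixtures are described, because a test that loads a `*.key.enc.der` file with a passphrase is then not exercising encrypted-key handling at all and would keep passing if that code path broke. If it is not deliberate, the step that produces the `.enc.der` variants is presumably copying its input rather than encrypting it, and the fixtures should be regenerated before the tests are relied on.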
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,B77CE985CD51B8ECFE85CFA9B82249FE + +8J6PQb0g0x3fq4ijhU20OaBK5PwCWxKUzv7IkAweKg7/1y7PraAPi3zH8AdSYRwz +8LYB4coJdvd67Ev11urlfW8frVXqw9yZRTrxexS6BbUhZh0LFCvoA2VS1SIzyHtM +iC9fWd3BXCw014qX3gQHPEszZBLPElpki28avrsGHV1Cui1sQ2nbpeIAU4vMfvzb +vw9AGSekyqRWOkC8NI9RB84CP9K2en9oR07yRlbm9+c7iBCVulCCPbuQdHFMEBwX +6R8miOePOYBvTGDVkamNMUNx0nAkNtXW/xwsaX7+GntPZkYagn+46d48CWVDcc91 +dwaYIf7RDFgGqKcszHmFJrl2X9VlfPrAeIAhieJoTwJfF3Q243ybcv5aY63DwnHH +oo1V8kbrVVBcOPu71hFiwCaIa3Pst8JNVtChkISeMavtm/ATbSTpxcUvPEszHICq +yMmSBTaCPTlCH0K//dhkWzv2GRZvieZ3G52TO0qhZVlQ/iKwikcI7RnnixnNtPmg +heFy20l9jKIuBVovQZ7xxG/F+yPwhaQWszYUpvPTADKDdSMWuFxulFApZx+LR/2u +cHlDXHxh3gurF2IdLPX8CmU1bYo0EbJQ2pwXfD7uVEF4lPE3zTfh2BZvYWiS90d1 +q8UK3DpjM2iBrwQ7ZYwrm4M4SLz09z+psf+AXpeEc89Q4ETVqvL4pzWuqQ2k4RPT ++aCPF2WaGNrCpo26UjrhA5gWPCW1NvCJGxdJTTnRBJmQe5eNZbo6ub/TGdBrYcvx +Z932Fkulu4CF1ScA6bpJJgsTLxCXVEKWoHEMU9A/XnDXjaBhXmipt6jpXBjvZw19 +aXZlhMfELrqJ2hZJeIqMyC7OU36HkynfVWGN2XHABwoYMJSX8NwtDbmdHSG7TO/G +lPTTUmEmnx/j4xoP7x618bM4GBnjRbrv/o7S8ZrjeddtSI0wdk2PPwLKOrC/Aj5y +m/dNfGntVsPLJ2JxBvqK5dQvhr8HV4OeZknx+iSjkZSAtQWS6oME+iTw1bMob/6Z +0CF86+Ob8rE2A13USXR7Sj8xzsIWqXsYip1TlePfAp7KnXhhwNUT5NR8OhCPxDyM +aWHZTyF/JDk7VS8jIZk8r+P1mwPQzep/5Xo1Y1pXNJY5++4zuyo75YP8FoL8LOBO +Ws6k7jZjZatLwvfNKvI6K6TyCKOuvXDku7vcZ1Lw7LA0yQz8Gsr9Kqsi9/6IiNq5 +eaYXyqyx/Dw83yW1/qIa16a+l8svPECyVZ59RdKi2FtcJ4OXvm5VRj7V0KdqcbBN +ixA7bTch8/b8QYBcxncQiiCbpZRPBYcLlFvyfr/3iFTqRa5wahYO3vD08SNrPlrX ++jOToBoZZxlKYw776L1PBSnMjISMwHUL0tb65WHdWCklCkAOUjr4VmiFaciNT7sd +Fy3Sge1z2S80riXWRTnIzpnjdPHNWLopXnj/uwGPki4hUNPgw2SwCGhyF7qDB4mB +L1QlrUEVmED+EQwz0cUrkKtgzbdUi+YyrO2xE6B3QfF3mJ4tirDT/Pk5qb8NX+Xg +HSEkOA9Piruia38U6ZkXqFGdqQIP00xlxehm7YlRCqHMav6H0/sAGjvecFyR+HdA +-----END RSA PRIVATE KEY----- diff --git a/cpan/Net-SSLeay/t/data/strange-cert.key.pem b/cpan/Net-SSLeay/t/data/strange-cert.key.pem new file mode 100644 index 000000000000..449f2654b5bc --- /dev/null 
+++ b/cpan/Net-SSLeay/t/data/strange-cert.key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAtdSdfShRrHvH1afBEtjC3lZ4E5Fvd85nanMpAcq18sPC3x+8 +kysE59k6hJkpYqKczniitoXxE8jEGJVGvZna/KiXkRAxUH1K2rDp3G+Hk/SX69ou +SfcmpOvGxvCNPxLQBsk/9OAwYGrWSvVfXYZ8z3aL2/5KI3diV/fGianGLSS+Wz6h +CxBbXY14VpuJc6MqqtHnh9GspjvF9zkVsPV3iGibbl2nRuo0IRau2gLK19dZUYym +0hr1Aofs2F/KVWjNHjCgYI3IBaqoppd2Pr51X3tviZE5d+bxGerHAOlslaWDpBtI +Gyh4qR/V1H4HrhGre6rnnUM43owNXR/SCRrh/wIDAQABAoIBAAYlv8tX2nVEzdm9 +3wgoQZ0HiNGixL4sCJDvuCCXjEqwYG82oRVZypkq+l7ISjC9dUDzWCuhQ8TMhc7x +aC3roFWvsGUIw0hIpQgQjbTiz8EjUwZ37RbSwrKn8VyPt1eu9TLEpdwvMN/2E9ep +fb6FyeDMo0tP83CCFUgKpo1WY87NoyNzFJAtH0GKzhZvJXXDMXJY/IAVvr5I16bW +j7KcsBf3R9YMPMRoAhQp9H6VfCqYE7YTTGrH188Ksr1titZmkMBBFyyPaBx5vzuJ +EfKhyTjLU4Ce/Rck9T+PTvn7AYfwL77XY5qWp8L+TdnxtLqobAtdtPva/TfZht5Y +NiG2Mk0CgYEA8t1GgUn63v1sy+CQfLyCvo8Rqx/34kxVmdBDrCNBry/pE20Fz8xl +dvKs+vjigg8j2iFKbgwhJ/B1MsAz/bTLd5rukinT0ds1t+H6gBQjdeXNhsnTEzMq +HCWA+qP2uJVMOVckDMHMiEsGw947YtqkXXrpIcjyh47VEtUFeqbU1JMCgYEAv6pC +WWqiO1JNC2SQQGC0sOtccQtSSMWdkhZPNPNtal0M/441HkYfUVHQoPCDqBMMIWlv +ncAzcBAiRdKv9Pg1wYkufjKTtIPwJONPrnVMpeRcOL7xA1qwzx42Umr7RVd6UBf0 +8LOIQJDZmZm6IOqh9CvHUrbZiEt2gKQhgELXbGUCgYEA29zacT1KMgl3LvLzmxkF +vAHFWwgr3uCANilGulWIp1JWTNHMCxzdVlvHocUjOd7+9ABjY1DzyzZywykhaDL+ +aB8Ij6XyLu+mp/uaTcztdVQ/RiD8R0twed6x7zX0q5HtWZO7/RiNU22oiDVtycZq +On6FA6LpfTMfTlcvCKRz1KUCgYB7ak6+9QLx39TseRzJ13uCUIt93yRk55rG7sah ++f2Cd9he1lst20lfO6dzemvMVjeBbDsLATAeAMWQ4FGdFBbJQGRHrpmdqzd/CT/N +vopUZ+9aOtlGp6ciNvoTp/+Ubve7izGVrIUXzi3P0kUf3PXcHDSE9miscqsjuow3 +4tKEYQKBgHIlUOPyU3F4qxR1lx+mOncvX2HWyqptNlbrRzyf4aJzP5uKeMRrp2m5 +4sjIYZ7NW64GBQUaS9DRbXJU8d1M3PKSI/8LKgXht3vrrW/IK3YCVhaonHn7034p +H5Jz822qO9+DXqTRQnInk+itxFh8PHIr05WQym3IIV1mILVlz91U +-----END RSA PRIVATE KEY----- diff --git a/cpan/Net-SSLeay/t/data/strange-cert.p12 b/cpan/Net-SSLeay/t/data/strange-cert.p12 new file mode 100644 index 000000000000..6a2556436625 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/strange-cert.p12 differ 
diff --git a/cpan/Net-SSLeay/t/data/verify-ca.cert.der b/cpan/Net-SSLeay/t/data/verify-ca.cert.der
new file mode 100644
index 000000000000..95dca1826414
Binary files /dev/null and b/cpan/Net-SSLeay/t/data/verify-ca.cert.der differ
diff --git a/cpan/Net-SSLeay/t/data/verify-ca.cert.dump b/cpan/Net-SSLeay/t/data/verify-ca.cert.dump
new file mode 100644
index 000000000000..fd3bcb34d2cb
--- /dev/null
+++ b/cpan/Net-SSLeay/t/data/verify-ca.cert.dump
@@ -0,0 +1,152 @@ + +# exported via command: perl examples/x509_cert_details.pl -dump -pem t/data/verify-ca.cert.pem > t/data/verify-ca.cert.pem_dump +# hashref dumped via Data::Dump +{ + cdp => [], + certificate_type => 305, + digest_sha1 => { + pubkey => pack("H*","21edf373ac92ed72840a12518d4f1a7a16528205"), + x509 => pack("H*","b7d290f2e81ccf507afc62514cffaff35dc9a51a"), + }, + extensions => { + count => 4, + entries => [ + { + critical => 1, + data => "Certificate Sign, CRL Sign", + ln => "X509v3 Key Usage", + nid => 83, + oid => "2.5.29.15", + sn => "keyUsage", + }, + { + critical => 1, + data => "CA:TRUE", + ln => "X509v3 Basic Constraints", + nid => 87, + oid => "2.5.29.19", + sn => "basicConstraints", + }, + { + critical => 0, + data => "21:ED:F3:73:AC:92:ED:72:84:0A:12:51:8D:4F:1A:7A:16:52:82:05", + ln => "X509v3 Subject Key Identifier", + nid => 82, + oid => "2.5.29.14", + sn => "subjectKeyIdentifier", + }, + { + critical => 0, + data => "Policy: 1.2.3.4.5", + ln => "X509v3 Certificate Policies", + nid => 89, + oid => "2.5.29.32", + sn => "certificatePolicies", + }, + ], + }, + extkeyusage => { ln => [], nid => [], oid => [], sn => [] }, + fingerprint => { + md5 => "C2:93:B9:A1:1E:1D:64:15:8C:26:83:C1:0A:54:0F:47", + sha1 => "B7:D2:90:F2:E8:1C:CF:50:7A:FC:62:51:4C:FF:AF:F3:5D:C9:A5:1A", + }, + hash => { + issuer => { dec => 3235285478, hex => "C0D689E6" }, + issuer_and_serial => { dec => 2780294971, hex => "A5B7EF3B" }, + subject => { dec => 1524484324, hex => "5ADDC8E4" }, + }, + issuer => { + count => 4, + entries => [ + { + data => "PL", + data_utf8_decoded => "PL", + ln => "countryName", + nid => 14, + oid => "2.5.4.6", + sn => "C", + }, + { + data => "Net-SSLeay", + data_utf8_decoded => "Net-SSLeay", + ln => "organizationName", + nid => 17, + oid => "2.5.4.10", + sn => "O", + }, + { + data => "Test Suite", + data_utf8_decoded => "Test Suite", + ln => "organizationalUnitName", + nid => 18, + oid => "2.5.4.11", + sn => "OU", + }, + { + data => "Root 
CA", + data_utf8_decoded => "Root CA", + ln => "commonName", + nid => 13, + oid => "2.5.4.3", + sn => "CN", + }, + ], + oneline => "/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Root CA", + print_rfc2253 => "CN=Root CA,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8 => "CN=Root CA,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8_decoded => "CN=Root CA,OU=Test Suite,O=Net-SSLeay,C=PL", + }, + keyusage => ["keyCertSign", "cRLSign"], + not_after => "2038-01-01T00:00:00Z", + not_before => "2020-01-01T00:00:00Z", + ns_cert_type => [], + pubkey_alg => "rsaEncryption", + pubkey_bits => 2048, + pubkey_id => 6, + pubkey_size => 256, + serial => { dec => 3, hex => "03", long => 3 }, + signature_alg => "sha256WithRSAEncryption", + subject => { + altnames => [], + count => 4, + entries => [ + { + data => "PL", + data_utf8_decoded => "PL", + ln => "countryName", + nid => 14, + oid => "2.5.4.6", + sn => "C", + }, + { + data => "Net-SSLeay", + data_utf8_decoded => "Net-SSLeay", + ln => "organizationName", + nid => 17, + oid => "2.5.4.10", + sn => "O", + }, + { + data => "Test Suite", + data_utf8_decoded => "Test Suite", + ln => "organizationalUnitName", + nid => 18, + oid => "2.5.4.11", + sn => "OU", + }, + { + data => "Verification CA", + data_utf8_decoded => "Verification CA", + ln => "commonName", + nid => 13, + oid => "2.5.4.3", + sn => "CN", + }, + ], + oneline => "/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Verification CA", + print_rfc2253 => "CN=Verification CA,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8 => "CN=Verification CA,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8_decoded => "CN=Verification CA,OU=Test Suite,O=Net-SSLeay,C=PL", + }, + version => 2, +} diff --git a/cpan/Net-SSLeay/t/data/verify-ca.cert.pem b/cpan/Net-SSLeay/t/data/verify-ca.cert.pem new file mode 100644 index 000000000000..a5be81733cab --- /dev/null +++ b/cpan/Net-SSLeay/t/data/verify-ca.cert.pem 
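Review bot: The provenance comment at the top of verify-ca.cert.dump names an output file that does not match the file being added: it ends with `> t/data/verify-ca.cert.pem_dump`, while the section header is `+++ b/cpan/Net-SSLeay/t/data/verify-ca.cert.dump`; the verify-cert.cert.dump section further down carries the same mismatch. Since that comment is the only record on the page of how the fixture is regenerated, it should read `# exported via command: perl examples/x509_cert_details.pl -dump -pem t/data/verify-ca.cert.pem > t/data/verify-ca.cert.dump` so that a maintainer who reruns it overwrites the file the tests actually read rather than creating a stray `.pem_dump` file.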
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDZjCCAlCgAwIBAgIBAzALBgkqhkiG9w0BAQswSTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxEDAOBgNVBAMM +B1Jvb3QgQ0EwHhcNMjAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjBRMQswCQYD +VQQGEwJQTDETMBEGA1UECgwKTmV0LVNTTGVheTETMBEGA1UECwwKVGVzdCBTdWl0 +ZTEYMBYGA1UEAwwPVmVyaWZpY2F0aW9uIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAyfTwpdmsqv2HBPCMUBMrsNhGhJuyIoL+amSXDZWDPNmR7ylM +DWWtt2zF2qF0teK5C0xQI1mZN5XkzWb4qlP19F1nnIGKgY2Y95m16QpX6quT+auG +hL10Rp0LmNsqMqifjEyC5hk/XUzVCtzv2YDEy003pRyTUPrXMLzYDnwPEgFdaWS2 +Iles/nVjb2gGaBo3CzYeR00s2Cy31TXF9EOEs17FpwQG8oxwFKsbgykGxXPWj/w9 +DWO+UNaoBTgi8JupQmCmuzCrq85tdWwTvMjb+sBhchC22Ow6VbGXY3RI1rRm2Hjd +uc4YORZlKKPNIjD7pSEmM/0ymbej5gMMiHXwOwIDAQABo1UwUzAOBgNVHQ8BAf8E +BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUIe3zc6yS7XKEChJRjU8a +ehZSggUwEQYDVR0gBAowCDAGBgQqAwQFMAsGCSqGSIb3DQEBCwOCAQEAgBQ7buzn +jZRSPG1nA+ysxdqm8tvKDRXLYjUDoc7ITCM0wbEypcKAB0Za3Y5fOc1xIka9o77X +qiNVIir0JGJEOb7I7UyZMjpY+rebiE1evCgtU8leZMzhzi9xs2zNU2az2YDEocPM +N9ptKm3IjbMVHrvspDhk3xb4sBmMaXjorRk6w5tyx6Ft/ksLJ1Q1Ubp0vGFB9dFX +BLFeHCtjhYCOFf+qqhuxE0Rb9SORgtK9BcNCPQsiATk054axKcfumeUUl0FyJnK1 +T9ZaOMz1Rqh+Gwof1YUcSbOEqoUE2MxuEfCTLRFtCYJIfeff2TCHND7AQeYO+V2d +/62BQ9lK3klPyA== +-----END CERTIFICATE----- diff --git a/cpan/Net-SSLeay/t/data/verify-ca.certchain.der b/cpan/Net-SSLeay/t/data/verify-ca.certchain.der new file mode 100644 index 000000000000..dabeb0fc7841 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/verify-ca.certchain.der differ diff --git a/cpan/Net-SSLeay/t/data/verify-ca.certchain.enc.p12 b/cpan/Net-SSLeay/t/data/verify-ca.certchain.enc.p12 new file mode 100644 index 000000000000..bac044823f06 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/verify-ca.certchain.enc.p12 differ 
diff --git a/cpan/Net-SSLeay/t/data/verify-ca.certchain.p12 b/cpan/Net-SSLeay/t/data/verify-ca.certchain.p12
new file mode 100644
index 000000000000..2cfd8fc98add
Binary files /dev/null and b/cpan/Net-SSLeay/t/data/verify-ca.certchain.p12 differ
diff --git a/cpan/Net-SSLeay/t/data/verify-ca.certchain.pem b/cpan/Net-SSLeay/t/data/verify-ca.certchain.pem
new file mode 100644
index 000000000000..294e4740167f
--- /dev/null
+++ b/cpan/Net-SSLeay/t/data/verify-ca.certchain.pem
@@ -0,0 +1,41 @@ +-----BEGIN CERTIFICATE----- +MIIDZjCCAlCgAwIBAgIBAzALBgkqhkiG9w0BAQswSTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxEDAOBgNVBAMM +B1Jvb3QgQ0EwHhcNMjAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjBRMQswCQYD +VQQGEwJQTDETMBEGA1UECgwKTmV0LVNTTGVheTETMBEGA1UECwwKVGVzdCBTdWl0 +ZTEYMBYGA1UEAwwPVmVyaWZpY2F0aW9uIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAyfTwpdmsqv2HBPCMUBMrsNhGhJuyIoL+amSXDZWDPNmR7ylM +DWWtt2zF2qF0teK5C0xQI1mZN5XkzWb4qlP19F1nnIGKgY2Y95m16QpX6quT+auG +hL10Rp0LmNsqMqifjEyC5hk/XUzVCtzv2YDEy003pRyTUPrXMLzYDnwPEgFdaWS2 +Iles/nVjb2gGaBo3CzYeR00s2Cy31TXF9EOEs17FpwQG8oxwFKsbgykGxXPWj/w9 +DWO+UNaoBTgi8JupQmCmuzCrq85tdWwTvMjb+sBhchC22Ow6VbGXY3RI1rRm2Hjd +uc4YORZlKKPNIjD7pSEmM/0ymbej5gMMiHXwOwIDAQABo1UwUzAOBgNVHQ8BAf8E +BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUIe3zc6yS7XKEChJRjU8a +ehZSggUwEQYDVR0gBAowCDAGBgQqAwQFMAsGCSqGSIb3DQEBCwOCAQEAgBQ7buzn +jZRSPG1nA+ysxdqm8tvKDRXLYjUDoc7ITCM0wbEypcKAB0Za3Y5fOc1xIka9o77X +qiNVIir0JGJEOb7I7UyZMjpY+rebiE1evCgtU8leZMzhzi9xs2zNU2az2YDEocPM +N9ptKm3IjbMVHrvspDhk3xb4sBmMaXjorRk6w5tyx6Ft/ksLJ1Q1Ubp0vGFB9dFX +BLFeHCtjhYCOFf+qqhuxE0Rb9SORgtK9BcNCPQsiATk054axKcfumeUUl0FyJnK1 +T9ZaOMz1Rqh+Gwof1YUcSbOEqoUE2MxuEfCTLRFtCYJIfeff2TCHND7AQeYO+V2d +/62BQ9lK3klPyA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDSzCCAjWgAwIBAgIBATALBgkqhkiG9w0BAQswSTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxEDAOBgNVBAMM +B1Jvb3QgQ0EwHhcNMjAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjBJMQswCQYD +VQQGEwJQTDETMBEGA1UECgwKTmV0LVNTTGVheTETMBEGA1UECwwKVGVzdCBTdWl0 +ZTEQMA4GA1UEAwwHUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAKSF8tIItlPf3KpLzUgI6JVW/d/+LZP1zYedrDFFXjvZu+4uFxE5zp4vczbX +k+jhF0TZk292eStA9kVMDePVMcGwjNF3Up99yYisFe/h4ovt/w3Op9b7KS9xy5Vh +fUNqxphHIUS4/S9+7o9DUjqNP94EszDzFu8R3V7QXdDE9pSn4UZMVDTozpeu+rLo ++FOkd7NQIJMSKOdCv1HOhcFuuj+4FkLlo8k5bDgEVH68xTOL92Q4sLwubHEWl/Hf +1IA8POwoOVLtuLj4GyIrbqM/Yj779kmRX+LtjsJ1kAmLhsh4T/XhTaOyqz/d253v 
+OE6hM6pM0KsuFLpdPDJynpSHoQcCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8G +A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLzOh106FMJ8u/MANb7SZ5Z+swVrMAsG +CSqGSIb3DQEBCwOCAQEAXU6HGU8ThUuJz+KCSNYaO3HxxFrNH2pFWwrTjt2tdBLk +uDvicaquwUzq6zetEys7v70WOCprGB6uARiet1vU7dg7cmrd7eWibMDNoKdcPNML +oZLO29WL+hvGTx/UD0o0j7l+ab2XB83q73mNRlqRBXZkkykaqWt9qy+LTvI7QYbc +ZoONmVE1wbq5c3R9L2aa27uJsfLPAErjr3mpnNtFhJfULv+hpmXHVukhra+VUkyp +jTiY83ad8ZHfCIxfZ+MUCcWNGj7G4Rkfd27MB7fDEQlisaSk8B17FK7oIqO/NN4E +w1SHQ5TRZSmbOTGIfZtS0KaTaZdZtBNee5BEzQz1sA== +-----END CERTIFICATE----- diff --git a/cpan/Net-SSLeay/t/data/verify-ca.csr.der b/cpan/Net-SSLeay/t/data/verify-ca.csr.der new file mode 100644 index 000000000000..6f7478012da1 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/verify-ca.csr.der differ diff --git a/cpan/Net-SSLeay/t/data/verify-ca.csr.pem b/cpan/Net-SSLeay/t/data/verify-ca.csr.pem new file mode 100644 index 000000000000..82d5a307d329 --- /dev/null +++ b/cpan/Net-SSLeay/t/data/verify-ca.csr.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIClDCCAX4CAQAwUTELMAkGA1UEBhMCUEwxEzARBgNVBAoMCk5ldC1TU0xlYXkx +EzARBgNVBAsMClRlc3QgU3VpdGUxGDAWBgNVBAMMD1ZlcmlmaWNhdGlvbiBDQTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMn08KXZrKr9hwTwjFATK7DY +RoSbsiKC/mpklw2VgzzZke8pTA1lrbdsxdqhdLXiuQtMUCNZmTeV5M1m+KpT9fRd +Z5yBioGNmPeZtekKV+qrk/mrhoS9dEadC5jbKjKon4xMguYZP11M1Qrc79mAxMtN +N6Uck1D61zC82A58DxIBXWlktiJXrP51Y29oBmgaNws2HkdNLNgst9U1xfRDhLNe +xacEBvKMcBSrG4MpBsVz1o/8PQ1jvlDWqAU4IvCbqUJgprswq6vObXVsE7zI2/rA +YXIQttjsOlWxl2N0SNa0Zth43bnOGDkWZSijzSIw+6UhJjP9Mpm3o+YDDIh18DsC +AwEAAaAAMAsGCSqGSIb3DQEBCwOCAQEAeA291KocvMaUu3zY9vSlJv5n+Y4xVo+f +5T2DN+70T/ev+/7Mn95aT0csJNPWc7bZYawIAAQfpM+rKVreHOjfcKzHoITodDg1 +EBnasP8PKagYwYcaoFvhuODjoreHaf5rocTxolP4zJNBGpO1kitNXmvVyUyp9D+s +krf7qkLmBO2oxVZcRkeHaBcssHIZ83AFzCVg7VVkVPCW2xOsB+YVGhCLmRnKpB/P +cZfief5hB/QVek9INwNlLb9Ni97xTmcTaOZG27AlQ6fZjAsqBFvQZq2Eu6LblEaE +OgugrujrezEKG50+K57AWWmmuiDp3nq3NngunTavN9EZwHFOLEiWvA== +-----END CERTIFICATE REQUEST----- 
diff --git a/cpan/Net-SSLeay/t/data/verify-ca.enc.p12 b/cpan/Net-SSLeay/t/data/verify-ca.enc.p12
new file mode 100644
index 000000000000..ed3f4fbadafb
Binary files /dev/null and b/cpan/Net-SSLeay/t/data/verify-ca.enc.p12 differ
diff --git a/cpan/Net-SSLeay/t/data/verify-ca.key.der b/cpan/Net-SSLeay/t/data/verify-ca.key.der
new file mode 100644
index 000000000000..1aafb9ab9ed5
Binary files /dev/null and b/cpan/Net-SSLeay/t/data/verify-ca.key.der differ
diff --git a/cpan/Net-SSLeay/t/data/verify-ca.key.enc.der b/cpan/Net-SSLeay/t/data/verify-ca.key.enc.der
new file mode 100644
index 000000000000..1aafb9ab9ed5
Binary files /dev/null and b/cpan/Net-SSLeay/t/data/verify-ca.key.enc.der differ
diff --git a/cpan/Net-SSLeay/t/data/verify-ca.key.enc.pem b/cpan/Net-SSLeay/t/data/verify-ca.key.enc.pem
new file mode 100644
index 000000000000..f3d0bd538983
--- /dev/null
+++ b/cpan/Net-SSLeay/t/data/verify-ca.key.enc.pem
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,653296D10A4C066A6865DAB458166404 + +1Bsbea51+wBGYVKF76n6csZlArTFPGx3QxnX2I77B+AQhRWKPA3KwT4i+PdPvoEf +7TXffSj2Rcv677IM8mVpEnZRfW26dCdYfmIYh1x2YOD/vErCo9kgWMzhIFbOg5eH +SFtbw1zgaZiyeRi1revymv2+WzMO2aTSV2chxtfj9n3mG3edool1HbE4DqdT0hx6 +URUsq2vms5waZKMpXJvvNnenQvbzDNt82Rp2Y0D5Hw4HPZ0h5WF1dXJdwckLGEFX +0hE9yN38DR05KoZo89Gsd6lIypGW9dlkfAywb1LLkxdJ6ba6jsJfj/rmyBJIoK7u +YNNMzHAQraz7Wrb7lPgk+IXdbzdvR9e16n+5xT8hHY5WA4R6qdnZaMZ1k8RXAqvy +PZA0smAJ6fVYER7NknNU11LzObhR/IV2eDt3HcqK9l3sqWSedl9iqvO0hu7D5Ot7 +n0dIkzU415p0oux4lrbaaXSeCGHPCWLKYEr28Fq6C9xFZZeoXKhhDdOjZA8qFYvn +8kwqifGyB/jK1QYMUWKZsX1TvvrPXe+Hsrf/sk87ZbWws2vCJDJ3Vh99XfF30NYy +l5/YWrZ70S0IeRGzHGw2TqI69Xr1t2YlwtuB73p+kipFpOZuCAAcMROEBcYZQiuF +z/d5E7RFHoNCHUa/ML5BGnHa4eiAsjqUnN77BxvEAQgIJdIIzJSILrQrVwk1awcX +P7Fitvqzgb3jhMcXgcgTHMAMH8RfFrC2Bkn2bG5hlpQ3pC6Q1DbKLeb5ZypYpHLq +6HLyOnnpBhAb+fHFtZ28xstSJ6KpVHjv/SMDX7pAyG9xHneMIICfBl+atnSsyEYm +uRI+8BxzP1qGyexUYUP3ykcdk47EsQgMKBLc/k/U371Zy9t0/TZr22TQ/JLeJzw0 +QNIU7AFYcTpjB0HA66fMXNFo13aT44gQhm2Y0uyUPgh602LFMi591OwNr2q/vIuC +6Uea1ojH7WZMe7RdDRR7Rz7K6O1oRp+RBbpEC5qtiZergKSNnQJ241XAt0+FonBF +J6XFLsRaLG0VFDgxMD/lmMFc3FLy1CSqTSMAPDorjKKya4moSvm/AC9z4mIuWotP +M7kqEHeApvhRAvathlCXCQ3p0V/RitMMXwLpYXs3JkK+R5U+x71NRlbqLA4Ioe5u +kgmwuD36MFdYmlT5bzP0cPQxAPuEAfQCtmrkZiSj3gxyG/k67kHaR5avVcFTVXd+ +xmtanAAZngFvBwAiTQpjvcx1rhmfEkGN4udysPTrO5T13CtWugImjz1ovVR1ANI7 +jcnQQBkm1pwS8ypyF1Aeya5D5zj6UhE7X48l8QhQPc9KQIXNpgWFnhuoc2fy5p5p +MqEo6sd+kOBHxtMqg66Gr7bDk+Qukm+csbWGEgWUSNgAXwdeD9MkA3Tt2ZBqmdLg +BijcafofR3TadGxPTrYNKegwKtxkatb5PzmOZb/uNwpAjwuyv4ytqj7FBDqjED3Z +pHTpN27n1+PIl+MPYgj06RTTj9mQf3fF/5SiLC5B7oHvtEfRRS410XAV5JLwvzIn +0HDujwNHB5QdFWUOIp/hIrNfRQOwlWyXz6mdUu3ra9YZk9frtsZ6cnRvO4lfTIlc +-----END RSA PRIVATE KEY----- diff --git a/cpan/Net-SSLeay/t/data/verify-ca.key.pem b/cpan/Net-SSLeay/t/data/verify-ca.key.pem new file mode 100644 index 000000000000..0a418fbaf6a0 --- /dev/null 
+++ b/cpan/Net-SSLeay/t/data/verify-ca.key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAyfTwpdmsqv2HBPCMUBMrsNhGhJuyIoL+amSXDZWDPNmR7ylM +DWWtt2zF2qF0teK5C0xQI1mZN5XkzWb4qlP19F1nnIGKgY2Y95m16QpX6quT+auG +hL10Rp0LmNsqMqifjEyC5hk/XUzVCtzv2YDEy003pRyTUPrXMLzYDnwPEgFdaWS2 +Iles/nVjb2gGaBo3CzYeR00s2Cy31TXF9EOEs17FpwQG8oxwFKsbgykGxXPWj/w9 +DWO+UNaoBTgi8JupQmCmuzCrq85tdWwTvMjb+sBhchC22Ow6VbGXY3RI1rRm2Hjd +uc4YORZlKKPNIjD7pSEmM/0ymbej5gMMiHXwOwIDAQABAoIBAAf4DE7fCfstSdie +DUtTllPCFPZCloLaHGPiWDuG/Mi35RRE0uVsb7BfMGdyG4LZ0WdquXbLoEobNg4M +1B8UdQ4RaXc5fVejWLfcbtslN1bhMlOVuxcdyqrGo6CCdWXOVY1Zr4iY0nFCCN4G +3cf9VsaW4202dXGqlDcuHHBl4MpbBXgNbRDt9r0QHU9txIPlZr2AGuIZ9PMopfjg +cfBZsBcEjcDDXTE7sLt9+iSC3312sV9AAxiAKfsgg7HQCvjwIjFf0r3BwEJatZR+ +XEEqTsSXIevVbEcSUWMbWnirhpsJbc1rI5CVjpZe3MCOKFJQDWp9PTaeMP+EW/pw +1jZT1cECgYEA2T5r6AIJ4Qda7raNNhdE5F2gWYpr9cOX4T25SOwq8aB8Lij3pelN +lXD9AqaUGg3xp21WO2fGVFDbGAfkIyR3gOXzuowenU2OXLYsaw9KRsb4+IHwE1sx +mWAz3b+3H+72lkYKVHjosB5+83H4ZyWcj+tolxHbyKdRg+KnTkfbwHECgYEA7fxb +GFZAwybuqdQSDunjHoSEgWar2hzvzSKhoS9Vtabq1L0YqKYp3uDJ2gz9ER0PEdau +fFl2XM4KVI94Wfu/ROuR72StRy49si/pEEXj9btpUH1b0421CiXs1r3frn4DByIU +J97HylBNFkzabtl/qKcLi8gauGEjc+GemU+lEWsCgYEAuqogHeJiirC/OY4yF+A2 +meK4/TcrPKkrv6ZBpp8G50d2bFNXN4AX4eiL/dMUPq7sjWgtSC4LBDfVifh91pRm ++qKbohbz10XkpVUDJZqlv9sH4sADgR5Cp/85kbhBqXay+ryD88FQbsRFYPj07+wp +cqBb5jK6Htdl+2StTV4BPIECgYAVNPepI4aB3WZHG+7ABXeHsKdeIJgPx6RW008z +3dP1a/phGrinzqbMhZt3ItEqRTyiik7iJda2TmX9QwumeRiCO7u1aXNHdIdq6XoL +SS8XJqwrz//uyiHn1ZlVSXY1RmVerVq+csu664zy/8Y3Oop1rO0Kd7pp074lBWXs +o3xCIQKBgHUFVPodMHz++Azzsec8LupstCpfP4bmr6s7ST3qVNu8LgeDW6l55Jlq +5fEUzsaBhv00qnoS03yJLgIFPdCfl1LNslyRKGSLPBv0iVnY+k7LSqhTalt2OAxZ +/jb/IVgy7m4OBbLo+VSb1vQ089omsYqWS6v/oryzQ/ie1GeXrpTK +-----END RSA PRIVATE KEY----- diff --git a/cpan/Net-SSLeay/t/data/verify-ca.p12 b/cpan/Net-SSLeay/t/data/verify-ca.p12 new file mode 100644 index 000000000000..80f6a2d79a6b Binary files /dev/null and b/cpan/Net-SSLeay/t/data/verify-ca.p12 differ 
diff --git a/cpan/Net-SSLeay/t/data/verify-cert.cert.der b/cpan/Net-SSLeay/t/data/verify-cert.cert.der
new file mode 100644
index 000000000000..3111bd773b19
Binary files /dev/null and b/cpan/Net-SSLeay/t/data/verify-cert.cert.der differ
diff --git a/cpan/Net-SSLeay/t/data/verify-cert.cert.dump b/cpan/Net-SSLeay/t/data/verify-cert.cert.dump
new file mode 100644
index 000000000000..84aa265ed48f
--- /dev/null
+++ b/cpan/Net-SSLeay/t/data/verify-cert.cert.dump
@@ -0,0 +1,183 @@ + +# exported via command: perl examples/x509_cert_details.pl -dump -pem t/data/verify-cert.cert.pem > t/data/verify-cert.cert.pem_dump +# hashref dumped via Data::Dump +{ + cdp => [], + certificate_type => 305, + digest_sha1 => { + pubkey => pack("H*","6c04300b89fdd566b291c90161a982e849f149c8"), + x509 => pack("H*","b01e01d619bcec62ef10ccb75460bb0cc6b2bce0"), + }, + extensions => { + count => 5, + entries => [ + { + critical => 1, + data => "Digital Signature, Key Encipherment", + ln => "X509v3 Key Usage", + nid => 83, + oid => "2.5.29.15", + sn => "keyUsage", + }, + { + critical => 0, + data => "TLS Web Server Authentication, TLS Web Client Authentication", + ln => "X509v3 Extended Key Usage", + nid => 126, + oid => "2.5.29.37", + sn => "extendedKeyUsage", + }, + { + critical => 0, + data => "6C:04:30:0B:89:FD:D5:66:B2:91:C9:01:61:A9:82:E8:49:F1:49:C8", + ln => "X509v3 Subject Key Identifier", + nid => 82, + oid => "2.5.29.14", + sn => "subjectKeyIdentifier", + }, + { + critical => 0, + data => "Policy: 1.2.3.4.5", + ln => "X509v3 Certificate Policies", + nid => 89, + oid => "2.5.29.32", + sn => "certificatePolicies", + }, + { + critical => 0, + data => "email:john.doe\@net-ssleay.example, DNS:*.johndoe.net-ssleay.example, IP Address:192.168.0.3", + ln => "X509v3 Subject Alternative Name", + nid => 85, + oid => "2.5.29.17", + sn => "subjectAltName", + }, + ], + }, + extkeyusage => { + ln => [ + "TLS Web Server Authentication", + "TLS Web Client Authentication", + ], + nid => [129, 130], + oid => ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"], + sn => ["serverAuth", "clientAuth"], + }, + fingerprint => { + md5 => "3F:EE:91:43:6F:20:61:62:C6:AD:26:E9:ED:BF:F3:25", + sha1 => "B0:1E:01:D6:19:BC:EC:62:EF:10:CC:B7:54:60:BB:0C:C6:B2:BC:E0", + }, + hash => { + issuer => { dec => 1524484324, hex => "5ADDC8E4" }, + issuer_and_serial => { dec => 3016836270, hex => "B3D144AE" }, + subject => { dec => 1528789409, hex => "5B1F79A1" }, + }, + issuer => { + count 
=> 4, + entries => [ + { + data => "PL", + data_utf8_decoded => "PL", + ln => "countryName", + nid => 14, + oid => "2.5.4.6", + sn => "C", + }, + { + data => "Net-SSLeay", + data_utf8_decoded => "Net-SSLeay", + ln => "organizationName", + nid => 17, + oid => "2.5.4.10", + sn => "O", + }, + { + data => "Test Suite", + data_utf8_decoded => "Test Suite", + ln => "organizationalUnitName", + nid => 18, + oid => "2.5.4.11", + sn => "OU", + }, + { + data => "Verification CA", + data_utf8_decoded => "Verification CA", + ln => "commonName", + nid => 13, + oid => "2.5.4.3", + sn => "CN", + }, + ], + oneline => "/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Verification CA", + print_rfc2253 => "CN=Verification CA,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8 => "CN=Verification CA,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8_decoded => "CN=Verification CA,OU=Test Suite,O=Net-SSLeay,C=PL", + }, + keyusage => ["digitalSignature", "keyEncipherment"], + not_after => "2038-01-01T00:00:00Z", + not_before => "2020-01-01T00:00:00Z", + ns_cert_type => [], + pubkey_alg => "rsaEncryption", + pubkey_bits => 2048, + pubkey_id => 6, + pubkey_size => 256, + serial => { dec => 1, hex => "01", long => 1 }, + signature_alg => "sha256WithRSAEncryption", + subject => { + altnames => [ + 1, + "john.doe\@net-ssleay.example", + 2, + "*.johndoe.net-ssleay.example", + 7, + "\xC0\xA8\0\3", + ], + count => 5, + entries => [ + { + data => "PL", + data_utf8_decoded => "PL", + ln => "countryName", + nid => 14, + oid => "2.5.4.6", + sn => "C", + }, + { + data => "Net-SSLeay", + data_utf8_decoded => "Net-SSLeay", + ln => "organizationName", + nid => 17, + oid => "2.5.4.10", + sn => "O", + }, + { + data => "Test Suite", + data_utf8_decoded => "Test Suite", + ln => "organizationalUnitName", + nid => 18, + oid => "2.5.4.11", + sn => "OU", + }, + { + data => "*.johndoe.net-ssleay.example", + data_utf8_decoded => "*.johndoe.net-ssleay.example", + ln => "commonName", + nid => 13, + oid => "2.5.4.3", + sn 
=> "CN", + }, + { + data => "john.doe\@net-ssleay.example", + data_utf8_decoded => "john.doe\@net-ssleay.example", + ln => "emailAddress", + nid => 48, + oid => "1.2.840.113549.1.9.1", + sn => "emailAddress", + }, + ], + oneline => "/C=PL/O=Net-SSLeay/OU=Test Suite/CN=*.johndoe.net-ssleay.example/emailAddress=john.doe\@net-ssleay.example", + print_rfc2253 => "emailAddress=john.doe\@net-ssleay.example,CN=*.johndoe.net-ssleay.example,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8 => "emailAddress=john.doe\@net-ssleay.example,CN=*.johndoe.net-ssleay.example,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8_decoded => "emailAddress=john.doe\@net-ssleay.example,CN=*.johndoe.net-ssleay.example,OU=Test Suite,O=Net-SSLeay,C=PL", + }, + version => 2, +} diff --git a/cpan/Net-SSLeay/t/data/verify-cert.cert.pem b/cpan/Net-SSLeay/t/data/verify-cert.cert.pem new file mode 100644 index 000000000000..080b6972f42a --- /dev/null +++ b/cpan/Net-SSLeay/t/data/verify-cert.cert.pem 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEBDCCAu6gAwIBAgIBATALBgkqhkiG9w0BAQswUTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxGDAWBgNVBAMM +D1ZlcmlmaWNhdGlvbiBDQTAeFw0yMDAxMDEwMDAwMDBaFw0zODAxMDEwMDAwMDBa +MIGKMQswCQYDVQQGEwJQTDETMBEGA1UECgwKTmV0LVNTTGVheTETMBEGA1UECwwK +VGVzdCBTdWl0ZTElMCMGA1UEAwwcKi5qb2huZG9lLm5ldC1zc2xlYXkuZXhhbXBs +ZTEqMCgGCSqGSIb3DQEJARYbam9obi5kb2VAbmV0LXNzbGVheS5leGFtcGxlMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuA19a8IB+OZWYRpCZO+4c3UI +fkrTAD/XjUyFs6deHRkIGGISAGDLeSJFenbIVYT5n4GWwmJmZDZTyWaFwlbaQIZe +ZLeJbVwFTP1rh4uqtYnxtwPy+t/o9HJqmH8G9nW2Kzy9llBVXzeWAGm23Fcwad98 +wyh0y4fwiJPbOZn5xHD9B1w0NtXLEO0xyQejESAbbIDUKw/Z+8aegxBXG0dZhUyS +MPiXarXHSoxL9Se+WWxCLeTzdiw3KwWXOqFF5G79v8PUIZpyAVV6+xjow1V9+eBG +StfQnyGzp++3ojMWQbKYJcz9Bc941gmDXuesXqdzmhTJeM9eA88agM7Q3xHhfwID +AQABo4GwMIGtMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI +KwYBBQUHAwIwHQYDVR0OBBYEFGwEMAuJ/dVmspHJAWGpguhJ8UnIMBEGA1UdIAQK +MAgwBgYEKgMEBTBKBgNVHREEQzBBgRtqb2huLmRvZUBuZXQtc3NsZWF5LmV4YW1w +bGWCHCouam9obmRvZS5uZXQtc3NsZWF5LmV4YW1wbGWHBMCoAAMwCwYJKoZIhvcN +AQELA4IBAQBlkfUelR35jj9bN9kdFE0fsYNTS/edfVEXUrsr1UclG/gH2jvusGPc +sopO5bkn5ZpXZ+ECbxsnq3HjqMYrI6UjcX7yszJtLiAvWkIcHg2PkKEztcVYL0Sb +NDKdSIEB8zdmPzCgo72OdRluk0N/JHnV8ooMuZrzgRLrHr4pO5eBKQg8AkM7Vu3i +cofnEwLximaMv9vHHza+JlncePOoy59kXybOrxYlqU+vrzDgrWdOTVumK1b+7RAh +GRnLzTCM6FEfyYJsjYKGM/ep/dL4GEVi4ZJ/fiZ096JbBZebIRbTmJVYG6g9rkH/ +MD8nduuaP4FacbSItkJnJKFrdB6GWLpq +-----END CERTIFICATE----- diff --git a/cpan/Net-SSLeay/t/data/verify-cert.certchain.der b/cpan/Net-SSLeay/t/data/verify-cert.certchain.der new file mode 100644 index 000000000000..c0d61ee529c7 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/verify-cert.certchain.der differ 
diff --git a/cpan/Net-SSLeay/t/data/verify-cert.certchain.enc.p12 b/cpan/Net-SSLeay/t/data/verify-cert.certchain.enc.p12
new file mode 100644
index 000000000000..0e504ae836e2
Binary files /dev/null and b/cpan/Net-SSLeay/t/data/verify-cert.certchain.enc.p12 differ
diff --git a/cpan/Net-SSLeay/t/data/verify-cert.certchain.p12 b/cpan/Net-SSLeay/t/data/verify-cert.certchain.p12
new file mode 100644
index 000000000000..63c2c872c480
Binary files /dev/null and b/cpan/Net-SSLeay/t/data/verify-cert.certchain.p12 differ
diff --git a/cpan/Net-SSLeay/t/data/verify-cert.certchain.pem b/cpan/Net-SSLeay/t/data/verify-cert.certchain.pem
new file mode 100644
index 000000000000..7f9f7b9c94b4
--- /dev/null
+++ b/cpan/Net-SSLeay/t/data/verify-cert.certchain.pem
@@ -0,0 +1,65 @@ +-----BEGIN CERTIFICATE----- +MIIEBDCCAu6gAwIBAgIBATALBgkqhkiG9w0BAQswUTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxGDAWBgNVBAMM +D1ZlcmlmaWNhdGlvbiBDQTAeFw0yMDAxMDEwMDAwMDBaFw0zODAxMDEwMDAwMDBa +MIGKMQswCQYDVQQGEwJQTDETMBEGA1UECgwKTmV0LVNTTGVheTETMBEGA1UECwwK +VGVzdCBTdWl0ZTElMCMGA1UEAwwcKi5qb2huZG9lLm5ldC1zc2xlYXkuZXhhbXBs +ZTEqMCgGCSqGSIb3DQEJARYbam9obi5kb2VAbmV0LXNzbGVheS5leGFtcGxlMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuA19a8IB+OZWYRpCZO+4c3UI +fkrTAD/XjUyFs6deHRkIGGISAGDLeSJFenbIVYT5n4GWwmJmZDZTyWaFwlbaQIZe +ZLeJbVwFTP1rh4uqtYnxtwPy+t/o9HJqmH8G9nW2Kzy9llBVXzeWAGm23Fcwad98 +wyh0y4fwiJPbOZn5xHD9B1w0NtXLEO0xyQejESAbbIDUKw/Z+8aegxBXG0dZhUyS +MPiXarXHSoxL9Se+WWxCLeTzdiw3KwWXOqFF5G79v8PUIZpyAVV6+xjow1V9+eBG +StfQnyGzp++3ojMWQbKYJcz9Bc941gmDXuesXqdzmhTJeM9eA88agM7Q3xHhfwID +AQABo4GwMIGtMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI +KwYBBQUHAwIwHQYDVR0OBBYEFGwEMAuJ/dVmspHJAWGpguhJ8UnIMBEGA1UdIAQK +MAgwBgYEKgMEBTBKBgNVHREEQzBBgRtqb2huLmRvZUBuZXQtc3NsZWF5LmV4YW1w +bGWCHCouam9obmRvZS5uZXQtc3NsZWF5LmV4YW1wbGWHBMCoAAMwCwYJKoZIhvcN +AQELA4IBAQBlkfUelR35jj9bN9kdFE0fsYNTS/edfVEXUrsr1UclG/gH2jvusGPc +sopO5bkn5ZpXZ+ECbxsnq3HjqMYrI6UjcX7yszJtLiAvWkIcHg2PkKEztcVYL0Sb +NDKdSIEB8zdmPzCgo72OdRluk0N/JHnV8ooMuZrzgRLrHr4pO5eBKQg8AkM7Vu3i +cofnEwLximaMv9vHHza+JlncePOoy59kXybOrxYlqU+vrzDgrWdOTVumK1b+7RAh +GRnLzTCM6FEfyYJsjYKGM/ep/dL4GEVi4ZJ/fiZ096JbBZebIRbTmJVYG6g9rkH/ +MD8nduuaP4FacbSItkJnJKFrdB6GWLpq +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDZjCCAlCgAwIBAgIBAzALBgkqhkiG9w0BAQswSTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxEDAOBgNVBAMM +B1Jvb3QgQ0EwHhcNMjAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjBRMQswCQYD +VQQGEwJQTDETMBEGA1UECgwKTmV0LVNTTGVheTETMBEGA1UECwwKVGVzdCBTdWl0 +ZTEYMBYGA1UEAwwPVmVyaWZpY2F0aW9uIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAyfTwpdmsqv2HBPCMUBMrsNhGhJuyIoL+amSXDZWDPNmR7ylM +DWWtt2zF2qF0teK5C0xQI1mZN5XkzWb4qlP19F1nnIGKgY2Y95m16QpX6quT+auG 
+hL10Rp0LmNsqMqifjEyC5hk/XUzVCtzv2YDEy003pRyTUPrXMLzYDnwPEgFdaWS2 +Iles/nVjb2gGaBo3CzYeR00s2Cy31TXF9EOEs17FpwQG8oxwFKsbgykGxXPWj/w9 +DWO+UNaoBTgi8JupQmCmuzCrq85tdWwTvMjb+sBhchC22Ow6VbGXY3RI1rRm2Hjd +uc4YORZlKKPNIjD7pSEmM/0ymbej5gMMiHXwOwIDAQABo1UwUzAOBgNVHQ8BAf8E +BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUIe3zc6yS7XKEChJRjU8a +ehZSggUwEQYDVR0gBAowCDAGBgQqAwQFMAsGCSqGSIb3DQEBCwOCAQEAgBQ7buzn +jZRSPG1nA+ysxdqm8tvKDRXLYjUDoc7ITCM0wbEypcKAB0Za3Y5fOc1xIka9o77X +qiNVIir0JGJEOb7I7UyZMjpY+rebiE1evCgtU8leZMzhzi9xs2zNU2az2YDEocPM +N9ptKm3IjbMVHrvspDhk3xb4sBmMaXjorRk6w5tyx6Ft/ksLJ1Q1Ubp0vGFB9dFX +BLFeHCtjhYCOFf+qqhuxE0Rb9SORgtK9BcNCPQsiATk054axKcfumeUUl0FyJnK1 +T9ZaOMz1Rqh+Gwof1YUcSbOEqoUE2MxuEfCTLRFtCYJIfeff2TCHND7AQeYO+V2d +/62BQ9lK3klPyA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDSzCCAjWgAwIBAgIBATALBgkqhkiG9w0BAQswSTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxEDAOBgNVBAMM +B1Jvb3QgQ0EwHhcNMjAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjBJMQswCQYD +VQQGEwJQTDETMBEGA1UECgwKTmV0LVNTTGVheTETMBEGA1UECwwKVGVzdCBTdWl0 +ZTEQMA4GA1UEAwwHUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAKSF8tIItlPf3KpLzUgI6JVW/d/+LZP1zYedrDFFXjvZu+4uFxE5zp4vczbX +k+jhF0TZk292eStA9kVMDePVMcGwjNF3Up99yYisFe/h4ovt/w3Op9b7KS9xy5Vh +fUNqxphHIUS4/S9+7o9DUjqNP94EszDzFu8R3V7QXdDE9pSn4UZMVDTozpeu+rLo ++FOkd7NQIJMSKOdCv1HOhcFuuj+4FkLlo8k5bDgEVH68xTOL92Q4sLwubHEWl/Hf +1IA8POwoOVLtuLj4GyIrbqM/Yj779kmRX+LtjsJ1kAmLhsh4T/XhTaOyqz/d253v +OE6hM6pM0KsuFLpdPDJynpSHoQcCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8G +A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLzOh106FMJ8u/MANb7SZ5Z+swVrMAsG +CSqGSIb3DQEBCwOCAQEAXU6HGU8ThUuJz+KCSNYaO3HxxFrNH2pFWwrTjt2tdBLk +uDvicaquwUzq6zetEys7v70WOCprGB6uARiet1vU7dg7cmrd7eWibMDNoKdcPNML +oZLO29WL+hvGTx/UD0o0j7l+ab2XB83q73mNRlqRBXZkkykaqWt9qy+LTvI7QYbc +ZoONmVE1wbq5c3R9L2aa27uJsfLPAErjr3mpnNtFhJfULv+hpmXHVukhra+VUkyp +jTiY83ad8ZHfCIxfZ+MUCcWNGj7G4Rkfd27MB7fDEQlisaSk8B17FK7oIqO/NN4E +w1SHQ5TRZSmbOTGIfZtS0KaTaZdZtBNee5BEzQz1sA== +-----END CERTIFICATE----- 
diff --git a/cpan/Net-SSLeay/t/data/verify-cert.csr.der b/cpan/Net-SSLeay/t/data/verify-cert.csr.der new file mode 100644 index 000000000000..43b81bc55c31 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/verify-cert.csr.der differ diff --git a/cpan/Net-SSLeay/t/data/verify-cert.csr.pem b/cpan/Net-SSLeay/t/data/verify-cert.csr.pem new file mode 100644 index 000000000000..297287bc7361 --- /dev/null +++ b/cpan/Net-SSLeay/t/data/verify-cert.csr.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICzjCCAbgCAQAwgYoxCzAJBgNVBAYTAlBMMRMwEQYDVQQKDApOZXQtU1NMZWF5 +MRMwEQYDVQQLDApUZXN0IFN1aXRlMSUwIwYDVQQDDBwqLmpvaG5kb2UubmV0LXNz +bGVheS5leGFtcGxlMSowKAYJKoZIhvcNAQkBFhtqb2huLmRvZUBuZXQtc3NsZWF5 +LmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4DX1rwgH4 +5lZhGkJk77hzdQh+StMAP9eNTIWzp14dGQgYYhIAYMt5IkV6dshVhPmfgZbCYmZk +NlPJZoXCVtpAhl5kt4ltXAVM/WuHi6q1ifG3A/L63+j0cmqYfwb2dbYrPL2WUFVf +N5YAabbcVzBp33zDKHTLh/CIk9s5mfnEcP0HXDQ21csQ7THJB6MRIBtsgNQrD9n7 +xp6DEFcbR1mFTJIw+JdqtcdKjEv1J75ZbEIt5PN2LDcrBZc6oUXkbv2/w9QhmnIB +VXr7GOjDVX354EZK19CfIbOn77eiMxZBspglzP0Fz3jWCYNe56xep3OaFMl4z14D +zxqAztDfEeF/AgMBAAGgADALBgkqhkiG9w0BAQsDggEBAKWx3MICh61xA8xb99jZ +38m60FFUTf/blDRMaKJmwRhQMcWQ8IAfBOVCqzHw9hsGloT8zVAE37nO90TukplY +V80kBLZvSYDrCV7bHgX3Mxzp1TMxTkPc6FDFU3IM5czaaGiVRDNA97rjgRaZKyXP +V8WsuoDalZiKEK5dN8+gxhb8GnNDxLYzO875jPcFLgwP1oTnFthQSbK967Iv5N/9 +pamQkztikb4LhhLjzUQk13ieCdqBipOqxcTMG+xlSkXy8a2AfnYUzwptzqq9mEo6 +rdHoRgTdcgftAFHN0YuY5r4MDUHDRNMoRvQH3FV4327I6ESMDufzrx80/tsQ289D +VrY= +-----END CERTIFICATE REQUEST----- diff --git a/cpan/Net-SSLeay/t/data/verify-cert.enc.p12 b/cpan/Net-SSLeay/t/data/verify-cert.enc.p12 new file mode 100644 index 000000000000..ec0fc8dc7763 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/verify-cert.enc.p12 differ 
diff --git a/cpan/Net-SSLeay/t/data/verify-cert.key.der b/cpan/Net-SSLeay/t/data/verify-cert.key.der
new file mode 100644
index 000000000000..84862f87b5fa
Binary files /dev/null and b/cpan/Net-SSLeay/t/data/verify-cert.key.der differ
diff --git a/cpan/Net-SSLeay/t/data/verify-cert.key.enc.der b/cpan/Net-SSLeay/t/data/verify-cert.key.enc.der
new file mode 100644
index 000000000000..84862f87b5fa
Binary files /dev/null and b/cpan/Net-SSLeay/t/data/verify-cert.key.enc.der differ
diff --git a/cpan/Net-SSLeay/t/data/verify-cert.key.enc.pem b/cpan/Net-SSLeay/t/data/verify-cert.key.enc.pem
new file mode 100644
index 000000000000..a875204f2efc
--- /dev/null
+++ b/cpan/Net-SSLeay/t/data/verify-cert.key.enc.pem
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,02259B7050C64CC324F90A75965ECEC4 + +r6qQaWzKbJHctKUiaSLBmM1hFkJSkafmOpG0mNlV4Cey4HbQk94KOm1qWZe71NxZ +X7jtb8ywQstPWqmH+XcKddRkIPs+TwlFdxwh1uTcUgYlkP2PryqGAV6WSwtPHbwC +ZBix+hm/lT/67eny53vm+E0g98odaqAH2h/Sr3vx+n6jqUxzoq+rONfVnZcQntPO +0z0wGv3WnArl4MQz9j0esDYEXumRF06DLoerr7W71GHSQFMqKOPuDIaJVeaY0sKu +uovWlUwyc7556CJcfmiybujc21kzZ8SaIB3DGAhPP+4z5d0ELcBLkDYiNcn5im0o +5EAOoipiYIZPMqw6LHCZej7BzgPi2+UnNrcdZts7jujfVzej/MlioT8cqFedR37t +w434zT6VsN0wisE2IYW0fE9WEEIn/izv06qLnGjqHoIj5J3WmpQVp8p0+jCnVgFP +lUyks31KcxMascW1raaro6+m/TlPdxUQZ/hi0nnRd1OY7zFpTZq69TTdthDc/QEV +GWRgkRCZ+Z4/mFv5SaSOtc6JqV35As2BpC8ALm7qaQ+N9vndPrfHHjJ4NhYV1WhE +hSyc5N3bLwSpabgMNbk6BziskoMzXNIpKXPyxxHVwbFbglc1b8TziO+yZIx1pix0 +pioKgS22YbD6sb6NeGnv2+MJvnmteSDF7lLmPghXtaT5T46w25FbCYqEkbe5uVC2 +TKagEVOA2mxJqRo0ZjxBUFo9vN6HVoE42rrmeKOfVAXmprZ0MDC1yeFXC6om9uO3 +OWllCjg2XaWqH5DO16Xwgpqi3Nxl1u1GSN7FsDt0Lc/mbo7Wtc7TjY8aIftJ/Myi +qh/gMeURBwCVzvtszl3matclfGYw34hl4qAlt99Kl7iTjGiWGHsuq3FnIZ+yQsjy +Xlz3DruKqHggkH5nWyZVS33xtWmjCIqMRlYNjfG/+28biJ7Hm/qj3lHcKq10fSfs +VxuRxCYeE8s+ei65s8M2Cu6ZoinMfEIJrLlMzYPnXMB7qMiV8eDE8d00JX9OOgXC +iN3QrNQN0eaL2zwZIiIIXIskMl1tBOkv0PIfiUyhYmgBJJUqFS7grPfjx2rH9KMk +rVZ42q8ca8Cav4nZKiLwUflWH/r8mgOtOVPcLFnn9vOPZH9biC+OzGpNd+Opvoq6 +qveDF7gSO64z/0khpHULTZuCM3Vs37H8FmkC/e0+XMkOL815k3yyaHXleFZWCGa1 +smXgOpDd0cJfXqv4ApVoRioXHHo119yVELTIkmi2jKzeMg4mTskqVziTZ6WQzccm +ZsgGSYq2vYmkMAyzD07hCLmg4ubfNekoPkYkPmXZ3NKVvCYw0Yeem7Iij8Kz6VV1 +0pJRvV/H6O0KsV2VqBCG/9Bur44mz65rusIV9RhYysEAmdJ3iyBstZe9K2Mvbs6s +ihIFY9QO8x+v9pZmMLNAoyWyj38m1fmXQgoJrtLf0ahEeIT37CV0X926lc+h44H6 +BOuE8PV/Bfx/fazSqsjfGeyak2cP8ih/S+IaIdObfpaO430xqVHKYt0IEdK0GHsG +D2Gl2eNBNuXc+jBbtypaxIFA5WcrffFJg4WrklVuswKGoBT1ZuuRe2jDNzec3l5g +-----END RSA PRIVATE KEY----- diff --git a/cpan/Net-SSLeay/t/data/verify-cert.key.pem b/cpan/Net-SSLeay/t/data/verify-cert.key.pem new file mode 100644 index 000000000000..18806d636506 --- /dev/null 
+++ b/cpan/Net-SSLeay/t/data/verify-cert.key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAuA19a8IB+OZWYRpCZO+4c3UIfkrTAD/XjUyFs6deHRkIGGIS +AGDLeSJFenbIVYT5n4GWwmJmZDZTyWaFwlbaQIZeZLeJbVwFTP1rh4uqtYnxtwPy ++t/o9HJqmH8G9nW2Kzy9llBVXzeWAGm23Fcwad98wyh0y4fwiJPbOZn5xHD9B1w0 +NtXLEO0xyQejESAbbIDUKw/Z+8aegxBXG0dZhUySMPiXarXHSoxL9Se+WWxCLeTz +diw3KwWXOqFF5G79v8PUIZpyAVV6+xjow1V9+eBGStfQnyGzp++3ojMWQbKYJcz9 +Bc941gmDXuesXqdzmhTJeM9eA88agM7Q3xHhfwIDAQABAoIBAFV0xgArczj60a6C +P8OX3l+VPl1NJo0eF1oe5pFUq4j9H1oa5trQFolm1TWYQ0oZ1MEvrS0R/RKYeuyv +MnnaU7nT6a3/3couCLQHkk68FYX2x4k/Ryken44oNcAacsQqQWvv5uMM56avK3GD +pAjIXs05nDcM6LW7p33ykL489NA1EEfOKVnATegUxXH43YPLFcTEhgYTChdJTJ4/ +hHgfEQKZ6wF8H0NrZ3r/IMklkndBm86WUvPqkz4yVDlvC3fXvCIBHYShJ4kYuyh0 +FaLW4lDzYiEQLC13EMfmWOVF/gv3xf21hb6nJKTs4HZgoajDHtTxQSTaxeR1Yo57 +UJoqWoECgYEA4G0CCAXEnTzEg0VVGvcKdrQOI0ULF9yfVz91za115pCmAVSm5Ddb +oUMGuWrGmh6LyTWbkUO+K/db1iAYGDc+TKP3U5nSZ+DaPCnu1JK88UOMqGJW9123 +S6c11QiVQK9R+t65Ew6uzR3bc7KgVMaMNXmBmUmWX3boixG+DHKXmz8CgYEA0fJk +Dn6SINxsV97vHkCG640PQDNzmTklepIN0qrby8QxNRrRhXAFcnEIZ7287CiaZmAc +WBdGzdbP52KKanyg5YYhBfrf1rABY5JvTxTnfN8zG7RXCtQAj1WC8ybUhCjFKs5S +QCnrAo7iaHQYf4TibtRpPXnjkhIk0QotdHqnacECgYAgf2h15O/tnOkP4TBLsU4w +li4d6VeL4wSny6axW9bgxj1jn/Byx5lbJquIme+cTaQMRNj8FgUptK31ubwDdaxt +yKh90J5pMGQppiDRY1Y80X1CvMq/EzEBoXroGFAUh86lNy8xlUS2qwYmIM2auQ2A +iNG9cqx1snBGAxG0F7vgXQKBgHebyYc8ctIH4i25k68/gd5Gse6YoX4kwYZwGTHx +J2GSd5pSmhWUeXX2kZxQy4Ybp8M1dFB3il4QyMeBK2x5bkz1OnEmuUmdYl0w+vsp +5KwOmRZqisBfgaYnSIBwmdhlRdcaTl/BweLmNnTd12sm8L3Fg+ODQrRgY9s4Gidn +DWPBAoGBAIG9/NSeCDEhg38r4M6+FglDc7/eTXXMV9aq7rSji0Cg0mPYAE2LHSV6 +sclJ9Fx0e4KNRERBezKkbIdTvx5kx/mCyBEi26RMWS+xZTdSHEeN1Hh9e1EcGkBE +a+AmdF1W9k/nrcIilodg9c/QBjrRUdVo4W15NuYIEY4QEoKKTPsW +-----END RSA PRIVATE KEY----- diff --git a/cpan/Net-SSLeay/t/data/verify-cert.p12 b/cpan/Net-SSLeay/t/data/verify-cert.p12 new file mode 100644 index 000000000000..c7f1f30c8699 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/verify-cert.p12 differ 
diff --git a/cpan/Net-SSLeay/t/data/wildcard-cert.cert.der b/cpan/Net-SSLeay/t/data/wildcard-cert.cert.der
new file mode 100644
index 000000000000..0254d84098bd
Binary files /dev/null and b/cpan/Net-SSLeay/t/data/wildcard-cert.cert.der differ
diff --git a/cpan/Net-SSLeay/t/data/wildcard-cert.cert.dump b/cpan/Net-SSLeay/t/data/wildcard-cert.cert.dump
new file mode 100644
index 000000000000..484f34482b9d
--- /dev/null
+++ b/cpan/Net-SSLeay/t/data/wildcard-cert.cert.dump
@@ -0,0 +1,160 @@ + +# exported via command: perl examples/x509_cert_details.pl -dump -pem t/data/wildcard-cert.cert.pem > t/data/wildcard-cert.cert.pem_dump +# hashref dumped via Data::Dump +{ + cdp => [], + certificate_type => 305, + digest_sha1 => { + pubkey => pack("H*","308c68e0f72b4592c2084b9f02113d1203352779"), + x509 => pack("H*","6f07b76e454c7b5e00a8eb1d321019500fa294f5"), + }, + extensions => { + count => 4, + entries => [ + { + critical => 1, + data => "Digital Signature, Key Encipherment", + ln => "X509v3 Key Usage", + nid => 83, + oid => "2.5.29.15", + sn => "keyUsage", + }, + { + critical => 0, + data => "TLS Web Server Authentication, TLS Web Client Authentication", + ln => "X509v3 Extended Key Usage", + nid => 126, + oid => "2.5.29.37", + sn => "extendedKeyUsage", + }, + { + critical => 0, + data => "30:8C:68:E0:F7:2B:45:92:C2:08:4B:9F:02:11:3D:12:03:35:27:79", + ln => "X509v3 Subject Key Identifier", + nid => 82, + oid => "2.5.29.14", + sn => "subjectKeyIdentifier", + }, + { + critical => 0, + data => "DNS:*.net-ssleay.example", + ln => "X509v3 Subject Alternative Name", + nid => 85, + oid => "2.5.29.17", + sn => "subjectAltName", + }, + ], + }, + extkeyusage => { + ln => [ + "TLS Web Server Authentication", + "TLS Web Client Authentication", + ], + nid => [129, 130], + oid => ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"], + sn => ["serverAuth", "clientAuth"], + }, + fingerprint => { + md5 => "D7:CA:D0:AA:8E:A9:30:8C:0D:F4:A3:6B:1B:94:74:76", + sha1 => "6F:07:B7:6E:45:4C:7B:5E:00:A8:EB:1D:32:10:19:50:0F:A2:94:F5", + }, + hash => { + issuer => { dec => 2397076613, hex => "8EE07C85" }, + issuer_and_serial => { dec => 3758447858, hex => "E0055CF2" }, + subject => { dec => 3756668519, hex => "DFEA3667" }, + }, + issuer => { + count => 4, + entries => [ + { + data => "PL", + data_utf8_decoded => "PL", + ln => "countryName", + nid => 14, + oid => "2.5.4.6", + sn => "C", + }, + { + data => "Net-SSLeay", + data_utf8_decoded => "Net-SSLeay", + ln => 
"organizationName", + nid => 17, + oid => "2.5.4.10", + sn => "O", + }, + { + data => "Test Suite", + data_utf8_decoded => "Test Suite", + ln => "organizationalUnitName", + nid => 18, + oid => "2.5.4.11", + sn => "OU", + }, + { + data => "Intermediate CA", + data_utf8_decoded => "Intermediate CA", + ln => "commonName", + nid => 13, + oid => "2.5.4.3", + sn => "CN", + }, + ], + oneline => "/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Intermediate CA", + print_rfc2253 => "CN=Intermediate CA,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8 => "CN=Intermediate CA,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8_decoded => "CN=Intermediate CA,OU=Test Suite,O=Net-SSLeay,C=PL", + }, + keyusage => ["digitalSignature", "keyEncipherment"], + not_after => "2038-01-01T00:00:00Z", + not_before => "2020-01-01T00:00:00Z", + ns_cert_type => [], + pubkey_alg => "rsaEncryption", + pubkey_bits => 2048, + pubkey_id => 6, + pubkey_size => 256, + serial => { dec => 3, hex => "03", long => 3 }, + signature_alg => "sha256WithRSAEncryption", + subject => { + altnames => [2, "*.net-ssleay.example"], + count => 4, + entries => [ + { + data => "PL", + data_utf8_decoded => "PL", + ln => "countryName", + nid => 14, + oid => "2.5.4.6", + sn => "C", + }, + { + data => "Net-SSLeay", + data_utf8_decoded => "Net-SSLeay", + ln => "organizationName", + nid => 17, + oid => "2.5.4.10", + sn => "O", + }, + { + data => "Test Suite", + data_utf8_decoded => "Test Suite", + ln => "organizationalUnitName", + nid => 18, + oid => "2.5.4.11", + sn => "OU", + }, + { + data => "*.net-ssleay.example", + data_utf8_decoded => "*.net-ssleay.example", + ln => "commonName", + nid => 13, + oid => "2.5.4.3", + sn => "CN", + }, + ], + oneline => "/C=PL/O=Net-SSLeay/OU=Test Suite/CN=*.net-ssleay.example", + print_rfc2253 => "CN=*.net-ssleay.example,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8 => "CN=*.net-ssleay.example,OU=Test Suite,O=Net-SSLeay,C=PL", + print_rfc2253_utf8_decoded => 
"CN=*.net-ssleay.example,OU=Test Suite,O=Net-SSLeay,C=PL", + }, + version => 2, +} diff --git a/cpan/Net-SSLeay/t/data/wildcard-cert.cert.pem b/cpan/Net-SSLeay/t/data/wildcard-cert.cert.pem new file mode 100644 index 000000000000..f65a01771a50 --- /dev/null +++ b/cpan/Net-SSLeay/t/data/wildcard-cert.cert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDjzCCAnmgAwIBAgIBAzALBgkqhkiG9w0BAQswUTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxGDAWBgNVBAMM +D0ludGVybWVkaWF0ZSBDQTAeFw0yMDAxMDEwMDAwMDBaFw0zODAxMDEwMDAwMDBa +MFYxCzAJBgNVBAYTAlBMMRMwEQYDVQQKDApOZXQtU1NMZWF5MRMwEQYDVQQLDApU +ZXN0IFN1aXRlMR0wGwYDVQQDDBQqLm5ldC1zc2xlYXkuZXhhbXBsZTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBALLRNAISgdaTgnQ38B0FJCslZ7dWJENm +p2xZ31+kzEgYOoY6n5U1ME/QzdXo8kn9KIa+LuPMQWXISGqS1LgyUabQTRqY+o9l +KKZNuDseD8tdoPFVTLvVkV2nieE1kXZE0T+tMZ5bsUs68Y/7utZ24z3d4ckz+Fxb +k48nEBHAvQhicv0pij7GKKN1xueUAylRe+1h1g0kjQsV0lIRpPkgl08yeBV7iUUj +JrXu4ji5X2h4f8js+2p8Qwce25UUe5U8ZUpx/MTJ2tZSPfY19A5DcJXChuBeKMsM +tYI3GAOjcJtZAcCMmDyTAdAn7u4rFak6BTqPfl++xc4uvGe62cOJ4XkCAwEAAaNx +MG8wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD +AjAdBgNVHQ4EFgQUMIxo4PcrRZLCCEufAhE9EgM1J3kwHwYDVR0RBBgwFoIUKi5u +ZXQtc3NsZWF5LmV4YW1wbGUwCwYJKoZIhvcNAQELA4IBAQCPTVntOhLoKlEipQiB +t/VVrxPbo3QTTwvAja4tjWC1zIckAbTS8yyEbgLezhimlYJFEa63mOVDHeD0HqAw +HZ8FhL/LHBX5HJLrYRA7ni6rKE/I2i4bMa+F0gdvXbEhWUnZ/zQ2j39DNSMPnYqw +KGykqKSJlRqcKO+y1H5+Vn9DrUmFKtUxaPmiYL2UkAUzbFXVUiDUe0QN2kUansji +6K6qjVYaOXEe0CH7wejrCuRU8Xqo2t4pXs/Jax73FK6KEMAzprMrWW+RyltseZ/R +88P0ckcctjq3xv0eiXSlCp7CSIJj3q6IZSOxPEsL4+4XuqchEAZoFXDllJxW2iek +LWJQ +-----END CERTIFICATE----- diff --git a/cpan/Net-SSLeay/t/data/wildcard-cert.certchain.der b/cpan/Net-SSLeay/t/data/wildcard-cert.certchain.der new file mode 100644 index 000000000000..20b73fa4ceb2 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/wildcard-cert.certchain.der differ 
diff --git a/cpan/Net-SSLeay/t/data/wildcard-cert.certchain.enc.p12 b/cpan/Net-SSLeay/t/data/wildcard-cert.certchain.enc.p12
new file mode 100644
index 000000000000..48c704ce2f8a
Binary files /dev/null and b/cpan/Net-SSLeay/t/data/wildcard-cert.certchain.enc.p12 differ
diff --git a/cpan/Net-SSLeay/t/data/wildcard-cert.certchain.p12 b/cpan/Net-SSLeay/t/data/wildcard-cert.certchain.p12
new file mode 100644
index 000000000000..f51651016ef5
Binary files /dev/null and b/cpan/Net-SSLeay/t/data/wildcard-cert.certchain.p12 differ
diff --git a/cpan/Net-SSLeay/t/data/wildcard-cert.certchain.pem b/cpan/Net-SSLeay/t/data/wildcard-cert.certchain.pem
new file mode 100644
index 000000000000..391801bb71f2
--- /dev/null
+++ b/cpan/Net-SSLeay/t/data/wildcard-cert.certchain.pem
@@ -0,0 +1,62 @@ +-----BEGIN CERTIFICATE----- +MIIDjzCCAnmgAwIBAgIBAzALBgkqhkiG9w0BAQswUTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxGDAWBgNVBAMM +D0ludGVybWVkaWF0ZSBDQTAeFw0yMDAxMDEwMDAwMDBaFw0zODAxMDEwMDAwMDBa +MFYxCzAJBgNVBAYTAlBMMRMwEQYDVQQKDApOZXQtU1NMZWF5MRMwEQYDVQQLDApU +ZXN0IFN1aXRlMR0wGwYDVQQDDBQqLm5ldC1zc2xlYXkuZXhhbXBsZTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBALLRNAISgdaTgnQ38B0FJCslZ7dWJENm +p2xZ31+kzEgYOoY6n5U1ME/QzdXo8kn9KIa+LuPMQWXISGqS1LgyUabQTRqY+o9l +KKZNuDseD8tdoPFVTLvVkV2nieE1kXZE0T+tMZ5bsUs68Y/7utZ24z3d4ckz+Fxb +k48nEBHAvQhicv0pij7GKKN1xueUAylRe+1h1g0kjQsV0lIRpPkgl08yeBV7iUUj +JrXu4ji5X2h4f8js+2p8Qwce25UUe5U8ZUpx/MTJ2tZSPfY19A5DcJXChuBeKMsM +tYI3GAOjcJtZAcCMmDyTAdAn7u4rFak6BTqPfl++xc4uvGe62cOJ4XkCAwEAAaNx +MG8wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD +AjAdBgNVHQ4EFgQUMIxo4PcrRZLCCEufAhE9EgM1J3kwHwYDVR0RBBgwFoIUKi5u +ZXQtc3NsZWF5LmV4YW1wbGUwCwYJKoZIhvcNAQELA4IBAQCPTVntOhLoKlEipQiB +t/VVrxPbo3QTTwvAja4tjWC1zIckAbTS8yyEbgLezhimlYJFEa63mOVDHeD0HqAw +HZ8FhL/LHBX5HJLrYRA7ni6rKE/I2i4bMa+F0gdvXbEhWUnZ/zQ2j39DNSMPnYqw +KGykqKSJlRqcKO+y1H5+Vn9DrUmFKtUxaPmiYL2UkAUzbFXVUiDUe0QN2kUansji +6K6qjVYaOXEe0CH7wejrCuRU8Xqo2t4pXs/Jax73FK6KEMAzprMrWW+RyltseZ/R +88P0ckcctjq3xv0eiXSlCp7CSIJj3q6IZSOxPEsL4+4XuqchEAZoFXDllJxW2iek +LWJQ +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDUzCCAj2gAwIBAgIBAjALBgkqhkiG9w0BAQswSTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxEDAOBgNVBAMM +B1Jvb3QgQ0EwHhcNMjAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjBRMQswCQYD +VQQGEwJQTDETMBEGA1UECgwKTmV0LVNTTGVheTETMBEGA1UECwwKVGVzdCBTdWl0 +ZTEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEArbBQg+3l/SUFGDENvpvTPnp942njbsrkcfpmpfLQPn9GsMll +GYQvG7YqN2NV44rEGlFTRkhDYVhni1MNoe3VnGRzNknSoCmvhjqiG8ojZTIzj3/a +OIYNiJ7RPei8cqgT9WUjtcsnHLQq2tPIy1Mm8bE9BazNeFHCE9/B8u8y04Ks2+nu +sxMrhpFA89eHNTs3Xt6K7jpx/FJxpYAQkkfkLvADJ//AnFF4utQfqP7QKHGE4V4U 
+0+6XGMCZ/9VBIy9sn8Vj0vY80jHgug4hZPpgc2NWSprfI6prbWhC8l/qLGR8hgeo +FU5rVR9KE7LR3FnA6gekv4A66SdqF694abnvXQIDAQABo0IwQDAOBgNVHQ8BAf8E +BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU1dNN5Fm5XHX22XLzm9z7 +7oAmkW8wCwYJKoZIhvcNAQELA4IBAQB+oK8jmUKMZ7YItcCAnoFvcY4pLgGPcnAT +h30Rc0uUUUcVB66J6+YRHFVWA1X/AgyWI9Jxq/Qy50hGye2fdZmxBa3j5nbZlwAU +2JylwYigjhNHD3CUxYFInxKSaQKKnzLsjazn8pjLUvJLdPuO42l4RVYRJlfW/TZX +vc4Qoql1xN46C4eNjewzW76BzqyykGjAR02JhImclaciZ+oOz04jp1bvMwfYwcdO +7UBROGqUuamfS6URU5rpMkj6Z/2Z0TtneO9nIhTN0P8dxxDTxoKDDko5KOOzXrAO +nDCAamxvxhlxLcFbog3rTGaSvY0JO6T96lepvnOuaYEuRx9oyj37 +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDSzCCAjWgAwIBAgIBATALBgkqhkiG9w0BAQswSTELMAkGA1UEBhMCUEwxEzAR +BgNVBAoMCk5ldC1TU0xlYXkxEzARBgNVBAsMClRlc3QgU3VpdGUxEDAOBgNVBAMM +B1Jvb3QgQ0EwHhcNMjAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjBJMQswCQYD +VQQGEwJQTDETMBEGA1UECgwKTmV0LVNTTGVheTETMBEGA1UECwwKVGVzdCBTdWl0 +ZTEQMA4GA1UEAwwHUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAKSF8tIItlPf3KpLzUgI6JVW/d/+LZP1zYedrDFFXjvZu+4uFxE5zp4vczbX +k+jhF0TZk292eStA9kVMDePVMcGwjNF3Up99yYisFe/h4ovt/w3Op9b7KS9xy5Vh +fUNqxphHIUS4/S9+7o9DUjqNP94EszDzFu8R3V7QXdDE9pSn4UZMVDTozpeu+rLo ++FOkd7NQIJMSKOdCv1HOhcFuuj+4FkLlo8k5bDgEVH68xTOL92Q4sLwubHEWl/Hf +1IA8POwoOVLtuLj4GyIrbqM/Yj779kmRX+LtjsJ1kAmLhsh4T/XhTaOyqz/d253v +OE6hM6pM0KsuFLpdPDJynpSHoQcCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8G +A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLzOh106FMJ8u/MANb7SZ5Z+swVrMAsG +CSqGSIb3DQEBCwOCAQEAXU6HGU8ThUuJz+KCSNYaO3HxxFrNH2pFWwrTjt2tdBLk +uDvicaquwUzq6zetEys7v70WOCprGB6uARiet1vU7dg7cmrd7eWibMDNoKdcPNML +oZLO29WL+hvGTx/UD0o0j7l+ab2XB83q73mNRlqRBXZkkykaqWt9qy+LTvI7QYbc +ZoONmVE1wbq5c3R9L2aa27uJsfLPAErjr3mpnNtFhJfULv+hpmXHVukhra+VUkyp +jTiY83ad8ZHfCIxfZ+MUCcWNGj7G4Rkfd27MB7fDEQlisaSk8B17FK7oIqO/NN4E +w1SHQ5TRZSmbOTGIfZtS0KaTaZdZtBNee5BEzQz1sA== +-----END CERTIFICATE----- 
diff --git a/cpan/Net-SSLeay/t/data/wildcard-cert.csr.der b/cpan/Net-SSLeay/t/data/wildcard-cert.csr.der new file mode 100644 index 000000000000..81cc89790630 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/wildcard-cert.csr.der differ diff --git a/cpan/Net-SSLeay/t/data/wildcard-cert.csr.pem b/cpan/Net-SSLeay/t/data/wildcard-cert.csr.pem new file mode 100644 index 000000000000..bbdf51bd6d85 --- /dev/null +++ b/cpan/Net-SSLeay/t/data/wildcard-cert.csr.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICmTCCAYMCAQAwVjELMAkGA1UEBhMCUEwxEzARBgNVBAoMCk5ldC1TU0xlYXkx +EzARBgNVBAsMClRlc3QgU3VpdGUxHTAbBgNVBAMMFCoubmV0LXNzbGVheS5leGFt +cGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAstE0AhKB1pOCdDfw +HQUkKyVnt1YkQ2anbFnfX6TMSBg6hjqflTUwT9DN1ejySf0ohr4u48xBZchIapLU +uDJRptBNGpj6j2Uopk24Ox4Py12g8VVMu9WRXaeJ4TWRdkTRP60xnluxSzrxj/u6 +1nbjPd3hyTP4XFuTjycQEcC9CGJy/SmKPsYoo3XG55QDKVF77WHWDSSNCxXSUhGk ++SCXTzJ4FXuJRSMmte7iOLlfaHh/yOz7anxDBx7blRR7lTxlSnH8xMna1lI99jX0 +DkNwlcKG4F4oywy1gjcYA6Nwm1kBwIyYPJMB0Cfu7isVqToFOo9+X77Fzi68Z7rZ +w4nheQIDAQABoAAwCwYJKoZIhvcNAQELA4IBAQCnds4bDg5xOEIjmZWAkvwklktS +IO8lmiMv38RuD1EKOvPJgyBzXxZa9gXz1axM1PTrxmz3jm9YXtqHbNQYovr6yBkV +63sc0Woqb/ovbEDSxz9gZo1LxfTOb6q/Rdyxg4L55b4GJMSW0j6TeDafbEM/NclB +adXWZfhQ4ajbcv9IjC1/Ohe21aRRwtp4e7IzQhCiz8jMG1GN9uKlLrPSKxvWGRhc +NZv3pl1T/qWxjwwgc9WYg9DfSNUob0hPUlidtMeSkiaS1Nf/FhfHJnKkcoZBM/uL +1GuaJ6PQUgMpO6K83oVSVi/NP4IAOoeOxKp+m/N/m3y+zewEr3KOuSOUO71K +-----END CERTIFICATE REQUEST----- diff --git a/cpan/Net-SSLeay/t/data/wildcard-cert.enc.p12 b/cpan/Net-SSLeay/t/data/wildcard-cert.enc.p12 new file mode 100644 index 000000000000..6347dfe616c6 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/wildcard-cert.enc.p12 differ diff --git a/cpan/Net-SSLeay/t/data/wildcard-cert.key.der b/cpan/Net-SSLeay/t/data/wildcard-cert.key.der new file mode 100644 index 000000000000..d35aa07d8404 Binary files /dev/null and b/cpan/Net-SSLeay/t/data/wildcard-cert.key.der differ 
diff --git a/cpan/Net-SSLeay/t/data/wildcard-cert.key.enc.der b/cpan/Net-SSLeay/t/data/wildcard-cert.key.enc.der
new file mode 100644
index 000000000000..d35aa07d8404
Binary files /dev/null and b/cpan/Net-SSLeay/t/data/wildcard-cert.key.enc.der differ
diff --git a/cpan/Net-SSLeay/t/data/wildcard-cert.key.enc.pem b/cpan/Net-SSLeay/t/data/wildcard-cert.key.enc.pem
new file mode 100644
index 000000000000..83d3cd722148
--- /dev/null
+++ b/cpan/Net-SSLeay/t/data/wildcard-cert.key.enc.pem
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,22A87C4E10CCE3101EA266DA88CEE247 + +DHD+x+cc/q4cUaEFbb0dKp8GcR8KZAFo1zKdaM7KSdQq7yfevts/AqkrKqhxcSjV +pqh1UbtI+sUQ31ygh3X5+BCoUGfSDX11jr1OTKlTgBa2KZkH3QzXIGTX8hGd/2ZI +RKDq6pPCtQfaEEecNlfafZ7R9brFcZ67bQFDAGodITt29nNIhW3/oT/gbFC9v+Ln +Da+I7VJV+zKu9+2HoVobA2HxQKeKeF0QjnMylIy/Heqg96TF1QQbG+g7OWr9SmSN +vddERLecFomMQQCxS+3Iyk2hKVw6gw7nvKOjRfcNU7U4ZQZwpu1U3xqGg+cdvtVe +raM1WpfrhVwydJvTgbMLeGjN/3rw3F7W2mN5IUIvVa+D08XrtItynbOgPdiGzQQ3 +tL3ivVoMECxgqaCeB0ogkMg1/aIElhLwUmSWOWqI+0aF7+8zfNfoWTPkvd3OcdWg +Ltkgme5ZRm0ZFNSs8bxlwQ1u3S3AQXX5gslyBWFCCvg3dppN7b+4zGa26XoH32vH +OcGA2dZDBfnuB3YE2Cz+IdWncqANP4/TZJraU95M6IZ6IVWOzRfAzMYm1Wl1xsyx +/48vv3RleB0mvsTwcRgmqPpGzormzwC+/y75ph6IKlluoc95w0j35j/bHUzsRPF8 +Ad7BEUSB7CS8+XNZMygOSAJG9t5ah5nl81EWX8ESHRWQAyMOxA9jdlCYO3KaBMEV +XiWVvEYKx1bWTHOhzoTBXV94E0NLYB94dpFN3qsCwNbuqY47fGBIioEKaE3fA1SK +x5an9HmtaB3nqgJDv+bCAYZJo8EEd5FXu7FkgcsemFGrxqMNvfJvnSjDRC6gyujX +RG3lT2QZS7d77CFlaGQUdiUqTLbQEZn2SMrR4k622gg7A0deuThuFLeF3f5yxWxk +0XuyNJ2cj0YKPocobV5+itdgwrA+opxfQO6KxBHN69UCKTdgF3Cbq9o0JzYBKKpA +Cb3C37ilhOHFvb+JkKIWLL9A0huc/Qut1fqIup6FXlp7aYk9iBXTxQmJTTAMUL3M +W0X2A9k9wIeccQLJU0mohH+Z+D236MQiC8v8YGTFD4+tSI9TbzgNBspf3xiw69yK +G03z30yjoRDbmwLAyKeoGzV7Hf3Yi4i56kuCkkNc+fsFZqgPuDAHWuX5Xn8wO0MM +DH60f2rOiPl9eJTCmGHoRPgY4AwSSG7WpiMIGh7HfxFUfrcJu/vyAhZTqYvcm4Iu +ItXbsN4QAb4OG3ydpwPFkR/TIIteOsM+x8wiS1uDyxYxCkES1OdqSiJc4ffru5Pl +XF8GR+3VVxs4TeT7F+sYow8lc23P9hx5BhX/u/s1h3jFJoAYrEOVvebnwtqzep0F +iUEQAyU+eZHg81CFyfp9jE+x9m48ET9nnPUjwOctXSqmwKUyyc3/d3RlwLCYBO4q +7syMhmMKSg/QofGpzlbRmOYRNnZb+5oYS2u9QLj7FLOAlJTSifiHSSRlhPgikGzy +qrwSdQjagqx7mgW00FDJlddTnuYg6fA6JTuiyYjo6cVMB2l70cbGgxbwqNP/Bzq5 +ULW4chlEp8jrVgjqqa6K3toNAww4dcrcMNJ5HkiJbV1TPPyAdvEGqUjlOuVRJrhA +-----END RSA PRIVATE KEY----- diff --git a/cpan/Net-SSLeay/t/data/wildcard-cert.key.pem b/cpan/Net-SSLeay/t/data/wildcard-cert.key.pem new file mode 100644 index 000000000000..34f272ac1276 --- /dev/null 
+++ b/cpan/Net-SSLeay/t/data/wildcard-cert.key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAstE0AhKB1pOCdDfwHQUkKyVnt1YkQ2anbFnfX6TMSBg6hjqf +lTUwT9DN1ejySf0ohr4u48xBZchIapLUuDJRptBNGpj6j2Uopk24Ox4Py12g8VVM +u9WRXaeJ4TWRdkTRP60xnluxSzrxj/u61nbjPd3hyTP4XFuTjycQEcC9CGJy/SmK +PsYoo3XG55QDKVF77WHWDSSNCxXSUhGk+SCXTzJ4FXuJRSMmte7iOLlfaHh/yOz7 +anxDBx7blRR7lTxlSnH8xMna1lI99jX0DkNwlcKG4F4oywy1gjcYA6Nwm1kBwIyY +PJMB0Cfu7isVqToFOo9+X77Fzi68Z7rZw4nheQIDAQABAoIBAAPC37+taPq89pEA +PjY2Dfk0W7ahArlCNwJR759g5YUcsVpycDnguQfswe+eaz5AK3KOHIlhGf0Mle1b +8kp/kHUcS4rkLd0HSTAaUWY47ycdbI22+Bq5VsnsBLvudwVQVEBtIa6NijClaEBZ +kKgDLyt1d9LWG4LB0FxB+5YMAk3jTyDrsR6TmlG099EUt4IaHX0NQrMiRgahDi12 +DFXkd8mUzG0LfSpYOvoMhifvzny2SnOotOtTntUmMjTsAdBMIrm9iCgFVoSnC5FI +dN+2PLupKXkeuZXmsag7GWpBO2v4KKzwNXBFUUmWTeWMzsxpf5NxG3ABrb8/s3rR +OkF24eMCgYEA+dbonSu6aEzq1qejfUBvt16/4cCjfyVvfvnfHK2GsyQ3ZNVS+WWn +VtcZi7ot4JFN6ZWSdlAarlMWPCRXO2xzl5AySH1LJlx1h68NTGTxIsXgYKp7GD7h +dloTbBkRLAS8EOWzPzfoyi+EvMTP43imyPYoyHZhP2aqyknlpjvYhj8CgYEAtzn4 +3Q22QGt5ejj4Ht/x6F41i9tpiEwlYvDmtT95RBPYEVRqoqkXGRSwV/y9vnFA12TQ +zVZzYR5wjcau0H3ZPA/QHLsZlEHb7aazoQmXThwLKoW0gZ73bExOFDgT3C6xntik +WcPODF/+YdKvWbR3YZsX5kSG5BupsfNcGvsV2kcCgYBL8kpPzMUjg443pkoKfxX2 +tfS6WWbZ9bVI8gginZU+y5mTK03HxmDyAv0e/n+HrmPyx6b4FC2oJFWz/pAN3k/d +GNZQNtYrWRvZHRt7x4uNuH0WpXw5yJOc+JDC4XPY36+Tq1+rrgEzxPIit+lCCqEY +ocuP9HxnW3w7de87cyHE3QKBgCgV9M5X66GYYdFNmWsXz5Lo2YopjKMXFa7ZyX+p +zVwJg2H3OAUyPS1ti08UqmZ53JfDJLNn0IJU6Ib8Cs7uWZJ8WymN/YCkD/ukVvRK +ZuHd3MuGyQD6yGLXJtXhlua7CH0aJIrG/dNTRRIdx+M2Sk/+YHIuV9yb+LpH5cS5 +XgSNAoGBAJLUzkXEr+x2vgMHBZ9IT+h4DOo7aVm4iIYrV9aX+uaXwysQSW+KfkGq +BmOh/rp2pqb4l4oKvXhj7R42ORLzdeX/F5oRWh4lklSgmYFGPd0/kD6MIaqD4I4d +jUZ1siJ9NVc7CYjIJi1qVdeMdF30lSoPAspdQRLFmggVNcnELLEh +-----END RSA PRIVATE KEY----- diff --git a/cpan/Net-SSLeay/t/data/wildcard-cert.p12 b/cpan/Net-SSLeay/t/data/wildcard-cert.p12 new file mode 100644 index 000000000000..144dc52633bd Binary files /dev/null and b/cpan/Net-SSLeay/t/data/wildcard-cert.p12 differ 
diff --git a/cpan/Net-SSLeay/t/external/ocsp.t b/cpan/Net-SSLeay/t/external/ocsp.t
new file mode 100644
index 000000000000..6b1367a77446
--- /dev/null
+++ b/cpan/Net-SSLeay/t/external/ocsp.t
@@ -0,0 +1,263 @@ +use lib 'inc'; + +use Net::SSLeay; +use Test::Net::SSLeay qw(initialise_libssl); + +use IO::Socket::INET; + +if (!defined &Net::SSLeay::OCSP_response_status) { + plan skip_all => 'No support for OCSP in your OpenSSL'; +} + +#$Net::SSLeay::trace=3; + +my @tests = ( + { + # this should give us OCSP stapling + host => 'www.microsoft.com', + port => 443, + fingerprint => '5f0b37e633840ca02468552ea3b1197e5e118f7b', + ocsp_staple => 1, + expect_status => Net::SSLeay::V_OCSP_CERTSTATUS_GOOD(), + }, + { + # no OCSP stapling + host => 'www.heise.de', + port => 443, + fingerprint => '36a7d7bfc59db65c040bccd291ae563d9ef7bafc', + expect_status => Net::SSLeay::V_OCSP_CERTSTATUS_GOOD(), + }, + { + # this is revoked + host => 'revoked.grc.com', + port => 443, + fingerprint => '310665f4c8e78db761c764e798dca66047341264', + expect_status => Net::SSLeay::V_OCSP_CERTSTATUS_REVOKED(), + }, +); + +my $release_tests = $ENV{RELEASE_TESTING} ? 1:0; +plan tests => $release_tests + @tests; + +initialise_libssl(); + +my $timeout = 10; # used to TCP connect and SSL connect +my $http_ua = eval { require HTTP::Tiny } && HTTP::Tiny->new(verify_SSL => 0); + +my $sha1 = Net::SSLeay::EVP_get_digestbyname('sha1'); + + +my @fp_mismatch; +TEST: +for my $test (@tests) { + my $cleanup = __cleanup__->new; + SKIP: { + skip 'HTTP::Tiny required but not installed', 1 + unless $http_ua; + + my $cl = IO::Socket::INET->new( + PeerAddr => $test->{host}, + PeerPort => $test->{port}, + Timeout => $timeout, + ); + skip "TCP connect to $test->{host}:$test->{port} failed: $!",1 + if !$cl; + diag("tcp connect to $test->{host}:$test->{port} ok"); + + my $ctx = Net::SSLeay::CTX_new() or die "failed to create CTX"; + + # enable verification with hopefully usable CAs + Net::SSLeay::CTX_set_default_verify_paths($ctx); + Net::SSLeay::CTX_load_verify_locations($ctx, + Mozilla::CA::SSL_ca_file(),'') + if eval { require Mozilla::CA }; + Net::SSLeay::CTX_set_verify($ctx,Net::SSLeay::VERIFY_PEER(),undef); + + 
# setup TLS extension callback to catch stapled OCSP response + my $stapled_response; + Net::SSLeay::CTX_set_tlsext_status_cb($ctx,sub { + my ($ssl,$resp) = @_; + diag("got ".($resp ? '':'no ')."stapled OCSP response"); + return 1 if ! $resp; + $stapled_response = Net::SSLeay::i2d_OCSP_RESPONSE($resp); + return 1; + }); + + # create SSL object only after we have the context fully done since + # some parts of the context (like verification mode) will be copied + # to the SSL object and thus later changes to the CTX don't affect + # the SSL object + my $ssl = Net::SSLeay::new($ctx) or die "failed to create SSL"; + + # setup TLS extension to request stapled OCSP response + Net::SSLeay::set_tlsext_status_type($ssl, + Net::SSLeay::TLSEXT_STATUSTYPE_ocsp()); + + # non-blocking SSL_connect with timeout + $cl->blocking(0); + Net::SSLeay::set_fd($ssl,fileno($cl)); + my $end = time() + $timeout; + my ($rv,@err); + while (($rv = Net::SSLeay::connect($ssl)) < 0) { + my $to = $end-time(); + $to<=0 and last; + my $err = Net::SSLeay::get_error($ssl,$rv); + vec( my $vec = '',fileno($cl),1) = 1; + if ( $err == Net::SSLeay::ERROR_WANT_READ()) { + select($vec,undef,undef,$to); + } elsif ( $err == Net::SSLeay::ERROR_WANT_WRITE()) { + select(undef,$vec,undef,$to); + } else { + while ( my $err = Net::SSLeay::ERR_get_error()) { + push @err, Net::SSLeay::ERR_error_string($err); + } + last + } + } + skip "SSL_connect with $test->{host}:$test->{port} failed: @err",1 + if $rv<=0; + diag("SSL_connect ok"); + + # make sure we talk to the right party, e.g. no SSL interception + my $leaf_cert = Net::SSLeay::get_peer_certificate($ssl); + $cleanup->add(sub { Net::SSLeay::X509_free($leaf_cert) }) if $leaf_cert; + my $fp = $leaf_cert + && unpack("H*",Net::SSLeay::X509_digest($leaf_cert,$sha1)); + skip "could not get fingerprint",1 if !$fp; + if ($fp ne $test->{fingerprint}) { + push @fp_mismatch, [ $fp,$test ]; + skip("bad fingerprint for $test->{host}:$test->{port} -". 
+ " expected $test->{fingerprint}, got $fp",1) + } + diag("fingerprint matches"); + + if ( $test->{ocsp_staple} && ! $stapled_response ) { + fail("did not get expected stapled OCSP response on $test->{host}:$test->{port}"); + next TEST; + } + + # create OCSP_REQUEST for all certs + my @requests; + for my $cert (Net::SSLeay::get_peer_cert_chain($ssl)) { + my $subj = Net::SSLeay::X509_NAME_oneline( + Net::SSLeay::X509_get_subject_name($cert)); + my $uri = Net::SSLeay::P_X509_get_ocsp_uri($cert); + if (!$uri) { + diag("no OCSP URI for cert $subj"); + next; + } + my $id = eval { Net::SSLeay::OCSP_cert2ids($ssl,$cert) } or do { + fail("failed to get OCSP_CERTIDs for cert $subj: $@"); + next TEST; + }; + my $req = Net::SSLeay::OCSP_ids2req($id); + push @requests, [ $uri,$req,$id,$subj ]; + $cleanup->add(sub { Net::SSLeay::OCSP_REQUEST_free($req) }); + } + if (!@requests) { + fail("no certificate checks for $test->{host}:$test->{port}"); + next TEST; + } + + my $check_response = sub { + my ($resp,$req,$id,$expect_status) = @_; + if ( Net::SSLeay::OCSP_response_status($resp) + != Net::SSLeay::OCSP_RESPONSE_STATUS_SUCCESSFUL()) { + return [ undef,"response bad status ". + Net::SSLeay::OCSP_response_status_str(Net::SSLeay::OCSP_response_status($resp)) ]; + } elsif ( ! eval { + Net::SSLeay::OCSP_response_verify($ssl,$resp,$req) }) { + return [ undef,"cannot verify response: $@" ]; + } + # extract result for id + my ($status) = Net::SSLeay::OCSP_response_results($resp,$id); + return [ undef,"no data for cert in response: $status->[1]" ] + if ! 
$status->[2]; + if ($expect_status != $status->[2]{statusType}) { + return [ undef, + "unexpected status=$status->[2]{statusType} (expected $expect_status): $status->[1]" ] + } elsif ( $status->[2]{nextUpdate} ) { + diag("status=$expect_status as expected: nextUpd=".localtime($status->[2]{nextUpdate})); + } else { + diag("status=$expect_status as expected: no nextUpd"); + } + return $status; + }; + + if ($stapled_response) { + my $stat = $check_response->( + Net::SSLeay::d2i_OCSP_RESPONSE($stapled_response), + undef, # no OCSP_REQUEST + $requests[0][2], # stapled response is for the leaf certificate + $test->{expect_status} + ); + if (!$stat->[0]) { + fail($stat->[1]); + next TEST; + } + } + + for(my $i=0;$i<@requests;$i++) { + my ($uri,$req,$id,$subj) = @{$requests[$i]}; + if ( ! $http_ua ) { + diag("no HTTP: skip checking $uri | $subj"); + next + } + my $res = $http_ua->request('POST',$uri, { + headers => { 'Content-type' => 'application/ocsp-request' }, + content => Net::SSLeay::i2d_OCSP_REQUEST($req), + timeout => $timeout, + }); + if (!$res->{success}) { + if ($res->{status} == 599) { + # internal error, assume network problem + diag("disabling HTTP because of $http_ua->{reason}"); + $http_ua = undef; + } + diag("$http_ua->{reason}: skip checking $uri | $subj"); + next; + } + my $resp = eval { Net::SSLeay::d2i_OCSP_RESPONSE($res->{content}) }; + if (!$resp) { + diag("bad OCSP response($@): skip checking $uri | $subj"); + next; + } + my $stat = $check_response->( + $resp, + $req, + $id, + ($i>0) ? Net::SSLeay::V_OCSP_CERTSTATUS_GOOD() : $test->{expect_status}, + ); + if (!$stat->[0]) { + fail($stat->[1]); + next TEST; + } + } + + pass("OCSP test $test->{host}:$test->{port} ok"); + } +} + +if ($release_tests) { + if (!@fp_mismatch) { + pass("all fingerprints matched"); + } else { + for(@fp_mismatch) { + my ($fp,$test) = @$_; + diag("fingerprint mismatch for $test->{host}:$test->{port} -". 
+ " expected $test->{fingerprint}, got $fp") + } + fail("some fingerprints did not matched - please adjust test"); + } +} + +{ + # cleanup stuff when going out of scope + package __cleanup__; + sub new { bless [],shift }; + sub add { my $self = shift; push @$self,@_ } + sub DESTROY { + my $self = shift; + &$_ for(@$self) + } +} diff --git a/cpan/Net-SSLeay/t/handle/external/10_destroy.t b/cpan/Net-SSLeay/t/handle/external/10_destroy.t new file mode 100644 index 000000000000..cf2279ef7517 --- /dev/null +++ b/cpan/Net-SSLeay/t/handle/external/10_destroy.t @@ -0,0 +1,55 @@ +#!/usr/bin/perl + +use strict; +use warnings; +use Test::More; + +my @uris = qw( + www.google.com + www.microsoft.com + www.kernel.org +); +@uris = split(/:/, $ENV{SSLEAY_URIS}) if exists $ENV{SSLEAY_URIS}; +if (@uris) { + plan tests => scalar @uris * 2; +} +else { + plan skip_all => 'No external hosts specified for SSL testing'; +} + +use File::Spec; +use Symbol qw(gensym); +use Net::SSLeay::Handle; + +# On some platforms, such as Solaris, the act of resolving the host name +# opens (and leaves open) a connection to the DNS client, which breaks +# the fd counting algorithm below. Make sure the DNS is operating before +# we count the FDs for the first time. +for my $uri (@uris) { + my $dummy = gethostbyname($uri); +} + +my $fdcount_start = count_fds(); + +for my $uri (@uris) { + { + my $ssl = gensym(); + tie(*$ssl, "Net::SSLeay::Handle", $uri, 443); + print $ssl "GET / HTTP/1.0\r\n\r\n"; + + my $response = do { local $/ = undef; <$ssl> }; + like( $response, qr/^HTTP\/1/s, 'correct response' ); + } + + my $fdcount_end = count_fds(); + is ($fdcount_end, $fdcount_start, 'handle gets destroyed when it goes out of scope'); +} + +sub count_fds { + my $fdpath = File::Spec->devnull(); + my $fh = gensym(); + open($fh, $fdpath) or die; + my $count = fileno($fh); + close($fh); + return $count; +} 
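Review bot: In the HTTP failure branch of the per-request loop near the end of the ocsp.t hunk, `diag("$http_ua->{reason}: skip checking $uri | $subj")` runs after the 599 case has already done `$http_ua = undef`, so on the one path that disables HTTP the reason text is lost and the message reads just `: skip checking …`. HTTP::Tiny reports the reason phrase in the response hash rather than on the user-agent object, so `$res->{reason}` looks like the intended source in both diag calls: `diag("disabling HTTP because of $res->{reason}");` and `diag("$res->{reason}: skip checking $uri | $subj");`. A short comment above `$http_ua = undef;` would also help the next reader, e.g. `# 599 is HTTP::Tiny's internal-error status: treat it as no network and stop issuing OCSP requests for the remaining tests`.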
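Review bot: `count_fds` in the 10_destroy.t hunk opens the null device with a two-argument `open($fh, $fdpath) or die;`, which omits the mode and dies without saying what failed; `open($fh, '<', $fdpath) or die "open $fdpath: $!";` keeps the fileno-probing behaviour unchanged and gives a usable diagnostic. The two-argument form is what perlcritic flags at its highest severity, so it is worth fixing even though the path here is a fixed `File::Spec->devnull()`.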
diff --git a/cpan/Net-SSLeay/t/handle/external/50_external.t b/cpan/Net-SSLeay/t/handle/external/50_external.t new file mode 100644 index 000000000000..40df5b9c91d8 --- /dev/null +++ b/cpan/Net-SSLeay/t/handle/external/50_external.t @@ -0,0 +1,78 @@ +#!/usr/bin/perl + +use strict; +use warnings; +use Test::More; +use Symbol qw(gensym); +use Net::SSLeay::Handle; + +my @sites = qw( + www.google.com + www.microsoft.com + www.kernel.org +); +@sites = split(/:/, $ENV{SSLEAY_SITES}) if exists $ENV{SSLEAY_SITES}; +if (@sites) { + plan tests => scalar @sites * 7; +} +else { + plan skip_all => 'No external hosts specified for SSL testing'; +} + + +for my $site (@sites) { + SKIP: { + my $ssl = gensym(); + eval { + tie(*$ssl, 'Net::SSLeay::Handle', $site, 443); + }; + + skip('could not connect to '.$site, 2) if $@; + pass('connection to '.$site); + + print $ssl "GET / HTTP/1.0\r\n\r\n"; + my $resp = do { local $/ = undef; <$ssl> }; + + like( $resp, qr/^HTTP\/1/, 'response' ); + } +} + +{ + my @sock; + for (my $i = 0; $i < scalar @sites; $i++) { + SKIP: { + my $ssl = gensym(); + eval { + tie(*$ssl, 'Net::SSLeay::Handle', $sites[$i], 443); + }; + + $sock[$i] = undef; #so scalar @sock == scalar @sites + + skip('could not connect', 2) if $@; + pass('connection'); + + $sock[$i] = $ssl; + + ok( $ssl, 'got handle' ); + } + } + + for my $sock (@sock) { + SKIP : { + skip('not connected', 2) unless defined $sock; + pass('connected'); + + print $sock "GET / HTTP/1.0\r\n\r\n"; + + my $resp = do { local $/ = undef; <$sock> }; + like( $resp, qr/^HTTP\/1/, 'response' ); + } + } + + for my $sock (@sock) { + SKIP : { + skip('not connected', 1) unless defined $sock; + ok(close($sock), 'socket closed'); + } + } +} diff --git a/cpan/Net-SSLeay/t/handle/local/05_use.t b/cpan/Net-SSLeay/t/handle/local/05_use.t new file mode 100644 index 000000000000..6e82b4fc1c5c --- /dev/null +++ b/cpan/Net-SSLeay/t/handle/local/05_use.t 
@@ -0,0 +1,9 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use Test::More tests => 1;
+
+BEGIN {
+ use_ok('Net::SSLeay::Handle');
+}
diff --git a/cpan/Net-SSLeay/t/local/03_use.t b/cpan/Net-SSLeay/t/local/03_use.t
new file mode 100644
index 000000000000..36364b47d71f
--- /dev/null
+++ b/cpan/Net-SSLeay/t/local/03_use.t
@@ -0,0 +1,74 @@ +# Basic module loading test, plus OS/Perl/libssl information to assist +# with diagnosing later test failures + +use lib 'inc'; + +use Test::Net::SSLeay; + +BEGIN { + plan tests => 1; + + use_ok('Net::SSLeay'); +} + +diag(""); +diag("Testing Net::SSLeay $Net::SSLeay::VERSION"); +diag(""); +diag("Perl information:"); +diag(" Version: '" . $] . "'"); +diag(" Executable path: '" . $^X . "'"); +diag(""); + +my $version_num; +if (defined &Net::SSLeay::OpenSSL_version_num) { + diag("Library version with OpenSSL_version_num():"); + $version_num = Net::SSLeay::OpenSSL_version_num(); +} else { + diag("Library version with SSLeay():"); + $version_num = Net::SSLeay::SSLeay(); +} +diag(" OPENSSL_VERSION_NUMBER: " . sprintf("'0x%08x'", $version_num)); +diag(""); + +my $have_openssl_version = defined &Net::SSLeay::OpenSSL_version; + +diag("Library information with SSLeay_version()" . ($have_openssl_version ? " and OpenSSL_version()" : '') . ":"); +diag(" SSLEAY_VERSION: '" . Net::SSLeay::SSLeay_version(Net::SSLeay::SSLEAY_VERSION()) . "'"); +diag(" SSLEAY_CFLAGS: '" . Net::SSLeay::SSLeay_version(Net::SSLeay::SSLEAY_CFLAGS()) . "'"); +diag(" SSLEAY_BUILT_ON: '" . Net::SSLeay::SSLeay_version(Net::SSLeay::SSLEAY_BUILT_ON()) . "'"); +diag(" SSLEAY_PLATFORM: '" . Net::SSLeay::SSLeay_version(Net::SSLeay::SSLEAY_PLATFORM()) . "'"); +diag(" SSLEAY_DIR: '" . Net::SSLeay::SSLeay_version(Net::SSLeay::SSLEAY_DIR()) . "'"); + +# This constant was added about the same time as OpenSSL_version() +if ($have_openssl_version) { + diag(" OPENSSL_ENGINES_DIR: '" . Net::SSLeay::OpenSSL_version(Net::SSLeay::OPENSSL_ENGINES_DIR()) . "'"); +} + +# These were added in OpenSSL 3.0.0 +if (eval { Net::SSLeay::OPENSSL_MODULES_DIR(); 1; }) { + diag(" OPENSSL_MODULES_DIR: '" . Net::SSLeay::OpenSSL_version(Net::SSLeay::OPENSSL_MODULES_DIR()) . "'"); + diag(" OPENSSL_CPU_INFO: '" . Net::SSLeay::OpenSSL_version(Net::SSLeay::OPENSSL_CPU_INFO()) . "'"); + diag(" OPENSSL_VERSION_STRING: '" . 
Net::SSLeay::OpenSSL_version(Net::SSLeay::OPENSSL_VERSION_STRING()) . "'"); + diag(" OPENSSL_FULL_VERSION_STRING: '" . Net::SSLeay::OpenSSL_version(Net::SSLeay::OPENSSL_FULL_VERSION_STRING()) . "'"); +} + +# These were added in OpenSSL 3.0.0 +if (defined &Net::SSLeay::OPENSSL_version_major) { + diag(""); + diag("Library version information with OPENSSL_version_*():"); + diag(" OPENSSL_version_major(): '" . Net::SSLeay::OPENSSL_version_major() . "'"); + diag(" OPENSSL_version_minor(): '" . Net::SSLeay::OPENSSL_version_minor() . "'"); + diag(" OPENSSL_version_patch(): '" . Net::SSLeay::OPENSSL_version_patch() . "'"); + diag(" OPENSSL_version_pre_release(): '" . Net::SSLeay::OPENSSL_version_pre_release() . "'"); + diag(" OPENSSL_version_build_metadata(): '" . Net::SSLeay::OPENSSL_version_build_metadata() . "'"); + diag(""); + diag("Library information with OPENSSL_info():"); + diag(" OPENSSL_INFO_CONFIG_DIR: '" . Net::SSLeay::OPENSSL_info(Net::SSLeay::OPENSSL_INFO_CONFIG_DIR()) . "'"); + diag(" OPENSSL_INFO_ENGINES_DIR: '" . Net::SSLeay::OPENSSL_info(Net::SSLeay::OPENSSL_INFO_ENGINES_DIR()) . "'"); + diag(" OPENSSL_INFO_MODULES_DIR: '" . Net::SSLeay::OPENSSL_info(Net::SSLeay::OPENSSL_INFO_MODULES_DIR()) . "'"); + diag(" OPENSSL_INFO_DSO_EXTENSION: '" . Net::SSLeay::OPENSSL_info(Net::SSLeay::OPENSSL_INFO_DSO_EXTENSION()) . "'"); + diag(" OPENSSL_INFO_DIR_FILENAME_SEPARATOR: '" . Net::SSLeay::OPENSSL_info(Net::SSLeay::OPENSSL_INFO_DIR_FILENAME_SEPARATOR()) . "'"); + diag(" OPENSSL_INFO_LIST_SEPARATOR: '" . Net::SSLeay::OPENSSL_info(Net::SSLeay::OPENSSL_INFO_LIST_SEPARATOR()) . "'"); + diag(" OPENSSL_INFO_SEED_SOURCE: '" . Net::SSLeay::OPENSSL_info(Net::SSLeay::OPENSSL_INFO_SEED_SOURCE()) . "'"); + diag(" OPENSSL_INFO_CPU_SETTINGS: '" . Net::SSLeay::OPENSSL_info(Net::SSLeay::OPENSSL_INFO_CPU_SETTINGS()) . "'"); +} diff --git a/cpan/Net-SSLeay/t/local/04_basic.t b/cpan/Net-SSLeay/t/local/04_basic.t new file mode 100644 index 000000000000..6796c8521ca7 --- /dev/null 
+++ b/cpan/Net-SSLeay/t/local/04_basic.t 
@@ -0,0 +1,72 @@ +# Test version and initialisation functions + +use lib 'inc'; + +use Net::SSLeay; +use Test::Net::SSLeay qw(lives_ok); + +plan tests => 29; + +lives_ok( sub { Net::SSLeay::randomize() }, 'seed pseudorandom number generator' ); +lives_ok( sub { Net::SSLeay::ERR_load_crypto_strings() }, 'load libcrypto error strings' ); +lives_ok( sub { Net::SSLeay::load_error_strings() }, 'load libssl error strings' ); +lives_ok( sub { Net::SSLeay::library_init() }, 'register default TLS ciphers and digest functions' ); +lives_ok( sub { Net::SSLeay::OpenSSL_add_all_digests() }, 'register all digest functions' ); +#version numbers: 0x00903100 ~ 0.9.3, 0x0090600f ~ 0.6.9 +ok( Net::SSLeay::SSLeay() >= 0x00903100, 'SSLeay (version min 0.9.3)' ); +isnt( Net::SSLeay::SSLeay_version(), '', 'SSLeay (version string)' ); +is( Net::SSLeay::SSLeay_version(), Net::SSLeay::SSLeay_version(Net::SSLeay::SSLEAY_VERSION()), 'SSLeay_version optional argument' ); +is(Net::SSLeay::hello(), 1, 'hello world'); + +if (exists &Net::SSLeay::OpenSSL_version) +{ + is(Net::SSLeay::SSLeay(), Net::SSLeay::OpenSSL_version_num(), 'OpenSSL_version_num'); + + is(Net::SSLeay::OpenSSL_version(), Net::SSLeay::OpenSSL_version(Net::SSLeay::OPENSSL_VERSION()), 'OpenSSL_version optional argument'); + + is(Net::SSLeay::SSLeay_version(Net::SSLeay::SSLEAY_VERSION()), Net::SSLeay::OpenSSL_version(Net::SSLeay::OPENSSL_VERSION()), 'OpenSSL_version(OPENSSL_VERSION)'); + is(Net::SSLeay::SSLeay_version(Net::SSLeay::SSLEAY_CFLAGS()), Net::SSLeay::OpenSSL_version(Net::SSLeay::OPENSSL_CFLAGS()), 'OpenSSL_version(OPENSSL_CFLAGS)'); + is(Net::SSLeay::SSLeay_version(Net::SSLeay::SSLEAY_BUILT_ON()), Net::SSLeay::OpenSSL_version(Net::SSLeay::OPENSSL_BUILT_ON()), 'OpenSSL_version(OPENSSL_BUILT_ON)'); + is(Net::SSLeay::SSLeay_version(Net::SSLeay::SSLEAY_PLATFORM()), Net::SSLeay::OpenSSL_version(Net::SSLeay::OPENSSL_PLATFORM()), 'OpenSSL_version(OPENSSL_PLATFORM)'); + is(Net::SSLeay::SSLeay_version(Net::SSLeay::SSLEAY_DIR()), 
Net::SSLeay::OpenSSL_version(Net::SSLeay::OPENSSL_DIR()), 'OpenSSL_version(OPENSSL_DIR)'); +} +else +{ + SKIP: { + skip('Only on OpenSSL 1.1.0 or later', 7); + } +} + +if (defined &Net::SSLeay::OPENSSL_version_major) +{ + + my $major = Net::SSLeay::OPENSSL_version_major(); + my $minor = Net::SSLeay::OPENSSL_version_minor(); + my $patch = Net::SSLeay::OPENSSL_version_patch(); + + # Separate test for being defined because cmp_ok won't fail this: + # cmp_ok(undef, '>=', 0) + isnt($major, undef, 'major is defined'); + isnt($minor, undef, 'minor is defined'); + isnt($patch, undef, 'patch is defined'); + + cmp_ok($major, '>=', 3, 'OPENSSL_version_major'); + cmp_ok($minor, '>=', 0, 'OPENSSL_version_minor'); + cmp_ok($patch, '>=', 0, 'OPENSSL_version_patch'); + + is(Net::SSLeay::OPENSSL_VERSION_MAJOR(), $major, 'OPENSSL_VERSION_MAJOR and OPENSSL_version_major are equal'); + is(Net::SSLeay::OPENSSL_VERSION_MINOR(), $minor, 'OPENSSL_VERSION_MINOR and OPENSSL_version_minor are equal'); + is(Net::SSLeay::OPENSSL_VERSION_PATCH(), $patch, 'OPENSSL_VERSION_PATCH and OPENSSL_version_patch are equal'); + + isnt(defined Net::SSLeay::OPENSSL_version_pre_release(), undef, 'OPENSSL_version_pre_release returns a defined value'); + isnt(defined Net::SSLeay::OPENSSL_version_build_metadata(), undef, 'OPENSSL_version_build_metadata returns a defined value'); + + isnt(Net::SSLeay::OPENSSL_info(Net::SSLeay::OPENSSL_INFO_CONFIG_DIR()), undef, 'OPENSSL_INFO(OPENSSL_INFO_CONFIG_DIR) returns a defined value'); + is(Net::SSLeay::OPENSSL_info(-1), undef, 'OPENSSL_INFO(-1) returns an undefined value'); +} +else +{ + SKIP: { + skip('Only on OpenSSL 3.0.0 or later', 13); + } +} diff --git a/cpan/Net-SSLeay/t/local/05_passwd_cb.t b/cpan/Net-SSLeay/t/local/05_passwd_cb.t new file mode 100644 index 000000000000..878e2aa9b8e8 --- /dev/null +++ b/cpan/Net-SSLeay/t/local/05_passwd_cb.t 
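Review bot: The two assertions `isnt(defined Net::SSLeay::OPENSSL_version_pre_release(), undef, ...)` and `isnt(defined Net::SSLeay::OPENSSL_version_build_metadata(), undef, ...)` in the OpenSSL 3 branch cannot fail: `defined` yields '' or 1, never undef, so the comparison always passes and the property named in the description is not actually tested. `ok(defined Net::SSLeay::OPENSSL_version_pre_release(), 'OPENSSL_version_pre_release returns a defined value');` (and the same for build_metadata) checks what the description says with the same test count, so `plan tests => 29` and the `skip(..., 13)` count stay valid. The `isnt($major, undef, ...)` checks a few lines above are fine because they compare the value itself.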
@@ -0,0 +1,181 @@ +# Test password entry callback functionality + +use lib 'inc'; + +use Net::SSLeay; +use Test::Net::SSLeay qw( data_file_path initialise_libssl ); + +plan tests => 36; + +initialise_libssl(); + +my $key_pem = data_file_path('simple-cert.key.enc.pem'); +my $key_password = 'test'; + +my $cb_1_calls = 0; +my $cb_2_calls = 0; +my $cb_3_calls = 0; +my $cb_4_calls = 0; +my $cb_bad_calls = 0; + +sub callback1 { + my ($rwflag, $userdata) = @_; + + $cb_1_calls++; + + is ($rwflag, 0, 'rwflag is set correctly'); + is( $$userdata, $key_password, 'received userdata properly' ); + return $$userdata; +} + +sub callback2 { + my ($rwflag, $userdata) = @_; + + $cb_2_calls++; + + is( $$userdata, $key_password, 'received userdata properly' ); + return $$userdata; +} + +sub callback3 { + my ($rwflag, $userdata) = @_; + + $cb_3_calls++; + + is( $userdata, undef, 'received no userdata' ); + return $key_password; +} + +sub callback_bad { + my ($rwflag, $userdata) = @_; + + $cb_bad_calls++; + + is( $userdata, $key_password, 'received userdata properly' ); + return $key_password . 
'incorrect'; # Return incorrect password +} + +my $ctx_1 = Net::SSLeay::CTX_new(); +ok($ctx_1, 'CTX_new 1'); + +my $ctx_2 = Net::SSLeay::CTX_new(); +ok($ctx_2, 'CTX_new 2'); + +my $ctx_3 = Net::SSLeay::CTX_new(); +ok($ctx_3, 'CTX_new 3'); + +my $ctx_4 = Net::SSLeay::CTX_new(); +ok($ctx_4, 'CTX_new 4'); + +Net::SSLeay::CTX_set_default_passwd_cb($ctx_1, \&callback1); +Net::SSLeay::CTX_set_default_passwd_cb_userdata($ctx_1, \$key_password); + +Net::SSLeay::CTX_set_default_passwd_cb($ctx_2, \&callback2); +Net::SSLeay::CTX_set_default_passwd_cb_userdata($ctx_2, \$key_password); + +Net::SSLeay::CTX_set_default_passwd_cb($ctx_3, \&callback3); + +ok( Net::SSLeay::CTX_use_PrivateKey_file($ctx_1, $key_pem, &Net::SSLeay::FILETYPE_PEM), + 'CTX_use_PrivateKey_file works with right passphrase and userdata' ); + +ok( Net::SSLeay::CTX_use_PrivateKey_file($ctx_2, $key_pem, &Net::SSLeay::FILETYPE_PEM), + 'CTX_use_PrivateKey_file works with right passphrase and userdata' ); + +ok( Net::SSLeay::CTX_use_PrivateKey_file($ctx_3, $key_pem, &Net::SSLeay::FILETYPE_PEM), + 'CTX_use_PrivateKey_file works with right passphrase and without userdata' ); + +Net::SSLeay::CTX_set_default_passwd_cb($ctx_4, sub { $cb_4_calls++; return $key_password; }); +ok( Net::SSLeay::CTX_use_PrivateKey_file($ctx_4, $key_pem, &Net::SSLeay::FILETYPE_PEM), + 'CTX_use_PrivateKey_file works when callback data is unset' ); + +ok( $cb_1_calls == 1 + && $cb_2_calls == 1 + && $cb_3_calls == 1 + && $cb_4_calls == 1, + 'different cbs per ctx work' ); + +$key_password = 'incorrect'; + +ok( !Net::SSLeay::CTX_use_PrivateKey_file($ctx_1, $key_pem, &Net::SSLeay::FILETYPE_PEM), + 'CTX_use_PrivateKey_file doesn\'t work with wrong passphrase' ); + +is($cb_1_calls, 2, 'callback1 called 2 times'); + + +# OpenSSL 1.1.0 has SSL_set_default_passwd_cb, but the callback is not +# called for SSL before OpenSSL 1.1.0f +if (exists &Net::SSLeay::set_default_passwd_cb) +{ + test_ssl_funcs(); +} +else +{ + SKIP: { + skip('Do not have 
Net::SSLeay::set_default_passwd_cb', 19); + }; +} + +exit(0); + +sub test_ssl_funcs +{ + my $ctx_1 = Net::SSLeay::CTX_new(); + my $ssl_1 = Net::SSLeay::new($ctx_1); + ok($ssl_1, 'SSL_new 1'); + + my $ctx_2 = Net::SSLeay::CTX_new(); + my $ssl_2 = Net::SSLeay::new($ctx_2); + ok($ssl_2, 'SSL_new 2'); + + my $ctx_3 = Net::SSLeay::CTX_new(); + my $ssl_3 = Net::SSLeay::new($ctx_3); + ok($ssl_3, 'SSL_new 3'); + + my $ctx_4 = Net::SSLeay::CTX_new(); + my $ssl_4 = Net::SSLeay::new($ctx_4); + ok($ssl_4, 'SSL_new 4'); + + $cb_1_calls = $cb_2_calls = $cb_3_calls = $cb_4_calls = $cb_bad_calls = 0; + $key_password = 'test'; + + Net::SSLeay::set_default_passwd_cb($ssl_1, \&callback1); + Net::SSLeay::set_default_passwd_cb_userdata($ssl_1, \$key_password); + + Net::SSLeay::set_default_passwd_cb($ssl_2, \&callback2); + Net::SSLeay::set_default_passwd_cb_userdata($ssl_2, \$key_password); + + Net::SSLeay::set_default_passwd_cb($ssl_3, \&callback3); + + ok( Net::SSLeay::use_PrivateKey_file($ssl_1, $key_pem, &Net::SSLeay::FILETYPE_PEM), + 'use_PrivateKey_file works with right passphrase and userdata' ); + + ok( Net::SSLeay::use_PrivateKey_file($ssl_2, $key_pem, &Net::SSLeay::FILETYPE_PEM), + 'use_PrivateKey_file works with right passphrase and userdata' ); + + # Setting the callback for CTX should not change anything + Net::SSLeay::CTX_set_default_passwd_cb($ctx_2, \&callback_bad); + Net::SSLeay::CTX_set_default_passwd_cb_userdata($ctx_2, \$key_password); + ok( Net::SSLeay::use_PrivateKey_file($ssl_2, $key_pem, &Net::SSLeay::FILETYPE_PEM), + 'use_PrivateKey_file works with right passphrase and userdata after bad passphrase set for CTX' ); + + ok( Net::SSLeay::use_PrivateKey_file($ssl_3, $key_pem, &Net::SSLeay::FILETYPE_PEM), + 'use_PrivateKey_file works with right passphrase and without userdata' ); + + Net::SSLeay::set_default_passwd_cb($ssl_4, sub { $cb_4_calls++; return $key_password; }); + ok( Net::SSLeay::use_PrivateKey_file($ssl_4, $key_pem, &Net::SSLeay::FILETYPE_PEM), + 
'use_PrivateKey_file works when callback data is unset' ); + + ok( $cb_1_calls == 1 + && $cb_2_calls == 2 + && $cb_3_calls == 1 + && $cb_4_calls == 1 + && $cb_bad_calls == 0, + 'different cbs per ssl work' ); + + $key_password = 'incorrect'; + + ok( !Net::SSLeay::use_PrivateKey_file($ssl_1, $key_pem, &Net::SSLeay::FILETYPE_PEM), + 'use_PrivateKey_file doesn\'t work with wrong passphrase' ); + + is($cb_1_calls, 2, 'callback1 called 2 times'); +} diff --git a/cpan/Net-SSLeay/t/local/06_tcpecho.t b/cpan/Net-SSLeay/t/local/06_tcpecho.t new file mode 100644 index 000000000000..e92c0eb06f88 --- /dev/null +++ b/cpan/Net-SSLeay/t/local/06_tcpecho.t @@ -0,0 +1,55 @@ +use lib 'inc'; + +use Net::SSLeay; +use Test::Net::SSLeay qw( can_fork initialise_libssl tcp_socket ); + +BEGIN { + if (not can_fork()) { + plan skip_all => "fork() not supported on this system"; + } else { + plan tests => 4; + } +} + +initialise_libssl(); + +my $server = tcp_socket(); +my $msg = 'ssleay-tcp-test'; + +my $pid; + +{ + $pid = fork(); + die "fork failed: $!" unless defined $pid; + if ($pid == 0) { + $server->accept(\*Net::SSLeay::SSLCAT_S); + + my $got = Net::SSLeay::tcp_read_all(); + is($got, $msg, 'tcp_read_all'); + + ok(Net::SSLeay::tcp_write_all(uc($got)), 'tcp_write_all'); + + close Net::SSLeay::SSLCAT_S; + $server->close() || die("server listen socket close: $!"); + + exit; + } +} + +my @results; +{ + my ($got) = Net::SSLeay::tcpcat($server->get_addr(), $server->get_port(), $msg); + push @results, [ $got eq uc($msg), 'sent and received correctly' ]; +} + +$server->close() || die("client listen socket close: $!"); + +waitpid $pid, 0; +push @results, [ $? == 0, 'server exited with 0' ]; + +END { + Test::More->builder->current_test(2); + for my $t (@results) { + ok( $t->[0], $t->[1] ); + } +} diff --git a/cpan/Net-SSLeay/t/local/07_sslecho.t b/cpan/Net-SSLeay/t/local/07_sslecho.t new file mode 100644 index 000000000000..e809c97a0a5c --- /dev/null +++ b/cpan/Net-SSLeay/t/local/07_sslecho.t 
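Review bot: `callback_bad` in the 05_passwd_cb.t hunk compares the userdata reference to a string, `is( $userdata, $key_password, 'received userdata properly' )`, whereas `callback1`/`callback2` dereference it with `$$userdata`; if the callback ever fires, the `is` fails for the wrong reason and also emits a test outside the `plan tests => 36` count. Since `ok( ... && $cb_bad_calls == 0, ... )` in `test_ssl_funcs` already asserts it is never invoked, replacing the `is` with `fail('callback_bad must not be called');` (or comparing `$$userdata`) makes any regression self-explanatory. As a point of style, the repeated `&Net::SSLeay::FILETYPE_PEM` arguments use the `&name` call form, which forwards the caller's current `@_`; `Net::SSLeay::FILETYPE_PEM()` is the conventional spelling.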
@@ -0,0 +1,349 @@ +use lib 'inc'; + +use Net::SSLeay; +use Test::Net::SSLeay qw( + can_fork data_file_path initialise_libssl new_ctx tcp_socket +); + +BEGIN { + if (not can_fork()) { + plan skip_all => "fork() not supported on this system"; + } else { + plan tests => 122; + } +} + +initialise_libssl(); + +$SIG{'PIPE'} = 'IGNORE'; + +my $server = tcp_socket(); +my $pid; + +my $msg = 'ssleay-test'; + +my $ca_cert_pem = data_file_path('intermediate-ca.certchain.pem'); +my $cert_pem = data_file_path('simple-cert.cert.pem'); +my $key_pem = data_file_path('simple-cert.key.pem'); + +my $cert_name = '/C=PL/O=Net-SSLeay/OU=Test Suite/CN=simple-cert.net-ssleay.example'; +my $cert_issuer = '/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Intermediate CA'; +my $cert_sha1_fp = '9C:2E:90:B9:A7:84:7A:3A:2B:BE:FD:A5:D1:46:EA:31:75:E9:03:26'; + +$ENV{RND_SEED} = '1234567890123456789012345678901234567890'; + +{ + my ( $ctx, $ctx_protocol ) = new_ctx(); + ok($ctx, 'new CTX'); + ok(Net::SSLeay::CTX_set_cipher_list($ctx, 'ALL'), 'CTX_set_cipher_list'); + my ($dummy, $errs) = Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem); + ok($errs eq '', "set_cert_and_key: $errs"); + SKIP: { + skip 'Disabling session tickets requires OpenSSL >= 1.1.1', 1 + unless defined (&Net::SSLeay::CTX_set_num_tickets); + # TLS 1.3 server sends session tickets after a handhake as part of + # the SSL_accept(). If a client finishes all its job including closing + # TCP connection before a server sends the tickets, SSL_accept() fails + # with SSL_ERROR_SYSCALL and EPIPE errno and the server receives + # SIGPIPE signal. + ok(Net::SSLeay::CTX_set_num_tickets($ctx, 0), 'Session tickets disabled'); + } + + # The client side of this test uses Net::SSLeay::sslcat(), which by default + # will attempt to auto-negotiate the SSL/TLS protocol version to use when it + # connects to the server. 
This conflicts with the server-side SSL_CTX + # created by Test::Net::SSLeay::new_ctx(), which only accepts the most recent + # SSL/TLS protocol version supported by libssl; atempts to negotiate the + # version will fail. We need to force sslcat() to communicate with the server + # using the same protocol version that was chosen for the server SSL_CTX, + # which is done by setting a specific value for $Net::SSLeay::ssl_version + my %ssl_versions = ( + 'SSLv2' => 2, + 'SSLv3' => 3, + 'TLSv1' => 10, + 'TLSv1.1' => 11, + 'TLSv1.2' => 12, + 'TLSv1.3' => 13, + ); + + $Net::SSLeay::ssl_version = $ssl_versions{$ctx_protocol}; + + $pid = fork(); + BAIL_OUT("failed to fork: $!") unless defined $pid; + if ($pid == 0) { + for (1 .. 7) { + my $ns = $server->accept(); + + my $ssl = Net::SSLeay::new($ctx); + ok($ssl, 'new'); + + is(Net::SSLeay::in_before($ssl), 1, 'in_before is 1'); + is(Net::SSLeay::in_init($ssl), 1, 'in_init is 1'); + + ok(Net::SSLeay::set_fd($ssl, fileno($ns)), 'set_fd using fileno'); + ok(Net::SSLeay::accept($ssl), 'accept'); + + is(Net::SSLeay::is_init_finished($ssl), 1, 'is_init_finished is 1'); + + ok(Net::SSLeay::get_cipher($ssl), 'get_cipher'); + like(Net::SSLeay::get_shared_ciphers($ssl), qr/(AES|RSA|SHA|CBC|DES)/, 'get_shared_ciphers'); + + my $got = Net::SSLeay::ssl_read_all($ssl); + is($got, $msg, 'ssl_read_all') if $_ < 7; + + is(Net::SSLeay::get_shutdown($ssl), Net::SSLeay::RECEIVED_SHUTDOWN(), 'shutdown from peer'); + ok(Net::SSLeay::ssl_write_all($ssl, uc($got)), 'ssl_write_all'); + + # With 1.1.1e and $Net::SSLeay::trace=3 you'll see these without shutdown: + # SSL_read 9740: 1 - error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading + my $sret = Net::SSLeay::shutdown($ssl); + if ($sret < 0) + { + # ERROR_SYSCALL seen on < 1.1.1, if so also print errno string + my $err = Net::SSLeay::get_error($ssl, $sret); + my $extra = ($err == Net::SSLeay::ERROR_SYSCALL()) ? "$err, $!" 
: "$err"; + + ok($err == Net::SSLeay::ERROR_ZERO_RETURN() || + $err == Net::SSLeay::ERROR_SYSCALL(), + "server shutdown not success, but acceptable: $extra"); + } + else + { + pass('server shutdown success'); + } + + Net::SSLeay::free($ssl); + close($ns) || die("server close: $!"); + } + + Net::SSLeay::CTX_free($ctx); + $server->close() || die("server listen socket close: $!"); + + exit; + } +} + +my @results; +{ + my ($got) = Net::SSLeay::sslcat($server->get_addr(), $server->get_port(), $msg); + push @results, [ $got eq uc($msg), 'send and received correctly' ]; + +} + +{ + my $s = $server->connect(); + + push @results, [ my $ctx = new_ctx(), 'new CTX' ]; + push @results, [ my $ssl = Net::SSLeay::new($ctx), 'new' ]; + + push @results, [ Net::SSLeay::set_fd($ssl, $s), 'set_fd using glob ref' ]; + push @results, [ Net::SSLeay::connect($ssl), 'connect' ]; + + push @results, [ Net::SSLeay::get_cipher($ssl), 'get_cipher' ]; + + push @results, [ Net::SSLeay::ssl_write_all($ssl, $msg), 'write' ]; + push @results, [ Net::SSLeay::shutdown($ssl) >= 0, 'client side ssl shutdown' ]; + shutdown($s, 1); + + my $got = Net::SSLeay::ssl_read_all($ssl); + push @results, [ $got eq uc($msg), 'read' ]; + + Net::SSLeay::free($ssl); + Net::SSLeay::CTX_free($ctx); + + shutdown($s, 2); + close($s) || die("client close: $!"); + +} + +{ + my $verify_cb_1_called = 0; + my $verify_cb_2_called = 0; + my $verify_cb_3_called = 0; + { + my $ctx = new_ctx(); + push @results, [ Net::SSLeay::CTX_load_verify_locations($ctx, $ca_cert_pem, ''), 'CTX_load_verify_locations' ]; + Net::SSLeay::CTX_set_verify($ctx, &Net::SSLeay::VERIFY_PEER, \&verify); + + my $ctx2 = new_ctx(); + Net::SSLeay::CTX_set_cert_verify_callback($ctx2, \&verify4, 1); + + { + my $s = $server->connect(); + + my $ssl = Net::SSLeay::new($ctx); + Net::SSLeay::set_fd($ssl, fileno($s)); + Net::SSLeay::connect($ssl); + + Net::SSLeay::ssl_write_all($ssl, $msg); + + push @results, [Net::SSLeay::shutdown($ssl) >= 0, 'verify: client side ssl 
shutdown' ]; + shutdown $s, 2; + close $s; + Net::SSLeay::free($ssl); + + push @results, [ $verify_cb_1_called == 1, 'verify cb 1 called once' ]; + push @results, [ $verify_cb_2_called == 0, 'verify cb 2 wasn\'t called yet' ]; + push @results, [ $verify_cb_3_called == 0, 'verify cb 3 wasn\'t called yet' ]; + } + + { + my $s1 = $server->connect(); + my $s2 = $server->connect(); + my $s3 = $server->connect(); + + my $ssl1 = Net::SSLeay::new($ctx); + Net::SSLeay::set_verify($ssl1, &Net::SSLeay::VERIFY_PEER, \&verify2); + Net::SSLeay::set_fd($ssl1, $s1); + + my $ssl2 = Net::SSLeay::new($ctx); + Net::SSLeay::set_verify($ssl2, &Net::SSLeay::VERIFY_PEER, \&verify3); + Net::SSLeay::set_fd($ssl2, $s2); + + my $ssl3 = Net::SSLeay::new($ctx2); + Net::SSLeay::set_fd($ssl3, $s3); + + Net::SSLeay::connect($ssl1); + Net::SSLeay::ssl_write_all($ssl1, $msg); + push @results, [Net::SSLeay::shutdown($ssl1) >= 0, 'client side ssl1 shutdown' ]; + shutdown $s1, 2; + + Net::SSLeay::connect($ssl2); + Net::SSLeay::ssl_write_all($ssl2, $msg); + push @results, [Net::SSLeay::shutdown($ssl2) >= 0, 'client side ssl2 shutdown' ]; + shutdown $s2, 2; + + Net::SSLeay::connect($ssl3); + Net::SSLeay::ssl_write_all($ssl3, $msg); + push @results, [Net::SSLeay::shutdown($ssl3) >= 0, 'client side ssl3 shutdown' ]; + shutdown $s3, 2; + + close($s1) || die("client close s1: $!"); + close($s2) || die("client close s2: $!"); + close($s3) || die("client close s3: $!"); + + Net::SSLeay::free($ssl1); + Net::SSLeay::free($ssl2); + Net::SSLeay::free($ssl3); + + push @results, [ $verify_cb_1_called == 1, 'verify cb 1 wasn\'t called again' ]; + push @results, [ $verify_cb_2_called == 1, 'verify cb 2 called once' ]; + push @results, [ $verify_cb_3_called == 1, 'verify cb 3 wasn\'t called yet' ]; + } + + + Net::SSLeay::CTX_free($ctx); + Net::SSLeay::CTX_free($ctx2); + } + + sub verify { + my ($ok, $x509_store_ctx) = @_; + + # Skip intermediate certs but propagate possible not ok condition + my $depth = 
Net::SSLeay::X509_STORE_CTX_get_error_depth($x509_store_ctx); + return $ok unless $depth == 0; + + $verify_cb_1_called++; + + my $cert = Net::SSLeay::X509_STORE_CTX_get_current_cert($x509_store_ctx); + push @results, [ $cert, 'verify cb cert' ]; + + my $issuer_name = Net::SSLeay::X509_get_issuer_name( $cert ); + my $issuer = Net::SSLeay::X509_NAME_oneline( $issuer_name ); + + my $subject_name = Net::SSLeay::X509_get_subject_name( $cert ); + my $subject = Net::SSLeay::X509_NAME_oneline( $subject_name ); + + my $cn = Net::SSLeay::X509_NAME_get_text_by_NID($subject_name, &Net::SSLeay::NID_commonName); + + my $fingerprint = Net::SSLeay::X509_get_fingerprint($cert, 'SHA-1'); + + push @results, [ $ok == 1, 'verify is ok' ]; + push @results, [ $issuer eq $cert_issuer, 'cert issuer' ]; + push @results, [ $subject eq $cert_name, 'cert subject' ]; + push @results, [ substr($cn, length($cn) - 1, 1) ne "\0", 'tailing 0 character is not returned from get_text_by_NID' ]; + push @results, [ $fingerprint eq $cert_sha1_fp, 'SHA-1 fingerprint' ]; + + return 1; + } + + sub verify2 { + my ($ok, $x509_store_ctx) = @_; + + # Skip intermediate certs but propagate possible not ok condition + my $depth = Net::SSLeay::X509_STORE_CTX_get_error_depth($x509_store_ctx); + return $ok unless $depth == 0; + + $verify_cb_2_called++; + push @results, [ $ok == 1, 'verify 2 is ok' ]; + return $ok; + } + + sub verify3 { + my ($ok, $x509_store_ctx) = @_; + + # Skip intermediate certs but propagate possible not ok condition + my $depth = Net::SSLeay::X509_STORE_CTX_get_error_depth($x509_store_ctx); + return $ok unless $depth == 0; + + $verify_cb_3_called++; + push @results, [ $ok == 1, 'verify 3 is ok' ]; + return $ok; + } + + sub verify4 { + my ($cert_store, $userdata) = @_; + push @results, [$userdata == 1, 'CTX_set_cert_verify_callback']; + return $userdata; + } +} + +{ + my $s = $server->connect(); + + my $ctx = new_ctx(); + my $ssl = Net::SSLeay::new($ctx); + + Net::SSLeay::set_fd($ssl, fileno($s)); 
+ Net::SSLeay::connect($ssl); + + my $cert = Net::SSLeay::get_peer_certificate($ssl); + + my $subject = Net::SSLeay::X509_NAME_oneline( + Net::SSLeay::X509_get_subject_name($cert) + ); + + my $issuer = Net::SSLeay::X509_NAME_oneline( + Net::SSLeay::X509_get_issuer_name($cert) + ); + + push @results, [ $subject eq $cert_name, 'get_peer_certificate subject' ]; + push @results, [ $issuer eq $cert_issuer, 'get_peer_certificate issuer' ]; + + my $data = 'a' x 1024 ** 2; + my $written = Net::SSLeay::ssl_write_all($ssl, \$data); + push @results, [ $written == length $data, 'ssl_write_all' ]; + + push @results, [Net::SSLeay::shutdown($ssl) >= 0, 'client side aaa write ssl shutdown' ]; + shutdown $s, 1; + + my $got = Net::SSLeay::ssl_read_all($ssl); + push @results, [ $got eq uc($data), 'ssl_read_all' ]; + + Net::SSLeay::free($ssl); + Net::SSLeay::CTX_free($ctx); + + close($s) || die("client close: $!"); +} + +$server->close() || die("client listen socket close: $!"); + +waitpid $pid, 0; +push @results, [ $? == 0, 'server exited with 0' ]; + +END { + Test::More->builder->current_test(87); + for my $t (@results) { + ok( $t->[0], $t->[1] ); + } +} diff --git a/cpan/Net-SSLeay/t/local/08_pipe.t b/cpan/Net-SSLeay/t/local/08_pipe.t new file mode 100644 index 000000000000..e85f188b8aa7 --- /dev/null +++ b/cpan/Net-SSLeay/t/local/08_pipe.t 
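Review bot: The `verify` callback ends with an unconditional `return 1;` after recording `$ok == 1` in @results, so at depth 0 it accepts the peer certificate even when libssl's own verification failed; `verify4`, installed through `CTX_set_cert_verify_callback`, likewise returns `$userdata` (1) without inspecting `$cert_store`. That is intentional here — the handshake has to complete for the remaining assertions to run, and the recorded `$ok == 1` still catches a failure — but a reader scanning for a verification bypass will not see that from the code. A comment on `return 1;` such as `# Always accept: the verify result is already recorded in @results and the handshake must continue for the remaining checks` (and a matching one in verify4) would make the intent explicit. `$ENV{RND_SEED}` is assigned a fixed string with no explanation; if it is consumed by Net::SSLeay's randomize() on the sslcat() client path, a one-line comment saying it only contributes seed material for that path would help.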
@@ -0,0 +1,96 @@ +use lib 'inc'; + +use Net::SSLeay; +use Test::Net::SSLeay qw( can_really_fork data_file_path initialise_libssl ); + +use IO::Handle; +use Symbol qw( gensym ); + +if (not can_really_fork()) { + # Perl's pseudofork implementation doesn't correctly dup file handles + # connected to pipes, so this test requires a native fork() system call + plan skip_all => "fork() not natively supported on this system"; +} else { + plan tests => 11; +} + +initialise_libssl(); + +my $cert = data_file_path('simple-cert.cert.pem'); +my $key = data_file_path('simple-cert.key.pem'); + +my $how_much = 1024 ** 2; + +my $rs = gensym(); +my $ws = gensym(); +my $rc = gensym(); +my $wc = gensym(); + +pipe $rs, $wc or die "pipe 1 ($!)"; +pipe $rc, $ws or die "pipe 2 ($!)"; + +for my $h ($rs, $ws, $rc, $wc) { + my $old_select = select $h; + $| = 1; + select $old_select; +} + +my $pid = fork(); +die unless defined $pid; + +if ($pid == 0) { + my $ctx = Net::SSLeay::CTX_new(); + Net::SSLeay::set_server_cert_and_key($ctx, $cert, $key); + + my $ssl = Net::SSLeay::new($ctx); + + ok( Net::SSLeay::set_rfd($ssl, fileno($rs)), 'set_rfd using fileno' ); + ok( Net::SSLeay::set_wfd($ssl, fileno($ws)), 'set_wfd using fileno' ); + + ok( Net::SSLeay::accept($ssl), 'accept' ); + + ok( my $got = Net::SSLeay::ssl_read_all($ssl, $how_much), 'ssl_read_all' ); + + is( Net::SSLeay::ssl_write_all($ssl, \$got), length $got, 'ssl_write_all' ); + + Net::SSLeay::free($ssl); + Net::SSLeay::CTX_free($ctx); + + close $ws; + close $rs; + exit; +} + +my @results; +{ + my $ctx = Net::SSLeay::CTX_new(); + my $ssl = Net::SSLeay::new($ctx); + + my $rc_handle = IO::Handle->new_from_fd( fileno($rc), 'r' ); + my $wc_handle = IO::Handle->new_from_fd( fileno($wc), 'w' ); + push @results, [ Net::SSLeay::set_rfd($ssl, $rc_handle), 'set_rfd using an io handle' ]; + push @results, [ Net::SSLeay::set_wfd($ssl, $wc_handle), 'set_wfd using an io handle' ]; + + push @results, [ Net::SSLeay::connect($ssl), 'connect' ]; + + my 
$data = 'B' x $how_much; + + push @results, [ Net::SSLeay::ssl_write_all($ssl, \$data) == length $data, 'ssl_write_all' ]; + + my $got = Net::SSLeay::ssl_read_all($ssl, $how_much); + push @results, [ $got eq $data, 'ssl_read_all' ]; + + Net::SSLeay::free($ssl); + Net::SSLeay::CTX_free($ctx); + + close $wc; + close $rc; +} + +waitpid $pid, 0; +push @results, [ $? == 0, 'server exited with 0' ]; + +Test::More->builder->current_test(5); +for my $t (@results) { + ok( $t->[0], $t->[1] ); +} diff --git a/cpan/Net-SSLeay/t/local/09_ctx_new.t b/cpan/Net-SSLeay/t/local/09_ctx_new.t new file mode 100644 index 000000000000..128af0b04340 --- /dev/null +++ b/cpan/Net-SSLeay/t/local/09_ctx_new.t 
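Review bot: The return value of `Net::SSLeay::set_server_cert_and_key($ctx, $cert, $key)` in the child is dropped, so a certificate or key that fails to load surfaces only later as a failed `accept` with no hint of the cause; 07_sslecho.t in this same commit checks the list return of set_cert_and_key (`my ($dummy, $errs) = ...; ok($errs eq '', ...)`), and the same pattern fits here if set_server_cert_and_key returns the same shape. `die unless defined $pid;` reports only a bare `Died at …`, whereas 06_tcpecho.t writes `die "fork failed: $!" unless defined $pid;`. Like the other fork-based tests in this series, there is no `alarm()` watchdog, so a child that dies mid-handshake leaves the parent blocked on the pipe read.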
@@ -0,0 +1,183 @@ +# Test SSL_CTX_new and related functions, and handshake state machine retrieval + +use lib 'inc'; + +use Net::SSLeay; +use Test::Net::SSLeay qw(initialise_libssl); + +plan tests => 44; + +initialise_libssl(); + +sub is_known_proto_version { + return 1 if $_[0] == 0x0000; # Automatic version selection + return 1 if $_[0] == Net::SSLeay::SSL3_VERSION(); # OpenSSL 0.9.8+ + return 1 if $_[0] == Net::SSLeay::TLS1_VERSION(); # OpenSSL 0.9.8+ + return 1 if $_[0] == Net::SSLeay::TLS1_1_VERSION(); # OpenSSL 0.9.8+ + return 1 if $_[0] == Net::SSLeay::TLS1_2_VERSION(); # OpenSSL 0.9.8+ + if (eval { Net::SSLeay::TLS1_3_VERSION() }) { + return 1 if $_[0] == Net::SSLeay::TLS1_3_VERSION(); # OpenSSL 1.1.1+ + } + + return; +} + +# Shortcuts from SSLeay.xs +my $ctx = Net::SSLeay::CTX_new(); +ok($ctx, 'CTX_new'); +$ctx = Net::SSLeay::CTX_v23_new(); +ok($ctx, 'CTX_v23_new'); +$ctx = Net::SSLeay::CTX_tlsv1_new(); +ok($ctx, 'CTX_tlsv1_new'); + +my $ctx_23 = Net::SSLeay::CTX_new_with_method(Net::SSLeay::SSLv23_method()); +ok($ctx_23, 'CTX_new with SSLv23_method'); + +my $ctx_23_client = Net::SSLeay::CTX_new_with_method(Net::SSLeay::SSLv23_client_method()); +ok($ctx_23_client, 'CTX_new with SSLv23_client_method'); + +my $ctx_23_server = Net::SSLeay::CTX_new_with_method(Net::SSLeay::SSLv23_server_method()); +ok($ctx_23_server, 'CTX_new with SSLv23_server_method'); + +my $ctx_tls1 = Net::SSLeay::CTX_new_with_method(Net::SSLeay::TLSv1_method()); +ok($ctx_tls1, 'CTX_new with TLSv1_method'); + +# Retrieve information about the handshake state machine +is(Net::SSLeay::in_connect_init(Net::SSLeay::new($ctx_23_client)), 1, 'in_connect_init() is 1 for client'); +is(Net::SSLeay::in_accept_init(Net::SSLeay::new($ctx_23_client)), 0, 'in_accept_init() is 0 for client'); +is(Net::SSLeay::in_connect_init(Net::SSLeay::new($ctx_23_server)), 0, 'in_connect_init() is 0 for server'); +is(Net::SSLeay::in_accept_init(Net::SSLeay::new($ctx_23_server)), 1, 'in_accept_init() is 1 for server'); 
+ +# Need recent enough OpenSSL or LibreSSL for TLS_method functions +my ($ctx_tls, $ssl_tls, $ctx_tls_client, $ssl_tls_client, $ctx_tls_server, $ssl_tls_server); +if (exists &Net::SSLeay::TLS_method) +{ + $ctx_tls = Net::SSLeay::CTX_new_with_method(Net::SSLeay::TLS_method()); + ok($ctx_tls, 'CTX_new with TLS_method'); + + $ssl_tls = Net::SSLeay::new($ctx_tls); + ok($ssl_tls, 'New SSL created with ctx_tls'); + + $ctx_tls_client = Net::SSLeay::CTX_new_with_method(Net::SSLeay::TLS_client_method()); + ok($ctx_tls_client, 'CTX_new with TLS_client_method'); + + $ctx_tls_server = Net::SSLeay::CTX_new_with_method(Net::SSLeay::TLS_server_method()); + ok($ctx_tls_server, 'CTX_new with TLS_server_method'); +} +else +{ + SKIP: { + skip('Do not have Net::SSLeay::TLS_method', 4); + }; +} + +# Having TLS_method() does not necessarily that proto setters are available +if ($ctx_tls && exists &Net::SSLeay::CTX_set_min_proto_version) +{ + my $ver_1_0 = Net::SSLeay::TLS1_VERSION(); + ok($ver_1_0, "Net::SSLeay::TLS1_VERSION() returns non-false: $ver_1_0, hex " . sprintf('0x%04x', $ver_1_0)); + my $ver_min = Net::SSLeay::TLS1_1_VERSION(); + ok($ver_min, "Net::SSLeay::TLS1_1_VERSION() returns non-false: $ver_min, hex " . sprintf('0x%04x', $ver_min)); + my $ver_max = Net::SSLeay::TLS1_2_VERSION(); + ok($ver_max, "Net::SSLeay::TLS1_2_VERSION() returns $ver_max, hex " . 
sprintf('0x%04x', $ver_max)); + isnt($ver_1_0, $ver_min, 'Version 1_0 and 1_1 values are different'); + isnt($ver_min, $ver_max, 'Version 1_1 and 1_2 values are different'); + + my $rv; + + $rv = Net::SSLeay::CTX_set_min_proto_version($ctx_tls_client, $ver_min); + is($rv, 1, 'Setting client CTX minimum version'); + + $rv = Net::SSLeay::CTX_set_min_proto_version($ctx_tls_client, 0); + is($rv, 1, 'Setting client CTX minimum version to automatic'); + + $rv = Net::SSLeay::CTX_set_min_proto_version($ctx_tls_client, -1); + is($rv, 0, 'Setting client CTX minimum version to bad value'); + + $rv = Net::SSLeay::CTX_set_min_proto_version($ctx_tls_client, $ver_min); + is($rv, 1, 'Setting client CTX minimum version back to good value'); + + $rv = Net::SSLeay::CTX_set_max_proto_version($ctx_tls_client, $ver_max); + is($rv, 1, 'Setting client CTX maximum version'); + + # This SSL should have min and max versions set based on its + # CTX. We test the getters later, if they exist. + $ssl_tls_client = Net::SSLeay::new($ctx_tls_client); + ok($ssl_tls_client, 'New SSL created from client CTX'); + + # This SSL should have min and max versions set to automatic based + # on its CTX. We change them now and test the getters later, if + # they exist. 
+ $ssl_tls_server = Net::SSLeay::new($ctx_tls_server); + ok($ssl_tls_server, 'New SSL created from server CTX'); + $rv = Net::SSLeay::set_min_proto_version($ssl_tls_server, Net::SSLeay::TLS1_VERSION()); + is($rv, 1, 'Setting SSL minimum version for ssl_tls_server'); + $rv = Net::SSLeay::set_max_proto_version($ssl_tls_server, Net::SSLeay::TLS1_2_VERSION()); + is($rv, 1, 'Setting SSL maximum version for ssl_tls_server'); +} +else +{ + SKIP: { + skip('Do not have Net::SSLeay::CTX_get_min_proto_version', 14); + }; +} + +# Having TLS_method() does not necessarily that proto getters are available +if ($ctx_tls && exists &Net::SSLeay::CTX_get_min_proto_version) +{ + my $ver; + $ver = Net::SSLeay::CTX_get_min_proto_version($ctx_tls); + ok(is_known_proto_version($ver), 'TLS_method CTX has known minimum version'); + $ver = Net::SSLeay::CTX_get_max_proto_version($ctx_tls); + ok(is_known_proto_version($ver), 'TLS_method CTX has known maximum version'); + + $ver = Net::SSLeay::get_min_proto_version($ssl_tls); + ok(is_known_proto_version($ver), 'SSL from TLS_method CTX has known minimum version'); + $ver = Net::SSLeay::get_max_proto_version($ssl_tls); + ok(is_known_proto_version($ver), 'SSL from TLS_method CTX has known maximum version'); + + # First see if our CTX has min and max settings enabled + $ver = Net::SSLeay::CTX_get_min_proto_version($ctx_tls_client); + is($ver, Net::SSLeay::TLS1_1_VERSION(), 'TLS_client CTX has minimum version correctly set'); + $ver = Net::SSLeay::CTX_get_max_proto_version($ctx_tls_client); + is($ver, Net::SSLeay::TLS1_2_VERSION(), 'TLS_client CTX has maximum version correctly set'); + + # Then see if our client SSL has min and max settings enabled + $ver = Net::SSLeay::get_min_proto_version($ssl_tls_client); + is($ver, Net::SSLeay::TLS1_1_VERSION(), 'SSL from TLS_client CTX has minimum version correctly set'); + $ver = Net::SSLeay::get_max_proto_version($ssl_tls_client); + is($ver, Net::SSLeay::TLS1_2_VERSION(), 'SSL from TLS_client CTX has maximum 
version correctly set'); + + # Then see if our server SSL has min and max settings enabled + $ver = Net::SSLeay::get_min_proto_version($ssl_tls_server); + is($ver, Net::SSLeay::TLS1_VERSION(), 'SSL from TLS_server CTX has minimum version correctly set'); + $ver = Net::SSLeay::get_max_proto_version($ssl_tls_server); + is($ver, Net::SSLeay::TLS1_2_VERSION(), 'SSL from TLS_server CTX has maximum version correctly set'); +} +else +{ + SKIP: { + skip('Do not have Net::SSLeay::CTX_get_min_proto_version', 10); + }; +} + +if (eval {Net::SSLeay::TLS1_3_VERSION()}) +{ + my $ver_1_2 = Net::SSLeay::TLS1_2_VERSION(); + ok($ver_1_2, "Net::SSLeay::TLS1_2_VERSION() returns non-false: $ver_1_2, hex " . sprintf('0x%04x', $ver_1_2)); + my $ver_1_3 = Net::SSLeay::TLS1_3_VERSION(); + ok($ver_1_3, "Net::SSLeay::TLS1_3_VERSION() returns non-false: $ver_1_3, hex " . sprintf('0x%04x', $ver_1_3)); + isnt($ver_1_2, $ver_1_3, 'Version 1_2 and 1_3 values are different'); + + my $rv = 0; + ok(eval {$rv = Net::SSLeay::OP_NO_TLSv1_3()}, 'Have OP_NO_TLSv1_3'); + isnt($rv, 0, 'OP_NO_TLSv1_3 returns non-zero value'); +} +else +{ + SKIP: { + skip('Do not have Net::SSLeay::TLS1_3_VERSION', 5); + }; +} + +exit(0); diff --git a/cpan/Net-SSLeay/t/local/10_rand.t b/cpan/Net-SSLeay/t/local/10_rand.t new file mode 100644 index 000000000000..fb0f0f3ce13c --- /dev/null +++ b/cpan/Net-SSLeay/t/local/10_rand.t 
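Review bot: The skip message in the proto-setter branch names the wrong function: the condition tested is `exists &Net::SSLeay::CTX_set_min_proto_version`, but its `else` reports `skip('Do not have Net::SSLeay::CTX_get_min_proto_version', 14);` — it should read `skip('Do not have Net::SSLeay::CTX_set_min_proto_version', 14);` so a skipped run points at the right symbol (the getter branch below correctly names CTX_get_min_proto_version). The two comments `# Having TLS_method() does not necessarily that proto setters are available` / `... getters are available` are missing a verb ("does not necessarily mean"). `is_known_proto_version` deliberately lists `SSL3_VERSION()` among the accepted values; a one-line comment stating that the helper only recognises constants libssl can report, and is not a policy check on acceptable versions, would prevent a reader from misreading it.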
@@ -0,0 +1,147 @@ +# RAND-related tests + +use lib 'inc'; + +use Net::SSLeay; +use Test::Net::SSLeay qw( data_file_path initialise_libssl is_libressl ); + +plan tests => 53; + +initialise_libssl(); + +is(Net::SSLeay::RAND_status(), 1, 'RAND_status'); +is(Net::SSLeay::RAND_poll(), 1, 'RAND_poll'); + +# RAND_file_name has significant differences between the two libraries +is_libressl() ? + test_rand_file_name_libressl() : + test_rand_file_name_openssl(); + +# RAND_load_file +my $binary_file = data_file_path('binary-test.file'); +my $binary_file_size = -s $binary_file; + +cmp_ok($binary_file_size, '>=', 1000, "Have binary file with good size: $binary_file $binary_file_size"); +is(Net::SSLeay::RAND_load_file($binary_file, $binary_file_size), $binary_file_size, 'RAND_load with specific size'); +if (Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER")) +{ + # RAND_load_file does nothing on LibreSSL but should return something sane + cmp_ok(Net::SSLeay::RAND_load_file($binary_file, -1), '>', 0, 'RAND_load with -1 is positive with LibreSSL'); +} else { + is(Net::SSLeay::RAND_load_file($binary_file, -1), $binary_file_size, 'RAND_load with -1 returns file size'); +} + +test_rand_bytes(); + +exit(0); + +# With LibreSSL RAND_file_name is expected to always succeed as long +# as the buffer size is large enough. Their manual states that it's +# implemented for API compatibility only and its use is discouraged. +sub test_rand_file_name_libressl +{ + my $file_name = Net::SSLeay::RAND_file_name(300); + isnt($file_name, undef, 'RAND_file_name returns defined value'); + isnt($file_name, q{}, "RAND_file_name returns non-empty string: $file_name"); + + $file_name = Net::SSLeay::RAND_file_name(2); + is($file_name, undef, "RAND_file_name return value is undef with too short buffer"); + + return; +} + +# With OpenSSL there are a number of options that affect +# RAND_file_name return value. 
Note: we override environment variables +# temporarily because some environments do not have HOME set or may +# already have RANDFILE set. We do not try to trigger a failure which +# happens if there's no HOME nor RANDFILE in order to keep the test +# from becoming overly complicated. +sub test_rand_file_name_openssl +{ + my $file_name; + local %ENV = %ENV; + delete $ENV{RANDFILE}; + + # NOTE: If there are test failures, are you using some type of + # setuid environment? If so, this may affect usability of + # environment variables. + + $ENV{HOME} = '/nosuchdir-1/home'; + $file_name = Net::SSLeay::RAND_file_name(300); + if (Net::SSLeay::SSLeay() >= 0x10100006 && Net::SSLeay::SSLeay() <= 0x1010000f) + { + # This was broken starting with 1.0.0-pre6 and fixed after 1.0.0 + is($file_name, q{}, "RAND_file_name return value is empty and doesn't include '.rnd'"); + } else { + like($file_name, qr/\.rnd/s, "RAND_file_name return value '$file_name' includes '.rnd'"); + } + + my $randfile = '/nosuchdir-2/randfile'; + $ENV{RANDFILE} = $randfile; + $file_name = Net::SSLeay::RAND_file_name(300); + if (Net::SSLeay::SSLeay() < 0x1010001f) { + # On Windows, and possibly other non-Unix systems, 1.0.2 + # series and earlier did not honour RANDFILE. 1.1.0a is an + # educated guess when it starts working with all platforms. + isnt($file_name, q{}, "RAND_file_name returns non-empty string when RANDFILE is set: $file_name"); + } else { + is($file_name, $randfile, "RAND_file_name return value '$file_name' is RANDFILE environment value"); + } + + # RANDFILE is longer than 2 octets. 
OpenSSL 1.1.0a and later + # return undef with short buffer + $file_name = Net::SSLeay::RAND_file_name(2); + if (Net::SSLeay::SSLeay() < 0x1010001f) { + is($file_name, q{}, "RAND_file_name return value is empty string with too short buffer"); + } else { + is($file_name, undef, "RAND_file_name return value is undef with too short buffer"); + } + + return; +} + +sub test_rand_bytes +{ + my ($ret, $rand_bytes, $rand_length, $rand_expected_length); + + my @rand_lengths = (0, 1, 1024, 65536, 1024**2); + + foreach $rand_expected_length (@rand_lengths) + { + $rand_length = $rand_expected_length; + $ret = Net::SSLeay::RAND_bytes($rand_bytes, $rand_length); + test_rand_bytes_results('RAND_bytes', $ret, $rand_bytes, $rand_length, $rand_expected_length); + } + + foreach $rand_expected_length (@rand_lengths) + { + $rand_length = $rand_expected_length; + $ret = Net::SSLeay::RAND_pseudo_bytes($rand_bytes, $rand_length); + test_rand_bytes_results('RAND_pseudo_bytes', $ret, $rand_bytes, $rand_length, $rand_expected_length); + } + + if (defined &Net::SSLeay::RAND_priv_bytes) + { + foreach $rand_expected_length (@rand_lengths) + { + $rand_length = $rand_expected_length; + $ret = Net::SSLeay::RAND_priv_bytes($rand_bytes, $rand_length); + test_rand_bytes_results('RAND_priv_bytes', $ret, $rand_bytes, $rand_length, $rand_expected_length); + } + } else { + SKIP : { + # Multiplier is the test count in test_rand_bytes_results + skip("Do not have Net::SSLeay::RAND_priv_bytes", ((scalar @rand_lengths) * 3)); + }; + } +} + +sub test_rand_bytes_results +{ + my ($func, $ret, $rand_bytes, $rand_length, $rand_expected_length) = @_; + + # RAND_bytes functions do not update their rand_length argument, but check for this + is($ret, 1, "$func: $rand_expected_length return value ok"); + is(length($rand_bytes), $rand_length, "$func: length of rand_bytes and rand_length match"); + is(length($rand_bytes), $rand_expected_length, "$func: length of rand_bytes is expected length $rand_length"); +} 
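Review bot: The version comment in `test_rand_file_name_openssl` does not match the numbers it explains: `0x10100006` to `0x1010000f` decode to 1.1.0-pre6 through the 1.1.0 release under OpenSSL's MNNFFPPS layout, yet the comment says `# This was broken starting with 1.0.0-pre6 and fixed after 1.0.0`; it should read `# This was broken starting with 1.1.0-pre6 and fixed after 1.1.0`, which also agrees with the `0x1010001f` / "1.1.0a" comment just below it. `RAND_pseudo_bytes` is exercised unguarded while `RAND_priv_bytes` is wrapped in `defined &Net::SSLeay::RAND_priv_bytes`; as RAND_pseudo_bytes is deprecated upstream, the same guard with a matching SKIP count would keep the test from dying on a build whose XS omits it (hedged — the XS is not visible here). The dispatch `is_libressl() ? test_rand_file_name_libressl() : test_rand_file_name_openssl();` is a ternary in void context; an `if`/`else` would read as the control flow it is.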
diff --git a/cpan/Net-SSLeay/t/local/11_read.t b/cpan/Net-SSLeay/t/local/11_read.t new file mode 100644 index 000000000000..bab0ec076aec --- /dev/null +++ b/cpan/Net-SSLeay/t/local/11_read.t 
@@ -0,0 +1,318 @@ +# Various SSL read and write related tests: SSL_read, SSL_peek, SSL_read_ex, +# SSL_peek_ex, SSL_write_ex, SSL_pending and SSL_has_pending + +use lib 'inc'; + +use Net::SSLeay; +use Test::Net::SSLeay qw( + can_fork data_file_path initialise_libssl tcp_socket +); + +use Storable; + +if (not can_fork()) { + plan skip_all => "fork() not supported on this system"; +} else { + plan tests => 53; +} + +initialise_libssl(); + +my $pid; +alarm(30); +END { kill 9,$pid if $pid } + +my $server = tcp_socket(); + +# See that lengths differ for all msgs +my $msg1 = "1 first message from server"; +my $msg2 = "2 second message from server"; +my $msg3 = "3 third message from server: pad"; + +my @rounds = qw(openssl openssl-1.1.0 openssl-1.1.1); + +sub server +{ + # SSL server - just handle connections, send to client and exit + my $cert_pem = data_file_path('simple-cert.cert.pem'); + my $key_pem = data_file_path('simple-cert.key.pem'); + + defined($pid = fork()) or BAIL_OUT("failed to fork: $!"); + if ($pid == 0) { + foreach my $round (@rounds) + { + my ($ctx, $ssl, $cl); + + next if skip_round($round); + + $cl = $server->accept(); + + $ctx = Net::SSLeay::CTX_new(); + Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem); + + $ssl = Net::SSLeay::new($ctx); + Net::SSLeay::set_fd($ssl, fileno($cl)); + Net::SSLeay::accept($ssl); + + Net::SSLeay::write($ssl, $msg1); + Net::SSLeay::write($ssl, $msg2); + + my $msg = Net::SSLeay::read($ssl); + Net::SSLeay::write($ssl, $msg); + Net::SSLeay::shutdown($ssl); + Net::SSLeay::free($ssl); + close($cl) || die("client close: $!"); + } + $server->close() || die("server listen socket close: $!"); + exit(0); + } +} + +sub client +{ + foreach my $round (@rounds) + { + my ($ctx, $ssl, $cl); + + $cl = $server->connect(); + + $ctx = Net::SSLeay::CTX_new(); + $ssl = Net::SSLeay::new($ctx); + + my ($reason, $num_tests) = skip_round($round); + if ($reason) { + SKIP: { + skip($reason, $num_tests); + } + next; + } + + round_openssl($ctx, 
$ssl, $cl) if $round eq 'openssl'; + round_openssl_1_1_0($ctx, $ssl, $cl) if $round eq 'openssl-1.1.0'; + round_openssl_1_1_1($ctx, $ssl, $cl) if $round eq 'openssl-1.1.1'; + + Net::SSLeay::shutdown($ssl); + Net::SSLeay::free($ssl); + close($cl) || die("client close: $!"); + } + $server->close() || die("client listen socket close: $!"); + return; +} + +# Returns list for skip() if we should skip this round, false if we +# shouldn't +sub skip_round +{ + my ($round) = @_; + + return if $round eq 'openssl'; + + if ($round eq 'openssl-1.1.0') { + if (Net::SSLeay::constant("OPENSSL_VERSION_NUMBER") < 0x1010000f || + Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER")) + { + return ("Need OpenSSL 1.1.0 or later", 6); + } else { + return; + } + } + + if ($round eq 'openssl-1.1.1') { + if (Net::SSLeay::constant("OPENSSL_VERSION_NUMBER") < 0x1010100f || + Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER")) + { + return ("Need OpenSSL 1.1.1 or later", 26); + } else { + return; + } + } + + diag("Unknown round: $round"); + return; +} + +sub round_openssl +{ + my ($ctx, $ssl, $cl) = @_; + + my ($peek_msg, $read_msg, $len, $err, $ret); + + # ssl is not connected yet + $peek_msg = Net::SSLeay::peek($ssl); + is($peek_msg, undef, "scalar: peek returns undef for closed ssl"); + + ($peek_msg, $len) = Net::SSLeay::peek($ssl); + is($peek_msg, undef, "list: peek returns undef for closed ssl"); + cmp_ok($len, '<=', 0, 'list: peek returns length <=0 for closed ssl'); + $err = Net::SSLeay::get_error($ssl, $len); + isnt($err, Net::SSLeay::ERROR_WANT_READ(), "peek err $err is not retryable WANT_READ"); + isnt($err, Net::SSLeay::ERROR_WANT_WRITE(), "peek err $err is not retryable WANT_WRITE"); + + $read_msg = Net::SSLeay::read($ssl); + is($read_msg, undef, "scalar: read returns undef for closed ssl"); + + ($read_msg, $len) = Net::SSLeay::read($ssl); + is($read_msg, undef, "list: read returns undef for closed ssl"); + cmp_ok($len, '<=', 0, 'list: read returns length <=0 for closed ssl'); + $err = 
Net::SSLeay::get_error($ssl, $len); + isnt($err, Net::SSLeay::ERROR_WANT_READ(), "read err $err is not retryable WANT_READ"); + isnt($err, Net::SSLeay::ERROR_WANT_WRITE(), "read err $err is not retryable WANT_WRITE"); + + $ret = Net::SSLeay::pending($ssl); + is($ret, 0, "pending returns 0 for closed ssl"); + + Net::SSLeay::set_fd($ssl, $cl); + Net::SSLeay::connect($ssl); + + # msg1 + $ret = Net::SSLeay::pending($ssl); + is($ret, 0, "pending returns 0"); + + $peek_msg = Net::SSLeay::peek($ssl); + is($peek_msg, $msg1, "scalar: peek returns msg1"); + + # processing was triggered by peek + $ret = Net::SSLeay::pending($ssl); + is($ret, length($msg1), "pending returns msg1 length"); + + ($peek_msg, $len) = Net::SSLeay::peek($ssl); + is($peek_msg, $msg1, "list: peek returns msg1"); + is($len, length($msg1), "list: peek returns msg1 length"); + + $read_msg = Net::SSLeay::read($ssl); + is($peek_msg, $read_msg, "scalar: read and peek agree about msg1"); + + # msg2 + $peek_msg = Net::SSLeay::peek($ssl); + is($peek_msg, $msg2, "scalar: peek returns msg2"); + + ($read_msg, $len) = Net::SSLeay::read($ssl); + is($peek_msg, $read_msg, "list: read and peek agree about msg2"); + is($len, length($msg2), "list: read returns msg2 length"); + + # msg3 + Net::SSLeay::write($ssl, $msg3); + is(Net::SSLeay::read($ssl), $msg3, "ping with msg3"); + + return; +} + +# Test has_pending and other functionality added in 1.1.0. 
+# Revisit: Better tests for has_pending +sub round_openssl_1_1_0 +{ + my ($ctx, $ssl, $cl) = @_; + + my ($peek_msg, $read_msg, $len, $err, $ret); + + # ssl is not connected yet + $ret = Net::SSLeay::has_pending($ssl); + is($ret, 0, "1.1.0: has_pending returns 0 for closed ssl"); + + Net::SSLeay::set_fd($ssl, $cl); + Net::SSLeay::connect($ssl); + + # msg1 + $ret = Net::SSLeay::has_pending($ssl); + is($ret, 0, "1.1.0: has_pending returns 0"); + + # This triggers processing after which we have pending data + $peek_msg = Net::SSLeay::peek($ssl); + is($peek_msg, $msg1, "1.1.0: peek returns msg1"); + + $ret = Net::SSLeay::has_pending($ssl); + is($ret, 1, "1.1.0: has_pending returns 1"); + + Net::SSLeay::read($ssl); # Read and discard + + $ret = Net::SSLeay::has_pending($ssl); + is($ret, 0, "1.1.0: has_pending returns 0 after read"); + + # msg2 + Net::SSLeay::read($ssl); # Read and discard + + # msg3 + Net::SSLeay::write($ssl, $msg3); + is(Net::SSLeay::read($ssl), $msg3, "1.1.0: ping with msg3"); + + return; +} + +sub round_openssl_1_1_1 +{ + my ($ctx, $ssl, $cl) = @_; + + my ($peek_msg, $read_msg, $len, $err, $err_ex, $ret); + + # ssl is not connected yet + ($peek_msg, $ret) = Net::SSLeay::peek_ex($ssl); + is($peek_msg, undef, "1.1.1: list: peek_ex returns undef message for closed ssl"); + is($ret, 0, '1.1.1: list: peek_ex returns 0 for closed ssl'); + $err = Net::SSLeay::get_error($ssl, $ret); + isnt($err, Net::SSLeay::ERROR_WANT_READ(), "1.1.1: peek_ex err $err is not retryable WANT_READ"); + isnt($err, Net::SSLeay::ERROR_WANT_WRITE(), "1.1.1: peek_ex err $err is not retryable WANT_WRITE"); + + ($read_msg, $len) = Net::SSLeay::read($ssl); + is($read_msg, undef, "1.1.1: list: read returns undef message for closed ssl"); + cmp_ok($len, '<=', 0, '1.1.1: list: read returns length <=0 for closed ssl'); + $err = Net::SSLeay::get_error($ssl, $len); + isnt($err, Net::SSLeay::ERROR_WANT_READ(), "1.1.1: read err $err is not retryable WANT_READ"); + isnt($err, 
Net::SSLeay::ERROR_WANT_WRITE(), "1.1.1: read err $err is not retryable WANT_WRITE"); + + ($read_msg, $ret) = Net::SSLeay::read_ex($ssl); + is($read_msg, undef, "1.1.1: list: read_ex returns undef message for closed sssl"); + is($ret, 0, "1.1.1: list: read_ex returns 0 for closed sssl"); + $err_ex = Net::SSLeay::get_error($ssl, $ret); + is ($err_ex, $err, '1.1.1: read_ex and read err are equal'); + + Net::SSLeay::set_fd($ssl, $cl); + Net::SSLeay::connect($ssl); + + # msg1 + $ret = Net::SSLeay::has_pending($ssl); + is($ret, 0, "1.1.1: has_pending returns 0"); + + # This triggers processing after which we have pending data + ($peek_msg, $ret) = Net::SSLeay::peek_ex($ssl); + is($peek_msg, $msg1, "1.1.1: list: peek_ex returns msg1"); + is($ret, 1, "1.1.1: list: peek_ex returns 1"); + + $len = Net::SSLeay::pending($ssl); + is($len, length($msg1), "1.1.1: pending returns msg1 length"); + + $ret = Net::SSLeay::has_pending($ssl); + is($ret, 1, "1.1.1: has_pending returns 1"); + + ($read_msg, $ret) = Net::SSLeay::read_ex($ssl); + is($read_msg, $msg1, "1.1.1: list: read_ex returns msg1"); + is($ret, 1, "1.1.1: list: read_ex returns 1"); + + $len = Net::SSLeay::pending($ssl); + is($len, 0, "1.1.1: pending returns 0 after read_ex"); + + $ret = Net::SSLeay::has_pending($ssl); + is($ret, 0, "1.1.1: has_pending returns 0 after read_ex"); + + # msg2 + Net::SSLeay::read($ssl); # Read and discard + + # msg3 + ($len, $ret) = Net::SSLeay::write_ex($ssl, $msg3); + is($len, length($msg3), "1.1.1: write_ex wrote all"); + is($ret, 1, "1.1.1: write_ex returns 1"); + + my ($read_msg1, $ret1) = Net::SSLeay::read_ex($ssl, 5); + my ($read_msg2, $ret2) = Net::SSLeay::read_ex($ssl, (length($msg3) - 5)); + + is($ret1, 1, '1.1.1: ping with msg3 part1 ok'); + is($ret2, 1, '1.1.1: ping with msg3 part2 ok'); + is(length($read_msg1), 5, '1.1.1: ping with msg3, part1 length was 5'); + is($read_msg1 . 
$read_msg2, $msg3, "1.1.1: ping with msg3 in two parts");
+
+ return;
+}
+
+server();
+client();
+waitpid $pid, 0;
+exit(0);
diff --git a/cpan/Net-SSLeay/t/local/15_bio.t b/cpan/Net-SSLeay/t/local/15_bio.t
new file mode 100644
index 000000000000..1a7751f47dbb
--- /dev/null
+++ b/cpan/Net-SSLeay/t/local/15_bio.t
@@ -0,0 +1,23 @@
+use lib 'inc';
+
+use Net::SSLeay;
+use Test::Net::SSLeay qw(initialise_libssl);
+
+plan tests => 7;
+
+initialise_libssl();
+
+my $data = '0123456789' x 100;
+my $len = length $data;
+
+ok( my $bio = Net::SSLeay::BIO_new( &Net::SSLeay::BIO_s_mem ), 'BIO_new' );
+is( Net::SSLeay::BIO_write($bio, $data), $len, 'BIO_write' );
+is( Net::SSLeay::BIO_pending($bio), $len, 'BIO_pending' );
+
+my $read_len = 9;
+is( Net::SSLeay::BIO_read($bio, $read_len), substr($data, 0, $read_len), 'BIO_read part' );
+is( Net::SSLeay::BIO_pending($bio), $len - $read_len, 'BIO_pending' );
+
+is( Net::SSLeay::BIO_read($bio), substr($data, $read_len), 'BIO_read rest' );
+
+ok( Net::SSLeay::BIO_free($bio), 'BIO_free' );
diff --git a/cpan/Net-SSLeay/t/local/20_functions.t b/cpan/Net-SSLeay/t/local/20_functions.t
new file mode 100644
index 000000000000..98bdba9ce70e
--- /dev/null
+++ b/cpan/Net-SSLeay/t/local/20_functions.t
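Review bot: The handshake results are never checked: the `Net::SSLeay::connect($ssl)` calls in round_openssl, round_openssl_1_1_0 and round_openssl_1_1_1, and `Net::SSLeay::accept($ssl)` in server(), all discard their return value, so a failed handshake shows up only as a cascade of later peek/read mismatches instead of one pointed failure. server() already uses BAIL_OUT, so a guard of the form `Net::SSLeay::connect($ssl) == 1 or BAIL_OUT("SSL connect failed: " . Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error()))` (and the accept counterpart in the child) names the cause without changing the plan of 53. Neither side calls `Net::SSLeay::CTX_free($ctx)` after `Net::SSLeay::free($ssl)`, so one context per round is leaked; harmless in a test bounded by `alarm(30)`, but a one-line fix. In client(), `$cl = $server->connect()` runs before the skip_round() check, so a skipped round still opens a connection that the server child never accepts; moving the skip check ahead of the connect keeps the two sides symmetric.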
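Review bot: `&Net::SSLeay::BIO_s_mem` in the BIO_new call uses the ampersand call form without parentheses, which passes the caller's current @_ through and bypasses any prototype; at file scope @_ is empty, so it is harmless here, but the rest of the file and the sibling tests use the plain call form, and `Net::SSLeay::BIO_new( Net::SSLeay::BIO_s_mem() )` says the same thing without the footgun.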
@@ -0,0 +1,53 @@
+# Checks whether (a subset of) the functions that should be exported by
+# Net::SSLeay can be autoloaded. This script does not check whether constants
+# can be autoloaded - see t/local/21_constants.t for that.
+
+use lib 'inc';
+
+use Net::SSLeay;
+use Test::Net::SSLeay qw(dies_like);
+
+my @functions = qw(
+ die_if_ssl_error
+ die_now
+ do_https
+ dump_peer_certificate
+ get_http
+ get_http4
+ get_https
+ get_https3
+ get_https4
+ get_httpx
+ get_httpx4
+ make_form
+ make_headers
+ post_http
+ post_http4
+ post_https
+ post_https3
+ post_https4
+ post_httpx
+ post_httpx4
+ print_errs
+ set_cert_and_key
+ set_server_cert_and_key
+ sslcat
+ tcpcat
+ tcpxcat
+);
+
+plan tests => @functions + 1;
+
+for (@functions) {
+ dies_like(
+ sub { "Net::SSLeay::$_"->(); die "ok\n" },
+ qr/^(?!Can't locate .*\.al in \@INC)/,
+ "function is autoloadable: $_"
+ );
+}
+
+dies_like(
+ sub { Net::SSLeay::doesnt_exist() },
+ qr/^Can't locate .*\.al in \@INC/,
+ 'nonexistent function is not autoloadable'
+);
diff --git a/cpan/Net-SSLeay/t/local/21_constants.t b/cpan/Net-SSLeay/t/local/21_constants.t
new file mode 100644
index 000000000000..611583a63e57
--- /dev/null
+++ b/cpan/Net-SSLeay/t/local/21_constants.t
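Review bot: The positive tests can pass vacuously: `"Net::SSLeay::$_"->()` is a symbolic reference, and the expected pattern `qr/^(?!Can't locate .*\.al in \@INC)/` accepts any exception that is not an autoloader failure, including the `Can't use string ... as a subroutine ref while "strict refs" in use` error that strict raises before any autoloading is attempted. The generated 21_constants.t that follows opts out with `no strict 'refs';` and a comment explaining why, which suggests Test::Net::SSLeay turns strict on for the caller; if so this file needs the same line, otherwise the 26 loop tests never reach the AUTOLOAD path they claim to check. The pattern would also be stronger if it rejected that specific error rather than accepting everything else, e.g. `qr/^(?!Can't locate .*\.al in \@INC|Can't use string)/`.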
@@ -0,0 +1,646 @@ +# This file is automatically generated - do not manually modify it. +# +# To add or remove a constant, edit helper_script/constants.txt, then run +# helper_script/update-exported-constants. + +use lib 'inc'; + +use Net::SSLeay; +use Test::Net::SSLeay qw(dies_like); + +# We rely on symbolic references in the dies_like() tests: +no strict 'refs'; + +plan tests => 607; + +my @constants = qw( + ASN1_STRFLGS_ESC_CTRL + ASN1_STRFLGS_ESC_MSB + ASN1_STRFLGS_ESC_QUOTE + ASN1_STRFLGS_RFC2253 + CB_ACCEPT_EXIT + CB_ACCEPT_LOOP + CB_ALERT + CB_CONNECT_EXIT + CB_CONNECT_LOOP + CB_EXIT + CB_HANDSHAKE_DONE + CB_HANDSHAKE_START + CB_LOOP + CB_READ + CB_READ_ALERT + CB_WRITE + CB_WRITE_ALERT + ERROR_NONE + ERROR_SSL + ERROR_SYSCALL + ERROR_WANT_ACCEPT + ERROR_WANT_CONNECT + ERROR_WANT_READ + ERROR_WANT_WRITE + ERROR_WANT_X509_LOOKUP + ERROR_ZERO_RETURN + EVP_PKS_DSA + EVP_PKS_EC + EVP_PKS_RSA + EVP_PKT_ENC + EVP_PKT_EXCH + EVP_PKT_EXP + EVP_PKT_SIGN + EVP_PK_DH + EVP_PK_DSA + EVP_PK_EC + EVP_PK_RSA + FILETYPE_ASN1 + FILETYPE_PEM + F_CLIENT_CERTIFICATE + F_CLIENT_HELLO + F_CLIENT_MASTER_KEY + F_D2I_SSL_SESSION + F_GET_CLIENT_FINISHED + F_GET_CLIENT_HELLO + F_GET_CLIENT_MASTER_KEY + F_GET_SERVER_FINISHED + F_GET_SERVER_HELLO + F_GET_SERVER_VERIFY + F_I2D_SSL_SESSION + F_READ_N + F_REQUEST_CERTIFICATE + F_SERVER_HELLO + F_SSL_CERT_NEW + F_SSL_GET_NEW_SESSION + F_SSL_NEW + F_SSL_READ + F_SSL_RSA_PRIVATE_DECRYPT + F_SSL_RSA_PUBLIC_ENCRYPT + F_SSL_SESSION_NEW + F_SSL_SESSION_PRINT_FP + F_SSL_SET_FD + F_SSL_SET_RFD + F_SSL_SET_WFD + F_SSL_USE_CERTIFICATE + F_SSL_USE_CERTIFICATE_ASN1 + F_SSL_USE_CERTIFICATE_FILE + F_SSL_USE_PRIVATEKEY + F_SSL_USE_PRIVATEKEY_ASN1 + F_SSL_USE_PRIVATEKEY_FILE + F_SSL_USE_RSAPRIVATEKEY + F_SSL_USE_RSAPRIVATEKEY_ASN1 + F_SSL_USE_RSAPRIVATEKEY_FILE + F_WRITE_PENDING + GEN_DIRNAME + GEN_DNS + GEN_EDIPARTY + GEN_EMAIL + GEN_IPADD + GEN_OTHERNAME + GEN_RID + GEN_URI + GEN_X400 + LIBRESSL_VERSION_NUMBER + MBSTRING_ASC + MBSTRING_BMP + MBSTRING_FLAG 
+ MBSTRING_UNIV + MBSTRING_UTF8 + MIN_RSA_MODULUS_LENGTH_IN_BYTES + MODE_ACCEPT_MOVING_WRITE_BUFFER + MODE_AUTO_RETRY + MODE_ENABLE_PARTIAL_WRITE + MODE_RELEASE_BUFFERS + NID_OCSP_sign + NID_SMIMECapabilities + NID_X500 + NID_X509 + NID_ad_OCSP + NID_ad_ca_issuers + NID_algorithm + NID_authority_key_identifier + NID_basic_constraints + NID_bf_cbc + NID_bf_cfb64 + NID_bf_ecb + NID_bf_ofb64 + NID_cast5_cbc + NID_cast5_cfb64 + NID_cast5_ecb + NID_cast5_ofb64 + NID_certBag + NID_certificate_policies + NID_client_auth + NID_code_sign + NID_commonName + NID_countryName + NID_crlBag + NID_crl_distribution_points + NID_crl_number + NID_crl_reason + NID_delta_crl + NID_des_cbc + NID_des_cfb64 + NID_des_ecb + NID_des_ede + NID_des_ede3 + NID_des_ede3_cbc + NID_des_ede3_cfb64 + NID_des_ede3_ofb64 + NID_des_ede_cbc + NID_des_ede_cfb64 + NID_des_ede_ofb64 + NID_des_ofb64 + NID_description + NID_desx_cbc + NID_dhKeyAgreement + NID_dnQualifier + NID_dsa + NID_dsaWithSHA + NID_dsaWithSHA1 + NID_dsaWithSHA1_2 + NID_dsa_2 + NID_email_protect + NID_ext_key_usage + NID_ext_req + NID_friendlyName + NID_givenName + NID_hmacWithSHA1 + NID_id_ad + NID_id_ce + NID_id_kp + NID_id_pbkdf2 + NID_id_pe + NID_id_pkix + NID_id_qt_cps + NID_id_qt_unotice + NID_idea_cbc + NID_idea_cfb64 + NID_idea_ecb + NID_idea_ofb64 + NID_info_access + NID_initials + NID_invalidity_date + NID_issuer_alt_name + NID_keyBag + NID_key_usage + NID_localKeyID + NID_localityName + NID_md2 + NID_md2WithRSAEncryption + NID_md5 + NID_md5WithRSA + NID_md5WithRSAEncryption + NID_md5_sha1 + NID_mdc2 + NID_mdc2WithRSA + NID_ms_code_com + NID_ms_code_ind + NID_ms_ctl_sign + NID_ms_efs + NID_ms_ext_req + NID_ms_sgc + NID_name + NID_netscape + NID_netscape_base_url + NID_netscape_ca_policy_url + NID_netscape_ca_revocation_url + NID_netscape_cert_extension + NID_netscape_cert_sequence + NID_netscape_cert_type + NID_netscape_comment + NID_netscape_data_type + NID_netscape_renewal_url + NID_netscape_revocation_url + 
NID_netscape_ssl_server_name + NID_ns_sgc + NID_organizationName + NID_organizationalUnitName + NID_pbeWithMD2AndDES_CBC + NID_pbeWithMD2AndRC2_CBC + NID_pbeWithMD5AndCast5_CBC + NID_pbeWithMD5AndDES_CBC + NID_pbeWithMD5AndRC2_CBC + NID_pbeWithSHA1AndDES_CBC + NID_pbeWithSHA1AndRC2_CBC + NID_pbe_WithSHA1And128BitRC2_CBC + NID_pbe_WithSHA1And128BitRC4 + NID_pbe_WithSHA1And2_Key_TripleDES_CBC + NID_pbe_WithSHA1And3_Key_TripleDES_CBC + NID_pbe_WithSHA1And40BitRC2_CBC + NID_pbe_WithSHA1And40BitRC4 + NID_pbes2 + NID_pbmac1 + NID_pkcs + NID_pkcs3 + NID_pkcs7 + NID_pkcs7_data + NID_pkcs7_digest + NID_pkcs7_encrypted + NID_pkcs7_enveloped + NID_pkcs7_signed + NID_pkcs7_signedAndEnveloped + NID_pkcs8ShroudedKeyBag + NID_pkcs9 + NID_pkcs9_challengePassword + NID_pkcs9_contentType + NID_pkcs9_countersignature + NID_pkcs9_emailAddress + NID_pkcs9_extCertAttributes + NID_pkcs9_messageDigest + NID_pkcs9_signingTime + NID_pkcs9_unstructuredAddress + NID_pkcs9_unstructuredName + NID_private_key_usage_period + NID_rc2_40_cbc + NID_rc2_64_cbc + NID_rc2_cbc + NID_rc2_cfb64 + NID_rc2_ecb + NID_rc2_ofb64 + NID_rc4 + NID_rc4_40 + NID_rc5_cbc + NID_rc5_cfb64 + NID_rc5_ecb + NID_rc5_ofb64 + NID_ripemd160 + NID_ripemd160WithRSA + NID_rle_compression + NID_rsa + NID_rsaEncryption + NID_rsadsi + NID_safeContentsBag + NID_sdsiCertificate + NID_secretBag + NID_serialNumber + NID_server_auth + NID_sha + NID_sha1 + NID_sha1WithRSA + NID_sha1WithRSAEncryption + NID_shaWithRSAEncryption + NID_stateOrProvinceName + NID_subject_alt_name + NID_subject_key_identifier + NID_surname + NID_sxnet + NID_time_stamp + NID_title + NID_undef + NID_uniqueIdentifier + NID_x509Certificate + NID_x509Crl + NID_zlib_compression + NOTHING + OCSP_RESPONSE_STATUS_INTERNALERROR + OCSP_RESPONSE_STATUS_MALFORMEDREQUEST + OCSP_RESPONSE_STATUS_SIGREQUIRED + OCSP_RESPONSE_STATUS_SUCCESSFUL + OCSP_RESPONSE_STATUS_TRYLATER + OCSP_RESPONSE_STATUS_UNAUTHORIZED + OPENSSL_BUILT_ON + OPENSSL_CFLAGS + OPENSSL_CPU_INFO + OPENSSL_DIR 
+ OPENSSL_ENGINES_DIR + OPENSSL_FULL_VERSION_STRING + OPENSSL_INFO_CONFIG_DIR + OPENSSL_INFO_CPU_SETTINGS + OPENSSL_INFO_DIR_FILENAME_SEPARATOR + OPENSSL_INFO_DSO_EXTENSION + OPENSSL_INFO_ENGINES_DIR + OPENSSL_INFO_LIST_SEPARATOR + OPENSSL_INFO_MODULES_DIR + OPENSSL_INFO_SEED_SOURCE + OPENSSL_MODULES_DIR + OPENSSL_PLATFORM + OPENSSL_VERSION + OPENSSL_VERSION_MAJOR + OPENSSL_VERSION_MINOR + OPENSSL_VERSION_NUMBER + OPENSSL_VERSION_PATCH + OPENSSL_VERSION_STRING + OP_ALL + OP_ALLOW_NO_DHE_KEX + OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION + OP_CIPHER_SERVER_PREFERENCE + OP_CISCO_ANYCONNECT + OP_COOKIE_EXCHANGE + OP_CRYPTOPRO_TLSEXT_BUG + OP_DONT_INSERT_EMPTY_FRAGMENTS + OP_ENABLE_MIDDLEBOX_COMPAT + OP_EPHEMERAL_RSA + OP_LEGACY_SERVER_CONNECT + OP_MICROSOFT_BIG_SSLV3_BUFFER + OP_MICROSOFT_SESS_ID_BUG + OP_MSIE_SSLV2_RSA_PADDING + OP_NETSCAPE_CA_DN_BUG + OP_NETSCAPE_CHALLENGE_BUG + OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG + OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG + OP_NON_EXPORT_FIRST + OP_NO_ANTI_REPLAY + OP_NO_CLIENT_RENEGOTIATION + OP_NO_COMPRESSION + OP_NO_ENCRYPT_THEN_MAC + OP_NO_QUERY_MTU + OP_NO_RENEGOTIATION + OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION + OP_NO_SSL_MASK + OP_NO_SSLv2 + OP_NO_SSLv3 + OP_NO_TICKET + OP_NO_TLSv1 + OP_NO_TLSv1_1 + OP_NO_TLSv1_2 + OP_NO_TLSv1_3 + OP_PKCS1_CHECK_1 + OP_PKCS1_CHECK_2 + OP_PRIORITIZE_CHACHA + OP_SAFARI_ECDHE_ECDSA_BUG + OP_SINGLE_DH_USE + OP_SINGLE_ECDH_USE + OP_SSLEAY_080_CLIENT_DH_BUG + OP_SSLREF2_REUSE_CERT_TYPE_BUG + OP_TLSEXT_PADDING + OP_TLS_BLOCK_PADDING_BUG + OP_TLS_D5_BUG + OP_TLS_ROLLBACK_BUG + READING + RECEIVED_SHUTDOWN + RSA_3 + RSA_F4 + R_BAD_AUTHENTICATION_TYPE + R_BAD_CHECKSUM + R_BAD_MAC_DECODE + R_BAD_RESPONSE_ARGUMENT + R_BAD_SSL_FILETYPE + R_BAD_SSL_SESSION_ID_LENGTH + R_BAD_STATE + R_BAD_WRITE_RETRY + R_CHALLENGE_IS_DIFFERENT + R_CIPHER_TABLE_SRC_ERROR + R_INVALID_CHALLENGE_LENGTH + R_NO_CERTIFICATE_SET + R_NO_CERTIFICATE_SPECIFIED + R_NO_CIPHER_LIST + R_NO_CIPHER_MATCH + R_NO_PRIVATEKEY + R_NO_PUBLICKEY + 
R_NULL_SSL_CTX + R_PEER_DID_NOT_RETURN_A_CERTIFICATE + R_PEER_ERROR + R_PEER_ERROR_CERTIFICATE + R_PEER_ERROR_NO_CIPHER + R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE + R_PUBLIC_KEY_ENCRYPT_ERROR + R_PUBLIC_KEY_IS_NOT_RSA + R_READ_WRONG_PACKET_TYPE + R_SHORT_READ + R_SSL_SESSION_ID_IS_DIFFERENT + R_UNABLE_TO_EXTRACT_PUBLIC_KEY + R_UNKNOWN_REMOTE_ERROR_TYPE + R_UNKNOWN_STATE + R_X509_LIB + SENT_SHUTDOWN + SESSION_ASN1_VERSION + SESS_CACHE_BOTH + SESS_CACHE_CLIENT + SESS_CACHE_NO_AUTO_CLEAR + SESS_CACHE_NO_INTERNAL + SESS_CACHE_NO_INTERNAL_LOOKUP + SESS_CACHE_NO_INTERNAL_STORE + SESS_CACHE_OFF + SESS_CACHE_SERVER + SSL2_MT_CLIENT_CERTIFICATE + SSL2_MT_CLIENT_FINISHED + SSL2_MT_CLIENT_HELLO + SSL2_MT_CLIENT_MASTER_KEY + SSL2_MT_ERROR + SSL2_MT_REQUEST_CERTIFICATE + SSL2_MT_SERVER_FINISHED + SSL2_MT_SERVER_HELLO + SSL2_MT_SERVER_VERIFY + SSL2_VERSION + SSL3_MT_CCS + SSL3_MT_CERTIFICATE + SSL3_MT_CERTIFICATE_REQUEST + SSL3_MT_CERTIFICATE_STATUS + SSL3_MT_CERTIFICATE_URL + SSL3_MT_CERTIFICATE_VERIFY + SSL3_MT_CHANGE_CIPHER_SPEC + SSL3_MT_CLIENT_HELLO + SSL3_MT_CLIENT_KEY_EXCHANGE + SSL3_MT_ENCRYPTED_EXTENSIONS + SSL3_MT_END_OF_EARLY_DATA + SSL3_MT_FINISHED + SSL3_MT_HELLO_REQUEST + SSL3_MT_KEY_UPDATE + SSL3_MT_MESSAGE_HASH + SSL3_MT_NEWSESSION_TICKET + SSL3_MT_NEXT_PROTO + SSL3_MT_SERVER_DONE + SSL3_MT_SERVER_HELLO + SSL3_MT_SERVER_KEY_EXCHANGE + SSL3_MT_SUPPLEMENTAL_DATA + SSL3_RT_ALERT + SSL3_RT_APPLICATION_DATA + SSL3_RT_CHANGE_CIPHER_SPEC + SSL3_RT_HANDSHAKE + SSL3_RT_HEADER + SSL3_RT_INNER_CONTENT_TYPE + SSL3_VERSION + SSLEAY_BUILT_ON + SSLEAY_CFLAGS + SSLEAY_DIR + SSLEAY_PLATFORM + SSLEAY_VERSION + ST_ACCEPT + ST_BEFORE + ST_CONNECT + ST_INIT + ST_OK + ST_READ_BODY + ST_READ_HEADER + TLS1_1_VERSION + TLS1_2_VERSION + TLS1_3_VERSION + TLS1_VERSION + TLSEXT_STATUSTYPE_ocsp + VERIFY_CLIENT_ONCE + VERIFY_FAIL_IF_NO_PEER_CERT + VERIFY_NONE + VERIFY_PEER + VERIFY_POST_HANDSHAKE + V_OCSP_CERTSTATUS_GOOD + V_OCSP_CERTSTATUS_REVOKED + V_OCSP_CERTSTATUS_UNKNOWN + WRITING + 
X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT + X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS + X509_CHECK_FLAG_NEVER_CHECK_SUBJECT + X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS + X509_CHECK_FLAG_NO_WILDCARDS + X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS + X509_FILETYPE_ASN1 + X509_FILETYPE_DEFAULT + X509_FILETYPE_PEM + X509_LOOKUP + X509_PURPOSE_ANY + X509_PURPOSE_CRL_SIGN + X509_PURPOSE_NS_SSL_SERVER + X509_PURPOSE_OCSP_HELPER + X509_PURPOSE_SMIME_ENCRYPT + X509_PURPOSE_SMIME_SIGN + X509_PURPOSE_SSL_CLIENT + X509_PURPOSE_SSL_SERVER + X509_PURPOSE_TIMESTAMP_SIGN + X509_TRUST_COMPAT + X509_TRUST_EMAIL + X509_TRUST_OBJECT_SIGN + X509_TRUST_OCSP_REQUEST + X509_TRUST_OCSP_SIGN + X509_TRUST_SSL_CLIENT + X509_TRUST_SSL_SERVER + X509_TRUST_TSA + X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH + X509_V_ERR_AKID_SKID_MISMATCH + X509_V_ERR_APPLICATION_VERIFICATION + X509_V_ERR_CA_KEY_TOO_SMALL + X509_V_ERR_CA_MD_TOO_WEAK + X509_V_ERR_CERT_CHAIN_TOO_LONG + X509_V_ERR_CERT_HAS_EXPIRED + X509_V_ERR_CERT_NOT_YET_VALID + X509_V_ERR_CERT_REJECTED + X509_V_ERR_CERT_REVOKED + X509_V_ERR_CERT_SIGNATURE_FAILURE + X509_V_ERR_CERT_UNTRUSTED + X509_V_ERR_CRL_HAS_EXPIRED + X509_V_ERR_CRL_NOT_YET_VALID + X509_V_ERR_CRL_PATH_VALIDATION_ERROR + X509_V_ERR_CRL_SIGNATURE_FAILURE + X509_V_ERR_DANE_NO_MATCH + X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT + X509_V_ERR_DIFFERENT_CRL_SCOPE + X509_V_ERR_EE_KEY_TOO_SMALL + X509_V_ERR_EMAIL_MISMATCH + X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD + X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD + X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD + X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD + X509_V_ERR_EXCLUDED_VIOLATION + X509_V_ERR_HOSTNAME_MISMATCH + X509_V_ERR_INVALID_CA + X509_V_ERR_INVALID_CALL + X509_V_ERR_INVALID_EXTENSION + X509_V_ERR_INVALID_NON_CA + X509_V_ERR_INVALID_POLICY_EXTENSION + X509_V_ERR_INVALID_PURPOSE + X509_V_ERR_IP_ADDRESS_MISMATCH + X509_V_ERR_KEYUSAGE_NO_CERTSIGN + X509_V_ERR_KEYUSAGE_NO_CRL_SIGN + X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE + X509_V_ERR_NO_EXPLICIT_POLICY + 
X509_V_ERR_NO_VALID_SCTS + X509_V_ERR_OCSP_CERT_UNKNOWN + X509_V_ERR_OCSP_VERIFY_FAILED + X509_V_ERR_OCSP_VERIFY_NEEDED + X509_V_ERR_OUT_OF_MEM + X509_V_ERR_PATH_LENGTH_EXCEEDED + X509_V_ERR_PATH_LOOP + X509_V_ERR_PERMITTED_VIOLATION + X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED + X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED + X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION + X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN + X509_V_ERR_STORE_LOOKUP + X509_V_ERR_SUBJECT_ISSUER_MISMATCH + X509_V_ERR_SUBTREE_MINMAX + X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 + X509_V_ERR_SUITE_B_INVALID_ALGORITHM + X509_V_ERR_SUITE_B_INVALID_CURVE + X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM + X509_V_ERR_SUITE_B_INVALID_VERSION + X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED + X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY + X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE + X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE + X509_V_ERR_UNABLE_TO_GET_CRL + X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY + X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE + X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION + X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION + X509_V_ERR_UNNESTED_RESOURCE + X509_V_ERR_UNSPECIFIED + X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX + X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE + X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE + X509_V_ERR_UNSUPPORTED_NAME_SYNTAX + X509_V_FLAG_ALLOW_PROXY_CERTS + X509_V_FLAG_CB_ISSUER_CHECK + X509_V_FLAG_CHECK_SS_SIGNATURE + X509_V_FLAG_CRL_CHECK + X509_V_FLAG_CRL_CHECK_ALL + X509_V_FLAG_EXPLICIT_POLICY + X509_V_FLAG_EXTENDED_CRL_SUPPORT + X509_V_FLAG_IGNORE_CRITICAL + X509_V_FLAG_INHIBIT_ANY + X509_V_FLAG_INHIBIT_MAP + X509_V_FLAG_LEGACY_VERIFY + X509_V_FLAG_NOTIFY_POLICY + X509_V_FLAG_NO_ALT_CHAINS + X509_V_FLAG_NO_CHECK_TIME + X509_V_FLAG_PARTIAL_CHAIN + X509_V_FLAG_POLICY_CHECK + X509_V_FLAG_POLICY_MASK + X509_V_FLAG_SUITEB_128_LOS + X509_V_FLAG_SUITEB_128_LOS_ONLY + X509_V_FLAG_SUITEB_192_LOS + X509_V_FLAG_TRUSTED_FIRST + 
X509_V_FLAG_USE_CHECK_TIME + X509_V_FLAG_USE_DELTAS + X509_V_FLAG_X509_STRICT + X509_V_OK + XN_FLAG_COMPAT + XN_FLAG_DN_REV + XN_FLAG_DUMP_UNKNOWN_FIELDS + XN_FLAG_FN_ALIGN + XN_FLAG_FN_LN + XN_FLAG_FN_MASK + XN_FLAG_FN_NONE + XN_FLAG_FN_OID + XN_FLAG_FN_SN + XN_FLAG_MULTILINE + XN_FLAG_ONELINE + XN_FLAG_RFC2253 + XN_FLAG_SEP_COMMA_PLUS + XN_FLAG_SEP_CPLUS_SPC + XN_FLAG_SEP_MASK + XN_FLAG_SEP_MULTILINE + XN_FLAG_SEP_SPLUS_SPC + XN_FLAG_SPC_EQ +); + +my %exported = map { $_ => 1 } @Net::SSLeay::EXPORT_OK; +my @missing; + +for my $c (@constants) { + dies_like( + sub { "Net::SSLeay::$c"->(); die "ok\n"; }, + qr/^(?:ok\n$|Your vendor has not defined SSLeay macro )/, + "constant is exported or not defined: $c" + ); + push @missing, $c if !exists $exported{$c}; +} + +is( + join( q{,}, sort @missing ), + '', + 'no constants missing from @EXPORT_OK (total missing: ' . scalar(@missing) . ')' +); + +dies_like( + sub { Net::SSLeay::_NET_SSLEAY_TEST_UNDEFINED_CONSTANT() }, + qr/^Your vendor has not defined SSLeay macro _NET_SSLEAY_TEST_UNDEFINED_CONSTANT/, + 'referencing an undefined constant raises an exception' +); diff --git a/cpan/Net-SSLeay/t/local/22_provider.t b/cpan/Net-SSLeay/t/local/22_provider.t new file mode 100644 index 000000000000..74c89d2387a7 --- /dev/null +++ b/cpan/Net-SSLeay/t/local/22_provider.t 
@@ -0,0 +1,106 @@
+use lib 'inc';
+
+use Net::SSLeay;
+use Test::Net::SSLeay (initialise_libssl);
+
+# We don't do intialise_libssl() now because we want to want to
+# trigger automatic loading of the default provider.
+#
+# Quote from
+# https://www.openssl.org/docs/manmaster/man7/OSSL_PROVIDER-default.html
+# about default provider:
+#
+# It is loaded automatically the first time that an algorithm is
+# fetched from a provider or a function acting on providers is
+# called and no other provider has been loaded yet.
+#
+#initialise_libssl(); # Don't do this
+
+if (defined &Net::SSLeay::OSSL_PROVIDER_load) {
+ plan(tests => 16);
+} else {
+ plan(skip_all => "no support for providers");
+}
+
+# Supplied OpenSSL configuration file may load unwanted providers.
+local $ENV{OPENSSL_CONF} = '';
+
+# provider loading, availability and unloading
+{
+ # See top of file why things are done in this order. We don't want
+ # to load the default provider automatically.
+
+ my $null_provider = Net::SSLeay::OSSL_PROVIDER_load(undef, 'null');
+ ok($null_provider, 'null provider load returns a pointer');
+ my $null_avail = Net::SSLeay::OSSL_PROVIDER_available(undef, 'null');
+ is($null_avail, 1, 'null provider loaded and available');
+
+ my $default_avail = Net::SSLeay::OSSL_PROVIDER_available(undef, 'default');
+ is($default_avail, 0, 'default provider not loaded, not available');
+ if ($default_avail)
+ {
+ diag('Default provider was already available. 
More provider tests in this and other provider test files may fail');
+ diag('If your configuration loads the default provider, consider ignoring the errors or using OPENSSL_CONF environment variable');
+ diag('For example: OPENSSL_CONF=/path/to/openssl/ssl/openssl.cnf.dist make test');
+ }
+
+ my $null_unload = Net::SSLeay::OSSL_PROVIDER_unload($null_provider);
+ is($null_unload, 1, 'null provider successfully unloaded');
+ $null_avail = Net::SSLeay::OSSL_PROVIDER_available(undef, 'null');
+ is($null_avail, 0, 'null provider is no longer available');
+
+ $default_avail = Net::SSLeay::OSSL_PROVIDER_available(undef, 'default');
+ is($default_avail, 0, 'default provider still not loaded, not available');
+
+ my $default_provider_undef_libctx = Net::SSLeay::OSSL_PROVIDER_load(undef, 'default');
+ ok($default_provider_undef_libctx, 'default provider with NULL libctx loaded successfully');
+
+ my $libctx = Net::SSLeay::OSSL_LIB_CTX_get0_global_default();
+ ok($libctx, 'OSSL_LIB_CTX_get0_global_default() returns a pointer');
+
+ my $default_provider_default_libctx = Net::SSLeay::OSSL_PROVIDER_load($libctx, 'default');
+ ok($default_provider_default_libctx, 'default provider with default libctx loaded successfully');
+ is($default_provider_default_libctx, $default_provider_undef_libctx, 'OSSL_PROVIDER_load with undef and defined libctx return the same pointer');
+}
+
+
+# get0_name, selftest
+{
+ my $null_provider = Net::SSLeay::OSSL_PROVIDER_load(undef, 'null');
+ my $default_provider = Net::SSLeay::OSSL_PROVIDER_load(undef, 'default');
+
+ is(Net::SSLeay::OSSL_PROVIDER_get0_name($null_provider), 'null', 'get0_name for null provider');
+ is(Net::SSLeay::OSSL_PROVIDER_get0_name($default_provider), 'default', 'get0_name for default provider');
+
+ is(Net::SSLeay::OSSL_PROVIDER_self_test($null_provider), 1, 'self_test for null provider');
+ is(Net::SSLeay::OSSL_PROVIDER_self_test($default_provider), 1, 'self_test for default provider');
+}
+
+
+# do_all
+{
+ my 
%seen_providers;
+ sub all_cb {
+ my ($provider_cb, $cbdata_cb) = @_;
+
+ fail('provider already seen') if exists $seen_providers{$provider_cb};
+ $seen_providers{$provider_cb} = $cbdata_cb;
+ return 1;
+ };
+
+ my $null_provider = Net::SSLeay::OSSL_PROVIDER_load(undef, 'null');
+ my $default_provider = Net::SSLeay::OSSL_PROVIDER_load(undef, 'default');
+ my $cbdata = 'data for cb';
+
+ Net::SSLeay::OSSL_PROVIDER_do_all(undef, \&all_cb, $cbdata);
+ foreach my $provider ($null_provider, $default_provider)
+ {
+ my $name = Net::SSLeay::OSSL_PROVIDER_get0_name($provider);
+ is(delete $seen_providers{$provider}, $cbdata, "provider '$name' was seen");
+ }
+ foreach my $provider (keys(%seen_providers))
+ {
+ my $name = Net::SSLeay::OSSL_PROVIDER_get0_name($provider);
+ diag("Provider '$name' was also seen by the callback");
+ }
+}
diff --git a/cpan/Net-SSLeay/t/local/22_provider_try_load.t b/cpan/Net-SSLeay/t/local/22_provider_try_load.t
new file mode 100644
index 000000000000..15dd88df5368
--- /dev/null
+++ b/cpan/Net-SSLeay/t/local/22_provider_try_load.t
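Review bot: `fail('provider already seen')` inside all_cb emits an extra test result that `plan(tests => 16)` does not account for, so the one condition it guards against would be reported as a plan mismatch on top of the failure itself. Recording the duplicate with `diag(...)` (as the file already does for unexpected providers in the last loop) or counting duplicates in a lexical and asserting on it once after `OSSL_PROVIDER_do_all` keeps the test count fixed. The header comment has two typos worth fixing in the same pass, `intialise_libssl()` and the duplicated `want to want to`, since that comment is what later readers will rely on to understand why initialise_libssl() is deliberately not called.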
@@ -0,0 +1,32 @@
+use lib 'inc';
+
+use Net::SSLeay;
+use Test::Net::SSLeay (initialise_libssl);
+
+# Avoid default provider automatic loading. See 22_provider.t for more
+# information.
+#
+#initialise_libssl(); # Don't do this
+#
+# We use a separate test file so that we get a newly loaded library
+# that still has triggers for automatic loading enabled.
+
+if (defined &Net::SSLeay::OSSL_PROVIDER_load) {
+ plan(tests => 3);
+} else {
+ plan(skip_all => "no support for providers");
+}
+
+# Supplied OpenSSL configuration file may load unwanted providers.
+local $ENV{OPENSSL_CONF} = '';
+
+my ($null_provider, $default_avail, $null_avail);
+
+$null_provider = Net::SSLeay::OSSL_PROVIDER_try_load(undef, 'null', 1);
+ok($null_provider, 'try_load("null", retain_fallbacks = 1) returns a pointer');
+
+$default_avail = Net::SSLeay::OSSL_PROVIDER_available(undef, 'default');
+is($default_avail, 1, 'default provider automatically loaded after try_load("null", retain_fallbacks = 1)');
+
+$null_avail = Net::SSLeay::OSSL_PROVIDER_available(undef, 'null');
+is($null_avail, 1, 'null provider loaded after try_load("null", retain_fallbacks = 1)');
diff --git a/cpan/Net-SSLeay/t/local/22_provider_try_load_zero_retain.t b/cpan/Net-SSLeay/t/local/22_provider_try_load_zero_retain.t
new file mode 100644
index 000000000000..554443bdba64
--- /dev/null
+++ b/cpan/Net-SSLeay/t/local/22_provider_try_load_zero_retain.t
@@ -0,0 +1,32 @@
+use lib 'inc';
+
+use Net::SSLeay;
+use Test::Net::SSLeay (initialise_libssl);
+
+# Avoid default provider automatic loading. See 22_provider.t for more
+# information.
+#
+#initialise_libssl(); # Don't do this
+#
+# We use a separate test file so that we get a newly loaded library
+# that still has triggers for automatic loading enabled.
+
+if (defined &Net::SSLeay::OSSL_PROVIDER_load) {
+ plan(tests => 3);
+} else {
+ plan(skip_all => "no support for providers");
+}
+
+# Supplied OpenSSL configuration file may load unwanted providers.
+local $ENV{OPENSSL_CONF} = '';
+
+my ($null_provider, $default_avail, $null_avail);
+
+$null_provider = Net::SSLeay::OSSL_PROVIDER_try_load(undef, 'null', 0);
+ok($null_provider, 'try_load("null", retain_fallbacks = 0) returns a pointer');
+
+$default_avail = Net::SSLeay::OSSL_PROVIDER_available(undef, 'default');
+is($default_avail, 0, 'default provider not automatically loaded after try_load("null", retain_fallbacks = 0)');
+
+$null_avail = Net::SSLeay::OSSL_PROVIDER_available(undef, 'null');
+is($null_avail, 1, 'null provider loaded after try_load("null", retain_fallbacks = 0)');
diff --git a/cpan/Net-SSLeay/t/local/30_error.t b/cpan/Net-SSLeay/t/local/30_error.t
new file mode 100644
index 000000000000..8ad156044ef3
--- /dev/null
+++ b/cpan/Net-SSLeay/t/local/30_error.t
@@ -0,0 +1,103 @@
+use lib 'inc';
+
+use Net::SSLeay;
+use Test::Net::SSLeay qw(
+ dies_like doesnt_warn initialise_libssl lives_ok warns_like
+);
+
+plan tests => 11;
+
+doesnt_warn('tests run without outputting unexpected warnings');
+
+initialise_libssl();
+
+# See below near 'sub put_err' for more about how error string and
+# erro code contents have changed between library versions.
+my $err_string = "foo $$: 1 - error:10000080:BIO routines:";
+$err_string = "foo $$: 1 - error:20000080:BIO routines:"
+ if Net::SSLeay::SSLeay_version(Net::SSLeay::SSLEAY_VERSION()) =~ m/^OpenSSL 3.0.0-alpha[1-4] /s;
+$err_string = "foo $$: 1 - error:2006D080:BIO routines:"
+ if (Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") || Net::SSLeay::constant("OPENSSL_VERSION_NUMBER") < 0x30000000);
+
+# Note, die_now usually just prints the process id and the argument string eg:
+# 57611: test
+# but on some systems, perhaps if diagnostics are enabled, it might [roduce something like:
+# found: Uncaught exception from user code:
+# 57611: test
+# therefore the qr match strings below have been chnaged so they dont have tooccur at the
+# beginning of the line.
+{
+ dies_like(sub {
+ Net::SSLeay::die_now('test')
+ }, qr/$$: test\n$/, 'die_now dies without errors');
+
+ lives_ok(sub {
+ Net::SSLeay::die_if_ssl_error('test');
+ }, 'die_if_ssl_error lives without errors');
+
+ put_err();
+ dies_like(sub {
+ Net::SSLeay::die_now('test');
+ }, qr/$$: test\n$/, 'die_now dies with errors');
+
+ put_err();
+ dies_like(sub {
+ Net::SSLeay::die_if_ssl_error('test');
+ }, qr/$$: test\n$/, 'die_if_ssl_error dies with errors');
+}
+
+{
+ local $Net::SSLeay::trace = 1;
+
+ dies_like(sub {
+ Net::SSLeay::die_now('foo');
+ }, qr/$$: foo\n$/, 'die_now dies without arrors and with trace');
+
+ lives_ok(sub {
+ Net::SSLeay::die_if_ssl_error('foo');
+ }, 'die_if_ssl_error lives without errors and with trace');
+
+ put_err();
+ warns_like(sub {
+ dies_like(sub {
+ Net::SSLeay::die_now('foo');
+ }, qr/^$$: foo\n$/, 'die_now dies with errors and trace');
+ }, qr/$err_string/i, 'die_now raises warnings about the occurred error when tracing');
+
+ put_err();
+ warns_like(sub {
+ dies_like(sub {
+ Net::SSLeay::die_if_ssl_error('foo');
+ }, qr/^$$: foo\n$/, 'die_if_ssl_error dies with errors and trace');
+ }, qr/$err_string/i, 'die_if_ssl_error raises warnings about the occurred error when tracing');
+}
+
+# The resulting error strings looks something like below. The number
+# after 'foo' is the process id. OpenSSL 3.0.0 drops function name and
+# changes how error code is packed.
+# - OpenSSL 3.0.0: foo 61488: 1 - error:10000080:BIO routines::no such file
+# - OpenSSL 3.0.0-alpha5: foo 16380: 1 - error:10000080:BIO routines::no such file
+# - OpenSSL 3.0.0-alpha1: foo 16293: 1 - error:20000080:BIO routines::no such file
+# - OpenSSL 1.1.1l: foo 61202: 1 - error:2006D080:BIO routines:BIO_new_file:no such file
+# - OpenSSL 1.1.0l: foo 61295: 1 - error:2006D080:BIO routines:BIO_new_file:no such file
+# - OpenSSL 1.0.2u: foo 61400: 1 - error:2006D080:BIO routines:BIO_new_file:no such file
+# - OpenSSL 1.0.1u: foo 13621: 1 - error:2006D080:BIO routines:BIO_new_file:no such file
+# - OpenSSL 1.0.0t: foo 14349: 1 - error:2006D080:BIO routines:BIO_new_file:no such file
+# - OpenSSL 0.9.8zh: foo 14605: 1 - error:2006D080:BIO routines:BIO_new_file:no such file
+# - OpenSSL 0.9.8f: foo 14692: 1 - error:2006D080:BIO routines:BIO_new_file:no such file
+#
+# 1.1.1 series and earlier create error by ORing together lib, func
+# and reason with 24 bit left shift, 12 bit left shift and without bit
+# shift, respectively.
+# 3.0.0 alpha1 drops function name from error string and alpha5
+# changes bit shift of lib to 23.
+# LibreSSL 2.5.1 drops function name from error string.
+sub put_err {
+ Net::SSLeay::ERR_put_error(
+ 32, #lib - 0x20 ERR_LIB_BIO 'BIO routines'
+ 109, #func - 0x6D BIO_F_BIO_NEW_FILE 'BIO_new_file'
+ 128, #reason - 0x80 BIO_R_NO_SUCH_FILE 'no such file'
+ 1, #file - file name (not packed into error code)
+ 1, #line - line number (not packed into error code)
+ );
+}
diff --git a/cpan/Net-SSLeay/t/local/31_rsa_generate_key.t b/cpan/Net-SSLeay/t/local/31_rsa_generate_key.t
new file mode 100644
index 000000000000..dec3e8075e1a
--- /dev/null
+++ b/cpan/Net-SSLeay/t/local/31_rsa_generate_key.t
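Review bot: `$err_string` is interpolated unescaped into `qr/$err_string/i` in both `warns_like` calls in the trace block; today the string holds only digits, colons, spaces and letters, but anyone extending the expected text (for example to include the `BIO_new_file` function name or the `no such file` reason from the comment table) would silently turn `.` or `(` into regex metacharacters. Quoting it, `qr/\Q$err_string\E/i`, makes the match literal regardless of future edits. Several comment lines in the hunk have typos worth fixing before merge (`erro code`, `[roduce`, `chnaged`, `tooccur`), and the test description `'die_now dies without arrors and with trace'` should read `without errors`.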
@@ -0,0 +1,65 @@
+use lib 'inc';
+
+use Net::SSLeay;
+use Test::Net::SSLeay qw( dies_like initialise_libssl lives_ok );
+
+plan tests => 14;
+
+initialise_libssl();
+
+lives_ok(sub {
+ Net::SSLeay::RSA_generate_key(2048, 0x10001);
+}, 'RSA_generate_key with valid callback');
+
+dies_like(sub {
+ Net::SSLeay::RSA_generate_key(2048, 0x10001, 1);
+}, qr/Undefined subroutine &main::1 called/, 'RSA_generate_key with invalid callback');
+
+{
+ my $called = 0;
+
+ lives_ok(sub {
+ Net::SSLeay::RSA_generate_key(2048, 0x10001, \&cb);
+ }, 'RSA_generate_key with valid callback');
+
+ cmp_ok( $called, '>', 0, 'callback has been called' );
+
+ sub cb {
+ my ($i, $n, $d) = @_;
+
+ if ($called == 0) {
+ is( wantarray(), undef, 'RSA_generate_key callback is executed in void context' );
+ is( $d, undef, 'userdata will be undef if no userdata was given' );
+
+ ok( defined $i, 'first argument is defined' );
+ ok( defined $n, 'second argument is defined' );
+ }
+
+ $called++;
+ }
+}
+
+{
+ my $called = 0;
+ my $userdata = 'foo';
+
+ lives_ok(sub {
+ Net::SSLeay::RSA_generate_key(2048, 0x10001, \&cb_data, $userdata);
+ }, 'RSA_generate_key with valid callback and userdata');
+
+ cmp_ok( $called, '>', 0, 'callback has been called' );
+
+ sub cb_data {
+ my ($i, $n, $d) = @_;
+
+ if ($called == 0) {
+ is( wantarray(), undef, 'RSA_generate_key callback is executed in void context' );
+
+ ok( defined $i, 'first argument is defined' );
+ ok( defined $n, 'second argument is defined' );
+ is( $d, $userdata, 'third argument is the userdata we passed in' );
+ }
+
+ $called++;
+ }
+}
diff --git a/cpan/Net-SSLeay/t/local/32_x509_get_cert_info.t b/cpan/Net-SSLeay/t/local/32_x509_get_cert_info.t
new file mode 100644
index 000000000000..1f0f20a863e5
--- /dev/null
+++ b/cpan/Net-SSLeay/t/local/32_x509_get_cert_info.t
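Review bot: The first `lives_ok` at the top of the file passes no callback at all, yet its description is `'RSA_generate_key with valid callback'`, the same text as the later test that does pass `\&cb`; it should read `'RSA_generate_key without callback'` so the two cannot be confused in TAP output. `cb` and `cb_data` are named subs declared inside bare blocks that close over each block's `my $called`; that works here because each block runs exactly once, but an anonymous sub held in a lexical (`my $cb = sub { ... };` passed as `$cb`) would make the capture explicit and avoid the "will not stay shared" trap if these blocks are ever moved into subtests or a helper sub. Both named subs also bind at compile time to the first instance of `$called`, which is worth a one-line comment if the named form is kept.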
@@ -0,0 +1,407 @@ +use lib 'inc'; + +use Net::SSLeay; +use Test::Net::SSLeay qw( + data_file_path initialise_libssl is_libressl is_openssl +); + +use lib '.'; + +my $tests = ( is_openssl() && Net::SSLeay::SSLeay < 0x10100003 ) || is_libressl() + ? 723 + : 726; + +plan tests => $tests; + +initialise_libssl(); + +# Check some basic X509 features added in 1.54: +my $name = Net::SSLeay::X509_NAME_new(); +ok ($name, "X509_NAME_new"); +my $hash = Net::SSLeay::X509_NAME_hash($name); +ok ($hash = 4003674586, "X509_NAME_hash"); + +# Caution from perl 25 onwards, need use lib '.'; above in order to 'do' these files +my $dump = {}; +for my $cert ( qw( extended-cert simple-cert strange-cert wildcard-cert ) ) { + $dump->{"$cert.cert.pem"} = do( data_file_path("$cert.cert.dump") ); +} + +my %available_digests = map {$_=>1} qw( md5 sha1 ); +if (Net::SSLeay::SSLeay >= 0x1000000f) { + my $ctx = Net::SSLeay::EVP_MD_CTX_create(); + %available_digests = map { $_=>1 } grep { + # P_EVP_MD_list_all() does not remove digests disabled in FIPS + my $md; + $md = Net::SSLeay::EVP_get_digestbyname($_) and + Net::SSLeay::EVP_DigestInit($ctx, $md) + } @{Net::SSLeay::P_EVP_MD_list_all()}; +} + +for my $f (keys (%$dump)) { + my $filename = data_file_path($f); + ok(my $bio = Net::SSLeay::BIO_new_file($filename, 'rb'), "BIO_new_file\t$f"); + ok(my $x509 = Net::SSLeay::PEM_read_bio_X509($bio), "PEM_read_bio_X509\t$f"); + ok(Net::SSLeay::X509_get_pubkey($x509), "X509_get_pubkey\t$f"); #only test whether the function works + + ok(my $subj_name = Net::SSLeay::X509_get_subject_name($x509), "X509_get_subject_name\t$f"); + is(my $subj_count = Net::SSLeay::X509_NAME_entry_count($subj_name), $dump->{$f}->{subject}->{count}, "X509_NAME_entry_count\t$f"); + + #BEWARE: values are not the same across different openssl versions therefore cannot test exact match + #is(Net::SSLeay::X509_NAME_oneline($subj_name), $dump->{$f}->{subject}->{oneline}, "X509_NAME_oneline\t$f"); + 
#is(Net::SSLeay::X509_NAME_print_ex($subj_name), $dump->{$f}->{subject}->{print_rfc2253}, "X509_NAME_print_ex\t$f"); + like(Net::SSLeay::X509_NAME_oneline($subj_name), qr|/OU=.*?/CN=|, "X509_NAME_oneline\t$f"); + like(Net::SSLeay::X509_NAME_print_ex($subj_name), qr|CN=.*?,OU=|, "X509_NAME_print_ex\t$f"); + + for my $i (0..$subj_count-1) { + ok(my $entry = Net::SSLeay::X509_NAME_get_entry($subj_name, $i), "X509_NAME_get_entry\t$f:$i"); + ok(my $asn1_string = Net::SSLeay::X509_NAME_ENTRY_get_data($entry), "X509_NAME_ENTRY_get_data\t$f:$i"); + ok(my $asn1_object = Net::SSLeay::X509_NAME_ENTRY_get_object($entry), "X509_NAME_ENTRY_get_object\t$f:$i"); + is(Net::SSLeay::OBJ_obj2txt($asn1_object,1), $dump->{$f}->{subject}->{entries}->[$i]->{oid}, "OBJ_obj2txt\t$f:$i"); + is(Net::SSLeay::P_ASN1_STRING_get($asn1_string), $dump->{$f}->{subject}->{entries}->[$i]->{data}, "P_ASN1_STRING_get.1\t$f:$i"); + is(Net::SSLeay::P_ASN1_STRING_get($asn1_string, 1), $dump->{$f}->{subject}->{entries}->[$i]->{data_utf8_decoded}, "P_ASN1_STRING_get.2\t$f:$i"); + if (defined $dump->{$f}->{entries}->[$i]->{nid}) { + is(my $nid = Net::SSLeay::OBJ_obj2nid($asn1_object), $dump->{$f}->{subject}->{entries}->[$i]->{nid}, "OBJ_obj2nid\t$f:$i"); + is(Net::SSLeay::OBJ_nid2ln($nid), $dump->{$f}->{subject}->{entries}->[$i]->{ln}, "OBJ_nid2ln\t$f:$i"); + is(Net::SSLeay::OBJ_nid2sn($nid), $dump->{$f}->{subject}->{entries}->[$i]->{sn}, "OBJ_nid2sn\t$f:$i"); + } + } + + ok(my $issuer_name = Net::SSLeay::X509_get_issuer_name($x509), "X509_get_subject_name\t$f"); + is(my $issuer_count = Net::SSLeay::X509_NAME_entry_count($issuer_name), $dump->{$f}->{issuer}->{count}, "X509_NAME_entry_count\t$f"); + is(Net::SSLeay::X509_NAME_oneline($issuer_name), $dump->{$f}->{issuer}->{oneline}, "X509_NAME_oneline\t$f"); + is(Net::SSLeay::X509_NAME_print_ex($issuer_name), $dump->{$f}->{issuer}->{print_rfc2253}, "X509_NAME_print_ex\t$f"); + + for my $i (0..$issuer_count-1) { + ok(my $entry = 
Net::SSLeay::X509_NAME_get_entry($issuer_name, $i), "X509_NAME_get_entry\t$f:$i"); + ok(my $asn1_string = Net::SSLeay::X509_NAME_ENTRY_get_data($entry), "X509_NAME_ENTRY_get_data\t$f:$i"); + ok(my $asn1_object = Net::SSLeay::X509_NAME_ENTRY_get_object($entry), "X509_NAME_ENTRY_get_object\t$f:$i"); + is(Net::SSLeay::OBJ_obj2txt($asn1_object,1), $dump->{$f}->{issuer}->{entries}->[$i]->{oid}, "OBJ_obj2txt\t$f:$i"); + is(Net::SSLeay::P_ASN1_STRING_get($asn1_string), $dump->{$f}->{issuer}->{entries}->[$i]->{data}, "P_ASN1_STRING_get.1\t$f:$i"); + is(Net::SSLeay::P_ASN1_STRING_get($asn1_string, 1), $dump->{$f}->{issuer}->{entries}->[$i]->{data_utf8_decoded}, "P_ASN1_STRING_get.2\t$f:$i"); + if (defined $dump->{$f}->{entries}->[$i]->{nid}) { + is(my $nid = Net::SSLeay::OBJ_obj2nid($asn1_object), $dump->{$f}->{issuer}->{entries}->[$i]->{nid}, "OBJ_obj2nid\t$f:$i"); + is(Net::SSLeay::OBJ_nid2ln($nid), $dump->{$f}->{issuer}->{entries}->[$i]->{ln}, "OBJ_nid2ln\t$f:$i"); + is(Net::SSLeay::OBJ_nid2sn($nid), $dump->{$f}->{issuer}->{entries}->[$i]->{sn}, "OBJ_nid2sn\t$f:$i"); + } + } + + my @subjectaltnames = Net::SSLeay::X509_get_subjectAltNames($x509); + is(scalar(@subjectaltnames), scalar(@{$dump->{$f}->{subject}->{altnames}}), "subjectaltnames size\t$f"); + for my $i (0..$#subjectaltnames) { + SKIP: { + skip('altname types are different on pre-0.9.7', 1) unless Net::SSLeay::SSLeay >= 0x0090700f || ($i%2)==1; + is($subjectaltnames[$i], $dump->{$f}->{subject}->{altnames}->[$i], "subjectaltnames match\t$f:$i"); + } + } + + #BEWARE: values are not the same across different openssl versions or FIPS mode, therefore testing just >0 + #is(Net::SSLeay::X509_subject_name_hash($x509), $dump->{$f}->{hash}->{subject}->{dec}, 'X509_subject_name_hash dec'); + #is(Net::SSLeay::X509_issuer_name_hash($x509), $dump->{$f}->{hash}->{issuer}->{dec}, 'X509_issuer_name_hash dec'); + #is(Net::SSLeay::X509_issuer_and_serial_hash($x509), $dump->{$f}->{hash}->{issuer_and_serial}->{dec}, 
"X509_issuer_and_serial_hash dec\t$f"); + cmp_ok(Net::SSLeay::X509_subject_name_hash($x509), '>', 0, "X509_subject_name_hash dec\t$f"); + cmp_ok(Net::SSLeay::X509_issuer_name_hash($x509), '>', 0, "X509_issuer_name_hash dec\t$f"); + cmp_ok(Net::SSLeay::X509_issuer_and_serial_hash($x509), '>', 0, "X509_issuer_and_serial_hash dec\t$f"); + + for my $digest (qw( md5 sha1 )) { + is(Net::SSLeay::X509_get_fingerprint($x509, $digest), + (exists $available_digests{$digest} ? + $dump->{$f}->{fingerprint}->{$digest} : + undef), + "X509_get_fingerprint $digest\t$f"); + } + + my $sha1_digest = Net::SSLeay::EVP_get_digestbyname("sha1"); + SKIP: { + skip('requires openssl-0.9.7', 1) unless Net::SSLeay::SSLeay >= 0x0090700f; + is(Net::SSLeay::X509_pubkey_digest($x509, $sha1_digest), $dump->{$f}->{digest_sha1}->{pubkey}, "X509_pubkey_digest\t$f"); + } + is(Net::SSLeay::X509_digest($x509, $sha1_digest), $dump->{$f}->{digest_sha1}->{x509}, "X509_digest\t$f"); + + + SKIP: { + skip('P_ASN1_TIME_get_isotime requires 0.9.7e+', 2) unless Net::SSLeay::SSLeay >= 0x0090705f; + is(Net::SSLeay::P_ASN1_TIME_get_isotime(Net::SSLeay::X509_get_notBefore($x509)), $dump->{$f}->{not_before}, "X509_get_notBefore\t$f"); + is(Net::SSLeay::P_ASN1_TIME_get_isotime(Net::SSLeay::X509_get_notAfter($x509)), $dump->{$f}->{not_after}, "X509_get_notAfter\t$f"); + } + + ok(my $ai = Net::SSLeay::X509_get_serialNumber($x509), "X509_get_serialNumber\t$f"); + + is(Net::SSLeay::P_ASN1_INTEGER_get_hex($ai), $dump->{$f}->{serial}->{hex}, "serial P_ASN1_INTEGER_get_hex\t$f"); + is(Net::SSLeay::P_ASN1_INTEGER_get_dec($ai), $dump->{$f}->{serial}->{dec}, "serial P_ASN1_INTEGER_get_dec\t$f"); + + SKIP: { + # X509_get0_serialNumber should function the same as X509_get_serialNumber + skip('X509_get0_serialNumber requires OpenSSL 1.1.0+ or LibreSSL 2.8.1+', 3) unless defined (&Net::SSLeay::X509_get0_serialNumber); + ok(my $ai = Net::SSLeay::X509_get0_serialNumber($x509), "X509_get0_serialNumber\t$f"); + + 
is(Net::SSLeay::P_ASN1_INTEGER_get_hex($ai), $dump->{$f}->{serial}->{hex}, "serial P_ASN1_INTEGER_get_hex\t$f"); + is(Net::SSLeay::P_ASN1_INTEGER_get_dec($ai), $dump->{$f}->{serial}->{dec}, "serial P_ASN1_INTEGER_get_dec\t$f"); + } + + # On platforms with 64-bit long int returns 4294967295 rather than -1 + # Caution, there is much difference between 32 and 64 bit behaviours with + # Net::SSLeay::ASN1_INTEGER_get. + # This test is deleted +# my $asn1_integer = Net::SSLeay::ASN1_INTEGER_get($ai); +# if ($asn1_integer == 4294967295) { +# $asn1_integer = -1; +# } +# is($asn1_integer, $dump->{$f}->{serial}->{long}, "serial ASN1_INTEGER_get\t$f"); + + is(Net::SSLeay::X509_get_version($x509), $dump->{$f}->{version}, "X509_get_version\t$f"); + + is(my $ext_count = Net::SSLeay::X509_get_ext_count($x509), $dump->{$f}->{extensions}->{count}, "X509_get_ext_count\t$f"); + for my $i (0..$ext_count-1) { + ok(my $ext = Net::SSLeay::X509_get_ext($x509,$i), "X509_get_ext\t$f:$i"); + ok(my $asn1_string = Net::SSLeay::X509_EXTENSION_get_data($ext), "X509_EXTENSION_get_data\t$f:$i"); + ok(my $asn1_object = Net::SSLeay::X509_EXTENSION_get_object($ext), "X509_EXTENSION_get_object\t$f:$i"); + SKIP: { + skip('X509_EXTENSION_get_critical works differently on pre-0.9.7', 1) unless Net::SSLeay::SSLeay >= 0x0090700f; + is(Net::SSLeay::X509_EXTENSION_get_critical($ext), $dump->{$f}->{extensions}->{entries}->[$i]->{critical}, "X509_EXTENSION_get_critical\t$f:$i"); + } + is(Net::SSLeay::OBJ_obj2txt($asn1_object,1), $dump->{$f}->{extensions}->{entries}->[$i]->{oid}, "OBJ_obj2txt\t$f:$i"); + + if (defined $dump->{$f}->{extensions}->{entries}->[$i]->{nid}) { + is(my $nid = Net::SSLeay::OBJ_obj2nid($asn1_object), $dump->{$f}->{extensions}->{entries}->[$i]->{nid}, "OBJ_obj2nid\t$f:$i"); + is(Net::SSLeay::OBJ_nid2ln($nid), $dump->{$f}->{extensions}->{entries}->[$i]->{ln}, "OBJ_nid2ln nid=$nid\t$f:$i"); + is(Net::SSLeay::OBJ_nid2sn($nid), $dump->{$f}->{extensions}->{entries}->[$i]->{sn}, "OBJ_nid2sn 
nid=$nid\t$f:$i"); + #BEARE: handling some special cases - mostly things that varies with different openssl versions + SKIP: { + my $ext_data = $dump->{$f}->{extensions}->{entries}->[$i]->{data}; + + if ( is_openssl() ) { + if ( $nid == 85 + || $nid == 86 ) { + # IPv6 address formatting is broken in a way that loses + # information between OpenSSL 3.0.0-alpha1 and 3.0.0-alpha7, + # so there's no point in running this test + if ( $ext_data =~ /IP Address:(?!(?:\d{1,3}\.){3}\d{1,3})/ + && Net::SSLeay::SSLeay == 0x30000000 + && Net::SSLeay::SSLeay_version( Net::SSLeay::SSLEAY_VERSION() ) =~ /-alpha[2-6]/ ) { + skip( 'This OpenSSL version does not correctly format IPv6 addresses', 1 ); + } + + # "othername" fields in subject and issuer alternative name + # output are unsupported before OpenSSL 3.0.0-alpha2 + if ( + $ext_data =~ m|othername:| + && ( + Net::SSLeay::SSLeay < 0x30000000 + || ( + Net::SSLeay::SSLeay == 0x30000000 + && Net::SSLeay::SSLeay_version( Net::SSLeay::SSLEAY_VERSION() ) =~ /-alpha1\ / + ) + ) + ) { + $ext_data =~ s{(othername:) [^, ]+}{$1}g; + } + } + elsif ( $nid == 89 ) { + # The output formatting for certificate policies has a + # trailing newline before OpenSSL 3.0.0-alpha1 + if ( Net::SSLeay::SSLeay < 0x30000000 ) { + $ext_data .= "\n"; + } + } + elsif ( $nid == 90 ) { + # Authority key identifier formatting has a "keyid:" prefix + # and a trailing newline before OpenSSL 3.0.0-alpha1 + if ( Net::SSLeay::SSLeay < 0x30000000 ) { + $ext_data = 'keyid:' . $ext_data . 
"\n"; + } + } + elsif ( $nid == 103 ) { + # The output format for CRL distribution points varies between + # different OpenSSL major versions + if ( Net::SSLeay::SSLeay < 0x10000001 ) { + # OpenSSL 0.9.8: + $ext_data =~ s{Full Name:\n }{}g; + $ext_data .= "\n"; + } elsif ( Net::SSLeay::SSLeay < 0x30000000 ) { + # OpenSSL 1.0.0 to 1.1.1: + $ext_data =~ s{(Full Name:\n )}{\n$1}g; + $ext_data .= "\n"; + } + } + elsif ( $nid == 126 ) { + # OID 1.3.6.1.5.5.7.3.17 ("ipsec Internet Key Exchange") isn't + # given its name in extended key usage formatted output before + # OpenSSL 1.1.0-pre3 + if ( Net::SSLeay::SSLeay < 0x10100003 ) { + $ext_data =~ s{ipsec Internet Key Exchange(,|$)}{1.3.6.1.5.5.7.3.17$1}g; + } + } + elsif ( $nid == 177 ) { + # Authority information access formatting has a trailing + # newline before OpenSSL 3.0.0-alpha1 + if ( Net::SSLeay::SSLeay < 0x30000000 ) { + $ext_data .= "\n"; + } + } + } + # LibreSSL is a fork of OpenSSL 1.0.1g, so any pre-1.0.2 changes above + # also apply here: + elsif ( is_libressl() ) { + if ( $nid == 85 + || $nid == 86 ) { + # "othername" fields in subject and issuer alternative name + # output are unsupported + $ext_data =~ s{(othername:) [^, ]+}{$1}g; + } + elsif ( $nid == 89 ) { + # The output formatting for certificate policies has a + # trailing newline + $ext_data .= "\n"; + } + elsif ( $nid == 90 ) { + # Authority key identifier formatting has a "keyid:" prefix + # and a trailing newline + $ext_data = 'keyid:' . $ext_data . 
"\n"; + } + elsif ( $nid == 103 ) { + # The output format for CRL distribution points contains + # extra newlines between the values, and has leading and + # trailing newlines + $ext_data =~ s{(Full Name:\n )}{\n$1}g; + $ext_data .= "\n"; + } + elsif ( $nid == 126 ) { + # OID 1.3.6.1.5.5.7.3.17 ("ipsec Internet Key Exchange") isn't + # given its name in extended key usage formatted output + $ext_data =~ s{ipsec Internet Key Exchange(,|$)}{1.3.6.1.5.5.7.3.17$1}g; + } + elsif ( $nid == 177 ) { + # Authority information access formatting has a trailing + # newline + $ext_data .= "\n"; + } + } + + is( Net::SSLeay::X509V3_EXT_print($ext), $ext_data, "X509V3_EXT_print nid=$nid\t$f:$i" ); + } + } + } + + SKIP: { + skip('crl_distribution_points requires 0.9.7+', int(@{$dump->{$f}->{cdp}})+1) unless Net::SSLeay::SSLeay >= 0x0090700f; + my @cdp = Net::SSLeay::P_X509_get_crl_distribution_points($x509); + is(scalar(@cdp), scalar(@{$dump->{$f}->{cdp}}), "cdp size\t$f"); + for my $i (0..$#cdp) { + is($cdp[$i], $dump->{$f}->{cdp}->[$i], "cdp match\t$f:$i"); + } + } + + my @keyusage = Net::SSLeay::P_X509_get_key_usage($x509); + my @ns_cert_type = Net::SSLeay::P_X509_get_netscape_cert_type($x509); + is(scalar(@keyusage), scalar(@{$dump->{$f}->{keyusage}}), "keyusage size\t$f"); + is(scalar(@ns_cert_type), scalar(@{$dump->{$f}->{ns_cert_type}}), "ns_cert_type size\t$f"); + for my $i (0..$#keyusage) { + is($keyusage[$i], $dump->{$f}->{keyusage}->[$i], "keyusage match\t$f:$i"); + } + for my $i (0..$#ns_cert_type) { + is($ns_cert_type[$i], $dump->{$f}->{ns_cert_type}->[$i], "ns_cert_type match\t$f:$i"); + } + + SKIP: { + # "ipsec Internet Key Exchange" isn't known by its name in OpenSSL + # 1.1.0-pre2 and below or in LibreSSL + if ( is_openssl() && Net::SSLeay::SSLeay < 0x10100003 + || is_libressl() ) { + @{ $dump->{$f}->{extkeyusage}->{ln} } = + grep { $_ ne 'ipsec Internet Key Exchange' } + @{ $dump->{$f}->{extkeyusage}->{ln} }; + + @{ $dump->{$f}->{extkeyusage}->{nid} } = + grep { 
$_ != 1022 } + @{ $dump->{$f}->{extkeyusage}->{nid} }; + + @{ $dump->{$f}->{extkeyusage}->{sn} } = + grep { $_ ne 'ipsecIKE' } + @{ $dump->{$f}->{extkeyusage}->{sn} }; + } + + my $test_count = 4 + scalar(@{$dump->{$f}->{extkeyusage}->{oid}}) + + scalar(@{$dump->{$f}->{extkeyusage}->{nid}}) + + scalar(@{$dump->{$f}->{extkeyusage}->{sn}}) + + scalar(@{$dump->{$f}->{extkeyusage}->{ln}}); + + skip('extended key usage requires 0.9.7+', $test_count) unless Net::SSLeay::SSLeay >= 0x0090700f; + my @extkeyusage_oid = Net::SSLeay::P_X509_get_ext_key_usage($x509,0); + my @extkeyusage_nid = Net::SSLeay::P_X509_get_ext_key_usage($x509,1); + my @extkeyusage_sn = Net::SSLeay::P_X509_get_ext_key_usage($x509,2); + my @extkeyusage_ln = Net::SSLeay::P_X509_get_ext_key_usage($x509,3); + + is(scalar(@extkeyusage_oid), scalar(@{$dump->{$f}->{extkeyusage}->{oid}}), "extku_oid size\t$f"); + is(scalar(@extkeyusage_nid), scalar(@{$dump->{$f}->{extkeyusage}->{nid}}), "extku_nid size\t$f"); + is(scalar(@extkeyusage_sn), scalar(@{$dump->{$f}->{extkeyusage}->{sn}}), "extku_sn size\t$f"); + is(scalar(@extkeyusage_ln), scalar(@{$dump->{$f}->{extkeyusage}->{ln}}), "extku_ln size\t$f"); + + for my $i (0..$#extkeyusage_oid) { + is($extkeyusage_oid[$i], $dump->{$f}->{extkeyusage}->{oid}->[$i], "extkeyusage_oid match\t$f:$i"); + } + for my $i (0..$#extkeyusage_nid) { + is($extkeyusage_nid[$i], $dump->{$f}->{extkeyusage}->{nid}->[$i], "extkeyusage_nid match\t$f:$i"); + } + for my $i (0..$#extkeyusage_sn) { + is($extkeyusage_sn[$i], $dump->{$f}->{extkeyusage}->{sn}->[$i], "extkeyusage_sn match\t$f:$i"); + } + for my $i (0..$#extkeyusage_ln) { + is($extkeyusage_ln[$i], $dump->{$f}->{extkeyusage}->{ln}->[$i], "extkeyusage_ln match\t$f:$i"); + } + } + + ok(my $pubkey = Net::SSLeay::X509_get_pubkey($x509), "X509_get_pubkey"); + is(Net::SSLeay::OBJ_obj2txt(Net::SSLeay::P_X509_get_signature_alg($x509)), $dump->{$f}->{signature_alg}, "P_X509_get_signature_alg"); + 
is(Net::SSLeay::OBJ_obj2txt(Net::SSLeay::P_X509_get_pubkey_alg($x509)), $dump->{$f}->{pubkey_alg}, "P_X509_get_pubkey_alg"); + is(Net::SSLeay::EVP_PKEY_size($pubkey), $dump->{$f}->{pubkey_size}, "EVP_PKEY_size"); + is(Net::SSLeay::EVP_PKEY_bits($pubkey), $dump->{$f}->{pubkey_bits}, "EVP_PKEY_bits"); + SKIP: { + skip('EVP_PKEY_id requires OpenSSL 1.0.0+', 1) unless Net::SSLeay::SSLeay >= 0x1000000f; + is(Net::SSLeay::EVP_PKEY_id($pubkey), $dump->{$f}->{pubkey_id}, "EVP_PKEY_id"); + } + +} + +my $ctx = Net::SSLeay::X509_STORE_CTX_new(); +my $filename = data_file_path('simple-cert.cert.pem'); +my $bio = Net::SSLeay::BIO_new_file($filename, 'rb'); +my $x509 = Net::SSLeay::PEM_read_bio_X509($bio); +my $x509_store = Net::SSLeay::X509_STORE_new(); +Net::SSLeay::X509_STORE_CTX_set_cert($ctx,$x509); + +my $ca_filename = data_file_path('root-ca.cert.pem'); +my $ca_bio = Net::SSLeay::BIO_new_file($ca_filename, 'rb'); +my $ca_x509 = Net::SSLeay::PEM_read_bio_X509($ca_bio); +is (Net::SSLeay::X509_STORE_add_cert($x509_store,$ca_x509), 1, 'X509_STORE_add_cert'); +is (Net::SSLeay::X509_STORE_CTX_init($ctx, $x509_store, $x509), 1, 'X509_STORE_CTX_init'); +SKIP: { + skip('X509_STORE_CTX_get0_cert requires OpenSSL 1.1.0-pre5+ or LibreSSL 2.7.0+', 1) unless defined (&Net::SSLeay::X509_STORE_CTX_get0_cert); + ok (my $x509_from_cert = Net::SSLeay::X509_STORE_CTX_get0_cert($ctx),'Get x509 from store ctx'); +}; +Net::SSLeay::X509_verify_cert($ctx); +ok (my $sk_x509 = Net::SSLeay::X509_STORE_CTX_get1_chain($ctx),'Get STACK_OF(x509) from store ctx'); +my $size; +ok ($size = Net::SSLeay::sk_X509_num($sk_x509),'STACK_OF(X509) size '.$size); +ok (Net::SSLeay::sk_X509_value($sk_x509,0),'STACK_OF(X509) value at 0'); + +my $new_filename = data_file_path('wildcard-cert.cert.pem'); +my $new_bio = Net::SSLeay::BIO_new_file($new_filename,'rb'); +my $new_x509 = Net::SSLeay::PEM_read_bio_X509($new_bio); + +ok (Net::SSLeay::sk_X509_insert($sk_x509,$new_x509,1),'STACK_OK(X509) insert'); +my $new_size; 
+$new_size = Net::SSLeay::sk_X509_num($sk_x509); +ok ($new_size == $size + 1, 'size is ' . ($size + 1) . ' after insert'); +ok (Net::SSLeay::sk_X509_delete($sk_x509, 1),'STACK_OK(X509) delete'); +$new_size = Net::SSLeay::sk_X509_num($sk_x509); +ok ($new_size == $size, "size is $size after delete"); +ok (Net::SSLeay::sk_X509_unshift($sk_x509,$new_x509),'STACK_OF(X509) unshift'); +$new_size = Net::SSLeay::sk_X509_num($sk_x509); +ok ($new_size == $size + 1, 'size is ' . ($size + 1) . ' after unshift'); +ok (Net::SSLeay::sk_X509_shift($sk_x509),'STACK_OF(X509) shift'); +$new_size = Net::SSLeay::sk_X509_num($sk_x509); +ok ($new_size == $size, "size is $size after shift"); +ok (Net::SSLeay::sk_X509_pop($sk_x509),'STACK_OF(X509) pop'); +$new_size = Net::SSLeay::sk_X509_num($sk_x509); +ok ($new_size == $size - 1, 'size is ' . ($size + 1) . ' after pop'); diff --git a/cpan/Net-SSLeay/t/local/33_x509_create_cert.t b/cpan/Net-SSLeay/t/local/33_x509_create_cert.t new file mode 100644 index 000000000000..3cad03404a68 --- /dev/null +++ b/cpan/Net-SSLeay/t/local/33_x509_create_cert.t 
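Review bot: `ok ($hash = 4003674586, "X509_NAME_hash");` near the top of the file is an assignment, not a comparison, so it always passes and discards the value returned by `X509_NAME_hash`; it should be `is($hash, 4003674586, "X509_NAME_hash")` if that value is stable across the supported libraries, or `cmp_ok($hash, '>', 0, "X509_NAME_hash")` like the other name-hash checks in this file if it is not. In both the subject and issuer entry loops the guard `if (defined $dump->{$f}->{entries}->[$i]->{nid})` reads a top-level `entries` key while the expected values live under `{subject}->{entries}` and `{issuer}->{entries}`; unless the dump fixtures also populate a top-level `entries`, the `OBJ_obj2nid`/`OBJ_nid2ln`/`OBJ_nid2sn` assertions in those loops never run (the extensions loop uses the correct path). The issuer-name test is labelled `"X509_get_subject_name\t$f"`, and the final `ok ($new_size == $size - 1, 'size is ' . ($size + 1) . ' after pop')` prints `$size + 1` in its description while asserting `$size - 1`. `Net::SSLeay::X509_verify_cert($ctx);` is called without checking its return, so a failed chain build would only surface indirectly through the later `sk_X509_num` checks; `is(Net::SSLeay::X509_verify_cert($ctx), 1, 'X509_verify_cert')` would make it explicit, with the plan count adjusted accordingly.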
@@ -0,0 +1,331 @@ +use lib 'inc'; + +use Net::SSLeay qw(MBSTRING_ASC MBSTRING_UTF8 EVP_PK_RSA EVP_PKT_SIGN EVP_PKT_ENC); +use Test::Net::SSLeay qw( data_file_path initialise_libssl is_openssl ); + +use utf8; + +plan tests => 139; + +initialise_libssl(); + +if (defined &Net::SSLeay::OSSL_PROVIDER_load) +{ + my $provider = Net::SSLeay::OSSL_PROVIDER_load(undef, 'legacy'); + diag('Failed to load legacy provider: PEM_get_string_PrivateKey may fail') + unless $provider; +} + +my $ca_crt_pem = data_file_path('root-ca.cert.pem'); +my $ca_key_pem = data_file_path('root-ca.key.pem'); + +ok(my $bio1 = Net::SSLeay::BIO_new_file($ca_crt_pem, 'r'), "BIO_new_file 1"); +ok(my $ca_cert = Net::SSLeay::PEM_read_bio_X509($bio1), "PEM_read_bio_X509"); +ok(my $bio2 = Net::SSLeay::BIO_new_file($ca_key_pem, 'r'), "BIO_new_file 2"); +ok(my $ca_pk = Net::SSLeay::PEM_read_bio_PrivateKey($bio2), "PEM_read_bio_PrivateKey"); +is(Net::SSLeay::X509_verify($ca_cert, $ca_pk), 1, "X509_verify"); + +ok(my $ca_subject = Net::SSLeay::X509_get_subject_name($ca_cert), "X509_get_subject_name"); +ok(my $ca_issuer = Net::SSLeay::X509_get_issuer_name($ca_cert), "X509_get_issuer_name"); +is(Net::SSLeay::X509_NAME_cmp($ca_issuer, $ca_subject), 0, "X509_NAME_cmp"); + +{ ### X509 certificate - create directly, sign with $ca_pk + ok(my $pk = Net::SSLeay::EVP_PKEY_new(), "EVP_PKEY_new"); + ok(my $rsa = Net::SSLeay::RSA_generate_key(2048, &Net::SSLeay::RSA_F4), "RSA_generate_key"); + ok(Net::SSLeay::EVP_PKEY_assign_RSA($pk,$rsa), "EVP_PKEY_assign_RSA"); + + SKIP: + { + skip 'openssl<1.1.0 required', 1 unless Net::SSLeay::SSLeay < 0x10100000 + or Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER"); + my @params = Net::SSLeay::RSA_get_key_parameters($rsa); + ok(@params == 8, "RSA_get_key_parameters"); + } + + ok(my $x509 = Net::SSLeay::X509_new(), "X509_new"); + ok(Net::SSLeay::X509_set_pubkey($x509,$pk), "X509_set_pubkey"); + ok(my $name = Net::SSLeay::X509_get_subject_name($x509), "X509_get_subject_name"); + + 
ok(Net::SSLeay::X509_NAME_add_entry_by_NID($name, &Net::SSLeay::NID_commonName, MBSTRING_UTF8, "Common name text X509"), "X509_NAME_add_entry_by_NID"); + #set countryName via add_entry_by_OBJ + ok(my $obj = Net::SSLeay::OBJ_nid2obj(&Net::SSLeay::NID_countryName), "OBJ_nid2obj"); + ok(Net::SSLeay::X509_NAME_add_entry_by_OBJ($name, $obj, MBSTRING_UTF8, "UK"), "X509_NAME_add_entry_by_OBJ"); + #set organizationName via add_entry_by_txt + ok(Net::SSLeay::X509_NAME_add_entry_by_txt($name, "organizationName", MBSTRING_UTF8, "Company Name"), "X509_NAME_add_entry_by_txt"); + + ok(Net::SSLeay::X509_set_version($x509, 3), "X509_set_version"); + ok(my $sn = Net::SSLeay::X509_get_serialNumber($x509), "X509_get_serialNumber"); + + my $pubkey = Net::SSLeay::X509_get_X509_PUBKEY($x509); + ok($pubkey ne '', "X509_get_X509_PUBKEY"); + + ##let us do some ASN1_INTEGER related testing + #test big integer via P_ASN1_INTEGER_set_dec + Net::SSLeay::P_ASN1_INTEGER_set_dec($sn, '123456789123456789123456789123456789123456789'); + # On platforms with 64-bit long int returns 4294967295 rather than -1 + my $asn1_integer = Net::SSLeay::ASN1_INTEGER_get(Net::SSLeay::X509_get_serialNumber($x509)); + if ($asn1_integer == 4294967295) { + $asn1_integer = -1; + } + is($asn1_integer, -1, "ASN1_INTEGER_get"); + is(Net::SSLeay::P_ASN1_INTEGER_get_hex(Net::SSLeay::X509_get_serialNumber($x509)), '058936E53D139AFEFABB2683F150B684045F15', "P_ASN1_INTEGER_get_hex"); + #test short integer via P_ASN1_INTEGER_set_hex + Net::SSLeay::P_ASN1_INTEGER_set_hex($sn, 'D05F14'); + is(Net::SSLeay::ASN1_INTEGER_get(Net::SSLeay::X509_get_serialNumber($x509)), 13655828, "ASN1_INTEGER_get"); + is(Net::SSLeay::P_ASN1_INTEGER_get_dec(Net::SSLeay::X509_get_serialNumber($x509)), '13655828', "P_ASN1_INTEGER_get_dec"); + #test short integer via ASN1_INTEGER_set + Net::SSLeay::ASN1_INTEGER_set($sn, 123456); + is(Net::SSLeay::P_ASN1_INTEGER_get_hex(Net::SSLeay::X509_get_serialNumber($x509)), '01E240', "P_ASN1_INTEGER_get_hex"); + + 
Net::SSLeay::X509_set_issuer_name($x509, Net::SSLeay::X509_get_subject_name($ca_cert)); + SKIP: { + skip 'openssl-0.9.7e required', 2 unless Net::SSLeay::SSLeay >= 0x0090705f; + ok(Net::SSLeay::P_ASN1_TIME_set_isotime(Net::SSLeay::X509_get_notBefore($x509), "2010-02-01T00:00:00Z"), "P_ASN1_TIME_set_isotime+X509_get_notBefore"); + ok(Net::SSLeay::P_ASN1_TIME_set_isotime(Net::SSLeay::X509_get_notAfter($x509), "2099-02-01T00:00:00Z"), "P_ASN1_TIME_set_isotime+X509_get_notAfter"); + } + + ok(Net::SSLeay::P_X509_add_extensions($x509,$ca_cert, + &Net::SSLeay::NID_key_usage => 'digitalSignature,keyEncipherment', + &Net::SSLeay::NID_basic_constraints => 'CA:FALSE', + &Net::SSLeay::NID_ext_key_usage => 'serverAuth,clientAuth', + &Net::SSLeay::NID_netscape_cert_type => 'server', + &Net::SSLeay::NID_subject_alt_name => 'DNS:s1.dom.com,DNS:s2.dom.com,DNS:s3.dom.com', + &Net::SSLeay::NID_crl_distribution_points => 'URI:http://pki.dom.com/crl1.pem,URI:http://pki.dom.com/crl2.pem', + ), "P_X509_add_extensions"); + + ok(my $sha1_digest = Net::SSLeay::EVP_get_digestbyname("sha1"), "EVP_get_digestbyname"); + ok(Net::SSLeay::X509_sign($x509, $ca_pk, $sha1_digest), "X509_sign"); + + is(Net::SSLeay::X509_get_version($x509), 3, "X509_get_version"); + is(Net::SSLeay::X509_verify($x509, Net::SSLeay::X509_get_pubkey($ca_cert)), 1, "X509_verify"); + + like(my $crt_pem = Net::SSLeay::PEM_get_string_X509($x509), qr/-----BEGIN CERTIFICATE-----/, "PEM_get_string_X509"); + + like(my $key_pem1 = Net::SSLeay::PEM_get_string_PrivateKey($pk), qr/-----BEGIN (RSA )?PRIVATE KEY-----/, "PEM_get_string_PrivateKey+nopasswd"); + like(my $key_pem2 = Net::SSLeay::PEM_get_string_PrivateKey($pk,"password"), qr/-----BEGIN (ENCRYPTED|RSA) PRIVATE KEY-----/, "PEM_get_string_PrivateKey+passwd"); + + ok(my $alg1 = Net::SSLeay::EVP_get_cipherbyname("DES-EDE3-CBC"), "EVP_get_cipherbyname"); + like(my $key_pem3 = Net::SSLeay::PEM_get_string_PrivateKey($pk,"password",$alg1), qr/-----BEGIN (ENCRYPTED|RSA) PRIVATE 
KEY-----/, "PEM_get_string_PrivateKey+passwd+enc_alg"); + +# DES-EDE3-OFB has no ASN1 support, detected by changes to do_pk8pkey as of openssl 1.0.1n +# https://git.openssl.org/?p=openssl.git;a=commit;h=4d9dc0c269be87b92da188df1fbd8bfee4700eb3 +# this test now fails +# ok(my $alg2 = Net::SSLeay::EVP_get_cipherbyname("DES-EDE3-OFB"), "EVP_get_cipherbyname"); +# like(my $key_pem4 = Net::SSLeay::PEM_get_string_PrivateKey($pk,"password",$alg2), qr/-----BEGIN (ENCRYPTED|RSA) PRIVATE KEY-----/, "PEM_get_string_PrivateKey+passwd+enc_alg"); + + is(Net::SSLeay::X509_NAME_print_ex($name), "O=Company Name,C=UK,CN=Common name text X509", "X509_NAME_print_ex"); + + # 2014-06-06: Sigh, some versions of openssl have this patch, which afffects the results of this test: + # https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=3009244da47b989c4cc59ba02cf81a4e9d8f8431 + # with this patch, the result is "ce83889f1beab8e70aa142e07e94b0ebbd9d59e0" +# is(unpack("H*",Net::SSLeay::X509_NAME_digest($name, $sha1_digest)), "044d7ea7fddced7b9b63799600b9989a63b36819", "X509_NAME_digest"); + + ok(my $ext_idx = Net::SSLeay::X509_get_ext_by_NID($x509, &Net::SSLeay::NID_ext_key_usage), "X509_get_ext_by_NID"); + ok(my $ext = Net::SSLeay::X509_get_ext($x509, $ext_idx), "X509_get_ext"); + is(Net::SSLeay::X509V3_EXT_print($ext), 'TLS Web Server Authentication, TLS Web Client Authentication', "X509V3_EXT_print"); + + #write_file("tmp_cert1.crt.pem", $crt_pem); + #write_file("tmp_cert1.key1.pem", $key_pem1); + #write_file("tmp_cert1.key2.pem", $key_pem2); + #write_file("tmp_cert1.key3.pem", $key_pem3); + #write_file("tmp_cert1.key4.pem", $key_pem4); +} + +{ ### X509_REQ certificate request >> sign >> X509 certificate + + ## PHASE1 - create certificate request + ok(my $pk = Net::SSLeay::EVP_PKEY_new(), "EVP_PKEY_new"); + ok(my $rsa = Net::SSLeay::RSA_generate_key(2048, &Net::SSLeay::RSA_F4), "RSA_generate_key"); + ok(Net::SSLeay::EVP_PKEY_assign_RSA($pk,$rsa), "EVP_PKEY_assign_RSA"); + + ok(my $req = 
Net::SSLeay::X509_REQ_new(), "X509_REQ_new"); + ok(Net::SSLeay::X509_REQ_set_pubkey($req,$pk), "X509_REQ_set_pubkey"); + ok(my $name = Net::SSLeay::X509_REQ_get_subject_name($req), "X509_REQ_get_subject_name"); + ok(Net::SSLeay::X509_NAME_add_entry_by_txt($name, "commonName", MBSTRING_UTF8, "Common name text X509_REQ"), "X509_NAME_add_entry_by_txt"); + ok(Net::SSLeay::X509_NAME_add_entry_by_txt($name, "countryName", MBSTRING_UTF8, "UK"), "X509_NAME_add_entry_by_txt"); + ok(Net::SSLeay::X509_NAME_add_entry_by_txt($name, "organizationName", MBSTRING_UTF8, "Company Name"), "X509_NAME_add_entry_by_txt"); + + # All these subjectAltNames should be copied to the + # certificate. This array is also used later when checking the + # signed certificate. + my @req_altnames = ( + # Numeric type, Type name, Value to add, Value to expect back, if not equal + #[ Net::SSLeay::GEN_DIRNAME(), 'dirName', 'dir_sect' ], # Would need config file + [ Net::SSLeay::GEN_DNS(), 'DNS', 's1.com' ], + [ Net::SSLeay::GEN_DNS(), 'DNS', 's2.com' ], + #[ Net::SSLeay::GEN_EDIPARTY(), 'EdiPartyName?', '' ], # Name not in OpenSSL source + [ Net::SSLeay::GEN_EMAIL(), 'email', 'foo@xample.com.com' ], + [ Net::SSLeay::GEN_IPADD(), 'IP', '10.20.30.41', pack('CCCC', '10', '20', '30', '41') ], + [ Net::SSLeay::GEN_IPADD(), 'IP', '2001:db8:23::1', pack('nnnnnnnn', 0x2001, 0x0db8, 0x23, 0, 0, 0, 0, 0x01) ], + [ Net::SSLeay::GEN_OTHERNAME(), 'otherName', '2.3.4.5;UTF8:some other identifier', 'some other identifier' ], + [ Net::SSLeay::GEN_RID(), 'RID', '1.2.3.4.1.2.3.4.1.2.3.4.1.2.3.4.1.2.3.4.1.2.3.4.1.2.3.4.1.2.3.4.1.2.3.4.1.2.3.4.1.2.3.4.1.2.3.4.1.2.3.4.1.2.3.4.1.2.3.4.99.1234' ], + [ Net::SSLeay::GEN_URI(), 'URI', 'https://john.doe@www.example.com:123/forum/questions/?tag=networking&order=newest#top' ], + #[ Net::SSLeay::GEN_X400(), 'X400Name?', '' ], # Name not in OpenSSL source + ); + + # Create a comma separated list of typename:value altnames + my $req_ext_altname = ''; + foreach my $alt (@req_altnames) 
{ + $req_ext_altname .= "$alt->[1]:$alt->[2],"; + } + chop $req_ext_altname; # Remove trailing comma + + ok(Net::SSLeay::P_X509_REQ_add_extensions($req, + &Net::SSLeay::NID_key_usage => 'digitalSignature,keyEncipherment', + &Net::SSLeay::NID_basic_constraints => 'CA:FALSE', + &Net::SSLeay::NID_ext_key_usage => 'serverAuth,clientAuth', + &Net::SSLeay::NID_netscape_cert_type => 'server', + &Net::SSLeay::NID_subject_alt_name => $req_ext_altname, + &Net::SSLeay::NID_crl_distribution_points => 'URI:http://pki.com/crl1,URI:http://pki.com/crl2', + ), "P_X509_REQ_add_extensions"); + + #54 = NID_pkcs9_challengePassword - XXX-TODO add new constant + ok(Net::SSLeay::X509_REQ_add1_attr_by_NID($req, 54, MBSTRING_ASC, 'password xyz'), "X509_REQ_add1_attr_by_NID"); + #49 = NID_pkcs9_unstructuredName - XXX-TODO add new constant + ok(Net::SSLeay::X509_REQ_add1_attr_by_NID($req, 49, MBSTRING_ASC, 'Any Uns.name'), "X509_REQ_add1_attr_by_NID"); + + ok(Net::SSLeay::X509_REQ_set_version($req, 2), "X509_REQ_set_version"); + + ok(my $sha1_digest = Net::SSLeay::EVP_get_digestbyname("sha1"), "EVP_get_digestbyname"); + ok(Net::SSLeay::X509_REQ_sign($req, $pk, $sha1_digest), "X509_REQ_sign"); + + ok(my $req_pubkey = Net::SSLeay::X509_REQ_get_pubkey($req), "X509_REQ_get_pubkey"); + is(Net::SSLeay::X509_REQ_verify($req, $req_pubkey), 1, "X509_REQ_verify"); + + is(Net::SSLeay::X509_REQ_get_version($req), 2, "X509_REQ_get_version"); + ok(my $obj_challengePassword = Net::SSLeay::OBJ_txt2obj('1.2.840.113549.1.9.7'), "OBJ_txt2obj"); + ok(my $nid_challengePassword = Net::SSLeay::OBJ_obj2nid($obj_challengePassword), "OBJ_obj2nid"); + is(Net::SSLeay::X509_REQ_get_attr_count($req), 3, "X509_REQ_get_attr_count"); + is(my $n1 = Net::SSLeay::X509_REQ_get_attr_by_NID($req, $nid_challengePassword,-1), 1, "X509_REQ_get_attr_by_NID"); + is(my $n2 = Net::SSLeay::X509_REQ_get_attr_by_OBJ($req, $obj_challengePassword,-1), 1, "X509_REQ_get_attr_by_OBJ"); + + SKIP: { + skip('requires openssl-0.9.7', 3) unless 
Net::SSLeay::SSLeay >= 0x0090700f; + ok(my @attr_values = Net::SSLeay::P_X509_REQ_get_attr($req, $n1), "P_X509_REQ_get_attr"); + is(scalar(@attr_values), 1, "attr_values size"); + is(Net::SSLeay::P_ASN1_STRING_get($attr_values[0]), "password xyz", "attr_values[0]"); + } + + like(my $req_pem = Net::SSLeay::PEM_get_string_X509_REQ($req), qr/-----BEGIN CERTIFICATE REQUEST-----/, "PEM_get_string_X509_REQ"); + like(my $key_pem = Net::SSLeay::PEM_get_string_PrivateKey($pk), qr/-----BEGIN (RSA )?PRIVATE KEY-----/, "PEM_get_string_PrivateKey"); + + #write_file("tmp_cert2.req.pem", $req_pem); + #write_file("tmp_cert2.key.pem", $key_pem); + + ## PHASE2 - turn X509_REQ into X509 cert + sign with CA key + ok(my $x509ss = Net::SSLeay::X509_new(), "X509_new"); + ok(Net::SSLeay::X509_set_version($x509ss, 2), "X509_set_version"); + ok(my $sn = Net::SSLeay::X509_get_serialNumber($x509ss), "X509_get_serialNumber"); + Net::SSLeay::P_ASN1_INTEGER_set_hex($sn, 'ABCDEF'); + Net::SSLeay::X509_set_issuer_name($x509ss, Net::SSLeay::X509_get_subject_name($ca_cert)); + ok(Net::SSLeay::X509_gmtime_adj(Net::SSLeay::X509_get_notBefore($x509ss), 0), "X509_gmtime_adj + X509_get_notBefore"); + ok(Net::SSLeay::X509_gmtime_adj(Net::SSLeay::X509_get_notAfter($x509ss), 60*60*24*100), "X509_gmtime_adj + X509_get_notAfter"); + ok(Net::SSLeay::X509_set_subject_name($x509ss, Net::SSLeay::X509_REQ_get_subject_name($req)), "X509_set_subject_name + X509_REQ_get_subject_name"); + + ok(Net::SSLeay::P_X509_copy_extensions($req, $x509ss), "P_X509_copy_extensions"); + + ok(my $tmppkey = Net::SSLeay::X509_REQ_get_pubkey($req), "X509_REQ_get_pubkey"); + ok(Net::SSLeay::X509_set_pubkey($x509ss,$tmppkey), "X509_set_pubkey"); + Net::SSLeay::EVP_PKEY_free($tmppkey); + + ok(Net::SSLeay::X509_sign($x509ss, $ca_pk, $sha1_digest), "X509_sign"); + like(my $crt_pem = Net::SSLeay::PEM_get_string_X509($x509ss), qr/-----BEGIN CERTIFICATE-----/, "PEM_get_string_X509"); + + #write_file("tmp_cert2.crt.pem", $crt_pem); + + ## 
PHASE3 - check some certificate parameters + is(Net::SSLeay::X509_NAME_print_ex(Net::SSLeay::X509_get_subject_name($x509ss)), "O=Company Name,C=UK,CN=Common name text X509_REQ", "X509_NAME_print_ex 1"); + is(Net::SSLeay::X509_NAME_print_ex(Net::SSLeay::X509_get_issuer_name($x509ss)), 'CN=Root CA,OU=Test Suite,O=Net-SSLeay,C=PL', "X509_NAME_print_ex 2"); + SKIP: { + skip 'openssl-0.9.7e required', 2 unless Net::SSLeay::SSLeay >= 0x0090705f; + like(Net::SSLeay::P_ASN1_TIME_get_isotime(Net::SSLeay::X509_get_notBefore($x509ss)), qr/^\d\d\d\d-\d\d-\d\d/, "X509_get_notBefore"); + like(Net::SSLeay::P_ASN1_TIME_get_isotime(Net::SSLeay::X509_get_notAfter($x509ss)), qr/^\d\d\d\d-\d\d-\d\d/, "X509_get_notAfter"); + } + + # See that all subjectAltNames added to request were copied to the certificate + my @altnames = Net::SSLeay::X509_get_subjectAltNames($x509ss); + for (my $i = 0; $i < @req_altnames; $i++) + { + my ($type, $name) = ($altnames[2*$i], $altnames[2*$i+1]); + my $test_vec = $req_altnames[$i]; + my $expected = defined $test_vec->[3] ? 
$test_vec->[3] : $test_vec->[2]; + + is($type, $test_vec->[0], "subjectAltName type in certificate matches request: $type"); + is($name, $expected, "subjectAltName value in certificate matches request: $test_vec->[2]"); + } + + my $mask = EVP_PK_RSA | EVP_PKT_SIGN | EVP_PKT_ENC; + is(Net::SSLeay::X509_certificate_type($x509ss)&$mask, $mask, "X509_certificate_type"); + + is(Net::SSLeay::X509_REQ_free($req), undef, "X509_REQ_free"); + is(Net::SSLeay::X509_free($x509ss), undef, "X509_free"); +} + +{ ### X509 certificate - unicode + ok(my $x509 = Net::SSLeay::X509_new(), "X509_new"); + ok(my $name = Net::SSLeay::X509_get_subject_name($x509), "X509_get_subject_name"); + my $txt = "\x{17E}lut\xFD"; + utf8::encode($txt); + ok(Net::SSLeay::X509_NAME_add_entry_by_txt($name, "CN", MBSTRING_UTF8, $txt), "X509_NAME_add_entry_by_txt"); + ok(Net::SSLeay::X509_NAME_add_entry_by_txt($name, "OU", MBSTRING_UTF8, "Unit"), "X509_NAME_add_entry_by_txt"); + is(Net::SSLeay::X509_NAME_print_ex($name), 'OU=Unit,CN=\C5\BElut\C3\BD', "X509_NAME_print_ex"); +} + +{ ### X509 certificate - copy some fields from other certificate + + my $orig_crt_pem = data_file_path('wildcard-cert.cert.pem'); + ok(my $bio = Net::SSLeay::BIO_new_file($orig_crt_pem, 'r'), "BIO_new_file"); + ok(my $orig_cert = Net::SSLeay::PEM_read_bio_X509($bio), "PEM_read_bio_X509"); + + ok(my $pk = Net::SSLeay::EVP_PKEY_new(), "EVP_PKEY_new"); + ok(my $rsa = Net::SSLeay::RSA_generate_key(2048, &Net::SSLeay::RSA_F4), "RSA_generate_key"); + ok(Net::SSLeay::EVP_PKEY_assign_RSA($pk,$rsa), "EVP_PKEY_assign_RSA"); + + ok(my $x509 = Net::SSLeay::X509_new(), "X509_new"); + ok(Net::SSLeay::X509_set_pubkey($x509,$pk), "X509_set_pubkey"); + ok(my $name = Net::SSLeay::X509_get_subject_name($orig_cert), "X509_get_subject_name"); + ok(Net::SSLeay::X509_set_subject_name($x509, $name), "X509_set_subject_name"); + + ok(my $sn = Net::SSLeay::X509_get_serialNumber($orig_cert), "X509_get_serialNumber"); + 
ok(Net::SSLeay::X509_set_serialNumber($x509, $sn), "X509_get_serialNumber"); + + Net::SSLeay::X509_set_issuer_name($x509, Net::SSLeay::X509_get_subject_name($ca_cert)); + SKIP: { + skip 'openssl-0.9.7e required', 2 unless Net::SSLeay::SSLeay >= 0x0090705f; + ok(Net::SSLeay::P_ASN1_TIME_set_isotime(Net::SSLeay::X509_get_notBefore($x509), "2010-02-01T00:00:00Z") , "P_ASN1_TIME_set_isotime+X509_get_notBefore"); + ok(Net::SSLeay::P_ASN1_TIME_set_isotime(Net::SSLeay::X509_get_notAfter($x509), "2038-01-01T00:00:00Z"), "P_ASN1_TIME_set_isotime+X509_get_notAfter"); + } + + ok(my $sha1_digest = Net::SSLeay::EVP_get_digestbyname("sha1"), "EVP_get_digestbyname"); + ok(Net::SSLeay::X509_sign($x509, $ca_pk, $sha1_digest), "X509_sign"); + + like(my $crt_pem = Net::SSLeay::PEM_get_string_X509($x509), qr/-----BEGIN CERTIFICATE-----/, "PEM_get_string_X509"); + like(my $key_pem = Net::SSLeay::PEM_get_string_PrivateKey($pk), qr/-----BEGIN (RSA )?PRIVATE KEY-----/, "PEM_get_string_PrivateKey"); + + #write_file("tmp_cert3.crt.pem", $crt_pem); + #write_file("tmp_cert3.key.pem", $key_pem); +} + +{ ### X509 request from file + some special tests + my $req_pem = data_file_path('simple-cert.csr.pem'); + ok(my $bio = Net::SSLeay::BIO_new_file($req_pem, 'r'), "BIO_new_file"); + ok(my $req = Net::SSLeay::PEM_read_bio_X509_REQ($bio), "PEM_read_bio_X509"); + + ok(my $sha1_digest = Net::SSLeay::EVP_get_digestbyname("sha1"), "EVP_get_digestbyname"); + is(unpack("H*", Net::SSLeay::X509_REQ_digest($req, $sha1_digest)), "372c21a20a6d4e15bf8ecefb487cc604d9a10960", "X509_REQ_digest"); + + ok(my $req2 = Net::SSLeay::X509_REQ_new(), "X509_REQ_new"); + ok(my $name = Net::SSLeay::X509_REQ_get_subject_name($req), "X509_REQ_get_subject_name"); + ok(Net::SSLeay::X509_REQ_set_subject_name($req2, $name), "X509_REQ_set_subject_name"); + is(Net::SSLeay::X509_REQ_free($req), undef, "X509_REQ_free"); +} + +{ ### X509 + X509_REQ loading DER format + my $req_der = data_file_path('simple-cert.csr.der'); + ok(my $bio1 
= Net::SSLeay::BIO_new_file($req_der, 'rb'), "BIO_new_file"); + ok(my $req = Net::SSLeay::d2i_X509_REQ_bio($bio1), "d2i_X509_REQ_bio"); + + my $x509_der = data_file_path('simple-cert.cert.der'); + ok(my $bio2 = Net::SSLeay::BIO_new_file($x509_der, 'rb'), "BIO_new_file"); + ok(my $x509 = Net::SSLeay::d2i_X509_bio($bio2), "d2i_X509_bio"); +} diff --git a/cpan/Net-SSLeay/t/local/34_x509_crl.t b/cpan/Net-SSLeay/t/local/34_x509_crl.t new file mode 100644 index 000000000000..0e989878b6a4 --- /dev/null +++ b/cpan/Net-SSLeay/t/local/34_x509_crl.t 
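Review bot: `X509_set_version($x509, 3)` in the first block, together with `is(Net::SSLeay::X509_get_version($x509), 3, "X509_get_version")`, pins an out-of-spec certificate: the X.509 version field is zero-based (v1=0, v2=1, v3=2 per RFC 5280), so 3 would be a "v4" certificate, and the second block already uses `X509_set_version($x509ss, 2)` correctly. The CSR has the same problem — PKCS#10 requests carry version 0 — so `X509_REQ_set_version($req, 2)` and the matching `X509_REQ_get_version` assertion should use `0`; newer OpenSSL releases may reject such values outright, at which point these `ok()`s fail. Separately, every `X509_sign`/`X509_REQ_sign` call here uses `EVP_get_digestbyname("sha1")`; on builds where SHA-1 signing is disabled by policy (FIPS or distro crypto policies) those calls can fail, and nothing in this file depends on SHA-1 except the fixed `X509_REQ_digest` fixture hash, so `sha256` for the signing calls would be safer. Also `X509_verify($x509, Net::SSLeay::X509_get_pubkey($ca_cert))` discards the EVP_PKEY that `X509_get_pubkey` returns, whereas the REQ block releases its `$tmppkey` with `EVP_PKEY_free` — presumably the same ownership rule applies here, so the reference is leaked.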
@@ -0,0 +1,139 @@ +use lib 'inc'; + +use Net::SSLeay; +use Test::Net::SSLeay qw( data_file_path initialise_libssl is_openssl ); + +plan tests => 42; + +initialise_libssl(); + +my $ca_crt_pem = data_file_path('intermediate-ca.cert.pem'); +my $ca_key_pem = data_file_path('intermediate-ca.key.pem'); +ok(my $bio1 = Net::SSLeay::BIO_new_file($ca_crt_pem, 'r'), "BIO_new_file 1"); +ok(my $ca_cert = Net::SSLeay::PEM_read_bio_X509($bio1), "PEM_read_bio_X509"); +ok(my $bio2 = Net::SSLeay::BIO_new_file($ca_key_pem, 'r'), "BIO_new_file 2"); +ok(my $ca_pk = Net::SSLeay::PEM_read_bio_PrivateKey($bio2), "PEM_read_bio_PrivateKey"); + +{ ### X509_CRL show info + my $crl_der = data_file_path('intermediate-ca.crl.der'); + my $crl_pem = data_file_path('intermediate-ca.crl.pem'); + + ok(my $bio1 = Net::SSLeay::BIO_new_file($crl_der, 'rb'), "BIO_new_file 1"); + ok(my $bio2 = Net::SSLeay::BIO_new_file($crl_pem, 'r'), "BIO_new_file 2"); + + ok(my $crl1 = Net::SSLeay::d2i_X509_CRL_bio($bio1), "d2i_X509_CRL_bio"); + ok(my $crl2 = Net::SSLeay::PEM_read_bio_X509_CRL($bio2), "PEM_read_bio_X509_CRL"); + + ok(my $name1 = Net::SSLeay::X509_CRL_get_issuer($crl1), "X509_CRL_get_issuer 1"); + ok(my $name2 = Net::SSLeay::X509_CRL_get_issuer($crl2), "X509_CRL_get_issuer 2"); + is(Net::SSLeay::X509_NAME_cmp($name1, $name2), 0, "X509_NAME_cmp"); + + is(Net::SSLeay::X509_NAME_print_ex($name1), 'CN=Intermediate CA,OU=Test Suite,O=Net-SSLeay,C=PL', "X509_NAME_print_ex"); + + ok(my $time_last = Net::SSLeay::X509_CRL_get_lastUpdate($crl1), "X509_CRL_get_lastUpdate"); + ok(my $time_next = Net::SSLeay::X509_CRL_get_nextUpdate($crl1), "X509_CRL_get_nextUpdate"); + SKIP: { + skip 'openssl-0.9.7e required', 2 unless Net::SSLeay::SSLeay >= 0x0090705f; + is(Net::SSLeay::P_ASN1_TIME_get_isotime($time_last), '2020-07-01T00:00:00Z', "P_ASN1_TIME_get_isotime last"); + is(Net::SSLeay::P_ASN1_TIME_get_isotime($time_next), '2020-07-08T00:00:00Z', "P_ASN1_TIME_get_isotime next"); + } + + 
is(Net::SSLeay::X509_CRL_get_version($crl1), 1, "X509_CRL_get_version"); + ok(my $sha1_digest = Net::SSLeay::EVP_get_digestbyname("sha1"), "EVP_get_digestbyname"); + is(unpack("H*",Net::SSLeay::X509_CRL_digest($crl1, $sha1_digest)), 'f0e5c853477a206c03f7347aee09a01d91df0ac5', "X509_CRL_digest"); +} + +{ ### X509_CRL create + ok(my $crl = Net::SSLeay::X509_CRL_new(), "X509_CRL_new"); + + ok(my $name = Net::SSLeay::X509_get_subject_name($ca_cert), "X509_get_subject_name"); + SKIP: { + skip('requires openssl-0.9.7', 1) unless Net::SSLeay::SSLeay >= 0x0090700f; + ok(Net::SSLeay::X509_CRL_set_issuer_name($crl, $name), "X509_CRL_set_issuer_name"); + } + + if (Net::SSLeay::SSLeay >= 0x0090705f) { + Net::SSLeay::P_ASN1_TIME_set_isotime(Net::SSLeay::X509_CRL_get_lastUpdate($crl), "2010-02-01T00:00:00Z"); + Net::SSLeay::P_ASN1_TIME_set_isotime(Net::SSLeay::X509_CRL_get_nextUpdate($crl), "2011-02-01T00:00:00Z"); + } + else { + # P_ASN1_TIME_set_isotime not available before openssl-0.9.7e + Net::SSLeay::X509_gmtime_adj(Net::SSLeay::X509_CRL_get_lastUpdate($crl), 0); + Net::SSLeay::X509_gmtime_adj(Net::SSLeay::X509_CRL_get_lastUpdate($crl), 0); + } + + SKIP: { + skip('requires openssl-0.9.7', 2) unless Net::SSLeay::SSLeay >= 0x0090700f; + ok(Net::SSLeay::X509_CRL_set_version($crl, 1), "X509_CRL_set_version"); + my $ser = Net::SSLeay::ASN1_INTEGER_new(); + Net::SSLeay::P_ASN1_INTEGER_set_hex($ser, "4AFED5654654BCEDED4AFED5654654BCEDED"); + ok(Net::SSLeay::P_X509_CRL_set_serial($crl, $ser), "P_X509_CRL_set_serial"); + Net::SSLeay::ASN1_INTEGER_free($ser); + } + + my @rev_table = ( + { serial_hex=>'1A2B3D', rev_datetime=>"2011-02-01T00:00:00Z", comp_datetime=>"2911-11-11T00:00:00Z", reason=>2 }, # 2 = cACompromise + { serial_hex=>'2A2B3D', rev_datetime=>"2011-03-01T00:00:00Z", comp_datetime=>"2911-11-11T00:00:00Z", reason=>3 }, # 3 = affiliationChanged + ); + + my $rev_datetime = Net::SSLeay::ASN1_TIME_new(); + my $comp_datetime = Net::SSLeay::ASN1_TIME_new(); + for my $item 
(@rev_table) { + if (Net::SSLeay::SSLeay >= 0x0090705f) { + Net::SSLeay::P_ASN1_TIME_set_isotime($rev_datetime, $item->{rev_datetime}); + Net::SSLeay::P_ASN1_TIME_set_isotime($comp_datetime, $item->{comp_datetime}); + } + else { + # P_ASN1_TIME_set_isotime not available before openssl-0.9.7e + Net::SSLeay::X509_gmtime_adj($rev_datetime, 0); + Net::SSLeay::X509_gmtime_adj($comp_datetime, 0); + } + SKIP: { + skip('requires openssl-0.9.7', 1) unless Net::SSLeay::SSLeay >= 0x0090700f; + ok(Net::SSLeay::P_X509_CRL_add_revoked_serial_hex($crl, $item->{serial_hex}, $rev_datetime, $item->{reason}, $comp_datetime), "P_X509_CRL_add_revoked_serial_hex"); + } + } + Net::SSLeay::ASN1_TIME_free($rev_datetime); + Net::SSLeay::ASN1_TIME_free($comp_datetime); + + ok(Net::SSLeay::P_X509_CRL_add_extensions($crl,$ca_cert, + &Net::SSLeay::NID_authority_key_identifier => 'keyid:always,issuer:always', + ), "P_X509_CRL_add_extensions"); + + ok(my $sha1_digest = Net::SSLeay::EVP_get_digestbyname("sha1"), "EVP_get_digestbyname"); + SKIP: { + skip('requires openssl-0.9.7', 1) unless Net::SSLeay::SSLeay >= 0x0090700f; + ok(Net::SSLeay::X509_CRL_sort($crl), "X509_CRL_sort"); + } + ok(Net::SSLeay::X509_CRL_sign($crl, $ca_pk, $sha1_digest), "X509_CRL_sign"); + + like(my $crl_pem = Net::SSLeay::PEM_get_string_X509_CRL($crl), qr/-----BEGIN X509 CRL-----/, "PEM_get_string_X509_CRL"); + + #write_file("tmp.crl.pem", $crl_pem); + + is(Net::SSLeay::X509_CRL_free($crl), undef, "X509_CRL_free"); +} + +{ ### special tests + my $crl_der = data_file_path('intermediate-ca.crl.der'); + ok(my $bio = Net::SSLeay::BIO_new_file($crl_der, 'rb'), "BIO_new_file"); + ok(my $crl = Net::SSLeay::d2i_X509_CRL_bio($bio), "d2i_X509_CRL_bio"); + is(Net::SSLeay::X509_CRL_verify($crl, Net::SSLeay::X509_get_pubkey($ca_cert)), 1, "X509_CRL_verify"); + + ok(my $time_last = Net::SSLeay::X509_CRL_get_lastUpdate($crl), "X509_CRL_get_lastUpdate"); + ok(my $time_next = Net::SSLeay::X509_CRL_get_nextUpdate($crl), 
"X509_CRL_get_nextUpdate"); + + SKIP: { + skip('requires openssl-0.9.7', 2) unless Net::SSLeay::SSLeay >= 0x0090700f; + ok(my $sn = Net::SSLeay::P_X509_CRL_get_serial($crl), "P_X509_CRL_get_serial"); + is(Net::SSLeay::ASN1_INTEGER_get($sn), 1, "ASN1_INTEGER_get"); + } + + SKIP: { + skip('requires openssl-0.9.7', 3) unless Net::SSLeay::SSLeay >= 0x0090700f; + ok(my $crl2 = Net::SSLeay::X509_CRL_new(), "X509_CRL_new"); + ok(Net::SSLeay::X509_CRL_set_lastUpdate($crl2, $time_last), "X509_CRL_set_lastUpdate"); + ok(Net::SSLeay::X509_CRL_set_nextUpdate($crl2, $time_next), "X509_CRL_set_nextUpdate"); + Net::SSLeay::X509_CRL_free($crl2); + } +} diff --git a/cpan/Net-SSLeay/t/local/35_ephemeral.t b/cpan/Net-SSLeay/t/local/35_ephemeral.t new file mode 100644 index 000000000000..f86a80dc05cd --- /dev/null +++ b/cpan/Net-SSLeay/t/local/35_ephemeral.t @@ -0,0 +1,16 @@ +use lib 'inc'; + +use Net::SSLeay; +use Test::Net::SSLeay qw(initialise_libssl); + +if (Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") || Net::SSLeay::constant("OPENSSL_VERSION_NUMBER") >= 0x10100000) { + plan skip_all => "LibreSSL and OpenSSL 1.1.0 removed support for ephemeral/temporary RSA private keys"; +} else { + plan tests => 3; +} + +initialise_libssl(); + +ok( my $ctx = Net::SSLeay::CTX_new(), 'CTX_new' ); +ok( my $rsa = Net::SSLeay::RSA_generate_key(2048, Net::SSLeay::RSA_F4()), 'RSA_generate_key' ); +ok( Net::SSLeay::CTX_set_tmp_rsa($ctx, $rsa), 'CTX_set_tmp_rsa' ); diff --git a/cpan/Net-SSLeay/t/local/36_verify.t b/cpan/Net-SSLeay/t/local/36_verify.t new file mode 100644 index 000000000000..393798fed2a2 --- /dev/null +++ b/cpan/Net-SSLeay/t/local/36_verify.t 
@@ -0,0 +1,372 @@ +# Test various verify and ASN functions + +use lib 'inc'; + +use Net::SSLeay; +use Test::Net::SSLeay qw( + can_fork data_file_path initialise_libssl is_libressl is_openssl new_ctx + tcp_socket +); + +plan tests => 105; + +initialise_libssl(); + +my $root_ca_pem = data_file_path('root-ca.cert.pem'); +my $ca_pem = data_file_path('verify-ca.certchain.pem'); +my $ca_dir = ''; +my $cert_pem = data_file_path('verify-cert.cert.pem'); +my $certchain_pem = data_file_path('verify-cert.certchain.pem'); +my $key_pem = data_file_path('verify-cert.key.pem'); + +# The above certificate must specify the following policy OID: +my $required_oid = '1.2.3.4.5'; + +my $pm; +my $pm2; +my $verify_result = -1; + +SKIP: { + skip 'openssl-0.9.8 required', 7 unless Net::SSLeay::SSLeay >= 0x0090800f; + $pm = Net::SSLeay::X509_VERIFY_PARAM_new(); + ok($pm, 'X509_VERIFY_PARAM_new'); + $pm2 = Net::SSLeay::X509_VERIFY_PARAM_new(); + ok($pm2, 'X509_VERIFY_PARAM_new 2'); + ok(Net::SSLeay::X509_VERIFY_PARAM_inherit($pm2, $pm), 'X509_VERIFY_PARAM_inherit'); + ok(Net::SSLeay::X509_VERIFY_PARAM_set1($pm2, $pm), 'X509_VERIFY_PARAM_inherit'); + ok(Net::SSLeay::X509_VERIFY_PARAM_set1_name($pm, 'fred'), 'X509_VERIFY_PARAM_set1_name'); + ok(Net::SSLeay::X509_V_FLAG_ALLOW_PROXY_CERTS() == 0x40, 'X509_V_FLAG_ALLOW_PROXY_CERTS'); + ok(Net::SSLeay::X509_VERIFY_PARAM_set_flags($pm, Net::SSLeay::X509_V_FLAG_ALLOW_PROXY_CERTS()), 'X509_VERIFY_PARAM_set_flags'); +} + +SKIP: { + skip 'openssl-0.9.8a required', 3 unless Net::SSLeay::SSLeay >= 0x0090801f; + + # Between versions 3.2.4 and 3.4.0, LibreSSL signals the use of its legacy + # X.509 verifier via the X509_V_FLAG_LEGACY_VERIFY flag; this flag persists + # even after X509_VERIFY_PARAM_clear_flags() is called + my $base_flags = + is_libressl() + && Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") >= 0x3020400f + && Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") <= 0x3040000f + ? 
Net::SSLeay::X509_V_FLAG_LEGACY_VERIFY() + : 0; + + ok(Net::SSLeay::X509_VERIFY_PARAM_get_flags($pm) == ($base_flags | Net::SSLeay::X509_V_FLAG_ALLOW_PROXY_CERTS()), 'X509_VERIFY_PARAM_get_flags'); + ok(Net::SSLeay::X509_VERIFY_PARAM_clear_flags($pm, Net::SSLeay::X509_V_FLAG_ALLOW_PROXY_CERTS()), 'X509_VERIFY_PARAM_clear_flags'); + ok(Net::SSLeay::X509_VERIFY_PARAM_get_flags($pm) == ($base_flags | 0), 'X509_VERIFY_PARAM_get_flags'); +}; + +SKIP: { + skip 'openssl-0.9.8 required', 4 unless Net::SSLeay::SSLeay >= 0x0090800f; + ok(Net::SSLeay::X509_PURPOSE_SSL_CLIENT() == 1, 'X509_PURPOSE_SSL_CLIENT'); + ok(Net::SSLeay::X509_VERIFY_PARAM_set_purpose($pm, Net::SSLeay::X509_PURPOSE_SSL_CLIENT()), 'X509_VERIFY_PARAM_set_purpose'); + ok(Net::SSLeay::X509_TRUST_EMAIL() == 4, 'X509_TRUST_EMAIL'); + ok(Net::SSLeay::X509_VERIFY_PARAM_set_trust($pm, Net::SSLeay::X509_TRUST_EMAIL()), 'X509_VERIFY_PARAM_set_trust'); + Net::SSLeay::X509_VERIFY_PARAM_set_depth($pm, 5); + Net::SSLeay::X509_VERIFY_PARAM_set_time($pm, time); + Net::SSLeay::X509_VERIFY_PARAM_free($pm); + Net::SSLeay::X509_VERIFY_PARAM_free($pm2); +} + +# Test ASN1 objects +my $asn_object = Net::SSLeay::OBJ_txt2obj('1.2.3.4', 0); +ok($asn_object, 'OBJ_txt2obj'); +ok(Net::SSLeay::OBJ_obj2txt($asn_object, 0) eq '1.2.3.4', 'OBJ_obj2txt'); + +ok(Net::SSLeay::OBJ_txt2nid('1.2.840.113549.1') == 2, 'OBJ_txt2nid'); # NID_pkcs +ok(Net::SSLeay::OBJ_txt2nid('1.2.840.113549.2.5') == 4, 'OBJ_txt2nid'); # NID_md5 + +ok(Net::SSLeay::OBJ_ln2nid('RSA Data Security, Inc. 
PKCS') == 2, 'OBJ_ln2nid'); # NID_pkcs +ok(Net::SSLeay::OBJ_ln2nid('md5') == 4, 'OBJ_ln2nid'); # NID_md5 + +ok(Net::SSLeay::OBJ_sn2nid('pkcs') == 2, 'OBJ_sn2nid'); # NID_pkcs +ok(Net::SSLeay::OBJ_sn2nid('MD5') == 4, 'OBJ_sn2nid'); # NID_md5 + +my $asn_object2 = Net::SSLeay::OBJ_txt2obj('1.2.3.4', 0); +ok(Net::SSLeay::OBJ_cmp($asn_object2, $asn_object) == 0, 'OBJ_cmp'); +$asn_object2 = Net::SSLeay::OBJ_txt2obj('1.2.3.5', 0); +ok(Net::SSLeay::OBJ_cmp($asn_object2, $asn_object) != 0, 'OBJ_cmp'); + +ok(1, "Finished with tests that don't need fork"); + +my $server; +SKIP: { + if (not can_fork()) { + skip "fork() not supported on this system", 54; + } + + $server = tcp_socket(); + + run_server(); # Forks: child does not return + $server->close() || die("client listen socket close: $!"); + client(); +} + +verify_local_trust(); + +sub test_policy_checks +{ + my ($ctx, $cl, $ok) = @_; + + $pm = Net::SSLeay::X509_VERIFY_PARAM_new(); + + # Certificate must have this policy + Net::SSLeay::X509_VERIFY_PARAM_set_flags($pm, Net::SSLeay::X509_V_FLAG_POLICY_CHECK() | Net::SSLeay::X509_V_FLAG_EXPLICIT_POLICY()); + + my $oid = $ok ? $required_oid : ( $required_oid . '.1' ); + my $pobject = Net::SSLeay::OBJ_txt2obj($oid, 1); + ok($pobject, "OBJ_txt2obj($oid)"); + is(Net::SSLeay::X509_VERIFY_PARAM_add0_policy($pm, $pobject), 1, "X509_VERIFY_PARAM_add0_policy($oid)"); + + my $ssl = client_get_ssl($ctx, $cl, $pm); + my $ret = Net::SSLeay::connect($ssl); + is($verify_result, Net::SSLeay::get_verify_result($ssl), 'Verify callback result and get_verify_result are equal'); + if ($ok) { + is($ret, 1, 'connect ok: policy checks succeeded'); + is($verify_result, Net::SSLeay::X509_V_OK(), 'Verify result is X509_V_OK'); + print "connect failed: $ret: " . Net::SSLeay::print_errs() . 
"\n" unless $ret == 1; + } else { + isnt($ret, 1, 'connect not ok: policy checks must fail') if !$ok; + is($verify_result, Net::SSLeay::X509_V_ERR_NO_EXPLICIT_POLICY(), 'Verify result is X509_V_ERR_NO_EXPLICIT_POLICY'); + } + + Net::SSLeay::X509_VERIFY_PARAM_free($pm); +} + +# These need at least OpenSSL 1.0.2 or LibreSSL 2.7.0 +sub test_hostname_checks +{ + my ($ctx, $cl, $ok) = @_; + SKIP: { + skip 'No Net::SSLeay::X509_VERIFY_PARAM_set1_host, skipping hostname_checks', 13 unless (exists &Net::SSLeay::X509_VERIFY_PARAM_set1_host); + + $pm = Net::SSLeay::X509_VERIFY_PARAM_new(); + + # Note: wildcards are supported by default + is(Net::SSLeay::X509_VERIFY_PARAM_set1_host($pm, 'test.johndoe.net-ssleay.example'), 1, 'X509_VERIFY_PARAM_set1_host(test.johndoe.net-ssleay.example)') if $ok; + is(Net::SSLeay::X509_VERIFY_PARAM_add1_host($pm, 'invalid.net-ssleay.example'), 1, 'X509_VERIFY_PARAM_add1_host(invalid.net-ssleay.example)') if !$ok; + + is(Net::SSLeay::X509_VERIFY_PARAM_set1_email($pm, 'john.doe@net-ssleay.example'), 1, 'X509_VERIFY_PARAM_set1_email(john.doe@net-ssleay.example)'); + + # Note: 'set' means that only one successfully set can be active + # set1_ip: IPv4 or IPv6 address as 4 or 16 octet binary. + # setip_ip_asc: IPv4 or IPv6 address as ASCII string + is(Net::SSLeay::X509_VERIFY_PARAM_set1_ip($pm, pack('CCCC', 192, 168, 0, 3)), 1, 'X509_VERIFY_PARAM_set1_ip(192.168.0.3)'); +# is(Net::SSLeay::X509_VERIFY_PARAM_set1_ip($pm, pack('NNNN', hex('20010db8'), hex('01480100'), 0, hex('31'))), 1, 'X509_VERIFY_PARAM_set1_ip(2001:db8:148:100::31)'); +# is(Net::SSLeay::X509_VERIFY_PARAM_set1_ip_asc($pm, '10.20.30.40'), 1, 'X509_VERIFY_PARAM_set1_ip_asc(10.20.30.40)'); +# is(Net::SSLeay::X509_VERIFY_PARAM_set1_ip_asc($pm, '2001:db8:148:100::31'), 1, 'X509_VERIFY_PARAM_set1_ip_asc(2001:db8:148:100::31))'); + + # Also see that incorrect values do not change anything. 
+ is(Net::SSLeay::X509_VERIFY_PARAM_set1_ip($pm, '123'), 0, 'X509_VERIFY_PARAM_set1_ip(123)'); + is(Net::SSLeay::X509_VERIFY_PARAM_set1_ip($pm, '123456789012345'), 0, 'X509_VERIFY_PARAM_set1_ip(123456789012345)'); + is(Net::SSLeay::X509_VERIFY_PARAM_set1_ip_asc($pm, '10.20.30.256'), 0, 'X509_VERIFY_PARAM_set1_ip_asc(10.20.30.256)'); + is(Net::SSLeay::X509_VERIFY_PARAM_set1_ip_asc($pm, '12345::'), 0, 'X509_VERIFY_PARAM_set1_ip_asc(12345::)'); + + my $ssl = client_get_ssl($ctx, $cl, $pm); + my $ret = Net::SSLeay::connect($ssl); + is($verify_result, Net::SSLeay::get_verify_result($ssl), 'Verify callback result and get_verify_result are equal'); + if ($ok) { + is($ret, 1, 'connect ok: hostname checks succeeded'); + is($verify_result, Net::SSLeay::X509_V_OK(), 'Verify result is X509_V_OK'); + print "connect failed: $ret: " . Net::SSLeay::print_errs() . "\n" unless $ret == 1; + } else { + isnt($ret, 1, 'connect not ok: hostname checks must fail') if !$ok; + is($verify_result, Net::SSLeay::X509_V_ERR_HOSTNAME_MISMATCH(), 'Verify result is X509_V_ERR_HOSTNAME_MISMATCH'); + } + + # For some reason OpenSSL 1.0.2 and LibreSSL return undef for get0_peername. Are we doing this wrong? 
+ $pm2 = Net::SSLeay::get0_param($ssl); + my $peername = Net::SSLeay::X509_VERIFY_PARAM_get0_peername($pm2); + if ($ok) { + is($peername, '*.johndoe.net-ssleay.example', 'X509_VERIFY_PARAM_get0_peername returns *.johndoe.net-ssleay.example') + if (Net::SSLeay::SSLeay >= 0x10100000 && is_openssl()); + is($peername, undef, 'X509_VERIFY_PARAM_get0_peername returns undefined for OpenSSL 1.0.2 and LibreSSL') + if (Net::SSLeay::SSLeay < 0x10100000 || is_libressl()); + } else { + is($peername, undef, 'X509_VERIFY_PARAM_get0_peername returns undefined'); + } + + Net::SSLeay::X509_VERIFY_PARAM_free($pm); + Net::SSLeay::X509_VERIFY_PARAM_free($pm2); + } +} + +sub test_wildcard_checks +{ + my ($ctx, $cl) = @_; + SKIP: { + skip 'No Net::SSLeay::X509_VERIFY_PARAM_set1_host, skipping wildcard_checks', 7 unless (exists &Net::SSLeay::X509_VERIFY_PARAM_set1_host); + + $pm = Net::SSLeay::X509_VERIFY_PARAM_new(); + + # Wildcards are allowed by default: disallow + is(Net::SSLeay::X509_VERIFY_PARAM_set1_host($pm, 'test.johndoe.net-ssleay.example'), 1, 'X509_VERIFY_PARAM_set1_host'); + is(Net::SSLeay::X509_VERIFY_PARAM_set_hostflags($pm, Net::SSLeay::X509_CHECK_FLAG_NO_WILDCARDS()), undef, 'X509_VERIFY_PARAM_set_hostflags(X509_CHECK_FLAG_NO_WILDCARDS)'); + + my $ssl = client_get_ssl($ctx, $cl, $pm); + my $ret = Net::SSLeay::connect($ssl); + isnt($ret, 1, 'Connect must fail in wildcard test'); + is($verify_result, Net::SSLeay::get_verify_result($ssl), 'Verify callback result and get_verify_result are equal'); + is($verify_result, Net::SSLeay::X509_V_ERR_HOSTNAME_MISMATCH(), 'Verify result is X509_V_ERR_HOSTNAME_MISMATCH'); + + Net::SSLeay::X509_VERIFY_PARAM_free($pm); + } +} + +sub verify_local_trust { + # Read entire certificate chain + my $bio = Net::SSLeay::BIO_new_file($certchain_pem, 'r'); + ok(my $x509_info_sk = Net::SSLeay::PEM_X509_INFO_read_bio($bio), "PEM_X509_INFO_read_bio able to read in entire chain"); + Net::SSLeay::BIO_free($bio); + # Read just the leaf certificate from 
the chain + $bio = Net::SSLeay::BIO_new_file($certchain_pem, 'r'); + ok(my $cert = Net::SSLeay::PEM_read_bio_X509($bio), "PEM_read_bio_X509 able to read in single cert from chain"); + Net::SSLeay::BIO_free($bio); + # Read root CA certificate + $bio = Net::SSLeay::BIO_new_file($root_ca_pem, 'r'); + ok(my $ca = Net::SSLeay::PEM_read_bio_X509($bio), "PEM_read_bio_X509 able to read in root CA"); + Net::SSLeay::BIO_free($bio); + + ok(my $x509_sk = Net::SSLeay::sk_X509_new_null(), "sk_X509_new_null creates STACK_OF(X509) successfully"); + ok(my $num = Net::SSLeay::sk_X509_INFO_num($x509_info_sk), "sk_X509_INFO_num is nonzero"); + + # Set up STORE_CTX and verify leaf certificate using only root CA (should fail due to incomplete chain) + ok(my $store = Net::SSLeay::X509_STORE_new(), "X509_STORE_new creates new store"); + ok(Net::SSLeay::X509_STORE_add_cert($store, $ca), "X509_STORE_add_cert CA cert"); + ok(my $ctx = Net::SSLeay::X509_STORE_CTX_new(), "X509_STORE_CTX_new creates new store context"); + is(Net::SSLeay::X509_STORE_CTX_init($ctx, $store, $cert), 1, 'X509_STORE_CTX_init succeeds'); + ok(!Net::SSLeay::X509_verify_cert($ctx), 'X509_verify_cert correctly fails'); + is(Net::SSLeay::X509_STORE_CTX_get_error($ctx), + Net::SSLeay::X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY(), "X509_STORE_CTX_get_error returns unable to get local issuer certificate"); + Net::SSLeay::X509_STORE_free($store); + Net::SSLeay::X509_STORE_CTX_free($ctx); + + # Add all certificates from entire certificate chain to X509 stack + for (my $i = 0; $i < $num; $i++) { + ok(my $x509_info = Net::SSLeay::sk_X509_INFO_value($x509_info_sk, $i), "sk_X509_INFO_value"); + ok(my $x509 = Net::SSLeay::P_X509_INFO_get_x509($x509_info), "P_X509_INFO_get_x509"); + ok(Net::SSLeay::sk_X509_push($x509_sk, $x509), "sk_X509_push"); + } + + # set up STORE_CTX and verify leaf certificate using root CA and chain (should succeed) + ok($store = Net::SSLeay::X509_STORE_new(), "X509_STORE_new creates new store"); + 
ok(Net::SSLeay::X509_STORE_add_cert($store, $ca), "X509_STORE_add_cert CA cert"); + ok($ctx = Net::SSLeay::X509_STORE_CTX_new(), "X509_STORE_CTX_new creates new store context"); + is(Net::SSLeay::X509_STORE_CTX_init($ctx, $store, $cert, $x509_sk), 1, 'X509_STORE_CTX_init succeeds'); + ok(Net::SSLeay::X509_verify_cert($ctx), 'X509_verify_cert correctly succeeds'); + is(Net::SSLeay::X509_STORE_CTX_get_error($ctx), Net::SSLeay::X509_V_OK(), "X509_STORE_CTX_get_error returns ok"); + Net::SSLeay::X509_STORE_free($store); + Net::SSLeay::X509_STORE_CTX_free($ctx); + + Net::SSLeay::sk_X509_free($x509_sk); +} + +# Prepare and return a new $ssl based on callers verification needs +# Note that this adds tests to caller's test count. +sub client_get_ssl +{ + my ($ctx, $cl, $pm) = @_; + + my $store = Net::SSLeay::CTX_get_cert_store($ctx); + ok($store, 'CTX_get_cert_store'); + is(Net::SSLeay::X509_STORE_set1_param($store, $pm), 1, 'X509_STORE_set1_param'); + + # Needs OpenSSL 1.0.0 or later + #Net::SSLeay::CTX_set1_param($ctx, $pm); + + $verify_result = -1; # Last verification result, set by callback below + my $verify_cb = sub { $verify_result = Net::SSLeay::X509_STORE_CTX_get_error($_[1]); return $_[0];}; + + my $ssl = Net::SSLeay::new($ctx); + Net::SSLeay::set_verify($ssl, Net::SSLeay::VERIFY_PEER(), $verify_cb); + Net::SSLeay::set_fd($ssl, $cl); + + return $ssl; +} + +# SSL client - connect to server and test different verification +# settings +sub client { + my ($ctx, $cl); + foreach my $task (qw( + policy_checks_ok policy_checks_fail + hostname_checks_ok hostname_checks_fail + wildcard_checks + finish)) + { + $ctx = new_ctx(); + is(Net::SSLeay::CTX_load_verify_locations($ctx, $ca_pem, $ca_dir), 1, "load_verify_locations($ca_pem $ca_dir)"); + + $cl = $server->connect(); + + test_policy_checks($ctx, $cl, 1) if $task eq 'policy_checks_ok'; + test_policy_checks($ctx, $cl, 0) if $task eq 'policy_checks_fail'; + test_hostname_checks($ctx, $cl, 1) if $task eq 
'hostname_checks_ok'; + test_hostname_checks($ctx, $cl, 0) if $task eq 'hostname_checks_fail'; + test_wildcard_checks($ctx, $cl) if $task eq 'wildcard_checks'; + last if $task eq 'finish'; # Leaves $cl alive + + close($cl) || die("client close: $!"); + } + + # Tell the server to quit and see that our connection is still up + $ctx = new_ctx(); + my $ssl = Net::SSLeay::new($ctx); + Net::SSLeay::set_fd($ssl, $cl); + Net::SSLeay::connect($ssl); + my $end = "end"; + Net::SSLeay::ssl_write_all($ssl, $end); + Net::SSLeay::shutdown($ssl); + ok($end eq Net::SSLeay::ssl_read_all($ssl), 'Successful termination'); + Net::SSLeay::free($ssl); + close($cl) || die("client final close: $!"); + return; +} + +# SSL server - just accept connnections and exit when told to by +# the client +sub run_server +{ + my $pid; + defined($pid = fork()) or BAIL_OUT("failed to fork: $!"); + + return if $pid != 0; + + $SIG{'PIPE'} = 'IGNORE'; + my $ctx = new_ctx(); + Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem); + my $ret = Net::SSLeay::CTX_check_private_key($ctx); + BAIL_OUT("Server: CTX_check_private_key failed: $cert_pem, $key_pem") unless $ret == 1; + if (defined &Net::SSLeay::CTX_set_num_tickets) { + # TLS 1.3 server sends session tickets after a handhake as part of + # the SSL_accept(). If a client finishes all its job including closing + # TCP connectino before a server sends the tickets, SSL_accept() fails + # with SSL_ERROR_SYSCALL and EPIPE errno and the server receives + # SIGPIPE signal. 
+ my $ret = Net::SSLeay::CTX_set_num_tickets($ctx, 0); + BAIL_OUT("Session tickets disabled") unless $ret; + } + + while (1) + { + my $cl = $server->accept() or BAIL_OUT("accept failed: $!"); + my $ssl = Net::SSLeay::new($ctx); + + Net::SSLeay::set_fd($ssl, fileno($cl)); + my $ret = Net::SSLeay::accept($ssl); + next unless $ret == 1; + + # Termination request or other message from client + my $msg = Net::SSLeay::ssl_read_all($ssl); + if (defined $msg and $msg eq 'end') + { + Net::SSLeay::ssl_write_all($ssl, 'end'); + Net::SSLeay::shutdown($ssl); + Net::SSLeay::free($ssl); + close($cl) || die("server close: $!"); + $server->close() || die("server listen socket close: $!"); + exit (0); + } + } +} diff --git a/cpan/Net-SSLeay/t/local/37_asn1_time.t b/cpan/Net-SSLeay/t/local/37_asn1_time.t new file mode 100644 index 000000000000..bc5cef3cd7ed --- /dev/null +++ b/cpan/Net-SSLeay/t/local/37_asn1_time.t 
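Review bot: In `run_server`'s accept loop (the closing lines of this hunk), `next unless $ret == 1;` abandons `$ssl` and the accepted `$cl` socket on every failed handshake, and the same happens after any message other than 'end', so each of the expected-failure client tasks (policy_checks_fail, hostname_checks_fail, wildcard_checks) leaves an SSL object and an open socket behind in the child; release them before continuing, e.g. `if ($ret != 1) { Net::SSLeay::free($ssl); close($cl); next; }`, and free/close likewise after the `ssl_read_all` when `$msg` is not 'end'. The diagnostic `BAIL_OUT("Session tickets disabled") unless $ret;` fires when disabling tickets *failed*, so its text states the opposite of what happened; `BAIL_OUT("CTX_set_num_tickets failed")` reads correctly. Unlike 42_info_callback.t and 43_misc_functions.t in this commit, this test has no `alarm(30);` watchdog and no `END { kill 9, $pid if $pid }`, so a client-side die leaves the forked server blocked in `accept()` indefinitely; hoisting `$pid` to file scope and adding those two lines would align it with its siblings.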
@@ -0,0 +1,42 @@
+use lib 'inc';
+
+use Net::SSLeay;
+use Test::Net::SSLeay qw(initialise_libssl);
+
+plan tests => 10;
+
+initialise_libssl();
+
+my $atime1 = Net::SSLeay::ASN1_TIME_new();
+ok($atime1, 'ASN1_TIME_new [1]');
+
+Net::SSLeay::ASN1_TIME_set($atime1, 1999888777);
+SKIP: {
+ skip 'openssl-0.9.8i is buggy', 2 if Net::SSLeay::SSLeay == 0x0090809f;
+ is(Net::SSLeay::P_ASN1_TIME_put2string($atime1), 'May 16 20:39:37 2033 GMT', 'P_ASN1_TIME_put2string');
+ is(Net::SSLeay::P_ASN1_UTCTIME_put2string($atime1), 'May 16 20:39:37 2033 GMT', 'P_ASN1_UTCTIME_put2string');
+}
+SKIP: {
+ skip 'openssl-0.9.7e required', 1 unless Net::SSLeay::SSLeay >= 0x0090705f;
+ is(Net::SSLeay::P_ASN1_TIME_get_isotime($atime1), '2033-05-16T20:39:37Z', 'P_ASN1_TIME_get_isotime');
+}
+Net::SSLeay::ASN1_TIME_free($atime1);
+
+my $atime2 = Net::SSLeay::ASN1_TIME_new();
+ok($atime2, 'ASN1_TIME_new [2]');
+SKIP: {
+ skip 'openssl-0.9.7e required', 2 unless Net::SSLeay::SSLeay >= 0x0090705f;
+ Net::SSLeay::P_ASN1_TIME_set_isotime($atime2, '2075-06-19T13:08:52Z');
+ SKIP: {
+ skip 'openssl-0.9.8i is buggy', 1 if Net::SSLeay::SSLeay == 0x0090809f;
+ is(Net::SSLeay::P_ASN1_TIME_put2string($atime2), 'Jun 19 13:08:52 2075 GMT', 'P_ASN1_TIME_put2string y=2075');
+ }
+ is(Net::SSLeay::P_ASN1_TIME_get_isotime($atime2), '2075-06-19T13:08:52Z', 'P_ASN1_TIME_get_isotime y=2075');
+}
+Net::SSLeay::ASN1_TIME_free($atime2);
+
+my $atime3 = Net::SSLeay::ASN1_TIME_new();
+ok($atime1, 'ASN1_TIME_new [3]');
+ok(Net::SSLeay::X509_gmtime_adj($atime3, 60*60*24*365*2));
+like(Net::SSLeay::P_ASN1_TIME_put2string($atime3), qr/[A-Z][a-z]+ +\d+ +\d+:\d+:\d+ +20\d\d/, 'X509_gmtime_adj');
+Net::SSLeay::ASN1_TIME_free($atime3);
diff --git a/cpan/Net-SSLeay/t/local/38_priv-key.t b/cpan/Net-SSLeay/t/local/38_priv-key.t
new file mode 100644
index 000000000000..ce7090f5e5e6
--- /dev/null
+++ b/cpan/Net-SSLeay/t/local/38_priv-key.t
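Review bot: The third block asserts the wrong handle: `ok($atime1, 'ASN1_TIME_new [3]');` checks `$atime1`, which was already released by `ASN1_TIME_free($atime1)` and still holds its stale non-zero pointer value, so the assertion is always true and a failed `ASN1_TIME_new()` for `$atime3` goes unnoticed until `X509_gmtime_adj` receives an undef. It should read `ok($atime3, 'ASN1_TIME_new [3]');`. The next line, `ok(Net::SSLeay::X509_gmtime_adj($atime3, 60*60*24*365*2));`, is the only test in the file with no description, which leaves the TAP output ambiguous on failure; `ok(Net::SSLeay::X509_gmtime_adj($atime3, 60*60*24*365*2), 'X509_gmtime_adj +2y');` fixes that. Referencing a handle after it has been freed is worth avoiding on principle even when, as here, the scalar is only tested for truth.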
@@ -0,0 +1,37 @@
+use lib 'inc';
+
+use Net::SSLeay;
+use Test::Net::SSLeay qw( data_file_path initialise_libssl );
+
+plan tests => 10;
+
+initialise_libssl();
+
+my $key_pem = data_file_path('simple-cert.key.pem');
+my $key_pem_encrypted = data_file_path('simple-cert.key.enc.pem');
+my $key_password = 'test';
+
+{
+ ok(my $bio_pem = Net::SSLeay::BIO_new_file($key_pem, 'r'), "BIO_new_file 3");
+ ok(Net::SSLeay::PEM_read_bio_PrivateKey($bio_pem), "PEM_read_bio_PrivateKey no password");
+}
+
+{
+ ok(my $bio_pem_encrypted = Net::SSLeay::BIO_new_file($key_pem_encrypted, 'r'), "BIO_new_file");
+ ok(Net::SSLeay::PEM_read_bio_PrivateKey($bio_pem_encrypted, sub { $key_password }), "PEM_read_bio_PrivateKey encrypted - callback");
+}
+
+{
+ ok(my $bio_pem_encrypted = Net::SSLeay::BIO_new_file($key_pem_encrypted, 'r'), "BIO_new_file");
+ ok(Net::SSLeay::PEM_read_bio_PrivateKey($bio_pem_encrypted, undef, $key_password), "PEM_read_bio_PrivateKey encrypted - password");
+}
+
+{
+ ok(my $bio_pem_encrypted = Net::SSLeay::BIO_new_file($key_pem_encrypted, 'r'), "BIO_new_file");
+ ok(!Net::SSLeay::PEM_read_bio_PrivateKey($bio_pem_encrypted, sub { $key_password . 'invalid' }), "PEM_read_bio_PrivateKey encrypted - callback (wrong password)");
+}
+
+{
+ ok(my $bio_pem_encrypted = Net::SSLeay::BIO_new_file($key_pem_encrypted, 'r'), "BIO_new_file");
+ ok(!Net::SSLeay::PEM_read_bio_PrivateKey($bio_pem_encrypted, undef, $key_password . 'invalid'), "PEM_read_bio_PrivateKey encrypted - password (wrong password)");
+}
diff --git a/cpan/Net-SSLeay/t/local/39_pkcs12.t b/cpan/Net-SSLeay/t/local/39_pkcs12.t
new file mode 100644
index 000000000000..5083331ae564
--- /dev/null
+++ b/cpan/Net-SSLeay/t/local/39_pkcs12.t
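Review bot: The two wrong-password blocks only assert that `PEM_read_bio_PrivateKey` returned false, which an unreadable file, an unsupported cipher or a malformed PEM would satisfy just as well; they never check *why* the call failed, and they leave that failure on libssl's error queue for whatever runs next. Reading the reason after the failed call pins the behaviour under test, e.g. `my $err = Net::SSLeay::ERR_get_error(); like(Net::SSLeay::ERR_error_string($err), qr/bad decrypt/i, 'wrong password reported as decrypt failure');` followed by `Net::SSLeay::ERR_clear_error();` (with `plan tests` raised to match) — the exact reason string differs across OpenSSL releases, so confirm the pattern against the supported versions. None of the five `BIO_new_file` handles is released with `Net::SSLeay::BIO_free`, and the EVP_PKEYs returned on the three success paths are never passed to `EVP_PKEY_free`. The description `"BIO_new_file 3"` in the first block reads like a copy-paste leftover and should match the plain `"BIO_new_file"` used by the other blocks.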
@@ -0,0 +1,74 @@ +use lib 'inc'; + +use Net::SSLeay; +use Test::Net::SSLeay qw( data_file_path initialise_libssl ); + +plan tests => 17; + +initialise_libssl(); + +# Encrypted PKCS#12 archive, no chain: +my $filename1 = data_file_path('simple-cert.enc.p12'); +my $filename1_password = 'test'; + +# Encrypted PKCS#12 archive, full chain: +my $filename2 = data_file_path('simple-cert.certchain.enc.p12'); +my $filename2_password = 'test'; + +# PKCS#12 archive, no chain: +my $filename3 = data_file_path('simple-cert.p12'); + +{ + my($privkey, $cert, @cachain) = Net::SSLeay::P_PKCS12_load_file($filename1, 1, $filename1_password); + ok($privkey, '$privkey [1]'); + ok($cert, '$cert [1]'); + is(scalar(@cachain), 0, 'size of @cachain [1]'); + my $subj_name = Net::SSLeay::X509_get_subject_name($cert); + is(Net::SSLeay::X509_NAME_oneline($subj_name), '/C=PL/O=Net-SSLeay/OU=Test Suite/CN=simple-cert.net-ssleay.example', "X509_NAME_oneline [1]"); +} + +{ + my($privkey, $cert, @cachain) = Net::SSLeay::P_PKCS12_load_file($filename2, 1, $filename2_password); + ok($privkey, '$privkey [2]'); + ok($cert, '$cert [2]'); + is(scalar(@cachain), 2, 'size of @cachain [2]'); + my $subj_name = Net::SSLeay::X509_get_subject_name($cert); + my $ca1_subj_name = Net::SSLeay::X509_get_subject_name($cachain[0]); + my $ca2_subj_name = Net::SSLeay::X509_get_subject_name($cachain[1]); + is(Net::SSLeay::X509_NAME_oneline($subj_name), '/C=PL/O=Net-SSLeay/OU=Test Suite/CN=simple-cert.net-ssleay.example', "X509_NAME_oneline [2/1]"); + # OpenSSL versions 1.0.0-beta2 to 3.0.0-alpha6 inclusive and all versions of + # LibreSSL return the CA certificate chain with the root CA certificate at the + # end; all other versions return the certificate chain with the root CA + # certificate at the start + if ( + Net::SSLeay::SSLeay < 0x10000002 + || ( + Net::SSLeay::SSLeay == 0x30000000 + && Net::SSLeay::SSLeay_version( Net::SSLeay::SSLEAY_VERSION() ) !~ /-alpha[1-6] / + ) + || Net::SSLeay::SSLeay > 0x30000000 + ) { + 
is(Net::SSLeay::X509_NAME_oneline($ca1_subj_name), '/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Intermediate CA', "X509_NAME_oneline [2/3]"); + is(Net::SSLeay::X509_NAME_oneline($ca2_subj_name), '/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Root CA', "X509_NAME_oneline [2/4]"); + } + else { + is(Net::SSLeay::X509_NAME_oneline($ca1_subj_name), '/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Root CA', "X509_NAME_oneline [2/3]"); + is(Net::SSLeay::X509_NAME_oneline($ca2_subj_name), '/C=PL/O=Net-SSLeay/OU=Test Suite/CN=Intermediate CA', "X509_NAME_oneline [2/4]"); + } +} + +{ + my($privkey, $cert, @cachain) = Net::SSLeay::P_PKCS12_load_file($filename3, 1); + ok($privkey, '$privkey [3]'); + ok($cert, '$cert [3]'); + is(scalar(@cachain), 0, 'size of @cachain [3]'); + my $subj_name = Net::SSLeay::X509_get_subject_name($cert); + is(Net::SSLeay::X509_NAME_oneline($subj_name), '/C=PL/O=Net-SSLeay/OU=Test Suite/CN=simple-cert.net-ssleay.example', "X509_NAME_oneline [3]"); +} + +{ + my($privkey, $cert, @should_be_empty) = Net::SSLeay::P_PKCS12_load_file($filename2, 0, $filename2_password); + ok($privkey, '$privkey [4]'); + ok($cert, '$cert [4]'); + is(scalar(@should_be_empty), 0, 'size of @should_be_empty'); +} diff --git a/cpan/Net-SSLeay/t/local/40_npn_support.t b/cpan/Net-SSLeay/t/local/40_npn_support.t new file mode 100644 index 000000000000..ea2d09bf56fc --- /dev/null +++ b/cpan/Net-SSLeay/t/local/40_npn_support.t 
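Review bot: Every block checks that `P_PKCS12_load_file` returned *a* private key and *a* certificate, but never that they belong together; a regression that paired the certificate with the wrong key bag, or returned a CA certificate as `$cert`, would pass all 17 assertions because only subject names are inspected. Adding `is(Net::SSLeay::X509_check_private_key($cert, $privkey), 1, 'private key matches certificate');` after each of the four successful loads (so `plan tests => 21`) closes that gap — confirm the binding is present in this Net::SSLeay build, since nothing in the hunk establishes it. The loaded `$privkey`, `$cert` and `@cachain` handles are never released with `EVP_PKEY_free`/`X509_free`. The descriptions jump from `[2/1]` to `[2/3]` and `[2/4]`, which suggests a `[2/2]` label was lost when the chain-order branches were added.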
@@ -0,0 +1,96 @@ +use lib 'inc'; + +use Net::SSLeay; +use Test::Net::SSLeay qw( + can_fork data_file_path initialise_libssl new_ctx tcp_socket +); + +BEGIN { + if (Net::SSLeay::SSLeay < 0x10001000) { + plan skip_all => "OpenSSL 1.0.1 or above required"; + } elsif (Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER")) { + plan skip_all => "LibreSSL removed support for NPN"; + } elsif (not can_fork()) { + plan skip_all => "fork() not supported on this system"; + } elsif ( !eval { new_ctx( undef, 'TLSv1.2' ); 1 } ) { + # NPN isn't well-defined for TLSv1.3, so these tests can't be run if + # that's the only available protocol version + plan skip_all => 'TLSv1.2 or below not available in this libssl'; + } else { + plan tests => 7; + } +} + +initialise_libssl(); + +my $server = tcp_socket(); +my $msg = 'ssleay-npn-test'; + +my $pid; + +my $cert_pem = data_file_path('simple-cert.cert.pem'); +my $key_pem = data_file_path('simple-cert.key.pem'); + +my @results; + +{ + # SSL server + $pid = fork(); + BAIL_OUT("failed to fork: $!") unless defined $pid; + if ($pid == 0) { + my $ns = $server->accept(); + + my ( $ctx, $proto ) = new_ctx( undef, 'TLSv1.2' ); + Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem); + + my $rv = Net::SSLeay::CTX_set_next_protos_advertised_cb($ctx, ['spdy/2','http1.1']); + is($rv, 1, 'CTX_set_next_protos_advertised_cb'); + + my $ssl = Net::SSLeay::new($ctx); + Net::SSLeay::set_fd($ssl, fileno($ns)); + Net::SSLeay::accept($ssl); + + is('spdy/2' , Net::SSLeay::P_next_proto_negotiated($ssl), 'P_next_proto_negotiated/server'); + + my $got = Net::SSLeay::ssl_read_all($ssl); + is($got, $msg, 'ssl_read_all compare'); + + Net::SSLeay::ssl_write_all($ssl, uc($got)); + Net::SSLeay::free($ssl); + Net::SSLeay::CTX_free($ctx); + close($ns) || die("server close: $!"); + $server->close() || die("server listen socket close: $!"); + exit; + } +} + +{ + # SSL client + my $s1 = $server->connect(); + + my $ctx1 = new_ctx( undef, 'TLSv1.2' ); + + my $rv = 
Net::SSLeay::CTX_set_next_proto_select_cb($ctx1, ['http1.1','spdy/2']); + push @results, [ $rv==1, 'CTX_set_next_proto_select_cb']; + + Net::SSLeay::CTX_set_options($ctx1, &Net::SSLeay::OP_ALL); + my $ssl1 = Net::SSLeay::new($ctx1); + Net::SSLeay::set_fd($ssl1, $s1); + Net::SSLeay::connect($ssl1); + Net::SSLeay::ssl_write_all($ssl1, $msg); + + push @results, [ 'spdy/2' eq Net::SSLeay::P_next_proto_negotiated($ssl1), 'P_next_proto_negotiated/client']; + push @results, [ 1 == Net::SSLeay::P_next_proto_last_status($ssl1), 'P_next_proto_last_status/client']; + + Net::SSLeay::free($ssl1); + Net::SSLeay::CTX_free($ctx1); + close($s1) || die("client close: $!"); + $server->close() || die("client listen socket close: $!"); +} + +waitpid $pid, 0; +push @results, [$? == 0, 'server exited with 0']; +END { + Test::More->builder->current_test(3); + ok( $_->[0], $_->[1] ) for (@results); +} diff --git a/cpan/Net-SSLeay/t/local/41_alpn_support.t b/cpan/Net-SSLeay/t/local/41_alpn_support.t new file mode 100644 index 000000000000..c3d5aa03945f --- /dev/null +++ b/cpan/Net-SSLeay/t/local/41_alpn_support.t 
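Review bot: The client's `Net::SSLeay::connect($ssl1);` discards its return value, so a failed handshake is only reported indirectly when `P_next_proto_negotiated` and `P_next_proto_last_status` come back wrong, with nothing pointing at the handshake as the cause; record it, e.g. `my $conn = Net::SSLeay::connect($ssl1); push @results, [ $conn == 1, 'connect' ];` and raise `plan tests` to 8. Because `connect()` can return a negative value on error, the check has to be `== 1` rather than truthiness. The `&Net::SSLeay::OP_ALL` argument to `CTX_set_options` uses the `&` call form; `Net::SSLeay::OP_ALL()` is the spelling the rest of this commit uses for constants (compare `Net::SSLeay::RSA_F4()` in 35_ephemeral.t).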
@@ -0,0 +1,100 @@ +use lib 'inc'; + +use Net::SSLeay; +use Test::Net::SSLeay qw( + can_fork data_file_path initialise_libssl new_ctx tcp_socket +); + +BEGIN { + if (Net::SSLeay::SSLeay < 0x10002000) { + plan skip_all => "OpenSSL 1.0.2 or above required"; + } elsif (not can_fork()) { + plan skip_all => "fork() not supported on this system"; + } else { + plan tests => 6; + } +} + +initialise_libssl(); + +my $server = tcp_socket(); +my $pid; + +my $msg = 'ssleay-alpn-test'; + +my $cert_pem = data_file_path('simple-cert.cert.pem'); +my $key_pem = data_file_path('simple-cert.key.pem'); + +my @results; + +{ + # SSL server + $pid = fork(); + BAIL_OUT("failed to fork: $!") unless defined $pid; + if ($pid == 0) { + my $ns = $server->accept(); + + my ( $ctx, $proto ) = new_ctx(); + Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem); + + # TLSv1.3 servers send session tickets after the handshake; if a client + # closes the connection before the server sends the tickets, accept() + # fails with SSL_ERROR_SYSCALL and errno=EPIPE, which will cause this + # process to receive a SIGPIPE signal and exit unsuccessfully + if ( + $proto eq 'TLSv1.3' + && defined &Net::SSLeay::CTX_set_num_tickets + ) { + Net::SSLeay::CTX_set_num_tickets( $ctx, 0 ); + } + + my $rv = Net::SSLeay::CTX_set_alpn_select_cb($ctx, ['http/1.1','spdy/2']); + is($rv, 1, 'CTX_set_alpn_select_cb'); + + my $ssl = Net::SSLeay::new($ctx); + Net::SSLeay::set_fd($ssl, fileno($ns)); + Net::SSLeay::accept($ssl); + + is(Net::SSLeay::P_alpn_selected($ssl), 'spdy/2', 'P_alpn_selected/server'); + + my $got = Net::SSLeay::ssl_read_all($ssl); + is($got, $msg, 'ssl_read_all compare'); + + Net::SSLeay::ssl_write_all($ssl, uc($got)); + Net::SSLeay::free($ssl); + Net::SSLeay::CTX_free($ctx); + close($ns) || die("server close: $!"); + $server->close() || die("server listen socket close: $!"); + exit; + } +} + +{ + # SSL client + my $s1 = $server->connect(); + + my $ctx1 = new_ctx(); + + my $rv = 
Net::SSLeay::CTX_set_alpn_protos($ctx1, ['spdy/2','http/1.1']); + push @results, [ $rv==0, 'CTX_set_alpn_protos']; + + Net::SSLeay::CTX_set_options($ctx1, &Net::SSLeay::OP_ALL); + my $ssl1 = Net::SSLeay::new($ctx1); + Net::SSLeay::set_fd($ssl1, $s1); + Net::SSLeay::connect($ssl1); + Net::SSLeay::ssl_write_all($ssl1, $msg); + + push @results, [ 'spdy/2' eq Net::SSLeay::P_alpn_selected($ssl1), 'P_alpn_selected/client']; + + Net::SSLeay::free($ssl1); + Net::SSLeay::CTX_free($ctx1); + close($s1) || die("client close: $!"); + $server->close() || die("client listen socket close: $!"); +} + +waitpid $pid, 0; +push @results, [$? == 0, 'server exited with 0']; +END { + Test::More->builder->current_test(3); + ok( $_->[0], $_->[1] ) for (@results); +} diff --git a/cpan/Net-SSLeay/t/local/42_info_callback.t b/cpan/Net-SSLeay/t/local/42_info_callback.t new file mode 100644 index 000000000000..8ddcb0c81f47 --- /dev/null +++ b/cpan/Net-SSLeay/t/local/42_info_callback.t 
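Review bot: Like 40_npn_support.t, this test forks a server and then blocks in `accept()`, `connect()` and `ssl_read_all` with no watchdog, whereas 42_info_callback.t and 43_misc_functions.t in the same commit wrap the identical pattern in `alarm(30);` and `END { kill 9,$pid if $pid }`; a stalled handshake (for instance a server child that dies before reaching `accept`) hangs the whole test run instead of failing it. Adding those two lines directly after `my $pid;` keeps the four fork-based tests consistent. The client's `Net::SSLeay::connect($ssl1);` result is also dropped, so a failed handshake surfaces only as a confusing `P_alpn_selected` mismatch; `push @results, [ Net::SSLeay::connect($ssl1) == 1, 'connect' ];` with `plan tests => 7` names the real cause.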
@@ -0,0 +1,110 @@ +use lib 'inc'; + +use Net::SSLeay; +use Test::Net::SSLeay qw( + can_fork data_file_path initialise_libssl new_ctx tcp_socket +); + +if (not can_fork()) { + plan skip_all => "fork() not supported on this system"; +} else { + plan tests => 2; +} + +initialise_libssl(); + +my $pid; +alarm(30); +END { kill 9,$pid if $pid } + +my $server = tcp_socket(); + +{ + # SSL server - just handle single connect and shutdown connection + my $cert_pem = data_file_path('simple-cert.cert.pem'); + my $key_pem = data_file_path('simple-cert.key.pem'); + + defined($pid = fork()) or BAIL_OUT("failed to fork: $!"); + if ($pid == 0) { + for(qw(ctx ssl)) { + my $cl = $server->accept(); + my $ctx = new_ctx(); + Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem); + my $ssl = Net::SSLeay::new($ctx); + Net::SSLeay::set_fd($ssl, fileno($cl)); + Net::SSLeay::accept($ssl); + for(1,2) { + last if Net::SSLeay::shutdown($ssl)>0; + } + close($cl) || die("server close: $!"); + } + $server->close() || die("server listen socket close: $!"); + exit; + } +} + +sub client { + my ($where,$expect) = @_; + # SSL client - connect and shutdown, all the while getting state updates + # with info callback + + my @states; + my $infocb = sub { + my ($ssl,$where,$ret) = @_; + push @states,[$where,$ret]; + }; + + my $cl = $server->connect(); + my $ctx = new_ctx(); + Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL); + Net::SSLeay::CTX_set_info_callback($ctx, $infocb) if $where eq 'ctx'; + my $ssl = Net::SSLeay::new($ctx); + Net::SSLeay::set_fd($ssl, $cl); + Net::SSLeay::set_info_callback($ssl, $infocb) if $where eq 'ssl'; + Net::SSLeay::connect($ssl); + for(1,2) { + last if Net::SSLeay::shutdown($ssl)>0; + } + + for my $st (@states) { + my @txt; + for(qw( + CB_READ_ALERT CB_WRITE_ALERT + CB_ACCEPT_EXIT CB_ACCEPT_LOOP + CB_CONNECT_EXIT CB_CONNECT_LOOP + CB_HANDSHAKE_START CB_HANDSHAKE_DONE + CB_READ CB_WRITE CB_ALERT + CB_LOOP CB_EXIT + )) { + my $i = eval "Net::SSLeay::$_()" + or 
BAIL_OUT("no state $_ known"); + if (($st->[0] & $i) == $i) { + $st->[0] &= ~$i; + push @txt,$_; + } + } + die "incomplete: @txt | $st->[0]" if $st->[0]; + $st = join("|",@txt); + } + + if ("@states" =~ $expect) { + pass("$where: @states"); + } else { + fail("$where: @states"); + } + close($cl) || die("client close: $!"); + +} + +my $expect = qr{^ + CB_HANDSHAKE_START\s + (CB_CONNECT_LOOP\s)+ + CB_HANDSHAKE_DONE\s + CB_CONNECT_EXIT\b +}x; + +client('ctx',$expect); +client('ssl',$expect); +$server->close() || die("client listen socket close: $!"); +waitpid $pid, 0; + diff --git a/cpan/Net-SSLeay/t/local/43_misc_functions.t b/cpan/Net-SSLeay/t/local/43_misc_functions.t new file mode 100644 index 000000000000..0e03cb495769 --- /dev/null +++ b/cpan/Net-SSLeay/t/local/43_misc_functions.t 
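Review bot: The watchdog relies on `END { kill 9,$pid if $pid }` to reap the server child, but `alarm(30)` is armed with no SIGALRM handler, and the default disposition terminates perl without running END blocks — so on the one path where the watchdog matters, the child is left orphaned in `accept()`. Installing a handler that cleans up and fails the run, e.g. `$SIG{ALRM} = sub { kill 9, $pid if $pid; BAIL_OUT('timeout') };` immediately before `alarm(30);`, makes the kill effective; the same pattern is set up in 43_misc_functions.t and would need the same treatment. `my $i = eval "Net::SSLeay::$_()" or BAIL_OUT(...)` compiles source at runtime where a block eval with a symbolic reference does the same job (`my $i = do { no strict 'refs'; eval { &{"Net::SSLeay::$_"}() } }`); the string form is safe here only because `$_` comes from the fixed `qw()` list. That `or BAIL_OUT` would also misreport a constant whose value is 0 as unknown — none of the listed CB_* constants are zero, but the failure text would mislead if one is ever added.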
@@ -0,0 +1,368 @@
+use lib 'inc';
+
+use Net::SSLeay;
+use Test::Net::SSLeay qw(
+ can_fork data_file_path initialise_libssl is_libressl new_ctx tcp_socket
+);
+
+if (not can_fork()) {
+ plan skip_all => "fork() not supported on this system";
+} else {
+ plan tests => 46;
+}
+
+initialise_libssl();
+
+my $pid;
+alarm(30);
+END { kill 9,$pid if $pid }
+
+# Values that were previously looked up for get_keyblock_size test
+# Revisit: currently the only known user for get_keyblock_size is
+# EAP-FAST. How it works with AEAD ciphers is for future study.
+our %non_aead_cipher_to_keyblock_size =
+ (
+ 'RC4-MD5' => 64,
+ 'RC4-SHA' => 72,
+ 'AES256-SHA256' => 160,
+ 'AES128-SHA256' => 128,
+ 'AES128-SHA' => 104,
+ 'AES256-SHA' => 136,
+ );
+
+our %tls_1_2_aead_cipher_to_keyblock_size = (
+ 'AES128-GCM-SHA256' => 56,
+ 'AES256-GCM-SHA384' => 88,
+ );
+
+# LibreSSL uses different names for the TLSv1.3 ciphersuites:
+our %tls_1_3_aead_cipher_to_keyblock_size =
+ is_libressl()
+ ? (
+ 'AEAD-AES128-GCM-SHA256' => 56,
+ 'AEAD-AES256-GCM-SHA384' => 88,
+ 'AEAD-CHACHA20-POLY1305-SHA256' => 88,
+ )
+ : (
+ 'TLS_AES_128_GCM_SHA256' => 56,
+ 'TLS_AES_256_GCM_SHA384' => 88,
+ 'TLS_CHACHA20_POLY1305_SHA256' => 88,
+ );
+
+# Combine the AEAD hashes
+our %aead_cipher_to_keyblock_size = (%tls_1_2_aead_cipher_to_keyblock_size, %tls_1_3_aead_cipher_to_keyblock_size);
+
+# Combine the hashes
+our %cipher_to_keyblock_size = (%non_aead_cipher_to_keyblock_size, %aead_cipher_to_keyblock_size);
+
+our %version_str2int = (
+ 'SSLv3' => sub { return eval { Net::SSLeay::SSL3_VERSION(); } },
+ 'TLSv1' => sub { return eval { Net::SSLeay::TLS1_VERSION(); } },
+ 'TLSv1.1' => sub { return eval { Net::SSLeay::TLS1_1_VERSION(); } },
+ 'TLSv1.2' => sub { return eval { Net::SSLeay::TLS1_2_VERSION(); } },
+ 'TLSv1.3' => sub { return eval { Net::SSLeay::TLS1_3_VERSION(); } },
+);
+
+# Tests that don't need a connection
+client_test_ciphersuites();
+test_cipher_funcs();
+
+# Tests that need a connection
+my $server = tcp_socket();
+
+{
+ # SSL server - just handle single connect, send information to
+ # client and exit
+
+ my $cert_pem = data_file_path('simple-cert.cert.pem');
+ my $key_pem = data_file_path('simple-cert.key.pem');
+
+ defined($pid = fork()) or BAIL_OUT("failed to fork: $!");
+ if ($pid == 0) {
+ my $cl = $server->accept();
+ my $ctx = new_ctx();
+ Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem);
+# my $get_keyblock_size_ciphers = join(':', keys(%cipher_to_keyblock_size));
+ my $get_keyblock_size_ciphers = join(':', keys(%non_aead_cipher_to_keyblock_size));
+ Net::SSLeay::CTX_set_cipher_list($ctx, $get_keyblock_size_ciphers);
+ my $ssl = Net::SSLeay::new($ctx);
+
+ Net::SSLeay::set_fd($ssl, fileno($cl));
+ Net::SSLeay::accept($ssl);
+
+ # Send our idea of Finished messages to the client.
+ my ($f_len, $finished_s, $finished_c);
+
+ $f_len = Net::SSLeay::get_finished($ssl, $finished_s);
+ Net::SSLeay::write($ssl, "server: $f_len ". unpack('H*', $finished_s));
+
+ $f_len = Net::SSLeay::get_peer_finished($ssl, $finished_c);
+ Net::SSLeay::write($ssl, "client: $f_len ". unpack('H*', $finished_c));
+
+ # Echo back the termination request from client
+ my $end = Net::SSLeay::read($ssl);
+ Net::SSLeay::write($ssl, $end);
+ Net::SSLeay::shutdown($ssl);
+ Net::SSLeay::free($ssl);
+ close($cl) || die("server close: $!");
+ $server->close() || die("server listen socket close: $!");
+ exit(0);
+ }
+}
+
+sub client {
+ # SSL client - connect to server and receive information that we
+ # compare to our expected values
+
+ my ($f_len, $f_len_trunc, $finished_s, $finished_c, $msg, $expected);
+
+ my $cl = $server->connect();
+ my $ctx = new_ctx();
+ Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL);
+ my $ssl = Net::SSLeay::new($ctx);
+
+ Net::SSLeay::set_fd($ssl, $cl);
+
+ client_test_finished($ssl);
+ client_test_keyblock_size($ssl);
+ client_test_version_funcs($ssl);
+
+ # Tell the server to quit and see that our connection is still up
+ my $end = "end";
+ Net::SSLeay::write($ssl, $end);
+ ok($end eq Net::SSLeay::read($ssl), 'Successful termination');
+ Net::SSLeay::shutdown($ssl);
+ Net::SSLeay::free($ssl);
+ close($cl) || die("client close: $!");
+ $server->close() || die("client listen socket close: $!");
+ return;
+}
+
+client();
+waitpid $pid, 0;
+exit(0);
+
+# Test get_finished() and get_peer_finished() with server.
+sub client_test_finished
+{
+ my ($ssl) = @_;
+ my ($f_len, $f_len_trunc, $finished_s, $finished_c, $msg, $expected);
+
+ # Finished messages have not been sent yet
+ $f_len = Net::SSLeay::get_peer_finished($ssl, $finished_s);
+ ok($f_len == 0, 'Return value for get_peer_finished is empty before connect for server');
+ ok(defined $finished_s && $finished_s eq '', 'Server Finished is empty');
+
+ $f_len = Net::SSLeay::get_finished($ssl, $finished_c);
+ ok($f_len == 0, 'Finished is empty before connect for client');
+ ok(defined $finished_c && $finished_c eq '', 'Client Finished is empty');
+
+ # Complete connection. After this we have Finished messages from both peers.
+ Net::SSLeay::connect($ssl);
+
+ $f_len = Net::SSLeay::get_peer_finished($ssl, $finished_s);
+ ok($f_len, 'Server Finished is not empty');
+ ok($f_len == length($finished_s), 'Return value for get_peer_finished equals to Finished length');
+ $expected = "server: $f_len " . unpack('H*', $finished_s);
+ $msg = Net::SSLeay::read($ssl);
+ ok($msg eq $expected, 'Server Finished is equal');
+
+ $f_len = Net::SSLeay::get_finished($ssl, $finished_c);
+ ok($f_len, 'Client Finished is not empty');
+ ok($f_len == length($finished_c), 'Return value for get_finished equals to Finished length');
+ $expected = "client: $f_len " . unpack('H*', $finished_c);
+ $msg = Net::SSLeay::read($ssl);
+ ok($msg eq $expected, 'Client Finished is equal');
+
+ ok($finished_s ne $finished_c, 'Server and Client Finished are not equal');
+
+ # Finished should still be the same. See that we can fetch truncated values.
+ my $trunc8_s = substr($finished_s, 0, 8);
+ $f_len_trunc = Net::SSLeay::get_peer_finished($ssl, $finished_s, 8);
+ ok($f_len_trunc == $f_len, 'Return value for get_peer_finished is unchanged when count is set');
+ ok($trunc8_s eq $finished_s, 'Count works for get_peer_finished');
+
+ my $trunc8_c = substr($finished_c, 0, 8);
+ $f_len_trunc = Net::SSLeay::get_finished($ssl, $finished_c, 8);
+ ok($f_len_trunc == $f_len, 'Return value for get_finished is unchanged when count is set');
+ ok($trunc8_c eq $finished_c, 'Count works for get_finished');
+
+}
+
+# Test get_keyblock_size
+# Notes: With TLS 1.3 the cipher is always an AEAD cipher. If AEAD
+# ciphers are enabled for TLS 1.2 and earlier, with LibreSSL
+# get_keyblock_size returns -1 when AEAD cipher is chosen.
+sub client_test_keyblock_size
+{
+ my ($ssl) = @_;
+
+ my $cipher = Net::SSLeay::get_cipher($ssl);
+ ok($cipher, "get_cipher returns a value: $cipher");
+
+ my $keyblock_size = &Net::SSLeay::get_keyblock_size($ssl);
+ ok(defined $keyblock_size, 'get_keyblock_size return value is defined');
+ if ($keyblock_size == -1)
+ {
+ # Accept -1 with AEAD ciphers with LibreSSL
+ ok(is_libressl(), 'get_keyblock_size returns -1 with LibreSSL');
+ ok(defined $aead_cipher_to_keyblock_size{$cipher}, 'keyblock size is -1 for an AEAD cipher');
+ }
+ else
+ {
+ ok($keyblock_size >= 0, 'get_keyblock_size return value is not negative');
+ ok($cipher_to_keyblock_size{$cipher} == $keyblock_size, "keyblock size $keyblock_size is the expected value $cipher_to_keyblock_size{$cipher}");
+ }
+}
+
+# Test SSL_get_version and related functions
+sub client_test_version_funcs
+{
+ my ($ssl) = @_;
+
+ my $version_str = Net::SSLeay::get_version($ssl);
+ my $version_const = $version_str2int{$version_str};
+ my $version = Net::SSLeay::version($ssl);
+
+ ok(defined $version_const, "Net::SSLeay::get_version return value $version_str is known");
+ is(&$version_const, $version, "Net:SSLeay::version return value $version matches get_version string");
+
+ if (defined &Net::SSLeay::client_version) {
+ if ($version_str eq 'TLSv1.3') {
+ # Noticed that client_version and version are equal for all SSL/TLS versions except of TLSv1.3
+ # For more, see https://github.com/openssl/openssl/issues/7079
+ is(Net::SSLeay::client_version($ssl), &{$version_str2int{'TLSv1.2'}},
+ 'Net::SSLeay::client_version TLSv1.2 is expected when Net::SSLeay::version indicates TLSv1.3');
+ } else {
+ is(Net::SSLeay::client_version($ssl), $version, 'Net::SSLeay::client_version equals to Net::SSLeay::version');
+ }
+ is(Net::SSLeay::is_dtls($ssl), 0, 'Net::SSLeay::is_dtls returns 0');
+ } else
+ {
+ SKIP: {
+ skip('Do not have Net::SSLeay::client_version nor Net::SSLeay::is_dtls', 2);
+ };
+ }
+
+ return;
+}
+
+sub client_test_ciphersuites
+{
+ unless (defined &Net::SSLeay::CTX_set_ciphersuites)
+ {
+ SKIP: {
+ skip('Do not have Net::SSLeay::CTX_set_ciphersuites', 10);
+ }
+ return;
+ }
+
+ my $ciphersuites = join(':', keys(%tls_1_3_aead_cipher_to_keyblock_size));
+
+ # In OpenSSL 3.0.0 alpha 11 (commit c1e8a0c66e32b4144fdeb49bd5ff7acb76df72b9)
+ # SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() were
+ # changed to ignore unknown ciphers
+ my $ret_partially_bad_ciphersuites = 1;
+ if (Net::SSLeay::SSLeay() == 0x30000000) {
+ my $ssleay_version = Net::SSLeay::SSLeay_version(Net::SSLeay::SSLEAY_VERSION());
+ $ret_partially_bad_ciphersuites = 0 if ($ssleay_version =~ m/-alpha(\d+)/s) && $1 < 11;
+ } elsif (Net::SSLeay::SSLeay() < 0x30000000) {
+ $ret_partially_bad_ciphersuites = 0;
+ }
+
+ my ($ctx, $rv, $ssl);
+ $ctx = new_ctx();
+ $rv = Net::SSLeay::CTX_set_ciphersuites($ctx, $ciphersuites);
+ is($rv, 1, 'CTX set good ciphersuites');
+ $rv = Net::SSLeay::CTX_set_ciphersuites($ctx, '');
+ is($rv, 1, 'CTX set empty ciphersuites');
+ {
+ no warnings 'uninitialized';
+ $rv = Net::SSLeay::CTX_set_ciphersuites($ctx, undef);
+ };
+ is($rv, 1, 'CTX set undef ciphersuites');
+ $rv = Net::SSLeay::CTX_set_ciphersuites($ctx, 'nosuchthing:' . $ciphersuites);
+ is($rv, $ret_partially_bad_ciphersuites, 'CTX set partially bad ciphersuites');
+ $rv = Net::SSLeay::CTX_set_ciphersuites($ctx, 'nosuchthing:');
+ is($rv, 0, 'CTX set bad ciphersuites');
+
+ $ssl = Net::SSLeay::new($ctx);
+ $rv = Net::SSLeay::set_ciphersuites($ssl, $ciphersuites);
+ is($rv, 1, 'SSL set good ciphersuites');
+ $rv = Net::SSLeay::set_ciphersuites($ssl, '');
+ is($rv, 1, 'SSL set empty ciphersuites');
+ {
+ no warnings 'uninitialized';
+ $rv = Net::SSLeay::set_ciphersuites($ssl, undef);
+ };
+ is($rv, 1, 'SSL set undef ciphersuites');
+ $rv = Net::SSLeay::set_ciphersuites($ssl, 'nosuchthing:' . $ciphersuites);
+ is($rv, $ret_partially_bad_ciphersuites, 'SSL set partially bad ciphersuites');
+ $rv = Net::SSLeay::set_ciphersuites($ssl, 'nosuchthing:');
+ is($rv, 0, 'SSL set bad ciphersuites');
+
+ return;
+}
+
+sub test_cipher_funcs
+{
+
+ my ($ctx, $rv, $ssl);
+ $ctx = new_ctx();
+ $ssl = Net::SSLeay::new($ctx);
+
+ # OpenSSL API says these can accept NULL ssl
+ {
+ no warnings 'uninitialized';
+ my @a = Net::SSLeay::get_ciphers(undef);
+ is(@a, 0, 'SSL_get_ciphers with undefined ssl');
+
+ is(Net::SSLeay::get_cipher_list(undef, 0), undef, 'SSL_get_cipher_list with undefined ssl');
+ is(Net::SSLeay::CIPHER_get_name(undef), '(NONE)', 'SSL_CIPHER_get_name with undefined ssl');
+ is(Net::SSLeay::CIPHER_get_bits(undef), 0, 'SSL_CIPHER_get_bits with undefined ssl');
+ is(Net::SSLeay::CIPHER_get_version(undef), '(NONE)', 'SSL_CIPHER_get_version with undefined ssl');
+ }
+
+ # 10 is based on experimentation. Lowest count seen was 15 in
+ # OpenSSL 0.9.8zh.
+ my @ciphers = Net::SSLeay::get_ciphers($ssl);
+ cmp_ok(@ciphers, '>=', 10, 'SSL_get_ciphers: number of ciphers: ' . @ciphers);
+
+ my $first;
+ my ($name_failed, $desc_failed, $vers_failed, $bits_failed, $alg_bits_failed) = (0, 0, 0, 0, 0);
+ foreach my $c (@ciphers)
+ {
+ # Shortest seen: RC4-MD5
+ my $name = Net::SSLeay::CIPHER_get_name($c);
+ $name_failed++ if $name !~ m/^[A-Z0-9_-]{7,}\z/s;
+ $first = $name unless $first;
+
+ # Cipher description should begin with its name
+ my $desc = Net::SSLeay::CIPHER_description($c);
+ $desc_failed++ if $desc !~ m/^$name\s+/s;
+
+ # For example: TLSv1/SSLv3, SSLv2
+ my $vers = Net::SSLeay::CIPHER_get_version($c);
+ $vers_failed++ if length($vers) < 5;
+
+ # See that get_bits returns the same no matter how it's called
+ my $alg_bits;
+ my $bits = Net::SSLeay::CIPHER_get_bits($c, $alg_bits);
+ $bits_failed++ if $bits ne Net::SSLeay::CIPHER_get_bits($c);
+
+ # Once again, a value that should be reasonable
+ $alg_bits_failed++ if $alg_bits < 56;
+ }
+
+ is($name_failed, 0, 'CIPHER_get_name');
+ is($desc_failed, 0, 'CIPHER_description matches with CIPHER_name');
+ is($vers_failed, 0, 'CIPHER_get_version');
+ is($bits_failed, 0, 'CIPHER_get_bits');
+ is($alg_bits_failed, 0, 'CIPHER_get_bits with alg_bits');
+ is($first, Net::SSLeay::get_cipher_list($ssl, 0), 'SSL_get_cipher_list');
+
+ Net::SSLeay::free($ssl);
+ Net::SSLeay::CTX_free($ctx);
+
+ return;
+}
diff --git a/cpan/Net-SSLeay/t/local/44_sess.t b/cpan/Net-SSLeay/t/local/44_sess.t
new file mode 100644
index 000000000000..ce14422a4412
--- /dev/null
+++ b/cpan/Net-SSLeay/t/local/44_sess.t
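Review bot: `Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL);` in `client` and `&Net::SSLeay::get_keyblock_size($ssl)` in `client_test_keyblock_size` use the `&` call form; the bare `&Net::SSLeay::OP_ALL` without parentheses passes the enclosing sub's current `@_` through, which is harmless here only because `client()` is invoked with no arguments. 44_sess.t in this same commit spells it `Net::SSLeay::OP_ALL()`; the same spelling here, and `Net::SSLeay::get_keyblock_size($ssl)`, removes the footgun and keeps the new tests consistent. The commented-out `# my $get_keyblock_size_ciphers = join(':', keys(%cipher_to_keyblock_size));` in the server block is dead code; if the AEAD table is deliberately left out of the server's cipher list, a one-line comment saying so (the "Revisit" note at the top of the file already hints at the reason) would be clearer than a disabled line.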
@@ -0,0 +1,369 @@
+# Test session-related functions
+
+use lib 'inc';
+
+use Net::SSLeay;
+use Test::Net::SSLeay qw(
+ can_fork data_file_path initialise_libssl is_protocol_usable new_ctx
+ tcp_socket
+);
+
+use Storable;
+
+if (not can_fork()) {
+ plan skip_all => "fork() not supported on this system";
+} else {
+ plan tests => 58;
+}
+
+initialise_libssl();
+
+my @rounds = qw(
+ TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 TLSv1.3-num-tickets-ssl
+ TLSv1.3-num-tickets-ctx-6 TLSv1.3-num-tickets-ctx-0
+);
+
+my %usable =
+ map {
+ ( my $proto = $_ ) =~ s/-.*$//;
+
+ $_ => is_protocol_usable($proto)
+ }
+ @rounds;
+
+my $pid;
+alarm(30);
+END { kill 9,$pid if $pid }
+
+my (%server_stats, %client_stats);
+
+# Update client and server stats so that when something fails, it
+# remains in failed state
+sub set_client_stat
+{
+ my ($round, $param, $is_ok) = @_;
+
+ if ($is_ok) {
+ $client_stats{$round}->{$param} = 1 unless defined $client_stats{$round}->{$param};
+ return;
+ }
+ $client_stats{$round}->{$param} = 0;
+}
+
+sub set_server_stat
+{
+ my ($round, $param, $is_ok) = @_;
+
+ if ($is_ok) {
+ $server_stats{$round}->{$param} = 1 unless defined $server_stats{$round}->{$param};
+ return;
+ }
+ $server_stats{$round}->{$param} = 0;
+}
+
+# Separate session callbacks for client and server. The callbacks
+# update stats and check that SSL_CTX, SSL and SESSION are as
+# expected.
+sub client_new_cb
+{
+ my ($ssl, $ssl_session, $expected_ctx, $round) = @_;
+
+ $client_stats{$round}->{new_cb_called}++;
+
+ my $ctx = Net::SSLeay::get_SSL_CTX($ssl);
+ my $ssl_version = Net::SSLeay::get_version($ssl);
+ my $is_ok = ($ctx eq $expected_ctx &&
+ $ssl_session eq Net::SSLeay::SSL_get0_session($ssl) &&
+ $round =~ m/^$ssl_version/);
+ diag("client_new_cb params not ok: $round") unless $is_ok;
+ set_client_stat($round, 'new_params_ok', $is_ok);
+
+ if (defined &Net::SSLeay::SESSION_is_resumable) {
+ my $is_resumable = Net::SSLeay::SESSION_is_resumable($ssl_session);
+ BAIL_OUT("is_resumable is not 0 or 1: $round") unless defined $is_resumable && ($is_resumable == 0 || $is_resumable == 1);
+ set_client_stat($round, 'new_session_is_resumable', $is_resumable);
+ }
+
+ #Net::SSLeay::SESSION_print_fp(*STDOUT, $ssl_session);
+ return 0;
+}
+
+sub client_remove_cb
+{
+ my ($ctx, $ssl_session, $expected_ctx, $round) = @_;
+
+ $client_stats{$round}->{remove_cb_called}++;
+
+ my $is_ok = ($ctx eq $expected_ctx);
+ diag("client_remove_cb params not ok: $round") unless $is_ok;
+ set_client_stat($round, 'remove_params_ok', $is_ok);
+
+ #Net::SSLeay::SESSION_print_fp(*STDOUT, $ssl_session);
+ return;
+}
+
+sub server_new_cb
+{
+ my ($ssl, $ssl_session, $expected_ctx, $round) = @_;
+
+ $server_stats{$round}->{new_cb_called}++;
+
+ my $ctx = Net::SSLeay::get_SSL_CTX($ssl);
+ my $ssl_version = Net::SSLeay::get_version($ssl);
+ my $is_ok = ($ctx eq $expected_ctx &&
+ $ssl_session eq Net::SSLeay::SSL_get0_session($ssl) &&
+ $round =~ m/^$ssl_version/);
+ diag("server_new_cb params not ok: $round") unless $is_ok;
+ set_server_stat($round, 'new_params_ok', $is_ok);
+
+ if (defined &Net::SSLeay::SESSION_is_resumable) {
+ my $is_resumable = Net::SSLeay::SESSION_is_resumable($ssl_session);
+ BAIL_OUT("is_resumable is not 0 or 1: $round") unless defined $is_resumable && ($is_resumable == 0 || $is_resumable == 1);
+ set_server_stat($round, 'new_session_is_resumable', $is_resumable);
+ }
+
+ #Net::SSLeay::SESSION_print_fp(*STDOUT, $ssl_session);
+ return 0;
+}
+
+sub server_remove_cb
+{
+ my ($ctx, $ssl_session, $expected_ctx, $round) = @_;
+
+ $server_stats{$round}->{remove_cb_called}++;
+
+ my $is_ok = ($ctx eq $expected_ctx);
+ diag("server_remove_cb params not ok: $round") unless $is_ok;
+ set_server_stat($round, 'remove_params_ok', $is_ok);
+
+ return;
+}
+
+my ($server_ctx, $client_ctx, $server_ssl, $client_ssl);
+
+my $server = tcp_socket();
+
+sub server
+{
+ # SSL server - just handle connections, send information to
+ # client and exit
+ my $cert_pem = data_file_path('simple-cert.cert.pem');
+ my $key_pem = data_file_path('simple-cert.key.pem');
+
+ defined($pid = fork()) or BAIL_OUT("failed to fork: $!");
+ if ($pid == 0) {
+ my ($ctx, $ssl, $ret, $cl);
+
+ foreach my $round (@rounds)
+ {
+ ( my $proto = $round ) =~ s/-.*?$//;
+ next unless $usable{$proto};
+
+ $cl = $server->accept();
+
+ $ctx = new_ctx( $proto, $proto );
+
+ Net::SSLeay::CTX_set_security_level($ctx, 0)
+ if Net::SSLeay::SSLeay() >= 0x30000000 && ($proto eq 'TLSv1' || $proto eq 'TLSv1.1');
+ Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem);
+ Net::SSLeay::CTX_set_session_cache_mode($ctx, Net::SSLeay::SESS_CACHE_SERVER());
+ # Need OP_NO_TICKET to enable server side (Session ID based) resumption.
+ # See also SSL_CTX_set_options documenation about its use with TLSv1.3
+ if ( $round !~ /^TLSv1\.3/ ) {
+ my $ctx_options = Net::SSLeay::OP_ALL();
+
+ # OP_NO_TICKET requires OpenSSL 0.9.8f or above
+ if ( eval { Net::SSLeay::OP_NO_TICKET(); 1; } ) {
+ $ctx_options |= Net::SSLeay::OP_NO_TICKET();
+ }
+
+ Net::SSLeay::CTX_set_options($ctx, $ctx_options);
+ }
+
+ Net::SSLeay::CTX_sess_set_new_cb($ctx, sub {server_new_cb(@_, $ctx, $round);});
+ Net::SSLeay::CTX_sess_set_remove_cb($ctx, sub {server_remove_cb(@_, $ctx, $round);});
+
+ # Test set_num_tickets separately for CTX and SSL
+ if (defined &Net::SSLeay::CTX_set_num_tickets)
+ {
+ Net::SSLeay::CTX_set_num_tickets($ctx, 6) if ($round eq 'TLSv1.3-num-tickets-ctx-6');
+ Net::SSLeay::CTX_set_num_tickets($ctx, 0) if ($round eq 'TLSv1.3-num-tickets-ctx-0');
+ $server_stats{$round}->{get_num_tickets} = Net::SSLeay::CTX_get_num_tickets($ctx);
+ }
+
+ $ssl = Net::SSLeay::new($ctx);
+ if (defined &Net::SSLeay::set_num_tickets)
+ {
+ Net::SSLeay::set_num_tickets($ssl, 4) if ($round eq 'TLSv1.3-num-tickets-ssl');
+ $server_stats{$round}->{get_num_tickets} = Net::SSLeay::get_num_tickets($ssl);
+ }
+ Net::SSLeay::set_fd($ssl, fileno($cl));
+ Net::SSLeay::accept($ssl);
+
+ Net::SSLeay::write($ssl, "msg from server: $round");
+ Net::SSLeay::read($ssl);
+ Net::SSLeay::shutdown($ssl);
+ my $sess = Net::SSLeay::get1_session($ssl);
+ $ret = Net::SSLeay::CTX_remove_session($ctx, $sess);
+
+ if (defined &Net::SSLeay::SESSION_is_resumable) {
+ my $is_resumable = Net::SSLeay::SESSION_is_resumable($sess);
+ BAIL_OUT("is_resumable is not 0 or 1: $round") unless defined $is_resumable && ($is_resumable == 0 || $is_resumable == 1);
+ set_server_stat($round, 'old_session_is_resumable', $is_resumable);
+ }
+
+ Net::SSLeay::SESSION_free($sess) unless $ret; # Not cached, undo get1
+ Net::SSLeay::free($ssl);
+ close($cl) || die("server close: $!");
+ }
+
+ $cl = $server->accept();
+
+ print $cl "end\n";
+ print $cl unpack( 'H*', Storable::freeze(\%server_stats) ), "\n";
+
+ close($cl) || die("server close stats socket: $!");
+ $server->close() || die("server listen socket close: $!");
+
+ #use Data::Dumper; print "Server:\n" . Dumper(\%server_stats);
+ exit(0);
+ }
+}
+
+sub client {
+ # SSL client - connect to server and receive information that we
+ # compare to our expected values
+
+ my ($ctx, $ssl, $ret, $cl);
+
+ foreach my $round (@rounds)
+ {
+ ( my $proto = $round ) =~ s/-.*?$//;
+ next unless $usable{$proto};
+
+ $cl = $server->connect();
+
+ $ctx = new_ctx( $proto, $proto );
+
+ Net::SSLeay::CTX_set_security_level($ctx, 0)
+ if Net::SSLeay::SSLeay() >= 0x30000000 && ($proto eq 'TLSv1' || $proto eq 'TLSv1.1');
+ Net::SSLeay::CTX_set_session_cache_mode($ctx, Net::SSLeay::SESS_CACHE_CLIENT());
+ Net::SSLeay::CTX_set_options($ctx, Net::SSLeay::OP_ALL());
+ Net::SSLeay::CTX_sess_set_new_cb($ctx, sub {client_new_cb(@_, $ctx, $round);});
+ Net::SSLeay::CTX_sess_set_remove_cb($ctx, sub {client_remove_cb(@_, $ctx, $round);});
+ $ssl = Net::SSLeay::new($ctx);
+
+ Net::SSLeay::set_fd($ssl, $cl);
+ my $ret = Net::SSLeay::connect($ssl);
+ if ($ret <= 0) {
+ diag("Protocol $proto, connect() returns $ret, Error: ".Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error()));
+ }
+ my $msg = Net::SSLeay::read($ssl);
+ #print "server said: $msg\n";
+
+ Net::SSLeay::write($ssl, "continue");
+ my $sess = Net::SSLeay::get1_session($ssl);
+ $ret = Net::SSLeay::CTX_remove_session($ctx, $sess);
+ Net::SSLeay::SESSION_free($sess) unless $ret; # Not cached, undo get1
+
+ if (defined &Net::SSLeay::SESSION_is_resumable) {
+ my $is_resumable = Net::SSLeay::SESSION_is_resumable($sess);
+ BAIL_OUT("is_resumable is not 0 or 1: $round") unless defined $is_resumable && ($is_resumable == 0 || $is_resumable == 1);
+ set_client_stat($round, 'old_session_is_resumable', $is_resumable);
+ }
+
+ Net::SSLeay::shutdown($ssl);
+ Net::SSLeay::free($ssl);
+ close($cl) || die("client close: $!");
+ }
+
+ $cl = $server->connect();
+ chomp( my $server_end = <$cl> );
+ is( $server_end, 'end', 'Successful termination' );
+
+ # Stats from server
+ chomp( my $server_stats = <$cl> );
+ my $server_stats_ref = Storable::thaw( pack( 'H*', $server_stats ) );
+
+ close($cl) || die("client close stats socket: $!");
+ $server->close() || die("client listen socket close: $!");
+
+ test_stats($server_stats_ref, \%client_stats);
+
+ return;
+}
+
+sub test_stats {
+ my ($srv_stats, $clt_stats) = @_;
+
+ for my $round (@rounds) {
+ # The TLSv1.3-specific results will be checked separately later
+ next if $round =~ /-/;
+
+ if (!$usable{$round}) {
+ SKIP: {
+ skip( "$round not available in this libssl", 12 );
+ }
+ next;
+ }
+
+ my $s = $srv_stats->{$round};
+ my $c = $clt_stats->{$round};
+
+ # With TLSv1.3, two session tickets are sent by default, so new_cb is
+ # called twice; with all other protocol versions, new_cb is called once
+ my $cbs = ( $round =~ /^TLSv1\.3/ ? 2 : 1 );
+
+ is( $s->{new_cb_called}, $cbs, "Server $round new_cb call count" );
+ is( $s->{new_params_ok}, 1, "Server $round new_cb params were correct" );
+ is( $s->{remove_cb_called}, 1, "Server $round remove_cb call count" );
+ is( $s->{remove_params_ok}, 1, "Server $round remove_cb params were correct" );
+
+ is( $c->{new_cb_called}, $cbs, "Client $round new_cb call count" );
+ is( $c->{new_params_ok}, 1, "Client $round new_cb params were correct" );
+ is( $c->{remove_cb_called}, 1, "Client $round remove_cb call count" );
+ is( $c->{remove_params_ok}, 1, "Client $round remove_cb params were correct" );
+
+ if (
+ defined &Net::SSLeay::SESSION_is_resumable
+ || $round =~ /^TLSv1\.3/
+ ) {
+ is( $s->{new_session_is_resumable}, 1, "Server $round session is resumable" );
+ is( $s->{old_session_is_resumable}, 0, "Server $round session is no longer resumable" );
+
+ is( $c->{new_session_is_resumable}, 1, "Client $round session is resumable" );
+ is( $c->{old_session_is_resumable}, 0, "Client $round session is no longer resumable" );
+ } else {
+ SKIP: {
+ skip( 'Do not have Net::SSLeay::SESSION_is_resumable', 4 );
+ }
+ }
+ }
+
+ if ($usable{'TLSv1.3'}) {
+ is( $srv_stats->{'TLSv1.3-num-tickets-ssl'}->{get_num_tickets}, 4, 'Server TLSv1.3 get_num_tickets 4' );
+ is( $srv_stats->{'TLSv1.3-num-tickets-ssl'}->{new_cb_called}, 4, 'Server TLSv1.3 new_cb call count with set_num_tickets 4' );
+ is( $clt_stats->{'TLSv1.3-num-tickets-ssl'}->{new_cb_called}, 4, 'Client TLSv1.3 new_cb call count with set_num_tickets 4' );
+
+ is( $srv_stats->{'TLSv1.3-num-tickets-ctx-6'}->{get_num_tickets}, 6, 'Server TLSv1.3 CTX_get_num_tickets 6' );
+ is( $srv_stats->{'TLSv1.3-num-tickets-ctx-6'}->{new_cb_called}, 6, 'Server TLSv1.3 new_cb call count with CTX_set_num_tickets 6' );
+ is( $clt_stats->{'TLSv1.3-num-tickets-ctx-6'}->{new_cb_called}, 6, 'Client TLSv1.3 new_cb call count with CTX_set_num_tickets 6' );
+
+ is( $srv_stats->{'TLSv1.3-num-tickets-ctx-0'}->{get_num_tickets}, 0, 'Server TLSv1.3 CTX_get_num_tickets 0' );
+ is( $srv_stats->{'TLSv1.3-num-tickets-ctx-0'}->{new_cb_called}, undef, 'Server TLSv1.3 new_cb call count with CTX_set_num_tickets 0' );
+ is( $clt_stats->{'TLSv1.3-num-tickets-ctx-0'}->{new_cb_called}, undef, 'Client TLSv1.3 new_cb call count with CTX_set_num_tickets 0' );
+ }
+ else {
+ SKIP: {
+ skip( 'TLSv1.3 not available in this libssl', 9 );
+ }
+ }
+
+ # use Data::Dumper; print "Server:\n" . Dumper(\%srv_stats);
+ # use Data::Dumper; print "Client:\n" . Dumper(\%clt_stats);
+}
+
+server();
+client();
+waitpid $pid, 0;
+exit(0);
diff --git a/cpan/Net-SSLeay/t/local/45_exporter.t b/cpan/Net-SSLeay/t/local/45_exporter.t
new file mode 100644
index 000000000000..aaacc7b189ed
--- /dev/null
+++ b/cpan/Net-SSLeay/t/local/45_exporter.t
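Review bot: In `client`, `Net::SSLeay::SESSION_free($sess) unless $ret; # Not cached, undo get1` runs before the `SESSION_is_resumable($sess)` call in the block immediately below it, so when `CTX_remove_session` reports the session was not cached, the `get1_session` reference is released and `$sess` is then used again; the server loop in the same file does the resumable check first and frees afterwards. This presumably only holds together because `$ssl` is still alive and keeps its own reference to the session, which is fragile and not stated anywhere. Moving the `SESSION_free` line to just after the `if (defined &Net::SSLeay::SESSION_is_resumable) { ... }` block makes the client mirror the server ordering. Separately, `my $ret = Net::SSLeay::connect($ssl);` inside the loop introduces a new lexical that masks the `$ret` from `my ($ctx, $ssl, $ret, $cl);`, leaving the outer one unused; dropping the inner `my` keeps a single variable.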
@@ -0,0 +1,171 @@
+# Various TLS exporter-related tests
+
+use lib 'inc';
+
+use Net::SSLeay;
+use Test::Net::SSLeay qw(
+ can_fork data_file_path initialise_libssl is_protocol_usable new_ctx
+ tcp_socket
+);
+
+use Storable;
+
+if (not can_fork()) {
+ plan skip_all => "fork() not supported on this system";
+} elsif (!defined &Net::SSLeay::export_keying_material) {
+ plan skip_all => "No export_keying_material()";
+} else {
+ plan tests => 36;
+}
+
+initialise_libssl();
+
+my @rounds = qw( TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 );
+
+my %usable =
+ map {
+ $_ => is_protocol_usable($_)
+ }
+ @rounds;
+
+my $pid;
+alarm(30);
+END { kill 9,$pid if $pid }
+
+my (%server_stats, %client_stats);
+
+my ($server_ctx, $client_ctx, $server_ssl, $client_ssl);
+
+my $server = tcp_socket();
+
+sub server
+{
+ # SSL server - just handle connections, write, wait for read and repeat
+ my $cert_pem = data_file_path('simple-cert.cert.pem');
+ my $key_pem = data_file_path('simple-cert.key.pem');
+
+ defined($pid = fork()) or BAIL_OUT("failed to fork: $!");
+ if ($pid == 0) {
+ my ($ctx, $ssl, $ret, $cl);
+
+ foreach my $round (@rounds)
+ {
+ next unless $usable{$round};
+
+ $cl = $server->accept();
+
+ $ctx = new_ctx( $round, $round );
+
+ Net::SSLeay::CTX_set_security_level($ctx, 0)
+ if Net::SSLeay::SSLeay() >= 0x30000000 && ($round eq 'TLSv1' || $round eq 'TLSv1.1');
+ Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem);
+ $ssl = Net::SSLeay::new($ctx);
+ Net::SSLeay::set_fd($ssl, fileno($cl));
+ Net::SSLeay::accept($ssl);
+
+ Net::SSLeay::write($ssl, $round);
+ my $msg = Net::SSLeay::read($ssl);
+
+ Net::SSLeay::shutdown($ssl);
+ Net::SSLeay::free($ssl);
+ close($cl) || die("server close: $!");
+ }
+ $server->close() || die("server listen socket close: $!");
+ exit(0);
+ }
+}
+
+# SSL client - connect to server, read, test and repeat
+sub client {
+ for my $round (@rounds) {
+ if ($usable{$round}) {
+ my $cl = $server->connect();
+
+ my $ctx = new_ctx( $round, $round );
+ Net::SSLeay::CTX_set_security_level($ctx, 0)
+ if Net::SSLeay::SSLeay() >= 0x30000000 && ($round eq 'TLSv1' || $round eq 'TLSv1.1');
+ my $ssl = Net::SSLeay::new($ctx);
+ Net::SSLeay::set_fd( $ssl, $cl );
+ my $ret = Net::SSLeay::connect($ssl);
+ if ($ret <= 0) {
+ diag("Protocol $round, connect() returns $ret, Error: ".Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error()));
+ }
+
+ my $msg = Net::SSLeay::read($ssl);
+
+ test_export($ssl);
+
+ Net::SSLeay::write( $ssl, $msg );
+
+ Net::SSLeay::shutdown($ssl);
+ Net::SSLeay::free($ssl);
+ close($cl) || die("client close: $!");
+ }
+ else {
+ SKIP: {
+ skip( "$round not available in this libssl", 9 );
+ }
+ }
+ }
+ $server->close() || die("client listen socket close: $!");
+
+ return 1;
+}
+
+sub test_export
+{
+ my ($ssl) = @_;
+
+ my ($bytes1_0, $bytes1_1, $bytes1_2, $bytes1_3, $bytes2_0, $bytes2_2_64);
+
+ my $tls_version = Net::SSLeay::get_version($ssl);
+
+ $bytes1_0 = Net::SSLeay::export_keying_material($ssl, 64, 'label 1');
+ $bytes1_1 = Net::SSLeay::export_keying_material($ssl, 64, 'label 1', undef);
+ $bytes1_2 = Net::SSLeay::export_keying_material($ssl, 64, 'label 1', '');
+ $bytes1_3 = Net::SSLeay::export_keying_material($ssl, 64, 'label 1', 'context');
+ $bytes2_0 = Net::SSLeay::export_keying_material($ssl, 128, 'label 1', '');
+ $bytes2_2_64 = substr($bytes2_0, 0, 64);
+
+ is(length($bytes1_0), 64, "$tls_version: Got enough for bytes1_0");
+ is(length($bytes1_1), 64, "$tls_version: Got enough for bytes1_1");
+ is(length($bytes1_2), 64, "$tls_version: Got enough for bytes1_2");
+ is(length($bytes1_3), 64, "$tls_version: Got enough for bytes1_3");
+ is(length($bytes2_0), 128, "$tls_version: Got enough for bytes2_0");
+
+ $bytes1_0 = unpack('H*', $bytes1_0);
+ $bytes1_1 = unpack('H*', $bytes1_1);
+ $bytes1_2 = unpack('H*', $bytes1_2);
+ $bytes1_3 = unpack('H*', $bytes1_3);
+ $bytes2_0 = unpack('H*', $bytes2_0);
+ $bytes2_2_64 = unpack('H*', $bytes2_2_64);
+
+ # Last argument should default to undef
+ is($bytes1_0, $bytes1_1, "$tls_version: context default param is undef");
+
+ # Empty and undefined context are the same for TLSv1.3.
+ # Different length export changes the whole values for TLSv1.3.
+ if ($tls_version eq 'TLSv1.3') {
+ is($bytes1_0, $bytes1_2, "$tls_version: empty and undefined context yields equal values");
+ isnt($bytes2_2_64, $bytes1_2, "$tls_version: export length does matter");
+ } else {
+ isnt($bytes1_0, $bytes1_2, "$tls_version: empty and undefined context yields different values");
+ is($bytes2_2_64, $bytes1_2, "$tls_version: export length does not matter");
+ }
+
+ isnt($bytes1_3, $bytes1_0, "$tls_version: different context");
+
+ return;
+}
+
+# For SSL_export_keying_material_early available with TLSv1.3
+sub test_export_early
+{
+
+ return;
+}
+
+server();
+client();
+waitpid $pid, 0;
+exit(0);
diff --git a/cpan/Net-SSLeay/t/local/46_msg_callback.t b/cpan/Net-SSLeay/t/local/46_msg_callback.t
new file mode 100644
index 000000000000..587e5a0e0b82
--- /dev/null
+++ b/cpan/Net-SSLeay/t/local/46_msg_callback.t
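Review bot: `test_export_early` is an empty stub that nothing in the file calls, and `use Storable;`, `my (%server_stats, %client_stats);` and `my ($server_ctx, $client_ctx, $server_ssl, $client_ssl);` are declared but never used here; they look carried over from 44_sess.t. Either remove them or, if the stub is meant as a placeholder for a later test of SSL_export_keying_material_early, say so in the comment above it: `# TODO: exercise SSL_export_keying_material_early once a binding exists; intentionally empty for now`. The `$ret` in server()'s `my ($ctx, $ssl, $ret, $cl);` is likewise never assigned in that sub.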
@@ -0,0 +1,114 @@
+use lib 'inc';
+
+use Net::SSLeay;
+use Test::Net::SSLeay qw(
+ can_fork data_file_path initialise_libssl new_ctx tcp_socket
+);
+
+if (not can_fork()) {
+ plan skip_all => "fork() not supported on this system";
+} else {
+ plan tests => 10;
+}
+
+initialise_libssl();
+
+my $pid;
+alarm(30);
+END { kill 9,$pid if $pid }
+
+my $server = tcp_socket();
+
+{
+ # SSL server - just handle single connect and shutdown connection
+ my $cert_pem = data_file_path('simple-cert.cert.pem');
+ my $key_pem = data_file_path('simple-cert.key.pem');
+
+ defined($pid = fork()) or BAIL_OUT("failed to fork: $!");
+ if ($pid == 0) {
+ for(qw(ctx ssl)) {
+ my $cl = $server->accept();
+ my $ctx = new_ctx();
+ Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem);
+ my $ssl = Net::SSLeay::new($ctx);
+ Net::SSLeay::set_fd($ssl, fileno($cl));
+ Net::SSLeay::accept($ssl);
+ for(1,2) {
+ last if Net::SSLeay::shutdown($ssl)>0;
+ }
+ close($cl) || die("server close: $!");
+ }
+ $server->close() || die("server listen socket close: $!");
+ exit;
+ }
+}
+
+sub client {
+ my ($where) = @_;
+ # SSL client - connect and shutdown, all the while getting state updates
+ # with info callback
+
+ my @cb_data;
+ my @states;
+ my $msgcb = sub {
+ my ($write_p,$version,$content_type,$buf,$len,$ssl,$cb_data) = @_;
+ # buffer is of course randomized/timestamped, this is hard to test, so
+ # skip this
+ my $hex_buf = unpack("H*", $buf||'');
+
+ # version appears to be different running in different test envs that
+ # have a different openssl version, so we skip that too. This isn't a
+ # good test for that, and it's not up to Net::SSLeay to make all
+ # openssl implementations look the same
+
+ # the 3 things this sub needs to do:
+ # 1. not die
+ # 2. no memory leak
+ # 3. provide information
+ #
+ # The validness of the buffer can be checked, so we use this as a
+ # validation instead.
This selftest is not here to validate the
+ # protocol and the intricacies of the possible implementation or
+ # version (ssl3 vs tls1 etc)
+
+ push @states,(defined $buf and length($buf) == $len)||0;
+
+ # cb_data can act as a check
+ push @cb_data, $cb_data;
+ };
+
+ my $cl = $server->connect();
+ my $ctx = new_ctx();
+ Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL);
+ Net::SSLeay::CTX_set_msg_callback($ctx, $msgcb, "CB_DATA") if $where eq 'ctx';
+ my $ssl = Net::SSLeay::new($ctx);
+ Net::SSLeay::set_fd($ssl, $cl);
+ Net::SSLeay::set_msg_callback($ssl, $msgcb, "CB_DATA") if $where eq 'ssl';
+ Net::SSLeay::connect($ssl);
+ for(1,2) {
+ last if Net::SSLeay::shutdown($ssl)>0;
+ }
+ close($cl) || die("client close: $!");
+
+ ok(scalar(@states) > 1, "at least 2 messages logged: $where");
+ my $all_ok = 1;
+ $all_ok &= $_ for @states;
+ is($all_ok, 1, "all states are OK: length(buf) = len for $where");
+
+ ok(scalar(@cb_data) > 1, "all cb data SV's are OK for $where (at least 2)");
+ my $all_cb_data_ok = 0;
+ $all_cb_data_ok++ for grep {$_ eq "CB_DATA"} grep {defined} @cb_data;
+ is(scalar(@cb_data), $all_cb_data_ok, "all cb data SV's are OK for $where");
+
+ eval {
+ Net::SSLeay::CTX_set_msg_callback($ctx, undef) if $where eq 'ctx';
+ Net::SSLeay::set_msg_callback($ssl, undef) if $where eq 'ssl';
+ };
+ is($@, '', "no error during set_msg_callback() for $where");
+}
+
+client('ctx');
+client('ssl');
+$server->close() || die("client listen socket close: $!");
+waitpid $pid, 0;
+
diff --git a/cpan/Net-SSLeay/t/local/47_keylog.t b/cpan/Net-SSLeay/t/local/47_keylog.t
new file mode 100644
index 000000000000..b2bfce5af2b9
--- /dev/null
+++ b/cpan/Net-SSLeay/t/local/47_keylog.t
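Review bot: The client handshake outcome is never checked — `Net::SSLeay::connect($ssl);` in `client()` discards its return, so a failed handshake only surfaces later as the `@states` count assertion failing with no diagnostic, whereas the keylog test in this same commit keeps the value and reports it; the same two lines would do here: `my $ret = Net::SSLeay::connect($ssl);` and `diag("connect() returns $ret, Error: " . Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error())) if $ret <= 0;`. The callback comment lists "no memory leak" as one of its three goals, yet neither `$ssl` nor `$ctx` is released after the unset check, so the test never exercises teardown with the callback cleared; `Net::SSLeay::free($ssl); Net::SSLeay::CTX_free($ctx);` after the `is($@, '', ...)` line would cover that, and the server loop earlier in this hunk has the same omission. `$hex_buf` is computed and never used, and `&Net::SSLeay::OP_ALL` is the ampersand call form that forwards the caller's `@_`; `Net::SSLeay::OP_ALL()` is the plain call.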
@@ -0,0 +1,208 @@
+# Tests for logging TLS key material
+
+use lib 'inc';
+
+use Net::SSLeay;
+use Test::Net::SSLeay qw(
+ can_fork data_file_path initialise_libssl is_protocol_usable new_ctx
+ tcp_socket
+);
+
+if (not can_fork()) {
+ plan skip_all => "fork() not supported on this system";
+} elsif (!defined &Net::SSLeay::CTX_set_keylog_callback) {
+ plan skip_all => "No CTX_set_keylog_callback()";
+} else {
+ plan tests => 11;
+}
+
+initialise_libssl();
+
+# TLSv1.3 keylog is different from previous TLS versions. We expect
+# that both types can be tested
+my @rounds = qw( TLSv1.2 TLSv1.3 );
+my %keylog = (
+ 'TLSv1.2' => {},
+ 'TLSv1.3' => {},
+ );
+
+# %keylog ends up looking like this if everything goes as planned
+# See below for more information about the keys and the values.
+# $VAR1 = {
+# 'TLSv1.2' => {
+# 'CLIENT_RANDOM' => '54f8fdb2... 2232f0ab...'
+# },
+# 'TLSv1.3' => {
+# 'CLIENT_HANDSHAKE_TRAFFIC_SECRET' => '0d862c40... d85e3d34...',
+# 'CLIENT_TRAFFIC_SECRET_0' => '0d862c40... 5c211de7...',
+# 'EXPORTER_SECRET' => '0d862c40... 332b80bb...',
+# 'SERVER_HANDSHAKE_TRAFFIC_SECRET' => '0d862c40... 93a9c58e...',
+# 'SERVER_TRAFFIC_SECRET_0' => '0d862c40... 34b7afff...'
+# }
+# };
+
+# This will trigger diagnostics if the desired TLS versions are not
+# available.
+my %usable =
+ map {
+ $_ => is_protocol_usable($_)
+ }
+ @rounds;
+
+my $pid;
+alarm(30);
+END { kill 9,$pid if $pid }
+
+my $server = tcp_socket();
+
+sub server
+{
+ # SSL server - just handle connections, write, wait for read and repeat
+ my $cert_pem = data_file_path('simple-cert.cert.pem');
+ my $key_pem = data_file_path('simple-cert.key.pem');
+
+ defined($pid = fork()) or BAIL_OUT("failed to fork: $!");
+ if ($pid == 0) {
+ my ($ctx, $ssl, $ret, $cl);
+
+ foreach my $round (@rounds)
+ {
+ next unless $usable{$round};
+
+ $cl = $server->accept();
+
+ $ctx = new_ctx( $round, $round );
+ Net::SSLeay::CTX_set_keylog_callback($ctx, \&keylog_cb);
+ Net::SSLeay::set_cert_and_key($ctx, $cert_pem, $key_pem);
+ $ssl = Net::SSLeay::new($ctx);
+ Net::SSLeay::set_fd($ssl, fileno($cl));
+ Net::SSLeay::accept($ssl);
+
+ # Keylog data has been collected at this point. Doing some
+ # reads and writes allows us to see our connection works.
+ my $ssl_version = Net::SSLeay::read($ssl);
+ Net::SSLeay::write($ssl, $ssl_version);
+ my $keys = $keylog{$ssl_version};
+ foreach my $label (keys %{$keylog{$round}})
+ {
+ Net::SSLeay::write($ssl, $label);
+ Net::SSLeay::write($ssl, $keylog{$ssl_version}->{$label});
+ }
+ Net::SSLeay::shutdown($ssl);
+ Net::SSLeay::free($ssl);
+ close($cl) || die("server close: $!");
+ }
+ $server->close() || die("server listen socket close: $!");
+
+ exit(0);
+ }
+}
+
+# SSL client - connect to server, read, test and repeat
+sub client {
+
+ # For storing keylog information the server sends
+ my %server_keylog;
+
+ for my $round (@rounds) {
+ if ($usable{$round}) {
+ my $cl = $server->connect();
+
+ my $ctx = new_ctx( $round, $round );
+ Net::SSLeay::CTX_set_keylog_callback($ctx, \&keylog_cb);
+ my $ssl = Net::SSLeay::new($ctx);
+ Net::SSLeay::set_fd( $ssl, $cl );
+ my $ret = Net::SSLeay::connect($ssl);
+ if ($ret <= 0) {
+ diag("Protocol $round, connect() returns $ret, Error: " . 
Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error()));
+ }
+
+ # Pull server's keylog for this TLS version.
+ Net::SSLeay::write($ssl, $round);
+ my $ssl_version = Net::SSLeay::read($ssl);
+ my %keys;
+ while (my $label = Net::SSLeay::read($ssl))
+ {
+ $keys{$label} = Net::SSLeay::read($ssl);
+ }
+ $server_keylog{$round} = \%keys;
+
+ Net::SSLeay::shutdown($ssl);
+ Net::SSLeay::free($ssl);
+ close($cl) || die("client close: $!");
+ }
+ else {
+ diag("$round not available in this libssl but required by test");
+ }
+ }
+ $server->close() || die("client listen socket close: $!");
+
+ # Server and connections are gone but the client has all the data
+ # it needs for the tests
+
+ # Start with set/get test
+ {
+ my $ctx = new_ctx();
+ my $cb = Net::SSLeay::CTX_get_keylog_callback($ctx);
+ is($cb, undef, 'Keylog callback is initially undefined');
+
+ Net::SSLeay::CTX_set_keylog_callback($ctx, \&keylog_cb);
+ $cb = Net::SSLeay::CTX_get_keylog_callback($ctx);
+ is($cb, \&keylog_cb, 'CTX_get_keylog_callback');
+
+ Net::SSLeay::CTX_set_keylog_callback($ctx, undef);
+ $cb = Net::SSLeay::CTX_get_keylog_callback($ctx);
+ is($cb, undef, 'Keylog callback successfully unset');
+ }
+
+ # Make it clear we have separate keylog hashes. The also align
+ # nicely below. The compare server and client keylogs.
+ my %client_keylog = %keylog;
+ foreach my $round (@rounds)
+ {
+ ok(exists $server_keylog{$round}, "Server keylog for $round exists");
+ ok(exists $client_keylog{$round}, "Client keylog for $round exists");
+
+ my $s_kl = delete $server_keylog{$round};
+ my $c_kl = delete $client_keylog{$round};
+ is_deeply($s_kl, $c_kl, "Client and Server have equal keylog for $round");
+ }
+ is_deeply(\%server_keylog, {}, 'Server keylog has no unexpected entries');
+ is_deeply(\%client_keylog, {}, 'Client keylog has no unexpected entries');
+
+ return 1;
+}
+
+
+# The keylog file format is specified by Mozilla:
+# https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
+# Quote:
+# This key log file is a series of lines. Comment lines begin with
+# a sharp character ('#') and are ignored. Secrets follow the
+# format