diff --git a/IO-Socket-SSL-2.063-Test-client-performs-Post-Handshake-Authentication.patch b/IO-Socket-SSL-2.063-Test-client-performs-Post-Handshake-Authentication.patch deleted file mode 100644 index 86f4484..0000000 --- a/IO-Socket-SSL-2.063-Test-client-performs-Post-Handshake-Authentication.patch +++ /dev/null @@ -1,127 +0,0 @@ -From 921d3a471156896a0d139e82a50d07441992c811 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Fri, 8 Feb 2019 14:50:32 +0100 -Subject: [PATCH] Test client performs Post-Handshake-Authentication -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This test uses openssl tool because PHA is not yet supported by -IO::Socket::SSL's server implementation. The openssl tool uses a fixed -port. So the test can fail. - -Signed-off-by: Petr Písař ---- - MANIFEST | 1 + - t/pha_client.t | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 88 insertions(+) - create mode 100755 t/pha_client.t - -diff --git a/MANIFEST b/MANIFEST -index 5c2b87c..e46f919 100644 ---- a/MANIFEST -+++ b/MANIFEST -@@ -57,6 +57,7 @@ t/memleak_bad_handshake.t - t/multiple-cert-rsa-ecc.t - t/nonblock.t - t/npn.t -+t/pha_client.t - t/plain_upgrade_downgrade.t - t/protocol_version.t - t/public_suffix_lib_encode_idn.t -diff --git a/t/pha_client.t b/t/pha_client.t -new file mode 100755 -index 0000000..6699443 ---- /dev/null -+++ b/t/pha_client.t -@@ -0,0 +1,87 @@ -+#!/usr/bin/perl -+use strict; -+use warnings; -+use Test::More; -+use IPC::Run (); -+use IO::Socket::SSL (); -+use IO::Select (); -+ -+if (!system('openssl', 'version')) { -+ plan tests => 5; -+} else { -+ plan skip_all => 'openssl tool is not available'; -+} -+ -+my $port = 2000; -+my $ca_cert = 'certs/test-ca.pem'; -+ -+diag 'Starting a server'; -+my ($server, $input, $stdout, $stderr); -+eval { -+ $server = IPC::Run::start(['openssl', 's_server', '-port', $port, -+ '-Verify', '1', -+ '-cert', 'certs/server-wildcard.pem', -+ '-key', 'certs/server-wildcard.pem', '-CAfile', $ca_cert], -+ \$input, \$stdout, \$stderr); -+ # subsequent \undef does not work -+ # -+}; -+if (!$server or $@) { -+ BAIL_OUT("Could not start a server: $@"); -+} -+# openssl s_server does not return a non-zero exit code in case of bind(2) failure. -+while ($server->pumpable && $stdout !~ /\nACCEPT\n/) { $server->pump; } -+if ($stderr =~ /unable to bind socket/) { -+ $server->kill_kill; -+ BAIL_OUT("Could not start a server: $stderr"); -+} -+ok($server, 'Server started'); -+ -+my $client = IO::Socket::SSL->new( -+ PeerHost => 'localhost', -+ PeerPort => $port, -+ SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER, -+ SSL_verifycn_scheme => 'www', -+ SSL_verifycn_name => 'www.server.local', -+ SSL_ca_file => $ca_cert, -+ SSL_key_file => 'certs/client-key.pem', -+ SSL_cert_file => 'certs/client-cert.pem' -+); -+ok($client, 'Client connected'); -+ -+SKIP: { -+ skip "Connection failed: errno=$!, SSL errror=$IO::Socket::SSL::SSL_ERROR", 2 -+ unless $client; -+ $client->blocking(0); -+ -+ SKIP: { -+ # Ask openssl s_server for PHA request and wait for the result. -+ $input .= "c\n"; -+ while ($server->pumpable && -+ $stderr !~ /SSL_verify_client_post_handshake/ && -+ $stdout !~ /SSL_do_handshake -> 1/ -+ ) { -+ # Push the PHA command to the server and read outputs. -+ $server->pump; -+ -+ # Client also must perform I/O to process the PHA request. -+ my $select = IO::Select->new($client); -+ while ($select->can_read(1)) { # 1 second time-out because of -+ # blocking IPC::Run -+ my $retval = $client->read(my $buf, 1); -+ if (defined $buf and $buf eq 'c') { -+ skip 'openssl tool does not support PHA command', 1; -+ } -+ } -+ } -+ ok($stdout =~ /SSL_do_handshake -> 1/, 'Client performed PHA'); -+ } -+ -+ ok($client->close, 'Client disconnected'); -+} -+ -+eval { -+ $server->kill_kill; -+}; -+ok(!$@, 'Server terminated'); -+ --- -2.17.2 - diff --git a/IO-Socket-SSL-2.066-Test-client-performs-Post-Handshake-Authentication.patch b/IO-Socket-SSL-2.066-Test-client-performs-Post-Handshake-Authentication.patch new file mode 100644 index 0000000..95f8ec0 --- /dev/null +++ b/IO-Socket-SSL-2.066-Test-client-performs-Post-Handshake-Authentication.patch @@ -0,0 +1,130 @@ +From 6b05dc28e94e90ab4852c9977d7fbe66fec6cd48 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Fri, 8 Feb 2019 14:50:32 +0100 +Subject: [PATCH] Test client performs Post-Handshake-Authentication +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This test uses openssl tool because PHA is not yet supported by +IO::Socket::SSL's server implementation. The openssl tool uses a fixed +port. So the test can fail. + +Signed-off-by: Petr Písař +--- + MANIFEST | 1 + + t/pha_client.t | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 91 insertions(+) + create mode 100755 t/pha_client.t + +diff --git a/MANIFEST b/MANIFEST +index 20cddb6..2b8328d 100644 +--- a/MANIFEST ++++ b/MANIFEST +@@ -57,6 +57,7 @@ t/mitm.t + t/multiple-cert-rsa-ecc.t + t/nonblock.t + t/npn.t ++t/pha_client.t + t/plain_upgrade_downgrade.t + t/protocol_version.t + t/public_suffix_lib_encode_idn.t +diff --git a/t/pha_client.t b/t/pha_client.t +new file mode 100755 +index 0000000..2413588 +--- /dev/null ++++ b/t/pha_client.t +@@ -0,0 +1,90 @@ ++#!/usr/bin/perl ++use strict; ++use warnings; ++use Test::More; ++use IPC::Run (); ++use IO::Socket::SSL (); ++use Net::SSLeay (); ++use IO::Select (); ++ ++if (system('openssl', 'version')) { ++ plan skip_all => 'openssl tool is not available'; ++} elsif (!defined &Net::SSLeay::CTX_set_post_handshake_auth) { ++ plan skip_all => 'Net::SSLeay does not expose PHA'; ++} else { ++ plan tests => 5; ++} ++ ++my $port = 2000; ++my $ca_cert = 'certs/test-ca.pem'; ++ ++diag 'Starting a server'; ++my ($server, $input, $stdout, $stderr); ++eval { ++ $server = IPC::Run::start(['openssl', 's_server', '-port', $port, ++ '-Verify', '1', ++ '-cert', 'certs/server-wildcard.pem', ++ '-key', 'certs/server-wildcard.pem', '-CAfile', $ca_cert], ++ \$input, \$stdout, \$stderr); ++ # subsequent \undef does not work ++ # ++}; ++if (!$server or $@) { ++ BAIL_OUT("Could not start a server: $@"); ++} ++# openssl s_server does not return a non-zero exit code in case of bind(2) failure. ++while ($server->pumpable && $stdout !~ /\nACCEPT\n/) { $server->pump; } ++if ($stderr =~ /unable to bind socket/) { ++ $server->kill_kill; ++ BAIL_OUT("Could not start a server: $stderr"); ++} ++ok($server, 'Server started'); ++ ++my $client = IO::Socket::SSL->new( ++ PeerHost => 'localhost', ++ PeerPort => $port, ++ SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER, ++ SSL_verifycn_scheme => 'www', ++ SSL_verifycn_name => 'www.server.local', ++ SSL_ca_file => $ca_cert, ++ SSL_key_file => 'certs/client-key.pem', ++ SSL_cert_file => 'certs/client-cert.pem' ++); ++ok($client, 'Client connected'); ++ ++SKIP: { ++ skip "Connection failed: errno=$!, SSL errror=$IO::Socket::SSL::SSL_ERROR", 2 ++ unless $client; ++ $client->blocking(0); ++ ++ SKIP: { ++ # Ask openssl s_server for PHA request and wait for the result. ++ $input .= "c\n"; ++ while ($server->pumpable && ++ $stderr !~ /SSL_verify_client_post_handshake/ && ++ $stdout !~ /SSL_do_handshake -> 1/ ++ ) { ++ # Push the PHA command to the server and read outputs. ++ $server->pump; ++ ++ # Client also must perform I/O to process the PHA request. ++ my $select = IO::Select->new($client); ++ while ($select->can_read(1)) { # 1 second time-out because of ++ # blocking IPC::Run ++ my $retval = $client->read(my $buf, 1); ++ if (defined $buf and $buf eq 'c') { ++ skip 'openssl tool does not support PHA command', 1; ++ } ++ } ++ } ++ ok($stdout =~ /SSL_do_handshake -> 1/, 'Client performed PHA'); ++ } ++ ++ ok($client->close, 'Client disconnected'); ++} ++ ++eval { ++ $server->kill_kill; ++}; ++ok(!$@, 'Server terminated'); ++ +-- +2.20.1 + diff --git a/perl-IO-Socket-SSL.spec b/perl-IO-Socket-SSL.spec index 37890d1..feaed8a 100644 --- a/perl-IO-Socket-SSL.spec +++ b/perl-IO-Socket-SSL.spec @@ -1,6 +1,6 @@ Name: perl-IO-Socket-SSL Version: 2.066 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Perl library for transparent SSL License: GPL+ or Artistic URL: https://metacpan.org/release/IO-Socket-SSL @@ -9,7 +9,7 @@ Patch0: IO-Socket-SSL-2.066-use-system-default-cipher-list.patch Patch1: IO-Socket-SSL-2.066-use-system-default-SSL-version.patch # A test for Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch, # bug #1632660, requires openssl tool -Patch4: IO-Socket-SSL-2.063-Test-client-performs-Post-Handshake-Authentication.patch +Patch2: IO-Socket-SSL-2.066-Test-client-performs-Post-Handshake-Authentication.patch BuildArch: noarch # Module Build BuildRequires: coreutils @@ -93,8 +93,8 @@ mod_perl. # Use system-default SSL version too %patch1 -# Add test for PHA -%patch4 -p1 +# Add a test for PHA +%patch2 -p1 %build NO_NETWORK_TESTING=1 perl Makefile.PL INSTALLDIRS=vendor @@ -121,6 +121,9 @@ make test %{_mandir}/man3/IO::Socket::SSL::Utils.3* %changelog +* Mon Jun 17 2019 Petr Pisar - 2.066-3 +- Skip a PHA test if Net::SSLeay does not expose the PHA (bug #1632660) + * Fri May 31 2019 Jitka Plesnikova - 2.066-2 - Perl 5.30 rebuild