diff --git a/IO-Socket-SSL-2.060-Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch b/IO-Socket-SSL-2.060-Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch
new file mode 100644
index 0000000..f2dfcc9
--- /dev/null
+++ b/IO-Socket-SSL-2.060-Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch
@@ -0,0 +1,55 @@
+From 270badae7595332807d71b946446a70137369bf0 Mon Sep 17 00:00:00 2001
+From: Joe Orton
+Date: Sat, 26 Jan 2019 11:16:08 +0100
+Subject: [PATCH] Enable Post-Handshake-Authentication (TLSv1.3 feature)
+ client-side iff available.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Petr Písař
+---
+ lib/IO/Socket/SSL.pm | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
+index f35211b..0a0eef6 100644
+--- a/lib/IO/Socket/SSL.pm
++++ b/lib/IO/Socket/SSL.pm
+@@ -67,6 +67,7 @@ my $can_ecdh; # do we support ECDH key exchange
+ my $can_ocsp; # do we support OCSP
+ my $can_ocsp_staple; # do we support OCSP stapling
+ my $can_tckt_keycb; # TLS ticket key callback
++my $can_pha; # do we support PHA
+ BEGIN {
+ $can_client_sni = Net::SSLeay::OPENSSL_VERSION_NUMBER() >= 0x01000000;
+ $can_server_sni = defined &Net::SSLeay::get_servername;
+@@ -87,6 +88,7 @@ BEGIN {
+ && defined &Net::SSLeay::set_tlsext_status_type;
+ $can_tckt_keycb = defined &Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb
+ && $Net::SSLeay::VERSION >= 1.80;
++ $can_pha = defined &Net::SSLeay::CTX_set_post_handshake_auth;
+ }
+
+ my $algo2digest = do {
+@@ -2018,6 +2020,7 @@ sub can_ecdh { return $can_ecdh }
+ sub can_ipv6 { return CAN_IPV6 }
+ sub can_ocsp { return $can_ocsp }
+ sub can_ticket_keycb { return $can_tckt_keycb }
++sub can_pha { return $can_pha }
+
+ sub DESTROY {
+ my $self = shift or return;
+@@ -2602,6 +2605,9 @@ sub new {
+ "Failed to load key from file (no PEM or DER)");
+ }
+
++ Net::SSLeay::CTX_set_post_handshake_auth($ctx,1)
++ if (!$is_server && $can_pha && $havecert && $havekey);
++
+ # replace arg_hash with created context
+ $ctx{$host} = $ctx;
+ }
+-- 
+2.17.2
+
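Review bot: The added guard `if (!$is_server && $can_pha && $havecert && $havekey)` switches on post-handshake authentication for every client context that carries a certificate and key, nothing in the hunk lets a caller keep it off, and the new public `can_pha` accessor gets no POD entry (all six inserted lines are code). With PHA advertised, a TLS 1.3 server can request the client certificate at any later point and, as far as OpenSSL's client handling goes, the library answers from inside a subsequent read or write without the application seeing it, so an opt-out such as `SSL_pha => 0` in the argument hash the following comment refers to would be prudent: `if (!$is_server && $can_pha && $havecert && $havekey && (!exists $arg_hash->{SSL_pha} || $arg_hash->{SSL_pha}));` — the exact hash variable name must be checked against `new`, which starts and ends outside this hunk. Next to the `can_ecdh`/`can_ocsp` entries, document `can_pha` as "true if Net::SSLeay exposes CTX_set_post_handshake_auth (OpenSSL 1.1.1 or later)", and note under SSL_cert_file/SSL_key_file that configuring a client certificate now also enables PHA on TLS 1.3 connections. The subject's "iff available" does not match the guard: PHA is enabled only when a certificate and key are also configured, not merely when the feature is available.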
diff --git a/IO-Socket-SSL-2.060-Test-client-performs-Post-Handshake-Authentication.patch b/IO-Socket-SSL-2.060-Test-client-performs-Post-Handshake-Authentication.patch
new file mode 100644
index 0000000..83191e7
--- /dev/null
+++ b/IO-Socket-SSL-2.060-Test-client-performs-Post-Handshake-Authentication.patch
@@ -0,0 +1,127 @@
+From 921d3a471156896a0d139e82a50d07441992c811 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
+Date: Fri, 8 Feb 2019 14:50:32 +0100
+Subject: [PATCH] Test client performs Post-Handshake-Authentication
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This test uses openssl tool because PHA is not yet supported by
+IO::Socket::SSL's server implementation. The openssl tool uses a fixed
+port. So the test can fail.
+
+Signed-off-by: Petr Písař
+---
+ MANIFEST | 1 +
+ t/pha_client.t | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 88 insertions(+)
+ create mode 100755 t/pha_client.t
+
+diff --git a/MANIFEST b/MANIFEST
+index 5c2b87c..e46f919 100644
+--- a/MANIFEST
++++ b/MANIFEST
+@@ -52,6 +52,7 @@ t/memleak_bad_handshake.t
+ t/mitm.t
+ t/nonblock.t
+ t/npn.t
++t/pha_client.t
+ t/plain_upgrade_downgrade.t
+ t/protocol_version.t
+ t/public_suffix_lib.pl
+diff --git a/t/pha_client.t b/t/pha_client.t
+new file mode 100755
+index 0000000..6699443
+--- /dev/null
++++ b/t/pha_client.t
+@@ -0,0 +1,87 @@
++#!/usr/bin/perl
++use strict;
++use warnings;
++use Test::More;
++use IPC::Run ();
++use IO::Socket::SSL ();
++use IO::Select ();
++
++if (!system('openssl', 'version')) {
++ plan tests => 5;
++} else {
++ plan skip_all => 'openssl tool is not available';
++}
++
++my $port = 2000;
++my $ca_cert = 'certs/test-ca.pem';
++
++diag 'Starting a server';
++my ($server, $input, $stdout, $stderr);
++eval {
++ $server = IPC::Run::start(['openssl', 's_server', '-port', $port,
++ '-Verify', '1',
++ '-cert', 'certs/server-wildcard.pem',
++ '-key', 'certs/server-wildcard.pem', '-CAfile', $ca_cert],
++ \$input, \$stdout, \$stderr);
++ # subsequent \undef does not work
++ #
++};
++if (!$server or $@) {
++ BAIL_OUT("Could not start a server: $@");
++}
++# openssl s_server does not return a non-zero exit code in case of bind(2) failure.
++while ($server->pumpable && $stdout !~ /\nACCEPT\n/) { $server->pump; }
++if ($stderr =~ /unable to bind socket/) {
++ $server->kill_kill;
++ BAIL_OUT("Could not start a server: $stderr");
++}
++ok($server, 'Server started');
++
++my $client = IO::Socket::SSL->new(
++ PeerHost => 'localhost',
++ PeerPort => $port,
++ SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER,
++ SSL_verifycn_scheme => 'www',
++ SSL_verifycn_name => 'www.server.local',
++ SSL_ca_file => $ca_cert,
++ SSL_key_file => 'certs/client-key.pem',
++ SSL_cert_file => 'certs/client-cert.pem'
++);
++ok($client, 'Client connected');
++
++SKIP: {
++ skip "Connection failed: errno=$!, SSL errror=$IO::Socket::SSL::SSL_ERROR", 2
++ unless $client;
++ $client->blocking(0);
++
++ SKIP: {
++ # Ask openssl s_server for PHA request and wait for the result.
++ $input .= "c\n";
++ while ($server->pumpable &&
++ $stderr !~ /SSL_verify_client_post_handshake/ &&
++ $stdout !~ /SSL_do_handshake -> 1/
++ ) {
++ # Push the PHA command to the server and read outputs.
++ $server->pump;
++
++ # Client also must perform I/O to process the PHA request.
++ my $select = IO::Select->new($client);
++ while ($select->can_read(1)) { # 1 second time-out because of
++ # blocking IPC::Run
++ my $retval = $client->read(my $buf, 1);
++ if (defined $buf and $buf eq 'c') {
++ skip 'openssl tool does not support PHA command', 1;
++ }
++ }
++ }
++ ok($stdout =~ /SSL_do_handshake -> 1/, 'Client performed PHA');
++ }
++
++ ok($client->close, 'Client disconnected');
++}
++
++eval {
++ $server->kill_kill;
++};
++ok(!$@, 'Server terminated');
++
+-- 
+2.17.2
+
diff --git a/perl-IO-Socket-SSL.spec b/perl-IO-Socket-SSL.spec
index 81ce201..00ff614 100644
--- a/perl-IO-Socket-SSL.spec
+++ b/perl-IO-Socket-SSL.spec
@@ -1,6 +1,6 @@
 Name: perl-IO-Socket-SSL
 Version: 2.060
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Perl library for transparent SSL
 License: GPL+ or Artistic
 URL: https://metacpan.org/release/IO-Socket-SSL
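Review bot: The `openssl s_server` fixture in t/pha_client.t is started with `'-port', $port` and no bind address, so a client-authenticating test server listens on every interface for the duration of the test, and it does so on the fixed port 2000 that the commit message itself admits can collide. Binding to loopback with `-accept "127.0.0.1:$port"` (the host:port form accepted by the 1.1.x `s_server`, which the PHA feature needs anyway) keeps the fixture off the network, and probing an ephemeral port before starting it removes the fixed-port failure mode at the cost of a small close-then-bind race that is acceptable for a test. The client should then connect to `PeerHost => '127.0.0.1'` as well, since `localhost` may resolve to ::1 while the server is bound to IPv4 only. IO::Socket::INET is normally already loaded through IO::Socket::SSL; if not, add `use IO::Socket::INET ();` beside the other imports. Separately, the `while ($server->pumpable && $stdout !~ /\nACCEPT\n/)` loop has no timeout and will hang the build if s_server never prints `ACCEPT`; passing `IPC::Run::timeout(30)` to `start` and wrapping the pumps in `eval` is a cheap safeguard.
```perl
# … unchanged: strictures, imports and the plan/skip_all check …
# Pick a free loopback port instead of a fixed one (tiny close-then-bind race, fine for a test).
my $probe = IO::Socket::INET->new(Listen => 1, LocalAddr => '127.0.0.1', LocalPort => 0)
    or BAIL_OUT("Could not find a free port: $!");
my $port = $probe->sockport;
close $probe;
my $ca_cert = 'certs/test-ca.pem';
# … unchanged: diag and variable declarations …
    $server = IPC::Run::start(['openssl', 's_server', '-accept', "127.0.0.1:$port",
# … unchanged: remaining s_server arguments, bind-failure check, ok('Server started') …
    PeerHost => '127.0.0.1',
# … unchanged: remaining client options and the rest of the test …
```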
@@ -10,6 +10,13 @@ Patch1: IO-Socket-SSL-2.060-use-system-default-SSL-version.patch # Prevent tests from dying on SIGPIPE, CPAN RT#126899, # in upstream after 2.060 Patch2: IO-Socket-SSL-2.060-make-all-tests-which-use-fork-also-ignore-signal-PIP.patch +# Client sends a post-handshake-authentication extension if a client key and +# a certificate are available, bug #1632660, +# +Patch3: IO-Socket-SSL-2.060-Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch +# A test for Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch, +# bug #1632660, requires openssl tool +Patch4: IO-Socket-SSL-2.060-Test-client-performs-Post-Handshake-Authentication.patch BuildArch: noarch # Module Build BuildRequires: coreutils @@ -36,11 +43,15 @@ BuildRequires: perl(strict) BuildRequires: perl(vars) BuildRequires: perl(warnings) # Test Suite +# openssl for Test-client-performs-Post-Handshake-Authentication.patch +BuildRequires: openssl BuildRequires: perl(Data::Dumper) BuildRequires: perl(File::Temp) BuildRequires: perl(FindBin) BuildRequires: perl(IO::Select) BuildRequires: perl(IO::Socket::INET) +# IPC::Run for Test-client-performs-Post-Handshake-Authentication.patch +BuildRequires: perl(IPC::Run) BuildRequires: perl(Test::More) >= 0.88 BuildRequires: perl(utf8) BuildRequires: procps @@ -92,6 +103,10 @@ mod_perl. # Prevent tests from dying on SIGPIPE (CPAN RT#126899) %patch2 -p1 +# Enable PHA on a client side +%patch3 -p1 +%patch4 -p1 + %build NO_NETWORK_TESTING=1 perl Makefile.PL INSTALLDIRS=vendor make %{?_smp_mflags} @@ -117,6 +132,10 @@ make test %{_mandir}/man3/IO::Socket::SSL::Utils.3* %changelog +* Thu Feb 07 2019 Petr Pisar - 2.060-4 +- Client sends a post-handshake-authentication extension if a client key and + a certificate are available (bug #1632660) + * Fri Feb 01 2019 Fedora Release Engineering - 2.060-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild