From 9be316eea198f1bf9647692c3386f90325104192 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Thu, 11 Oct 2018 16:06:50 +0200
Subject: [PATCH] enable TLS 1.3 post-handshake auth in OpenSSL
Bug: https://github.com/curl/curl/pull/3027
---
 0003-curl-7.61.1-TLS-1.3-PHA.patch | 46 ++++++++++++++++++++++++++++++
 curl.spec | 5 ++++
 2 files changed, 51 insertions(+)
 create mode 100644 0003-curl-7.61.1-TLS-1.3-PHA.patch
diff --git a/0003-curl-7.61.1-TLS-1.3-PHA.patch b/0003-curl-7.61.1-TLS-1.3-PHA.patch
new file mode 100644
index 0000000..99273ac
--- /dev/null
+++ b/0003-curl-7.61.1-TLS-1.3-PHA.patch
@@ -0,0 +1,46 @@
+From bb8ad3da3fb4ab3f6556daa1f67b259c12a3c7de Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Fri, 21 Sep 2018 10:37:43 +0200
+Subject: [PATCH] OpenSSL: enable TLS 1.3 post-handshake auth
+
+OpenSSL 1.1.1 requires clients to opt-in for post-handshake
+authentication.
+
+Fixes: https://github.com/curl/curl/issues/3026
+Signed-off-by: Christian Heimes
+
+Closes https://github.com/curl/curl/pull/3027
+
+Upstream-commit: b939bc47b27cd57c6ebb852ad653933e4124b452
+Signed-off-by: Kamil Dudka
+---
+ lib/vtls/openssl.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index a487f55..78970d1 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -178,6 +178,7 @@ static unsigned long OpenSSL_version_num(void)
+ !defined(LIBRESSL_VERSION_NUMBER) && \
+ !defined(OPENSSL_IS_BORINGSSL))
+ #define HAVE_SSL_CTX_SET_CIPHERSUITES
++#define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
+ #endif
+
+ #if defined(LIBRESSL_VERSION_NUMBER)
+@@ -2467,6 +2468,11 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+ }
+ #endif
+
++#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
++ /* OpenSSL 1.1.1 requires clients to opt-in for PHA */
++ SSL_CTX_set_post_handshake_auth(BACKEND->ctx, 1);
++#endif
++
+ #ifdef USE_TLS_SRP
+ if(ssl_authtype == CURL_TLSAUTH_SRP) {
+ char * const ssl_username = SSL_SET_OPTION(username);
+--
+2.17.1
+
diff --git a/curl.spec b/curl.spec
index 946836a..d3366ac 100644
--- a/curl.spec
+++ b/curl.spec
@@ -11,6 +11,9 @@ Patch1: 0001-curl-7.61.1-test320-gnutls.patch
 # update the documentation of --tlsv1.0 in curl(1) man page
 Patch2: 0002-curl-7.61.1-tlsv1.0-man.patch
+# enable TLS 1.3 post-handshake auth in OpenSSL
+Patch3: 0003-curl-7.61.1-TLS-1.3-PHA.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -171,6 +174,7 @@ be installed.
 # upstream patches
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 # Fedora patches
 %patch101 -p1
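Review bot: The call `SSL_CTX_set_post_handshake_auth(BACKEND->ctx, 1);` in the embedded openssl.c hunk turns post-handshake authentication on for every OpenSSL 1.1.1+ connection, and the comment above it only says the opt-in is required, not what it changes: the client now advertises the TLS 1.3 post_handshake_auth extension, so a server may send a CertificateRequest after the handshake has completed, which in practice can be after the first request bytes have already left. I would extend the comment to `/* OpenSSL 1.1.1 requires clients to opt-in for PHA: advertise the TLS 1.3 post_handshake_auth extension so a server may ask for the client certificate after the handshake */` so the behavioural change is visible at the call site. The new `HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH` define piggybacks on the version guard that also defines `HAVE_SSL_CTX_SET_CIPHERSUITES`, but the `#if` line that carries the OpenSSL version bound is outside the hunk; a one-line comment noting that `SSL_CTX_set_post_handshake_auth` is only available from OpenSSL 1.1.1 would keep the two from being split apart by a later edit. `ossl_connect_step1` begins and ends outside the hunk, so whether PHA is also gated on a configured client certificate cannot be judged from here.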
@@ -338,6 +342,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %changelog
 * Thu Oct 11 2018 Kamil Dudka - 7.61.1-3
+- enable TLS 1.3 post-handshake auth in OpenSSL
 - update the documentation of --tlsv1.0 in curl(1) man page
 * Thu Oct 04 2018 Kamil Dudka - 7.61.1-2