Client sends a post-handshake-authentication extension if a client key and a certificate are available
This commit is contained in:
parent
0d52c79ea1
commit
d0ff533e0b
@ -0,0 +1,55 @@
|
||||
From 270badae7595332807d71b946446a70137369bf0 Mon Sep 17 00:00:00 2001
|
||||
From: Joe Orton <jorton@redhat.com>
|
||||
Date: Sat, 26 Jan 2019 11:16:08 +0100
|
||||
Subject: [PATCH] Enable Post-Handshake-Authentication (TLSv1.3 feature)
|
||||
client-side iff available.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
---
|
||||
lib/IO/Socket/SSL.pm | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
|
||||
index f35211b..0a0eef6 100644
|
||||
--- a/lib/IO/Socket/SSL.pm
|
||||
+++ b/lib/IO/Socket/SSL.pm
|
||||
@@ -67,6 +67,7 @@ my $can_ecdh; # do we support ECDH key exchange
|
||||
my $can_ocsp; # do we support OCSP
|
||||
my $can_ocsp_staple; # do we support OCSP stapling
|
||||
my $can_tckt_keycb; # TLS ticket key callback
|
||||
+my $can_pha; # do we support PHA
|
||||
BEGIN {
|
||||
$can_client_sni = Net::SSLeay::OPENSSL_VERSION_NUMBER() >= 0x01000000;
|
||||
$can_server_sni = defined &Net::SSLeay::get_servername;
|
||||
@@ -87,6 +88,7 @@ BEGIN {
|
||||
&& defined &Net::SSLeay::set_tlsext_status_type;
|
||||
$can_tckt_keycb = defined &Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb
|
||||
&& $Net::SSLeay::VERSION >= 1.80;
|
||||
+ $can_pha = defined &Net::SSLeay::CTX_set_post_handshake_auth;
|
||||
}
|
||||
|
||||
my $algo2digest = do {
|
||||
@@ -2018,6 +2020,7 @@ sub can_ecdh { return $can_ecdh }
|
||||
sub can_ipv6 { return CAN_IPV6 }
|
||||
sub can_ocsp { return $can_ocsp }
|
||||
sub can_ticket_keycb { return $can_tckt_keycb }
|
||||
+sub can_pha { return $can_pha }
|
||||
|
||||
sub DESTROY {
|
||||
my $self = shift or return;
|
||||
@@ -2602,6 +2605,9 @@ sub new {
|
||||
"Failed to load key from file (no PEM or DER)");
|
||||
}
|
||||
|
||||
+ Net::SSLeay::CTX_set_post_handshake_auth($ctx,1)
|
||||
+ if (!$is_server && $can_pha && $havecert && $havekey);
|
||||
+
|
||||
# replace arg_hash with created context
|
||||
$ctx{$host} = $ctx;
|
||||
}
|
||||
--
|
||||
2.17.2
|
||||
|
@ -0,0 +1,127 @@
|
||||
From 921d3a471156896a0d139e82a50d07441992c811 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Fri, 8 Feb 2019 14:50:32 +0100
|
||||
Subject: [PATCH] Test client performs Post-Handshake-Authentication
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This test uses openssl tool because PHA is not yet supported by
|
||||
IO::Socket::SSL's server implementation. The openssl tool uses a fixed
|
||||
port. So the test can fail.
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
---
|
||||
MANIFEST | 1 +
|
||||
t/pha_client.t | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 88 insertions(+)
|
||||
create mode 100755 t/pha_client.t
|
||||
|
||||
diff --git a/MANIFEST b/MANIFEST
|
||||
index 5c2b87c..e46f919 100644
|
||||
--- a/MANIFEST
|
||||
+++ b/MANIFEST
|
||||
@@ -52,6 +52,7 @@ t/memleak_bad_handshake.t
|
||||
t/mitm.t
|
||||
t/nonblock.t
|
||||
t/npn.t
|
||||
+t/pha_client.t
|
||||
t/plain_upgrade_downgrade.t
|
||||
t/protocol_version.t
|
||||
t/public_suffix_lib.pl
|
||||
diff --git a/t/pha_client.t b/t/pha_client.t
|
||||
new file mode 100755
|
||||
index 0000000..6699443
|
||||
--- /dev/null
|
||||
+++ b/t/pha_client.t
|
||||
@@ -0,0 +1,87 @@
|
||||
+#!/usr/bin/perl
|
||||
+use strict;
|
||||
+use warnings;
|
||||
+use Test::More;
|
||||
+use IPC::Run ();
|
||||
+use IO::Socket::SSL ();
|
||||
+use IO::Select ();
|
||||
+
|
||||
+if (!system('openssl', 'version')) {
|
||||
+ plan tests => 5;
|
||||
+} else {
|
||||
+ plan skip_all => 'openssl tool is not available';
|
||||
+}
|
||||
+
|
||||
+my $port = 2000;
|
||||
+my $ca_cert = 'certs/test-ca.pem';
|
||||
+
|
||||
+diag 'Starting a server';
|
||||
+my ($server, $input, $stdout, $stderr);
|
||||
+eval {
|
||||
+ $server = IPC::Run::start(['openssl', 's_server', '-port', $port,
|
||||
+ '-Verify', '1',
|
||||
+ '-cert', 'certs/server-wildcard.pem',
|
||||
+ '-key', 'certs/server-wildcard.pem', '-CAfile', $ca_cert],
|
||||
+ \$input, \$stdout, \$stderr);
|
||||
+ # subsequent \undef does not work
|
||||
+ # <https://github.com/toddr/IPC-Run/issues/124>
|
||||
+};
|
||||
+if (!$server or $@) {
|
||||
+ BAIL_OUT("Could not start a server: $@");
|
||||
+}
|
||||
+# openssl s_server does not return a non-zero exit code in case of bind(2) failure.
|
||||
+while ($server->pumpable && $stdout !~ /\nACCEPT\n/) { $server->pump; }
|
||||
+if ($stderr =~ /unable to bind socket/) {
|
||||
+ $server->kill_kill;
|
||||
+ BAIL_OUT("Could not start a server: $stderr");
|
||||
+}
|
||||
+ok($server, 'Server started');
|
||||
+
|
||||
+my $client = IO::Socket::SSL->new(
|
||||
+ PeerHost => 'localhost',
|
||||
+ PeerPort => $port,
|
||||
+ SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER,
|
||||
+ SSL_verifycn_scheme => 'www',
|
||||
+ SSL_verifycn_name => 'www.server.local',
|
||||
+ SSL_ca_file => $ca_cert,
|
||||
+ SSL_key_file => 'certs/client-key.pem',
|
||||
+ SSL_cert_file => 'certs/client-cert.pem'
|
||||
+);
|
||||
+ok($client, 'Client connected');
|
||||
+
|
||||
+SKIP: {
|
||||
+ skip "Connection failed: errno=$!, SSL errror=$IO::Socket::SSL::SSL_ERROR", 2
|
||||
+ unless $client;
|
||||
+ $client->blocking(0);
|
||||
+
|
||||
+ SKIP: {
|
||||
+ # Ask openssl s_server for PHA request and wait for the result.
|
||||
+ $input .= "c\n";
|
||||
+ while ($server->pumpable &&
|
||||
+ $stderr !~ /SSL_verify_client_post_handshake/ &&
|
||||
+ $stdout !~ /SSL_do_handshake -> 1/
|
||||
+ ) {
|
||||
+ # Push the PHA command to the server and read outputs.
|
||||
+ $server->pump;
|
||||
+
|
||||
+ # Client also must perform I/O to process the PHA request.
|
||||
+ my $select = IO::Select->new($client);
|
||||
+ while ($select->can_read(1)) { # 1 second time-out because of
|
||||
+ # blocking IPC::Run
|
||||
+ my $retval = $client->read(my $buf, 1);
|
||||
+ if (defined $buf and $buf eq 'c') {
|
||||
+ skip 'openssl tool does not support PHA command', 1;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ ok($stdout =~ /SSL_do_handshake -> 1/, 'Client performed PHA');
|
||||
+ }
|
||||
+
|
||||
+ ok($client->close, 'Client disconnected');
|
||||
+}
|
||||
+
|
||||
+eval {
|
||||
+ $server->kill_kill;
|
||||
+};
|
||||
+ok(!$@, 'Server terminated');
|
||||
+
|
||||
--
|
||||
2.17.2
|
||||
|
@ -1,6 +1,6 @@
|
||||
Name: perl-IO-Socket-SSL
|
||||
Version: 2.060
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Summary: Perl library for transparent SSL
|
||||
License: GPL+ or Artistic
|
||||
URL: https://metacpan.org/release/IO-Socket-SSL
|
||||
@ -10,6 +10,13 @@ Patch1: IO-Socket-SSL-2.060-use-system-default-SSL-version.patch
|
||||
# Prevent tests from dying on SIGPIPE, CPAN RT#126899,
|
||||
# in upstream after 2.060
|
||||
Patch2: IO-Socket-SSL-2.060-make-all-tests-which-use-fork-also-ignore-signal-PIP.patch
|
||||
# Client sends a post-handshake-authentication extension if a client key and
|
||||
# a certificate are available, bug #1632660,
|
||||
# <https://github.com/noxxi/p5-io-socket-ssl/pull/80>
|
||||
Patch3: IO-Socket-SSL-2.060-Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch
|
||||
# A test for Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch,
|
||||
# bug #1632660, requires openssl tool
|
||||
Patch4: IO-Socket-SSL-2.060-Test-client-performs-Post-Handshake-Authentication.patch
|
||||
BuildArch: noarch
|
||||
# Module Build
|
||||
BuildRequires: coreutils
|
||||
@ -36,11 +43,15 @@ BuildRequires: perl(strict)
|
||||
BuildRequires: perl(vars)
|
||||
BuildRequires: perl(warnings)
|
||||
# Test Suite
|
||||
# openssl for Test-client-performs-Post-Handshake-Authentication.patch
|
||||
BuildRequires: openssl
|
||||
BuildRequires: perl(Data::Dumper)
|
||||
BuildRequires: perl(File::Temp)
|
||||
BuildRequires: perl(FindBin)
|
||||
BuildRequires: perl(IO::Select)
|
||||
BuildRequires: perl(IO::Socket::INET)
|
||||
# IPC::Run for Test-client-performs-Post-Handshake-Authentication.patch
|
||||
BuildRequires: perl(IPC::Run)
|
||||
BuildRequires: perl(Test::More) >= 0.88
|
||||
BuildRequires: perl(utf8)
|
||||
BuildRequires: procps
|
||||
@ -92,6 +103,10 @@ mod_perl.
|
||||
# Prevent tests from dying on SIGPIPE (CPAN RT#126899)
|
||||
%patch2 -p1
|
||||
|
||||
# Enable PHA on a client side
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
|
||||
%build
|
||||
NO_NETWORK_TESTING=1 perl Makefile.PL INSTALLDIRS=vendor
|
||||
make %{?_smp_mflags}
|
||||
@ -117,6 +132,10 @@ make test
|
||||
%{_mandir}/man3/IO::Socket::SSL::Utils.3*
|
||||
|
||||
%changelog
|
||||
* Thu Feb 07 2019 Petr Pisar <ppisar@redhat.com> - 2.060-4
|
||||
- Client sends a post-handshake-authentication extension if a client key and
|
||||
a certificate are available (bug #1632660)
|
||||
|
||||
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.060-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user