Client sends a post-handshake-authentication extension if a client key and a certificate are available

IO-Socket-SSL-2.060-Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch

@@ -0,0 +1,55 @@
+From 270badae7595332807d71b946446a70137369bf0 Mon Sep 17 00:00:00 2001
+From: Joe Orton <jorton@redhat.com>
+Date: Sat, 26 Jan 2019 11:16:08 +0100
+Subject: [PATCH] Enable Post-Handshake-Authentication (TLSv1.3 feature)
+ client-side iff available.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ lib/IO/Socket/SSL.pm | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
+index f35211b..0a0eef6 100644
+--- a/lib/IO/Socket/SSL.pm
++++ b/lib/IO/Socket/SSL.pm
+@@ -67,6 +67,7 @@ my $can_ecdh;        # do we support ECDH key exchange
+ my $can_ocsp;        # do we support OCSP
+ my $can_ocsp_staple; # do we support OCSP stapling
+ my $can_tckt_keycb;  # TLS ticket key callback
++my $can_pha;         # do we support PHA
+ BEGIN {
+     $can_client_sni = Net::SSLeay::OPENSSL_VERSION_NUMBER() >= 0x01000000;
+     $can_server_sni = defined &Net::SSLeay::get_servername;
+@@ -87,6 +88,7 @@ BEGIN {
+ 	&& defined &Net::SSLeay::set_tlsext_status_type;
+     $can_tckt_keycb  = defined &Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb
+ 	&& $Net::SSLeay::VERSION >= 1.80;  
++    $can_pha         = defined &Net::SSLeay::CTX_set_post_handshake_auth;
+ }
+ 
+ my $algo2digest = do {
+@@ -2018,6 +2020,7 @@ sub can_ecdh       { return $can_ecdh }
+ sub can_ipv6       { return CAN_IPV6 }
+ sub can_ocsp       { return $can_ocsp }
+ sub can_ticket_keycb { return $can_tckt_keycb }
++sub can_pha        { return $can_pha }
+ 
+ sub DESTROY {
+     my $self = shift or return;
+@@ -2602,6 +2605,9 @@ sub new {
+ 		"Failed to load key from file (no PEM or DER)");
+ 	}
+ 
++        Net::SSLeay::CTX_set_post_handshake_auth($ctx,1)
++            if (!$is_server && $can_pha && $havecert && $havekey);
++
+ 	# replace arg_hash with created context
+ 	$ctx{$host} = $ctx;
+     }
+-- 
+2.17.2
+

IO-Socket-SSL-2.060-Test-client-performs-Post-Handshake-Authentication.patch

@@ -0,0 +1,127 @@
+From 921d3a471156896a0d139e82a50d07441992c811 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 8 Feb 2019 14:50:32 +0100
+Subject: [PATCH] Test client performs Post-Handshake-Authentication
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This test uses openssl tool because PHA is not yet supported by
+IO::Socket::SSL's server implementation. The openssl tool uses a fixed
+port. So the test can fail.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ MANIFEST       |  1 +
+ t/pha_client.t | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 88 insertions(+)
+ create mode 100755 t/pha_client.t
+
+diff --git a/MANIFEST b/MANIFEST
+index 5c2b87c..e46f919 100644
+--- a/MANIFEST
++++ b/MANIFEST
+@@ -52,6 +52,7 @@ t/memleak_bad_handshake.t
+ t/mitm.t
+ t/nonblock.t
+ t/npn.t
++t/pha_client.t
+ t/plain_upgrade_downgrade.t
+ t/protocol_version.t
+ t/public_suffix_lib.pl
+diff --git a/t/pha_client.t b/t/pha_client.t
+new file mode 100755
+index 0000000..6699443
+--- /dev/null
++++ b/t/pha_client.t
+@@ -0,0 +1,87 @@
++#!/usr/bin/perl
++use strict;
++use warnings;
++use Test::More;
++use IPC::Run ();
++use IO::Socket::SSL ();
++use IO::Select ();
++
++if (!system('openssl', 'version')) {
++    plan tests => 5;
++} else {
++    plan skip_all => 'openssl tool is not available';
++}
++
++my $port = 2000;
++my $ca_cert = 'certs/test-ca.pem';
++
++diag 'Starting a server';
++my ($server, $input, $stdout, $stderr);
++eval {
++    $server = IPC::Run::start(['openssl', 's_server', '-port', $port,
++            '-Verify', '1',
++            '-cert', 'certs/server-wildcard.pem',
++            '-key', 'certs/server-wildcard.pem', '-CAfile', $ca_cert],
++        \$input, \$stdout, \$stderr);
++    # subsequent \undef does not work
++    # <https://github.com/toddr/IPC-Run/issues/124>
++};
++if (!$server or $@) {
++    BAIL_OUT("Could not start a server: $@");
++}
++# openssl s_server does not return a non-zero exit code in case of bind(2) failure.
++while ($server->pumpable && $stdout !~ /\nACCEPT\n/) { $server->pump; }
++if ($stderr =~ /unable to bind socket/) {
++    $server->kill_kill;
++    BAIL_OUT("Could not start a server: $stderr");
++}
++ok($server, 'Server started');
++
++my $client = IO::Socket::SSL->new(
++    PeerHost => 'localhost',
++    PeerPort => $port,
++    SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER,
++    SSL_verifycn_scheme => 'www',
++    SSL_verifycn_name => 'www.server.local',
++    SSL_ca_file => $ca_cert,
++    SSL_key_file => 'certs/client-key.pem',
++    SSL_cert_file => 'certs/client-cert.pem'
++);
++ok($client, 'Client connected');
++
++SKIP: {
++    skip "Connection failed: errno=$!, SSL errror=$IO::Socket::SSL::SSL_ERROR", 2
++        unless $client;
++    $client->blocking(0);
++
++    SKIP: {
++        # Ask openssl s_server for PHA request and wait for the result.
++        $input .= "c\n";
++        while ($server->pumpable &&
++            $stderr !~ /SSL_verify_client_post_handshake/ &&
++            $stdout !~ /SSL_do_handshake -> 1/
++        ) {
++            # Push the PHA command to the server and read outputs.
++            $server->pump;
++
++            # Client also must perform I/O to process the PHA request.
++            my $select = IO::Select->new($client);
++            while ($select->can_read(1)) {  # 1 second time-out because of
++                                            # blocking IPC::Run
++                my $retval = $client->read(my $buf, 1);
++                if (defined $buf and $buf eq 'c') {
++                    skip 'openssl tool does not support PHA command', 1;
++                }
++            }
++        }
++        ok($stdout =~ /SSL_do_handshake -> 1/, 'Client performed PHA');
++    }
++
++    ok($client->close, 'Client disconnected');
++}
++
++eval {
++    $server->kill_kill;
++};
++ok(!$@, 'Server terminated');
++
+-- 
+2.17.2
+

perl-IO-Socket-SSL.spec

@@ -1,6 +1,6 @@
 Name:		perl-IO-Socket-SSL
 Version:	2.060
-Release:	3%{?dist}
+Release:	4%{?dist}
 Summary:	Perl library for transparent SSL
 License:	GPL+ or Artistic
 URL:		https://metacpan.org/release/IO-Socket-SSL
@@ -10,6 +10,13 @@ Patch1:		IO-Socket-SSL-2.060-use-system-default-SSL-version.patch
 # Prevent tests from dying on SIGPIPE, CPAN RT#126899,
 # in upstream after 2.060
 Patch2:		IO-Socket-SSL-2.060-make-all-tests-which-use-fork-also-ignore-signal-PIP.patch
+# Client sends a post-handshake-authentication extension if a client key and
+# a certificate are available, bug #1632660,
+# <https://github.com/noxxi/p5-io-socket-ssl/pull/80>
+Patch3:     IO-Socket-SSL-2.060-Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch
+# A test for Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch,
+# bug #1632660, requires openssl tool
+Patch4:     IO-Socket-SSL-2.060-Test-client-performs-Post-Handshake-Authentication.patch
 BuildArch:	noarch
 # Module Build
 BuildRequires:	coreutils
@@ -36,11 +43,15 @@ BuildRequires:	perl(strict)
 BuildRequires:	perl(vars)
 BuildRequires:	perl(warnings)
 # Test Suite
+# openssl for Test-client-performs-Post-Handshake-Authentication.patch
+BuildRequires:  openssl
 BuildRequires:	perl(Data::Dumper)
 BuildRequires:	perl(File::Temp)
 BuildRequires:	perl(FindBin)
 BuildRequires:	perl(IO::Select)
 BuildRequires:	perl(IO::Socket::INET)
+# IPC::Run for Test-client-performs-Post-Handshake-Authentication.patch
+BuildRequires:  perl(IPC::Run)
 BuildRequires:	perl(Test::More) >= 0.88
 BuildRequires:	perl(utf8)
 BuildRequires:	procps
@@ -92,6 +103,10 @@ mod_perl.
 # Prevent tests from dying on SIGPIPE (CPAN RT#126899)
 %patch2 -p1
 
+# Enable PHA on a client side
+%patch3 -p1
+%patch4 -p1
+
 %build
 NO_NETWORK_TESTING=1 perl Makefile.PL INSTALLDIRS=vendor
 make %{?_smp_mflags}
@@ -117,6 +132,10 @@ make test
 %{_mandir}/man3/IO::Socket::SSL::Utils.3*
 
 %changelog
+* Thu Feb 07 2019 Petr Pisar <ppisar@redhat.com> - 2.060-4
+- Client sends a post-handshake-authentication extension if a client key and
+  a certificate are available (bug #1632660)
+
 * Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.060-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild