rpms/perl-IO-Socket-SSL
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Client sends a post-handshake-authentication extension if a client key and a certificate are available

Browse Source
This commit is contained in:
Petr Písař 2019-02-07 15:15:47 +01:00
parent 0d52c79ea1
commit d0ff533e0b
3 changed files with 202 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
IO-Socket-SSL-2.060-Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch Normal file
View File

@ -0,0 +1,55 @@
From 270badae7595332807d71b946446a70137369bf0 Mon Sep 17 00:00:00 2001
From: Joe Orton <jorton@redhat.com>
Date: Sat, 26 Jan 2019 11:16:08 +0100
Subject: [PATCH] Enable Post-Handshake-Authentication (TLSv1.3 feature)
client-side iff available.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
lib/IO/Socket/SSL.pm | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
index f35211b..0a0eef6 100644
--- a/lib/IO/Socket/SSL.pm
+++ b/lib/IO/Socket/SSL.pm
@@ -67,6 +67,7 @@ my $can_ecdh; # do we support ECDH key exchange
my $can_ocsp; # do we support OCSP
my $can_ocsp_staple; # do we support OCSP stapling
my $can_tckt_keycb; # TLS ticket key callback
+my $can_pha; # do we support PHA
BEGIN {
$can_client_sni = Net::SSLeay::OPENSSL_VERSION_NUMBER() >= 0x01000000;
$can_server_sni = defined &Net::SSLeay::get_servername;
@@ -87,6 +88,7 @@ BEGIN {
&& defined &Net::SSLeay::set_tlsext_status_type;
$can_tckt_keycb = defined &Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb
&& $Net::SSLeay::VERSION >= 1.80;
+ $can_pha = defined &Net::SSLeay::CTX_set_post_handshake_auth;
}
my $algo2digest = do {
@@ -2018,6 +2020,7 @@ sub can_ecdh { return $can_ecdh }
sub can_ipv6 { return CAN_IPV6 }
sub can_ocsp { return $can_ocsp }
sub can_ticket_keycb { return $can_tckt_keycb }
+sub can_pha { return $can_pha }
sub DESTROY {
my $self = shift or return;
@@ -2602,6 +2605,9 @@ sub new {
"Failed to load key from file (no PEM or DER)");
}
+ Net::SSLeay::CTX_set_post_handshake_auth($ctx,1)
+ if (!$is_server && $can_pha && $havecert && $havekey);
+
# replace arg_hash with created context
$ctx{$host} = $ctx;
}
--
2.17.2

127
IO-Socket-SSL-2.060-Test-client-performs-Post-Handshake-Authentication.patch Normal file
View File

@ -0,0 +1,127 @@
From 921d3a471156896a0d139e82a50d07441992c811 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Fri, 8 Feb 2019 14:50:32 +0100
Subject: [PATCH] Test client performs Post-Handshake-Authentication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This test uses openssl tool because PHA is not yet supported by
IO::Socket::SSL's server implementation. The openssl tool uses a fixed
port. So the test can fail.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
MANIFEST | 1 +
t/pha_client.t | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 88 insertions(+)
create mode 100755 t/pha_client.t
diff --git a/MANIFEST b/MANIFEST
index 5c2b87c..e46f919 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -52,6 +52,7 @@ t/memleak_bad_handshake.t
t/mitm.t
t/nonblock.t
t/npn.t
+t/pha_client.t
t/plain_upgrade_downgrade.t
t/protocol_version.t
t/public_suffix_lib.pl
diff --git a/t/pha_client.t b/t/pha_client.t
new file mode 100755
index 0000000..6699443
--- /dev/null
+++ b/t/pha_client.t
@@ -0,0 +1,87 @@
+#!/usr/bin/perl
+use strict;
+use warnings;
+use Test::More;
+use IPC::Run ();
+use IO::Socket::SSL ();
+use IO::Select ();
+
+if (!system('openssl', 'version')) {
+ plan tests => 5;
+} else {
+ plan skip_all => 'openssl tool is not available';
+}
+
+my $port = 2000;
+my $ca_cert = 'certs/test-ca.pem';
+
+diag 'Starting a server';
+my ($server, $input, $stdout, $stderr);
+eval {
+ $server = IPC::Run::start(['openssl', 's_server', '-port', $port,
+ '-Verify', '1',
+ '-cert', 'certs/server-wildcard.pem',
+ '-key', 'certs/server-wildcard.pem', '-CAfile', $ca_cert],
+ \$input, \$stdout, \$stderr);
+ # subsequent \undef does not work
+ # <https://github.com/toddr/IPC-Run/issues/124>
+};
+if (!$server or $@) {
+ BAIL_OUT("Could not start a server: $@");
+}
+# openssl s_server does not return a non-zero exit code in case of bind(2) failure.
+while ($server->pumpable && $stdout !~ /\nACCEPT\n/) { $server->pump; }
+if ($stderr =~ /unable to bind socket/) {
+ $server->kill_kill;
+ BAIL_OUT("Could not start a server: $stderr");
+}
+ok($server, 'Server started');
+
+my $client = IO::Socket::SSL->new(
+ PeerHost => 'localhost',
+ PeerPort => $port,
+ SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER,
+ SSL_verifycn_scheme => 'www',
+ SSL_verifycn_name => 'www.server.local',
+ SSL_ca_file => $ca_cert,
+ SSL_key_file => 'certs/client-key.pem',
+ SSL_cert_file => 'certs/client-cert.pem'
+);
+ok($client, 'Client connected');
+
+SKIP: {
+ skip "Connection failed: errno=$!, SSL errror=$IO::Socket::SSL::SSL_ERROR", 2
+ unless $client;
+ $client->blocking(0);
+
+ SKIP: {
+ # Ask openssl s_server for PHA request and wait for the result.
+ $input .= "c\n";
+ while ($server->pumpable &&
+ $stderr !~ /SSL_verify_client_post_handshake/ &&
+ $stdout !~ /SSL_do_handshake -> 1/
+ ) {
+ # Push the PHA command to the server and read outputs.
+ $server->pump;
+
+ # Client also must perform I/O to process the PHA request.
+ my $select = IO::Select->new($client);
+ while ($select->can_read(1)) { # 1 second time-out because of
+ # blocking IPC::Run
+ my $retval = $client->read(my $buf, 1);
+ if (defined $buf and $buf eq 'c') {
+ skip 'openssl tool does not support PHA command', 1;
+ }
+ }
+ }
+ ok($stdout =~ /SSL_do_handshake -> 1/, 'Client performed PHA');
+ }
+
+ ok($client->close, 'Client disconnected');
+}
+
+eval {
+ $server->kill_kill;
+};
+ok(!$@, 'Server terminated');
+
--
2.17.2

21
perl-IO-Socket-SSL.spec
View File

@ -1,6 +1,6 @@
Name: perl-IO-Socket-SSL
Version: 2.060
Release: 3%{?dist}
Release: 4%{?dist}
Summary: Perl library for transparent SSL
License: GPL+ or Artistic
URL: https://metacpan.org/release/IO-Socket-SSL
@ -10,6 +10,13 @@ Patch1: IO-Socket-SSL-2.060-use-system-default-SSL-version.patch
# Prevent tests from dying on SIGPIPE, CPAN RT#126899,
# in upstream after 2.060
Patch2: IO-Socket-SSL-2.060-make-all-tests-which-use-fork-also-ignore-signal-PIP.patch
# Client sends a post-handshake-authentication extension if a client key and
# a certificate are available, bug #1632660,
# <https://github.com/noxxi/p5-io-socket-ssl/pull/80>
Patch3: IO-Socket-SSL-2.060-Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch
# A test for Enable-Post-Handshake-Authentication-TLSv1.3-feature.patch,
# bug #1632660, requires openssl tool
Patch4: IO-Socket-SSL-2.060-Test-client-performs-Post-Handshake-Authentication.patch
BuildArch: noarch
# Module Build
BuildRequires: coreutils
@ -36,11 +43,15 @@ BuildRequires: perl(strict)
BuildRequires: perl(vars)
BuildRequires: perl(warnings)
# Test Suite
# openssl for Test-client-performs-Post-Handshake-Authentication.patch
BuildRequires: openssl
BuildRequires: perl(Data::Dumper)
BuildRequires: perl(File::Temp)
BuildRequires: perl(FindBin)
BuildRequires: perl(IO::Select)
BuildRequires: perl(IO::Socket::INET)
# IPC::Run for Test-client-performs-Post-Handshake-Authentication.patch
BuildRequires: perl(IPC::Run)
BuildRequires: perl(Test::More) >= 0.88
BuildRequires: perl(utf8)
BuildRequires: procps
@ -92,6 +103,10 @@ mod_perl.
# Prevent tests from dying on SIGPIPE (CPAN RT#126899)
%patch2 -p1
# Enable PHA on a client side
%patch3 -p1
%patch4 -p1
%build
NO_NETWORK_TESTING=1 perl Makefile.PL INSTALLDIRS=vendor
make %{?_smp_mflags}
@ -117,6 +132,10 @@ make test
%{_mandir}/man3/IO::Socket::SSL::Utils.3*
%changelog
* Thu Feb 07 2019 Petr Pisar <ppisar@redhat.com> - 2.060-4
- Client sends a post-handshake-authentication extension if a client key and
a certificate are available (bug #1632660)
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.060-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild