author | Natanael Copa <ncopa@alpinelinux.org> | 2018-12-17 17:43:56 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2018-12-17 17:43:56 +0000 |
commit | e8785cd30cbfb35a072ddee57a01c458c30e9e80 (patch) | |
tree | 922f112b93e78a39ce1c491ca10e2858252f2674 /main/perl-net-ssleay | |
parent | 1bb10be828a20ae7f1277536b08c7dfa4bcc7fd6 (diff) | |
download | aports-e8785cd30cbfb35a072ddee57a01c458c30e9e80.tar.bz2 aports-e8785cd30cbfb35a072ddee57a01c458c30e9e80.tar.xz |
main/perl-net-ssleay: and another patch from fedora
Diffstat (limited to 'main/perl-net-ssleay')
-rw-r--r-- | main/perl-net-ssleay/APKBUILD | 6 | ||||
-rw-r--r-- | main/perl-net-ssleay/Net-SSLeay-1.85-Expose_SSL_CTX_set_post_handshake_auth.patch | 42 |
2 files changed, 46 insertions, 2 deletions
diff --git a/main/perl-net-ssleay/APKBUILD b/main/perl-net-ssleay/APKBUILD
index 5d65f81b3a..1f738eb277 100644
--- a/main/perl-net-ssleay/APKBUILD
+++ b/main/perl-net-ssleay/APKBUILD
@@ -3,7 +3,7 @@
 pkgname=perl-net-ssleay
 _realname=Net-SSLeay
 pkgver=1.85
-pkgrel=3
+pkgrel=4
 pkgdesc="Perl extension for using OpenSSL"
 url="http://search.cpan.org/dist/Net-SSLeay"
 arch="all"
@@ -16,6 +16,7 @@ source="http://search.cpan.org/CPAN/authors/id/M/MI/MIKEM/Net-SSLeay-$pkgver.tar
 Net-SSLeay-1.85-Adapt-to-OpenSSL-1.1.1.patch
 Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-.patch
 Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-from_write_partial.patch
+ Net-SSLeay-1.85-Expose_SSL_CTX_set_post_handshake_auth.patch
 "
 builddir="$srcdir/$_realname-$pkgver"
 
@@ -41,4 +42,5 @@ package() {
 sha512sums="74e0f2f56b707f1ff845c78c1fa7ce26a71b8f943bb99e994d4e065d1f42259fe4cd1a6a17d333459727534158f9541f116dbc8515122380807d9450b0faa26b Net-SSLeay-1.85.tar.gz
 7abce82d34378c404bdfc1143a58b7f9eb9be197e4a8b5149ef5c0d28da8a8844e5fd9b0f287f1f01b31bbaa7658c1cb0fc22a1674283e1cbcb1a761b35c90bb Net-SSLeay-1.85-Adapt-to-OpenSSL-1.1.1.patch
 776c925cb85df004b95f42b6cf83f8ebc5ab6b9a3048f4b1239bfddc255ad581d6698d43bae5ba0fd86bcbd77bfe36662698443bde8f8fac16e88e94dbc738a2 Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-.patch
-d227dd780caee32e2e4c48d7536b399bf26514b1e081c514f6a2a80194fd9ec13ed264d652c840dcfcd723021b5370deebeabdc86f77e79395329bb80b710c53 Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-from_write_partial.patch"
+d227dd780caee32e2e4c48d7536b399bf26514b1e081c514f6a2a80194fd9ec13ed264d652c840dcfcd723021b5370deebeabdc86f77e79395329bb80b710c53 Net-SSLeay-1.85-Move-SSL_ERROR_WANT_READ-SSL_ERROR_WANT_WRITE-retry-from_write_partial.patch
+f767adcf6ffe72f1558b4bea115f742980c6e4e75bac8c43e94e781b3e1cbecb5522b8e1f395e7ee5369f59913b40b2cff6ced6c343ac19128fd8c4c8eb34267 Net-SSLeay-1.85-Expose_SSL_CTX_set_post_handshake_auth.patch"
diff --git a/main/perl-net-ssleay/Net-SSLeay-1.85-Expose_SSL_CTX_set_post_handshake_auth.patch b/main/perl-net-ssleay/Net-SSLeay-1.85-Expose_SSL_CTX_set_post_handshake_auth.patch
new file mode 100644
index 0000000000..452e6e2355
--- /dev/null
+++ b/main/perl-net-ssleay/Net-SSLeay-1.85-Expose_SSL_CTX_set_post_handshake_auth.patch
@@ -0,0 +1,42 @@
+commit 6a6bcf3d96115a6ef62289838cea418c185d8c88
+Author: Paul Howarth <paul@city-fan.org>
+Date: Wed Sep 19 09:38:40 2018 +0100
+
+ Expose SSL_CTX_set_post_handshake_auth
+
+ TLS 1.3 removed renegotiation in favor of rekeying and post handshake
+ authentication (PHA). With PHA, a server can request a client certificate from
+ a client at some point after the handshake. The feature is commonly used by
+ HTTP servers for conditional and path specific TLS client auth. For example, a
+ server can decide to require a cert based on HTTP method and/or path. A client
+ must announce support for PHA during the handshake.
+
+ Apache mod_ssl uses PHA:
+ https://github.com/apache/httpd/blob/trunk/modules/ssl/ssl_engine_kernel.c#L1207
+
+ As of OpenSSL ticket https://github.com/openssl/openssl/issues/6933, TLS 1.3
+ clients no longer send the PHA TLS extension by default. For on-demand auth,
+ PHA extension must be enabled with SSL_CTX_set_post_handshake_auth(),
+ https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_post_handshake_auth.html .
+
+ This function is needed for the Apache httpd upstream test suite:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1630391 .
+
+diff --git a/SSLeay.xs b/SSLeay.xs
+index a4dcb0a..5777ffc 100644
+--- a/SSLeay.xs
++++ b/SSLeay.xs
+@@ -7291,4 +7291,13 @@ SSL_export_keying_material(ssl, outlen, label, p)
+
+ #endif
+
++#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER) /* OpenSSL 1.1.1 */
++
++void
++SSL_CTX_set_post_handshake_auth(s,val)
++ SSL_CTX * s
++ int val
++
++#endif
++
+ #define REM_EOF "/* EOF - SSLeay.xs */" |
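Review bot: The new `SSL_CTX_set_post_handshake_auth` XSUB in the embedded SSLeay.xs hunk arrives with no comment, POD entry or test, and because it sits inside `#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER)` it does not exist at all on older OpenSSL or LibreSSL builds. I would add a comment above it such as `/* Client-side opt-in to TLS 1.3 post-handshake auth; not compiled for OpenSSL < 1.1.1 or LibreSSL, so callers must probe for it before use. */`. Only the context-level setter is exposed; if per-connection control is wanted, the matching `SSL_set_post_handshake_auth` binding would belong under the same guard. Since the commit message notes that OpenSSL made the extension opt-in, the documentation should also say to enable it only on contexts that are meant to answer a later client-certificate request.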