tests: re-enabled post-handshake auth tests

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

2 files changed, 56 insertions, 14 deletions

diff --git a/tests/tls13/post-handshake-with-cert.c b/tests/tls13/post-handshake-with-cert.c
index 49a48d946a..22e4376e80 100644
--- a/tests/tls13/post-handshake-with-cert.c
+++ b/tests/tls13/post-handshake-with-cert.c
@@ -50,9 +50,10 @@ int main()
 #include "tls13/ext-parse.h"
 #include "utils.h"
 
-/* This program tests the Post Handshake Auth extension present
- * in the client hello, and whether it is missing from server
- * hello.
+/* This program tests whether the Post Handshake Auth extension is
+ * present in the client hello, and whether it is missing from server
+ * hello. In addition it contains basic functionality test for
+ * post handshake authentication.
  */
 
 static void server_log_func(int level, const char *str)
@@ -72,6 +73,7 @@ static void client(int fd)
 	int ret;
 	gnutls_certificate_credentials_t x509_cred;
 	gnutls_session_t session;
+	char buf[64];
 
 	global_init();
 
@@ -84,7 +86,7 @@ static void client(int fd)
 
 	/* Initialize TLS session
 	 */
-	gnutls_init(&session, GNUTLS_CLIENT);
+	gnutls_init(&session, GNUTLS_CLIENT|GNUTLS_POST_HANDSHAKE_AUTH);
 
 	gnutls_handshake_set_timeout(session, 20 * 1000);
 
@@ -110,6 +112,26 @@ static void client(int fd)
 	}
 	while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
 
+	if (ret != 0)
+		fail("handshake failed: %s\n", gnutls_strerror(ret));
+	success("client handshake completed\n");
+
+	do {
+		ret = gnutls_record_recv(session, buf, sizeof(buf));
+	} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+
+	if (ret != GNUTLS_E_REAUTH_REQUEST) {
+		fail("recv: unexpected error: %s\n", gnutls_strerror(ret));
+	}
+
+	success("received reauth request\n");
+	do {
+		ret = gnutls_reauth(session, 0);
+	} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+
+	if (ret != 0)
+		fail("client: gnutls_reauth did not succeed as expected: %s\n", gnutls_strerror(ret));
+
 	close(fd);
 
 	gnutls_deinit(session);
@@ -176,7 +198,7 @@ static void server(int fd)
 					    &server_key,
 					    GNUTLS_X509_FMT_PEM);
 
-	gnutls_init(&session, GNUTLS_SERVER);
+	gnutls_init(&session, GNUTLS_SERVER|GNUTLS_POST_HANDSHAKE_AUTH);
 
 	gnutls_handshake_set_timeout(session, 20 * 1000);
 	gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_ANY,
@@ -194,11 +216,10 @@ static void server(int fd)
 
 	do {
 		ret = gnutls_handshake(session);
-		if (ret == GNUTLS_E_INTERRUPTED) { /* expected */
-			break;
-		}
 	} while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
 
+	if (ret != 0)
+		fail("handshake failed: %s\n", gnutls_strerror(ret));
 
 	if (client_hello_ok == 0) {
 		fail("server: did not verify the client hello\n");
@@ -207,6 +228,16 @@ static void server(int fd)
 	if (server_hello_ok == 0) {
 		fail("server: did not verify the server hello contents\n");
 	}
+	success("server handshake completed\n");
+
+	gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUIRE);
+	/* ask peer for re-authentication */
+	do {
+		ret = gnutls_reauth(session, 0);
+	} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+
+	if (ret != 0)
+		fail("server: gnutls_reauth did not succeed as expected: %s\n", gnutls_strerror(ret));
 
 	close(fd);
 	gnutls_deinit(session);
@@ -233,9 +264,6 @@ void doit(void)
 	int ret;
 	pid_t child;
 
-	/* re-enable when post-handshake authentication is available */
-	exit(77);
-
 	signal(SIGCHLD, ch_handler);
 
 	ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
diff --git a/tests/tls13/post-handshake-without-cert.c b/tests/tls13/post-handshake-without-cert.c
index 9c02d5b272..4ee821b413 100644
--- a/tests/tls13/post-handshake-without-cert.c
+++ b/tests/tls13/post-handshake-without-cert.c
@@ -45,14 +45,14 @@ int main()
 #include <gnutls/gnutls.h>
 #include <gnutls/dtls.h>
 #include <signal.h>
+#include <assert.h>
 
 #include "cert-common.h"
 #include "tls13/ext-parse.h"
 #include "utils.h"
 
-/* This program tests the Post Handshake Auth extension present
- * in the client hello, and whether it is missing from server
- * hello.
+/* This program tests whether the Post Handshake Auth extension is missing
+ * from both hellos, when not enabled by client.
  */
 
 static void server_log_func(int level, const char *str)
@@ -82,6 +82,10 @@ static void client(int fd)
 
 	gnutls_certificate_allocate_credentials(&x509_cred);
 
+	assert(gnutls_certificate_set_x509_key_mem(x509_cred, &cli_ca3_cert,
+						   &cli_ca3_key,
+						   GNUTLS_X509_FMT_PEM) >= 0);
+
 	/* Initialize TLS session
 	 */
 	gnutls_init(&session, GNUTLS_CLIENT);
@@ -105,6 +109,11 @@ static void client(int fd)
 	}
 	while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
 
+	/* try if gnutls_reauth() would fail as expected */
+	ret = gnutls_reauth(session, 0);
+	if (ret != GNUTLS_E_INVALID_REQUEST)
+		fail("server: gnutls_reauth did not fail as expected: %s", gnutls_strerror(ret));
+
 	close(fd);
 
 	gnutls_deinit(session);
@@ -189,6 +198,11 @@ static void server(int fd)
 		fail("server: did not verify the server hello contents\n");
 	}
 
+	/* try if gnutls_reauth() would fail as expected */
+	ret = gnutls_reauth(session, 0);
+	if (ret != GNUTLS_E_INVALID_REQUEST)
+		fail("server: gnutls_reauth did not fail as expected: %s", gnutls_strerror(ret));
+
 	close(fd);
 	gnutls_deinit(session);