From 93cc44b19242819a32b29a381d220e96a3c0fc41 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Wed, 27 Jun 2018 13:41:13 +0200
Subject: gnutls_session_get_flags: introduced
 GNUTLS_SFLAGS_POST_HANDSHAKE_AUTH

This allows a server application to detect whether the client
would support post handshake authentication or not without initiating
via gnutls_reauth().

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
---
 lib/includes/gnutls/gnutls.h.in           | 4 +++-
 lib/state.c                               | 2 ++
 lib/tls13/post_handshake.c                | 4 +++-
 tests/tls13/post-handshake-with-cert.c    | 5 +++++
 tests/tls13/post-handshake-without-cert.c | 3 +++
 5 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 9111dfb557..1a04e6ff1e 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1443,6 +1443,7 @@ unsigned gnutls_session_etm_status(gnutls_session_t session);
  * @GNUTLS_SFLAGS_HB_PEER_SEND: The heartbeat negotiation allows the peer to send heartbeat messages
  * @GNUTLS_SFLAGS_FALSE_START: The appdata set with gnutls_handshake_set_appdata() were sent during handshake (false start)
  * @GNUTLS_SFLAGS_SESSION_TICKET: A session ticket has been received by the server.
+ * @GNUTLS_SFLAGS_POST_HANDSHAKE_AUTH: Indicates client capability for post-handshake auth; set only on server side.
  *
  * Enumeration of different session parameters.
  */
@@ -1454,7 +1455,8 @@ typedef enum {
 	GNUTLS_SFLAGS_HB_PEER_SEND = 1<<4,
 	GNUTLS_SFLAGS_FALSE_START = 1<<5,
 	GNUTLS_SFLAGS_RFC7919 = 1<<6,
-	GNUTLS_SFLAGS_SESSION_TICKET = 1<<7
+	GNUTLS_SFLAGS_SESSION_TICKET = 1<<7,
+	GNUTLS_SFLAGS_POST_HANDSHAKE_AUTH = 1<<8
 } gnutls_session_flags_t;
 
 unsigned gnutls_session_get_flags(gnutls_session_t session);
diff --git a/lib/state.c b/lib/state.c
index 7276c2c43f..d01475c84a 100644
--- a/lib/state.c
+++ b/lib/state.c
@@ -1355,6 +1355,8 @@ unsigned gnutls_session_get_flags(gnutls_session_t session)
 		flags |= GNUTLS_SFLAGS_RFC7919;
 	if (session->internals.hsk_flags & HSK_TICKET_RECEIVED)
 		flags |= GNUTLS_SFLAGS_SESSION_TICKET;
+	if (session->security_parameters.post_handshake_auth)
+		flags |= GNUTLS_SFLAGS_POST_HANDSHAKE_AUTH;
 
 	return flags;
 }
diff --git a/lib/tls13/post_handshake.c b/lib/tls13/post_handshake.c
index 9543ca896e..b12c0ba221 100644
--- a/lib/tls13/post_handshake.c
+++ b/lib/tls13/post_handshake.c
@@ -219,7 +219,9 @@ int _gnutls13_reauth_server(gnutls_session_t session)
  * When this function is called under TLS1.2 or earlier or the peer didn't
  * advertise post-handshake auth, it always fails with
  * %GNUTLS_E_INVALID_REQUEST. The verification of the received peers certificate
- * is delegated to the session or credentials verification callbacks.
+ * is delegated to the session or credentials verification callbacks. A
+ * server can check whether post handshake authentication is supported
+ * by the client by checking the session flags with gnutls_session_get_flags().
  *
  * Prior to calling this function in server side, the function
  * gnutls_certificate_server_set_request() must be called setting expectations
diff --git a/tests/tls13/post-handshake-with-cert.c b/tests/tls13/post-handshake-with-cert.c
index 39565de6d2..e9940e79cb 100644
--- a/tests/tls13/post-handshake-with-cert.c
+++ b/tests/tls13/post-handshake-with-cert.c
@@ -234,6 +234,11 @@ static void server(int fd, int err, int type, unsigned max_auths)
 	if (ret != 0)
 		fail("handshake failed: %s\n", gnutls_strerror(ret));
 
+	if (!(gnutls_session_get_flags(session) & GNUTLS_SFLAGS_POST_HANDSHAKE_AUTH)) {
+		fail("server: session flags did not contain GNUTLS_SFLAGS_POST_HANDSHAKE_AUTH\n");
+	}
+
+
 	if (client_hello_ok == 0) {
 		fail("server: did not verify the client hello\n");
 	}
diff --git a/tests/tls13/post-handshake-without-cert.c b/tests/tls13/post-handshake-without-cert.c
index 4ee821b413..827fbc8495 100644
--- a/tests/tls13/post-handshake-without-cert.c
+++ b/tests/tls13/post-handshake-without-cert.c
@@ -193,6 +193,9 @@ static void server(int fd)
 		}
 	} while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
 
+	if ((gnutls_session_get_flags(session) & GNUTLS_SFLAGS_POST_HANDSHAKE_AUTH)) {
+		fail("server: session flags did contain GNUTLS_SFLAGS_POST_HANDSHAKE_AUTH\n");
+	}
 
 	if (server_hello_ok == 0) {
 		fail("server: did not verify the server hello contents\n");
-- 
cgit v1.2.1


From 32fe53b2d71a396ddf3cdc245bb6a99c04366921 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Wed, 27 Jun 2018 14:19:02 +0200
Subject: tls13 handshake: allow certificate messages after handshake

This allows post-handshake authentication even when PSK
is negotiated.

Resolves #489

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
---
 lib/tls13/certificate.c         | 7 +++++--
 lib/tls13/certificate_request.c | 6 ++++--
 lib/tls13/certificate_verify.c  | 4 +++-
 lib/tls13/post_handshake.c      | 8 +++++++-
 4 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/lib/tls13/certificate.c b/lib/tls13/certificate.c
index 90bd366854..b9a54df355 100644
--- a/lib/tls13/certificate.c
+++ b/lib/tls13/certificate.c
@@ -38,7 +38,8 @@ int _gnutls13_recv_certificate(gnutls_session_t session)
 	gnutls_buffer_st buf;
 	unsigned optional = 0;
 
-	if (session->internals.hsk_flags & HSK_PSK_SELECTED)
+	if (!session->internals.initial_negotiation_completed &&
+	    session->internals.hsk_flags & HSK_PSK_SELECTED)
 		return 0;
 
 	if (session->security_parameters.entity == GNUTLS_SERVER) {
@@ -201,8 +202,10 @@ int _gnutls13_send_certificate(gnutls_session_t session, unsigned again)
 	gnutls_certificate_credentials_t cred;
 
 	if (again == 0) {
-		if (session->internals.hsk_flags & HSK_PSK_SELECTED)
+		if (!session->internals.initial_negotiation_completed &&
+		    session->internals.hsk_flags & HSK_PSK_SELECTED)
 			return 0;
+
 		if (session->security_parameters.entity == GNUTLS_SERVER &&
 		    session->internals.resumed)
 			return 0;
diff --git a/lib/tls13/certificate_request.c b/lib/tls13/certificate_request.c
index 09fb56d0bd..a7ec0e2fd9 100644
--- a/lib/tls13/certificate_request.c
+++ b/lib/tls13/certificate_request.c
@@ -192,7 +192,8 @@ int _gnutls13_recv_certificate_request(gnutls_session_t session)
 	int ret;
 	gnutls_buffer_st buf;
 
-	if (session->internals.hsk_flags & HSK_PSK_SELECTED)
+	if (!session->internals.initial_negotiation_completed &&
+	    session->internals.hsk_flags & HSK_PSK_SELECTED)
 		return 0;
 
 	if (unlikely(session->security_parameters.entity != GNUTLS_CLIENT))
@@ -254,7 +255,8 @@ int _gnutls13_send_certificate_request(gnutls_session_t session, unsigned again)
 	if (again == 0) {
 		unsigned char rnd[12];
 
-		if (session->internals.hsk_flags & HSK_PSK_SELECTED)
+		if (!session->internals.initial_negotiation_completed &&
+		    session->internals.hsk_flags & HSK_PSK_SELECTED)
 			return 0;
 
 		if (session->internals.send_cert_req == 0)
diff --git a/lib/tls13/certificate_verify.c b/lib/tls13/certificate_verify.c
index f1dbabab05..96076e4e46 100644
--- a/lib/tls13/certificate_verify.c
+++ b/lib/tls13/certificate_verify.c
@@ -154,8 +154,10 @@ int _gnutls13_send_certificate_verify(gnutls_session_t session, unsigned again)
 	bool server = 0;
 
 	if (again == 0) {
-		if (session->internals.hsk_flags & HSK_PSK_SELECTED)
+		if (!session->internals.initial_negotiation_completed &&
+		    session->internals.hsk_flags & HSK_PSK_SELECTED)
 			return 0;
+
 		if (session->security_parameters.entity == GNUTLS_SERVER &&
 		    session->internals.resumed)
 			return 0;
diff --git a/lib/tls13/post_handshake.c b/lib/tls13/post_handshake.c
index b12c0ba221..ddab66f9a3 100644
--- a/lib/tls13/post_handshake.c
+++ b/lib/tls13/post_handshake.c
@@ -225,7 +225,13 @@ int _gnutls13_reauth_server(gnutls_session_t session)
  *
  * Prior to calling this function in server side, the function
  * gnutls_certificate_server_set_request() must be called setting expectations
- * for the received certificate (request or require).
+ * for the received certificate (request or require). If none are set
+ * this function will return with %GNUTLS_E_INVALID_REQUEST.
+ *
+ * Note that post handshake authentication is available irrespective
+ * of the initial negotiation type (PSK or certificate). In all cases
+ * however, certificate credentials must be set to the session prior
+ * to calling this function.
  *
  * Returns: %GNUTLS_E_SUCCESS on a successful authentication, otherwise a negative error code.
  **/
-- 
cgit v1.2.1


From 9caad776a796328132963fdd4961ad8e306ec842 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Wed, 27 Jun 2018 13:57:11 +0200
Subject: tests: introduced test for post-handshake auth + PSK

Relates #489

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
---
 .gitignore                            |   1 +
 tests/Makefile.am                     |   3 +-
 tests/tls13/post-handshake-with-psk.c | 366 ++++++++++++++++++++++++++++++++++
 3 files changed, 369 insertions(+), 1 deletion(-)
 create mode 100644 tests/tls13/post-handshake-with-psk.c

diff --git a/.gitignore b/.gitignore
index 044a8d274d..11b00ef3c6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -751,6 +751,7 @@ tests/tls12-rollback-detection
 tests/tls12-server-kx-neg
 tests/tls13-cert-key-exchange
 tests/tls13/change_cipher_spec
+tests/tls13/post-handshake-with-psk
 tests/tls13-cipher-neg
 tests/tls13/cookie
 tests/tls13/hello_random_value
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 437da63e6e..a8e72b6051 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -106,7 +106,8 @@ ctests = tls13/supported_versions tls13/tls12-no-tls13-exts \
 	tls13/post-handshake-with-cert tls13/post-handshake-without-cert \
 	tls13/cookie tls13/key_share tls13/prf tls13/post-handshake-with-cert-ticket \
 	tls12-rollback-detection tls11-rollback-detection \
-	tls12-check-rollback-val tls11-check-rollback-val tls13/hello_random_value
+	tls12-check-rollback-val tls11-check-rollback-val tls13/hello_random_value \
+	tls13/post-handshake-with-psk
 
 ctests += tls13/psk-ext
 
diff --git a/tests/tls13/post-handshake-with-psk.c b/tests/tls13/post-handshake-with-psk.c
new file mode 100644
index 0000000000..dd3d9b850e
--- /dev/null
+++ b/tests/tls13/post-handshake-with-psk.c
@@ -0,0 +1,366 @@
+/*
+ * Copyright (C) 2017-2018 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#if defined(_WIN32)
+
+int main()
+{
+	exit(77);
+}
+
+#else
+
+#include <string.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/dtls.h>
+#include <signal.h>
+#include <assert.h>
+
+#include "cert-common.h"
+#include "tls13/ext-parse.h"
+#include "utils.h"
+
+#define MAX_AUTHS 4
+
+/* This program tests whether the Post Handshake Auth would work
+ * under PSK authentication. */
+
+static void server_log_func(int level, const char *str)
+{
+	fprintf(stderr, "server|<%d>| %s", level, str);
+}
+
+static void client_log_func(int level, const char *str)
+{
+	fprintf(stderr, "client|<%d>| %s", level, str);
+}
+
+#define MAX_BUF 1024
+
+static void client(int fd, unsigned send_cert, unsigned max_auths)
+{
+	int ret;
+	gnutls_certificate_credentials_t x509_cred;
+	gnutls_psk_client_credentials_t pskcred;
+	const gnutls_datum_t key = { (void *) "DEADBEEF", 8 };
+	gnutls_session_t session;
+	char buf[64];
+	unsigned i;
+
+	global_init();
+
+	if (debug) {
+		gnutls_global_set_log_function(client_log_func);
+		gnutls_global_set_log_level(7);
+	}
+
+	assert(gnutls_psk_allocate_client_credentials(&pskcred)>=0);
+	assert(gnutls_psk_set_client_credentials(pskcred, "test", &key,
+						 GNUTLS_PSK_KEY_HEX)>=0);
+
+	assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0);
+
+	/* Initialize TLS session
+	 */
+	assert(gnutls_init(&session, GNUTLS_CLIENT|GNUTLS_POST_HANDSHAKE_AUTH)>=0);
+
+	gnutls_handshake_set_timeout(session, 20 * 1000);
+
+	ret = gnutls_priority_set_direct(session, "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.0:+ECDHE-PSK:+PSK", NULL);
+	if (ret < 0)
+		fail("cannot set TLS 1.3 priorities\n");
+
+
+	if (send_cert) {
+		assert(gnutls_certificate_set_x509_key_mem(x509_cred, &cli_ca3_cert,
+						    &cli_ca3_key,
+						    GNUTLS_X509_FMT_PEM)>=0);
+	}
+
+	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
+	gnutls_credentials_set(session, GNUTLS_CRD_PSK, pskcred);
+
+	gnutls_transport_set_int(session, fd);
+
+	/* Perform the TLS handshake
+	 */
+	do {
+		ret = gnutls_handshake(session);
+	}
+	while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
+
+	if (ret != 0)
+		fail("handshake failed: %s\n", gnutls_strerror(ret));
+
+	if (debug)
+		success("client handshake completed\n");
+
+	assert(gnutls_kx_get(session) == GNUTLS_KX_ECDHE_PSK);
+
+	gnutls_record_set_timeout(session, 20 * 1000);
+
+	for (i=0;i<max_auths;i++) {
+		if (debug)
+			success("waiting for post-handshake auth request\n");
+		do {
+			ret = gnutls_record_recv(session, buf, sizeof(buf));
+		} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+
+		if (ret != GNUTLS_E_REAUTH_REQUEST) {
+			fail("recv: unexpected error: %s\n", gnutls_strerror(ret));
+		}
+
+		if (debug)
+			success("received reauth request\n");
+		do {
+			ret = gnutls_reauth(session, 0);
+		} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+
+		if (ret != 0)
+			fail("client: gnutls_reauth did not succeed as expected: %s\n", gnutls_strerror(ret));
+	}
+
+
+	close(fd);
+
+	gnutls_deinit(session);
+
+	gnutls_certificate_free_credentials(x509_cred);
+	gnutls_psk_free_client_credentials(pskcred);
+
+	gnutls_global_deinit();
+}
+
+static unsigned client_hello_ok = 0;
+static unsigned server_hello_ok = 0;
+
+#define TLS_EXT_POST_HANDSHAKE 49
+
+static void parse_ext(void *priv, gnutls_datum_t *msg)
+{
+	if (msg->size != 0) {
+		fail("error in extension length: %d\n", (int)msg->size);
+	}
+}
+
+static int hellos_callback(gnutls_session_t session, unsigned int htype,
+	unsigned post, unsigned int incoming, const gnutls_datum_t *msg)
+{
+	if (htype == GNUTLS_HANDSHAKE_SERVER_HELLO && post == GNUTLS_HOOK_POST) {
+		if (find_server_extension(msg, TLS_EXT_POST_HANDSHAKE, NULL, NULL)) {
+			fail("Post handshake extension seen in server hello!\n");
+		}
+		server_hello_ok = 1;
+
+		return GNUTLS_E_INTERRUPTED;
+	}
+
+	if (htype != GNUTLS_HANDSHAKE_CLIENT_HELLO || post != GNUTLS_HOOK_PRE)
+		return 0;
+
+	if (find_client_extension(msg, TLS_EXT_POST_HANDSHAKE, NULL, parse_ext))
+		client_hello_ok = 1;
+	else
+		fail("Post handshake extension NOT seen in client hello!\n");
+
+	return 0;
+}
+
+static int
+pskfunc(gnutls_session_t session, const char *username,
+	gnutls_datum_t * key)
+{
+	if (debug)
+		printf("psk: username %s\n", username);
+	key->data = gnutls_malloc(4);
+	key->data[0] = 0xDE;
+	key->data[1] = 0xAD;
+	key->data[2] = 0xBE;
+	key->data[3] = 0xEF;
+	key->size = 4;
+	return 0;
+}
+
+static void server(int fd, int err, int type, unsigned max_auths)
+{
+	int ret;
+	char buffer[MAX_BUF + 1];
+	gnutls_session_t session;
+	gnutls_certificate_credentials_t x509_cred;
+	gnutls_psk_server_credentials_t server_pskcred;
+	unsigned i;
+
+	/* this must be called once in the program
+	 */
+	global_init();
+	memset(buffer, 0, sizeof(buffer));
+
+	if (debug) {
+		gnutls_global_set_log_function(server_log_func);
+		gnutls_global_set_log_level(6);
+	}
+
+	assert(gnutls_psk_allocate_server_credentials(&server_pskcred)>=0);
+	gnutls_psk_set_server_credentials_function(server_pskcred,
+						   pskfunc);
+
+	assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0);
+	assert(gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert,
+						   &server_key,
+						   GNUTLS_X509_FMT_PEM) >= 0);
+
+	assert(gnutls_init(&session, GNUTLS_SERVER|GNUTLS_POST_HANDSHAKE_AUTH)>=0);
+
+	gnutls_handshake_set_timeout(session, 20 * 1000);
+	gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_ANY,
+					   GNUTLS_HOOK_BOTH,
+					   hellos_callback);
+
+	assert(gnutls_priority_set_direct(session, "NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:+ECDHE-PSK", NULL)>=0);
+
+	gnutls_credentials_set(session, GNUTLS_CRD_PSK, server_pskcred);
+
+	gnutls_transport_set_int(session, fd);
+
+	do {
+		ret = gnutls_handshake(session);
+	} while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
+
+	if (ret != 0)
+		fail("handshake failed: %s\n", gnutls_strerror(ret));
+
+	if (!(gnutls_session_get_flags(session) & GNUTLS_SFLAGS_POST_HANDSHAKE_AUTH)) {
+		fail("server: session flags did not contain GNUTLS_SFLAGS_POST_HANDSHAKE_AUTH\n");
+	}
+
+
+	if (client_hello_ok == 0) {
+		fail("server: did not verify the client hello\n");
+	}
+
+	if (server_hello_ok == 0) {
+		fail("server: did not verify the server hello contents\n");
+	}
+
+	if (debug)
+		success("server handshake completed\n");
+
+	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
+	gnutls_certificate_server_set_request(session, type);
+
+	for (i=0;i<max_auths;i++) {
+		/* ask peer for re-authentication */
+		do {
+			ret = gnutls_reauth(session, 0);
+		} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+
+		if (err) {
+			if (ret != err)
+				fail("server: expected error %s, got: %s\n", gnutls_strerror(err),
+				     gnutls_strerror(ret));
+		} else if (ret != 0) {
+			fail("server: gnutls_reauth did not succeed as expected: %s\n", gnutls_strerror(ret));
+		}
+
+		if (debug)
+			success("server: sent post-handshake auth request\n");
+	}
+
+	close(fd);
+	gnutls_deinit(session);
+
+	gnutls_certificate_free_credentials(x509_cred);
+	gnutls_psk_free_server_credentials(server_pskcred);
+
+	gnutls_global_deinit();
+
+	if (debug)
+		success("server: client/server hello were verified\n");
+}
+
+static void ch_handler(int sig)
+{
+	int status;
+	wait(&status);
+	check_wait_status(status);
+	return;
+}
+
+static
+void start(const char *name, int err, int type, unsigned max_auths, unsigned send_cert)
+{
+	int fd[2];
+	int ret;
+	pid_t child;
+
+	success("testing %s\n", name);
+
+	client_hello_ok = 0;
+	server_hello_ok = 0;
+
+	signal(SIGCHLD, ch_handler);
+
+	ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
+	if (ret < 0) {
+		perror("socketpair");
+		exit(1);
+	}
+
+	child = fork();
+	if (child < 0) {
+		perror("fork");
+		fail("fork");
+		exit(1);
+	}
+
+	if (child) {
+		/* parent */
+		close(fd[1]);
+		server(fd[0], err, type, max_auths);
+		kill(child, SIGTERM);
+	} else {
+		close(fd[0]);
+		client(fd[1], send_cert, max_auths);
+		exit(0);
+	}
+
+}
+
+void doit(void)
+{
+	start("multi-reauth", 0, GNUTLS_CERT_REQUIRE, MAX_AUTHS, 1);
+	start("reauth-require with no-cert", GNUTLS_E_NO_CERTIFICATE_FOUND, GNUTLS_CERT_REQUIRE, 1, 0);
+	start("reauth-request with no-cert", 0, GNUTLS_CERT_REQUEST, 1, 0);
+}
+#endif				/* _WIN32 */
-- 
cgit v1.2.1


From c0ff5485481e6b035fdf588098e456a3e82be8b7 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Wed, 27 Jun 2018 14:38:40 +0200
Subject: post-handshake: return GNUTLS_E_GOT_APPLICATION_DATA as documented to

Relates #490

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
---
 lib/record.c               | 17 ++++++++++++++---
 lib/tls13/post_handshake.c |  3 ++-
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/lib/record.c b/lib/record.c
index ce0ecb672a..ed82db20a5 100644
--- a/lib/record.c
+++ b/lib/record.c
@@ -838,7 +838,7 @@ record_add_to_buffers(gnutls_session_t session,
 				 */
 				gnutls_assert();
 				ret = GNUTLS_E_WARNING_ALERT_RECEIVED;
-				if (ver->tls13_sem || bufel->msg.data[0] == GNUTLS_AL_FATAL) {
+				if ((ver && ver->tls13_sem) || bufel->msg.data[0] == GNUTLS_AL_FATAL) {
 					session_unresumable(session);
 					session_invalidate(session);
 					ret =
@@ -875,8 +875,19 @@ record_add_to_buffers(gnutls_session_t session,
 				goto unexpected_packet;
 			}
 
+			/* In TLS1.3 post-handshake authentication allow application
+			 * data error code. */
+			if ((ver && ver->tls13_sem) && type == GNUTLS_HANDSHAKE &&
+			    htype == GNUTLS_HANDSHAKE_CERTIFICATE_PKT &&
+			    session->internals.initial_negotiation_completed) {
+				_gnutls_record_buffer_put(session, recv->type,
+							  seq, bufel);
+				return
+				    gnutls_assert_val
+				    (GNUTLS_E_GOT_APPLICATION_DATA);
+			}
 
-			/* the got_application data is only returned
+			/* The got_application data is only returned
 			 * if expecting client hello (for rehandshake
 			 * reasons). Otherwise it is an unexpected packet
 			 */
@@ -944,7 +955,7 @@ record_add_to_buffers(gnutls_session_t session,
 			}
 
 			/* retrieve async handshake messages */
-			if (ver->tls13_sem) {
+			if (ver && ver->tls13_sem) {
 				gnutls_buffer_st buf;
 
 				_gnutls_ro_buffer_from_datum(&buf, &bufel->msg);
diff --git a/lib/tls13/post_handshake.c b/lib/tls13/post_handshake.c
index ddab66f9a3..c550c198a7 100644
--- a/lib/tls13/post_handshake.c
+++ b/lib/tls13/post_handshake.c
@@ -214,7 +214,8 @@ int _gnutls13_reauth_server(gnutls_session_t session)
  *
  * The former two interrupt the authentication procedure due to the transport
  * layer being interrupted, and the latter because there were pending data prior
- * to peer initiating the re-authentication.
+ * to peer initiating the re-authentication. The server should read/process that
+ * data as unauthenticated and retry calling gnutls_reauth().
  *
  * When this function is called under TLS1.2 or earlier or the peer didn't
  * advertise post-handshake auth, it always fails with
-- 
cgit v1.2.1


From ee16068f67d4d69f139cfdd2675c79dacb15dfcf Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Wed, 27 Jun 2018 15:00:13 +0200
Subject: tests: check for GNUTLS_E_GOT_APPLICATION_DATA on post-handshake auth

That is, check whether GNUTLS_E_GOT_APPLICATION_DATA is received as
documented, and whether post-handshake auth can complete while this
is being sent.

Resolves #490

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
---
 tests/tls13/post-handshake-with-cert-ticket.c |  1 +
 tests/tls13/post-handshake-with-cert.c        | 61 ++++++++++++++++++++++++---
 tests/tls13/post-handshake-with-psk.c         |  1 +
 3 files changed, 57 insertions(+), 6 deletions(-)

diff --git a/tests/tls13/post-handshake-with-cert-ticket.c b/tests/tls13/post-handshake-with-cert-ticket.c
index edac74b30f..87b3ea4ea3 100644
--- a/tests/tls13/post-handshake-with-cert-ticket.c
+++ b/tests/tls13/post-handshake-with-cert-ticket.c
@@ -331,6 +331,7 @@ void doit(void)
 	pid_t child;
 
 	signal(SIGCHLD, ch_handler);
+	signal(SIGPIPE, SIG_IGN);
 
 	ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
 	if (ret < 0) {
diff --git a/tests/tls13/post-handshake-with-cert.c b/tests/tls13/post-handshake-with-cert.c
index e9940e79cb..803a77b196 100644
--- a/tests/tls13/post-handshake-with-cert.c
+++ b/tests/tls13/post-handshake-with-cert.c
@@ -70,6 +70,7 @@ static void client_log_func(int level, const char *str)
 }
 
 #define MAX_BUF 1024
+#define MAX_APP_DATA 3
 
 static void client(int fd, unsigned send_cert, unsigned max_auths)
 {
@@ -77,7 +78,7 @@ static void client(int fd, unsigned send_cert, unsigned max_auths)
 	gnutls_certificate_credentials_t x509_cred;
 	gnutls_session_t session;
 	char buf[64];
-	unsigned i;
+	unsigned i, j;
 
 	global_init();
 
@@ -105,8 +106,6 @@ static void client(int fd, unsigned send_cert, unsigned max_auths)
 						    GNUTLS_X509_FMT_PEM)>=0);
 	}
 
-	/* put the anonymous credentials to the current session
-	 */
 	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
 
 	gnutls_transport_set_int(session, fd);
@@ -124,7 +123,12 @@ static void client(int fd, unsigned send_cert, unsigned max_auths)
 	if (debug)
 		success("client handshake completed\n");
 
+	gnutls_record_set_timeout(session, 20 * 1000);
+
 	for (i=0;i<max_auths;i++) {
+		if (debug)
+			success("waiting for auth nr %d\n", i);
+
 		do {
 			ret = gnutls_record_recv(session, buf, sizeof(buf));
 		} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
@@ -133,6 +137,17 @@ static void client(int fd, unsigned send_cert, unsigned max_auths)
 			fail("recv: unexpected error: %s\n", gnutls_strerror(ret));
 		}
 
+		/* send application data to check if server tolerates them */
+		if (i==0) {
+			for (j=0;j<MAX_APP_DATA;j++) {
+				memset(buf, j, sizeof(buf));
+				do {
+					ret = gnutls_record_send(session, buf, sizeof(buf));
+				} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+				assert(ret>=0);
+			}
+		}
+
 		if (debug)
 			success("received reauth request\n");
 		do {
@@ -194,7 +209,7 @@ static void server(int fd, int err, int type, unsigned max_auths)
 	char buffer[MAX_BUF + 1];
 	gnutls_session_t session;
 	gnutls_certificate_credentials_t x509_cred;
-	unsigned i;
+	unsigned i, retries;
 
 	/* this must be called once in the program
 	 */
@@ -203,7 +218,7 @@ static void server(int fd, int err, int type, unsigned max_auths)
 
 	if (debug) {
 		gnutls_global_set_log_function(server_log_func);
-		gnutls_global_set_log_level(4711);
+		gnutls_global_set_log_level(6);
 	}
 
 	gnutls_certificate_allocate_credentials(&x509_cred);
@@ -252,7 +267,40 @@ static void server(int fd, int err, int type, unsigned max_auths)
 
 	gnutls_certificate_server_set_request(session, type);
 
-	for (i=0;i<max_auths;i++) {
+	/* i = 0 */
+	/* ask peer for re-authentication */
+	retries = 0;
+	do {
+		do {
+			ret = gnutls_reauth(session, 0);
+		} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+
+		if (ret == GNUTLS_E_GOT_APPLICATION_DATA) {
+			int ret2;
+			do {
+				ret2 = gnutls_record_recv(session, buffer, sizeof(buffer));
+			} while (ret2 == GNUTLS_E_AGAIN || ret2 == GNUTLS_E_INTERRUPTED);
+
+			if (ret2 < 0)
+				fail("error receiving app data: %s\n", gnutls_strerror(ret2));
+
+			/* sender memsets the message with the retry attempt */
+			assert((uint8_t)buffer[0] == retries);
+			assert(retries < MAX_APP_DATA);
+		}
+
+		retries++;
+	} while (ret == GNUTLS_E_GOT_APPLICATION_DATA);
+
+	if (err) {
+		if (ret != err)
+			fail("server: expected error %s, got: %s\n", gnutls_strerror(err),
+			     gnutls_strerror(ret));
+	} else if (ret != 0)
+		fail("server: gnutls_reauth did not succeed as expected: %s\n", gnutls_strerror(ret));
+
+
+	for (i=1;i<max_auths;i++) {
 		/* ask peer for re-authentication */
 		do {
 			ret = gnutls_reauth(session, 0);
@@ -298,6 +346,7 @@ void start(const char *name, int err, int type, unsigned max_auths, unsigned sen
 	server_hello_ok = 0;
 
 	signal(SIGCHLD, ch_handler);
+	signal(SIGPIPE, SIG_IGN);
 
 	ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
 	if (ret < 0) {
diff --git a/tests/tls13/post-handshake-with-psk.c b/tests/tls13/post-handshake-with-psk.c
index dd3d9b850e..d104d0d460 100644
--- a/tests/tls13/post-handshake-with-psk.c
+++ b/tests/tls13/post-handshake-with-psk.c
@@ -330,6 +330,7 @@ void start(const char *name, int err, int type, unsigned max_auths, unsigned sen
 	server_hello_ok = 0;
 
 	signal(SIGCHLD, ch_handler);
+	signal(SIGPIPE, SIG_IGN);
 
 	ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
 	if (ret < 0) {
-- 
cgit v1.2.1


From eedcfa03415b29cdc6e9cd0be6c9f778c868e4d6 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Wed, 27 Jun 2018 21:31:43 +0200
Subject: tests: ignore PIPE signal on TLS1.3-related tests

This was inadvertently omitted and that could cause unexpected
issues when one of the peers would close the connection earlier
than expected.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
---
 tests/tls13/change_cipher_spec.c              |  1 +
 tests/tls13/cookie.c                          |  2 +-
 tests/tls13/hello_random_value.c              |  2 +-
 tests/tls13/key_share.c                       |  4 +++-
 tests/tls13/no-psk-exts.c                     |  3 ++-
 tests/tls13/post-handshake-with-cert-ticket.c |  2 +-
 tests/tls13/post-handshake-with-cert.c        |  2 +-
 tests/tls13/post-handshake-with-psk.c         |  2 +-
 tests/tls13/post-handshake-without-cert.c     |  3 ++-
 tests/tls13/prf.c                             |  2 +-
 tests/tls13/psk-dumbfw.c                      | 15 ++++++++++++++-
 tests/tls13/rnd-check-rollback-val.c          |  3 ++-
 tests/tls13/rnd-rollback-detection.c          |  3 ++-
 tests/tls13/supported_versions.c              |  3 ++-
 tests/tls13/tls12-no-tls13-exts.c             |  3 ++-
 15 files changed, 36 insertions(+), 14 deletions(-)

diff --git a/tests/tls13/change_cipher_spec.c b/tests/tls13/change_cipher_spec.c
index 23519d9fd4..1a9b80c817 100644
--- a/tests/tls13/change_cipher_spec.c
+++ b/tests/tls13/change_cipher_spec.c
@@ -309,6 +309,7 @@ void start(unsigned ccs_check)
 	pid_t child;
 
 	signal(SIGCHLD, ch_handler);
+	signal(SIGPIPE, SIG_IGN);
 
 	ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
 	if (ret < 0) {
diff --git a/tests/tls13/cookie.c b/tests/tls13/cookie.c
index 03d4f70ff4..562b9885f3 100644
--- a/tests/tls13/cookie.c
+++ b/tests/tls13/cookie.c
@@ -250,7 +250,7 @@ void doit(void)
 	}
 
 	if (child) {
-		int status;
+		int status = 0;
 		/* parent */
 		close(sockets[1]);
 		server(sockets[0]);
diff --git a/tests/tls13/hello_random_value.c b/tests/tls13/hello_random_value.c
index e14b4e786e..b0ef0b2309 100644
--- a/tests/tls13/hello_random_value.c
+++ b/tests/tls13/hello_random_value.c
@@ -248,7 +248,7 @@ void doit(void)
 	}
 
 	if (child) {
-		int status;
+		int status = 0;
 		/* parent */
 		close(sockets[1]);
 		client(sockets[0]);
diff --git a/tests/tls13/key_share.c b/tests/tls13/key_share.c
index 205f7d0056..c848fe5a15 100644
--- a/tests/tls13/key_share.c
+++ b/tests/tls13/key_share.c
@@ -258,7 +258,7 @@ static void server(int fd, gnutls_group_t exp_group, unsigned ngroups)
 
 static void ch_handler(int sig)
 {
-	int status;
+	int status = 0;
 	wait(&status);
 	check_wait_status(status);
 	return;
@@ -271,6 +271,8 @@ static void start(const char *name, const char *prio, unsigned flag, gnutls_grou
 	pid_t child;
 
 	signal(SIGCHLD, ch_handler);
+	signal(SIGPIPE, SIG_IGN);
+
 	testname = name;
 	success("== test %s ==\n", testname);
 
diff --git a/tests/tls13/no-psk-exts.c b/tests/tls13/no-psk-exts.c
index e8f1e2e84f..c1c25fdf16 100644
--- a/tests/tls13/no-psk-exts.c
+++ b/tests/tls13/no-psk-exts.c
@@ -216,7 +216,7 @@ static void server(int fd)
 
 static void ch_handler(int sig)
 {
-	int status;
+	int status = 0;
 	wait(&status);
 	check_wait_status(status);
 	return;
@@ -229,6 +229,7 @@ void doit(void)
 	pid_t child;
 
 	signal(SIGCHLD, ch_handler);
+	signal(SIGPIPE, SIG_IGN);
 
 	ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
 	if (ret < 0) {
diff --git a/tests/tls13/post-handshake-with-cert-ticket.c b/tests/tls13/post-handshake-with-cert-ticket.c
index 87b3ea4ea3..8ece3f1b4c 100644
--- a/tests/tls13/post-handshake-with-cert-ticket.c
+++ b/tests/tls13/post-handshake-with-cert-ticket.c
@@ -318,7 +318,7 @@ static void server(int fd)
 
 static void ch_handler(int sig)
 {
-	int status;
+	int status = 0;
 	wait(&status);
 	check_wait_status(status);
 	return;
diff --git a/tests/tls13/post-handshake-with-cert.c b/tests/tls13/post-handshake-with-cert.c
index 803a77b196..d24e06db70 100644
--- a/tests/tls13/post-handshake-with-cert.c
+++ b/tests/tls13/post-handshake-with-cert.c
@@ -327,7 +327,7 @@ static void server(int fd, int err, int type, unsigned max_auths)
 
 static void ch_handler(int sig)
 {
-	int status;
+	int status = 0;
 	wait(&status);
 	check_wait_status(status);
 	return;
diff --git a/tests/tls13/post-handshake-with-psk.c b/tests/tls13/post-handshake-with-psk.c
index d104d0d460..a85b57ab75 100644
--- a/tests/tls13/post-handshake-with-psk.c
+++ b/tests/tls13/post-handshake-with-psk.c
@@ -311,7 +311,7 @@ static void server(int fd, int err, int type, unsigned max_auths)
 
 static void ch_handler(int sig)
 {
-	int status;
+	int status = 0;
 	wait(&status);
 	check_wait_status(status);
 	return;
diff --git a/tests/tls13/post-handshake-without-cert.c b/tests/tls13/post-handshake-without-cert.c
index 827fbc8495..e6075ab0a0 100644
--- a/tests/tls13/post-handshake-without-cert.c
+++ b/tests/tls13/post-handshake-without-cert.c
@@ -219,7 +219,7 @@ static void server(int fd)
 
 static void ch_handler(int sig)
 {
-	int status;
+	int status = 0;
 	wait(&status);
 	check_wait_status(status);
 	return;
@@ -232,6 +232,7 @@ void doit(void)
 	pid_t child;
 
 	signal(SIGCHLD, ch_handler);
+	signal(SIGPIPE, SIG_IGN);
 
 	ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
 	if (ret < 0) {
diff --git a/tests/tls13/prf.c b/tests/tls13/prf.c
index 22e7f0e08f..da27332d42 100644
--- a/tests/tls13/prf.c
+++ b/tests/tls13/prf.c
@@ -339,7 +339,7 @@ void doit(void)
 	}
 
 	if (child) {
-		int status;
+		int status = 0;
 		/* parent */
 
 		server(fd[0]);
diff --git a/tests/tls13/psk-dumbfw.c b/tests/tls13/psk-dumbfw.c
index c9c995801e..5d8ad8b152 100644
--- a/tests/tls13/psk-dumbfw.c
+++ b/tests/tls13/psk-dumbfw.c
@@ -48,6 +48,7 @@ int main(int argc, char **argv)
 #include <unistd.h>
 #include <gnutls/gnutls.h>
 #include <assert.h>
+#include <signal.h>
 
 #include "tls13/ext-parse.h"
 
@@ -279,6 +280,15 @@ static void server(int sd, const char *prio)
 		success("server: finished\n");
 }
 
+static void ch_handler(int sig)
+{
+	int status = 0;
+	wait(&status);
+	check_wait_status(status);
+	return;
+}
+
+
 static
 void run_test(const char *prio)
 {
@@ -286,6 +296,9 @@ void run_test(const char *prio)
 	int err;
 	int sockets[2];
 
+	signal(SIGCHLD, ch_handler);
+	signal(SIGPIPE, SIG_IGN);
+
 	success("trying with %s\n", prio);
 
 	err = socketpair(AF_UNIX, SOCK_STREAM, 0, sockets);
@@ -303,7 +316,7 @@ void run_test(const char *prio)
 	}
 
 	if (child) {
-		int status;
+		int status = 0;
 		/* parent */
 		close(sockets[1]);
 		server(sockets[0], prio);
diff --git a/tests/tls13/rnd-check-rollback-val.c b/tests/tls13/rnd-check-rollback-val.c
index 5971bdb2f6..f573596c5e 100644
--- a/tests/tls13/rnd-check-rollback-val.c
+++ b/tests/tls13/rnd-check-rollback-val.c
@@ -210,7 +210,7 @@ static void server(int fd)
 
 static void ch_handler(int sig)
 {
-	int status;
+	int status = 0;
 	wait(&status);
 	check_wait_status(status);
 	return;
@@ -223,6 +223,7 @@ void doit(void)
 	pid_t child;
 
 	signal(SIGCHLD, ch_handler);
+	signal(SIGPIPE, SIG_IGN);
 
 	ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
 	if (ret < 0) {
diff --git a/tests/tls13/rnd-rollback-detection.c b/tests/tls13/rnd-rollback-detection.c
index 7b136ea29a..0d1ef01498 100644
--- a/tests/tls13/rnd-rollback-detection.c
+++ b/tests/tls13/rnd-rollback-detection.c
@@ -194,7 +194,7 @@ static void server(int fd)
 
 static void ch_handler(int sig)
 {
-	int status;
+	int status = 0;
 	wait(&status);
 	check_wait_status(status);
 	return;
@@ -207,6 +207,7 @@ void doit(void)
 	pid_t child;
 
 	signal(SIGCHLD, ch_handler);
+	signal(SIGPIPE, SIG_IGN);
 
 	ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
 	if (ret < 0) {
diff --git a/tests/tls13/supported_versions.c b/tests/tls13/supported_versions.c
index bb9c7b6b92..50ea986ca1 100644
--- a/tests/tls13/supported_versions.c
+++ b/tests/tls13/supported_versions.c
@@ -314,7 +314,7 @@ static void server(int fd)
 
 static void ch_handler(int sig)
 {
-	int status;
+	int status = 0;
 	wait(&status);
 	check_wait_status(status);
 	return;
@@ -327,6 +327,7 @@ void doit(void)
 	pid_t child;
 
 	signal(SIGCHLD, ch_handler);
+	signal(SIGPIPE, SIG_IGN);
 
 	ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
 	if (ret < 0) {
diff --git a/tests/tls13/tls12-no-tls13-exts.c b/tests/tls13/tls12-no-tls13-exts.c
index b7411fbdc8..ead25b4ad2 100644
--- a/tests/tls13/tls12-no-tls13-exts.c
+++ b/tests/tls13/tls12-no-tls13-exts.c
@@ -199,7 +199,7 @@ static void server(int fd)
 
 static void ch_handler(int sig)
 {
-	int status;
+	int status = 0;
 	wait(&status);
 	check_wait_status(status);
 	return;
@@ -212,6 +212,7 @@ void doit(void)
 	pid_t child;
 
 	signal(SIGCHLD, ch_handler);
+	signal(SIGPIPE, SIG_IGN);
 
 	ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
 	if (ret < 0) {
-- 
cgit v1.2.1