From d25d0002048c6649298978a8effa5bc7b633e3a0 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Thu, 2 Nov 2017 15:30:43 +0100
Subject: tests: re-enabled post-handshake auth tests
Signed-off-by: Nikos Mavrogiannopoulos
---
 tests/tls13/post-handshake-with-cert.c | 50 ++++++++++++++++++++++++-------
 tests/tls13/post-handshake-without-cert.c | 20 +++++++++++--
 2 files changed, 56 insertions(+), 14 deletions(-)
diff --git a/tests/tls13/post-handshake-with-cert.c b/tests/tls13/post-handshake-with-cert.c
index 49a48d946a..22e4376e80 100644
--- a/tests/tls13/post-handshake-with-cert.c
+++ b/tests/tls13/post-handshake-with-cert.c
@@ -50,9 +50,10 @@ int main()
 #include "tls13/ext-parse.h"
 #include "utils.h"
-/* This program tests the Post Handshake Auth extension present
- * in the client hello, and whether it is missing from server
- * hello.
+/* This program tests whether the Post Handshake Auth extension is
+ * present in the client hello, and whether it is missing from server
+ * hello. In addition it contains basic functionality test for
+ * post handshake authentication.
 */
 static void server_log_func(int level, const char *str)
@@ -72,6 +73,7 @@ static void client(int fd)
 int ret;
 gnutls_certificate_credentials_t x509_cred;
 gnutls_session_t session;
+ char buf[64];
 global_init();
@@ -84,7 +86,7 @@ static void client(int fd)
 /* Initialize TLS session */
- gnutls_init(&session, GNUTLS_CLIENT);
+ gnutls_init(&session, GNUTLS_CLIENT|GNUTLS_POST_HANDSHAKE_AUTH);
 gnutls_handshake_set_timeout(session, 20 * 1000);
@@ -110,6 +112,26 @@ static void client(int fd)
 } while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
+ if (ret != 0)
+ fail("handshake failed: %s\n", gnutls_strerror(ret));
+ success("client handshake completed\n");
+
+ do {
+ ret = gnutls_record_recv(session, buf, sizeof(buf));
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+
+ if (ret != GNUTLS_E_REAUTH_REQUEST) {
+ fail("recv: unexpected error: %s\n", gnutls_strerror(ret));
+ }
+
+ success("received reauth request\n");
+ do {
+ ret = gnutls_reauth(session, 0);
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+
+ if (ret != 0)
+ fail("client: gnutls_reauth did not succeed as expected: %s\n", gnutls_strerror(ret));
+
 close(fd);
 gnutls_deinit(session);
@@ -176,7 +198,7 @@ static void server(int fd)
 &server_key, GNUTLS_X509_FMT_PEM);
- gnutls_init(&session, GNUTLS_SERVER);
+ gnutls_init(&session, GNUTLS_SERVER|GNUTLS_POST_HANDSHAKE_AUTH);
 gnutls_handshake_set_timeout(session, 20 * 1000);
 gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_ANY,
@@ -194,11 +216,10 @@ static void server(int fd)
 do {
 ret = gnutls_handshake(session);
- if (ret == GNUTLS_E_INTERRUPTED) { /* expected */
- break;
- }
 } while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
+ if (ret != 0)
+ fail("handshake failed: %s\n", gnutls_strerror(ret));
 if (client_hello_ok == 0) {
 fail("server: did not verify the client hello\n");
@@ -207,6 +228,16 @@ static void server(int fd)
 if (server_hello_ok == 0) {
 fail("server: did not verify the server hello contents\n");
 }
+ success("server handshake completed\n");
+
+ gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUIRE);
+ /* ask peer for re-authentication */
+ do {
+ ret = gnutls_reauth(session, 0);
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+
+ if (ret != 0)
+ fail("server: gnutls_reauth did not succeed as expected: %s\n", gnutls_strerror(ret));
+
 close(fd);
 gnutls_deinit(session);
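Review bot: In the `@@ -207,6 +228,16 @@` hunk the server treats `gnutls_reauth()` returning 0 as the whole success condition, but nothing checks that the re-authentication actually produced a client certificate, so a library regression in which gnutls_reauth() returns 0 without having received one would still pass this test despite `GNUTLS_CERT_REQUIRE`. Asserting on the peer certificate after the loop closes that gap, e.g. `if (gnutls_certificate_get_peers(session, &cert_list_size) == NULL) fail("server: no client certificate after reauth\n");` with `unsigned int cert_list_size;` declared alongside the other locals. Whether a verify function is installed on the credentials elsewhere in server() is not visible, since the function starts and ends outside the hunk.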
@@ -233,9 +264,6 @@ void doit(void)
 int ret;
 pid_t child;
- /* re-enable when post-handshake authentication is available */
- exit(77);
-
 signal(SIGCHLD, ch_handler);
 ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
diff --git a/tests/tls13/post-handshake-without-cert.c b/tests/tls13/post-handshake-without-cert.c
index 9c02d5b272..4ee821b413 100644
--- a/tests/tls13/post-handshake-without-cert.c
+++ b/tests/tls13/post-handshake-without-cert.c
@@ -45,14 +45,14 @@ int main()
 #include
 #include
 #include
+#include
 #include "cert-common.h"
 #include "tls13/ext-parse.h"
 #include "utils.h"
-/* This program tests the Post Handshake Auth extension present
- * in the client hello, and whether it is missing from server
- * hello.
+/* This program tests whether the Post Handshake Auth extension is missing
+ * from both hellos, when not enabled by client.
 */
 static void server_log_func(int level, const char *str)
@@ -82,6 +82,10 @@ static void client(int fd)
 gnutls_certificate_allocate_credentials(&x509_cred);
+ assert(gnutls_certificate_set_x509_key_mem(x509_cred, &cli_ca3_cert,
+ &cli_ca3_key,
+ GNUTLS_X509_FMT_PEM) >= 0);
+
 /* Initialize TLS session */
 gnutls_init(&session, GNUTLS_CLIENT);
@@ -105,6 +109,11 @@ static void client(int fd)
 } while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
+ /* try if gnutls_reauth() would fail as expected */
+ ret = gnutls_reauth(session, 0);
+ if (ret != GNUTLS_E_INVALID_REQUEST)
+ fail("server: gnutls_reauth did not fail as expected: %s", gnutls_strerror(ret));
+
 close(fd);
 gnutls_deinit(session);
@@ -189,6 +198,11 @@ static void server(int fd)
 fail("server: did not verify the server hello contents\n");
 }
+ /* try if gnutls_reauth() would fail as expected */
+ ret = gnutls_reauth(session, 0);
+ if (ret != GNUTLS_E_INVALID_REQUEST)
+ fail("server: gnutls_reauth did not fail as expected: %s", gnutls_strerror(ret));
+
 close(fd);
 gnutls_deinit(session);
--
cgit v1.2.1
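Review bot: The credential loading in the `@@ -82,6 +82,10 @@` hunk runs inside `assert()`, so if this file is ever compiled with `NDEBUG` the `gnutls_certificate_set_x509_key_mem` call is dropped entirely and the client ends up with no certificate, silently changing what the test exercises. Keeping the call outside the assertion avoids that: `ret = gnutls_certificate_set_x509_key_mem(x509_cred, &cli_ca3_cert, &cli_ca3_key, GNUTLS_X509_FMT_PEM);` followed by `if (ret < 0) fail("client: could not set x509 credentials: %s\n", gnutls_strerror(ret));`. Whether the test build defines NDEBUG is not visible here, but the other checks in this file already report through `fail()` rather than `assert()`, so this also keeps the style consistent. client() begins and ends outside the hunk.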
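Review bot: In the `@@ -105,6 +109,11 @@` hunk gnutls_reauth() is called right after the handshake loop without first checking that the handshake succeeded, so a fatal handshake error would be reported as an unexpected gnutls_reauth() result rather than as the handshake failure it is; the with-cert file in this same commit adds `if (ret != 0) fail("handshake failed: %s\n", gnutls_strerror(ret));` after its loop, and the same line belongs here. The failure message is also mislabelled and unterminated: this is client(), yet it reads `"server: gnutls_reauth did not fail as expected: %s"`, and unlike every other fail() message in the diff it has no trailing `\n`; `fail("client: gnutls_reauth did not fail as expected: %s\n", gnutls_strerror(ret));` fixes both. The message in the `@@ -189,6 +198,11 @@` server hunk is correctly labelled but also lacks the newline. Whether the server hunk is preceded by a handshake-result check is not visible, since that part of server() is outside the hunk.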