void doit(void) { /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t clientx509cred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN; /* General init. */ gnutls_global_init (); gnutls_global_set_log_function (tls_log_func); if (debug) gnutls_global_set_log_level (2); /* Init server */ gnutls_certificate_allocate_credentials (&serverx509cred); gnutls_certificate_set_x509_key_mem (serverx509cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); gnutls_init (&server, GNUTLS_SERVER); gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred); gnutls_priority_set_direct (server, "NORMAL", NULL); gnutls_transport_set_push_function (server, server_push); gnutls_transport_set_pull_function (server, server_pull); gnutls_transport_set_ptr (server, (gnutls_transport_ptr_t)server); /* Init client */ gnutls_certificate_allocate_credentials (&clientx509cred); gnutls_init (&client, GNUTLS_CLIENT); gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred); gnutls_priority_set_direct (client, "NORMAL", NULL); gnutls_transport_set_push_function (client, client_push); gnutls_transport_set_pull_function (client, client_pull); gnutls_transport_set_ptr (client, (gnutls_transport_ptr_t)client); /* Check that initially no session use the extension. */ if (gnutls_safe_renegotiation_status (server) || gnutls_safe_renegotiation_status (client)) { puts ("Client or server using extension before handshake?"); abort (); } HANDSHAKE(client, server); /* Check that both sessions use the extension. */ if (!gnutls_safe_renegotiation_status (server) || !gnutls_safe_renegotiation_status (client)) { puts ("Client or server not using safe renegotiation extension?"); abort (); } sret = gnutls_rehandshake (server); if (debug) { tls_log_func (0, "gnutls_rehandshake (server)...\n"); tls_log_func (0, gnutls_strerror (sret)); tls_log_func (0, "\n"); } { ssize_t n; char b[1]; n = gnutls_record_recv (client, b, 1); if (n != GNUTLS_E_REHANDSHAKE) abort (); } HANDSHAKE(client, server); /* Check that session still use the extension. */ if (!gnutls_safe_renegotiation_status (server) || !gnutls_safe_renegotiation_status (client)) { puts ("Client or server not using safe renegotiation extension?"); abort (); } /* Check that this API does not affect anything after first handshake. gnutls_safe_negotiation_set_initial (server, 0); */ sret = gnutls_rehandshake (server); if (debug) { tls_log_func (0, "gnutls_rehandshake (server)...\n"); tls_log_func (0, gnutls_strerror (sret)); tls_log_func (0, "\n"); } { ssize_t n; char b[1]; n = gnutls_record_recv (client, b, 1); if (n != GNUTLS_E_REHANDSHAKE) abort (); } HANDSHAKE(client, server); /* Check that disabling the extension will break rehandshakes. gnutls_safe_renegotiation_set (client, 0); */ sret = gnutls_rehandshake (server); if (debug) { tls_log_func (0, "gnutls_rehandshake (server)...\n"); tls_log_func (0, gnutls_strerror (sret)); tls_log_func (0, "\n"); } { ssize_t n; char b[1]; n = gnutls_record_recv (client, b, 1); if (n != GNUTLS_E_REHANDSHAKE) abort (); } HANDSHAKE(client, server); gnutls_bye (client, GNUTLS_SHUT_RDWR); gnutls_bye (server, GNUTLS_SHUT_RDWR); gnutls_deinit (client); gnutls_deinit (server); gnutls_certificate_free_credentials (serverx509cred); gnutls_certificate_free_credentials (clientx509cred); gnutls_global_deinit (); if (debug) { puts ("Self-test successful"); } return; }
void doit (void) { int exit_code = EXIT_SUCCESS; /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t clientx509cred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN; /* General init. */ gnutls_global_init (); gnutls_global_set_log_function (tls_log_func); if (debug) gnutls_global_set_log_level (2); /* Init server */ gnutls_certificate_allocate_credentials (&serverx509cred); gnutls_certificate_set_x509_key_mem (serverx509cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); gnutls_init (&server, GNUTLS_SERVER); gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred); gnutls_priority_set_direct (server, "NORMAL", NULL); gnutls_transport_set_push_function (server, server_push); gnutls_transport_set_pull_function (server, server_pull); gnutls_transport_set_ptr (server, (gnutls_transport_ptr_t)server); /* Init client */ gnutls_certificate_allocate_credentials (&clientx509cred); gnutls_init (&client, GNUTLS_CLIENT); gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred); gnutls_priority_set_direct (client, "NORMAL", NULL); gnutls_transport_set_push_function (client, client_push); gnutls_transport_set_pull_function (client, client_pull); gnutls_transport_set_ptr (client, (gnutls_transport_ptr_t)client); HANDSHAKE(client, server); sret = gnutls_rehandshake (server); if (debug) { tls_log_func (0, "gnutls_rehandshake (server)...\n"); tls_log_func (0, gnutls_strerror (sret)); tls_log_func (0, "\n"); } { ssize_t n; char b[1]; n = gnutls_record_recv (client, b, 1); if (n != GNUTLS_E_REHANDSHAKE) abort (); } HANDSHAKE(client, server); gnutls_bye (client, GNUTLS_SHUT_RDWR); gnutls_bye (server, GNUTLS_SHUT_RDWR); gnutls_deinit (client); gnutls_deinit (server); gnutls_certificate_free_credentials (serverx509cred); gnutls_certificate_free_credentials (clientx509cred); gnutls_global_deinit (); if (debug) { if (exit_code == 0) puts ("Self-test successful"); else puts ("Self-test failed"); } }
int main (int argc, char *argv[]) { int debug_level = argc - 1; int exit_code = EXIT_SUCCESS; /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t clientx509cred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN; /* General init. */ gnutls_global_init (); gnutls_global_set_log_function (tls_log_func); gnutls_global_set_log_level (debug_level); /* Init server */ gnutls_certificate_allocate_credentials (&serverx509cred); gnutls_certificate_set_x509_key_mem (serverx509cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); gnutls_init (&server, GNUTLS_SERVER); gnutls_credentials_set (server, GNUTLS_CRD_CERTIFICATE, serverx509cred); gnutls_priority_set_direct (server, "NORMAL:%DISABLE_SAFE_RENEGOTIATION", NULL); gnutls_transport_set_push_function (server, server_push); gnutls_transport_set_pull_function (server, server_pull); /* Init client */ gnutls_certificate_allocate_credentials (&clientx509cred); gnutls_init (&client, GNUTLS_CLIENT); gnutls_credentials_set (client, GNUTLS_CRD_CERTIFICATE, clientx509cred); gnutls_priority_set_direct (client, "NORMAL", NULL); gnutls_transport_set_push_function (client, client_push); gnutls_transport_set_pull_function (client, client_pull); /* Check that initially no session use the extension. */ if (gnutls_safe_renegotiation_status (server) || gnutls_safe_renegotiation_status (client)) { puts ("Client or server using extension before handshake?"); abort (); } do { static int max_iter = 0; if (max_iter++ > 10) abort (); if (cret == GNUTLS_E_AGAIN) { cret = gnutls_handshake (client); if (debug_level > 0) { tls_log_func (0, "gnutls_handshake (client)...\n"); tls_log_func (0, gnutls_strerror (cret)); tls_log_func (0, "\n"); } } if (sret == GNUTLS_E_AGAIN) { sret = gnutls_handshake (server); if (debug_level > 0) { tls_log_func (0, "gnutls_handshake (server)...\n"); tls_log_func (0, gnutls_strerror (sret)); tls_log_func (0, "\n"); } } } while ( /* Not done: */ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS) /* No error: */ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN)); if (cret != GNUTLS_E_SUCCESS && sret != GNUTLS_E_SUCCESS) exit_code = EXIT_FAILURE; if (gnutls_safe_renegotiation_status (client) || gnutls_safe_renegotiation_status (server)) { tls_log_func (0, "Session using safe renegotiation but shouldn't?!\n"); exit_code = EXIT_FAILURE; } sret = gnutls_rehandshake (server); if (debug_level > 0) { tls_log_func (0, "gnutls_rehandshake (server)...\n"); tls_log_func (0, gnutls_strerror (sret)); tls_log_func (0, "\n"); } { ssize_t n; char b[1]; n = gnutls_record_recv (client, b, 1); if (n != GNUTLS_E_REHANDSHAKE) abort (); } cret = GNUTLS_E_AGAIN; sret = GNUTLS_E_AGAIN; do { static int max_iter = 0; if (max_iter++ > 10) abort (); if (cret == GNUTLS_E_AGAIN) { cret = gnutls_handshake (client); if (debug_level > 0) { tls_log_func (0, "second gnutls_handshake (client)...\n"); tls_log_func (0, gnutls_strerror (cret)); tls_log_func (0, "\n"); } } if (sret == GNUTLS_E_AGAIN) { sret = gnutls_handshake (server); if (debug_level > 0) { tls_log_func (0, "second gnutls_handshake (server)...\n"); tls_log_func (0, gnutls_strerror (sret)); tls_log_func (0, "\n"); } } if (cret == GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED) break; } while ( /* Not done: */ !(cret == GNUTLS_E_SUCCESS && sret == GNUTLS_E_SUCCESS) /* No error: */ && (cret == GNUTLS_E_AGAIN || sret == GNUTLS_E_AGAIN)); if (cret != GNUTLS_E_UNSAFE_RENEGOTIATION_DENIED && sret != GNUTLS_E_SUCCESS) exit_code = 1; if (gnutls_safe_renegotiation_status (client) || gnutls_safe_renegotiation_status (server)) { tls_log_func (0, "Rehandshaked worked and uses safe reneg?!\n"); exit_code = EXIT_FAILURE; } gnutls_bye (client, GNUTLS_SHUT_RDWR); gnutls_bye (server, GNUTLS_SHUT_RDWR); gnutls_deinit (client); gnutls_deinit (server); free (to_server); free (to_client); gnutls_certificate_free_credentials (serverx509cred); gnutls_global_deinit (); if (debug_level > 0) { if (exit_code == 0) puts ("Self-test successful"); else puts ("Self-test failed"); } return exit_code; }
void doit(void) { /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t clientx509cred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN; /* General init. */ global_init(); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(2); /* Init server */ gnutls_certificate_allocate_credentials(&serverx509cred); gnutls_certificate_set_x509_key_mem(serverx509cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); gnutls_init(&server, GNUTLS_SERVER); gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, serverx509cred); gnutls_priority_set_direct(server, "NORMAL", NULL); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_ptr(server, server); /* Init client */ gnutls_certificate_allocate_credentials(&clientx509cred); gnutls_init(&client, GNUTLS_CLIENT); gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, clientx509cred); gnutls_priority_set_direct(client, "NORMAL", NULL); gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); gnutls_transport_set_ptr(client, client); HANDSHAKE(client, server); if (!gnutls_safe_renegotiation_status(client) || !gnutls_safe_renegotiation_status(server)) { tls_log_func(0, "Session not using safe renegotiation!\n"); exit(1); } if (!(gnutls_session_get_flags(client) & GNUTLS_SFLAGS_SAFE_RENEGOTIATION) || !(gnutls_session_get_flags(server) & GNUTLS_SFLAGS_SAFE_RENEGOTIATION)) { tls_log_func(0, "Session not using safe renegotiation!\n"); exit(1); } sret = gnutls_rehandshake(server); if (debug) { tls_log_func(0, "gnutls_rehandshake (server)...\n"); tls_log_func(0, gnutls_strerror(sret)); tls_log_func(0, "\n"); } { ssize_t n; char b[1]; n = gnutls_record_recv(client, b, 1); if (n != GNUTLS_E_REHANDSHAKE) abort(); } HANDSHAKE(client, server); if (!gnutls_safe_renegotiation_status(client) || !gnutls_safe_renegotiation_status(server)) { tls_log_func(0, "Rehandshaked session not using safe renegotiation!\n"); exit(1); } if (!(gnutls_session_get_flags(client) & GNUTLS_SFLAGS_SAFE_RENEGOTIATION) || !(gnutls_session_get_flags(server) & GNUTLS_SFLAGS_SAFE_RENEGOTIATION)) { tls_log_func(0, "Rehandshaked session not using safe renegotiation!\n"); exit(1); } gnutls_bye(client, GNUTLS_SHUT_RDWR); gnutls_bye(server, GNUTLS_SHUT_RDWR); gnutls_deinit(client); gnutls_deinit(server); gnutls_certificate_free_credentials(serverx509cred); gnutls_certificate_free_credentials(clientx509cred); gnutls_global_deinit(); if (debug) { puts("Self-test successful"); } return; }
static void server_initiated_handshake(void) { /* Server stuff. */ gnutls_certificate_credentials_t serverx509cred; gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ gnutls_certificate_credentials_t clientx509cred; gnutls_session_t client; unsigned char buffer[64]; int cret = GNUTLS_E_AGAIN; size_t transferred = 0; success("testing server initiated re-handshake\n"); /* General init. */ global_init(); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(2); /* Init server */ gnutls_certificate_allocate_credentials(&serverx509cred); gnutls_certificate_set_x509_key_mem(serverx509cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); gnutls_init(&server, GNUTLS_SERVER); gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, serverx509cred); gnutls_priority_set_direct(server, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3", NULL); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_ptr(server, server); /* Init client */ gnutls_certificate_allocate_credentials(&clientx509cred); gnutls_init(&client, GNUTLS_CLIENT); gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, clientx509cred); gnutls_priority_set_direct(client, "NORMAL:+VERS-TLS1.3", NULL); gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); gnutls_transport_set_ptr(client, client); HANDSHAKE(client, server); if (gnutls_protocol_get_version(client) != GNUTLS_TLS1_3) fail("TLS1.3 was not negotiated\n"); sret = gnutls_rehandshake(server); if (debug) { tls_log_func(0, "gnutls_rehandshake (server)...\n"); tls_log_func(0, gnutls_strerror(sret)); tls_log_func(0, "\n"); } { ssize_t n; char b[1]; n = gnutls_record_recv(client, b, 1); /* in TLS1.2 we get REHANDSHAKE error, here nothing */ if (n != GNUTLS_E_AGAIN) { fail("error msg: %s\n", gnutls_strerror(n)); } } TRANSFER(client, server, "xxxx", 4, buffer, sizeof(buffer)); gnutls_bye(client, GNUTLS_SHUT_RDWR); gnutls_bye(server, GNUTLS_SHUT_RDWR); gnutls_deinit(client); gnutls_deinit(server); gnutls_certificate_free_credentials(serverx509cred); gnutls_certificate_free_credentials(clientx509cred); gnutls_global_deinit(); reset_buffers(); }