[glib-networking/mcatanzaro/drop-rehandshaking: 2/2] Remove TLS rehandshaking support
- From: Michael Catanzaro <mcatanzaro src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib-networking/mcatanzaro/drop-rehandshaking: 2/2] Remove TLS rehandshaking support
- Date: Sat, 4 Jan 2020 23:35:46 +0000 (UTC)
commit 55061b1a919428331b8553cf32ef7c2a36140c4d
Author: Michael Catanzaro <mcatanzaro gnome org>
Date: Thu Jan 2 19:34:59 2020 -0600
Remove TLS rehandshaking support
Rehandshaking was removed from the TLS protocol in TLS 1.3. It's
possible that we still need to support it for TLS 1.2 connections, but
I'm pretty sure we don't. There are three ways a rehandshake could be
triggered: (1) by application API request, when calling
g_tls_connection_handshake() for a connection that has already
handshaked; (2) for a client connection, when the server peer requests a
rehandshake; (3) for a server connection, when the client requests a
rehandshake. Let's consider each case.
For (1), I previously deprecated this functionality in GLib 2.60.
Calling handshake multiple times is now undefined behavior, except it's
guaranteed to not break the connection in any way, for backwards
compatibility. See also glib!1305 for recent documentation
clarifications. I'm relatively confident that no real-world applications
are relying on this behavior; if they are, they're probably broken now
anyway, because we default to TLS 1.3 nowadays and have no documented
way to change that. (There's an undocumented environment variable.) If
your application is intentionally doing (1) and this causes problems for
you, please let us know (but I'll be surprised :)
In case (2), the client can simply ignore the rehandshake request. This
could in theory also break some applications... but again, I'm not
expecting much in the way of bug reports. I don't think this should
affect web browsers, at least. Maybe if a website decides it wants to
authenticate an existing connection without starting a new page load,
then it could be a problem? My suspicion is zero users will complain.
Finally, case (3). In this case, we have no choice but to terminate the
connection. However, this also should basically never happen. Almost all
users of GTlsConnection are using GTlsClientConnection, for starters.
The main user of GTlsServerConnection is probably cockpit. Since we
support TLS 1.3, and virtually all clients nowadays do too, almost all
negotiated connections should wind up using TLS 1.3. We need to
continue supporting TLS 1.2 indefinitely for *client* connections, until
web servers migrate to TLS 1.3 over the course of the next decade.
But clients have mostly already migrated. So for a server, rehandshaking
is pretty much out of the question already: a GTlsServerConnection
relying on this behavior is already broken.
Conclusion: I think we can get away with this. Now, we could keep the
rehandshaking code around forever if it doesn't cause problems, but I'm
trying to finish up a major refactor, during which I removed
rehandshaking support to simplify things, and bringing it back for
that would entail some additional complexity that I'd rather not have.
Also, now that support for TLS 1.2 session resumption has been removed,
rehandshakes are the only remaining legacy TLS feature that we support,
and it's kind of nice to clean house with an entirely modern
implementation as long as doing so doesn't break real-world
applications. Lack of bug reports will be interpreted as lack of
breakage.
Lastly, note that we still need to support TLS 1.3 post-handshake
authentication, #39. That's still a TODO item regardless of this change.
tls/base/gtlsconnection-base.c | 156 ++++++++---------------------------
tls/base/gtlsconnection-base.h | 6 --
tls/gnutls/gtlsconnection-gnutls.c | 64 ++++++--------
tls/openssl/gtlsconnection-openssl.c | 31 -------
tls/tests/connection.c | 86 +------------------
tls/tests/dtls-connection.c | 117 +-------------------------
6 files changed, 64 insertions(+), 396 deletions(-)
---
diff --git a/tls/base/gtlsconnection-base.c b/tls/base/gtlsconnection-base.c
index 93cfc8e..45be2cb 100644
--- a/tls/base/gtlsconnection-base.c
+++ b/tls/base/gtlsconnection-base.c
@@ -131,7 +131,6 @@ typedef struct
GMainContext *handshake_context;
GTask *implicit_handshake;
GError *handshake_error;
- GByteArray *app_data_buf;
/* read_closed means the read direction has closed; write_closed similarly.
* If (and only if) both are set, the entire GTlsConnection is closed. */
@@ -274,8 +273,6 @@ g_tls_connection_base_finalize (GObject *object)
g_clear_object (&priv->waiting_for_op);
g_mutex_clear (&priv->op_mutex);
- g_clear_pointer (&priv->app_data_buf, g_byte_array_unref);
-
g_clear_pointer (&priv->advertised_protocols, g_strfreev);
g_clear_pointer (&priv->negotiated_protocol, g_free);
@@ -497,8 +494,6 @@ status_to_string (GTlsConnectionBaseStatus st)
return "WOULD_BLOCK";
case G_TLS_CONNECTION_BASE_TIMED_OUT:
return "TIMED_OUT";
- case G_TLS_CONNECTION_BASE_REHANDSHAKE:
- return "REHANDSHAKE";
case G_TLS_CONNECTION_BASE_TRY_AGAIN:
return "TRY_AGAIN";
case G_TLS_CONNECTION_BASE_ERROR:
@@ -714,8 +709,6 @@ yield_op (GTlsConnectionBase *tls,
if (op == G_TLS_CONNECTION_BASE_OP_HANDSHAKE)
priv->handshaking = FALSE;
- else if (status == G_TLS_CONNECTION_BASE_REHANDSHAKE && !priv->handshaking)
- priv->need_handshake = TRUE;
if (op == G_TLS_CONNECTION_BASE_OP_CLOSE_BOTH ||
op == G_TLS_CONNECTION_BASE_OP_CLOSE_READ)
@@ -1448,31 +1441,13 @@ handshake_thread (GTask *task,
if (priv->ever_handshaked && !priv->need_handshake)
{
- GTlsConnectionBaseStatus status;
-
- if (tls_class->handshake_thread_safe_renegotiation_status (tls) !=
G_TLS_SAFE_RENEGOTIATION_SUPPORTED_BY_PEER)
- {
- g_task_return_new_error (task, G_TLS_ERROR, G_TLS_ERROR_MISC,
- _("Peer does not support safe renegotiation"));
- g_tls_log_debug (tls, "TLS handshake thread failed: peer does not support safe renegotiation");
- return;
- }
-
- /* Adjust the timeout for the next operation in the sequence. */
- if (timeout > 0)
- {
- timeout -= (g_get_monotonic_time () - start_time);
- if (timeout <= 0)
- timeout = 1;
- }
-
- status = tls_class->handshake_thread_request_rehandshake (tls, timeout, cancellable, &error);
- if (status != G_TLS_CONNECTION_BASE_OK)
- {
- g_task_return_error (task, error);
- g_tls_log_debug (tls, "TLS handshake thread failed: %s", error ? error->message : "no error");
- return;
- }
+ /* Once upon a time, we allowed calling g_tls_connection_handshake()
+ * twice in order to request a rehandshake. Now that rehandshaking has
+ * been removed from TLS 1.3, we'll instead just ignore the request. We
+ * can't throw an error here because this used to be allowed.
+ */
+ g_warning ("Ignoring TLS handshake request for GTlsConnection that has already handshaked");
+ goto out;
}
/* Adjust the timeout for the next operation in the sequence. */
@@ -1487,6 +1462,7 @@ handshake_thread (GTask *task,
tls_class->handshake_thread_handshake (tls, timeout, cancellable, &error);
priv->need_handshake = FALSE;
+out:
if (error)
{
g_task_return_error (task, error);
@@ -1938,31 +1914,14 @@ g_tls_connection_base_read (GTlsConnectionBase *tls,
g_tls_log_debug (tls, "starting to read data from TLS connection");
- do
- {
- if (!claim_op (tls, G_TLS_CONNECTION_BASE_OP_READ,
- timeout, cancellable, error))
- return -1;
+ if (!claim_op (tls, G_TLS_CONNECTION_BASE_OP_READ,
+ timeout, cancellable, error))
+ return -1;
- if (priv->app_data_buf && !priv->handshaking)
- {
- nread = MIN (count, priv->app_data_buf->len);
- memcpy (buffer, priv->app_data_buf->data, nread);
- if (nread == priv->app_data_buf->len)
- g_clear_pointer (&priv->app_data_buf, g_byte_array_unref);
- else
- g_byte_array_remove_range (priv->app_data_buf, 0, nread);
- status = G_TLS_CONNECTION_BASE_OK;
- }
- else
- {
- status = G_TLS_CONNECTION_BASE_GET_CLASS (tls)->
- read_fn (tls, buffer, count, timeout, &nread, cancellable, error);
- }
+ status = G_TLS_CONNECTION_BASE_GET_CLASS (tls)->
+ read_fn (tls, buffer, count, timeout, &nread, cancellable, error);
- yield_op (tls, G_TLS_CONNECTION_BASE_OP_READ, status);
- }
- while (status == G_TLS_CONNECTION_BASE_REHANDSHAKE);
+ yield_op (tls, G_TLS_CONNECTION_BASE_OP_READ, status);
if (status == G_TLS_CONNECTION_BASE_OK)
{
@@ -1989,41 +1948,15 @@ g_tls_connection_base_read_message (GTlsConnectionBase *tls,
g_tls_log_debug (tls, "starting to read messages from TLS connection");
- do {
- if (!claim_op (tls, G_TLS_CONNECTION_BASE_OP_READ,
- timeout, cancellable, error))
- return -1;
+ if (!claim_op (tls, G_TLS_CONNECTION_BASE_OP_READ,
+ timeout, cancellable, error))
+ return -1;
- /* Copy data out of the app data buffer first. */
- if (priv->app_data_buf && !priv->handshaking)
- {
- nread = 0;
-
- for (guint i = 0; i < num_vectors; i++)
- {
- gsize count;
- GInputVector *vec = &vectors[i];
-
- count = MIN (vec->size, priv->app_data_buf->len);
- nread += count;
-
- memcpy (vec->buffer, priv->app_data_buf->data, count);
- if (count == priv->app_data_buf->len)
- g_clear_pointer (&priv->app_data_buf, g_byte_array_unref);
- else
- g_byte_array_remove_range (priv->app_data_buf, 0, count);
- status = G_TLS_CONNECTION_BASE_OK;
- }
- }
- else
- {
- g_assert (G_TLS_CONNECTION_BASE_GET_CLASS (tls)->read_message_fn);
- status = G_TLS_CONNECTION_BASE_GET_CLASS (tls)->
- read_message_fn (tls, vectors, num_vectors, timeout, &nread, cancellable, error);
- }
-
- yield_op (tls, G_TLS_CONNECTION_BASE_OP_READ, status);
- } while (status == G_TLS_CONNECTION_BASE_REHANDSHAKE);
+ g_assert (G_TLS_CONNECTION_BASE_GET_CLASS (tls)->read_message_fn);
+ status = G_TLS_CONNECTION_BASE_GET_CLASS (tls)->
+ read_message_fn (tls, vectors, num_vectors, timeout, &nread, cancellable, error);
+
+ yield_op (tls, G_TLS_CONNECTION_BASE_OP_READ, status);
if (status == G_TLS_CONNECTION_BASE_OK)
{
@@ -2127,18 +2060,14 @@ g_tls_connection_base_write (GTlsConnectionBase *tls,
g_tls_log_debug (tls, "starting to write %" G_GSIZE_FORMAT " bytes to TLS connection", count);
- do
- {
- if (!claim_op (tls, G_TLS_CONNECTION_BASE_OP_WRITE,
- timeout, cancellable, error))
- return -1;
+ if (!claim_op (tls, G_TLS_CONNECTION_BASE_OP_WRITE,
+ timeout, cancellable, error))
+ return -1;
- status = G_TLS_CONNECTION_BASE_GET_CLASS (tls)->
- write_fn (tls, buffer, count, timeout, &nwrote, cancellable, error);
+ status = G_TLS_CONNECTION_BASE_GET_CLASS (tls)->
+ write_fn (tls, buffer, count, timeout, &nwrote, cancellable, error);
- yield_op (tls, G_TLS_CONNECTION_BASE_OP_WRITE, status);
- }
- while (status == G_TLS_CONNECTION_BASE_REHANDSHAKE);
+ yield_op (tls, G_TLS_CONNECTION_BASE_OP_WRITE, status);
if (status == G_TLS_CONNECTION_BASE_OK)
{
@@ -2165,17 +2094,15 @@ g_tls_connection_base_write_message (GTlsConnectionBase *tls,
g_tls_log_debug (tls, "starting to write messages to TLS connection");
- do {
- if (!claim_op (tls, G_TLS_CONNECTION_BASE_OP_WRITE,
- timeout, cancellable, error))
- return -1;
+ if (!claim_op (tls, G_TLS_CONNECTION_BASE_OP_WRITE,
+ timeout, cancellable, error))
+ return -1;
- g_assert (G_TLS_CONNECTION_BASE_GET_CLASS (tls)->read_message_fn);
- status = G_TLS_CONNECTION_BASE_GET_CLASS (tls)->
- write_message_fn (tls, vectors, num_vectors, timeout, &nwrote, cancellable, error);
+ g_assert (G_TLS_CONNECTION_BASE_GET_CLASS (tls)->read_message_fn);
+ status = G_TLS_CONNECTION_BASE_GET_CLASS (tls)->
+ write_message_fn (tls, vectors, num_vectors, timeout, &nwrote, cancellable, error);
- yield_op (tls, G_TLS_CONNECTION_BASE_OP_WRITE, status);
- } while (status == G_TLS_CONNECTION_BASE_REHANDSHAKE);
+ yield_op (tls, G_TLS_CONNECTION_BASE_OP_WRITE, status);
if (status == G_TLS_CONNECTION_BASE_OK)
{
@@ -2650,19 +2577,6 @@ g_tls_connection_base_handshake_thread_request_certificate (GTlsConnectionBase *
return res != G_TLS_INTERACTION_FAILED;
}
-void
-g_tls_connection_base_handshake_thread_buffer_application_data (GTlsConnectionBase *tls,
- guint8 *data,
- gsize length)
-{
- GTlsConnectionBasePrivate *priv = g_tls_connection_base_get_instance_private (tls);
-
- if (!priv->app_data_buf)
- priv->app_data_buf = g_byte_array_new ();
-
- g_byte_array_append (priv->app_data_buf, data, length);
-}
-
static void
g_tls_connection_base_class_init (GTlsConnectionBaseClass *klass)
{
diff --git a/tls/base/gtlsconnection-base.h b/tls/base/gtlsconnection-base.h
index bacefab..36d6da5 100644
--- a/tls/base/gtlsconnection-base.h
+++ b/tls/base/gtlsconnection-base.h
@@ -36,7 +36,6 @@ typedef enum {
G_TLS_CONNECTION_BASE_OK,
G_TLS_CONNECTION_BASE_WOULD_BLOCK,
G_TLS_CONNECTION_BASE_TIMED_OUT,
- G_TLS_CONNECTION_BASE_REHANDSHAKE,
G_TLS_CONNECTION_BASE_TRY_AGAIN,
G_TLS_CONNECTION_BASE_ERROR,
} GTlsConnectionBaseStatus;
@@ -192,9 +191,4 @@ gboolean g_tls_connection_base_ever_handshaked (GTlsCon
gboolean g_tls_connection_base_handshake_thread_request_certificate
(GTlsConnectionBase *tls);
-void g_tls_connection_base_handshake_thread_buffer_application_data
- (GTlsConnectionBase *tls,
- guint8 *data,
- gsize length);
-
G_END_DECLS
diff --git a/tls/gnutls/gtlsconnection-gnutls.c b/tls/gnutls/gtlsconnection-gnutls.c
index 39cc7c5..0c67d19 100644
--- a/tls/gnutls/gtlsconnection-gnutls.c
+++ b/tls/gnutls/gtlsconnection-gnutls.c
@@ -385,7 +385,31 @@ end_gnutls_io (GTlsConnectionGnutls *gnutls,
}
if (ret == GNUTLS_E_REHANDSHAKE)
- return G_TLS_CONNECTION_BASE_REHANDSHAKE;
+ {
+ if (ret == GNUTLS_E_REHANDSHAKE)
+ {
+ if (G_IS_TLS_CLIENT_CONNECTION (tls))
+ {
+ /* Ignore server's request for rehandshake, because we no longer
+ * support obsolete TLS rehandshakes.
+ *
+ * TODO: Send GNUTLS_A_NO_RENEGOTIATION here once we support alerts.
+ */
+ return G_TLS_CONNECTION_BASE_OK;
+ }
+ else
+ {
+ /* Are you hitting this error? If so, we may need to restore support
+ * for obsolete TLS rehandshakes. The server cannot simply ignore
+ * a rehandshake request like clients can, so this is fatal.
+ */
+ g_clear_error (&my_error);
+ g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
+ _("Client requested TLS rehandshake, which is no longer supported"));
+ return G_TLS_CONNECTION_BASE_ERROR;
+ }
+ }
+ }
if (ret == GNUTLS_E_PREMATURE_TERMINATION)
{
@@ -772,31 +796,6 @@ g_tls_connection_gnutls_handshake_thread_safe_renegotiation_status (GTlsConnecti
: G_TLS_SAFE_RENEGOTIATION_UNSUPPORTED;
}
-static GTlsConnectionBaseStatus
-g_tls_connection_gnutls_handshake_thread_request_rehandshake (GTlsConnectionBase *tls,
- gint64 timeout,
- GCancellable *cancellable,
- GError **error)
-{
- GTlsConnectionGnutls *gnutls = G_TLS_CONNECTION_GNUTLS (tls);
- GTlsConnectionGnutlsPrivate *priv = g_tls_connection_gnutls_get_instance_private (gnutls);
- GTlsConnectionBaseStatus status;
- int ret;
-
- /* On a client-side connection, gnutls_handshake() itself will start
- * a rehandshake, so we only need to do something special here for
- * server-side connections.
- */
- if (!G_IS_TLS_SERVER_CONNECTION (tls))
- return G_TLS_CONNECTION_BASE_OK;
-
- BEGIN_GNUTLS_IO (gnutls, G_IO_IN | G_IO_OUT, timeout, cancellable);
- ret = gnutls_rehandshake (priv->session);
- END_GNUTLS_IO (gnutls, G_IO_IN | G_IO_OUT, ret, status, _("Error performing TLS handshake: %s"), error);
-
- return status;
-}
-
static GTlsCertificate *
g_tls_connection_gnutls_retrieve_peer_certificate (GTlsConnectionBase *tls)
{
@@ -882,18 +881,6 @@ g_tls_connection_gnutls_handshake_thread_handshake (GTlsConnectionBase *tls,
BEGIN_GNUTLS_IO (gnutls, G_IO_IN | G_IO_OUT, timeout, cancellable);
ret = gnutls_handshake (priv->session);
- if (ret == GNUTLS_E_GOT_APPLICATION_DATA)
- {
- guint8 buf[1024];
-
- /* Got app data while waiting for rehandshake; buffer it and try again */
- ret = gnutls_record_recv (priv->session, buf, sizeof (buf));
- if (ret > -1)
- {
- g_tls_connection_base_handshake_thread_buffer_application_data (tls, buf, ret);
- ret = GNUTLS_E_AGAIN;
- }
- }
END_GNUTLS_IO (gnutls, G_IO_IN | G_IO_OUT, ret, status,
_("Error performing TLS handshake"), error);
@@ -1144,7 +1131,6 @@ g_tls_connection_gnutls_class_init (GTlsConnectionGnutlsClass *klass)
base_class->prepare_handshake = g_tls_connection_gnutls_prepare_handshake;
base_class->handshake_thread_safe_renegotiation_status =
g_tls_connection_gnutls_handshake_thread_safe_renegotiation_status;
- base_class->handshake_thread_request_rehandshake =
g_tls_connection_gnutls_handshake_thread_request_rehandshake;
base_class->handshake_thread_handshake =
g_tls_connection_gnutls_handshake_thread_handshake;
base_class->retrieve_peer_certificate = g_tls_connection_gnutls_retrieve_peer_certificate;
base_class->complete_handshake = g_tls_connection_gnutls_complete_handshake;
diff --git a/tls/openssl/gtlsconnection-openssl.c b/tls/openssl/gtlsconnection-openssl.c
index d751344..4c0a160 100644
--- a/tls/openssl/gtlsconnection-openssl.c
+++ b/tls/openssl/gtlsconnection-openssl.c
@@ -224,36 +224,6 @@ end_openssl_io (GTlsConnectionOpenssl *openssl,
status = end_openssl_io (openssl, direction, ret, timeout == -1, err, errmsg, error_str); \
} while (status == G_TLS_CONNECTION_BASE_TRY_AGAIN);
-static GTlsConnectionBaseStatus
-g_tls_connection_openssl_handshake_thread_request_rehandshake (GTlsConnectionBase *tls,
- gint64 timeout,
- GCancellable *cancellable,
- GError **error)
-{
- GTlsConnectionOpenssl *openssl;
- GTlsConnectionBaseStatus status;
- SSL *ssl;
- int ret;
-
- /* On a client-side connection, SSL_renegotiate() itself will start
- * a rehandshake, so we only need to do something special here for
- * server-side connections.
- */
- if (!G_IS_TLS_SERVER_CONNECTION (tls))
- return G_TLS_CONNECTION_BASE_OK;
-
- openssl = G_TLS_CONNECTION_OPENSSL (tls);
-
- ssl = g_tls_connection_openssl_get_ssl (openssl);
-
- BEGIN_OPENSSL_IO (openssl, G_IO_IN | G_IO_OUT, timeout, cancellable);
- ret = SSL_renegotiate (ssl);
- END_OPENSSL_IO (openssl, G_IO_IN | G_IO_OUT, ret, timeout, status,
- _("Error performing TLS handshake"), error);
-
- return status;
-}
-
static GTlsCertificate *
g_tls_connection_openssl_retrieve_peer_certificate (GTlsConnectionBase *tls)
{
@@ -501,7 +471,6 @@ g_tls_connection_openssl_class_init (GTlsConnectionOpensslClass *klass)
object_class->finalize = g_tls_connection_openssl_finalize;
base_class->handshake_thread_safe_renegotiation_status =
g_tls_connection_openssl_handshake_thread_safe_renegotiation_status;
- base_class->handshake_thread_request_rehandshake =
g_tls_connection_openssl_handshake_thread_request_rehandshake;
base_class->handshake_thread_handshake =
g_tls_connection_openssl_handshake_thread_handshake;
base_class->retrieve_peer_certificate =
g_tls_connection_openssl_retrieve_peer_certificate;
base_class->push_io = g_tls_connection_openssl_push_io;
diff --git a/tls/tests/connection.c b/tls/tests/connection.c
index b900062..1d3bbf7 100644
--- a/tls/tests/connection.c
+++ b/tls/tests/connection.c
@@ -82,7 +82,6 @@ typedef struct {
GSocketConnectable *identity;
GSocketAddress *address;
GTlsAuthenticationMode auth_mode;
- gboolean rehandshake;
GTlsCertificateFlags accept_flags;
GError *read_error;
GError *server_error;
@@ -221,25 +220,6 @@ static void on_output_write_finish (GObject *object,
GAsyncResult *res,
gpointer user_data);
-static void
-on_rehandshake_finish (GObject *object,
- GAsyncResult *res,
- gpointer user_data)
-{
- TestConnection *test = user_data;
- GError *error = NULL;
- GOutputStream *stream;
-
- g_tls_connection_handshake_finish (G_TLS_CONNECTION (object), res, &error);
- g_assert_no_error (error);
-
- stream = g_io_stream_get_output_stream (test->server_connection);
- g_output_stream_write_async (stream, TEST_DATA + TEST_DATA_LENGTH / 2,
- TEST_DATA_LENGTH / 2,
- G_PRIORITY_DEFAULT, NULL,
- on_output_write_finish, test);
-}
-
static void
on_server_close_finish (GObject *object,
GAsyncResult *res,
@@ -272,15 +252,6 @@ on_output_write_finish (GObject *object,
g_assert_no_error (test->server_error);
g_output_stream_write_finish (G_OUTPUT_STREAM (object), res, &test->server_error);
- if (!test->server_error && test->rehandshake)
- {
- test->rehandshake = FALSE;
- g_tls_connection_handshake_async (G_TLS_CONNECTION (test->server_connection),
- G_PRIORITY_DEFAULT, NULL,
- on_rehandshake_finish, test);
- return;
- }
-
if (test->connection_received_strategy == WRITE_THEN_CLOSE)
close_server_connection (test);
}
@@ -341,8 +312,8 @@ on_incoming_connection (GSocketService *service,
if (test->connection_received_strategy == WRITE_THEN_CLOSE ||
test->connection_received_strategy == WRITE_THEN_WAIT)
{
- g_output_stream_write_async (stream, TEST_DATA,
- test->rehandshake ? TEST_DATA_LENGTH / 2 : TEST_DATA_LENGTH,
+ g_output_stream_write_async (stream,
+ TEST_DATA, TEST_DATA_LENGTH,
G_PRIORITY_DEFAULT, NULL,
on_output_write_finish, test);
}
@@ -440,13 +411,6 @@ run_echo_server (GThreadedSocketService *service,
nwrote = g_output_stream_write (ostream, buf + total, nread - total, NULL, &error);
g_assert_no_error (error);
}
-
- if (test->rehandshake)
- {
- test->rehandshake = FALSE;
- g_tls_connection_handshake (tlsconn, NULL, &error);
- g_assert_no_error (error);
- }
}
g_io_stream_close (test->server_connection, NULL, &error);
@@ -1171,20 +1135,6 @@ test_client_auth_pkcs11_connection (TestConnection *test,
}
#endif
-static void
-test_client_auth_rehandshake (TestConnection *test,
- gconstpointer data)
-{
-#ifdef BACKEND_IS_OPENSSL
- /* FIXME: this doesn't make sense, we should support safe renegotation */
- g_test_skip ("the server avoids rehandshake to avoid the security problem CVE-2009-3555");
- return;
-#endif
-
- test->rehandshake = TRUE;
- test_client_auth_connection (test, data);
-}
-
static void
test_client_auth_failure (TestConnection *test,
gconstpointer data)
@@ -1886,19 +1836,6 @@ test_simultaneous_async (TestConnection *test,
g_assert_cmpstr (test->buf, ==, TEST_DATA);
}
-static void
-test_simultaneous_async_rehandshake (TestConnection *test,
- gconstpointer data)
-{
-#ifdef BACKEND_IS_OPENSSL
- g_test_skip ("this needs more research on openssl");
- return;
-#endif
-
- test->rehandshake = TRUE;
- test_simultaneous_async (test, data);
-}
-
static gpointer
simul_read_thread (gpointer user_data)
{
@@ -1985,19 +1922,6 @@ test_simultaneous_sync (TestConnection *test,
g_assert_no_error (error);
}
-static void
-test_simultaneous_sync_rehandshake (TestConnection *test,
- gconstpointer data)
-{
-#ifdef BACKEND_IS_OPENSSL
- g_test_skip ("this needs more research on openssl");
- return;
-#endif
-
- test->rehandshake = TRUE;
- test_simultaneous_sync (test, data);
-}
-
static void
test_close_immediately (TestConnection *test,
gconstpointer data)
@@ -2611,8 +2535,6 @@ main (int argc,
setup_connection, test_invalid_chain_with_alternative_ca_cert, teardown_connection);
g_test_add ("/tls/" BACKEND "/connection/client-auth", TestConnection, NULL,
setup_connection, test_client_auth_connection, teardown_connection);
- g_test_add ("/tls/" BACKEND "/connection/client-auth-rehandshake", TestConnection, NULL,
- setup_connection, test_client_auth_rehandshake, teardown_connection);
g_test_add ("/tls/" BACKEND "/connection/client-auth-failure", TestConnection, NULL,
setup_connection, test_client_auth_failure, teardown_connection);
g_test_add ("/tls/" BACKEND "/connection/client-auth-fail-missing-client-private-key", TestConnection,
NULL,
@@ -2642,10 +2564,6 @@ main (int argc,
setup_connection, test_simultaneous_async, teardown_connection);
g_test_add ("/tls/" BACKEND "/connection/simultaneous-sync", TestConnection, NULL,
setup_connection, test_simultaneous_sync, teardown_connection);
- g_test_add ("/tls/" BACKEND "/connection/simultaneous-async-rehandshake", TestConnection, NULL,
- setup_connection, test_simultaneous_async_rehandshake, teardown_connection);
- g_test_add ("/tls/" BACKEND "/connection/simultaneous-sync-rehandshake", TestConnection, NULL,
- setup_connection, test_simultaneous_sync_rehandshake, teardown_connection);
g_test_add ("/tls/" BACKEND "/connection/close-immediately", TestConnection, NULL,
setup_connection, test_close_immediately, teardown_connection);
g_test_add ("/tls/" BACKEND "/connection/unclean-close-by-server", TestConnection, NULL,
diff --git a/tls/tests/dtls-connection.c b/tls/tests/dtls-connection.c
index 99a7986..e814e25 100644
--- a/tls/tests/dtls-connection.c
+++ b/tls/tests/dtls-connection.c
@@ -83,7 +83,6 @@ typedef struct {
GDatagramBased *client_connection;
GSocketConnectable *identity;
GSocketAddress *address;
- gboolean rehandshake;
GTlsCertificateFlags accept_flags;
GError *read_error;
gboolean expect_server_error;
@@ -221,100 +220,6 @@ on_accept_certificate (GTlsClientConnection *conn, GTlsCertificate *cert,
static void close_server_connection (TestConnection *test,
gboolean graceful);
-static void
-on_rehandshake_finish (GObject *object,
- GAsyncResult *res,
- gpointer user_data)
-{
- TestConnection *test = user_data;
- GError *error = NULL;
- GOutputVector vectors[2] = {
- { TEST_DATA + TEST_DATA_LENGTH / 2, TEST_DATA_LENGTH / 4 },
- { TEST_DATA + 3 * TEST_DATA_LENGTH / 4, TEST_DATA_LENGTH / 4},
- };
- GOutputMessage message = { NULL, vectors, G_N_ELEMENTS (vectors), 0, NULL, 0 };
- gint n_sent;
-
- g_dtls_connection_handshake_finish (G_DTLS_CONNECTION (object), res, &error);
- g_assert_no_error (error);
-
- do
- {
- g_clear_error (&test->server_error);
- n_sent = g_datagram_based_send_messages (test->server_connection,
- &message, 1,
- G_SOCKET_MSG_NONE, 0, NULL,
- &test->server_error);
- g_main_context_iteration (NULL, FALSE);
- }
- while (g_error_matches (test->server_error, G_IO_ERROR, G_IO_ERROR_WOULD_BLOCK));
-
- if (!test->server_error)
- {
- g_assert_cmpint (n_sent, ==, 1);
- g_assert_cmpuint (message.bytes_sent, ==, TEST_DATA_LENGTH / 2);
- }
-
- if (!test->server_error && test->rehandshake)
- {
- test->rehandshake = FALSE;
- g_dtls_connection_handshake_async (G_DTLS_CONNECTION (test->server_connection),
- G_PRIORITY_DEFAULT, NULL,
- on_rehandshake_finish, test);
- return;
- }
-
- if (test->test_data->server_should_close)
- close_server_connection (test, TRUE);
-}
-
-static void
-on_rehandshake_finish_threaded (GObject *object,
- GAsyncResult *res,
- gpointer user_data)
-{
- TestConnection *test = user_data;
- GError *error = NULL;
- GOutputVector vectors[2] = {
- { TEST_DATA + TEST_DATA_LENGTH / 2, TEST_DATA_LENGTH / 4 },
- { TEST_DATA + 3 * TEST_DATA_LENGTH / 4, TEST_DATA_LENGTH / 4},
- };
- GOutputMessage message = { NULL, vectors, G_N_ELEMENTS (vectors), 0, NULL, 0 };
- gint n_sent;
-
- g_dtls_connection_handshake_finish (G_DTLS_CONNECTION (object), res, &error);
- g_assert_no_error (error);
-
- do
- {
- g_clear_error (&test->server_error);
- n_sent = g_datagram_based_send_messages (test->server_connection,
- &message, 1,
- G_SOCKET_MSG_NONE, 0, NULL,
- &test->server_error);
- g_main_context_iteration (NULL, FALSE);
- }
- while (g_error_matches (test->server_error, G_IO_ERROR, G_IO_ERROR_WOULD_BLOCK));
-
- if (!test->server_error)
- {
- g_assert_cmpint (n_sent, ==, 1);
- g_assert_cmpuint (message.bytes_sent, ==, TEST_DATA_LENGTH / 2);
- }
-
- if (!test->server_error && test->rehandshake)
- {
- test->rehandshake = FALSE;
- g_dtls_connection_handshake_async (G_DTLS_CONNECTION (test->server_connection),
- G_PRIORITY_DEFAULT, NULL,
- on_rehandshake_finish_threaded, test);
- return;
- }
-
- if (test->test_data->server_should_close)
- close_server_connection (test, TRUE);
-}
-
static void
close_server_connection (TestConnection *test,
gboolean graceful)
@@ -346,7 +251,7 @@ on_incoming_connection (GSocket *socket,
GError *error = NULL;
GOutputVector vector = {
TEST_DATA,
- test->rehandshake ? TEST_DATA_LENGTH / 2 : TEST_DATA_LENGTH
+ TEST_DATA_LENGTH
};
GOutputMessage message = { NULL, &vector, 1, 0, NULL, 0 };
gint n_sent;
@@ -427,15 +332,6 @@ on_incoming_connection (GSocket *socket,
g_assert_cmpuint (message.bytes_sent, ==, vector.size);
}
- if (!test->server_error && test->rehandshake)
- {
- test->rehandshake = FALSE;
- g_dtls_connection_handshake_async (G_DTLS_CONNECTION (test->server_connection),
- G_PRIORITY_DEFAULT, NULL,
- on_rehandshake_finish, test);
- return G_SOURCE_REMOVE;
- }
-
if (test->test_data->server_should_close)
close_server_connection (test, TRUE);
@@ -452,7 +348,7 @@ on_incoming_connection_threaded (GSocket *socket,
GError *error = NULL;
GOutputVector vector = {
TEST_DATA,
- test->rehandshake ? TEST_DATA_LENGTH / 2 : TEST_DATA_LENGTH
+ TEST_DATA_LENGTH
};
GOutputMessage message = { NULL, &vector, 1, 0, NULL, 0 };
gint n_sent;
@@ -528,15 +424,6 @@ on_incoming_connection_threaded (GSocket *socket,
g_assert_cmpuint (message.bytes_sent, ==, vector.size);
}
- if (!test->server_error && test->rehandshake)
- {
- test->rehandshake = FALSE;
- g_dtls_connection_handshake_async (G_DTLS_CONNECTION (test->server_connection),
- G_PRIORITY_DEFAULT, NULL,
- on_rehandshake_finish_threaded, test);
- return G_SOURCE_REMOVE;
- }
-
if (test->test_data->server_should_close)
close_server_connection (test, TRUE);
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]