[glib-networking/mcatanzaro/drop-rehandshaking] Remove TLS rehandshaking support



commit f8b8d5dacd89e46679db06385e117c08856cae69
Author: Michael Catanzaro <mcatanzaro gnome org>
Date:   Thu Jan 2 19:34:59 2020 -0600

    Remove TLS rehandshaking support
    
    Rehandshaking was removed from the TLS protocol in TLS 1.3. It's
    possible that we still need to support it for TLS 1.2 connections, but
    I'm pretty sure we don't. There are three ways a rehandshake could be
    triggered: (1) by application API request, when calling
    g_tls_connection_handshake() for a connection that has already
    handshaked; (2) for a client connection, when the server peer requests a
    rehandshake; (3) for a server connection, when the client requests a
    rehandshake. Let's consider each case.
    
    For (1), I previously deprecated this functionality in GLib 2.60.
    Calling handshake multiple times is now undefined behavior, except it's
    guaranteed to not break the connection in any way, for backwards
    compatibility. See also glib!1305 for recent documentation
    clarifications. I'm relatively confident that no real-world applications
    are relying on this behavior; if they are, they're probably broken now
    anyway, because we default to TLS 1.3 nowadays and have no documented
    way to change that. (There's an undocumented environment variable.) If
    your application is intentionally doing (1) and this causes problems for
    you, please let us know (but I'll be surprised :)
    
    In case (2), the client can simply ignore the rehandshake request. This
    could in theory also break some applications... but again, I'm not
    expecting much in the way of bug reports. I don't think this should
    affect web browsers, at least. Maybe if a website decides it wants to
    authenticate an existing connection without starting a new page load,
    then it could be a problem? My suspicion is zero users will complain.
    
    Finally, case (3). In this case, we have no choice but to terminate the
    connection. However, this also should basically never happen. Almost all
    users of GTlsConnection are using GTlsClientConnection, for starters.
    The main user of GTlsServerConnection is probably cockpit. Since we
    support TLS 1.3, and virtually all clients nowadays do too, almost all
    negotiated connections should wind up using TLS 1.3. We need to
    continue supporting TLS 1.2 indefinitely for *client* connections, until
    web servers migrate to TLS 1.3 over the course of the next decade.
    But clients have mostly already migrated. So for a server, rehandshaking
    is pretty much out of the question already: a GTlsServerConnection
    relying on this behavior is already broken.
    
    Conclusion: I think we can get away with this. Now, we could keep the
    rehandshaking code around forever if it doesn't cause problems, but I'm
    trying to finish up a major refactor, during which I removed
    rehandshaking support to simplify things, and bringing it back for
    that would entail some additional complexity that I'd rather not have.
    Also, now that support for TLS 1.2 session resumption has been removed,
    rehandshakes are the only remaining legacy TLS feature that we support,
    and it's kind of nice to clean house with an entirely modern
    implementation as long as doing so doesn't break real-world
    applications. Lack of bug reports will be interpreted as lack of
    breakage.
    
    Lastly, note that we still need to support TLS 1.3 post-handshake
    authentication, #39. That's still a TODO item regardless of this change.

 tls/base/gtlsconnection-base.c       | 156 ++++++++---------------------------
 tls/base/gtlsconnection-base.h       |   6 --
 tls/gnutls/gtlsconnection-gnutls.c   |  61 +++++---------
 tls/openssl/gtlsconnection-openssl.c |  31 -------
 tls/tests/connection.c               |  86 +------------------
 tls/tests/dtls-connection.c          | 117 +-------------------------
 6 files changed, 61 insertions(+), 396 deletions(-)
---
diff --git a/tls/base/gtlsconnection-base.c b/tls/base/gtlsconnection-base.c
index 93cfc8e..45be2cb 100644
--- a/tls/base/gtlsconnection-base.c
+++ b/tls/base/gtlsconnection-base.c
@@ -131,7 +131,6 @@ typedef struct
   GMainContext  *handshake_context;
   GTask         *implicit_handshake;
   GError        *handshake_error;
-  GByteArray    *app_data_buf;
 
   /* read_closed means the read direction has closed; write_closed similarly.
    * If (and only if) both are set, the entire GTlsConnection is closed. */
@@ -274,8 +273,6 @@ g_tls_connection_base_finalize (GObject *object)
   g_clear_object (&priv->waiting_for_op);
   g_mutex_clear (&priv->op_mutex);
 
-  g_clear_pointer (&priv->app_data_buf, g_byte_array_unref);
-
   g_clear_pointer (&priv->advertised_protocols, g_strfreev);
   g_clear_pointer (&priv->negotiated_protocol, g_free);
 
@@ -497,8 +494,6 @@ status_to_string (GTlsConnectionBaseStatus st)
       return "WOULD_BLOCK";
     case G_TLS_CONNECTION_BASE_TIMED_OUT:
       return "TIMED_OUT";
-    case G_TLS_CONNECTION_BASE_REHANDSHAKE:
-      return "REHANDSHAKE";
     case G_TLS_CONNECTION_BASE_TRY_AGAIN:
       return "TRY_AGAIN";
     case G_TLS_CONNECTION_BASE_ERROR:
@@ -714,8 +709,6 @@ yield_op (GTlsConnectionBase       *tls,
 
   if (op == G_TLS_CONNECTION_BASE_OP_HANDSHAKE)
     priv->handshaking = FALSE;
-  else if (status == G_TLS_CONNECTION_BASE_REHANDSHAKE && !priv->handshaking)
-    priv->need_handshake = TRUE;
 
   if (op == G_TLS_CONNECTION_BASE_OP_CLOSE_BOTH ||
       op == G_TLS_CONNECTION_BASE_OP_CLOSE_READ)
@@ -1448,31 +1441,13 @@ handshake_thread (GTask        *task,
 
   if (priv->ever_handshaked && !priv->need_handshake)
     {
-      GTlsConnectionBaseStatus status;
-
-      if (tls_class->handshake_thread_safe_renegotiation_status (tls) != 
G_TLS_SAFE_RENEGOTIATION_SUPPORTED_BY_PEER)
-        {
-          g_task_return_new_error (task, G_TLS_ERROR, G_TLS_ERROR_MISC,
-                                   _("Peer does not support safe renegotiation"));
-          g_tls_log_debug (tls, "TLS handshake thread failed: peer does not support safe renegotiation");
-          return;
-        }
-
-      /* Adjust the timeout for the next operation in the sequence. */
-      if (timeout > 0)
-        {
-          timeout -= (g_get_monotonic_time () - start_time);
-          if (timeout <= 0)
-            timeout = 1;
-        }
-
-      status = tls_class->handshake_thread_request_rehandshake (tls, timeout, cancellable, &error);
-      if (status != G_TLS_CONNECTION_BASE_OK)
-        {
-          g_task_return_error (task, error);
-          g_tls_log_debug (tls, "TLS handshake thread failed: %s", error ? error->message : "no error");
-          return;
-        }
+      /* Once upon a time, we allowed calling g_tls_connection_handshake()
+       * twice in order to request a rehandshake. Now that rehandshaking has
+       * been removed from TLS 1.3, we'll instead just ignore the request. We
+       * can't throw an error here because this used to be allowed.
+       */
+      g_warning ("Ignoring TLS handshake request for GTlsConnection that has already handshaked");
+      goto out;
     }
 
   /* Adjust the timeout for the next operation in the sequence. */
@@ -1487,6 +1462,7 @@ handshake_thread (GTask        *task,
   tls_class->handshake_thread_handshake (tls, timeout, cancellable, &error);
   priv->need_handshake = FALSE;
 
+out:
   if (error)
     {
       g_task_return_error (task, error);
@@ -1938,31 +1914,14 @@ g_tls_connection_base_read (GTlsConnectionBase  *tls,
 
   g_tls_log_debug (tls, "starting to read data from TLS connection");
 
-  do
-    {
-      if (!claim_op (tls, G_TLS_CONNECTION_BASE_OP_READ,
-                     timeout, cancellable, error))
-        return -1;
+  if (!claim_op (tls, G_TLS_CONNECTION_BASE_OP_READ,
+                 timeout, cancellable, error))
+    return -1;
 
-      if (priv->app_data_buf && !priv->handshaking)
-        {
-          nread = MIN (count, priv->app_data_buf->len);
-          memcpy (buffer, priv->app_data_buf->data, nread);
-          if (nread == priv->app_data_buf->len)
-            g_clear_pointer (&priv->app_data_buf, g_byte_array_unref);
-          else
-            g_byte_array_remove_range (priv->app_data_buf, 0, nread);
-          status = G_TLS_CONNECTION_BASE_OK;
-        }
-      else
-        {
-          status = G_TLS_CONNECTION_BASE_GET_CLASS (tls)->
-            read_fn (tls, buffer, count, timeout, &nread, cancellable, error);
-        }
+  status = G_TLS_CONNECTION_BASE_GET_CLASS (tls)->
+    read_fn (tls, buffer, count, timeout, &nread, cancellable, error);
 
-      yield_op (tls, G_TLS_CONNECTION_BASE_OP_READ, status);
-    }
-  while (status == G_TLS_CONNECTION_BASE_REHANDSHAKE);
+  yield_op (tls, G_TLS_CONNECTION_BASE_OP_READ, status);
 
   if (status == G_TLS_CONNECTION_BASE_OK)
     {
@@ -1989,41 +1948,15 @@ g_tls_connection_base_read_message (GTlsConnectionBase  *tls,
 
   g_tls_log_debug (tls, "starting to read messages from TLS connection");
 
-  do {
-    if (!claim_op (tls, G_TLS_CONNECTION_BASE_OP_READ,
-                   timeout, cancellable, error))
-      return -1;
+  if (!claim_op (tls, G_TLS_CONNECTION_BASE_OP_READ,
+                 timeout, cancellable, error))
+    return -1;
 
-    /* Copy data out of the app data buffer first. */
-    if (priv->app_data_buf && !priv->handshaking)
-      {
-        nread = 0;
-
-        for (guint i = 0; i < num_vectors; i++)
-          {
-            gsize count;
-            GInputVector *vec = &vectors[i];
-
-            count = MIN (vec->size, priv->app_data_buf->len);
-            nread += count;
-
-            memcpy (vec->buffer, priv->app_data_buf->data, count);
-            if (count == priv->app_data_buf->len)
-              g_clear_pointer (&priv->app_data_buf, g_byte_array_unref);
-            else
-              g_byte_array_remove_range (priv->app_data_buf, 0, count);
-            status = G_TLS_CONNECTION_BASE_OK;
-          }
-      }
-    else
-      {
-        g_assert (G_TLS_CONNECTION_BASE_GET_CLASS (tls)->read_message_fn);
-        status = G_TLS_CONNECTION_BASE_GET_CLASS (tls)->
-          read_message_fn (tls, vectors, num_vectors, timeout, &nread, cancellable, error);
-      }
-
-    yield_op (tls, G_TLS_CONNECTION_BASE_OP_READ, status);
-  } while (status == G_TLS_CONNECTION_BASE_REHANDSHAKE);
+  g_assert (G_TLS_CONNECTION_BASE_GET_CLASS (tls)->read_message_fn);
+  status = G_TLS_CONNECTION_BASE_GET_CLASS (tls)->
+    read_message_fn (tls, vectors, num_vectors, timeout, &nread, cancellable, error);
+
+  yield_op (tls, G_TLS_CONNECTION_BASE_OP_READ, status);
 
   if (status == G_TLS_CONNECTION_BASE_OK)
     {
@@ -2127,18 +2060,14 @@ g_tls_connection_base_write (GTlsConnectionBase  *tls,
 
   g_tls_log_debug (tls, "starting to write %" G_GSIZE_FORMAT " bytes to TLS connection", count);
 
-  do
-    {
-      if (!claim_op (tls, G_TLS_CONNECTION_BASE_OP_WRITE,
-                     timeout, cancellable, error))
-        return -1;
+  if (!claim_op (tls, G_TLS_CONNECTION_BASE_OP_WRITE,
+                 timeout, cancellable, error))
+    return -1;
 
-      status = G_TLS_CONNECTION_BASE_GET_CLASS (tls)->
-        write_fn (tls, buffer, count, timeout, &nwrote, cancellable, error);
+  status = G_TLS_CONNECTION_BASE_GET_CLASS (tls)->
+    write_fn (tls, buffer, count, timeout, &nwrote, cancellable, error);
 
-      yield_op (tls, G_TLS_CONNECTION_BASE_OP_WRITE, status);
-    }
-  while (status == G_TLS_CONNECTION_BASE_REHANDSHAKE);
+  yield_op (tls, G_TLS_CONNECTION_BASE_OP_WRITE, status);
 
   if (status == G_TLS_CONNECTION_BASE_OK)
     {
@@ -2165,17 +2094,15 @@ g_tls_connection_base_write_message (GTlsConnectionBase  *tls,
 
   g_tls_log_debug (tls, "starting to write messages to TLS connection");
 
-  do {
-    if (!claim_op (tls, G_TLS_CONNECTION_BASE_OP_WRITE,
-                   timeout, cancellable, error))
-      return -1;
+  if (!claim_op (tls, G_TLS_CONNECTION_BASE_OP_WRITE,
+                 timeout, cancellable, error))
+    return -1;
 
-    g_assert (G_TLS_CONNECTION_BASE_GET_CLASS (tls)->read_message_fn);
-    status = G_TLS_CONNECTION_BASE_GET_CLASS (tls)->
-      write_message_fn (tls, vectors, num_vectors, timeout, &nwrote, cancellable, error);
+  g_assert (G_TLS_CONNECTION_BASE_GET_CLASS (tls)->read_message_fn);
+  status = G_TLS_CONNECTION_BASE_GET_CLASS (tls)->
+    write_message_fn (tls, vectors, num_vectors, timeout, &nwrote, cancellable, error);
 
-    yield_op (tls, G_TLS_CONNECTION_BASE_OP_WRITE, status);
-  } while (status == G_TLS_CONNECTION_BASE_REHANDSHAKE);
+  yield_op (tls, G_TLS_CONNECTION_BASE_OP_WRITE, status);
 
   if (status == G_TLS_CONNECTION_BASE_OK)
     {
@@ -2650,19 +2577,6 @@ g_tls_connection_base_handshake_thread_request_certificate (GTlsConnectionBase *
   return res != G_TLS_INTERACTION_FAILED;
 }
 
-void
-g_tls_connection_base_handshake_thread_buffer_application_data (GTlsConnectionBase *tls,
-                                                                guint8             *data,
-                                                                gsize               length)
-{
-  GTlsConnectionBasePrivate *priv = g_tls_connection_base_get_instance_private (tls);
-
-  if (!priv->app_data_buf)
-    priv->app_data_buf = g_byte_array_new ();
-
-  g_byte_array_append (priv->app_data_buf, data, length);
-}
-
 static void
 g_tls_connection_base_class_init (GTlsConnectionBaseClass *klass)
 {
diff --git a/tls/base/gtlsconnection-base.h b/tls/base/gtlsconnection-base.h
index bacefab..36d6da5 100644
--- a/tls/base/gtlsconnection-base.h
+++ b/tls/base/gtlsconnection-base.h
@@ -36,7 +36,6 @@ typedef enum {
   G_TLS_CONNECTION_BASE_OK,
   G_TLS_CONNECTION_BASE_WOULD_BLOCK,
   G_TLS_CONNECTION_BASE_TIMED_OUT,
-  G_TLS_CONNECTION_BASE_REHANDSHAKE,
   G_TLS_CONNECTION_BASE_TRY_AGAIN,
   G_TLS_CONNECTION_BASE_ERROR,
 } GTlsConnectionBaseStatus;
@@ -192,9 +191,4 @@ gboolean                  g_tls_connection_base_ever_handshaked         (GTlsCon
 gboolean                  g_tls_connection_base_handshake_thread_request_certificate
                                                                         (GTlsConnectionBase  *tls);
 
-void                      g_tls_connection_base_handshake_thread_buffer_application_data
-                                                                        (GTlsConnectionBase *tls,
-                                                                         guint8             *data,
-                                                                         gsize               length);
-
 G_END_DECLS
diff --git a/tls/gnutls/gtlsconnection-gnutls.c b/tls/gnutls/gtlsconnection-gnutls.c
index 39cc7c5..7a40430 100644
--- a/tls/gnutls/gtlsconnection-gnutls.c
+++ b/tls/gnutls/gtlsconnection-gnutls.c
@@ -385,7 +385,28 @@ end_gnutls_io (GTlsConnectionGnutls  *gnutls,
     }
 
   if (ret == GNUTLS_E_REHANDSHAKE)
-    return G_TLS_CONNECTION_BASE_REHANDSHAKE;
+    {
+      if (G_IS_TLS_CLIENT_CONNECTION (tls))
+        {
+          /* Ignore server's request for rehandshake, because we no longer
+           * support obsolete TLS rehandshakes.
+           *
+           * TODO: Send GNUTLS_A_NO_RENEGOTIATION here once we support alerts.
+           */
+          return G_TLS_CONNECTION_BASE_OK;
+        }
+      else
+        {
+          /* Are you hitting this error? If so, we may need to restore support
+           * for obsolete TLS rehandshakes. The server cannot simply ignore
+           * a rehandshake request like clients can, so this is fatal.
+           */
+          g_clear_error (&my_error);
+          g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
+                               _("Client requested TLS rehandshake, which is no longer supported"));
+          return G_TLS_CONNECTION_BASE_ERROR;
+        }
+    }
 
   if (ret == GNUTLS_E_PREMATURE_TERMINATION)
     {
@@ -772,31 +793,6 @@ g_tls_connection_gnutls_handshake_thread_safe_renegotiation_status (GTlsConnecti
                                                           : G_TLS_SAFE_RENEGOTIATION_UNSUPPORTED;
 }
 
-static GTlsConnectionBaseStatus
-g_tls_connection_gnutls_handshake_thread_request_rehandshake (GTlsConnectionBase  *tls,
-                                                              gint64               timeout,
-                                                              GCancellable        *cancellable,
-                                                              GError             **error)
-{
-  GTlsConnectionGnutls *gnutls = G_TLS_CONNECTION_GNUTLS (tls);
-  GTlsConnectionGnutlsPrivate *priv = g_tls_connection_gnutls_get_instance_private (gnutls);
-  GTlsConnectionBaseStatus status;
-  int ret;
-
-  /* On a client-side connection, gnutls_handshake() itself will start
-   * a rehandshake, so we only need to do something special here for
-   * server-side connections.
-   */
-  if (!G_IS_TLS_SERVER_CONNECTION (tls))
-    return G_TLS_CONNECTION_BASE_OK;
-
-  BEGIN_GNUTLS_IO (gnutls, G_IO_IN | G_IO_OUT, timeout, cancellable);
-  ret = gnutls_rehandshake (priv->session);
-  END_GNUTLS_IO (gnutls, G_IO_IN | G_IO_OUT, ret, status, _("Error performing TLS handshake: %s"), error);
-
-  return status;
-}
-
 static GTlsCertificate *
 g_tls_connection_gnutls_retrieve_peer_certificate (GTlsConnectionBase *tls)
 {
@@ -882,18 +878,6 @@ g_tls_connection_gnutls_handshake_thread_handshake (GTlsConnectionBase  *tls,
 
   BEGIN_GNUTLS_IO (gnutls, G_IO_IN | G_IO_OUT, timeout, cancellable);
   ret = gnutls_handshake (priv->session);
-  if (ret == GNUTLS_E_GOT_APPLICATION_DATA)
-    {
-      guint8 buf[1024];
-
-      /* Got app data while waiting for rehandshake; buffer it and try again */
-      ret = gnutls_record_recv (priv->session, buf, sizeof (buf));
-      if (ret > -1)
-        {
-          g_tls_connection_base_handshake_thread_buffer_application_data (tls, buf, ret);
-          ret = GNUTLS_E_AGAIN;
-        }
-    }
   END_GNUTLS_IO (gnutls, G_IO_IN | G_IO_OUT, ret, status,
                  _("Error performing TLS handshake"), error);
 
@@ -1144,7 +1128,6 @@ g_tls_connection_gnutls_class_init (GTlsConnectionGnutlsClass *klass)
 
   base_class->prepare_handshake                          = g_tls_connection_gnutls_prepare_handshake;
   base_class->handshake_thread_safe_renegotiation_status = 
g_tls_connection_gnutls_handshake_thread_safe_renegotiation_status;
-  base_class->handshake_thread_request_rehandshake       = 
g_tls_connection_gnutls_handshake_thread_request_rehandshake;
   base_class->handshake_thread_handshake                 = 
g_tls_connection_gnutls_handshake_thread_handshake;
   base_class->retrieve_peer_certificate                  = g_tls_connection_gnutls_retrieve_peer_certificate;
   base_class->complete_handshake                         = g_tls_connection_gnutls_complete_handshake;
diff --git a/tls/openssl/gtlsconnection-openssl.c b/tls/openssl/gtlsconnection-openssl.c
index d751344..4c0a160 100644
--- a/tls/openssl/gtlsconnection-openssl.c
+++ b/tls/openssl/gtlsconnection-openssl.c
@@ -224,36 +224,6 @@ end_openssl_io (GTlsConnectionOpenssl  *openssl,
     status = end_openssl_io (openssl, direction, ret, timeout == -1, err, errmsg, error_str); \
   } while (status == G_TLS_CONNECTION_BASE_TRY_AGAIN);
 
-static GTlsConnectionBaseStatus
-g_tls_connection_openssl_handshake_thread_request_rehandshake (GTlsConnectionBase  *tls,
-                                                               gint64               timeout,
-                                                               GCancellable        *cancellable,
-                                                               GError             **error)
-{
-  GTlsConnectionOpenssl *openssl;
-  GTlsConnectionBaseStatus status;
-  SSL *ssl;
-  int ret;
-
-  /* On a client-side connection, SSL_renegotiate() itself will start
-   * a rehandshake, so we only need to do something special here for
-   * server-side connections.
-   */
-  if (!G_IS_TLS_SERVER_CONNECTION (tls))
-    return G_TLS_CONNECTION_BASE_OK;
-
-  openssl = G_TLS_CONNECTION_OPENSSL (tls);
-
-  ssl = g_tls_connection_openssl_get_ssl (openssl);
-
-  BEGIN_OPENSSL_IO (openssl, G_IO_IN | G_IO_OUT, timeout, cancellable);
-  ret = SSL_renegotiate (ssl);
-  END_OPENSSL_IO (openssl, G_IO_IN | G_IO_OUT, ret, timeout, status,
-                  _("Error performing TLS handshake"), error);
-
-  return status;
-}
-
 static GTlsCertificate *
 g_tls_connection_openssl_retrieve_peer_certificate (GTlsConnectionBase *tls)
 {
@@ -501,7 +471,6 @@ g_tls_connection_openssl_class_init (GTlsConnectionOpensslClass *klass)
   object_class->finalize                                 = g_tls_connection_openssl_finalize;
 
   base_class->handshake_thread_safe_renegotiation_status = 
g_tls_connection_openssl_handshake_thread_safe_renegotiation_status;
-  base_class->handshake_thread_request_rehandshake       = 
g_tls_connection_openssl_handshake_thread_request_rehandshake;
   base_class->handshake_thread_handshake                 = 
g_tls_connection_openssl_handshake_thread_handshake;
   base_class->retrieve_peer_certificate                  = 
g_tls_connection_openssl_retrieve_peer_certificate;
   base_class->push_io                                    = g_tls_connection_openssl_push_io;
diff --git a/tls/tests/connection.c b/tls/tests/connection.c
index b900062..1d3bbf7 100644
--- a/tls/tests/connection.c
+++ b/tls/tests/connection.c
@@ -82,7 +82,6 @@ typedef struct {
   GSocketConnectable *identity;
   GSocketAddress *address;
   GTlsAuthenticationMode auth_mode;
-  gboolean rehandshake;
   GTlsCertificateFlags accept_flags;
   GError *read_error;
   GError *server_error;
@@ -221,25 +220,6 @@ static void on_output_write_finish (GObject        *object,
                                     GAsyncResult   *res,
                                     gpointer        user_data);
 
-static void
-on_rehandshake_finish (GObject        *object,
-                       GAsyncResult   *res,
-                       gpointer        user_data)
-{
-  TestConnection *test = user_data;
-  GError *error = NULL;
-  GOutputStream *stream;
-
-  g_tls_connection_handshake_finish (G_TLS_CONNECTION (object), res, &error);
-  g_assert_no_error (error);
-
-  stream = g_io_stream_get_output_stream (test->server_connection);
-  g_output_stream_write_async (stream, TEST_DATA + TEST_DATA_LENGTH / 2,
-                               TEST_DATA_LENGTH / 2,
-                               G_PRIORITY_DEFAULT, NULL,
-                               on_output_write_finish, test);
-}
-
 static void
 on_server_close_finish (GObject        *object,
                         GAsyncResult   *res,
@@ -272,15 +252,6 @@ on_output_write_finish (GObject        *object,
   g_assert_no_error (test->server_error);
   g_output_stream_write_finish (G_OUTPUT_STREAM (object), res, &test->server_error);
 
-  if (!test->server_error && test->rehandshake)
-    {
-      test->rehandshake = FALSE;
-      g_tls_connection_handshake_async (G_TLS_CONNECTION (test->server_connection),
-                                        G_PRIORITY_DEFAULT, NULL,
-                                        on_rehandshake_finish, test);
-      return;
-    }
-
   if (test->connection_received_strategy == WRITE_THEN_CLOSE)
     close_server_connection (test);
 }
@@ -341,8 +312,8 @@ on_incoming_connection (GSocketService     *service,
   if (test->connection_received_strategy == WRITE_THEN_CLOSE ||
       test->connection_received_strategy == WRITE_THEN_WAIT)
     {
-      g_output_stream_write_async (stream, TEST_DATA,
-                                   test->rehandshake ? TEST_DATA_LENGTH / 2 : TEST_DATA_LENGTH,
+      g_output_stream_write_async (stream,
+                                   TEST_DATA, TEST_DATA_LENGTH,
                                    G_PRIORITY_DEFAULT, NULL,
                                    on_output_write_finish, test);
     }
@@ -440,13 +411,6 @@ run_echo_server (GThreadedSocketService *service,
           nwrote = g_output_stream_write (ostream, buf + total, nread - total, NULL, &error);
           g_assert_no_error (error);
         }
-
-      if (test->rehandshake)
-        {
-          test->rehandshake = FALSE;
-          g_tls_connection_handshake (tlsconn, NULL, &error);
-          g_assert_no_error (error);
-        }
     }
 
   g_io_stream_close (test->server_connection, NULL, &error);
@@ -1171,20 +1135,6 @@ test_client_auth_pkcs11_connection (TestConnection *test,
 }
 #endif
 
-static void
-test_client_auth_rehandshake (TestConnection *test,
-                              gconstpointer   data)
-{
-#ifdef BACKEND_IS_OPENSSL
-  /* FIXME: this doesn't make sense, we should support safe renegotation */
-  g_test_skip ("the server avoids rehandshake to avoid the security problem CVE-2009-3555");
-  return;
-#endif
-
-  test->rehandshake = TRUE;
-  test_client_auth_connection (test, data);
-}
-
 static void
 test_client_auth_failure (TestConnection *test,
                           gconstpointer   data)
@@ -1886,19 +1836,6 @@ test_simultaneous_async (TestConnection *test,
   g_assert_cmpstr (test->buf, ==, TEST_DATA);
 }
 
-static void
-test_simultaneous_async_rehandshake (TestConnection *test,
-                                     gconstpointer   data)
-{
-#ifdef BACKEND_IS_OPENSSL
-  g_test_skip ("this needs more research on openssl");
-  return;
-#endif
-
-  test->rehandshake = TRUE;
-  test_simultaneous_async (test, data);
-}
-
 static gpointer
 simul_read_thread (gpointer user_data)
 {
@@ -1985,19 +1922,6 @@ test_simultaneous_sync (TestConnection *test,
   g_assert_no_error (error);
 }
 
-static void
-test_simultaneous_sync_rehandshake (TestConnection *test,
-                                    gconstpointer   data)
-{
-#ifdef BACKEND_IS_OPENSSL
-  g_test_skip ("this needs more research on openssl");
-  return;
-#endif
-
-  test->rehandshake = TRUE;
-  test_simultaneous_sync (test, data);
-}
-
 static void
 test_close_immediately (TestConnection *test,
                         gconstpointer   data)
@@ -2611,8 +2535,6 @@ main (int   argc,
               setup_connection, test_invalid_chain_with_alternative_ca_cert, teardown_connection);
   g_test_add ("/tls/" BACKEND "/connection/client-auth", TestConnection, NULL,
               setup_connection, test_client_auth_connection, teardown_connection);
-  g_test_add ("/tls/" BACKEND "/connection/client-auth-rehandshake", TestConnection, NULL,
-              setup_connection, test_client_auth_rehandshake, teardown_connection);
   g_test_add ("/tls/" BACKEND "/connection/client-auth-failure", TestConnection, NULL,
               setup_connection, test_client_auth_failure, teardown_connection);
   g_test_add ("/tls/" BACKEND "/connection/client-auth-fail-missing-client-private-key", TestConnection, 
NULL,
@@ -2642,10 +2564,6 @@ main (int   argc,
               setup_connection, test_simultaneous_async, teardown_connection);
   g_test_add ("/tls/" BACKEND "/connection/simultaneous-sync", TestConnection, NULL,
               setup_connection, test_simultaneous_sync, teardown_connection);
-  g_test_add ("/tls/" BACKEND "/connection/simultaneous-async-rehandshake", TestConnection, NULL,
-              setup_connection, test_simultaneous_async_rehandshake, teardown_connection);
-  g_test_add ("/tls/" BACKEND "/connection/simultaneous-sync-rehandshake", TestConnection, NULL,
-              setup_connection, test_simultaneous_sync_rehandshake, teardown_connection);
   g_test_add ("/tls/" BACKEND "/connection/close-immediately", TestConnection, NULL,
               setup_connection, test_close_immediately, teardown_connection);
   g_test_add ("/tls/" BACKEND "/connection/unclean-close-by-server", TestConnection, NULL,
diff --git a/tls/tests/dtls-connection.c b/tls/tests/dtls-connection.c
index 99a7986..e814e25 100644
--- a/tls/tests/dtls-connection.c
+++ b/tls/tests/dtls-connection.c
@@ -83,7 +83,6 @@ typedef struct {
   GDatagramBased *client_connection;
   GSocketConnectable *identity;
   GSocketAddress *address;
-  gboolean rehandshake;
   GTlsCertificateFlags accept_flags;
   GError *read_error;
   gboolean expect_server_error;
@@ -221,100 +220,6 @@ on_accept_certificate (GTlsClientConnection *conn, GTlsCertificate *cert,
 static void close_server_connection (TestConnection *test,
                                      gboolean        graceful);
 
-static void
-on_rehandshake_finish (GObject        *object,
-                       GAsyncResult   *res,
-                       gpointer        user_data)
-{
-  TestConnection *test = user_data;
-  GError *error = NULL;
-  GOutputVector vectors[2] = {
-    { TEST_DATA + TEST_DATA_LENGTH / 2, TEST_DATA_LENGTH / 4 },
-    { TEST_DATA + 3 * TEST_DATA_LENGTH / 4, TEST_DATA_LENGTH / 4},
-  };
-  GOutputMessage message = { NULL, vectors, G_N_ELEMENTS (vectors), 0, NULL, 0 };
-  gint n_sent;
-
-  g_dtls_connection_handshake_finish (G_DTLS_CONNECTION (object), res, &error);
-  g_assert_no_error (error);
-
-  do
-    {
-      g_clear_error (&test->server_error);
-      n_sent = g_datagram_based_send_messages (test->server_connection,
-                                               &message, 1,
-                                               G_SOCKET_MSG_NONE, 0, NULL,
-                                               &test->server_error);
-      g_main_context_iteration (NULL, FALSE);
-    }
-  while (g_error_matches (test->server_error, G_IO_ERROR, G_IO_ERROR_WOULD_BLOCK));
-
-  if (!test->server_error)
-    {
-      g_assert_cmpint (n_sent, ==, 1);
-      g_assert_cmpuint (message.bytes_sent, ==, TEST_DATA_LENGTH / 2);
-    }
-
-  if (!test->server_error && test->rehandshake)
-    {
-      test->rehandshake = FALSE;
-      g_dtls_connection_handshake_async (G_DTLS_CONNECTION (test->server_connection),
-                                         G_PRIORITY_DEFAULT, NULL,
-                                         on_rehandshake_finish, test);
-      return;
-    }
-
-  if (test->test_data->server_should_close)
-    close_server_connection (test, TRUE);
-}
-
-static void
-on_rehandshake_finish_threaded (GObject      *object,
-                                GAsyncResult *res,
-                                gpointer      user_data)
-{
-  TestConnection *test = user_data;
-  GError *error = NULL;
-  GOutputVector vectors[2] = {
-    { TEST_DATA + TEST_DATA_LENGTH / 2, TEST_DATA_LENGTH / 4 },
-    { TEST_DATA + 3 * TEST_DATA_LENGTH / 4, TEST_DATA_LENGTH / 4},
-  };
-  GOutputMessage message = { NULL, vectors, G_N_ELEMENTS (vectors), 0, NULL, 0 };
-  gint n_sent;
-
-  g_dtls_connection_handshake_finish (G_DTLS_CONNECTION (object), res, &error);
-  g_assert_no_error (error);
-
-  do
-    {
-      g_clear_error (&test->server_error);
-      n_sent = g_datagram_based_send_messages (test->server_connection,
-                                               &message, 1,
-                                               G_SOCKET_MSG_NONE, 0, NULL,
-                                               &test->server_error);
-      g_main_context_iteration (NULL, FALSE);
-    }
-  while (g_error_matches (test->server_error, G_IO_ERROR, G_IO_ERROR_WOULD_BLOCK));
-
-  if (!test->server_error)
-    {
-      g_assert_cmpint (n_sent, ==, 1);
-      g_assert_cmpuint (message.bytes_sent, ==, TEST_DATA_LENGTH / 2);
-    }
-
-  if (!test->server_error && test->rehandshake)
-    {
-      test->rehandshake = FALSE;
-      g_dtls_connection_handshake_async (G_DTLS_CONNECTION (test->server_connection),
-                                         G_PRIORITY_DEFAULT, NULL,
-                                         on_rehandshake_finish_threaded, test);
-      return;
-    }
-
-  if (test->test_data->server_should_close)
-    close_server_connection (test, TRUE);
-}
-
 static void
 close_server_connection (TestConnection *test,
                          gboolean        graceful)
@@ -346,7 +251,7 @@ on_incoming_connection (GSocket       *socket,
   GError *error = NULL;
   GOutputVector vector = {
     TEST_DATA,
-    test->rehandshake ? TEST_DATA_LENGTH / 2 : TEST_DATA_LENGTH
+    TEST_DATA_LENGTH
   };
   GOutputMessage message = { NULL, &vector, 1, 0, NULL, 0 };
   gint n_sent;
@@ -427,15 +332,6 @@ on_incoming_connection (GSocket       *socket,
       g_assert_cmpuint (message.bytes_sent, ==, vector.size);
     }
 
-  if (!test->server_error && test->rehandshake)
-    {
-      test->rehandshake = FALSE;
-      g_dtls_connection_handshake_async (G_DTLS_CONNECTION (test->server_connection),
-                                         G_PRIORITY_DEFAULT, NULL,
-                                         on_rehandshake_finish, test);
-      return G_SOURCE_REMOVE;
-    }
-
   if (test->test_data->server_should_close)
     close_server_connection (test, TRUE);
 
@@ -452,7 +348,7 @@ on_incoming_connection_threaded (GSocket      *socket,
   GError *error = NULL;
   GOutputVector vector = {
     TEST_DATA,
-    test->rehandshake ? TEST_DATA_LENGTH / 2 : TEST_DATA_LENGTH
+    TEST_DATA_LENGTH
   };
   GOutputMessage message = { NULL, &vector, 1, 0, NULL, 0 };
   gint n_sent;
@@ -528,15 +424,6 @@ on_incoming_connection_threaded (GSocket      *socket,
       g_assert_cmpuint (message.bytes_sent, ==, vector.size);
     }
 
-  if (!test->server_error && test->rehandshake)
-    {
-      test->rehandshake = FALSE;
-      g_dtls_connection_handshake_async (G_DTLS_CONNECTION (test->server_connection),
-                                         G_PRIORITY_DEFAULT, NULL,
-                                         on_rehandshake_finish_threaded, test);
-      return G_SOURCE_REMOVE;
-    }
-
   if (test->test_data->server_should_close)
     close_server_connection (test, TRUE);
 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]