Cleanups required in TLS channel bindings implementation and tests
Hi @rufferson, since https://gitlab.com/gnutls/gnutls/-/merge_requests/1422 our channel binding tests are now failing. The problem is here:
```c
/* Smoke test: ensure both sides support tls-unique */
g_assert_true (g_tls_connection_get_channel_binding_data (G_TLS_CONNECTION (test->client_connection),
                                                          G_TLS_CHANNEL_BINDING_TLS_UNIQUE, NULL, NULL));
g_assert_true (g_tls_connection_get_channel_binding_data (G_TLS_CONNECTION (test->server_connection),
                                                          G_TLS_CHANNEL_BINDING_TLS_UNIQUE, NULL, NULL));
```
That now fails with `GNUTLS_E_INVALID_REQUEST`. It looks like you intentionally decided to do that since the tls-unique channel binding type is not defined for TLS 1.3.
Minor problems:
- Our tests don't distinguish between TLS 1.3 and TLS 1.2.
- The OpenSSL backend seems to handle tls-unique just fine with TLS 1.3. I guess this is OK?
My temptation is to just remove the tls-unique test, or rewrite it such that it's allowed to fail. Thoughts?
Edited by Michael Catanzaro