 
    Run GnuTLS connection tests with TLS 1.3 disabled · c77391f2
    Michael Catanzaro authored
    Some tests have regressed with TLS 1.2, but I didn't notice because we
    are currently not testing it anywhere. Run all the tests with TLS 1.2
    as well as TLS 1.3.
    
    This is currently expected to fail due to #84 and #88.
    c77391f2
    gnutls: don't call failed() when rehandshaking · 1fbc74fb
    Michael Catanzaro authored
    A rehandshake is not a real failure and should not result in the session
    being removed from the session cache. This is causing the client to fail
    to resume the session, causing the server to request the client cert
    again for rehandshakes, which is undesirable.
    
    When refactoring this code, I wasn't sure exactly where failed() should
    be called. I noticed it was not being called in many places where it
    really should have been, and overcorrected.
    
    Note that this also moves failed() to be a vfunc of GTlsConnectionGnutls
    instead of GTlsConnectionBase, since it's no longer called from Base and
    OpenSSL doesn't implement it anywhere.
    
    Fixes #84
    1fbc74fb
......@@ -709,10 +709,10 @@ g_tls_connection_base_real_pop_io (GTlsConnectionBase *tls,
GError **error)
{
GTlsConnectionBasePrivate *priv = g_tls_connection_base_get_instance_private (tls);
GTlsConnectionBaseClass *tls_class = G_TLS_CONNECTION_BASE_GET_CLASS (tls);
GError *my_error = NULL;
/* This function MAY or MAY NOT set error when it fails! */
if (direction & G_IO_IN)
{
priv->read_cancellable = NULL;
......@@ -752,9 +752,6 @@ g_tls_connection_base_real_pop_io (GTlsConnectionBase *tls,
else if (my_error)
g_propagate_error (error, my_error);
if (tls_class->failed)
tls_class->failed (tls);
return G_TLS_CONNECTION_BASE_ERROR;
}
......
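Review bot: With the `tls_class->failed` call removed from the second hunk, the `tls_class` local declared in the first hunk (`GTlsConnectionBaseClass *tls_class = G_TLS_CONNECTION_BASE_GET_CLASS (tls);`) may no longer be read anywhere in g_tls_connection_base_real_pop_io, which would produce an -Wunused-variable warning; the rest of the body is outside these hunks, so please check and drop the declaration if nothing else uses it. After this change the base class no longer tells any backend that an operation failed, and the GnuTLS backend takes that over inside END_GNUTLS_IO while OpenSSL gets no notification at all; a one-line comment next to `return G_TLS_CONNECTION_BASE_ERROR;` such as `/* Session-cache cleanup on failure is the backend's job (see END_GNUTLS_IO). */` would save the next reader from looking for the missing call. The function starts before the first hunk and its earlier branches are not visible here.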
......@@ -84,8 +84,6 @@ struct _GTlsConnectionBaseClass
gboolean success,
GError **error);
void (*failed) (GTlsConnectionBase *tls);
GTlsConnectionBaseStatus (*read_fn) (GTlsConnectionBase *tls,
void *buffer,
gsize count,
......
......@@ -397,9 +397,9 @@ g_tls_client_connection_gnutls_clear_session_data (GTlsClientConnectionGnutls *g
}
static void
g_tls_client_connection_gnutls_failed (GTlsConnectionBase *tls)
g_tls_client_connection_gnutls_failed (GTlsConnectionGnutls *gnutls)
{
g_tls_client_connection_gnutls_clear_session_data (G_TLS_CLIENT_CONNECTION_GNUTLS (tls));
g_tls_client_connection_gnutls_clear_session_data (G_TLS_CLIENT_CONNECTION_GNUTLS (gnutls));
}
static void
......@@ -494,6 +494,7 @@ g_tls_client_connection_gnutls_class_init (GTlsClientConnectionGnutlsClass *klas
{
GObjectClass *gobject_class = G_OBJECT_CLASS (klass);
GTlsConnectionBaseClass *base_class = G_TLS_CONNECTION_BASE_CLASS (klass);
GTlsConnectionGnutlsClass *gnutls_class = G_TLS_CONNECTION_GNUTLS_CLASS (klass);
gobject_class->get_property = g_tls_client_connection_gnutls_get_property;
gobject_class->set_property = g_tls_client_connection_gnutls_set_property;
......@@ -501,7 +502,8 @@ g_tls_client_connection_gnutls_class_init (GTlsClientConnectionGnutlsClass *klas
base_class->prepare_handshake = g_tls_client_connection_gnutls_prepare_handshake;
base_class->complete_handshake = g_tls_client_connection_gnutls_complete_handshake;
base_class->failed = g_tls_client_connection_gnutls_failed;
gnutls_class->failed = g_tls_client_connection_gnutls_failed;
g_object_class_override_property (gobject_class, PROP_VALIDATION_FLAGS, "validation-flags");
g_object_class_override_property (gobject_class, PROP_SERVER_IDENTITY, "server-identity");
......
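Review bot: g_tls_client_connection_gnutls_failed carries no comment saying when it runs or why it discards session data, and now that it is the GTlsConnectionGnutls `failed` vfunc invoked from END_GNUTLS_IO on every G_TLS_CONNECTION_BASE_ERROR, that context matters; a line above it like `/* GTlsConnectionGnutls.failed vfunc: forget cached session data so a session that failed is never resumed. */` would document the contract. The same applies to g_tls_server_connection_gnutls_failed in gtlsserverconnection-gnutls.c, which removes the session from the GnuTLS session db. The parameter rename to `gnutls` matches the implementations, but the prototype added to gtlsconnection-gnutls.h names it `tls`; using one name in all three places avoids a needless mismatch.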
......@@ -466,9 +466,12 @@ end_gnutls_io (GTlsConnectionGnutls *gnutls,
direction, timeout, cancellable); \
do {
#define END_GNUTLS_IO(gnutls, direction, ret, status, errmsg, err) \
status = end_gnutls_io (gnutls, direction, ret, err, errmsg); \
} while (status == G_TLS_CONNECTION_BASE_TRY_AGAIN);
#define END_GNUTLS_IO(gnutls, direction, ret, status, errmsg, err) \
status = end_gnutls_io (gnutls, direction, ret, err, errmsg); \
} while (status == G_TLS_CONNECTION_BASE_TRY_AGAIN); \
\
if (status == G_TLS_CONNECTION_BASE_ERROR) \
G_TLS_CONNECTION_GNUTLS_GET_CLASS (gnutls)->failed (gnutls);
static void
set_gnutls_error (GTlsConnectionGnutls *gnutls,
......
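Review bot: The new tail of END_GNUTLS_IO calls `G_TLS_CONNECTION_GNUTLS_GET_CLASS (gnutls)->failed (gnutls)` without checking that the vfunc is set, whereas the base-class call this commit removes was guarded by `if (tls_class->failed)`; a GTlsConnectionGnutls subclass that does not fill in `failed` would dereference NULL on its first I/O error. Restoring the guard is a one-line change: `if (status == G_TLS_CONNECTION_BASE_ERROR && G_TLS_CONNECTION_GNUTLS_GET_CLASS (gnutls)->failed) G_TLS_CONNECTION_GNUTLS_GET_CLASS (gnutls)->failed (gnutls);`. Note also that `failed` now fires for every status of G_TLS_CONNECTION_BASE_ERROR, so if end_gnutls_io maps cancellation or a closed stream to that status (its body is not in this hunk), those cases will evict the session from the cache as well; whether that is intended is worth confirming and recording in a comment on the macro.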
......@@ -40,6 +40,8 @@ G_DECLARE_DERIVABLE_TYPE (GTlsConnectionGnutls, g_tls_connection_gnutls, G, TLS_
struct _GTlsConnectionGnutlsClass
{
GTlsConnectionBaseClass parent_class;
void (*failed) (GTlsConnectionGnutls *tls);
};
gnutls_certificate_credentials_t g_tls_connection_gnutls_get_credentials (GTlsConnectionGnutls *connection);
......
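Review bot: The `failed` vfunc added to GTlsConnectionGnutlsClass has no documentation of when it is called, what an implementation must do, or whether it may be left NULL, and the caller in gtlsconnection-gnutls.c invokes it unconditionally. A comment above the field would pin the contract: `/* Called by END_GNUTLS_IO after an operation returns G_TLS_CONNECTION_BASE_ERROR; implementations must drop cached session state so the failed session is not resumed. Must be set by every concrete subclass. */`. The parameter is named `tls` here but `gnutls` in both the client and server implementations; naming it `gnutls` in the prototype keeps them consistent.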
......@@ -204,9 +204,9 @@ g_tls_server_connection_gnutls_retrieve_function (gnutls_session_t
}
static void
g_tls_server_connection_gnutls_failed (GTlsConnectionBase *tls)
g_tls_server_connection_gnutls_failed (GTlsConnectionGnutls *gnutls)
{
gnutls_db_remove_session (g_tls_connection_gnutls_get_session (G_TLS_CONNECTION_GNUTLS (tls)));
gnutls_db_remove_session (g_tls_connection_gnutls_get_session (gnutls));
}
static void
......@@ -238,7 +238,6 @@ g_tls_server_connection_gnutls_prepare_handshake (GTlsConnectionBase *tls,
}
/* Session cache management */
static int
g_tls_server_connection_gnutls_db_store (void *user_data,
gnutls_datum_t key,
......@@ -300,13 +299,15 @@ g_tls_server_connection_gnutls_class_init (GTlsServerConnectionGnutlsClass *klas
{
GObjectClass *gobject_class = G_OBJECT_CLASS (klass);
GTlsConnectionBaseClass *base_class = G_TLS_CONNECTION_BASE_CLASS (klass);
GTlsConnectionGnutlsClass *gnutls_class = G_TLS_CONNECTION_GNUTLS_CLASS (klass);
gobject_class->finalize = g_tls_server_connection_gnutls_finalize;
gobject_class->get_property = g_tls_server_connection_gnutls_get_property;
gobject_class->set_property = g_tls_server_connection_gnutls_set_property;
base_class->prepare_handshake = g_tls_server_connection_gnutls_prepare_handshake;
base_class->failed = g_tls_server_connection_gnutls_failed;
gnutls_class->failed = g_tls_server_connection_gnutls_failed;
g_object_class_override_property (gobject_class, PROP_AUTHENTICATION_MODE, "authentication-mode");
}
......
......@@ -74,6 +74,13 @@ foreach backend: backends
if backend != 'openssl'
test(program_name, exe, env: test_envs)
endif
# GnuTLS tests are run twice: once with TLS 1.3, then once again with
# TLS 1.2. (Assuming GnuTLS supports TLS 1.3.)
if backend == 'gnutls' and program_name.contains('connection')
test_envs += ['G_TLS_GNUTLS_PRIORITY=NORMAL:%COMPAT:-VERS-TLS1.3']
test(program_name + '-tls1.2', exe, env: test_envs)
endif
endif
endforeach
endforeach
......
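Review bot: `test_envs += ['G_TLS_GNUTLS_PRIORITY=NORMAL:%COMPAT:-VERS-TLS1.3']` mutates `test_envs` in place, so unless it is rebuilt at the top of every iteration (its initialisation is outside this hunk), every later program in this `foreach` and every later backend will also run with TLS 1.3 disabled, including the runs that are meant to exercise TLS 1.3. A local copy keeps the override scoped to the extra test: `tls12_envs = test_envs + ['G_TLS_GNUTLS_PRIORITY=NORMAL:%COMPAT:-VERS-TLS1.3']` followed by `test(program_name + '-tls1.2', exe, env: tls12_envs)`. If `test_envs` is already reset per iteration this is harmless, but the copy makes that independence explicit.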