From 5b1dfa43c3dbc97e04d2fd0ce60f897d95a587ca Mon Sep 17 00:00:00 2001
From: Michael Catanzaro
Date: Tue, 22 Jun 2021 20:15:32 -0500
Subject: [PATCH] Allow tls-unique channel binding test to fail

The tls-unique channel binding type is not supported under TLS 1.3. Since GnuTLS 3.7.2, this now fails differently than before. Previously, the call to g_tls_connection_get_channel_binding_data() would succeed but return no data. That was a bug. Now it fails, as expected. Since our tests are not supposed to have different behavior depending on TLS backend or TLS version, let's just rewrite this test to allow tls-unique to fail.

Fixes #164
---
 tls/tests/connection.c | 63 ++++++++++++++++++++++++++------------------
 1 file changed, 33 insertions(+), 30 deletions(-)

diff --git a/tls/tests/connection.c b/tls/tests/connection.c
index 475285d..b0dd9d8 100644
--- a/tls/tests/connection.c
+++ b/tls/tests/connection.c
@@ -2562,6 +2562,8 @@ test_connection_binding_match_tls_unique (TestConnection *test,
   GIOStream *connection;
   GByteArray *client_cb, *server_cb;
   gchar *client_b64, *server_b64;
+  gboolean client_supports_tls_unique;
+  gboolean server_supports_tls_unique;
   GError *error = NULL;
 
   test->database = g_tls_file_database_new (tls_test_file_path ("ca-roots.pem"), &error);
@@ -2590,38 +2592,39 @@ test_connection_binding_match_tls_unique (TestConnection *test,
   read_test_data_async (test);
   g_main_loop_run (test->loop);
 
-  /* Smoke test: ensure both sides support tls-unique */
-  g_assert_true (g_tls_connection_get_channel_binding_data (G_TLS_CONNECTION (test->client_connection),
-                                                            G_TLS_CHANNEL_BINDING_TLS_UNIQUE, NULL, NULL));
-  g_assert_true (g_tls_connection_get_channel_binding_data (G_TLS_CONNECTION (test->server_connection),
-                                                            G_TLS_CHANNEL_BINDING_TLS_UNIQUE, NULL, NULL));
+  /* tls-unique is supported by the OpenSSL backend always. It's supported by
+   * the GnuTLS backend only with TLS 1.2 or older. Since the test needs to be
+   * independent of backend and TLS version, this is allowed to fail....
+   */
+  client_supports_tls_unique = g_tls_connection_get_channel_binding_data (G_TLS_CONNECTION (test->client_connection),
+                                                                          G_TLS_CHANNEL_BINDING_TLS_UNIQUE, NULL, NULL);
+  server_supports_tls_unique = g_tls_connection_get_channel_binding_data (G_TLS_CONNECTION (test->server_connection),
+                                                                          G_TLS_CHANNEL_BINDING_TLS_UNIQUE, NULL, NULL);
+  g_assert_cmpint (client_supports_tls_unique, ==, server_supports_tls_unique);
 
   /* Real test: retrieve bindings and compare */
-  client_cb = g_byte_array_new ();
-  server_cb = g_byte_array_new ();
-  g_assert_true (g_tls_connection_get_channel_binding_data (G_TLS_CONNECTION (test->client_connection),
-                                                            G_TLS_CHANNEL_BINDING_TLS_UNIQUE, client_cb, NULL));
-  g_assert_true (g_tls_connection_get_channel_binding_data (G_TLS_CONNECTION (test->server_connection),
-                                                            G_TLS_CHANNEL_BINDING_TLS_UNIQUE, server_cb, NULL));
-
-#ifdef BACKEND_IS_OPENSSL
-  g_assert_cmpint (client_cb->len, >, 0);
-  g_assert_cmpint (server_cb->len, >, 0);
-#else
-  /* GnuTLS returns empty binding for TLS1.3, let's pretend it didn't happen
-   * see https://gitlab.com/gnutls/gnutls/-/issues/1041 */
-  if (client_cb->len == 0 && server_cb->len == 0)
-    g_test_skip ("GnuTLS missing support for tls-unique over TLS1.3");
-#endif
-
-  client_b64 = g_base64_encode (client_cb->data, client_cb->len);
-  server_b64 = g_base64_encode (server_cb->data, server_cb->len);
-  g_assert_cmpstr (client_b64, ==, server_b64);
-
-  g_free (client_b64);
-  g_free (server_b64);
-  g_byte_array_unref (client_cb);
-  g_byte_array_unref (server_cb);
+  if (client_supports_tls_unique)
+    {
+      client_cb = g_byte_array_new ();
+      server_cb = g_byte_array_new ();
+      g_assert_true (g_tls_connection_get_channel_binding_data (G_TLS_CONNECTION (test->client_connection),
+                                                                G_TLS_CHANNEL_BINDING_TLS_UNIQUE, client_cb, NULL));
+      g_assert_true (g_tls_connection_get_channel_binding_data (G_TLS_CONNECTION (test->server_connection),
+                                                                G_TLS_CHANNEL_BINDING_TLS_UNIQUE, server_cb, NULL));
+      g_assert_cmpint (client_cb->len, >, 0);
+      g_assert_cmpint (server_cb->len, >, 0);
+
+      client_b64 = g_base64_encode (client_cb->data, client_cb->len);
+      server_b64 = g_base64_encode (server_cb->data, server_cb->len);
+      g_assert_cmpstr (client_b64, ==, server_b64);
+
+      g_free (client_b64);
+      g_free (server_b64);
+      g_byte_array_unref (client_cb);
+      g_byte_array_unref (server_cb);
+    }
+  else
+    g_test_skip ("tls-unique is not supported");
 
   /* drop the mic */
   close_server_connection (test);
-- 
1.8.3.1
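Review bot: The `else` branch at the end of the hunk turns every failure of the probe calls into a skip, because both `g_tls_connection_get_channel_binding_data ()` probes pass `NULL` for the GError, so a backend regression that fails for any reason other than "tls-unique not supported" would now be reported as a skipped test instead of a failing one, whereas the removed code at least asserted the call succeeded. I would pass `&error` (the `error` local declared in the first hunk, presumably NULL again by this point) into the client-side probe and, before skipping, assert the error is in the channel-binding domain and put its message into the skip reason. This assumes the GnuTLS backend reports the TLS 1.3 case through G_TLS_CHANNEL_BINDING_ERROR, which the commit message implies but the hunk does not show. The new comment's trailing `fail....` also reads as unfinished; `allowed to fail.` would do. test_connection_binding_match_tls_unique starts before this hunk and continues past it.
```c
  client_supports_tls_unique = g_tls_connection_get_channel_binding_data (G_TLS_CONNECTION (test->client_connection),
                                                                          G_TLS_CHANNEL_BINDING_TLS_UNIQUE, NULL, &error);
  /* … unchanged: server probe, equality assert, supported branch … */
  else
    {
      /* Only an error from the channel-binding domain may become a skip;
       * anything else is a backend bug and must fail the test. */
      g_assert_nonnull (error);
      g_assert_true (error->domain == G_TLS_CHANNEL_BINDING_ERROR);
      g_test_skip (error->message);
      g_clear_error (&error);
    }
```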