Merge branch 'tmp-constate-fix' into 'master'

Fix re-handshake failure when interrupted by application data

Closes #426

See merge request gnutls/gnutls!620

30 files changed, 381 insertions, 393 deletions

diff --git a/lib/constate.c b/lib/constate.c
index bdafe91b5f..62a1239718 100644
--- a/lib/constate.c
+++ b/lib/constate.c
@@ -546,7 +546,7 @@ int _gnutls_epoch_dup(gnutls_session_t session)
 
 	ret = _gnutls_epoch_get(session, EPOCH_NEXT, &next);
 	if (ret < 0) {
-		ret = _gnutls_epoch_new(session, 0, &next);
+		ret = _gnutls_epoch_setup_next(session, 0, &next);
 		if (ret < 0)
 			return gnutls_assert_val(ret);
 	}
@@ -817,22 +817,33 @@ _gnutls_epoch_get(gnutls_session_t session, unsigned int epoch_rel,
 	return 0;
 }
 
+/* Ensures that the next epoch is setup. When an epoch will null ciphers
+ * is to be setup, call with @null_epoch set to true. In that case
+ * the epoch is fully initialized after call.
+ */
 int
-_gnutls_epoch_new(gnutls_session_t session, unsigned null_epoch, record_parameters_st **newp)
+_gnutls_epoch_setup_next(gnutls_session_t session, unsigned null_epoch, record_parameters_st **newp)
 {
 	record_parameters_st **slot;
 
-	_gnutls_record_log("REC[%p]: Allocating epoch #%u\n", session,
-			   session->security_parameters.epoch_next);
-
 	slot = epoch_get_slot(session, session->security_parameters.epoch_next);
 
 	/* If slot out of range or not empty. */
 	if (slot == NULL)
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
-	if (*slot != NULL)
-		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+	if (*slot != NULL) { /* already initialized */
+		if (unlikely(null_epoch && !(*slot)->initialized))
+			return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+
+		if (unlikely((*slot)->epoch != session->security_parameters.epoch_next))
+			return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+
+		goto finish;
+	}
+
+	_gnutls_record_log("REC[%p]: Allocating epoch #%u\n", session,
+			   session->security_parameters.epoch_next);
 
 	*slot = gnutls_calloc(1, sizeof(record_parameters_st));
 	if (*slot == NULL)
@@ -854,6 +865,7 @@ _gnutls_epoch_new(gnutls_session_t session, unsigned null_epoch, record_paramete
 				     UINT64DATA((*slot)->write.
 						sequence_number));
 
+ finish:
 	if (newp != NULL)
 		*newp = *slot;
 
diff --git a/lib/constate.h b/lib/constate.h
index 934cd3bba5..1d62edccfa 100644
--- a/lib/constate.h
+++ b/lib/constate.h
@@ -38,7 +38,7 @@ int _gnutls_epoch_dup(gnutls_session_t session);
 
 int _gnutls_epoch_get(gnutls_session_t session, unsigned int epoch_rel,
 		      record_parameters_st ** params_out);
-int _gnutls_epoch_new(gnutls_session_t session, unsigned null_epoch, record_parameters_st **newp);
+int _gnutls_epoch_setup_next(gnutls_session_t session, unsigned null_epoch, record_parameters_st **newp);
 void _gnutls_epoch_gc(gnutls_session_t session);
 void _gnutls_epoch_free(gnutls_session_t session,
 			record_parameters_st * state);
diff --git a/lib/handshake.c b/lib/handshake.c
index baae557c63..a530fb9a8c 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -2531,7 +2531,7 @@ int gnutls_handshake(gnutls_session_t session)
 			return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
 
 		ret =
-		    _gnutls_epoch_new(session, 0, NULL);
+		    _gnutls_epoch_setup_next(session, 0, NULL);
 		if (ret < 0)
 			return gnutls_assert_val(ret);
 
diff --git a/lib/state.c b/lib/state.c
index 1062c446bf..a669cf3d6c 100644
--- a/lib/state.c
+++ b/lib/state.c
@@ -299,7 +299,7 @@ int gnutls_init(gnutls_session_t * session, unsigned int flags)
 	if (*session == NULL)
 		return GNUTLS_E_MEMORY_ERROR;
 
-	ret = _gnutls_epoch_new(*session, 1, NULL);
+	ret = _gnutls_epoch_setup_next(*session, 1, NULL);
 	if (ret < 0) {
 		gnutls_free(*session);
 		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 2536d3b8f1..88f56455c8 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -32,7 +32,7 @@ SUBDIRS += suite
 endif
 
 EXTRA_DIST = suppressions.valgrind eagain-common.h cert-common.h test-chains.h \
-	ocsp-common.h \
+	ocsp-common.h cmocka-common.h \
 	certs/ca-cert-ecc.pem  certs/cert-ecc256.pem  certs/cert-ecc521.pem \
 	certs/cert-rsa-2432.pem certs/ecc384.pem certs/ecc.pem hex.h \
 	certs/ca-ecc.pem certs/cert-ecc384.pem certs/cert-ecc.pem certs/ecc256.pem \
@@ -130,9 +130,9 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
 	 crq_key_id x509sign-verify sign-verify cve-2009-1415 cve-2009-1416		\
 	 tls10-server-kx-neg tls11-server-kx-neg tls12-server-kx-neg ssl30-server-kx-neg \
 	 tls12-cipher-neg tls11-cipher-neg tls10-cipher-neg ssl30-cipher-neg \
-	 crq_apis init_roundtrip pkcs12_s2k_pem dn2 mini-eagain	tls12-rehandshake-cert-3 \
+	 crq_apis init_roundtrip pkcs12_s2k_pem dn2 tls12-rehandshake-cert-3 \
 	 nul-in-x509-names x509_altname pkcs12_encode mini-x509	\
-	 tls12-rehandshake-cert rng-fork mini-eagain-dtls resume-dtls \
+	 rng-fork mini-eagain-dtls resume-dtls \
 	 tls13-rehandshake-cert gnutls_ext_raw_parse \
 	 x509cert x509cert-tl infoaccess mini-dtls-hello-verify sign-verify-ed25519-rfc8080 \
 	 trustdb-tofu dtls-rehandshake-anon mini-alpn mini-dtls-large \
@@ -201,7 +201,7 @@ endif
 if HAVE_CMOCKA
 CMOCKA_LDADD = $(COMMON_LDADD) $(CMOCKA_LIBS)
 ctests += dtls-sliding-window ip-utils name-constraints-ip conv-utf8 str-unicode str-idna \
-	tls10-prf tls12-prf gnutls_record_overhead
+	tls10-prf tls12-prf gnutls_record_overhead eagain tls12-rehandshake-cert
 
 gnutls_record_overhead_LDADD = $(CMOCKA_LDADD)
 dtls_sliding_window_LDADD = $(CMOCKA_LDADD)
@@ -212,6 +212,8 @@ str_unicode_LDADD = $(CMOCKA_LDADD)
 str_idna_LDADD = $(CMOCKA_LDADD)
 tls10_prf_LDADD = $(CMOCKA_LDADD)
 tls12_prf_LDADD = $(CMOCKA_LDADD)
+eagain_LDADD = $(CMOCKA_LDADD)
+tls12_rehandshake_cert_LDADD = $(CMOCKA_LDADD)
 
 gnutls_record_overhead_CPPFLAGS = $(AM_CPPFLAGS) \
 	-I$(top_srcdir)/gl	\
diff --git a/tests/auto-verify.c b/tests/auto-verify.c
index 404a1ea9eb..34cae5ccd2 100644
--- a/tests/auto-verify.c
+++ b/tests/auto-verify.c
@@ -183,7 +183,6 @@ const gnutls_datum_t server_key = { server_key_pem,
 static
 void test_failure(const char *name, const char *prio)
 {
-	int exit_code = EXIT_SUCCESS;
 	int ret;
 	/* Server stuff. */
 	gnutls_certificate_credentials_t serverx509cred;
@@ -298,19 +297,11 @@ void test_failure(const char *name, const char *prio)
 
 	gnutls_certificate_free_credentials(serverx509cred);
 	gnutls_certificate_free_credentials(clientx509cred);
-
-	if (debug > 0) {
-		if (exit_code == 0)
-			fprintf(stderr, "%s: Self-test successful", __func__);
-		else
-			fprintf(stderr, "%s: Self-test failed", __func__);
-	}
 }
 
 static
 void test_success1(const char *name, const char *prio)
 {
-	int exit_code = EXIT_SUCCESS;
 	int ret;
 	/* Server stuff. */
 	gnutls_certificate_credentials_t serverx509cred;
@@ -425,19 +416,11 @@ void test_success1(const char *name, const char *prio)
 
 	gnutls_certificate_free_credentials(serverx509cred);
 	gnutls_certificate_free_credentials(clientx509cred);
-
-	if (debug > 0) {
-		if (exit_code == 0)
-			fprintf(stderr, "%s: Self-test successful", __func__);
-		else
-			fprintf(stderr, "%s: Self-test failed", __func__);
-	}
 }
 
 static
 void test_success2(const char *name, const char *prio)
 {
-	int exit_code = EXIT_SUCCESS;
 	int ret;
 	/* Server stuff. */
 	gnutls_certificate_credentials_t serverx509cred;
@@ -542,13 +525,6 @@ void test_success2(const char *name, const char *prio)
 
 	gnutls_certificate_free_credentials(serverx509cred);
 	gnutls_certificate_free_credentials(clientx509cred);
-
-	if (debug > 0) {
-		if (exit_code == 0)
-			fprintf(stderr, "%s: Self-test successful", __func__);
-		else
-			fprintf(stderr, "%s: Self-test failed", __func__);
-	}
 }
 
 void doit(void)
diff --git a/tests/cmocka-common.h b/tests/cmocka-common.h
new file mode 100644
index 0000000000..2ac0dfbf9c
--- /dev/null
+++ b/tests/cmocka-common.h
@@ -0,0 +1,7 @@
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+#include <errno.h>
+
+#define USE_CMOCKA
+#include "eagain-common.h"
diff --git a/tests/eagain-common.h b/tests/eagain-common.h
index 80a1fda2ff..19084050b7 100644
--- a/tests/eagain-common.h
+++ b/tests/eagain-common.h
@@ -1,22 +1,36 @@
 #include <errno.h>
+#include <time.h>
+#include <stdio.h>
 
 #define min(x,y) ((x)<(y)?(x):(y))
 
 extern const char *side;
 
+#ifdef USE_CMOCKA
+# define failure() fail()
+# define client_transfer_failure(r) {fprintf(stderr, "client transfer failure: %s\n", gnutls_strerror(r)); fail();}
+# define server_transfer_failure(r) {fprintf(stderr, "server transfer failure: %s\n", gnutls_strerror(r)); fail();}
+# define switch_side(str)
+#else
+# define failure() fail("Handshake failed\n")
+# define client_transfer_failure(r) fail("client transfer failure: %s\n", gnutls_strerror(r))
+# define server_transfer_failure(r) fail("client transfer failure: %s\n", gnutls_strerror(r))
+# define switch_side(str) side = str
+#endif
+
 #define HANDSHAKE_EXPECT(c, s, clierr, serverr) \
   sret = cret = GNUTLS_E_AGAIN; \
   do \
     { \
       if (cret == GNUTLS_E_AGAIN) \
 	{ \
-	  side = "client"; \
+	  switch_side("client"); \
 	  cret = gnutls_handshake (c); \
 	  if (cret == GNUTLS_E_INTERRUPTED) cret = GNUTLS_E_AGAIN; \
 	} \
       if (sret == GNUTLS_E_AGAIN) \
 	{ \
-	  side = "server"; \
+	  switch_side("server"); \
 	  sret = gnutls_handshake (s); \
 	  if (sret == GNUTLS_E_INTERRUPTED) sret = GNUTLS_E_AGAIN; \
 	} \
@@ -26,8 +40,7 @@ extern const char *side;
     { \
       fprintf(stderr, "client[%d]: %s\n", cret, gnutls_strerror(cret)); \
       fprintf(stderr, "server[%d]: %s\n", sret, gnutls_strerror(sret)); \
-      fail("Handshake failed\n"); \
-      exit(1); \
+      failure(); \
     }
 
 #define HANDSHAKE(c, s) \
@@ -44,7 +57,7 @@ extern const char *side;
 	} \
       if (cret < 0 && gnutls_error_is_fatal(cret) == 0) \
 	{ \
-	  side = "client"; \
+	  switch_side("client"); \
 	  cret = gnutls_handshake (c); \
 	} \
       if (sret == GNUTLS_E_LARGE_PACKET) \
@@ -54,7 +67,7 @@ extern const char *side;
 	} \
       if (sret < 0 && gnutls_error_is_fatal(sret) == 0) \
 	{ \
-	  side = "server"; \
+	  switch_side("server"); \
 	  sret = gnutls_handshake (s); \
 	} \
     } \
@@ -63,8 +76,7 @@ extern const char *side;
     { \
       fprintf(stderr, "client: %s\n", gnutls_strerror(cret)); \
       fprintf(stderr, "server: %s\n", gnutls_strerror(sret)); \
-      fail("%s:%d: Handshake failed\n", __func__, __LINE__); \
-      exit(1); \
+      failure(); \
     }
 
 #define HANDSHAKE_DTLS(c, s) \
@@ -75,61 +87,51 @@ extern const char *side;
 
 #define TRANSFER2(c, s, msg, msglen, buf, buflen, retry_send_with_null) { \
   int _ret; \
-  side = "client"; \
+  switch_side("client"); \
   _ret = record_send_loop (c, msg, msglen, retry_send_with_null); \
   \
-  if (_ret < 0) fail ("client send error: %s\n", gnutls_strerror (_ret)); \
+  if (_ret < 0) client_transfer_failure(_ret); \
   \
   do \
     { \
       do \
 	{ \
-	  side = "server"; \
+	  switch_side("server"); \
 	  _ret = gnutls_record_recv (s, buf, buflen); \
 	} \
       while(_ret == GNUTLS_E_AGAIN); \
-      if (_ret == 0) \
-	fail ("server: didn't receive any data\n"); \
-      else if (_ret < 0) \
+      if (_ret <= 0) \
 	{ \
-	  fail ("server: error: %s\n", gnutls_strerror (_ret)); \
+	  server_transfer_failure(_ret); \
 	} \
       else \
 	{ \
 	  transferred += _ret; \
 	} \
-      side = "server"; \
+      switch_side("server"); \
       _ret = record_send_loop (server, msg, msglen, retry_send_with_null); \
-      if (_ret < 0) fail ("server send error: %s\n", gnutls_strerror (_ret)); \
+      if (_ret < 0) server_transfer_failure(_ret); \
       do \
 	{ \
-	  side = "client"; \
+	  switch_side("client"); \
 	  _ret = gnutls_record_recv (client, buf, buflen); \
 	} \
       while(_ret == GNUTLS_E_AGAIN); \
-      if (_ret == 0) \
+      if (_ret <= 0) \
 	{ \
-	  fail ("client: Peer has closed the TLS connection\n"); \
-	} \
-      else if (_ret < 0) \
-	{ \
-	  if (debug) \
-	    fputs ("!", stdout); \
-	  fail ("client: Error: %s\n", gnutls_strerror (_ret)); \
+	  client_transfer_failure(_ret); \
 	} \
       else \
 	{ \
 	  if (msglen != _ret || memcmp (buf, msg, msglen) != 0) \
 	    { \
-	      fail ("client: Transmitted data do not match\n"); \
+	      failure(); \
 	    } \
 	  /* echo back */ \
-	  side = "client"; \
+	  switch_side("client"); \
 	  _ret = record_send_loop (client, buf, msglen, retry_send_with_null); \
-	  if (_ret < 0) fail ("client send error: %s\n", gnutls_strerror (_ret)); \
+	  if (_ret < 0) client_transfer_failure(_ret); \
 	  transferred += _ret; \
-	  if (debug) \
-	    fputs (".", stdout); \
 	} \
     } \
   while (transferred < 70000); \
@@ -137,25 +139,25 @@ extern const char *side;
 
 #define EMPTY_BUF(s, c, buf, buflen) \
     { \
-      side = "client"; int _ret = 0; \
+      switch_side("client"); int _ret = 0; \
       while((_ret == GNUTLS_E_AGAIN && to_server_len > 0) || to_server_len > 0) \
 	{ \
-	  side = "server"; \
+	  switch_side("server"); \
 	  _ret = gnutls_record_recv (s, buf, buflen); \
 	} \
       if (_ret < 0 && _ret !=GNUTLS_E_AGAIN) \
 	{ \
-	  fail ("server: error: %s\n", gnutls_strerror (_ret)); \
+	  server_transfer_failure(_ret); \
 	} \
-      side = "server"; _ret = 0; \
+      switch_side("server"); _ret = 0; \
       while((to_client_len > 0 && _ret == GNUTLS_E_AGAIN) || to_client_len > 0) \
 	{ \
-	  side = "client"; \
+	  switch_side("client"); \
 	  _ret = gnutls_record_recv (client, buf, buflen); \
 	} \
       if (_ret < 0 && _ret !=GNUTLS_E_AGAIN) \
 	{ \
-	  fail ("client: Error: %s\n", gnutls_strerror (_ret)); \
+	  client_transfer_failure(_ret); \
 	} \
     }
 
@@ -169,10 +171,11 @@ static size_t to_server_len = 0;
 static char to_client[64 * 1024];
 static size_t to_client_len = 0;
 
+
 #ifdef RANDOMIZE
 #define RETURN_RND_EAGAIN(session) \
-  static unsigned char rnd = 0; \
-  if (rnd++ % 2 == 0) \
+  unsigned int rnd = time(0); \
+  if (rnd++ % 3 == 0) \
     { \
       gnutls_transport_set_errno (session, EAGAIN); \
       return -1; \
diff --git a/tests/eagain.c b/tests/eagain.c
new file mode 100644
index 0000000000..4eff818e5a
--- /dev/null
+++ b/tests/eagain.c
@@ -0,0 +1,194 @@
+/*
+ * Copyright (C) 2008-2012 Free Software Foundation, Inc.
+ * Copyright (C) 2018 Red Hat, Inc.
+ *
+ * Author: Simon Josefsson, Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+
+#define RANDOMIZE
+#include "cert-common.h"
+#include "cmocka-common.h"
+
+/* This tests operation under non-blocking mode in TLS1.2/TLS1.3
+ * as well as operation under TLS1.2 re-handshake.
+ */
+static void tls_log_func(int level, const char *str)
+{
+	fprintf(stderr, "<%d>| %s", level, str);
+}
+
+#define MAX_BUF 1024
+#define MSG "Hello TLS, and hi and how are you and more data here... and more... and even more and even more more data..."
+
+static void async_handshake(void **glob_state, const char *prio, unsigned rehsk)
+{
+	/* Server stuff. */
+	gnutls_certificate_credentials_t serverx509cred;
+	gnutls_session_t server;
+	int sret, cret;
+	/* Client stuff. */
+	gnutls_certificate_credentials_t clientx509cred;
+	gnutls_session_t client;
+	/* Need to enable anonymous KX specifically. */
+	char buffer[MAX_BUF + 1];
+	int ret, transferred = 0, msglen;
+
+	/* General init. */
+	reset_buffers();
+	gnutls_global_init();
+	gnutls_global_set_log_function(tls_log_func);
+
+	/* Init server */
+	assert_return_code(gnutls_certificate_allocate_credentials(&serverx509cred), 0);
+	assert_return_code(gnutls_certificate_set_x509_key_mem(serverx509cred,
+					    &server_cert, &server_key,
+					    GNUTLS_X509_FMT_PEM), 0);
+	ret = gnutls_init(&server, GNUTLS_SERVER);
+	assert_return_code(ret, 0);
+
+	ret =
+	    gnutls_priority_set_direct(server,
+					prio,
+					NULL);
+	assert_return_code(ret, 0);
+
+	ret = gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, serverx509cred);
+	assert_return_code(ret, 0);
+
+	gnutls_transport_set_push_function(server, server_push);
+	gnutls_transport_set_pull_function(server, server_pull);
+	gnutls_transport_set_ptr(server, server);
+
+	/* Init client */
+
+	ret = gnutls_certificate_allocate_credentials(&clientx509cred);
+	assert_return_code(ret, 0);
+
+	ret = gnutls_init(&client, GNUTLS_CLIENT);
+	ret =
+	    gnutls_priority_set_direct(client,
+					prio,
+					NULL);
+	assert_return_code(ret, 0);
+
+	ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, clientx509cred);
+	assert_return_code(ret, 0);
+
+	gnutls_transport_set_push_function(client, client_push);
+	gnutls_transport_set_pull_function(client, client_pull);
+	gnutls_transport_set_ptr(client, client);
+
+	HANDSHAKE(client, server);
+
+	if (rehsk == 1 || rehsk == 3) {
+		ssize_t n;
+		char b[1];
+
+		do {
+			sret = gnutls_rehandshake(server);
+		} while (sret == GNUTLS_E_AGAIN);
+
+		do {
+			n = gnutls_record_recv(client, b, 1);
+		} while(n == GNUTLS_E_AGAIN);
+
+		assert_int_equal(n, GNUTLS_E_REHANDSHAKE);
+
+		if (rehsk == 3) {
+			/* client sends app data and the server ignores them */
+			do {
+				cret = gnutls_record_send(client, "x", 1);
+			} while (cret == GNUTLS_E_AGAIN);
+
+			do {
+				sret = gnutls_handshake(server);
+			} while (sret == GNUTLS_E_AGAIN);
+			assert_int_equal(sret, GNUTLS_E_GOT_APPLICATION_DATA);
+
+			do {
+				n = gnutls_record_recv(server, buffer, sizeof(buffer));
+			} while(n == GNUTLS_E_AGAIN);
+		}
+
+		HANDSHAKE(client, server);
+	} else if (rehsk == 2) {
+		HANDSHAKE(client, server);
+	}
+
+	msglen = strlen(MSG);
+	TRANSFER(client, server, MSG, msglen, buffer, MAX_BUF);
+
+	gnutls_bye(client, GNUTLS_SHUT_WR);
+	gnutls_bye(server, GNUTLS_SHUT_WR);
+
+	gnutls_deinit(client);
+	gnutls_deinit(server);
+
+	gnutls_certificate_free_credentials(serverx509cred);
+	gnutls_certificate_free_credentials(clientx509cred);
+
+	gnutls_global_deinit();
+}
+
+static void tls12_async_handshake(void **glob_state)
+{
+	async_handshake(glob_state, "NORMAL:-VERS-ALL:+VERS-TLS1.2", 0);
+}
+
+static void tls12_async_rehandshake_client(void **glob_state)
+{
+	async_handshake(glob_state, "NORMAL:-VERS-ALL:+VERS-TLS1.2", 1);
+}
+
+static void tls12_async_rehandshake_server(void **glob_state)
+{
+	async_handshake(glob_state, "NORMAL:-VERS-ALL:+VERS-TLS1.2", 2);
+}
+
+static void tls12_async_rehandshake_server_appdata(void **glob_state)
+{
+	async_handshake(glob_state, "NORMAL:-VERS-ALL:+VERS-TLS1.2", 3);
+}
+
+static void tls13_async_handshake(void **glob_state)
+{
+	async_handshake(glob_state, "NORMAL:-VERS-ALL:+VERS-TLS1.3", 0);
+}
+
+int main(void)
+{
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(tls12_async_handshake),
+		cmocka_unit_test(tls12_async_rehandshake_client),
+		cmocka_unit_test(tls12_async_rehandshake_server),
+		cmocka_unit_test(tls12_async_rehandshake_server_appdata),
+		cmocka_unit_test(tls13_async_handshake),
+	};
+	return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/tests/key-usage-ecdhe-rsa.c b/tests/key-usage-ecdhe-rsa.c
index 976c826026..4926d2be9a 100644
--- a/tests/key-usage-ecdhe-rsa.c
+++ b/tests/key-usage-ecdhe-rsa.c
@@ -108,7 +108,6 @@ const gnutls_datum_t enc_key = { encryption_key_pem,
 static
 void server_check(void)
 {
-	int exit_code = EXIT_SUCCESS;
 	int ret;
 	/* Server stuff. */
 	gnutls_certificate_credentials_t serverx509cred;
@@ -176,13 +175,6 @@ void server_check(void)
 	gnutls_certificate_free_credentials(clientx509cred);
 
 	gnutls_global_deinit();
-
-	if (debug > 0) {
-		if (exit_code == 0)
-			puts("Self-test successful");
-		else
-			puts("Self-test failed");
-	}
 }
 
 static gnutls_privkey_t g_pkey = NULL;
@@ -233,7 +225,6 @@ cert_callback(gnutls_session_t session,
 static
 void client_check(void)
 {
-	int exit_code = EXIT_SUCCESS;
 	int ret;
 	/* Server stuff. */
 	gnutls_certificate_credentials_t serverx509cred;
@@ -299,13 +290,6 @@ void client_check(void)
 	gnutls_certificate_free_credentials(clientx509cred);
 
 	gnutls_global_deinit();
-
-	if (debug > 0) {
-		if (exit_code == 0)
-			puts("Self-test successful");
-		else
-			puts("Self-test failed");
-	}
 }
 
 void doit(void)
diff --git a/tests/key-usage-rsa.c b/tests/key-usage-rsa.c
index 42490df250..5eb2cfef83 100644
--- a/tests/key-usage-rsa.c
+++ b/tests/key-usage-rsa.c
@@ -147,7 +147,6 @@ const gnutls_datum_t server_key = { server_key_pem,
 static
 void server_check(void)
 {
-	int exit_code = EXIT_SUCCESS;
 	int ret;
 	/* Server stuff. */
 	gnutls_certificate_credentials_t serverx509cred;
@@ -215,13 +214,6 @@ void server_check(void)
 	gnutls_certificate_free_credentials(clientx509cred);
 
 	gnutls_global_deinit();
-
-	if (debug > 0) {
-		if (exit_code == 0)
-			puts("Self-test successful");
-		else
-			puts("Self-test failed");
-	}
 }
 
 static gnutls_privkey_t g_pkey = NULL;
@@ -272,7 +264,6 @@ cert_callback(gnutls_session_t session,
 static
 void client_check(void)
 {
-	int exit_code = EXIT_SUCCESS;
 	int ret;
 	/* Server stuff. */
 	gnutls_certificate_credentials_t serverx509cred;
@@ -338,13 +329,6 @@ void client_check(void)
 	gnutls_certificate_free_credentials(clientx509cred);
 
 	gnutls_global_deinit();
-
-	if (debug > 0) {
-		if (exit_code == 0)
-			puts("Self-test successful");
-		else
-			puts("Self-test failed");
-	}
 }
 
 void doit(void)
diff --git a/tests/mini-eagain.c b/tests/mini-eagain.c
deleted file mode 100644
index d240ed6a01..0000000000
--- a/tests/mini-eagain.c
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * Copyright (C) 2008-2012 Free Software Foundation, Inc.
- *
- * Author: Simon Josefsson, Nikos Mavrogiannopoulos
- *
- * This file is part of GnuTLS.
- *
- * GnuTLS is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * GnuTLS is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with GnuTLS; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
- */
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <errno.h>
-#include <gnutls/gnutls.h>
-#include <gnutls/crypto.h>
-
-#include "utils.h"
-#define RANDOMIZE
-#include "eagain-common.h"
-
-const char *side = "";
-
-static void tls_log_func(int level, const char *str)
-{
-	fprintf(stderr, "%s|<%d>| %s", side, level, str);
-}
-
-static int handshake = 0;
-
-#define MAX_BUF 1024
-#define MSG "Hello TLS, and hi and how are you and more data here... and more... and even more and even more more data..."
-
-void doit(void)
-{
-	/* Server stuff. */
-	gnutls_anon_server_credentials_t s_anoncred;
-	const gnutls_datum_t p3 =
-	    { (unsigned char *) pkcs3, strlen(pkcs3) };
-	static gnutls_dh_params_t dh_params;
-	gnutls_session_t server;
-	int sret, cret;
-	/* Client stuff. */
-	gnutls_anon_client_credentials_t c_anoncred;
-	gnutls_session_t client;
-	/* Need to enable anonymous KX specifically. */
-	char buffer[MAX_BUF + 1];
-	int ret, transferred = 0, msglen;
-
-	/* General init. */
-	global_init();
-	gnutls_global_set_log_function(tls_log_func);
-	if (debug)
-		gnutls_global_set_log_level(2);
-
-	/* Init server */
-	gnutls_anon_allocate_server_credentials(&s_anoncred);
-	gnutls_dh_params_init(&dh_params);
-	gnutls_dh_params_import_pkcs3(dh_params, &p3, GNUTLS_X509_FMT_PEM);
-	gnutls_anon_set_server_dh_params(s_anoncred, dh_params);
-	gnutls_init(&server, GNUTLS_SERVER);
-	ret =
-	    gnutls_priority_set_direct(server,
-					"NONE:+VERS-TLS1.2:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH",
-					NULL);
-	if (ret < 0)
-		exit(1);
-	gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred);
-	gnutls_transport_set_push_function(server, server_push);
-	gnutls_transport_set_pull_function(server, server_pull);
-	gnutls_transport_set_ptr(server, server);
-
-	/* Init client */
-	gnutls_anon_allocate_client_credentials(&c_anoncred);
-	gnutls_init(&client, GNUTLS_CLIENT);
-	ret =
-	    gnutls_priority_set_direct(client,
-					"NONE:+VERS-TLS1.2:+CIPHER-ALL:+MAC-ALL:+SIGN-ALL:+COMP-ALL:+ANON-DH",
-					NULL);
-	if (ret < 0)
-		exit(1);
-	gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred);
-	gnutls_transport_set_push_function(client, client_push);
-	gnutls_transport_set_pull_function(client, client_pull);
-	gnutls_transport_set_ptr(client, client);
-
-	handshake = 1;
-	HANDSHAKE(client, server);
-
-	handshake = 0;
-	if (debug)
-		success("Handshake established\n");
-
-	msglen = strlen(MSG);
-	TRANSFER(client, server, MSG, msglen, buffer, MAX_BUF);
-	if (debug)
-		fputs("\n", stdout);
-
-	gnutls_bye(client, GNUTLS_SHUT_WR);
-	gnutls_bye(server, GNUTLS_SHUT_WR);
-
-	gnutls_deinit(client);
-	gnutls_deinit(server);
-
-	gnutls_anon_free_client_credentials(c_anoncred);
-	gnutls_anon_free_server_credentials(s_anoncred);
-
-	gnutls_dh_params_deinit(dh_params);
-
-	gnutls_global_deinit();
-}
diff --git a/tests/mini-x509-2.c b/tests/mini-x509-2.c
index cab8c9ae2b..8badfc1ecb 100644
--- a/tests/mini-x509-2.c
+++ b/tests/mini-x509-2.c
@@ -182,7 +182,6 @@ const gnutls_datum_t server_key = { server_key_pem,
 static
 void start(const char *prio)
 {
-	int exit_code = EXIT_SUCCESS;
 	int ret;
 	/* Server stuff. */
 	gnutls_certificate_credentials_t serverx509cred;
diff --git a/tests/mini-x509-cas.c b/tests/mini-x509-cas.c
index 6edfd89c38..818d98ec53 100644
--- a/tests/mini-x509-cas.c
+++ b/tests/mini-x509-cas.c
@@ -47,7 +47,6 @@ static void tls_log_func(int level, const char *str)
 static
 void start(const char *prio)
 {
-	int exit_code = EXIT_SUCCESS;
 	const char *ca_file;
 	/* Server stuff. */
 	gnutls_certificate_credentials_t serverx509cred;
diff --git a/tests/mini-x509-default-prio.c b/tests/mini-x509-default-prio.c
index 62ef5b55ff..7f2308cde4 100644
--- a/tests/mini-x509-default-prio.c
+++ b/tests/mini-x509-default-prio.c
@@ -142,7 +142,6 @@ const gnutls_datum_t server_key = { server_key_pem,
 
 void doit(void)
 {
-	int exit_code = EXIT_SUCCESS;
 	int ret;
 	/* Server stuff. */
 	gnutls_certificate_credentials_t serverx509cred;
@@ -283,11 +282,4 @@ void doit(void)
 	gnutls_certificate_free_credentials(clientx509cred);
 
 	gnutls_global_deinit();
-
-	if (debug > 0) {
-		if (exit_code == 0)
-			puts("Self-test successful");
-		else
-			puts("Self-test failed");
-	}
 }
diff --git a/tests/mini-x509-ipaddr.c b/tests/mini-x509-ipaddr.c
index 63d6fecd5c..81ce0525cc 100644
--- a/tests/mini-x509-ipaddr.c
+++ b/tests/mini-x509-ipaddr.c
@@ -58,7 +58,6 @@ static time_t mytime(time_t * t)
 
 void doit(void)
 {
-	int exit_code = EXIT_SUCCESS;
 	int ret;
 	/* Server stuff. */
 	gnutls_certificate_credentials_t serverx509cred;
@@ -267,11 +266,4 @@ void doit(void)
 	gnutls_certificate_free_credentials(clientx509cred);
 
 	gnutls_global_deinit();
-
-	if (debug > 0) {
-		if (exit_code == 0)
-			puts("Self-test successful");
-		else
-			puts("Self-test failed");
-	}
 }
diff --git a/tests/mini-x509.c b/tests/mini-x509.c
index 280ffcbc49..4e9d27b639 100644
--- a/tests/mini-x509.c
+++ b/tests/mini-x509.c
@@ -54,7 +54,6 @@ static time_t mytime(time_t * t)
 static
 void start(const char *prio)
 {
-	int exit_code = EXIT_SUCCESS;
 	int ret;
 	/* Server stuff. */
 	gnutls_certificate_credentials_t serverx509cred;
diff --git a/tests/priority-mix.c b/tests/priority-mix.c
index ff9393738e..55053ae768 100644
--- a/tests/priority-mix.c
+++ b/tests/priority-mix.c
@@ -57,7 +57,6 @@ static time_t mytime(time_t * t)
 
 void doit(void)
 {
-	int exit_code = EXIT_SUCCESS;
 	int ret;
 	/* Server stuff. */
 	gnutls_certificate_credentials_t serverx509cred;
@@ -162,11 +161,4 @@ void doit(void)
 	gnutls_certificate_free_credentials(clientx509cred);
 
 	gnutls_global_deinit();
-
-	if (debug > 0) {
-		if (exit_code == 0)
-			puts("Self-test successful");
-		else
-			puts("Self-test failed");
-	}
 }
diff --git a/tests/priority-set.c b/tests/priority-set.c
index 63f61dd01d..1834d800a1 100644
--- a/tests/priority-set.c
+++ b/tests/priority-set.c
@@ -57,7 +57,6 @@ static time_t mytime(time_t * t)
 
 void doit(void)
 {
-	int exit_code = EXIT_SUCCESS;
 	int ret;
 	/* Server stuff. */
 	gnutls_certificate_credentials_t serverx509cred;
@@ -125,11 +124,4 @@ void doit(void)
 	gnutls_certificate_free_credentials(clientx509cred);
 
 	gnutls_global_deinit();
-
-	if (debug > 0) {
-		if (exit_code == 0)
-			puts("Self-test successful");
-		else
-			puts("Self-test failed");
-	}
 }
diff --git a/tests/priority-set2.c b/tests/priority-set2.c
index e1187e75a3..18b03d86ee 100644
--- a/tests/priority-set2.c
+++ b/tests/priority-set2.c
@@ -57,7 +57,6 @@ static time_t mytime(time_t * t)
 
 void doit(void)
 {
-	int exit_code = EXIT_SUCCESS;
 	int ret;
 	/* Server stuff. */
 	gnutls_certificate_credentials_t serverx509cred;
@@ -126,11 +125,4 @@ void doit(void)
 	gnutls_priority_deinit(cache);
 
 	gnutls_global_deinit();
-
-	if (debug > 0) {
-		if (exit_code == 0)
-			puts("Self-test successful");
-		else
-			puts("Self-test failed");
-	}
 }
diff --git a/tests/rehandshake-ext-secret.c b/tests/rehandshake-ext-secret.c
index 4532f306bf..94279f0322 100644
--- a/tests/rehandshake-ext-secret.c
+++ b/tests/rehandshake-ext-secret.c
@@ -49,7 +49,6 @@ static void tls_log_func(int level, const char *str)
 
 static void try(unsigned onclient)
 {
-	int exit_code = EXIT_SUCCESS;
 	/* Server stuff. */
 	gnutls_certificate_credentials_t serverx509cred;
 	gnutls_session_t server;
@@ -139,13 +138,6 @@ static void try(unsigned onclient)
 	gnutls_certificate_free_credentials(clientx509cred);
 
 	gnutls_global_deinit();
-
-	if (debug) {
-		if (exit_code == 0)
-			puts("Self-test successful");
-		else
-			puts("Self-test failed");
-	}
 }
 
 void doit(void)
diff --git a/tests/resume-with-false-start.c b/tests/resume-with-false-start.c
index b0093b09e0..26f374c841 100644
--- a/tests/resume-with-false-start.c
+++ b/tests/resume-with-false-start.c
@@ -52,7 +52,6 @@ static time_t mytime(time_t * t)
 
 void doit(void)
 {
-	int exit_code = EXIT_SUCCESS;
 	int ret;
 	/* Server stuff. */
 	gnutls_certificate_credentials_t serverx509cred;
@@ -146,11 +145,4 @@ void doit(void)
 	gnutls_certificate_free_credentials(clientx509cred);
 
 	gnutls_global_deinit();
-
-	if (debug > 0) {
-		if (exit_code == 0)
-			puts("Self-test successful");
-		else
-			puts("Self-test failed");
-	}
 }
diff --git a/tests/session-rdn-read.c b/tests/session-rdn-read.c
index c308508596..19cbfb057c 100644
--- a/tests/session-rdn-read.c
+++ b/tests/session-rdn-read.c
@@ -86,7 +86,6 @@ cert_callback(gnutls_session_t session,
 
 static void start(const char *prio)
 {
-	int exit_code = EXIT_SUCCESS;
 	int ret;
 	/* Server stuff. */
 	gnutls_certificate_credentials_t serverx509cred;
@@ -164,13 +163,6 @@ static void start(const char *prio)
 
 	gnutls_global_deinit();
 
-	if (debug > 0) {
-		if (exit_code == 0)
-			puts("Self-test successful");
-		else
-			puts("Self-test failed");
-	}
-
 	reset_buffers();
 }
 
diff --git a/tests/tls12-rehandshake-cert-2.c b/tests/tls12-rehandshake-cert-2.c
index ab48556110..f21f2cbd33 100644
--- a/tests/tls12-rehandshake-cert-2.c
+++ b/tests/tls12-rehandshake-cert-2.c
@@ -52,7 +52,8 @@ int main()
 
 static void terminate(void);
 
-/* This program tests client and server initiated rehandshake.
+/* This program tests client and server initiated rehandshake
+ * behavior when they are refused by the peer.
  */
 
 static void server_log_func(int level, const char *str)
@@ -395,7 +396,7 @@ void doit(void)
 	signal(SIGCHLD, ch_handler);
 	signal(SIGPIPE, SIG_IGN);
 
-//	start(0);
+	start(0);
 	start(1);
 }
 
diff --git a/tests/tls12-rehandshake-cert-3.c b/tests/tls12-rehandshake-cert-3.c
index 94ab1126a0..5d609d882f 100644
--- a/tests/tls12-rehandshake-cert-3.c
+++ b/tests/tls12-rehandshake-cert-3.c
@@ -53,7 +53,7 @@ int main()
 
 static void terminate(void);
 
-/* This program tests client and server initiated rehandshake.
+/* This program tests client initiated rehandshake.
  * On the initial handshake a certificate is requested from the
  * client, while on the following up not.
  */
@@ -69,7 +69,7 @@ static void client_log_func(int level, const char *str)
 }
 
 #define MAX_BUF 1024
-#define MAX_REHANDSHAKES 32
+#define MAX_REHANDSHAKES 16
 
 static void client(int fd)
 {
diff --git a/tests/tls12-rehandshake-cert.c b/tests/tls12-rehandshake-cert.c
index 00a7d381c5..226ee6e1f3 100644
--- a/tests/tls12-rehandshake-cert.c
+++ b/tests/tls12-rehandshake-cert.c
@@ -1,7 +1,8 @@
 /*
  * Copyright (C) 2008-2012 Free Software Foundation, Inc.
+ * Copyright (C) 2018 Red Hat, Inc.
  *
- * Author: Simon Josefsson
+ * Author: Simon Josefsson, Nikos Mavrogiannopoulos
  *
  * This file is part of GnuTLS.
  *
@@ -15,9 +16,8 @@
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  * General Public License for more details.
  *
- * You should have received a copy of the GNU General Public License
- * along with GnuTLS; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
  */
 
 #ifdef HAVE_CONFIG_H
@@ -29,22 +29,21 @@
 #include <string.h>
 #include <errno.h>
 #include <gnutls/gnutls.h>
-#include "utils.h"
-#include "eagain-common.h"
+
 #include "cert-common.h"
+#include "cmocka-common.h"
 
 /* This program tests server initiated rehandshake */
 
-const char *side = "";
-
 static void tls_log_func(int level, const char *str)
 {
-	fprintf(stderr, "%s|<%d>| %s", side, level, str);
+	fprintf(stderr, "<%d>| %s", level, str);
 }
 
-void doit(void)
+#define MAX_REHANDSHAKES 16
+
+static void test_rehandshake(void **glob_state, unsigned appdata)
 {
-	int exit_code = EXIT_SUCCESS;
 	/* Server stuff. */
 	gnutls_certificate_credentials_t serverx509cred;
 	gnutls_session_t server;
@@ -53,54 +52,103 @@ void doit(void)
 	gnutls_certificate_credentials_t clientx509cred;
 	gnutls_session_t client;
 	int cret = GNUTLS_E_AGAIN;
+	char buffer[64];
+	int ret;
+	unsigned i;
 
 	/* General init. */
-	global_init();
+	reset_buffers();
+	ret = gnutls_global_init();
+	assert_return_code(ret, 0);
+
 	gnutls_global_set_log_function(tls_log_func);
-	if (debug)
-		gnutls_global_set_log_level(2);
 
 	/* Init server */
-	gnutls_certificate_allocate_credentials(&serverx509cred);
-	gnutls_certificate_set_x509_key_mem(serverx509cred,
-					    &server_cert, &server_key,
-					    GNUTLS_X509_FMT_PEM);
-	gnutls_init(&server, GNUTLS_SERVER);
-	gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
-				serverx509cred);
-	gnutls_priority_set_direct(server, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1:+VERS-TLS1.2", NULL);
+	ret = gnutls_certificate_allocate_credentials(&serverx509cred);
+	assert_return_code(ret, 0);
+
+	ret = gnutls_certificate_set_x509_key_mem(serverx509cred,
+						  &server_cert, &server_key,
+						  GNUTLS_X509_FMT_PEM);
+	assert_return_code(ret, 0);
+
+	ret = gnutls_init(&server, GNUTLS_SERVER);
+	assert_return_code(ret, 0);
+
+	ret = gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
+				     serverx509cred);
+	assert_return_code(ret, 0);
+
+	ret = gnutls_priority_set_direct(server, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1:+VERS-TLS1.2", NULL);
+	assert_return_code(ret, 0);
+
 	gnutls_transport_set_push_function(server, server_push);
 	gnutls_transport_set_pull_function(server, server_pull);
 	gnutls_transport_set_ptr(server, server);
 
 	/* Init client */
-	gnutls_certificate_allocate_credentials(&clientx509cred);
-	gnutls_init(&client, GNUTLS_CLIENT);
-	gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
-				clientx509cred);
-	gnutls_priority_set_direct(client, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1:+VERS-TLS1.2", NULL);
+	ret = gnutls_certificate_allocate_credentials(&clientx509cred);
+	assert_return_code(ret, 0);
+
+	ret = gnutls_init(&client, GNUTLS_CLIENT);
+	assert_return_code(ret, 0);
+
+	ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
+				     clientx509cred);
+	assert_return_code(ret, 0);
+
+	ret = gnutls_priority_set_direct(client, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1:+VERS-TLS1.2", NULL);
+	assert_return_code(ret, 0);
+
 	gnutls_transport_set_push_function(client, client_push);
 	gnutls_transport_set_pull_function(client, client_pull);
 	gnutls_transport_set_ptr(client, client);
 
 	HANDSHAKE(client, server);
 
-	sret = gnutls_rehandshake(server);
-	if (debug) {
-		tls_log_func(0, "gnutls_rehandshake (server)...\n");
-		tls_log_func(0, gnutls_strerror(sret));
-		tls_log_func(0, "\n");
-	}
+	if (appdata) {
+		/* send application data prior to handshake */
+		ssize_t n;
+		char b[1];
+
+		do {
+			sret = gnutls_rehandshake(server);
+		} while (sret == GNUTLS_E_AGAIN);
+
+		do {
+			n = gnutls_record_recv(client, b, 1);
+		} while(n == GNUTLS_E_AGAIN);
 
-	{
+		assert_int_equal(n, GNUTLS_E_REHANDSHAKE);
+
+		/* client sends app data and the server ignores them */
+		do {
+			cret = gnutls_record_send(client, "x", 1);
+		} while (cret == GNUTLS_E_AGAIN);
+
+		do {
+			sret = gnutls_handshake(server);
+		} while (sret == GNUTLS_E_AGAIN);
+		assert_int_equal(sret, GNUTLS_E_GOT_APPLICATION_DATA);
+
+		do {
+			n = gnutls_record_recv(server, buffer, sizeof(buffer));
+		} while(n == GNUTLS_E_AGAIN);
+
+		HANDSHAKE(client, server);
+	} else {
 		ssize_t n;
 		char b[1];
-		n = gnutls_record_recv(client, b, 1);
-		if (n != GNUTLS_E_REHANDSHAKE)
-			abort();
-	}
 
-	HANDSHAKE(client, server);
+		for (i=0;i<MAX_REHANDSHAKES;i++) {
+			sret = gnutls_rehandshake(server);
+
+			n = gnutls_record_recv(client, b, 1);
+			assert_int_equal(n, GNUTLS_E_REHANDSHAKE);
+
+			HANDSHAKE(client, server);
+		}
+	}
 
 	gnutls_bye(client, GNUTLS_SHUT_RDWR);
 	gnutls_bye(server, GNUTLS_SHUT_RDWR);
@@ -112,11 +160,23 @@ void doit(void)
 	gnutls_certificate_free_credentials(clientx509cred);
 
 	gnutls_global_deinit();
+}
 
-	if (debug) {
-		if (exit_code == 0)
-			puts("Self-test successful");
-		else
-			puts("Self-test failed");
-	}
+static void tls12_rehandshake_server(void **glob_state)
+{
+	test_rehandshake(glob_state, 0);
+}
+
+static void tls12_rehandshake_server_appdata(void **glob_state)
+{
+	test_rehandshake(glob_state, 1);
+}
+
+int main(void)
+{
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test(tls12_rehandshake_server),
+		cmocka_unit_test(tls12_rehandshake_server_appdata),
+	};
+	return cmocka_run_group_tests(tests, NULL, NULL);
 }
diff --git a/tests/utils-adv.c b/tests/utils-adv.c
index a084136646..8291e182ab 100644
--- a/tests/utils-adv.c
+++ b/tests/utils-adv.c
@@ -53,7 +53,6 @@ _test_cli_serv(gnutls_certificate_credentials_t server_cred,
 	      int serv_err,
 	      int cli_err)
 {
-	int exit_code = EXIT_SUCCESS;
 	int ret;
 	/* Server stuff. */
 	gnutls_session_t server;
@@ -178,13 +177,6 @@ _test_cli_serv(gnutls_certificate_credentials_t server_cred,
 	gnutls_deinit(client);
 	gnutls_deinit(server);
 
-	if (debug > 0) {
-		if (exit_code == 0)
-			puts("Self-test successful");
-		else
-			puts("Self-test failed");
-	}
-
 	return ret;
 }
 
@@ -203,7 +195,6 @@ test_cli_serv_anon(gnutls_anon_server_credentials_t server_cred,
 	      gnutls_anon_client_credentials_t client_cred,
 	      const char *prio)
 {
-	int exit_code = EXIT_SUCCESS;
 	int ret;
 	/* Server stuff. */
 	gnutls_session_t server;
@@ -248,13 +239,6 @@ test_cli_serv_anon(gnutls_anon_server_credentials_t server_cred,
 	gnutls_deinit(client);
 	gnutls_deinit(server);
 
-	if (debug > 0) {
-		if (exit_code == 0)
-			puts("Self-test successful");
-		else
-			puts("Self-test failed");
-	}
-
 	return ret;
 }
 
@@ -263,7 +247,6 @@ test_cli_serv_psk(gnutls_psk_server_credentials_t server_cred,
 	      gnutls_psk_client_credentials_t client_cred,
 	      const char *prio)
 {
-	int exit_code = EXIT_SUCCESS;
 	int ret;
 	/* Server stuff. */
 	gnutls_session_t server;
@@ -308,13 +291,6 @@ test_cli_serv_psk(gnutls_psk_server_credentials_t server_cred,
 	gnutls_deinit(client);
 	gnutls_deinit(server);
 
-	if (debug > 0) {
-		if (exit_code == 0)
-			puts("Self-test successful");
-		else
-			puts("Self-test failed");
-	}
-
 	return ret;
 }
 
diff --git a/tests/x509-cert-callback-legacy.c b/tests/x509-cert-callback-legacy.c
index 98ae7dbd9c..2f7912bd89 100644
--- a/tests/x509-cert-callback-legacy.c
+++ b/tests/x509-cert-callback-legacy.c
@@ -136,7 +136,6 @@ server_cert_callback(gnutls_session_t session,
 
 static void start(const char *prio)
 {
-	int exit_code = EXIT_SUCCESS;
 	int ret;
 	/* Server stuff. */
 	gnutls_certificate_credentials_t serverx509cred;
diff --git a/tests/x509-cert-callback-ocsp.c b/tests/x509-cert-callback-ocsp.c
index 771b3c3b96..31325d1817 100644
--- a/tests/x509-cert-callback-ocsp.c
+++ b/tests/x509-cert-callback-ocsp.c
@@ -124,7 +124,6 @@ server_cert_callback(gnutls_session_t session,
 
 static void start(const char *prio)
 {
-	int exit_code = EXIT_SUCCESS;
 	int ret;
 	/* Server stuff. */
 	gnutls_certificate_credentials_t scred;
@@ -220,13 +219,6 @@ static void start(const char *prio)
 
 	gnutls_global_deinit();
 
-	if (debug > 0) {
-		if (exit_code == 0)
-			puts("Self-test successful");
-		else
-			puts("Self-test failed");
-	}
-
 	reset_buffers();
 }
 
diff --git a/tests/x509-cert-callback.c b/tests/x509-cert-callback.c
index e673096195..2901208c12 100644
--- a/tests/x509-cert-callback.c
+++ b/tests/x509-cert-callback.c
@@ -173,7 +173,6 @@ server_cert_callback(gnutls_session_t session,
 
 static void start(const char *prio)
 {
-	int exit_code = EXIT_SUCCESS;
 	int ret;
 	/* Server stuff. */
 	gnutls_certificate_credentials_t serverx509cred;
@@ -416,13 +415,6 @@ static void start(const char *prio)
 
 	gnutls_global_deinit();
 
-	if (debug > 0) {
-		if (exit_code == 0)
-			puts("Self-test successful");
-		else
-			puts("Self-test failed");
-	}
-
 	reset_buffers();
 }