rsa-sigs-on-certificate-verify - better error reporting on server alert

since server can abort right after Certificate or CertificateVerify it doesn't like then and close connection then, we may not be able to write to the socket, reporting a pipe error when in reality server did send an Alert message
tlsfuzzer · Mar 1, 2021 · f31b671 · f31b671
1 parent 1aa4333
commit f31b671
Showing 1 changed file with 9 additions and 4 deletions.
diff --git a/scripts/test-rsa-sigs-on-certificate-verify.py b/scripts/test-rsa-sigs-on-certificate-verify.py
@@ -15,7 +15,8 @@
         ClientKeyExchangeGenerator, ChangeCipherSpecGenerator, \
         FinishedGenerator, ApplicationDataGenerator, \
         CertificateGenerator, CertificateVerifyGenerator, \
-        AlertGenerator
+        AlertGenerator, TCPBufferingEnable, TCPBufferingDisable, \
+        TCPBufferingFlush
 from tlsfuzzer.expect import ExpectServerHello, ExpectCertificate, \
         ExpectServerHelloDone, ExpectChangeCipherSpec, ExpectFinished, \
         ExpectAlert, ExpectClose, ExpectCertificateRequest, \
@@ -31,7 +32,7 @@
 from tlsfuzzer.utils.lists import natural_sort_keys
 
 
-version = 3
+version = 6
 
 
 def help_msg():
@@ -145,11 +146,14 @@ def main():
         node = node.add_child(ExpectServerKeyExchange())
     node = node.add_child(ExpectCertificateRequest())
     node = node.add_child(ExpectServerHelloDone())
+    node = node.add_child(TCPBufferingEnable())
     node = node.add_child(CertificateGenerator(X509CertChain([cert])))
     node = node.add_child(ClientKeyExchangeGenerator())
     node = node.add_child(CertificateVerifyGenerator(private_key))
     node = node.add_child(ChangeCipherSpecGenerator())
     node = node.add_child(FinishedGenerator())
+    node = node.add_child(TCPBufferingDisable())
+    node = node.add_child(TCPBufferingFlush())
     node = node.add_child(ExpectChangeCipherSpec())
     node = node.add_child(ExpectFinished())
     node = node.add_child(ApplicationDataGenerator(b"GET / HTTP/1.0\n\n"))
@@ -199,12 +203,15 @@ def main():
                 node = node.add_child(ExpectServerKeyExchange())
             node = node.add_child(ExpectCertificateRequest())
             node = node.add_child(ExpectServerHelloDone())
+            node = node.add_child(TCPBufferingEnable())
             node = node.add_child(CertificateGenerator(X509CertChain([cert])))
             node = node.add_child(ClientKeyExchangeGenerator())
             node = node.add_child(CertificateVerifyGenerator(
                 private_key, msg_alg=(getattr(HashAlgorithm, md), SignatureAlgorithm.rsa)))
             node = node.add_child(ChangeCipherSpecGenerator())
             node = node.add_child(FinishedGenerator())
+            node = node.add_child(TCPBufferingDisable())
+            node = node.add_child(TCPBufferingFlush())
             node = node.add_child(ExpectChangeCipherSpec())
             node = node.add_child(ExpectFinished())
             node = node.add_child(ApplicationDataGenerator(b"GET / HTTP/1.0\n\n"))
@@ -227,8 +234,6 @@ def main():
     if not num_limit:
         num_limit = len(conversations)
 
-    print("Certificate Verify test version 5")
-
     sanity_tests = [('sanity', conversations['sanity'])]
     if run_only:
         if num_limit > len(run_only):