fix PHA with KeyUpdate with HTTP

with HTTP flows and PHA we need some special handling of KeyUpdate so add it
tlsfuzzer · Dec 4, 2019 · 782b05f · 782b05f
1 parent ed727a7
commit 782b05f
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 0 deletions.
diff --git a/tests/tlstest.py b/tests/tlstest.py
@@ -723,6 +723,25 @@ def connect():
 
     test_no += 1
 
+    print("Test {0} - good mutual X.509, PHA and KeyUpdate, TLSv1.3".format(test_no))
+    synchro.recv(1)
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.minVersion = (3, 4)
+    settings.maxVersion = (3, 4)
+    connection.handshakeClientCert(x509Chain, x509Key, settings=settings)
+    synchro.recv(1)
+    for result in connection.send_keyupdate_request(
+            KeyUpdateMessageType.update_requested):
+        assert result in (0, 1)
+    b = connection.read(0, 0)
+    assert b == b''
+    testConnClient(connection)
+    assert(isinstance(connection.session.serverCertChain, X509CertChain))
+    connection.close()
+
+    test_no += 1
+
     print("Test {0} - mutual X.509, PHA, no client cert, TLSv1.3".format(test_no))
     synchro.recv(1)
     connection = connect()
@@ -1995,6 +2014,26 @@ def connect():
 
     test_no += 1
 
+    print("Test {0} - good mutual X.509, PHA and KeyUpdate, TLSv1.3".format(test_no))
+    synchro.send(b'R')
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.minVersion = (3, 4)
+    settings.maxVersion = (3, 4)
+    connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
+                               settings=settings)
+    assert connection.session.clientCertChain is None
+    for result in connection.request_post_handshake_auth(settings):
+        assert result in (0, 1)
+    synchro.send(b'R')
+    testConnServer(connection)
+
+    assert connection.session.clientCertChain is not None
+    assert isinstance(connection.session.clientCertChain, X509CertChain)
+    connection.close()
+
+    test_no += 1
+
     print("Test {0} - mutual X.509, PHA, no client cert, TLSv1.3".format(test_no))
     synchro.send(b'R')
     connection = connect()

diff --git a/tlslite/tlsrecordlayer.py b/tlslite/tlsrecordlayer.py
@@ -357,6 +357,9 @@ def readAsync(self, max=None, min=1):
                     elif isinstance(result, KeyUpdate):
                         for result in self._handle_keyupdate_request(result):
                             yield result
+                        # KeyUpdate messages are not solicited, while call with
+                        # min==0 are done to perform PHA
+                        try_once = True
                     elif isinstance(result, Certificate):
                         for result in self._handle_srv_pha(result):
                             yield result