From 782b05f2c8aaf17da1d00fdd53500ef48daf5950 Mon Sep 17 00:00:00 2001
From: Hubert Kario
Date: Wed, 4 Dec 2019 15:22:11 +0100
Subject: [PATCH] fix PHA with KeyUpdate with HTTP

with HTTP flows and PHA we need some special handling of KeyUpdate so add it
---
 tests/tlstest.py | 39 +++++++++++++++++++++++++++++++++++++++
 tlslite/tlsrecordlayer.py | 3 +++
 2 files changed, 42 insertions(+)

diff --git a/tests/tlstest.py b/tests/tlstest.py
index f9524096e..6adb33e64 100755
--- a/tests/tlstest.py
+++ b/tests/tlstest.py
@@ -723,6 +723,25 @@ def connect():
 test_no += 1
+ print("Test {0} - good mutual X.509, PHA and KeyUpdate, TLSv1.3".format(test_no))
+ synchro.recv(1)
+ connection = connect()
+ settings = HandshakeSettings()
+ settings.minVersion = (3, 4)
+ settings.maxVersion = (3, 4)
+ connection.handshakeClientCert(x509Chain, x509Key, settings=settings)
+ synchro.recv(1)
+ for result in connection.send_keyupdate_request(
+ KeyUpdateMessageType.update_requested):
+ assert result in (0, 1)
+ b = connection.read(0, 0)
+ assert b == b''
+ testConnClient(connection)
+ assert(isinstance(connection.session.serverCertChain, X509CertChain))
+ connection.close()
+
+ test_no += 1
+
+ print("Test {0} - mutual X.509, PHA, no client cert, TLSv1.3".format(test_no))
 synchro.recv(1)
 connection = connect()
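Review bot: The line `b = connection.read(0, 0)` deserves a comment explaining why a zero-length read with min=0 is issued right after the KeyUpdate request; a reader will not guess that it exists only to push the pending handshake messages (presumably the server's KeyUpdate reply and the post-handshake CertificateRequest) through the record layer before application data flows. Something like `# read(0, 0) drains the pending KeyUpdate reply and PHA messages without waiting for application data` would tie the test to the new min==0 handling in tlsrecordlayer.py. The new `assert(isinstance(connection.session.serverCertChain, X509CertChain))` also uses the parenthesised assert form, whereas the server-side hunk in the same file writes `assert isinstance(...)`; dropping the parentheses keeps the two consistent. The enclosing test body starts and ends outside the hunk.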
@@ -1995,6 +2014,26 @@ def connect():
 test_no += 1
+ print("Test {0} - good mutual X.509, PHA and KeyUpdate, TLSv1.3".format(test_no))
+ synchro.send(b'R')
+ connection = connect()
+ settings = HandshakeSettings()
+ settings.minVersion = (3, 4)
+ settings.maxVersion = (3, 4)
+ connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
+ settings=settings)
+ assert connection.session.clientCertChain is None
+ for result in connection.request_post_handshake_auth(settings):
+ assert result in (0, 1)
+ synchro.send(b'R')
+ testConnServer(connection)
+
+ assert connection.session.clientCertChain is not None
+ assert isinstance(connection.session.clientCertChain, X509CertChain)
+ connection.close()
+
+ test_no += 1
+
 print("Test {0} - mutual X.509, PHA, no client cert, TLSv1.3".format(test_no))
 synchro.send(b'R')
 connection = connect()
diff --git a/tlslite/tlsrecordlayer.py b/tlslite/tlsrecordlayer.py
index 1a2d113ae..49c3d5084 100644
--- a/tlslite/tlsrecordlayer.py
+++ b/tlslite/tlsrecordlayer.py
@@ -357,6 +357,9 @@ def readAsync(self, max=None, min=1):
 elif isinstance(result, KeyUpdate):
 for result in self._handle_keyupdate_request(result):
 yield result
+ # KeyUpdate messages are not solicited, while call with
+ # min==0 are done to perform PHA
+ try_once = True
 elif isinstance(result, Certificate):
 for result in self._handle_srv_pha(result):
 yield result
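Review bot: Between `connection.request_post_handshake_auth(settings)` and `testConnServer(connection)` the server side never reads explicitly, so the client's KeyUpdate and its PHA Certificate are presumably consumed only by the reads inside testConnServer; if that helper's read pattern changes, this test would silently stop exercising the KeyUpdate-plus-PHA interleaving it is named for. A short comment such as `# the client's KeyUpdate and PHA Certificate are consumed by the reads in testConnServer` would make that dependency visible. Note also that the assertions only check the PHA outcome (clientCertChain before and after); that a key update actually took effect on either side is verified indirectly at best, through the traffic in testConnServer. The surrounding test function starts and ends outside the hunk.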
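Review bot: The added comment `# KeyUpdate messages are not solicited, while call with min==0 are done to perform PHA` is hard to parse and does not say what setting `try_once` achieves; rewording it as `# a KeyUpdate may arrive unsolicited; a read with min == 0 is only meant to drive PHA, so stop after handling one instead of waiting for application data` states the intent, assuming that is what try_once controls (its definition and consumer are outside the hunk). It is also worth confirming that leaving try_once untouched in the adjacent `Certificate` branch is deliberate, since that branch handles the other message a min==0 read is meant to drive. readAsync begins before and continues after this hunk.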