Merge pull request #380 from tomato42/pha-determinism

fix PHA with KeyUpdate with HTTP
tlsfuzzer · Dec 11, 2019 · f119252 · f119252
2 parents ed727a7 + ee4695c
commit f119252
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 0 deletions.
diff --git a/tests/tlstest.py b/tests/tlstest.py
@@ -723,6 +723,25 @@ def connect():
 
     test_no += 1
 
+    print("Test {0} - good mutual X.509, PHA and KeyUpdate, TLSv1.3".format(test_no))
+    synchro.recv(1)
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.minVersion = (3, 4)
+    settings.maxVersion = (3, 4)
+    connection.handshakeClientCert(x509Chain, x509Key, settings=settings)
+    for result in connection.send_keyupdate_request(
+            KeyUpdateMessageType.update_requested):
+        assert result in (0, 1)
+    synchro.recv(1)
+    b = connection.read(0, 0)
+    assert b == b''
+    testConnClient(connection)
+    assert(isinstance(connection.session.serverCertChain, X509CertChain))
+    connection.close()
+
+    test_no += 1
+
     print("Test {0} - mutual X.509, PHA, no client cert, TLSv1.3".format(test_no))
     synchro.recv(1)
     connection = connect()
@@ -1995,6 +2014,27 @@ def connect():
 
     test_no += 1
 
+    print("Test {0} - good mutual X.509, PHA and KeyUpdate, TLSv1.3".format(test_no))
+    synchro.send(b'R')
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.minVersion = (3, 4)
+    settings.maxVersion = (3, 4)
+    connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
+                               settings=settings)
+    assert connection.session.clientCertChain is None
+    for result in connection.request_post_handshake_auth(settings):
+        assert result in (0, 1)
+    synchro.send(b'R')
+    assert connection.read(0, 0) == b''
+    assert connection.session.clientCertChain is not None
+    assert isinstance(connection.session.clientCertChain, X509CertChain)
+    testConnServer(connection)
+
+    connection.close()
+
+    test_no += 1
+
     print("Test {0} - mutual X.509, PHA, no client cert, TLSv1.3".format(test_no))
     synchro.send(b'R')
     connection = connect()

diff --git a/tlslite/tlsrecordlayer.py b/tlslite/tlsrecordlayer.py
@@ -357,6 +357,9 @@ def readAsync(self, max=None, min=1):
                     elif isinstance(result, KeyUpdate):
                         for result in self._handle_keyupdate_request(result):
                             yield result
+                        # KeyUpdate messages are not solicited, while call with
+                        # min==0 are done to perform PHA
+                        try_once = True
                     elif isinstance(result, Certificate):
                         for result in self._handle_srv_pha(result):
                             yield result