[gnutls-devel] GnuTLS | Impossible to test post handshake authentication with tlsfuzzer (#868)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Wed Dec 4 17:05:33 CET 2019



Hubert Kario (@mention me if you need reply) created an issue: https://gitlab.com/gnutls/gnutls/issues/868



I was testing a new tlsfuzzer script for PHA and it doesn't look to me like it is possible to test PHA with a single script against one instance of GnuTLS.

https://github.com/tomato42/tlsfuzzer/pull/551

I executed the script with 
```
--query '**REAUTH**
' --pha-as-reply
```
options set, and started `gnutls-serv` with `--echo`.

While executing the 'post-handshake authentication' script works as expected, even multiple times, any other conversation, including 'post-handshake authentication with no client cert', results in an abort from the server:
```
|<3>| ASSERT: buffers.c[_gnutls_io_read_buffered]:589
|<3>| ASSERT: tls13/certificate.c[_gnutls13_recv_certificate]:59
|<3>| ASSERT: buffers.c[get_last_packet]:1168
|<3>| ASSERT: buffers.c[_gnutls_io_read_buffered]:589
|<3>| ASSERT: tls13/certificate.c[_gnutls13_recv_certificate]:59
|<3>| ASSERT: buffers.c[get_last_packet]:1168
|<5>| REC[0xcad710]: SSL 3.3 Application Data packet received. Epoch 2, length: 37
|<5>| REC[0xcad710]: Expected Packet Handshake(22)
|<5>| REC[0xcad710]: Received Packet Application Data(23) with length: 37
|<5>| REC[0xcad710]: Decrypted Packet[1] Handshake(22) with length: 20
|<4>| HSK[0xcad710]: CERTIFICATE (11) was received. Length 16[16], frag offset 0, frag length: 16, sequence: 0
|<4>| HSK[0xcad710]: parsing certificate message
|<3>| ASSERT: tls13/certificate.c[parse_cert_list]:407
|<3>| ASSERT: tls13/certificate.c[_gnutls13_recv_certificate]:110
|<3>| ASSERT: tls13/post_handshake.c[_gnutls13_reauth_server]:175
reauth: Certificate is required.
$ 
```

and no Alert sent to client:
```
Error encountered while processing node ExpectNewSessionTicket(note='second set') (child: ExpectNewSessionTicket(note='second set')) with last message being: None
Error while processing
Traceback (most recent call last):
  File "scripts/test-tls13-post-handshake-auth.py", line 446, in main
    runner.run()
  File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/runner.py", line 221, in run
    "Unexpected closure from peer")
AssertionError: Unexpected closure from peer
```


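The server log above records the client's post-handshake Certificate message as a 37-byte Application Data record that decrypts to a 20-byte Handshake message carrying a 16-byte CERTIFICATE body, which the server then rejects with "Certificate is required". The following Python script is an added example, not code from the report or from GnuTLS or tlsfuzzer: it builds and parses a TLS 1.3 Certificate message (RFC 8446 section 4.4.2), reproduces the length arithmetic that ties those three log lines together, and models the server-side decision on an empty certificate_list. The 12-byte certificate_request_context is an assumption derived from the logged lengths (16 bytes of body minus 1 byte of context length minus 3 bytes of list length), and the sample context bytes are constructed, not taken from any capture.

```python
import struct

# TLS record content types and handshake types used below
HANDSHAKE = 22
APPLICATION_DATA = 23
CERTIFICATE = 11
AEAD_TAG_LEN = 16  # tag length for AES-GCM and ChaCha20-Poly1305 in TLS 1.3


def build_certificate_msg(request_context: bytes, cert_list) -> bytes:
    """Serialise a TLS 1.3 Certificate handshake message.

    cert_list holds raw DER certificates; every CertificateEntry gets an
    empty extensions block.  An empty cert_list yields the message a
    client sends when it has no certificate to present (RFC 8446 4.4.2).
    """
    entries = b"".join(
        len(c).to_bytes(3, "big") + c + (0).to_bytes(2, "big") for c in cert_list
    )
    body = (
        bytes([len(request_context)])
        + request_context
        + len(entries).to_bytes(3, "big")
        + entries
    )
    # Handshake header: 1-byte type + 3-byte length
    return bytes([CERTIFICATE]) + len(body).to_bytes(3, "big") + body


def parse_certificate_msg(msg: bytes):
    """Return (certificate_request_context, [der_cert, ...]) or raise ValueError."""
    if len(msg) < 4 or msg[0] != CERTIFICATE:
        raise ValueError("not a Certificate handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    ctx_len = body[0]
    ctx = body[1:1 + ctx_len]
    pos = 1 + ctx_len
    list_len = int.from_bytes(body[pos:pos + 3], "big")
    pos += 3
    end = pos + list_len
    if end != len(body):
        raise ValueError("certificate_list length does not match body length")
    certs = []
    while pos < end:
        clen = int.from_bytes(body[pos:pos + 3], "big")
        pos += 3
        certs.append(body[pos:pos + clen])
        pos += clen
        ext_len = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2 + ext_len  # per-certificate extensions are skipped here
    if pos != end:
        raise ValueError("malformed CertificateEntry")
    return ctx, certs


def inner_plaintext_len(handshake_msg: bytes) -> int:
    """TLSInnerPlaintext = content || real content type (1 byte), no padding assumed."""
    return len(handshake_msg) + 1


def encrypted_record(handshake_msg: bytes) -> bytes:
    """Outer TLSCiphertext header as seen on the wire: opaque type 23, legacy
    version 0x0303 ('SSL 3.3' in the log), ciphertext length.  The encrypted
    payload is stood in for by zero bytes of the right size."""
    ct_len = inner_plaintext_len(handshake_msg) + AEAD_TAG_LEN
    return bytes([APPLICATION_DATA]) + b"\x03\x03" + struct.pack("!H", ct_len) + bytes(ct_len)


def record_payload_len(record: bytes) -> int:
    return struct.unpack("!H", record[3:5])[0]


def server_reauth_decision(msg: bytes, cert_required: bool = True) -> str:
    """Model of the server-side check: a reauth request that must be answered
    with a certificate cannot be satisfied by an empty certificate_list."""
    _ctx, certs = parse_certificate_msg(msg)
    if not certs and cert_required:
        return "reauth: Certificate is required."
    return "certificate present"


# Constructed sample: a 12-byte context (length inferred from the log, see lead-in)
SAMPLE_CONTEXT = bytes(range(12))
EMPTY_CERT_MSG = build_certificate_msg(SAMPLE_CONTEXT, [])

if __name__ == "__main__":
    print("handshake message length:", len(EMPTY_CERT_MSG))          # 20
    print("certificate body length:", len(EMPTY_CERT_MSG) - 4)        # 16
    print("record payload length:", record_payload_len(encrypted_record(EMPTY_CERT_MSG)))  # 37
    print(server_reauth_decision(EMPTY_CERT_MSG))
```

The arithmetic only works out with an empty certificate_list and a 12-byte context; a one-certificate message would be hundreds of bytes. The model stops at the server's decision, which is the point the report makes: it says nothing about whether an alert follows, because in the observed run none did.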
