[gnutls-devel] GnuTLS | decode_error with a very big compress certificate message (#1594)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Wed Oct 16 11:45:20 CEST 2024



George Pantelakis created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1594



## Description of problem:
When we have a very big compressed certificate message then we get a decode_error from the server but the message has the correct format. The message should pass the decoding error and pass. For example, if we have the message "0x19 + 0x4c4b48 + 0x0001 + 0x000fff + 0x4c4b40 + (5000000 * 0x00)", which is a valid message according to RFC, it should be decoded correctly and then sent back a bad_certificate alert since the compressed message cannot be decompressed.

## Version of gnutls used:
gnutls-3.8.7

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
RHEL and Fedora

## How reproducible:
Always

Steps to Reproduce:

 * Run https://github.com/tlsfuzzer/tlsfuzzer/blob/master/scripts/test-tls13-client-certificate-compression.py with "--random-fuzz-size 5" against a GnuTLS server.

## Actual results:
Tests "fuzzing of * bytes" from test-tls13-client-certificate-compression.py fail

## Expected results:
Tests "fuzzing of * bytes" from test-tls13-client-certificate-compression.py should pass

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1594
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20241016/dbaa231d/attachment.html>


More information about the Gnutls-devel mailing list