[gnutls-devel] GnuTLS | padded compressed certificate extension doesn't throw an error (#1586)

[Read-only notification of GnuTLS library development activities]

George Pantelakis created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1586



## Description of problem:
When support for the compressed certificate is negotiated. If we send the clientHello and extension for the compressed certificate that has some bytes in the end, the server continues the handshake instead of throwing an error. This extra bytes are reflected in the overall handshake size but not to the length of the list that has the compression algorithms.

For example if we have the length of the list set to 4 bytes (2 compression algorithms of 2 bytes) and we send in the list 6 bytes (3 compression algorithms of 2 bytes) then we expect to have a decode error, since we have unmet bytes, but the server continues the handshake.  

## Version of gnutls used:
gnutls-3.8.7

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
RHEL and Fedora

## How reproducible:
Always

Steps to Reproduce:

 * Run https://github.com/tlsfuzzer/tlsfuzzer/blob/master/scripts/test-tls13-certificate-compression.py against an GnuTLS server.

## Actual results:
Tests "padded extension" from test-tls13-client-certificate-compression.py fail

## Expected results:
Tests "padded extension" from test-tls13-client-certificate-compression.py should pass

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1586
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20240927/1553ac09/attachment-0001.html>