[gnutls-devel] GnuTLS | RFC7250 certificate type negotiation (!498)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Thu Aug 16 18:32:34 CEST 2018


Nikos Mavrogiannopoulos commented on a discussion on lib/ext/server_cert_type.c:

> +			_gnutls_session_server_cert_type_set(session, cert_type);
> +			ret = GNUTLS_E_SUCCESS;
> +		} else {
> +			// No valid cert type found
> +			ret = GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
> +		}
> +
> +		// Clean-up
> +		_gnutls_free_datum(&cert_types);
> +
> +		return ret;
> +
> +	} else		// server mode
> +	{
> +		// Compare packet length with expected packet length.
> +		DECR_LEN(len, 1);
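
Review bot: the comment above `DECR_LEN(len, 1);` in the server-mode branch says the packet length is only compared, while the macro name indicates that `len` is also decremented by one byte. Reword the comment to say that one byte is consumed after the length check, so readers do not misjudge the value of `len` in the code that follows. The branch layout is also inconsistent within this hunk: the error path uses `} else {` on one line, but the server-mode branch puts `{` on its own line after `} else // server mode`. Use one form for both.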

The problem is that you cannot do that. The PSK extension must be sent last according to TLS 1.3, and the order of parsing and sending is determined by the order in that structure. The preshared key extension has parse type `GNUTLS_EXT_TLS`, which is the type to be parsed last from the "exported" parse types. However, there is the type `_GNUTLS_EXT_TLS_POST_CS`, which is used by internal extensions and is parsed after the `EXT_TLS` type by `read_client_hello`. Would that work?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/498#note_94961005
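
The ordering rule the message relies on (RFC 8446 requires `pre_shared_key` to be the last ClientHello extension) can be checked on the wire as follows. This is an added example, not GnuTLS code and not part of the original message; the function name, return codes and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXT_PRE_SHARED_KEY 41	/* RFC 8446 ExtensionType pre_shared_key */

enum { PSK_ABSENT = 0, PSK_LAST = 1, PSK_NOT_LAST = -1, EXT_MALFORMED = -2 };

/* Walk a ClientHello extensions block (the bytes after its 2-byte total
 * length). Each entry is type(2) | length(2) | data(length). */
static int check_psk_is_last(const uint8_t *p, size_t len)
{
	int seen_psk = 0;

	while (len > 0) {
		uint16_t type;
		size_t elen;

		if (len < 4)
			return EXT_MALFORMED;	/* truncated entry header */
		type = (uint16_t)((p[0] << 8) | p[1]);
		elen = ((size_t)p[2] << 8) | p[3];
		p += 4;
		len -= 4;
		if (elen > len)
			return EXT_MALFORMED;	/* body runs past the block */
		if (seen_psk)
			return PSK_NOT_LAST;	/* an entry follows pre_shared_key */
		if (type == EXT_PRE_SHARED_KEY)
			seen_psk = 1;
		p += elen;
		len -= elen;
	}
	return seen_psk ? PSK_LAST : PSK_ABSENT;
}

/* Constructed samples: server_name (type 0) and pre_shared_key, dummy bodies. */
static const uint8_t sample_ok[] = { 0x00, 0x00, 0x00, 0x01, 0xaa,
				     0x00, 0x29, 0x00, 0x02, 0xbb, 0xcc };
static const uint8_t sample_bad[] = { 0x00, 0x29, 0x00, 0x02, 0xbb, 0xcc,
				      0x00, 0x00, 0x00, 0x01, 0xaa };

int main(void)
{
	printf("ok=%d bad=%d\n", check_psk_is_last(sample_ok, sizeof sample_ok),
	       check_psk_is_last(sample_bad, sizeof sample_bad));
	return 0;
}
```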