search

eduardsui / tlse

Single C file TLS 1.2/1.3 implementation, using tomcrypt as crypto library
Other
535 stars 87 forks source link

certificate_verify() is not called when using a TSL 1.3 client #61

Closed gurtlerc closed 3 years ago

gurtlerc commented 3 years ago

Using the sample applications tlsclienthello and tlssimple server I set the tlsclienthello to use TLS 1.3 on line 104 and when I ran the application it all worked fine, except validate_certificate() was not called. After debuging the application I found that CHECK_SIZE on line 6766 fails in the function tls_parse_certificate() which results in no certificates being loaded into the context. The value in size_of_all_certificates is 1 greater than buf_len - res so it fails with a need more data error. I changed the way the validation is done with the following code which ends up loading the certificates.

int size = size_of_all_certificates;

ifdef WITH_TLS_13

if ((context->version == TLS_V13) || (context->version == DTLS_V13)) {
    int context_size = buf[res];
    res++;
    size--;
    // must be 0
    if (context_size)
        res += context_size;
}

endif

CHECK_SIZE(size, buf_len - res, TLS_NEED_MORE_DATA);

After the call to tls_parse_certificate() completes I had to change the function tls_parse_payload() as follows because certificate_verify() was not called due to context->is_server being 0.

ifdef WITH_TLS_13

            if ((context->version == TLS_V13) || (context->version == DTLS_V13)) {
                if (context->connection_status == 2) {
                    payload_res = tls_parse_certificate(context, buf + 1, payload_size, context->is_server);
                    if (context->is_server) {
                        if ((certificate_verify) && (context->client_certificates_count))
                            certificate_verify_alert = certificate_verify(context, context->client_certificates, context->client_certificates_count);
                        // empty certificates are permitted for client
                        if (payload_res <= 0)
                            payload_res = 1;
                    }
                    else {
                        if ((certificate_verify) && (context->certificates_count))
                            certificate_verify_alert = certificate_verify(context, context->certificates, context->certificates_count);
                    }
                } else
                    payload_res = TLS_UNEXPECTED_MESSAGE;
            } else

endif

eduardsui commented 3 years ago

Thank you, it should be fine now.