Skip to content

Commit

Permalink
Revert Workaround TLS fragmented records but keep invalid UTF check
Browse files Browse the repository at this point in the history
  • Loading branch information
aitorvs committed Nov 29, 2023
1 parent b6ebf5d commit 478946d
Show file tree
Hide file tree
Showing 3 changed files with 43 additions and 30 deletions.
41 changes: 22 additions & 19 deletions src/netguard/tls_parser.c
Original file line number Diff line number Diff line change
Expand Up @@ -70,18 +70,19 @@ static int parse_tls_server_name(const uint8_t *data, const size_t data_len, cha
}

/* TLS record length */
// uint16_t len = ((size_t)data[3] << 8) + (size_t)data[4] + TLS_HEADER_LEN;
size_t len = ntohs(*((uint16_t *) (data + 3))) + TLS_HEADER_LEN;
log_print(PLATFORM_LOG_PRIORITY_INFO, "data len %d, record len %d\n", data_len, len);
// data_len = MIN(len, data_len);
if (data_len < len) {
// purposely don't return as we have checks later on
log_print(PLATFORM_LOG_PRIORITY_WARN, "TLS data length smaller than expected, proceed anyways");
}

/* handshake */
size_t pos = TLS_HEADER_LEN;
if (pos + 1 > data_len) {
return -5;
}
// if (pos + 1 > data_len) {
// return -5;
// }

if (data[pos] != 0x1) {
// not a client hello
Expand All @@ -98,17 +99,18 @@ static int parse_tls_server_name(const uint8_t *data, const size_t data_len, cha
pos += 38;

// Session ID
if (pos + 1 > data_len) return -7;
// if (pos + 1 > data_len) return -7;
len = (size_t)data[pos];
pos += 1 + len;

/* Cipher Suites */
if (pos + 2 > data_len) return -8;
// if (pos + 2 > data_len) return -8;
// len = ((size_t)data[pos] << 8) + (size_t)data[pos + 1];
len = ntohs(*((uint16_t *) (data + pos)));
pos += 2 + len;

/* Compression Methods */
if (pos + 1 > data_len) return -9;
// if (pos + 1 > data_len) return -9;
len = (size_t)data[pos];
pos += 1 + len;

Expand All @@ -118,17 +120,16 @@ static int parse_tls_server_name(const uint8_t *data, const size_t data_len, cha
}

/* Extensions */
if (pos + 2 > data_len) {
return -11;
}
// if (pos + 2 > data_len) {
// return -11;
// }
// len = ((size_t)data[pos] << 8) + (size_t)data[pos + 1];
len = ntohs(*((uint16_t *) (data + pos)));
pos += 2;

if (pos + len > data_len) {
// Possibly a TLS fragmented record, continue anyways to see if we find SNI in the fragment
log_print(PLATFORM_LOG_PRIORITY_WARN, "Out of bounds at extensions length, pos(%d) + len(%d) > data_len(%d)", pos, len, data_len);
// if (pos + len > data_len) {
// return -12;
}
// }
return parse_extensions(data + pos, len, server_name);
}

Expand All @@ -139,14 +140,15 @@ static int parse_extensions(const uint8_t *data, size_t data_len, char *hostname
/* Parse each 4 bytes for the extension header */
while (pos + 4 <= data_len) {
/* Extension Length */
// len = ((size_t)data[pos + 2] << 8) +(size_t)data[pos + 3];
len = ntohs(*((uint16_t *) (data + pos + 2)));

/* Check if it's a server name extension */
if (data[pos] == 0x00 && data[pos + 1] == 0x00) {
/* There can be only one extension of each type, so we break
our state and move p to beinnging of the extension here */
if (pos + 4 + len > data_len)
return -20;
// if (pos + 4 + len > data_len)
// return -20;
return parse_server_name_extension(data + pos + 4, len, hostname);
}
pos += 4 + len; /* Advance to the next extension header */
Expand All @@ -163,11 +165,12 @@ static int parse_server_name_extension(const uint8_t *data, size_t data_len, cha
size_t len;

while (pos + 3 < data_len) {
// len = ((size_t)data[pos + 1] << 8) + (size_t)data[pos + 2];
len = ntohs(*((uint16_t *) (data + pos + 1)));

if (pos + 3 + len > data_len) {
return -30;
}
// if (pos + 3 + len > data_len) {
// return -30;
// }

switch (data[pos]) { /* name type */
case 0x00: /* host_name */
Expand Down
5 changes: 4 additions & 1 deletion src/test/stubs.c
Original file line number Diff line number Diff line change
@@ -1,3 +1,6 @@
#include <string.h>

int is_valid_utf8(const char *str) {
return 1;
const char pattern[] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0};
return strcmp((char*)pattern, str) != 0;
}
27 changes: 17 additions & 10 deletions src/test/test_tls.c
Original file line number Diff line number Diff line change
Expand Up @@ -376,14 +376,14 @@ const unsigned char bad_data_3[] = {
0x16, 0x03, 0x01, 0x00
};

const unsigned char bad_data_4[] = {
const unsigned char sni_invalid_utf[] = {
// TLS record
0x16, // Content Type: Handshake
0x03, 0x01, // Version: TLS 1.0
0x00, 0x48, // Length
0x00, 0x47, // Length
// Handshake
0x01, // Handshake Type: Client Hello
0x00, 0x00, 0x42, // Length
0x00, 0x00, 0x41, // Length
0x03, 0x03, // Version: TLS 1.2
// Random
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
Expand All @@ -396,19 +396,18 @@ const unsigned char bad_data_4[] = {
0x00, 0xff, // RENEGOTIATION INFO SCSV
0x01, // Compression Methods
0x00, // NULL
0x00, 0x17, // Extensions Length
0x00, 0x16, // Extensions Length
// Extension
0x00, 0x00, // Extension Type: Server Name
0x00, 0x0e, // Length
0x00, 0x0c, // Server Name Indication Length
0x00, // Server Name Type: host_name
0x00, 0x09, // Length
// "localhost"
0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
// Extension
0x00, 0x0f, // Extension Type: Heart Beat
0x00, 0x01, // Length
0x01 // Mode: Peer allows to send requests
0x00, 0x23, // Extension Type: Session Ticket TLS
0x00, 0x00, // Length
};

const unsigned char wrong_sni_length[] = {
Expand Down Expand Up @@ -569,7 +568,7 @@ int main() {
error = get_server_name(pkt, sizeof(bad_data_2), pkt, sn);
assert(strcmp("localhost", sn) != 0);
assert(strlen(sn) == 0);
assert(error == -30);
assert(error == -31);

pkt = (uint8_t *)bad_data_3;
memset(sn, 0, FQDN_LENGTH);
Expand All @@ -585,7 +584,7 @@ int main() {
error = get_server_name(pkt, sizeof(wrong_sni_length), pkt, sn);
assert(strcmp("localhost", sn) != 0);
assert(strlen(sn) == 0);
assert(error == -30);
assert(error == -33);

pkt = (uint8_t *)fragmentedSNI2;
memset(sn, 0, FQDN_LENGTH);
Expand All @@ -603,5 +602,13 @@ int main() {
assert(strlen(sn) == 9);
assert(error == 9);

pkt = (uint8_t *)sni_invalid_utf;
memset(sn, 0, FQDN_LENGTH);
*sn = 0;
error = get_server_name(pkt, sizeof(sni_invalid_utf), pkt, sn);
assert(strcmp("localhost", sn) != 0);
assert(strlen(sn) == 0);
assert(error == -34);

return 0;
}

0 comments on commit 478946d

Please sign in to comment.