From: kemal
Date: Sun, 17 Oct 2021 17:38:13 +0000
To: 9front@9front.org
Subject: [9front] libsec: fix bugs in tls extension handling
Reply-To: 9front@9front.org
List-ID: <9front.9front.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0000000000006b9e9d05ce8fe523"

--0000000000006b9e9d05ce8fe523
Content-Type: text/plain; charset="UTF-8"

hello,

this patch fixes bugs in tls extension handling:

1. if conn->serverName is an empty string, tlsClientExtensions
will generate a SNI with an empty hostname, which is forbidden
according to RFC 6066:

opaque HostName<1..2^16-1>;

check if conn->serverName has at least one char.

2. checkClientExtensions fails with clients that don't have
extensions, because it doesn't check if ext is nil. fix that
up.

3. rewrite checkClientExtensions. some parts of the code do
not check the length properly, and it could be simplified
heavily.

-kemal

--0000000000006b9e9d05ce8fe523
Content-Type: text/plain; charset="US-ASCII"; name="patch.txt"
Content-Disposition: attachment; filename="patch.txt"
Content-Transfer-Encoding: base64

--0000000000006b9e9d05ce8fe523--
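
The three checks the message describes (no extensions at all, every length bounded by what is left, no empty host_name in an SNI), as an added example in standard C. It is not the code from patch.txt or from libsec; `check_extensions`, `check_sni` and the sample byte strings are hypothetical names and constructed inputs.

```c
#include <stddef.h>
#include <stdint.h>

enum { EXT_SERVER_NAME = 0, NAME_HOST = 0 };	/* RFC 6066 code points */
static unsigned get16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }

/* ClientHello server_name body; a host_name entry must not be empty. */
static int check_sni(const uint8_t *p, size_t n)
{
	size_t namelen;
	if (n < 2 || get16(p) != n - 2 || n == 2)	/* list length must match, list not empty */
		return -1;
	for (p += 2, n -= 2; n > 0; p += namelen, n -= namelen) {
		if (n < 3)	/* NameType(1) + length(2) must fit */
			return -1;
		namelen = get16(p + 1);
		if (namelen > n - 3 || (p[0] == NAME_HOST && namelen == 0))
			return -1;
		p += 3, n -= 3;
	}
	return 0;
}

/* Returns the number of extensions, or -1 on an inconsistent length. */
int check_extensions(const uint8_t *ext, size_t len)
{
	size_t off = 0, n;
	int count = 0;

	if (ext == NULL)	/* hello without extensions: nothing to check */
		return 0;
	for (; off < len; off += 4 + n, count++) {
		if (len - off < 4)	/* type + length header must fit */
			return -1;
		n = get16(ext + off + 2);
		if (len - off - 4 < n)	/* body must fit in what is left */
			return -1;
		if (get16(ext + off) == EXT_SERVER_NAME && check_sni(ext + off + 4, n) < 0)
			return -1;
	}
	return count;
}

/* Constructed sample inputs (extension list without its outer 2-byte length). */
const uint8_t sample_ok[] = {0,0, 0,9, 0,7, 0, 0,4, 'a','.','i','o', 0,11, 0,2, 1,0};
const uint8_t sample_empty_host[] = {0,0, 0,5, 0,3, 0, 0,0};
const uint8_t sample_truncated[] = {0,10, 0,8, 0,6};

int main(void)
{
	return check_extensions(sample_ok, sizeof sample_ok) == 2 ? 0 : 1;
}
```
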