/src/gnutls/lib/ext/dumbfw.c

Source (jump to first uncovered line)
/*
 * Copyright (C) 2013-2018 Nikos Mavrogiannopoulos
 * Copyright (C) 2018 Red Hat, Inc.
 * 
 * This file is part of GnuTLS.
 *
 * The GnuTLS is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public License
 * as published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>
 *
 */

#include "gnutls_int.h"
#include "auth.h"
#include "errors.h"
#include "num.h"
#include "ext/dumbfw.h"

/* This extension adds additional padding data in the TLS client hello.
 * There is an issue with some firewalls [0] rejecting TLS client hello
 * data that are between 256 and 511 bytes, and this extension will
 * make sure that client hello isn't in this range.
 *
 * [0]. https://www.ietf.org/mail-archive/web/tls/current/msg10423.html
 */

static int _gnutls_dumbfw_send_params(gnutls_session_t session,
              gnutls_buffer_st *extdata);

const hello_ext_entry_st ext_mod_dumbfw = {
  .name = "ClientHello Padding",
  .tls_id = 21,
  .gid = GNUTLS_EXTENSION_DUMBFW,
  .client_parse_point = GNUTLS_EXT_APPLICATION,
  .server_parse_point = GNUTLS_EXT_APPLICATION,
  .validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_CLIENT_HELLO,
  .recv_func = NULL,
  .send_func = _gnutls_dumbfw_send_params,
  .pack_func = NULL,
  .unpack_func = NULL,
  .deinit_func = NULL,
  .cannot_be_overriden = 0
};

static int _gnutls_dumbfw_send_params(gnutls_session_t session,
              gnutls_buffer_st *extdata)
{
  int total_size = 0, ret;
  uint8_t pad[257];
  unsigned pad_size;
  ssize_t len = extdata->length - sizeof(mbuffer_st);

  if (session->security_parameters.entity == GNUTLS_SERVER ||
      session->internals.dumbfw == 0 || IS_DTLS(session) != 0 ||
      (len < 256 || len >= 512)) {
    return 0;
  } else {
    /* 256 <= extdata->length < 512 */
    pad_size = 512 - len;
    memset(pad, 0, pad_size);

    ret = gnutls_buffer_append_data(extdata, pad, pad_size);
    if (ret < 0)
      return gnutls_assert_val(ret);

    total_size += pad_size;
  }

  return total_size;
}

Coverage Report

Created: 2025-03-06 06:58

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright (C) 2013-2018 Nikos Mavrogiannopoulos
3		* Copyright (C) 2018 Red Hat, Inc.
4		*
5		* This file is part of GnuTLS.
6		*
7		* The GnuTLS is free software; you can redistribute it and/or
8		* modify it under the terms of the GNU Lesser General Public License
9		* as published by the Free Software Foundation; either version 2.1 of
10		* the License, or (at your option) any later version.
11		*
12		* This library is distributed in the hope that it will be useful, but
13		* WITHOUT ANY WARRANTY; without even the implied warranty of
14		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15		* Lesser General Public License for more details.
16		*
17		* You should have received a copy of the GNU Lesser General Public License
18		* along with this program. If not, see <https://www.gnu.org/licenses/>
19		*
20		*/
21
22		#include "gnutls_int.h"
23		#include "auth.h"
24		#include "errors.h"
25		#include "num.h"
26		#include "ext/dumbfw.h"
27
28		/* This extension adds additional padding data in the TLS client hello.
29		* There is an issue with some firewalls [0] rejecting TLS client hello
30		* data that are between 256 and 511 bytes, and this extension will
31		* make sure that client hello isn't in this range.
32		*
33		* [0]. https://www.ietf.org/mail-archive/web/tls/current/msg10423.html
34		*/
35
36		static int _gnutls_dumbfw_send_params(gnutls_session_t session,
37		gnutls_buffer_st *extdata);
38
39		const hello_ext_entry_st ext_mod_dumbfw = {
40		.name = "ClientHello Padding",
41		.tls_id = 21,
42		.gid = GNUTLS_EXTENSION_DUMBFW,
43		.client_parse_point = GNUTLS_EXT_APPLICATION,
44		.server_parse_point = GNUTLS_EXT_APPLICATION,
45		.validity = GNUTLS_EXT_FLAG_TLS \| GNUTLS_EXT_FLAG_CLIENT_HELLO,
46		.recv_func = NULL,
47		.send_func = _gnutls_dumbfw_send_params,
48		.pack_func = NULL,
49		.unpack_func = NULL,
50		.deinit_func = NULL,
51		.cannot_be_overriden = 0
52		};
53
54		static int _gnutls_dumbfw_send_params(gnutls_session_t session,
55		gnutls_buffer_st *extdata)
56	0	{
57	0	int total_size = 0, ret;
58	0	uint8_t pad[257];
59	0	unsigned pad_size;
60	0	ssize_t len = extdata->length - sizeof(mbuffer_st);
61
62	0	if (session->security_parameters.entity == GNUTLS_SERVER \|\|
63	0	session->internals.dumbfw == 0 \|\| IS_DTLS(session) != 0 \|\|
64	0	(len < 256 \|\| len >= 512)) {
65	0	return 0;
66	0	} else {
67		/* 256 <= extdata->length < 512 */
68	0	pad_size = 512 - len;
69	0	memset(pad, 0, pad_size);
70
71	0	ret = gnutls_buffer_append_data(extdata, pad, pad_size);
72	0	if (ret < 0)
73	0	return gnutls_assert_val(ret);
74
75	0	total_size += pad_size;
76	0	}
77
78	0	return total_size;
79	0	}