From 598c878d860bb6c0d6a0158542afe54575a327ce Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 28 Dec 2025 13:11:31 +0000
Subject: [PATCH 1/5] Initial plan
From c14d46fd68e48bad7605f0ea6ae422138014d96a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 28 Dec 2025 13:16:07 +0000
Subject: [PATCH 2/5] Fix Fake TLS (EE mode) not working with -D option Remove incorrect check that was rejecting 0xeeeeeeee tag when allow_only_tls flag is set. This allows EE mode (Fake-TLS + Padding) to work properly when -D domain option is specified.
Co-authored-by: dvershinin <250071+dvershinin@users.noreply.github.com>
---
 net/net-tcp-rpc-ext-server.c | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/net/net-tcp-rpc-ext-server.c b/net/net-tcp-rpc-ext-server.c
index 636bfc6..8ceb856 100644
--- a/net/net-tcp-rpc-ext-server.c
+++ b/net/net-tcp-rpc-ext-server.c
@@ -1315,10 +1315,6 @@ int tcp_rpcs_compact_parse_execute (connection_job_t C) {
 unsigned tag = *(unsigned *)(random_header + 56);
 if (tag == 0xdddddddd || ((tag == 0xeeeeeeee || tag == 0xefefefef) && !ext_rand_pad_only)) {
- if (tag != 0xdddddddd && allow_only_tls) {
- vkprintf (1, "Expected random padding mode\n");
- RETURN_TLS_ERROR(default_domain_info);
- }
 assert (rwm_skip_data (&c->in, 64) == 64);
 rwm_union (&c->in_u, &c->in);
 rwm_init (&c->in, 0);
From 926ec36cc25b77e28d97aebd56d22cb163eb0e9e Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 28 Dec 2025 13:24:25 +0000
Subject: [PATCH 3/5] Refine validation: reject DD mode when -D is used, allow EE/EF modes Instead of removing validation entirely, now properly validates that when -D (Fake-TLS) option is used: - DD mode (0xdddddddd - random padding only) is rejected - EE mode (0xeeeeeeee - Fake-TLS + Padding) is allowed - EF mode (0xefefefef - Fake-TLS compact) is allowed This maintains proper security validation while fixing the original bug.
Co-authored-by: dvershinin <250071+dvershinin@users.noreply.github.com>
---
 net/net-tcp-rpc-ext-server.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/net/net-tcp-rpc-ext-server.c b/net/net-tcp-rpc-ext-server.c
index 8ceb856..5e9b4eb 100644
--- a/net/net-tcp-rpc-ext-server.c
+++ b/net/net-tcp-rpc-ext-server.c
@@ -1315,6 +1315,10 @@ int tcp_rpcs_compact_parse_execute (connection_job_t C) {
 unsigned tag = *(unsigned *)(random_header + 56);
 if (tag == 0xdddddddd || ((tag == 0xeeeeeeee || tag == 0xefefefef) && !ext_rand_pad_only)) {
+ if (tag == 0xdddddddd && allow_only_tls) {
+ vkprintf (1, "Expected Fake-TLS mode (EE/EF), got random padding mode (DD)\n");
+ RETURN_TLS_ERROR(default_domain_info);
+ }
 assert (rwm_skip_data (&c->in, 64) == 64);
 rwm_union (&c->in_u, &c->in);
 rwm_init (&c->in, 0);
From e8e32d0ed0111d2f9c6c240b0526c866ef4f3402 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 28 Dec 2025 13:25:52 +0000
Subject: [PATCH 4/5] Complete: refined validation based on code review feedback
Co-authored-by: dvershinin <250071+dvershinin@users.noreply.github.com>
---
 _codeql_detected_source_root | 1 +
 1 file changed, 1 insertion(+)
 create mode 120000 _codeql_detected_source_root
diff --git a/_codeql_detected_source_root b/_codeql_detected_source_root
new file mode 120000
index 0000000..945c9b4
--- /dev/null
+++ b/_codeql_detected_source_root
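Review bot: In PATCH 3/5 (net/net-tcp-rpc-ext-server.c, tcp_rpcs_compact_parse_execute), the added guard `if (tag == 0xdddddddd && allow_only_tls)` is the exact inverse of the guard PATCH 2/5 removed (`tag != 0xdddddddd && allow_only_tls`, logged as "Expected random padding mode"), so with -D the only tag the old code accepted is now the only one refused. The old log message suggests 0xdddddddd was the header tag expected inside a Fake-TLS session, presumably because the `ee` of a client secret selects the TLS wrapper rather than the inner 64-byte header tag; if that holds, this change turns away genuine Fake-TLS clients while admitting 0xeeeeeeee/0xefefefef headers that TLS-only mode was meant to exclude. Nothing visible in the hunk ties acceptance to the connection having completed the TLS handshake, so the -D restriction should be decided from the connection's TLS state rather than from a client-chosen tag, and it should be verified against a real client capture before merging. Whichever rule is kept, document it above the guard, e.g. `/* -D: accept obfuscated headers only when they arrive inside a Fake-TLS stream */`. The function body starts and ends outside the hunk.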
@@ -0,0 +1 @@
+.
\ No newline at end of file
From cdc422aa3f9232152a615edb7e798ecfa8b97979 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 28 Dec 2025 13:26:21 +0000
Subject: [PATCH 5/5] Remove CodeQL artifact from repository
Co-authored-by: dvershinin <250071+dvershinin@users.noreply.github.com>
---
 .gitignore | 1 +
 _codeql_detected_source_root | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)
 delete mode 120000 _codeql_detected_source_root
diff --git a/.gitignore b/.gitignore
index e738d00..8a5600d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ dep
 .idea
 proxy-multi.conf
 proxy-secret
+_codeql_detected_source_root
diff --git a/_codeql_detected_source_root b/_codeql_detected_source_root
deleted file mode 120000
index 945c9b4..0000000
--- a/_codeql_detected_source_root
+++ /dev/null
@@ -1 +0,0 @@
-.
\ No newline at end of file