diff --git a/nfq/desync.c b/nfq/desync.c index f61d982..8090f5b 100644 --- a/nfq/desync.c +++ b/nfq/desync.c @@ -63,16 +63,6 @@ const uint8_t fake_tls_clienthello_default[648] = { 0x84,0x66,0x6b,0xec,0xc7,0xed,0xbc,0xe4 }; -static const char * tld[]={"com","org","net","edu","gov","biz"}; -void randomize_default_tls_payload(uint8_t *p) -{ - fill_random_bytes(p+11,32); - fill_random_bytes(p+44,32); - fill_random_az(p+125,1); - fill_random_az09(p+126,5); - memcpy(p+132,tld[random()%(sizeof(tld)/sizeof(*tld))],3); -} - #define PKTDATA_MAXDUMP 32 #define IP_MAXDUMP 80 @@ -613,6 +603,40 @@ static uint16_t IP4_IP_ID_FIX(const struct ip *ip) #endif +// fake_mod buffer must at least sizeof(desync_profile->fake_tls) +// size does not change +// return : true - altered, false - not altered +static bool runtime_tls_mod(const struct desync_profile *dp, size_t encap_len, uint8_t *fake_mod) +{ + bool b=false; + if (dp->fake_tls_mod & FAKE_TLS_MOD_PADENCAP) + { + size_t sz_rec = pntoh16(dp->fake_tls+3) + encap_len; + size_t sz_handshake = pntoh24(dp->fake_tls+6) + encap_len; + size_t sz_ext = pntoh16(dp->fake_tls+dp->fake_tls_extlen_offset) + encap_len; + size_t sz_pad = pntoh16(dp->fake_tls+dp->fake_tls_padlen_offset) + encap_len; + if ((sz_rec & ~0xFFFF) || (sz_handshake & ~0xFFFFFF) || (sz_ext & ~0xFFFF) || (sz_pad & ~0xFFFF)) + DLOG("cannot apply tls mod. length overflow.\n"); + else + { + memcpy(fake_mod,dp->fake_tls,dp->fake_tls_size); + phton16(fake_mod+3,(uint16_t)sz_rec); + phton24(fake_mod+6,(uint32_t)sz_handshake); + phton16(fake_mod+dp->fake_tls_extlen_offset,(uint16_t)sz_ext); + phton16(fake_mod+dp->fake_tls_padlen_offset,(uint16_t)sz_pad); + b=true; + } + } + if (dp->fake_tls_mod & FAKE_TLS_MOD_RND) + { + if (!b) memcpy(fake_mod,dp->fake_tls,dp->fake_tls_size); + fill_random_bytes(fake_mod+11,32); // random + fill_random_bytes(fake_mod+44,fake_mod[43]); // session id + b=true; + } + return b; +} + static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint32_t fwmark, const char *ifout, struct dissect *dis) { uint8_t verdict=VERDICT_PASS; @@ -856,6 +880,7 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint int i; uint16_t ip_id; t_l7proto l7proto = UNKNOWN; + uint8_t fake_mod[sizeof(dp->fake_tls)]; if (replay) { @@ -1149,7 +1174,7 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint fake_size = dp->fake_http_size; break; case TLS: - fake = dp->fake_tls; + fake = runtime_tls_mod(dp,rlen_payload,fake_mod) ? fake_mod : dp->fake_tls; fake_size = dp->fake_tls_size; break; default: diff --git a/nfq/helpers.h b/nfq/helpers.h index 5e8e80c..d8ede1a 100644 --- a/nfq/helpers.h +++ b/nfq/helpers.h @@ -51,6 +51,14 @@ static inline void phton16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = v & 0xFF; } +static inline uint32_t pntoh24(const uint8_t *p) { + return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | (uint32_t)p[2]; +} +static inline void phton24(uint8_t *p, uint32_t v) { + p[0] = (uint8_t)(v>>16); + p[1] = (uint8_t)(v>>8); + p[2] = (uint8_t)v; +} static inline uint32_t pntoh32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3]; } diff --git a/nfq/nfqws.c b/nfq/nfqws.c index fdd4712..ad792dc 100644 --- a/nfq/nfqws.c +++ b/nfq/nfqws.c @@ -914,6 +914,36 @@ static bool parse_ip_list(char *opt, ipset *pp) return true; } +static bool parse_tlsmod_list(char *opt, uint8_t *mod) +{ + char *e,*p,c; + + *mod &= FAKE_TLS_MOD_SAVE_MASK; + *mod |= FAKE_TLS_MOD_SET; + for (p=opt ; p ; ) + { + if ((e = strchr(p,','))) + { + c=*e; + *e=0; + } + + if (!strcmp(p,"rnd")) + *mod |= FAKE_TLS_MOD_RND; + else if (!strcmp(p,"rndsni")) + *mod |= FAKE_TLS_MOD_RND_SNI; + else if (!strcmp(p,"padencap")) + *mod |= FAKE_TLS_MOD_PADENCAP; + else if (strcmp(p,"none")) + return false; + + if (e) *e++=c; + p = e; + } + return true; +} + + static void split_compat(struct desync_profile *dp) { if (!dp->split_count) @@ -942,6 +972,97 @@ static void SplitDebug(void) } } +static const char * tld[]={"com","org","net","edu","gov","biz"}; +static void onetime_tls_mod(struct desync_profile *dp) +{ + const uint8_t *ext; + size_t extlen, slen; + + if (dp->n && !(dp->fake_tls_mod & (FAKE_TLS_MOD_SET|FAKE_TLS_MOD_CUSTOM_FAKE))) + dp->fake_tls_mod |= FAKE_TLS_MOD_RND|FAKE_TLS_MOD_RND_SNI; // old behavior compat + if (!(dp->fake_tls_mod & ~FAKE_TLS_MOD_SAVE_MASK)) + return; // nothing to do + if (!IsTLSClientHello(dp->fake_tls,dp->fake_tls_size,false)) + { + DLOG_ERR("profile %d tls mod set but tls fake structure invalid\n", dp->n); + exit_clean(1); + } + if (dp->fake_tls_mod & FAKE_TLS_MOD_PADENCAP) + { + if (!TLSFindExtLen(dp->fake_tls,dp->fake_tls_size,&dp->fake_tls_extlen_offset)) + { + DLOG_ERR("profile %d padencap set but tls fake structure invalid\n", dp->n); + exit_clean(1); + } + DLOG("profile %d fake tls extensions length offset : %zu\n", dp->n, dp->fake_tls_extlen_offset); + if (TLSFindExt(dp->fake_tls,dp->fake_tls_size,21,&ext,&extlen,false)) + { + if ((ext-dp->fake_tls+extlen)!=dp->fake_tls_size) + { + DLOG_ERR("profile %d fake tls padding ext is present but it's not at the end. padding ext offset %zu, padding ext size %zu, fake size %zu\n", dp->n, ext-dp->fake_tls, extlen, dp->fake_tls_size); + exit_clean(1); + } + dp->fake_tls_padlen_offset = ext-dp->fake_tls-2; + DLOG("profile %d fake tls padding ext is present, padding length offset %zu\n", dp->n, dp->fake_tls_padlen_offset); + } + else + { + if ((dp->fake_tls_size+4)>sizeof(dp->fake_tls)) + { + DLOG_ERR("profile %d fake tls padding is absent and there's not space to add it\n", dp->n); + exit_clean(1); + } + phton16(dp->fake_tls+dp->fake_tls_size,21); + dp->fake_tls_size+=2; + dp->fake_tls_padlen_offset=dp->fake_tls_size; + phton16(dp->fake_tls+dp->fake_tls_size,0); + dp->fake_tls_size+=2; + phton16(dp->fake_tls+dp->fake_tls_extlen_offset,pntoh16(dp->fake_tls+dp->fake_tls_extlen_offset)+4); + phton16(dp->fake_tls+3,pntoh16(dp->fake_tls+3)+4); // increase tls record len + phton24(dp->fake_tls+6,pntoh24(dp->fake_tls+6)+4); // increase tls handshake len + DLOG("profile %d fake tls padding is absent. added. padding ledgth offset %zu\n", dp->n, dp->fake_tls_padlen_offset); + } + } + if (dp->fake_tls_mod & FAKE_TLS_MOD_RND_SNI) + { + if (!TLSFindExt(dp->fake_tls,dp->fake_tls_size,0,&ext,&extlen,false) || !TLSAdvanceToHostInSNI(&ext,&extlen,&slen)) + { + DLOG_ERR("profile %d rndsni set but tls fake structure invalid or does not have SNI\n", dp->n); + exit_clean(1); + } + uint8_t *sni = dp->fake_tls + (ext - dp->fake_tls); + + char *s1=NULL, *s2=NULL; + if (params.debug) + { + if (s1 = malloc(slen+1)) + { + memcpy(s1,sni,slen); s1[slen]=0; + } + } + + fill_random_az(sni,1); + if (slen>=7) // domain name in SNI must be at least 3 chars long to enable xxx.tls randomization + { + fill_random_az09(sni+1,slen-5); + sni[slen-4] = '.'; + memcpy(sni+slen-3,tld[random()%(sizeof(tld)/sizeof(*tld))],3); + } + else if (slen>=1) + fill_random_az09(sni+1,slen-1); + + if (params.debug) + { + if (s1 && (s2 = malloc(slen+1))) + { + memcpy(s2,sni,slen); s2[slen]=0; + DLOG("profile %d generated random SNI : %s -> %s\n",dp->n,s1,s2); + } + free(s1); free(s2); + } + } +} + #ifdef __CYGWIN__ static bool wf_make_pf(char *opt, const char *l4, const char *portname, char *buf, size_t len) @@ -1160,6 +1281,7 @@ static void exithelp(void) " --dpi-desync-any-protocol=0|1\t\t\t; 0(default)=desync only http and tls 1=desync any nonempty data packet\n" " --dpi-desync-fake-http=|0xHEX\t; file containing fake http request\n" " --dpi-desync-fake-tls=|0xHEX\t\t; file containing fake TLS ClientHello (for https)\n" + " --dpi-desync-fake-tls-mod=mod[,mod]\t\t; comma list of TLS fake mods. available mods : none,rnd,rndsni,padencap\n" " --dpi-desync-fake-unknown=|0xHEX\t; file containing unknown protocol fake payload\n" " --dpi-desync-fake-syndata=|0xHEX\t; file containing SYN data payload\n" " --dpi-desync-fake-quic=|0xHEX\t; file containing fake QUIC Initial\n" @@ -1381,48 +1503,49 @@ int main(int argc, char **argv) {"dpi-desync-any-protocol",optional_argument,0,0},// optidx=36 {"dpi-desync-fake-http",required_argument,0,0},// optidx=37 {"dpi-desync-fake-tls",required_argument,0,0},// optidx=38 - {"dpi-desync-fake-unknown",required_argument,0,0},// optidx=39 - {"dpi-desync-fake-syndata",required_argument,0,0},// optidx=40 - {"dpi-desync-fake-quic",required_argument,0,0},// optidx=41 - {"dpi-desync-fake-wireguard",required_argument,0,0},// optidx=42 - {"dpi-desync-fake-dht",required_argument,0,0},// optidx=43 - {"dpi-desync-fake-unknown-udp",required_argument,0,0},// optidx=44 - {"dpi-desync-udplen-increment",required_argument,0,0},// optidx=45 - {"dpi-desync-udplen-pattern",required_argument,0,0},// optidx=46 - {"dpi-desync-cutoff",required_argument,0,0},// optidx=47 - {"dpi-desync-start",required_argument,0,0},// optidx=48 - {"hostlist",required_argument,0,0}, // optidx=49 - {"hostlist-domains",required_argument,0,0},// optidx=50 - {"hostlist-exclude",required_argument,0,0}, // optidx=51 - {"hostlist-exclude-domains",required_argument,0,0},// optidx=52 - {"hostlist-auto",required_argument,0,0}, // optidx=53 - {"hostlist-auto-fail-threshold",required_argument,0,0}, // optidx=54 - {"hostlist-auto-fail-time",required_argument,0,0}, // optidx=55 - {"hostlist-auto-retrans-threshold",required_argument,0,0}, // optidx=56 - {"hostlist-auto-debug",required_argument,0,0}, // optidx=57 - {"new",no_argument,0,0}, // optidx=58 - {"skip",no_argument,0,0}, // optidx=59 - {"filter-l3",required_argument,0,0}, // optidx=60 - {"filter-tcp",required_argument,0,0}, // optidx=61 - {"filter-udp",required_argument,0,0}, // optidx=62 - {"filter-l7",required_argument,0,0}, // optidx=63 - {"ipset",required_argument,0,0}, // optidx=64 - {"ipset-ip",required_argument,0,0}, // optidx=65 - {"ipset-exclude",required_argument,0,0},// optidx=66 - {"ipset-exclude-ip",required_argument,0,0}, // optidx=67 + {"dpi-desync-fake-tls-mod",required_argument,0,0},// optidx=39 + {"dpi-desync-fake-unknown",required_argument,0,0},// optidx=40 + {"dpi-desync-fake-syndata",required_argument,0,0},// optidx=41 + {"dpi-desync-fake-quic",required_argument,0,0},// optidx=42 + {"dpi-desync-fake-wireguard",required_argument,0,0},// optidx=43 + {"dpi-desync-fake-dht",required_argument,0,0},// optidx=44 + {"dpi-desync-fake-unknown-udp",required_argument,0,0},// optidx=45 + {"dpi-desync-udplen-increment",required_argument,0,0},// optidx=46 + {"dpi-desync-udplen-pattern",required_argument,0,0},// optidx=47 + {"dpi-desync-cutoff",required_argument,0,0},// optidx=48 + {"dpi-desync-start",required_argument,0,0},// optidx=49 + {"hostlist",required_argument,0,0}, // optidx=50 + {"hostlist-domains",required_argument,0,0},// optidx=51 + {"hostlist-exclude",required_argument,0,0}, // optidx=52 + {"hostlist-exclude-domains",required_argument,0,0},// optidx=53 + {"hostlist-auto",required_argument,0,0}, // optidx=54 + {"hostlist-auto-fail-threshold",required_argument,0,0}, // optidx=55 + {"hostlist-auto-fail-time",required_argument,0,0}, // optidx=56 + {"hostlist-auto-retrans-threshold",required_argument,0,0}, // optidx=57 + {"hostlist-auto-debug",required_argument,0,0}, // optidx=58 + {"new",no_argument,0,0}, // optidx=59 + {"skip",no_argument,0,0}, // optidx=60 + {"filter-l3",required_argument,0,0}, // optidx=61 + {"filter-tcp",required_argument,0,0}, // optidx=62 + {"filter-udp",required_argument,0,0}, // optidx=63 + {"filter-l7",required_argument,0,0}, // optidx=64 + {"ipset",required_argument,0,0}, // optidx=65 + {"ipset-ip",required_argument,0,0}, // optidx=66 + {"ipset-exclude",required_argument,0,0},// optidx=67 + {"ipset-exclude-ip",required_argument,0,0}, // optidx=68 #ifdef __linux__ - {"bind-fix4",no_argument,0,0}, // optidx=68 - {"bind-fix6",no_argument,0,0}, // optidx=69 + {"bind-fix4",no_argument,0,0}, // optidx=69 + {"bind-fix6",no_argument,0,0}, // optidx=70 #elif defined(__CYGWIN__) - {"wf-iface",required_argument,0,0}, // optidx=68 - {"wf-l3",required_argument,0,0}, // optidx=69 - {"wf-tcp",required_argument,0,0}, // optidx=70 - {"wf-udp",required_argument,0,0}, // optidx=71 - {"wf-raw",required_argument,0,0}, // optidx=72 - {"wf-save",required_argument,0,0}, // optidx=73 - {"ssid-filter",required_argument,0,0}, // optidx=74 - {"nlm-filter",required_argument,0,0}, // optidx=75 - {"nlm-list",optional_argument,0,0}, // optidx=76 + {"wf-iface",required_argument,0,0}, // optidx=69 + {"wf-l3",required_argument,0,0}, // optidx=70 + {"wf-tcp",required_argument,0,0}, // optidx=71 + {"wf-udp",required_argument,0,0}, // optidx=72 + {"wf-raw",required_argument,0,0}, // optidx=73 + {"wf-save",required_argument,0,0}, // optidx=74 + {"ssid-filter",required_argument,0,0}, // optidx=75 + {"nlm-filter",required_argument,0,0}, // optidx=76 + {"nlm-list",optional_argument,0,0}, // optidx=77 #endif {NULL,0,NULL,0} }; @@ -1825,39 +1948,47 @@ int main(int argc, char **argv) case 38: /* dpi-desync-fake-tls */ dp->fake_tls_size = sizeof(dp->fake_tls); load_file_or_exit(optarg,dp->fake_tls,&dp->fake_tls_size); + dp->fake_tls_mod |= FAKE_TLS_MOD_CUSTOM_FAKE; break; - case 39: /* dpi-desync-fake-unknown */ + case 39: /* dpi-desync-fake-tls-mod */ + if (!parse_tlsmod_list(optarg,&dp->fake_tls_mod)) + { + DLOG_ERR("Invalid tls mod : %s\n",optarg); + exit_clean(1); + } + break; + case 40: /* dpi-desync-fake-unknown */ dp->fake_unknown_size = sizeof(dp->fake_unknown); load_file_or_exit(optarg,dp->fake_unknown,&dp->fake_unknown_size); break; - case 40: /* dpi-desync-fake-syndata */ + case 41: /* dpi-desync-fake-syndata */ dp->fake_syndata_size = sizeof(dp->fake_syndata); load_file_or_exit(optarg,dp->fake_syndata,&dp->fake_syndata_size); break; - case 41: /* dpi-desync-fake-quic */ + case 42: /* dpi-desync-fake-quic */ dp->fake_quic_size = sizeof(dp->fake_quic); load_file_or_exit(optarg,dp->fake_quic,&dp->fake_quic_size); break; - case 42: /* dpi-desync-fake-wireguard */ + case 43: /* dpi-desync-fake-wireguard */ dp->fake_wg_size = sizeof(dp->fake_wg); load_file_or_exit(optarg,dp->fake_wg,&dp->fake_wg_size); break; - case 43: /* dpi-desync-fake-dht */ + case 44: /* dpi-desync-fake-dht */ dp->fake_dht_size = sizeof(dp->fake_dht); load_file_or_exit(optarg,dp->fake_dht,&dp->fake_dht_size); break; - case 44: /* dpi-desync-fake-unknown-udp */ + case 45: /* dpi-desync-fake-unknown-udp */ dp->fake_unknown_udp_size = sizeof(dp->fake_unknown_udp); load_file_or_exit(optarg,dp->fake_unknown_udp,&dp->fake_unknown_udp_size); break; - case 45: /* dpi-desync-udplen-increment */ + case 46: /* dpi-desync-udplen-increment */ if (sscanf(optarg,"%d",&dp->udplen_increment)<1 || dp->udplen_increment>0x7FFF || dp->udplen_increment<-0x8000) { DLOG_ERR("dpi-desync-udplen-increment must be integer within -32768..32767 range\n"); exit_clean(1); } break; - case 46: /* dpi-desync-udplen-pattern */ + case 47: /* dpi-desync-udplen-pattern */ { char buf[sizeof(dp->udplen_pattern)]; size_t sz=sizeof(buf); @@ -1865,21 +1996,21 @@ int main(int argc, char **argv) fill_pattern(dp->udplen_pattern,sizeof(dp->udplen_pattern),buf,sz); } break; - case 47: /* desync-cutoff */ + case 48: /* desync-cutoff */ if (!parse_cutoff(optarg, &dp->desync_cutoff, &dp->desync_cutoff_mode)) { DLOG_ERR("invalid desync-cutoff value\n"); exit_clean(1); } break; - case 48: /* desync-start */ + case 49: /* desync-start */ if (!parse_cutoff(optarg, &dp->desync_start, &dp->desync_start_mode)) { DLOG_ERR("invalid desync-start value\n"); exit_clean(1); } break; - case 49: /* hostlist */ + case 50: /* hostlist */ if (bSkip) break; if (!RegisterHostlist(dp, false, optarg)) { @@ -1887,7 +2018,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 50: /* hostlist-domains */ + case 51: /* hostlist-domains */ if (bSkip) break; if (!anon_hl && !(anon_hl=RegisterHostlist(dp, false, NULL))) { @@ -1900,7 +2031,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 51: /* hostlist-exclude */ + case 52: /* hostlist-exclude */ if (bSkip) break; if (!RegisterHostlist(dp, true, optarg)) { @@ -1908,7 +2039,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 52: /* hostlist-exclude-domains */ + case 53: /* hostlist-exclude-domains */ if (bSkip) break; if (!anon_hl_exclude && !(anon_hl_exclude=RegisterHostlist(dp, true, NULL))) { @@ -1921,7 +2052,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 53: /* hostlist-auto */ + case 54: /* hostlist-auto */ if (bSkip) break; if (dp->hostlist_auto) { @@ -1949,7 +2080,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 54: /* hostlist-auto-fail-threshold */ + case 55: /* hostlist-auto-fail-threshold */ dp->hostlist_auto_fail_threshold = (uint8_t)atoi(optarg); if (dp->hostlist_auto_fail_threshold<1 || dp->hostlist_auto_fail_threshold>20) { @@ -1957,7 +2088,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 55: /* hostlist-auto-fail-time */ + case 56: /* hostlist-auto-fail-time */ dp->hostlist_auto_fail_time = (uint8_t)atoi(optarg); if (dp->hostlist_auto_fail_time<1) { @@ -1965,7 +2096,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 56: /* hostlist-auto-retrans-threshold */ + case 57: /* hostlist-auto-retrans-threshold */ dp->hostlist_auto_retrans_threshold = (uint8_t)atoi(optarg); if (dp->hostlist_auto_retrans_threshold<2 || dp->hostlist_auto_retrans_threshold>10) { @@ -1973,7 +2104,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 57: /* hostlist-auto-debug */ + case 58: /* hostlist-auto-debug */ { FILE *F = fopen(optarg,"a+t"); if (!F) @@ -1987,7 +2118,7 @@ int main(int argc, char **argv) } break; - case 58: /* new */ + case 59: /* new */ if (bSkip) { dp_clear(dp); @@ -2009,18 +2140,18 @@ int main(int argc, char **argv) anon_hl = anon_hl_exclude = NULL; anon_ips = anon_ips_exclude = NULL; break; - case 59: /* skip */ + case 60: /* skip */ bSkip = true; break; - case 60: /* filter-l3 */ + case 61: /* filter-l3 */ if (!wf_make_l3(optarg,&dp->filter_ipv4,&dp->filter_ipv6)) { DLOG_ERR("bad value for --filter-l3\n"); exit_clean(1); } break; - case 61: /* filter-tcp */ + case 62: /* filter-tcp */ if (!parse_pf_list(optarg,&dp->pf_tcp)) { DLOG_ERR("Invalid port filter : %s\n",optarg); @@ -2030,7 +2161,7 @@ int main(int argc, char **argv) if (!port_filters_deny_if_empty(&dp->pf_udp)) exit_clean(1); break; - case 62: /* filter-udp */ + case 63: /* filter-udp */ if (!parse_pf_list(optarg,&dp->pf_udp)) { DLOG_ERR("Invalid port filter : %s\n",optarg); @@ -2040,14 +2171,14 @@ int main(int argc, char **argv) if (!port_filters_deny_if_empty(&dp->pf_tcp)) exit_clean(1); break; - case 63: /* filter-l7 */ + case 64: /* filter-l7 */ if (!parse_l7_list(optarg,&dp->filter_l7)) { DLOG_ERR("Invalid l7 filter : %s\n",optarg); exit_clean(1); } break; - case 64: /* ipset */ + case 65: /* ipset */ if (bSkip) break; if (!RegisterIpset(dp, false, optarg)) { @@ -2055,7 +2186,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 65: /* ipset-ip */ + case 66: /* ipset-ip */ if (bSkip) break; if (!anon_ips && !(anon_ips=RegisterIpset(dp, false, NULL))) { @@ -2068,7 +2199,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 66: /* ipset-exclude */ + case 67: /* ipset-exclude */ if (bSkip) break; if (!RegisterIpset(dp, true, optarg)) { @@ -2076,7 +2207,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 67: /* ipset-exclude-ip */ + case 68: /* ipset-exclude-ip */ if (bSkip) break; if (!anon_ips_exclude && !(anon_ips_exclude=RegisterIpset(dp, true, NULL))) { @@ -2092,28 +2223,28 @@ int main(int argc, char **argv) #ifdef __linux__ - case 68: /* bind-fix4 */ + case 69: /* bind-fix4 */ params.bind_fix4 = true; break; - case 69: /* bind-fix6 */ + case 70: /* bind-fix6 */ params.bind_fix6 = true; break; #elif defined(__CYGWIN__) - case 68: /* wf-iface */ + case 69: /* wf-iface */ if (!sscanf(optarg,"%u.%u",&IfIdx,&SubIfIdx)) { DLOG_ERR("bad value for --wf-iface\n"); exit_clean(1); } break; - case 69: /* wf-l3 */ + case 70: /* wf-l3 */ if (!wf_make_l3(optarg,&wf_ipv4,&wf_ipv6)) { DLOG_ERR("bad value for --wf-l3\n"); exit_clean(1); } break; - case 70: /* wf-tcp */ + case 71: /* wf-tcp */ hash_wf_tcp=hash_jen(optarg,strlen(optarg)); if (!wf_make_pf(optarg,"tcp","SrcPort",wf_pf_tcp_src,sizeof(wf_pf_tcp_src)) || !wf_make_pf(optarg,"tcp","DstPort",wf_pf_tcp_dst,sizeof(wf_pf_tcp_dst))) @@ -2122,7 +2253,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 71: /* wf-udp */ + case 72: /* wf-udp */ hash_wf_udp=hash_jen(optarg,strlen(optarg)); if (!wf_make_pf(optarg,"udp","SrcPort",wf_pf_udp_src,sizeof(wf_pf_udp_src)) || !wf_make_pf(optarg,"udp","DstPort",wf_pf_udp_dst,sizeof(wf_pf_udp_dst))) @@ -2131,7 +2262,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 72: /* wf-raw */ + case 73: /* wf-raw */ hash_wf_raw=hash_jen(optarg,strlen(optarg)); if (optarg[0]=='@') { @@ -2145,11 +2276,11 @@ int main(int argc, char **argv) windivert_filter[sizeof(windivert_filter) - 1] = '\0'; } break; - case 73: /* wf-save */ + case 74: /* wf-save */ strncpy(wf_save_file, optarg, sizeof(wf_save_file)); wf_save_file[sizeof(wf_save_file) - 1] = '\0'; break; - case 74: /* ssid-filter */ + case 75: /* ssid-filter */ hash_ssid_filter=hash_jen(optarg,strlen(optarg)); { char *e,*p = optarg; @@ -2167,7 +2298,7 @@ int main(int argc, char **argv) } } break; - case 75: /* nlm-filter */ + case 76: /* nlm-filter */ hash_nlm_filter=hash_jen(optarg,strlen(optarg)); { char *e,*p = optarg; @@ -2185,7 +2316,7 @@ int main(int argc, char **argv) } } break; - case 76: /* nlm-list */ + case 77: /* nlm-list */ if (!nlm_list(optarg && !strcmp(optarg,"all"))) { DLOG_ERR("could not get list of NLM networks\n"); @@ -2294,6 +2425,7 @@ int main(int argc, char **argv) if (AUTOTTL_ENABLED(dp->desync_autottl6)) DLOG("profile %d autottl ipv6 %u:%u-%u\n",dp->n,dp->desync_autottl6.delta,dp->desync_autottl6.min,dp->desync_autottl6.max); split_compat(dp); + onetime_tls_mod(dp); #ifndef __CYGWIN__ if (params.droproot && dp->hostlist_auto && chown(dp->hostlist_auto->filename, params.uid, -1)) DLOG_ERR("could not chown %s. auto hostlist file may not be writable after privilege drop\n", dp->hostlist_auto->filename); diff --git a/nfq/params.c b/nfq/params.c index 268c07c..2d6590e 100644 --- a/nfq/params.c +++ b/nfq/params.c @@ -186,7 +186,7 @@ void dp_init(struct desync_profile *dp) dp->desync_repeats = 1; dp->fake_tls_size = sizeof(fake_tls_clienthello_default); memcpy(dp->fake_tls,fake_tls_clienthello_default,dp->fake_tls_size); - randomize_default_tls_payload(dp->fake_tls); + dp->fake_tls_mod = 0; dp->fake_http_size = strlen(fake_http_request_default); memcpy(dp->fake_http,fake_http_request_default,dp->fake_http_size); dp->fake_quic_size = 620; // must be 601+ for TSPU hack diff --git a/nfq/params.h b/nfq/params.h index d556913..1008343 100644 --- a/nfq/params.h +++ b/nfq/params.h @@ -38,6 +38,13 @@ #define MAX_SPLITS 64 +#define FAKE_TLS_MOD_SAVE_MASK 0x0F +#define FAKE_TLS_MOD_SET 0x01 +#define FAKE_TLS_MOD_CUSTOM_FAKE 0x02 +#define FAKE_TLS_MOD_RND 0x10 +#define FAKE_TLS_MOD_RND_SNI 0x20 +#define FAKE_TLS_MOD_PADENCAP 0x40 + enum log_target { LOG_TARGET_CONSOLE=0, LOG_TARGET_FILE, LOG_TARGET_SYSLOG }; struct desync_profile @@ -66,9 +73,13 @@ struct desync_profile autottl desync_autottl, desync_autottl6; uint32_t desync_fooling_mode; uint32_t desync_badseq_increment, desync_badseq_ack_increment; - uint8_t fake_http[1460],fake_tls[1460],fake_unknown[1460],fake_syndata[1460],seqovl_pattern[1460],fsplit_pattern[1460]; + uint8_t fake_http[1460],fake_unknown[1460],fake_syndata[1460],seqovl_pattern[1460],fsplit_pattern[1460]; uint8_t fake_unknown_udp[1472],udplen_pattern[1472],fake_quic[1472],fake_wg[1472],fake_dht[1472]; - size_t fake_http_size,fake_tls_size,fake_quic_size,fake_wg_size,fake_dht_size,fake_unknown_size,fake_syndata_size,fake_unknown_udp_size; + size_t fake_http_size,fake_quic_size,fake_wg_size,fake_dht_size,fake_unknown_size,fake_syndata_size,fake_unknown_udp_size; + + uint8_t fake_tls[1460],fake_tls_mod; + size_t fake_tls_size, fake_tls_extlen_offset, fake_tls_padlen_offset; + int udplen_increment; bool filter_ipv4,filter_ipv6; diff --git a/nfq/protocol.c b/nfq/protocol.c index 3be2ad8..ec93dd7 100644 --- a/nfq/protocol.c +++ b/nfq/protocol.c @@ -373,6 +373,46 @@ bool IsTLSHandshakeFull(const uint8_t *data, size_t len) } +bool TLSFindExtLenOffsetInHandshake(const uint8_t *data, size_t len, size_t *off) +{ + // +0 + // u8 HandshakeType: ClientHello + // u24 Length + // u16 Version + // c[32] random + // u8 SessionIDLength + // + // u16 CipherSuitesLength + // + // u8 CompressionMethodsLength + // + // u16 ExtensionsLength + + size_t l; + + l = 1 + 3 + 2 + 32; + // SessionIDLength + if (len < (l + 1)) return false; + l += data[l] + 1; + // CipherSuitesLength + if (len < (l + 2)) return false; + l += pntoh16(data + l) + 2; + // CompressionMethodsLength + if (len < (l + 1)) return false; + l += data[l] + 1; + // ExtensionsLength + if (len < (l + 2)) return false; + *off = l; + return true; +} +bool TLSFindExtLen(const uint8_t *data, size_t len, size_t *off) +{ + if (!TLSFindExtLenOffsetInHandshake(data+5,len-5,off)) + return false; + *off+=5; + return true; +} + // bPartialIsOK=true - accept partial packets not containing the whole TLS message bool TLSFindExtInHandshake(const uint8_t *data, size_t len, uint16_t type, const uint8_t **ext, size_t *len_ext, bool bPartialIsOK) { @@ -393,18 +433,7 @@ bool TLSFindExtInHandshake(const uint8_t *data, size_t len, uint16_t type, const if (!bPartialIsOK && !IsTLSHandshakeFull(data,len)) return false; - l = 1 + 3 + 2 + 32; - // SessionIDLength - if (len < (l + 1)) return false; - l += data[l] + 1; - // CipherSuitesLength - if (len < (l + 2)) return false; - l += pntoh16(data + l) + 2; - // CompressionMethodsLength - if (len < (l + 1)) return false; - l += data[l] + 1; - // ExtensionsLength - if (len < (l + 2)) return false; + if (!TLSFindExtLenOffsetInHandshake(data,len,&l)) return false; data += l; len -= l; l = pntoh16(data); @@ -451,7 +480,7 @@ bool TLSFindExt(const uint8_t *data, size_t len, uint16_t type, const uint8_t ** if (reclen