nfqws: --dpi-desync-fake-tls-mod

nfq/desync.c

@@ -63,16 +63,6 @@ const uint8_t fake_tls_clienthello_default[648] = {
 0x84,0x66,0x6b,0xec,0xc7,0xed,0xbc,0xe4
 };
 
-static const char * tld[]={"com","org","net","edu","gov","biz"};
-void randomize_default_tls_payload(uint8_t *p)
-{
-	fill_random_bytes(p+11,32);
-	fill_random_bytes(p+44,32);
-	fill_random_az(p+125,1);
-	fill_random_az09(p+126,5);
-	memcpy(p+132,tld[random()%(sizeof(tld)/sizeof(*tld))],3);
-}
-
 #define PKTDATA_MAXDUMP 32
 #define IP_MAXDUMP 80
 
@@ -613,6 +603,40 @@ static uint16_t IP4_IP_ID_FIX(const struct ip *ip)
 #endif
 
 
+// fake_mod buffer must at least sizeof(desync_profile->fake_tls)
+// size does not change
+// return : true - altered, false - not altered
+static bool runtime_tls_mod(const struct desync_profile *dp, size_t encap_len, uint8_t *fake_mod)
+{
+	bool b=false;
+	if (dp->fake_tls_mod & FAKE_TLS_MOD_PADENCAP)
+	{
+		size_t sz_rec = pntoh16(dp->fake_tls+3) + encap_len;
+		size_t sz_handshake = pntoh24(dp->fake_tls+6) + encap_len;
+		size_t sz_ext = pntoh16(dp->fake_tls+dp->fake_tls_extlen_offset) + encap_len;
+		size_t sz_pad = pntoh16(dp->fake_tls+dp->fake_tls_padlen_offset) + encap_len;
+		if ((sz_rec & ~0xFFFF) || (sz_handshake & ~0xFFFFFF) || (sz_ext & ~0xFFFF) || (sz_pad & ~0xFFFF))
+			DLOG("cannot apply tls mod. length overflow.\n");
+		else
+		{
+			memcpy(fake_mod,dp->fake_tls,dp->fake_tls_size);
+			phton16(fake_mod+3,(uint16_t)sz_rec);
+			phton24(fake_mod+6,(uint32_t)sz_handshake);
+			phton16(fake_mod+dp->fake_tls_extlen_offset,(uint16_t)sz_ext);
+			phton16(fake_mod+dp->fake_tls_padlen_offset,(uint16_t)sz_pad);
+			b=true;
+		}
+	}
+	if (dp->fake_tls_mod & FAKE_TLS_MOD_RND)
+	{
+		if (!b)	memcpy(fake_mod,dp->fake_tls,dp->fake_tls_size);
+		fill_random_bytes(fake_mod+11,32); // random
+		fill_random_bytes(fake_mod+44,fake_mod[43]); // session id
+		b=true;
+	}
+	return b;
+}
+
 static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint32_t fwmark, const char *ifout, struct dissect *dis)
 {
 	uint8_t verdict=VERDICT_PASS;
@@ -856,6 +880,7 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 		int i;
 		uint16_t ip_id;
 		t_l7proto l7proto = UNKNOWN;
+		uint8_t fake_mod[sizeof(dp->fake_tls)];
 
 		if (replay)
 		{
@@ -1149,7 +1174,7 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 				fake_size = dp->fake_http_size;
 				break;
 			case TLS:
-				fake = dp->fake_tls;
+				fake = runtime_tls_mod(dp,rlen_payload,fake_mod) ? fake_mod : dp->fake_tls;
 				fake_size = dp->fake_tls_size;
 				break;
 			default:

nfq/helpers.h

@@ -51,6 +51,14 @@ static inline void phton16(uint8_t *p, uint16_t v) {
 	p[0] = (uint8_t)(v >> 8);
 	p[1] = v & 0xFF;
 }
+static inline uint32_t pntoh24(const uint8_t *p) {
+	return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | (uint32_t)p[2];
+}
+static inline void phton24(uint8_t *p, uint32_t v) {
+	p[0] = (uint8_t)(v>>16);
+	p[1] = (uint8_t)(v>>8);
+	p[2] = (uint8_t)v;
+}
 static inline uint32_t pntoh32(const uint8_t *p) {
 	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
 }

nfq/nfqws.c

@@ -914,6 +914,36 @@ static bool parse_ip_list(char *opt, ipset *pp)
 	return true;
 }
 
+static bool parse_tlsmod_list(char *opt, uint8_t *mod)
+{
+	char *e,*p,c;
+
+	*mod &= FAKE_TLS_MOD_SAVE_MASK;
+	*mod |= FAKE_TLS_MOD_SET;
+	for (p=opt ; p ; )
+	{
+		if ((e = strchr(p,',')))
+		{
+			c=*e;
+			*e=0;
+		}
+
+		if (!strcmp(p,"rnd"))
+			*mod |= FAKE_TLS_MOD_RND;
+		else if (!strcmp(p,"rndsni"))
+			*mod |= FAKE_TLS_MOD_RND_SNI;
+		else if (!strcmp(p,"padencap"))
+			*mod |= FAKE_TLS_MOD_PADENCAP;
+		else if (strcmp(p,"none"))
+			return false;
+
+		if (e) *e++=c;
+		p = e;
+	}
+	return true;
+}
+
+
 static void split_compat(struct desync_profile *dp)
 {
 	if (!dp->split_count)
@@ -942,6 +972,97 @@ static void SplitDebug(void)
 	}
 }
 
+static const char * tld[]={"com","org","net","edu","gov","biz"};
+static void onetime_tls_mod(struct desync_profile *dp)
+{
+	const uint8_t *ext;
+	size_t extlen, slen;
+
+	if (dp->n && !(dp->fake_tls_mod & (FAKE_TLS_MOD_SET|FAKE_TLS_MOD_CUSTOM_FAKE)))
+		dp->fake_tls_mod |= FAKE_TLS_MOD_RND|FAKE_TLS_MOD_RND_SNI; // old behavior compat
+	if (!(dp->fake_tls_mod & ~FAKE_TLS_MOD_SAVE_MASK))
+		return; // nothing to do
+	if (!IsTLSClientHello(dp->fake_tls,dp->fake_tls_size,false))
+	{
+		DLOG_ERR("profile %d tls mod set but tls fake structure invalid\n", dp->n);
+		exit_clean(1);
+	}
+	if (dp->fake_tls_mod & FAKE_TLS_MOD_PADENCAP)
+	{
+		if (!TLSFindExtLen(dp->fake_tls,dp->fake_tls_size,&dp->fake_tls_extlen_offset))
+		{
+			DLOG_ERR("profile %d padencap set but tls fake structure invalid\n", dp->n);
+			exit_clean(1);
+		}
+		DLOG("profile %d fake tls extensions length offset : %zu\n", dp->n, dp->fake_tls_extlen_offset);
+		if (TLSFindExt(dp->fake_tls,dp->fake_tls_size,21,&ext,&extlen,false))
+		{
+			if ((ext-dp->fake_tls+extlen)!=dp->fake_tls_size)
+			{
+				DLOG_ERR("profile %d fake tls padding ext is present but it's not at the end. padding ext offset %zu, padding ext size %zu, fake size %zu\n", dp->n, ext-dp->fake_tls, extlen, dp->fake_tls_size);
+				exit_clean(1);
+			}
+			dp->fake_tls_padlen_offset = ext-dp->fake_tls-2;
+			DLOG("profile %d fake tls padding ext is present, padding length offset %zu\n", dp->n, dp->fake_tls_padlen_offset);
+		}
+		else
+		{
+			if ((dp->fake_tls_size+4)>sizeof(dp->fake_tls))
+			{
+				DLOG_ERR("profile %d fake tls padding is absent and there's not space to add it\n", dp->n);
+				exit_clean(1);
+			}
+			phton16(dp->fake_tls+dp->fake_tls_size,21);
+			dp->fake_tls_size+=2;
+			dp->fake_tls_padlen_offset=dp->fake_tls_size;
+			phton16(dp->fake_tls+dp->fake_tls_size,0);
+			dp->fake_tls_size+=2;
+			phton16(dp->fake_tls+dp->fake_tls_extlen_offset,pntoh16(dp->fake_tls+dp->fake_tls_extlen_offset)+4);
+			phton16(dp->fake_tls+3,pntoh16(dp->fake_tls+3)+4); // increase tls record len
+			phton24(dp->fake_tls+6,pntoh24(dp->fake_tls+6)+4); // increase tls handshake len
+			DLOG("profile %d fake tls padding is absent. added. padding ledgth offset %zu\n", dp->n, dp->fake_tls_padlen_offset);
+		}
+	}
+	if (dp->fake_tls_mod & FAKE_TLS_MOD_RND_SNI)
+	{
+		if (!TLSFindExt(dp->fake_tls,dp->fake_tls_size,0,&ext,&extlen,false) || !TLSAdvanceToHostInSNI(&ext,&extlen,&slen))
+		{
+			DLOG_ERR("profile %d rndsni set but tls fake structure invalid or does not have SNI\n", dp->n);
+			exit_clean(1);
+		}
+		uint8_t *sni = dp->fake_tls + (ext - dp->fake_tls);
+
+		char *s1=NULL, *s2=NULL;
+		if (params.debug)
+		{
+			if (s1 = malloc(slen+1))
+			{
+				memcpy(s1,sni,slen); s1[slen]=0;
+			}
+		}
+
+		fill_random_az(sni,1);
+		if (slen>=7) // domain name in SNI must be at least 3 chars long to enable xxx.tls randomization
+		{
+			fill_random_az09(sni+1,slen-5);
+			sni[slen-4] = '.';
+			memcpy(sni+slen-3,tld[random()%(sizeof(tld)/sizeof(*tld))],3);
+		}
+		else if (slen>=1)
+			fill_random_az09(sni+1,slen-1);
+
+		if (params.debug)
+		{
+			if (s1 && (s2 = malloc(slen+1)))
+			{
+				memcpy(s2,sni,slen); s2[slen]=0;
+				DLOG("profile %d generated random SNI : %s -> %s\n",dp->n,s1,s2);
+			}
+			free(s1); free(s2);
+		}
+	}
+}
+
 
 #ifdef __CYGWIN__
 static bool wf_make_pf(char *opt, const char *l4, const char *portname, char *buf, size_t len)
@@ -1160,6 +1281,7 @@ static void exithelp(void)
 		" --dpi-desync-any-protocol=0|1\t\t\t; 0(default)=desync only http and tls  1=desync any nonempty data packet\n"
 		" --dpi-desync-fake-http=<filename>|0xHEX\t; file containing fake http request\n"
 		" --dpi-desync-fake-tls=<filename>|0xHEX\t\t; file containing fake TLS ClientHello (for https)\n"
+		" --dpi-desync-fake-tls-mod=mod[,mod]\t\t; comma list of TLS fake mods. available mods : none,rnd,rndsni,padencap\n"
 		" --dpi-desync-fake-unknown=<filename>|0xHEX\t; file containing unknown protocol fake payload\n"
 		" --dpi-desync-fake-syndata=<filename>|0xHEX\t; file containing SYN data payload\n"
 		" --dpi-desync-fake-quic=<filename>|0xHEX\t; file containing fake QUIC Initial\n"
@@ -1381,48 +1503,49 @@ int main(int argc, char **argv)
 		{"dpi-desync-any-protocol",optional_argument,0,0},// optidx=36
 		{"dpi-desync-fake-http",required_argument,0,0},// optidx=37
 		{"dpi-desync-fake-tls",required_argument,0,0},// optidx=38
-		{"dpi-desync-fake-unknown",required_argument,0,0},// optidx=39
+		{"dpi-desync-fake-tls-mod",required_argument,0,0},// optidx=39
-		{"dpi-desync-fake-syndata",required_argument,0,0},// optidx=40
+		{"dpi-desync-fake-unknown",required_argument,0,0},// optidx=40
-		{"dpi-desync-fake-quic",required_argument,0,0},// optidx=41
+		{"dpi-desync-fake-syndata",required_argument,0,0},// optidx=41
-		{"dpi-desync-fake-wireguard",required_argument,0,0},// optidx=42
+		{"dpi-desync-fake-quic",required_argument,0,0},// optidx=42
-		{"dpi-desync-fake-dht",required_argument,0,0},// optidx=43
+		{"dpi-desync-fake-wireguard",required_argument,0,0},// optidx=43
-		{"dpi-desync-fake-unknown-udp",required_argument,0,0},// optidx=44
+		{"dpi-desync-fake-dht",required_argument,0,0},// optidx=44
-		{"dpi-desync-udplen-increment",required_argument,0,0},// optidx=45
+		{"dpi-desync-fake-unknown-udp",required_argument,0,0},// optidx=45
-		{"dpi-desync-udplen-pattern",required_argument,0,0},// optidx=46
+		{"dpi-desync-udplen-increment",required_argument,0,0},// optidx=46
-		{"dpi-desync-cutoff",required_argument,0,0},// optidx=47
+		{"dpi-desync-udplen-pattern",required_argument,0,0},// optidx=47
-		{"dpi-desync-start",required_argument,0,0},// optidx=48
+		{"dpi-desync-cutoff",required_argument,0,0},// optidx=48
-		{"hostlist",required_argument,0,0},		// optidx=49
+		{"dpi-desync-start",required_argument,0,0},// optidx=49
-		{"hostlist-domains",required_argument,0,0},// optidx=50
+		{"hostlist",required_argument,0,0},		// optidx=50
-		{"hostlist-exclude",required_argument,0,0},	// optidx=51
+		{"hostlist-domains",required_argument,0,0},// optidx=51
-		{"hostlist-exclude-domains",required_argument,0,0},// optidx=52
+		{"hostlist-exclude",required_argument,0,0},	// optidx=52
-		{"hostlist-auto",required_argument,0,0},	// optidx=53
+		{"hostlist-exclude-domains",required_argument,0,0},// optidx=53
-		{"hostlist-auto-fail-threshold",required_argument,0,0},	// optidx=54
+		{"hostlist-auto",required_argument,0,0},	// optidx=54
-		{"hostlist-auto-fail-time",required_argument,0,0},	// optidx=55
+		{"hostlist-auto-fail-threshold",required_argument,0,0},	// optidx=55
-		{"hostlist-auto-retrans-threshold",required_argument,0,0},	// optidx=56
+		{"hostlist-auto-fail-time",required_argument,0,0},	// optidx=56
-		{"hostlist-auto-debug",required_argument,0,0},	// optidx=57
+		{"hostlist-auto-retrans-threshold",required_argument,0,0},	// optidx=57
-		{"new",no_argument,0,0},	// optidx=58
+		{"hostlist-auto-debug",required_argument,0,0},	// optidx=58
-		{"skip",no_argument,0,0},	// optidx=59
+		{"new",no_argument,0,0},	// optidx=59
-		{"filter-l3",required_argument,0,0},	// optidx=60
+		{"skip",no_argument,0,0},	// optidx=60
-		{"filter-tcp",required_argument,0,0},	// optidx=61
+		{"filter-l3",required_argument,0,0},	// optidx=61
-		{"filter-udp",required_argument,0,0},	// optidx=62
+		{"filter-tcp",required_argument,0,0},	// optidx=62
-		{"filter-l7",required_argument,0,0},	// optidx=63
+		{"filter-udp",required_argument,0,0},	// optidx=63
-		{"ipset",required_argument,0,0},	// optidx=64
+		{"filter-l7",required_argument,0,0},	// optidx=64
-		{"ipset-ip",required_argument,0,0},	// optidx=65
+		{"ipset",required_argument,0,0},	// optidx=65
-		{"ipset-exclude",required_argument,0,0},// optidx=66
+		{"ipset-ip",required_argument,0,0},	// optidx=66
-		{"ipset-exclude-ip",required_argument,0,0},	// optidx=67
+		{"ipset-exclude",required_argument,0,0},// optidx=67
+		{"ipset-exclude-ip",required_argument,0,0},	// optidx=68
 #ifdef __linux__
-		{"bind-fix4",no_argument,0,0},		// optidx=68
+		{"bind-fix4",no_argument,0,0},		// optidx=69
-		{"bind-fix6",no_argument,0,0},		// optidx=69
+		{"bind-fix6",no_argument,0,0},		// optidx=70
 #elif defined(__CYGWIN__)
-		{"wf-iface",required_argument,0,0},	// optidx=68
+		{"wf-iface",required_argument,0,0},	// optidx=69
-		{"wf-l3",required_argument,0,0},	// optidx=69
+		{"wf-l3",required_argument,0,0},	// optidx=70
-		{"wf-tcp",required_argument,0,0},	// optidx=70
+		{"wf-tcp",required_argument,0,0},	// optidx=71
-		{"wf-udp",required_argument,0,0},	// optidx=71
+		{"wf-udp",required_argument,0,0},	// optidx=72
-		{"wf-raw",required_argument,0,0},	// optidx=72
+		{"wf-raw",required_argument,0,0},	// optidx=73
-		{"wf-save",required_argument,0,0},	// optidx=73
+		{"wf-save",required_argument,0,0},	// optidx=74
-		{"ssid-filter",required_argument,0,0},	// optidx=74
+		{"ssid-filter",required_argument,0,0},	// optidx=75
-		{"nlm-filter",required_argument,0,0},	// optidx=75
+		{"nlm-filter",required_argument,0,0},	// optidx=76
-		{"nlm-list",optional_argument,0,0},	// optidx=76
+		{"nlm-list",optional_argument,0,0},	// optidx=77
 #endif
 		{NULL,0,NULL,0}
 	};
@@ -1825,39 +1948,47 @@ int main(int argc, char **argv)
 		case 38: /* dpi-desync-fake-tls */
 			dp->fake_tls_size = sizeof(dp->fake_tls);
 			load_file_or_exit(optarg,dp->fake_tls,&dp->fake_tls_size);
+			dp->fake_tls_mod |= FAKE_TLS_MOD_CUSTOM_FAKE;
 			break;
-		case 39: /* dpi-desync-fake-unknown */
+		case 39: /* dpi-desync-fake-tls-mod */
+			if (!parse_tlsmod_list(optarg,&dp->fake_tls_mod))
+			{
+				DLOG_ERR("Invalid tls mod : %s\n",optarg);
+				exit_clean(1);
+			}
+			break;
+		case 40: /* dpi-desync-fake-unknown */
 			dp->fake_unknown_size = sizeof(dp->fake_unknown);
 			load_file_or_exit(optarg,dp->fake_unknown,&dp->fake_unknown_size);
 			break;
-		case 40: /* dpi-desync-fake-syndata */
+		case 41: /* dpi-desync-fake-syndata */
 			dp->fake_syndata_size = sizeof(dp->fake_syndata);
 			load_file_or_exit(optarg,dp->fake_syndata,&dp->fake_syndata_size);
 			break;
-		case 41: /* dpi-desync-fake-quic */
+		case 42: /* dpi-desync-fake-quic */
 			dp->fake_quic_size = sizeof(dp->fake_quic);
 			load_file_or_exit(optarg,dp->fake_quic,&dp->fake_quic_size);
 			break;
-		case 42: /* dpi-desync-fake-wireguard */
+		case 43: /* dpi-desync-fake-wireguard */
 			dp->fake_wg_size = sizeof(dp->fake_wg);
 			load_file_or_exit(optarg,dp->fake_wg,&dp->fake_wg_size);
 			break;
-		case 43: /* dpi-desync-fake-dht */
+		case 44: /* dpi-desync-fake-dht */
 			dp->fake_dht_size = sizeof(dp->fake_dht);
 			load_file_or_exit(optarg,dp->fake_dht,&dp->fake_dht_size);
 			break;
-		case 44: /* dpi-desync-fake-unknown-udp */
+		case 45: /* dpi-desync-fake-unknown-udp */
 			dp->fake_unknown_udp_size = sizeof(dp->fake_unknown_udp);
 			load_file_or_exit(optarg,dp->fake_unknown_udp,&dp->fake_unknown_udp_size);
 			break;
-		case 45: /* dpi-desync-udplen-increment */
+		case 46: /* dpi-desync-udplen-increment */
 			if (sscanf(optarg,"%d",&dp->udplen_increment)<1 || dp->udplen_increment>0x7FFF || dp->udplen_increment<-0x8000)
 			{
 				DLOG_ERR("dpi-desync-udplen-increment must be integer within -32768..32767 range\n");
 				exit_clean(1);
 			}
 			break;
-		case 46: /* dpi-desync-udplen-pattern */
+		case 47: /* dpi-desync-udplen-pattern */
 			{
 				char buf[sizeof(dp->udplen_pattern)];
 				size_t sz=sizeof(buf);
@@ -1865,21 +1996,21 @@ int main(int argc, char **argv)
 				fill_pattern(dp->udplen_pattern,sizeof(dp->udplen_pattern),buf,sz);
 			}
 			break;
-		case 47: /* desync-cutoff */
+		case 48: /* desync-cutoff */
 			if (!parse_cutoff(optarg, &dp->desync_cutoff, &dp->desync_cutoff_mode))
 			{
 				DLOG_ERR("invalid desync-cutoff value\n");
 				exit_clean(1);
 			}
 			break;
-		case 48: /* desync-start */
+		case 49: /* desync-start */
 			if (!parse_cutoff(optarg, &dp->desync_start, &dp->desync_start_mode))
 			{
 				DLOG_ERR("invalid desync-start value\n");
 				exit_clean(1);
 			}
 			break;
-		case 49: /* hostlist */
+		case 50: /* hostlist */
 			if (bSkip) break;
 			if (!RegisterHostlist(dp, false, optarg))
 			{
@@ -1887,7 +2018,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 50: /* hostlist-domains */
+		case 51: /* hostlist-domains */
 			if (bSkip) break;
 			if (!anon_hl && !(anon_hl=RegisterHostlist(dp, false, NULL)))
 			{
@@ -1900,7 +2031,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 51: /* hostlist-exclude */
+		case 52: /* hostlist-exclude */
 			if (bSkip) break;
 			if (!RegisterHostlist(dp, true, optarg))
 			{
@@ -1908,7 +2039,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 52: /* hostlist-exclude-domains */
+		case 53: /* hostlist-exclude-domains */
 			if (bSkip) break;
 			if (!anon_hl_exclude && !(anon_hl_exclude=RegisterHostlist(dp, true, NULL)))
 			{
@@ -1921,7 +2052,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 53: /* hostlist-auto */
+		case 54: /* hostlist-auto */
 			if (bSkip) break;
 			if (dp->hostlist_auto)
 			{
@@ -1949,7 +2080,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 54: /* hostlist-auto-fail-threshold */
+		case 55: /* hostlist-auto-fail-threshold */
 			dp->hostlist_auto_fail_threshold = (uint8_t)atoi(optarg);
 			if (dp->hostlist_auto_fail_threshold<1 || dp->hostlist_auto_fail_threshold>20)
 			{
@@ -1957,7 +2088,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 55: /* hostlist-auto-fail-time */
+		case 56: /* hostlist-auto-fail-time */
 			dp->hostlist_auto_fail_time = (uint8_t)atoi(optarg);
 			if (dp->hostlist_auto_fail_time<1)
 			{
@@ -1965,7 +2096,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 56: /* hostlist-auto-retrans-threshold */
+		case 57: /* hostlist-auto-retrans-threshold */
 			dp->hostlist_auto_retrans_threshold = (uint8_t)atoi(optarg);
 			if (dp->hostlist_auto_retrans_threshold<2 || dp->hostlist_auto_retrans_threshold>10)
 			{
@@ -1973,7 +2104,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 57: /* hostlist-auto-debug */
+		case 58: /* hostlist-auto-debug */
 			{
 				FILE *F = fopen(optarg,"a+t");
 				if (!F)
@@ -1987,7 +2118,7 @@ int main(int argc, char **argv)
 			}
 			break;
 
-		case 58: /* new */
+		case 59: /* new */
 			if (bSkip)
 			{
 				dp_clear(dp);
@@ -2009,18 +2140,18 @@ int main(int argc, char **argv)
 			anon_hl = anon_hl_exclude = NULL;
 			anon_ips = anon_ips_exclude = NULL;
 			break;
-		case 59: /* skip */
+		case 60: /* skip */
 			bSkip = true;
 			break;
 
-		case 60: /* filter-l3 */
+		case 61: /* filter-l3 */
 			if (!wf_make_l3(optarg,&dp->filter_ipv4,&dp->filter_ipv6))
 			{
 				DLOG_ERR("bad value for --filter-l3\n");
 				exit_clean(1);
 			}
 			break;
-		case 61: /* filter-tcp */
+		case 62: /* filter-tcp */
 			if (!parse_pf_list(optarg,&dp->pf_tcp))
 			{
 				DLOG_ERR("Invalid port filter : %s\n",optarg);
@@ -2030,7 +2161,7 @@ int main(int argc, char **argv)
 			if (!port_filters_deny_if_empty(&dp->pf_udp))
 				exit_clean(1);
 			break;
-		case 62: /* filter-udp */
+		case 63: /* filter-udp */
 			if (!parse_pf_list(optarg,&dp->pf_udp))
 			{
 				DLOG_ERR("Invalid port filter : %s\n",optarg);
@@ -2040,14 +2171,14 @@ int main(int argc, char **argv)
 			if (!port_filters_deny_if_empty(&dp->pf_tcp))
 				exit_clean(1);
 			break;
-		case 63: /* filter-l7 */
+		case 64: /* filter-l7 */
 			if (!parse_l7_list(optarg,&dp->filter_l7))
 			{
 				DLOG_ERR("Invalid l7 filter : %s\n",optarg);
 				exit_clean(1);
 			}
 			break;
-		case 64: /* ipset */
+		case 65: /* ipset */
 			if (bSkip) break;
 			if (!RegisterIpset(dp, false, optarg))
 			{
@@ -2055,7 +2186,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 65: /* ipset-ip */
+		case 66: /* ipset-ip */
 			if (bSkip) break;
 			if (!anon_ips && !(anon_ips=RegisterIpset(dp, false, NULL)))
 			{
@@ -2068,7 +2199,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 66: /* ipset-exclude */
+		case 67: /* ipset-exclude */
 			if (bSkip) break;
 			if (!RegisterIpset(dp, true, optarg))
 			{
@@ -2076,7 +2207,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 67: /* ipset-exclude-ip */
+		case 68: /* ipset-exclude-ip */
 			if (bSkip) break;
 			if (!anon_ips_exclude && !(anon_ips_exclude=RegisterIpset(dp, true, NULL)))
 			{
@@ -2092,28 +2223,28 @@ int main(int argc, char **argv)
 
 
 #ifdef __linux__
-		case 68: /* bind-fix4 */
+		case 69: /* bind-fix4 */
 			params.bind_fix4 = true;
 			break;
-		case 69: /* bind-fix6 */
+		case 70: /* bind-fix6 */
 			params.bind_fix6 = true;
 			break;
 #elif defined(__CYGWIN__)
-		case 68: /* wf-iface */
+		case 69: /* wf-iface */
 			if (!sscanf(optarg,"%u.%u",&IfIdx,&SubIfIdx))
 			{
 				DLOG_ERR("bad value for --wf-iface\n");
 				exit_clean(1);
 			}
 			break;
-		case 69: /* wf-l3 */
+		case 70: /* wf-l3 */
 			if (!wf_make_l3(optarg,&wf_ipv4,&wf_ipv6))
 			{
 				DLOG_ERR("bad value for --wf-l3\n");
 				exit_clean(1);
 			}
 			break;
-		case 70: /* wf-tcp */
+		case 71: /* wf-tcp */
 			hash_wf_tcp=hash_jen(optarg,strlen(optarg));
 			if (!wf_make_pf(optarg,"tcp","SrcPort",wf_pf_tcp_src,sizeof(wf_pf_tcp_src)) ||
 				!wf_make_pf(optarg,"tcp","DstPort",wf_pf_tcp_dst,sizeof(wf_pf_tcp_dst)))
@@ -2122,7 +2253,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 71: /* wf-udp */
+		case 72: /* wf-udp */
 			hash_wf_udp=hash_jen(optarg,strlen(optarg));
 			if (!wf_make_pf(optarg,"udp","SrcPort",wf_pf_udp_src,sizeof(wf_pf_udp_src)) ||
 				!wf_make_pf(optarg,"udp","DstPort",wf_pf_udp_dst,sizeof(wf_pf_udp_dst)))
@@ -2131,7 +2262,7 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
-		case 72: /* wf-raw */
+		case 73: /* wf-raw */
 			hash_wf_raw=hash_jen(optarg,strlen(optarg));
 			if (optarg[0]=='@')
 			{
@@ -2145,11 +2276,11 @@ int main(int argc, char **argv)
 				windivert_filter[sizeof(windivert_filter) - 1] = '\0';
 			}
 			break;
-		case 73: /* wf-save */
+		case 74: /* wf-save */
 			strncpy(wf_save_file, optarg, sizeof(wf_save_file));
 			wf_save_file[sizeof(wf_save_file) - 1] = '\0';
 			break;
-		case 74: /* ssid-filter */
+		case 75: /* ssid-filter */
 			hash_ssid_filter=hash_jen(optarg,strlen(optarg));
 			{
 				char *e,*p = optarg;
@@ -2167,7 +2298,7 @@ int main(int argc, char **argv)
 				}
 			}
 			break;
-		case 75: /* nlm-filter */
+		case 76: /* nlm-filter */
 			hash_nlm_filter=hash_jen(optarg,strlen(optarg));
 			{
 				char *e,*p = optarg;
@@ -2185,7 +2316,7 @@ int main(int argc, char **argv)
 				}
 			}
 			break;
-		case 76: /* nlm-list */
+		case 77: /* nlm-list */
 			if (!nlm_list(optarg && !strcmp(optarg,"all")))
 			{
 				DLOG_ERR("could not get list of NLM networks\n");
@@ -2294,6 +2425,7 @@ int main(int argc, char **argv)
 		if (AUTOTTL_ENABLED(dp->desync_autottl6))
 			DLOG("profile %d autottl ipv6 %u:%u-%u\n",dp->n,dp->desync_autottl6.delta,dp->desync_autottl6.min,dp->desync_autottl6.max);
 		split_compat(dp);
+		onetime_tls_mod(dp);
 #ifndef __CYGWIN__
 		if (params.droproot && dp->hostlist_auto && chown(dp->hostlist_auto->filename, params.uid, -1))
 			DLOG_ERR("could not chown %s. auto hostlist file may not be writable after privilege drop\n", dp->hostlist_auto->filename);

nfq/params.c

@@ -186,7 +186,7 @@ void dp_init(struct desync_profile *dp)
 	dp->desync_repeats = 1;
 	dp->fake_tls_size = sizeof(fake_tls_clienthello_default);
 	memcpy(dp->fake_tls,fake_tls_clienthello_default,dp->fake_tls_size);
-	randomize_default_tls_payload(dp->fake_tls);
+	dp->fake_tls_mod = 0;
 	dp->fake_http_size = strlen(fake_http_request_default);
 	memcpy(dp->fake_http,fake_http_request_default,dp->fake_http_size);
 	dp->fake_quic_size = 620; // must be 601+ for TSPU hack

nfq/params.h

@@ -38,6 +38,13 @@
 
 #define MAX_SPLITS	64
 
+#define FAKE_TLS_MOD_SAVE_MASK		0x0F
+#define FAKE_TLS_MOD_SET		0x01
+#define FAKE_TLS_MOD_CUSTOM_FAKE	0x02
+#define FAKE_TLS_MOD_RND		0x10
+#define FAKE_TLS_MOD_RND_SNI		0x20
+#define FAKE_TLS_MOD_PADENCAP		0x40
+
 enum log_target { LOG_TARGET_CONSOLE=0, LOG_TARGET_FILE, LOG_TARGET_SYSLOG };
 
 struct desync_profile
@@ -66,9 +73,13 @@ struct desync_profile
 	autottl desync_autottl, desync_autottl6;
 	uint32_t desync_fooling_mode;
 	uint32_t desync_badseq_increment, desync_badseq_ack_increment;
-	uint8_t fake_http[1460],fake_tls[1460],fake_unknown[1460],fake_syndata[1460],seqovl_pattern[1460],fsplit_pattern[1460];
+	uint8_t fake_http[1460],fake_unknown[1460],fake_syndata[1460],seqovl_pattern[1460],fsplit_pattern[1460];
 	uint8_t fake_unknown_udp[1472],udplen_pattern[1472],fake_quic[1472],fake_wg[1472],fake_dht[1472];
-	size_t fake_http_size,fake_tls_size,fake_quic_size,fake_wg_size,fake_dht_size,fake_unknown_size,fake_syndata_size,fake_unknown_udp_size;
+	size_t fake_http_size,fake_quic_size,fake_wg_size,fake_dht_size,fake_unknown_size,fake_syndata_size,fake_unknown_udp_size;
+
+	uint8_t fake_tls[1460],fake_tls_mod;
+	size_t fake_tls_size, fake_tls_extlen_offset, fake_tls_padlen_offset;
+
 	int udplen_increment;
 
 	bool filter_ipv4,filter_ipv6;

nfq/protocol.c

@@ -373,6 +373,46 @@ bool IsTLSHandshakeFull(const uint8_t *data, size_t len)
 }
 
 
+bool TLSFindExtLenOffsetInHandshake(const uint8_t *data, size_t len, size_t *off)
+{
+	// +0
+	// u8	HandshakeType: ClientHello
+	// u24	Length
+	// u16	Version
+	// c[32] random
+	// u8	SessionIDLength
+	//	<SessionID>
+	// u16	CipherSuitesLength
+	//	<CipherSuites>
+	// u8	CompressionMethodsLength
+	//	<CompressionMethods>
+	// u16	ExtensionsLength
+
+	size_t l;
+
+	l = 1 + 3 + 2 + 32;
+	// SessionIDLength
+	if (len < (l + 1)) return false;
+	l += data[l] + 1;
+	// CipherSuitesLength
+	if (len < (l + 2)) return false;
+	l += pntoh16(data + l) + 2;
+	// CompressionMethodsLength
+	if (len < (l + 1)) return false;
+	l += data[l] + 1;
+	// ExtensionsLength
+	if (len < (l + 2)) return false;
+	*off = l;
+	return true;
+}
+bool TLSFindExtLen(const uint8_t *data, size_t len, size_t *off)
+{
+	if (!TLSFindExtLenOffsetInHandshake(data+5,len-5,off))
+		return false;
+	*off+=5;
+	return true;
+}
+
 // bPartialIsOK=true - accept partial packets not containing the whole TLS message
 bool TLSFindExtInHandshake(const uint8_t *data, size_t len, uint16_t type, const uint8_t **ext, size_t *len_ext, bool bPartialIsOK)
 {
@@ -393,18 +433,7 @@ bool TLSFindExtInHandshake(const uint8_t *data, size_t len, uint16_t type, const
 
 	if (!bPartialIsOK && !IsTLSHandshakeFull(data,len)) return false;
 
-	l = 1 + 3 + 2 + 32;
+	if (!TLSFindExtLenOffsetInHandshake(data,len,&l)) return false;
-	// SessionIDLength
-	if (len < (l + 1)) return false;
-	l += data[l] + 1;
-	// CipherSuitesLength
-	if (len < (l + 2)) return false;
-	l += pntoh16(data + l) + 2;
-	// CompressionMethodsLength
-	if (len < (l + 1)) return false;
-	l += data[l] + 1;
-	// ExtensionsLength
-	if (len < (l + 2)) return false;
 
 	data += l; len -= l;
 	l = pntoh16(data);
@@ -451,7 +480,7 @@ bool TLSFindExt(const uint8_t *data, size_t len, uint16_t type, const uint8_t **
 	if (reclen<len) len=reclen; // correct len if it has more data than the first tls record has
 	return TLSFindExtInHandshake(data + 5, len - 5, type, ext, len_ext, bPartialIsOK);
 }
-static bool TLSAdvanceToHostInSNI(const uint8_t **ext, size_t *elen, size_t *slen)
+bool TLSAdvanceToHostInSNI(const uint8_t **ext, size_t *elen, size_t *slen)
 {
 	// u16	data+0 - name list length
 	// u8	data+2 - server name type. 0=host_name

nfq/protocol.h

@@ -62,6 +62,9 @@ bool IsTLSClientHello(const uint8_t *data, size_t len, bool bPartialIsOK);
 size_t TLSHandshakeLen(const uint8_t *data);
 bool IsTLSHandshakeClientHello(const uint8_t *data, size_t len);
 bool IsTLSHandshakeFull(const uint8_t *data, size_t len);
+bool TLSAdvanceToHostInSNI(const uint8_t **ext, size_t *elen, size_t *slen);
+bool TLSFindExtLen(const uint8_t *data, size_t len, size_t *off);
+bool TLSFindExtLenOffsetInHandshake(const uint8_t *data, size_t len, size_t *off);
 bool TLSFindExt(const uint8_t *data, size_t len, uint16_t type, const uint8_t **ext, size_t *len_ext, bool bPartialIsOK);
 bool TLSFindExtInHandshake(const uint8_t *data, size_t len, uint16_t type, const uint8_t **ext, size_t *len_ext, bool bPartialIsOK);
 bool TLSHelloExtractHost(const uint8_t *data, size_t len, char *host, size_t len_host, bool bPartialIsOK);