nfqws: support QUIC multi packet CRYPTO fragmentation

nfq/desync.c

@@ -1953,29 +1953,80 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
 						return verdict; // cannot be first packet
 					}
 				}
-
 				uint8_t defrag[16384];
 				size_t hello_offset, hello_len, defrag_len = sizeof(defrag);
-				if (QUICDefragCrypto(pclean,clean_len,defrag,&defrag_len))
+				bool bFull;
+				if (QUICDefragCrypto(pclean,clean_len,defrag,&defrag_len,&bFull))
 				{
-					bool bIsHello = IsQUICCryptoHello(defrag, defrag_len, &hello_offset, &hello_len);
-					bool bReqFull = bIsHello ? IsTLSHandshakeFull(defrag+hello_offset,hello_len) : false;
-
-					DLOG(bIsHello ? bReqFull ? "packet contains full TLS ClientHello\n" : "packet contains partial TLS ClientHello\n" : "packet does not contain TLS ClientHello\n");
-
-					if (ctrack)
+					if (bFull)
 					{
-						if (bIsHello && !bReqFull && ReasmIsEmpty(&ctrack->reasm_orig))
+						bool bIsHello = IsQUICCryptoHello(defrag, defrag_len, &hello_offset, &hello_len);
+						bool bReqFull = bIsHello ? IsTLSHandshakeFull(defrag+hello_offset,hello_len) : false;
+
+						DLOG(bIsHello ? bReqFull ? "packet contains full TLS ClientHello\n" : "packet contains partial TLS ClientHello\n" : "packet does not contain TLS ClientHello\n");
+
+						if (ctrack)
 						{
-							// preallocate max buffer to avoid reallocs that cause memory copy
-							if (!reasm_orig_start(ctrack,IPPROTO_UDP,16384,16384,clean,clean_len))
+							if (bIsHello && !bReqFull && ReasmIsEmpty(&ctrack->reasm_orig))
+							{
+								// preallocate max buffer to avoid reallocs that cause memory copy
+								if (!reasm_orig_start(ctrack,IPPROTO_UDP,16384,16384,clean,clean_len))
+								{
+									reasm_orig_cancel(ctrack);
+									return verdict;
+								}
+							}
+							if (!ReasmIsEmpty(&ctrack->reasm_orig))
+							{
+								verdict_udp_csum_fix(verdict, dis->udp, dis->transport_len, dis->ip, dis->ip6);
+								if (rawpacket_queue(&ctrack->delayed, &dst, desync_fwmark, ifout, dis->data_pkt, dis->len_pkt, dis->len_payload))
+								{
+									DLOG("DELAY desync until reasm is complete (#%u)\n", rawpacket_queue_count(&ctrack->delayed));
+								}
+								else
+								{
+									DLOG_ERR("rawpacket_queue failed !\n");
+									reasm_orig_cancel(ctrack);
+									return verdict;
+								}
+								if (bReqFull)
+								{
+									replay_queue(&ctrack->delayed);
+									reasm_orig_fin(ctrack);
+								}
+								return ct_new_postnat_fix_udp(ctrack, dis->ip, dis->ip6, dis->udp, &dis->len_pkt);
+							}
+						}
+
+						if (bIsHello)
+						{
+							bHaveHost = TLSHelloExtractHostFromHandshake(defrag + hello_offset, hello_len, host, sizeof(host), TLS_PARTIALS_ENABLE);
+							if (!bHaveHost && dp->desync_skip_nosni)
 							{
 								reasm_orig_cancel(ctrack);
+								DLOG("not applying tampering to QUIC ClientHello without hostname in the SNI\n");
 								return verdict;
 							}
 						}
-						if (!ReasmIsEmpty(&ctrack->reasm_orig))
+						else
 						{
+							if (!quic_reasm_cancel(ctrack,"QUIC initial without ClientHello")) return verdict;
+						}
+					}
+					else
+					{
+						DLOG("QUIC initial contains CRYPTO without full fragment coverage\n");
+						if (ctrack)
+						{
+							if (ReasmIsEmpty(&ctrack->reasm_orig))
+							{
+								// preallocate max buffer to avoid reallocs that cause memory copy
+								if (!reasm_orig_start(ctrack,IPPROTO_UDP,16384,16384,clean,clean_len))
+								{
+									reasm_orig_cancel(ctrack);
+									return verdict;
+								}
+							}
 							verdict_udp_csum_fix(verdict, dis->udp, dis->transport_len, dis->ip, dis->ip6);
 							if (rawpacket_queue(&ctrack->delayed, &dst, desync_fwmark, ifout, dis->data_pkt, dis->len_pkt, dis->len_payload))
 							{
@@ -1987,28 +2038,9 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
 								reasm_orig_cancel(ctrack);
 								return verdict;
 							}
-							if (bReqFull)
-							{
-								replay_queue(&ctrack->delayed);
-								reasm_orig_fin(ctrack);
-							}
 							return ct_new_postnat_fix_udp(ctrack, dis->ip, dis->ip6, dis->udp, &dis->len_pkt);
 						}
-					}
-			
-					if (bIsHello)
-					{
-						bHaveHost = TLSHelloExtractHostFromHandshake(defrag + hello_offset, hello_len, host, sizeof(host), TLS_PARTIALS_ENABLE);
-						if (!bHaveHost && dp->desync_skip_nosni)
-						{
-							reasm_orig_cancel(ctrack);
-							DLOG("not applying tampering to QUIC ClientHello without hostname in the SNI\n");
-							return verdict;
-						}
-					}
-					else
-					{
-						if (!quic_reasm_cancel(ctrack,"QUIC initial without ClientHello")) return verdict;
+						if (!quic_reasm_cancel(ctrack,"QUIC initial fragmented CRYPTO")) return verdict;
 					}
 				}
 				else
@@ -2027,7 +2059,7 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
 		{
 			// received payload without host. it means we are out of the request retransmission phase. stop counter
 			ctrack_stop_retrans_counter(ctrack);
-			
+
 			reasm_orig_cancel(ctrack);
 
 			if (IsWireguardHandshakeInitiation(dis->data_payload,dis->len_payload))