tpws: memmem nfqws: memmem, nfqws check hostlist in hostcase and hostnospace options

nfq/desync.c

@@ -76,6 +76,11 @@ bool dpi_desync_packet(const uint8_t *data_pkt, size_t len_pkt, struct iphdr *ip
 			fake = (uint8_t*)fake_http_request;
 			fake_size = sizeof(fake_http_request);
 			if (params.hostlist || params.debug) bHaveHost=HttpExtractHost(data_payload,len_payload,host,sizeof(host));
+			if (params.hostlist && !bHaveHost)
+			{
+				DLOG("not applying dpi-desync to HTTP without Host:\n")
+				return false;
+			}
 		}
 		else if (IsTLSClientHello(data_payload,len_payload))
 		{

nfq/helpers.c

@@ -1,29 +1,9 @@
-#include "helpers.h"
-#include <string.h>
-#include <stdio.h>
+#define _GNU_SOURCE
 
-const uint8_t *find_bin_const(const uint8_t *data, size_t len, const void *blk, size_t blk_len)
-{
-	while (len >= blk_len)
-	{
-		if (!memcmp(data, blk, blk_len))
-			return data;
-		data++;
-		len--;
-	}
-	return NULL;
-}
-uint8_t *find_bin(uint8_t *data, size_t len, const void *blk, size_t blk_len)
-{
-	while (len >= blk_len)
-	{
-		if (!memcmp(data, blk, blk_len))
-			return data;
-		data++;
-		len--;
-	}
-	return NULL;
-}
+#include "helpers.h"
+#include <stdio.h>
+#include <string.h>
+#include <ctype.h>
 
 void print_sockaddr(const struct sockaddr *sa)
 {
@@ -42,3 +22,24 @@ void print_sockaddr(const struct sockaddr *sa)
 		printf("UNKNOWN_FAMILY_%d", sa->sa_family);
 	}
 }
+
+char *strncasestr(const char *s,const char *find, size_t slen)
+{
+	char c, sc;
+	size_t len;
+
+	if ((c = *find++) != '\0')
+	{
+		len = strlen(find);
+		do
+		{
+			do
+			{
+				if (slen-- < 1 || (sc = *s++) == '\0') return NULL;
+			} while (toupper(c) != toupper(sc));
+			if (len > slen)	return NULL;
+		} while (strncasecmp(s, find, len) != 0);
+		s--;
+	}
+	return (char *)s;
+}

nfq/helpers.h

@@ -1,10 +1,7 @@
 #pragma once
 
-#include <stddef.h>
-#include <stdint.h>
-#include <stdbool.h>
 #include <arpa/inet.h>
+#include <stddef.h>
 
-const uint8_t *find_bin_const(const uint8_t *data, size_t len, const void *blk, size_t blk_len);
-uint8_t *find_bin(uint8_t *data, size_t len, const void *blk, size_t blk_len);
 void print_sockaddr(const struct sockaddr *sa);
+char *strncasestr(const char *s,const char *find, size_t slen);

nfq/nfqws.c

@@ -5,6 +5,7 @@
 #include "helpers.h"
 #include "checksum.h"
 #include "params.h"
+#include "protocol.h"
 #include "hostlist.h"
 
 #include <stdio.h>
@@ -165,34 +166,57 @@ static bool modify_tcp_packet(uint8_t *data, size_t len, struct tcphdr *tcphdr)
 	uint8_t *phost, *pua;
 	bool bRet = false;
 
-	if (params.wsize && tcp_synack_segment(tcphdr))
+	if (tcp_synack_segment(tcphdr))
 	{
-		tcp_rewrite_winsize(tcphdr, (uint16_t)params.wsize);
-		bRet = true;
-	}
-
-	if ((params.hostcase || params.hostnospace) && (phost = find_bin(data, len, "\r\nHost: ", 8)))
-	{
-		if (params.hostcase)
+		if (params.wsize)
 		{
-			DLOG("modifying Host: => %c%c%c%c:\n", params.hostspell[0], params.hostspell[1], params.hostspell[2], params.hostspell[3])
-			memcpy(phost + 2, params.hostspell, 4);
+			tcp_rewrite_winsize(tcphdr, (uint16_t)params.wsize);
 			bRet = true;
 		}
-		if (params.hostnospace && (pua = find_bin(data, len, "\r\nUser-Agent: ", 14)) && (pua = find_bin(pua + 1, len - (pua - data) - 1, "\r\n", 2)))
+	}
+	else if ((params.hostcase || params.hostnospace) && IsHttp(data,len))
+	{
+		if (params.hostlist)
 		{
-			DLOG("removing space after Host: and adding it to User-Agent:\n")
-			if (pua > phost)
+			char host[256];
+			if (HttpExtractHost(data,len,host,sizeof(host)))
 			{
-				memmove(phost + 7, phost + 8, pua - phost - 8);
-				phost[pua - phost - 1] = ' ';
+				DLOG("hostname: %s\n",host)
+				if (!SearchHostList(params.hostlist,host,params.debug))
+				{
+					DLOG("not applying tampering to this request\n")
+					return false;
+				}
 			}
 			else
 			{
-				memmove(pua + 1, pua, phost - pua + 7);
-				*pua = ' ';
+				DLOG("could not extract host from http request. not applying tampering\n")
+				return false;
+			}
+		}
+		if (phost = (uint8_t*)memmem(data, len, "\r\nHost: ", 8))
+		{
+			if (params.hostcase)
+			{
+				DLOG("modifying Host: => %c%c%c%c:\n", params.hostspell[0], params.hostspell[1], params.hostspell[2], params.hostspell[3])
+				memcpy(phost + 2, params.hostspell, 4);
+				bRet = true;
+			}
+			if (params.hostnospace && (pua = (uint8_t*)memmem(data, len, "\r\nUser-Agent: ", 14)) && (pua = (uint8_t*)memmem(pua + 1, len - (pua - data) - 1, "\r\n", 2)))
+			{
+				DLOG("removing space after Host: and adding it to User-Agent:\n")
+				if (pua > phost)
+				{
+					memmove(phost + 7, phost + 8, pua - phost - 8);
+					phost[pua - phost - 1] = ' ';
+				}
+				else
+				{
+					memmove(pua + 1, pua, phost - pua + 7);
+					*pua = ' ';
+				}
+				bRet = true;
 			}
-			bRet = true;
 		}
 	}
 	return bRet;
@@ -531,12 +555,6 @@ int main(int argc, char **argv)
 		}
 	}
 
-	if (params.desync_mode==DESYNC_NONE && params.hostlist)
-	{
-		fprintf(stderr, "hostlist is applicable only to dpi-desync\n");
-		exit_clean(1);
-	}
-
 	if (daemon) daemonize();
 
 	h = NULL;

nfq/protocol.c

@@ -1,8 +1,11 @@
+#define _GNU_SOURCE
+
 #include "protocol.h"
 #include "helpers.h"
 #include <string.h>
 #include <ctype.h>
 #include <arpa/inet.h>
+#include <string.h>
 
 const char *http_methods[] = { "GET /","POST /","HEAD /","OPTIONS /","PUT /","DELETE /","CONNECT /","TRACE /",NULL };
 bool IsHttp(const char *data, size_t len)
@@ -21,7 +24,7 @@ bool HttpExtractHost(const uint8_t *data, size_t len, char *host, size_t len_hos
 {
 	const uint8_t *p, *s, *e=data+len;
 
-	p = find_bin_const(data, len, "\nHost:", 6);
+	p = (uint8_t*)strncasestr((char*)data, "\nHost:", len);
 	if (!p) return false;
 	p+=6;
 	while(p<e && (*p==' ' || *p=='\t')) p++;