From d19f6c19a45ceb66cf68a1e7c02ece54d7fd8cb4 Mon Sep 17 00:00:00 2001 From: bol-van Date: Sun, 13 Apr 2025 15:27:50 +0300 Subject: [PATCH] nfqws,tpws: debug tls version --- docs/changes.txt | 4 ++++ nfq/desync.c | 31 +++++++++++++++++++++++++++++++ nfq/protocol.c | 13 +++++++++++++ nfq/protocol.h | 1 + tpws/protocol.c | 14 ++++++++++++++ tpws/protocol.h | 1 + tpws/tamper.c | 29 +++++++++++++++++++++++++++++ 7 files changed, 93 insertions(+) diff --git a/docs/changes.txt b/docs/changes.txt index 7e50633..fe9805b 100644 --- a/docs/changes.txt +++ b/docs/changes.txt @@ -481,3 +481,7 @@ nfqws: update default TLS ClientHello fake. firefox 136.0.4 finger, no kyber, SN nfqws: multiple mods for multiple TLS fakes init.d: remove 50-discord blockcheck: use tpws --fix-seg on linux for multiple splits + +v70.7 + +nfqws,tpws: debug tls version diff --git a/nfq/desync.c b/nfq/desync.c index 5bd1397..54fb3d5 100644 --- a/nfq/desync.c +++ b/nfq/desync.c @@ -83,6 +83,35 @@ const uint8_t fake_tls_clienthello_default[680] = { #define TCP_MAX_REASM 16384 #define UDP_MAX_REASM 16384 +void TLSDebug(const uint8_t *tls,size_t sz) +{ + if (sz<11) return; + + uint16_t v_rec=pntoh16(tls+1), v_handshake=pntoh16(tls+9), v; + DLOG("TLS record layer version : %s\nTLS handshake version : %s\n",TLSVersionStr(v_rec),TLSVersionStr(v_handshake)); + + const uint8_t *ext_supvers; + size_t len_supvers,len_supvers2; + if (TLSFindExt(tls,sz,43,&ext_supvers,&len_supvers,false)) + { + if (len_supvers) + { + len_supvers2 = ext_supvers[0]; + if (len_supvers2>12)==((tlsver>>4)&0xF))) ? "GREASE" : "UNKNOWN"; + } +} uint16_t TLSRecordDataLen(const uint8_t *data) { diff --git a/nfq/protocol.h b/nfq/protocol.h index 8658b80..df7dc24 100644 --- a/nfq/protocol.h +++ b/nfq/protocol.h @@ -57,6 +57,7 @@ int HttpReplyCode(const uint8_t *data, size_t len); // must be pre-checked by IsHttpReply bool HttpReplyLooksLikeDPIRedirect(const uint8_t *data, size_t len, const char *host); +const char *TLSVersionStr(uint16_t tlsver); uint16_t TLSRecordDataLen(const uint8_t *data); size_t TLSRecordLen(const uint8_t *data); bool IsTLSRecordFull(const uint8_t *data, size_t len); diff --git a/tpws/protocol.c b/tpws/protocol.c index 9639186..2668d4d 100644 --- a/tpws/protocol.c +++ b/tpws/protocol.c @@ -339,6 +339,20 @@ size_t HttpPos(uint8_t posmarker, int16_t pos, const uint8_t *data, size_t sz) +const char *TLSVersionStr(uint16_t tlsver) +{ + switch(tlsver) + { + case 0x0301: return "TLS 1.0"; + case 0x0302: return "TLS 1.1"; + case 0x0303: return "TLS 1.2"; + case 0x0304: return "TLS 1.3"; + default: + // 0x0a0a, 0x1a1a, ..., 0xfafa + return (((tlsver & 0x0F0F) == 0x0A0A) && ((tlsver>>12)==((tlsver>>4)&0xF))) ? "GREASE" : "UNKNOWN"; + } +} + uint16_t TLSRecordDataLen(const uint8_t *data) { return pntoh16(data + 3); diff --git a/tpws/protocol.h b/tpws/protocol.h index 82318c6..7bd0cf4 100644 --- a/tpws/protocol.h +++ b/tpws/protocol.h @@ -53,6 +53,7 @@ int HttpReplyCode(const uint8_t *data, size_t len); // must be pre-checked by IsHttpReply bool HttpReplyLooksLikeDPIRedirect(const uint8_t *data, size_t len, const char *host); +const char *TLSVersionStr(uint16_t tlsver); uint16_t TLSRecordDataLen(const uint8_t *data); size_t TLSRecordLen(const uint8_t *data); bool IsTLSRecordFull(const uint8_t *data, size_t len); diff --git a/tpws/tamper.c b/tpws/tamper.c index 00b653d..caae979 100644 --- a/tpws/tamper.c +++ b/tpws/tamper.c @@ -15,6 +15,34 @@ void packet_debug(const uint8_t *data, size_t sz) hexdump_limited_dlog(data, sz, PKTDATA_MAXDUMP); VPRINT("\n"); } +void TLSDebug(const uint8_t *tls,size_t sz) +{ + if (sz<11) return; + + uint16_t v_rec=pntoh16(tls+1), v_handshake=pntoh16(tls+9), v; + VPRINT("TLS record layer version : %s\nTLS handshake version : %s\n",TLSVersionStr(v_rec),TLSVersionStr(v_handshake)); + + const uint8_t *ext_supvers; + size_t len_supvers,len_supvers2; + if (TLSFindExt(tls,sz,43,&ext_supvers,&len_supvers,false)) + { + if (len_supvers) + { + len_supvers2 = ext_supvers[0]; + if (len_supvers2