docs/changes.txt

@@ -481,7 +481,3 @@ nfqws: update default TLS ClientHello fake. firefox 136.0.4 finger, no kyber, SN
 nfqws: multiple mods for multiple TLS fakes
 init.d: remove 50-discord
 blockcheck: use tpws --fix-seg on linux for multiple splits
-
-v70.7
-
-nfqws,tpws: debug tls version, alpn, ech

nfq/desync.c

@@ -83,66 +83,6 @@ const uint8_t fake_tls_clienthello_default[680] = {
 #define TCP_MAX_REASM 16384
 #define UDP_MAX_REASM 16384
 
-void TLSDebug(const uint8_t *tls,size_t sz)
-{
-	if (sz<11) return;
-
-	uint16_t v_rec=pntoh16(tls+1), v_handshake=pntoh16(tls+9), v, v2;
-	DLOG("TLS record layer version : %s\nTLS handshake version : %s\n",TLSVersionStr(v_rec),TLSVersionStr(v_handshake));
-
-	const uint8_t *ext;
-	size_t len,len2;
-	if (TLSFindExt(tls,sz,43,&ext,&len,false))
-	{
-		if (len)
-		{
-			len2 = ext[0];
-			if (len2<len)
-			{
-				for(ext++,len2&=~1 ; len2 ; len2-=2,ext+=2)
-				{
-					v = pntoh16(ext);
-					DLOG("TLS supported versions ext : %s\n",TLSVersionStr(v));
-				}
-			}
-		}
-	}
-	else
-		DLOG("TLS supported versions ext : not present\n");
-
-	if (TLSFindExt(tls,sz,16,&ext,&len,false))
-	{
-		if (len>=2)
-		{
-			len2 = pntoh16(ext);
-			if (len2<=(len-2))
-			{
-				char s[32];
-				for(ext+=2; len2 ;)
-				{
-					v = *ext; ext++; len2--;
-					if (v<=len2)
-					{
-						v2 = v<sizeof(s) ? v : sizeof(s)-1;
-						memcpy(s,ext,v2);
-						s[v2]=0;
-						DLOG("TLS ALPN ext : %s\n",s);
-						len2-=v;
-						ext+=v;
-					}
-					else
-						break;
-				}
-			}
-		}
-	}
-	else
-		DLOG("TLS ALPN ext : not present\n");
-
-	DLOG("TLS ECH ext : %s\n",TLSFindExt(tls,sz,65037,NULL,NULL,false) ? "present" : "not present");
-}
-
-
 bool desync_valid_zero_stage(enum dpi_desync_mode mode)
 {
 	return mode==DESYNC_SYNACK || mode==DESYNC_SYNDATA;
@@ -1026,8 +966,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 			DLOG(bReqFull ? "packet contains full TLS ClientHello\n" : "packet contains partial TLS ClientHello\n");
 			l7proto = TLS;
 
-			if (bReqFull && params.debug) TLSDebug(rdata_payload,rlen_payload);
-
 			bHaveHost=TLSHelloExtractHost(rdata_payload,rlen_payload,host,sizeof(host),TLS_PARTIALS_ENABLE);
 
 			if (ctrack)

nfq/protocol.c

@@ -345,19 +345,6 @@ size_t HttpPos(uint8_t posmarker, int16_t pos, const uint8_t *data, size_t sz)
 }
 
 
-const char *TLSVersionStr(uint16_t tlsver)
-{
-	switch(tlsver)
-	{
-		case 0x0301: return "TLS 1.0";
-		case 0x0302: return "TLS 1.1";
-		case 0x0303: return "TLS 1.2";
-		case 0x0304: return "TLS 1.3";
-		default:
-			// 0x0a0a, 0x1a1a, ..., 0xfafa
-			return (((tlsver & 0x0F0F) == 0x0A0A) && ((tlsver>>12)==((tlsver>>4)&0xF))) ? "GREASE" : "UNKNOWN";
-	}
-}
 
 uint16_t TLSRecordDataLen(const uint8_t *data)
 {

nfq/protocol.h

@@ -57,7 +57,6 @@ int HttpReplyCode(const uint8_t *data, size_t len);
 // must be pre-checked by IsHttpReply
 bool HttpReplyLooksLikeDPIRedirect(const uint8_t *data, size_t len, const char *host);
 
-const char *TLSVersionStr(uint16_t tlsver);
 uint16_t TLSRecordDataLen(const uint8_t *data);
 size_t TLSRecordLen(const uint8_t *data);
 bool IsTLSRecordFull(const uint8_t *data, size_t len);

tpws/protocol.c

@@ -339,20 +339,6 @@ size_t HttpPos(uint8_t posmarker, int16_t pos, const uint8_t *data, size_t sz)
 
 
 
-const char *TLSVersionStr(uint16_t tlsver)
-{
-	switch(tlsver)
-	{
-		case 0x0301: return "TLS 1.0";
-		case 0x0302: return "TLS 1.1";
-		case 0x0303: return "TLS 1.2";
-		case 0x0304: return "TLS 1.3";
-		default:
-			// 0x0a0a, 0x1a1a, ..., 0xfafa
-			return (((tlsver & 0x0F0F) == 0x0A0A) && ((tlsver>>12)==((tlsver>>4)&0xF))) ? "GREASE" : "UNKNOWN";
-	}
-}
-
 uint16_t TLSRecordDataLen(const uint8_t *data)
 {
 	return pntoh16(data + 3);

tpws/protocol.h

@@ -53,7 +53,6 @@ int HttpReplyCode(const uint8_t *data, size_t len);
 // must be pre-checked by IsHttpReply
 bool HttpReplyLooksLikeDPIRedirect(const uint8_t *data, size_t len, const char *host);
 
-const char *TLSVersionStr(uint16_t tlsver);
 uint16_t TLSRecordDataLen(const uint8_t *data);
 size_t TLSRecordLen(const uint8_t *data);
 bool IsTLSRecordFull(const uint8_t *data, size_t len);

tpws/tamper.c

@@ -15,65 +15,6 @@ void packet_debug(const uint8_t *data, size_t sz)
 	hexdump_limited_dlog(data, sz, PKTDATA_MAXDUMP); VPRINT("\n");
 }
 
-void TLSDebug(const uint8_t *tls,size_t sz)
-{
-	if (sz<11) return;
-
-	uint16_t v_rec=pntoh16(tls+1), v_handshake=pntoh16(tls+9), v, v2;
-	VPRINT("TLS record layer version : %s\nTLS handshake version : %s\n",TLSVersionStr(v_rec),TLSVersionStr(v_handshake));
-
-	const uint8_t *ext;
-	size_t len,len2;
-	if (TLSFindExt(tls,sz,43,&ext,&len,false))
-	{
-		if (len)
-		{
-			len2 = ext[0];
-			if (len2<len)
-			{
-				for(ext++,len2&=~1 ; len2 ; len2-=2,ext+=2)
-				{
-					v = pntoh16(ext);
-					VPRINT("TLS supported versions ext : %s\n",TLSVersionStr(v));
-				}
-			}
-		}
-	}
-	else
-		VPRINT("TLS supported versions ext : not present\n");
-
-	if (TLSFindExt(tls,sz,16,&ext,&len,false))
-	{
-		if (len>=2)
-		{
-			len2 = pntoh16(ext);
-			if (len2<=(len-2))
-			{
-				char s[32];
-				for(ext+=2; len2 ;)
-				{
-					v = *ext; ext++; len2--;
-					if (v<=len2)
-					{
-						v2 = v<sizeof(s) ? v : sizeof(s)-1;
-						memcpy(s,ext,v2);
-						s[v2]=0;
-						VPRINT("TLS ALPN ext : %s\n",s);
-						len2-=v;
-						ext+=v;
-					}
-					else
-						break;
-				}
-			}
-		}
-	}
-	else
-		VPRINT("TLS ALPN ext : not present\n");
-
-	VPRINT("TLS ECH ext : %s\n",TLSFindExt(tls,sz,65037,NULL,NULL,false) ? "present" : "not present");
-}
-
 static bool dp_match(struct desync_profile *dp, const struct sockaddr *dest, const char *hostname, t_l7proto l7proto)
 {
 	bool bHostlistsEmpty;
@@ -189,7 +130,6 @@ void tamper_out(t_ctrack *ctrack, const struct sockaddr *dest, uint8_t *segment,
 	{
 		VPRINT("Data block contains TLS ClientHello\n");
 		l7proto=TLS;
-		if (params.debug) TLSDebug(segment,*size);
 		bHaveHost=TLSHelloExtractHost((uint8_t*)segment,*size,Host,sizeof(Host),false);
 	}
 	else