drygdryg/zapret
1
0
Fork 0
mirror of https://github.com/bol-van/zapret.git synced 2025-08-10 01:02:03 +03:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: drygdryg:67e1aee8a81d710409864a6a555a3effea1707e2
Branches Tags
drygdryg:master
drygdryg:v71.3 drygdryg:v71.2 drygdryg:v71.1.1 drygdryg:v71.1 drygdryg:v71 drygdryg:v70.6 drygdryg:v70.5 drygdryg:v70.4 drygdryg:v70.3 drygdryg:v70 drygdryg:v69.9 drygdryg:v69.8 drygdryg:v69.7 drygdryg:v69.6 drygdryg:v69.5 drygdryg:v69.4 drygdryg:v69.3 drygdryg:v69.2 drygdryg:v69.1 drygdryg:v69 drygdryg:v68 drygdryg:v67 drygdryg:v65 drygdryg:v66 drygdryg:v64
...
compare: drygdryg:v70.6
Branches Tags
drygdryg:master
drygdryg:v71.3 drygdryg:v71.2 drygdryg:v71.1.1 drygdryg:v71.1 drygdryg:v71 drygdryg:v70.6 drygdryg:v70.5 drygdryg:v70.4 drygdryg:v70.3 drygdryg:v70 drygdryg:v69.9 drygdryg:v69.8 drygdryg:v69.7 drygdryg:v69.6 drygdryg:v69.5 drygdryg:v69.4 drygdryg:v69.3 drygdryg:v69.2 drygdryg:v69.1 drygdryg:v69 drygdryg:v68 drygdryg:v67 drygdryg:v65 drygdryg:v66 drygdryg:v64

18 Commits
67e1aee8a8 ... v70.6

Author SHA1 Message Date
bol-van
58e73d0331 github actions: do not use broken upx 5.0.0 2025-04-07 17:52:11 +03:00
bol-van
9ebeff621a readme.en : update ver 2025-04-07 10:16:30 +03:00
bol-van
69df271a16 readme: update crypto addresses 2025-04-07 10:15:36 +03:00
bol-van
e285b2401d isakmp fake 2025-04-06 16:42:56 +03:00
bol-van
6e1e7e43bc nfqws: optimize tls mod parse 2025-04-06 11:53:57 +03:00
bol-van
d04419a60c nfqws: safety check 2025-04-06 11:43:25 +03:00
bol-van
fc1bf47e82 update changes.txt 2025-04-06 11:34:43 +03:00
bol-van
929df3f094 nfqws: support different tls mods for every tls fake 2025-04-06 11:29:58 +03:00
bol-van
7272b243cb blockcheck: optimize 2025-04-05 18:13:16 +03:00
bol-van
72d48d957a update changes.txt 2025-04-05 18:10:46 +03:00
bol-van
f4069d484a update changes.txt 2025-04-05 18:10:18 +03:00
bol-van
1c82b0a6af blockcheck: --fix seg only if multiple split pos 2025-04-05 16:35:26 +03:00
bol-van
c08e69aa65 blockcheck: --fix seg only if multiple split pos 2025-04-05 16:31:22 +03:00
bol-van
8097f08020 ipset: some pkill's do not support multiple patterns 2025-04-05 13:56:31 +03:00
bol-van
4cae291e6f blockcheck: remove fix-seg for single split 2025-04-05 12:32:16 +03:00
bol-van
82ad5508dc blockcheck: --fix-seg for tpws multisplits 2025-04-05 12:24:43 +03:00
bol-van
fa8ddcfc79 desync.h fix 2025-04-05 11:53:59 +03:00
bol-van
b560e32e18 nfqws: update default tls fake 2025-04-05 09:45:44 +03:00
14 changed files with 169 additions and 118 deletions
Expand all files Collapse all files

1
.github/workflows/build.yml vendored
View File

@@ -401,6 +401,7 @@ jobs:
uses: crazy-max/ghaction-upx@v3 uses: crazy-max/ghaction-upx@v3
with: with:
install-only: true install-only: true
version: v4.2.4
- name: Prepare binaries - name: Prepare binaries
shell: bash shell: bash

13
blockcheck.sh
View File

@@ -347,6 +347,7 @@ check_system()
UNAME=$(uname) UNAME=$(uname)
SUBSYS= SUBSYS=
FIX_SEG=
local s local s
# can be passed FWTYPE=iptables to override default nftables preference # can be passed FWTYPE=iptables to override default nftables preference
@@ -354,6 +355,7 @@ check_system()
Linux) Linux)
PKTWS="$NFQWS" PKTWS="$NFQWS"
PKTWSD=nfqws PKTWSD=nfqws
FIX_SEG='--fix-seg'
linux_fwtype linux_fwtype
[ "$FWTYPE" = iptables -o "$FWTYPE" = nftables ] || { [ "$FWTYPE" = iptables -o "$FWTYPE" = nftables ] || {
echo firewall type $FWTYPE not supported in $UNAME echo firewall type $FWTYPE not supported in $UNAME
@@ -1430,6 +1432,11 @@ warn_mss()
[ -n "$1" ] && echo 'WARNING ! although mss worked it may not work on all sites and will likely cause significant slowdown. it may only be required for TLS1.2, not TLS1.3' [ -n "$1" ] && echo 'WARNING ! although mss worked it may not work on all sites and will likely cause significant slowdown. it may only be required for TLS1.2, not TLS1.3'
return 0 return 0
} }
fix_seg()
{
# $1 - split-pos
[ -n "$FIX_SEG" ] && contains "$1" , && echo "$FIX_SEG"
}
tpws_check_domain_http_bypass_() tpws_check_domain_http_bypass_()
{ {
@@ -1455,7 +1462,7 @@ tpws_check_domain_http_bypass_()
done done
for s2 in '' '--hostcase' '--oob' '--disorder' ${oobdis:+"$oobdis"}; do for s2 in '' '--hostcase' '--oob' '--disorder' ${oobdis:+"$oobdis"}; do
for s in $splits_http ; do for s in $splits_http ; do
tpws_curl_test_update $1 $3 --split-pos=$s $s2 && [ "$SCANLEVEL" != force ] && { tpws_curl_test_update $1 $3 --split-pos=$s $(fix_seg $s) $s2 && [ "$SCANLEVEL" != force ] && {
[ "$SCANLEVEL" = quick ] && return [ "$SCANLEVEL" = quick ] && return
break break
} }
@@ -1470,7 +1477,7 @@ tpws_check_domain_http_bypass_()
s3=${mss:+--mss=$mss} s3=${mss:+--mss=$mss}
for s2 in '' '--oob' '--disorder' ${oobdis:+"$oobdis"}; do for s2 in '' '--oob' '--disorder' ${oobdis:+"$oobdis"}; do
for pos in $splits_tls; do for pos in $splits_tls; do
tpws_curl_test_update $1 $3 --split-pos=$pos $s2 $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && { tpws_curl_test_update $1 $3 --split-pos=$pos $(fix_seg $pos) $s2 $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && {
[ "$SCANLEVEL" = quick ] && return [ "$SCANLEVEL" = quick ] && return
need_mss=0 need_mss=0
break break
@@ -1478,7 +1485,7 @@ tpws_check_domain_http_bypass_()
done done
done done
for s in '' '--oob' '--disorder' ${oobdis:+"$oobdis"}; do for s in '' '--oob' '--disorder' ${oobdis:+"$oobdis"}; do
for s2 in '--tlsrec=midsld' '--tlsrec=sniext+1 --split-pos=midsld' '--tlsrec=sniext+4 --split-pos=midsld' '--tlsrec=sniext+1 --split-pos=1,midsld' '--tlsrec=sniext+4 --split-pos=1,midsld' ; do for s2 in '--tlsrec=midsld' '--tlsrec=sniext+1 --split-pos=midsld' '--tlsrec=sniext+4 --split-pos=midsld' "--tlsrec=sniext+1 --split-pos=1,midsld $FIX_SEG" "--tlsrec=sniext+4 --split-pos=1,midsld $FIX_SEG" ; do
tpws_curl_test_update $1 $3 $s2 $s $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && { tpws_curl_test_update $1 $3 $s2 $s $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && {
[ "$SCANLEVEL" = quick ] && return [ "$SCANLEVEL" = quick ] && return
need_mss=0 need_mss=0

3
docs/changes.txt
View File

@@ -477,4 +477,7 @@ v70.6
nfqws: detect Discord Voice IP discovery packets nfqws: detect Discord Voice IP discovery packets
nfqws: detect STUN message packets nfqws: detect STUN message packets
nfqws: change SNI to specified value tls mod : --dpi-desync-fake-tls-mod sni=<sni> nfqws: change SNI to specified value tls mod : --dpi-desync-fake-tls-mod sni=<sni>
nfqws: update default TLS ClientHello fake. firefox 136.0.4 finger, no kyber, SNI=microsoft.com
nfqws: multiple mods for multiple TLS fakes
init.d: remove 50-discord init.d: remove 50-discord
blockcheck: use tpws --fix-seg on linux for multiple splits

22
docs/readme.en.md
View File

@@ -1,4 +1,4 @@
# zapret v70.5 # zapret v70.6
# SCAMMER WARNING # SCAMMER WARNING
@@ -291,9 +291,13 @@ It's possible to use TLS Client Hello with any fingerprint and any SNI.
By default if custom fake is not defined `rnd,rndsni,dupsid` mods are applied. If defined - `none`. By default if custom fake is not defined `rnd,rndsni,dupsid` mods are applied. If defined - `none`.
This behaviour is compatible with previous versions with addition of `dupsid`. This behaviour is compatible with previous versions with addition of `dupsid`.
If TLS mod is enabled and there're multiple TLS fakes, all valid TLS Client Hello fakes are modified. If multiple TLS fakes are present each one takes the last mod.
If there's no TLS Client Hello program exits with error. If a mod is specified after fake it replaces previous mod.
This way it's possible to use different mods for every TLS fake.
If a mod is set to non-TLS fake it causes error. Use `--dpi-desync-fake-tls-mod=none'.
Example : `--dpi-desync-fake-tls=iana_org.bin --dpi-desync-fake-tls-mod=rndsni --dpi-desync-fake-tls=0xaabbccdd --dpi-desync-fake-tls-mod=none'
### TCP segmentation ### TCP segmentation
@@ -1447,12 +1451,8 @@ If this is the case then run another script in background and add some delay the
Are welcome here : Are welcome here :
<img src=https://cdn-icons-png.flaticon.com/16/14446/14446252.png alt="USDT" style="vertical-align: middle;"/> USDT USDT `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`
```
0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E
```
<img src=https://cdn-icons-png.flaticon.com/16/5968/5968260.png alt="USDT" style="vertical-align: middle;"/> BTC BTC `bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve`
```
bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve ETH `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`
```

23
docs/readme.md
View File

@@ -346,8 +346,15 @@ dvtws, собираемый из тех же исходников (см. [док
По умолчанию если не задан собственный фейк для TLS используются модификации `rnd,rndsni,dupsid`. Если фейк задан, используется `none`. По умолчанию если не задан собственный фейк для TLS используются модификации `rnd,rndsni,dupsid`. Если фейк задан, используется `none`.
Это соответствует поведению программы более старых версий с добавлением функции `dupsid`. Это соответствует поведению программы более старых версий с добавлением функции `dupsid`.
Если задан режим модификации и имеется множество TLS фейков, модифицируются все фейки, являющиеся TLS Client Hello. Если задан режим модификации и имеется множество TLS фейков, к каждому из них применяется последний режим модификации.
Если нет ни одного TLS Client Hello фейка, программа завершается с ошибкой. Если режим модификации задан после фейка, то он замещает предыдущий режим.
Таким образом можно использовать разные режимы модификации для разных фейков.
При невозможности модифицировать фейк на этапе запуска программа завершается с ошибкой.
Если сначала идет TLS фейк, для него задан режим однократной модификации, затем идет не TLS фейк, то будет ошибка.
Нужно использовать `--dpi-desync-fake-tls-mod=none'.
Пример : `--dpi-desync-fake-tls=iana_org.bin --dpi-desync-fake-tls-mod=rndsni --dpi-desync-fake-tls=0xaabbccdd --dpi-desync-fake-tls-mod=none'
### TCP СЕГМЕНТАЦИЯ ### TCP СЕГМЕНТАЦИЯ
@@ -2361,12 +2368,8 @@ VPS можно приобрести в множестве мест. Сущест
## Поддержать разработчика ## Поддержать разработчика
<img src=https://cdn-icons-png.flaticon.com/16/14446/14446252.png alt="USDT" style="vertical-align: middle;"/> USDT USDT `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`
```
0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E
```
<img src=https://cdn-icons-png.flaticon.com/16/5968/5968260.png alt="USDT" style="vertical-align: middle;"/> BTC BTC `bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve`
```
bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve ETH `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`
```

BIN
files/fake/isakmp_initiator_request.bin Normal file
View File

Binary file not shown.

4
ipset/def.sh
View File

@@ -274,7 +274,9 @@ hup_zapret_daemons()
if exists killall; then if exists killall; then
killall -HUP tpws nfqws dvtws 2>/dev/null killall -HUP tpws nfqws dvtws 2>/dev/null
elif exists pkill; then elif exists pkill; then
pkill -HUP ^tpws$ ^nfqws$ ^dvtws$ pkill -HUP ^tpws$
pkill -HUP ^nfqws$
pkill -HUP ^dvtws$
else else
echo no mass killer available ! cant HUP zapret daemons echo no mass killer available ! cant HUP zapret daemons
fi fi

118
nfq/desync.c
View File

@@ -16,51 +16,65 @@ const char *fake_http_request_default = "GET / HTTP/1.1\r\nHost: www.iana.org\r\
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n" "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n"
"Accept-Encoding: gzip, deflate, br\r\n\r\n"; "Accept-Encoding: gzip, deflate, br\r\n\r\n";
// random : +11 size 32 // SNI - www.microsoft.com
// random : +44 size 32 const uint8_t fake_tls_clienthello_default[680] = {
// sni : gatech.edu +125 size 11 0x16, 0x03, 0x01, 0x02, 0xa3, 0x01, 0x00, 0x02, 0x9f, 0x03, 0x03, 0x41,
const uint8_t fake_tls_clienthello_default[648] = { 0x88, 0x82, 0x2d, 0x4f, 0xfd, 0x81, 0x48, 0x9e, 0xe7, 0x90, 0x65, 0x1f,
0x16,0x03,0x01,0x02,0x83,0x01,0x00,0x02,0x7f,0x03,0x03,0x98,0xfb,0x69,0x1d,0x31, 0xba, 0x05, 0x7b, 0xff, 0xa7, 0x5a, 0xf9, 0x5b, 0x8a, 0x8f, 0x45, 0x8b,
0x66,0xc4,0xd8,0x07,0x25,0x2b,0x74,0x47,0x01,0x44,0x09,0x08,0xcf,0x13,0x67,0xe0, 0x41, 0xf0, 0x3d, 0x1b, 0xdd, 0xe3, 0xf8, 0x20, 0x9b, 0x23, 0xa5, 0xd2,
0x46,0x19,0x1f,0xcb,0xee,0xe6,0x8e,0x33,0xb9,0x91,0xa0,0x20,0xf2,0xed,0x56,0x73, 0x21, 0x1e, 0x9f, 0xe7, 0x85, 0x6c, 0xfc, 0x61, 0x80, 0x3a, 0x3f, 0xba,
0xa4,0x0a,0xce,0xa6,0xad,0xd2,0xfd,0x71,0xb8,0xb9,0xfd,0x06,0x0e,0xdd,0xf0,0x57, 0xb9, 0x60, 0xba, 0xb3, 0x0e, 0x98, 0x27, 0x6c, 0xf7, 0x38, 0x28, 0x65,
0x37,0x7d,0x96,0xb5,0x80,0x6e,0x54,0xe2,0x15,0xce,0x5f,0xff,0x00,0x22,0x13,0x01, 0x80, 0x5d, 0x40, 0x38, 0x00, 0x22, 0x13, 0x01, 0x13, 0x03, 0x13, 0x02,
0x13,0x03,0x13,0x02,0xc0,0x2b,0xc0,0x2f,0xcc,0xa9,0xcc,0xa8,0xc0,0x2c,0xc0,0x30, 0xc0, 0x2b, 0xc0, 0x2f, 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x2c, 0xc0, 0x30,
0xc0,0x0a,0xc0,0x09,0xc0,0x13,0xc0,0x14,0x00,0x9c,0x00,0x9d,0x00,0x2f,0x00,0x35, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x14, 0x00, 0x9c, 0x00, 0x9d,
0x01,0x00,0x02,0x14,0x00,0x00,0x00,0x0f,0x00,0x0d,0x00,0x00,0x0a,0x67,0x61,0x74, 0x00, 0x2f, 0x00, 0x35, 0x01, 0x00, 0x02, 0x34, 0x00, 0x00, 0x00, 0x16,
0x65,0x63,0x68,0x2e,0x65,0x64,0x75,0x00,0x17,0x00,0x00,0xff,0x01,0x00,0x01,0x00, 0x00, 0x14, 0x00, 0x00, 0x11, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63,
0x00,0x0a,0x00,0x0e,0x00,0x0c,0x00,0x1d,0x00,0x17,0x00,0x18,0x00,0x19,0x01,0x00, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x17,
0x01,0x01,0x00,0x0b,0x00,0x02,0x01,0x00,0x00,0x10,0x00,0x0e,0x00,0x0c,0x02,0x68, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x0e, 0x00,
0x32,0x08,0x68,0x74,0x74,0x70,0x2f,0x31,0x2e,0x31,0x00,0x05,0x00,0x05,0x01,0x00, 0x0c, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x01, 0x00, 0x01,
0x00,0x00,0x00,0x00,0x22,0x00,0x0a,0x00,0x08,0x04,0x03,0x05,0x03,0x06,0x03,0x02, 0x01, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00,
0x03,0x00,0x33,0x00,0x6b,0x00,0x69,0x00,0x1d,0x00,0x20,0x72,0xe5,0xce,0x58,0x31, 0x10, 0x00, 0x0e, 0x00, 0x0c, 0x02, 0x68, 0x32, 0x08, 0x68, 0x74, 0x74,
0x3c,0x08,0xaa,0x2f,0xa8,0x40,0xe7,0x7a,0xdf,0x46,0x5b,0x63,0x62,0xc7,0xfa,0x49, 0x70, 0x2f, 0x31, 0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00, 0x00,
0x18,0xac,0xa1,0x00,0x7c,0x42,0xc5,0x02,0x94,0x5c,0x44,0x00,0x17,0x00,0x41,0x04, 0x00, 0x00, 0x00, 0x22, 0x00, 0x0a, 0x00, 0x08, 0x04, 0x03, 0x05, 0x03,
0x8f,0x3e,0x5f,0xd4,0x7f,0x37,0x47,0xd3,0x33,0x70,0x38,0x7f,0x11,0x35,0xc1,0x55, 0x06, 0x03, 0x02, 0x03, 0x00, 0x12, 0x00, 0x00, 0x00, 0x33, 0x00, 0x6b,
0x8a,0x6c,0xc7,0x5a,0xd4,0xf7,0x31,0xbb,0x9e,0xee,0xd1,0x8f,0x74,0xdd,0x9b,0xbb, 0x00, 0x69, 0x00, 0x1d, 0x00, 0x20, 0x69, 0x15, 0x16, 0x29, 0x6d, 0xad,
0x91,0xa1,0x72,0xda,0xeb,0xf6,0xc6,0x82,0x84,0xfe,0xb7,0xfd,0x7b,0xe1,0x9f,0xd2, 0xd5, 0x68, 0x88, 0x27, 0x2f, 0xde, 0xaf, 0xac, 0x3c, 0x4c, 0xa4, 0xe4,
0xb9,0x3e,0x83,0xa6,0x9c,0xac,0x81,0xe2,0x00,0xd5,0x19,0x55,0x91,0xa7,0x0c,0x29, 0xd8, 0xc8, 0xfb, 0x41, 0x87, 0xf4, 0x76, 0x4e, 0x0e, 0xfa, 0x64, 0xc4,
0x00,0x2b,0x00,0x05,0x04,0x03,0x04,0x03,0x03,0x00,0x0d,0x00,0x18,0x00,0x16,0x04, 0xe9, 0x29, 0x00, 0x17, 0x00, 0x41, 0x04, 0xfe, 0x62, 0xb9, 0x08, 0xc8,
0x03,0x05,0x03,0x06,0x03,0x08,0x04,0x08,0x05,0x08,0x06,0x04,0x01,0x05,0x01,0x06, 0xc3, 0x2a, 0xb9, 0x87, 0x37, 0x84, 0x42, 0x6b, 0x5c, 0xcd, 0xc9, 0xca,
0x01,0x02,0x03,0x02,0x01,0x00,0x1c,0x00,0x02,0x40,0x01,0xfe,0x0d,0x01,0x19,0x00, 0x62, 0x38, 0xd3, 0xd9, 0x99, 0x8a, 0xc4, 0x2d, 0xc6, 0xd0, 0xa3, 0x60,
0x00,0x01,0x00,0x01,0xfe,0x00,0x20,0xae,0x8b,0x30,0x3c,0xf0,0xa9,0x0d,0xa1,0x69, 0xb2, 0x12, 0x54, 0x41, 0x8e, 0x52, 0x5e, 0xe3, 0xab, 0xf9, 0xc2, 0x07,
0x95,0xb8,0xe2,0xed,0x08,0x6d,0x48,0xdf,0xf7,0x5b,0x9d,0x66,0xef,0x15,0x97,0xbc, 0x81, 0xdc, 0xf8, 0xf2, 0x6a, 0x91, 0x40, 0x2f, 0xcb, 0xa4, 0xff, 0x6f,
0x2c,0x99,0x91,0x12,0x7a,0x35,0xd0,0x00,0xef,0xb1,0x8d,0xff,0x61,0x57,0x52,0xef, 0x24, 0xc7, 0x4d, 0x77, 0x77, 0x2d, 0x6f, 0xe0, 0x77, 0xaa, 0x92, 0x00,
0xd6,0xea,0xbf,0xf3,0x6d,0x78,0x14,0x38,0xff,0xeb,0x58,0xe8,0x9d,0x59,0x4b,0xd5, 0x2b, 0x00, 0x05, 0x04, 0x03, 0x04, 0x03, 0x03, 0x00, 0x0d, 0x00, 0x18,
0x9f,0x59,0x12,0xf9,0x03,0x9a,0x20,0x37,0x85,0x77,0xb1,0x4c,0xd8,0xef,0xa6,0xc8, 0x00, 0x16, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x08, 0x04, 0x08, 0x05,
0x54,0x8d,0x07,0x27,0x95,0xce,0xd5,0x37,0x4d,0x69,0x18,0xd4,0xfd,0x5e,0xdf,0x64, 0x08, 0x06, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02, 0x03, 0x02, 0x01,
0xcc,0x10,0x2f,0x7f,0x0e,0xc9,0xfd,0xd4,0xd0,0x18,0x61,0x1b,0x57,0x8f,0x41,0x7f, 0x00, 0x2d, 0x00, 0x02, 0x01, 0x01, 0x00, 0x1c, 0x00, 0x02, 0x40, 0x01,
0x6f,0x4f,0x5c,0xad,0x04,0xc6,0x5e,0x74,0x54,0x87,0xba,0x28,0xe6,0x11,0x0b,0x9d, 0x00, 0x1b, 0x00, 0x07, 0x06, 0x00, 0x01, 0x00, 0x02, 0x00, 0x03, 0xfe,
0x3f,0x0b,0x6d,0xf4,0x2d,0xfc,0x31,0x4e,0xfd,0x49,0xe7,0x15,0x96,0xaf,0xee,0x9a, 0x0d, 0x01, 0x19, 0x00, 0x00, 0x01, 0x00, 0x03, 0x21, 0x00, 0x20, 0x62,
0x48,0x1b,0xae,0x5e,0x7c,0x20,0xbe,0xb4,0xec,0x68,0xb6,0x74,0x22,0xa0,0xec,0xff, 0xe8, 0x83, 0xd8, 0x97, 0x05, 0x8a, 0xbe, 0xa1, 0xf2, 0x63, 0x4e, 0xce,
0x19,0x96,0xe4,0x10,0x8f,0x3c,0x91,0x88,0xa1,0xcc,0x78,0xef,0x4e,0x0e,0xe3,0xb6, 0x93, 0x84, 0x8e, 0xcf, 0xe7, 0xdd, 0xb2, 0xe4, 0x87, 0x06, 0xac, 0x11,
0x57,0x8c,0x33,0xef,0xaa,0xb0,0x1d,0x45,0x1c,0x02,0x4c,0xe2,0x80,0x30,0xe8,0x48, 0x19, 0xbe, 0x0e, 0x71, 0x87, 0xf1, 0xa6, 0x00, 0xef, 0xd8, 0x6b, 0x27,
0x7a,0x09,0x71,0x94,0x7c,0xb6,0x75,0x81,0x1c,0xae,0xe3,0x3f,0xde,0xea,0x2b,0x45, 0x5e, 0xc0, 0xa7, 0x5d, 0x42, 0x4e, 0x8c, 0xdc, 0xf3, 0x9f, 0x1c, 0x51,
0xcc,0xe3,0x64,0x09,0xf7,0x60,0x26,0x0c,0x7d,0xad,0x55,0x65,0xb6,0xf5,0x85,0x04, 0x62, 0xef, 0xff, 0x5b, 0xed, 0xc8, 0xfd, 0xee, 0x6f, 0xbb, 0x88, 0x9b,
0x64,0x2f,0x97,0xd0,0x6a,0x06,0x36,0xcd,0x25,0xda,0x51,0xab,0xd6,0xf7,0x5e,0xeb, 0xb1, 0x30, 0x9c, 0x66, 0x42, 0xab, 0x0f, 0x66, 0x89, 0x18, 0x8b, 0x11,
0xd4,0x03,0x39,0xa4,0xc4,0x2a,0x9c,0x17,0xe8,0xb0,0x9f,0xc0,0xd3,0x8c,0x76,0xdd, 0xc1, 0x6d, 0xe7, 0x2a, 0xeb, 0x96, 0x3b, 0x7f, 0x52, 0x78, 0xdb, 0xf8,
0xa1,0x0b,0x76,0x9f,0x23,0xfa,0xed,0xfb,0xd7,0x78,0x0f,0x00,0xf7,0x45,0x03,0x04, 0x6d, 0x04, 0xf7, 0x95, 0x1a, 0xa8, 0xf0, 0x64, 0x52, 0x07, 0x39, 0xf0,
0x84,0x66,0x6b,0xec,0xc7,0xed,0xbc,0xe4 0xa8, 0x1d, 0x0d, 0x16, 0x36, 0xb7, 0x18, 0x0e, 0xc8, 0x44, 0x27, 0xfe,
0xf3, 0x31, 0xf0, 0xde, 0x8c, 0x74, 0xf5, 0xa1, 0xd8, 0x8f, 0x6f, 0x45,
0x97, 0x69, 0x79, 0x5e, 0x2e, 0xd4, 0xb0, 0x2c, 0x0c, 0x1a, 0x6f, 0xcc,
0xce, 0x90, 0xc7, 0xdd, 0xc6, 0x60, 0x95, 0xf3, 0xc2, 0x19, 0xde, 0x50,
0x80, 0xbf, 0xde, 0xf2, 0x25, 0x63, 0x15, 0x26, 0x63, 0x09, 0x1f, 0xc5,
0xdf, 0x32, 0xf5, 0xea, 0x9c, 0xd2, 0xff, 0x99, 0x4e, 0x67, 0xa2, 0xe5,
0x1a, 0x94, 0x85, 0xe3, 0xdf, 0x36, 0xa5, 0x83, 0x4b, 0x0a, 0x1c, 0xaf,
0xd7, 0x48, 0xc9, 0x4b, 0x8a, 0x27, 0xdd, 0x58, 0x7f, 0x95, 0xf2, 0x6b,
0xde, 0x2b, 0x12, 0xd3, 0xec, 0x4d, 0x69, 0x37, 0x9c, 0x13, 0x9b, 0x16,
0xb0, 0x45, 0x52, 0x38, 0x77, 0x69, 0xef, 0xaa, 0x65, 0x19, 0xbc, 0xc2,
0x93, 0x4d, 0xb0, 0x1b, 0x7f, 0x5b, 0x41, 0xff, 0xaf, 0xba, 0x50, 0x51,
0xc3, 0xf1, 0x27, 0x09, 0x25, 0xf5, 0x60, 0x90, 0x09, 0xb1, 0xe5, 0xc0,
0xc7, 0x42, 0x78, 0x54, 0x3b, 0x23, 0x19, 0x7d, 0x8e, 0x72, 0x13, 0xb4,
0xd3, 0xcd, 0x63, 0xb6, 0xc4, 0x4a, 0x28, 0x3d, 0x45, 0x3e, 0x8b, 0xdb,
0x84, 0x4f, 0x78, 0x64, 0x30, 0x69, 0xe2, 0x1b
}; };
#define PKTDATA_MAXDUMP 32 #define PKTDATA_MAXDUMP 32
@@ -609,12 +623,12 @@ static uint16_t IP4_IP_ID_FIX(const struct ip *ip)
// fake_mod buffer must at least sizeof(desync_profile->fake_tls) // fake_mod buffer must at least sizeof(desync_profile->fake_tls)
// size does not change // size does not change
// return : true - altered, false - not altered // return : true - altered, false - not altered
static bool runtime_tls_mod(int fake_n,const struct fake_tls_mod_cache *modcache, uint32_t fake_tls_mod, const uint8_t *fake_data, size_t fake_data_size, const uint8_t *payload, size_t payload_len, uint8_t *fake_mod) static bool runtime_tls_mod(int fake_n,const struct fake_tls_mod_cache *modcache, const struct fake_tls_mod *tls_mod, const uint8_t *fake_data, size_t fake_data_size, const uint8_t *payload, size_t payload_len, uint8_t *fake_mod)
{ {
bool b=false; bool b=false;
if (modcache) // it's filled only if it's TLS if (modcache) // it's filled only if it's TLS
{ {
if (fake_tls_mod & FAKE_TLS_MOD_PADENCAP) if (tls_mod->mod & FAKE_TLS_MOD_PADENCAP)
{ {
size_t sz_rec = pntoh16(fake_data+3) + payload_len; size_t sz_rec = pntoh16(fake_data+3) + payload_len;
size_t sz_handshake = pntoh24(fake_data+6) + payload_len; size_t sz_handshake = pntoh24(fake_data+6) + payload_len;
@@ -633,7 +647,7 @@ static bool runtime_tls_mod(int fake_n,const struct fake_tls_mod_cache *modcache
DLOG("fake[%d] applied padencap tls mod. sizes increased by %zu bytes.\n", fake_n, payload_len); DLOG("fake[%d] applied padencap tls mod. sizes increased by %zu bytes.\n", fake_n, payload_len);
} }
} }
if (fake_tls_mod & FAKE_TLS_MOD_RND) if (tls_mod->mod & FAKE_TLS_MOD_RND)
{ {
if (!b) memcpy(fake_mod,fake_data,fake_data_size); if (!b) memcpy(fake_mod,fake_data,fake_data_size);
fill_random_bytes(fake_mod+11,32); // random fill_random_bytes(fake_mod+11,32); // random
@@ -641,9 +655,11 @@ static bool runtime_tls_mod(int fake_n,const struct fake_tls_mod_cache *modcache
b=true; b=true;
DLOG("fake[%d] applied rnd tls mod\n", fake_n); DLOG("fake[%d] applied rnd tls mod\n", fake_n);
} }
if (fake_tls_mod & FAKE_TLS_MOD_DUP_SID) if (tls_mod->mod & FAKE_TLS_MOD_DUP_SID)
{ {
if (fake_data[43]!=payload[43]) if (payload_len<44)
DLOG("fake[%d] cannot apply dupsid tls mod. data payload is too short.\n",fake_n);
else if (fake_data[43]!=payload[43])
DLOG("fake[%d] cannot apply dupsid tls mod. fake and orig session id length mismatch.\n",fake_n); DLOG("fake[%d] cannot apply dupsid tls mod. fake and orig session id length mismatch.\n",fake_n);
else if (payload_len<(44+payload[43])) else if (payload_len<(44+payload[43]))
DLOG("fake[%d] cannot apply dupsid tls mod. data payload is not valid.\n",fake_n); DLOG("fake[%d] cannot apply dupsid tls mod. data payload is not valid.\n",fake_n);
@@ -1307,7 +1323,7 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
{ {
case TLS: case TLS:
if ((fake_item->size <= sizeof(fake_data_buf)) && if ((fake_item->size <= sizeof(fake_data_buf)) &&
runtime_tls_mod(n,(struct fake_tls_mod_cache *)fake_item->extra, dp->fake_tls_mod, fake_item->data, fake_item->size, rdata_payload, rlen_payload, fake_data_buf)) runtime_tls_mod(n,(struct fake_tls_mod_cache *)fake_item->extra,(struct fake_tls_mod *)fake_item->extra2, fake_item->data, fake_item->size, rdata_payload, rlen_payload, fake_data_buf))
{ {
fake_data = fake_data_buf; fake_data = fake_data_buf;
break; break;

2
nfq/desync.h
View File

@@ -41,7 +41,7 @@ enum dpi_desync_mode {
}; };
extern const char *fake_http_request_default; extern const char *fake_http_request_default;
extern const uint8_t fake_tls_clienthello_default[648]; extern const uint8_t fake_tls_clienthello_default[680];
void randomize_default_tls_payload(uint8_t *p); void randomize_default_tls_payload(uint8_t *p);
enum dpi_desync_mode desync_mode_from_string(const char *s); enum dpi_desync_mode desync_mode_from_string(const char *s);

84
nfq/nfqws.c
View File

@@ -950,12 +950,12 @@ static bool parse_ip_list(char *opt, ipset *pp)
return true; return true;
} }
static bool parse_tlsmod_list(char *opt, uint32_t *mod, char *sni, size_t sni_buf_len) static bool parse_tlsmod_list(char *opt, struct fake_tls_mod *tls_mod)
{ {
char *e,*e2,*p,c,c2; char *e,*e2,*p,c,c2;
*mod &= FAKE_TLS_MOD_SAVE_MASK; tls_mod->mod &= FAKE_TLS_MOD_SAVE_MASK;
*mod |= FAKE_TLS_MOD_SET; tls_mod->mod |= FAKE_TLS_MOD_SET;
for (p=opt ; p ; ) for (p=opt ; p ; )
{ {
for (e2=p ; *e2 && *e2!=',' && *e2!='=' ; e2++); for (e2=p ; *e2 && *e2!=',' && *e2!='=' ; e2++);
@@ -975,20 +975,20 @@ static bool parse_tlsmod_list(char *opt, uint32_t *mod, char *sni, size_t sni_bu
e2=NULL; e2=NULL;
if (!strcmp(p,"rnd")) if (!strcmp(p,"rnd"))
*mod |= FAKE_TLS_MOD_RND; tls_mod->mod |= FAKE_TLS_MOD_RND;
else if (!strcmp(p,"rndsni")) else if (!strcmp(p,"rndsni"))
*mod |= FAKE_TLS_MOD_RND_SNI; tls_mod->mod |= FAKE_TLS_MOD_RND_SNI;
else if (!strcmp(p,"sni")) else if (!strcmp(p,"sni"))
{ {
*mod |= FAKE_TLS_MOD_SNI; tls_mod->mod |= FAKE_TLS_MOD_SNI;
if (!e2 || !e2[1] || e2[1]==',') goto err; if (!e2 || !e2[1] || e2[1]==',') goto err;
strncpy(sni,e2+1,sni_buf_len-1); strncpy(tls_mod->sni,e2+1,sizeof(tls_mod->sni)-1);
sni[sni_buf_len-1]=0; tls_mod->sni[sizeof(tls_mod->sni)-1-1]=0;
} }
else if (!strcmp(p,"padencap")) else if (!strcmp(p,"padencap"))
*mod |= FAKE_TLS_MOD_PADENCAP; tls_mod->mod |= FAKE_TLS_MOD_PADENCAP;
else if (!strcmp(p,"dupsid")) else if (!strcmp(p,"dupsid"))
*mod |= FAKE_TLS_MOD_DUP_SID; tls_mod->mod |= FAKE_TLS_MOD_DUP_SID;
else if (strcmp(p,"none")) else if (strcmp(p,"none"))
goto err; goto err;
@@ -1034,13 +1034,13 @@ static void SplitDebug(void)
static const char * tld[]={"com","org","net","edu","gov","biz"}; static const char * tld[]={"com","org","net","edu","gov","biz"};
static bool onetime_tls_mod_blob(int profile_n, int fake_n, uint32_t fake_tls_mod, const char *fake_tls_sni, uint8_t *fake_tls, size_t *fake_tls_size, size_t fake_tls_buf_size, struct fake_tls_mod_cache *modcache) static bool onetime_tls_mod_blob(int profile_n, int fake_n, const struct fake_tls_mod *tls_mod, uint8_t *fake_tls, size_t *fake_tls_size, size_t fake_tls_buf_size, struct fake_tls_mod_cache *modcache)
{ {
const uint8_t *ext; const uint8_t *ext;
size_t extlen; size_t extlen;
modcache->extlen_offset = modcache->padlen_offset = 0; modcache->extlen_offset = modcache->padlen_offset = 0;
if (fake_tls_mod & (FAKE_TLS_MOD_RND_SNI|FAKE_TLS_MOD_SNI|FAKE_TLS_MOD_PADENCAP)) if (tls_mod->mod & (FAKE_TLS_MOD_RND_SNI|FAKE_TLS_MOD_SNI|FAKE_TLS_MOD_PADENCAP))
{ {
if (!TLSFindExtLen(fake_tls,*fake_tls_size,&modcache->extlen_offset)) if (!TLSFindExtLen(fake_tls,*fake_tls_size,&modcache->extlen_offset))
{ {
@@ -1048,7 +1048,7 @@ static bool onetime_tls_mod_blob(int profile_n, int fake_n, uint32_t fake_tls_mo
return false; return false;
} }
DLOG("profile %d fake[%d] tls extensions length offset : %zu\n", profile_n, fake_n, modcache->extlen_offset); DLOG("profile %d fake[%d] tls extensions length offset : %zu\n", profile_n, fake_n, modcache->extlen_offset);
if (fake_tls_mod & (FAKE_TLS_MOD_RND_SNI|FAKE_TLS_MOD_SNI)) if (tls_mod->mod & (FAKE_TLS_MOD_RND_SNI|FAKE_TLS_MOD_SNI))
{ {
size_t slen; size_t slen;
if (!TLSFindExt(fake_tls,*fake_tls_size,0,&ext,&extlen,false)) if (!TLSFindExt(fake_tls,*fake_tls_size,0,&ext,&extlen,false))
@@ -1063,9 +1063,9 @@ static bool onetime_tls_mod_blob(int profile_n, int fake_n, uint32_t fake_tls_mo
return false; return false;
} }
uint8_t *sni = fake_tls + (ext - fake_tls); uint8_t *sni = fake_tls + (ext - fake_tls);
if (fake_tls_mod & FAKE_TLS_MOD_SNI) if (tls_mod->mod & FAKE_TLS_MOD_SNI)
{ {
size_t slen_new = strlen(fake_tls_sni); size_t slen_new = strlen(tls_mod->sni);
ssize_t slen_delta = slen_new-slen; ssize_t slen_delta = slen_new-slen;
char *s1=NULL; char *s1=NULL;
if (params.debug) if (params.debug)
@@ -1093,12 +1093,12 @@ static bool onetime_tls_mod_blob(int profile_n, int fake_n, uint32_t fake_tls_mo
*fake_tls_size+=slen_delta; *fake_tls_size+=slen_delta;
slen = slen_new; slen = slen_new;
} }
DLOG("profile %d fake[%d] change SNI : %s => %s size_delta=%zd\n", profile_n, fake_n, s1, fake_tls_sni, slen_delta); DLOG("profile %d fake[%d] change SNI : %s => %s size_delta=%zd\n", profile_n, fake_n, s1, tls_mod->sni, slen_delta);
free(s1); free(s1);
memcpy(sni,fake_tls_sni,slen_new); memcpy(sni,tls_mod->sni,slen_new);
} }
if (fake_tls_mod & FAKE_TLS_MOD_RND_SNI) if (tls_mod->mod & FAKE_TLS_MOD_RND_SNI)
{ {
if (!slen) if (!slen)
{ {
@@ -1136,7 +1136,7 @@ static bool onetime_tls_mod_blob(int profile_n, int fake_n, uint32_t fake_tls_mo
} }
} }
} }
if (fake_tls_mod & FAKE_TLS_MOD_PADENCAP) if (tls_mod->mod & FAKE_TLS_MOD_PADENCAP)
{ {
if (TLSFindExt(fake_tls,*fake_tls_size,21,&ext,&extlen,false)) if (TLSFindExt(fake_tls,*fake_tls_size,21,&ext,&extlen,false))
{ {
@@ -1171,39 +1171,37 @@ static bool onetime_tls_mod_blob(int profile_n, int fake_n, uint32_t fake_tls_mo
} }
static bool onetime_tls_mod(struct desync_profile *dp) static bool onetime_tls_mod(struct desync_profile *dp)
{ {
if (dp->n && !(dp->fake_tls_mod & (FAKE_TLS_MOD_SET|FAKE_TLS_MOD_CUSTOM_FAKE)))
dp->fake_tls_mod |= FAKE_TLS_MOD_RND|FAKE_TLS_MOD_RND_SNI|FAKE_TLS_MOD_DUP_SID; // old behavior compat + dup_sid
if (!(dp->fake_tls_mod & ~FAKE_TLS_MOD_SAVE_MASK))
return true; // nothing to do
struct blob_item *fake_tls; struct blob_item *fake_tls;
struct fake_tls_mod *tls_mod;
int n=0; int n=0;
bool bMod=false;
LIST_FOREACH(fake_tls, &dp->fake_tls, next) LIST_FOREACH(fake_tls, &dp->fake_tls, next)
{ {
++n; ++n;
if (!IsTLSClientHello(fake_tls->data,fake_tls->size,false) || (fake_tls->size < (44+fake_tls->data[43]))) // has session id ? tls_mod = (struct fake_tls_mod *)fake_tls->extra2;
{ if (!tls_mod) continue;
DLOG("profile %d fake[%d] tls mod set but tls fake structure invalid. mod skipped.\n", dp->n, n); if (dp->n && !(tls_mod->mod & (FAKE_TLS_MOD_SET|FAKE_TLS_MOD_CUSTOM_FAKE)))
tls_mod->mod |= FAKE_TLS_MOD_RND|FAKE_TLS_MOD_RND_SNI|FAKE_TLS_MOD_DUP_SID; // old behavior compat + dup_sid
if (!(tls_mod->mod & ~FAKE_TLS_MOD_SAVE_MASK))
continue; continue;
if (!IsTLSClientHello(fake_tls->data,fake_tls->size,false) || (fake_tls->size < (44+fake_tls->data[43]))) // has session id ?
{
DLOG("profile %d fake[%d] tls mod set but tls fake structure invalid.\n", dp->n, n);
return false;
} }
bMod = true;
if (!fake_tls->extra) if (!fake_tls->extra)
{ {
fake_tls->extra = malloc(sizeof(struct fake_tls_mod_cache)); fake_tls->extra = malloc(sizeof(struct fake_tls_mod_cache));
if (!fake_tls->extra) return false; if (!fake_tls->extra) return false;
} }
if (!onetime_tls_mod_blob(dp->n,n,dp->fake_tls_mod,dp->fake_tls_sni,fake_tls->data,&fake_tls->size,fake_tls->size_buf,(struct fake_tls_mod_cache*)fake_tls->extra)) if (!onetime_tls_mod_blob(dp->n,n,tls_mod,fake_tls->data,&fake_tls->size,fake_tls->size_buf,(struct fake_tls_mod_cache*)fake_tls->extra))
return false; return false;
} }
if (!bMod) return true;
DLOG_ERR("profile %d tls fake list does not have any valid TLS ClientHello\n", dp->n);
return bMod;
} }
static void load_blob_to_collection(const char *filename, struct blob_collection_head *blobs, size_t max_size, size_t size_reserve) static struct blob_item *load_blob_to_collection(const char *filename, struct blob_collection_head *blobs, size_t max_size, size_t size_reserve)
{ {
struct blob_item *blob = blob_collection_add(blobs); struct blob_item *blob = blob_collection_add(blobs);
uint8_t *p; uint8_t *p;
@@ -1222,6 +1220,7 @@ static void load_blob_to_collection(const char *filename, struct blob_collection
} }
blob->data = p; blob->data = p;
blob->size_buf = blob->size+size_reserve; blob->size_buf = blob->size+size_reserve;
return blob;
} }
@@ -2116,15 +2115,26 @@ int main(int argc, char **argv)
load_blob_to_collection(optarg, &dp->fake_http, FAKE_MAX_TCP,0); load_blob_to_collection(optarg, &dp->fake_http, FAKE_MAX_TCP,0);
break; break;
case 39: /* dpi-desync-fake-tls */ case 39: /* dpi-desync-fake-tls */
load_blob_to_collection(optarg, &dp->fake_tls, FAKE_MAX_TCP,4+sizeof(dp->fake_tls_sni)); {
dp->fake_tls_mod |= FAKE_TLS_MOD_CUSTOM_FAKE; dp->tls_fake_last = load_blob_to_collection(optarg, &dp->fake_tls, FAKE_MAX_TCP,4+sizeof(dp->tls_mod_last.sni));
if (!(dp->tls_fake_last->extra2 = malloc(sizeof(struct fake_tls_mod))))
{
DLOG_ERR("out of memory\n");
exit_clean(1);
}
struct fake_tls_mod *tls_mod = (struct fake_tls_mod*)dp->tls_fake_last->extra2;
*tls_mod = dp->tls_mod_last;
tls_mod->mod |= FAKE_TLS_MOD_CUSTOM_FAKE;
}
break; break;
case 40: /* dpi-desync-fake-tls-mod */ case 40: /* dpi-desync-fake-tls-mod */
if (!parse_tlsmod_list(optarg,&dp->fake_tls_mod,dp->fake_tls_sni,sizeof(dp->fake_tls_sni))) if (!parse_tlsmod_list(optarg,&dp->tls_mod_last))
{ {
DLOG_ERR("Invalid tls mod : %s\n",optarg); DLOG_ERR("Invalid tls mod : %s\n",optarg);
exit_clean(1); exit_clean(1);
} }
if (dp->tls_fake_last)
*(struct fake_tls_mod*)dp->tls_fake_last->extra2 = dp->tls_mod_last;
break; break;
case 41: /* dpi-desync-fake-unknown */ case 41: /* dpi-desync-fake-unknown */
load_blob_to_collection(optarg, &dp->fake_unknown, FAKE_MAX_TCP, 0); load_blob_to_collection(optarg, &dp->fake_unknown, FAKE_MAX_TCP, 0);

6
nfq/params.c
View File

@@ -185,7 +185,6 @@ void dp_init(struct desync_profile *dp)
dp->desync_ipfrag_pos_udp = IPFRAG_UDP_DEFAULT; dp->desync_ipfrag_pos_udp = IPFRAG_UDP_DEFAULT;
dp->desync_ipfrag_pos_tcp = IPFRAG_TCP_DEFAULT; dp->desync_ipfrag_pos_tcp = IPFRAG_TCP_DEFAULT;
dp->desync_repeats = 1; dp->desync_repeats = 1;
dp->fake_tls_mod = 0;
dp->fake_syndata_size = 16; dp->fake_syndata_size = 16;
dp->wscale=-1; // default - dont change scale factor (client) dp->wscale=-1; // default - dont change scale factor (client)
dp->desync_ttl6 = 0xFF; // unused dp->desync_ttl6 = 0xFF; // unused
@@ -206,8 +205,11 @@ bool dp_fake_defaults(struct desync_profile *dp)
return false; return false;
if (blob_collection_empty(&dp->fake_tls)) if (blob_collection_empty(&dp->fake_tls))
{ {
if (!blob_collection_add_blob(&dp->fake_tls,fake_tls_clienthello_default,sizeof(fake_tls_clienthello_default),4+sizeof(dp->fake_tls_sni))) if (!(item=blob_collection_add_blob(&dp->fake_tls,fake_tls_clienthello_default,sizeof(fake_tls_clienthello_default),4+sizeof(((struct fake_tls_mod*)0)->sni))))
return false; return false;
if (!(item->extra2 = malloc(sizeof(struct fake_tls_mod))))
return false;
*(struct fake_tls_mod*)item->extra2 = dp->tls_mod_last;
} }
if (blob_collection_empty(&dp->fake_unknown)) if (blob_collection_empty(&dp->fake_unknown))
{ {

9
nfq/params.h
View File

@@ -56,6 +56,11 @@ struct fake_tls_mod_cache
{ {
size_t extlen_offset, padlen_offset; size_t extlen_offset, padlen_offset;
}; };
struct fake_tls_mod
{
char sni[64];
uint32_t mod;
};
struct desync_profile struct desync_profile
{ {
@@ -88,8 +93,8 @@ struct desync_profile
uint8_t fake_syndata[FAKE_MAX_TCP],seqovl_pattern[FAKE_MAX_TCP],fsplit_pattern[FAKE_MAX_TCP],udplen_pattern[FAKE_MAX_UDP]; uint8_t fake_syndata[FAKE_MAX_TCP],seqovl_pattern[FAKE_MAX_TCP],fsplit_pattern[FAKE_MAX_TCP],udplen_pattern[FAKE_MAX_UDP];
size_t fake_syndata_size; size_t fake_syndata_size;
uint32_t fake_tls_mod; struct fake_tls_mod tls_mod_last;
char fake_tls_sni[64]; struct blob_item *tls_fake_last;
int udplen_increment; int udplen_increment;

1
nfq/pools.c
View File

@@ -570,6 +570,7 @@ void blob_collection_destroy(struct blob_collection_head *head)
{ {
LIST_REMOVE(entry, next); LIST_REMOVE(entry, next);
free(entry->extra); free(entry->extra);
free(entry->extra2);
free(entry->data); free(entry->data);
free(entry); free(entry);
} }

1
nfq/pools.h
View File

@@ -153,6 +153,7 @@ struct blob_item {
size_t size; // main data blob size size_t size; // main data blob size
size_t size_buf;// main data blob allocated size size_t size_buf;// main data blob allocated size
void *extra; // any data without size void *extra; // any data without size
void *extra2; // any data without size
LIST_ENTRY(blob_item) next; LIST_ENTRY(blob_item) next;
}; };
LIST_HEAD(blob_collection_head, blob_item); LIST_HEAD(blob_collection_head, blob_item);