readme: remove iana.org from tls clienthello

docs/readme.txt

@@ -259,7 +259,7 @@ nfqws
  --dpi-desync-badack-increment=<int|0xHEX>      ; инкремент ack sequence number для badseq. по умолчанию -66000
  --dpi-desync-any-protocol=0|1                  ; 0(default)=работать только по http request и tls clienthello  1=по всем непустым пакетам данных
  --dpi-desync-fake-http=<filename>|0xHEX	; файл, содержащий фейковый http запрос для dpi-desync=fake, на замену стандартному www.iana.org
- --dpi-desync-fake-tls=<filename>|0xHEX	        ; файл, содержащий фейковый tls clienthello для dpi-desync=fake, на замену стандартному www.iana.org
+ --dpi-desync-fake-tls=<filename>|0xHEX	        ; файл, содержащий фейковый tls clienthello для dpi-desync=fake, на замену стандартному
  --dpi-desync-fake-unknown=<filename>|0xHEX	; файл, содержащий фейковый пейлоад неизвестного протокола для dpi-desync=fake, на замену стандартным нулям 256 байт
  --dpi-desync-fake-syndata=<filename>|0xHEX	; файл, содержащий фейковый пейлоад пакета SYN для режима десинхронизации syndata
  --dpi-desync-fake-quic=<filename>|0xHEX        ; файл, содержащий фейковый QUIC Initial

nfq/desync.c

@@ -15,22 +15,63 @@ const char *fake_http_request_default = "GET / HTTP/1.1\r\nHost: www.iana.org\r\
                                         "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n"
                                         "Accept-Encoding: gzip, deflate, br\r\n\r\n";
 
-const uint8_t fake_tls_clienthello_default[517] = {
+// random : +11 size 32
-  0x16, 0x03, 0x01, 0x02, 0x00, 0x01, 0x00, 0x01, 0xFC, 0x03, 0x03, 0x6F, 0x0B, 0xB6, 0x85, 0x58, 0x28, 0x59, 0xD5, 0x0D, 0x6C, 0x78, 0x39, 0x7F, 0x2B, 0x0B, 0x45, 0xA3, 0x71, 0x4F, 0x49, 0xD6, 0x34, 0x17, 0xC6, 0x59, 0xA5, 0x1D, 0x89, 0x01,
+// random : +44 size 32
-  0xE1, 0x72, 0x1D, 0x20, 0x9D, 0x2C, 0xAB, 0x26, 0x58, 0xA7, 0x83, 0xBF, 0xB7, 0xDC, 0x5F, 0x28, 0xAA, 0x11, 0xA7, 0x63, 0x54, 0x19, 0xCB, 0xC6, 0xC4, 0x0E, 0xA4, 0x15, 0x46, 0xCC, 0x2F, 0x25, 0x13, 0x9A, 0x14, 0x54, 0x00, 0x3E, 0x13, 0x02,
+// sni : gatech.edu +125 size 11
-  0x13, 0x03, 0x13, 0x01, 0xC0, 0x2C, 0xC0, 0x30, 0x00, 0x9F, 0xCC, 0xA9, 0xCC, 0xA8, 0xCC, 0xAA, 0xC0, 0x2B, 0xC0, 0x2F, 0x00, 0x9E, 0xC0, 0x24, 0xC0, 0x28, 0x00, 0x6B, 0xC0, 0x23, 0xC0, 0x27, 0x00, 0x67, 0xC0, 0x0A, 0xC0, 0x14, 0x00, 0x39,
+const uint8_t fake_tls_clienthello_default[648] = {
-  0xC0, 0x09, 0xC0, 0x13, 0x00, 0x33, 0x00, 0x9D, 0x00, 0x9C, 0x00, 0x3D, 0x00, 0x3C, 0x00, 0x35, 0x00, 0x2F, 0x00, 0xFF, 0x01, 0x00, 0x01, 0x75, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x0B, 0x00, 0x00, 0x08, 0x69, 0x61, 0x6E, 0x61, 0x2E, 0x6F, 0x72,
+0x16,0x03,0x01,0x02,0x83,0x01,0x00,0x02,0x7f,0x03,0x03,0x98,0xfb,0x69,0x1d,0x31,
-  0x67, 0x00, 0x0B, 0x00, 0x04, 0x03, 0x00, 0x01, 0x02, 0x00, 0x0A, 0x00, 0x0C, 0x00, 0x0A, 0x00, 0x1D, 0x00, 0x17, 0x00, 0x1E, 0x00, 0x19, 0x00, 0x18, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00, 0x0E, 0x00, 0x0C, 0x02, 0x68, 0x32, 0x08, 0x68,
+0x66,0xc4,0xd8,0x07,0x25,0x2b,0x74,0x47,0x01,0x44,0x09,0x08,0xcf,0x13,0x67,0xe0,
-  0x74, 0x74, 0x70, 0x2F, 0x31, 0x2E, 0x31, 0x00, 0x16, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x30, 0x00, 0x2E, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x08, 0x07, 0x08, 0x08, 0x08, 0x09, 0x08, 0x0A, 0x08,
+0x46,0x19,0x1f,0xcb,0xee,0xe6,0x8e,0x33,0xb9,0x91,0xa0,0x20,0xf2,0xed,0x56,0x73,
-  0x0B, 0x08, 0x04, 0x08, 0x05, 0x08, 0x06, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x03, 0x03, 0x02, 0x03, 0x03, 0x01, 0x02, 0x01, 0x03, 0x02, 0x02, 0x02, 0x04, 0x02, 0x05, 0x02, 0x06, 0x02, 0x00, 0x2B, 0x00, 0x09, 0x08, 0x03, 0x04, 0x03, 0x03,
+0xa4,0x0a,0xce,0xa6,0xad,0xd2,0xfd,0x71,0xb8,0xb9,0xfd,0x06,0x0e,0xdd,0xf0,0x57,
-  0x03, 0x02, 0x03, 0x01, 0x00, 0x2D, 0x00, 0x02, 0x01, 0x01, 0x00, 0x33, 0x00, 0x26, 0x00, 0x24, 0x00, 0x1D, 0x00, 0x20, 0x1B, 0xB3, 0xF5, 0x23, 0x6E, 0x05, 0x98, 0x5D, 0x92, 0x30, 0x8A, 0xAC, 0x64, 0x61, 0x1F, 0xD7, 0x0A, 0x6D, 0xB1, 0xA5,
+0x37,0x7d,0x96,0xb5,0x80,0x6e,0x54,0xe2,0x15,0xce,0x5f,0xff,0x00,0x22,0x13,0x01,
-  0x74, 0xF9, 0x44, 0x07, 0xC0, 0x55, 0xD8, 0x8B, 0x0C, 0xEA, 0x29, 0x27, 0x00, 0x15, 0x00, 0xB5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x13,0x03,0x13,0x02,0xc0,0x2b,0xc0,0x2f,0xcc,0xa9,0xcc,0xa8,0xc0,0x2c,0xc0,0x30,
-  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0xc0,0x0a,0xc0,0x09,0xc0,0x13,0xc0,0x14,0x00,0x9c,0x00,0x9d,0x00,0x2f,0x00,0x35,
-  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x01,0x00,0x02,0x14,0x00,0x00,0x00,0x0f,0x00,0x0d,0x00,0x00,0x0a,0x67,0x61,0x74,
-  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x65,0x63,0x68,0x2e,0x65,0x64,0x75,0x00,0x17,0x00,0x00,0xff,0x01,0x00,0x01,0x00,
-  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+0x00,0x0a,0x00,0x0e,0x00,0x0c,0x00,0x1d,0x00,0x17,0x00,0x18,0x00,0x19,0x01,0x00,
+0x01,0x01,0x00,0x0b,0x00,0x02,0x01,0x00,0x00,0x10,0x00,0x0e,0x00,0x0c,0x02,0x68,
+0x32,0x08,0x68,0x74,0x74,0x70,0x2f,0x31,0x2e,0x31,0x00,0x05,0x00,0x05,0x01,0x00,
+0x00,0x00,0x00,0x00,0x22,0x00,0x0a,0x00,0x08,0x04,0x03,0x05,0x03,0x06,0x03,0x02,
+0x03,0x00,0x33,0x00,0x6b,0x00,0x69,0x00,0x1d,0x00,0x20,0x72,0xe5,0xce,0x58,0x31,
+0x3c,0x08,0xaa,0x2f,0xa8,0x40,0xe7,0x7a,0xdf,0x46,0x5b,0x63,0x62,0xc7,0xfa,0x49,
+0x18,0xac,0xa1,0x00,0x7c,0x42,0xc5,0x02,0x94,0x5c,0x44,0x00,0x17,0x00,0x41,0x04,
+0x8f,0x3e,0x5f,0xd4,0x7f,0x37,0x47,0xd3,0x33,0x70,0x38,0x7f,0x11,0x35,0xc1,0x55,
+0x8a,0x6c,0xc7,0x5a,0xd4,0xf7,0x31,0xbb,0x9e,0xee,0xd1,0x8f,0x74,0xdd,0x9b,0xbb,
+0x91,0xa1,0x72,0xda,0xeb,0xf6,0xc6,0x82,0x84,0xfe,0xb7,0xfd,0x7b,0xe1,0x9f,0xd2,
+0xb9,0x3e,0x83,0xa6,0x9c,0xac,0x81,0xe2,0x00,0xd5,0x19,0x55,0x91,0xa7,0x0c,0x29,
+0x00,0x2b,0x00,0x05,0x04,0x03,0x04,0x03,0x03,0x00,0x0d,0x00,0x18,0x00,0x16,0x04,
+0x03,0x05,0x03,0x06,0x03,0x08,0x04,0x08,0x05,0x08,0x06,0x04,0x01,0x05,0x01,0x06,
+0x01,0x02,0x03,0x02,0x01,0x00,0x1c,0x00,0x02,0x40,0x01,0xfe,0x0d,0x01,0x19,0x00,
+0x00,0x01,0x00,0x01,0xfe,0x00,0x20,0xae,0x8b,0x30,0x3c,0xf0,0xa9,0x0d,0xa1,0x69,
+0x95,0xb8,0xe2,0xed,0x08,0x6d,0x48,0xdf,0xf7,0x5b,0x9d,0x66,0xef,0x15,0x97,0xbc,
+0x2c,0x99,0x91,0x12,0x7a,0x35,0xd0,0x00,0xef,0xb1,0x8d,0xff,0x61,0x57,0x52,0xef,
+0xd6,0xea,0xbf,0xf3,0x6d,0x78,0x14,0x38,0xff,0xeb,0x58,0xe8,0x9d,0x59,0x4b,0xd5,
+0x9f,0x59,0x12,0xf9,0x03,0x9a,0x20,0x37,0x85,0x77,0xb1,0x4c,0xd8,0xef,0xa6,0xc8,
+0x54,0x8d,0x07,0x27,0x95,0xce,0xd5,0x37,0x4d,0x69,0x18,0xd4,0xfd,0x5e,0xdf,0x64,
+0xcc,0x10,0x2f,0x7f,0x0e,0xc9,0xfd,0xd4,0xd0,0x18,0x61,0x1b,0x57,0x8f,0x41,0x7f,
+0x6f,0x4f,0x5c,0xad,0x04,0xc6,0x5e,0x74,0x54,0x87,0xba,0x28,0xe6,0x11,0x0b,0x9d,
+0x3f,0x0b,0x6d,0xf4,0x2d,0xfc,0x31,0x4e,0xfd,0x49,0xe7,0x15,0x96,0xaf,0xee,0x9a,
+0x48,0x1b,0xae,0x5e,0x7c,0x20,0xbe,0xb4,0xec,0x68,0xb6,0x74,0x22,0xa0,0xec,0xff,
+0x19,0x96,0xe4,0x10,0x8f,0x3c,0x91,0x88,0xa1,0xcc,0x78,0xef,0x4e,0x0e,0xe3,0xb6,
+0x57,0x8c,0x33,0xef,0xaa,0xb0,0x1d,0x45,0x1c,0x02,0x4c,0xe2,0x80,0x30,0xe8,0x48,
+0x7a,0x09,0x71,0x94,0x7c,0xb6,0x75,0x81,0x1c,0xae,0xe3,0x3f,0xde,0xea,0x2b,0x45,
+0xcc,0xe3,0x64,0x09,0xf7,0x60,0x26,0x0c,0x7d,0xad,0x55,0x65,0xb6,0xf5,0x85,0x04,
+0x64,0x2f,0x97,0xd0,0x6a,0x06,0x36,0xcd,0x25,0xda,0x51,0xab,0xd6,0xf7,0x5e,0xeb,
+0xd4,0x03,0x39,0xa4,0xc4,0x2a,0x9c,0x17,0xe8,0xb0,0x9f,0xc0,0xd3,0x8c,0x76,0xdd,
+0xa1,0x0b,0x76,0x9f,0x23,0xfa,0xed,0xfb,0xd7,0x78,0x0f,0x00,0xf7,0x45,0x03,0x04,
+0x84,0x66,0x6b,0xec,0xc7,0xed,0xbc,0xe4
 };
 
+static const char * tld[]={"com","org","net","edu","gov","biz"};
+void randomize_default_tls_payload(uint8_t *p)
+{
+	fill_random_bytes(p+11,32);
+	fill_random_bytes(p+44,32);
+	fill_random_az(p+125,1);
+	fill_random_az09(p+126,5);
+	memcpy(p+132,tld[random()%(sizeof(tld)/sizeof(*tld))],3);
+}
+
 #define PKTDATA_MAXDUMP 32
 #define IP_MAXDUMP 80
 
@@ -41,7 +82,6 @@ void desync_init(void)
 	memset(zeropkt, 0, sizeof(zeropkt));
 }
 
-
 bool desync_valid_zero_stage(enum dpi_desync_mode mode)
 {
 	return mode==DESYNC_SYNACK || mode==DESYNC_SYNDATA;

nfq/desync.h

@@ -41,7 +41,8 @@ enum dpi_desync_mode {
 };
 
 extern const char *fake_http_request_default;
-extern const uint8_t fake_tls_clienthello_default[517];
+extern const uint8_t fake_tls_clienthello_default[648];
+void randomize_default_tls_payload(uint8_t *p);
 
 enum dpi_desync_mode desync_mode_from_string(const char *s);
 bool desync_valid_zero_stage(enum dpi_desync_mode mode);

nfq/helpers.c

@@ -342,3 +342,25 @@ bool pf_parse(const char *s, port_filter *pf)
 		return false;
 	return true;
 }
+
+void fill_random_bytes(uint8_t *p,size_t sz)
+{
+	size_t k,sz16 = sz>>1;
+	for(k=0;k<sz16;k++) ((uint16_t*)p)[k]=(uint16_t)random();
+	if (sz & 1) p[sz-1]=(uint8_t)random();
+}
+void fill_random_az(uint8_t *p,size_t sz)
+{
+	size_t k;
+	for(k=0;k<sz;k++) p[k] = 'a'+(random() % ('z'-'a'));
+}
+void fill_random_az09(uint8_t *p,size_t sz)
+{
+	size_t k;
+	uint8_t rnd;
+	for(k=0;k<sz;k++)
+	{
+		rnd = random() % (10 + 'z'-'a'+1);
+		p[k] = rnd<10 ? rnd+'0' : 'a'+rnd-10;
+	}
+}

nfq/helpers.h

@@ -57,3 +57,7 @@ typedef struct
 } port_filter;
 bool pf_in_range(uint16_t port, const port_filter *pf);
 bool pf_parse(const char *s, port_filter *pf);
+
+void fill_random_bytes(uint8_t *p,size_t sz);
+void fill_random_az(uint8_t *p,size_t sz);
+void fill_random_az09(uint8_t *p,size_t sz);

nfq/nfqws.c

@@ -924,7 +924,6 @@ int main(int argc, char **argv)
 		return 0;
 	}
 #endif
-
 	int result, v;
 	int option_index = 0;
 	bool daemon = false;
@@ -954,6 +953,7 @@ int main(int argc, char **argv)
 	params.desync_repeats = 1;
 	params.fake_tls_size = sizeof(fake_tls_clienthello_default);
 	memcpy(params.fake_tls,fake_tls_clienthello_default,params.fake_tls_size);
+	randomize_default_tls_payload(params.fake_tls);
 	params.fake_http_size = strlen(fake_http_request_default);
 	memcpy(params.fake_http,fake_http_request_default,params.fake_http_size);
 	params.fake_quic_size = 620; // must be 601+ for TSPU hack

nfq/sec.h

@@ -19,39 +19,67 @@ bool dropcaps(void);
 #define syscall_arg(x) (offsetof(struct seccomp_data, args[x]))
 
 #if defined(__aarch64__)
+
 # define REG_SYSCALL	regs.regs[8]
 # define ARCH_NR	AUDIT_ARCH_AARCH64
+
 #elif defined(__amd64__)
+
 # define REG_SYSCALL	REG_RAX
 # define ARCH_NR	AUDIT_ARCH_X86_64
+
 #elif defined(__arm__) && (defined(__ARM_EABI__) || defined(__thumb__))
+
 # define REG_SYSCALL	regs.uregs[7]
 # if __BYTE_ORDER == __LITTLE_ENDIAN
 #  define ARCH_NR	AUDIT_ARCH_ARM
 # else
 #  define ARCH_NR	AUDIT_ARCH_ARMEB
 # endif
+
 #elif defined(__i386__)
+
 # define REG_SYSCALL	REG_EAX
 # define ARCH_NR	AUDIT_ARCH_I386
+
 #elif defined(__mips__)
+
 # define REG_SYSCALL	regs[2]
+
+#if _MIPS_SIM == _MIPS_SIM_ABI32
 # if __BYTE_ORDER == __LITTLE_ENDIAN
 #  define ARCH_NR	AUDIT_ARCH_MIPSEL
 # else
 #  define ARCH_NR	AUDIT_ARCH_MIPS
 # endif
-#elif defined(__PPC__)
+#elif _MIPS_SIM == _MIPS_SIM_ABI64
-# define REG_SYSCALL	regs.gpr[0]
+# if __BYTE_ORDER == __LITTLE_ENDIAN
-# define ARCH_NR	AUDIT_ARCH_PPC
+#  define ARCH_NR	AUDIT_ARCH_MIPSEL64
+# else
+#  define ARCH_NR	AUDIT_ARCH_MIPS64
+# endif
 #else
 # warning "Platform does not support seccomp filter yet"
 # define REG_SYSCALL	0
 # define ARCH_NR	0
 #endif
 
+#elif defined(__PPC__)
+
+# define REG_SYSCALL	regs.gpr[0]
+# define ARCH_NR	AUDIT_ARCH_PPC
+
+#else
+
+# warning "Platform does not support seccomp filter yet"
+# define REG_SYSCALL	0
+# define ARCH_NR	0
+
 #endif
 
+#endif
+
+
 #ifndef __CYGWIN__
 bool sec_harden(void);
 bool can_drop_root(void);

tpws/resolver.c

@@ -214,11 +214,13 @@ bool resolver_init(int threads, int fd_signal_pipe)
 	pthread_attr_t attr;
 	if (pthread_attr_init(&attr)) goto ex;
 	// set minimum thread stack size
-	if (pthread_attr_setstacksize(&attr,20480))
+
+	if (pthread_attr_setstacksize(&attr,PTHREAD_STACK_MIN>20480 ? PTHREAD_STACK_MIN : 20480))
 	{
 		pthread_attr_destroy(&attr);
 		goto ex;
 	}
+
 	for(t=0, resolver.threads=threads ; t<threads ; t++)
 	{
 		if (pthread_create(resolver.thread + t, &attr, resolver_thread, NULL))

tpws/sec.h

@@ -21,37 +21,64 @@ bool dropcaps(void);
 #define syscall_arg(x) (offsetof(struct seccomp_data, args[x]))
 
 #if defined(__aarch64__)
+
 # define REG_SYSCALL	regs.regs[8]
 # define ARCH_NR	AUDIT_ARCH_AARCH64
+
 #elif defined(__amd64__)
+
 # define REG_SYSCALL	REG_RAX
 # define ARCH_NR	AUDIT_ARCH_X86_64
+
 #elif defined(__arm__) && (defined(__ARM_EABI__) || defined(__thumb__))
+
 # define REG_SYSCALL	regs.uregs[7]
 # if __BYTE_ORDER == __LITTLE_ENDIAN
 #  define ARCH_NR	AUDIT_ARCH_ARM
 # else
 #  define ARCH_NR	AUDIT_ARCH_ARMEB
 # endif
+
 #elif defined(__i386__)
+
 # define REG_SYSCALL	REG_EAX
 # define ARCH_NR	AUDIT_ARCH_I386
+
 #elif defined(__mips__)
+
 # define REG_SYSCALL	regs[2]
+
+#if _MIPS_SIM == _MIPS_SIM_ABI32
 # if __BYTE_ORDER == __LITTLE_ENDIAN
 #  define ARCH_NR	AUDIT_ARCH_MIPSEL
 # else
 #  define ARCH_NR	AUDIT_ARCH_MIPS
 # endif
-#elif defined(__PPC__)
+#elif _MIPS_SIM == _MIPS_SIM_ABI64
-# define REG_SYSCALL	regs.gpr[0]
+# if __BYTE_ORDER == __LITTLE_ENDIAN
-# define ARCH_NR	AUDIT_ARCH_PPC
+#  define ARCH_NR	AUDIT_ARCH_MIPSEL64
+# else
+#  define ARCH_NR	AUDIT_ARCH_MIPS64
+# endif
 #else
 # warning "Platform does not support seccomp filter yet"
 # define REG_SYSCALL	0
 # define ARCH_NR	0
 #endif
 
+#elif defined(__PPC__)
+
+# define REG_SYSCALL	regs.gpr[0]
+# define ARCH_NR	AUDIT_ARCH_PPC
+
+#else
+
+# warning "Platform does not support seccomp filter yet"
+# define REG_SYSCALL	0
+# define ARCH_NR	0
+
+#endif
+
 #endif
 
 bool sec_harden(void);