mirror of
https://github.com/bol-van/zapret.git
synced 2025-08-10 01:02:03 +03:00
Compare commits
23 Commits
e5e53db6b8
...
v70.6
| Author | SHA1 | Date | |
|---|---|---|---|
|
58e73d0331 | ||
|
|
9ebeff621a | ||
|
|
69df271a16 | ||
|
|
e285b2401d | ||
|
|
6e1e7e43bc | ||
|
|
d04419a60c | ||
|
|
fc1bf47e82 | ||
|
|
929df3f094 | ||
|
|
7272b243cb | ||
|
|
72d48d957a | ||
|
|
f4069d484a | ||
|
|
1c82b0a6af | ||
|
|
c08e69aa65 | ||
|
|
8097f08020 | ||
|
|
4cae291e6f | ||
|
|
82ad5508dc | ||
|
|
fa8ddcfc79 | ||
|
|
b560e32e18 | ||
|
|
67e1aee8a8 | ||
|
|
1d8385a9b4 | ||
|
|
340dec62a7 | ||
|
|
db4585c02f | ||
|
|
e792ca67ef |
1
.github/workflows/build.yml
vendored
1
.github/workflows/build.yml
vendored
@@ -401,6 +401,7 @@ jobs:
|
||||
uses: crazy-max/ghaction-upx@v3
|
||||
with:
|
||||
install-only: true
|
||||
version: v4.2.4
|
||||
|
||||
- name: Prepare binaries
|
||||
shell: bash
|
||||
|
||||
@@ -347,6 +347,7 @@ check_system()
|
||||
|
||||
UNAME=$(uname)
|
||||
SUBSYS=
|
||||
FIX_SEG=
|
||||
local s
|
||||
|
||||
# can be passed FWTYPE=iptables to override default nftables preference
|
||||
@@ -354,6 +355,7 @@ check_system()
|
||||
Linux)
|
||||
PKTWS="$NFQWS"
|
||||
PKTWSD=nfqws
|
||||
FIX_SEG='--fix-seg'
|
||||
linux_fwtype
|
||||
[ "$FWTYPE" = iptables -o "$FWTYPE" = nftables ] || {
|
||||
echo firewall type $FWTYPE not supported in $UNAME
|
||||
@@ -1430,6 +1432,11 @@ warn_mss()
|
||||
[ -n "$1" ] && echo 'WARNING ! although mss worked it may not work on all sites and will likely cause significant slowdown. it may only be required for TLS1.2, not TLS1.3'
|
||||
return 0
|
||||
}
|
||||
fix_seg()
|
||||
{
|
||||
# $1 - split-pos
|
||||
[ -n "$FIX_SEG" ] && contains "$1" , && echo "$FIX_SEG"
|
||||
}
|
||||
|
||||
tpws_check_domain_http_bypass_()
|
||||
{
|
||||
@@ -1455,7 +1462,7 @@ tpws_check_domain_http_bypass_()
|
||||
done
|
||||
for s2 in '' '--hostcase' '--oob' '--disorder' ${oobdis:+"$oobdis"}; do
|
||||
for s in $splits_http ; do
|
||||
tpws_curl_test_update $1 $3 --split-pos=$s $s2 && [ "$SCANLEVEL" != force ] && {
|
||||
tpws_curl_test_update $1 $3 --split-pos=$s $(fix_seg $s) $s2 && [ "$SCANLEVEL" != force ] && {
|
||||
[ "$SCANLEVEL" = quick ] && return
|
||||
break
|
||||
}
|
||||
@@ -1470,7 +1477,7 @@ tpws_check_domain_http_bypass_()
|
||||
s3=${mss:+--mss=$mss}
|
||||
for s2 in '' '--oob' '--disorder' ${oobdis:+"$oobdis"}; do
|
||||
for pos in $splits_tls; do
|
||||
tpws_curl_test_update $1 $3 --split-pos=$pos $s2 $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && {
|
||||
tpws_curl_test_update $1 $3 --split-pos=$pos $(fix_seg $pos) $s2 $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && {
|
||||
[ "$SCANLEVEL" = quick ] && return
|
||||
need_mss=0
|
||||
break
|
||||
@@ -1478,7 +1485,7 @@ tpws_check_domain_http_bypass_()
|
||||
done
|
||||
done
|
||||
for s in '' '--oob' '--disorder' ${oobdis:+"$oobdis"}; do
|
||||
for s2 in '--tlsrec=midsld' '--tlsrec=sniext+1 --split-pos=midsld' '--tlsrec=sniext+4 --split-pos=midsld' '--tlsrec=sniext+1 --split-pos=1,midsld' '--tlsrec=sniext+4 --split-pos=1,midsld' ; do
|
||||
for s2 in '--tlsrec=midsld' '--tlsrec=sniext+1 --split-pos=midsld' '--tlsrec=sniext+4 --split-pos=midsld' "--tlsrec=sniext+1 --split-pos=1,midsld $FIX_SEG" "--tlsrec=sniext+4 --split-pos=1,midsld $FIX_SEG" ; do
|
||||
tpws_curl_test_update $1 $3 $s2 $s $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && {
|
||||
[ "$SCANLEVEL" = quick ] && return
|
||||
need_mss=0
|
||||
|
||||
@@ -477,3 +477,7 @@ v70.6
|
||||
nfqws: detect Discord Voice IP discovery packets
|
||||
nfqws: detect STUN message packets
|
||||
nfqws: change SNI to specified value tls mod : --dpi-desync-fake-tls-mod sni=<sni>
|
||||
nfqws: update default TLS ClientHello fake. firefox 136.0.4 finger, no kyber, SNI=microsoft.com
|
||||
nfqws: multiple mods for multiple TLS fakes
|
||||
init.d: remove 50-discord
|
||||
blockcheck: use tpws --fix-seg on linux for multiple splits
|
||||
|
||||
@@ -12,10 +12,10 @@ Other packages may be required on your distribution. Look for the errors.
|
||||
|
||||
examples :
|
||||
|
||||
curl -o - https://downloads.openwrt.org/releases/23.05.5/targets/x86/64/openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64.tar.xz | tar -Jxvf -
|
||||
curl -o - https://downloads.openwrt.org/releases/23.05.5/targets/x86/64/openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64.tar.xz | tar -Jxv
|
||||
cd openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64
|
||||
|
||||
curl -o - https://downloads.openwrt.org/snapshots/targets/x86/64/openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64.tar.zst | tar --zstd -xvf -
|
||||
curl -o - https://downloads.openwrt.org/snapshots/targets/x86/64/openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64.tar.zst | tar --zstd -xv
|
||||
cd openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64
|
||||
|
||||
3) Install required libs
|
||||
@@ -48,7 +48,7 @@ static build : make CFLAGS=-static package/{tpws,nfqws,mdig,ip2net}/compile
|
||||
executables only : build_dir/target/<progname>
|
||||
ipk or apk packages : bin/packages/*/base
|
||||
|
||||
8) Installating to openwrt to use with zapret
|
||||
8) Installing to openwrt to use with zapret
|
||||
|
||||
zapret with or without binaries should be already installed in /opt/zapret.
|
||||
Install ipk's or apk's with all compiled progs using opkg or apk.
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
# zapret v70.5
|
||||
# zapret v70.6
|
||||
|
||||
# SCAMMER WARNING
|
||||
|
||||
@@ -291,9 +291,13 @@ It's possible to use TLS Client Hello with any fingerprint and any SNI.
|
||||
By default if custom fake is not defined `rnd,rndsni,dupsid` mods are applied. If defined - `none`.
|
||||
This behaviour is compatible with previous versions with addition of `dupsid`.
|
||||
|
||||
If TLS mod is enabled and there're multiple TLS fakes, all valid TLS Client Hello fakes are modified.
|
||||
If there's no TLS Client Hello program exits with error.
|
||||
If multiple TLS fakes are present each one takes the last mod.
|
||||
If a mod is specified after fake it replaces previous mod.
|
||||
This way it's possible to use different mods for every TLS fake.
|
||||
|
||||
If a mod is set to non-TLS fake it causes error. Use `--dpi-desync-fake-tls-mod=none'.
|
||||
|
||||
Example : `--dpi-desync-fake-tls=iana_org.bin --dpi-desync-fake-tls-mod=rndsni --dpi-desync-fake-tls=0xaabbccdd --dpi-desync-fake-tls-mod=none'
|
||||
|
||||
### TCP segmentation
|
||||
|
||||
@@ -1447,12 +1451,8 @@ If this is the case then run another script in background and add some delay the
|
||||
|
||||
Are welcome here :
|
||||
|
||||
<img src=https://cdn-icons-png.flaticon.com/16/14446/14446252.png alt="USDT" style="vertical-align: middle;"/> USDT
|
||||
```
|
||||
0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E
|
||||
```
|
||||
USDT `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`
|
||||
|
||||
<img src=https://cdn-icons-png.flaticon.com/16/5968/5968260.png alt="USDT" style="vertical-align: middle;"/> BTC
|
||||
```
|
||||
bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve
|
||||
```
|
||||
BTC `bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve`
|
||||
|
||||
ETH `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`
|
||||
|
||||
@@ -346,8 +346,15 @@ dvtws, собираемый из тех же исходников (см. [док
|
||||
По умолчанию если не задан собственный фейк для TLS используются модификации `rnd,rndsni,dupsid`. Если фейк задан, используется `none`.
|
||||
Это соответствует поведению программы более старых версий с добавлением функции `dupsid`.
|
||||
|
||||
Если задан режим модификации и имеется множество TLS фейков, модифицируются все фейки, являющиеся TLS Client Hello.
|
||||
Если нет ни одного TLS Client Hello фейка, программа завершается с ошибкой.
|
||||
Если задан режим модификации и имеется множество TLS фейков, к каждому из них применяется последний режим модификации.
|
||||
Если режим модификации задан после фейка, то он замещает предыдущий режим.
|
||||
Таким образом можно использовать разные режимы модификации для разных фейков.
|
||||
При невозможности модифицировать фейк на этапе запуска программа завершается с ошибкой.
|
||||
|
||||
Если сначала идет TLS фейк, для него задан режим однократной модификации, затем идет не TLS фейк, то будет ошибка.
|
||||
Нужно использовать `--dpi-desync-fake-tls-mod=none'.
|
||||
|
||||
Пример : `--dpi-desync-fake-tls=iana_org.bin --dpi-desync-fake-tls-mod=rndsni --dpi-desync-fake-tls=0xaabbccdd --dpi-desync-fake-tls-mod=none'
|
||||
|
||||
### TCP СЕГМЕНТАЦИЯ
|
||||
|
||||
@@ -2361,12 +2368,8 @@ VPS можно приобрести в множестве мест. Сущест
|
||||
|
||||
## Поддержать разработчика
|
||||
|
||||
<img src=https://cdn-icons-png.flaticon.com/16/14446/14446252.png alt="USDT" style="vertical-align: middle;"/> USDT
|
||||
```
|
||||
0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E
|
||||
```
|
||||
USDT `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`
|
||||
|
||||
<img src=https://cdn-icons-png.flaticon.com/16/5968/5968260.png alt="USDT" style="vertical-align: middle;"/> BTC
|
||||
```
|
||||
bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve
|
||||
```
|
||||
BTC `bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve`
|
||||
|
||||
ETH `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`
|
||||
|
||||
BIN
files/fake/isakmp_initiator_request.bin
Normal file
BIN
files/fake/isakmp_initiator_request.bin
Normal file
Binary file not shown.
File diff suppressed because one or more lines are too long
74
init.d/custom.d.examples.linux/50-nfqws-ipset
Normal file
74
init.d/custom.d.examples.linux/50-nfqws-ipset
Normal file
@@ -0,0 +1,74 @@
|
||||
# this custom script demonstrates how to launch extra nfqws instance limited by ipset. ipv4 only.
|
||||
|
||||
# can override in config :
|
||||
NFQWS_OPT_DESYNC_NFQWS_MY1="${NFQWS_OPT_DESYNC_NFQWS_MY1:---dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-any-protocol}"
|
||||
NFQWS_MY1_PORTS=${NFQWS_MY1_PORTS:-6000-6009}
|
||||
NFQWS_MY1_SUBNETS="${NFQWS_MY1_SUBNETS:-34.0.48.0/21 34.0.56.0/23 34.0.59.0/24 34.0.60.0/24 34.0.62.0/23}"
|
||||
|
||||
alloc_dnum DNUM_NFQWS_MY1
|
||||
alloc_qnum QNUM_NFQWS_MY1
|
||||
NFQWS_MY1_SET_NAME=my1nfqws4
|
||||
|
||||
zapret_custom_daemons()
|
||||
{
|
||||
# $1 - 1 - run, 0 - stop
|
||||
|
||||
local opt="--qnum=$QNUM_NFQWS_MY1 $NFQWS_OPT_DESYNC_NFQWS_MY1"
|
||||
do_nfqws $1 $DNUM_NFQWS_MY1 "$opt"
|
||||
}
|
||||
|
||||
zapret_custom_firewall()
|
||||
{
|
||||
# $1 - 1 - run, 0 - stop
|
||||
|
||||
local f
|
||||
local first_packets_only="$ipt_connbytes 1:3"
|
||||
local NFQWS_MY1_PORTS_IPT=$(replace_char - : $NFQWS_MY1_PORTS)
|
||||
local dest_set="-m set --match-set $NFQWS_MY1_SET_NAME dst"
|
||||
local subnet
|
||||
|
||||
local DISABLE_IPV6=1
|
||||
|
||||
[ "$1" = 1 ] && {
|
||||
ipset create $NFQWS_MY1_SET_NAME hash:net hashsize 8192 maxelem 4096 2>/dev/null
|
||||
ipset flush $NFQWS_MY1_SET_NAME
|
||||
for subnet in $NFQWS_MY1_SUBNETS; do
|
||||
echo add $NFQWS_MY1_SET_NAME $subnet
|
||||
done | ipset -! restore
|
||||
}
|
||||
|
||||
f="-p udp -m multiport --dports $NFQWS_MY1_PORTS_IPT"
|
||||
fw_nfqws_post $1 "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1
|
||||
|
||||
[ "$1" = 1 ] || {
|
||||
ipset destroy $NFQWS_MY1_SET_NAME 2>/dev/null
|
||||
}
|
||||
}
|
||||
|
||||
zapret_custom_firewall_nft()
|
||||
{
|
||||
# stop logic is not required
|
||||
|
||||
local f
|
||||
local first_packets_only="$nft_connbytes 1-3"
|
||||
local dest_set="ip daddr @$NFQWS_MY1_SET_NAME"
|
||||
local subnets
|
||||
|
||||
local DISABLE_IPV6=1
|
||||
|
||||
make_comma_list subnets $NFQWS_MY1_SUBNETS
|
||||
nft_create_set $NFQWS_MY1_SET_NAME "type ipv4_addr; size 4096; auto-merge; flags interval;"
|
||||
nft_flush_set $NFQWS_MY1_SET_NAME
|
||||
nft_add_set_element $NFQWS_MY1_SET_NAME "$subnets"
|
||||
|
||||
f="udp dport {$NFQWS_MY1_PORTS}"
|
||||
nft_fw_nfqws_post "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1
|
||||
}
|
||||
|
||||
zapret_custom_firewall_nft_flush()
|
||||
{
|
||||
# this function is called after all nft fw rules are deleted
|
||||
# however sets are not deleted. it's desired to clear sets here.
|
||||
|
||||
nft_del_set $NFQWS_MY1_SET_NAME 2>/dev/null
|
||||
}
|
||||
@@ -274,7 +274,9 @@ hup_zapret_daemons()
|
||||
if exists killall; then
|
||||
killall -HUP tpws nfqws dvtws 2>/dev/null
|
||||
elif exists pkill; then
|
||||
pkill -HUP ^tpws$ ^nfqws$ ^dvtws$
|
||||
pkill -HUP ^tpws$
|
||||
pkill -HUP ^nfqws$
|
||||
pkill -HUP ^dvtws$
|
||||
else
|
||||
echo no mass killer available ! cant HUP zapret daemons
|
||||
fi
|
||||
|
||||
118
nfq/desync.c
118
nfq/desync.c
@@ -16,51 +16,65 @@ const char *fake_http_request_default = "GET / HTTP/1.1\r\nHost: www.iana.org\r\
|
||||
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n"
|
||||
"Accept-Encoding: gzip, deflate, br\r\n\r\n";
|
||||
|
||||
// random : +11 size 32
|
||||
// random : +44 size 32
|
||||
// sni : gatech.edu +125 size 11
|
||||
const uint8_t fake_tls_clienthello_default[648] = {
|
||||
0x16,0x03,0x01,0x02,0x83,0x01,0x00,0x02,0x7f,0x03,0x03,0x98,0xfb,0x69,0x1d,0x31,
|
||||
0x66,0xc4,0xd8,0x07,0x25,0x2b,0x74,0x47,0x01,0x44,0x09,0x08,0xcf,0x13,0x67,0xe0,
|
||||
0x46,0x19,0x1f,0xcb,0xee,0xe6,0x8e,0x33,0xb9,0x91,0xa0,0x20,0xf2,0xed,0x56,0x73,
|
||||
0xa4,0x0a,0xce,0xa6,0xad,0xd2,0xfd,0x71,0xb8,0xb9,0xfd,0x06,0x0e,0xdd,0xf0,0x57,
|
||||
0x37,0x7d,0x96,0xb5,0x80,0x6e,0x54,0xe2,0x15,0xce,0x5f,0xff,0x00,0x22,0x13,0x01,
|
||||
0x13,0x03,0x13,0x02,0xc0,0x2b,0xc0,0x2f,0xcc,0xa9,0xcc,0xa8,0xc0,0x2c,0xc0,0x30,
|
||||
0xc0,0x0a,0xc0,0x09,0xc0,0x13,0xc0,0x14,0x00,0x9c,0x00,0x9d,0x00,0x2f,0x00,0x35,
|
||||
0x01,0x00,0x02,0x14,0x00,0x00,0x00,0x0f,0x00,0x0d,0x00,0x00,0x0a,0x67,0x61,0x74,
|
||||
0x65,0x63,0x68,0x2e,0x65,0x64,0x75,0x00,0x17,0x00,0x00,0xff,0x01,0x00,0x01,0x00,
|
||||
0x00,0x0a,0x00,0x0e,0x00,0x0c,0x00,0x1d,0x00,0x17,0x00,0x18,0x00,0x19,0x01,0x00,
|
||||
0x01,0x01,0x00,0x0b,0x00,0x02,0x01,0x00,0x00,0x10,0x00,0x0e,0x00,0x0c,0x02,0x68,
|
||||
0x32,0x08,0x68,0x74,0x74,0x70,0x2f,0x31,0x2e,0x31,0x00,0x05,0x00,0x05,0x01,0x00,
|
||||
0x00,0x00,0x00,0x00,0x22,0x00,0x0a,0x00,0x08,0x04,0x03,0x05,0x03,0x06,0x03,0x02,
|
||||
0x03,0x00,0x33,0x00,0x6b,0x00,0x69,0x00,0x1d,0x00,0x20,0x72,0xe5,0xce,0x58,0x31,
|
||||
0x3c,0x08,0xaa,0x2f,0xa8,0x40,0xe7,0x7a,0xdf,0x46,0x5b,0x63,0x62,0xc7,0xfa,0x49,
|
||||
0x18,0xac,0xa1,0x00,0x7c,0x42,0xc5,0x02,0x94,0x5c,0x44,0x00,0x17,0x00,0x41,0x04,
|
||||
0x8f,0x3e,0x5f,0xd4,0x7f,0x37,0x47,0xd3,0x33,0x70,0x38,0x7f,0x11,0x35,0xc1,0x55,
|
||||
0x8a,0x6c,0xc7,0x5a,0xd4,0xf7,0x31,0xbb,0x9e,0xee,0xd1,0x8f,0x74,0xdd,0x9b,0xbb,
|
||||
0x91,0xa1,0x72,0xda,0xeb,0xf6,0xc6,0x82,0x84,0xfe,0xb7,0xfd,0x7b,0xe1,0x9f,0xd2,
|
||||
0xb9,0x3e,0x83,0xa6,0x9c,0xac,0x81,0xe2,0x00,0xd5,0x19,0x55,0x91,0xa7,0x0c,0x29,
|
||||
0x00,0x2b,0x00,0x05,0x04,0x03,0x04,0x03,0x03,0x00,0x0d,0x00,0x18,0x00,0x16,0x04,
|
||||
0x03,0x05,0x03,0x06,0x03,0x08,0x04,0x08,0x05,0x08,0x06,0x04,0x01,0x05,0x01,0x06,
|
||||
0x01,0x02,0x03,0x02,0x01,0x00,0x1c,0x00,0x02,0x40,0x01,0xfe,0x0d,0x01,0x19,0x00,
|
||||
0x00,0x01,0x00,0x01,0xfe,0x00,0x20,0xae,0x8b,0x30,0x3c,0xf0,0xa9,0x0d,0xa1,0x69,
|
||||
0x95,0xb8,0xe2,0xed,0x08,0x6d,0x48,0xdf,0xf7,0x5b,0x9d,0x66,0xef,0x15,0x97,0xbc,
|
||||
0x2c,0x99,0x91,0x12,0x7a,0x35,0xd0,0x00,0xef,0xb1,0x8d,0xff,0x61,0x57,0x52,0xef,
|
||||
0xd6,0xea,0xbf,0xf3,0x6d,0x78,0x14,0x38,0xff,0xeb,0x58,0xe8,0x9d,0x59,0x4b,0xd5,
|
||||
0x9f,0x59,0x12,0xf9,0x03,0x9a,0x20,0x37,0x85,0x77,0xb1,0x4c,0xd8,0xef,0xa6,0xc8,
|
||||
0x54,0x8d,0x07,0x27,0x95,0xce,0xd5,0x37,0x4d,0x69,0x18,0xd4,0xfd,0x5e,0xdf,0x64,
|
||||
0xcc,0x10,0x2f,0x7f,0x0e,0xc9,0xfd,0xd4,0xd0,0x18,0x61,0x1b,0x57,0x8f,0x41,0x7f,
|
||||
0x6f,0x4f,0x5c,0xad,0x04,0xc6,0x5e,0x74,0x54,0x87,0xba,0x28,0xe6,0x11,0x0b,0x9d,
|
||||
0x3f,0x0b,0x6d,0xf4,0x2d,0xfc,0x31,0x4e,0xfd,0x49,0xe7,0x15,0x96,0xaf,0xee,0x9a,
|
||||
0x48,0x1b,0xae,0x5e,0x7c,0x20,0xbe,0xb4,0xec,0x68,0xb6,0x74,0x22,0xa0,0xec,0xff,
|
||||
0x19,0x96,0xe4,0x10,0x8f,0x3c,0x91,0x88,0xa1,0xcc,0x78,0xef,0x4e,0x0e,0xe3,0xb6,
|
||||
0x57,0x8c,0x33,0xef,0xaa,0xb0,0x1d,0x45,0x1c,0x02,0x4c,0xe2,0x80,0x30,0xe8,0x48,
|
||||
0x7a,0x09,0x71,0x94,0x7c,0xb6,0x75,0x81,0x1c,0xae,0xe3,0x3f,0xde,0xea,0x2b,0x45,
|
||||
0xcc,0xe3,0x64,0x09,0xf7,0x60,0x26,0x0c,0x7d,0xad,0x55,0x65,0xb6,0xf5,0x85,0x04,
|
||||
0x64,0x2f,0x97,0xd0,0x6a,0x06,0x36,0xcd,0x25,0xda,0x51,0xab,0xd6,0xf7,0x5e,0xeb,
|
||||
0xd4,0x03,0x39,0xa4,0xc4,0x2a,0x9c,0x17,0xe8,0xb0,0x9f,0xc0,0xd3,0x8c,0x76,0xdd,
|
||||
0xa1,0x0b,0x76,0x9f,0x23,0xfa,0xed,0xfb,0xd7,0x78,0x0f,0x00,0xf7,0x45,0x03,0x04,
|
||||
0x84,0x66,0x6b,0xec,0xc7,0xed,0xbc,0xe4
|
||||
// SNI - www.microsoft.com
|
||||
const uint8_t fake_tls_clienthello_default[680] = {
|
||||
0x16, 0x03, 0x01, 0x02, 0xa3, 0x01, 0x00, 0x02, 0x9f, 0x03, 0x03, 0x41,
|
||||
0x88, 0x82, 0x2d, 0x4f, 0xfd, 0x81, 0x48, 0x9e, 0xe7, 0x90, 0x65, 0x1f,
|
||||
0xba, 0x05, 0x7b, 0xff, 0xa7, 0x5a, 0xf9, 0x5b, 0x8a, 0x8f, 0x45, 0x8b,
|
||||
0x41, 0xf0, 0x3d, 0x1b, 0xdd, 0xe3, 0xf8, 0x20, 0x9b, 0x23, 0xa5, 0xd2,
|
||||
0x21, 0x1e, 0x9f, 0xe7, 0x85, 0x6c, 0xfc, 0x61, 0x80, 0x3a, 0x3f, 0xba,
|
||||
0xb9, 0x60, 0xba, 0xb3, 0x0e, 0x98, 0x27, 0x6c, 0xf7, 0x38, 0x28, 0x65,
|
||||
0x80, 0x5d, 0x40, 0x38, 0x00, 0x22, 0x13, 0x01, 0x13, 0x03, 0x13, 0x02,
|
||||
0xc0, 0x2b, 0xc0, 0x2f, 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x2c, 0xc0, 0x30,
|
||||
0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x14, 0x00, 0x9c, 0x00, 0x9d,
|
||||
0x00, 0x2f, 0x00, 0x35, 0x01, 0x00, 0x02, 0x34, 0x00, 0x00, 0x00, 0x16,
|
||||
0x00, 0x14, 0x00, 0x00, 0x11, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63,
|
||||
0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x17,
|
||||
0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x0e, 0x00,
|
||||
0x0c, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x01, 0x00, 0x01,
|
||||
0x01, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00,
|
||||
0x10, 0x00, 0x0e, 0x00, 0x0c, 0x02, 0x68, 0x32, 0x08, 0x68, 0x74, 0x74,
|
||||
0x70, 0x2f, 0x31, 0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x22, 0x00, 0x0a, 0x00, 0x08, 0x04, 0x03, 0x05, 0x03,
|
||||
0x06, 0x03, 0x02, 0x03, 0x00, 0x12, 0x00, 0x00, 0x00, 0x33, 0x00, 0x6b,
|
||||
0x00, 0x69, 0x00, 0x1d, 0x00, 0x20, 0x69, 0x15, 0x16, 0x29, 0x6d, 0xad,
|
||||
0xd5, 0x68, 0x88, 0x27, 0x2f, 0xde, 0xaf, 0xac, 0x3c, 0x4c, 0xa4, 0xe4,
|
||||
0xd8, 0xc8, 0xfb, 0x41, 0x87, 0xf4, 0x76, 0x4e, 0x0e, 0xfa, 0x64, 0xc4,
|
||||
0xe9, 0x29, 0x00, 0x17, 0x00, 0x41, 0x04, 0xfe, 0x62, 0xb9, 0x08, 0xc8,
|
||||
0xc3, 0x2a, 0xb9, 0x87, 0x37, 0x84, 0x42, 0x6b, 0x5c, 0xcd, 0xc9, 0xca,
|
||||
0x62, 0x38, 0xd3, 0xd9, 0x99, 0x8a, 0xc4, 0x2d, 0xc6, 0xd0, 0xa3, 0x60,
|
||||
0xb2, 0x12, 0x54, 0x41, 0x8e, 0x52, 0x5e, 0xe3, 0xab, 0xf9, 0xc2, 0x07,
|
||||
0x81, 0xdc, 0xf8, 0xf2, 0x6a, 0x91, 0x40, 0x2f, 0xcb, 0xa4, 0xff, 0x6f,
|
||||
0x24, 0xc7, 0x4d, 0x77, 0x77, 0x2d, 0x6f, 0xe0, 0x77, 0xaa, 0x92, 0x00,
|
||||
0x2b, 0x00, 0x05, 0x04, 0x03, 0x04, 0x03, 0x03, 0x00, 0x0d, 0x00, 0x18,
|
||||
0x00, 0x16, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x08, 0x04, 0x08, 0x05,
|
||||
0x08, 0x06, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02, 0x03, 0x02, 0x01,
|
||||
0x00, 0x2d, 0x00, 0x02, 0x01, 0x01, 0x00, 0x1c, 0x00, 0x02, 0x40, 0x01,
|
||||
0x00, 0x1b, 0x00, 0x07, 0x06, 0x00, 0x01, 0x00, 0x02, 0x00, 0x03, 0xfe,
|
||||
0x0d, 0x01, 0x19, 0x00, 0x00, 0x01, 0x00, 0x03, 0x21, 0x00, 0x20, 0x62,
|
||||
0xe8, 0x83, 0xd8, 0x97, 0x05, 0x8a, 0xbe, 0xa1, 0xf2, 0x63, 0x4e, 0xce,
|
||||
0x93, 0x84, 0x8e, 0xcf, 0xe7, 0xdd, 0xb2, 0xe4, 0x87, 0x06, 0xac, 0x11,
|
||||
0x19, 0xbe, 0x0e, 0x71, 0x87, 0xf1, 0xa6, 0x00, 0xef, 0xd8, 0x6b, 0x27,
|
||||
0x5e, 0xc0, 0xa7, 0x5d, 0x42, 0x4e, 0x8c, 0xdc, 0xf3, 0x9f, 0x1c, 0x51,
|
||||
0x62, 0xef, 0xff, 0x5b, 0xed, 0xc8, 0xfd, 0xee, 0x6f, 0xbb, 0x88, 0x9b,
|
||||
0xb1, 0x30, 0x9c, 0x66, 0x42, 0xab, 0x0f, 0x66, 0x89, 0x18, 0x8b, 0x11,
|
||||
0xc1, 0x6d, 0xe7, 0x2a, 0xeb, 0x96, 0x3b, 0x7f, 0x52, 0x78, 0xdb, 0xf8,
|
||||
0x6d, 0x04, 0xf7, 0x95, 0x1a, 0xa8, 0xf0, 0x64, 0x52, 0x07, 0x39, 0xf0,
|
||||
0xa8, 0x1d, 0x0d, 0x16, 0x36, 0xb7, 0x18, 0x0e, 0xc8, 0x44, 0x27, 0xfe,
|
||||
0xf3, 0x31, 0xf0, 0xde, 0x8c, 0x74, 0xf5, 0xa1, 0xd8, 0x8f, 0x6f, 0x45,
|
||||
0x97, 0x69, 0x79, 0x5e, 0x2e, 0xd4, 0xb0, 0x2c, 0x0c, 0x1a, 0x6f, 0xcc,
|
||||
0xce, 0x90, 0xc7, 0xdd, 0xc6, 0x60, 0x95, 0xf3, 0xc2, 0x19, 0xde, 0x50,
|
||||
0x80, 0xbf, 0xde, 0xf2, 0x25, 0x63, 0x15, 0x26, 0x63, 0x09, 0x1f, 0xc5,
|
||||
0xdf, 0x32, 0xf5, 0xea, 0x9c, 0xd2, 0xff, 0x99, 0x4e, 0x67, 0xa2, 0xe5,
|
||||
0x1a, 0x94, 0x85, 0xe3, 0xdf, 0x36, 0xa5, 0x83, 0x4b, 0x0a, 0x1c, 0xaf,
|
||||
0xd7, 0x48, 0xc9, 0x4b, 0x8a, 0x27, 0xdd, 0x58, 0x7f, 0x95, 0xf2, 0x6b,
|
||||
0xde, 0x2b, 0x12, 0xd3, 0xec, 0x4d, 0x69, 0x37, 0x9c, 0x13, 0x9b, 0x16,
|
||||
0xb0, 0x45, 0x52, 0x38, 0x77, 0x69, 0xef, 0xaa, 0x65, 0x19, 0xbc, 0xc2,
|
||||
0x93, 0x4d, 0xb0, 0x1b, 0x7f, 0x5b, 0x41, 0xff, 0xaf, 0xba, 0x50, 0x51,
|
||||
0xc3, 0xf1, 0x27, 0x09, 0x25, 0xf5, 0x60, 0x90, 0x09, 0xb1, 0xe5, 0xc0,
|
||||
0xc7, 0x42, 0x78, 0x54, 0x3b, 0x23, 0x19, 0x7d, 0x8e, 0x72, 0x13, 0xb4,
|
||||
0xd3, 0xcd, 0x63, 0xb6, 0xc4, 0x4a, 0x28, 0x3d, 0x45, 0x3e, 0x8b, 0xdb,
|
||||
0x84, 0x4f, 0x78, 0x64, 0x30, 0x69, 0xe2, 0x1b
|
||||
};
|
||||
|
||||
#define PKTDATA_MAXDUMP 32
|
||||
@@ -609,12 +623,12 @@ static uint16_t IP4_IP_ID_FIX(const struct ip *ip)
|
||||
// fake_mod buffer must at least sizeof(desync_profile->fake_tls)
|
||||
// size does not change
|
||||
// return : true - altered, false - not altered
|
||||
static bool runtime_tls_mod(int fake_n,const struct fake_tls_mod_cache *modcache, uint32_t fake_tls_mod, const uint8_t *fake_data, size_t fake_data_size, const uint8_t *payload, size_t payload_len, uint8_t *fake_mod)
|
||||
static bool runtime_tls_mod(int fake_n,const struct fake_tls_mod_cache *modcache, const struct fake_tls_mod *tls_mod, const uint8_t *fake_data, size_t fake_data_size, const uint8_t *payload, size_t payload_len, uint8_t *fake_mod)
|
||||
{
|
||||
bool b=false;
|
||||
if (modcache) // it's filled only if it's TLS
|
||||
{
|
||||
if (fake_tls_mod & FAKE_TLS_MOD_PADENCAP)
|
||||
if (tls_mod->mod & FAKE_TLS_MOD_PADENCAP)
|
||||
{
|
||||
size_t sz_rec = pntoh16(fake_data+3) + payload_len;
|
||||
size_t sz_handshake = pntoh24(fake_data+6) + payload_len;
|
||||
@@ -633,7 +647,7 @@ static bool runtime_tls_mod(int fake_n,const struct fake_tls_mod_cache *modcache
|
||||
DLOG("fake[%d] applied padencap tls mod. sizes increased by %zu bytes.\n", fake_n, payload_len);
|
||||
}
|
||||
}
|
||||
if (fake_tls_mod & FAKE_TLS_MOD_RND)
|
||||
if (tls_mod->mod & FAKE_TLS_MOD_RND)
|
||||
{
|
||||
if (!b) memcpy(fake_mod,fake_data,fake_data_size);
|
||||
fill_random_bytes(fake_mod+11,32); // random
|
||||
@@ -641,9 +655,11 @@ static bool runtime_tls_mod(int fake_n,const struct fake_tls_mod_cache *modcache
|
||||
b=true;
|
||||
DLOG("fake[%d] applied rnd tls mod\n", fake_n);
|
||||
}
|
||||
if (fake_tls_mod & FAKE_TLS_MOD_DUP_SID)
|
||||
if (tls_mod->mod & FAKE_TLS_MOD_DUP_SID)
|
||||
{
|
||||
if (fake_data[43]!=payload[43])
|
||||
if (payload_len<44)
|
||||
DLOG("fake[%d] cannot apply dupsid tls mod. data payload is too short.\n",fake_n);
|
||||
else if (fake_data[43]!=payload[43])
|
||||
DLOG("fake[%d] cannot apply dupsid tls mod. fake and orig session id length mismatch.\n",fake_n);
|
||||
else if (payload_len<(44+payload[43]))
|
||||
DLOG("fake[%d] cannot apply dupsid tls mod. data payload is not valid.\n",fake_n);
|
||||
@@ -1307,7 +1323,7 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
|
||||
{
|
||||
case TLS:
|
||||
if ((fake_item->size <= sizeof(fake_data_buf)) &&
|
||||
runtime_tls_mod(n,(struct fake_tls_mod_cache *)fake_item->extra, dp->fake_tls_mod, fake_item->data, fake_item->size, rdata_payload, rlen_payload, fake_data_buf))
|
||||
runtime_tls_mod(n,(struct fake_tls_mod_cache *)fake_item->extra,(struct fake_tls_mod *)fake_item->extra2, fake_item->data, fake_item->size, rdata_payload, rlen_payload, fake_data_buf))
|
||||
{
|
||||
fake_data = fake_data_buf;
|
||||
break;
|
||||
|
||||
@@ -41,7 +41,7 @@ enum dpi_desync_mode {
|
||||
};
|
||||
|
||||
extern const char *fake_http_request_default;
|
||||
extern const uint8_t fake_tls_clienthello_default[648];
|
||||
extern const uint8_t fake_tls_clienthello_default[680];
|
||||
void randomize_default_tls_payload(uint8_t *p);
|
||||
|
||||
enum dpi_desync_mode desync_mode_from_string(const char *s);
|
||||
|
||||
141
nfq/nfqws.c
141
nfq/nfqws.c
@@ -950,12 +950,12 @@ static bool parse_ip_list(char *opt, ipset *pp)
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool parse_tlsmod_list(char *opt, uint32_t *mod, char *sni, size_t sni_buf_len)
|
||||
static bool parse_tlsmod_list(char *opt, struct fake_tls_mod *tls_mod)
|
||||
{
|
||||
char *e,*e2,*p,c,c2;
|
||||
|
||||
*mod &= FAKE_TLS_MOD_SAVE_MASK;
|
||||
*mod |= FAKE_TLS_MOD_SET;
|
||||
tls_mod->mod &= FAKE_TLS_MOD_SAVE_MASK;
|
||||
tls_mod->mod |= FAKE_TLS_MOD_SET;
|
||||
for (p=opt ; p ; )
|
||||
{
|
||||
for (e2=p ; *e2 && *e2!=',' && *e2!='=' ; e2++);
|
||||
@@ -975,20 +975,20 @@ static bool parse_tlsmod_list(char *opt, uint32_t *mod, char *sni, size_t sni_bu
|
||||
e2=NULL;
|
||||
|
||||
if (!strcmp(p,"rnd"))
|
||||
*mod |= FAKE_TLS_MOD_RND;
|
||||
tls_mod->mod |= FAKE_TLS_MOD_RND;
|
||||
else if (!strcmp(p,"rndsni"))
|
||||
*mod |= FAKE_TLS_MOD_RND_SNI;
|
||||
tls_mod->mod |= FAKE_TLS_MOD_RND_SNI;
|
||||
else if (!strcmp(p,"sni"))
|
||||
{
|
||||
*mod |= FAKE_TLS_MOD_SNI;
|
||||
tls_mod->mod |= FAKE_TLS_MOD_SNI;
|
||||
if (!e2 || !e2[1] || e2[1]==',') goto err;
|
||||
strncpy(sni,e2+1,sni_buf_len-1);
|
||||
sni[sni_buf_len-1]=0;
|
||||
strncpy(tls_mod->sni,e2+1,sizeof(tls_mod->sni)-1);
|
||||
tls_mod->sni[sizeof(tls_mod->sni)-1-1]=0;
|
||||
}
|
||||
else if (!strcmp(p,"padencap"))
|
||||
*mod |= FAKE_TLS_MOD_PADENCAP;
|
||||
tls_mod->mod |= FAKE_TLS_MOD_PADENCAP;
|
||||
else if (!strcmp(p,"dupsid"))
|
||||
*mod |= FAKE_TLS_MOD_DUP_SID;
|
||||
tls_mod->mod |= FAKE_TLS_MOD_DUP_SID;
|
||||
else if (strcmp(p,"none"))
|
||||
goto err;
|
||||
|
||||
@@ -1034,13 +1034,13 @@ static void SplitDebug(void)
|
||||
|
||||
static const char * tld[]={"com","org","net","edu","gov","biz"};
|
||||
|
||||
static bool onetime_tls_mod_blob(int profile_n, int fake_n, uint32_t fake_tls_mod, const char *fake_tls_sni, uint8_t *fake_tls, size_t *fake_tls_size, size_t fake_tls_buf_size, struct fake_tls_mod_cache *modcache)
|
||||
static bool onetime_tls_mod_blob(int profile_n, int fake_n, const struct fake_tls_mod *tls_mod, uint8_t *fake_tls, size_t *fake_tls_size, size_t fake_tls_buf_size, struct fake_tls_mod_cache *modcache)
|
||||
{
|
||||
const uint8_t *ext;
|
||||
size_t extlen;
|
||||
|
||||
modcache->extlen_offset = modcache->padlen_offset = 0;
|
||||
if (fake_tls_mod & (FAKE_TLS_MOD_RND_SNI|FAKE_TLS_MOD_SNI|FAKE_TLS_MOD_PADENCAP))
|
||||
if (tls_mod->mod & (FAKE_TLS_MOD_RND_SNI|FAKE_TLS_MOD_SNI|FAKE_TLS_MOD_PADENCAP))
|
||||
{
|
||||
if (!TLSFindExtLen(fake_tls,*fake_tls_size,&modcache->extlen_offset))
|
||||
{
|
||||
@@ -1048,7 +1048,7 @@ static bool onetime_tls_mod_blob(int profile_n, int fake_n, uint32_t fake_tls_mo
|
||||
return false;
|
||||
}
|
||||
DLOG("profile %d fake[%d] tls extensions length offset : %zu\n", profile_n, fake_n, modcache->extlen_offset);
|
||||
if (fake_tls_mod & (FAKE_TLS_MOD_RND_SNI|FAKE_TLS_MOD_SNI))
|
||||
if (tls_mod->mod & (FAKE_TLS_MOD_RND_SNI|FAKE_TLS_MOD_SNI))
|
||||
{
|
||||
size_t slen;
|
||||
if (!TLSFindExt(fake_tls,*fake_tls_size,0,&ext,&extlen,false))
|
||||
@@ -1063,15 +1063,24 @@ static bool onetime_tls_mod_blob(int profile_n, int fake_n, uint32_t fake_tls_mo
|
||||
return false;
|
||||
}
|
||||
uint8_t *sni = fake_tls + (ext - fake_tls);
|
||||
if (fake_tls_mod & FAKE_TLS_MOD_SNI)
|
||||
if (tls_mod->mod & FAKE_TLS_MOD_SNI)
|
||||
{
|
||||
size_t slen_new = strlen(fake_tls_sni);
|
||||
size_t slen_new = strlen(tls_mod->sni);
|
||||
ssize_t slen_delta = slen_new-slen;
|
||||
char *s1=NULL;
|
||||
if (params.debug)
|
||||
{
|
||||
if ((s1 = malloc(slen+1)))
|
||||
{
|
||||
memcpy(s1,sni,slen); s1[slen]=0;
|
||||
}
|
||||
}
|
||||
if (slen_delta)
|
||||
{
|
||||
if ((*fake_tls_size+slen_delta)>fake_tls_buf_size)
|
||||
{
|
||||
DLOG_ERR("profile %d fake[%d] not enough space for new SNI\n", profile_n, fake_n);
|
||||
free(s1);
|
||||
return false;
|
||||
}
|
||||
memmove(sni+slen_new,sni+slen,fake_tls+*fake_tls_size-(sni+slen));
|
||||
@@ -1084,10 +1093,12 @@ static bool onetime_tls_mod_blob(int profile_n, int fake_n, uint32_t fake_tls_mo
|
||||
*fake_tls_size+=slen_delta;
|
||||
slen = slen_new;
|
||||
}
|
||||
DLOG("profile %d fake[%d] change sni to %s size_delta=%zd\n", profile_n, fake_n, fake_tls_sni,slen_delta);
|
||||
memcpy(sni,fake_tls_sni,slen_new);
|
||||
DLOG("profile %d fake[%d] change SNI : %s => %s size_delta=%zd\n", profile_n, fake_n, s1, tls_mod->sni, slen_delta);
|
||||
free(s1);
|
||||
|
||||
memcpy(sni,tls_mod->sni,slen_new);
|
||||
}
|
||||
if (fake_tls_mod & FAKE_TLS_MOD_RND_SNI)
|
||||
if (tls_mod->mod & FAKE_TLS_MOD_RND_SNI)
|
||||
{
|
||||
if (!slen)
|
||||
{
|
||||
@@ -1125,74 +1136,72 @@ static bool onetime_tls_mod_blob(int profile_n, int fake_n, uint32_t fake_tls_mo
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if (fake_tls_mod & FAKE_TLS_MOD_PADENCAP)
|
||||
{
|
||||
if (TLSFindExt(fake_tls,*fake_tls_size,21,&ext,&extlen,false))
|
||||
if (tls_mod->mod & FAKE_TLS_MOD_PADENCAP)
|
||||
{
|
||||
if ((ext-fake_tls+extlen)!=*fake_tls_size)
|
||||
if (TLSFindExt(fake_tls,*fake_tls_size,21,&ext,&extlen,false))
|
||||
{
|
||||
DLOG_ERR("profile %d fake[%d] tls padding ext is present but it's not at the end. padding ext offset %zu, padding ext size %zu, fake size %zu\n", profile_n, fake_n, ext-fake_tls, extlen, *fake_tls_size);
|
||||
return false;
|
||||
if ((ext-fake_tls+extlen)!=*fake_tls_size)
|
||||
{
|
||||
DLOG_ERR("profile %d fake[%d] tls padding ext is present but it's not at the end. padding ext offset %zu, padding ext size %zu, fake size %zu\n", profile_n, fake_n, ext-fake_tls, extlen, *fake_tls_size);
|
||||
return false;
|
||||
}
|
||||
modcache->padlen_offset = ext-fake_tls-2;
|
||||
DLOG("profile %d fake[%d] tls padding ext is present, padding length offset %zu\n", profile_n, fake_n, modcache->padlen_offset);
|
||||
}
|
||||
modcache->padlen_offset = ext-fake_tls-2;
|
||||
DLOG("profile %d fake[%d] tls padding ext is present, padding length offset %zu\n", profile_n, fake_n, modcache->padlen_offset);
|
||||
}
|
||||
else
|
||||
{
|
||||
if ((*fake_tls_size+4)>fake_tls_buf_size)
|
||||
else
|
||||
{
|
||||
DLOG_ERR("profile %d fake[%d] tls padding is absent and there's no space to add it\n", profile_n, fake_n);
|
||||
return false;
|
||||
if ((*fake_tls_size+4)>fake_tls_buf_size)
|
||||
{
|
||||
DLOG_ERR("profile %d fake[%d] tls padding is absent and there's no space to add it\n", profile_n, fake_n);
|
||||
return false;
|
||||
}
|
||||
phton16(fake_tls+*fake_tls_size,21);
|
||||
*fake_tls_size+=2;
|
||||
modcache->padlen_offset=*fake_tls_size;
|
||||
phton16(fake_tls+*fake_tls_size,0);
|
||||
*fake_tls_size+=2;
|
||||
phton16(fake_tls+modcache->extlen_offset,pntoh16(fake_tls+modcache->extlen_offset)+4);
|
||||
phton16(fake_tls+3,pntoh16(fake_tls+3)+4); // increase tls record len
|
||||
phton24(fake_tls+6,pntoh24(fake_tls+6)+4); // increase tls handshake len
|
||||
DLOG("profile %d fake[%d] tls padding is absent. added. padding length offset %zu\n", profile_n, fake_n, modcache->padlen_offset);
|
||||
}
|
||||
phton16(fake_tls+*fake_tls_size,21);
|
||||
*fake_tls_size+=2;
|
||||
modcache->padlen_offset=*fake_tls_size;
|
||||
phton16(fake_tls+*fake_tls_size,0);
|
||||
*fake_tls_size+=2;
|
||||
phton16(fake_tls+modcache->extlen_offset,pntoh16(fake_tls+modcache->extlen_offset)+4);
|
||||
phton16(fake_tls+3,pntoh16(fake_tls+3)+4); // increase tls record len
|
||||
phton24(fake_tls+6,pntoh24(fake_tls+6)+4); // increase tls handshake len
|
||||
DLOG("profile %d fake[%d] tls padding is absent. added. padding length offset %zu\n", profile_n, fake_n, modcache->padlen_offset);
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
static bool onetime_tls_mod(struct desync_profile *dp)
|
||||
{
|
||||
if (dp->n && !(dp->fake_tls_mod & (FAKE_TLS_MOD_SET|FAKE_TLS_MOD_CUSTOM_FAKE)))
|
||||
dp->fake_tls_mod |= FAKE_TLS_MOD_RND|FAKE_TLS_MOD_RND_SNI|FAKE_TLS_MOD_DUP_SID; // old behavior compat + dup_sid
|
||||
if (!(dp->fake_tls_mod & ~FAKE_TLS_MOD_SAVE_MASK))
|
||||
return true; // nothing to do
|
||||
|
||||
struct blob_item *fake_tls;
|
||||
struct fake_tls_mod *tls_mod;
|
||||
int n=0;
|
||||
bool bMod=false;
|
||||
|
||||
LIST_FOREACH(fake_tls, &dp->fake_tls, next)
|
||||
{
|
||||
++n;
|
||||
if (!IsTLSClientHello(fake_tls->data,fake_tls->size,false) || (fake_tls->size < (44+fake_tls->data[43]))) // has session id ?
|
||||
{
|
||||
DLOG("profile %d fake[%d] tls mod set but tls fake structure invalid. mod skipped.\n", dp->n, n);
|
||||
tls_mod = (struct fake_tls_mod *)fake_tls->extra2;
|
||||
if (!tls_mod) continue;
|
||||
if (dp->n && !(tls_mod->mod & (FAKE_TLS_MOD_SET|FAKE_TLS_MOD_CUSTOM_FAKE)))
|
||||
tls_mod->mod |= FAKE_TLS_MOD_RND|FAKE_TLS_MOD_RND_SNI|FAKE_TLS_MOD_DUP_SID; // old behavior compat + dup_sid
|
||||
if (!(tls_mod->mod & ~FAKE_TLS_MOD_SAVE_MASK))
|
||||
continue;
|
||||
|
||||
if (!IsTLSClientHello(fake_tls->data,fake_tls->size,false) || (fake_tls->size < (44+fake_tls->data[43]))) // has session id ?
|
||||
{
|
||||
DLOG("profile %d fake[%d] tls mod set but tls fake structure invalid.\n", dp->n, n);
|
||||
return false;
|
||||
}
|
||||
bMod = true;
|
||||
if (!fake_tls->extra)
|
||||
{
|
||||
fake_tls->extra = malloc(sizeof(struct fake_tls_mod_cache));
|
||||
if (!fake_tls->extra) return false;
|
||||
}
|
||||
if (!onetime_tls_mod_blob(dp->n,n,dp->fake_tls_mod,dp->fake_tls_sni,fake_tls->data,&fake_tls->size,fake_tls->size_buf,(struct fake_tls_mod_cache*)fake_tls->extra))
|
||||
if (!onetime_tls_mod_blob(dp->n,n,tls_mod,fake_tls->data,&fake_tls->size,fake_tls->size_buf,(struct fake_tls_mod_cache*)fake_tls->extra))
|
||||
return false;
|
||||
}
|
||||
if (!bMod)
|
||||
DLOG_ERR("profile %d tls fake list does not have any valid TLS ClientHello\n", dp->n);
|
||||
return bMod;
|
||||
return true;
|
||||
}
|
||||
|
||||
static void load_blob_to_collection(const char *filename, struct blob_collection_head *blobs, size_t max_size, size_t size_reserve)
|
||||
static struct blob_item *load_blob_to_collection(const char *filename, struct blob_collection_head *blobs, size_t max_size, size_t size_reserve)
|
||||
{
|
||||
struct blob_item *blob = blob_collection_add(blobs);
|
||||
uint8_t *p;
|
||||
@@ -1211,6 +1220,7 @@ static void load_blob_to_collection(const char *filename, struct blob_collection
|
||||
}
|
||||
blob->data = p;
|
||||
blob->size_buf = blob->size+size_reserve;
|
||||
return blob;
|
||||
}
|
||||
|
||||
|
||||
@@ -2105,15 +2115,26 @@ int main(int argc, char **argv)
|
||||
load_blob_to_collection(optarg, &dp->fake_http, FAKE_MAX_TCP,0);
|
||||
break;
|
||||
case 39: /* dpi-desync-fake-tls */
|
||||
load_blob_to_collection(optarg, &dp->fake_tls, FAKE_MAX_TCP,4+sizeof(dp->fake_tls_sni));
|
||||
dp->fake_tls_mod |= FAKE_TLS_MOD_CUSTOM_FAKE;
|
||||
{
|
||||
dp->tls_fake_last = load_blob_to_collection(optarg, &dp->fake_tls, FAKE_MAX_TCP,4+sizeof(dp->tls_mod_last.sni));
|
||||
if (!(dp->tls_fake_last->extra2 = malloc(sizeof(struct fake_tls_mod))))
|
||||
{
|
||||
DLOG_ERR("out of memory\n");
|
||||
exit_clean(1);
|
||||
}
|
||||
struct fake_tls_mod *tls_mod = (struct fake_tls_mod*)dp->tls_fake_last->extra2;
|
||||
*tls_mod = dp->tls_mod_last;
|
||||
tls_mod->mod |= FAKE_TLS_MOD_CUSTOM_FAKE;
|
||||
}
|
||||
break;
|
||||
case 40: /* dpi-desync-fake-tls-mod */
|
||||
if (!parse_tlsmod_list(optarg,&dp->fake_tls_mod,dp->fake_tls_sni,sizeof(dp->fake_tls_sni)))
|
||||
if (!parse_tlsmod_list(optarg,&dp->tls_mod_last))
|
||||
{
|
||||
DLOG_ERR("Invalid tls mod : %s\n",optarg);
|
||||
exit_clean(1);
|
||||
}
|
||||
if (dp->tls_fake_last)
|
||||
*(struct fake_tls_mod*)dp->tls_fake_last->extra2 = dp->tls_mod_last;
|
||||
break;
|
||||
case 41: /* dpi-desync-fake-unknown */
|
||||
load_blob_to_collection(optarg, &dp->fake_unknown, FAKE_MAX_TCP, 0);
|
||||
|
||||
@@ -185,7 +185,6 @@ void dp_init(struct desync_profile *dp)
|
||||
dp->desync_ipfrag_pos_udp = IPFRAG_UDP_DEFAULT;
|
||||
dp->desync_ipfrag_pos_tcp = IPFRAG_TCP_DEFAULT;
|
||||
dp->desync_repeats = 1;
|
||||
dp->fake_tls_mod = 0;
|
||||
dp->fake_syndata_size = 16;
|
||||
dp->wscale=-1; // default - dont change scale factor (client)
|
||||
dp->desync_ttl6 = 0xFF; // unused
|
||||
@@ -206,8 +205,11 @@ bool dp_fake_defaults(struct desync_profile *dp)
|
||||
return false;
|
||||
if (blob_collection_empty(&dp->fake_tls))
|
||||
{
|
||||
if (!blob_collection_add_blob(&dp->fake_tls,fake_tls_clienthello_default,sizeof(fake_tls_clienthello_default),4+sizeof(dp->fake_tls_sni)))
|
||||
if (!(item=blob_collection_add_blob(&dp->fake_tls,fake_tls_clienthello_default,sizeof(fake_tls_clienthello_default),4+sizeof(((struct fake_tls_mod*)0)->sni))))
|
||||
return false;
|
||||
if (!(item->extra2 = malloc(sizeof(struct fake_tls_mod))))
|
||||
return false;
|
||||
*(struct fake_tls_mod*)item->extra2 = dp->tls_mod_last;
|
||||
}
|
||||
if (blob_collection_empty(&dp->fake_unknown))
|
||||
{
|
||||
|
||||
@@ -56,6 +56,11 @@ struct fake_tls_mod_cache
|
||||
{
|
||||
size_t extlen_offset, padlen_offset;
|
||||
};
|
||||
struct fake_tls_mod
|
||||
{
|
||||
char sni[64];
|
||||
uint32_t mod;
|
||||
};
|
||||
|
||||
struct desync_profile
|
||||
{
|
||||
@@ -88,8 +93,8 @@ struct desync_profile
|
||||
uint8_t fake_syndata[FAKE_MAX_TCP],seqovl_pattern[FAKE_MAX_TCP],fsplit_pattern[FAKE_MAX_TCP],udplen_pattern[FAKE_MAX_UDP];
|
||||
size_t fake_syndata_size;
|
||||
|
||||
uint32_t fake_tls_mod;
|
||||
char fake_tls_sni[64];
|
||||
struct fake_tls_mod tls_mod_last;
|
||||
struct blob_item *tls_fake_last;
|
||||
|
||||
int udplen_increment;
|
||||
|
||||
|
||||
@@ -570,6 +570,7 @@ void blob_collection_destroy(struct blob_collection_head *head)
|
||||
{
|
||||
LIST_REMOVE(entry, next);
|
||||
free(entry->extra);
|
||||
free(entry->extra2);
|
||||
free(entry->data);
|
||||
free(entry);
|
||||
}
|
||||
|
||||
@@ -153,6 +153,7 @@ struct blob_item {
|
||||
size_t size; // main data blob size
|
||||
size_t size_buf;// main data blob allocated size
|
||||
void *extra; // any data without size
|
||||
void *extra2; // any data without size
|
||||
LIST_ENTRY(blob_item) next;
|
||||
};
|
||||
LIST_HEAD(blob_collection_head, blob_item);
|
||||
|
||||
Reference in New Issue
Block a user