From 3ee979f7d173a6828aa5e551a6e1cb94a2e25fd4 Mon Sep 17 00:00:00 2001 From: Vadim Vetrov Date: Sat, 28 Sep 2024 11:31:46 +0300 Subject: [PATCH] Enhance middle sni split Instead of real middle sni we use targetted middle sni for explicit (not all) sni domain list --- mangle.c | 7 ++++--- tls.c | 4 +++- tls.h | 1 + 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/mangle.c b/mangle.c index 88380e7..09b6c30 100644 --- a/mangle.c +++ b/mangle.c @@ -190,7 +190,7 @@ int process_tcp_packet(const uint8_t *raw_payload, uint32_t raw_payload_len) { switch (config.fragmentation_strategy) { case FRAG_STRAT_TCP: { - ipd_offset = vrd.sni_offset; + ipd_offset = vrd.sni_target_offset; mid_offset = ipd_offset + vrd.sni_len / 2; uint32_t poses[2]; @@ -221,7 +221,7 @@ int process_tcp_packet(const uint8_t *raw_payload, uint32_t raw_payload_len) { break; case FRAG_STRAT_IP: if (ipxv == IP4VERSION) { - ipd_offset = ((char *)data - (char *)tcph) + vrd.sni_offset; + ipd_offset = ((char *)data - (char *)tcph) + vrd.sni_target_offset; mid_offset = ipd_offset + vrd.sni_len / 2; mid_offset += 8 - mid_offset % 8; @@ -618,7 +618,8 @@ int post_fake_sni(const void *iph, unsigned int iph_len, fake_seq_type.type = FAKE_PAYLOAD_DEFAULT; } - for (int i = 0; i < sequence_len; i++) { + // one goes for default fake + for (int i = 1; i < sequence_len; i++) { NETBUF_ALLOC(fake_sni, MAX_PACKET_SIZE); if (!NETBUF_CHECK(fake_sni)) { lgerror("Allocation error", -ENOMEM); diff --git a/tls.c b/tls.c index 287f7c8..5c8fa11 100644 --- a/tls.c +++ b/tls.c @@ -122,6 +122,7 @@ struct tls_verdict analyze_tls_data( char *sni_name = (char *)sni_ext_ptr; vrd.sni_offset = (uint8_t *)sni_name - data; + vrd.sni_target_offset = vrd.sni_offset; vrd.sni_len = sni_len; if (config.all_domains) { @@ -129,7 +130,6 @@ struct tls_verdict analyze_tls_data( goto check_domain; } - unsigned int j = 0; for (unsigned int i = 0; i <= config.domains_strlen; i++) { if ( i > j && 
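Review bot: In the `FRAG_STRAT_TCP` branch of mangle.c (hunk at -190), `mid_offset = ipd_offset + vrd.sni_len / 2` still adds half the length of the whole SNI although `ipd_offset` now starts at the matched domain, so the split point lands past the end of the SNI whenever the match begins in the second half of the name. The `FRAG_STRAT_IP` hunk at -221 has the same problem, and the cause is the tls.c hunk at -148, which records `sni_target_offset` without the matched `domain_len`. I would carry a matching length in `struct tls_verdict`, for example `int sni_target_len;` set to `domain_len` on a list match and to `sni_len` otherwise, and compute `mid_offset = ipd_offset + vrd.sni_target_len / 2;`. Whether `mid_offset` is range-checked against the payload length later in `process_tcp_packet` is not visible in these hunks, so that check is worth confirming as well.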
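Review bot: In `post_fake_sni` (mangle.c hunk at -618) the loop now starts at `i = 1` unconditionally, and the only explanation is `// one goes for default fake`, which does not say where that default fake is emitted or why the count is reduced in every configuration. The loop body continues outside the hunk; if it uses `i` for anything other than counting, starting at 1 shifts that too. I would spell the contract out, for example `/* The default fake payload accounts for one entry of sequence_len, so only sequence_len - 1 further fakes are built here. */`, with the wording confirmed against the surrounding code.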
@@ -148,6 +148,7 @@ struct tls_verdict analyze_tls_data( domain_startp, domain_len)) { vrd.target_sni = 1; + vrd.sni_target_offset = (const uint8_t *)sni_startp - data; goto check_domain; } @@ -247,6 +248,7 @@ brute: vrd.target_sni = 1; vrd.sni_len = domain_len; vrd.sni_offset = (k - domain_len - 1); + vrd.sni_target_offset = vrd.sni_offset NETBUF_FREE(buf); NETBUF_FREE(nzbuf); goto out; diff --git a/tls.h b/tls.h index ba71d19..bcc7cab 100644 --- a/tls.h +++ b/tls.h @@ -10,6 +10,7 @@ struct tls_verdict { int target_sni; /* google video hello packet */ int sni_offset; /* offset from start of tcp _payload_ */ + int sni_target_offset; /* offset of target domain instead of entire sni */ int sni_len; };
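Review bot: The added line `vrd.sni_target_offset = vrd.sni_offset` in the `brute:` path of tls.c (hunk at -247) has no terminating semicolon, so the statement runs into `NETBUF_FREE(buf);` and will most likely fail to compile wherever this path is built. It should read `vrd.sni_target_offset = vrd.sni_offset;`. The enclosing function starts and ends outside the hunk.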
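Review bot: The comment on the new `sni_target_offset` field in `struct tls_verdict` (tls.h hunk) does not say what the offset is measured from or what it holds when no explicit domain matched. From the tls.c hunks it defaults to `sni_offset` and is set to the matched domain's position relative to `data` on a list match, so `/* offset of the matched target domain from start of tcp _payload_; equals sni_offset when the whole SNI is the target */` would be accurate. It is also worth noting beside `sni_len` that it still describes the entire SNI in the list-match case.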