Fix #40

2024-12-22 06:15:31 +00:00 · 2024-08-08 15:29:04 +03:00 · 2024-08-08 15:29:04 +03:00 · fb47d80543
commit fb47d80543
parent 22573b7d12
5 changed files with 50 additions and 15 deletions
--- a/README.md
+++ b/README.md
@ -36,6 +36,7 @@ Also DNS over HTTPS (DOH) is preferred for additional anonimity.

 ## Flags
 Available flags:
+- `--sni-domains=<comma separated domain list>|all` - List of domains you want to be handled by sni. Use this string if you want to change default domains. Defaults to `googlevideo.com,youtube.com,ggpht.com,ytimg.com`. You can pass all if you want for every Client Hello to be handled.
 - `--seg2delay=<delay>` - This flag forces youtubeUnblock to wait little bit before send the 2nd part of the split packet.
 - `--fake-sni={ack,ttl, none}` This flag enables fake-sni which forces youtubeUnblock to send at least three packets instead of one with TLS ClientHello: Fake ClientHello, 1st part of original ClientHello, 2nd part of original ClientHello. This flag may be related to some Operation not permitted error messages, so befor open an issue refer to FAQ for EPERMS. Note, that this flag is set to `ack` by default. You may disable fake sni by setting it to `none`. Note, that your ISP may have conntrack drop on invalid state enabled, so this flag won't work. Use `ttl` to escape that.
 - `--fake-sni-ttl=<ttl>` Tunes the time to live of fake sni messages. TTL is specified like that the packet will go through the TSPU and captured by it, but will not reach the destination server. Defaults to 8.
--- a/config.h
+++ b/config.h
@ -9,6 +9,9 @@ struct config_t {
 	int  fake_sni_strategy;
 	int verbose;
 	unsigned int seg2_delay;
+	const char *domains_str;
+	unsigned int domains_strlen;
+	unsigned int all_domains;
 };
 extern struct config_t config;

@ -66,3 +69,5 @@ extern struct config_t config;
 // The Maximum Transmission Unit size for rawsocket
 // Larger packets will be fragmented. Applicable for Chrome's kyber.
 #define AVAILABLE_MTU 1384
+
+static const char defaul_snistr[] = "googlevideo.com,youtube.com,ggpht.com,ytimg.com";
--- a/mangle.c
+++ b/mangle.c
@ -285,10 +285,6 @@ int tcp4_frag(const __u8 *pkt, __u32 buflen, __u32 payload_offset,
 #define TLS_EXTENSION_SNI 0x0000
 #define TLS_EXTENSION_CLIENT_HELLO_ENCRYPTED 0xfe0d

-const char googlevideo_ending[] = "googlevideo.com";
-const int googlevideo_len = 15;
-
-
 typedef __u8 uint8_t;
 typedef __u32 uint32_t;
 typedef __u16 uint16_t;
@ -401,19 +397,33 @@ struct verdict analyze_tls_data(
 			if (sni_ext_ptr + sni_len > sni_ext_end) break;

 			char *sni_name = (char *)sni_ext_ptr;
-			// sni_len

 			vrd.sni_offset = (uint8_t *)sni_name - data;
 			vrd.sni_len = sni_len;

-			char *gv_startp = sni_name + sni_len - googlevideo_len;
-			if (sni_len >= googlevideo_len &&
-				sni_len < 128 && 
-				!strncmp(gv_startp, 
-				googlevideo_ending, 
-				googlevideo_len)) {
+			if (config.all_domains) {
+				vrd.target_sni = 1;
+				goto out;
+			}

-				vrd.gvideo_hello = 1;
+
+			unsigned int j = 0;
+			for (unsigned int i = 0; i < config.domains_strlen; i++) {
+				if (config.domains_str[i] == ',' || config.domains_str[i] == '\n') {
+					unsigned int domain_len = (i - j);
+					const char *sni_startp = sni_name + sni_len - domain_len;
+					const char *domain_startp = config.domains_str + j;
+
+					if (sni_len >= domain_len &&
+						sni_len < 128 && 
+						!strncmp(sni_startp, 
+						domain_startp, 
+						domain_len)) {
+							vrd.target_sni = 1;
+					}
+
+					j = i + 1;
+				}
 			}

 nextExtension:
@ -423,6 +433,7 @@ nextMessage:
 		i += 5 + message_length;
 	}

+out:
 	return vrd;
 }

--- a/mangle.h
+++ b/mangle.h
@ -32,7 +32,7 @@ typedef __u32 uint32_t;
 #endif

 struct verdict {
-	int gvideo_hello; /* google video hello packet */
+	int target_sni; /* google video hello packet */
 	int sni_offset; /* offset from start of tcp _payload_ */
 	int sni_len;
 };
--- a/youtubeUnblock.c
+++ b/youtubeUnblock.c
@ -55,6 +55,8 @@ struct config_t config = {
 #else
 	.verbose = false,
 #endif
+	.domains_str = defaul_snistr,
+	.domains_strlen = sizeof(defaul_snistr),
 };

 const char* get_value(const char *option, const char *prefix)
@ -111,6 +113,21 @@ int parse_option(const char* option) {
 		goto out;
 	}

+	if ((value = get_value(option, "--sni-domains")) != 0) {
+		if (!value) {
+			goto err;
+		}
+		
+		if (strcmp(value, "all")) {
+			config.all_domains = 1;
+		}
+
+		config.domains_str = value;
+		config.domains_strlen = strlen(value);
+
+		goto out;
+	}
+
 	if ((value = get_value(option, "--frag=")) != 0) {
 		if (!value) {
 			goto err;
@ -212,6 +229,7 @@ errormsg_help:
 	err = errno;
 	printf("Usage: %s <queue_num> [OPTIONS]\n", argv[0]);
 	printf("Options:\n");
+	printf("\t--sni-domains=<comma separated domain list>|all\n");
 	printf("\t--fake-sni={ack,ttl,none}\n");
 	printf("\t--fake-sni-ttl=<ttl>\n");
 	printf("\t--frag={tcp,ip,none}\n");
@ -493,9 +511,9 @@ static int process_packet(const struct packet_data packet, struct queue_data qda
 	verdnlh = nfq_nlmsg_put(buf, NFQNL_MSG_VERDICT, qdata.queue_num);
        nfq_nlmsg_verdict_put(verdnlh, packet.id, NF_ACCEPT);

-	if (vrd.gvideo_hello) {
+	if (vrd.target_sni) {
 		if (config.verbose)
-			printf("Google video!\n");
+			printf("SNI target detected\n");

 		if (dlen > 1480) {
 			if (config.verbose)