diff --git a/README.md b/README.md index 749e302..e57e5f5 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,7 @@ Also DNS over HTTPS (DOH) is preferred for additional anonimity. ## Flags Available flags: +- `--sni-domains=|all` - List of domains you want to be handled by sni. Use this string if you want to change default domains. Defaults to `googlevideo.com,youtube.com,ggpht.com,ytimg.com`. You can pass all if you want for every Client Hello to be handled. - `--seg2delay=` - This flag forces youtubeUnblock to wait little bit before send the 2nd part of the split packet. - `--fake-sni={ack,ttl, none}` This flag enables fake-sni which forces youtubeUnblock to send at least three packets instead of one with TLS ClientHello: Fake ClientHello, 1st part of original ClientHello, 2nd part of original ClientHello. This flag may be related to some Operation not permitted error messages, so befor open an issue refer to FAQ for EPERMS. Note, that this flag is set to `ack` by default. You may disable fake sni by setting it to `none`. Note, that your ISP may have conntrack drop on invalid state enabled, so this flag won't work. Use `ttl` to escape that. - `--fake-sni-ttl=` Tunes the time to live of fake sni messages. TTL is specified like that the packet will go through the TSPU and captured by it, but will not reach the destination server. Defaults to 8. diff --git a/config.h b/config.h index 483703a..a10612b 100644 --- a/config.h +++ b/config.h @@ -9,6 +9,9 @@ struct config_t { int fake_sni_strategy; int verbose; unsigned int seg2_delay; + const char *domains_str; + unsigned int domains_strlen; + unsigned int all_domains; }; extern struct config_t config; @@ -66,3 +69,5 @@ extern struct config_t config; // The Maximum Transmission Unit size for rawsocket // Larger packets will be fragmented. Applicable for Chrome's kyber. #define AVAILABLE_MTU 1384 + +static const char defaul_snistr[] = "googlevideo.com,youtube.com,ggpht.com,ytimg.com"; diff --git a/mangle.c b/mangle.c index b049168..e391986 100644 --- a/mangle.c +++ b/mangle.c @@ -285,10 +285,6 @@ int tcp4_frag(const __u8 *pkt, __u32 buflen, __u32 payload_offset, #define TLS_EXTENSION_SNI 0x0000 #define TLS_EXTENSION_CLIENT_HELLO_ENCRYPTED 0xfe0d -const char googlevideo_ending[] = "googlevideo.com"; -const int googlevideo_len = 15; - - typedef __u8 uint8_t; typedef __u32 uint32_t; typedef __u16 uint16_t; @@ -401,19 +397,33 @@ struct verdict analyze_tls_data( if (sni_ext_ptr + sni_len > sni_ext_end) break; char *sni_name = (char *)sni_ext_ptr; - // sni_len vrd.sni_offset = (uint8_t *)sni_name - data; vrd.sni_len = sni_len; - char *gv_startp = sni_name + sni_len - googlevideo_len; - if (sni_len >= googlevideo_len && - sni_len < 128 && - !strncmp(gv_startp, - googlevideo_ending, - googlevideo_len)) { + if (config.all_domains) { + vrd.target_sni = 1; + goto out; + } - vrd.gvideo_hello = 1; + + unsigned int j = 0; + for (unsigned int i = 0; i < config.domains_strlen; i++) { + if (config.domains_str[i] == ',' || config.domains_str[i] == '\n') { + unsigned int domain_len = (i - j); + const char *sni_startp = sni_name + sni_len - domain_len; + const char *domain_startp = config.domains_str + j; + + if (sni_len >= domain_len && + sni_len < 128 && + !strncmp(sni_startp, + domain_startp, + domain_len)) { + vrd.target_sni = 1; + } + + j = i + 1; + } } nextExtension: @@ -423,6 +433,7 @@ nextMessage: i += 5 + message_length; } +out: return vrd; } diff --git a/mangle.h b/mangle.h index 103b3ea..1e3a173 100644 --- a/mangle.h +++ b/mangle.h @@ -32,7 +32,7 @@ typedef __u32 uint32_t; #endif struct verdict { - int gvideo_hello; /* google video hello packet */ + int target_sni; /* google video hello packet */ int sni_offset; /* offset from start of tcp _payload_ */ int sni_len; }; diff --git a/youtubeUnblock.c b/youtubeUnblock.c index f550c53..29702c2 100644 --- a/youtubeUnblock.c +++ b/youtubeUnblock.c @@ -55,6 +55,8 @@ struct config_t config = { #else .verbose = false, #endif + .domains_str = defaul_snistr, + .domains_strlen = sizeof(defaul_snistr), }; const char* get_value(const char *option, const char *prefix) @@ -111,6 +113,21 @@ int parse_option(const char* option) { goto out; } + if ((value = get_value(option, "--sni-domains")) != 0) { + if (!value) { + goto err; + } + + if (strcmp(value, "all")) { + config.all_domains = 1; + } + + config.domains_str = value; + config.domains_strlen = strlen(value); + + goto out; + } + if ((value = get_value(option, "--frag=")) != 0) { if (!value) { goto err; @@ -212,6 +229,7 @@ errormsg_help: err = errno; printf("Usage: %s [OPTIONS]\n", argv[0]); printf("Options:\n"); + printf("\t--sni-domains=|all\n"); printf("\t--fake-sni={ack,ttl,none}\n"); printf("\t--fake-sni-ttl=\n"); printf("\t--frag={tcp,ip,none}\n"); @@ -493,9 +511,9 @@ static int process_packet(const struct packet_data packet, struct queue_data qda verdnlh = nfq_nlmsg_put(buf, NFQNL_MSG_VERDICT, qdata.queue_num); nfq_nlmsg_verdict_put(verdnlh, packet.id, NF_ACCEPT); - if (vrd.gvideo_hello) { + if (vrd.target_sni) { if (config.verbose) - printf("Google video!\n"); + printf("SNI target detected\n"); if (dlen > 1480) { if (config.verbose)