nfqws,tpws: debug tls version (d19f6c19) · Commits · git-mirror / Zapret

docs/changes.txt

+4 −0

Original line number	Diff line number	Diff line
		@@ -481,3 +481,7 @@ nfqws: update default TLS ClientHello fake. firefox 136.0.4 finger, no kyber, SN
		nfqws: multiple mods for multiple TLS fakes
		init.d: remove 50-discord
		blockcheck: use tpws --fix-seg on linux for multiple splits

		v70.7

		nfqws,tpws: debug tls version

+31 −0

Original line number	Diff line number	Diff line
		@@ -83,6 +83,35 @@ const uint8_t fake_tls_clienthello_default[680] = {
		#define TCP_MAX_REASM 16384
		#define UDP_MAX_REASM 16384

		void TLSDebug(const uint8_t *tls,size_t sz)
		{
		if (sz<11) return;

		uint16_t v_rec=pntoh16(tls+1), v_handshake=pntoh16(tls+9), v;
		DLOG("TLS record layer version : %s\nTLS handshake version : %s\n",TLSVersionStr(v_rec),TLSVersionStr(v_handshake));

		const uint8_t *ext_supvers;
		size_t len_supvers,len_supvers2;
		if (TLSFindExt(tls,sz,43,&ext_supvers,&len_supvers,false))
		{
		if (len_supvers)
		{
		len_supvers2 = ext_supvers[0];
		if (len_supvers2<len_supvers)
		{
		for(ext_supvers++,len_supvers2&=~1 ; len_supvers2 ; len_supvers2-=2,ext_supvers+=2)
		{
		v = pntoh16(ext_supvers);
		DLOG("TLS supported versions ext : %s\n",TLSVersionStr(v));
		}
		}
		}
		}
		else
		DLOG("TLS supported versions ext : not present\n");
		}


		bool desync_valid_zero_stage(enum dpi_desync_mode mode)
		{
		return mode==DESYNC_SYNACK \|\| mode==DESYNC_SYNDATA;
		@@ -966,6 +995,8 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
		DLOG(bReqFull ? "packet contains full TLS ClientHello\n" : "packet contains partial TLS ClientHello\n");
		l7proto = TLS;

		if (bReqFull && params.debug) TLSDebug(rdata_payload,rlen_payload);

		bHaveHost=TLSHelloExtractHost(rdata_payload,rlen_payload,host,sizeof(host),TLS_PARTIALS_ENABLE);

		if (ctrack)

+13 −0

Original line number	Diff line number	Diff line
		@@ -345,6 +345,19 @@ size_t HttpPos(uint8_t posmarker, int16_t pos, const uint8_t *data, size_t sz)
		}


		const char *TLSVersionStr(uint16_t tlsver)
		{
		switch(tlsver)
		{
		case 0x0301: return "TLS 1.0";
		case 0x0302: return "TLS 1.1";
		case 0x0303: return "TLS 1.2";
		case 0x0304: return "TLS 1.3";
		default:
		// 0x0a0a, 0x1a1a, ..., 0xfafa
		return (((tlsver & 0x0F0F) == 0x0A0A) && ((tlsver>>12)==((tlsver>>4)&0xF))) ? "GREASE" : "UNKNOWN";
		}
		}

		uint16_t TLSRecordDataLen(const uint8_t *data)
		{

+1 −0

Original line number	Diff line number	Diff line
		@@ -57,6 +57,7 @@ int HttpReplyCode(const uint8_t *data, size_t len);
		// must be pre-checked by IsHttpReply
		bool HttpReplyLooksLikeDPIRedirect(const uint8_t data, size_t len, const char host);

		const char *TLSVersionStr(uint16_t tlsver);
		uint16_t TLSRecordDataLen(const uint8_t *data);
		size_t TLSRecordLen(const uint8_t *data);
		bool IsTLSRecordFull(const uint8_t *data, size_t len);

+14 −0

Original line number	Diff line number	Diff line
		@@ -339,6 +339,20 @@ size_t HttpPos(uint8_t posmarker, int16_t pos, const uint8_t *data, size_t sz)



		const char *TLSVersionStr(uint16_t tlsver)
		{
		switch(tlsver)
		{
		case 0x0301: return "TLS 1.0";
		case 0x0302: return "TLS 1.1";
		case 0x0303: return "TLS 1.2";
		case 0x0304: return "TLS 1.3";
		default:
		// 0x0a0a, 0x1a1a, ..., 0xfafa
		return (((tlsver & 0x0F0F) == 0x0A0A) && ((tlsver>>12)==((tlsver>>4)&0xF))) ? "GREASE" : "UNKNOWN";
		}
		}

		uint16_t TLSRecordDataLen(const uint8_t *data)
		{
		return pntoh16(data + 3);