Mirror/youtubeUnblock
1
0
Fork 0
mirror of https://github.com/Waujito/youtubeUnblock.git synced 2026-03-28 08:37:49 +03:00
Code Issues Packages Projects Releases Wiki Activity

Remaster tls parser for quic crypto

Browse Source
This commit is contained in:
Vadim Vetrov
2025-01-02 19:02:21 +03:00
parent fa7fe5294d
commit e5153e9186
6 changed files with 368 additions and 127 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/mangle.c
View File

@@ -177,11 +177,13 @@ int process_tcp_packet(const struct section_config_t *section, const uint8_t *ra
lgtrace_addp("TLS analyzed");
if (vrd.sni_len != 0) {
lgtrace_addp("SNI detected: %.*s", vrd.sni_len, data + vrd.sni_offset);
lgtrace_addp("SNI detected: %.*s", vrd.sni_len, vrd.sni_ptr);
}
if (vrd.target_sni) {
lgdebugmsg("Target SNI detected: %.*s", vrd.sni_len, data + vrd.sni_offset);
lgdebugmsg("Target SNI detected: %.*s", vrd.sni_len, vrd.sni_ptr);
size_t sni_offset = vrd.sni_ptr - data;
size_t target_sni_offset = vrd.target_sni_ptr - data;
uint32_t payload_len = raw_payload_len;
NETBUF_ALLOC(payload, MAX_PACKET_SIZE);
@@ -238,8 +240,8 @@ int process_tcp_packet(const struct section_config_t *section, const uint8_t *ra
switch (section->fragmentation_strategy) {
case FRAG_STRAT_TCP: {
ipd_offset = vrd.sni_target_offset;
mid_offset = ipd_offset + vrd.sni_target_len / 2;
ipd_offset = target_sni_offset;
mid_offset = ipd_offset + vrd.target_sni_len / 2;
uint32_t poses[2];
int cnt = 0;
@@ -269,8 +271,8 @@ int process_tcp_packet(const struct section_config_t *section, const uint8_t *ra
break;
case FRAG_STRAT_IP:
if (ipxv == IP4VERSION) {
ipd_offset = ((char *)data - (char *)tcph) + vrd.sni_target_offset;
mid_offset = ipd_offset + vrd.sni_target_len / 2;
ipd_offset = ((char *)data - (char *)tcph) + target_sni_offset;
mid_offset = ipd_offset + vrd.target_sni_len / 2;
mid_offset += 8 - mid_offset % 8;
uint32_t poses[2];

63
src/quic.c
View File

@@ -18,7 +18,10 @@ uint64_t quic_parse_varlength(const uint8_t *variable, uint64_t *mlen) {
uint8_t len = 1 << (*variable >> 6);
if (mlen) {
if (*mlen < len) return 0;
if (*mlen < len) {
*mlen = 0;
return 0;
}
*mlen = len;
}
@@ -164,6 +167,47 @@ invalid_packet:
return -EINVAL;
}
ssize_t quic_parse_crypto(struct quic_frame_crypto *crypto_frame,
const uint8_t *frame, uint64_t flen) {
const uint8_t *curptr = frame;
uint64_t curptr_len = flen;
uint64_t vln;
*crypto_frame = (struct quic_frame_crypto){0};
if (flen == 0 || *frame != QUIC_FRAME_CRYPTO ||
crypto_frame == NULL)
return -EINVAL;
curptr++, curptr_len--;
vln = curptr_len;
uint64_t offset = quic_parse_varlength(curptr, &vln);
curptr += vln, curptr_len -= vln;
if (vln == 0) {
return -EINVAL;
}
vln = curptr_len;
uint64_t length = quic_parse_varlength(curptr, &vln);
curptr += vln, curptr_len -= vln;
if (vln == 0) {
return -EINVAL;
}
if (length > curptr_len)
return -EINVAL;
crypto_frame->offset = offset;
crypto_frame->payload_length = length;
crypto_frame->payload = curptr;
curptr += length;
curptr_len -= length;
return flen - curptr_len;
}
int udp_fail_packet(struct udp_failing_strategy strategy, uint8_t *payload, uint32_t *plen, uint32_t avail_buflen) {
void *iph;
uint32_t iph_len;
@@ -313,20 +357,11 @@ int detect_udp_filtered(const struct section_config_t *section,
lgtrace_addp("QUIC detected");
uint8_t qtype = qch->type;
if (qch->version == QUIC_V1)
qtype = quic_convtype_v1(qtype);
else if (qch->version == QUIC_V2)
qtype = quic_convtype_v2(qtype);
if (qtype != QUIC_INITIAL_TYPE) {
lgtrace_addp("QUIC message type: %d", qtype);
goto match_port;
if (quic_check_is_initial(qch)) {
lgtrace_addp("QUIC initial message");
goto approve;
}
lgtrace_addp("QUIC initial message");
goto approve;
}
match_port:

17
src/quic.h
View File

@@ -41,6 +41,9 @@
#define QUIC_RETRY_TYPE_V2 0b00
#define quic_convtype_v2(type) (((type) + 1) & 0b11)
#define QUIC_FRAME_CRYPTO 0x06
#define QUIC_FRAME_PADDING 0x00
#define QUIC_V1 1 // RFC 9000
#define QUIC_V2 0x6b3343cf // RFC 9369
@@ -130,6 +133,8 @@ int quic_parse_data(const uint8_t *raw_payload, uint32_t raw_payload_len,
*
* \mlen Used to signal about variable length and validate left length
* in the buffer.
*
* On error/buffer overflow mlen set to 0, otherwise it is higher
*/
uint64_t quic_parse_varlength(const uint8_t *variable, uint64_t *mlen);
@@ -161,6 +166,18 @@ int64_t quic_get_version(const struct quic_lhdr *qch);
*/
int quic_check_is_initial(const struct quic_lhdr *qch);
struct quic_frame_crypto {
uint64_t offset;
uint64_t payload_length;
const uint8_t *payload;
};
/**
* Parses quic crypto frame
* Returns parsed size or -EINVAL on error
*/
ssize_t quic_parse_crypto(struct quic_frame_crypto *crypto_frame,
const uint8_t *frame, uint64_t flen);
/**
* Parses QUIC initial message header.

251
src/tls.c
View File

@@ -17,7 +17,7 @@ static int bruteforce_analyze_sni_str(
if (section->all_domains) {
vrd->target_sni = 1;
vrd->sni_len = 0;
vrd->sni_offset = dlen / 2;
vrd->sni_ptr = data + dlen / 2;
return 0;
}
@@ -53,9 +53,9 @@ static int bruteforce_analyze_sni_str(
if (zbuf[k] == domain_len) {
vrd->target_sni = 1;
vrd->sni_len = domain_len;
vrd->sni_offset = (k - domain_len - 1);
vrd->sni_target_offset = vrd->sni_offset;
vrd->sni_target_len = vrd->sni_len;
vrd->sni_ptr = data + (k - domain_len - 1);
vrd->target_sni_ptr = vrd->sni_ptr;
vrd->target_sni_len = vrd->sni_len;
NETBUF_FREE(buf);
NETBUF_FREE(nzbuf);
return 0;
@@ -71,7 +71,7 @@ static int bruteforce_analyze_sni_str(
}
static int analyze_sni_str(
const struct section_config_t *section,
const char *sni_name, int sni_len, const uint8_t *data,
const char *sni_name, int sni_len,
struct tls_verdict *vrd
) {
if (section->all_domains) {
@@ -89,8 +89,8 @@ static int analyze_sni_str(
domain_startp,
sne->domain_len)) {
vrd->target_sni = 1;
vrd->sni_target_offset = (const uint8_t *)sni_startp - data;
vrd->sni_target_len = sne->domain_len;
vrd->target_sni_ptr = (const uint8_t *)sni_startp;
vrd->target_sni_len = sne->domain_len;
break;
}
}
@@ -108,7 +108,7 @@ check_domain:
sne->domain_len)) {
vrd->target_sni = 0;
lgdebugmsg("Excluded SNI: %.*s",
vrd->sni_len, data + vrd->sni_offset);
vrd->sni_len, vrd->sni_ptr);
}
}
}
@@ -116,11 +116,115 @@ check_domain:
return 0;
}
int analyze_tls_message(
const struct section_config_t *section,
const uint8_t *message_data,
size_t message_length,
struct tls_verdict *tlsv
) {
*tlsv = (struct tls_verdict){0};
const uint8_t *handshakeProto = message_data;
const uint8_t *data_end = message_data + message_length;
#define TLS_CONTENT_TYPE_HANDSHAKE 0x16
#define TLS_HANDSHAKE_TYPE_CLIENT_HELLO 0x01
#define TLS_EXTENSION_SNI 0x0000
#define TLS_EXTENSION_CLIENT_HELLO_ENCRYPTED 0xfe0d
if (handshakeProto + 1 >= data_end)
goto invalid;
uint8_t handshakeType = *handshakeProto;
if (handshakeType != TLS_HANDSHAKE_TYPE_CLIENT_HELLO)
goto next;
const uint8_t *msgPtr = handshakeProto;
msgPtr += 1;
msgPtr += 3 + 2 + 32;
if (msgPtr + 1 >= data_end)
goto invalid;
uint8_t sessionIdLength = *msgPtr;
msgPtr++;
msgPtr += sessionIdLength;
if (msgPtr + 2 >= data_end)
goto invalid;
uint16_t ciphersLength = ntohs(*(uint16_t *)msgPtr);
msgPtr += 2;
msgPtr += ciphersLength;
if (msgPtr + 1 >= data_end)
goto invalid;
uint8_t compMethodsLen = *msgPtr;
msgPtr++;
msgPtr += compMethodsLen;
if (msgPtr + 2 >= data_end)
goto invalid;
uint16_t extensionsLen = ntohs(*(uint16_t *)msgPtr);
msgPtr += 2;
const uint8_t *extensionsPtr = msgPtr;
const uint8_t *extensions_end = extensionsPtr + extensionsLen;
if (extensions_end > data_end) extensions_end = data_end;
while (extensionsPtr < extensions_end) {
const uint8_t *extensionPtr = extensionsPtr;
if (extensionPtr + 4 >= extensions_end)
goto invalid;
uint16_t extensionType =
ntohs(*(uint16_t *)extensionPtr);
extensionPtr += 2;
uint16_t extensionLen =
ntohs(*(uint16_t *)extensionPtr);
extensionPtr += 2;
if (extensionPtr + extensionLen > extensions_end)
goto invalid;
if (extensionType != TLS_EXTENSION_SNI)
goto nextExtension;
const uint8_t *sni_ext_ptr = extensionPtr;
if (sni_ext_ptr + 2 >= extensions_end)
goto invalid;
uint16_t sni_ext_dlen = ntohs(*(uint16_t *)sni_ext_ptr);
sni_ext_ptr += 2;
const uint8_t *sni_ext_end = sni_ext_ptr + sni_ext_dlen;
if (sni_ext_end >= extensions_end)
goto invalid;
if (sni_ext_ptr + 3 >= sni_ext_end)
goto invalid;
sni_ext_ptr++;
uint16_t sni_len = ntohs(*(uint16_t *)sni_ext_ptr);
sni_ext_ptr += 2;
if (sni_ext_ptr + sni_len > sni_ext_end)
goto invalid;
const char *sni_name = (char *)sni_ext_ptr;
tlsv->sni_ptr = (const uint8_t *)sni_name;
tlsv->sni_len = sni_len;
tlsv->target_sni_ptr = tlsv->sni_ptr;
tlsv->target_sni_len = tlsv->sni_len;
analyze_sni_str(section, sni_name, sni_len, tlsv);
return TLS_MESSAGE_ANALYZE_FOUND;
nextExtension:
extensionsPtr += 2 + 2 + extensionLen;
}
next:
return TLS_MESSAGE_ANALYZE_GOTO_NEXT;
invalid:
return TLS_MESSAGE_ANALYZE_INVALID;
}
/**
* Processes tls payload of the tcp request.
@@ -135,115 +239,56 @@ struct tls_verdict analyze_tls_data(
{
struct tls_verdict vrd = {0};
size_t i = 0;
const uint8_t *data_end = data + dlen;
const uint8_t *message_ptr = data;
int ret;
if (section->sni_detection == SNI_DETECTION_BRUTE) {
bruteforce_analyze_sni_str(section, data, dlen, &vrd);
goto out;
}
while (i + 4 < dlen) {
const uint8_t *msgData = data + i;
while (message_ptr + 5 < data_end) {
uint8_t tls_content_type = *message_ptr;
message_ptr++;
uint8_t tls_content_type = *msgData;
uint8_t tls_vmajor = *(msgData + 1);
uint16_t message_length = ntohs(*(uint16_t *)(msgData + 3));
uint8_t tls_vmajor = *message_ptr;
if (tls_vmajor != 0x03) break;
message_ptr++;
if (tls_vmajor != 0x03) goto nextMessage;
uint8_t tls_vminor = *message_ptr;
message_ptr++;
if (i + 5 > dlen) break;
uint16_t message_length = ntohs(*(const uint16_t *)message_ptr);
message_ptr += 2;
const uint8_t *tls_message_data = message_ptr;
// Since real length may be truncated use minimum of two
size_t tls_message_length = min(message_length, data_end - message_ptr);
if (tls_content_type != TLS_CONTENT_TYPE_HANDSHAKE)
goto nextMessage;
const uint8_t *handshakeProto = msgData + 5;
ret = analyze_tls_message(
section,
tls_message_data,
tls_message_length,
&vrd
);
if (handshakeProto + 1 >= data_end) break;
uint8_t handshakeType = *handshakeProto;
if (handshakeType != TLS_HANDSHAKE_TYPE_CLIENT_HELLO)
goto nextMessage;
const uint8_t *msgPtr = handshakeProto;
msgPtr += 1;
msgPtr += 3 + 2 + 32;
if (msgPtr + 1 >= data_end) break;
uint8_t sessionIdLength = *msgPtr;
msgPtr++;
msgPtr += sessionIdLength;
if (msgPtr + 2 >= data_end) break;
uint16_t ciphersLength = ntohs(*(uint16_t *)msgPtr);
msgPtr += 2;
msgPtr += ciphersLength;
if (msgPtr + 1 >= data_end) break;
uint8_t compMethodsLen = *msgPtr;
msgPtr++;
msgPtr += compMethodsLen;
if (msgPtr + 2 >= data_end) break;
uint16_t extensionsLen = ntohs(*(uint16_t *)msgPtr);
msgPtr += 2;
const uint8_t *extensionsPtr = msgPtr;
const uint8_t *extensions_end = extensionsPtr + extensionsLen;
if (extensions_end > data_end) extensions_end = data_end;
while (extensionsPtr < extensions_end) {
const uint8_t *extensionPtr = extensionsPtr;
if (extensionPtr + 4 >= extensions_end) break;
uint16_t extensionType =
ntohs(*(uint16_t *)extensionPtr);
extensionPtr += 2;
uint16_t extensionLen =
ntohs(*(uint16_t *)extensionPtr);
extensionPtr += 2;
if (extensionPtr + extensionLen > extensions_end)
break;
if (extensionType != TLS_EXTENSION_SNI)
goto nextExtension;
const uint8_t *sni_ext_ptr = extensionPtr;
if (sni_ext_ptr + 2 >= extensions_end) break;
uint16_t sni_ext_dlen = ntohs(*(uint16_t *)sni_ext_ptr);
sni_ext_ptr += 2;
const uint8_t *sni_ext_end = sni_ext_ptr + sni_ext_dlen;
if (sni_ext_end >= extensions_end) break;
switch (ret) {
case TLS_MESSAGE_ANALYZE_GOTO_NEXT:
goto nextMessage;
case TLS_MESSAGE_ANALYZE_FOUND:
case TLS_MESSAGE_ANALYZE_INVALID:
default:
goto out;
if (sni_ext_ptr + 3 >= sni_ext_end) break;
sni_ext_ptr++;
uint16_t sni_len = ntohs(*(uint16_t *)sni_ext_ptr);
sni_ext_ptr += 2;
if (sni_ext_ptr + sni_len > sni_ext_end) break;
const char *sni_name = (char *)sni_ext_ptr;
vrd.sni_offset = (uint8_t *)sni_name - data;
vrd.sni_target_offset = vrd.sni_offset;
vrd.sni_len = sni_len;
vrd.sni_target_len = vrd.sni_len;
analyze_sni_str(section, sni_name, sni_len, data, &vrd);
goto out;
nextExtension:
extensionsPtr += 2 + 2 + extensionLen;
}
nextMessage:
i += 5 + message_length;
message_ptr += tls_message_length;
}
out:

28
src/tls.h
View File

@@ -9,16 +9,36 @@
* Result of analyze_tls_data function
*/
struct tls_verdict {
int target_sni; /* google video hello packet */
int sni_offset; /* offset from start of tcp _payload_ */
int sni_target_offset; /* offset of target domain instead of entire sni */
int sni_target_len; /* offset of target domain instead of entire sni */
const uint8_t *sni_ptr;
int sni_len;
int target_sni; /* boolean, 1 if target found */
const uint8_t *target_sni_ptr; /* pointer to target domain instead of entire sni */
int target_sni_len; /* length of target domain instead of entire sni */
};
#define TLS_CONTENT_TYPE_HANDSHAKE 0x16
#define TLS_HANDSHAKE_TYPE_CLIENT_HELLO 0x01
#define TLS_EXTENSION_SNI 0x0000
#define TLS_EXTENSION_CLIENT_HELLO_ENCRYPTED 0xfe0d
#define TLS_MESSAGE_ANALYZE_INVALID -1
#define TLS_MESSAGE_ANALYZE_FOUND 0
#define TLS_MESSAGE_ANALYZE_GOTO_NEXT 1
int analyze_tls_message(
const struct section_config_t *section,
const uint8_t *message_data,
size_t message_length,
struct tls_verdict *tlsv
);
/**
* Processes the packet and finds TLS Client Hello information inside it.
* data pointer points to start of TLS Message (TCP Payload)
*
* Note that all the constant pointers of tls_verdict will be relative to data pointer
*/
struct tls_verdict analyze_tls_data(const struct section_config_t *section, const uint8_t *data, uint32_t dlen);