Enhance middle sni split

Instead of real middle sni we use targetted middle sni for explicit (not all) sni domain list
Waujito · Sep 28, 2024 · 3ee979f · 3ee979f
1 parent 82c4911
commit 3ee979f
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 4 deletions.
diff --git a/mangle.c b/mangle.c
@@ -190,7 +190,7 @@ int process_tcp_packet(const uint8_t *raw_payload, uint32_t raw_payload_len) {
 
 		switch (config.fragmentation_strategy) {
 			case FRAG_STRAT_TCP: {
-				ipd_offset = vrd.sni_offset;
+				ipd_offset = vrd.sni_target_offset;
 				mid_offset = ipd_offset + vrd.sni_len / 2;
 
 				uint32_t poses[2];
@@ -221,7 +221,7 @@ int process_tcp_packet(const uint8_t *raw_payload, uint32_t raw_payload_len) {
 			break;
 			case FRAG_STRAT_IP: 
 			if (ipxv == IP4VERSION) {
-				ipd_offset = ((char *)data - (char *)tcph) + vrd.sni_offset;
+				ipd_offset = ((char *)data - (char *)tcph) + vrd.sni_target_offset;
 				mid_offset = ipd_offset + vrd.sni_len / 2;
 				mid_offset += 8 - mid_offset % 8;
 
@@ -618,7 +618,8 @@ int post_fake_sni(const void *iph, unsigned int iph_len,
 				fake_seq_type.type = FAKE_PAYLOAD_DEFAULT;
 		}
 
-		for (int i = 0; i < sequence_len; i++) {
+		// one goes for default fake
+		for (int i = 1; i < sequence_len; i++) {
 			NETBUF_ALLOC(fake_sni, MAX_PACKET_SIZE);
 			if (!NETBUF_CHECK(fake_sni)) {
 				lgerror("Allocation error", -ENOMEM);

diff --git a/tls.c b/tls.c
@@ -122,14 +122,14 @@ struct tls_verdict analyze_tls_data(
 			char *sni_name = (char *)sni_ext_ptr;
 
 			vrd.sni_offset = (uint8_t *)sni_name - data;
+			vrd.sni_target_offset = vrd.sni_offset;
 			vrd.sni_len = sni_len;
 
 			if (config.all_domains) {
 				vrd.target_sni = 1;
 				goto check_domain;
 			}
 
-
 			unsigned int j = 0;
 			for (unsigned int i = 0; i <= config.domains_strlen; i++) {
 				if (	i > j &&
@@ -148,6 +148,7 @@ struct tls_verdict analyze_tls_data(
 						domain_startp, 
 						domain_len)) {
 							vrd.target_sni = 1;
+							vrd.sni_target_offset = (const uint8_t *)sni_startp - data;
 							goto check_domain;
 					}
 
@@ -247,6 +248,7 @@ struct tls_verdict analyze_tls_data(
 					vrd.target_sni = 1;
 					vrd.sni_len = domain_len;
 					vrd.sni_offset = (k - domain_len - 1);
+					vrd.sni_target_offset = vrd.sni_offset
 					NETBUF_FREE(buf);
 					NETBUF_FREE(nzbuf);
 					goto out;

diff --git a/tls.h b/tls.h
@@ -10,6 +10,7 @@
 struct tls_verdict {
 	int target_sni; /* google video hello packet */
 	int sni_offset; /* offset from start of tcp _payload_ */
+	int sni_target_offset; /* offset of target domain instead of entire sni */
 	int sni_len;
 };