Gamercat/GoodbyeDPI
1
0
Fork 0
mirror of https://github.com/ValdikSS/GoodbyeDPI.git synced 2024-11-22 01:55:19 +01:00
Code Issues Projects Releases Wiki Activity

--allow-no-sni option. Useful with --blacklist and undetectable SNI.

Browse Source 
This option is added specially for protonmail.com, as it sends
low Window Size in SYN-ACK for requests from Russia, to force
the client to fragment the packet. GoodbyeDPI doesn't do reassembling
and can't extract SNI in this case, thus won't circumvent the
censorship if --blacklist option is used.
This commit is contained in:
ValdikSS 2021-12-29 16:18:56 +03:00
parent 7f59593a28
commit cc1676ad92
2 changed files with 27 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@ -34,6 +34,7 @@ Usage: goodbyedpi.exe [OPTION...]
--blacklist <txtfile> perform circumvention tricks only to host names and subdomains from --blacklist <txtfile> perform circumvention tricks only to host names and subdomains from
supplied text file (HTTP Host/TLS SNI). supplied text file (HTTP Host/TLS SNI).
This option can be supplied multiple times. This option can be supplied multiple times.
--allow-no-sni perform circumvention if TLS SNI can't be detected with --blacklist enabled.
--set-ttl <value> activate Fake Request Mode and send it with supplied TTL value. --set-ttl <value> activate Fake Request Mode and send it with supplied TTL value.
DANGEROUS! May break websites in unexpected ways. Use with care. DANGEROUS! May break websites in unexpected ways. Use with care.
--auto-ttl [a1-a2-m] activate Fake Request Mode, automatically detect TTL and decrease --auto-ttl [a1-a2-m] activate Fake Request Mode, automatically detect TTL and decrease

37
src/goodbyedpi.c
View File

@ -160,6 +160,7 @@ static struct option long_options[] = {
{"dnsv6-port", required_argument, 0, '@' }, {"dnsv6-port", required_argument, 0, '@' },
{"dns-verb", no_argument, 0, 'v' }, {"dns-verb", no_argument, 0, 'v' },
{"blacklist", required_argument, 0, 'b' }, {"blacklist", required_argument, 0, 'b' },
{"allow-no-sni",no_argument, 0, ']' },
{"ip-id", required_argument, 0, 'i' }, {"ip-id", required_argument, 0, 'i' },
{"set-ttl", required_argument, 0, '$' }, {"set-ttl", required_argument, 0, '$' },
{"min-ttl", required_argument, 0, '[' }, {"min-ttl", required_argument, 0, '[' },
@ -523,6 +524,7 @@ int main(int argc, char *argv[]) {
ipv6_tcp, ipv6_tcp_data, ipv6_udp_data ipv6_tcp, ipv6_tcp_data, ipv6_udp_data
} packet_type; } packet_type;
int i, should_reinject, should_recalc_checksum = 0; int i, should_reinject, should_recalc_checksum = 0;
int sni_ok = 0;
int opt; int opt;
int packet_v4, packet_v6; int packet_v4, packet_v6;
HANDLE w_filter = NULL; HANDLE w_filter = NULL;
@ -547,6 +549,7 @@ int main(int argc, char *argv[]) {
do_host_mixedcase = 0, do_host_mixedcase = 0,
do_dnsv4_redirect = 0, do_dnsv6_redirect = 0, do_dnsv4_redirect = 0, do_dnsv6_redirect = 0,
do_dns_verb = 0, do_tcp_verb = 0, do_blacklist = 0, do_dns_verb = 0, do_tcp_verb = 0, do_blacklist = 0,
do_allow_no_sni = 0,
do_fake_packet = 0, do_fake_packet = 0,
do_auto_ttl = 0, do_auto_ttl = 0,
do_wrong_chksum = 0, do_wrong_chksum = 0,
@ -778,6 +781,9 @@ int main(int argc, char *argv[]) {
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
break; break;
case ']': // --allow-no-sni
do_allow_no_sni = 1;
break;
case '$': // --set-ttl case '$': // --set-ttl
do_fake_packet = 1; do_fake_packet = 1;
ttl_of_fake_packet = atoub(optarg, "Set TTL parameter error!"); ttl_of_fake_packet = atoub(optarg, "Set TTL parameter error!");
@ -861,6 +867,7 @@ int main(int argc, char *argv[]) {
" --blacklist <txtfile> perform circumvention tricks only to host names and subdomains from\n" " --blacklist <txtfile> perform circumvention tricks only to host names and subdomains from\n"
" supplied text file (HTTP Host/TLS SNI).\n" " supplied text file (HTTP Host/TLS SNI).\n"
" This option can be supplied multiple times.\n" " This option can be supplied multiple times.\n"
" --allow-no-sni perform circumvention if TLS SNI can't be detected with --blacklist enabled.\n"
" --set-ttl <value> activate Fake Request Mode and send it with supplied TTL value.\n" " --set-ttl <value> activate Fake Request Mode and send it with supplied TTL value.\n"
" DANGEROUS! May break websites in unexpected ways. Use with care (or --blacklist).\n" " DANGEROUS! May break websites in unexpected ways. Use with care (or --blacklist).\n"
" --auto-ttl [a1-a2-m] activate Fake Request Mode, automatically detect TTL and decrease\n" " --auto-ttl [a1-a2-m] activate Fake Request Mode, automatically detect TTL and decrease\n"
@ -925,9 +932,10 @@ int main(int argc, char *argv[]) {
"HTTP Persistent Nowait: %d\n" /* 12 */ "HTTP Persistent Nowait: %d\n" /* 12 */
"DNS redirect: %d\n" /* 13 */ "DNS redirect: %d\n" /* 13 */
"DNSv6 redirect: %d\n" /* 14 */ "DNSv6 redirect: %d\n" /* 14 */
"Fake requests, TTL: %s (fixed: %hu, auto: %hu-%hu-%hu, min distance: %hu)\n" /* 15 */ "Allow missing SNI: %d\n" /* 15 */
"Fake requests, wrong checksum: %d\n" /* 16 */ "Fake requests, TTL: %s (fixed: %hu, auto: %hu-%hu-%hu, min distance: %hu)\n" /* 16 */
"Fake requests, wrong SEQ/ACK: %d\n", /* 17 */ "Fake requests, wrong checksum: %d\n" /* 17 */
"Fake requests, wrong SEQ/ACK: %d\n", /* 18 */
do_passivedpi, /* 1 */ do_passivedpi, /* 1 */
(do_fragment_http ? http_fragment_size : 0), /* 2 */ (do_fragment_http ? http_fragment_size : 0), /* 2 */
(do_fragment_http_persistent ? http_fragment_size : 0),/* 3 */ (do_fragment_http_persistent ? http_fragment_size : 0),/* 3 */
@ -942,11 +950,12 @@ int main(int argc, char *argv[]) {
do_fragment_http_persistent_nowait, /* 12 */ do_fragment_http_persistent_nowait, /* 12 */
do_dnsv4_redirect, /* 13 */ do_dnsv4_redirect, /* 13 */
do_dnsv6_redirect, /* 14 */ do_dnsv6_redirect, /* 14 */
ttl_of_fake_packet ? "fixed" : (do_auto_ttl ? "auto" : "disabled"), /* 15 */ do_allow_no_sni, /* 15 */
ttl_of_fake_packet ? "fixed" : (do_auto_ttl ? "auto" : "disabled"), /* 16 */
ttl_of_fake_packet, do_auto_ttl ? auto_ttl_1 : 0, do_auto_ttl ? auto_ttl_2 : 0, ttl_of_fake_packet, do_auto_ttl ? auto_ttl_1 : 0, do_auto_ttl ? auto_ttl_2 : 0,
do_auto_ttl ? auto_ttl_max : 0, ttl_min_nhops, do_auto_ttl ? auto_ttl_max : 0, ttl_min_nhops,
do_wrong_chksum, /* 16 */ do_wrong_chksum, /* 17 */
do_wrong_seq /* 17 */ do_wrong_seq /* 18 */
); );
if (do_fragment_http && http_fragment_size > 2 && !do_native_frag) { if (do_fragment_http && http_fragment_size > 2 && !do_native_frag) {
@ -1083,11 +1092,17 @@ int main(int argc, char *argv[]) {
if ((packet_dataLen == 2 && memcmp(packet_data, "\x16\x03", 2) == 0) || if ((packet_dataLen == 2 && memcmp(packet_data, "\x16\x03", 2) == 0) ||
(packet_dataLen >= 3 && memcmp(packet_data, "\x16\x03\x01", 3) == 0)) (packet_dataLen >= 3 && memcmp(packet_data, "\x16\x03\x01", 3) == 0))
{ {
if (do_blacklist if (do_blacklist) {
? (extract_sni(packet_data, packet_dataLen, sni_ok = extract_sni(packet_data, packet_dataLen,
&host_addr, &host_len) && &host_addr, &host_len);
blackwhitelist_check_hostname(host_addr, host_len)) }
: 1) if (
(do_blacklist && sni_ok &&
blackwhitelist_check_hostname(host_addr, host_len)
) ||
(do_blacklist && !sni_ok && do_allow_no_sni) ||
(!do_blacklist)
)
{ {
#ifdef DEBUG #ifdef DEBUG
char lsni[HOST_MAXLEN + 1] = {0}; char lsni[HOST_MAXLEN + 1] = {0};