From 55679c46bbcaad75146556c0684063b22f103eed Mon Sep 17 00:00:00 2001 From: jimraynor2470 Date: Mon, 8 May 2023 10:35:39 +0900 Subject: [PATCH 1/2] Add whitelist option --- src/blackwhitelist.c | 43 ++++++++++++++++++++++++++++++------------- src/blackwhitelist.h | 6 ++++-- src/goodbyedpi.c | 28 +++++++++++++++++++++------- 3 files changed, 55 insertions(+), 22 deletions(-) diff --git a/src/blackwhitelist.c b/src/blackwhitelist.c index e59b59d9..803ec29d 100644 --- a/src/blackwhitelist.c +++ b/src/blackwhitelist.c @@ -16,13 +16,14 @@ typedef struct blackwhitelist_record { UT_hash_handle hh; /* makes this structure hashable */ } blackwhitelist_record_t; -static blackwhitelist_record_t *blackwhitelist = NULL; +static blackwhitelist_record_t *blacklist = NULL; +static blackwhitelist_record_t *whitelist = NULL; -static int check_get_hostname(const char *host) { +static int check_get_hostname(const char *host, blackwhitelist_record_t **list) { blackwhitelist_record_t *tmp_record = NULL; - if (!blackwhitelist) return FALSE; + if (!*list) return FALSE; - HASH_FIND_STR(blackwhitelist, host, tmp_record); + HASH_FIND_STR(*list, host, tmp_record); if (tmp_record) { debug("check_get_hostname found host\n"); return TRUE; @@ -31,17 +32,17 @@ static int check_get_hostname(const char *host) { return FALSE; } -static int add_hostname(const char *host) { +static int add_hostname(const char *host, blackwhitelist_record_t **list) { if (!host) return FALSE; blackwhitelist_record_t *tmp_record = malloc(sizeof(blackwhitelist_record_t)); char *host_c = NULL; - if (!check_get_hostname(host)) { + if (!check_get_hostname(host, list)) { host_c = strdup(host); tmp_record->host = host_c; - HASH_ADD_KEYPTR(hh, blackwhitelist, tmp_record->host, + HASH_ADD_KEYPTR(hh, *list, tmp_record->host, strlen(tmp_record->host), tmp_record); debug("Added host %s\n", host_c); return TRUE; @@ -53,7 +54,7 @@ static int add_hostname(const char *host) { return FALSE; } -int blackwhitelist_load_list(const char *filename) { +static int blackwhitelist_load_list(const char *filename, blackwhitelist_record_t **list) { char *line = malloc(HOST_MAXLEN + 1); size_t linelen = HOST_MAXLEN + 1; int cnt = 0; @@ -74,17 +75,25 @@ int blackwhitelist_load_list(const char *filename) { printf("WARNING: host %s is less than 3 bytes, skipping\n", line); continue; } - if (add_hostname(line)) + if (add_hostname(line, list)) cnt++; } free(line); - if (!blackwhitelist) return FALSE; + if (!*list) return FALSE; printf("Loaded %d hosts from file %s\n", cnt, filename); fclose(fp); return TRUE; } -int blackwhitelist_check_hostname(const char *host_addr, size_t host_len) { +int blackwhitelist_load_blacklist(const char *filename) { + return blackwhitelist_load_list(filename, &blacklist); +} + +int blackwhitelist_load_whitelist(const char *filename) { + return blackwhitelist_load_list(filename, &whitelist); +} + +static int blackwhitelist_check_hostname(const char *host_addr, size_t host_len, blackwhitelist_record_t **list) { char current_host[HOST_MAXLEN + 1]; char *tokenized_host = NULL; @@ -94,13 +103,13 @@ int blackwhitelist_check_hostname(const char *host_addr, size_t host_len) { current_host[host_len] = '\0'; } - if (check_get_hostname(current_host)) + if (check_get_hostname(current_host, list)) return TRUE; tokenized_host = strchr(current_host, '.'); while (tokenized_host != NULL && tokenized_host < (current_host + HOST_MAXLEN)) { /* Search hostname only if there is next token */ - if (strchr(tokenized_host + 1, '.') && check_get_hostname(tokenized_host + 1)) + if (strchr(tokenized_host + 1, '.') && check_get_hostname(tokenized_host + 1, list)) return TRUE; tokenized_host = strchr(tokenized_host + 1, '.'); } @@ -108,3 +117,11 @@ int blackwhitelist_check_hostname(const char *host_addr, size_t host_len) { debug("____blackwhitelist_check_hostname FALSE: host %s\n", current_host); return FALSE; } + +int blackwhitelist_check_hostname_blacklist(const char *host_addr, size_t host_len) { + return blackwhitelist_check_hostname(host_addr, host_len, &blacklist); +} + +int blackwhitelist_check_hostname_whitelist(const char *host_addr, size_t host_len) { + return blackwhitelist_check_hostname(host_addr, host_len, &whitelist); +} diff --git a/src/blackwhitelist.h b/src/blackwhitelist.h index f8122a32..96eff04f 100644 --- a/src/blackwhitelist.h +++ b/src/blackwhitelist.h @@ -1,2 +1,4 @@ -int blackwhitelist_load_list(const char *filename); -int blackwhitelist_check_hostname(const char *host_addr, size_t host_len); +int blackwhitelist_load_blacklist(const char *filename); +int blackwhitelist_load_whitelist(const char *filename); +int blackwhitelist_check_hostname_blacklist(const char *host_addr, size_t host_len); +int blackwhitelist_check_hostname_whitelist(const char *host_addr, size_t host_len); diff --git a/src/goodbyedpi.c b/src/goodbyedpi.c index f80581f7..f5331155 100644 --- a/src/goodbyedpi.c +++ b/src/goodbyedpi.c @@ -161,6 +161,7 @@ static struct option long_options[] = { {"dnsv6-port", required_argument, 0, '@' }, {"dns-verb", no_argument, 0, 'v' }, {"blacklist", required_argument, 0, 'b' }, + {"whitelist", required_argument, 0, 't' }, {"allow-no-sni",no_argument, 0, ']' }, {"ip-id", required_argument, 0, 'i' }, {"set-ttl", required_argument, 0, '$' }, @@ -566,7 +567,8 @@ int main(int argc, char *argv[]) { do_http_allports = 0, do_host_mixedcase = 0, do_dnsv4_redirect = 0, do_dnsv6_redirect = 0, - do_dns_verb = 0, do_tcp_verb = 0, do_blacklist = 0, + do_dns_verb = 0, do_tcp_verb = 0, + do_blacklist = 0, do_whitelist = 0, do_allow_no_sni = 0, do_fake_packet = 0, do_auto_ttl = 0, @@ -798,11 +800,18 @@ int main(int argc, char *argv[]) { break; case 'b': // --blacklist do_blacklist = 1; - if (!blackwhitelist_load_list(optarg)) { + if (!blackwhitelist_load_blacklist(optarg)) { printf("Can't load blacklist from file!\n"); exit(EXIT_FAILURE); } break; + case 't': // --whitelist + do_whitelist = 1; + if (!blackwhitelist_load_whitelist(optarg)) { + printf("Can't load whitelist from file!\n"); + exit(EXIT_FAILURE); + } + break; case ']': // --allow-no-sni do_allow_no_sni = 1; break; @@ -898,6 +907,9 @@ int main(int argc, char *argv[]) { " --blacklist perform circumvention tricks only to host names and subdomains from\n" " supplied text file (HTTP Host/TLS SNI).\n" " This option can be supplied multiple times.\n" + " --whitelist does not perform circumvention tricks to host names and subdomains from\n" + " supplied text file.\n" + " This option can be supplied multiple times.\n" " --allow-no-sni perform circumvention if TLS SNI can't be detected with --blacklist enabled.\n" " --set-ttl activate Fake Request Mode and send it with supplied TTL value.\n" " DANGEROUS! May break websites in unexpected ways. Use with care (or --blacklist).\n" @@ -1131,16 +1143,17 @@ int main(int argc, char *argv[]) { if ((packet_dataLen == 2 && memcmp(packet_data, "\x16\x03", 2) == 0) || (packet_dataLen >= 3 && memcmp(packet_data, "\x16\x03\x01", 3) == 0)) { - if (do_blacklist) { + if (do_blacklist || do_whitelist) { sni_ok = extract_sni(packet_data, packet_dataLen, &host_addr, &host_len); } if ( - (do_blacklist && sni_ok && - blackwhitelist_check_hostname(host_addr, host_len) + ((do_blacklist && sni_ok && + blackwhitelist_check_hostname_blacklist(host_addr, host_len) ) || (do_blacklist && !sni_ok && do_allow_no_sni) || - (!do_blacklist) + (!do_blacklist)) && + (do_whitelist ? !blackwhitelist_check_hostname_whitelist(host_addr, host_len) : 1) ) { #ifdef DEBUG @@ -1176,7 +1189,8 @@ int main(int argc, char *argv[]) { if (find_header_and_get_info(packet_data, packet_dataLen, http_host_find, &hdr_name_addr, &hdr_value_addr, &hdr_value_len) && hdr_value_len > 0 && hdr_value_len <= HOST_MAXLEN && - (do_blacklist ? blackwhitelist_check_hostname(hdr_value_addr, hdr_value_len) : 1)) + (do_blacklist ? blackwhitelist_check_hostname_blacklist(hdr_value_addr, hdr_value_len) : 1) && + (do_whitelist ? !blackwhitelist_check_hostname_whitelist(hdr_value_addr, hdr_value_len) : 1)) { host_addr = hdr_value_addr; host_len = hdr_value_len; From a650e55ffe134ae4357795bb8f966cac4bb6f621 Mon Sep 17 00:00:00 2001 From: jimraynor2470 Date: Mon, 8 May 2023 11:48:57 +0900 Subject: [PATCH 2/2] Update README --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 7bea3400..43155f9b 100644 --- a/README.md +++ b/README.md @@ -42,6 +42,9 @@ Usage: goodbyedpi.exe [OPTION...] --blacklist perform circumvention tricks only to host names and subdomains from supplied text file (HTTP Host/TLS SNI). This option can be supplied multiple times. + --whitelist does not perform circumvention tricks to host names and subdomains from + supplied text file. + This option can be supplied multiple times. --allow-no-sni perform circumvention if TLS SNI can't be detected with --blacklist enabled. --set-ttl activate Fake Request Mode and send it with supplied TTL value. DANGEROUS! May break websites in unexpected ways. Use with care (or --blacklist).