winws2: fix sandbox reinit error

Fix typos in function descriptions

docs/changes.txt

@@ -12,3 +12,9 @@ v0.1.2
 * nfqws2: 'known' protocol and payload filter
 * nfqws2: 'aes_ctr' luacall
 * zapret-antidpi: rst
+* github actions: remove FFI from luajit
+
+v0.1.4
+
+* winws2: set low mandatory level in process token if possible : no --wlan-filter or --nlm-filter (no windivert reinit required)
+* nfqws2: optimize debug logging to file

lua/zapret-antidpi.lua

@@ -35,7 +35,7 @@ standard fooling :
 * tcp_ts=N - add N to timestamp value
 * tcp_md5[=hex] - add MD5 header with optional 16-byte data. all zero by default.
 * tcp_flags_set=<list> - set tcp flags in comma separated list
-* tcp_unflags_set=<list> - unset tcp flags in comma separated list
+* tcp_flags_unset=<list> - unset tcp flags in comma separated list
 * tcp_ts_up - move timestamp tcp option to the top if present (workaround for badack without badseq fooling)
 
 * fool=fool_function - custom fooling function : fool_func(dis, fooling_options)

lua/zapret-lib.lua

@@ -423,7 +423,7 @@ end
 -- tcp_ts=N - add N to timestamp value
 -- tcp_md5[=hex] - add MD5 header with optional 16-byte data. all zero by default.
 -- tcp_flags_set=<list> - set tcp flags in comma separated list
--- tcp_unflags_set=<list> - unset tcp flags in comma separated list
+-- tcp_flags_unset=<list> - unset tcp flags in comma separated list
 -- tcp_ts_up - move timestamp tcp option to the top if it's present. this allows linux not to accept badack segments without badseq. this is very strange discovery but it works.
 
 -- fool - custom fooling function : fool_func(dis, fooling_options)

lua/zapret-tests.lua

@@ -222,8 +222,33 @@ function test_aes_ctr()
 		print( decrypted==clear_text and "DECRYPT OK" or "DECRYPT ERROR" )
 		test_assert(decrypted~=clear_text)
 	end
-end
 
+	-- openssl enc -aes-256-ctr -d -in rnd.bin -out rnd_decrypted.bin -K c39383634d87eb3b6e56edf2c8c0ba99cc8cadf000fb2cd737e37947eecde5fd -iv d745164b233f10b93945526ffe94b87f
+	print("* aes_ctr const tests")
+
+	local data="\x9d\x9c\xa0\x78\x2e\x17\x84\xfc\x87\xc7\xf5\xdf\x5b\xb5\x71\xfd\xb9\xcb\xd2\x4d\xae\x2f\xf0\x19\xf3\xad\x79\xa8\x9a\xb4\xed\x28\x88\x3c\xe1\x78\x91\x23\x27\xd4\x8d\x94\xb3\xd0\x81\x88\xd2\x55\x95\x8a\x88\x70\x67\x99\x75\xb2\xee\x30\x0f\xe7\xc6\x32\x10"
+	local iv="\xd7\x45\x16\x4b\x23\x3f\x10\xb9\x39\x45\x52\x6f\xfe\x94\xb8\x7f"
+	local tests = {
+		{
+			key="\xc3\x93\x83\x63\x4d\x87\xeb\x3b\x6e\x56\xed\xf2\xc8\xc0\xba\x99\xcc\x8c\xad\xf0\x00\xfb\x2c\xd7\x37\xe3\x79\x47\xee\xcd\xe5\xfd",
+			result="\x8C\x2C\x15\x99\x83\x37\x33\xEE\xA1\x70\xA7\x4A\x44\x2E\x6F\x56\x22\x41\xE1\xFC\xC5\x84\x21\x1C\x16\xC6\xE9\x75\x22\x57\x55\x4A\x02\x04\xCE\xAD\xE9\x0A\x45\xAB\x4E\x38\xB8\xB2\x6F\x95\xDA\x46\x4F\x9E\xB1\xFF\xF4\x40\x8A\x57\x25\xD2\xF6\xB6\x93\x65\x75"
+		},
+		{
+			key="\xc3\x93\x83\x63\x4d\x87\xeb\x3b\x6e\x56\xed\xf2\xc8\xc0\xba\x99\xcc\x8c\xad\xf0\x00\xfb\x2c\xd7",
+			result="\xB0\x4C\xC9\xDB\x0C\xE5\x67\x51\x1D\x24\x3C\x15\x87\x1B\xF9\x62\x84\x8C\xD0\x57\x33\x93\xE0\x71\x91\x3A\x11\x26\xCA\x77\xA7\x54\xBD\xC6\x5E\x96\x60\x2C\x94\x0F\xBA\x3E\x79\xDC\x48\xA0\x22\x97\xA7\x77\x55\xC8\x14\xEA\xC2\xF5\xA0\x88\x6F\xE2\x44\x32\x68"
+		},
+		{
+			key="\xc3\x93\x83\x63\x4d\x87\xeb\x3b\x6e\x56\xed\xf2\xc8\xc0\xba\x99",
+			result="\xD9\xAC\xC7\x7D\xC8\xC9\xF1\x59\x9A\xDF\x15\xF3\x58\x61\xFD\x2B\x1D\x01\x9A\x5F\x04\x53\xA2\xA8\xFD\x52\xDC\x8A\xE9\x3B\x2E\x5E\x0D\x13\xCB\xBD\x16\xED\xC1\xF2\x0D\x68\x62\xB7\xD5\x0F\x8D\xD4\xEB\xA1\xC5\x75\xF2\x0B\x26\x75\x1D\x7E\x5A\x37\xA6\x8A\xCD"
+		}
+	}
+	for k,t in pairs(tests) do
+		local decrypted = aes_ctr(t.key, iv, data)
+		io.write("KEY SIZE "..(#t.key*8).." ")
+		print( decrypted==t.result and "DECRYPT OK" or "DECRYPT ERROR" )
+		test_assert(decrypted==t.result)
+	end
+end
 
 function test_ub()
 	for k,f in pairs({{u8,bu8,0xFF,8}, {u16,bu16,0xFFFF,16}, {u24,bu24,0xFFFFFF,24}, {u32,bu32,0xFFFFFFFF,32}}) do

lua/zapret-wgobfs.lua

@@ -11,15 +11,12 @@ function wgobfs(ctx, desync)
 	local padmin = desync.arg.padmin and tonumber(desync.arg.padmin) or 0
 	local padmax = desync.arg.padmax and tonumber(desync.arg.padmax) or 16
 	local function genkey()
-		-- cache key in lua_state of conntrack is present
+		-- cache key in a global var bound to instance name
-		if desync.track and desync.track.lua_state.wgobfs_key then
+		local key_cache_name = desync.func_instance.."_key"
-			key = desync.track.lua_state.wgobfs_key
+		key = _G[key_cache_name]
-		end
 		if not key then
 			key = hkdf("sha256", "wgobfs_salt", desync.arg.secret, nil, 16)
-			if desync.track then
+			_G[key_cache_name] = key
-				desync.track.lua_state.wgobfs_key = key
-			end
 		end
 		return key
 	end

nfq2/crypto/aes-ctr.c

@@ -3,46 +3,55 @@
 
 #define AES_BLOCKLEN 16
 
+#if defined(__GNUC__) && !defined(__llvm__)
+__attribute__((optimize ("no-strict-aliasing")))
+#endif
 void aes_ctr_xcrypt_buffer(aes_context *ctx, const uint8_t *iv, const uint8_t *in, size_t length, uint8_t *out)
 {
 	uint8_t bi, buffer[AES_BLOCKLEN], ivc[AES_BLOCKLEN];
-	size_t i;
+	size_t i, l16 = length & ~0xF;
 
-	memcpy(ivc,iv,AES_BLOCKLEN);
+	memcpy(ivc, iv, AES_BLOCKLEN);
 
-	for (i = 0, bi = AES_BLOCKLEN; i < length; ++i, ++bi)
+	for (i = 0; i < l16; i += 16)
 	{
-		if (bi == AES_BLOCKLEN) /* we need to regen xor complement in buffer */
+		memcpy(buffer, ivc, AES_BLOCKLEN);
-		{
+		aes_cipher(ctx, buffer, buffer);
-			memcpy(buffer, ivc, AES_BLOCKLEN);
-			aes_cipher(ctx, buffer, buffer);
 
-			/* Increment ivc and handle overflow */
+		// Increment ivc and handle overflow
-			for (bi = (AES_BLOCKLEN - 1); bi >= 0; --bi)
+		for (bi = (AES_BLOCKLEN - 1); bi >= 0; --bi)
+		{
+			// inc will owerflow
+			if (ivc[bi] == 255)
 			{
-				/* inc will owerflow */
+				ivc[bi] = 0;
-				if (ivc[bi] == 255)
+				continue;
-				{
-					ivc[bi] = 0;
-					continue;
-				}
-				ivc[bi] += 1;
-				break;
 			}
-			bi = 0;
+			ivc[bi]++;;
+			break;
 		}
-		out[i] = in[i] ^ buffer[bi];
+		*((uint64_t*)(out + i)) = *((uint64_t*)(in + i)) ^ ((uint64_t*)buffer)[0];
+		*((uint64_t*)(out + i + 8)) = *((uint64_t*)(in + i + 8)) ^ ((uint64_t*)buffer)[1];
+	}
+
+	if (i<length)
+	{
+		memcpy(buffer, ivc, AES_BLOCKLEN);
+		aes_cipher(ctx, buffer, buffer);
+
+		for (bi=0 ; i < length; i++, bi++)
+			out[i] = in[i] ^ buffer[bi];
 	}
 }
 
-int aes_ctr_crypt(const uint8_t *key, const size_t key_len, const uint8_t *iv, const uint8_t *in, size_t length, uint8_t *out)
+int aes_ctr_crypt(const uint8_t *key, unsigned int key_len, const uint8_t *iv, const uint8_t *in, size_t length, uint8_t *out)
 {
-	int ret=0;
+	int ret = 0;
 	aes_context ctx;
 
 	aes_init_keygen_tables();
 
-	if (!(ret=aes_setkey(&ctx, AES_ENCRYPT, key, key_len)))
+	if (!(ret = aes_setkey(&ctx, AES_ENCRYPT, key, key_len)))
 		aes_ctr_xcrypt_buffer(&ctx, iv, in, length, out);
 
 	return ret;

nfq2/crypto/aes-ctr.h

@@ -4,4 +4,4 @@
 #include "aes.h"
 
 void aes_ctr_xcrypt_buffer(aes_context *ctx, const uint8_t *iv, const uint8_t *in, size_t length, uint8_t *out);
-int aes_ctr_crypt(const uint8_t *key, const size_t key_len, const uint8_t *iv, const uint8_t *in, size_t length, uint8_t *out);
+int aes_ctr_crypt(const uint8_t *key, unsigned int key_len, const uint8_t *iv, const uint8_t *in, size_t length, uint8_t *out);

nfq2/crypto/aes-gcm.c

@@ -5,6 +5,8 @@ int aes_gcm_crypt(int mode, uint8_t *output, const uint8_t *input, size_t input_
 	int ret = 0;
 	gcm_context ctx;
 
+	gcm_initialize();
+
 	if (!(ret = gcm_setkey(&ctx, key, (const uint)key_len)))
 	{
 		ret = gcm_crypt_and_tag(&ctx, mode, iv, iv_len, adata, adata_len, input, output, input_length, atag, atag_len);

nfq2/darkmagic.c

@@ -20,8 +20,14 @@
 #include "nfqws.h"
 
 #ifdef __CYGWIN__
+#include <sys/cygwin.h>
+
 #include <wlanapi.h>
 #include <netlistmgr.h>
+#include <aclapi.h>
+#include <wchar.h>
+#include <KnownFolders.h>
+#include <shlobj.h>
 
 #ifndef ERROR_INVALID_IMAGE_HASH
 #define ERROR_INVALID_IMAGE_HASH __MSABI_LONG(577)
@@ -88,26 +94,22 @@ uint8_t tcp_find_scale_factor(const struct tcphdr *tcp)
 	if (scale && scale[1]==3) return scale[2];
 	return SCALE_NONE;
 }
-bool tcp_has_fastopen(const struct tcphdr *tcp)
-{
-	uint8_t *opt;
-	// new style RFC7413
-	opt = tcp_find_option((struct tcphdr*)tcp, TCP_KIND_FASTOPEN);
-	if (opt) return true;
-	// old style RFC6994
-	opt = tcp_find_option((struct tcphdr*)tcp, 254);
-	return opt && opt[1]>=4 && opt[2]==0xF9 && opt[3]==0x89;
-}
 uint16_t tcp_find_mss(const struct tcphdr *tcp)
 {
 	uint8_t *t = tcp_find_option((struct tcphdr *)tcp, TCP_KIND_MSS);
 	return (t && t[1]==4) ? *(uint16_t*)(t+2) : 0;
 }
-bool tcp_has_sack(struct tcphdr *tcp)
+bool tcp_synack_segment(const struct tcphdr *tcphdr)
 {
-	uint8_t *t = tcp_find_option(tcp, TCP_KIND_SACK_PERM);
+	/* check for set bits in TCP hdr */
-	return !!t;
+	return ((tcphdr->th_flags & (TH_URG|TH_ACK|TH_PUSH|TH_RST|TH_SYN|TH_FIN)) == (TH_ACK|TH_SYN));
 }
+bool tcp_syn_segment(const struct tcphdr *tcphdr)
+{
+	/* check for set bits in TCP hdr */
+	return ((tcphdr->th_flags & (TH_URG|TH_ACK|TH_PUSH|TH_RST|TH_SYN|TH_FIN)) == TH_SYN);
+}
+
 
 void extract_ports(const struct tcphdr *tcphdr, const struct udphdr *udphdr, uint8_t *proto, uint16_t *sport, uint16_t *dport)
 {
@@ -549,56 +551,6 @@ void proto_dissect_l3l4(const uint8_t *data, size_t len, struct dissect *dis)
 }
 
 
-bool tcp_synack_segment(const struct tcphdr *tcphdr)
-{
-	/* check for set bits in TCP hdr */
-	return ((tcphdr->th_flags & (TH_URG|TH_ACK|TH_PUSH|TH_RST|TH_SYN|TH_FIN)) == (TH_ACK|TH_SYN));
-}
-bool tcp_syn_segment(const struct tcphdr *tcphdr)
-{
-	/* check for set bits in TCP hdr */
-	return ((tcphdr->th_flags & (TH_URG|TH_ACK|TH_PUSH|TH_RST|TH_SYN|TH_FIN)) == TH_SYN);
-}
-bool tcp_ack_segment(const struct tcphdr *tcphdr)
-{
-	/* check for set bits in TCP hdr */
-	return ((tcphdr->th_flags & (TH_URG|TH_ACK|TH_PUSH|TH_RST|TH_SYN|TH_FIN)) == TH_ACK);
-}
-
-void tcp_rewrite_wscale(struct tcphdr *tcp, uint8_t scale_factor)
-{
-	uint8_t *scale,scale_factor_old;
-
-	if (scale_factor!=SCALE_NONE)
-	{
-		scale = tcp_find_option(tcp,3); // tcp option 3 - scale factor
-		if (scale && scale[1]==3) // length should be 3
-		{
-			scale_factor_old=scale[2];
-			// do not allow increasing scale factor
-			if (scale_factor>=scale_factor_old)
-				DLOG("Scale factor %u unchanged\n", scale_factor_old);
-			else
-			{
-				scale[2]=scale_factor;
-				DLOG("Scale factor change %u => %u\n", scale_factor_old, scale_factor);
-			}
-		}
-	}
-}
-// scale_factor=SCALE_NONE - do not change
-void tcp_rewrite_winsize(struct tcphdr *tcp, uint16_t winsize, uint8_t scale_factor)
-{
-	uint16_t winsize_old;
-
-	winsize_old = htons(tcp->th_win); // << scale_factor;
-	tcp->th_win = htons(winsize);
-	DLOG("Window size change %u => %u\n", winsize_old, winsize);
-
-	tcp_rewrite_wscale(tcp, scale_factor);
-}
-
-
 uint8_t ttl46(const struct ip *ip, const struct ip6_hdr *ip6)
 {
 	return ip ? ip->ip_ttl : ip6 ? ip6->ip6_ctlun.ip6_un1.ip6_un1_hlim : 0;
@@ -609,7 +561,7 @@ uint8_t ttl46(const struct ip *ip, const struct ip6_hdr *ip6)
 
 uint32_t w_win32_error=0;
 
-static BOOL RemoveTokenPrivs()
+static BOOL RemoveTokenPrivs(void)
 {
 	BOOL bRes = FALSE;
 	HANDLE hToken;
@@ -643,15 +595,163 @@ static BOOL RemoveTokenPrivs()
 	if (!bRes) w_win32_error = GetLastError();
 	return bRes;
 }
-static BOOL WinSandbox()
+
+static SID_IDENTIFIER_AUTHORITY label_authority = SECURITY_MANDATORY_LABEL_AUTHORITY;
+BOOL LowMandatoryLevel(void)
 {
-	// unfortunately there's no way to remove or disable Administrators group in the current process's token
+	BOOL bRes = FALSE;
-	// only possible run child process with restricted token
+	HANDLE hToken;
-	// but at least it's possible to permanently remove privileges
+	char buf1[32];
-	// this is not much but better than nothing
+	TOKEN_MANDATORY_LABEL label_low;
-	return RemoveTokenPrivs();
+
+	label_low.Label.Sid = (PSID)buf1;
+	InitializeSid(label_low.Label.Sid, &label_authority, 1);
+	label_low.Label.Attributes = 0;
+	*GetSidSubAuthority(label_low.Label.Sid, 0) = SECURITY_MANDATORY_LOW_RID;
+
+	// S-1-16-12288 : Mandatory Label\High Mandatory Level
+	// S-1-16-8192  : Mandatory Label\Medium Mandatory Level
+	if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_DEFAULT, &hToken))
+	{
+		bRes = SetTokenInformation(hToken, TokenIntegrityLevel, &label_low, sizeof(label_low));
+		CloseHandle(hToken);
+	}
+	if (!bRes) w_win32_error = GetLastError();
+	return bRes;
 }
 
+BOOL SetMandatoryLabelFile(LPCSTR lpFileName, DWORD dwMandatoryLabelRID, DWORD dwAceFlags)
+{
+	BOOL bRes=FALSE;
+	DWORD dwErr, dwFileAttributes;
+	char buf_label[16], buf_pacl[32];
+	PSID label = (PSID)buf_label;
+	PACL pacl = (PACL)buf_pacl;
+	LPWSTR lpFileNameW = NULL;
+	size_t szFileName;
+
+	szFileName = strlen(lpFileName);
+	if (!(lpFileNameW = (LPWSTR)LocalAlloc(LMEM_FIXED,(szFileName+1)*sizeof(WCHAR))))
+		goto err;
+
+	if (!MultiByteToWideChar(CP_UTF8, 0, lpFileName, -1, lpFileNameW, szFileName+1))
+		goto err;
+
+	if (!strncmp(lpFileName,"\\\\.\\",4))
+		dwFileAttributes = 0;
+	else
+	{
+		dwFileAttributes = GetFileAttributesW(lpFileNameW);
+		if (dwFileAttributes == INVALID_FILE_ATTRIBUTES) goto err;
+	}
+
+	InitializeSid(label, &label_authority, 1);
+	*GetSidSubAuthority(label, 0) = dwMandatoryLabelRID;
+	if (InitializeAcl(pacl, sizeof(buf_pacl), ACL_REVISION) && AddMandatoryAce(pacl, (dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) ? ACL_REVISION_DS : ACL_REVISION, dwAceFlags, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, label))
+	{
+		dwErr = SetNamedSecurityInfoW(lpFileNameW, SE_FILE_OBJECT, LABEL_SECURITY_INFORMATION, NULL, NULL, NULL, pacl);
+		SetLastError(dwErr);
+		bRes = dwErr==ERROR_SUCCESS;
+	}
+err:
+	if (!bRes) w_win32_error = GetLastError();
+	LocalFree(lpFileNameW);
+	return bRes;
+}
+
+BOOL SetMandatoryLabelFileW(LPCWSTR lpFileNameW, DWORD dwMandatoryLabelRID, DWORD dwAceFlags)
+{
+	BOOL bRes=FALSE;
+	DWORD dwErr, dwFileAttributes;
+	char buf_label[16], buf_pacl[32];
+	PSID label = (PSID)buf_label;
+	PACL pacl = (PACL)buf_pacl;
+
+	if (!wcsncmp(lpFileNameW,L"\\\\.\\",4))
+		dwFileAttributes = 0;
+	else
+	{
+		dwFileAttributes = GetFileAttributesW(lpFileNameW);
+		if (dwFileAttributes == INVALID_FILE_ATTRIBUTES) goto err;
+	}
+
+	InitializeSid(label, &label_authority, 1);
+	*GetSidSubAuthority(label, 0) = dwMandatoryLabelRID;
+	if (InitializeAcl(pacl, sizeof(buf_pacl), ACL_REVISION) && AddMandatoryAce(pacl, (dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) ? ACL_REVISION_DS : ACL_REVISION, dwAceFlags, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, label))
+	{
+		dwErr = SetNamedSecurityInfoW((LPWSTR)lpFileNameW, SE_FILE_OBJECT, LABEL_SECURITY_INFORMATION, NULL, NULL, NULL, pacl);
+		SetLastError(dwErr);
+		bRes = dwErr==ERROR_SUCCESS;
+	}
+err:
+	if (!bRes) w_win32_error = GetLastError();
+	return bRes;
+}
+
+bool ensure_file_access(const char *filename)
+{
+	return SetMandatoryLabelFile(filename, SECURITY_MANDATORY_LOW_RID, 0);
+}
+static bool prepare_low_appdata()
+{
+	bool b = false;
+	PWSTR pszPath = NULL;
+	HRESULT hr = SHGetKnownFolderPath(&FOLDERID_LocalAppDataLow, 0, NULL, &pszPath);
+	if (SUCCEEDED(hr))
+	{
+		size_t l = cygwin_conv_path(CCP_WIN_W_TO_POSIX | CCP_ABSOLUTE, pszPath, NULL, 0);
+		char *buf = (char*)malloc(l+8);
+		if (buf)
+		{
+			if (!cygwin_conv_path(CCP_WIN_W_TO_POSIX | CCP_ABSOLUTE, pszPath, buf, l))
+			{
+				b = true;
+				setenv("APPDATALOW", buf, 1);
+				memcpy(buf+l-1,"/zapret2",9);
+				setenv("WRITEABLE", buf, 1);
+				mkdir(buf,0755);
+
+				l = wcslen(pszPath);
+				PWSTR pszPath2 = malloc((l+9)*sizeof(WCHAR));
+				if (pszPath2)
+				{
+					memcpy(pszPath2,pszPath,l*sizeof(WCHAR));
+					memcpy(pszPath2+l,L"\\zapret2",9*sizeof(WCHAR));
+					// ensure it's low and everything created inside is also low
+					SetMandatoryLabelFileW(pszPath2, SECURITY_MANDATORY_LOW_RID, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE);
+					free(pszPath2);
+				}
+			}
+			free(buf);
+		}
+		CoTaskMemFree(pszPath);
+	}
+	return b;
+}
+
+#define WINDIVERT_DEVICE_NAME "WinDivert"
+static bool b_isandbox_set = false;
+bool win_sandbox(void)
+{
+	// there's no way to return privs
+	if (!b_isandbox_set)
+	{
+		if (!RemoveTokenPrivs())
+			return FALSE;
+
+		// set low mandatory label on windivert device to allow administrators with low label access the driver
+		if (logical_net_filter_present() && !SetMandatoryLabelFile("\\\\.\\" WINDIVERT_DEVICE_NAME, SECURITY_MANDATORY_LOW_RID, 0))
+			return FALSE;
+		prepare_low_appdata();
+		if (!LowMandatoryLevel())
+			return false;
+		// for LUA code to find where to store files
+		b_isandbox_set = true;
+	}
+	return true;
+}
+
+
 
 static HANDLE w_filter = NULL;
 static OVERLAPPED ovl = { .hEvent = NULL };
@@ -745,8 +845,6 @@ bool win_dark_init(const struct str_list_head *ssid_filter, const struct str_lis
 	if (LIST_EMPTY(ssid_filter)) ssid_filter=NULL;
 	if (LIST_EMPTY(nlm_filter)) nlm_filter=NULL;
 
-	if (!WinSandbox()) return false;
-
 	if (nlm_filter)
 	{
 		if (SUCCEEDED(w_win32_error = CoInitialize(NULL)))
@@ -1004,6 +1102,13 @@ bool logical_net_filter_match(void)
 	return wlan_filter_match(wlan_filter_ssid) && nlm_filter_match(nlm_filter_net);
 }
 
+bool logical_net_filter_present(void)
+{
+	return (wlan_filter_ssid && !LIST_EMPTY(wlan_filter_ssid)) || (nlm_filter_net && !LIST_EMPTY(nlm_filter_net));
+}
+
+
+
 static bool logical_net_filter_match_rate_limited(void)
 {
 	DWORD dwTick = GetTickCount() / 1000;
@@ -1093,14 +1198,17 @@ static bool windivert_recv_filter(HANDLE hFilter, uint8_t *packet, size_t *len,
 		return false;
 	}
 	usleep(0);
+
 	if (WinDivertRecvEx(hFilter, packet, *len, &recv_len, 0, wa, NULL, &ovl))
 	{
 		*len = recv_len;
 		return true;
 	}
+
 	for(;;)
 	{
 		w_win32_error = GetLastError();
+
 		switch(w_win32_error)
 		{
 			case ERROR_IO_PENDING:
@@ -1179,6 +1287,11 @@ bool rawsend(const struct sockaddr* dst,uint32_t fwmark,const char *ifout,const
 
 #else // *nix
 
+bool ensure_file_access(const char *filename)
+{
+	return !chown(filename, params.uid, -1);
+}
+
 static int rawsend_sock4=-1, rawsend_sock6=-1;
 static bool b_bind_fix4=false, b_bind_fix6=false;
 static void rawsend_clean_sock(int *sock)

nfq2/darkmagic.h

@@ -83,17 +83,21 @@ uint8_t *tcp_find_option(struct tcphdr *tcp, uint8_t kind);
 uint32_t *tcp_find_timestamps(struct tcphdr *tcp);
 uint8_t tcp_find_scale_factor(const struct tcphdr *tcp);
 uint16_t tcp_find_mss(const struct tcphdr *tcp);
-bool tcp_has_sack(struct tcphdr *tcp);
+bool tcp_synack_segment(const struct tcphdr *tcphdr);
-
+bool tcp_syn_segment(const struct tcphdr *tcphdr);
-bool tcp_has_fastopen(const struct tcphdr *tcp);
 
 bool ip_has_df(const struct ip *ip);
 
+
+bool ensure_file_access(const char *filename);
+
 #ifdef __CYGWIN__
 extern uint32_t w_win32_error;
 
+bool win_sandbox(void);
 bool win_dark_init(const struct str_list_head *ssid_filter, const struct str_list_head *nlm_filter);
 bool win_dark_deinit(void);
+bool logical_net_filter_present(void);
 bool logical_net_filter_match(void);
 bool nlm_list(bool bAll);
 bool windivert_init(const char *filter);
@@ -156,13 +160,6 @@ struct dissect
 };
 void proto_dissect_l3l4(const uint8_t *data, size_t len, struct dissect *dis);
 
-bool tcp_synack_segment(const struct tcphdr *tcphdr);
-bool tcp_syn_segment(const struct tcphdr *tcphdr);
-bool tcp_ack_segment(const struct tcphdr *tcphdr);
-// scale_factor=SCALE_NONE - do not change
-void tcp_rewrite_wscale(struct tcphdr *tcp, uint8_t scale_factor);
-void tcp_rewrite_winsize(struct tcphdr *tcp, uint16_t winsize, uint8_t scale_factor);
-
 uint8_t ttl46(const struct ip *ip, const struct ip6_hdr *ip6);
 
 void verdict_tcp_csum_fix(uint8_t verdict, struct tcphdr *tcphdr, size_t transport_len, const struct ip *ip, const struct ip6_hdr *ip6hdr);

nfq2/helpers.c

@@ -417,26 +417,9 @@ bool parse_hex_str(const char *s, uint8_t *pbuf, size_t *size)
 	}
 	return true;
 }
-
+char hex_digit(uint8_t v)
-void fill_pattern(uint8_t *buf,size_t bufsize,const void *pattern,size_t patsize,size_t offset)
 {
-	size_t size;
+	return v<=9 ? '0'+v : (v<=0xF) ? v+'A'-0xA : '?';
-
-	if (offset%=patsize)
-	{
-		size = patsize-offset;
-		size = bufsize>size ? size : bufsize;
-		memcpy(buf,pattern+offset,size);
-		buf += size;
-		bufsize -= size;
-	}
-	while (bufsize)
-	{
-		size = bufsize>patsize ? patsize : bufsize;
-		memcpy(buf,pattern,size);
-		buf += size;
-		bufsize -= size;
-	}
 }
 
 int fprint_localtime(FILE *F)

nfq2/helpers.h

@@ -65,7 +65,7 @@ uint64_t pntoh64(const uint8_t *p);
 void phton64(uint8_t *p, uint64_t v);
 
 bool parse_hex_str(const char *s, uint8_t *pbuf, size_t *size);
-void fill_pattern(uint8_t *buf,size_t bufsize,const void *pattern,size_t patsize,size_t offset);
+char hex_digit(uint8_t v);
 
 int fprint_localtime(FILE *F);
 

nfq2/lua.c

@@ -1,8 +1,10 @@
 #include <time.h>
+#include <fcntl.h>
 
 #include "lua.h"
 #include "params.h"
 #include "helpers.h"
+#include "conntrack.h"
 #include "crypto/sha.h"
 #include "crypto/aes-gcm.h"
 #include "crypto/aes-ctr.h"
@@ -2244,6 +2246,8 @@ void lua_shutdown()
 	if (params.L)
 	{
 		DLOG("LUA SHUTDOWN\n");
+		// conntrack holds lua state. must clear it before lua shoudown
+		ConntrackPoolDestroy(&params.conntrack);
 		lua_close(params.L);
 		params.L=NULL;
 	}
@@ -2328,6 +2332,20 @@ static bool lua_desync_functions_exist()
 	return true;
 }
 
+bool lua_test_init_script_files(void)
+{
+	struct str_list *str;
+	LIST_FOREACH(str, &params.lua_init_scripts, next)
+	{
+		if (str->str[0]=='@' && !file_open_test(str->str+1, O_RDONLY))
+		{
+			DLOG_ERR("LUA file '%s' not accessible\n",str->str+1);
+			return false;
+		}
+	}
+	return true;
+}
+
 static bool lua_init_scripts(void)
 {
 	struct str_list *str;
@@ -2380,13 +2398,16 @@ static void lua_sec_harden(void)
 			{
 				lua_getfield(params.L, -1, bad[i].field);
 				lua_pushstring(params.L, bad[i].field2);
+				DLOG(" %s.%s.%s", bad[i].global, bad[i].field, bad[i].field2);
 			}
 			else
+			{
 				lua_pushstring(params.L, bad[i].field);
+				DLOG(" %s.%s", bad[i].global, bad[i].field);
+			}
 			lua_pushnil(params.L);
 			lua_rawset(params.L, -3);
 			lua_pop(params.L,1 + !!bad[i].field2);
-			DLOG(" %s.%s", bad[i].global, bad[i].field);
 		}
 		else
 		{

nfq2/lua.h

@@ -28,6 +28,7 @@
 #define LUA_STACK_GUARD_RETURN(L,N) LUA_STACK_GUARD_LEAVE(L,N); return N;
 
 
+bool lua_test_init_script_files(void);
 bool lua_init(void);
 void lua_shutdown(void);
 void lua_dlog_error(void);

nfq2/nfqws.c

@@ -303,6 +303,8 @@ static int nfq_main(void)
 	print_id();
 	if (params.droproot && !test_list_files())
 		goto err;
+	if (!lua_test_init_script_files())
+		goto err;
 
 	sec_harden();
 
@@ -461,6 +463,8 @@ static int dvt_main(void)
 	print_id();
 	if (params.droproot && !test_list_files())
 		goto exiterr;
+	if (!lua_test_init_script_files())
+		goto exiterr;
 
 	if (!lua_init())
 		goto exiterr;
@@ -601,11 +605,6 @@ static int win_main()
 		return ERROR_TOO_MANY_OPEN_FILES; // code 4 = The system cannot open the file
 	}
 
-	if (!lua_init())
-	{
-		res=ERROR_INVALID_PARAMETER; goto ex;
-	}
-
 	if (!win_dark_init(&params.ssid_filter, &params.nlm_filter))
 	{
 		DLOG_ERR("win_dark_init failed. win32 error %u (0x%08X)\n", w_win32_error, w_win32_error);
@@ -635,6 +634,19 @@ static int win_main()
 		{
 			res=w_win32_error; goto ex;
 		}
+		if (!win_sandbox())
+		{
+			res=w_win32_error;
+			DLOG_ERR("Cannot init Windows sandbox\n");
+			goto ex;
+		}
+
+
+		// init LUA only here because of possible sandbox. no LUA code with high privs
+		if (!params.L && !lua_init())
+		{
+			res=ERROR_INVALID_PARAMETER; goto ex;
+		}
 
 		DLOG_CONDUP("windivert initialized. capture is started.\n");
 
@@ -2399,11 +2411,14 @@ int main(int argc, char **argv)
 	DLOG_CONDUP("we have %d user defined desync profile(s) and default low priority profile 0\n", desync_profile_count);
 
 #ifndef __CYGWIN__
-	if (params.debug_target == LOG_TARGET_FILE && params.droproot && chown(params.debug_logfile, params.uid, -1))
+	if (params.droproot)
-		fprintf(stderr, "could not chown %s. log file may not be writable after privilege drop\n", params.debug_logfile);
-	if (params.droproot && *params.hostlist_auto_debuglog && chown(params.hostlist_auto_debuglog, params.uid, -1))
-		DLOG_ERR("could not chown %s. auto hostlist debug log may not be writable after privilege drop\n", params.hostlist_auto_debuglog);
 #endif
+	{
+		if (params.debug_target == LOG_TARGET_FILE && !ensure_file_access(params.debug_logfile))
+			DLOG_ERR("could not make '%s' accessible. log file may not be writable after privilege drop\n", params.debug_logfile);
+		if (*params.hostlist_auto_debuglog && !ensure_file_access(params.hostlist_auto_debuglog))
+			DLOG_ERR("could not make '%s' accessible. auto hostlist debug log may not be writable after privilege drop\n", params.hostlist_auto_debuglog);
+	}
 	LIST_FOREACH(dpl, &params.desync_profiles, next)
 	{
 		dp = &dpl->dp;
@@ -2415,14 +2430,20 @@ int main(int argc, char **argv)
 		}
 
 #ifndef __CYGWIN__
-		if (params.droproot && dp->hostlist_auto && chown(dp->hostlist_auto->filename, params.uid, -1))
+		if (params.droproot)
-			DLOG_ERR("could not chown %s. auto hostlist file may not be writable after privilege drop\n", dp->hostlist_auto->filename);
 #endif
+		{
+			if (dp->hostlist_auto && ensure_file_access(dp->hostlist_auto->filename))
+				DLOG_ERR("could not chown %s. auto hostlist file may not be writable after privilege drop\n", dp->hostlist_auto->filename);
+
+		}
 		LuaDesyncDebug(dp);
 	}
 
 	if (!test_list_files())
 		exit_clean(1);
+	if (!lua_test_init_script_files())
+		exit_clean(1);
 
 	if (!LoadAllHostLists())
 	{

nfq2/params.c

@@ -88,21 +88,21 @@ const uint8_t fake_tls_clienthello_default[680] = {
 
 const char * tld[6] = { "com","org","net","edu","gov","biz" };
 
-int DLOG_FILE(FILE *F, const char *format, va_list args)
+int DLOG_FILE_VA(FILE *F, const char *format, va_list args)
 {
 	return vfprintf(F, format, args);
 }
-int DLOG_CON(const char *format, int syslog_priority, va_list args)
+int DLOG_CON_VA(const char *format, int syslog_priority, va_list args)
 {
-	return DLOG_FILE(syslog_priority==LOG_ERR ? stderr : stdout, format, args);
+	return DLOG_FILE_VA(syslog_priority==LOG_ERR ? stderr : stdout, format, args);
 }
-int DLOG_FILENAME(const char *filename, const char *format, va_list args)
+int DLOG_FILENAME_VA(const char *filename, const char *format, va_list args)
 {
 	int r;
 	FILE *F = fopen(filename,"at");
 	if (F)
 	{
-		r = DLOG_FILE(F, format, args);
+		r = DLOG_FILE_VA(F, format, args);
 		fclose(F);
 	}
 	else
@@ -118,6 +118,21 @@ static void syslog_log_function(int priority, const char *line)
 {
 	syslog(priority,"%s",log_buf);
 }
+
+static int DLOG_FILENAME(const char *filename, const char *format, ...)
+{
+	int r;
+	va_list args;
+	va_start(args, format);
+	r = DLOG_FILENAME_VA(filename, format, args);
+	va_end(args);
+	return r;
+}
+static void file_log_function(int priority, const char *line)
+{
+	DLOG_FILENAME(params.debug_logfile,"%s",log_buf);
+}
+
 #ifdef __ANDROID__
 static enum android_LogPriority syslog_priority_to_android(int priority)
 {
@@ -163,7 +178,7 @@ static int DLOG_VA(const char *format, int syslog_priority, bool condup, va_list
 	if (condup && !(params.debug && params.debug_target==LOG_TARGET_CONSOLE))
 	{
 		va_copy(args2,args);
-		DLOG_CON(format,syslog_priority,args2);
+		DLOG_CON_VA(format,syslog_priority,args2);
 		va_end(args2);
 	}
 	if (params.debug)
@@ -171,10 +186,11 @@ static int DLOG_VA(const char *format, int syslog_priority, bool condup, va_list
 		switch(params.debug_target)
 		{
 			case LOG_TARGET_CONSOLE:
-				r = DLOG_CON(format,syslog_priority,args);
+				r = DLOG_CON_VA(format,syslog_priority,args);
 				break;
 			case LOG_TARGET_FILE:
-				r = DLOG_FILENAME(params.debug_logfile,format,args);
+				log_buffered(file_log_function,syslog_priority,format,args);
+				r = 1;
 				break;
 			case LOG_TARGET_SYSLOG:
 				// skip newlines
@@ -271,10 +287,39 @@ void hexdump_limited_dlog(const uint8_t *data, size_t size, size_t limit)
 		bcut = true;
 	}
 	if (!size) return;
-	for (k = 0; k < size; k++) DLOG("%02X ", data[k]);
+
-	DLOG(bcut ? "... : " : ": ");
+	char *p, *buf = malloc(size*4 + 16);
-	for (k = 0; k < size; k++) DLOG("%c", data[k] >= 0x20 && data[k] <= 0x7F ? (char)data[k] : '.');
+	if (buf)
-	if (bcut) DLOG(" ...");
+	{
+		p=buf;
+		for (k = 0; k < size; k++)
+		{
+			*p++ = hex_digit(data[k] >> 4);
+			*p++ = hex_digit(data[k] & 0xF);
+			*p++ = ' ';
+		}
+		if (bcut)
+		{
+			*p++='.';
+			*p++='.';
+			*p++='.';
+			*p++=' ';
+		}
+		*p++=':';
+		*p++=' ';
+		for (k = 0; k < size; k++)
+			*p++ = data[k] >= 0x20 && data[k] <= 0x7F ? (char)data[k] : '.';
+		if (bcut)
+		{
+			*p++=' ';
+			*p++='.';
+			*p++='.';
+			*p++='.';
+		}
+		*p = 0;
+		DLOG("%s", buf);
+		free(buf);
+	}
 }
 
 void dp_init(struct desync_profile *dp)
@@ -381,9 +426,7 @@ void cleanup_params(struct params_s *params)
 #endif
 
 	ConntrackPoolDestroy(&params->conntrack);
-
 	dp_list_destroy(&params->desync_profiles);
-
 	hostlist_files_destroy(&params->hostlists);
 	ipset_files_destroy(&params->ipsets);
 	ipcacheDestroy(&params->ipcache);

nfq2/protocol.c

@@ -1398,4 +1398,5 @@ bool IsMTProto(const uint8_t *data, size_t len)
 		aes_ctr_crypt(data+8, 32, data+40, data, 64, decrypt);
 		return !memcmp(decrypt+56,"\xEF\xEF\xEF\xEF",4);
 	}
+	return false;
 }