update docs

.github/workflows/build.yml

@@ -106,7 +106,7 @@ jobs:
               OPTIMIZE=-Os
               ;;
             arm)
-              CPU="-mcpu=cortex-a7 -mthumb"
+              CPU="-mcpu=arm1176jzf-s -mthumb"
               ;;
             arm64|mips64)
               # not safe without GC64

docs/compile/build_howto_unix.txt

@@ -3,6 +3,11 @@
 apt install make gcc zlib1g-dev libcap-dev libnetfilter-queue-dev libmnl-dev libsystemd-dev libluajit2-5.1-dev
 make -C /opt/zapret2 systemd
 
+* fedora, rhel, centos, alma
+
+dnf add make gcc zlib-devel libcap-devel libnetfilter_queue-devel libmnl-devel systemd-devel luajit-devel
+make -C /opt/zapret2 systemd
+
 * linux static :
 
 need any x86_64 classic linux distribution

lua/zapret-antidpi.lua

@@ -389,7 +389,8 @@ function syndata(ctx, desync)
 			dis.payload = blob(desync, desync.arg.blob, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
 			apply_fooling(desync, dis)
 			if desync.arg.tls_mod then
-				dis.payload = tls_mod_shim(desync, dis.payload, desync.arg.tls_mod, nil)
+				local pl = tls_mod_shim(desync, dis.payload, desync.arg.tls_mod, nil)
+				if pl then dis.payload = pl end
 			end
 			if b_debug then DLOG("syndata: "..hexdump_dlog(dis.payload)) end
 			if rawsend_dissect_ipfrag(dis, desync_opts(desync)) then
@@ -449,7 +450,8 @@ function fake(ctx, desync)
 			end
 			local fake_payload = blob(desync, desync.arg.blob)
 			if desync.reasm_data and desync.arg.tls_mod then
-				fake_payload = tls_mod_shim(desync, fake_payload, desync.arg.tls_mod, desync.reasm_data)
+				local pl = tls_mod_shim(desync, fake_payload, desync.arg.tls_mod, desync.reasm_data)
+				if pl then fake_payload = pl end
 			end
 			-- check debug to save CPU
 			if b_debug then DLOG("fake: "..hexdump_dlog(fake_payload)) end

lua/zapret-obfs.lua

@@ -175,7 +175,12 @@ end
 -- arg : server=[0|1] - override server mode. by default use "--server" nfqws2 parameter
 function udp2icmp(ctx, desync)
 	local dataxor
-	local bserver = desync.arg.server and (desync.arg.server~="0") or b_server
+	local bserver
+	if desync.arg.server then
+		bserver = desync.arg.server~="0"
+	else
+		bserver = b_server
+	end
 
 	local function one_byte_arg(name)
 		if desync.arg[name] then

lua/zapret-pcap.lua

@@ -8,7 +8,7 @@ function pcap_write_packet(file, raw)
 	file:write(raw)
 end
 function pcap_write(file, raw)
-	local pos = file:seek()
+	local pos = file:seek('end')
 	if (pos==0) then
 		pcap_write_header(file)
 	end

nfq2/Makefile

@@ -14,6 +14,7 @@ CFLAGS_UBSAN = -fsanitize=undefined,alignment -fno-sanitize-recover=undefined,al
 LDFLAGS_PIE = -pie
 LDFLAGS += -flto=auto -Wl,--gc-sections $(LDFLAGS_PIE)
 LDFLAGS_ANDROID = -llog
+LDFLAGS_CYGWIN = -Wl,--build-id=none
 STRIPP=-s
 LIBS =
 LIBS_LINUX = -lz -lnetfilter_queue -lnfnetlink -lmnl -lm
@@ -157,9 +158,9 @@ bsd: $(SRC_FILES)
 	$(CC) $(STRIPP) $(CFLAGS) $(LUA_CFL) $(CFLAGS_BSD) -o dvtws2 $(SRC_FILES) $(LIBS) $(LUA_LIB) $(LIBS_BSD) $(LDFLAGS)
 
 cygwin64:
-	$(CC) $(STRIPP) $(CFLAGS) $(LUA_CFL) $(CFLAGS_CYGWIN) $(CFLAGS_CYGWIN64) -o winws2 $(SRC_FILES) $(RES_CYGWIN64) $(LIBS) $(LUA_LIB) $(LIBS_CYGWIN) $(LIBS_CYGWIN64) $(LDFLAGS)
+	$(CC) $(STRIPP) $(CFLAGS) $(LUA_CFL) $(CFLAGS_CYGWIN) $(CFLAGS_CYGWIN64) -o winws2 $(SRC_FILES) $(RES_CYGWIN64) $(LIBS) $(LUA_LIB) $(LIBS_CYGWIN) $(LIBS_CYGWIN64) $(LDFLAGS) $(LDFLAGS_CYGWIN)
 cygwin32:
-	$(CC) $(STRIPP) $(CFLAGS) $(LUA_CFL) $(CFLAGS_CYGWIN) $(CFLAGS_CYGWIN32) -o winws2 $(SRC_FILES) $(RES_CYGWIN32) $(LIBS) $(LUA_LIB) $(LIBS_CYGWIN) $(LIBS_CYGWIN32) $(LDFLAGS)
+	$(CC) $(STRIPP) $(CFLAGS) $(LUA_CFL) $(CFLAGS_CYGWIN) $(CFLAGS_CYGWIN32) -o winws2 $(SRC_FILES) $(RES_CYGWIN32) $(LIBS) $(LUA_LIB) $(LIBS_CYGWIN) $(LIBS_CYGWIN32) $(LDFLAGS) $(LDFLAGS_CYGWIN)
 cygwin: cygwin64
 
 clean:

nfq2/lua.c

@@ -3350,7 +3350,6 @@ static int luacall_tls_mod(lua_State *L)
 	int argc=lua_gettop(L);
 
 	size_t fake_tls_len;
-	bool bRes;
 	const uint8_t *fake_tls = (uint8_t*)lua_reqlstring(L,1,&fake_tls_len);
 	const char *modlist = lua_reqstring(L,2);
 
@@ -3370,8 +3369,10 @@ static int luacall_tls_mod(lua_State *L)
 		uint8_t *newtls = lua_newuserdata(L, maxlen);
 
 		memcpy(newtls, fake_tls, newlen);
-		bRes = TLSMod(&mod, payload, payload_len, newtls, &newlen, maxlen);
+		if (TLSMod(&mod, payload, payload_len, newtls, &newlen, maxlen))
-		lua_pushlstring(L,(char*)newtls,newlen);
+			lua_pushlstring(L,(char*)newtls,newlen);
+		else
+			lua_pushnil(L);
 
 		lua_remove(L,-2);
 	}
@@ -3379,11 +3380,9 @@ static int luacall_tls_mod(lua_State *L)
 	{
 		// no mod. push it back
 		lua_pushlstring(L,(char*)fake_tls,fake_tls_len);
-		bRes = true;
 	}
-	lua_pushboolean(L, bRes);
 
-	LUA_STACK_GUARD_RETURN(L,2)
+	LUA_STACK_GUARD_RETURN(L,1)
 }
 
 struct userdata_zs

nfq2/protocol.c

@@ -649,9 +649,11 @@ bool TLSAdvanceToHostInSNI(const uint8_t **ext, size_t *elen, size_t *slen)
 	// u8	data+2 - server name type. 0=host_name
 	// u16	data+3 - server name length
 	if (*elen < 5 || (*ext)[2] != 0) return false;
+	uint16_t nll = pntoh16(*ext);
 	*slen = pntoh16(*ext + 3);
+	if (nll<(*slen+3) || *slen > *elen-5) return false;
 	*ext += 5; *elen -= 5;
-	return *slen <= *elen;
+	return true;
 }
 static bool TLSExtractHostFromExt(const uint8_t *ext, size_t elen, char *host, size_t len_host)
 {