diff options
| author | 刘学利 <[email protected]> | 2021-05-11 03:34:57 +0000 |
|---|---|---|
| committer | 刘学利 <[email protected]> | 2021-05-11 03:34:57 +0000 |
| commit | eaa9479def9efc97f0f6f991f8ac379fe1eb7ad6 (patch) | |
| tree | 2f892115138e95af18846ee79cc315a6a795c3af | |
| parent | 16b8fb5fe0e61815ec7020078876129044a77b0d (diff) | |
support session ticketv2.0.0
| -rw-r--r-- | .gitignore | 3 | ||||
| -rw-r--r-- | CMakeLists.txt | 1 | ||||
| -rw-r--r-- | bin/ssl/ssl.conf | 1 | ||||
| -rw-r--r-- | cmake/Package.cmake | 4 | ||||
| -rw-r--r-- | cmake/Version.cmake | 2 | ||||
| -rw-r--r-- | readme.md | 26 | ||||
| -rw-r--r-- | src/SSL_Analyze.c | 151 | ||||
| -rw-r--r-- | src/SSL_Certificate.c | 103 | ||||
| -rw-r--r-- | src/SSL_Certificate.h | 4 | ||||
| -rw-r--r-- | src/SSL_Common.c | 60 | ||||
| -rw-r--r-- | src/SSL_Common.h | 24 | ||||
| -rw-r--r-- | src/SSL_Message.c | 371 | ||||
| -rw-r--r-- | src/SSL_Message.h | 23 | ||||
| -rw-r--r-- | src/SSL_Proc.c | 398 | ||||
| -rw-r--r-- | src/SSL_Proc.h | 5 | ||||
| -rw-r--r-- | src/ssl.h | 134 | ||||
| -rw-r--r-- | src/ssl_update.txt | 22 | ||||
| -rw-r--r-- | src/tool/test_cert/test_cert.c | 12 |
18 files changed, 1038 insertions, 306 deletions
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..c90e3cd --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +.vscode/ +build/ +cmake-build-*/ diff --git a/CMakeLists.txt b/CMakeLists.txt index 2ca434a..2df4eb0 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -45,6 +45,7 @@ set(DNS_DEPEND_DYN_LIB MESA_handle_logger MESA_field_stat2 MESA_prof_load) add_library(ssl SHARED ${SRC}) set_target_properties(ssl PROPERTIES PREFIX "") target_link_libraries(ssl ${DNS_DEPEND_DYN_LIB}) +#target_link_libraries(ssl "openssl.so") if(DEFINED MESA_SHARED_INSTALL_DIR) set_target_properties(ssl PROPERTIES OUTPUT_NAME ${lib_name} LIBRARY_OUTPUT_DIRECTORY ${MESA_SHARED_INSTALL_DIR}) else() diff --git a/bin/ssl/ssl.conf b/bin/ssl/ssl.conf index 630f255..b6911fc 100644 --- a/bin/ssl/ssl.conf +++ b/bin/ssl/ssl.conf @@ -6,3 +6,4 @@ 5 SSL_APPLICATION_DATA 6 SSL_VERSION 7 SSL_ALERT +8 SSL_NEW_SESSION_TICKET diff --git a/cmake/Package.cmake b/cmake/Package.cmake index 5eb84a3..20e7cfa 100644 --- a/cmake/Package.cmake +++ b/cmake/Package.cmake @@ -14,8 +14,8 @@ set(CPACK_PACKAGING_INSTALL_PREFIX ${CMAKE_INSTALL_PREFIX}) set(CPACK_PACKAGE_VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}.${VERSION_BUILD}") execute_process(COMMAND bash -c "echo -ne \"`uname -r | awk -F'.' '{print $5\".\"$6\".\"$7}'`\"" OUTPUT_VARIABLE SYSTEM_VERSION) -execute_process(COMMAND sh changelog.sh ${CMAKE_BINARY_DIR} WORKING_DIRECTORY ${PROJECT_SOURCE_DIR}/cmake) -SET(CPACK_RPM_CHANGELOG_FILE ${CMAKE_BINARY_DIR}/changelog.txt) +#execute_process(COMMAND sh changelog.sh ${CMAKE_BINARY_DIR} WORKING_DIRECTORY ${PROJECT_SOURCE_DIR}/cmake) +#SET(CPACK_RPM_CHANGELOG_FILE ${CMAKE_BINARY_DIR}/changelog.txt) # RPM Build set(CPACK_GENERATOR "RPM") diff --git a/cmake/Version.cmake b/cmake/Version.cmake index 9b05d0b..a47944c 100644 --- a/cmake/Version.cmake +++ b/cmake/Version.cmake @@ -3,7 +3,7 @@ set(__SOURCE_AUTORESIVISION ${CMAKE_SOURCE_DIR}/autorevision.sh) set(__AUTORESIVISION ${CMAKE_BINARY_DIR}/autorevision.sh) -set(__VERSION_CACHE ${CMAKE_SOURCE_DIR}/version.txt) +set(__VERSION_CACHE ${CMAKE_BINARY_DIR}/version.txt) set(__VERSION_CONFIG ${CMAKE_BINARY_DIR}/version.cmake) file(COPY ${__SOURCE_AUTORESIVISION} DESTINATION ${CMAKE_BINARY_DIR} @@ -1,12 +1,26 @@ -# 1.��� +# 0. 功能升级历史 -ssl.so��sappƽ̨���������� +* 2021.4.17 -# 2.ҵ��㿪��ָ�� + 支持esni提取,使用方法参考ssl.h中 st_esni_t结构体 -�μ�wiki���� + **注意ssl.h有更新** + +* 2020.12.2 +支持session ticket的获取,以及new_session_ticket报文的解析。 +**注意ssl.h有更新。** +获取new_session_ticket请在inf文件注册。 +(https://git.mesalab.cn/MESA_Platform/ssl/-/wikis/Session-Ticket) + +# 1.简介 + +ssl.so是sapp平台解析层插件。 + +# 2.业务层开发指南 + +参见wiki链接 https://git.mesalab.cn/MESA_Platform/ssl/wikis/SSL%E4%B8%9A%E5%8A%A1%E5%B1%82%E5%BC%80%E5%8F%91%E6%8C%87%E5%8D%97 -ҵ���demo: -�μ�project ssl_service_test project +业务层demo: +参见project ssl_service_test project diff --git a/src/SSL_Analyze.c b/src/SSL_Analyze.c index a8a581d..7e93981 100644 --- a/src/SSL_Analyze.c +++ b/src/SSL_Analyze.c @@ -17,6 +17,8 @@ #include "SSL_Proc.h" #include "field_stat2.h" #include "MESA_prof_load.h" +#include "SSL_Common.h" + #define GIT_VERSION_CATTER(v) __attribute__((__used__)) const char * GIT_VERSION_##v = NULL #define GIT_VERSION_EXPEND(v) GIT_VERSION_CATTER(v) @@ -41,7 +43,7 @@ extern "C" ssl_prog_runtime_parameter_t g_ssl_prog_para; -int SSL_VERSION_1_20200617 = 0; +int SSL_VERSION_1_20210428 = 0; void ssl_history() { @@ -92,6 +94,15 @@ void ssl_history() //2020-01-09 V0.2 add stream tag //2020-06-15 V0.2 memset buf //2020-06-17 V0.2 increase MAX_DATA_BUFFER 40960 +//2020-12-02 V0.2 support session ticket +//2020-12-03 V0.2 droppkt and dropme +//2020-12-30 V0.2 add alpn +//2021-02-07 V0.2 add SSLSubKey +//2021-04-17 V0.2 support esni +//2021-04-28 V0.2 add certlen for each cert + + + //to do @@ -138,9 +149,6 @@ int ssl_readconf(const char* filename) int ssl_readMainConf(const char* filename) { - char http_log_filename[256]; - - MESA_load_profile_int_def(filename, "FUNCTION", "stat_screen_print", &g_ssl_prog_para.stat_screen_print_trigger,0); MESA_load_profile_int_def(filename, "FUNCTION", "stat_cycle", &g_ssl_prog_para.stat_cycle,0); MESA_load_profile_string_def(filename, "FUNCTION", "stat_file", g_ssl_prog_para.stat_filename, sizeof(g_ssl_prog_para.stat_filename),"./log/ssl/ssl_stat.log"); @@ -236,7 +244,7 @@ void SSL_PROT_FUNSTAT(unsigned long long protflag) return; }/*PROT_FUNSTAT*/ -unsigned long long ssl_getRegionID(char *string, int str_len, char g_string[MAX_REGION_NUM][REGION_NAME_LEN]) +unsigned long long ssl_getRegionID(char *string, int str_len, const char g_string[MAX_REGION_NUM][REGION_NAME_LEN]) { unsigned long long i=0; for(i=0;i<g_ssl_prog_para.ssl_region_cnt;i++) @@ -300,16 +308,16 @@ void ssl_initStructClientHello(st_client_hello_t* pstClientHello) pstClientHello->session.session_value = NULL; pstClientHello->session.session_len = 0; - pstClientHello->ciphersuits.suite_value = NULL; - pstClientHello->ciphersuits.suite_len = 0; + pstClientHello->ciphersuites.suites_value = NULL; + pstClientHello->ciphersuites.suites_len = 0; pstClientHello->com_method.methods = NULL; pstClientHello->com_method.methlen = 0; + pstClientHello->ext_num = 0; memset(&pstClientHello->random, 0, sizeof(pstClientHello->random)); int i=0; for(i=0;i<MAX_EXTENSION_NUM;i++) { memset(&pstClientHello->exts[i], 0, sizeof(pstClientHello->exts[i])); - } memset(&pstClientHello->server_name, 0, sizeof(pstClientHello->server_name)); return; @@ -321,11 +329,17 @@ void ssl_initStructServerHello(st_server_hello_t* pstServerHello) pstServerHello->session.session_value = NULL; pstServerHello->session.session_len = 0; - pstServerHello->ciphersuits.suite_value = NULL; - pstServerHello->ciphersuits.suite_len = 0; + pstServerHello->ciphersuites.suites_value = NULL; + pstServerHello->ciphersuites.suites_len = 0; pstServerHello->com_method.methods = NULL; pstServerHello->com_method.methlen = 0; + pstServerHello->ext_num = 0; memset(&pstServerHello->random, 0, sizeof(pstServerHello->random)); + int i=0; + for(i=0;i<MAX_EXTENSION_NUM;i++) + { + memset(&pstServerHello->exts[i], 0, sizeof(pstServerHello->exts[i])); + } return; } @@ -361,19 +375,7 @@ int ssl_initSslStream(struct streaminfo *a_tcp, void **pme, int thread_seq) a_ssl_stream->p_output_buffer = (cdata_buf*)dictator_malloc(thread_seq, sizeof(cdata_buf)); a_ssl_stream->p_output_buffer->data_size = 0; a_ssl_stream->p_output_buffer->p_data = 0; - - /* - a_ssl_stream->stSSLCert = (st_cert_t*)dictator_malloc(thread_seq,sizeof(st_cert_t)); - memset(a_ssl_stream->stSSLCert, 0, sizeof(a_ssl_stream->stSSLCert)); - - a_ssl_stream->stClientHello = (st_client_hello_t*)dictator_malloc(thread_seq,sizeof(st_client_hello_t)); - memset(a_ssl_stream->stClientHello, 0, sizeof(a_ssl_stream->stClientHello)); - ssl_initStructClientHello(a_ssl_stream->stClientHello); - - a_ssl_stream->stServerHello = (st_server_hello_t*)dictator_malloc(thread_seq,sizeof(st_server_hello_t)); - memset(a_ssl_stream->stServerHello, 0, sizeof(a_ssl_stream->stServerHello)); - ssl_initStructServerHello(a_ssl_stream->stServerHello); - */ + a_ssl_stream->output_region_mask = SSL_INTEREST_KEY_MASK; a_ssl_stream->business = (business_infor_t *)dictator_malloc(thread_seq,sizeof(business_infor_t)); @@ -393,15 +395,35 @@ void ssl_releaseStructClientHello(int thread_seq, st_client_hello_t* pstClientHe dictator_free(thread_seq,pstClientHello->session.session_value); pstClientHello->session.session_value = NULL; } - if(pstClientHello->ciphersuits.suite_value!=NULL) + if(pstClientHello->ciphersuites.suites_value!=NULL) { - dictator_free(thread_seq,pstClientHello->ciphersuits.suite_value); - pstClientHello->ciphersuits.suite_value = NULL; + dictator_free(thread_seq,pstClientHello->ciphersuites.suites_value); + pstClientHello->ciphersuites.suites_value = NULL; } if(pstClientHello->com_method.methods!=NULL) { dictator_free(thread_seq,pstClientHello->com_method.methods); pstClientHello->com_method.methods = NULL; + } + if(pstClientHello->encrypted_server_name.key_exchange!=NULL) + { + dictator_free(thread_seq,pstClientHello->encrypted_server_name.key_exchange); + pstClientHello->encrypted_server_name.key_exchange = NULL; + } + if(pstClientHello->encrypted_server_name.esni!=NULL) + { + dictator_free(thread_seq,pstClientHello->encrypted_server_name.esni); + pstClientHello->encrypted_server_name.esni = NULL; + } + if(pstClientHello->encrypted_server_name.record_digest!=NULL) + { + dictator_free(thread_seq,pstClientHello->encrypted_server_name.record_digest); + pstClientHello->encrypted_server_name.record_digest = NULL; + } + if(pstClientHello->encrypted_server_name.suite_value!=NULL) + { + dictator_free(thread_seq,pstClientHello->encrypted_server_name.suite_value); + pstClientHello->encrypted_server_name.suite_value = NULL; } return; } @@ -416,19 +438,20 @@ void ssl_releaseStructServerHello(int thread_seq,st_server_hello_t* pstServerHel dictator_free(thread_seq,pstServerHello->session.session_value); pstServerHello->session.session_value = NULL; } - if(pstServerHello->ciphersuits.suite_value!=NULL) + if(pstServerHello->ciphersuites.suites_value!=NULL) { - dictator_free(thread_seq,pstServerHello->ciphersuits.suite_value); - pstServerHello->ciphersuits.suite_value = NULL; + dictator_free(thread_seq,pstServerHello->ciphersuites.suites_value); + pstServerHello->ciphersuites.suites_value = NULL; } if(pstServerHello->com_method.methods!=NULL) { dictator_free(thread_seq,pstServerHello->com_method.methods); pstServerHello->com_method.methods = NULL; - } + } return ; } + void ssl_releaseSslStream(struct streaminfo *a_tcp, ssl_stream** pme, int thread_seq,void *a_packet) { ssl_stream *a_ssl_stream = (ssl_stream *)*pme; @@ -472,7 +495,11 @@ void ssl_releaseSslStream(struct streaminfo *a_tcp, ssl_stream** pme, int thread dictator_free(thread_seq,a_ssl_stream->stServerHello); a_ssl_stream->stServerHello = NULL; } - + if(NULL != a_ssl_stream->stNewSessionTicket) + { + dictator_free(thread_seq,a_ssl_stream->stNewSessionTicket); + a_ssl_stream->stNewSessionTicket = NULL; + } if(a_ssl_stream->pcSslBuffer!=NULL) { dictator_free(thread_seq,a_ssl_stream->pcSslBuffer); @@ -506,27 +533,29 @@ char SSL_ENTRY(struct streaminfo *a_tcp, void**pme, int thread_seq, void *a_pack ssl_initSslStream(a_tcp, pme,thread_seq); case OP_STATE_DATA: return_val = ssl_analyseStream(a_tcp, pme ,thread_seq, a_packet); - a_ssl_stream = (ssl_stream *)*pme; - if (SSL_RETURN_DROPME == return_val || a_ssl_stream->business->return_value & PROT_STATE_DROPME) + a_ssl_stream = (ssl_stream *)*pme; + + if(SSL_RETURN_DROPME==return_val || a_ssl_stream->business->return_value&PROT_STATE_DROPME) + { + state = APP_STATE_DROPME; + } + if(a_ssl_stream->business->return_value&PROT_STATE_DROPPKT) { - state = APP_STATE_DROPME; + state |=APP_STATE_DROPPKT; + a_ssl_stream->business->return_value ^= PROT_STATE_DROPPKT; } - if (a_ssl_stream->business->return_value & PROT_STATE_DROPPKT) - { - state |= APP_STATE_DROPPKT; - a_ssl_stream->business->return_value ^= PROT_STATE_DROPPKT; + if(state&APP_STATE_DROPME) + { + ssl_releaseSslStream(a_tcp, &a_ssl_stream, thread_seq,a_packet); + *pme = NULL; } - if (state & APP_STATE_DROPME) - { - ssl_releaseSslStream(a_tcp, &a_ssl_stream, thread_seq, a_packet); - *pme = NULL; - } - return state; - - break; - case OP_STATE_CLOSE: - a_ssl_stream = (ssl_stream *)*pme; - if (a_ssl_stream != NULL) + + return state; + break; + + case OP_STATE_CLOSE: + a_ssl_stream = (ssl_stream *)*pme; + if(a_ssl_stream!=NULL) { a_ssl_stream->over_flag = SSL_TRUE; } @@ -546,21 +575,21 @@ char SSL_ENTRY(struct streaminfo *a_tcp, void**pme, int thread_seq, void *a_pack FS_operate(g_ssl_prog_para.stat_handler, g_ssl_prog_para.stat_field[SSL_STAT_BITS_S2C], 0, FS_OP_SET, g_ssl_prog_para.stat_value[SSL_STAT_BITS_S2C]); } } - return_val = ssl_analyseStream(a_tcp, pme, thread_seq, a_packet); + return_val = ssl_analyseStream(a_tcp, pme ,thread_seq, a_packet); state = APP_STATE_DROPME; - if (a_ssl_stream->business->return_value & PROT_STATE_DROPPKT) + if(a_ssl_stream->business->return_value&PROT_STATE_DROPPKT) { state |= APP_STATE_DROPPKT; - a_ssl_stream->business->return_value ^= PROT_STATE_DROPPKT; - } - if (NULL != a_ssl_stream) - { - ssl_releaseSslStream(a_tcp, &a_ssl_stream, thread_seq, a_packet); - *pme = NULL; - } - - return state; - } + a_ssl_stream->business->return_value ^= PROT_STATE_DROPPKT; + } + if(NULL!=a_ssl_stream) + { + ssl_releaseSslStream(a_tcp, &a_ssl_stream, thread_seq,a_packet); + *pme = NULL; + } + + return state; + } return APP_STATE_GIVEME; } diff --git a/src/SSL_Certificate.c b/src/SSL_Certificate.c index 9fb8d9f..ee50ded 100644 --- a/src/SSL_Certificate.c +++ b/src/SSL_Certificate.c @@ -243,14 +243,18 @@ UCHAR ssl_AnalyseCertificate(char *pcSslCertificateData, int iDataLen, ssl_strea int cert_cnt = ssl_read_all_cert(pcCurSslCertificateData, iUnAnaCertLen, cert_unit, CERT_MAXNUM); int i=0; + int totallen = a_ssl_stream->stSSLCert->totallen; for(i=0;i<cert_cnt;i++) { + a_ssl_stream->stSSLCert->totallen = totallen; return_val = fn_pGetSSLInfo(cert_unit[i].cert, cert_unit[i].cert_len, a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); if( SSL_RETURN_NORM != return_val) return return_val; - - a_ssl_stream->output_region_mask = SSL_CERTIFICATE_DETAIL_MASK; - a_ssl_stream->p_output_buffer->p_data = pcCurSslCertificateData; + + a_ssl_stream->stSSLCert->certlen = cert_unit[i].cert_len; + a_ssl_stream->output_region_mask = SSL_CERTIFICATE_DETAIL_MASK; + a_ssl_stream->p_output_buffer->p_data = cert_unit[i].cert; a_ssl_stream->p_output_buffer->data_size = a_ssl_stream->stSSLCert->certlen; + switch(cert_num) { case 0: @@ -302,10 +306,15 @@ UCHAR ssl_AnalyseCertificate(char *pcSslCertificateData, int iDataLen, ssl_strea dictator_free(thread_seq,a_ssl_stream->stSSLCert->SSLSubAltName); a_ssl_stream->stSSLCert->SSLSubAltName = NULL; } + if(a_ssl_stream->stSSLCert->SSLSubKey!=NULL) + { + dictator_free(thread_seq,a_ssl_stream->stSSLCert->SSLSubKey); + a_ssl_stream->stSSLCert->SSLSubKey = NULL; + } #if PRINTF_CERTIFICATE cert_log(a_ssl_stream); -#endif - memset(a_ssl_stream->stSSLCert,0,sizeof(st_cert_t)); +#endif + memset(a_ssl_stream->stSSLCert,0,sizeof(st_cert_t)); if(SSL_RETURN_NORM != return_val && SSL_RETURN_UNNORM != return_val ) return return_val; } return SSL_RETURN_NORM; @@ -1030,7 +1039,6 @@ UCHAR fn_pGetSSLInfo(char *pcCert, int iLen, ssl_stream *a_ssl_stream, struct unsigned long long region_flag, int thread_seq, void *a_packet) { //return SSL_RETURN_NORM; - int data = 0; X509 *x509_handle = d2i_X509(NULL, (unsigned char const **)&pcCert, iLen); if (x509_handle == NULL) @@ -1090,7 +1098,18 @@ UCHAR fn_pGetSSLInfo(char *pcCert, int iLen, ssl_stream *a_ssl_stream, struct a_ssl_stream->stSSLCert->SSLSubO, a_ssl_stream->stSSLCert->SSLSubC); } - + + /*SSL Subject keyInfo*/ + EVP_PKEY* pkey = X509_get_pubkey(x509_handle); + if(pkey!=NULL) + { + int pkeyLen=0; + a_ssl_stream->stSSLCert->SSLSubKeyLen = i2d_PublicKey(pkey, NULL);; + a_ssl_stream->stSSLCert->SSLSubKey = (unsigned char *)dictator_malloc(thread_seq, a_ssl_stream->stSSLCert->SSLSubKeyLen); + pkeyLen = i2d_PublicKey(pkey, &(a_ssl_stream->stSSLCert->SSLSubKey)); //!!! point will be changed + a_ssl_stream->stSSLCert->SSLSubKey = a_ssl_stream->stSSLCert->SSLSubKey-a_ssl_stream->stSSLCert->SSLSubKeyLen; + } + /*validity*/ ASN1_TIME *start = X509_get_notBefore(x509_handle); ASN1_TIME *end = X509_get_notAfter(x509_handle); @@ -1103,7 +1122,6 @@ UCHAR fn_pGetSSLInfo(char *pcCert, int iLen, ssl_stream *a_ssl_stream, struct int cnt = sk_GENERAL_NAME_num(subjectAltNames); char* san = NULL; ASN1_STRING *san_name; - int len = 0; GENERAL_NAME* generalName; if(cnt>0) { @@ -1134,7 +1152,76 @@ UCHAR fn_pGetSSLInfo(char *pcCert, int iLen, ssl_stream *a_ssl_stream, struct if(subjectAltNames) { GENERAL_NAMES_free(subjectAltNames); + } + + /*extension*/ + /*SCT*/ + /* + GENERAL_NAMES* subjectAltNames = (GENERAL_NAMES*)X509_get_ext_d2i(x509_handle, NID_subject_alt_name, NULL, NULL); + if(!subjectAltNames) goto cert_return; + int cnt = sk_GENERAL_NAME_num(subjectAltNames); + char* san = NULL; + ASN1_STRING *san_name; + GENERAL_NAME* generalName; + if(cnt>0) + { + a_ssl_stream->stSSLCert->SSLSubAltName = (st_san_t*)dictator_malloc(thread_seq, sizeof(st_san_t)); + a_ssl_stream->stSSLCert->SSLSubAltName->san_array = (san_t*)dictator_malloc(thread_seq, cnt*sizeof(san_t)); + memset(a_ssl_stream->stSSLCert->SSLSubAltName->san_array,0,cnt*sizeof(san_t)); + a_ssl_stream->stSSLCert->SSLSubAltName->count = 0; + for (int i = 0; i < cnt; i++) + { + generalName = sk_GENERAL_NAME_value(subjectAltNames, i); + if(!generalName) goto cert_return; + if(GEN_DNS == generalName->type) + { + san_name = (ASN1_STRING*)GENERAL_NAME_get0_value(generalName, NULL); + if(ASN1_STRING_length(san_name)>0) + { + san = (char*)ASN1_STRING_data(san_name); + snprintf(a_ssl_stream->stSSLCert->SSLSubAltName->san_array[a_ssl_stream->stSSLCert->SSLSubAltName->count].san, + sizeof(a_ssl_stream->stSSLCert->SSLSubAltName->san_array[a_ssl_stream->stSSLCert->SSLSubAltName->count].san), + "%s", + san); + a_ssl_stream->stSSLCert->SSLSubAltName->count++; + } + } + } + + /* GET ALL EXTENSION + int ext_num = X509_get_ext_count(x509_handle); + X509_EXTENSION* ext; + ASN1_OBJECT* obj; + int oid; + STACK_OF(CONF_VALUE)* item; + int item_num=0; + CONF_VALUE *val; + for(int i=0;i<ext_num;i++) + { + ext = X509_get_ext(x509_handle, i); + if(ext!=NULL) + { + item = X509V3_parse_list((const char *)ext->value->data); + item_num = sk_CONF_VALUE_num(item); + for (int j = 0; j<item_num; j++) + { + val = sk_CONF_VALUE_value(item, i); + //val->section; + //val->name; + } + obj = X509_EXTENSION_get_object(ext); + if(obj!=NULL) + { + oid = OBJ_obj2nid(obj); + ///*SCT: Signed Certificate Timestamp; OID is 1.3.6.1.4.1.11129.2.4.2; NID: NID_ct_cert_scts + if(oid=SCT_OID) + { + + } + } + } } + */ } cert_return: diff --git a/src/SSL_Certificate.h b/src/SSL_Certificate.h index 38f96ca..76798db 100644 --- a/src/SSL_Certificate.h +++ b/src/SSL_Certificate.h @@ -11,6 +11,10 @@ #define CERT_TYPE_MAXNUM 16 +//#define SCT_OID 1.3.6.1.4.1.11129.2.4.2 +#define SCT_OID 1 + + #ifdef __cplusplus extern "C" { #endif diff --git a/src/SSL_Common.c b/src/SSL_Common.c new file mode 100644 index 0000000..0d9aea8 --- /dev/null +++ b/src/SSL_Common.c @@ -0,0 +1,60 @@ +/* + * SSL_Common.c + + * + * Created on: 2013-5-8 + * Author: lis + */ + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include "SSL_Common.h" + +int get_so_path(void* func_addr,char* path,unsigned int size) + + { + + Dl_info av_dl_info; + + dladdr(func_addr,&av_dl_info); + + unsigned int i=0,last_slash_pos=0; + + for(i=0;i<strlen(av_dl_info.dli_fname);i++) + + { + + if(av_dl_info.dli_fname[i]=='/') + + { + + last_slash_pos=i; + + } + + } + + if(i<size) + + { + + memcpy(path,av_dl_info.dli_fname,last_slash_pos); + + return last_slash_pos; + + } + + else + + { + + return 0; + + } + + + + } + + diff --git a/src/SSL_Common.h b/src/SSL_Common.h new file mode 100644 index 0000000..1a9bf93 --- /dev/null +++ b/src/SSL_Common.h @@ -0,0 +1,24 @@ +/* + * SSL_Common.h + + * + * Created on: 2013-5-8 + * Author: lis + */ + +#ifndef SSL_COMMON_H_ +#define SSL_COMMON_H_ + +#include <time.h> +#include <ctype.h> +#include <dlfcn.h> + +#ifdef __cplusplus +extern "C" { +#endif +int get_so_path(void* func_addr,char* path,unsigned int size); + +#ifdef __cplusplus +} +#endif +#endif /* SSL_COMMON_H_ */ diff --git a/src/SSL_Message.c b/src/SSL_Message.c index aa7bcd0..d7062f1 100644 --- a/src/SSL_Message.c +++ b/src/SSL_Message.c @@ -3,117 +3,71 @@ #include "ssl.h" #include "SSL_Message.h" #include "SSL_Proc.h" +#include "SSL_Common.h" #include "SSL_Certificate.h" extern ssl_prog_runtime_parameter_t g_ssl_prog_para; - -const stSerialString_t g_astCipherSuit[] = -{ - {{0X00, 0X2f}, "TLS_RSA_WITH_AES_128_CBC_SHA"}, - {{0X00, 0X35}, "TLS_RSA_WITH_AES_256_CBC_SHA"}, - {{0X00, 0X05}, "TLS_RSA_WITH_RC4_128_CBC_SHA"}, - {{0X00, 0X0a}, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}, - {{0Xc0, 0X13}, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}, - {{0Xc0, 0X14}, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"}, - {{0Xc0, 0X09}, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"}, - {{0Xc0, 0X0a}, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"}, - {{0X00, 0X32}, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"}, - {{0X00, 0X38}, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA"}, - {{0X00, 0X13}, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"}, - {{0X00, 0X04}, "TLS_RSA_WITH_RC4_128_MD5"}, - {{0X00, 0X39}, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"}, - {{0}, NULL}, -}; +extern stSerialString_t g_astCipherSuit; const stSerialString_t g_astCompression[] = { {{0}, NULL}, }; -char *fn_pcGetSuite(unsigned char *pucId, int iIdLen, stSerialString_t *pastElemTypes) +const char* ssl_get_suite(st_suites_t* ciphersuites) { - int iLoop = 0; - int iInLoop = 0; - - if (NULL == pucId || iIdLen < 0 || NULL == pastElemTypes) - { - return NULL; - } - - for (iLoop = 0; NULL != pastElemTypes[iLoop].pcString; ++iLoop) - { - for (iInLoop = 0; iInLoop < iIdLen; ++iInLoop) - { - if (pucId[iInLoop] != pastElemTypes[iLoop].aucSerial[iInLoop]) - { - //continue; - break; - } - } - - if (iInLoop == iIdLen) - { - return (char *)(pastElemTypes[iLoop].pcString); - } - } - - return NULL; -} - - -const char* ssl_get_suite(st_suites_t* ciphersuits) -{ - if(ciphersuits==NULL) return NULL; - return fn_pcGetSuite((unsigned char *)ciphersuits->suite_value, ciphersuits->suite_len, (stSerialString_t*)g_astCipherSuit); + if(ciphersuites==NULL) return NULL; + return fn_pcGetSuite((unsigned char *)ciphersuites->suites_value, ciphersuites->suites_len, (stSerialString_t*)&g_astCipherSuit); } unsigned short ssl_getHelloVersion(unsigned char *pcData, unsigned int iDataLen) -{ - if (CLIENT_HELLO != pcData[0] && SERVER_HELLO != pcData[0]) - { - return 0; - } +{ + if (CLIENT_HELLO != pcData[0] && SERVER_HELLO != pcData[0]) + { + return 0; + } - if (03 == pcData[4] && 1 == pcData[5]) - { - /*TLS 1.0*/ - return 0x0301; - } - else if (03 == pcData[4] && 2 == pcData[5]) - { - /*TLS 2.0*/ - return 0x0302; - } + if (03 == pcData[4] && 1 == pcData[5]) + { + /*TLS 1.0*/ + return TLSV1_0_VERSION; + } + else if (03 == pcData[4] && 2 == pcData[5]) + { + /*TLS 2.0*/ + return TLSV1_1_VERSION; + } else if (03 == pcData[4] && 3 == pcData[5]) - { - /*TLS 2.0*/ - return 0x0303; - } - else if (03 == pcData[4] && 0 == pcData[5]) - { - /*SSL 3.0*/ - return 0x0300; - } - else if (0 == pcData[4] && 2 == pcData[5]) - { - /*SSL 2.0*/ - return 0x0002; - } - else if (0xfe == (unsigned char)pcData[4] && 0xff == (unsigned char)pcData[5]) - { - /*DTLS 1.0*/ - return 0xfeff; - } - else if (0x01 == (unsigned char)pcData[4] && 0x00 == (unsigned char)pcData[5]) - { - /*DTLS 1.0 (OpenSSL pre 0.9.8f)*/ - return 0x0100; - } - return 0; + { + /*TLS 2.0*/ + return TLSV1_2_VERSION; + } + else if (03 == pcData[4] && 0 == pcData[5]) + { + /*SSL 3.0*/ + return SSLV3_VERSION; + } + else if (0 == pcData[4] && 2 == pcData[5]) + { + /*SSL 2.0*/ + return SSLV2_VERSION; + } + else if (0xfe == (unsigned char)pcData[4] && 0xff == (unsigned char)pcData[5]) + { + /*DTLS 1.0*/ + return DTLSV1_0_VERSION; + } + else if (0x01 == (unsigned char)pcData[4] && 0x00 == (unsigned char)pcData[5]) + { + /*DTLS 1.0 (OpenSSL pre 0.9.8f)*/ + return DTLSV1_0_VERSION_NOT; + } + return 0; } + int fn_iIsHandShakeMsg(unsigned char ucMsgType) { switch (ucMsgType) @@ -122,6 +76,7 @@ int fn_iIsHandShakeMsg(unsigned char ucMsgType) case CLIENT_HELLO: case SERVER_HELLO: case CERTIFICATE: + case NEW_SESSION_TICKET: // case SERVER_KEY_EXCHANGE: // case CERTIFICATE_REQUEST: // case SERVER_HELLO_DONE: @@ -219,7 +174,7 @@ UCHAR ssl_analyseHandShake(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseL if(a_ssl_stream->stClientHello==NULL) { a_ssl_stream->stClientHello = (st_client_hello_t*)dictator_malloc(thread_seq,sizeof(st_client_hello_t)); - memset(a_ssl_stream->stClientHello, 0, sizeof(a_ssl_stream->stClientHello)); + memset(a_ssl_stream->stClientHello, 0, sizeof(st_client_hello_t)); ssl_initStructClientHello(a_ssl_stream->stClientHello); } @@ -285,23 +240,23 @@ UCHAR ssl_analyseHandShake(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseL } /*get client hello suites*/ - a_ssl_stream->stClientHello->ciphersuits.suite_len = (unsigned short)BtoL2BytesNum(pcCurSslData); - pcCurSslData += sizeof(a_ssl_stream->stClientHello->ciphersuits.suite_len); - iUnAnaHelloLen -= sizeof(a_ssl_stream->stClientHello->ciphersuits.suite_len); + a_ssl_stream->stClientHello->ciphersuites.suites_len = (unsigned short)BtoL2BytesNum(pcCurSslData); + pcCurSslData += sizeof(a_ssl_stream->stClientHello->ciphersuites.suites_len); + iUnAnaHelloLen -= sizeof(a_ssl_stream->stClientHello->ciphersuites.suites_len); if(iUnAnaHelloLen<0) { return SSL_RETURN_DROPME; } - if(a_ssl_stream->stClientHello->ciphersuits.suite_len>iUnAnaHelloLen) + if(a_ssl_stream->stClientHello->ciphersuites.suites_len>iUnAnaHelloLen) { return SSL_RETURN_DROPME; } - if(a_ssl_stream->stClientHello->ciphersuits.suite_len!=0) + if(a_ssl_stream->stClientHello->ciphersuites.suites_len!=0) { - a_ssl_stream->stClientHello->ciphersuits.suite_value = (unsigned char *)dictator_malloc(thread_seq,a_ssl_stream->stClientHello->ciphersuits.suite_len); - memcpy(a_ssl_stream->stClientHello->ciphersuits.suite_value, pcCurSslData, a_ssl_stream->stClientHello->ciphersuits.suite_len); - pcCurSslData += a_ssl_stream->stClientHello->ciphersuits.suite_len; - iUnAnaHelloLen -= a_ssl_stream->stClientHello->ciphersuits.suite_len; + a_ssl_stream->stClientHello->ciphersuites.suites_value = (unsigned char *)dictator_malloc(thread_seq,a_ssl_stream->stClientHello->ciphersuites.suites_len); + memcpy(a_ssl_stream->stClientHello->ciphersuites.suites_value, pcCurSslData, a_ssl_stream->stClientHello->ciphersuites.suites_len); + pcCurSslData += a_ssl_stream->stClientHello->ciphersuites.suites_len; + iUnAnaHelloLen -= a_ssl_stream->stClientHello->ciphersuites.suites_len; if(iUnAnaHelloLen<0) { return SSL_RETURN_DROPME; @@ -339,6 +294,7 @@ UCHAR ssl_analyseHandShake(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseL int i=0; for(i=0; iUnAnaHelloLen>=4 && i<MAX_EXTENSION_NUM; i++)//min len of ext is 4 byte { + a_ssl_stream->stClientHello->exts[i].type = (unsigned short)BtoL2BytesNum(pcCurSslData); pcCurSslData += sizeof(a_ssl_stream->stClientHello->exts[i].type); iUnAnaHelloLen -= sizeof(a_ssl_stream->stClientHello->exts[i].type); @@ -353,31 +309,35 @@ UCHAR ssl_analyseHandShake(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseL if(iUnAnaHelloLen<0) { return SSL_RETURN_DROPME; - } - - memcpy(a_ssl_stream->stClientHello->exts[i].data, - pcCurSslData, - MIN(a_ssl_stream->stClientHello->exts[i].len, MAX_EXT_DATA_LEN)); //get ext data - + } + a_ssl_stream->stClientHello->exts[i].data = (unsigned char *)dictator_malloc(thread_seq, a_ssl_stream->stClientHello->exts[i].len); + memcpy(a_ssl_stream->stClientHello->exts[i].data, pcCurSslData, a_ssl_stream->stClientHello->exts[i].len); //get ext data pcCurSslData += a_ssl_stream->stClientHello->exts[i].len; - iUnAnaHelloLen -= a_ssl_stream->stClientHello->exts[i].len; - if(iUnAnaHelloLen<0) - { - return SSL_RETURN_DROPME; - } + iUnAnaHelloLen -= a_ssl_stream->stClientHello->exts[i].len; } a_ssl_stream->stClientHello->ext_num = i; + //printf("ext_num: %d\n", a_ssl_stream->stClientHello->ext_num); return_val = ssl_doWithClientHello(&a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); //20141121 + for(int j=0;j<a_ssl_stream->stClientHello->ext_num;j++) + { + if(a_ssl_stream->stClientHello->exts[j].data!=NULL) + { + dictator_free(thread_seq,a_ssl_stream->stClientHello->exts[j].data); + a_ssl_stream->stClientHello->exts[j].data = NULL; + } + } + a_ssl_stream->stClientHello->ext_num = 0; + a_ssl_stream->stClientHello->session_ticket.ticket = NULL; if(a_ssl_stream->stClientHello->session.session_value!=NULL) { dictator_free(thread_seq,a_ssl_stream->stClientHello->session.session_value); a_ssl_stream->stClientHello->session.session_value = NULL; } - if(a_ssl_stream->stClientHello->ciphersuits.suite_value!=NULL) + if(a_ssl_stream->stClientHello->ciphersuites.suites_value!=NULL) { - dictator_free(thread_seq,a_ssl_stream->stClientHello->ciphersuits.suite_value); - a_ssl_stream->stClientHello->ciphersuits.suite_value = NULL; + dictator_free(thread_seq,a_ssl_stream->stClientHello->ciphersuites.suites_value); + a_ssl_stream->stClientHello->ciphersuites.suites_value = NULL; } if(a_ssl_stream->stClientHello->com_method.methods!=NULL) { @@ -400,7 +360,7 @@ UCHAR ssl_analyseHandShake(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseL if(a_ssl_stream->stServerHello==NULL) { a_ssl_stream->stServerHello = (st_server_hello_t*)dictator_malloc(thread_seq,sizeof(st_server_hello_t)); - memset(a_ssl_stream->stServerHello, 0, sizeof(a_ssl_stream->stServerHello)); + memset(a_ssl_stream->stServerHello, 0, sizeof(st_server_hello_t)); ssl_initStructServerHello(a_ssl_stream->stServerHello); } a_ssl_stream->stServerHello->totallen = BtoL3BytesNum((char *)(pcCurSslData + 1)); @@ -412,18 +372,18 @@ UCHAR ssl_analyseHandShake(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseL /**packet trunked**/ break; } - if(0==(a_ssl_stream->stServerHello->client_ver = ssl_getHelloVersion((unsigned char*)pcCurSslData, iUnAnalyseLen))) + if(0==(a_ssl_stream->stServerHello->server_ver = ssl_getHelloVersion((unsigned char*)pcCurSslData, iUnAnalyseLen))) { return SSL_RETURN_DROPME; } - iUnAnaHelloLen = a_ssl_stream->stServerHello->totallen-sizeof(a_ssl_stream->stServerHello->client_ver); + iUnAnaHelloLen = a_ssl_stream->stServerHello->totallen-sizeof(a_ssl_stream->stServerHello->server_ver); if(iUnAnaHelloLen<0) { return SSL_RETURN_DROPME; } - pcCurSslData += SERVER_HELLO_HDRLEN+sizeof(a_ssl_stream->stServerHello->client_ver); + pcCurSslData += SERVER_HELLO_HDRLEN+sizeof(a_ssl_stream->stServerHello->server_ver); /*get server hello random*/ a_ssl_stream->stServerHello->random.gmt_time = (unsigned int)BtoL4BytesNum(pcCurSslData); @@ -466,11 +426,11 @@ UCHAR ssl_analyseHandShake(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseL } /*get server hello suites*/ - a_ssl_stream->stServerHello->ciphersuits.suite_len = 2; - a_ssl_stream->stServerHello->ciphersuits.suite_value = (unsigned char *)dictator_malloc(thread_seq,a_ssl_stream->stServerHello->ciphersuits.suite_len); - memcpy(a_ssl_stream->stServerHello->ciphersuits.suite_value, pcCurSslData, a_ssl_stream->stServerHello->ciphersuits.suite_len); - pcCurSslData += a_ssl_stream->stServerHello->ciphersuits.suite_len; - iUnAnaHelloLen -= a_ssl_stream->stServerHello->ciphersuits.suite_len; + a_ssl_stream->stServerHello->ciphersuites.suites_len = 2; + a_ssl_stream->stServerHello->ciphersuites.suites_value = (unsigned char *)dictator_malloc(thread_seq,a_ssl_stream->stServerHello->ciphersuites.suites_len); + memcpy(a_ssl_stream->stServerHello->ciphersuites.suites_value, pcCurSslData, a_ssl_stream->stServerHello->ciphersuites.suites_len); + pcCurSslData += a_ssl_stream->stServerHello->ciphersuites.suites_len; + iUnAnaHelloLen -= a_ssl_stream->stServerHello->ciphersuites.suites_len; if(iUnAnaHelloLen<0) { return SSL_RETURN_DROPME; @@ -499,6 +459,46 @@ UCHAR ssl_analyseHandShake(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseL return SSL_RETURN_DROPME; } } + + /*get extension*/ + a_ssl_stream->stServerHello->extlen = (unsigned short)BtoL2BytesNum(pcCurSslData); + pcCurSslData += sizeof(a_ssl_stream->stServerHello->extlen); + + int i=0; + for(i=0; iUnAnaHelloLen>=4 && i<MAX_EXTENSION_NUM; i++)//min len of ext is 4 byte + { + a_ssl_stream->stServerHello->exts[i].type = (unsigned short)BtoL2BytesNum(pcCurSslData); + pcCurSslData += sizeof(a_ssl_stream->stServerHello->exts[i].type); + iUnAnaHelloLen -= sizeof(a_ssl_stream->stServerHello->exts[i].type); + if(iUnAnaHelloLen<0) + { + return SSL_RETURN_DROPME; + } + + a_ssl_stream->stServerHello->exts[i].len = (unsigned short)BtoL2BytesNum(pcCurSslData); + pcCurSslData += sizeof(a_ssl_stream->stServerHello->exts[i].len); + iUnAnaHelloLen -= sizeof(a_ssl_stream->stServerHello->exts[i].len); + if(iUnAnaHelloLen<0) + { + return SSL_RETURN_DROPME; + } + a_ssl_stream->stServerHello->exts[i].data = (unsigned char *)dictator_malloc(thread_seq, a_ssl_stream->stServerHello->exts[i].len); + memcpy(a_ssl_stream->stServerHello->exts[i].data, pcCurSslData, a_ssl_stream->stServerHello->exts[i].len); //get ext data + pcCurSslData += a_ssl_stream->stServerHello->exts[i].len; + iUnAnaHelloLen -= a_ssl_stream->stServerHello->exts[i].len; + } + a_ssl_stream->stServerHello->ext_num = i; + + for(int j=0;j<a_ssl_stream->stServerHello->ext_num;j++) + { + if(a_ssl_stream->stServerHello->exts[j].data!=NULL) + { + dictator_free(thread_seq,a_ssl_stream->stServerHello->exts[j].data); + a_ssl_stream->stServerHello->exts[j].data = NULL; + } + } + a_ssl_stream->stServerHello->ext_num = 0; + return_val = ssl_doWithServerHello(&a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); //20141121 if(a_ssl_stream->stServerHello->session.session_value!=NULL) @@ -506,10 +506,10 @@ UCHAR ssl_analyseHandShake(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseL dictator_free(thread_seq,a_ssl_stream->stServerHello->session.session_value); a_ssl_stream->stServerHello->session.session_value = NULL; } - if(a_ssl_stream->stServerHello->ciphersuits.suite_value!=NULL) + if(a_ssl_stream->stServerHello->ciphersuites.suites_value!=NULL) { - dictator_free(thread_seq,a_ssl_stream->stServerHello->ciphersuits.suite_value); - a_ssl_stream->stServerHello->ciphersuits.suite_value = NULL; + dictator_free(thread_seq,a_ssl_stream->stServerHello->ciphersuites.suites_value); + a_ssl_stream->stServerHello->ciphersuites.suites_value = NULL; } if(a_ssl_stream->stServerHello->com_method.methods!=NULL) { @@ -519,11 +519,41 @@ UCHAR ssl_analyseHandShake(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseL if(SSL_RETURN_NORM != return_val) return return_val; iUnAnalyseLen -= (a_ssl_stream->stServerHello->totallen + SERVER_HELLO_HDRLEN); pcSslData += (a_ssl_stream->stServerHello->totallen + SERVER_HELLO_HDRLEN); - } - else - { + } + else if(NEW_SESSION_TICKET == pstHandShakeTypeHdr->ucContType) + { + if(iUnAnalyseLen<SESSION_TICKET_HDRLEN) + { + break; + } + if(a_ssl_stream->stNewSessionTicket==NULL) + { + a_ssl_stream->stNewSessionTicket = (st_new_session_ticket_t*)dictator_malloc(thread_seq,sizeof(st_new_session_ticket_t)); + memset(a_ssl_stream->stNewSessionTicket, 0, sizeof(st_new_session_ticket_t)); + } + a_ssl_stream->stNewSessionTicket->totallen = BtoL3BytesNum((char *)(pcCurSslData + 1)); + if(a_ssl_stream->stNewSessionTicket->totallen<0) return SSL_RETURN_DROPME; + + /*4 means _type+len*/ + if (a_ssl_stream->stNewSessionTicket->totallen+SESSION_TICKET_HDRLEN > iUnAnalyseLen) + { + /**packet trunked**/ + break; + } + pcCurSslData += SESSION_TICKET_HDRLEN; + a_ssl_stream->stNewSessionTicket->lifttime = BtoL4BytesNum((char *)(pcCurSslData)); + a_ssl_stream->stNewSessionTicket->ticket_len = BtoL2BytesNum((char *)(pcCurSslData+4)); + a_ssl_stream->stNewSessionTicket->ticket = (unsigned char*)(pcCurSslData+6); + pcCurSslData += 6+a_ssl_stream->stNewSessionTicket->ticket_len; + iUnAnalyseLen -= (a_ssl_stream->stNewSessionTicket->totallen + SERVER_HELLO_HDRLEN); + pcSslData += (a_ssl_stream->stNewSessionTicket->totallen + SERVER_HELLO_HDRLEN); + return_val = ssl_doWithNewSessionTicket(&a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); + //printf("new session ticket:%d\n", a_ssl_stream->stNewSessionTicket->ticket_len); + } + else + { break; - } + } } *res = (iSslDataLen - iUnAnalyseLen); @@ -554,6 +584,29 @@ UCHAR ssl_analyseAppData(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseLen return SSL_RETURN_NORM; } +UCHAR ssl_analyseAlert(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseLen, int *res, ssl_stream *a_ssl_stream, struct streaminfo* a_tcp, + unsigned long long region_flag, int thread_seq, void* a_packet) +{ + /**variable define and initialise**/ + int return_val = SSL_RETURN_NORM; + int iUnAnalyseLen = iAllMsgLen < iSslUnAnalyseLen ? iAllMsgLen : iSslUnAnalyseLen; + + /**validaty check**/ + if (NULL == pcSslData || iUnAnalyseLen <= 0) + { + *res = 0; + return SSL_RETURN_NORM; + } + a_ssl_stream->output_region_mask = SSL_ALERT_MASK; + a_ssl_stream->p_output_buffer->p_data = pcSslData; + a_ssl_stream->p_output_buffer->data_size = iUnAnalyseLen; + return_val = ssl_doWithAlert(&a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); + a_ssl_stream->p_output_buffer->p_data = NULL; + a_ssl_stream->p_output_buffer->data_size = 0; + *res = iUnAnalyseLen; + if(SSL_RETURN_NORM!= return_val) return return_val; + return SSL_RETURN_NORM; +} char *fn_pcGetType(unsigned char *pucId, int iIdLen, stSerialString_t *pastElemTypes) { @@ -600,47 +653,48 @@ int ssl_protoRecg(char *pcData, int iDataLen) if (03 == pcData[1] && 1 == pcData[2]) { /*TLS 1.0*/ - return 0x0301; + return TLSV1_0_VERSION; } else if (03 == pcData[1] && 2 == pcData[2]) { - /*TLS 2.0*/ - return 0x0302; + /*TLS 1.1*/ + return TLSV1_1_VERSION; } else if (03 == pcData[1] && 3 == pcData[2]) { - /*TLS 3.0*/ - return 0x0303; - } + /*TLS 1.2*/ + return TLSV1_2_VERSION; + } else if (03 == pcData[1] && 0 == pcData[2]) { /*SSL 3.0*/ - return 0x0300; + return SSLV3_VERSION; } else if (0 == pcData[1] && 2 == pcData[2]) { /*SSL 2.0*/ - return 0x0002; + return SSLV2_VERSION; } else if (0xfe == (unsigned char)pcData[1] && 0xff == (unsigned char)pcData[2]) { /*DTLS 1.0*/ - return 0xfeff; + return DTLSV1_0_VERSION; } else if (0x01 == (unsigned char)pcData[1] && 0x00 == (unsigned char)pcData[2]) { /*DTLS 1.0 (OpenSSL pre 0.9.8f)*/ - return 0x0100; + return DTLSV1_0_VERSION_NOT; } return 0; } + #define MAX_THREAD_NUM 64 #define COUNTER_NUM 4096 extern volatile unsigned long long g_SysInputInfo[MAX_THREAD_NUM][COUNTER_NUM]; -UCHAR ssl_analyseStreamData(char *pcSslData, int iDataLen, int *res, ssl_stream *a_ssl_stream, struct streaminfo* a_tcp, +UCHAR ssl_analyseSsl(char *pcSslData, int iDataLen, int *res, ssl_stream *a_ssl_stream, struct streaminfo* a_tcp, unsigned long long region_flag, int thread_seq, void* a_packet) { /**variable define and initialise**/ @@ -682,6 +736,7 @@ UCHAR ssl_analyseStreamData(char *pcSslData, int iDataLen, int *res, ssl_stream { case HANDSHAKE: case APPLICATION_DATA: + case ALERT: pstHandShakeTypeHdr = (stHandShakeTypeHdr_t *)pcCurSslData; iCurAllMsgLen = (a_ssl_stream->uiAllMsgLen - a_ssl_stream->uiMsgProcLen) ; iCurMsgLen = (a_ssl_stream->uiAllMsgLen - a_ssl_stream->uiMsgProcLen) < iUnAnalyseLen ? (a_ssl_stream->uiAllMsgLen - a_ssl_stream->uiMsgProcLen) : iUnAnalyseLen; @@ -777,7 +832,22 @@ UCHAR ssl_analyseStreamData(char *pcSslData, int iDataLen, int *res, ssl_stream { is_trunk = 1; } - break; + break; + + /*��������ȫ������ٴ���*/ + case ALERT: + //printf("%d:%d\n",iCurAllMsgLen,iUnAnalyseLen); + if(iUnAnalyseLen<iCurAllMsgLen) + { + *res = 0; + is_trunk = 1; + } + else + { + return_val = ssl_analyseAlert((char *)pcCurSslData, iCurAllMsgLen, iUnAnalyseLen, res, a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); + is_trunk = 0; + } + break; /*other handshark proto not process*/ case HANDSHAKE: @@ -823,6 +893,7 @@ UCHAR ssl_analyseStreamData(char *pcSslData, int iDataLen, int *res, ssl_stream { a_ssl_stream->uiMsgState = SSL_HANDSHAKE_MSG_TRUNKED; a_ssl_stream->uiMsgProcLen += *res; + pcCurSslData += *res; iUnAnalyseLen -= *res ; break; } @@ -900,27 +971,23 @@ UCHAR ssl_analyseStream(struct streaminfo *a_tcp, void** pme, int thread_seq, vo } - return_val = ssl_analyseStreamData(pcSslData, iSslDateLen, &iRet, a_ssl_stream, a_tcp, a_ssl_stream->output_region_flag, thread_seq, a_packet); + return_val = ssl_analyseSsl(pcSslData, iSslDateLen, &iRet, a_ssl_stream, a_tcp, a_ssl_stream->output_region_flag, thread_seq, a_packet); if(SSL_RETURN_NORM != return_val) { return return_val; } /*is ssl_stream, need buffer data*/ - if (iRet < 0) + if (iRet < 0 || iRet >= iSslDateLen) { a_ssl_stream->uiCurBuffLen = 0; - } - else if (iRet >= iSslDateLen) - { - a_ssl_stream->uiCurBuffLen = 0; - } + } else { if(0==a_ssl_stream->uiMaxBuffLen) { a_ssl_stream->pcSslBuffer = (char*)dictator_malloc(thread_seq, MAX_DATA_BUFFER); - memset(a_ssl_stream->pcSslBuffer,0,sizeof(a_ssl_stream->pcSslBuffer)); + memset(a_ssl_stream->pcSslBuffer,0,MAX_DATA_BUFFER); a_ssl_stream->uiMaxBuffLen = MAX_DATA_BUFFER; } fn_vMemCpy(a_ssl_stream->pcSslBuffer, (int)a_ssl_stream->uiMaxBuffLen, pcSslData + iRet, (int)(iSslDateLen - iRet)); diff --git a/src/SSL_Message.h b/src/SSL_Message.h index 3bef42b..4f525c9 100644 --- a/src/SSL_Message.h +++ b/src/SSL_Message.h @@ -45,6 +45,26 @@ #define CERT_MAXNUM 8 + +//#############################################client hello +#define CLIENT_HELLO_HDRLEN 4 + +typedef struct _st_client_server_name_t +{ + short server_name_list_len; + unsigned short server_name_type; + unsigned char server_name_len; + unsigned char* server_name_data; +}__attribute__((packed))st_client_server_name_t; + +//#############################################server hello +#define SERVER_HELLO_HDRLEN 4 + +//#############################################certificate +#define CERTIFICATE_HDRLEN 7 +#define SSL_CERTIFICATE_HDRLEN 3 + + typedef struct _stValueString_t { unsigned int uiValue; @@ -87,7 +107,8 @@ typedef enum _emHelloMsgType_m // SERVER_HELLO_DONE = 14, // CERTIFICATE_VERIFY = 15, // CLIENT_KEY_EXCHANGE = 16, -// FINISHED = 20, +// FINISHED = 20, + NEW_SESSION_TICKET=4, MSG_UNKNOWN = 255, }emHelloMsgType_m; diff --git a/src/SSL_Proc.c b/src/SSL_Proc.c index f42b59a..c9f7db0 100644 --- a/src/SSL_Proc.c +++ b/src/SSL_Proc.c @@ -13,6 +13,8 @@ #include "SSL_Message.h" #include "ssl.h" #include "SSL_Proc.h" +#include "SSL_Common.h" + //debug #define PRINTF_CLIENT_HELLO 0 @@ -21,16 +23,165 @@ extern ssl_prog_runtime_parameter_t g_ssl_prog_para; const stValueString_t pastSslVersions[] = { - { 0xfeff, "DTLS1.0" }, - { 0x0100, "DTLS1.0(OpenSSL pre 0.9.8f)" }, - { 0x0303, "TLS1.2" }, - { 0x0302, "TLS1.1" }, - { 0x0301, "TLS1.0" }, - { 0x0300, "SSL3.0" }, - { 0x0002, "SSL2.0" }, - { 0x00, NULL } + { DTLSV1_0_VERSION, "DTLS1.0" }, + { DTLSV1_0_VERSION_NOT, "DTLS1.0(OpenSSL pre 0.9.8f)" }, + { TLSV1_2_VERSION, "TLS1.2" }, + { TLSV1_1_VERSION, "TLS1.1" }, + { TLSV1_0_VERSION, "TLS1.0" }, + { SSLV3_VERSION, "SSL3.0" }, + { SSLV2_VERSION, "SSL2.0" }, + { UNKNOWN_VERSION, NULL } }; +/* +const stSerialString_t g_astCipherSuit[] = +{ + {{0X00, 0X2f}, "TLS_RSA_WITH_AES_128_CBC_SHA"}, + {{0X00, 0X35}, "TLS_RSA_WITH_AES_256_CBC_SHA"}, + {{0X00, 0X05}, "TLS_RSA_WITH_RC4_128_CBC_SHA"}, + {{0X00, 0X0a}, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}, + {{0Xc0, 0X13}, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}, + {{0Xc0, 0X14}, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"}, + {{0Xc0, 0X09}, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"}, + {{0Xc0, 0X0a}, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"}, + {{0X00, 0X32}, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"}, + {{0X00, 0X38}, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA"}, + {{0X00, 0X13}, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"}, + {{0X00, 0X04}, "TLS_RSA_WITH_RC4_128_MD5"}, + {{0X00, 0X39}, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"}, + {{0}, NULL}, +}; +*/ + +stSerialString_t g_astCipherSuit[] = +{ + {{0xC0, 0X30}, "ECDHE-RSA-AES256-GCM-SHA384"}, + {{0xC0, 0X2C}, "ECDHE-ECDSA-AES256-GCM-SHA384"}, + {{0xC0, 0X28}, "ECDHE-RSA-AES256-SHA384"}, + {{0xC0, 0X24}, "ECDHE-ECDSA-AES256-SHA384"}, + {{0xC0, 0X14}, "ECDHE-RSA-AES256-SHA"}, + {{0xC0, 0X0A}, "ECDHE-ECDSA-AES256-SHA"}, + {{0x00, 0XA5}, "DH-DSS-AES256-GCM-SHA384"}, + {{0x00, 0XA3}, "DHE-DSS-AES256-GCM-SHA384"}, + {{0x00, 0XA1}, "DH-RSA-AES256-GCM-SHA384"}, + {{0x00, 0X9F}, "DHE-RSA-AES256-GCM-SHA384"}, + {{0x00, 0X6B}, "DHE-RSA-AES256-SHA256"}, + {{0x00, 0X6A}, "DHE-DSS-AES256-SHA256"}, + {{0x00, 0X69}, "DH-RSA-AES256-SHA256"}, + {{0x00, 0X68}, "DH-DSS-AES256-SHA256"}, + {{0x00, 0X39}, "DHE-RSA-AES256-SHA"}, + {{0x00, 0X38}, "DHE-DSS-AES256-SHA"}, + {{0x00, 0X37}, "DH-RSA-AES256-SHA"}, + {{0x00, 0X36}, "DH-DSS-AES256-SHA"}, + {{0x00, 0X88}, "DHE-RSA-CAMELLIA256-SHA"}, + {{0x00, 0X87}, "DHE-DSS-CAMELLIA256-SHA"}, + {{0x00, 0X86}, "DH-RSA-CAMELLIA256-SHA"}, + {{0x00, 0X85}, "DH-DSS-CAMELLIA256-SHA"}, + {{0xC0, 0X19}, "AECDH-AES256-SHA"}, + {{0x00, 0XA7}, "ADH-AES256-GCM-SHA384"}, + {{0x00, 0X6D}, "ADH-AES256-SHA256"}, + {{0x00, 0X3A}, "ADH-AES256-SHA"}, + {{0x00, 0X89}, "ADH-CAMELLIA256-SHA"}, + {{0xC0, 0X32}, "ECDH-RSA-AES256-GCM-SHA384"}, + {{0xC0, 0X2E}, "ECDH-ECDSA-AES256-GCM-SHA384"}, + {{0xC0, 0X2A}, "ECDH-RSA-AES256-SHA384"}, + {{0xC0, 0X26}, "ECDH-ECDSA-AES256-SHA384"}, + {{0xC0, 0X0F}, "ECDH-RSA-AES256-SHA"}, + {{0xC0, 0X05}, "ECDH-ECDSA-AES256-SHA"}, + {{0x00, 0X9D}, "AES256-GCM-SHA384"}, + {{0x00, 0X3D}, "AES256-SHA256"}, + {{0x00, 0X35}, "AES256-SHA"}, + {{0x00, 0X84}, "CAMELLIA256-SHA"}, + {{0x00, 0X8D}, "PSK-AES256-CBC-SHA"}, + {{0xC0, 0X2F}, "ECDHE-RSA-AES128-GCM-SHA256"}, + {{0xC0, 0X2B}, "ECDHE-ECDSA-AES128-GCM-SHA256"}, + {{0xC0, 0X27}, "ECDHE-RSA-AES128-SHA256"}, + {{0xC0, 0X23}, "ECDHE-ECDSA-AES128-SHA256"}, + {{0xC0, 0X13}, "ECDHE-RSA-AES128-SHA"}, + {{0xC0, 0X09}, "ECDHE-ECDSA-AES128-SHA"}, + {{0x00, 0XA4}, "DH-DSS-AES128-GCM-SHA256"}, + {{0x00, 0XA2}, "DHE-DSS-AES128-GCM-SHA256"}, + {{0x00, 0XA0}, "DH-RSA-AES128-GCM-SHA256"}, + {{0x00, 0X9E}, "DHE-RSA-AES128-GCM-SHA256"}, + {{0x00, 0X67}, "DHE-RSA-AES128-SHA256"}, + {{0x00, 0X40}, "DHE-DSS-AES128-SHA256"}, + {{0x00, 0X3F}, "DH-RSA-AES128-SHA256"}, + {{0x00, 0X3E}, "DH-DSS-AES128-SHA256"}, + {{0x00, 0X33}, "DHE-RSA-AES128-SHA"}, + {{0x00, 0X32}, "DHE-DSS-AES128-SHA"}, + {{0x00, 0X31}, "DH-RSA-AES128-SHA"}, + {{0x00, 0X30}, "DH-DSS-AES128-SHA"}, + {{0x00, 0X9A}, "DHE-RSA-SEED-SHA"}, + {{0x00, 0X99}, "DHE-DSS-SEED-SHA"}, + {{0x00, 0X98}, "DH-RSA-SEED-SHA"}, + {{0x00, 0X97}, "DH-DSS-SEED-SHA"}, + {{0x00, 0X45}, "DHE-RSA-CAMELLIA128-SHA"}, + {{0x00, 0X44}, "DHE-DSS-CAMELLIA128-SHA"}, + {{0x00, 0X43}, "DH-RSA-CAMELLIA128-SHA"}, + {{0x00, 0X42}, "DH-DSS-CAMELLIA128-SHA"}, + {{0xC0, 0X18}, "AECDH-AES128-SHA"}, + {{0x00, 0XA6}, "ADH-AES128-GCM-SHA256"}, + {{0x00, 0X6C}, "ADH-AES128-SHA256"}, + {{0x00, 0X34}, "ADH-AES128-SHA"}, + {{0x00, 0X9B}, "ADH-SEED-SHA"}, + {{0x00, 0X46}, "ADH-CAMELLIA128-SHA"}, + {{0xC0, 0X31}, "ECDH-RSA-AES128-GCM-SHA256"}, + {{0xC0, 0X2D}, "ECDH-ECDSA-AES128-GCM-SHA256"}, + {{0xC0, 0X29}, "ECDH-RSA-AES128-SHA256"}, + {{0xC0, 0X25}, "ECDH-ECDSA-AES128-SHA256"}, + {{0xC0, 0X0E}, "ECDH-RSA-AES128-SHA"}, + {{0xC0, 0X04}, "ECDH-ECDSA-AES128-SHA"}, + {{0x00, 0X9C}, "AES128-GCM-SHA256"}, + {{0x00, 0X3C}, "AES128-SHA256"}, + {{0x00, 0X2F}, "AES128-SHA"}, + {{0x00, 0X96}, "SEED-SHA"}, + {{0x00, 0X41}, "CAMELLIA128-SHA"}, + {{0x00, 0X8C}, "PSK-AES128-CBC-SHA"}, + {{0xC0, 0X12}, "ECDHE-RSA-DES-CBC3-SHA"}, + {{0xC0, 0X08}, "ECDHE-ECDSA-DES-CBC3-SHA"}, + {{0x00, 0X16}, "EDH-RSA-DES-CBC3-SHA"}, + {{0x00, 0X13}, "EDH-DSS-DES-CBC3-SHA"}, + {{0x00, 0X10}, "DH-RSA-DES-CBC3-SHA"}, + {{0x00, 0X0D}, "DH-DSS-DES-CBC3-SHA"}, + {{0xC0, 0X17}, "AECDH-DES-CBC3-SHA"}, + {{0x00, 0X1B}, "ADH-DES-CBC3-SHA"}, + {{0xC0, 0X0D}, "ECDH-RSA-DES-CBC3-SHA"}, + {{0xC0, 0X03}, "ECDH-ECDSA-DES-CBC3-SHA"}, + {{0x00, 0X0A}, "DES-CBC3-SHA"}, + {{0x00, 0X07}, "IDEA-CBC-SHA"}, + {{0x00, 0X8B}, "PSK-3DES-EDE-CBC-SHA"}, + {{0x00, 0X21}, "KRB5-IDEA-CBC-SHA"}, + {{0x00, 0X1F}, "KRB5-DES-CBC3-SHA"}, + {{0x00, 0X25}, "KRB5-IDEA-CBC-MD5"}, + {{0x00, 0X23}, "KRB5-DES-CBC3-MD5"}, + {{0xC0, 0X11}, "ECDHE-RSA-RC4-SHA"}, + {{0xC0, 0X07}, "ECDHE-ECDSA-RC4-SHA"}, + {{0xC0, 0X16}, "AECDH-RC4-SHA"}, + {{0x00, 0X18}, "ADH-RC4-MD5"}, + {{0xC0, 0X0C}, "ECDH-RSA-RC4-SHA"}, + {{0xC0, 0X02}, "ECDH-ECDSA-RC4-SHA"}, + {{0x00, 0X05}, "RC4-SHA"}, + {{0x00, 0X04}, "RC4-MD5"}, + {{0x00, 0X8A}, "PSK-RC4-SHA"}, + {{0x00, 0X20}, "KRB5-RC4-SHA"}, + {{0x00, 0X24}, "KRB5-RC4-MD5"}, + {{0xC0, 0X10}, "ECDHE-RSA-NULL-SHA"}, + {{0xC0, 0X06}, "ECDHE-ECDSA-NULL-SHA"}, + {{0xC0, 0X15}, "AECDH-NULL-SHA"}, + {{0xC0, 0X0B}, "ECDH-RSA-NULL-SHA"}, + {{0xC0, 0X01}, "ECDH-ECDSA-NULL-SHA"}, + {{0x00, 0X3B}, "NULL-SHA256"}, + {{0x00, 0X02}, "NULL-SHA"}, + {{0x00, 0X01}, "NULL-MD5"}, + {{0x13, 0X01}, "TLS_AES_128_GCM_SHA256"}, + {{0x13, 0X02}, "TLS_AES_256_GCM_SHA384"}, + {{0x13, 0X03}, "TLS_CHACHA20_POLY1305_SHA256"}, + {{0x13, 0X04}, "TLS_AES_128_CCM_SHA256"}, + {{0x13, 0X05}, "TLS_AES_128_CCM_8_SHA256"}, + {{0}, NULL}, +}; + + int BtoL4BytesNum(char *pcData) { @@ -69,6 +220,90 @@ int BtoL1BytesNum(char *pcData) return uiLength; } +char *fn_pcGetSuite(unsigned char *pucId, int iIdLen, const stSerialString_t *pastElemTypes) +{ + int iLoop = 0; + int iInLoop = 0; + + if (NULL == pucId || iIdLen < 0 || NULL == pastElemTypes) + { + return NULL; + } + + for (iLoop = 0; NULL != pastElemTypes[iLoop].pcString; ++iLoop) + { + for (iInLoop = 0; iInLoop < iIdLen; ++iInLoop) + { + if (pucId[iInLoop] != pastElemTypes[iLoop].aucSerial[iInLoop]) + { + //continue; + break; + } + } + + if (iInLoop == iIdLen) + { + return (char *)(pastElemTypes[iLoop].pcString); + } + } + + return NULL; +} + +const char* ssl_get_suite_name(unsigned char* suite_value, unsigned short suite_len) +{ + if(suite_value==NULL) return NULL; + return fn_pcGetSuite((unsigned char *)suite_value, suite_len, (stSerialString_t*)&g_astCipherSuit); +} + +const char* ssl_get_version_name(unsigned short version) +{ + int find_index = -1; + for(unsigned int i=0;pastSslVersions[i].uiValue!=0;i++) + { + if(pastSslVersions[i].uiValue==version) + { + find_index = (int)i; + break; + } + } + return (char*)pastSslVersions[find_index].pcString; +} + +int ssl_get_alpn_list(alpn_list_t* alpn_list, int alpn_size, st_ext_t* exts, unsigned short ext_num) +{ + int alpn_ext_len = 0; + int alpn_proto_len = 0; + int alpn_proto_num = 0; + unsigned char* alpl = NULL; + + for(int i=0; i<ext_num; i++) + { + if(exts[i].type == ALPN_EXT_TYPE) + { + alpn_ext_len = exts[i].len; + alpl = exts[i].data; + alpn_ext_len = BtoL2BytesNum((char *)alpl); + alpl +=2; + while(alpn_ext_len>0 && alpn_proto_num<alpn_size) + { + alpn_proto_len = BtoL1BytesNum((char *)alpl); + alpl++; + alpn_ext_len -= 1; + alpn_list[alpn_proto_num].alpn_len = alpn_proto_len; + //memcpy(alpn_list[alpn_proto_num].alpn, alpl, alpn_proto_len); + alpn_list[alpn_proto_num].alpn = (char*)alpl; + alpn_list[alpn_proto_num].alpn_len = alpn_proto_len; + alpn_ext_len -= alpn_proto_len; + alpl += alpn_proto_len; + alpn_proto_num++; + } + break; + } + } + return alpn_proto_num; +} + UCHAR ssl_doWithVersion(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, unsigned long long region_flag, int thread_seq, void *a_packet) { @@ -98,6 +333,16 @@ UCHAR ssl_doWithVersion(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, return return_val; } +UCHAR ssl_doWithNewSessionTicket(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, + unsigned long long region_flag, int thread_seq, void *a_packet) +{ + UCHAR return_val = SSL_RETURN_NORM; + (*a_ssl_stream)->output_region_mask = SSL_NEW_SESSION_TICKET_MASK; + return_val = ssl_callPlugins(a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); + (*a_ssl_stream)->output_region_mask = SSL_INTEREST_KEY_MASK; + return return_val; +} + UCHAR ssl_doWithApplicationData(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, unsigned long long region_flag, int thread_seq, void *a_packet) { @@ -108,6 +353,18 @@ UCHAR ssl_doWithApplicationData(ssl_stream **a_ssl_stream, struct streaminfo *a_ return return_val; } + +UCHAR ssl_doWithAlert(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, + unsigned long long region_flag, int thread_seq, void *a_packet) +{ + UCHAR return_val = SSL_RETURN_NORM; + (*a_ssl_stream)->output_region_mask = SSL_ALERT_MASK; + return_val = ssl_callPlugins(a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); + (*a_ssl_stream)->output_region_mask = SSL_INTEREST_KEY_MASK; + return return_val; +} + + UCHAR ssl_doWithCertificate(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, unsigned long long region_flag, int thread_seq, void *a_packet) { @@ -140,8 +397,7 @@ UCHAR ssl_doWithClientHello(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, if((*a_ssl_stream)->stClientHello->exts[i].type == SERVER_NAME_EXT_TYPE) { st_client_server_name_t* pstClientServerName = (st_client_server_name_t*)dictator_malloc(thread_seq,sizeof(st_client_server_name_t)); - unsigned char* cur_data = NULL; - unsigned char first_server_name = 0; + unsigned char* cur_data = NULL; unsigned char servernamelen = 0; pstClientServerName->server_name_list_len = (*a_ssl_stream)->stClientHello->exts[i].len; cur_data = (*a_ssl_stream)->stClientHello->exts[i].data; @@ -152,16 +408,16 @@ UCHAR ssl_doWithClientHello(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, /*3=sizeof(pstClientServerName.server_name_type)+sizeof(pstClientServerName.server_name_len)*/ while(pstClientServerName->server_name_list_len>3) { - pstClientServerName->server_name_type = BtoL2BytesNum((char *)cur_data); - pstClientServerName->server_name_len = BtoL1BytesNum((char *)(cur_data+2)); + pstClientServerName->server_name_type = BtoL1BytesNum((char *)cur_data); + pstClientServerName->server_name_len = BtoL2BytesNum((char *)(cur_data+1)); pstClientServerName->server_name_list_len -= 3; + cur_data += 3; /*have data*/ - if(((pstClientServerName->server_name_type == SERVER_NAME_HOST_TYPE)|| - (pstClientServerName->server_name_type == SERVER_NAME_OTHER_TYPE))&& + if(((pstClientServerName->server_name_type == SERVER_NAME_HOST_TYPE))&& pstClientServerName->server_name_len>0&& pstClientServerName->server_name_list_len>=pstClientServerName->server_name_len) { - pstClientServerName->server_name_data = cur_data+3; + pstClientServerName->server_name_data = cur_data; //if(!first_server_name) { memcpy((*a_ssl_stream)->stClientHello->server_name, @@ -169,41 +425,60 @@ UCHAR ssl_doWithClientHello(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, pstClientServerName->server_name_len); servernamelen = strlen((char*)(*a_ssl_stream)->stClientHello->server_name); (*a_ssl_stream)->stClientHello->server_name[servernamelen] = '\0'; - first_server_name = 1; - pstClientServerName->server_name_list_len -= pstClientServerName->server_name_len; - cur_data += pstClientServerName->server_name_len; - -#if PRINTF_CLIENT_HELLO - //printf("server_name:%s\n",(*a_ssl_stream)->stClientHello->server_name); - FILE* pFile = NULL; - time_t currTime; - struct tm *now; - char strTime[32]; - char logTime[32]; - char filename[64] = {0}; - time(&currTime); - now = localtime(&currTime); - memset(strTime, 0, sizeof(strTime) ); - memset(logTime, 0, sizeof(logTime) ); - strftime(strTime, sizeof(strTime), "%Y-%m-%d %H:%M:%S", now); - strftime(logTime, sizeof(logTime), "%Y-%m-%d", now); - strcpy(filename, "./ssl_log/ssl_server_name_log_"); - strcat(filename, logTime); - if(((pFile = fopen(filename, "a+"))!=NULL)) - { - fprintf(pFile,"%s===%s\n",strTime, (*a_ssl_stream)->stClientHello->server_name); - fclose(pFile); - } -#endif - - break; + //printf("====servername:%s\n", (*a_ssl_stream)->stClientHello->server_name); + break; } - } - cur_data += 3; + } + pstClientServerName->server_name_list_len -= pstClientServerName->server_name_len; + cur_data += pstClientServerName->server_name_len; + } + if(NULL!=pstClientServerName) + { + dictator_free(thread_seq,pstClientServerName); + } + } + else if((*a_ssl_stream)->stClientHello->exts[i].type == SESSION_TICKET_EXT_TYPE) + { + (*a_ssl_stream)->stClientHello->session_ticket.ticketlen = (*a_ssl_stream)->stClientHello->exts[i].len; + (*a_ssl_stream)->stClientHello->session_ticket.ticket = (*a_ssl_stream)->stClientHello->exts[i].data; + //printf("====session ticket:%d\n", (*a_ssl_stream)->stClientHello->session_ticket.ticketlen); + } + else if((*a_ssl_stream)->stClientHello->exts[i].type == ENCRPTED_SERVER_NAME_EXT_TYPE) + { + char* cur_data = (char*)(*a_ssl_stream)->stClientHello->exts[i].data; + int iUnAnaHelloLen = (*a_ssl_stream)->stClientHello->exts[i].len; + if(iUnAnaHelloLen>SUITE_VALUELEN) + { + (*a_ssl_stream)->stClientHello->encrypted_server_name.suite_value = (unsigned char *)dictator_malloc(thread_seq,SUITE_VALUELEN); + memcpy((*a_ssl_stream)->stClientHello->encrypted_server_name.suite_value, cur_data, SUITE_VALUELEN); + cur_data += SUITE_VALUELEN; + iUnAnaHelloLen -= SUITE_VALUELEN; + } + if(iUnAnaHelloLen>KEY_EXCHANGELEN_LEN) + { + (*a_ssl_stream)->stClientHello->encrypted_server_name.key_exchange_group = (unsigned short)BtoL2BytesNum(cur_data); + (*a_ssl_stream)->stClientHello->encrypted_server_name.key_exchange_len = (unsigned short)BtoL2BytesNum(cur_data+2); + (*a_ssl_stream)->stClientHello->encrypted_server_name.key_exchange = (unsigned char *)dictator_malloc(thread_seq,(*a_ssl_stream)->stClientHello->encrypted_server_name.key_exchange_len); + memcpy((*a_ssl_stream)->stClientHello->encrypted_server_name.key_exchange, cur_data+KEY_EXCHANGELEN_LEN, (*a_ssl_stream)->stClientHello->encrypted_server_name.key_exchange_len); + cur_data += (KEY_EXCHANGELEN_LEN+(*a_ssl_stream)->stClientHello->encrypted_server_name.key_exchange_len); + iUnAnaHelloLen -= (KEY_EXCHANGELEN_LEN+(*a_ssl_stream)->stClientHello->encrypted_server_name.key_exchange_len); + } + if(iUnAnaHelloLen>RECORD_DIGESTLEN_LEN) + { + (*a_ssl_stream)->stClientHello->encrypted_server_name.record_digest_len= (unsigned short)BtoL2BytesNum(cur_data); + (*a_ssl_stream)->stClientHello->encrypted_server_name.record_digest = (unsigned char *)dictator_malloc(thread_seq,(*a_ssl_stream)->stClientHello->encrypted_server_name.record_digest_len); + memcpy((*a_ssl_stream)->stClientHello->encrypted_server_name.record_digest, cur_data+RECORD_DIGESTLEN_LEN, (*a_ssl_stream)->stClientHello->encrypted_server_name.record_digest_len); + cur_data += (RECORD_DIGESTLEN_LEN+(*a_ssl_stream)->stClientHello->encrypted_server_name.record_digest_len); + iUnAnaHelloLen -= (RECORD_DIGESTLEN_LEN+(*a_ssl_stream)->stClientHello->encrypted_server_name.record_digest_len); + } + if(iUnAnaHelloLen>ESNILEN_LEN) + { + (*a_ssl_stream)->stClientHello->encrypted_server_name.esni_len = (unsigned short)BtoL2BytesNum(cur_data); + (*a_ssl_stream)->stClientHello->encrypted_server_name.esni = (unsigned char *)dictator_malloc(thread_seq,(*a_ssl_stream)->stClientHello->encrypted_server_name.esni_len); + memcpy((*a_ssl_stream)->stClientHello->encrypted_server_name.esni, cur_data+ESNILEN_LEN, (*a_ssl_stream)->stClientHello->encrypted_server_name.esni_len); + cur_data += (ESNILEN_LEN+(*a_ssl_stream)->stClientHello->encrypted_server_name.esni_len); + iUnAnaHelloLen -= (ESNILEN_LEN+(*a_ssl_stream)->stClientHello->encrypted_server_name.esni_len); } - - if(NULL!=pstClientServerName) dictator_free(thread_seq,pstClientServerName); - break; } } @@ -212,6 +487,33 @@ UCHAR ssl_doWithClientHello(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, return return_val; } +void print_sni(ssl_stream **a_ssl_stream) +{ +#if PRINTF_CLIENT_HELLO + //printf("server_name:%s\n",(*a_ssl_stream)->stClientHello->server_name); + FILE* pFile = NULL; + time_t currTime; + struct tm *now; + char strTime[32]; + char logTime[32]; + char filename[64] = {0}; + time(&currTime); + now = localtime(&currTime); + memset(strTime, 0, sizeof(strTime) ); + memset(logTime, 0, sizeof(logTime) ); + strftime(strTime, sizeof(strTime), "%Y-%m-%d %H:%M:%S", now); + strftime(logTime, sizeof(logTime), "%Y-%m-%d", now); + strcpy(filename, "./ssl_log/ssl_server_name_log_"); + strcat(filename, logTime); + if(((pFile = fopen(filename, "a+"))!=NULL)) + { + fprintf(pFile,"%s===%s\n",strTime, (*a_ssl_stream)->stClientHello->server_name); + fclose(pFile); + } +#endif + +} + UCHAR ssl_doWithServerHello(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, unsigned long long region_flag, int thread_seq, void *a_packet) { diff --git a/src/SSL_Proc.h b/src/SSL_Proc.h index c9c7be2..8e25916 100644 --- a/src/SSL_Proc.h +++ b/src/SSL_Proc.h @@ -20,10 +20,15 @@ int BtoL3BytesNum(char *pcData); int BtoL4BytesNum(char *pcData); int ssl_protoRecg(char *pcData, int iDataLen); +char *fn_pcGetSuite(unsigned char *pucId, int iIdLen, stSerialString_t *pastElemTypes); UCHAR ssl_doWithVersion(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, unsigned long long region_flag, int thread_seq, void *a_packet); +UCHAR ssl_doWithNewSessionTicket(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, + unsigned long long region_flag, int thread_seq, void *a_packet); UCHAR ssl_doWithApplicationData(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, unsigned long long region_flag, int thread_seq, void *a_packet); +UCHAR ssl_doWithAlert(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, + unsigned long long region_flag, int thread_seq, void *a_packet); UCHAR ssl_doWithCertificate(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, unsigned long long region_flag, int thread_seq, void *a_packet); UCHAR ssl_doWithCertificateDetail(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, @@ -5,7 +5,7 @@ #include <stdio.h> #include <string.h> -#define SSH_H_VERSION_20160910_ADD_CERT 0 +#define SSH_H_VERSION_20201202_ADD_SESSION_TICKET 0 #define SSL_KEY 3 #define SSL_TRUE 1 @@ -19,6 +19,18 @@ #define SSL_CLIENT_HELLO (1<<SSL_CLIENT_HELLO_MASK) #define SSL_SERVER_HELLO (1<<SSL_SERVER_HELLO_MASK) #define SSL_VERSION (1<<SSL_VERSION_MASK) +#define SSL_ALERT (1<<SSL_ALERT_MASK) +#define SSL_NEW_SESSION_TICKET (1<<SSL_NEW_SESSION_TICKET_MASK) + +/**SSL versions, variate uiSslVersion in ssl_stream**/ +#define UNKNOWN_VERSION 0x0000 +#define SSLV3_VERSION 0x0300 +#define SSLV2_VERSION 0x0002 +#define TLSV1_0_VERSION 0x0301 +#define TLSV1_1_VERSION 0x0302 +#define TLSV1_2_VERSION 0x0303 +#define DTLSV1_0_VERSION 0xfeff +#define DTLSV1_0_VERSION_NOT 0x0100 typedef enum { @@ -30,6 +42,8 @@ typedef enum SSL_CERTIFICATE_MASK, SSL_APPLICATION_DATA_MASK, SSL_VERSION_MASK, + SSL_ALERT_MASK, + SSL_NEW_SESSION_TICKET_MASK, }ssl_interested_region; typedef struct cdata_buf @@ -52,39 +66,58 @@ typedef struct _st_session_t typedef struct _st_suites_t { - unsigned short suite_len; //4 - unsigned char* suite_value; + unsigned short suites_len; //4 + unsigned char* suites_value; //ciphersuites list, split into 2 bytes and get suite name by "ssl_get_suite" }st_suites_t; typedef struct _st_compress_methods_t { unsigned char methlen; - unsigned char* methods;//default 0:null + unsigned char* methods; //default 0:null }st_compress_methods_t; +typedef struct _st_session_tciket_t +{ + unsigned char ticketlen; + unsigned char* ticket; //default 0:null +}st_session_tciket_t; + +#define SUITE_VALUELEN 2 +#define KEY_EXCHANGELEN_LEN 4 +#define RECORD_DIGESTLEN_LEN 2 +#define ESNILEN_LEN 2 +typedef struct _st_esni_t +{ + unsigned short key_exchange_group; + unsigned short key_exchange_len; + unsigned char* key_exchange; + unsigned char* record_digest; + unsigned short record_digest_len; + unsigned short esni_len; + unsigned char* esni; + unsigned char* suite_value; //get suite name by "ssl_get_suite"function +}st_esni_t; + //#############################################client hello -#define CLIENT_HELLO_HDRLEN 4 -#define MAX_EXTENSION_NUM 16 -#define MAX_EXT_DATA_LEN 256 -#define SERVER_NAME_EXT_TYPE 0x0000 -#define SERVER_NAME_HOST_TYPE 0x0000 -#define SERVER_NAME_OTHER_TYPE 0x0008 +#define MAX_EXTENSION_NUM 16 +#define MAX_EXT_DATA_LEN 256 +#define SERVER_NAME_EXT_TYPE 0x0000 +#define SERVER_NAME_HOST_TYPE 0x0000 +#define SERVER_NAME_OTHER_TYPE 0x0008 +#define SESSION_TICKET_EXT_TYPE 0x0023 +#define ENCRPTED_SERVER_NAME_EXT_TYPE 0xFFCE + +/*important extension in clientHello: alpn(application_layer_protocol_negotiation) */ +#define ALPN_EXT_TYPE 0x0010 -typedef struct _st_client_ext_t + +typedef struct _st_ext_t { unsigned short type; unsigned short len; - unsigned char data[MAX_EXT_DATA_LEN];//if longer,cut off -}__attribute__((packed))st_client_ext_t; - -typedef struct _st_client_server_name_t -{ - short server_name_list_len; - unsigned short server_name_type; - unsigned char server_name_len; - unsigned char* server_name_data; -}__attribute__((packed))st_client_server_name_t; + unsigned char* data; +}st_ext_t; //client hello info @@ -94,12 +127,14 @@ typedef struct _st_client_hello_t unsigned short client_ver; st_random_t random; //32 byte random,not used currently st_session_t session; - st_suites_t ciphersuits; + st_suites_t ciphersuites; st_compress_methods_t com_method; //compress method unsigned short extlen; unsigned short ext_num; //number of extensions - st_client_ext_t exts[MAX_EXTENSION_NUM]; //extensions content:1 or more extentions + st_ext_t exts[MAX_EXTENSION_NUM]; //extensions content:1 or more extentions unsigned char server_name[512]; // server_name = host_name+... + st_session_tciket_t session_ticket; + st_esni_t encrypted_server_name; }st_client_hello_t; //#############################################client hello end @@ -111,15 +146,35 @@ typedef struct _st_client_hello_t typedef struct _st_server_hello_t { int totallen; //3 - unsigned short client_ver; + unsigned short server_ver; st_random_t random; //32 byte random,not used currently st_session_t session; - st_suites_t ciphersuits; + st_suites_t ciphersuites; st_compress_methods_t com_method; //compress method + unsigned short extlen; //the length of all extensions + unsigned short ext_num; //the number of extensions + st_ext_t exts[MAX_EXTENSION_NUM]; //the content of extensions :1 or more extentions + }st_server_hello_t; //#############################################server hello end + +//#############################################new session ticket +#define SESSION_TICKET_HDRLEN 4 + +//client hello info +typedef struct _st_new_session_ticket_t +{ + int totallen; //3 bytes + int lifttime; //second + int ticket_len; //3 bytes + unsigned char* ticket; +}st_new_session_ticket_t; + +//#############################################new session ticket end + + //#############################################certificate #define CERTIFICATE_HDRLEN 7 #define SSL_CERTIFICATE_HDRLEN 3 @@ -156,6 +211,8 @@ typedef struct _st_cert_t char SSLSubCN[64];//cname st_san_t* SSLSubAltName; uint8_t cert_type; + unsigned char* SSLSubKey; + int SSLSubKeyLen; }st_cert_t; //#############################################certificate end @@ -174,7 +231,7 @@ typedef struct _ssl_stream_t unsigned char over_flag; unsigned char ucContType; unsigned char is_ssl_stream; - unsigned int uiSslVersion; + unsigned short uiSslVersion; //SSL versions, definition like TLSV1_2_VERSION in ssl.h int uiAllMsgLen; //hand shake msg length int uiMsgProcLen; @@ -185,13 +242,15 @@ typedef struct _ssl_stream_t cdata_buf* p_output_buffer; st_client_hello_t* stClientHello; st_server_hello_t* stServerHello; - st_cert_t* stSSLCert; + st_cert_t* stSSLCert; business_infor_t* business; char* pcSslBuffer; ssl_interested_region output_region_mask; int uiCurBuffLen; + + st_new_session_ticket_t* stNewSessionTicket; }ssl_stream; /*ssl_read_all_cert�еĽṹ��*/ @@ -201,6 +260,13 @@ typedef struct cert_chain_s uint32_t cert_len; }cert_chain_t; +/*ssl_get_alpn_list?D��??��11��?*/ +typedef struct alpn_list_s +{ + char* alpn; //pointer to exts + uint32_t alpn_len; +}alpn_list_t; + /*ssl_read_specific_cert��cert_type�IJ���*/ #define CERT_TYPE_INDIVIDUAL 0 //����֤�� #define CERT_TYPE_ROOT 1 //��֤�� @@ -217,6 +283,20 @@ int ssl_read_all_cert(const char* conj_cert_buf, uint32_t conj_buflen, cert_chai /*return : 1 ���ڣ�0 ������*/ int ssl_read_specific_cert(const char* conj_cert_buf, uint32_t conj_buflen, uint8_t cert_type, char** cert, uint32_t* cert_len); +/*Obtain suite name like "TLS_RSA_WITH_AES_128_CBC_SHA" by suite_value; Each suite should be 2 bytes*/ +const char* ssl_get_suite_name(unsigned char* suite_value, unsigned short suite_len); + +/*Obtain version name like "TLS1.2" by version*/ +const char* ssl_get_version_name(unsigned short version); + +/*Obtain alpl list by */ +/* +input: stClientHello; alpn_list is applied by user +output: put the results in alpn_list +return: the number of alpn +*/ +int ssl_get_alpn_list(alpn_list_t* alpn_list, int alpn_size, st_ext_t* exts, unsigned short ext_num); + const char* ssl_get_suite(st_suites_t* ciphersuits); struct _ssl_ja3_info_t diff --git a/src/ssl_update.txt b/src/ssl_update.txt index 6e1a892..0817dce 100644 --- a/src/ssl_update.txt +++ b/src/ssl_update.txt @@ -9,6 +9,28 @@ https://blog.csdn.net/aixiaoxiaoyu/article/details/79175855 https://www.cnblogs.com/huhu0013/p/4791430.html BIO https://blog.csdn.net/liujiayu2/article/details/51860172 + + +bug��������ʷ +************************************************* +20210417 +֧��esni�ֶε���ȡ +************************************************* +20210107 +����֤�鹫Կ��Ϣ��SSLSubKey +************************************************* +20201230 +����ALPN���ֶεĽ��� +����SSL.H��ע�� +��������ɾ��� +ALERT���汨�� +************************************************* +20201203 +1. DROPPKT����DROPME���� +************************************************* +20201202 +1. ֧��session ticket +2. ֧��new session ticket ************************************************* 20200617 1. ��application data������bug diff --git a/src/tool/test_cert/test_cert.c b/src/tool/test_cert/test_cert.c index e16ec71..ffd2f17 100644 --- a/src/tool/test_cert/test_cert.c +++ b/src/tool/test_cert/test_cert.c @@ -73,6 +73,18 @@ int BtoL3BytesNum(char *pcData) return uiLength; } +int BtoL4BytesNum(char *pcData) +{ + int uiLength = 0; + uiLength = pcData[0]; + uiLength = (uiLength << 8) + (unsigned char)pcData[1]; + uiLength = (uiLength << 8) + (unsigned char)pcData[2]; + uiLength = (uiLength << 8) + (unsigned char)pcData[3]; + + return uiLength; +} + + typedef struct _stValueString_t { unsigned int uiValue; |