summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
author刘学利 <[email protected]>2021-05-11 03:34:57 +0000
committer刘学利 <[email protected]>2021-05-11 03:34:57 +0000
commiteaa9479def9efc97f0f6f991f8ac379fe1eb7ad6 (patch)
tree2f892115138e95af18846ee79cc315a6a795c3af /src
parent16b8fb5fe0e61815ec7020078876129044a77b0d (diff)
support session ticketv2.0.0
Diffstat (limited to 'src')
-rw-r--r--src/SSL_Analyze.c151
-rw-r--r--src/SSL_Certificate.c103
-rw-r--r--src/SSL_Certificate.h4
-rw-r--r--src/SSL_Common.c60
-rw-r--r--src/SSL_Common.h24
-rw-r--r--src/SSL_Message.c371
-rw-r--r--src/SSL_Message.h23
-rw-r--r--src/SSL_Proc.c398
-rw-r--r--src/SSL_Proc.h5
-rw-r--r--src/ssl.h134
-rw-r--r--src/ssl_update.txt22
-rw-r--r--src/tool/test_cert/test_cert.c12
12 files changed, 1010 insertions, 297 deletions
diff --git a/src/SSL_Analyze.c b/src/SSL_Analyze.c
index a8a581d..7e93981 100644
--- a/src/SSL_Analyze.c
+++ b/src/SSL_Analyze.c
@@ -17,6 +17,8 @@
#include "SSL_Proc.h"
#include "field_stat2.h"
#include "MESA_prof_load.h"
+#include "SSL_Common.h"
+
#define GIT_VERSION_CATTER(v) __attribute__((__used__)) const char * GIT_VERSION_##v = NULL
#define GIT_VERSION_EXPEND(v) GIT_VERSION_CATTER(v)
@@ -41,7 +43,7 @@ extern "C"
ssl_prog_runtime_parameter_t g_ssl_prog_para;
-int SSL_VERSION_1_20200617 = 0;
+int SSL_VERSION_1_20210428 = 0;
void ssl_history()
{
@@ -92,6 +94,15 @@ void ssl_history()
//2020-01-09 V0.2 add stream tag
//2020-06-15 V0.2 memset buf
//2020-06-17 V0.2 increase MAX_DATA_BUFFER 40960
+//2020-12-02 V0.2 support session ticket
+//2020-12-03 V0.2 droppkt and dropme
+//2020-12-30 V0.2 add alpn
+//2021-02-07 V0.2 add SSLSubKey
+//2021-04-17 V0.2 support esni
+//2021-04-28 V0.2 add certlen for each cert
+
+
+
//to do
@@ -138,9 +149,6 @@ int ssl_readconf(const char* filename)
int ssl_readMainConf(const char* filename)
{
- char http_log_filename[256];
-
-
MESA_load_profile_int_def(filename, "FUNCTION", "stat_screen_print", &g_ssl_prog_para.stat_screen_print_trigger,0);
MESA_load_profile_int_def(filename, "FUNCTION", "stat_cycle", &g_ssl_prog_para.stat_cycle,0);
MESA_load_profile_string_def(filename, "FUNCTION", "stat_file", g_ssl_prog_para.stat_filename, sizeof(g_ssl_prog_para.stat_filename),"./log/ssl/ssl_stat.log");
@@ -236,7 +244,7 @@ void SSL_PROT_FUNSTAT(unsigned long long protflag)
return;
}/*PROT_FUNSTAT*/
-unsigned long long ssl_getRegionID(char *string, int str_len, char g_string[MAX_REGION_NUM][REGION_NAME_LEN])
+unsigned long long ssl_getRegionID(char *string, int str_len, const char g_string[MAX_REGION_NUM][REGION_NAME_LEN])
{
unsigned long long i=0;
for(i=0;i<g_ssl_prog_para.ssl_region_cnt;i++)
@@ -300,16 +308,16 @@ void ssl_initStructClientHello(st_client_hello_t* pstClientHello)
pstClientHello->session.session_value = NULL;
pstClientHello->session.session_len = 0;
- pstClientHello->ciphersuits.suite_value = NULL;
- pstClientHello->ciphersuits.suite_len = 0;
+ pstClientHello->ciphersuites.suites_value = NULL;
+ pstClientHello->ciphersuites.suites_len = 0;
pstClientHello->com_method.methods = NULL;
pstClientHello->com_method.methlen = 0;
+ pstClientHello->ext_num = 0;
memset(&pstClientHello->random, 0, sizeof(pstClientHello->random));
int i=0;
for(i=0;i<MAX_EXTENSION_NUM;i++)
{
memset(&pstClientHello->exts[i], 0, sizeof(pstClientHello->exts[i]));
-
}
memset(&pstClientHello->server_name, 0, sizeof(pstClientHello->server_name));
return;
@@ -321,11 +329,17 @@ void ssl_initStructServerHello(st_server_hello_t* pstServerHello)
pstServerHello->session.session_value = NULL;
pstServerHello->session.session_len = 0;
- pstServerHello->ciphersuits.suite_value = NULL;
- pstServerHello->ciphersuits.suite_len = 0;
+ pstServerHello->ciphersuites.suites_value = NULL;
+ pstServerHello->ciphersuites.suites_len = 0;
pstServerHello->com_method.methods = NULL;
pstServerHello->com_method.methlen = 0;
+ pstServerHello->ext_num = 0;
memset(&pstServerHello->random, 0, sizeof(pstServerHello->random));
+ int i=0;
+ for(i=0;i<MAX_EXTENSION_NUM;i++)
+ {
+ memset(&pstServerHello->exts[i], 0, sizeof(pstServerHello->exts[i]));
+ }
return;
}
@@ -361,19 +375,7 @@ int ssl_initSslStream(struct streaminfo *a_tcp, void **pme, int thread_seq)
a_ssl_stream->p_output_buffer = (cdata_buf*)dictator_malloc(thread_seq, sizeof(cdata_buf));
a_ssl_stream->p_output_buffer->data_size = 0;
a_ssl_stream->p_output_buffer->p_data = 0;
-
- /*
- a_ssl_stream->stSSLCert = (st_cert_t*)dictator_malloc(thread_seq,sizeof(st_cert_t));
- memset(a_ssl_stream->stSSLCert, 0, sizeof(a_ssl_stream->stSSLCert));
-
- a_ssl_stream->stClientHello = (st_client_hello_t*)dictator_malloc(thread_seq,sizeof(st_client_hello_t));
- memset(a_ssl_stream->stClientHello, 0, sizeof(a_ssl_stream->stClientHello));
- ssl_initStructClientHello(a_ssl_stream->stClientHello);
-
- a_ssl_stream->stServerHello = (st_server_hello_t*)dictator_malloc(thread_seq,sizeof(st_server_hello_t));
- memset(a_ssl_stream->stServerHello, 0, sizeof(a_ssl_stream->stServerHello));
- ssl_initStructServerHello(a_ssl_stream->stServerHello);
- */
+
a_ssl_stream->output_region_mask = SSL_INTEREST_KEY_MASK;
a_ssl_stream->business = (business_infor_t *)dictator_malloc(thread_seq,sizeof(business_infor_t));
@@ -393,15 +395,35 @@ void ssl_releaseStructClientHello(int thread_seq, st_client_hello_t* pstClientHe
dictator_free(thread_seq,pstClientHello->session.session_value);
pstClientHello->session.session_value = NULL;
}
- if(pstClientHello->ciphersuits.suite_value!=NULL)
+ if(pstClientHello->ciphersuites.suites_value!=NULL)
{
- dictator_free(thread_seq,pstClientHello->ciphersuits.suite_value);
- pstClientHello->ciphersuits.suite_value = NULL;
+ dictator_free(thread_seq,pstClientHello->ciphersuites.suites_value);
+ pstClientHello->ciphersuites.suites_value = NULL;
}
if(pstClientHello->com_method.methods!=NULL)
{
dictator_free(thread_seq,pstClientHello->com_method.methods);
pstClientHello->com_method.methods = NULL;
+ }
+ if(pstClientHello->encrypted_server_name.key_exchange!=NULL)
+ {
+ dictator_free(thread_seq,pstClientHello->encrypted_server_name.key_exchange);
+ pstClientHello->encrypted_server_name.key_exchange = NULL;
+ }
+ if(pstClientHello->encrypted_server_name.esni!=NULL)
+ {
+ dictator_free(thread_seq,pstClientHello->encrypted_server_name.esni);
+ pstClientHello->encrypted_server_name.esni = NULL;
+ }
+ if(pstClientHello->encrypted_server_name.record_digest!=NULL)
+ {
+ dictator_free(thread_seq,pstClientHello->encrypted_server_name.record_digest);
+ pstClientHello->encrypted_server_name.record_digest = NULL;
+ }
+ if(pstClientHello->encrypted_server_name.suite_value!=NULL)
+ {
+ dictator_free(thread_seq,pstClientHello->encrypted_server_name.suite_value);
+ pstClientHello->encrypted_server_name.suite_value = NULL;
}
return;
}
@@ -416,19 +438,20 @@ void ssl_releaseStructServerHello(int thread_seq,st_server_hello_t* pstServerHel
dictator_free(thread_seq,pstServerHello->session.session_value);
pstServerHello->session.session_value = NULL;
}
- if(pstServerHello->ciphersuits.suite_value!=NULL)
+ if(pstServerHello->ciphersuites.suites_value!=NULL)
{
- dictator_free(thread_seq,pstServerHello->ciphersuits.suite_value);
- pstServerHello->ciphersuits.suite_value = NULL;
+ dictator_free(thread_seq,pstServerHello->ciphersuites.suites_value);
+ pstServerHello->ciphersuites.suites_value = NULL;
}
if(pstServerHello->com_method.methods!=NULL)
{
dictator_free(thread_seq,pstServerHello->com_method.methods);
pstServerHello->com_method.methods = NULL;
- }
+ }
return ;
}
+
void ssl_releaseSslStream(struct streaminfo *a_tcp, ssl_stream** pme, int thread_seq,void *a_packet)
{
ssl_stream *a_ssl_stream = (ssl_stream *)*pme;
@@ -472,7 +495,11 @@ void ssl_releaseSslStream(struct streaminfo *a_tcp, ssl_stream** pme, int thread
dictator_free(thread_seq,a_ssl_stream->stServerHello);
a_ssl_stream->stServerHello = NULL;
}
-
+ if(NULL != a_ssl_stream->stNewSessionTicket)
+ {
+ dictator_free(thread_seq,a_ssl_stream->stNewSessionTicket);
+ a_ssl_stream->stNewSessionTicket = NULL;
+ }
if(a_ssl_stream->pcSslBuffer!=NULL)
{
dictator_free(thread_seq,a_ssl_stream->pcSslBuffer);
@@ -506,27 +533,29 @@ char SSL_ENTRY(struct streaminfo *a_tcp, void**pme, int thread_seq, void *a_pack
ssl_initSslStream(a_tcp, pme,thread_seq);
case OP_STATE_DATA:
return_val = ssl_analyseStream(a_tcp, pme ,thread_seq, a_packet);
- a_ssl_stream = (ssl_stream *)*pme;
- if (SSL_RETURN_DROPME == return_val || a_ssl_stream->business->return_value & PROT_STATE_DROPME)
+ a_ssl_stream = (ssl_stream *)*pme;
+
+ if(SSL_RETURN_DROPME==return_val || a_ssl_stream->business->return_value&PROT_STATE_DROPME)
+ {
+ state = APP_STATE_DROPME;
+ }
+ if(a_ssl_stream->business->return_value&PROT_STATE_DROPPKT)
{
- state = APP_STATE_DROPME;
+ state |=APP_STATE_DROPPKT;
+ a_ssl_stream->business->return_value ^= PROT_STATE_DROPPKT;
}
- if (a_ssl_stream->business->return_value & PROT_STATE_DROPPKT)
- {
- state |= APP_STATE_DROPPKT;
- a_ssl_stream->business->return_value ^= PROT_STATE_DROPPKT;
+ if(state&APP_STATE_DROPME)
+ {
+ ssl_releaseSslStream(a_tcp, &a_ssl_stream, thread_seq,a_packet);
+ *pme = NULL;
}
- if (state & APP_STATE_DROPME)
- {
- ssl_releaseSslStream(a_tcp, &a_ssl_stream, thread_seq, a_packet);
- *pme = NULL;
- }
- return state;
-
- break;
- case OP_STATE_CLOSE:
- a_ssl_stream = (ssl_stream *)*pme;
- if (a_ssl_stream != NULL)
+
+ return state;
+ break;
+
+ case OP_STATE_CLOSE:
+ a_ssl_stream = (ssl_stream *)*pme;
+ if(a_ssl_stream!=NULL)
{
a_ssl_stream->over_flag = SSL_TRUE;
}
@@ -546,21 +575,21 @@ char SSL_ENTRY(struct streaminfo *a_tcp, void**pme, int thread_seq, void *a_pack
FS_operate(g_ssl_prog_para.stat_handler, g_ssl_prog_para.stat_field[SSL_STAT_BITS_S2C], 0, FS_OP_SET, g_ssl_prog_para.stat_value[SSL_STAT_BITS_S2C]);
}
}
- return_val = ssl_analyseStream(a_tcp, pme, thread_seq, a_packet);
+ return_val = ssl_analyseStream(a_tcp, pme ,thread_seq, a_packet);
state = APP_STATE_DROPME;
- if (a_ssl_stream->business->return_value & PROT_STATE_DROPPKT)
+ if(a_ssl_stream->business->return_value&PROT_STATE_DROPPKT)
{
state |= APP_STATE_DROPPKT;
- a_ssl_stream->business->return_value ^= PROT_STATE_DROPPKT;
- }
- if (NULL != a_ssl_stream)
- {
- ssl_releaseSslStream(a_tcp, &a_ssl_stream, thread_seq, a_packet);
- *pme = NULL;
- }
-
- return state;
- }
+ a_ssl_stream->business->return_value ^= PROT_STATE_DROPPKT;
+ }
+ if(NULL!=a_ssl_stream)
+ {
+ ssl_releaseSslStream(a_tcp, &a_ssl_stream, thread_seq,a_packet);
+ *pme = NULL;
+ }
+
+ return state;
+ }
return APP_STATE_GIVEME;
}
diff --git a/src/SSL_Certificate.c b/src/SSL_Certificate.c
index 9fb8d9f..ee50ded 100644
--- a/src/SSL_Certificate.c
+++ b/src/SSL_Certificate.c
@@ -243,14 +243,18 @@ UCHAR ssl_AnalyseCertificate(char *pcSslCertificateData, int iDataLen, ssl_strea
int cert_cnt = ssl_read_all_cert(pcCurSslCertificateData, iUnAnaCertLen, cert_unit, CERT_MAXNUM);
int i=0;
+ int totallen = a_ssl_stream->stSSLCert->totallen;
for(i=0;i<cert_cnt;i++)
{
+ a_ssl_stream->stSSLCert->totallen = totallen;
return_val = fn_pGetSSLInfo(cert_unit[i].cert, cert_unit[i].cert_len, a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet);
if( SSL_RETURN_NORM != return_val) return return_val;
-
- a_ssl_stream->output_region_mask = SSL_CERTIFICATE_DETAIL_MASK;
- a_ssl_stream->p_output_buffer->p_data = pcCurSslCertificateData;
+
+ a_ssl_stream->stSSLCert->certlen = cert_unit[i].cert_len;
+ a_ssl_stream->output_region_mask = SSL_CERTIFICATE_DETAIL_MASK;
+ a_ssl_stream->p_output_buffer->p_data = cert_unit[i].cert;
a_ssl_stream->p_output_buffer->data_size = a_ssl_stream->stSSLCert->certlen;
+
switch(cert_num)
{
case 0:
@@ -302,10 +306,15 @@ UCHAR ssl_AnalyseCertificate(char *pcSslCertificateData, int iDataLen, ssl_strea
dictator_free(thread_seq,a_ssl_stream->stSSLCert->SSLSubAltName);
a_ssl_stream->stSSLCert->SSLSubAltName = NULL;
}
+ if(a_ssl_stream->stSSLCert->SSLSubKey!=NULL)
+ {
+ dictator_free(thread_seq,a_ssl_stream->stSSLCert->SSLSubKey);
+ a_ssl_stream->stSSLCert->SSLSubKey = NULL;
+ }
#if PRINTF_CERTIFICATE
cert_log(a_ssl_stream);
-#endif
- memset(a_ssl_stream->stSSLCert,0,sizeof(st_cert_t));
+#endif
+ memset(a_ssl_stream->stSSLCert,0,sizeof(st_cert_t));
if(SSL_RETURN_NORM != return_val && SSL_RETURN_UNNORM != return_val ) return return_val;
}
return SSL_RETURN_NORM;
@@ -1030,7 +1039,6 @@ UCHAR fn_pGetSSLInfo(char *pcCert, int iLen, ssl_stream *a_ssl_stream, struct
unsigned long long region_flag, int thread_seq, void *a_packet)
{
//return SSL_RETURN_NORM;
- int data = 0;
X509 *x509_handle = d2i_X509(NULL, (unsigned char const **)&pcCert, iLen);
if (x509_handle == NULL)
@@ -1090,7 +1098,18 @@ UCHAR fn_pGetSSLInfo(char *pcCert, int iLen, ssl_stream *a_ssl_stream, struct
a_ssl_stream->stSSLCert->SSLSubO,
a_ssl_stream->stSSLCert->SSLSubC);
}
-
+
+ /*SSL Subject keyInfo*/
+ EVP_PKEY* pkey = X509_get_pubkey(x509_handle);
+ if(pkey!=NULL)
+ {
+ int pkeyLen=0;
+ a_ssl_stream->stSSLCert->SSLSubKeyLen = i2d_PublicKey(pkey, NULL);;
+ a_ssl_stream->stSSLCert->SSLSubKey = (unsigned char *)dictator_malloc(thread_seq, a_ssl_stream->stSSLCert->SSLSubKeyLen);
+ pkeyLen = i2d_PublicKey(pkey, &(a_ssl_stream->stSSLCert->SSLSubKey)); //!!! point will be changed
+ a_ssl_stream->stSSLCert->SSLSubKey = a_ssl_stream->stSSLCert->SSLSubKey-a_ssl_stream->stSSLCert->SSLSubKeyLen;
+ }
+
/*validity*/
ASN1_TIME *start = X509_get_notBefore(x509_handle);
ASN1_TIME *end = X509_get_notAfter(x509_handle);
@@ -1103,7 +1122,6 @@ UCHAR fn_pGetSSLInfo(char *pcCert, int iLen, ssl_stream *a_ssl_stream, struct
int cnt = sk_GENERAL_NAME_num(subjectAltNames);
char* san = NULL;
ASN1_STRING *san_name;
- int len = 0;
GENERAL_NAME* generalName;
if(cnt>0)
{
@@ -1134,7 +1152,76 @@ UCHAR fn_pGetSSLInfo(char *pcCert, int iLen, ssl_stream *a_ssl_stream, struct
if(subjectAltNames)
{
GENERAL_NAMES_free(subjectAltNames);
+ }
+
+ /*extension*/
+ /*SCT*/
+ /*
+ GENERAL_NAMES* subjectAltNames = (GENERAL_NAMES*)X509_get_ext_d2i(x509_handle, NID_subject_alt_name, NULL, NULL);
+ if(!subjectAltNames) goto cert_return;
+ int cnt = sk_GENERAL_NAME_num(subjectAltNames);
+ char* san = NULL;
+ ASN1_STRING *san_name;
+ GENERAL_NAME* generalName;
+ if(cnt>0)
+ {
+ a_ssl_stream->stSSLCert->SSLSubAltName = (st_san_t*)dictator_malloc(thread_seq, sizeof(st_san_t));
+ a_ssl_stream->stSSLCert->SSLSubAltName->san_array = (san_t*)dictator_malloc(thread_seq, cnt*sizeof(san_t));
+ memset(a_ssl_stream->stSSLCert->SSLSubAltName->san_array,0,cnt*sizeof(san_t));
+ a_ssl_stream->stSSLCert->SSLSubAltName->count = 0;
+ for (int i = 0; i < cnt; i++)
+ {
+ generalName = sk_GENERAL_NAME_value(subjectAltNames, i);
+ if(!generalName) goto cert_return;
+ if(GEN_DNS == generalName->type)
+ {
+ san_name = (ASN1_STRING*)GENERAL_NAME_get0_value(generalName, NULL);
+ if(ASN1_STRING_length(san_name)>0)
+ {
+ san = (char*)ASN1_STRING_data(san_name);
+ snprintf(a_ssl_stream->stSSLCert->SSLSubAltName->san_array[a_ssl_stream->stSSLCert->SSLSubAltName->count].san,
+ sizeof(a_ssl_stream->stSSLCert->SSLSubAltName->san_array[a_ssl_stream->stSSLCert->SSLSubAltName->count].san),
+ "%s",
+ san);
+ a_ssl_stream->stSSLCert->SSLSubAltName->count++;
+ }
+ }
+ }
+
+ /* GET ALL EXTENSION
+ int ext_num = X509_get_ext_count(x509_handle);
+ X509_EXTENSION* ext;
+ ASN1_OBJECT* obj;
+ int oid;
+ STACK_OF(CONF_VALUE)* item;
+ int item_num=0;
+ CONF_VALUE *val;
+ for(int i=0;i<ext_num;i++)
+ {
+ ext = X509_get_ext(x509_handle, i);
+ if(ext!=NULL)
+ {
+ item = X509V3_parse_list((const char *)ext->value->data);
+ item_num = sk_CONF_VALUE_num(item);
+ for (int j = 0; j<item_num; j++)
+ {
+ val = sk_CONF_VALUE_value(item, i);
+ //val->section;
+ //val->name;
+ }
+ obj = X509_EXTENSION_get_object(ext);
+ if(obj!=NULL)
+ {
+ oid = OBJ_obj2nid(obj);
+ ///*SCT: Signed Certificate Timestamp; OID is 1.3.6.1.4.1.11129.2.4.2; NID: NID_ct_cert_scts
+ if(oid=SCT_OID)
+ {
+
+ }
+ }
+ }
}
+ */
}
cert_return:
diff --git a/src/SSL_Certificate.h b/src/SSL_Certificate.h
index 38f96ca..76798db 100644
--- a/src/SSL_Certificate.h
+++ b/src/SSL_Certificate.h
@@ -11,6 +11,10 @@
#define CERT_TYPE_MAXNUM 16
+//#define SCT_OID 1.3.6.1.4.1.11129.2.4.2
+#define SCT_OID 1
+
+
#ifdef __cplusplus
extern "C" {
#endif
diff --git a/src/SSL_Common.c b/src/SSL_Common.c
new file mode 100644
index 0000000..0d9aea8
--- /dev/null
+++ b/src/SSL_Common.c
@@ -0,0 +1,60 @@
+/*
+ * SSL_Common.c
+
+ *
+ * Created on: 2013-5-8
+ * Author: lis
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "SSL_Common.h"
+
+int get_so_path(void* func_addr,char* path,unsigned int size)
+
+ {
+
+ Dl_info av_dl_info;
+
+ dladdr(func_addr,&av_dl_info);
+
+ unsigned int i=0,last_slash_pos=0;
+
+ for(i=0;i<strlen(av_dl_info.dli_fname);i++)
+
+ {
+
+ if(av_dl_info.dli_fname[i]=='/')
+
+ {
+
+ last_slash_pos=i;
+
+ }
+
+ }
+
+ if(i<size)
+
+ {
+
+ memcpy(path,av_dl_info.dli_fname,last_slash_pos);
+
+ return last_slash_pos;
+
+ }
+
+ else
+
+ {
+
+ return 0;
+
+ }
+
+
+
+ }
+
+
diff --git a/src/SSL_Common.h b/src/SSL_Common.h
new file mode 100644
index 0000000..1a9bf93
--- /dev/null
+++ b/src/SSL_Common.h
@@ -0,0 +1,24 @@
+/*
+ * SSL_Common.h
+
+ *
+ * Created on: 2013-5-8
+ * Author: lis
+ */
+
+#ifndef SSL_COMMON_H_
+#define SSL_COMMON_H_
+
+#include <time.h>
+#include <ctype.h>
+#include <dlfcn.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+int get_so_path(void* func_addr,char* path,unsigned int size);
+
+#ifdef __cplusplus
+}
+#endif
+#endif /* SSL_COMMON_H_ */
diff --git a/src/SSL_Message.c b/src/SSL_Message.c
index aa7bcd0..d7062f1 100644
--- a/src/SSL_Message.c
+++ b/src/SSL_Message.c
@@ -3,117 +3,71 @@
#include "ssl.h"
#include "SSL_Message.h"
#include "SSL_Proc.h"
+#include "SSL_Common.h"
#include "SSL_Certificate.h"
extern ssl_prog_runtime_parameter_t g_ssl_prog_para;
-
-const stSerialString_t g_astCipherSuit[] =
-{
- {{0X00, 0X2f}, "TLS_RSA_WITH_AES_128_CBC_SHA"},
- {{0X00, 0X35}, "TLS_RSA_WITH_AES_256_CBC_SHA"},
- {{0X00, 0X05}, "TLS_RSA_WITH_RC4_128_CBC_SHA"},
- {{0X00, 0X0a}, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
- {{0Xc0, 0X13}, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"},
- {{0Xc0, 0X14}, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"},
- {{0Xc0, 0X09}, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"},
- {{0Xc0, 0X0a}, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"},
- {{0X00, 0X32}, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"},
- {{0X00, 0X38}, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA"},
- {{0X00, 0X13}, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"},
- {{0X00, 0X04}, "TLS_RSA_WITH_RC4_128_MD5"},
- {{0X00, 0X39}, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"},
- {{0}, NULL},
-};
+extern stSerialString_t g_astCipherSuit;
const stSerialString_t g_astCompression[] =
{
{{0}, NULL},
};
-char *fn_pcGetSuite(unsigned char *pucId, int iIdLen, stSerialString_t *pastElemTypes)
+const char* ssl_get_suite(st_suites_t* ciphersuites)
{
- int iLoop = 0;
- int iInLoop = 0;
-
- if (NULL == pucId || iIdLen < 0 || NULL == pastElemTypes)
- {
- return NULL;
- }
-
- for (iLoop = 0; NULL != pastElemTypes[iLoop].pcString; ++iLoop)
- {
- for (iInLoop = 0; iInLoop < iIdLen; ++iInLoop)
- {
- if (pucId[iInLoop] != pastElemTypes[iLoop].aucSerial[iInLoop])
- {
- //continue;
- break;
- }
- }
-
- if (iInLoop == iIdLen)
- {
- return (char *)(pastElemTypes[iLoop].pcString);
- }
- }
-
- return NULL;
-}
-
-
-const char* ssl_get_suite(st_suites_t* ciphersuits)
-{
- if(ciphersuits==NULL) return NULL;
- return fn_pcGetSuite((unsigned char *)ciphersuits->suite_value, ciphersuits->suite_len, (stSerialString_t*)g_astCipherSuit);
+ if(ciphersuites==NULL) return NULL;
+ return fn_pcGetSuite((unsigned char *)ciphersuites->suites_value, ciphersuites->suites_len, (stSerialString_t*)&g_astCipherSuit);
}
unsigned short ssl_getHelloVersion(unsigned char *pcData, unsigned int iDataLen)
-{
- if (CLIENT_HELLO != pcData[0] && SERVER_HELLO != pcData[0])
- {
- return 0;
- }
+{
+ if (CLIENT_HELLO != pcData[0] && SERVER_HELLO != pcData[0])
+ {
+ return 0;
+ }
- if (03 == pcData[4] && 1 == pcData[5])
- {
- /*TLS 1.0*/
- return 0x0301;
- }
- else if (03 == pcData[4] && 2 == pcData[5])
- {
- /*TLS 2.0*/
- return 0x0302;
- }
+ if (03 == pcData[4] && 1 == pcData[5])
+ {
+ /*TLS 1.0*/
+ return TLSV1_0_VERSION;
+ }
+ else if (03 == pcData[4] && 2 == pcData[5])
+ {
+ /*TLS 2.0*/
+ return TLSV1_1_VERSION;
+ }
else if (03 == pcData[4] && 3 == pcData[5])
- {
- /*TLS 2.0*/
- return 0x0303;
- }
- else if (03 == pcData[4] && 0 == pcData[5])
- {
- /*SSL 3.0*/
- return 0x0300;
- }
- else if (0 == pcData[4] && 2 == pcData[5])
- {
- /*SSL 2.0*/
- return 0x0002;
- }
- else if (0xfe == (unsigned char)pcData[4] && 0xff == (unsigned char)pcData[5])
- {
- /*DTLS 1.0*/
- return 0xfeff;
- }
- else if (0x01 == (unsigned char)pcData[4] && 0x00 == (unsigned char)pcData[5])
- {
- /*DTLS 1.0 (OpenSSL pre 0.9.8f)*/
- return 0x0100;
- }
- return 0;
+ {
+ /*TLS 2.0*/
+ return TLSV1_2_VERSION;
+ }
+ else if (03 == pcData[4] && 0 == pcData[5])
+ {
+ /*SSL 3.0*/
+ return SSLV3_VERSION;
+ }
+ else if (0 == pcData[4] && 2 == pcData[5])
+ {
+ /*SSL 2.0*/
+ return SSLV2_VERSION;
+ }
+ else if (0xfe == (unsigned char)pcData[4] && 0xff == (unsigned char)pcData[5])
+ {
+ /*DTLS 1.0*/
+ return DTLSV1_0_VERSION;
+ }
+ else if (0x01 == (unsigned char)pcData[4] && 0x00 == (unsigned char)pcData[5])
+ {
+ /*DTLS 1.0 (OpenSSL pre 0.9.8f)*/
+ return DTLSV1_0_VERSION_NOT;
+ }
+ return 0;
}
+
int fn_iIsHandShakeMsg(unsigned char ucMsgType)
{
switch (ucMsgType)
@@ -122,6 +76,7 @@ int fn_iIsHandShakeMsg(unsigned char ucMsgType)
case CLIENT_HELLO:
case SERVER_HELLO:
case CERTIFICATE:
+ case NEW_SESSION_TICKET:
// case SERVER_KEY_EXCHANGE:
// case CERTIFICATE_REQUEST:
// case SERVER_HELLO_DONE:
@@ -219,7 +174,7 @@ UCHAR ssl_analyseHandShake(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseL
if(a_ssl_stream->stClientHello==NULL)
{
a_ssl_stream->stClientHello = (st_client_hello_t*)dictator_malloc(thread_seq,sizeof(st_client_hello_t));
- memset(a_ssl_stream->stClientHello, 0, sizeof(a_ssl_stream->stClientHello));
+ memset(a_ssl_stream->stClientHello, 0, sizeof(st_client_hello_t));
ssl_initStructClientHello(a_ssl_stream->stClientHello);
}
@@ -285,23 +240,23 @@ UCHAR ssl_analyseHandShake(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseL
}
/*get client hello suites*/
- a_ssl_stream->stClientHello->ciphersuits.suite_len = (unsigned short)BtoL2BytesNum(pcCurSslData);
- pcCurSslData += sizeof(a_ssl_stream->stClientHello->ciphersuits.suite_len);
- iUnAnaHelloLen -= sizeof(a_ssl_stream->stClientHello->ciphersuits.suite_len);
+ a_ssl_stream->stClientHello->ciphersuites.suites_len = (unsigned short)BtoL2BytesNum(pcCurSslData);
+ pcCurSslData += sizeof(a_ssl_stream->stClientHello->ciphersuites.suites_len);
+ iUnAnaHelloLen -= sizeof(a_ssl_stream->stClientHello->ciphersuites.suites_len);
if(iUnAnaHelloLen<0)
{
return SSL_RETURN_DROPME;
}
- if(a_ssl_stream->stClientHello->ciphersuits.suite_len>iUnAnaHelloLen)
+ if(a_ssl_stream->stClientHello->ciphersuites.suites_len>iUnAnaHelloLen)
{
return SSL_RETURN_DROPME;
}
- if(a_ssl_stream->stClientHello->ciphersuits.suite_len!=0)
+ if(a_ssl_stream->stClientHello->ciphersuites.suites_len!=0)
{
- a_ssl_stream->stClientHello->ciphersuits.suite_value = (unsigned char *)dictator_malloc(thread_seq,a_ssl_stream->stClientHello->ciphersuits.suite_len);
- memcpy(a_ssl_stream->stClientHello->ciphersuits.suite_value, pcCurSslData, a_ssl_stream->stClientHello->ciphersuits.suite_len);
- pcCurSslData += a_ssl_stream->stClientHello->ciphersuits.suite_len;
- iUnAnaHelloLen -= a_ssl_stream->stClientHello->ciphersuits.suite_len;
+ a_ssl_stream->stClientHello->ciphersuites.suites_value = (unsigned char *)dictator_malloc(thread_seq,a_ssl_stream->stClientHello->ciphersuites.suites_len);
+ memcpy(a_ssl_stream->stClientHello->ciphersuites.suites_value, pcCurSslData, a_ssl_stream->stClientHello->ciphersuites.suites_len);
+ pcCurSslData += a_ssl_stream->stClientHello->ciphersuites.suites_len;
+ iUnAnaHelloLen -= a_ssl_stream->stClientHello->ciphersuites.suites_len;
if(iUnAnaHelloLen<0)
{
return SSL_RETURN_DROPME;
@@ -339,6 +294,7 @@ UCHAR ssl_analyseHandShake(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseL
int i=0;
for(i=0; iUnAnaHelloLen>=4 && i<MAX_EXTENSION_NUM; i++)//min len of ext is 4 byte
{
+
a_ssl_stream->stClientHello->exts[i].type = (unsigned short)BtoL2BytesNum(pcCurSslData);
pcCurSslData += sizeof(a_ssl_stream->stClientHello->exts[i].type);
iUnAnaHelloLen -= sizeof(a_ssl_stream->stClientHello->exts[i].type);
@@ -353,31 +309,35 @@ UCHAR ssl_analyseHandShake(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseL
if(iUnAnaHelloLen<0)
{
return SSL_RETURN_DROPME;
- }
-
- memcpy(a_ssl_stream->stClientHello->exts[i].data,
- pcCurSslData,
- MIN(a_ssl_stream->stClientHello->exts[i].len, MAX_EXT_DATA_LEN)); //get ext data
-
+ }
+ a_ssl_stream->stClientHello->exts[i].data = (unsigned char *)dictator_malloc(thread_seq, a_ssl_stream->stClientHello->exts[i].len);
+ memcpy(a_ssl_stream->stClientHello->exts[i].data, pcCurSslData, a_ssl_stream->stClientHello->exts[i].len); //get ext data
pcCurSslData += a_ssl_stream->stClientHello->exts[i].len;
- iUnAnaHelloLen -= a_ssl_stream->stClientHello->exts[i].len;
- if(iUnAnaHelloLen<0)
- {
- return SSL_RETURN_DROPME;
- }
+ iUnAnaHelloLen -= a_ssl_stream->stClientHello->exts[i].len;
}
a_ssl_stream->stClientHello->ext_num = i;
+ //printf("ext_num: %d\n", a_ssl_stream->stClientHello->ext_num);
return_val = ssl_doWithClientHello(&a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet);
//20141121
+ for(int j=0;j<a_ssl_stream->stClientHello->ext_num;j++)
+ {
+ if(a_ssl_stream->stClientHello->exts[j].data!=NULL)
+ {
+ dictator_free(thread_seq,a_ssl_stream->stClientHello->exts[j].data);
+ a_ssl_stream->stClientHello->exts[j].data = NULL;
+ }
+ }
+ a_ssl_stream->stClientHello->ext_num = 0;
+ a_ssl_stream->stClientHello->session_ticket.ticket = NULL;
if(a_ssl_stream->stClientHello->session.session_value!=NULL)
{
dictator_free(thread_seq,a_ssl_stream->stClientHello->session.session_value);
a_ssl_stream->stClientHello->session.session_value = NULL;
}
- if(a_ssl_stream->stClientHello->ciphersuits.suite_value!=NULL)
+ if(a_ssl_stream->stClientHello->ciphersuites.suites_value!=NULL)
{
- dictator_free(thread_seq,a_ssl_stream->stClientHello->ciphersuits.suite_value);
- a_ssl_stream->stClientHello->ciphersuits.suite_value = NULL;
+ dictator_free(thread_seq,a_ssl_stream->stClientHello->ciphersuites.suites_value);
+ a_ssl_stream->stClientHello->ciphersuites.suites_value = NULL;
}
if(a_ssl_stream->stClientHello->com_method.methods!=NULL)
{
@@ -400,7 +360,7 @@ UCHAR ssl_analyseHandShake(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseL
if(a_ssl_stream->stServerHello==NULL)
{
a_ssl_stream->stServerHello = (st_server_hello_t*)dictator_malloc(thread_seq,sizeof(st_server_hello_t));
- memset(a_ssl_stream->stServerHello, 0, sizeof(a_ssl_stream->stServerHello));
+ memset(a_ssl_stream->stServerHello, 0, sizeof(st_server_hello_t));
ssl_initStructServerHello(a_ssl_stream->stServerHello);
}
a_ssl_stream->stServerHello->totallen = BtoL3BytesNum((char *)(pcCurSslData + 1));
@@ -412,18 +372,18 @@ UCHAR ssl_analyseHandShake(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseL
/**packet trunked**/
break;
}
- if(0==(a_ssl_stream->stServerHello->client_ver = ssl_getHelloVersion((unsigned char*)pcCurSslData, iUnAnalyseLen)))
+ if(0==(a_ssl_stream->stServerHello->server_ver = ssl_getHelloVersion((unsigned char*)pcCurSslData, iUnAnalyseLen)))
{
return SSL_RETURN_DROPME;
}
- iUnAnaHelloLen = a_ssl_stream->stServerHello->totallen-sizeof(a_ssl_stream->stServerHello->client_ver);
+ iUnAnaHelloLen = a_ssl_stream->stServerHello->totallen-sizeof(a_ssl_stream->stServerHello->server_ver);
if(iUnAnaHelloLen<0)
{
return SSL_RETURN_DROPME;
}
- pcCurSslData += SERVER_HELLO_HDRLEN+sizeof(a_ssl_stream->stServerHello->client_ver);
+ pcCurSslData += SERVER_HELLO_HDRLEN+sizeof(a_ssl_stream->stServerHello->server_ver);
/*get server hello random*/
a_ssl_stream->stServerHello->random.gmt_time = (unsigned int)BtoL4BytesNum(pcCurSslData);
@@ -466,11 +426,11 @@ UCHAR ssl_analyseHandShake(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseL
}
/*get server hello suites*/
- a_ssl_stream->stServerHello->ciphersuits.suite_len = 2;
- a_ssl_stream->stServerHello->ciphersuits.suite_value = (unsigned char *)dictator_malloc(thread_seq,a_ssl_stream->stServerHello->ciphersuits.suite_len);
- memcpy(a_ssl_stream->stServerHello->ciphersuits.suite_value, pcCurSslData, a_ssl_stream->stServerHello->ciphersuits.suite_len);
- pcCurSslData += a_ssl_stream->stServerHello->ciphersuits.suite_len;
- iUnAnaHelloLen -= a_ssl_stream->stServerHello->ciphersuits.suite_len;
+ a_ssl_stream->stServerHello->ciphersuites.suites_len = 2;
+ a_ssl_stream->stServerHello->ciphersuites.suites_value = (unsigned char *)dictator_malloc(thread_seq,a_ssl_stream->stServerHello->ciphersuites.suites_len);
+ memcpy(a_ssl_stream->stServerHello->ciphersuites.suites_value, pcCurSslData, a_ssl_stream->stServerHello->ciphersuites.suites_len);
+ pcCurSslData += a_ssl_stream->stServerHello->ciphersuites.suites_len;
+ iUnAnaHelloLen -= a_ssl_stream->stServerHello->ciphersuites.suites_len;
if(iUnAnaHelloLen<0)
{
return SSL_RETURN_DROPME;
@@ -499,6 +459,46 @@ UCHAR ssl_analyseHandShake(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseL
return SSL_RETURN_DROPME;
}
}
+
+ /*get extension*/
+ a_ssl_stream->stServerHello->extlen = (unsigned short)BtoL2BytesNum(pcCurSslData);
+ pcCurSslData += sizeof(a_ssl_stream->stServerHello->extlen);
+
+ int i=0;
+ for(i=0; iUnAnaHelloLen>=4 && i<MAX_EXTENSION_NUM; i++)//min len of ext is 4 byte
+ {
+ a_ssl_stream->stServerHello->exts[i].type = (unsigned short)BtoL2BytesNum(pcCurSslData);
+ pcCurSslData += sizeof(a_ssl_stream->stServerHello->exts[i].type);
+ iUnAnaHelloLen -= sizeof(a_ssl_stream->stServerHello->exts[i].type);
+ if(iUnAnaHelloLen<0)
+ {
+ return SSL_RETURN_DROPME;
+ }
+
+ a_ssl_stream->stServerHello->exts[i].len = (unsigned short)BtoL2BytesNum(pcCurSslData);
+ pcCurSslData += sizeof(a_ssl_stream->stServerHello->exts[i].len);
+ iUnAnaHelloLen -= sizeof(a_ssl_stream->stServerHello->exts[i].len);
+ if(iUnAnaHelloLen<0)
+ {
+ return SSL_RETURN_DROPME;
+ }
+ a_ssl_stream->stServerHello->exts[i].data = (unsigned char *)dictator_malloc(thread_seq, a_ssl_stream->stServerHello->exts[i].len);
+ memcpy(a_ssl_stream->stServerHello->exts[i].data, pcCurSslData, a_ssl_stream->stServerHello->exts[i].len); //get ext data
+ pcCurSslData += a_ssl_stream->stServerHello->exts[i].len;
+ iUnAnaHelloLen -= a_ssl_stream->stServerHello->exts[i].len;
+ }
+ a_ssl_stream->stServerHello->ext_num = i;
+
+ for(int j=0;j<a_ssl_stream->stServerHello->ext_num;j++)
+ {
+ if(a_ssl_stream->stServerHello->exts[j].data!=NULL)
+ {
+ dictator_free(thread_seq,a_ssl_stream->stServerHello->exts[j].data);
+ a_ssl_stream->stServerHello->exts[j].data = NULL;
+ }
+ }
+ a_ssl_stream->stServerHello->ext_num = 0;
+
return_val = ssl_doWithServerHello(&a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet);
//20141121
if(a_ssl_stream->stServerHello->session.session_value!=NULL)
@@ -506,10 +506,10 @@ UCHAR ssl_analyseHandShake(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseL
dictator_free(thread_seq,a_ssl_stream->stServerHello->session.session_value);
a_ssl_stream->stServerHello->session.session_value = NULL;
}
- if(a_ssl_stream->stServerHello->ciphersuits.suite_value!=NULL)
+ if(a_ssl_stream->stServerHello->ciphersuites.suites_value!=NULL)
{
- dictator_free(thread_seq,a_ssl_stream->stServerHello->ciphersuits.suite_value);
- a_ssl_stream->stServerHello->ciphersuits.suite_value = NULL;
+ dictator_free(thread_seq,a_ssl_stream->stServerHello->ciphersuites.suites_value);
+ a_ssl_stream->stServerHello->ciphersuites.suites_value = NULL;
}
if(a_ssl_stream->stServerHello->com_method.methods!=NULL)
{
@@ -519,11 +519,41 @@ UCHAR ssl_analyseHandShake(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseL
if(SSL_RETURN_NORM != return_val) return return_val;
iUnAnalyseLen -= (a_ssl_stream->stServerHello->totallen + SERVER_HELLO_HDRLEN);
pcSslData += (a_ssl_stream->stServerHello->totallen + SERVER_HELLO_HDRLEN);
- }
- else
- {
+ }
+ else if(NEW_SESSION_TICKET == pstHandShakeTypeHdr->ucContType)
+ {
+ if(iUnAnalyseLen<SESSION_TICKET_HDRLEN)
+ {
+ break;
+ }
+ if(a_ssl_stream->stNewSessionTicket==NULL)
+ {
+ a_ssl_stream->stNewSessionTicket = (st_new_session_ticket_t*)dictator_malloc(thread_seq,sizeof(st_new_session_ticket_t));
+ memset(a_ssl_stream->stNewSessionTicket, 0, sizeof(st_new_session_ticket_t));
+ }
+ a_ssl_stream->stNewSessionTicket->totallen = BtoL3BytesNum((char *)(pcCurSslData + 1));
+ if(a_ssl_stream->stNewSessionTicket->totallen<0) return SSL_RETURN_DROPME;
+
+ /*4 means _type+len*/
+ if (a_ssl_stream->stNewSessionTicket->totallen+SESSION_TICKET_HDRLEN > iUnAnalyseLen)
+ {
+ /**packet trunked**/
+ break;
+ }
+ pcCurSslData += SESSION_TICKET_HDRLEN;
+ a_ssl_stream->stNewSessionTicket->lifttime = BtoL4BytesNum((char *)(pcCurSslData));
+ a_ssl_stream->stNewSessionTicket->ticket_len = BtoL2BytesNum((char *)(pcCurSslData+4));
+ a_ssl_stream->stNewSessionTicket->ticket = (unsigned char*)(pcCurSslData+6);
+ pcCurSslData += 6+a_ssl_stream->stNewSessionTicket->ticket_len;
+ iUnAnalyseLen -= (a_ssl_stream->stNewSessionTicket->totallen + SERVER_HELLO_HDRLEN);
+ pcSslData += (a_ssl_stream->stNewSessionTicket->totallen + SERVER_HELLO_HDRLEN);
+ return_val = ssl_doWithNewSessionTicket(&a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet);
+ //printf("new session ticket:%d\n", a_ssl_stream->stNewSessionTicket->ticket_len);
+ }
+ else
+ {
break;
- }
+ }
}
*res = (iSslDataLen - iUnAnalyseLen);
@@ -554,6 +584,29 @@ UCHAR ssl_analyseAppData(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseLen
return SSL_RETURN_NORM;
}
+UCHAR ssl_analyseAlert(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseLen, int *res, ssl_stream *a_ssl_stream, struct streaminfo* a_tcp,
+ unsigned long long region_flag, int thread_seq, void* a_packet)
+{
+ /**variable define and initialise**/
+ int return_val = SSL_RETURN_NORM;
+ int iUnAnalyseLen = iAllMsgLen < iSslUnAnalyseLen ? iAllMsgLen : iSslUnAnalyseLen;
+
+ /**validaty check**/
+ if (NULL == pcSslData || iUnAnalyseLen <= 0)
+ {
+ *res = 0;
+ return SSL_RETURN_NORM;
+ }
+ a_ssl_stream->output_region_mask = SSL_ALERT_MASK;
+ a_ssl_stream->p_output_buffer->p_data = pcSslData;
+ a_ssl_stream->p_output_buffer->data_size = iUnAnalyseLen;
+ return_val = ssl_doWithAlert(&a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet);
+ a_ssl_stream->p_output_buffer->p_data = NULL;
+ a_ssl_stream->p_output_buffer->data_size = 0;
+ *res = iUnAnalyseLen;
+ if(SSL_RETURN_NORM!= return_val) return return_val;
+ return SSL_RETURN_NORM;
+}
char *fn_pcGetType(unsigned char *pucId, int iIdLen, stSerialString_t *pastElemTypes)
{
@@ -600,47 +653,48 @@ int ssl_protoRecg(char *pcData, int iDataLen)
if (03 == pcData[1] && 1 == pcData[2])
{
/*TLS 1.0*/
- return 0x0301;
+ return TLSV1_0_VERSION;
}
else if (03 == pcData[1] && 2 == pcData[2])
{
- /*TLS 2.0*/
- return 0x0302;
+ /*TLS 1.1*/
+ return TLSV1_1_VERSION;
}
else if (03 == pcData[1] && 3 == pcData[2])
{
- /*TLS 3.0*/
- return 0x0303;
- }
+ /*TLS 1.2*/
+ return TLSV1_2_VERSION;
+ }
else if (03 == pcData[1] && 0 == pcData[2])
{
/*SSL 3.0*/
- return 0x0300;
+ return SSLV3_VERSION;
}
else if (0 == pcData[1] && 2 == pcData[2])
{
/*SSL 2.0*/
- return 0x0002;
+ return SSLV2_VERSION;
}
else if (0xfe == (unsigned char)pcData[1] && 0xff == (unsigned char)pcData[2])
{
/*DTLS 1.0*/
- return 0xfeff;
+ return DTLSV1_0_VERSION;
}
else if (0x01 == (unsigned char)pcData[1] && 0x00 == (unsigned char)pcData[2])
{
/*DTLS 1.0 (OpenSSL pre 0.9.8f)*/
- return 0x0100;
+ return DTLSV1_0_VERSION_NOT;
}
return 0;
}
+
#define MAX_THREAD_NUM 64
#define COUNTER_NUM 4096
extern volatile unsigned long long g_SysInputInfo[MAX_THREAD_NUM][COUNTER_NUM];
-UCHAR ssl_analyseStreamData(char *pcSslData, int iDataLen, int *res, ssl_stream *a_ssl_stream, struct streaminfo* a_tcp,
+UCHAR ssl_analyseSsl(char *pcSslData, int iDataLen, int *res, ssl_stream *a_ssl_stream, struct streaminfo* a_tcp,
unsigned long long region_flag, int thread_seq, void* a_packet)
{
/**variable define and initialise**/
@@ -682,6 +736,7 @@ UCHAR ssl_analyseStreamData(char *pcSslData, int iDataLen, int *res, ssl_stream
{
case HANDSHAKE:
case APPLICATION_DATA:
+ case ALERT:
pstHandShakeTypeHdr = (stHandShakeTypeHdr_t *)pcCurSslData;
iCurAllMsgLen = (a_ssl_stream->uiAllMsgLen - a_ssl_stream->uiMsgProcLen) ;
iCurMsgLen = (a_ssl_stream->uiAllMsgLen - a_ssl_stream->uiMsgProcLen) < iUnAnalyseLen ? (a_ssl_stream->uiAllMsgLen - a_ssl_stream->uiMsgProcLen) : iUnAnalyseLen;
@@ -777,7 +832,22 @@ UCHAR ssl_analyseStreamData(char *pcSslData, int iDataLen, int *res, ssl_stream
{
is_trunk = 1;
}
- break;
+ break;
+
+ /*��������ȫ������ٴ���*/
+ case ALERT:
+ //printf("%d:%d\n",iCurAllMsgLen,iUnAnalyseLen);
+ if(iUnAnalyseLen<iCurAllMsgLen)
+ {
+ *res = 0;
+ is_trunk = 1;
+ }
+ else
+ {
+ return_val = ssl_analyseAlert((char *)pcCurSslData, iCurAllMsgLen, iUnAnalyseLen, res, a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet);
+ is_trunk = 0;
+ }
+ break;
/*other handshark proto not process*/
case HANDSHAKE:
@@ -823,6 +893,7 @@ UCHAR ssl_analyseStreamData(char *pcSslData, int iDataLen, int *res, ssl_stream
{
a_ssl_stream->uiMsgState = SSL_HANDSHAKE_MSG_TRUNKED;
a_ssl_stream->uiMsgProcLen += *res;
+ pcCurSslData += *res;
iUnAnalyseLen -= *res ;
break;
}
@@ -900,27 +971,23 @@ UCHAR ssl_analyseStream(struct streaminfo *a_tcp, void** pme, int thread_seq, vo
}
- return_val = ssl_analyseStreamData(pcSslData, iSslDateLen, &iRet, a_ssl_stream, a_tcp, a_ssl_stream->output_region_flag, thread_seq, a_packet);
+ return_val = ssl_analyseSsl(pcSslData, iSslDateLen, &iRet, a_ssl_stream, a_tcp, a_ssl_stream->output_region_flag, thread_seq, a_packet);
if(SSL_RETURN_NORM != return_val)
{
return return_val;
}
/*is ssl_stream, need buffer data*/
- if (iRet < 0)
+ if (iRet < 0 || iRet >= iSslDateLen)
{
a_ssl_stream->uiCurBuffLen = 0;
- }
- else if (iRet >= iSslDateLen)
- {
- a_ssl_stream->uiCurBuffLen = 0;
- }
+ }
else
{
if(0==a_ssl_stream->uiMaxBuffLen)
{
a_ssl_stream->pcSslBuffer = (char*)dictator_malloc(thread_seq, MAX_DATA_BUFFER);
- memset(a_ssl_stream->pcSslBuffer,0,sizeof(a_ssl_stream->pcSslBuffer));
+ memset(a_ssl_stream->pcSslBuffer,0,MAX_DATA_BUFFER);
a_ssl_stream->uiMaxBuffLen = MAX_DATA_BUFFER;
}
fn_vMemCpy(a_ssl_stream->pcSslBuffer, (int)a_ssl_stream->uiMaxBuffLen, pcSslData + iRet, (int)(iSslDateLen - iRet));
diff --git a/src/SSL_Message.h b/src/SSL_Message.h
index 3bef42b..4f525c9 100644
--- a/src/SSL_Message.h
+++ b/src/SSL_Message.h
@@ -45,6 +45,26 @@
#define CERT_MAXNUM 8
+
+//#############################################client hello
+#define CLIENT_HELLO_HDRLEN 4
+
+typedef struct _st_client_server_name_t
+{
+ short server_name_list_len;
+ unsigned short server_name_type;
+ unsigned char server_name_len;
+ unsigned char* server_name_data;
+}__attribute__((packed))st_client_server_name_t;
+
+//#############################################server hello
+#define SERVER_HELLO_HDRLEN 4
+
+//#############################################certificate
+#define CERTIFICATE_HDRLEN 7
+#define SSL_CERTIFICATE_HDRLEN 3
+
+
typedef struct _stValueString_t
{
unsigned int uiValue;
@@ -87,7 +107,8 @@ typedef enum _emHelloMsgType_m
// SERVER_HELLO_DONE = 14,
// CERTIFICATE_VERIFY = 15,
// CLIENT_KEY_EXCHANGE = 16,
-// FINISHED = 20,
+// FINISHED = 20,
+ NEW_SESSION_TICKET=4,
MSG_UNKNOWN = 255,
}emHelloMsgType_m;
diff --git a/src/SSL_Proc.c b/src/SSL_Proc.c
index f42b59a..c9f7db0 100644
--- a/src/SSL_Proc.c
+++ b/src/SSL_Proc.c
@@ -13,6 +13,8 @@
#include "SSL_Message.h"
#include "ssl.h"
#include "SSL_Proc.h"
+#include "SSL_Common.h"
+
//debug
#define PRINTF_CLIENT_HELLO 0
@@ -21,16 +23,165 @@ extern ssl_prog_runtime_parameter_t g_ssl_prog_para;
const stValueString_t pastSslVersions[] =
{
- { 0xfeff, "DTLS1.0" },
- { 0x0100, "DTLS1.0(OpenSSL pre 0.9.8f)" },
- { 0x0303, "TLS1.2" },
- { 0x0302, "TLS1.1" },
- { 0x0301, "TLS1.0" },
- { 0x0300, "SSL3.0" },
- { 0x0002, "SSL2.0" },
- { 0x00, NULL }
+ { DTLSV1_0_VERSION, "DTLS1.0" },
+ { DTLSV1_0_VERSION_NOT, "DTLS1.0(OpenSSL pre 0.9.8f)" },
+ { TLSV1_2_VERSION, "TLS1.2" },
+ { TLSV1_1_VERSION, "TLS1.1" },
+ { TLSV1_0_VERSION, "TLS1.0" },
+ { SSLV3_VERSION, "SSL3.0" },
+ { SSLV2_VERSION, "SSL2.0" },
+ { UNKNOWN_VERSION, NULL }
};
+/*
+const stSerialString_t g_astCipherSuit[] =
+{
+ {{0X00, 0X2f}, "TLS_RSA_WITH_AES_128_CBC_SHA"},
+ {{0X00, 0X35}, "TLS_RSA_WITH_AES_256_CBC_SHA"},
+ {{0X00, 0X05}, "TLS_RSA_WITH_RC4_128_CBC_SHA"},
+ {{0X00, 0X0a}, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
+ {{0Xc0, 0X13}, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"},
+ {{0Xc0, 0X14}, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"},
+ {{0Xc0, 0X09}, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"},
+ {{0Xc0, 0X0a}, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"},
+ {{0X00, 0X32}, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"},
+ {{0X00, 0X38}, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA"},
+ {{0X00, 0X13}, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"},
+ {{0X00, 0X04}, "TLS_RSA_WITH_RC4_128_MD5"},
+ {{0X00, 0X39}, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"},
+ {{0}, NULL},
+};
+*/
+
+stSerialString_t g_astCipherSuit[] =
+{
+ {{0xC0, 0X30}, "ECDHE-RSA-AES256-GCM-SHA384"},
+ {{0xC0, 0X2C}, "ECDHE-ECDSA-AES256-GCM-SHA384"},
+ {{0xC0, 0X28}, "ECDHE-RSA-AES256-SHA384"},
+ {{0xC0, 0X24}, "ECDHE-ECDSA-AES256-SHA384"},
+ {{0xC0, 0X14}, "ECDHE-RSA-AES256-SHA"},
+ {{0xC0, 0X0A}, "ECDHE-ECDSA-AES256-SHA"},
+ {{0x00, 0XA5}, "DH-DSS-AES256-GCM-SHA384"},
+ {{0x00, 0XA3}, "DHE-DSS-AES256-GCM-SHA384"},
+ {{0x00, 0XA1}, "DH-RSA-AES256-GCM-SHA384"},
+ {{0x00, 0X9F}, "DHE-RSA-AES256-GCM-SHA384"},
+ {{0x00, 0X6B}, "DHE-RSA-AES256-SHA256"},
+ {{0x00, 0X6A}, "DHE-DSS-AES256-SHA256"},
+ {{0x00, 0X69}, "DH-RSA-AES256-SHA256"},
+ {{0x00, 0X68}, "DH-DSS-AES256-SHA256"},
+ {{0x00, 0X39}, "DHE-RSA-AES256-SHA"},
+ {{0x00, 0X38}, "DHE-DSS-AES256-SHA"},
+ {{0x00, 0X37}, "DH-RSA-AES256-SHA"},
+ {{0x00, 0X36}, "DH-DSS-AES256-SHA"},
+ {{0x00, 0X88}, "DHE-RSA-CAMELLIA256-SHA"},
+ {{0x00, 0X87}, "DHE-DSS-CAMELLIA256-SHA"},
+ {{0x00, 0X86}, "DH-RSA-CAMELLIA256-SHA"},
+ {{0x00, 0X85}, "DH-DSS-CAMELLIA256-SHA"},
+ {{0xC0, 0X19}, "AECDH-AES256-SHA"},
+ {{0x00, 0XA7}, "ADH-AES256-GCM-SHA384"},
+ {{0x00, 0X6D}, "ADH-AES256-SHA256"},
+ {{0x00, 0X3A}, "ADH-AES256-SHA"},
+ {{0x00, 0X89}, "ADH-CAMELLIA256-SHA"},
+ {{0xC0, 0X32}, "ECDH-RSA-AES256-GCM-SHA384"},
+ {{0xC0, 0X2E}, "ECDH-ECDSA-AES256-GCM-SHA384"},
+ {{0xC0, 0X2A}, "ECDH-RSA-AES256-SHA384"},
+ {{0xC0, 0X26}, "ECDH-ECDSA-AES256-SHA384"},
+ {{0xC0, 0X0F}, "ECDH-RSA-AES256-SHA"},
+ {{0xC0, 0X05}, "ECDH-ECDSA-AES256-SHA"},
+ {{0x00, 0X9D}, "AES256-GCM-SHA384"},
+ {{0x00, 0X3D}, "AES256-SHA256"},
+ {{0x00, 0X35}, "AES256-SHA"},
+ {{0x00, 0X84}, "CAMELLIA256-SHA"},
+ {{0x00, 0X8D}, "PSK-AES256-CBC-SHA"},
+ {{0xC0, 0X2F}, "ECDHE-RSA-AES128-GCM-SHA256"},
+ {{0xC0, 0X2B}, "ECDHE-ECDSA-AES128-GCM-SHA256"},
+ {{0xC0, 0X27}, "ECDHE-RSA-AES128-SHA256"},
+ {{0xC0, 0X23}, "ECDHE-ECDSA-AES128-SHA256"},
+ {{0xC0, 0X13}, "ECDHE-RSA-AES128-SHA"},
+ {{0xC0, 0X09}, "ECDHE-ECDSA-AES128-SHA"},
+ {{0x00, 0XA4}, "DH-DSS-AES128-GCM-SHA256"},
+ {{0x00, 0XA2}, "DHE-DSS-AES128-GCM-SHA256"},
+ {{0x00, 0XA0}, "DH-RSA-AES128-GCM-SHA256"},
+ {{0x00, 0X9E}, "DHE-RSA-AES128-GCM-SHA256"},
+ {{0x00, 0X67}, "DHE-RSA-AES128-SHA256"},
+ {{0x00, 0X40}, "DHE-DSS-AES128-SHA256"},
+ {{0x00, 0X3F}, "DH-RSA-AES128-SHA256"},
+ {{0x00, 0X3E}, "DH-DSS-AES128-SHA256"},
+ {{0x00, 0X33}, "DHE-RSA-AES128-SHA"},
+ {{0x00, 0X32}, "DHE-DSS-AES128-SHA"},
+ {{0x00, 0X31}, "DH-RSA-AES128-SHA"},
+ {{0x00, 0X30}, "DH-DSS-AES128-SHA"},
+ {{0x00, 0X9A}, "DHE-RSA-SEED-SHA"},
+ {{0x00, 0X99}, "DHE-DSS-SEED-SHA"},
+ {{0x00, 0X98}, "DH-RSA-SEED-SHA"},
+ {{0x00, 0X97}, "DH-DSS-SEED-SHA"},
+ {{0x00, 0X45}, "DHE-RSA-CAMELLIA128-SHA"},
+ {{0x00, 0X44}, "DHE-DSS-CAMELLIA128-SHA"},
+ {{0x00, 0X43}, "DH-RSA-CAMELLIA128-SHA"},
+ {{0x00, 0X42}, "DH-DSS-CAMELLIA128-SHA"},
+ {{0xC0, 0X18}, "AECDH-AES128-SHA"},
+ {{0x00, 0XA6}, "ADH-AES128-GCM-SHA256"},
+ {{0x00, 0X6C}, "ADH-AES128-SHA256"},
+ {{0x00, 0X34}, "ADH-AES128-SHA"},
+ {{0x00, 0X9B}, "ADH-SEED-SHA"},
+ {{0x00, 0X46}, "ADH-CAMELLIA128-SHA"},
+ {{0xC0, 0X31}, "ECDH-RSA-AES128-GCM-SHA256"},
+ {{0xC0, 0X2D}, "ECDH-ECDSA-AES128-GCM-SHA256"},
+ {{0xC0, 0X29}, "ECDH-RSA-AES128-SHA256"},
+ {{0xC0, 0X25}, "ECDH-ECDSA-AES128-SHA256"},
+ {{0xC0, 0X0E}, "ECDH-RSA-AES128-SHA"},
+ {{0xC0, 0X04}, "ECDH-ECDSA-AES128-SHA"},
+ {{0x00, 0X9C}, "AES128-GCM-SHA256"},
+ {{0x00, 0X3C}, "AES128-SHA256"},
+ {{0x00, 0X2F}, "AES128-SHA"},
+ {{0x00, 0X96}, "SEED-SHA"},
+ {{0x00, 0X41}, "CAMELLIA128-SHA"},
+ {{0x00, 0X8C}, "PSK-AES128-CBC-SHA"},
+ {{0xC0, 0X12}, "ECDHE-RSA-DES-CBC3-SHA"},
+ {{0xC0, 0X08}, "ECDHE-ECDSA-DES-CBC3-SHA"},
+ {{0x00, 0X16}, "EDH-RSA-DES-CBC3-SHA"},
+ {{0x00, 0X13}, "EDH-DSS-DES-CBC3-SHA"},
+ {{0x00, 0X10}, "DH-RSA-DES-CBC3-SHA"},
+ {{0x00, 0X0D}, "DH-DSS-DES-CBC3-SHA"},
+ {{0xC0, 0X17}, "AECDH-DES-CBC3-SHA"},
+ {{0x00, 0X1B}, "ADH-DES-CBC3-SHA"},
+ {{0xC0, 0X0D}, "ECDH-RSA-DES-CBC3-SHA"},
+ {{0xC0, 0X03}, "ECDH-ECDSA-DES-CBC3-SHA"},
+ {{0x00, 0X0A}, "DES-CBC3-SHA"},
+ {{0x00, 0X07}, "IDEA-CBC-SHA"},
+ {{0x00, 0X8B}, "PSK-3DES-EDE-CBC-SHA"},
+ {{0x00, 0X21}, "KRB5-IDEA-CBC-SHA"},
+ {{0x00, 0X1F}, "KRB5-DES-CBC3-SHA"},
+ {{0x00, 0X25}, "KRB5-IDEA-CBC-MD5"},
+ {{0x00, 0X23}, "KRB5-DES-CBC3-MD5"},
+ {{0xC0, 0X11}, "ECDHE-RSA-RC4-SHA"},
+ {{0xC0, 0X07}, "ECDHE-ECDSA-RC4-SHA"},
+ {{0xC0, 0X16}, "AECDH-RC4-SHA"},
+ {{0x00, 0X18}, "ADH-RC4-MD5"},
+ {{0xC0, 0X0C}, "ECDH-RSA-RC4-SHA"},
+ {{0xC0, 0X02}, "ECDH-ECDSA-RC4-SHA"},
+ {{0x00, 0X05}, "RC4-SHA"},
+ {{0x00, 0X04}, "RC4-MD5"},
+ {{0x00, 0X8A}, "PSK-RC4-SHA"},
+ {{0x00, 0X20}, "KRB5-RC4-SHA"},
+ {{0x00, 0X24}, "KRB5-RC4-MD5"},
+ {{0xC0, 0X10}, "ECDHE-RSA-NULL-SHA"},
+ {{0xC0, 0X06}, "ECDHE-ECDSA-NULL-SHA"},
+ {{0xC0, 0X15}, "AECDH-NULL-SHA"},
+ {{0xC0, 0X0B}, "ECDH-RSA-NULL-SHA"},
+ {{0xC0, 0X01}, "ECDH-ECDSA-NULL-SHA"},
+ {{0x00, 0X3B}, "NULL-SHA256"},
+ {{0x00, 0X02}, "NULL-SHA"},
+ {{0x00, 0X01}, "NULL-MD5"},
+ {{0x13, 0X01}, "TLS_AES_128_GCM_SHA256"},
+ {{0x13, 0X02}, "TLS_AES_256_GCM_SHA384"},
+ {{0x13, 0X03}, "TLS_CHACHA20_POLY1305_SHA256"},
+ {{0x13, 0X04}, "TLS_AES_128_CCM_SHA256"},
+ {{0x13, 0X05}, "TLS_AES_128_CCM_8_SHA256"},
+ {{0}, NULL},
+};
+
+
int BtoL4BytesNum(char *pcData)
{
@@ -69,6 +220,90 @@ int BtoL1BytesNum(char *pcData)
return uiLength;
}
+char *fn_pcGetSuite(unsigned char *pucId, int iIdLen, const stSerialString_t *pastElemTypes)
+{
+ int iLoop = 0;
+ int iInLoop = 0;
+
+ if (NULL == pucId || iIdLen < 0 || NULL == pastElemTypes)
+ {
+ return NULL;
+ }
+
+ for (iLoop = 0; NULL != pastElemTypes[iLoop].pcString; ++iLoop)
+ {
+ for (iInLoop = 0; iInLoop < iIdLen; ++iInLoop)
+ {
+ if (pucId[iInLoop] != pastElemTypes[iLoop].aucSerial[iInLoop])
+ {
+ //continue;
+ break;
+ }
+ }
+
+ if (iInLoop == iIdLen)
+ {
+ return (char *)(pastElemTypes[iLoop].pcString);
+ }
+ }
+
+ return NULL;
+}
+
+const char* ssl_get_suite_name(unsigned char* suite_value, unsigned short suite_len)
+{
+ if(suite_value==NULL) return NULL;
+ return fn_pcGetSuite((unsigned char *)suite_value, suite_len, (stSerialString_t*)&g_astCipherSuit);
+}
+
+const char* ssl_get_version_name(unsigned short version)
+{
+ int find_index = -1;
+ for(unsigned int i=0;pastSslVersions[i].uiValue!=0;i++)
+ {
+ if(pastSslVersions[i].uiValue==version)
+ {
+ find_index = (int)i;
+ break;
+ }
+ }
+ return (char*)pastSslVersions[find_index].pcString;
+}
+
+int ssl_get_alpn_list(alpn_list_t* alpn_list, int alpn_size, st_ext_t* exts, unsigned short ext_num)
+{
+ int alpn_ext_len = 0;
+ int alpn_proto_len = 0;
+ int alpn_proto_num = 0;
+ unsigned char* alpl = NULL;
+
+ for(int i=0; i<ext_num; i++)
+ {
+ if(exts[i].type == ALPN_EXT_TYPE)
+ {
+ alpn_ext_len = exts[i].len;
+ alpl = exts[i].data;
+ alpn_ext_len = BtoL2BytesNum((char *)alpl);
+ alpl +=2;
+ while(alpn_ext_len>0 && alpn_proto_num<alpn_size)
+ {
+ alpn_proto_len = BtoL1BytesNum((char *)alpl);
+ alpl++;
+ alpn_ext_len -= 1;
+ alpn_list[alpn_proto_num].alpn_len = alpn_proto_len;
+ //memcpy(alpn_list[alpn_proto_num].alpn, alpl, alpn_proto_len);
+ alpn_list[alpn_proto_num].alpn = (char*)alpl;
+ alpn_list[alpn_proto_num].alpn_len = alpn_proto_len;
+ alpn_ext_len -= alpn_proto_len;
+ alpl += alpn_proto_len;
+ alpn_proto_num++;
+ }
+ break;
+ }
+ }
+ return alpn_proto_num;
+}
+
UCHAR ssl_doWithVersion(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp,
unsigned long long region_flag, int thread_seq, void *a_packet)
{
@@ -98,6 +333,16 @@ UCHAR ssl_doWithVersion(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp,
return return_val;
}
+UCHAR ssl_doWithNewSessionTicket(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp,
+ unsigned long long region_flag, int thread_seq, void *a_packet)
+{
+ UCHAR return_val = SSL_RETURN_NORM;
+ (*a_ssl_stream)->output_region_mask = SSL_NEW_SESSION_TICKET_MASK;
+ return_val = ssl_callPlugins(a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet);
+ (*a_ssl_stream)->output_region_mask = SSL_INTEREST_KEY_MASK;
+ return return_val;
+}
+
UCHAR ssl_doWithApplicationData(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp,
unsigned long long region_flag, int thread_seq, void *a_packet)
{
@@ -108,6 +353,18 @@ UCHAR ssl_doWithApplicationData(ssl_stream **a_ssl_stream, struct streaminfo *a_
return return_val;
}
+
+UCHAR ssl_doWithAlert(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp,
+ unsigned long long region_flag, int thread_seq, void *a_packet)
+{
+ UCHAR return_val = SSL_RETURN_NORM;
+ (*a_ssl_stream)->output_region_mask = SSL_ALERT_MASK;
+ return_val = ssl_callPlugins(a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet);
+ (*a_ssl_stream)->output_region_mask = SSL_INTEREST_KEY_MASK;
+ return return_val;
+}
+
+
UCHAR ssl_doWithCertificate(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp,
unsigned long long region_flag, int thread_seq, void *a_packet)
{
@@ -140,8 +397,7 @@ UCHAR ssl_doWithClientHello(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp,
if((*a_ssl_stream)->stClientHello->exts[i].type == SERVER_NAME_EXT_TYPE)
{
st_client_server_name_t* pstClientServerName = (st_client_server_name_t*)dictator_malloc(thread_seq,sizeof(st_client_server_name_t));
- unsigned char* cur_data = NULL;
- unsigned char first_server_name = 0;
+ unsigned char* cur_data = NULL;
unsigned char servernamelen = 0;
pstClientServerName->server_name_list_len = (*a_ssl_stream)->stClientHello->exts[i].len;
cur_data = (*a_ssl_stream)->stClientHello->exts[i].data;
@@ -152,16 +408,16 @@ UCHAR ssl_doWithClientHello(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp,
/*3=sizeof(pstClientServerName.server_name_type)+sizeof(pstClientServerName.server_name_len)*/
while(pstClientServerName->server_name_list_len>3)
{
- pstClientServerName->server_name_type = BtoL2BytesNum((char *)cur_data);
- pstClientServerName->server_name_len = BtoL1BytesNum((char *)(cur_data+2));
+ pstClientServerName->server_name_type = BtoL1BytesNum((char *)cur_data);
+ pstClientServerName->server_name_len = BtoL2BytesNum((char *)(cur_data+1));
pstClientServerName->server_name_list_len -= 3;
+ cur_data += 3;
/*have data*/
- if(((pstClientServerName->server_name_type == SERVER_NAME_HOST_TYPE)||
- (pstClientServerName->server_name_type == SERVER_NAME_OTHER_TYPE))&&
+ if(((pstClientServerName->server_name_type == SERVER_NAME_HOST_TYPE))&&
pstClientServerName->server_name_len>0&&
pstClientServerName->server_name_list_len>=pstClientServerName->server_name_len)
{
- pstClientServerName->server_name_data = cur_data+3;
+ pstClientServerName->server_name_data = cur_data;
//if(!first_server_name)
{
memcpy((*a_ssl_stream)->stClientHello->server_name,
@@ -169,41 +425,60 @@ UCHAR ssl_doWithClientHello(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp,
pstClientServerName->server_name_len);
servernamelen = strlen((char*)(*a_ssl_stream)->stClientHello->server_name);
(*a_ssl_stream)->stClientHello->server_name[servernamelen] = '\0';
- first_server_name = 1;
- pstClientServerName->server_name_list_len -= pstClientServerName->server_name_len;
- cur_data += pstClientServerName->server_name_len;
-
-#if PRINTF_CLIENT_HELLO
- //printf("server_name:%s\n",(*a_ssl_stream)->stClientHello->server_name);
- FILE* pFile = NULL;
- time_t currTime;
- struct tm *now;
- char strTime[32];
- char logTime[32];
- char filename[64] = {0};
- time(&currTime);
- now = localtime(&currTime);
- memset(strTime, 0, sizeof(strTime) );
- memset(logTime, 0, sizeof(logTime) );
- strftime(strTime, sizeof(strTime), "%Y-%m-%d %H:%M:%S", now);
- strftime(logTime, sizeof(logTime), "%Y-%m-%d", now);
- strcpy(filename, "./ssl_log/ssl_server_name_log_");
- strcat(filename, logTime);
- if(((pFile = fopen(filename, "a+"))!=NULL))
- {
- fprintf(pFile,"%s===%s\n",strTime, (*a_ssl_stream)->stClientHello->server_name);
- fclose(pFile);
- }
-#endif
-
- break;
+ //printf("====servername:%s\n", (*a_ssl_stream)->stClientHello->server_name);
+ break;
}
- }
- cur_data += 3;
+ }
+ pstClientServerName->server_name_list_len -= pstClientServerName->server_name_len;
+ cur_data += pstClientServerName->server_name_len;
+ }
+ if(NULL!=pstClientServerName)
+ {
+ dictator_free(thread_seq,pstClientServerName);
+ }
+ }
+ else if((*a_ssl_stream)->stClientHello->exts[i].type == SESSION_TICKET_EXT_TYPE)
+ {
+ (*a_ssl_stream)->stClientHello->session_ticket.ticketlen = (*a_ssl_stream)->stClientHello->exts[i].len;
+ (*a_ssl_stream)->stClientHello->session_ticket.ticket = (*a_ssl_stream)->stClientHello->exts[i].data;
+ //printf("====session ticket:%d\n", (*a_ssl_stream)->stClientHello->session_ticket.ticketlen);
+ }
+ else if((*a_ssl_stream)->stClientHello->exts[i].type == ENCRPTED_SERVER_NAME_EXT_TYPE)
+ {
+ char* cur_data = (char*)(*a_ssl_stream)->stClientHello->exts[i].data;
+ int iUnAnaHelloLen = (*a_ssl_stream)->stClientHello->exts[i].len;
+ if(iUnAnaHelloLen>SUITE_VALUELEN)
+ {
+ (*a_ssl_stream)->stClientHello->encrypted_server_name.suite_value = (unsigned char *)dictator_malloc(thread_seq,SUITE_VALUELEN);
+ memcpy((*a_ssl_stream)->stClientHello->encrypted_server_name.suite_value, cur_data, SUITE_VALUELEN);
+ cur_data += SUITE_VALUELEN;
+ iUnAnaHelloLen -= SUITE_VALUELEN;
+ }
+ if(iUnAnaHelloLen>KEY_EXCHANGELEN_LEN)
+ {
+ (*a_ssl_stream)->stClientHello->encrypted_server_name.key_exchange_group = (unsigned short)BtoL2BytesNum(cur_data);
+ (*a_ssl_stream)->stClientHello->encrypted_server_name.key_exchange_len = (unsigned short)BtoL2BytesNum(cur_data+2);
+ (*a_ssl_stream)->stClientHello->encrypted_server_name.key_exchange = (unsigned char *)dictator_malloc(thread_seq,(*a_ssl_stream)->stClientHello->encrypted_server_name.key_exchange_len);
+ memcpy((*a_ssl_stream)->stClientHello->encrypted_server_name.key_exchange, cur_data+KEY_EXCHANGELEN_LEN, (*a_ssl_stream)->stClientHello->encrypted_server_name.key_exchange_len);
+ cur_data += (KEY_EXCHANGELEN_LEN+(*a_ssl_stream)->stClientHello->encrypted_server_name.key_exchange_len);
+ iUnAnaHelloLen -= (KEY_EXCHANGELEN_LEN+(*a_ssl_stream)->stClientHello->encrypted_server_name.key_exchange_len);
+ }
+ if(iUnAnaHelloLen>RECORD_DIGESTLEN_LEN)
+ {
+ (*a_ssl_stream)->stClientHello->encrypted_server_name.record_digest_len= (unsigned short)BtoL2BytesNum(cur_data);
+ (*a_ssl_stream)->stClientHello->encrypted_server_name.record_digest = (unsigned char *)dictator_malloc(thread_seq,(*a_ssl_stream)->stClientHello->encrypted_server_name.record_digest_len);
+ memcpy((*a_ssl_stream)->stClientHello->encrypted_server_name.record_digest, cur_data+RECORD_DIGESTLEN_LEN, (*a_ssl_stream)->stClientHello->encrypted_server_name.record_digest_len);
+ cur_data += (RECORD_DIGESTLEN_LEN+(*a_ssl_stream)->stClientHello->encrypted_server_name.record_digest_len);
+ iUnAnaHelloLen -= (RECORD_DIGESTLEN_LEN+(*a_ssl_stream)->stClientHello->encrypted_server_name.record_digest_len);
+ }
+ if(iUnAnaHelloLen>ESNILEN_LEN)
+ {
+ (*a_ssl_stream)->stClientHello->encrypted_server_name.esni_len = (unsigned short)BtoL2BytesNum(cur_data);
+ (*a_ssl_stream)->stClientHello->encrypted_server_name.esni = (unsigned char *)dictator_malloc(thread_seq,(*a_ssl_stream)->stClientHello->encrypted_server_name.esni_len);
+ memcpy((*a_ssl_stream)->stClientHello->encrypted_server_name.esni, cur_data+ESNILEN_LEN, (*a_ssl_stream)->stClientHello->encrypted_server_name.esni_len);
+ cur_data += (ESNILEN_LEN+(*a_ssl_stream)->stClientHello->encrypted_server_name.esni_len);
+ iUnAnaHelloLen -= (ESNILEN_LEN+(*a_ssl_stream)->stClientHello->encrypted_server_name.esni_len);
}
-
- if(NULL!=pstClientServerName) dictator_free(thread_seq,pstClientServerName);
- break;
}
}
@@ -212,6 +487,33 @@ UCHAR ssl_doWithClientHello(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp,
return return_val;
}
+void print_sni(ssl_stream **a_ssl_stream)
+{
+#if PRINTF_CLIENT_HELLO
+ //printf("server_name:%s\n",(*a_ssl_stream)->stClientHello->server_name);
+ FILE* pFile = NULL;
+ time_t currTime;
+ struct tm *now;
+ char strTime[32];
+ char logTime[32];
+ char filename[64] = {0};
+ time(&currTime);
+ now = localtime(&currTime);
+ memset(strTime, 0, sizeof(strTime) );
+ memset(logTime, 0, sizeof(logTime) );
+ strftime(strTime, sizeof(strTime), "%Y-%m-%d %H:%M:%S", now);
+ strftime(logTime, sizeof(logTime), "%Y-%m-%d", now);
+ strcpy(filename, "./ssl_log/ssl_server_name_log_");
+ strcat(filename, logTime);
+ if(((pFile = fopen(filename, "a+"))!=NULL))
+ {
+ fprintf(pFile,"%s===%s\n",strTime, (*a_ssl_stream)->stClientHello->server_name);
+ fclose(pFile);
+ }
+#endif
+
+}
+
UCHAR ssl_doWithServerHello(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp,
unsigned long long region_flag, int thread_seq, void *a_packet)
{
diff --git a/src/SSL_Proc.h b/src/SSL_Proc.h
index c9c7be2..8e25916 100644
--- a/src/SSL_Proc.h
+++ b/src/SSL_Proc.h
@@ -20,10 +20,15 @@ int BtoL3BytesNum(char *pcData);
int BtoL4BytesNum(char *pcData);
int ssl_protoRecg(char *pcData, int iDataLen);
+char *fn_pcGetSuite(unsigned char *pucId, int iIdLen, stSerialString_t *pastElemTypes);
UCHAR ssl_doWithVersion(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp,
unsigned long long region_flag, int thread_seq, void *a_packet);
+UCHAR ssl_doWithNewSessionTicket(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp,
+ unsigned long long region_flag, int thread_seq, void *a_packet);
UCHAR ssl_doWithApplicationData(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp,
unsigned long long region_flag, int thread_seq, void *a_packet);
+UCHAR ssl_doWithAlert(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp,
+ unsigned long long region_flag, int thread_seq, void *a_packet);
UCHAR ssl_doWithCertificate(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp,
unsigned long long region_flag, int thread_seq, void *a_packet);
UCHAR ssl_doWithCertificateDetail(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp,
diff --git a/src/ssl.h b/src/ssl.h
index 21f43d7..2abb743 100644
--- a/src/ssl.h
+++ b/src/ssl.h
@@ -5,7 +5,7 @@
#include <stdio.h>
#include <string.h>
-#define SSH_H_VERSION_20160910_ADD_CERT 0
+#define SSH_H_VERSION_20201202_ADD_SESSION_TICKET 0
#define SSL_KEY 3
#define SSL_TRUE 1
@@ -19,6 +19,18 @@
#define SSL_CLIENT_HELLO (1<<SSL_CLIENT_HELLO_MASK)
#define SSL_SERVER_HELLO (1<<SSL_SERVER_HELLO_MASK)
#define SSL_VERSION (1<<SSL_VERSION_MASK)
+#define SSL_ALERT (1<<SSL_ALERT_MASK)
+#define SSL_NEW_SESSION_TICKET (1<<SSL_NEW_SESSION_TICKET_MASK)
+
+/**SSL versions, variate uiSslVersion in ssl_stream**/
+#define UNKNOWN_VERSION 0x0000
+#define SSLV3_VERSION 0x0300
+#define SSLV2_VERSION 0x0002
+#define TLSV1_0_VERSION 0x0301
+#define TLSV1_1_VERSION 0x0302
+#define TLSV1_2_VERSION 0x0303
+#define DTLSV1_0_VERSION 0xfeff
+#define DTLSV1_0_VERSION_NOT 0x0100
typedef enum
{
@@ -30,6 +42,8 @@ typedef enum
SSL_CERTIFICATE_MASK,
SSL_APPLICATION_DATA_MASK,
SSL_VERSION_MASK,
+ SSL_ALERT_MASK,
+ SSL_NEW_SESSION_TICKET_MASK,
}ssl_interested_region;
typedef struct cdata_buf
@@ -52,39 +66,58 @@ typedef struct _st_session_t
typedef struct _st_suites_t
{
- unsigned short suite_len; //4
- unsigned char* suite_value;
+ unsigned short suites_len; //4
+ unsigned char* suites_value; //ciphersuites list, split into 2 bytes and get suite name by "ssl_get_suite"
}st_suites_t;
typedef struct _st_compress_methods_t
{
unsigned char methlen;
- unsigned char* methods;//default 0:null
+ unsigned char* methods; //default 0:null
}st_compress_methods_t;
+typedef struct _st_session_tciket_t
+{
+ unsigned char ticketlen;
+ unsigned char* ticket; //default 0:null
+}st_session_tciket_t;
+
+#define SUITE_VALUELEN 2
+#define KEY_EXCHANGELEN_LEN 4
+#define RECORD_DIGESTLEN_LEN 2
+#define ESNILEN_LEN 2
+typedef struct _st_esni_t
+{
+ unsigned short key_exchange_group;
+ unsigned short key_exchange_len;
+ unsigned char* key_exchange;
+ unsigned char* record_digest;
+ unsigned short record_digest_len;
+ unsigned short esni_len;
+ unsigned char* esni;
+ unsigned char* suite_value; //get suite name by "ssl_get_suite"function
+}st_esni_t;
+
//#############################################client hello
-#define CLIENT_HELLO_HDRLEN 4
-#define MAX_EXTENSION_NUM 16
-#define MAX_EXT_DATA_LEN 256
-#define SERVER_NAME_EXT_TYPE 0x0000
-#define SERVER_NAME_HOST_TYPE 0x0000
-#define SERVER_NAME_OTHER_TYPE 0x0008
+#define MAX_EXTENSION_NUM 16
+#define MAX_EXT_DATA_LEN 256
+#define SERVER_NAME_EXT_TYPE 0x0000
+#define SERVER_NAME_HOST_TYPE 0x0000
+#define SERVER_NAME_OTHER_TYPE 0x0008
+#define SESSION_TICKET_EXT_TYPE 0x0023
+#define ENCRPTED_SERVER_NAME_EXT_TYPE 0xFFCE
+
+/*important extension in clientHello: alpn(application_layer_protocol_negotiation) */
+#define ALPN_EXT_TYPE 0x0010
-typedef struct _st_client_ext_t
+
+typedef struct _st_ext_t
{
unsigned short type;
unsigned short len;
- unsigned char data[MAX_EXT_DATA_LEN];//if longer,cut off
-}__attribute__((packed))st_client_ext_t;
-
-typedef struct _st_client_server_name_t
-{
- short server_name_list_len;
- unsigned short server_name_type;
- unsigned char server_name_len;
- unsigned char* server_name_data;
-}__attribute__((packed))st_client_server_name_t;
+ unsigned char* data;
+}st_ext_t;
//client hello info
@@ -94,12 +127,14 @@ typedef struct _st_client_hello_t
unsigned short client_ver;
st_random_t random; //32 byte random,not used currently
st_session_t session;
- st_suites_t ciphersuits;
+ st_suites_t ciphersuites;
st_compress_methods_t com_method; //compress method
unsigned short extlen;
unsigned short ext_num; //number of extensions
- st_client_ext_t exts[MAX_EXTENSION_NUM]; //extensions content:1 or more extentions
+ st_ext_t exts[MAX_EXTENSION_NUM]; //extensions content:1 or more extentions
unsigned char server_name[512]; // server_name = host_name+...
+ st_session_tciket_t session_ticket;
+ st_esni_t encrypted_server_name;
}st_client_hello_t;
//#############################################client hello end
@@ -111,15 +146,35 @@ typedef struct _st_client_hello_t
typedef struct _st_server_hello_t
{
int totallen; //3
- unsigned short client_ver;
+ unsigned short server_ver;
st_random_t random; //32 byte random,not used currently
st_session_t session;
- st_suites_t ciphersuits;
+ st_suites_t ciphersuites;
st_compress_methods_t com_method; //compress method
+ unsigned short extlen; //the length of all extensions
+ unsigned short ext_num; //the number of extensions
+ st_ext_t exts[MAX_EXTENSION_NUM]; //the content of extensions :1 or more extentions
+
}st_server_hello_t;
//#############################################server hello end
+
+//#############################################new session ticket
+#define SESSION_TICKET_HDRLEN 4
+
+//client hello info
+typedef struct _st_new_session_ticket_t
+{
+ int totallen; //3 bytes
+ int lifttime; //second
+ int ticket_len; //3 bytes
+ unsigned char* ticket;
+}st_new_session_ticket_t;
+
+//#############################################new session ticket end
+
+
//#############################################certificate
#define CERTIFICATE_HDRLEN 7
#define SSL_CERTIFICATE_HDRLEN 3
@@ -156,6 +211,8 @@ typedef struct _st_cert_t
char SSLSubCN[64];//cname
st_san_t* SSLSubAltName;
uint8_t cert_type;
+ unsigned char* SSLSubKey;
+ int SSLSubKeyLen;
}st_cert_t;
//#############################################certificate end
@@ -174,7 +231,7 @@ typedef struct _ssl_stream_t
unsigned char over_flag;
unsigned char ucContType;
unsigned char is_ssl_stream;
- unsigned int uiSslVersion;
+ unsigned short uiSslVersion; //SSL versions, definition like TLSV1_2_VERSION in ssl.h
int uiAllMsgLen; //hand shake msg length
int uiMsgProcLen;
@@ -185,13 +242,15 @@ typedef struct _ssl_stream_t
cdata_buf* p_output_buffer;
st_client_hello_t* stClientHello;
st_server_hello_t* stServerHello;
- st_cert_t* stSSLCert;
+ st_cert_t* stSSLCert;
business_infor_t* business;
char* pcSslBuffer;
ssl_interested_region output_region_mask;
int uiCurBuffLen;
+
+ st_new_session_ticket_t* stNewSessionTicket;
}ssl_stream;
/*ssl_read_all_cert�еĽṹ��*/
@@ -201,6 +260,13 @@ typedef struct cert_chain_s
uint32_t cert_len;
}cert_chain_t;
+/*ssl_get_alpn_list?D��??��11��?*/
+typedef struct alpn_list_s
+{
+ char* alpn; //pointer to exts
+ uint32_t alpn_len;
+}alpn_list_t;
+
/*ssl_read_specific_cert��cert_type�IJ���*/
#define CERT_TYPE_INDIVIDUAL 0 //����֤��
#define CERT_TYPE_ROOT 1 //��֤��
@@ -217,6 +283,20 @@ int ssl_read_all_cert(const char* conj_cert_buf, uint32_t conj_buflen, cert_chai
/*return : 1 ���ڣ�0 ������*/
int ssl_read_specific_cert(const char* conj_cert_buf, uint32_t conj_buflen, uint8_t cert_type, char** cert, uint32_t* cert_len);
+/*Obtain suite name like "TLS_RSA_WITH_AES_128_CBC_SHA" by suite_value; Each suite should be 2 bytes*/
+const char* ssl_get_suite_name(unsigned char* suite_value, unsigned short suite_len);
+
+/*Obtain version name like "TLS1.2" by version*/
+const char* ssl_get_version_name(unsigned short version);
+
+/*Obtain alpl list by */
+/*
+input: stClientHello; alpn_list is applied by user
+output: put the results in alpn_list
+return: the number of alpn
+*/
+int ssl_get_alpn_list(alpn_list_t* alpn_list, int alpn_size, st_ext_t* exts, unsigned short ext_num);
+
const char* ssl_get_suite(st_suites_t* ciphersuits);
struct _ssl_ja3_info_t
diff --git a/src/ssl_update.txt b/src/ssl_update.txt
index 6e1a892..0817dce 100644
--- a/src/ssl_update.txt
+++ b/src/ssl_update.txt
@@ -9,6 +9,28 @@ https://blog.csdn.net/aixiaoxiaoyu/article/details/79175855
https://www.cnblogs.com/huhu0013/p/4791430.html
BIO
https://blog.csdn.net/liujiayu2/article/details/51860172
+
+
+bug�͹����޸���ʷ
+*************************************************
+20210417
+֧��esni�ֶε���ȡ
+*************************************************
+20210107
+����֤�鹫Կ��Ϣ��SSLSubKey
+*************************************************
+20201230
+����ALPN���ֶεĽ���
+����SSL.H��ע��
+��������ɾ���
+ALERT���汨��
+*************************************************
+20201203
+1. DROPPKT����DROPME����
+*************************************************
+20201202
+1. ֧��session ticket
+2. ֧��new session ticket
*************************************************
20200617
1. �޸�application data������bug
diff --git a/src/tool/test_cert/test_cert.c b/src/tool/test_cert/test_cert.c
index e16ec71..ffd2f17 100644
--- a/src/tool/test_cert/test_cert.c
+++ b/src/tool/test_cert/test_cert.c
@@ -73,6 +73,18 @@ int BtoL3BytesNum(char *pcData)
return uiLength;
}
+int BtoL4BytesNum(char *pcData)
+{
+ int uiLength = 0;
+ uiLength = pcData[0];
+ uiLength = (uiLength << 8) + (unsigned char)pcData[1];
+ uiLength = (uiLength << 8) + (unsigned char)pcData[2];
+ uiLength = (uiLength << 8) + (unsigned char)pcData[3];
+
+ return uiLength;
+}
+
+
typedef struct _stValueString_t
{
unsigned int uiValue;
generated by cgit v1.2.3 (git 2.39.1) at 2025-12-30 14:48:17 +0000