diff options
| -rw-r--r-- | src/SSL_Message.c | 127 | ||||
| -rw-r--r-- | test/CMakeLists.txt | 1 | ||||
| -rw-r--r-- | test/pcap/client_hello_fragment/3-ssl.client.hello.fragment.36.251.161.167.39777-143.92.57.79.443.pcap | bin | 0 -> 4708 bytes | |||
| -rw-r--r-- | test/pcap/client_hello_fragment/ssl_client_hello_fragment_result.json | 8 | ||||
| -rw-r--r-- | test/pcap/tcp_ack_contians_payload/1-tcp_ack_contains_payload.pcap | bin | 0 -> 21756 bytes | |||
| -rw-r--r-- | test/pcap/tcp_ack_contians_payload/ssl_tcp_ack_contians_payload_result.json | 114 |
6 files changed, 190 insertions, 60 deletions
diff --git a/src/SSL_Message.c b/src/SSL_Message.c index bbc9033..86f9713 100644 --- a/src/SSL_Message.c +++ b/src/SSL_Message.c @@ -157,6 +157,11 @@ void ssl_trunk_free(struct ssl_runtime_context *ssl_context, int thread_seq) int ssl_trunk_cache(struct ssl_runtime_context *ssl_context, char *payload, int payload_len, int thread_seq) { + if(payload==NULL || payload_len<=0) + { + return 0; + } + if(ssl_context->record.cache_buff==NULL) { ssl_context->record.cache_buff=(char *)dictator_malloc(thread_seq, g_ssl_runtime_para.max_cache_len); @@ -334,20 +339,10 @@ int ssl_parse_encrypt_server_name(struct ssl_client_hello *chello, struct ssl_l2 int ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *payload, int payload_len) { int offset=0,one_ltv=0; - unsigned int ec_point_format=0; - - UT_string *ja3_string,*cipher_suite_string,*ec_string,*ex_string; - utstring_new(ja3_string); - utstring_new(cipher_suite_string); - utstring_printf(cipher_suite_string, ","); - utstring_new(ec_string); - utstring_printf(ec_string, ","); - utstring_new(ex_string); - utstring_printf(ex_string, ","); - chello->total_len=BtoL3BytesNum((const char *)(payload+1)); if(chello->total_len<0) /*CLIENT_HELLO_HDRLEN: 4 means client_type+len*/ { + return SSL_FLASE; } @@ -361,8 +356,6 @@ int ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *paylo { return SSL_FLASE; } - - utstring_printf(ja3_string, "%u", chello->version); offset+=(CLIENT_HELLO_HDRLEN+sizeof(chello->version)); /*get client hello random*/ @@ -393,18 +386,6 @@ int ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *paylo return SSL_FLASE; } - if(chello->ciphersuites.len>0) - { - for(unsigned short i=0; i<chello->ciphersuites.len; i+=2) - { - unsigned short cipher_suite=BtoL2BytesNum((const char *)(chello->ciphersuites.value+i)); - if(ssl_is_grease_value(cipher_suite)==0) - { - utstring_printf(cipher_suite_string, "%u-", cipher_suite); - } - } - } - offset+=one_ltv; /*get client hello compress*/ @@ -415,6 +396,13 @@ int ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *paylo } offset+=one_ltv; + + UT_string *ex_string; + utstring_new(ex_string); + utstring_printf(ex_string, ","); + + struct ssl_l2tv *ec=NULL; + struct ssl_l2tv *ec_point_format=NULL; if(offset < payload_len) { /*get extension*/ @@ -427,6 +415,7 @@ int ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *paylo one_ltv=ssl_parse_ltv2(&(chello->extensions.extension[ex_offset]), payload+offset, payload_len-offset); if(one_ltv==-1) { + utstring_free(ex_string); return SSL_FLASE; } @@ -455,42 +444,10 @@ int ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *paylo chello->alpn=&(chello->extensions.extension[ex_offset++]); break; case EC_POINT_FORMATS_EXT_TYPE: - // parse ec point formats - { - char length=BtoL1BytesNum((const char*)(chello->extensions.extension[ex_offset].value)); - switch(length) - { - case 1: - ec_point_format=BtoL1BytesNum((const char*)(chello->extensions.extension[ex_offset].value+1)); - break; - case 2: - ec_point_format=BtoL2BytesNum((const char*)(chello->extensions.extension[ex_offset].value+1)); - break; - case 3: - ec_point_format=BtoL3BytesNum((const char*)(chello->extensions.extension[ex_offset].value+1)); - break; - case 4: - ec_point_format=BtoL4BytesNum((const char*)(chello->extensions.extension[ex_offset].value+1)); - break; - default: - ec_point_format=0; - break; - } - } + ec_point_format=&(chello->extensions.extension[ex_offset++]); break; case SUPPORTED_GROUPS_EXT_TYPE: - // parse supported groups - { - unsigned short length=BtoL2BytesNum((const char*)(chello->extensions.extension[ex_offset].value)); - for(unsigned short j=0; j<length; j+=2) - { - unsigned short group=BtoL2BytesNum((const char*)(chello->extensions.extension[ex_offset].value+j+2)); - if(ssl_is_grease_value(group)==0) - { - utstring_printf(ec_string, "%u-", group); - } - } - } + ec=&(chello->extensions.extension[ex_offset++]); break; default: break; @@ -499,11 +456,59 @@ int ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *paylo chello->extensions.num=ex_offset; } + + UT_string *ja3_string; + utstring_new(ja3_string); + utstring_printf(ja3_string, "%u", chello->version); + + UT_string *cipher_suite_string; + utstring_new(cipher_suite_string); + utstring_printf(cipher_suite_string, ","); + if(chello->ciphersuites.len>0) + { + for(unsigned short i=0; i<chello->ciphersuites.len; i+=2) + { + unsigned short cipher_suite=BtoL2BytesNum((const char *)(chello->ciphersuites.value+i)); + if(ssl_is_grease_value(cipher_suite)==0) + { + utstring_printf(cipher_suite_string, "%u-", cipher_suite); + } + } + } utstring_bincpy(ja3_string, utstring_body(cipher_suite_string), (utstring_len(cipher_suite_string)==1 ? utstring_len(cipher_suite_string) : utstring_len(cipher_suite_string)-1)); + utstring_bincpy(ja3_string, utstring_body(ex_string), (utstring_len(ex_string)==1 ? utstring_len(ex_string) : utstring_len(ex_string)-1)); + + UT_string *ec_string; + utstring_new(ec_string); + utstring_printf(ec_string, ","); + if(ec!=NULL) + { + unsigned short length=BtoL2BytesNum((const char*)(ec->value)); + for(unsigned short j=0; j<length; j+=2) + { + unsigned short group=BtoL2BytesNum((const char*)(ec->value+j+2)); + if(ssl_is_grease_value(group)==0) + { + utstring_printf(ec_string, "%u-", group); + } + } + } utstring_bincpy(ja3_string, utstring_body(ec_string), (utstring_len(ec_string)==1 ? utstring_len(ec_string) : utstring_len(ec_string)-1)); - utstring_printf(ja3_string, ",%u", ec_point_format); + + UT_string *ec_point_format_string; + utstring_new(ec_point_format_string); + utstring_printf(ec_point_format_string, ","); + if(ec_point_format!=NULL) + { + char length=BtoL1BytesNum((const char*)(ec_point_format->value)); + for(char j=0; j<length; j++) + { + utstring_printf(ec_point_format_string, "%u-", ec_point_format->value[j+1]); + } + } + utstring_bincpy(ja3_string, utstring_body(ec_point_format_string), (utstring_len(ec_point_format_string)==1 ? utstring_len(ec_point_format_string) : utstring_len(ec_point_format_string)-1)); chello->ja3.md5_len=ja3_md5sum(utstring_body(ja3_string), utstring_len(ja3_string), chello->ja3.md5, sizeof(chello->ja3.md5)); chello->ja3.md5[chello->ja3.md5_len]='\0'; @@ -512,6 +517,7 @@ int ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *paylo utstring_free(cipher_suite_string); utstring_free(ec_string); utstring_free(ex_string); + utstring_free(ec_point_format_string); return SSL_TRUE; } @@ -1095,6 +1101,7 @@ int ssl_parse_stream(const struct streaminfo *a_tcp, struct ssl_runtime_context /**validaty check**/ if(NULL==payload || payload_len<SSL_HEADER_LEN) { + ssl_trunk_cache(ssl_context, payload, payload_len, thread_seq); return SSL_TRUE; } diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index f7d79de..d234fca 100644 --- a/test/CMakeLists.txt +++ b/test/CMakeLists.txt @@ -45,3 +45,4 @@ add_test(NAME RUN_MULTIPLE_HANDSHAKE_TEST COMMAND proto_test_main ${CMAKE_CURREN add_test(NAME RUN_CLOSE_CONTAINS_PAYLOAD_TEST COMMAND proto_test_main ${CMAKE_CURRENT_SOURCE_DIR}/pcap/close_contains_payload/ssl_close_contains_payload_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/pcap/close_contains_payload/ -name *.pcap|sort -V" WORKING_DIRECTORY ${PROTO_TEST_RUN_DIR}) add_test(NAME RUN_EXTENSION_EXCEED_16 COMMAND proto_test_main ${CMAKE_CURRENT_SOURCE_DIR}/pcap/extensions_exceed_16/extensions_exceed_16_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/pcap/extensions_exceed_16/ -name *.pcap|sort -V" WORKING_DIRECTORY ${PROTO_TEST_RUN_DIR}) add_test(NAME RUN_CLIENT_HELLO_FRAGMENT COMMAND proto_test_main ${CMAKE_CURRENT_SOURCE_DIR}/pcap/client_hello_fragment/ssl_client_hello_fragment_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/pcap/client_hello_fragment/ -name *.pcap|sort -V" WORKING_DIRECTORY ${PROTO_TEST_RUN_DIR}) +add_test(NAME RUN_ACK_CONTAINS_PAYLOAD COMMAND proto_test_main ${CMAKE_CURRENT_SOURCE_DIR}/pcap/tcp_ack_contians_payload/ssl_tcp_ack_contians_payload_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/pcap/tcp_ack_contians_payload/ -name *.pcap|sort -V" WORKING_DIRECTORY ${PROTO_TEST_RUN_DIR}) diff --git a/test/pcap/client_hello_fragment/3-ssl.client.hello.fragment.36.251.161.167.39777-143.92.57.79.443.pcap b/test/pcap/client_hello_fragment/3-ssl.client.hello.fragment.36.251.161.167.39777-143.92.57.79.443.pcap Binary files differnew file mode 100644 index 0000000..f81b4fe --- /dev/null +++ b/test/pcap/client_hello_fragment/3-ssl.client.hello.fragment.36.251.161.167.39777-143.92.57.79.443.pcap diff --git a/test/pcap/client_hello_fragment/ssl_client_hello_fragment_result.json b/test/pcap/client_hello_fragment/ssl_client_hello_fragment_result.json index dfbad1a..b392285 100644 --- a/test/pcap/client_hello_fragment/ssl_client_hello_fragment_result.json +++ b/test/pcap/client_hello_fragment/ssl_client_hello_fragment_result.json @@ -46,5 +46,13 @@ "ssl_cert_To": "240515235959Z", "ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11", "name": "SSL_RESULT_2" + }, + { + "Tuple4": "36.251.161.167.39777>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "c3db97da3b30171e5cf9de314584b555", + "name": "SSL_RESULT_3" } ]
\ No newline at end of file diff --git a/test/pcap/tcp_ack_contians_payload/1-tcp_ack_contains_payload.pcap b/test/pcap/tcp_ack_contians_payload/1-tcp_ack_contains_payload.pcap Binary files differnew file mode 100644 index 0000000..199f7ee --- /dev/null +++ b/test/pcap/tcp_ack_contians_payload/1-tcp_ack_contains_payload.pcap diff --git a/test/pcap/tcp_ack_contians_payload/ssl_tcp_ack_contians_payload_result.json b/test/pcap/tcp_ack_contians_payload/ssl_tcp_ack_contians_payload_result.json new file mode 100644 index 0000000..9632ce8 --- /dev/null +++ b/test/pcap/tcp_ack_contians_payload/ssl_tcp_ack_contians_payload_result.json @@ -0,0 +1,114 @@ +[ + { + "Tuple4": "36.251.161.167.39018>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "6f7971785f5cbbcb21819b6639f0e8f7", + "name": "SSL_RESULT_1" + }, + { + "Tuple4": "36.251.161.167.39025>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "0ac1d260c0b1f0e3bf645d6580ea6343", + "name": "SSL_RESULT_2" + }, + { + "Tuple4": "36.251.161.167.39112>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "ca54aeeb513ecacf4d7bc22c5d8f0b75", + "name": "SSL_RESULT_3" + }, + { + "Tuple4": "36.251.161.167.39423>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "9e41793e6f0a1696bedc0876465e1f42", + "name": "SSL_RESULT_4" + }, + { + "Tuple4": "36.251.161.167.39680>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "47c3fabcf1bc65a32a9d3fb8e70ab79d", + "name": "SSL_RESULT_5" + }, + { + "Tuple4": "36.251.161.167.39809>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "04331a57b3e122e689c373712edf42c0", + "name": "SSL_RESULT_6" + }, + { + "Tuple4": "36.251.161.167.39816>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "34c3efe4e6565e8eef2eaaeb7c12a1a6", + "name": "SSL_RESULT_7" + }, + { + "Tuple4": "36.251.161.167.39820>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cc97290a5bb4651489fe7a88e93ace90", + "name": "SSL_RESULT_8" + }, + { + "Tuple4": "36.251.161.167.39825>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "4e6ae21ce8b876dc7cad2f5ca9a60b23", + "name": "SSL_RESULT_9" + }, + { + "Tuple4": "36.251.161.167.39832>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "89cb560e9ee2d33728756a2d4d7b2900", + "name": "SSL_RESULT_10" + }, + { + "Tuple4": "36.251.161.167.39850>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "7324d30178b21f4c3a60550ef43d5ab0", + "name": "SSL_RESULT_11" + }, + { + "Tuple4": "36.251.161.167.39867>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "53fed08198669268c271fc320627c0c4", + "name": "SSL_RESULT_12" + }, + { + "Tuple4": "36.251.161.167.39777>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "c3db97da3b30171e5cf9de314584b555", + "name": "SSL_RESULT_13" + }, + { + "Tuple4": "36.251.161.167.39810>143.92.57.79.443", + "ssl_sni": "a.ywgyuv.cn", + "ssl_ech": "1", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "ff194650bab04e7b4cd55e66fd91c010", + "name": "SSL_RESULT_14" + } +]
\ No newline at end of file |