From 21950877e691e1b52038d6cffa3914b944c9dfe9 Mon Sep 17 00:00:00 2001 From: 刘学利 Date: Mon, 3 Jul 2023 13:39:18 +0000 Subject: 代码重构,性能优化 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CMakeLists.txt | 3 +- include/ssl.h | 244 ++ src/Makefile | 61 - src/SSL_Analyze.c | 570 +---- src/SSL_Analyze.h | 98 +- src/SSL_Certificate.c | 1060 +------- src/SSL_Certificate.h | 34 +- src/SSL_Common.c | 60 - src/SSL_Common.h | 24 - src/SSL_Message.c | 1449 ++++++----- src/SSL_Message.h | 101 +- src/SSL_Proc.c | 463 +--- src/SSL_Proc.h | 59 +- src/SSl_ja3_fingerprint.cpp | 147 +- src/ssl.h | 342 --- src/ssl_update.txt | 88 - src/tool/test_cert/Makefile | 42 - src/tool/test_cert/cert_test | Bin 27632 -> 0 bytes src/tool/test_cert/ssl_cert.crt | Bin 3738 -> 0 bytes src/tool/test_cert/test_cert.c | 296 --- test/CMakeLists.txt | 2 + ...ssl-192.168.50.52.17434.15.197.193.217.443.pcap | Bin 0 -> 7211 bytes test/pcap/bug/ssl_bug_result.json | 24 + test/pcap/e21/ssl_e21_target_result.json | 4 +- test/pcap/multiple_handshake/3-ssl-with-cert.pcap | Bin 0 -> 203193 bytes .../ssl_multiple_handshake_result.json | 21 + test/pcap/ssl/ssl_result.json | 3 +- test/pcap/xxg/ssl_xxg_target_result.json | 2556 ++++++++++---------- test/ssl_result.json | 32 + test/ssl_test_plug.cpp | 178 +- 30 files changed, 2737 insertions(+), 5224 deletions(-) create mode 100644 include/ssl.h delete mode 100644 src/Makefile delete mode 100644 src/SSL_Common.c delete mode 100644 src/SSL_Common.h delete mode 100644 src/ssl.h delete mode 100644 src/ssl_update.txt delete mode 100644 src/tool/test_cert/Makefile delete mode 100644 src/tool/test_cert/cert_test delete mode 100644 src/tool/test_cert/ssl_cert.crt delete mode 100644 src/tool/test_cert/test_cert.c create mode 100644 test/pcap/bug/ssl-192.168.50.52.17434.15.197.193.217.443.pcap create mode 100644 test/pcap/bug/ssl_bug_result.json create mode 100644 test/pcap/multiple_handshake/3-ssl-with-cert.pcap create mode 100644 test/pcap/multiple_handshake/ssl_multiple_handshake_result.json create mode 100644 test/ssl_result.json diff --git a/CMakeLists.txt b/CMakeLists.txt index bfb930a..2ce3a56 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -40,6 +40,7 @@ if (CMAKE_CXX_CPPCHECK) "--suppress=unmatchedSuppression" "--suppress=unreadVariable" "--suppress=unreachableCode" + "--suppress=constParameter" ) message("cppcheck start...") else() @@ -87,7 +88,7 @@ SET(CPACK_RPM_LIBRARIES_PRE_UNINSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/cmake/p install(TARGETS ssl LIBRARY DESTINATION ${CMAKE_INSTALL_PREFIX}/plug/protocol/${lib_name} COMPONENT LIBRARIES) install(FILES bin/${lib_name}.inf DESTINATION ${CMAKE_INSTALL_PREFIX}/plug/protocol/${lib_name} COMPONENT PROFILE) install(FILES bin/${lib_name}/${lib_name}.conf DESTINATION ${CMAKE_INSTALL_PREFIX}/conf/${lib_name}/ COMPONENT PROFILE) -install(FILES src/${lib_name}.h DESTINATION /opt/MESA/include/MESA COMPONENT HEADER) +install(FILES include/${lib_name}.h DESTINATION /opt/MESA/include/MESA COMPONENT HEADER) file(GLOB DEMO "test/src/*.c" diff --git a/include/ssl.h b/include/ssl.h new file mode 100644 index 0000000..96d2835 --- /dev/null +++ b/include/ssl.h @@ -0,0 +1,244 @@ +#pragma once + +enum ssl_interested_region +{ + /*1*/ + SSL_INTEREST_KEY_MASK = 0, + SSL_CERTIFICATE_DETAIL_MASK = 1, + SSL_CLIENT_HELLO_MASK = 2, + SSL_SERVER_HELLO_MASK= 3, + SSL_CERTIFICATE_MASK, + SSL_APPLICATION_DATA_MASK, + SSL_VERSION_MASK, + SSL_ALERT_MASK, + SSL_NEW_SESSION_TICKET_MASK, +}; + +#define SSL_INTEREST_KEY (1< $@ - --include $(DEPS) - -clean : - rm -f $(OBJECTS) $(DEPS) $(TARGET) - - -PLUGIN_PATH=./plug/protocol -CONFLIST_NAME=conflist_protocol.inf -PLUGIN_DIR_NAME=ssl -PLUGIN_INF_NAME=ssl.inf - -TARGET_DIR=$(PAPP_PATH)/$(PLUGIN_PATH)/$(PLUGIN_DIR_NAME)/ -INSERT_FILE=$(PAPP_PATH)/$(PLUGIN_PATH)/$(CONFLIST_NAME) -INSERT_CONTENT=$(PLUGIN_PATH)/$(PLUGIN_DIR_NAME)/$(PLUGIN_INF_NAME) -install: - mkdir -p $(TARGET_DIR) - cp -r ../bin/*.inf $(TARGET_DIR) - cp -r ../bin/*.so $(TARGET_DIR) - @ret=`cat $(INSERT_FILE)|grep $(INSERT_CONTENT)|wc -l`;if [ $$ret -eq 0 ];then echo $(INSERT_CONTENT) >>$(INSERT_FILE);fi - -CONF_DIR=$(PAPP_PATH)/conf/ -conf: - mkdir -p $(CONF_DIR) - cp -r ../bin/ssl $(CONF_DIR) diff --git a/src/SSL_Analyze.c b/src/SSL_Analyze.c index 0cccd9f..0fd703f 100644 --- a/src/SSL_Analyze.c +++ b/src/SSL_Analyze.c @@ -14,10 +14,8 @@ #include "SSL_Analyze.h" #include "SSL_Message.h" #include "ssl.h" +#include #include "SSL_Proc.h" -#include "field_stat2.h" -#include "MESA_prof_load.h" -#include "SSL_Common.h" #define GIT_VERSION_CATTER(v) __attribute__((__used__)) const char * GIT_VERSION_##v = NULL @@ -41,83 +39,11 @@ extern "C" } #endif -ssl_prog_runtime_parameter_t g_ssl_prog_para; +struct ssl_runtime_para g_ssl_runtime_para; -int SSL_VERSION_1_20210805 = 0; - -void ssl_history() +int ssl_read_config(const char* filename) { -//2014-03-03 V0.1 parse ssl, include expand ; -//2014-03-03 V0.1 modify service back_state, DROPME return DROPME ; -//2014-03-03 V0.1 server_name add length judge; -//2014-03-04 V0.1 use for youtube only analyse server_name, close certificate -//2014-03-30 V0.1 xjfd -//2014-03-31 V0.1 review ssl code after xj online , complete ssl recognition and parse -//2014-04-03 V0.1 iUnAnalyseLen bug -//2014-04-04 V0.1 write log, use define control write log or not -//2014-04-04 V0.1 bug1 : unanlyzelen< is pcaket trunk ; bug2 : clean cert before analeze_cert -//2014-04-04 V0.1 one stream , not half stream -//2014-04-10 V0.1 server_name_type 0000 or 0008 two bytes ,cert: ilength become int -//2014-05-15 V0.1 newplatform -//2014-05-15 V0.1 ssl conf modify -//2014-05-29 V0.1 while unsigned int bug and fcloe(fp) and free(output) and close printf -//2014-06-03 V0.1 review code , check unsigned int and int and return_value -//2014-06-05 V0.1 malformation ssl certificate -//2014-10-08 V0.1 version 0303 -//2014-10-31 V0.1 newplatform -//2014-11-18 V0.1 delete KILLME; certificate and certificate_detail can get by biz plugin at the same time. ssl_message.h->ssl.h -//2014-11-20 V0.1 subbak -//2014-11-21 V0.1 memcheck clientHello -//2014-11-28 V0.1 ssl.h and SSL_Message.h -//2015-01-06 V0.1 new plugin -//2015-01-27 V0.1 add "if(a_ssl_stream->stSSLCert->totallen<0) return SSL_RETURN_DROPME;" -//2015-03-23 V0.1 Conditional jump or move depends on uninitialised value -//2015-10-29 V0.1 such as ftp smtp -//2015-12-23 V0.1 cert level -//2015-12-31 V0.1 lost prco, buf, and pcSslBuffer malloc if need, and clienthello... -//2016-08-08 V0.2 cert issuer pport O C CN field and uiMaxBuffLen=0 -//2016-09-06 V0.2 1. server hello : method_len=1 2. 2. add version info -//2016-09-10 V0.2 1. ssl_read_specific_cert and ssl_read_all_cert -//2016-09-28 V0.2 pstClientServerName dictator_malloc -//2016-11-10 V0.2 clientHello Callback -//2017-03-08 V0.2 CERT Sub -//2017-04-15 V0.2 session->buf=cert when cert detail -//2017-04-19 V0.2 cert detail -//2018-06-29 V0.2 cert extension -//2018-07-30 V0.2 APPLICATION_DATA bug -//2018-11-08 V0.2 multi-san -//2018-11-29 V0.2 san dictator_malloc -//2018-12-04 V0.2 openssl parse certificate bug -//2018-12-07 V0.2 certificate maxnum; memcheck -//2019-01-28 V0.2 1. bug update: memset in cert 2. ssl cert_chain:FF FF -//2019-12-20 V0.2 add info statistics -//2020-01-09 V0.2 add stream tag -//2020-06-15 V0.2 memset buf -//2020-06-17 V0.2 increase MAX_DATA_BUFFER 40960 -//2020-12-02 V0.2 support session ticket -//2020-12-03 V0.2 droppkt and dropme -//2020-12-30 V0.2 add alpn -//2021-02-07 V0.2 add SSLSubKey -//2021-04-17 V0.2 support esni -//2021-04-28 V0.2 add certlen for each cert -//2021-05-29 V0.2 add SSLSerialNumLen -//2021-07-27 V0.2 add subject and issuer = commonName + organizationName + organizationalUnitName + localityName + streetAddress + stateOrProvinceName + countryName -//2021-08-05 V0.2 client hello SSL 2.0 - - - - - -//to do -//certificate ANSL - -} - -int ssl_readconf(const char* filename) -{ - FILE *fp = NULL; - - + FILE *fp=NULL; if(((fp = fopen(filename, "r"))!=NULL)) { char buf[2048]={0}; @@ -136,8 +62,8 @@ int ssl_readconf(const char* filename) printf( "ssl.so : ssl.conf %d bigger than MAX_REGION_NUM\n", region_id); return -1; } - strncpy(g_ssl_prog_para.ssl_conf_regionname[region_id], region_name, strlen(region_name)); - g_ssl_prog_para.ssl_region_cnt++; + memcpy(g_ssl_runtime_para.ssl_conf_regionname[region_id], region_name, strlen(region_name)); + g_ssl_runtime_para.ssl_region_cnt++; memset(region_name, 0, sizeof(region_name)); } fclose(fp); @@ -146,35 +72,20 @@ int ssl_readconf(const char* filename) { printf( "ssl.so : ssl.conf %s open error\n", filename); return -1; - } - return 0; -} - -int ssl_readMainConf(const char* filename) -{ - MESA_load_profile_int_def(filename, "FUNCTION", "stat_screen_print", &g_ssl_prog_para.stat_screen_print_trigger,0); - MESA_load_profile_int_def(filename, "FUNCTION", "stat_cycle", &g_ssl_prog_para.stat_cycle,0); - MESA_load_profile_string_def(filename, "FUNCTION", "stat_file", g_ssl_prog_para.stat_filename, sizeof(g_ssl_prog_para.stat_filename),"./log/ssl/ssl_stat.log"); - MESA_load_profile_short_def(filename, "FUNCTION", "switch_no_biz", (short*)&g_ssl_prog_para.ssl_switch_no_biz,0); - - MESA_load_profile_string_def(filename, "FUNCTION", "STAT_FIELD_APPNAME", g_ssl_prog_para.stat_appname, 16, "SSL"); - MESA_load_profile_string_def(filename, "FUNCTION", "STAT_FIELD_DST_IP", g_ssl_prog_para.stat_dst_ip, 64, "127.0.0.1"); - MESA_load_profile_int_def(filename, "FUNCTION", "STAT_FIELD_DST_PORT", &g_ssl_prog_para.stat_dst_port, 8125); - + } return 0; } -int ssl_add_proto_tag(int projetc_id, struct streaminfo *a_stream, const char* value, int len) +int ssl_add_proto_tag(const struct streaminfo *a_stream, const char* value, int len) { - if(projetc_id < 0)return -1; - struct ssl_proto_tag_t* proto_tag = (struct ssl_proto_tag_t*)project_req_get_struct(a_stream,projetc_id); + struct ssl_proto_tag* proto_tag = (struct ssl_proto_tag*)project_req_get_struct(a_stream, g_ssl_runtime_para.proto_tag_id); if(proto_tag == NULL) { - proto_tag = (struct ssl_proto_tag_t *)dictator_malloc(a_stream->threadnum, sizeof(struct ssl_proto_tag_t)); + proto_tag = (struct ssl_proto_tag *)dictator_malloc(a_stream->threadnum, sizeof(struct ssl_proto_tag)); memcpy(proto_tag->buf, value, len); proto_tag->buf[len]='\0'; - if(0 != project_req_add_struct(a_stream, projetc_id, proto_tag)) + if(0 != project_req_add_struct((struct streaminfo *)a_stream, g_ssl_runtime_para.proto_tag_id, proto_tag)) { dictator_free(a_stream->threadnum, proto_tag); proto_tag=NULL; @@ -196,70 +107,138 @@ void ssl_proto_tag_free(int thread_seq, void *value) return; } -int SSL_INIT(void) +int ssl_init_context(void **pme, int thread_seq) { - memset(&g_ssl_prog_para,0,sizeof(ssl_prog_runtime_parameter_t)); - strcat(g_ssl_prog_para.ssl_conf_filename, "./conf/ssl/ssl.conf"); + if(NULL!=*pme) + { + return -1; + } + + struct ssl_runtime_context *ssl_context = (struct ssl_runtime_context *)dictator_malloc(thread_seq, sizeof(struct ssl_runtime_context)); + memset(ssl_context, 0, sizeof(struct ssl_runtime_context)); + + ssl_context->link_state=SSL_FLASE; + ssl_context->over_flag=SSL_FLASE; + ssl_context->is_ssl_stream=SSL_FLASE; + ssl_context->version=UNKNOWN_VERSION; + ssl_context->business.return_value=PROT_STATE_GIVEME; - if(0!=ssl_readconf(g_ssl_prog_para.ssl_conf_filename)) - return -1; + *pme = (void*)ssl_context; + return 0; +} - ssl_readMainConf("./conf/ssl/ssl_main.conf"); +void ssl_release_context(struct ssl_runtime_context *ssl_context, int thread_seq) +{ + if(NULL==ssl_context) + { + return; + } - /*MESA_proto*/ - g_ssl_prog_para.proto_tag_id = project_producer_register("MESA_PROTO","struct",ssl_proto_tag_free); - ssl_ja3_init(); + if(ssl_context->record.cache_buff!=NULL) + { + dictator_free(thread_seq, ssl_context->record.cache_buff); + } + + dictator_free(thread_seq, ssl_context); + ssl_context=NULL; +} + +extern "C" char SSL_ENTRY(const struct streaminfo *a_tcp, void**pme, int thread_seq, const void *a_packet) +{ + int return_val=0; + char state=APP_STATE_GIVEME; + struct ssl_runtime_context *ssl_context=(struct ssl_runtime_context *)(*pme); + + switch(a_tcp->opstate) + { + case OP_STATE_PENDING: + if(g_ssl_runtime_para.ssl_interested_region_flag < SSL_KEY) + { + return APP_STATE_DROPME; + } + + ssl_init_context(pme,thread_seq); + ssl_context=(struct ssl_runtime_context *)(*pme); + case OP_STATE_DATA: + return_val=ssl_parse_stream(a_tcp, ssl_context ,thread_seq, a_packet); + if(SSL_FLASE==return_val || ssl_context->business.return_value&PROT_STATE_DROPME) + { + state=APP_STATE_DROPME; + } + break; + case OP_STATE_CLOSE: + if(ssl_context->version!=UNKNOWN_VERSION) + { + ssl_add_proto_tag( a_tcp, "SSL", strlen("SSL")); + } + ssl_context->over_flag=SSL_TRUE; + ssl_call_plugins(a_tcp, ssl_context, NULL, 0, SSL_INTEREST_KEY_MASK, thread_seq, a_packet); + break; + default: + break; + } + + if(ssl_context->business.return_value&PROT_STATE_DROPPKT) + { + state|=APP_STATE_DROPPKT; + } + + if(state&APP_STATE_DROPME || a_tcp->opstate==OP_STATE_CLOSE) + { + ssl_release_context(ssl_context, thread_seq); + *pme=NULL; + } - if(g_ssl_prog_para.stat_cycle) - { - g_ssl_prog_para.stat_handler = FS_create_handle(); - FS_set_para(g_ssl_prog_para.stat_handler, OUTPUT_DEVICE, g_ssl_prog_para.stat_filename, strlen(g_ssl_prog_para.stat_filename)+1); - int value = 1;//flush by date - FS_set_para(g_ssl_prog_para.stat_handler, FLUSH_BY_DATE, &value, sizeof(value)); - value = 2;//append - FS_set_para(g_ssl_prog_para.stat_handler, PRINT_MODE, &value, sizeof(value)); - FS_set_para(g_ssl_prog_para.stat_handler, STAT_CYCLE, &g_ssl_prog_para.stat_cycle, sizeof(g_ssl_prog_para.stat_cycle)); - value = (g_ssl_prog_para.stat_cycle!=0) ? 1 : 0; - FS_set_para(g_ssl_prog_para.stat_handler, PRINT_TRIGGER, &value, sizeof(value)); - value = 1; - FS_set_para(g_ssl_prog_para.stat_handler, CREATE_THREAD, &value, sizeof(value)); - FS_set_para(g_ssl_prog_para.stat_handler, APP_NAME, g_ssl_prog_para.stat_appname, strlen(g_ssl_prog_para.stat_appname)+1); - FS_set_para(g_ssl_prog_para.stat_handler, STATS_SERVER_IP, g_ssl_prog_para.stat_dst_ip, strlen(g_ssl_prog_para.stat_dst_ip)+1); - FS_set_para(g_ssl_prog_para.stat_handler, STATS_SERVER_PORT, &g_ssl_prog_para.stat_dst_port, sizeof(g_ssl_prog_para.stat_dst_port)); - g_ssl_prog_para.stat_field[SSL_STAT_PKTS_C2S] = FS_register(g_ssl_prog_para.stat_handler,FS_STYLE_FIELD,FS_CALC_CURRENT,"ssl_c2s_pkts"); - g_ssl_prog_para.stat_field[SSL_STAT_PKTS_S2C] = FS_register(g_ssl_prog_para.stat_handler,FS_STYLE_FIELD,FS_CALC_CURRENT,"ssl_s2c_pkts"); - g_ssl_prog_para.stat_field[SSL_STAT_BITS_C2S] = FS_register(g_ssl_prog_para.stat_handler,FS_STYLE_FIELD,FS_CALC_CURRENT,"ssl_c2s_bytes"); - g_ssl_prog_para.stat_field[SSL_STAT_BITS_S2C] = FS_register(g_ssl_prog_para.stat_handler,FS_STYLE_FIELD,FS_CALC_CURRENT,"ssl_s2c_bytes"); - FS_start(g_ssl_prog_para.stat_handler); + return state; +} + +extern "C" int SSL_INIT(void) +{ + memset(&g_ssl_runtime_para, 0, sizeof(struct ssl_runtime_para)); + + if(ssl_read_config("./conf/ssl/ssl.conf")!=0) + { + return -1; } + + const char *filename="./conf/ssl/ssl_main.conf"; + MESA_load_profile_int_def(filename, "FUNCTION", "MAC_CACHE_LEN", &g_ssl_runtime_para.max_cache_len, 10240); + + ssl_ja3_init(); + g_ssl_runtime_para.proto_tag_id=project_producer_register("MESA_PROTO", "struct", ssl_proto_tag_free); + return 0; -}/*SSL_INIT*/ +} -void SSL_DESTROY(void) +extern "C" void SSL_DESTROY(void) { return; -}/*SSL_DESTRORY*/ +} -void SSL_GETPLUGID(unsigned short plugid) +extern "C" void SSL_GETPLUGID(unsigned short plugid) { - g_ssl_prog_para.ssl_plugid = plugid; + g_ssl_runtime_para.ssl_plugid = plugid; } -void SSL_PROT_FUNSTAT(unsigned long long protflag) +extern "C" void SSL_PROT_FUNSTAT(unsigned long long protflag) { - if(0==protflag) return; + if(0==protflag) + { + return; + } + + g_ssl_runtime_para.ssl_interested_region_flag=protflag; - g_ssl_prog_para.ssl_interested_region_flag = protflag; return; -}/*PROT_FUNSTAT*/ +} unsigned long long ssl_getRegionID(char *string, int str_len, const char g_string[MAX_REGION_NUM][REGION_NAME_LEN]) { unsigned long long i=0; - for(i=0;isession.session_value = NULL; - pstClientHello->session.session_len = 0; - pstClientHello->ciphersuites.suites_value = NULL; - pstClientHello->ciphersuites.suites_len = 0; - pstClientHello->com_method.methods = NULL; - pstClientHello->com_method.methlen = 0; - pstClientHello->ext_num = 0; - memset(&pstClientHello->random, 0, sizeof(pstClientHello->random)); - int i=0; - for(i=0;iexts[i], 0, sizeof(pstClientHello->exts[i])); - } - memset(&pstClientHello->server_name, 0, sizeof(pstClientHello->server_name)); - return; -} - -void ssl_initStructServerHello(st_server_hello_t* pstServerHello) -{ - if(pstServerHello==NULL) return ; - - pstServerHello->session.session_value = NULL; - pstServerHello->session.session_len = 0; - pstServerHello->ciphersuites.suites_value = NULL; - pstServerHello->ciphersuites.suites_len = 0; - pstServerHello->com_method.methods = NULL; - pstServerHello->com_method.methlen = 0; - pstServerHello->ext_num = 0; - memset(&pstServerHello->random, 0, sizeof(pstServerHello->random)); - int i=0; - for(i=0;iexts[i], 0, sizeof(pstServerHello->exts[i])); - } - return; -} - -int ssl_initSslStream(struct streaminfo *a_tcp, void **pme, int thread_seq) -{ - /**Variables define**/ - if(NULL != *pme) - { - return -1; - } - - ssl_stream *a_ssl_stream = (ssl_stream *)dictator_malloc(thread_seq, sizeof(ssl_stream)); - memset(a_ssl_stream,0,sizeof(ssl_stream)); - - a_ssl_stream->output_region_flag = g_ssl_prog_para.ssl_interested_region_flag; - - a_ssl_stream->uiMaxBuffLen = 0; - a_ssl_stream->uiCurBuffLen = 0; - a_ssl_stream->uiMsgState = SSL_HANDSHAKE_NOTRUNK; - a_ssl_stream->uiSslVersion = UNKNOWN_VERSION; - a_ssl_stream->uiAllMsgLen = 0; - a_ssl_stream->ucContType = 0; - a_ssl_stream->link_state = SSL_FLASE; - a_ssl_stream->over_flag = SSL_FLASE; - a_ssl_stream->is_ssl_stream = SSL_FLASE; - - //memset(a_ssl_stream->pcSslBuffer, 0, sizeof(a_ssl_stream->pcSslBuffer)); - //ssl_stream->pcSslBuffer = NULL; - a_ssl_stream->p_output_buffer = (cdata_buf*)dictator_malloc(thread_seq, sizeof(cdata_buf)); - a_ssl_stream->p_output_buffer->data_size = 0; - a_ssl_stream->p_output_buffer->p_data = 0; - - a_ssl_stream->output_region_mask = SSL_INTEREST_KEY_MASK; - - a_ssl_stream->business = (business_infor_t *)dictator_malloc(thread_seq,sizeof(business_infor_t)); - a_ssl_stream->business->param = NULL; - a_ssl_stream->business->return_value = PROT_STATE_GIVEME; - - *pme = (void*)a_ssl_stream; - return 0; -} - - -void ssl_releaseStructClientHello(int thread_seq, st_client_hello_t* pstClientHello) -{ - if(pstClientHello==NULL) return ; - if(pstClientHello->session.session_value!=NULL) - { - dictator_free(thread_seq,pstClientHello->session.session_value); - pstClientHello->session.session_value = NULL; - } - if(pstClientHello->ciphersuites.suites_value!=NULL) - { - dictator_free(thread_seq,pstClientHello->ciphersuites.suites_value); - pstClientHello->ciphersuites.suites_value = NULL; - } - if(pstClientHello->com_method.methods!=NULL) - { - dictator_free(thread_seq,pstClientHello->com_method.methods); - pstClientHello->com_method.methods = NULL; - } - if(pstClientHello->encrypted_server_name.key_exchange!=NULL) - { - dictator_free(thread_seq,pstClientHello->encrypted_server_name.key_exchange); - pstClientHello->encrypted_server_name.key_exchange = NULL; - } - if(pstClientHello->encrypted_server_name.esni!=NULL) - { - dictator_free(thread_seq,pstClientHello->encrypted_server_name.esni); - pstClientHello->encrypted_server_name.esni = NULL; - } - if(pstClientHello->encrypted_server_name.record_digest!=NULL) - { - dictator_free(thread_seq,pstClientHello->encrypted_server_name.record_digest); - pstClientHello->encrypted_server_name.record_digest = NULL; - } - if(pstClientHello->encrypted_server_name.suite_value!=NULL) - { - dictator_free(thread_seq,pstClientHello->encrypted_server_name.suite_value); - pstClientHello->encrypted_server_name.suite_value = NULL; - } - return; -} - - - -void ssl_releaseStructServerHello(int thread_seq,st_server_hello_t* pstServerHello) -{ - if(pstServerHello==NULL) return ; - if(pstServerHello->session.session_value!=NULL) - { - dictator_free(thread_seq,pstServerHello->session.session_value); - pstServerHello->session.session_value = NULL; - } - if(pstServerHello->ciphersuites.suites_value!=NULL) - { - dictator_free(thread_seq,pstServerHello->ciphersuites.suites_value); - pstServerHello->ciphersuites.suites_value = NULL; - } - if(pstServerHello->com_method.methods!=NULL) - { - dictator_free(thread_seq,pstServerHello->com_method.methods); - pstServerHello->com_method.methods = NULL; - } - return ; -} - - -void ssl_releaseSslStream(struct streaminfo *a_tcp, ssl_stream** pme, int thread_seq,void *a_packet) -{ - ssl_stream *a_ssl_stream = (ssl_stream *)*pme; - if(NULL == a_ssl_stream) return; - - (a_ssl_stream)->over_flag = SSL_TRUE; - - if(a_ssl_stream->uiSslVersion!=UNKNOWN_VERSION) - { - ssl_callPlugins(&a_ssl_stream, a_tcp, a_ssl_stream->output_region_flag, thread_seq, a_packet); - } - - if(NULL != a_ssl_stream->p_output_buffer) - { - if(a_ssl_stream->p_output_buffer->p_data!=NULL) - { - dictator_free(thread_seq,a_ssl_stream->p_output_buffer->p_data); - a_ssl_stream->p_output_buffer->p_data = NULL; - } - dictator_free(thread_seq,a_ssl_stream->p_output_buffer); - } - if(NULL != a_ssl_stream->business) - { - dictator_free(thread_seq,a_ssl_stream->business); - a_ssl_stream->business = NULL; - } - if(NULL != a_ssl_stream->stSSLCert) - { - dictator_free(thread_seq,a_ssl_stream->stSSLCert); - a_ssl_stream->stSSLCert = NULL; - } - if(NULL != a_ssl_stream->stClientHello) - { - ssl_releaseStructClientHello(thread_seq, a_ssl_stream->stClientHello); - dictator_free(thread_seq,a_ssl_stream->stClientHello); - a_ssl_stream->stClientHello = NULL; - } - if(NULL != a_ssl_stream->stServerHello) - { - ssl_releaseStructServerHello(thread_seq, a_ssl_stream->stServerHello); - dictator_free(thread_seq,a_ssl_stream->stServerHello); - a_ssl_stream->stServerHello = NULL; - } - if(NULL != a_ssl_stream->stNewSessionTicket) - { - dictator_free(thread_seq,a_ssl_stream->stNewSessionTicket); - a_ssl_stream->stNewSessionTicket = NULL; - } - if(a_ssl_stream->pcSslBuffer!=NULL) - { - dictator_free(thread_seq,a_ssl_stream->pcSslBuffer); - } - - dictator_free(thread_seq,a_ssl_stream); - a_ssl_stream = NULL; - return; -} - -char SSL_ENTRY(struct streaminfo *a_tcp, void**pme, int thread_seq, void *a_packet) -{ - char state=APP_STATE_GIVEME; - UCHAR return_val=0; - ssl_stream *a_ssl_stream = NULL; - - if(!g_ssl_prog_para.ssl_switch_no_biz) - { - switch(ssl_doWithInsterestedRegion(a_tcp)) - { - case APP_STATE_DROPME: - return APP_STATE_DROPME; - default: - break; - } - } - - switch(a_tcp->opstate) - { - case OP_STATE_PENDING: - ssl_initSslStream(a_tcp, pme,thread_seq); - case OP_STATE_DATA: - return_val = ssl_analyseStream(a_tcp, pme ,thread_seq, a_packet); - a_ssl_stream = (ssl_stream *)*pme; - - if(SSL_RETURN_DROPME==return_val || a_ssl_stream->business->return_value&PROT_STATE_DROPME) - { - state = APP_STATE_DROPME; - } - if(SSL_RETURN_GIVEME==return_val) - { - state = APP_STATE_GIVEME; - } - if(a_ssl_stream->business->return_value&PROT_STATE_DROPPKT) - { - state |=APP_STATE_DROPPKT; - a_ssl_stream->business->return_value ^= PROT_STATE_DROPPKT; - } - if(state&APP_STATE_DROPME) - { - ssl_releaseSslStream(a_tcp, &a_ssl_stream, thread_seq,a_packet); - *pme = NULL; - } - - return state; - break; - - case OP_STATE_CLOSE: - a_ssl_stream = (ssl_stream *)*pme; - if(a_ssl_stream==NULL) - { - return APP_STATE_DROPME; - } - - a_ssl_stream->over_flag = SSL_TRUE; - if (a_ssl_stream->uiSslVersion != UNKNOWN_VERSION) - { - ssl_add_proto_tag(g_ssl_prog_para.proto_tag_id, a_tcp, "SSL", strlen("SSL")); - if (g_ssl_prog_para.stat_cycle) - { - atomic_add(&g_ssl_prog_para.stat_value[SSL_STAT_PKTS_C2S], a_tcp->ptcpdetail->serverpktnum); - atomic_add(&g_ssl_prog_para.stat_value[SSL_STAT_PKTS_S2C], a_tcp->ptcpdetail->clientpktnum); - atomic_add(&g_ssl_prog_para.stat_value[SSL_STAT_BITS_C2S], a_tcp->ptcpdetail->serverbytes); - atomic_add(&g_ssl_prog_para.stat_value[SSL_STAT_BITS_S2C], a_tcp->ptcpdetail->clientbytes); - - FS_operate(g_ssl_prog_para.stat_handler, g_ssl_prog_para.stat_field[SSL_STAT_PKTS_C2S], 0, FS_OP_SET, g_ssl_prog_para.stat_value[SSL_STAT_PKTS_C2S]); - FS_operate(g_ssl_prog_para.stat_handler, g_ssl_prog_para.stat_field[SSL_STAT_PKTS_S2C], 0, FS_OP_SET, g_ssl_prog_para.stat_value[SSL_STAT_PKTS_S2C]); - FS_operate(g_ssl_prog_para.stat_handler, g_ssl_prog_para.stat_field[SSL_STAT_BITS_C2S], 0, FS_OP_SET, g_ssl_prog_para.stat_value[SSL_STAT_BITS_C2S]); - FS_operate(g_ssl_prog_para.stat_handler, g_ssl_prog_para.stat_field[SSL_STAT_BITS_S2C], 0, FS_OP_SET, g_ssl_prog_para.stat_value[SSL_STAT_BITS_S2C]); - } - } - ssl_analyseStream(a_tcp, pme ,thread_seq, a_packet); - state = APP_STATE_DROPME; - if(a_ssl_stream->business->return_value&PROT_STATE_DROPPKT) - { - state |= APP_STATE_DROPPKT; - a_ssl_stream->business->return_value ^= PROT_STATE_DROPPKT; - } - - ssl_releaseSslStream(a_tcp, &a_ssl_stream, thread_seq,a_packet); - *pme = NULL; - - return state; - } - return APP_STATE_GIVEME; -} - diff --git a/src/SSL_Analyze.h b/src/SSL_Analyze.h index a8fab7c..955aff8 100644 --- a/src/SSL_Analyze.h +++ b/src/SSL_Analyze.h @@ -1,20 +1,6 @@ -/* - * SSL_Analyze.h - * - * Created on: 2013-5-2 - * Author: lis - */ +#pragma once -#ifndef SSL_ANALYZE_H_ -#define SSL_ANALYZE_H_ - -#define MESA_INCLUDE 1 - -#if MESA_INCLUDE #include -#else -#include "stream.h" -#endif #include "ssl.h" @@ -40,61 +26,59 @@ typedef long atomic_t; #define SSL_RETURN_NORM 0x53 #define SSL_RETURN_UNNORM 0x54 -#define SSL_RETURN_RESET_BUFFER 0x55 #define SSL_RETURN_GIVEME 0x56 #define SSL_RETURN_DROPME 0x57 #define MAX_REGION_NUM 15 #define REGION_NAME_LEN 32 -#define SSL_STAT_PKTS_C2S 0 -#define SSL_STAT_PKTS_S2C 1 -#define SSL_STAT_BITS_C2S 2 -#define SSL_STAT_BITS_S2C 3 -#define SSL_MAX_STAT_FIELD 4 +#define SSL_KEY 3 +#define SSL_TRUE 1 +#define SSL_FLASE 0 +struct ssl_proto_tag +{ + char buf[8]; +}; -typedef struct ssl_prog_runtime_parameter_t +struct ssl_runtime_para { unsigned long long ssl_interested_region_flag; unsigned long long ssl_region_cnt; - char ssl_conf_filename[256]; - unsigned short ssl_plugid; - char ssl_conf_regionname[MAX_REGION_NUM][REGION_NAME_LEN]; - void* stat_handler; - int stat_screen_print_trigger; - int stat_cycle; - int ssl_switch_no_biz; - - int stat_field[SSL_MAX_STAT_FIELD]; - int stat_dst_port; - uint64_t stat_value[SSL_MAX_STAT_FIELD]; - char stat_filename[256]; - char stat_dst_ip[64]; - char stat_appname[16]; - - int proto_tag_id ; -}ssl_prog_runtime_parameter_t; + unsigned short ssl_plugid; + char ssl_conf_regionname[MAX_REGION_NUM][REGION_NAME_LEN]; + char stat_filename[256]; + char stat_dst_ip[64]; + char stat_appname[16]; + int proto_tag_id ; + int max_cache_len; +}; -struct ssl_proto_tag_t -{ - char buf[8]; +struct ssl_business_info +{ + void* param; + unsigned char return_value; +}; + +struct ssl_record_trunk +{ + int cache_len; + char* cache_buff; }; -#ifdef __cplusplus -extern "C" { -#endif +struct ssl_runtime_context +{ + unsigned char link_state; + unsigned char over_flag; + unsigned char is_ssl_stream; + unsigned short version; //SSL versions, definition like TLSV1_2_VERSION in ssl.h + + unsigned char first_pkt_flag; + struct ssl_stream stream; + struct ssl_record_trunk record; + struct ssl_business_info business; +}; -int SSL_INIT(void); -char SSL_ENTRY(struct streaminfo *a_tcp, void**pme, int thread_seq, void *a_pcaket); -void SSL_DESTROY(void); -void SSL_GETPLUGID(unsigned short plugid); -void SSL_PROT_FUNSTAT(unsigned long long protflag); -long long SSL_FLAG_CHANGE(char* flag_str); -void ssl_initStructClientHello(st_client_hello_t* pstClientHello); -void ssl_initStructServerHello(st_server_hello_t* pstServerHello); +extern struct ssl_runtime_para g_ssl_runtime_para; +int ssl_ja3_init(void); -#ifdef __cplusplus -} -#endif -#endif /* SSL_ANALYZE_H_ */ diff --git a/src/SSL_Certificate.c b/src/SSL_Certificate.c index 1d25e21..f0b6b2d 100644 --- a/src/SSL_Certificate.c +++ b/src/SSL_Certificate.c @@ -25,11 +25,9 @@ #include "SSL_Certificate.h" #include "SSL_Proc.h" -//debug -#define PRINTF_CERTIFICATE 0 - #define CERT_VER_MAXNUM 3 -const stValueString_t g_astCertVersions[] = + +const struct ssl_value2string g_certificate_version[] = { { 0, "v1" }, { 1, "v2" }, @@ -38,7 +36,7 @@ const stValueString_t g_astCertVersions[] = { 0, NULL }, }; -const stSerialString_t g_astAlgrithomTypes[] = +const struct ssl_serial_string g_astAlgrithomTypes[] = { {{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x02}, "md2"}, {{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x04}, "md4"}, @@ -52,7 +50,7 @@ const stSerialString_t g_astAlgrithomTypes[] = {{0}, NULL}, }; -const stSerialString_t g_astUserItemId[] = +const struct ssl_serial_string g_astUserItemId[] = { {{0X55, 0X04, 0X03}, "commonName"}, {{0X55, 0X04, 0x0a}, "organizationName"}, @@ -72,7 +70,7 @@ int ssl_read_specific_cert(const char* conj_cert_buf, uint32_t conj_buflen, uint uint32_t unproc_certlen = conj_buflen; char* cur_cert = NULL; uint32_t cert_unit_cnt = 0; - cert_chain_t cert_unit[CERT_TYPE_MAXNUM]; + struct ssl_certificate_chain cert_unit[CERT_TYPE_MAXNUM]; while (unproc_certlen > 0) { @@ -144,7 +142,7 @@ int ssl_read_specific_cert(const char* conj_cert_buf, uint32_t conj_buflen, uint } /*return : chain ����*/ -int ssl_read_all_cert(const char* conj_cert_buf, uint32_t conj_buflen, cert_chain_t* cert_unit, uint32_t unit_size) +int ssl_read_all_cert(const char* conj_cert_buf, uint32_t conj_buflen, struct ssl_certificate_chain* cert_unit, uint32_t unit_size) { if(NULL==conj_cert_buf || 0==conj_buflen) return 0; char* unproc_cert = (char*)conj_cert_buf; @@ -152,892 +150,33 @@ int ssl_read_all_cert(const char* conj_cert_buf, uint32_t conj_buflen, cert_chai char* cur_cert = NULL; uint32_t cert_unit_cnt = 0; - while ((int)unproc_certlen > 0) - { + while ((int)unproc_certlen > 0) + { if(cert_unit_cnt>=unit_size) { break; } + cert_unit[cert_unit_cnt].cert_len = BtoL3BytesNum(unproc_cert); if((int)cert_unit[cert_unit_cnt].cert_len <0 || cert_unit[cert_unit_cnt].cert_len+SSL_CERTIFICATE_HDRLEN>unproc_certlen) { break; } + cur_cert = unproc_cert+SSL_CERTIFICATE_HDRLEN; - cert_unit[cert_unit_cnt].cert = cur_cert; - unproc_certlen -= (SSL_CERTIFICATE_HDRLEN+cert_unit[cert_unit_cnt].cert_len); + cert_unit[cert_unit_cnt].cert=cur_cert; + unproc_certlen -= (SSL_CERTIFICATE_HDRLEN+cert_unit[cert_unit_cnt].cert_len); unproc_cert += SSL_CERTIFICATE_HDRLEN+cert_unit[cert_unit_cnt].cert_len; - cert_unit_cnt++; - - } - return cert_unit_cnt; -} - - -UCHAR ssl_Certificate(char *pcSslCertificateData, int iDataLen, ssl_stream *a_ssl_stream, struct streaminfo* a_tcp, - unsigned long long region_flag, int thread_seq, void* a_packet) -{ - int iUnAnaCertLen = iDataLen; - char *pcCurSslCertificateData = pcSslCertificateData; - while (iUnAnaCertLen > 0) - { - a_ssl_stream->stSSLCert->certlen = BtoL3BytesNum(pcCurSslCertificateData); - if (a_ssl_stream->stSSLCert->certlen + SSL_CERTIFICATE_HDRLEN > iUnAnaCertLen) - { - /**packet trunked is impossible**/ - break; - } - pcCurSslCertificateData += SSL_CERTIFICATE_HDRLEN; - iUnAnaCertLen -= SSL_CERTIFICATE_HDRLEN; - a_ssl_stream->p_output_buffer->p_data = pcCurSslCertificateData; - a_ssl_stream->p_output_buffer->data_size = a_ssl_stream->stSSLCert->certlen; - a_ssl_stream->output_region_mask = SSL_CERTIFICATE_MASK; - int return_val = ssl_doWithCertificate(&a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); - a_ssl_stream->p_output_buffer->p_data = NULL; - a_ssl_stream->p_output_buffer->data_size = 0; - if(SSL_RETURN_NORM != return_val) - { - return return_val; - } - pcCurSslCertificateData += a_ssl_stream->stSSLCert->certlen; - iUnAnaCertLen -= a_ssl_stream->stSSLCert->certlen; - } - return SSL_RETURN_NORM; -} - -void cert_log(ssl_stream *a_ssl_stream) -{ - FILE* pFile = NULL; - time_t currTime; - struct tm *now; - char strTime[32]; - char logTime[32]; - char filename[64] = {0}; - time(&currTime); - now = localtime(&currTime); - memset(strTime, 0, sizeof(strTime) ); - memset(logTime, 0, sizeof(logTime) ); - strftime(strTime, sizeof(strTime), "%Y-%m-%d %H:%M:%S", now); - strftime(logTime, sizeof(logTime), "%Y-%m-%d", now); - strcpy(filename, "./ssl_log/ssl_cert_log_"); - strcat(filename, logTime); - if(((pFile = fopen(filename, "a+"))!=NULL)) - { - fprintf(pFile,"%s=SSLIssuer==%s\n",strTime, a_ssl_stream->stSSLCert->SSLIssuer); - fprintf(pFile,"%s=SSLSub==%s\n",strTime, a_ssl_stream->stSSLCert->SSLSub); - fclose(pFile); - } -} - -UCHAR ssl_AnalyseCertificate(char *pcSslCertificateData, int iDataLen, ssl_stream *a_ssl_stream, struct streaminfo* a_tcp, - unsigned long long region_flag, int thread_seq, void* a_packet) -{ - int iUnAnaCertLen = iDataLen; - char *pcCurSslCertificateData = pcSslCertificateData; - int return_val; - cert_chain_t cert_unit[CERT_MAXNUM]; - int cert_num = 0; - int cert_cnt = ssl_read_all_cert(pcCurSslCertificateData, iUnAnaCertLen, cert_unit, CERT_MAXNUM); - - int i=0; - int totallen = a_ssl_stream->stSSLCert->totallen; - for(i=0;istSSLCert->totallen = totallen; - return_val = fn_pGetSSLInfo(cert_unit[i].cert, cert_unit[i].cert_len, a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); - if( SSL_RETURN_NORM != return_val) return return_val; - - a_ssl_stream->stSSLCert->certlen = cert_unit[i].cert_len; - a_ssl_stream->output_region_mask = SSL_CERTIFICATE_DETAIL_MASK; - a_ssl_stream->p_output_buffer->p_data = cert_unit[i].cert; - a_ssl_stream->p_output_buffer->data_size = a_ssl_stream->stSSLCert->certlen; - - switch(cert_num) - { - case 0: - a_ssl_stream->stSSLCert->cert_type = CERT_TYPE_INDIVIDUAL; - break; - case 1: - if(cert_cnt==2) - { - a_ssl_stream->stSSLCert->cert_type = CERT_TYPE_ROOT; - } - else - { - a_ssl_stream->stSSLCert->cert_type = CERT_TYPE_MIDDLE; - } - break; - case 2: - if(cert_cnt==3) - { - a_ssl_stream->stSSLCert->cert_type = CERT_TYPE_ROOT; - } - else - { - a_ssl_stream->stSSLCert->cert_type = CERT_TYPE_CHAIN; - } - break; - default: - if(cert_num==cert_cnt-1) - { - a_ssl_stream->stSSLCert->cert_type = CERT_TYPE_ROOT; - } - else - { - a_ssl_stream->stSSLCert->cert_type = CERT_TYPE_CHAIN; - } - break; - } - return_val = ssl_doWithCertificateDetail(&a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); - a_ssl_stream->p_output_buffer->p_data = NULL; - a_ssl_stream->p_output_buffer->data_size = 0; - cert_num++; - /*�ͷ�san�ڴ�*/ - if(a_ssl_stream->stSSLCert->SSLSubAltName!=NULL) - { - if(a_ssl_stream->stSSLCert->SSLSubAltName->san_array!=NULL) - { - dictator_free(thread_seq,a_ssl_stream->stSSLCert->SSLSubAltName->san_array); - a_ssl_stream->stSSLCert->SSLSubAltName->san_array = NULL; - } - dictator_free(thread_seq,a_ssl_stream->stSSLCert->SSLSubAltName); - a_ssl_stream->stSSLCert->SSLSubAltName = NULL; - } - if(a_ssl_stream->stSSLCert->SSLSubKey!=NULL) - { - dictator_free(thread_seq,a_ssl_stream->stSSLCert->SSLSubKey); - a_ssl_stream->stSSLCert->SSLSubKey = NULL; - } -#if PRINTF_CERTIFICATE - cert_log(a_ssl_stream); -#endif - memset(a_ssl_stream->stSSLCert,0,sizeof(st_cert_t)); - if(SSL_RETURN_NORM != return_val && SSL_RETURN_UNNORM != return_val ) return return_val; - } - return SSL_RETURN_NORM; -} - - -char *fn_pcGetElemType(const unsigned char *pucId, int iIdLen, stSerialString_t *pastElemTypes) -{ - int iLoop = 0; - int iInLoop = 0; - - if (NULL == pucId || iIdLen < 0 || NULL == pastElemTypes) - { - return NULL; - } - - for (iLoop = 0; NULL != pastElemTypes[iLoop].pcString; ++iLoop) - { - int iAlgIdLen = strlen((const char *)pastElemTypes[iLoop].aucSerial); - - if (iAlgIdLen != iIdLen) - { - continue; - } - - for (iInLoop = 0; iInLoop < iAlgIdLen; ++iInLoop) - { - if (pucId[iInLoop] != pastElemTypes[iLoop].aucSerial[iInLoop]) - { - //continue; - break; - } - } - - if (iInLoop == iAlgIdLen) - { - return (char *)(pastElemTypes[iLoop].pcString); - } - } - - return NULL; -} - -UCHAR fn_pGetSSLInfo_v1(char *pcCert, int iLen, ssl_stream *a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet) - -{ - /**variable define and initialise**/ - int iUnAnalyseLen = iLen; - char *pcCurData = pcCert; - char *pcIdString = NULL; - char *pcCurExtData = NULL; - char *pcCurElemData = NULL; - char *pcCurExtItem = NULL; - char acBuffer[8192] = {0}; - //int iCurExtItemLen; //20220318 cppcheck - int uiLength = 0; - int iCurItemLen; //20220318 cppcheck - int iCurElemLen = 0; - int iExtenLen = 0; - int iByteNum = 0; - int iShowFlag; - int iLoop = 0; - st_cert_t *stSSLCert = a_ssl_stream->stSSLCert; - char* issuer_info = NULL; - char* sub_info = NULL; - - /**validaty check**/ - if (NULL == pcCert || iLen <= 0 || NULL == stSSLCert) - { - //printf("1\n"); - return SSL_RETURN_UNNORM; - } - - /**certificate length**/ - uiLength = fn_iSslDecodeTagLength(pcCurData, iUnAnalyseLen, &iByteNum); - if (uiLength <= 0) - { - //printf("2\n"); - return SSL_RETURN_UNNORM; - } - - pcCurData += (iByteNum + 1); - iUnAnalyseLen -= (iByteNum + 1); - if (iUnAnalyseLen <= 0) - { - // printf("3\n"); - return SSL_RETURN_UNNORM; - } - - /***signed certificate***/ - uiLength = fn_iSslDecodeTagLength(pcCurData, iUnAnalyseLen, &iByteNum); - if (uiLength <= 0) - { - // printf("4\n"); - return SSL_RETURN_UNNORM; - } - - pcCurData = pcCurData + iByteNum + 1; - iUnAnalyseLen -= (iByteNum + 1); - if (iUnAnalyseLen <= 0) - { - // printf("5\n"); - return SSL_RETURN_UNNORM; - } - - /**version**/ - uiLength = fn_iSslDecodeTagLength(pcCurData, iUnAnalyseLen, &iByteNum); - if (uiLength <= 0) - { - // printf("6\n"); - return SSL_RETURN_UNNORM; - } - - pcCurElemData = pcCurData + iByteNum + 1; - iCurElemLen = uiLength; - pcCurData += (iByteNum + 1 + uiLength); - iUnAnalyseLen -= (iByteNum + 1 + uiLength); - if (iUnAnalyseLen <= 0) - { - // printf("7\n"); - return SSL_RETURN_UNNORM; - } - - /*get the version*/ - uiLength = fn_iSslDecodeTagLength(pcCurElemData, iCurElemLen, &iByteNum); - if (uiLength <= 0) - { - // printf("8\n"); - return SSL_RETURN_UNNORM; - } - - iCurElemLen -= (iByteNum + 1); - if (0 > iCurElemLen) - { - // printf("9\n"); - return SSL_RETURN_UNNORM; - } - pcCurElemData += (iByteNum + 1); - - if ((unsigned char)pcCurElemData[0] < 3) - { - unsigned int i = (unsigned int)pcCurElemData[0]; - memcpy(stSSLCert->SSLVersion, g_astCertVersions[i].pcString, 1 + strlen((const char *)g_astCertVersions[i].pcString)); - } - - /**serial number**/ - uiLength = fn_iSslDecodeTagLength(pcCurData, iUnAnalyseLen, &iByteNum); - if (uiLength <= 0) - { - // printf("10\n"); - return SSL_RETURN_UNNORM; - } - /*find the serial*/ - iUnAnalyseLen -= (iByteNum + 1 + uiLength); - if (iUnAnalyseLen <= 0) - { - // printf("11\n"); - return SSL_RETURN_UNNORM; - } - - - for (iLoop = 0; iLoop < (uiLength>=128/3?(128/3-1):uiLength); ++iLoop) - { - fn_vPrintNum(stSSLCert->SSLSerialNum+3*iLoop, (unsigned char)pcCurData[iByteNum + 1+iLoop]); - stSSLCert->SSLSerialNum[3*(1+iLoop)-1] = ' '; - stSSLCert->SSLSerialNum[3*(1+iLoop)] = '\0'; - } - - //memcpy(stSSLRz->SSLSerialNum, pcCurData+iByteNum + 1, uiLength>=128?127:uiLength); - //stSSLRz->SSLSerialNum[uiLength>=128?127:uiLength] = '\0'; - - pcCurData += (iByteNum + 1 + uiLength); - - /**signature**/ - uiLength = fn_iSslDecodeTagLength(pcCurData, iUnAnalyseLen, &iByteNum); - if (uiLength <= 0) - { - // printf("12\n"); - return SSL_RETURN_UNNORM; - } - - pcCurElemData = pcCurData + iByteNum + 1; - iCurElemLen = uiLength; - pcCurData += (iByteNum + 1 + uiLength); - iUnAnalyseLen -= (iByteNum + 1 + uiLength); - if (iUnAnalyseLen <= 0) - { - // printf("13\n"); - return SSL_RETURN_UNNORM; - } - /*get the signature info*/ - uiLength = fn_iSslDecodeTagLength(pcCurElemData, iCurElemLen, &iByteNum); - if (uiLength <= 0) - { - // printf("14\n"); - return SSL_RETURN_UNNORM; - } - - iCurElemLen -= (iByteNum + 1); - if (0 > iCurElemLen) - { - // printf("15\n"); - return SSL_RETURN_UNNORM; - } - pcCurElemData += (iByteNum + 1); - - pcIdString = fn_pcGetElemType((unsigned char *)pcCurElemData, uiLength, (stSerialString_t*)g_astAlgrithomTypes); - if (NULL != pcIdString) - { - memcpy(stSSLCert->SSLAgID, pcIdString, 1 + strlen((const char *)pcIdString)); - } - - - /**issuer**/ - uiLength = fn_iSslDecodeTagLength(pcCurData, iUnAnalyseLen, &iByteNum); - if (uiLength <= 0) - { - // printf("16\n"); - return SSL_RETURN_UNNORM; - } - iUnAnalyseLen -= (iByteNum + 1 + uiLength); - if (iUnAnalyseLen <= 0) - { - // printf("17\n"); - return SSL_RETURN_UNNORM; - } - pcCurElemData = pcCurData + iByteNum + 1; - iCurElemLen = uiLength; - pcCurData += (iByteNum + 1 + uiLength); - - - /*get the issuer info*/ - while (iCurElemLen > 0) - { - uiLength = fn_iSslDecodeTagLength(pcCurElemData, iCurElemLen, &iByteNum); - if (uiLength <= 0) - { - // printf("18\n"); - return SSL_RETURN_UNNORM; - } - - iCurElemLen -= (iByteNum + 1); - if (0 > iCurElemLen) - { - // printf("19\n"); - return SSL_RETURN_UNNORM; - } - pcCurElemData += (iByteNum + 1); - - uiLength = fn_iSslDecodeTagLength(pcCurElemData, iCurElemLen, &iByteNum); - if (uiLength <= 0) - { - // printf("20\n"); - return SSL_RETURN_UNNORM; - } - - iCurElemLen -= (iByteNum + 1); - if (0 > iCurElemLen) - { - // printf("21\n"); - return SSL_RETURN_UNNORM; - } - pcCurElemData += (iByteNum + 1); - - /*next level:first elem*/ - uiLength = fn_iSslDecodeTagLength(pcCurElemData, iCurElemLen, &iByteNum); - if (uiLength <= 0) - { - // printf("22\n"); - return SSL_RETURN_UNNORM; - } - - iCurElemLen -= (iByteNum + 1 + uiLength); - if (0 > iCurElemLen) - { - // printf("23\n"); - return SSL_RETURN_UNNORM; - } - pcCurElemData += (iByteNum + 1); - issuer_info = NULL; - issuer_info = fn_pcGetElemType((unsigned char *)pcCurElemData, uiLength, (stSerialString_t*)g_astUserItemId); - if (NULL == issuer_info) - { - iShowFlag = 0; - } - else - { - iShowFlag = 1; - } - pcCurElemData += uiLength; - /*second elem*/ - uiLength = fn_iSslDecodeTagLength(pcCurElemData, iCurElemLen, &iByteNum); - if (uiLength <= 0) - { - // printf("24\n"); - return SSL_RETURN_UNNORM; - } - - iCurElemLen -= (iByteNum + 1); - if (0 > iCurElemLen) - { - // printf("25\n"); - return SSL_RETURN_UNNORM; - } - pcCurElemData += (iByteNum + 1); - - if (1 == iShowFlag) - { - //malformation ssl certificate - if(uiLength>(int)sizeof(acBuffer)) - { - return SSL_RETURN_DROPME; - } - /*issuer detail*/ - if(0==strncmp(issuer_info, "commonName", strlen("commonName"))) - { - memcpy(stSSLCert->SSLIssuerCN, pcCurElemData, uiLength >= 64 ? 63 : uiLength); - stSSLCert->SSLIssuerCN[uiLength >= 64 ? 63 : uiLength] = '\0'; - } - else if(0==strncmp(issuer_info, "organizationName", strlen("organizationName"))) - { - memcpy(stSSLCert->SSLIssuerO, pcCurElemData, uiLength >= 64? 63 : uiLength); - stSSLCert->SSLIssuerO[uiLength >= 64 ? 63 : uiLength] = '\0'; - } - else if(0==strncmp(issuer_info, "countryName", strlen("countryName"))) - { - memcpy(stSSLCert->SSLIssuerC, pcCurElemData, uiLength >= 64 ? 63 : uiLength); - stSSLCert->SSLIssuerC[uiLength >= 64 ? 63 : uiLength] = '\0'; - } - else - { - /*not proc*/ - } - memcpy(acBuffer, pcCurElemData, uiLength); - acBuffer[uiLength] = ';'; - acBuffer[uiLength+1] = '\0'; - memcpy(acBuffer+strlen((const char *)acBuffer), stSSLCert->SSLIssuer, 1 + strlen((const char *)stSSLCert->SSLIssuer)); - iCurItemLen = strlen((const char *)acBuffer); - memcpy(stSSLCert->SSLIssuer, acBuffer, iCurItemLen >= 512 ? 511 : iCurItemLen); - stSSLCert->SSLIssuer[ iCurItemLen >= 512 ? 511 : iCurItemLen] = '\0'; - } - - iCurElemLen -= uiLength; - pcCurElemData += uiLength; - } - - - /**validaty**/ - uiLength = fn_iSslDecodeTagLength(pcCurData, iUnAnalyseLen, &iByteNum); - if (uiLength <= 0) - { - return SSL_RETURN_UNNORM; - } - pcCurElemData = pcCurData + iByteNum + 1; - iCurElemLen = uiLength; - pcCurData += (iByteNum + 1 + uiLength); - iUnAnalyseLen -= (iByteNum + 1 + uiLength); - if (iUnAnalyseLen <= 0) - { - return SSL_RETURN_UNNORM; - } - /*get the validaty info*/ - uiLength = fn_iSslDecodeTagLength(pcCurElemData, iCurElemLen, &iByteNum); - if (uiLength <= 0) - { - // printf("26\n"); - return SSL_RETURN_UNNORM; - } - - iCurElemLen -= (iByteNum + 1); - if (0 > iCurElemLen) - { - // printf("27\n"); - return SSL_RETURN_UNNORM; - } - pcCurElemData += (iByteNum + 1); - - /*utcTime*/ - if (0x0d == uiLength && 0x5a == pcCurElemData[uiLength-1]) - { - unsigned int str_len = 0; - sprintf(stSSLCert->SSLFrom, "%c%c-%c%c-%c%c %c%c:%c%c:%c%c(UTC)", pcCurElemData[0], pcCurElemData[1], pcCurElemData[2], pcCurElemData[3], - pcCurElemData[4], pcCurElemData[5], pcCurElemData[6], pcCurElemData[7], pcCurElemData[8], pcCurElemData[9], pcCurElemData[10], pcCurElemData[11]); - str_len = MIN(strlen(stSSLCert->SSLFrom), (sizeof(stSSLCert->SSLFrom)-1)); - stSSLCert->SSLFrom[str_len] = '\0'; + cert_unit_cnt++; } - //else if (1) - else - { - /*generalizedTime*/ - memcpy(stSSLCert->SSLFrom, pcCurElemData, uiLength>=80?79:uiLength); - stSSLCert->SSLFrom[uiLength>=80?79:uiLength] = '\0'; - } - - pcCurElemData += uiLength; - - uiLength = fn_iSslDecodeTagLength(pcCurElemData, iCurElemLen, &iByteNum); - if (uiLength <= 0) - { - // printf("28\n"); - return SSL_RETURN_UNNORM; - } - - iCurElemLen -= (iByteNum + 1 - uiLength); - if (0 > iCurElemLen) - { - // printf("29\n"); - return SSL_RETURN_UNNORM; - } - pcCurElemData += (iByteNum + 1); - - if (0x0d == uiLength && 0x5a == pcCurElemData[uiLength-1]) - { - unsigned int str_len = 0; - sprintf(stSSLCert->SSLTo, "%c%c-%c%c-%c%c %c%c:%c%c:%c%c(UTC)", pcCurElemData[0], pcCurElemData[1], pcCurElemData[2], pcCurElemData[3], - pcCurElemData[4], pcCurElemData[5], pcCurElemData[6], pcCurElemData[7], pcCurElemData[8], pcCurElemData[9], pcCurElemData[10], pcCurElemData[11]); - str_len = MIN(strlen(stSSLCert->SSLTo), (sizeof(stSSLCert->SSLTo)-1)); - stSSLCert->SSLTo[str_len] = '\0'; - } -// else if (1) - else - { - /*generalizedTime*/ - memcpy(stSSLCert->SSLTo, pcCurElemData, uiLength>=80?79:uiLength); - stSSLCert->SSLTo[uiLength>=80?79:uiLength] = '\0'; - } - - /**subject**/ - uiLength = fn_iSslDecodeTagLength(pcCurData, iUnAnalyseLen, &iByteNum); - if (uiLength <= 0) - { - // printf("30\n"); - return SSL_RETURN_UNNORM; - } - iUnAnalyseLen -= (iByteNum + 1 + uiLength); - if (iUnAnalyseLen <= 0) - { - return SSL_RETURN_UNNORM; - } - //memcpy(stSSLRz->SSLSub, pcCurData+iByteNum + 1, uiLength); - - pcCurElemData = pcCurData + (iByteNum + 1); - iCurElemLen = uiLength; - - pcCurData += (iByteNum + 1 + uiLength); - - /*get the subject info*/ - while (iCurElemLen > 0) - { - uiLength = fn_iSslDecodeTagLength(pcCurElemData, iCurElemLen, &iByteNum); - if (uiLength <= 0) - { - // printf("31\n"); - return SSL_RETURN_UNNORM; - } - - iCurElemLen -= (iByteNum + 1); - if (0 > iCurElemLen) - { - // printf("32\n"); - return SSL_RETURN_UNNORM; - } - pcCurElemData += (iByteNum + 1); - - uiLength = fn_iSslDecodeTagLength(pcCurElemData, iCurElemLen, &iByteNum); - if (uiLength <= 0) - { - // printf("33\n"); - return SSL_RETURN_UNNORM; - } - - iCurElemLen -= (iByteNum + 1); - if (0 > iCurElemLen) - { - // printf("34\n"); - return SSL_RETURN_UNNORM; - } - pcCurElemData += (iByteNum + 1); - - /*next level:first elem*/ - uiLength = fn_iSslDecodeTagLength(pcCurElemData, iCurElemLen, &iByteNum); - if (uiLength <= 0) - { - // printf("35\n"); - return SSL_RETURN_UNNORM; - } - - iCurElemLen -= (iByteNum + 1 + uiLength); - if (0 > iCurElemLen) - { - // printf("36\n"); - return SSL_RETURN_UNNORM; - } - pcCurElemData += (iByteNum + 1); - sub_info = fn_pcGetElemType((unsigned char *)pcCurElemData, uiLength, (stSerialString_t*)g_astUserItemId); - if (NULL == sub_info) - { - iShowFlag = 0; - } - else - { - iShowFlag = 1; - } - - pcCurElemData += uiLength; - /*second elem*/ - uiLength = fn_iSslDecodeTagLength(pcCurElemData, iCurElemLen, &iByteNum); - if (uiLength <= 0) - { - // printf("37\n"); - return SSL_RETURN_UNNORM; - } - - iCurElemLen -= (iByteNum + 1); - if (0 > iCurElemLen) - { - return SSL_RETURN_UNNORM; - } - pcCurElemData += (iByteNum + 1); - - if (1 == iShowFlag) - { - //malformation ssl certificate - if(uiLength>(int)sizeof(acBuffer)) - { - return SSL_RETURN_DROPME; - } - /*sub detail*/ - if(0==strncmp(sub_info, "commonName", strlen("commonName"))) - { - memcpy(stSSLCert->SSLSubCN, pcCurElemData, uiLength >= 64 ? 63 : uiLength); - stSSLCert->SSLSubCN[uiLength >= 64 ? 63 : uiLength] = '\0'; - } - else if(0==strncmp(sub_info, "organizationName", strlen("organizationName"))) - { - memcpy(stSSLCert->SSLSubO, pcCurElemData, uiLength >= 64? 63 : uiLength); - stSSLCert->SSLSubO[uiLength >= 64 ? 63 : uiLength] = '\0'; - } - else if(0==strncmp(sub_info, "countryName", strlen("countryName"))) - { - memcpy(stSSLCert->SSLSubC, pcCurElemData, uiLength >= 64 ? 63 : uiLength); - stSSLCert->SSLSubC[uiLength >= 64 ? 63 : uiLength] = '\0'; - } - else - { - /*not proc*/ - } - memcpy(acBuffer, pcCurElemData, uiLength); - acBuffer[uiLength] = ';'; - acBuffer[uiLength+1] = '\0'; - memcpy(acBuffer+strlen((const char *)acBuffer), stSSLCert->SSLSub, 1 + strlen((const char *)stSSLCert->SSLSub)); - iCurItemLen = strlen((const char *)acBuffer); - memcpy(stSSLCert->SSLSub, acBuffer, iCurItemLen >= 512 ? 511 : iCurItemLen); - stSSLCert->SSLSub[iCurItemLen >= 512 ? 511 : iCurItemLen ] = '\0'; - } - iCurElemLen -= uiLength; - pcCurElemData += uiLength; - } - - /*add by 20141120*/ - /**subject public key info**/ - uiLength = fn_iSslDecodeTagLength(pcCurData, iUnAnalyseLen, &iByteNum); - if (uiLength <= 0) - { - return SSL_RETURN_UNNORM; - } - pcCurData += (iByteNum + 1 + uiLength); - iUnAnalyseLen -= (iByteNum + 1 + uiLength); - if (iUnAnalyseLen <= 0) - { - return SSL_RETURN_UNNORM; - } - - /**extensions**/ - /*level 1: extention items length*/ - iExtenLen = fn_iSslDecodeTagLength(pcCurData, iUnAnalyseLen, &iByteNum); - if (iExtenLen <= 0) - { - return SSL_RETURN_UNNORM; - } - pcCurExtData = pcCurData + iByteNum + 1; - pcCurData += (iByteNum + 1 + iExtenLen); - iUnAnalyseLen -= (iByteNum + 1 + iExtenLen); - if (iUnAnalyseLen < 0) - { - return SSL_RETURN_UNNORM; - } - - /*level 2: extention items*/ - iExtenLen = fn_iSslDecodeTagLength(pcCurExtData, iExtenLen, &iByteNum); - if (iExtenLen <= 0) - { - return SSL_RETURN_UNNORM; - } - pcCurExtData += (iByteNum + 1); - - while (iExtenLen > 0) - { - /*current item length*/ - int iCurExtItemLen = fn_iSslDecodeTagLength(pcCurExtData, iExtenLen, &iByteNum); - if (iCurExtItemLen <= 0) - { - return SSL_RETURN_UNNORM; - } - - pcCurExtItem = pcCurExtData + iByteNum + 1; - pcCurExtData += (iByteNum + 1 + iCurExtItemLen); - iExtenLen -= (iByteNum + 1 + iCurExtItemLen); - if (iExtenLen < 0) - { - return SSL_RETURN_UNNORM; - } - - /*extention item id length*/ - uiLength = fn_iSslDecodeTagLength(pcCurExtItem, iCurExtItemLen, &iByteNum); - if (uiLength <= 0) - { - return SSL_RETURN_UNNORM; - } - pcCurExtItem += (iByteNum + 1); - iCurExtItemLen -= (iByteNum + 1); - - /*alter subject id*/ - if (3 == uiLength && 0x55 == pcCurExtItem[0] && 0x1d == pcCurExtItem[1] && 0x11 == pcCurExtItem[2]) - { - /*subject alter name*/ - pcCurExtItem += uiLength; - iCurExtItemLen -= uiLength; - uiLength = fn_iSslDecodeTagLength(pcCurExtItem, iCurExtItemLen, &iByteNum); - if (uiLength <= 0) - { - return SSL_RETURN_UNNORM; - } - pcCurExtItem += (iByteNum + 1); - iCurExtItemLen -= (iByteNum + 1); - if (iCurExtItemLen < 0) - { - return SSL_RETURN_UNNORM; - } - uiLength = fn_iSslDecodeTagLength(pcCurExtItem, iCurExtItemLen, &iByteNum); - if (uiLength <= 0) - { - return SSL_RETURN_UNNORM; - } - pcCurExtItem += (iByteNum + 1); - iCurExtItemLen -= (iByteNum + 1); - if (iCurExtItemLen < 0) - { - return SSL_RETURN_UNNORM; - } - /*get the last piece*/ - pcCurElemData = pcCurExtItem; - iCurElemLen = uiLength; - //pcCurExtItem += uiLength; //20220318 cppcheck - //iCurExtItemLen -= uiLength; //20220318 cppcheck - /*DNS name*/ - if((char)0x82 == pcCurElemData[0]) - { - /*SAN:subject alter name*/ - uiLength = fn_iSslDecodeTagLength(pcCurElemData, iCurElemLen, &iByteNum); - if (uiLength <= 0) - { - return SSL_RETURN_UNNORM; - } - pcCurElemData += (iByteNum + 1); - iCurElemLen -= (iByteNum + 1 + uiLength); - if (iCurElemLen < 0) - { - return SSL_RETURN_UNNORM; - } - //memcpy(stSSLCert->SSLSubBak, pcCurElemData, uiLength>=512?511:uiLength); - //stSSLCert->SSLSubBak[uiLength>=512?511:uiLength] = '\0'; - pcCurElemData += uiLength; - } - } - } - - /**algorithm identifier**/ - uiLength = fn_iSslDecodeTagLength(pcCurData, iUnAnalyseLen, &iByteNum); - if (uiLength <= 0) - { - return SSL_RETURN_UNNORM; - } - pcCurExtData = pcCurData + iByteNum + 1; - iExtenLen = uiLength; - //pcCurData += (iByteNum + 1 + uiLength); //20220318 cppcheck - iUnAnalyseLen -= (iByteNum + 1 + uiLength); - if (iUnAnalyseLen <= 0) - { - return SSL_RETURN_UNNORM; - } - - uiLength = fn_iSslDecodeTagLength(pcCurExtData, iExtenLen, &iByteNum); - if (uiLength <= 0) - { - return SSL_RETURN_UNNORM; - } - - iExtenLen -= (iByteNum + 1); - if (0 > iExtenLen) - { - return SSL_RETURN_UNNORM; - } - pcCurExtData += (iByteNum + 1); - - pcIdString = fn_pcGetElemType((unsigned char *)pcCurExtData, uiLength, (stSerialString_t*)g_astAlgrithomTypes); - if (NULL != pcIdString) - { - memcpy(stSSLCert->SSLFPAg, pcIdString, 1 + strlen((const char *)pcIdString)); - } - - //pcCurExtData += uiLength; //20220318 cppcheck - /**padding**/ - /**encrypted**/ - return SSL_RETURN_NORM; + return cert_unit_cnt; } -UCHAR fn_pGetSSLInfo(char *pcCert, int iLen, ssl_stream *a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet) +int x509_parse_certificate_detail(struct ssl_certificate *certificate, char *cert_payload, int cert_payload_len, int thread_seq) { - int cnt; - int i = 0; - char *san = NULL; - + int state=SSL_TRUE; + int san_count=0; X509_NAME *issuer = NULL; X509_NAME *subject = NULL; @@ -1054,87 +193,83 @@ UCHAR fn_pGetSSLInfo(char *pcCert, int iLen, ssl_stream *a_ssl_stream, struct const ASN1_OBJECT *salg; const X509_ALGOR *tsig_alg; - //return SSL_RETURN_NORM; - - X509 *x509_handle = d2i_X509(NULL, (unsigned char const **)&pcCert, iLen); + X509 *x509_handle = d2i_X509(NULL, (unsigned char const **)&cert_payload, cert_payload_len); if (x509_handle == NULL) { - return SSL_RETURN_NORM; + return SSL_FLASE; } /*version*/ int ver = X509_get_version(x509_handle); - if(ver>CERT_VER_MAXNUM || ver<0) goto cert_return; - memcpy(a_ssl_stream->stSSLCert->SSLVersion, - g_astCertVersions[ver].pcString, - 1 + strlen((const char *)g_astCertVersions[ver].pcString)); + if(ver>CERT_VER_MAXNUM || ver<0) + { + state=SSL_FLASE; + goto cert_return; + } + + certificate->version.len=(unsigned char)strlen((const char *)g_certificate_version[ver].string); + certificate->version.value=(unsigned char *)g_certificate_version[ver].string; /*serial num*/ serial = X509_get_serialNumber(x509_handle); if (NULL != serial) { - a_ssl_stream->stSSLCert->SSLSerialNumLen = MIN(ASN1_STRING_length(serial), (int)(sizeof(a_ssl_stream->stSSLCert->SSLSerialNum))); - memcpy(a_ssl_stream->stSSLCert->SSLSerialNum, ASN1_STRING_get0_data(serial), a_ssl_stream->stSSLCert->SSLSerialNumLen); + certificate->serial.len=MIN(ASN1_STRING_length(serial), (int)(sizeof(certificate->serial.value)-1)); + memcpy(certificate->serial.value, ASN1_STRING_get0_data(serial), certificate->serial.len); } /*SSL AgID*/ tsig_alg = X509_get0_tbs_sigalg(x509_handle); X509_ALGOR_get0(&salg, NULL, NULL, tsig_alg); - OBJ_obj2txt(a_ssl_stream->stSSLCert->SSLAgID, sizeof(a_ssl_stream->stSSLCert->SSLAgID), salg, 1); + OBJ_obj2txt((char*)certificate->signature_algorithm.value, sizeof(certificate->signature_algorithm.value), salg, 1); + certificate->signature_algorithm.len=strlen((const char *)certificate->signature_algorithm.value); /*SSL Issuer*/ issuer = X509_get_issuer_name(x509_handle); if(NULL!=issuer) { - X509_NAME_get_text_by_NID(issuer, NID_commonName, a_ssl_stream->stSSLCert->SSLIssuerCN, sizeof(a_ssl_stream->stSSLCert->SSLIssuerCN)); - X509_NAME_get_text_by_NID(issuer, NID_organizationName, a_ssl_stream->stSSLCert->SSLIssuerO, sizeof(a_ssl_stream->stSSLCert->SSLIssuerO)); - X509_NAME_get_text_by_NID(issuer, NID_organizationalUnitName, a_ssl_stream->stSSLCert->SSLIssuerU, sizeof(a_ssl_stream->stSSLCert->SSLIssuerU)); - X509_NAME_get_text_by_NID(issuer, NID_localityName, a_ssl_stream->stSSLCert->SSLIssuerL, sizeof(a_ssl_stream->stSSLCert->SSLIssuerL)); - X509_NAME_get_text_by_NID(issuer, NID_streetAddress, a_ssl_stream->stSSLCert->SSLIssuerS, sizeof(a_ssl_stream->stSSLCert->SSLIssuerS)); - X509_NAME_get_text_by_NID(issuer, NID_stateOrProvinceName, a_ssl_stream->stSSLCert->SSLIssuerP, sizeof(a_ssl_stream->stSSLCert->SSLIssuerP)); - X509_NAME_get_text_by_NID(issuer, NID_countryName, a_ssl_stream->stSSLCert->SSLIssuerC, sizeof(a_ssl_stream->stSSLCert->SSLIssuerC)); - + X509_NAME_get_text_by_NID(issuer, NID_commonName, certificate->issuer.common, sizeof(certificate->issuer.common)); + X509_NAME_get_text_by_NID(issuer, NID_organizationName, certificate->issuer.organization, sizeof(certificate->issuer.organization)); + X509_NAME_get_text_by_NID(issuer, NID_organizationalUnitName, certificate->issuer.organizational_unit, sizeof(certificate->issuer.organizational_unit)); + X509_NAME_get_text_by_NID(issuer, NID_localityName, certificate->issuer.locality, sizeof(certificate->issuer.locality)); + X509_NAME_get_text_by_NID(issuer, NID_streetAddress, certificate->issuer.street_address, sizeof(certificate->issuer.street_address)); + X509_NAME_get_text_by_NID(issuer, NID_stateOrProvinceName, certificate->issuer.state_or_Province, sizeof(certificate->issuer.state_or_Province)); + X509_NAME_get_text_by_NID(issuer, NID_countryName, certificate->issuer.country, sizeof(certificate->issuer.country)); - snprintf(a_ssl_stream->stSSLCert->SSLIssuer, - sizeof(a_ssl_stream->stSSLCert->SSLIssuer), + snprintf(certificate->issuer.rdn_sequence_list, + sizeof(certificate->issuer.rdn_sequence_list), "%s;%s;%s;%s;%s;%s;%s", - a_ssl_stream->stSSLCert->SSLIssuerCN, - a_ssl_stream->stSSLCert->SSLIssuerO, - a_ssl_stream->stSSLCert->SSLIssuerU, - a_ssl_stream->stSSLCert->SSLIssuerL, - a_ssl_stream->stSSLCert->SSLIssuerS, - a_ssl_stream->stSSLCert->SSLIssuerP, - a_ssl_stream->stSSLCert->SSLIssuerC); + certificate->issuer.common, + certificate->issuer.organization, + certificate->issuer.organizational_unit, + certificate->issuer.locality, + certificate->issuer.street_address, + certificate->issuer.state_or_Province, + certificate->issuer.country); } /*SSL Subject*/ subject = X509_get_subject_name(x509_handle); if(NULL!=subject) { - X509_NAME_get_text_by_NID(subject, NID_commonName, a_ssl_stream->stSSLCert->SSLSubCN, sizeof(a_ssl_stream->stSSLCert->SSLSubCN)); - X509_NAME_get_text_by_NID(subject, NID_organizationName, a_ssl_stream->stSSLCert->SSLSubO, sizeof(a_ssl_stream->stSSLCert->SSLSubO)); - X509_NAME_get_text_by_NID(subject, NID_countryName, a_ssl_stream->stSSLCert->SSLSubC, sizeof(a_ssl_stream->stSSLCert->SSLSubC)); - - - X509_NAME_get_text_by_NID(subject, NID_commonName, a_ssl_stream->stSSLCert->SSLSubCN, sizeof(a_ssl_stream->stSSLCert->SSLSubCN)); - X509_NAME_get_text_by_NID(subject, NID_organizationName, a_ssl_stream->stSSLCert->SSLSubO, sizeof(a_ssl_stream->stSSLCert->SSLSubO)); - X509_NAME_get_text_by_NID(subject, NID_organizationalUnitName, a_ssl_stream->stSSLCert->SSLSubU, sizeof(a_ssl_stream->stSSLCert->SSLSubU)); - X509_NAME_get_text_by_NID(subject, NID_localityName, a_ssl_stream->stSSLCert->SSLSubL, sizeof(a_ssl_stream->stSSLCert->SSLSubL)); - X509_NAME_get_text_by_NID(subject, NID_streetAddress, a_ssl_stream->stSSLCert->SSLSubS, sizeof(a_ssl_stream->stSSLCert->SSLSubS)); - X509_NAME_get_text_by_NID(subject, NID_stateOrProvinceName, a_ssl_stream->stSSLCert->SSLSubP, sizeof(a_ssl_stream->stSSLCert->SSLSubP)); - X509_NAME_get_text_by_NID(subject, NID_countryName, a_ssl_stream->stSSLCert->SSLSubC, sizeof(a_ssl_stream->stSSLCert->SSLSubC)); + X509_NAME_get_text_by_NID(subject, NID_commonName, certificate->subject.common, sizeof(certificate->subject.common)); + X509_NAME_get_text_by_NID(subject, NID_organizationName, certificate->subject.organization, sizeof(certificate->subject.organization)); + X509_NAME_get_text_by_NID(subject, NID_countryName, certificate->subject.country, sizeof(certificate->subject.country)); + X509_NAME_get_text_by_NID(subject, NID_organizationalUnitName, certificate->subject.organizational_unit, sizeof(certificate->subject.organizational_unit)); + X509_NAME_get_text_by_NID(subject, NID_localityName, certificate->subject.locality, sizeof(certificate->subject.locality)); + X509_NAME_get_text_by_NID(subject, NID_streetAddress, certificate->subject.street_address, sizeof(certificate->subject.street_address)); + X509_NAME_get_text_by_NID(subject, NID_stateOrProvinceName, certificate->subject.state_or_Province, sizeof(certificate->subject.state_or_Province)); - - snprintf(a_ssl_stream->stSSLCert->SSLSub, - sizeof(a_ssl_stream->stSSLCert->SSLSub), + snprintf(certificate->subject.rdn_sequence_list, + sizeof(certificate->subject.rdn_sequence_list), "%s;%s;%s;%s;%s;%s;%s", - a_ssl_stream->stSSLCert->SSLSubCN, - a_ssl_stream->stSSLCert->SSLSubO, - a_ssl_stream->stSSLCert->SSLSubU, - a_ssl_stream->stSSLCert->SSLSubL, - a_ssl_stream->stSSLCert->SSLSubS, - a_ssl_stream->stSSLCert->SSLSubP, - a_ssl_stream->stSSLCert->SSLSubC); + certificate->subject.common, + certificate->subject.organization, + certificate->subject.organizational_unit, + certificate->subject.locality, + certificate->subject.street_address, + certificate->subject.state_or_Province, + certificate->subject.country); } /*SSL Subject keyInfo*/ @@ -1142,20 +277,20 @@ UCHAR fn_pGetSSLInfo(char *pcCert, int iLen, ssl_stream *a_ssl_stream, struct if(pkey!=NULL) { //https://www.openssl.org/docs/man3.0/man3/i2d_PublicKey.html - a_ssl_stream->stSSLCert->SSLSubKeyLen = i2d_PublicKey(pkey, NULL); - if(a_ssl_stream->stSSLCert->SSLSubKeyLen>0) + certificate->subject_key.len=i2d_PublicKey(pkey, NULL); + if(certificate->subject_key.len>0) { - a_ssl_stream->stSSLCert->SSLSubKey = (unsigned char *)dictator_malloc(thread_seq, a_ssl_stream->stSSLCert->SSLSubKeyLen); - int ret=i2d_PublicKey(pkey, &(a_ssl_stream->stSSLCert->SSLSubKey)); //!!! point will be changed + certificate->subject_key.value=(char *)dictator_malloc(thread_seq, certificate->subject_key.len); + int ret=i2d_PublicKey(pkey, (unsigned char **)&(certificate->subject_key.value)); //!!! point will be changed if(ret>0) { - a_ssl_stream->stSSLCert->SSLSubKey = a_ssl_stream->stSSLCert->SSLSubKey-a_ssl_stream->stSSLCert->SSLSubKeyLen; + certificate->subject_key.value=certificate->subject_key.value-certificate->subject_key.len; } else { - dictator_free(thread_seq, (void *)a_ssl_stream->stSSLCert->SSLSubKey); - a_ssl_stream->stSSLCert->SSLSubKey=NULL; - a_ssl_stream->stSSLCert->SSLSubKeyLen=0; + dictator_free(thread_seq, (void *)certificate->subject_key.value); + certificate->subject_key.value=NULL; + certificate->subject_key.len=0; } } EVP_PKEY_free(pkey); @@ -1164,49 +299,60 @@ UCHAR fn_pGetSSLInfo(char *pcCert, int iLen, ssl_stream *a_ssl_stream, struct /*validity*/ start = X509_get_notBefore(x509_handle); end = X509_get_notAfter(x509_handle); - sprintf(a_ssl_stream->stSSLCert->SSLFrom, "%s", start->data); - sprintf(a_ssl_stream->stSSLCert->SSLTo, "%s", end->data); + sprintf(certificate->validity.before, "%s", start->data); + sprintf(certificate->validity.after, "%s", end->data); /*subject bak*/ - subjectAltNames = (GENERAL_NAMES*)X509_get_ext_d2i(x509_handle, NID_subject_alt_name, NULL, NULL); - if(!subjectAltNames) goto cert_return; - cnt = sk_GENERAL_NAME_num(subjectAltNames); - if(cnt>0) - { - a_ssl_stream->stSSLCert->SSLSubAltName = (st_san_t*)dictator_malloc(thread_seq, sizeof(st_san_t)); - a_ssl_stream->stSSLCert->SSLSubAltName->san_array = (san_t*)dictator_malloc(thread_seq, cnt*sizeof(san_t)); - memset(a_ssl_stream->stSSLCert->SSLSubAltName->san_array,0,cnt*sizeof(san_t)); - a_ssl_stream->stSSLCert->SSLSubAltName->count = 0; - for (i = 0; i < cnt; i++) + subjectAltNames=(GENERAL_NAMES*)X509_get_ext_d2i(x509_handle, NID_subject_alt_name, NULL, NULL); + if(!subjectAltNames) + { + goto cert_return; + } + + san_count=sk_GENERAL_NAME_num(subjectAltNames); + if(san_count>0) + { + certificate->subject_alter.num=0; + certificate->subject_alter.name=(char (*)[MAX_ALTER_NAME_LEN])dictator_malloc(thread_seq, san_count * sizeof(char[MAX_ALTER_NAME_LEN])); + + for (int i=0; itype) { san_name = (ASN1_STRING*)GENERAL_NAME_get0_value(generalName, NULL); if(ASN1_STRING_length(san_name)>0) { - san = (char*)ASN1_STRING_get0_data(san_name); - snprintf(a_ssl_stream->stSSLCert->SSLSubAltName->san_array[a_ssl_stream->stSSLCert->SSLSubAltName->count].san, - sizeof(a_ssl_stream->stSSLCert->SSLSubAltName->san_array[a_ssl_stream->stSSLCert->SSLSubAltName->count].san), - "%s", - san); - a_ssl_stream->stSSLCert->SSLSubAltName->count++; + char *san=(char*)ASN1_STRING_get0_data(san_name); + int length=MIN(strlen(san), sizeof(certificate->subject_alter.name[certificate->subject_alter.num])-1); + memcpy(certificate->subject_alter.name[certificate->subject_alter.num], san, length); + certificate->subject_alter.name[certificate->subject_alter.num][length]='\0'; + certificate->subject_alter.num++; } } } } + if(subjectAltNames) { GENERAL_NAMES_free(subjectAltNames); } + //https://www.openssl.org/docs/man1.1.1/man3/X509_ALGOR_get0.html + X509_ALGOR_get0(&salg, NULL, NULL, X509_get0_tbs_sigalg(x509_handle)); + OBJ_obj2txt(certificate->algorithm_identifier.value, sizeof(certificate->algorithm_identifier.value), salg, 1); + certificate->algorithm_identifier.len=strlen((const char *)certificate->algorithm_identifier.value); cert_return: if (x509_handle != NULL) { X509_free(x509_handle); } - return SSL_RETURN_NORM; -} + return state; +} diff --git a/src/SSL_Certificate.h b/src/SSL_Certificate.h index 76798db..cb0b992 100644 --- a/src/SSL_Certificate.h +++ b/src/SSL_Certificate.h @@ -1,37 +1,7 @@ -/* - * SSL_Certificate.h - * - * Created on: 2013-5-8 - * Author: lis - */ - -#ifndef SSL_CERTIFICATE_H_ -#define SSL_CERTIFICATE_H_ - +#pragma once #define CERT_TYPE_MAXNUM 16 - //#define SCT_OID 1.3.6.1.4.1.11129.2.4.2 #define SCT_OID 1 - -#ifdef __cplusplus -extern "C" { -#endif - -char *fn_pcGetElemType(unsigned char *pucId, int iIdLen, stSerialString_t *pastElemTypes); - -UCHAR fn_pGetSSLInfo(char *pcCert, int iLen, ssl_stream *a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet); - -UCHAR ssl_AnalyseCertificate(char *pcSslCertificateData, int iDataLen, ssl_stream *a_ssl_stream, struct streaminfo* a_tcp, - unsigned long long region_flag, int thread_seq, void* a_packet); -UCHAR ssl_Certificate(char *pcSslCertificateData, int iDataLen, ssl_stream *a_ssl_stream, struct streaminfo* a_tcp, - unsigned long long region_flag, int thread_seq, void* a_packet); - - -#ifdef __cplusplus -} -#endif - -#endif /* SSL_CERTIFICATE_H_ */ +int x509_parse_certificate_detail(struct ssl_certificate *certificate, char *cert_payload, int cert_payload_len, int thread_seq); diff --git a/src/SSL_Common.c b/src/SSL_Common.c deleted file mode 100644 index 0d9aea8..0000000 --- a/src/SSL_Common.c +++ /dev/null @@ -1,60 +0,0 @@ -/* - * SSL_Common.c - - * - * Created on: 2013-5-8 - * Author: lis - */ - -#include -#include -#include -#include "SSL_Common.h" - -int get_so_path(void* func_addr,char* path,unsigned int size) - - { - - Dl_info av_dl_info; - - dladdr(func_addr,&av_dl_info); - - unsigned int i=0,last_slash_pos=0; - - for(i=0;i -#include -#include - -#ifdef __cplusplus -extern "C" { -#endif -int get_so_path(void* func_addr,char* path,unsigned int size); - -#ifdef __cplusplus -} -#endif -#endif /* SSL_COMMON_H_ */ diff --git a/src/SSL_Message.c b/src/SSL_Message.c index 77969a8..0ad84ff 100644 --- a/src/SSL_Message.c +++ b/src/SSL_Message.c @@ -1,27 +1,184 @@ +#include +#include +#include #include "SSL_Analyze.h" #include "ssl.h" #include "SSL_Message.h" #include "SSL_Proc.h" -#include "SSL_Common.h" #include "SSL_Certificate.h" -extern ssl_prog_runtime_parameter_t g_ssl_prog_para; -extern stSerialString_t g_astCipherSuit; -const stSerialString_t g_astCompression[] = +#define SUITE_VALUELEN 2 +#define KEY_EXCHANGELEN_LEN 4 +#define RECORD_DIGESTLEN_LEN 2 +#define ESNILEN_LEN 2 +#define SERVER_HELLO_HDRLEN 4 +#define SESSION_TICKET_HDRLEN 4 + +#define MAX_EXT_DATA_LEN 256 +#define ALPN_EXT_TYPE 0x0010 +#define SERVER_NAME_EXT_TYPE 0x0000 +#define SERVER_NAME_HOST_TYPE 0x0000 +#define SERVER_NAME_OTHER_TYPE 0x0008 +#define SESSION_TICKET_EXT_TYPE 0x0023 +#define ENCRPTED_SERVER_NAME_EXT_TYPE 0xFFCE +#define ENCRPTED_CLIENT_HELLO_EXT_TYPE 0xFE0D + +#define CERTIFICATE_HDRLEN 7 +#define SSL_CERTIFICATE_HDRLEN 3 + +extern int ja3_md5sum(const char *str, int len, char *buf, int size); +extern struct ssl_serial_string g_astCipherSuit; + +const struct ssl_serial_string g_astCompression[] = { {{0}, NULL}, }; -const char *ssl_get_suite(st_suites_t *ciphersuites) +const struct ssl_value2string ssl_version_list[] = +{ + { DTLSV1_0_VERSION, "DTLS1.0" }, + { DTLSV1_0_VERSION_NOT, "DTLS1.0(OpenSSL pre 0.9.8f)" }, + { TLSV1_2_VERSION, "TLS1.2" }, + { TLSV1_1_VERSION, "TLS1.1" }, + { TLSV1_0_VERSION, "TLS1.0" }, + { SSLV3_VERSION, "SSL3.0" }, + { SSLV2_VERSION, "SSL2.0" }, + { UNKNOWN_VERSION, NULL } +}; + +const char *ssl_get_suite(struct ssl_l2v *ciphersuites) { if (ciphersuites == NULL) return NULL; - return fn_pcGetSuite((unsigned char *)ciphersuites->suites_value, ciphersuites->suites_len, (stSerialString_t *)&g_astCipherSuit); + return fn_pcGetSuite((unsigned char *)ciphersuites->value, ciphersuites->len, (struct ssl_serial_string *)&g_astCipherSuit); +} + + +int ssl_parse_lv1(struct ssl_l1v *lv1, unsigned char *payload, int payload_len) +{ + lv1->len=(unsigned char)BtoL1BytesNum((const char *)payload); + int offset=(int)sizeof(lv1->len); + if((payload_len-offset-lv1->len)<0) + { + return -1; + } + + if(lv1->len>0) + { + lv1->value=payload+offset; + offset+=lv1->len; + } + + return offset; +} + +int ssl_parse_lv2(struct ssl_l2v *lv2, unsigned char *payload, int payload_len) +{ + lv2->len=(unsigned short)BtoL2BytesNum((const char *)payload); + int offset=sizeof(lv2->len); + if((payload_len-offset-(lv2->len))<0) + { + return -1; + } + + if(lv2->len>0) + { + lv2->value=payload+offset; + offset+=lv2->len; + } + + return offset; +} + +int ssl_parse_ltv2(struct ssl_l2tv *ltv2, unsigned char *payload, int payload_len) +{ + ltv2->type=(unsigned short)BtoL2BytesNum((const char *)(payload)); + int offset=(int)sizeof(ltv2->type); + if((payload_len-offset)<0) + { + return -1; + } + + ltv2->len=(unsigned short)BtoL2BytesNum((const char *)(payload+offset)); + offset+=(int)sizeof(ltv2->len); + if((payload_len-offset-ltv2->len)<0) + { + return -1; + } + + if(ltv2->len>0) + { + ltv2->value=payload+offset; + offset+=ltv2->len; + } + + return offset; +} + +void ssl_trunk_free(struct ssl_runtime_context *ssl_context, int thread_seq) +{ + if(ssl_context!=NULL) + { + if(ssl_context->record.cache_buff!=NULL) + { + dictator_free(thread_seq, ssl_context->record.cache_buff); + ssl_context->record.cache_buff=NULL; + } + + ssl_context->record.cache_len=0; + } +} + +int ssl_trunk_cache(struct ssl_runtime_context *ssl_context, char *payload, int payload_len, int thread_seq) +{ + if(ssl_context->record.cache_buff==NULL) + { + ssl_context->record.cache_buff=(char *)dictator_malloc(thread_seq, g_ssl_runtime_para.max_cache_len); + } + + ssl_context->record.cache_len=0; + int length=MIN(payload_len, g_ssl_runtime_para.max_cache_len); + memcpy(ssl_context->record.cache_buff+ssl_context->record.cache_len, payload, length); + ssl_context->record.cache_len+=length; + + return 0; +} + +int ssl_get_alpn_list(struct ssl_l2tv *extension_alpn, struct ssl_alpn_list* alpn_list, int alpn_size) +{ + if(extension_alpn==NULL || (extension_alpn->value==NULL) || (extension_alpn->len==0) || (extension_alpn->type!=ALPN_EXT_TYPE)) + { + return 0; + } + + int alpn_proto_num = 0; + unsigned char* alpl=extension_alpn->value; + int alpn_ext_len=BtoL2BytesNum((char *)alpl); + if(alpn_ext_len<=0 || alpn_ext_len>extension_alpn->len) + { + return 0; + } + + alpl+=2; + while(alpn_ext_len>0 && alpn_proto_numlen; + unsigned char *cur_data=extension->value; + + p_server_name.list_len-=sizeof(p_server_name.list_len); + cur_data+=sizeof(p_server_name.list_len); + + /*3=sizeof(p_server_name.server_name_type)+sizeof(p_server_name.server_name_len)*/ + while(p_server_name.list_len>3) + { + p_server_name.type = BtoL1BytesNum((const char *)cur_data); + p_server_name.len = BtoL2BytesNum((const char *)(cur_data+1)); + p_server_name.list_len -= 3; + cur_data += 3; + /*have data*/ + if(((p_server_name.type == SERVER_NAME_HOST_TYPE)) && p_server_name.len>0&& p_server_name.list_len>=p_server_name.len) + { + p_server_name.data = cur_data; + + int length=MIN(sizeof(chello->server_name)-1, p_server_name.len); + memcpy(chello->server_name, p_server_name.data, length); + chello->server_name[length]='\0'; + break; + } + p_server_name.list_len-=p_server_name.len; + cur_data+=p_server_name.len; + } + + return 0; +} + +int ssl_parse_encrypt_server_name(struct ssl_client_hello *chello, struct ssl_l2tv *extension) { - switch (ucMsgType) - { - // case HELLO_REQUEST: - case CLIENT_HELLO: - case SERVER_HELLO: - case CERTIFICATE: - case NEW_SESSION_TICKET: - // case SERVER_KEY_EXCHANGE: - // case CERTIFICATE_REQUEST: - // case SERVER_HELLO_DONE: - // case CERTIFICATE_VERIFY: - // case CLIENT_KEY_EXCHANGE: - // case FINISHED: - return 1; - break; - default: + int offset=0,one_l2v=0; + unsigned char* cur_data=extension->value; + int extension_len=extension->len; + + if(extension_len-offset>SUITE_VALUELEN) + { + chello->esni.suite.value=cur_data+offset; + chello->esni.suite.len=SUITE_VALUELEN; + offset+=SUITE_VALUELEN; + } + + if((extension_len-offset)>=(int)sizeof(chello->esni.key_exchange_group)) + { + chello->esni.key_exchange_group=(unsigned short)BtoL2BytesNum((const char *)(cur_data+offset)); + offset+=sizeof(chello->esni.key_exchange_group); + } + else + { return 0; - break; } + + one_l2v=ssl_parse_lv2(&(chello->esni.key_exchange), cur_data+offset, extension_len-offset); + if(one_l2v==-1) + { + return 0; + } + + offset+=one_l2v; + + one_l2v=ssl_parse_lv2(&(chello->esni.record_digest), cur_data+offset, extension_len-offset); + if(one_l2v==-1) + { + return 0; + } + offset+=one_l2v; + + one_l2v=ssl_parse_lv2(&(chello->esni.esni), cur_data+offset, extension_len-offset); + if(one_l2v==-1) + { + return 0; + } + offset+=one_l2v; + + chello->esni.is_esni=1; + + return 1; } -/* -Function: analyse ssl hand shake msgs -Note: if one msg is trunked, just wait -return : SSL_RETURN_UNNORM : error ; SSL_RETURN_DROPME/KILLME; business return_value -*/ -UCHAR ssl_analyseHandShake(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseLen, int *res, ssl_stream *a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet) +UCHAR ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *payload, int payload_len) { - /**variable define and initialise**/ - int iSslDataLen = 0; - char *pcCurSslData=NULL; - int iUnAnalyseLen; - int iUnAnaCertLen; - int iUnAnaHelloLen; - UCHAR return_val; - stHandShakeTypeHdr_t *pstHandShakeTypeHdr = NULL; - - iSslDataLen = iAllMsgLen < iSslUnAnalyseLen ? iAllMsgLen : iSslUnAnalyseLen; - iUnAnalyseLen = iAllMsgLen < iSslUnAnalyseLen ? iAllMsgLen : iSslUnAnalyseLen; - - while (iUnAnalyseLen > 0) - { - - // 20150324 - pstHandShakeTypeHdr = (stHandShakeTypeHdr_t *)pcSslData; - pcCurSslData = pcSslData; - /**analyse certification**/ - if (CERTIFICATE == pstHandShakeTypeHdr->ucContType) - { - if (iUnAnalyseLen < CERTIFICATE_HDRLEN) - { - /**packet trunked**/ - break; - } + int offset=0,one_ltv=0; + chello->total_len=BtoL3BytesNum((const char *)(payload+1)); + if(chello->total_len<0 || (chello->total_len+CLIENT_HELLO_HDRLEN > payload_len) || (chello->total_len-(int)sizeof(chello->version)<0)) /*CLIENT_HELLO_HDRLEN: 4 means client_type+len*/ + { + return SSL_RETURN_DROPME; + } - if (a_ssl_stream->stSSLCert == NULL) - { - a_ssl_stream->stSSLCert = (st_cert_t *)dictator_malloc(thread_seq, sizeof(st_cert_t)); - // memset(a_ssl_stream->stSSLCert, 0, sizeof(a_ssl_stream->stSSLCert)); - } - memset(a_ssl_stream->stSSLCert, 0, sizeof(st_cert_t)); - a_ssl_stream->stSSLCert->totallen = BtoL3BytesNum((char *)(pcCurSslData + 4)); - if (a_ssl_stream->stSSLCert->totallen < 0) - return SSL_RETURN_DROPME; + chello->version=ssl_get_hello_version((unsigned char *)payload, payload_len); + if(chello->version==0) + { + return SSL_RETURN_DROPME; + } - /*7 means cert_type+len*/ - if (a_ssl_stream->stSSLCert->totallen + 7 > iUnAnalyseLen) - { - /**packet trunked**/ - break; - } + offset+=(CLIENT_HELLO_HDRLEN+sizeof(chello->version)); - /*2 means version*/ - pcCurSslData += CERTIFICATE_HDRLEN; - iUnAnaCertLen = iUnAnalyseLen - CERTIFICATE_HDRLEN; + /*get client hello random*/ + chello->random.gmt_time=(unsigned int)BtoL4BytesNum((const char *)(payload+offset)); + offset+=sizeof(chello->random.gmt_time); + + if(payload_len-offset-SSL_RANDOM_SIZE<=0) + { + return SSL_RETURN_DROPME; + } + + chello->random.bytes.len=SSL_RANDOM_SIZE; + chello->random.bytes.value=payload+offset; + offset+=SSL_RANDOM_SIZE; - if (g_ssl_prog_para.ssl_interested_region_flag & SSL_CERTIFICATE) - { - a_ssl_stream->p_output_buffer->p_data = pcCurSslData; - a_ssl_stream->p_output_buffer->data_size = iUnAnaCertLen; - a_ssl_stream->output_region_mask = SSL_CERTIFICATE_MASK; - return_val = ssl_doWithCertificate(&a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); - a_ssl_stream->p_output_buffer->p_data = NULL; - a_ssl_stream->p_output_buffer->data_size = 0; - if (SSL_RETURN_NORM != return_val) - return return_val; - } - if (g_ssl_prog_para.ssl_interested_region_flag & SSL_CERTIFICATE_DETAIL) - { - return_val = ssl_AnalyseCertificate(pcCurSslData, iUnAnaCertLen, a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); - if (SSL_RETURN_NORM != return_val) - return return_val; - } - iUnAnalyseLen -= (a_ssl_stream->stSSLCert->totallen + 7); - pcSslData += (a_ssl_stream->stSSLCert->totallen + 7); + /*get client hello session*/ + one_ltv=ssl_parse_lv1(&(chello->session), payload+offset, payload_len-offset); + if(one_ltv==-1) + { + return SSL_RETURN_DROPME; + } + offset+=one_ltv; + + /*get client hello suites*/ + one_ltv=ssl_parse_lv2(&chello->ciphersuites, payload+offset, payload_len-offset); + if(one_ltv==-1) + { + return SSL_RETURN_DROPME; + } + offset+=one_ltv; + + /*get client hello compress*/ + one_ltv=ssl_parse_lv1(&(chello->compress_method), payload+offset, payload_len-offset); + if(one_ltv==-1) + { + return SSL_RETURN_DROPME; + } + offset+=one_ltv; + + /*get extension*/ + chello->extensions.len=(unsigned short)BtoL2BytesNum((const char *)(payload+offset)); + offset+=sizeof(chello->extensions.len); + + for(int i=0; payload_len-offset >= 4 && i < MAX_EXTENSION_NUM; i++) // min len of ext is 4 byte + { + one_ltv=ssl_parse_ltv2(&(chello->extensions.extension[i]), payload+offset, payload_len-offset); + if(one_ltv==-1) + { + return SSL_RETURN_DROPME; } - /**analyse client_hello**/ - else if (CLIENT_HELLO == pstHandShakeTypeHdr->ucContType) + offset+=one_ltv; + chello->extensions.num++; + + switch(chello->extensions.extension[i].type) { - if (iUnAnalyseLen < CLIENT_HELLO_HDRLEN) - { + case SERVER_NAME_EXT_TYPE: + ssl_parse_server_name(chello, &(chello->extensions.extension[i])); break; - } - if (a_ssl_stream->stClientHello == NULL) - { - a_ssl_stream->stClientHello = (st_client_hello_t *)dictator_malloc(thread_seq, sizeof(st_client_hello_t)); - memset(a_ssl_stream->stClientHello, 0, sizeof(st_client_hello_t)); - ssl_initStructClientHello(a_ssl_stream->stClientHello); - } + case SESSION_TICKET_EXT_TYPE: + chello->session_ticket=&(chello->extensions.extension[i]); + break; + case ENCRPTED_SERVER_NAME_EXT_TYPE: + ssl_parse_encrypt_server_name(chello, &(chello->extensions.extension[i])); + break; + case ENCRPTED_CLIENT_HELLO_EXT_TYPE: + chello->encrypt_chello=&(chello->extensions.extension[i]); + break; + case ALPN_EXT_TYPE: + chello->alpn=&(chello->extensions.extension[i]); + break; + default: + break; + } + } - a_ssl_stream->stClientHello->totallen = BtoL3BytesNum((char *)(pcCurSslData + 1)); - if (a_ssl_stream->stClientHello->totallen < 0) - return SSL_RETURN_DROPME; + return SSL_RETURN_NORM; +} - /*4 means client_type+len*/ - if (a_ssl_stream->stClientHello->totallen + CLIENT_HELLO_HDRLEN > iUnAnalyseLen) - { - /**packet trunked**/ - break; - } - if (0 == (a_ssl_stream->stClientHello->client_ver = ssl_getHelloVersion((unsigned char *)pcCurSslData, iUnAnalyseLen))) - { - return SSL_RETURN_DROPME; - } +UCHAR ssl_parse_server_hello(struct ssl_server_hello *shello, unsigned char *payload, int payload_len) +{ + int offset=0,one_ltv=0; + int ja3s_string_offset=0; + char ja3s_string[1024]={0}; + shello->total_len = BtoL3BytesNum((const char *)(payload+1)); + if(shello->total_len<0 || (shello->total_len+SERVER_HELLO_HDRLEN > payload_len-offset)) + { + return SSL_RETURN_DROPME; + } - iUnAnaHelloLen = a_ssl_stream->stClientHello->totallen - sizeof(a_ssl_stream->stClientHello->client_ver); - if (iUnAnaHelloLen < 0) - { - return SSL_RETURN_DROPME; - } - pcCurSslData += CLIENT_HELLO_HDRLEN + sizeof(a_ssl_stream->stClientHello->client_ver); + shello->version=ssl_get_hello_version((unsigned char *)payload, payload_len-offset); + if(shello->version==0) + { + return SSL_RETURN_DROPME; + } + + ja3s_string_offset+=snprintf(ja3s_string+ja3s_string_offset, sizeof(ja3s_string)-ja3s_string_offset, "%u,", shello->version); - /*get client hello random*/ - a_ssl_stream->stClientHello->random.gmt_time = (unsigned int)BtoL4BytesNum(pcCurSslData); - pcCurSslData += sizeof(a_ssl_stream->stClientHello->random.gmt_time); - iUnAnaHelloLen -= sizeof(a_ssl_stream->stClientHello->random.gmt_time); - if (iUnAnaHelloLen < 0) - { - return SSL_RETURN_DROPME; - } - memcpy(a_ssl_stream->stClientHello->random.random_bytes, pcCurSslData, sizeof(a_ssl_stream->stClientHello->random.random_bytes)); - pcCurSslData += sizeof(a_ssl_stream->stClientHello->random.random_bytes); - iUnAnaHelloLen -= sizeof(a_ssl_stream->stClientHello->random.random_bytes); - if (iUnAnaHelloLen < 0) - { - return SSL_RETURN_DROPME; - } + offset+=(sizeof(shello->version)+SERVER_HELLO_HDRLEN); - /*get client hello session*/ - a_ssl_stream->stClientHello->session.session_len = (unsigned char)BtoL1BytesNum(pcCurSslData); - pcCurSslData += sizeof(a_ssl_stream->stClientHello->session.session_len); - iUnAnaHelloLen -= sizeof(a_ssl_stream->stClientHello->session.session_len); - if (iUnAnaHelloLen < 0) - { - return SSL_RETURN_DROPME; - } - if (a_ssl_stream->stClientHello->session.session_len > iUnAnaHelloLen) - { - return SSL_RETURN_DROPME; - } - if (a_ssl_stream->stClientHello->session.session_len != 0) - { - a_ssl_stream->stClientHello->session.session_value = (unsigned char *)dictator_malloc(thread_seq, a_ssl_stream->stClientHello->session.session_len); - memcpy(a_ssl_stream->stClientHello->session.session_value, pcCurSslData, a_ssl_stream->stClientHello->session.session_len); - pcCurSslData += a_ssl_stream->stClientHello->session.session_len; - iUnAnaHelloLen -= a_ssl_stream->stClientHello->session.session_len; - if (iUnAnaHelloLen < 0) + /*get client hello random*/ + shello->random.gmt_time=(unsigned int)BtoL4BytesNum((const char *)(payload+offset)); + offset+=sizeof(shello->random.gmt_time); + + if(payload_len-offset-SSL_RANDOM_SIZE<=0) + { + return SSL_RETURN_DROPME; + } + + shello->random.bytes.len=SSL_RANDOM_SIZE; + shello->random.bytes.value=payload+offset; + offset+=SSL_RANDOM_SIZE; + + /*get client hello session*/ + one_ltv=ssl_parse_lv1(&(shello->session), payload+offset, payload_len-offset); + if(one_ltv==-1) + { + return SSL_RETURN_DROPME; + } + offset+=one_ltv; + + /*get client hello suites*/ + shello->ciphersuites.len=2; + shello->ciphersuites.value=payload+offset; + offset+=2; + + ja3s_string_offset+=snprintf(ja3s_string+ja3s_string_offset, sizeof(ja3s_string)-ja3s_string_offset, "%u,", ntohs(*(unsigned short *)(shello->ciphersuites.value))); + + /*get client hello compress*/ + shello->compress_method.len=1; + shello->compress_method.value=payload+offset; + offset+=1; + + /*get extension*/ + shello->extensions.len=(unsigned short)BtoL2BytesNum((const char *)(payload+offset)); + offset+=sizeof(shello->extensions.len); + + // shello->total_len not contains handshake header + for(int i=0; (shello->total_len-offset+SERVER_HELLO_HDRLEN) >=4 && i < MAX_EXTENSION_NUM; i++) // min len of ext is 4 byte + { + one_ltv=ssl_parse_ltv2(&(shello->extensions.extension[i]), payload+offset, payload_len-offset); + if(one_ltv==-1) + { + return SSL_RETURN_DROPME; + } + offset+=one_ltv; + shello->extensions.num++; + + ja3s_string_offset+=snprintf(ja3s_string+ja3s_string_offset, sizeof(ja3s_string)-ja3s_string_offset, "%u-", shello->extensions.extension[i].type); + } + + ja3s_string_offset--; + if(ja3s_string_offset==0) + { + return SSL_RETURN_DROPME; + } + + ja3s_string[ja3s_string_offset]='\0'; + shello->ja3s.fingerprint_md5_len=ja3_md5sum(ja3s_string, ja3s_string_offset, shello->ja3s.fingerprint_md5, sizeof(shello->ja3s.fingerprint_md5)); + shello->ja3s.fingerprint_md5[shello->ja3s.fingerprint_md5_len]='\0'; + + return 1; +} + +UCHAR ssl_parse_new_session_ticket(struct ssl_new_session_ticket *new_session_ticket, char *payload, int payload_len) +{ + int offset=0; + new_session_ticket->total_len=BtoL3BytesNum((const char *)(payload+1)); + if(new_session_ticket->total_len<0) + { + return SSL_RETURN_DROPME; + } + + /*4 means _type+len*/ + if(new_session_ticket->total_len+SESSION_TICKET_HDRLEN > payload_len-offset) + { + /**packet trunked**/ + return SSL_RETURN_NORM; + } + offset+=SESSION_TICKET_HDRLEN; + new_session_ticket->lift_time=BtoL4BytesNum((const char *)(payload+offset)); + offset+=sizeof(new_session_ticket->lift_time); + new_session_ticket->ticket_len=BtoL2BytesNum((const char *)(payload+offset)); + + new_session_ticket->ticket=(unsigned char *)(payload+offset); + + return SSL_RETURN_NORM; +} + +int ssl_parse_certificate_detail(const struct streaminfo *a_tcp, struct ssl_runtime_context *ssl_context, char *payload, int payload_len, int thread_seq, const void *a_packet) +{ + if(!(g_ssl_runtime_para.ssl_interested_region_flag&SSL_CERTIFICATE_DETAIL)) + { + ssl_context->stream.certificate=NULL; + return SSL_TRUE; + } + + int certificate_num=0; + struct ssl_certificate_chain cert_unit[CERT_MAXNUM]; + int certificate_count=ssl_read_all_cert(payload, payload_len, cert_unit, CERT_MAXNUM); + + for(int i=0;istream.certificate, cert_unit[i].cert, cert_unit[i].cert_len, thread_seq); + if(state==SSL_FLASE) + { + return SSL_FLASE; + } + + ssl_context->stream.certificate->cert_len = cert_unit[i].cert_len; + + switch(certificate_num) + { + case 0: + ssl_context->stream.certificate->cert_type=CERT_TYPE_INDIVIDUAL; + break; + case 1: + if(certificate_count==2) { - return SSL_RETURN_DROPME; + ssl_context->stream.certificate->cert_type=CERT_TYPE_ROOT; } - } - - /*get client hello suites*/ - a_ssl_stream->stClientHello->ciphersuites.suites_len = (unsigned short)BtoL2BytesNum(pcCurSslData); - pcCurSslData += sizeof(a_ssl_stream->stClientHello->ciphersuites.suites_len); - iUnAnaHelloLen -= sizeof(a_ssl_stream->stClientHello->ciphersuites.suites_len); - if (iUnAnaHelloLen < 0) - { - return SSL_RETURN_DROPME; - } - if (a_ssl_stream->stClientHello->ciphersuites.suites_len > iUnAnaHelloLen) - { - return SSL_RETURN_DROPME; - } - if (a_ssl_stream->stClientHello->ciphersuites.suites_len != 0) - { - a_ssl_stream->stClientHello->ciphersuites.suites_value = (unsigned char *)dictator_malloc(thread_seq, a_ssl_stream->stClientHello->ciphersuites.suites_len); - memcpy(a_ssl_stream->stClientHello->ciphersuites.suites_value, pcCurSslData, a_ssl_stream->stClientHello->ciphersuites.suites_len); - pcCurSslData += a_ssl_stream->stClientHello->ciphersuites.suites_len; - iUnAnaHelloLen -= a_ssl_stream->stClientHello->ciphersuites.suites_len; - if (iUnAnaHelloLen < 0) + else { - return SSL_RETURN_DROPME; + ssl_context->stream.certificate->cert_type=CERT_TYPE_MIDDLE; } - } - - /*get client hello compress*/ - a_ssl_stream->stClientHello->com_method.methlen = (unsigned short)BtoL1BytesNum(pcCurSslData); - pcCurSslData += sizeof(a_ssl_stream->stClientHello->com_method.methlen); - iUnAnaHelloLen -= sizeof(a_ssl_stream->stClientHello->com_method.methlen); - if (iUnAnaHelloLen < 0) - { - return SSL_RETURN_DROPME; - } - if (a_ssl_stream->stClientHello->com_method.methlen > iUnAnaHelloLen) - { - return SSL_RETURN_DROPME; - } - if (a_ssl_stream->stClientHello->com_method.methlen != 0) - { - a_ssl_stream->stClientHello->com_method.methods = (unsigned char *)dictator_malloc(thread_seq, a_ssl_stream->stClientHello->com_method.methlen); - memcpy(a_ssl_stream->stClientHello->com_method.methods, pcCurSslData, a_ssl_stream->stClientHello->com_method.methlen); - pcCurSslData += a_ssl_stream->stClientHello->com_method.methlen; - iUnAnaHelloLen -= a_ssl_stream->stClientHello->com_method.methlen; - if (iUnAnaHelloLen < 0) + break; + case 2: + if(certificate_count==3) { - return SSL_RETURN_DROPME; + ssl_context->stream.certificate->cert_type=CERT_TYPE_ROOT; } - } - - /*get extension*/ - a_ssl_stream->stClientHello->extlen = (unsigned short)BtoL2BytesNum(pcCurSslData); - pcCurSslData += sizeof(a_ssl_stream->stClientHello->extlen); - - int i = 0; - for (i = 0; iUnAnaHelloLen >= 4 && i < MAX_EXTENSION_NUM; i++) // min len of ext is 4 byte - { - - a_ssl_stream->stClientHello->exts[i].type = (unsigned short)BtoL2BytesNum(pcCurSslData); - pcCurSslData += sizeof(a_ssl_stream->stClientHello->exts[i].type); - iUnAnaHelloLen -= sizeof(a_ssl_stream->stClientHello->exts[i].type); - if (iUnAnaHelloLen < 0) + else { - return SSL_RETURN_DROPME; + ssl_context->stream.certificate->cert_type=CERT_TYPE_CHAIN; } - - a_ssl_stream->stClientHello->exts[i].len = (unsigned short)BtoL2BytesNum(pcCurSslData); - pcCurSslData += sizeof(a_ssl_stream->stClientHello->exts[i].len); - iUnAnaHelloLen -= sizeof(a_ssl_stream->stClientHello->exts[i].len); - if (iUnAnaHelloLen < 0 || a_ssl_stream->stClientHello->exts[i].len > iUnAnaHelloLen) + break; + default: + if(certificate_num==certificate_count-1) { - return SSL_RETURN_DROPME; + ssl_context->stream.certificate->cert_type=CERT_TYPE_ROOT; } - a_ssl_stream->stClientHello->exts[i].data = (unsigned char *)dictator_malloc(thread_seq, a_ssl_stream->stClientHello->exts[i].len); - memcpy(a_ssl_stream->stClientHello->exts[i].data, pcCurSslData, a_ssl_stream->stClientHello->exts[i].len); // get ext data - pcCurSslData += a_ssl_stream->stClientHello->exts[i].len; - iUnAnaHelloLen -= a_ssl_stream->stClientHello->exts[i].len; - } - a_ssl_stream->stClientHello->ext_num = i; - // printf("ext_num: %d\n", a_ssl_stream->stClientHello->ext_num); - return_val = ssl_doWithClientHello(&a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); - // 20141121 - for (int j = 0; j < a_ssl_stream->stClientHello->ext_num; j++) - { - if (a_ssl_stream->stClientHello->exts[j].data != NULL) + else { - dictator_free(thread_seq, a_ssl_stream->stClientHello->exts[j].data); - a_ssl_stream->stClientHello->exts[j].data = NULL; + ssl_context->stream.certificate->cert_type=CERT_TYPE_CHAIN; } - } - a_ssl_stream->stClientHello->ext_num = 0; - a_ssl_stream->stClientHello->session_ticket.ticket = NULL; - if (a_ssl_stream->stClientHello->session.session_value != NULL) - { - dictator_free(thread_seq, a_ssl_stream->stClientHello->session.session_value); - a_ssl_stream->stClientHello->session.session_value = NULL; - } - if (a_ssl_stream->stClientHello->ciphersuites.suites_value != NULL) - { - dictator_free(thread_seq, a_ssl_stream->stClientHello->ciphersuites.suites_value); - a_ssl_stream->stClientHello->ciphersuites.suites_value = NULL; - } - if (a_ssl_stream->stClientHello->com_method.methods != NULL) - { - dictator_free(thread_seq, a_ssl_stream->stClientHello->com_method.methods); - a_ssl_stream->stClientHello->com_method.methods = NULL; - } + break; + } + + ssl_call_plugins(a_tcp, ssl_context, (char *)(ssl_context->stream.certificate), sizeof(struct ssl_certificate), SSL_CERTIFICATE_DETAIL_MASK, thread_seq, a_packet); + certificate_num++; - if (SSL_RETURN_NORM != return_val) - return return_val; - iUnAnalyseLen -= (a_ssl_stream->stClientHello->totallen + CLIENT_HELLO_HDRLEN); - pcSslData += (a_ssl_stream->stClientHello->totallen + CLIENT_HELLO_HDRLEN); + ssl_context->stream.certificate->subject_alter.num=0; + if(ssl_context->stream.certificate->subject_alter.name!=NULL) + { + dictator_free(thread_seq, ssl_context->stream.certificate->subject_alter.name); + ssl_context->stream.certificate->subject_alter.name=NULL; } - /**analyse server_hello**/ - else if (SERVER_HELLO == pstHandShakeTypeHdr->ucContType) + ssl_context->stream.certificate->subject_key.len=0; + if(ssl_context->stream.certificate->subject_key.value!=NULL) { - if (iUnAnalyseLen < SERVER_HELLO_HDRLEN) - { - break; - } - if (a_ssl_stream->stServerHello == NULL) - { - a_ssl_stream->stServerHello = (st_server_hello_t *)dictator_malloc(thread_seq, sizeof(st_server_hello_t)); - memset(a_ssl_stream->stServerHello, 0, sizeof(st_server_hello_t)); - ssl_initStructServerHello(a_ssl_stream->stServerHello); - } - a_ssl_stream->stServerHello->totallen = BtoL3BytesNum((char *)(pcCurSslData + 1)); - if (a_ssl_stream->stServerHello->totallen < 0) - return SSL_RETURN_DROPME; + dictator_free(thread_seq, ssl_context->stream.certificate->subject_key.value); + ssl_context->stream.certificate->subject_key.value=NULL; + } + + memset(&(ssl_context->stream.certificate->issuer), 0, sizeof(struct ssl_rdn_sequence)); + memset(&(ssl_context->stream.certificate->subject), 0, sizeof(struct ssl_rdn_sequence)); + + ssl_context->stream.certificate->serial.len=0; + ssl_context->stream.certificate->version.len=0; + ssl_context->stream.certificate->version.value=NULL; + ssl_context->stream.certificate->validity.before[0]='\0'; + ssl_context->stream.certificate->validity.after[0]='\0'; + ssl_context->stream.certificate->signature_algorithm.len=0; + ssl_context->stream.certificate->signature_algorithm.value[0]='\0'; + } + + return SSL_TRUE; +} - /*4 means client_type+len*/ - if (a_ssl_stream->stServerHello->totallen + SERVER_HELLO_HDRLEN > iUnAnalyseLen) - { - /**packet trunked**/ - break; - } - if (0 == (a_ssl_stream->stServerHello->server_ver = ssl_getHelloVersion((unsigned char *)pcCurSslData, iUnAnalyseLen))) - { - return SSL_RETURN_DROPME; - } +int ssl_parse_certificate(const struct streaminfo *a_tcp, struct ssl_runtime_context *ssl_context, char *payload, int payload_len, int thread_seq, const void *a_packet) +{ + int offset=0; + + ssl_context->stream.certificate->total_len=BtoL3BytesNum((const char *)(payload+4)); + if(ssl_context->stream.certificate->total_len<0) + { + return SSL_FLASE; + } - iUnAnaHelloLen = a_ssl_stream->stServerHello->totallen - sizeof(a_ssl_stream->stServerHello->server_ver); - if (iUnAnaHelloLen < 0) - { - return SSL_RETURN_DROPME; - } + /*7 means cert_type+len*/ + if(ssl_context->stream.certificate->total_len+CERTIFICATE_HDRLEN>payload_len) + { + /**packet trunked**/ + return SSL_TRUE; + } - pcCurSslData += SERVER_HELLO_HDRLEN + sizeof(a_ssl_stream->stServerHello->server_ver); + /*2 means version*/ + offset=CERTIFICATE_HDRLEN; - /*get server hello random*/ - a_ssl_stream->stServerHello->random.gmt_time = (unsigned int)BtoL4BytesNum(pcCurSslData); - pcCurSslData += sizeof(a_ssl_stream->stServerHello->random.gmt_time); - iUnAnaHelloLen -= sizeof(a_ssl_stream->stServerHello->random.gmt_time); - if (iUnAnaHelloLen < 0) - { - return SSL_RETURN_DROPME; - } - memcpy(a_ssl_stream->stServerHello->random.random_bytes, pcCurSslData, sizeof(a_ssl_stream->stServerHello->random.random_bytes)); - pcCurSslData += sizeof(a_ssl_stream->stServerHello->random.random_bytes); - iUnAnaHelloLen -= sizeof(a_ssl_stream->stServerHello->random.random_bytes); - if (iUnAnaHelloLen < 0) - { - return SSL_RETURN_DROPME; - } + if(g_ssl_runtime_para.ssl_interested_region_flag & SSL_CERTIFICATE) + { + ssl_call_plugins(a_tcp, ssl_context, payload+offset, payload_len-offset, SSL_CERTIFICATE_MASK, thread_seq, a_packet); + } - /*get server hello session*/ - a_ssl_stream->stServerHello->session.session_len = (unsigned char)BtoL1BytesNum(pcCurSslData); - pcCurSslData += sizeof(a_ssl_stream->stServerHello->session.session_len); - iUnAnaHelloLen -= sizeof(a_ssl_stream->stServerHello->session.session_len); - if (iUnAnaHelloLen < 0) - { - return SSL_RETURN_DROPME; - } - if (a_ssl_stream->stServerHello->session.session_len > iUnAnaHelloLen) - { - return SSL_RETURN_DROPME; - } - if (a_ssl_stream->stServerHello->session.session_len != 0) - { - a_ssl_stream->stServerHello->session.session_value = (unsigned char *)dictator_malloc(thread_seq, a_ssl_stream->stServerHello->session.session_len); - memcpy(a_ssl_stream->stServerHello->session.session_value, pcCurSslData, a_ssl_stream->stServerHello->session.session_len); - pcCurSslData += a_ssl_stream->stServerHello->session.session_len; - iUnAnaHelloLen -= a_ssl_stream->stServerHello->session.session_len; - if (iUnAnaHelloLen < 0) - { - return SSL_RETURN_DROPME; - } - } + return ssl_parse_certificate_detail(a_tcp, ssl_context, payload+offset, payload_len-offset, thread_seq, a_packet); +} - /*get server hello suites*/ - a_ssl_stream->stServerHello->ciphersuites.suites_len = 2; - a_ssl_stream->stServerHello->ciphersuites.suites_value = (unsigned char *)dictator_malloc(thread_seq, a_ssl_stream->stServerHello->ciphersuites.suites_len); - memcpy(a_ssl_stream->stServerHello->ciphersuites.suites_value, pcCurSslData, a_ssl_stream->stServerHello->ciphersuites.suites_len); - pcCurSslData += a_ssl_stream->stServerHello->ciphersuites.suites_len; - iUnAnaHelloLen -= a_ssl_stream->stServerHello->ciphersuites.suites_len; - if (iUnAnaHelloLen < 0) +int ssl_parse_handshake(const struct streaminfo *a_tcp, struct ssl_runtime_context *ssl_context, char *payload, int payload_len, int thread_seq, const void *a_packet) +{ + int offset=0; + int state=SSL_TRUE; + + while((payload_len-offset) > 0) + { + struct ssl_handshake_type *handshake=(struct ssl_handshake_type *)(payload+offset); + if(CERTIFICATE == handshake->content_type) + { + if(payload_len-offsetstServerHello->com_method.methlen = (unsigned short)BtoL1BytesNum(pcCurSslData); - pcCurSslData += sizeof(a_ssl_stream->stServerHello->com_method.methlen); - iUnAnaHelloLen -= sizeof(a_ssl_stream->stServerHello->com_method.methlen); - if(iUnAnaHelloLen<0) + + struct ssl_certificate certificate={0}; + ssl_context->stream.certificate=&certificate; + state=ssl_parse_certificate(a_tcp, ssl_context, payload+offset, payload_len-offset, thread_seq, a_packet); + if(state==SSL_FLASE) { - return SSL_RETURN_DROPME; + return SSL_FLASE; } - */ - /*20160906 methlenֻռһ���ֽ�*/ - a_ssl_stream->stServerHello->com_method.methlen = 1; - a_ssl_stream->stServerHello->com_method.methods = (unsigned char *)dictator_malloc(thread_seq, a_ssl_stream->stServerHello->com_method.methlen); - memcpy(a_ssl_stream->stServerHello->com_method.methods, pcCurSslData, a_ssl_stream->stServerHello->com_method.methlen); - pcCurSslData += a_ssl_stream->stServerHello->com_method.methlen; - iUnAnaHelloLen -= a_ssl_stream->stServerHello->com_method.methlen; - if (iUnAnaHelloLen < 0) + offset+=(certificate.total_len+CERTIFICATE_HDRLEN); + ssl_context->stream.certificate=NULL; + } + /**analyse client_hello**/ + else if (CLIENT_HELLO == handshake->content_type) + { + if ((payload_len-offset)stServerHello->extlen = (unsigned short)BtoL2BytesNum(pcCurSslData); - pcCurSslData += sizeof(a_ssl_stream->stServerHello->extlen); - int i = 0; - for (i = 0; iUnAnaHelloLen >= 4 && i < MAX_EXTENSION_NUM; i++) // min len of ext is 4 byte + struct ssl_client_hello chello={0}; + ssl_context->stream.chello=&chello; + state=ssl_parse_client_hello(&chello, (unsigned char *)(payload+offset), payload_len-offset); + if(state==SSL_FLASE) { - a_ssl_stream->stServerHello->exts[i].type = (unsigned short)BtoL2BytesNum(pcCurSslData); - pcCurSslData += sizeof(a_ssl_stream->stServerHello->exts[i].type); - iUnAnaHelloLen -= sizeof(a_ssl_stream->stServerHello->exts[i].type); - if (iUnAnaHelloLen < 0) - { - return SSL_RETURN_DROPME; - } - - a_ssl_stream->stServerHello->exts[i].len = (unsigned short)BtoL2BytesNum(pcCurSslData); - pcCurSslData += sizeof(a_ssl_stream->stServerHello->exts[i].len); - iUnAnaHelloLen -= sizeof(a_ssl_stream->stServerHello->exts[i].len); - if (iUnAnaHelloLen < 0 || a_ssl_stream->stServerHello->exts[i].len > iUnAnaHelloLen) - { - return SSL_RETURN_DROPME; - } - a_ssl_stream->stServerHello->exts[i].data = (unsigned char *)dictator_malloc(thread_seq, a_ssl_stream->stServerHello->exts[i].len); - memcpy(a_ssl_stream->stServerHello->exts[i].data, pcCurSslData, a_ssl_stream->stServerHello->exts[i].len); // get ext data - pcCurSslData += a_ssl_stream->stServerHello->exts[i].len; - iUnAnaHelloLen -= a_ssl_stream->stServerHello->exts[i].len; + return SSL_FLASE; } - a_ssl_stream->stServerHello->ext_num = i; - for (int j = 0; j < a_ssl_stream->stServerHello->ext_num; j++) + ssl_call_plugins(a_tcp, ssl_context, (char *)(payload+offset), chello.total_len+CLIENT_HELLO_HDRLEN, SSL_CLIENT_HELLO_MASK, thread_seq, a_packet); + offset+=(chello.total_len+CLIENT_HELLO_HDRLEN); + ssl_context->stream.chello=NULL; + } + /**analyse server_hello**/ + else if (SERVER_HELLO == handshake->content_type) + { + if((payload_len-offset)stServerHello->exts[j].data != NULL) - { - dictator_free(thread_seq, a_ssl_stream->stServerHello->exts[j].data); - a_ssl_stream->stServerHello->exts[j].data = NULL; - } + break; } - a_ssl_stream->stServerHello->ext_num = 0; - return_val = ssl_doWithServerHello(&a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); - // 20141121 - if (a_ssl_stream->stServerHello->session.session_value != NULL) - { - dictator_free(thread_seq, a_ssl_stream->stServerHello->session.session_value); - a_ssl_stream->stServerHello->session.session_value = NULL; - } - if (a_ssl_stream->stServerHello->ciphersuites.suites_value != NULL) - { - dictator_free(thread_seq, a_ssl_stream->stServerHello->ciphersuites.suites_value); - a_ssl_stream->stServerHello->ciphersuites.suites_value = NULL; - } - if (a_ssl_stream->stServerHello->com_method.methods != NULL) + struct ssl_server_hello shello={0}; + ssl_context->stream.shello=&shello; + state=ssl_parse_server_hello(&shello, (unsigned char *)(payload+offset), payload_len-offset); + if(state==SSL_FLASE) { - dictator_free(thread_seq, a_ssl_stream->stServerHello->com_method.methods); - a_ssl_stream->stServerHello->com_method.methods = NULL; + return SSL_FLASE; } - if (SSL_RETURN_NORM != return_val) - return return_val; - iUnAnalyseLen -= (a_ssl_stream->stServerHello->totallen + SERVER_HELLO_HDRLEN); - pcSslData += (a_ssl_stream->stServerHello->totallen + SERVER_HELLO_HDRLEN); + + ssl_call_plugins(a_tcp, ssl_context, (char *)(payload+offset), shello.total_len+SERVER_HELLO_HDRLEN, SSL_SERVER_HELLO_MASK, thread_seq, a_packet); + offset+=(shello.total_len+SERVER_HELLO_HDRLEN); + ssl_context->stream.shello=NULL; } - else if (NEW_SESSION_TICKET == pstHandShakeTypeHdr->ucContType) + else if (NEW_SESSION_TICKET == handshake->content_type) { - if (iUnAnalyseLen < SESSION_TICKET_HDRLEN) + if((payload_len-offset) < SESSION_TICKET_HDRLEN) { break; } - if (a_ssl_stream->stNewSessionTicket == NULL) + struct ssl_new_session_ticket new_session_ticket={0}; + ssl_context->stream.new_session_ticket=&new_session_ticket; + state=ssl_parse_new_session_ticket(&new_session_ticket, (payload+offset), (payload_len-offset)); + if(state==SSL_FLASE) { - a_ssl_stream->stNewSessionTicket = (st_new_session_ticket_t *)dictator_malloc(thread_seq, sizeof(st_new_session_ticket_t)); - memset(a_ssl_stream->stNewSessionTicket, 0, sizeof(st_new_session_ticket_t)); + return SSL_FLASE; } - a_ssl_stream->stNewSessionTicket->totallen = BtoL3BytesNum((char *)(pcCurSslData + 1)); - if (a_ssl_stream->stNewSessionTicket->totallen < 0) - return SSL_RETURN_DROPME; - /*4 means _type+len*/ - if (a_ssl_stream->stNewSessionTicket->totallen + SESSION_TICKET_HDRLEN > iUnAnalyseLen) - { - /**packet trunked**/ - break; - } - pcCurSslData += SESSION_TICKET_HDRLEN; - a_ssl_stream->stNewSessionTicket->lifttime = BtoL4BytesNum((char *)(pcCurSslData)); - a_ssl_stream->stNewSessionTicket->ticket_len = BtoL2BytesNum((char *)(pcCurSslData + 4)); - a_ssl_stream->stNewSessionTicket->ticket = (unsigned char *)(pcCurSslData + 6); - pcCurSslData += 6 + a_ssl_stream->stNewSessionTicket->ticket_len; - iUnAnalyseLen -= (a_ssl_stream->stNewSessionTicket->totallen + SERVER_HELLO_HDRLEN); - pcSslData += (a_ssl_stream->stNewSessionTicket->totallen + SERVER_HELLO_HDRLEN); - ssl_doWithNewSessionTicket(&a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); - // printf("new session ticket:%d\n", a_ssl_stream->stNewSessionTicket->ticket_len); + ssl_call_plugins(a_tcp, ssl_context, (char *)(payload+offset), new_session_ticket.total_len+SESSION_TICKET_HDRLEN, SSL_NEW_SESSION_TICKET_MASK, thread_seq, a_packet); + offset+=(new_session_ticket.total_len+SESSION_TICKET_HDRLEN); + ssl_context->stream.new_session_ticket=NULL; } else { @@ -560,91 +719,34 @@ UCHAR ssl_analyseHandShake(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseLen } } - *res = (iSslDataLen - iUnAnalyseLen); - return SSL_RETURN_NORM; + return SSL_TRUE;; } -UCHAR ssl_analyseAppData(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseLen, int *res, ssl_stream *a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet) +int ssl_parse_application_data(const struct streaminfo *a_tcp, struct ssl_runtime_context *ssl_context, char *payload, int payload_len, int thread_seq, const void *a_packet) { - /**variable define and initialise**/ - int return_val = SSL_RETURN_NORM; - int iUnAnalyseLen = iAllMsgLen < iSslUnAnalyseLen ? iAllMsgLen : iSslUnAnalyseLen; - - /**validaty check**/ - if (NULL == pcSslData || iUnAnalyseLen <= 0) + if (NULL==payload || payload_len<= 0) { - *res = 0; - return SSL_RETURN_NORM; + return SSL_TRUE; } - a_ssl_stream->output_region_mask = SSL_APPLICATION_DATA_MASK; - a_ssl_stream->p_output_buffer->p_data = pcSslData; - a_ssl_stream->p_output_buffer->data_size = iUnAnalyseLen; - return_val = ssl_doWithApplicationData(&a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); - a_ssl_stream->p_output_buffer->p_data = NULL; - a_ssl_stream->p_output_buffer->data_size = 0; - *res = iUnAnalyseLen; - if (SSL_RETURN_NORM != return_val) - return return_val; - return SSL_RETURN_NORM; -} - -UCHAR ssl_analyseAlert(char *pcSslData, int iAllMsgLen, int iSslUnAnalyseLen, int *res, ssl_stream *a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet) -{ - /**variable define and initialise**/ - int return_val = SSL_RETURN_NORM; - int iUnAnalyseLen = iAllMsgLen < iSslUnAnalyseLen ? iAllMsgLen : iSslUnAnalyseLen; - /**validaty check**/ - if (NULL == pcSslData || iUnAnalyseLen <= 0) - { - *res = 0; - return SSL_RETURN_NORM; - } - a_ssl_stream->output_region_mask = SSL_ALERT_MASK; - a_ssl_stream->p_output_buffer->p_data = pcSslData; - a_ssl_stream->p_output_buffer->data_size = iUnAnalyseLen; - return_val = ssl_doWithAlert(&a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); - a_ssl_stream->p_output_buffer->p_data = NULL; - a_ssl_stream->p_output_buffer->data_size = 0; - *res = iUnAnalyseLen; - if (SSL_RETURN_NORM != return_val) - return return_val; - return SSL_RETURN_NORM; + ssl_call_plugins(a_tcp, ssl_context, payload, payload_len, SSL_APPLICATION_DATA_MASK, thread_seq, a_packet); + return SSL_TRUE; } -char *fn_pcGetType(const unsigned char *pucId, int iIdLen, stSerialString_t *pastElemTypes) +int ssl_parse_alert(const struct streaminfo *a_tcp, struct ssl_runtime_context *ssl_context, char *payload, int payload_len, int thread_seq, const void *a_packet) { - int iLoop; - int iInLoop; - - if (NULL == pucId || iIdLen < 0 || NULL == pastElemTypes) - { - return NULL; - } - - for (iLoop = 0; NULL != pastElemTypes[iLoop].pcString; ++iLoop) + if(NULL==payload || payload_len<=0) { - for (iInLoop = 0; iInLoop < iIdLen; ++iInLoop) - { - if (pucId[iInLoop] != pastElemTypes[iLoop].aucSerial[iInLoop]) - { - break; - } - } - if (iInLoop == iIdLen) - { - return (char *)(pastElemTypes[iLoop].pcString); - } + return SSL_TRUE; } - return NULL; + ssl_call_plugins(a_tcp, ssl_context, payload, payload_len, SSL_ALERT_MASK, thread_seq, a_packet); + return SSL_TRUE; } -int ssl_protoRecg(char *pcData, int iDataLen) +int ssl_identify_version(char *pcData, int payload_len) { - if (NULL == pcData || iDataLen < 1) + if (NULL == pcData || payload_len < 1) { return 0; } @@ -692,322 +794,157 @@ int ssl_protoRecg(char *pcData, int iDataLen) return 0; } -#define MAX_THREAD_NUM 64 -#define COUNTER_NUM 4096 - -extern volatile unsigned long long g_SysInputInfo[MAX_THREAD_NUM][COUNTER_NUM]; - -UCHAR ssl_analyseSsl(char *pcSslData, int iDataLen, int *res, ssl_stream *a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet) -{ - /**variable define and initialise**/ - stSSLRecordHdr_t *pstSSLRecordHdr = NULL; - stHandShakeTypeHdr_t *pstHandShakeTypeHdr = NULL; - int iUnAnalyseLen = iDataLen; - char *pcCurSslData = pcSslData; - int iCurAllMsgLen = 0; - int iCurMsgLen = 0; - int is_trunk = 0; - UCHAR return_val = SSL_RETURN_NORM; - - /**validaty check**/ - if (NULL == pcSslData || iDataLen < SSL_HEADER_LEN) +const char* ssl_get_version_name(unsigned short version) +{ + for(unsigned int i=0;ssl_version_list[i].value!=0;i++) { - *res = 0; - return SSL_RETURN_NORM; + if(ssl_version_list[i].value==version) + { + return (char*)ssl_version_list[i].string; + } } + + return NULL; +} - /**first packet of an hand shake conversation**/ - if (UNKNOWN_VERSION == a_ssl_stream->uiSslVersion) +int ssl_parse_version(const struct streaminfo *a_tcp, struct ssl_runtime_context *ssl_context, char *payload, int payload_len, int thread_seq, const void *a_packet) +{ + if(UNKNOWN_VERSION==ssl_context->version) { - a_ssl_stream->uiSslVersion = (unsigned int)ssl_protoRecg(pcSslData, iDataLen); + ssl_context->version=(unsigned int)ssl_identify_version(payload, payload_len); /*jump the first pkt*/ - if (UNKNOWN_VERSION == a_ssl_stream->uiSslVersion) + if (UNKNOWN_VERSION==ssl_context->version) { - *res = -1; - if (a_ssl_stream->first_pkt_flag == 0) + if (ssl_context->first_pkt_flag==0) { - a_ssl_stream->first_pkt_flag = 1; - return SSL_RETURN_GIVEME; + ssl_context->first_pkt_flag=1; + return SSL_CONTINUE; } else { - return SSL_RETURN_DROPME; + return SSL_FLASE; } } /*version callback*/ - return_val = ssl_doWithVersion(&a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); - if (SSL_RETURN_NORM != return_val) - return return_val; - } - // 2020.11.27 iUnAnalyseLen need more than SSL_RECORD_HDRLEN - while (iUnAnalyseLen > SSL_RECORD_HDRLEN) - { - if (SSL_HANDSHAKE_MSG_TRUNKED == a_ssl_stream->uiMsgState) + for(int i=0; ssl_version_list[i].value!=0; i++) { - switch (a_ssl_stream->ucContType) + if(ssl_version_list[i].value==ssl_context->version) { - case HANDSHAKE: - case APPLICATION_DATA: - case ALERT: - pstHandShakeTypeHdr = (stHandShakeTypeHdr_t *)pcCurSslData; - iCurAllMsgLen = (a_ssl_stream->uiAllMsgLen - a_ssl_stream->uiMsgProcLen); - iCurMsgLen = (a_ssl_stream->uiAllMsgLen - a_ssl_stream->uiMsgProcLen) < iUnAnalyseLen ? (a_ssl_stream->uiAllMsgLen - a_ssl_stream->uiMsgProcLen) : iUnAnalyseLen; - a_ssl_stream->uiMsgState = SSL_HANDSHAKE_NOTRUNK; + ssl_call_plugins(a_tcp, ssl_context, (char*)ssl_version_list[i].string, strlen(ssl_version_list[i].string), SSL_VERSION_MASK, thread_seq, a_packet); break; - default: - a_ssl_stream->uiMsgState = SSL_HANDSHAKE_NOTRUNK; - a_ssl_stream->ucContType = 0; - *res = -1; - return SSL_RETURN_NORM; } - } - else - { - - pstSSLRecordHdr = (stSSLRecordHdr_t *)pcCurSslData; - switch (pstSSLRecordHdr->ucContType) - { - case HANDSHAKE: - a_ssl_stream->ucContType = HANDSHAKE; - a_ssl_stream->is_ssl_stream = SSL_TRUE; - a_ssl_stream->uiAllMsgLen = htons(pstSSLRecordHdr->usTotalLen); - pstHandShakeTypeHdr = (stHandShakeTypeHdr_t *)(pcCurSslData + SSL_RECORD_HDRLEN); - pcCurSslData += SSL_RECORD_HDRLEN; - iUnAnalyseLen -= SSL_RECORD_HDRLEN; - iCurAllMsgLen = a_ssl_stream->uiAllMsgLen; - iCurMsgLen = a_ssl_stream->uiAllMsgLen < iUnAnalyseLen ? a_ssl_stream->uiAllMsgLen : iUnAnalyseLen; - a_ssl_stream->uiMsgState = SSL_HANDSHAKE_NOTRUNK; - break; + } + } - case APPLICATION_DATA: - a_ssl_stream->ucContType = APPLICATION_DATA; - a_ssl_stream->is_ssl_stream = SSL_TRUE; - a_ssl_stream->uiAllMsgLen = htons(pstSSLRecordHdr->usTotalLen); - pcCurSslData += SSL_RECORD_HDRLEN; - iUnAnalyseLen -= SSL_RECORD_HDRLEN; - iCurAllMsgLen = a_ssl_stream->uiAllMsgLen; - iCurMsgLen = a_ssl_stream->uiAllMsgLen < iUnAnalyseLen ? a_ssl_stream->uiAllMsgLen : iUnAnalyseLen; - a_ssl_stream->uiMsgState = SSL_HANDSHAKE_NOTRUNK; - // static int count; - // count++; - // printf("%d\t%d\t%lld\n",count, a_ssl_stream->uiAllMsgLen, g_SysInputInfo[0][0]); - break; + return SSL_TRUE; +} - case CHANGE_CIPHER_SEP: - a_ssl_stream->ucContType = CHANGE_CIPHER_SEP; - a_ssl_stream->is_ssl_stream = SSL_TRUE; - a_ssl_stream->uiAllMsgLen = htons(pstSSLRecordHdr->usTotalLen); - iCurAllMsgLen = a_ssl_stream->uiAllMsgLen; - pcCurSslData += SSL_RECORD_HDRLEN; - iUnAnalyseLen -= SSL_RECORD_HDRLEN; - iCurMsgLen = a_ssl_stream->uiAllMsgLen < iUnAnalyseLen ? a_ssl_stream->uiAllMsgLen : iUnAnalyseLen; - a_ssl_stream->uiMsgState = SSL_HANDSHAKE_NOTRUNK; - *res = iCurAllMsgLen; - break; +int ssl_parse_message(const struct streaminfo *a_tcp, struct ssl_runtime_context *ssl_context, char *payload, int payload_len, int thread_seq, const void *a_packet) +{ + int offset=0; + int state=SSL_TRUE; - case ALERT: - a_ssl_stream->ucContType = ALERT; - a_ssl_stream->is_ssl_stream = SSL_TRUE; - a_ssl_stream->uiAllMsgLen = htons(pstSSLRecordHdr->usTotalLen); - iCurAllMsgLen = a_ssl_stream->uiAllMsgLen; - pcCurSslData += SSL_RECORD_HDRLEN; - iUnAnalyseLen -= SSL_RECORD_HDRLEN; - iCurMsgLen = a_ssl_stream->uiAllMsgLen < iUnAnalyseLen ? a_ssl_stream->uiAllMsgLen : iUnAnalyseLen; - a_ssl_stream->uiMsgState = SSL_HANDSHAKE_NOTRUNK; - *res = iCurAllMsgLen; - break; + state=ssl_parse_version(a_tcp, ssl_context, payload, payload_len, thread_seq, a_packet); + if(state!=SSL_TRUE) + { + return state; + } - default: - if (a_ssl_stream->is_ssl_stream == SSL_TRUE) - { - a_ssl_stream->uiMsgState = SSL_HANDSHAKE_NOTRUNK; - a_ssl_stream->ucContType = 0; - *res = -1; - return SSL_RETURN_NORM; - } - else - { - a_ssl_stream->uiMsgState = SSL_HANDSHAKE_NOTRUNK; - a_ssl_stream->ucContType = 0; - *res = -1; - return SSL_RETURN_DROPME; - } - } + while(payload_len-offset > SSL_RECORD_HDRLEN) + { + struct ssl_record_header *ssl_record=(struct ssl_record_header *)(payload+offset); + + int one_record_len=htons(ssl_record->total_len); + ssl_context->is_ssl_stream=SSL_TRUE; + + if((payload_len-offset) < one_record_len) + { + ssl_trunk_cache(ssl_context, payload+offset, payload_len-offset, thread_seq); + break; //cache } - switch (a_ssl_stream->ucContType) + + offset+=SSL_RECORD_HDRLEN; + + switch (ssl_record->content_type) { case APPLICATION_DATA: - /*���������ݣ�ʵʱ����*/ - return_val = ssl_analyseAppData((char *)pcCurSslData, iCurAllMsgLen, iUnAnalyseLen, res, a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); - /*the data is not enough*/ - if (*res < iCurAllMsgLen) - { - is_trunk = 1; - } + state=ssl_parse_application_data(a_tcp, ssl_context, payload+offset, one_record_len, thread_seq, a_packet); break; - - /*��������ȫ������ٴ���*/ - case ALERT: - // printf("%d:%d\n",iCurAllMsgLen,iUnAnalyseLen); - if (iUnAnalyseLen < iCurAllMsgLen) - { - *res = 0; - is_trunk = 1; - } - else - { - return_val = ssl_analyseAlert((char *)pcCurSslData, iCurAllMsgLen, iUnAnalyseLen, res, a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); - is_trunk = 0; - } + case ALERT: + state=ssl_parse_alert(a_tcp, ssl_context, payload+offset, one_record_len, thread_seq, a_packet); break; - - /*other handshark proto not process*/ case HANDSHAKE: - /*���幻�����ٴ���*/ - if (fn_iIsHandShakeMsg(*(unsigned char *)pstHandShakeTypeHdr)) + state=ssl_parse_handshake(a_tcp, ssl_context, payload+offset, one_record_len, thread_seq, a_packet); + break; + case CHANGE_CIPHER_SEP: + break; + default: + if (ssl_context->is_ssl_stream==SSL_TRUE) { - /*res��ʾ����������*/ - return_val = ssl_analyseHandShake((char *)pstHandShakeTypeHdr, iCurAllMsgLen, iUnAnalyseLen, res, a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); - if (*res < iCurAllMsgLen) - { - is_trunk = 1; - } + return SSL_TRUE; } else { - if (iCurMsgLen >= iCurAllMsgLen) - { - /*����Ϣ�������*/ - *res = iCurMsgLen; - } - else - { - /*��ʾ��Ҫ���浱ǰ���ݰ����������ݣ�����*res������������Ϊ0*/ - *res = 0; - is_trunk = 1; - } + return SSL_FLASE; } - /*20140731 res<0 but no why*/ - if (*res < 0) - { - return SSL_RETURN_DROPME; - } - break; - - default: - *res = iCurMsgLen; - break; } - /*the data is not enough*/ - if (is_trunk) - // if(*res < iCurMsgLen) + if(state==SSL_FLASE) { - a_ssl_stream->uiMsgState = SSL_HANDSHAKE_MSG_TRUNKED; - a_ssl_stream->uiMsgProcLen += *res; - //pcCurSslData += *res; //20220318 cppcheck - iUnAnalyseLen -= *res; + offset=payload_len; break; } - else - { - /*������Ϣ�������*/ - a_ssl_stream->uiAllMsgLen = 0; - a_ssl_stream->uiMsgProcLen = 0; - } - if (SSL_RETURN_NORM != return_val) - { - return return_val; - } - - pcCurSslData += *res; - iUnAnalyseLen -= *res; + offset+=one_record_len; } - *res = iDataLen - iUnAnalyseLen; + if(offset==payload_len) + { + ssl_trunk_free(ssl_context, thread_seq); + } - return SSL_RETURN_NORM; + return state; } -UCHAR ssl_analyseStream(struct streaminfo *a_tcp, void **pme, int thread_seq, void *a_packet) +int ssl_parse_stream(const struct streaminfo *a_tcp, struct ssl_runtime_context *ssl_context, int thread_seq, const void *a_packet) { - /**variables define, and initialise**/ - int return_val = APP_STATE_GIVEME; - ssl_stream *a_ssl_stream = (ssl_stream *)*pme; - struct tcpdetail *tcp_detail = (struct tcpdetail *)a_tcp->pdetail; - char *pcSslData = NULL; - int iSslDateLen = 0; - int iRet = 0; + int payload_len = 0; + char *payload=NULL; - if (NULL == a_ssl_stream) + if(ssl_context==NULL) { - return SSL_RETURN_DROPME; + return SSL_FLASE; } - if (0 == tcp_detail->datalen) - { - /*trans ssl over state*/ - if (a_ssl_stream->over_flag == SSL_TRUE && a_ssl_stream->uiSslVersion != UNKNOWN_VERSION) - { - return ssl_callPlugins(&a_ssl_stream, a_tcp, a_ssl_stream->output_region_flag, thread_seq, a_packet); - } - else - return APP_STATE_GIVEME; - } + struct tcpdetail *tcp_detail=(struct tcpdetail *)a_tcp->pdetail; /**if buffered, copy new data to the buff**/ /**if lose packets, drop the buffered data**/ /*bad data fill the buffer, or lose pkt clear it*/ - if ((tcp_detail->lostlen > 0) || (a_ssl_stream->uiMaxBuffLen > 0 && a_ssl_stream->uiCurBuffLen >= a_ssl_stream->uiMaxBuffLen)) + if(tcp_detail->lostlen>0 && ssl_context->record.cache_len>0) { - // 20151231 - return SSL_RETURN_DROPME; - a_ssl_stream->uiCurBuffLen = 0; + ssl_trunk_free(ssl_context, thread_seq); } - if (a_ssl_stream->uiCurBuffLen > 0) + if(ssl_context->record.cache_len>0) { - // 20151231 not enough,tcp_detail->pdata will be cut, it's not useful - if (a_ssl_stream->uiMaxBuffLen - a_ssl_stream->uiCurBuffLen < (int)tcp_detail->datalen) - { - return SSL_RETURN_DROPME; - } - iSslDateLen = MIN((int)tcp_detail->datalen, (a_ssl_stream->uiMaxBuffLen - a_ssl_stream->uiCurBuffLen)); - - memcpy(a_ssl_stream->pcSslBuffer + a_ssl_stream->uiCurBuffLen, tcp_detail->pdata, iSslDateLen); - a_ssl_stream->uiCurBuffLen += iSslDateLen; - iSslDateLen = a_ssl_stream->uiCurBuffLen; - pcSslData = a_ssl_stream->pcSslBuffer; + payload_len=MIN((int)tcp_detail->datalen, (g_ssl_runtime_para.max_cache_len - ssl_context->record.cache_len)); + memcpy(ssl_context->record.cache_buff + ssl_context->record.cache_len, tcp_detail->pdata, payload_len); + ssl_context->record.cache_len += payload_len; + payload_len=ssl_context->record.cache_len; + payload=ssl_context->record.cache_buff; } else { - pcSslData = (char *)tcp_detail->pdata; - iSslDateLen = tcp_detail->datalen; + payload=(char *)tcp_detail->pdata; + payload_len=tcp_detail->datalen; } - return_val = ssl_analyseSsl(pcSslData, iSslDateLen, &iRet, a_ssl_stream, a_tcp, a_ssl_stream->output_region_flag, thread_seq, a_packet); - - if (SSL_RETURN_NORM != return_val) - { - return return_val; - } - /*is ssl_stream, need buffer data*/ - if (iRet < 0 || iRet >= iSslDateLen) - { - a_ssl_stream->uiCurBuffLen = 0; - } - else + /**validaty check**/ + if(NULL==payload || payload_lenuiMaxBuffLen) - { - a_ssl_stream->pcSslBuffer = (char *)dictator_malloc(thread_seq, MAX_DATA_BUFFER); - memset(a_ssl_stream->pcSslBuffer, 0, MAX_DATA_BUFFER); - a_ssl_stream->uiMaxBuffLen = MAX_DATA_BUFFER; - } - fn_vMemCpy(a_ssl_stream->pcSslBuffer, (int)a_ssl_stream->uiMaxBuffLen, pcSslData + iRet, (int)(iSslDateLen - iRet)); - a_ssl_stream->uiCurBuffLen = iSslDateLen - iRet; + return SSL_TRUE; } - return return_val; + + return ssl_parse_message(a_tcp, ssl_context, payload, payload_len, thread_seq, a_packet); } diff --git a/src/SSL_Message.h b/src/SSL_Message.h index 4f525c9..fbefeed 100644 --- a/src/SSL_Message.h +++ b/src/SSL_Message.h @@ -1,34 +1,19 @@ - -#ifndef H_SSL_MESSAGE_H -#define H_SSL_MESSAGE_H - -#include -#include +#pragma once #define MIN(a, b) ((a) <= (b) ? (a):(b)) -#define MAX_DATA_BUFFER 10240 - #define SSL_HEADER_LEN 5+1 //use the hand_shake first bytes -#define SSL_KEY 3 -#define SSL_TRUE 1 -#define SSL_FLASE 0 +#define SSL_KEY 3 +#define SSL_CONTINUE 2 +#define SSL_TRUE 1 +#define SSL_FLASE 0 #define RANDOM_TIME_LEN 4 #define SSL_RANDOM_SIZE 28 -/**SSL versions**/ -#define UNKNOWN_VERSION 0x0000 -#define SSLV3_VERSION 0x0300 -#define SSLV2_VERSION 0x0002 -#define TLSV1_VERSION 0x0301 -#define TLSV1_2_VERSION 0x0303 -#define TLSV1DOT1_VERSION 0x0302 -#define DTLSV1DOT0_VERSION 0xfeff -#define DTLSV1DOT0_VERSION_NOT 0x0100 #define SSL_HANDSHAKE_MSG_HDRLEN 4 #define SSL_RECORD_HDRLEN 5 @@ -49,70 +34,52 @@ //#############################################client hello #define CLIENT_HELLO_HDRLEN 4 -typedef struct _st_client_server_name_t +struct client_server_name { - short server_name_list_len; - unsigned short server_name_type; - unsigned char server_name_len; - unsigned char* server_name_data; -}__attribute__((packed))st_client_server_name_t; + short list_len; + unsigned short type; + unsigned char len; + unsigned char* data; +}__attribute__((packed)); -//#############################################server hello #define SERVER_HELLO_HDRLEN 4 -//#############################################certificate #define CERTIFICATE_HDRLEN 7 #define SSL_CERTIFICATE_HDRLEN 3 - -typedef struct _stValueString_t +struct ssl_value2string { - unsigned int uiValue; - const char *pcString; -}stValueString_t; + unsigned int value; + const char *string; +}; -typedef struct _stSerialString_t +struct ssl_serial_string { - unsigned char aucSerial[16]; - const char *pcString; -}stSerialString_t; + unsigned char serial[16]; + const char *string; +}; -typedef struct _stSSLRecordHdr_t +struct ssl_record_header { - unsigned char ucContType; - unsigned short usVersion; - unsigned short usTotalLen; + unsigned char content_type; + unsigned short version; + unsigned short total_len; +}__attribute__((packed)); -}__attribute__((packed))stSSLRecordHdr_t; - -typedef struct _stHandShakeTypeHdr_t -{ - unsigned char ucContType; -}__attribute__((packed))stHandShakeTypeHdr_t; - -typedef struct _stHSkCertificateHdr_t +struct ssl_handshake_type { - //unsigned char pacCertLen[3]; -}stHSkCertificateHdr_t; + unsigned char content_type; +}__attribute__((packed)); -typedef enum _emHelloMsgType_m +enum SSL_HANDSHAKE_TYPE { -// HELLO_REQUEST = 0, - CLIENT_HELLO = 1, - SERVER_HELLO = 2, - CERTIFICATE = 11, - // SERVER_KEY_EXCHANGE = 12, -// CERTIFICATE_REQUEST = 13, -// SERVER_HELLO_DONE = 14, -// CERTIFICATE_VERIFY = 15, -// CLIENT_KEY_EXCHANGE = 16, -// FINISHED = 20, + CLIENT_HELLO=1, + SERVER_HELLO=2, + CERTIFICATE=11, NEW_SESSION_TICKET=4, - MSG_UNKNOWN = 255, -}emHelloMsgType_m; - -UCHAR ssl_analyseStream(struct streaminfo *a_tcp, void** pme, int thread_seq, void *a_packet); + MSG_UNKNOWN=255, +}; -#endif +int ssl_parse_stream(const struct streaminfo *a_tcp, struct ssl_runtime_context *ssl_context, int thread_seq, const void *a_packet); diff --git a/src/SSL_Proc.c b/src/SSL_Proc.c index bea37aa..1c7a621 100644 --- a/src/SSL_Proc.c +++ b/src/SSL_Proc.c @@ -13,28 +13,9 @@ #include "SSL_Message.h" #include "ssl.h" #include "SSL_Proc.h" -#include "SSL_Common.h" - - -//debug -#define PRINTF_CLIENT_HELLO 0 - -extern ssl_prog_runtime_parameter_t g_ssl_prog_para; - -const stValueString_t pastSslVersions[] = -{ - { DTLSV1_0_VERSION, "DTLS1.0" }, - { DTLSV1_0_VERSION_NOT, "DTLS1.0(OpenSSL pre 0.9.8f)" }, - { TLSV1_2_VERSION, "TLS1.2" }, - { TLSV1_1_VERSION, "TLS1.1" }, - { TLSV1_0_VERSION, "TLS1.0" }, - { SSLV3_VERSION, "SSL3.0" }, - { SSLV2_VERSION, "SSL2.0" }, - { UNKNOWN_VERSION, NULL } -}; /* -const stSerialString_t g_astCipherSuit[] = +const struct ssl_serial_string g_astCipherSuit[] = { {{0X00, 0X2f}, "TLS_RSA_WITH_AES_128_CBC_SHA"}, {{0X00, 0X35}, "TLS_RSA_WITH_AES_256_CBC_SHA"}, @@ -53,7 +34,7 @@ const stSerialString_t g_astCipherSuit[] = }; */ -stSerialString_t g_astCipherSuit[] = +struct ssl_serial_string g_astCipherSuit[] = { {{0xC0, 0X30}, "ECDHE-RSA-AES256-GCM-SHA384"}, {{0xC0, 0X2C}, "ECDHE-ECDSA-AES256-GCM-SHA384"}, @@ -220,7 +201,7 @@ int BtoL1BytesNum(const char *pcData) return uiLength; } -char *fn_pcGetSuite(const unsigned char *pucId, int iIdLen, const stSerialString_t *pastElemTypes) +char *fn_pcGetSuite(const unsigned char *pucId, int iIdLen, const struct ssl_serial_string *pastElemTypes) { int iLoop; int iInLoop; @@ -230,11 +211,11 @@ char *fn_pcGetSuite(const unsigned char *pucId, int iIdLen, const stSerialString return NULL; } - for (iLoop = 0; NULL != pastElemTypes[iLoop].pcString; ++iLoop) + for (iLoop = 0; NULL != pastElemTypes[iLoop].string; ++iLoop) { for (iInLoop = 0; iInLoop < iIdLen; ++iInLoop) { - if (pucId[iInLoop] != pastElemTypes[iLoop].aucSerial[iInLoop]) + if (pucId[iInLoop] != pastElemTypes[iLoop].serial[iInLoop]) { //continue; break; @@ -243,7 +224,7 @@ char *fn_pcGetSuite(const unsigned char *pucId, int iIdLen, const stSerialString if (iInLoop == iIdLen) { - return (char *)(pastElemTypes[iLoop].pcString); + return (char *)(pastElemTypes[iLoop].string); } } @@ -253,440 +234,52 @@ char *fn_pcGetSuite(const unsigned char *pucId, int iIdLen, const stSerialString const char* ssl_get_suite_name(unsigned char* suite_value, unsigned short suite_len) { if(suite_value==NULL) return NULL; - return fn_pcGetSuite((unsigned char *)suite_value, suite_len, (stSerialString_t*)&g_astCipherSuit); -} - -const char* ssl_get_version_name(unsigned short version) -{ - for(unsigned int i=0;pastSslVersions[i].uiValue!=0;i++) - { - if(pastSslVersions[i].uiValue==version) - { - return (char*)pastSslVersions[i].pcString; - } - } - - return NULL; -} - -int ssl_get_alpn_list(alpn_list_t* alpn_list, int alpn_size, st_ext_t* exts, unsigned short ext_num) -{ - int alpn_ext_len; - int alpn_proto_len; - int alpn_proto_num = 0; - unsigned char* alpl = NULL; - - for(int i=0; i0 && alpn_proto_numuiSslVersion) - { - find_index = (int)i; - break; - } - } - if(-1!=find_index) - { - (*a_ssl_stream)->output_region_mask = SSL_VERSION_MASK; - (*a_ssl_stream)->p_output_buffer->p_data = (char*)pastSslVersions[find_index].pcString; - (*a_ssl_stream)->p_output_buffer->data_size = strlen(pastSslVersions[find_index].pcString); - return_val = ssl_callPlugins(a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); - (*a_ssl_stream)->p_output_buffer->p_data = NULL; - (*a_ssl_stream)->p_output_buffer->data_size = 0; - (*a_ssl_stream)->output_region_mask = SSL_INTEREST_KEY_MASK; - } - return return_val; -} - -UCHAR ssl_doWithNewSessionTicket(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet) -{ - UCHAR return_val = SSL_RETURN_NORM; - (*a_ssl_stream)->output_region_mask = SSL_NEW_SESSION_TICKET_MASK; - return_val = ssl_callPlugins(a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); - (*a_ssl_stream)->output_region_mask = SSL_INTEREST_KEY_MASK; - return return_val; -} - -UCHAR ssl_doWithApplicationData(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet) -{ - UCHAR return_val = SSL_RETURN_NORM; - (*a_ssl_stream)->output_region_mask = SSL_APPLICATION_DATA_MASK; - return_val = ssl_callPlugins(a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); - (*a_ssl_stream)->output_region_mask = SSL_INTEREST_KEY_MASK; - return return_val; -} - - -UCHAR ssl_doWithAlert(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet) -{ - UCHAR return_val = SSL_RETURN_NORM; - (*a_ssl_stream)->output_region_mask = SSL_ALERT_MASK; - return_val = ssl_callPlugins(a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); - (*a_ssl_stream)->output_region_mask = SSL_INTEREST_KEY_MASK; - return return_val; -} - - -UCHAR ssl_doWithCertificate(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet) -{ - UCHAR return_val = SSL_RETURN_NORM; - return_val = ssl_callPlugins(a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); - (*a_ssl_stream)->output_region_mask = SSL_INTEREST_KEY_MASK; - return return_val; -} - -UCHAR ssl_doWithCertificateDetail(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet) -{ - UCHAR return_val = SSL_RETURN_NORM; - (*a_ssl_stream)->output_region_mask = SSL_CERTIFICATE_DETAIL_MASK; - return_val = ssl_callPlugins(a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); - (*a_ssl_stream)->output_region_mask = SSL_INTEREST_KEY_MASK; - return return_val; -} - -UCHAR ssl_doWithClientHello(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet) -{ - UCHAR return_val = SSL_RETURN_NORM; - (*a_ssl_stream)->output_region_mask = SSL_CLIENT_HELLO_MASK; - - /*parse extionsion server_name*/ - int i=0; - for(i=0; i<(*a_ssl_stream)->stClientHello->ext_num; i++) - { - if((*a_ssl_stream)->stClientHello->exts[i].type == SERVER_NAME_EXT_TYPE) - { - st_client_server_name_t* pstClientServerName = (st_client_server_name_t*)dictator_malloc(thread_seq,sizeof(st_client_server_name_t)); - unsigned char* cur_data = NULL; - unsigned char servernamelen = 0; - pstClientServerName->server_name_list_len = (*a_ssl_stream)->stClientHello->exts[i].len; - cur_data = (*a_ssl_stream)->stClientHello->exts[i].data; - - pstClientServerName->server_name_list_len -= sizeof(pstClientServerName->server_name_list_len); - cur_data += sizeof(pstClientServerName->server_name_list_len); - - /*3=sizeof(pstClientServerName.server_name_type)+sizeof(pstClientServerName.server_name_len)*/ - while(pstClientServerName->server_name_list_len>3) - { - pstClientServerName->server_name_type = BtoL1BytesNum((char *)cur_data); - pstClientServerName->server_name_len = BtoL2BytesNum((char *)(cur_data+1)); - pstClientServerName->server_name_list_len -= 3; - cur_data += 3; - /*have data*/ - if(((pstClientServerName->server_name_type == SERVER_NAME_HOST_TYPE))&& - pstClientServerName->server_name_len>0&& - pstClientServerName->server_name_list_len>=pstClientServerName->server_name_len) - { - pstClientServerName->server_name_data = cur_data; - //if(!first_server_name) - { - memcpy((*a_ssl_stream)->stClientHello->server_name, - pstClientServerName->server_name_data, - pstClientServerName->server_name_len); - servernamelen = strlen((char*)(*a_ssl_stream)->stClientHello->server_name); - (*a_ssl_stream)->stClientHello->server_name[servernamelen] = '\0'; - //printf("====servername:%s\n", (*a_ssl_stream)->stClientHello->server_name); - break; - } - } - pstClientServerName->server_name_list_len -= pstClientServerName->server_name_len; - cur_data += pstClientServerName->server_name_len; - } - //if(NULL!=pstClientServerName) - //{ - dictator_free(thread_seq,pstClientServerName); - //} - } - else if((*a_ssl_stream)->stClientHello->exts[i].type == SESSION_TICKET_EXT_TYPE) - { - (*a_ssl_stream)->stClientHello->session_ticket.ticketlen = (*a_ssl_stream)->stClientHello->exts[i].len; - (*a_ssl_stream)->stClientHello->session_ticket.ticket = (*a_ssl_stream)->stClientHello->exts[i].data; - //printf("====session ticket:%d\n", (*a_ssl_stream)->stClientHello->session_ticket.ticketlen); - } - else if((*a_ssl_stream)->stClientHello->exts[i].type == ENCRPTED_SERVER_NAME_EXT_TYPE) - { - char* cur_data = (char*)(*a_ssl_stream)->stClientHello->exts[i].data; - int iUnAnaHelloLen = (*a_ssl_stream)->stClientHello->exts[i].len; - if(iUnAnaHelloLen>SUITE_VALUELEN) - { - (*a_ssl_stream)->stClientHello->encrypted_server_name.suite_value = (unsigned char *)dictator_malloc(thread_seq,SUITE_VALUELEN); - memcpy((*a_ssl_stream)->stClientHello->encrypted_server_name.suite_value, cur_data, SUITE_VALUELEN); - cur_data += SUITE_VALUELEN; - iUnAnaHelloLen -= SUITE_VALUELEN; - } - if(iUnAnaHelloLen>KEY_EXCHANGELEN_LEN) - { - (*a_ssl_stream)->stClientHello->encrypted_server_name.key_exchange_group = (unsigned short)BtoL2BytesNum(cur_data); - (*a_ssl_stream)->stClientHello->encrypted_server_name.key_exchange_len = (unsigned short)BtoL2BytesNum(cur_data+2); - (*a_ssl_stream)->stClientHello->encrypted_server_name.key_exchange = (unsigned char *)dictator_malloc(thread_seq,(*a_ssl_stream)->stClientHello->encrypted_server_name.key_exchange_len); - memcpy((*a_ssl_stream)->stClientHello->encrypted_server_name.key_exchange, cur_data+KEY_EXCHANGELEN_LEN, (*a_ssl_stream)->stClientHello->encrypted_server_name.key_exchange_len); - cur_data += (KEY_EXCHANGELEN_LEN+(*a_ssl_stream)->stClientHello->encrypted_server_name.key_exchange_len); - iUnAnaHelloLen -= (KEY_EXCHANGELEN_LEN+(*a_ssl_stream)->stClientHello->encrypted_server_name.key_exchange_len); - } - if(iUnAnaHelloLen>RECORD_DIGESTLEN_LEN) - { - (*a_ssl_stream)->stClientHello->encrypted_server_name.record_digest_len= (unsigned short)BtoL2BytesNum(cur_data); - (*a_ssl_stream)->stClientHello->encrypted_server_name.record_digest = (unsigned char *)dictator_malloc(thread_seq,(*a_ssl_stream)->stClientHello->encrypted_server_name.record_digest_len); - memcpy((*a_ssl_stream)->stClientHello->encrypted_server_name.record_digest, cur_data+RECORD_DIGESTLEN_LEN, (*a_ssl_stream)->stClientHello->encrypted_server_name.record_digest_len); - cur_data += (RECORD_DIGESTLEN_LEN+(*a_ssl_stream)->stClientHello->encrypted_server_name.record_digest_len); - iUnAnaHelloLen -= (RECORD_DIGESTLEN_LEN+(*a_ssl_stream)->stClientHello->encrypted_server_name.record_digest_len); - } - if(iUnAnaHelloLen>ESNILEN_LEN) - { - (*a_ssl_stream)->stClientHello->encrypted_server_name.esni_len = (unsigned short)BtoL2BytesNum(cur_data); - (*a_ssl_stream)->stClientHello->encrypted_server_name.esni = (unsigned char *)dictator_malloc(thread_seq,(*a_ssl_stream)->stClientHello->encrypted_server_name.esni_len); - memcpy((*a_ssl_stream)->stClientHello->encrypted_server_name.esni, cur_data+ESNILEN_LEN, (*a_ssl_stream)->stClientHello->encrypted_server_name.esni_len); - cur_data += (ESNILEN_LEN+(*a_ssl_stream)->stClientHello->encrypted_server_name.esni_len); - iUnAnaHelloLen -= (ESNILEN_LEN+(*a_ssl_stream)->stClientHello->encrypted_server_name.esni_len); - } - } - else if((*a_ssl_stream)->stClientHello->exts[i].type == ENCRPTED_CLIENT_HELLO_EXT_TYPE) - { - (*a_ssl_stream)->stClientHello->encrypt_chello = &(*a_ssl_stream)->stClientHello->exts[i]; - } - } - - return_val = ssl_callPlugins(a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); - (*a_ssl_stream)->output_region_mask = SSL_INTEREST_KEY_MASK; - return return_val; -} - -void print_sni(ssl_stream **a_ssl_stream) -{ -#if PRINTF_CLIENT_HELLO - //printf("server_name:%s\n",(*a_ssl_stream)->stClientHello->server_name); - FILE* pFile = NULL; - time_t currTime; - struct tm *now; - char strTime[32]; - char logTime[32]; - char filename[64] = {0}; - time(&currTime); - now = localtime(&currTime); - memset(strTime, 0, sizeof(strTime) ); - memset(logTime, 0, sizeof(logTime) ); - strftime(strTime, sizeof(strTime), "%Y-%m-%d %H:%M:%S", now); - strftime(logTime, sizeof(logTime), "%Y-%m-%d", now); - strcpy(filename, "./ssl_log/ssl_server_name_log_"); - strcat(filename, logTime); - if(((pFile = fopen(filename, "a+"))!=NULL)) - { - fprintf(pFile,"%s===%s\n",strTime, (*a_ssl_stream)->stClientHello->server_name); - fclose(pFile); - } -#endif - -} - -UCHAR ssl_doWithServerHello(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet) -{ - UCHAR return_val = SSL_RETURN_NORM; - (*a_ssl_stream)->output_region_mask = SSL_SERVER_HELLO_MASK; - return_val = ssl_callPlugins(a_ssl_stream, a_tcp, region_flag, thread_seq, a_packet); - (*a_ssl_stream)->output_region_mask = SSL_INTEREST_KEY_MASK; - return return_val; -} - -int ssl_getLinkState(ssl_stream *a_ssl_stream) +int ssl_get_link_state(struct ssl_runtime_context *ssl_context) { UCHAR state = 0; - if(SSL_FLASE==(a_ssl_stream)->link_state) + if(SSL_FLASE==ssl_context->link_state) { - if(SSL_TRUE==(a_ssl_stream)->over_flag) + if(SSL_TRUE==ssl_context->over_flag) state = SESSION_STATE_CLOSE | SESSION_STATE_PENDING; else state = SESSION_STATE_PENDING; } else { - if(SSL_TRUE==(a_ssl_stream)->over_flag) + if(SSL_TRUE==ssl_context->over_flag) { state = SESSION_STATE_CLOSE; } else + { state = SESSION_STATE_DATA; + } } - (a_ssl_stream)->link_state = SSL_TRUE; + + ssl_context->link_state = SSL_TRUE; + return state; -}/*ssl_getLinkState*/ +} -UCHAR ssl_callPlugins(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet) +void ssl_call_plugins(const struct streaminfo *a_tcp, struct ssl_runtime_context *ssl_context, char *buff, int buff_len, enum ssl_interested_region output_region_mask, int thread_seq, const void *a_packet) { stSessionInfo session_info; - region_flag = (region_flag >> (*a_ssl_stream)->output_region_mask) % 2; + unsigned long long region_flag = (g_ssl_runtime_para.ssl_interested_region_flag >> output_region_mask) % 2; - if( SSL_TRUE==region_flag || (*a_ssl_stream)->over_flag==SSL_TRUE ) + if(SSL_TRUE==region_flag || ssl_context->over_flag==SSL_TRUE ) { - if (PROT_STATE_DROPME != (*a_ssl_stream)->business->return_value) + if (PROT_STATE_DROPME != ssl_context->business.return_value) { - session_info.plugid = g_ssl_prog_para.ssl_plugid; - session_info.prot_flag = (((unsigned long long)1)<<(*a_ssl_stream)->output_region_mask); - session_info.session_state = ssl_getLinkState(*a_ssl_stream) ; - session_info.app_info = (void*)(*a_ssl_stream); - session_info.buf = (*a_ssl_stream)->p_output_buffer->p_data; - session_info.buflen = (*a_ssl_stream)->p_output_buffer->data_size; - (*a_ssl_stream)->business->return_value = PROT_PROCESS(&session_info, - &((*a_ssl_stream)->business->param), - thread_seq,a_tcp, a_packet); + session_info.plugid = g_ssl_runtime_para.ssl_plugid; + session_info.prot_flag = (((unsigned long long)1)<stream); + session_info.buf=buff; + session_info.buflen=buff_len; + ssl_context->business.return_value=PROT_PROCESS(&session_info, &(ssl_context->business.param), thread_seq, (struct streaminfo *)a_tcp, a_packet); } } - /* - if(PROT_STATE_DROPME == (*a_ssl_stream)->business->return_value) - { - return PROT_STATE_DROPME; - } - */ - return SSL_RETURN_NORM; -} - -/* -Input: pLenBytes return the bytes of the length domain -Return: length of the tlv structure -*/ -int fn_iSslDecodeTagLength(char *pcTlvData, int iDataLen, int *pLenBytes) -{ - unsigned int uiLength = 0; - int iLoop = 0; - unsigned char *pucTlvData = (unsigned char *)pcTlvData; - if (NULL == pucTlvData || iDataLen < 2 || NULL == pLenBytes) - { - return -1; - } - - if (pucTlvData[1] > 0x80) - { - *pLenBytes = pucTlvData[1] & 0x7f; - } - else if (pucTlvData[1] == 0x80) - { - *pLenBytes = 1; - return 0; - } - else - { - *pLenBytes = 1; - return pucTlvData[1]; - } - - if (*pLenBytes > iDataLen - 2 || *pLenBytes > 4) - { - return -1; - } - - for (iLoop = 0; iLoop < *pLenBytes; ++iLoop) - { - uiLength = (uiLength << 8) + pucTlvData[2+iLoop]; - } - - *pLenBytes += 1; - - return uiLength; -} - - -void fn_vMemCpy(char *pcDst, int iMaxDstLen, char *pcSrc, int iSrcLen) -{ - char *pcBuff = NULL; - int iLoop = 0; - if (NULL == pcDst || NULL == pcSrc || pcDst == pcSrc || iMaxDstLen < iSrcLen) - { - return; - } - - if (pcDst < pcSrc || pcDst > pcSrc + iSrcLen) - { - pcBuff = pcSrc; - } - else - { - pcBuff = (char *)malloc(sizeof(char)*iSrcLen); - if (NULL == pcBuff) - { - return; - } - - memcpy(pcBuff, pcSrc, iSrcLen); - } - - for (iLoop = 0; iLoop < iSrcLen; ++iLoop) - { - pcDst[iLoop] = pcSrc[iLoop]; - } - - if (pcBuff != pcSrc) - { - free(pcBuff); - } - - return; -} - -void fn_vPrintNum(char *pcDstBuff, unsigned char ucNum) -{ - if (NULL == pcDstBuff) - { - return; - } - - if ((((ucNum&0xf0)>>4)&0x0f) < 0x0a) - { - pcDstBuff[0] = 0x30 + (((ucNum&0xf0)>>4)&0x0f); - } - else - { - pcDstBuff[0] = 0x61 - 0x0a + (((ucNum&0xf0)>>4)&0x0f); - } - - if ((ucNum&0x0f) < 0x0a) - { - pcDstBuff[1] = 0x30 + (ucNum&0x0f); - } - else - { - pcDstBuff[1] = 0x61 - 0x0a + (ucNum&0x0f); - } - - pcDstBuff[2] = '\0'; - return; } diff --git a/src/SSL_Proc.h b/src/SSL_Proc.h index 62ddd35..5dbb380 100644 --- a/src/SSL_Proc.h +++ b/src/SSL_Proc.h @@ -1,53 +1,10 @@ -/* - * SSL_Proc.h - * - * Created on: 2013-5-3 - * Author: lis - */ +#pragma once -#ifndef SSL_PROC_H_ -#define SSL_PROC_H_ +int BtoL1BytesNum(const char *pcData); +int BtoL2BytesNum(const char *pcData); +int BtoL3BytesNum(const char *pcData); +int BtoL4BytesNum(const char *pcData); -#include "ssl.h" - -#ifdef __cplusplus -extern "C" { -#endif - -int BtoL1BytesNum(const char *pcData); -int BtoL2BytesNum(const char *pcData); -int BtoL3BytesNum(const char *pcData); -int BtoL4BytesNum(const char *pcData); - -int ssl_protoRecg(char *pcData, int iDataLen); -char *fn_pcGetSuite(unsigned char *pucId, int iIdLen, stSerialString_t *pastElemTypes); -UCHAR ssl_doWithVersion(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet); -UCHAR ssl_doWithNewSessionTicket(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet); -UCHAR ssl_doWithApplicationData(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet); -UCHAR ssl_doWithAlert(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet); -UCHAR ssl_doWithCertificate(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet); -UCHAR ssl_doWithCertificateDetail(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet); -UCHAR ssl_doWithServerName(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet); -UCHAR ssl_doWithClientHello(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet); -UCHAR ssl_doWithServerHello(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet); -UCHAR ssl_callPlugins(ssl_stream **a_ssl_stream, struct streaminfo *a_tcp, - unsigned long long region_flag, int thread_seq, void *a_packet); -int ssl_getLinkState(ssl_stream *a_ssl_stream); -int fn_iSslDecodeTagLength(char *pcTlvData, int iDataLen, int *pLenBytes); -void fn_vMemCpy(char *pcDst, int iMaxDstLen, char *pcSrc, int iSrcLen); -void fn_vPrintNum(char *pcDstBuff, unsigned char ucNum); - -#ifdef __cplusplus -} -#endif - -#endif /* SSL_PROC_H_ */ +int ssl_identify_version(char *pcData, int iDataLen); +char *fn_pcGetSuite(unsigned char *pucId, int iIdLen, struct ssl_serial_string *pastElemTypes); +void ssl_call_plugins(const struct streaminfo *a_tcp, struct ssl_runtime_context *ssl_context, char *buff, int buff_len, enum ssl_interested_region output_region_mask, int thread_seq, const void *a_packet); diff --git a/src/SSl_ja3_fingerprint.cpp b/src/SSl_ja3_fingerprint.cpp index cc6be0c..5bfb453 100644 --- a/src/SSl_ja3_fingerprint.cpp +++ b/src/SSl_ja3_fingerprint.cpp @@ -380,14 +380,13 @@ typedef struct bsb unsigned char *end; } BSB; -typedef struct _ssl_fingerprint +struct ssl_fingerprint { - struct _ssl_ja3_info_t *ja3_info; - struct _ssl_ja3s_info_t *ja3s_info; -}ssl_fingerprint_t; + struct ssl_ja3_info *ja3_info; +}; -static int ja3_md5sum(const char *str, int len, char *buf, int size) +int ja3_md5sum(const char *str, int len, char *buf, int size) { int n; int ret = 0; @@ -603,7 +602,7 @@ static int ssl_generate_ja3_fingerprint(const unsigned char *data, int len, char static void free_ja3_fingerprint_label(int thread_seq, void *value) { - ssl_fingerprint_t *fingerprint_info=(ssl_fingerprint_t *)value; + struct ssl_fingerprint *fingerprint_info=(struct ssl_fingerprint *)value; if(value!=NULL) { if (fingerprint_info->ja3_info != NULL) @@ -617,14 +616,6 @@ static void free_ja3_fingerprint_label(int thread_seq, void *value) dictator_free(thread_seq, fingerprint_info->ja3_info); fingerprint_info->ja3_info = NULL; } - - if (fingerprint_info->ja3s_info != NULL) - { - dictator_free(thread_seq, (void *)fingerprint_info->ja3s_info->fp); - fingerprint_info->ja3s_info->fp = NULL; - dictator_free(thread_seq, fingerprint_info->ja3s_info); - fingerprint_info->ja3s_info = NULL; - } dictator_free(thread_seq, value); value=NULL; @@ -633,18 +624,18 @@ static void free_ja3_fingerprint_label(int thread_seq, void *value) return ; } -struct _ssl_ja3_info_t *ssl_get_ja3_fingerprint(struct streaminfo *stream, unsigned char *payload, int payload_len, int thread_seq) +struct ssl_ja3_info *ssl_get_ja3_fingerprint(struct streaminfo *stream, unsigned char *payload, int payload_len, int thread_seq) { int ret=0; char ja3_fp[8192]={0}; char sni_buff[1024]={0}; - _ssl_ja3_info_t *ja3_info = NULL; + struct ssl_ja3_info *ja3_info = NULL; - ssl_fingerprint_t *fingerprint_info=(ssl_fingerprint_t *)project_req_get_struct(stream, g_ssl_ja3_fingerprint_label_id); + struct ssl_fingerprint *fingerprint_info=(struct ssl_fingerprint *)project_req_get_struct(stream, g_ssl_ja3_fingerprint_label_id); if (fingerprint_info == NULL) { - fingerprint_info = (ssl_fingerprint_t *)dictator_malloc(thread_seq, sizeof(ssl_fingerprint_t)); - memset(fingerprint_info, 0, sizeof(ssl_fingerprint_t)); + fingerprint_info = (struct ssl_fingerprint *)dictator_malloc(thread_seq, sizeof(struct ssl_fingerprint)); + memset(fingerprint_info, 0, sizeof(struct ssl_fingerprint)); project_req_add_struct(stream, g_ssl_ja3_fingerprint_label_id, (void *)fingerprint_info); } else if(fingerprint_info->ja3_info!=NULL) @@ -655,7 +646,7 @@ struct _ssl_ja3_info_t *ssl_get_ja3_fingerprint(struct streaminfo *stream, unsig ret=ssl_generate_ja3_fingerprint(payload, payload_len, ja3_fp, sizeof(ja3_fp), sni_buff, sizeof(sni_buff)); if(ret==1) { - fingerprint_info->ja3_info=(struct _ssl_ja3_info_t *)dictator_malloc(thread_seq, sizeof(struct _ssl_ja3_info_t)); + fingerprint_info->ja3_info=(struct ssl_ja3_info *)dictator_malloc(thread_seq, sizeof(struct ssl_ja3_info)); ja3_info = fingerprint_info->ja3_info; if(strlen(sni_buff)>0 && strlen(sni_buff)= 0x0300 && ver <= 0x0303) { - int skiplen = 0; - BSB_IMPORT_u08(bsb, skiplen); // Session Id Length - BSB_IMPORT_skip(bsb, skiplen); // Session Id - } - - uint16_t cipher = 0; - BSB_IMPORT_u16(bsb, cipher); - BSB_IMPORT_skip(bsb, 1); - - - BSB ja3bsb; - char eja3[10000]; - BSB eja3bsb; - - BSB_INIT(ja3bsb, ja3_fp, ja3_fp_len); - BSB_INIT(eja3bsb, eja3, sizeof(eja3)); - - if (BSB_REMAINING(bsb) > 2) { - int etotlen = 0; - BSB_IMPORT_u16(bsb, etotlen); // Extensions Length - - etotlen = MIN(etotlen, BSB_REMAINING(bsb)); - - BSB ebsb; - BSB_INIT(ebsb, BSB_WORK_PTR(bsb), etotlen); - - while (BSB_REMAINING(ebsb) > 0) { - int etype = 0, elen = 0; - - BSB_IMPORT_u16 (ebsb, etype); - BSB_IMPORT_u16 (ebsb, elen); - - BSB_EXPORT_sprintf(eja3bsb, "%d-", etype); - - if (elen > BSB_REMAINING(ebsb)) - break; - - // if (etype == 0x2b && elen == 2) { // etype 0x2b is supported version - // uint16_t supported_version = 0; - // BSB_IMPORT_u16(ebsb, supported_version); - // } - - BSB_IMPORT_skip (ebsb, elen); - } - BSB_EXPORT_rewind(eja3bsb, 1); // Remove last - - } - - BSB_EXPORT_sprintf(ja3bsb, "%d,%d,%.*s", ver, cipher, (int)BSB_LENGTH(eja3bsb), eja3); - - return 1; -} - -struct _ssl_ja3s_info_t *ssl_get_ja3s_fingerprint(struct streaminfo *stream, unsigned char *payload, int payload_len, int thread_seq) -{ - int ret=0; - char ja3s_fp[8192]={0}; - _ssl_ja3s_info_t *ja3s_info = NULL; - - ssl_fingerprint_t *fingerprint_info=(ssl_fingerprint_t *)project_req_get_struct(stream, g_ssl_ja3_fingerprint_label_id); - if (fingerprint_info == NULL) - { - fingerprint_info = (ssl_fingerprint_t *)dictator_malloc(thread_seq, sizeof(ssl_fingerprint_t)); - memset(fingerprint_info, 0, sizeof(ssl_fingerprint_t)); - project_req_add_struct(stream, g_ssl_ja3_fingerprint_label_id, (void *)fingerprint_info); - } - else if(fingerprint_info->ja3s_info!=NULL) - { - return fingerprint_info->ja3s_info; - } - - ret=ssl_generate_ja3s_fingerprint(payload, payload_len, ja3s_fp, sizeof(ja3s_fp)); - if(ret==1) - { - fingerprint_info->ja3s_info=(struct _ssl_ja3s_info_t *)dictator_malloc(thread_seq, sizeof(struct _ssl_ja3s_info_t)); - ja3s_info = fingerprint_info->ja3s_info; - - if(strlen(ja3s_fp)>0) - { - ja3s_info->fp=(char *)dictator_malloc(thread_seq, MD5_DIGEST_LENGTH*2+1); - ja3s_info->fp_len=ja3_md5sum(ja3s_fp, strlen(ja3s_fp), ja3s_info->fp, MD5_DIGEST_LENGTH*2+1); - ja3s_info->fp[ja3s_info->fp_len]='\0'; - } - else - { - ja3s_info->fp=NULL; - ja3s_info->fp_len=0; - } - - return ja3s_info; - } - - return NULL; -} - - int ssl_ja3_init(void) { g_ssl_ja3_fingerprint_label_id=project_producer_register("JA3_FINGERPRINT_LABEL", "struct", free_ja3_fingerprint_label); diff --git a/src/ssl.h b/src/ssl.h deleted file mode 100644 index 7e53cf2..0000000 --- a/src/ssl.h +++ /dev/null @@ -1,342 +0,0 @@ - -#ifndef H_SSL_H -#define H_SSL_H - -#include -#include - -#define SSH_H_VERSION_20210805_ssl20 0 - -#define SSL_KEY 3 -#define SSL_TRUE 1 -#define SSL_FLASE 0 - - -#define SSL_INTEREST_KEY (1<0 ͲˣΪSSLĸʽ̫ϸ -2. bufƣνռڴ -3. pcSslBuffer malloc when need -4. dictator_malloc -5. cert,client,serverڴҪʱ -************************************************* -2015-03-23 -1. Conditional jump or move depends on uninitialised value -2. Эжһ1 2 11 Ӧж -************************************************* -2014-11-18 -1. ssl_message.h->ssl.h -2. delete killme -3. ҵͬʱĵ֤ϸϢԭʼϢ - -************************************************* -2014-11-28 -1. ɾssl.h,SSL_Message.h - -************************************************* -20150106 -1. µı׼淶Լ· -************************************************* -20150127 -1. if(a_ssl_stream->stSSLCert->totallen<0) return SSL_RETURN_DROPME;жϣ쳣Ķδ \ No newline at end of file diff --git a/src/tool/test_cert/Makefile b/src/tool/test_cert/Makefile deleted file mode 100644 index 12eb449..0000000 --- a/src/tool/test_cert/Makefile +++ /dev/null @@ -1,42 +0,0 @@ -# CREATED by Guo Le, 08/23/2010 -# -CC = gcc -PROGRAM = test_cert -CFLAGS = -g -Wall -INCLUDE = -I. -I./common -LDFLAGS = -lpthread -Wall -OBJS = backend.o -DEPLOY_DIR = /home/ictsoft/fake_backend -BUILD_DIR = ./debug -LIB = /usr/lib64/ruby/openssl.so - -.PHONY : all clean -all: $(PROGRAM) - - -test_cert: test_cert.c - gcc $(INCLUDE) $(LDFLAGS) -g -Wall test_cert.c $(LIB) -lcrypto -o cert_test - -$(OBJS): %.o: %.c - $(CC) -c $(CFLAGS) $(INCLUDE) $< -o $@ - - -clean: - $(RM) *.o $(PROGRAM) - -localdeploy: $(PROGRAM) - @echo "- Kill previous process ---------------------------------------------" - @-killall -vq backend_video backend_audio; - @echo "---------------------------------------------------------------------" - @echo "- Check deploy dir --------------------------------------------------" - @if [ ! -d "$(DEPLOY_DIR)" ]; \ - then echo "DEPLOY_DIR doesn't exist!"; mkdir -p $(DEPLOY_DIR); \ - else echo "DEPLOY_DIR exist, remove all"; fi - @-rm -rfv $(DEPLOY_DIR)/* - @echo "---------------------------------------------------------------------" - @echo "- Deploy ------------------------------------------------------------" - @cp -rv $(BUILD_DIR)/* $(DEPLOY_DIR) - @echo "---------------------------------------------------------------------" - @echo "- Run ---------------------------------------------------------------" - @cd $(DEPLOY_DIR); ./r2; - @ps au | grep -e "backend" | grep -v grep diff --git a/src/tool/test_cert/cert_test b/src/tool/test_cert/cert_test deleted file mode 100644 index 73ec2df..0000000 Binary files a/src/tool/test_cert/cert_test and /dev/null differ diff --git a/src/tool/test_cert/ssl_cert.crt b/src/tool/test_cert/ssl_cert.crt deleted file mode 100644 index cb66757..0000000 Binary files a/src/tool/test_cert/ssl_cert.crt and /dev/null differ diff --git a/src/tool/test_cert/test_cert.c b/src/tool/test_cert/test_cert.c deleted file mode 100644 index 45f1d32..0000000 --- a/src/tool/test_cert/test_cert.c +++ /dev/null @@ -1,296 +0,0 @@ - -#include -#include -#include -#include -#include -#include -#include - - -#include "openssl/x509.h" -#include "openssl/objects.h" -#include "openssl/safestack.h" -#include "openssl/cms.h" -#include "openssl/ocsp.h" -#include "openssl/ts.h" -#include "openssl/ts.h" -#include "openssl/x509v3.h" - -#define SSL_RETURN_NORM 0x53 -#define SSL_RETURN_UNNORM 0x54 -#define SSL_RETURN_RESET_BUFFER 0x55 -#define SSL_RETURN_DROPME 0x57 - - -/*ssl_read_all_certеĽṹ*/ -typedef struct cert_chain_s -{ - char* cert; - uint32_t cert_len; -}cert_chain_t; - -typedef struct _san_t -{ - char san[64]; -}san_t; - -typedef struct _st_san_t -{ - int count; - san_t* san_array; //ָ -}st_san_t; - -typedef struct _st_cert_t -{ - int totallen; - int certlen; - char SSLVersion[10]; - char SSLSerialNum[128]; - char SSLAgID [64]; - char SSLIssuer[512]; //commonName + organizationName + organizationalUnitName + localityName + streetAddress + stateOrProvinceName + countryName - char SSLSub[512]; //commonName + organizationName + organizationalUnitName + localityName + streetAddress + stateOrProvinceName + countryName - char SSLFrom[80]; - char SSLTo[80]; - char SSLFPAg[32]; - char SSLIssuerC[64]; //countryName - char SSLIssuerO[64]; //organizationName - char SSLIssuerCN[64];//commonName - char SSLSubC[64]; //countryName - char SSLSubO[64]; //organizationName - char SSLSubCN[64];//commonName - st_san_t* SSLSubAltName; - uint8_t cert_type; - unsigned char* SSLSubKey; - int SSLSubKeyLen; - uint8_t SSLSerialNumLen; - - char SSLIssuerP[64];//stateOrProvinceName - char SSLIssuerS[64];//streetAddress - char SSLIssuerL[64];//localityName - char SSLIssuerU[64];//organizationalUnitName - - char SSLSubP[64];//stateOrProvinceName - char SSLSubS[64];//streetAddress - char SSLSubL[64];//localityName - char SSLSubU[64];//organizationalUnitName - -}st_cert_t; - - -int BtoL3BytesNum(char *pcData) -{ - int uiLength = 0; - uiLength = pcData[0]; - uiLength = (uiLength << 8) + (unsigned char)pcData[1]; - uiLength = (uiLength << 8) + (unsigned char)pcData[2]; - - return uiLength; -} - -int BtoL4BytesNum(char *pcData) -{ - int uiLength = 0; - uiLength = pcData[0]; - uiLength = (uiLength << 8) + (unsigned char)pcData[1]; - uiLength = (uiLength << 8) + (unsigned char)pcData[2]; - uiLength = (uiLength << 8) + (unsigned char)pcData[3]; - - return uiLength; -} - - -typedef struct _stValueString_t -{ - unsigned int uiValue; - const char *pcString; -}stValueString_t; - -#define CERT_VER_MAXNUM 3 -const stValueString_t g_astCertVersions[] = -{ - { 0, "v1" }, - { 1, "v2" }, - { 2, "v3" }, - { 3, "v4" }, - { 0, NULL }, -}; - -char fn_pGetSSLInfo(char *pcCert, int iLen, st_cert_t* stSSLCert) -{ - //return SSL_RETURN_NORM; - int data = 0; - - X509 *x509_handle = d2i_X509(NULL, (unsigned char const **)&pcCert, iLen); - if (x509_handle == NULL) - { - return SSL_RETURN_NORM; - } - - if(NULL!=x509_handle->cert_info) - { - /*version*/ - int ver = X509_get_version(x509_handle); - if(ver>CERT_VER_MAXNUM) goto cert_return; - memcpy(stSSLCert->SSLVersion, - g_astCertVersions[ver].pcString, - 1 + strlen((const char *)g_astCertVersions[ver].pcString)); - - /*serial num*/ - if(NULL!=x509_handle->cert_info->serialNumber) - { - memcpy(stSSLCert->SSLSerialNum, - x509_handle->cert_info->serialNumber->data, - x509_handle->cert_info->serialNumber->length); - } - - /*SSL AgID*/ - ASN1_OBJECT* salg = x509_handle->cert_info->signature->algorithm; - OBJ_obj2txt(stSSLCert->SSLAgID, sizeof(stSSLCert->SSLAgID), salg, 1); - - /*SSL Issuer*/ - X509_NAME* issuer = X509_get_issuer_name(x509_handle); - if(NULL!=issuer) - { - X509_NAME_get_text_by_NID(issuer, NID_commonName, stSSLCert->SSLIssuerCN, sizeof(stSSLCert->SSLIssuerCN)); - X509_NAME_get_text_by_NID(issuer, NID_organizationName, stSSLCert->SSLIssuerO, sizeof(stSSLCert->SSLIssuerO)); - X509_NAME_get_text_by_NID(issuer, NID_countryName, stSSLCert->SSLIssuerC, sizeof(stSSLCert->SSLIssuerC)); - - snprintf(stSSLCert->SSLIssuer, - sizeof(stSSLCert->SSLIssuer), - "%s;%s;%s", - stSSLCert->SSLIssuerCN, - stSSLCert->SSLIssuerO, - stSSLCert->SSLIssuerC); - } - - /*SSL Subject*/ - X509_NAME* subject = X509_get_subject_name(x509_handle); - if(NULL!=subject) - { - X509_NAME_get_text_by_NID(subject, NID_commonName, stSSLCert->SSLSubCN, sizeof(stSSLCert->SSLSubCN)); - X509_NAME_get_text_by_NID(subject, NID_organizationName, stSSLCert->SSLSubO, sizeof(stSSLCert->SSLSubO)); - X509_NAME_get_text_by_NID(subject, NID_countryName, stSSLCert->SSLSubC, sizeof(stSSLCert->SSLSubC)); - - snprintf(stSSLCert->SSLSub, - sizeof(stSSLCert->SSLSub), - "%s;%s;%s", - stSSLCert->SSLSubCN, - stSSLCert->SSLSubO, - stSSLCert->SSLSubC); - } - - /*validity*/ - ASN1_TIME *start = X509_get_notBefore(x509_handle); - ASN1_TIME *end = X509_get_notAfter(x509_handle); - sprintf(stSSLCert->SSLFrom, "%s", start->data); - sprintf(stSSLCert->SSLTo, "%s", end->data); - - /*subject bak*/ - GENERAL_NAMES* subjectAltNames = (GENERAL_NAMES*)X509_get_ext_d2i(x509_handle, NID_subject_alt_name, NULL, NULL); - if(!subjectAltNames) goto cert_return; - int cnt = sk_GENERAL_NAME_num(subjectAltNames); - char* san = NULL; - ASN1_STRING *san_name; - int len = 0; - GENERAL_NAME* generalName; - if(cnt>0) - { - stSSLCert->SSLSubAltName = (st_san_t*)malloc(sizeof(st_san_t)); - stSSLCert->SSLSubAltName->san_array = (san_t*)malloc(cnt*sizeof(san_t)); - memset(stSSLCert->SSLSubAltName->san_array,0,cnt*sizeof(san_t)); - stSSLCert->SSLSubAltName->count = 0; - int i = 0; - for (i = 0; i < cnt; i++) - { - generalName = sk_GENERAL_NAME_value(subjectAltNames, i); - if(!generalName) goto cert_return; - if(GEN_DNS == generalName->type) - { - san_name = (ASN1_STRING*)GENERAL_NAME_get0_value(generalName, NULL); - if(ASN1_STRING_length(san_name)>0) - { - san = (char*)ASN1_STRING_data(san_name); - snprintf(stSSLCert->SSLSubAltName->san_array[stSSLCert->SSLSubAltName->count].san, - sizeof(stSSLCert->SSLSubAltName->san_array[stSSLCert->SSLSubAltName->count].san), - "%s", - san); - stSSLCert->SSLSubAltName->count++; - } - } - } - } - if(subjectAltNames) - { - GENERAL_NAMES_free(subjectAltNames); - } - } - -cert_return: - if (x509_handle != NULL) - { - X509_free(x509_handle); - } - return SSL_RETURN_NORM; -} - -#define SSL_CERTIFICATE_HDRLEN 3 -/*return : chain */ -int ssl_read_all_cert(const char* conj_cert_buf, uint32_t conj_buflen, cert_chain_t* cert_unit, uint32_t unit_size) -{ - if(NULL==conj_cert_buf || 0==conj_buflen) return 0; - char* unproc_cert = (char*)conj_cert_buf; - uint32_t unproc_certlen = conj_buflen; - char* cur_cert = NULL; - uint32_t cur_certlen = 0; - uint32_t cert_unit_cnt = 0; - st_cert_t stSSLCert[32]; - - while ((int)unproc_certlen > 0) - { - if(cert_unit_cnt>=unit_size) - { - break; - } - cur_certlen = BtoL3BytesNum(unproc_cert); - if((int)cur_certlen <0 || cur_certlen+SSL_CERTIFICATE_HDRLEN>unproc_certlen) - { - break; - } - cur_cert = unproc_cert+SSL_CERTIFICATE_HDRLEN; - if(cert_unit_cnt15.197.193.217.443", + "ssl_sni": "match.adsrvr.org", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "ssl_ja3s_hash": "8d2a028aa94425f76ced7826b1f39039", + "ssl_cert_version": "v3", + "ssl_cert_Issuer": "GlobalSign GCC R3 DV TLS CA 2020;GlobalSign nv-sa;;;;;BE", + "ssl_cert_IssuerCN": "GlobalSign GCC R3 DV TLS CA 2020", + "ssl_cert_IssuerO": "GlobalSign nv-sa", + "ssl_cert_IssuerC": "BE", + "ssl_cert_Sub": "*.adsrvr.org;;;;;;", + "ssl_cert_SubCN": "*.adsrvr.org", + "ssl_cert_SubCN": "*.adsrvr.org", + "ssl_cert_SubAltName": "*.adsrvr.org;adsrvr.org", + "ssl_cert_SerialNum": "0x2ddaa6f359d4ce458fe983f1", + "ssl_cert_AgID": "1.2.840.113549.1.1.11", + "ssl_cert_From": "220331203750Z", + "ssl_cert_To": "230502203749Z", + "ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11", + "name": "SSL_RESULT_1" + } +] diff --git a/test/pcap/e21/ssl_e21_target_result.json b/test/pcap/e21/ssl_e21_target_result.json index 0244e56..ff62115 100644 --- a/test/pcap/e21/ssl_e21_target_result.json +++ b/test/pcap/e21/ssl_e21_target_result.json @@ -105,6 +105,7 @@ "ssl_cert_AgID": "1.2.840.113549.1.1.11", "ssl_cert_From": "210928164609Z", "ssl_cert_To": "221030164608Z", + "ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11", "name": "SSL_RESULT_13" }, { @@ -130,6 +131,7 @@ "ssl_cert_AgID": "1.2.840.113549.1.1.11", "ssl_cert_From": "210928164609Z", "ssl_cert_To": "221030164608Z", + "ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11", "name": "SSL_RESULT_14" }, { @@ -496,4 +498,4 @@ "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", "name": "SSL_RESULT_66" } -] \ No newline at end of file +] diff --git a/test/pcap/multiple_handshake/3-ssl-with-cert.pcap b/test/pcap/multiple_handshake/3-ssl-with-cert.pcap new file mode 100644 index 0000000..d386c5a Binary files /dev/null and b/test/pcap/multiple_handshake/3-ssl-with-cert.pcap differ diff --git a/test/pcap/multiple_handshake/ssl_multiple_handshake_result.json b/test/pcap/multiple_handshake/ssl_multiple_handshake_result.json new file mode 100644 index 0000000..8d46be2 --- /dev/null +++ b/test/pcap/multiple_handshake/ssl_multiple_handshake_result.json @@ -0,0 +1,21 @@ +[{ + "Tuple4": "192.168.32.27.52705>202.89.233.101.443", + "ssl_sni": "cn.bing.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "ssl_ja3s_hash": "67bfe5d15ae567fb35fd7837f0116eec", + "ssl_cert_version": "v3", + "ssl_cert_Issuer": "Microsoft RSA TLS CA 02;Microsoft Corporation;;;;;US", + "ssl_cert_IssuerCN": "Microsoft RSA TLS CA 02", + "ssl_cert_IssuerO": "Microsoft Corporation", + "ssl_cert_IssuerC": "US", + "ssl_cert_Sub": "www.bing.com;;;;;;", + "ssl_cert_SubCN": "www.bing.com", + "ssl_cert_SubAltName": "www.bing.com;dict.bing.com.cn;*.platform.bing.com;*.bing.com;bing.com;ieonline.microsoft.com;*.windowssearch.com;cn.ieonline.microsoft.com;*.origin.bing.com;*.mm.bing.net;*.api.bing.com;ecn.dev.virtualearth.net;*.cn.bing.net;*.cn.bing.com;ssl-api.bing.com;ssl-api.bing.net;*.api.bing.net;*.bingapis.com;bingsandbox.com;feedback.microsoft.com;insertmedia.bing.office.net;r.bat.bing.com;*.r.bat.bing.com;*.dict.bing.com.cn;*.dict.bing.com;*.ssl.bing.com;*.appex.bing.com;*.platform.cn.bing.com;wp.m.bing.com;*.m.bing.com;global.bing.com;windowssearch.com;search.msn.com;*.bingsandbox.com;*.api.tiles.ditu.live.com;*.ditu.live.com;*.t0.tiles.ditu.live.com;*.t1.tiles.ditu.live.com;*.t2.tiles.ditu.live.com;*.t3.tiles.ditu.live.com;*.tiles.ditu.live.com;3d.live.com;api.search.live.com;beta.search.live.com;cnweb.search.live.com;dev.live.com;ditu.live.com;farecast.live.com;image.live.com;images.live.com;local.live.com.au;localsearch.live.com;ls4d.search.live.com;mail.live.com;mapindia.live.com;local.live.com;maps.live.com;maps.live.com.au;mindia.live.com;news.live.com;origin.cnweb.search.live.com;preview.local.live.com;search.live.com;test.maps.live.com;video.live.com;videos.live.com;virtualearth.live.com;wap.live.com;webmaster.live.com;webmasters.live.com;www.local.live.com.au;www.maps.live.com.au", + "ssl_cert_SerialNum": "0x7f0012e261129541195fac1a6000000012e261", + "ssl_cert_AgID": "1.2.840.113549.1.1.11", + "ssl_cert_From": "210706015313Z", + "ssl_cert_To": "220106015313Z", + "ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11", + "name": "SSL_RESULT_1" +}] diff --git a/test/pcap/ssl/ssl_result.json b/test/pcap/ssl/ssl_result.json index e1857f0..ed7d862 100644 --- a/test/pcap/ssl/ssl_result.json +++ b/test/pcap/ssl/ssl_result.json @@ -36,6 +36,7 @@ "ssl_cert_AgID": "1.2.840.113549.1.1.11", "ssl_cert_From": "180717083809Z", "ssl_cert_To": "190714162604Z", + "ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11", "name": "SSL_RESULT_3" }, { "Tuple4": "192.168.2.102.56776>34.138.246.121.443", @@ -45,4 +46,4 @@ "ssl_ja3_hash": "a195b9c006fcb23ab9a2343b0871e362", "ssl_ja3s_hash": "2b0648ab686ee45e0e7c35fcfb0eea7e", "name": "SSL_RESULT_4" -}] \ No newline at end of file +}] diff --git a/test/pcap/xxg/ssl_xxg_target_result.json b/test/pcap/xxg/ssl_xxg_target_result.json index 0bcca97..3fc12c0 100644 --- a/test/pcap/xxg/ssl_xxg_target_result.json +++ b/test/pcap/xxg/ssl_xxg_target_result.json @@ -1,1279 +1,1279 @@ [{ - "Tuple4": "192.168.50.33.51933>54.230.21.91.443", - "name": "SSL_RESULT_1" -}, { - "Tuple4": "192.168.50.52.17312>142.250.66.99.443", - "ssl_sni": "www.gstatic.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "ssl_ja3s_hash": "eb1d94daa7e0344597e756a1fb6e7054", - "name": "SSL_RESULT_2" -}, { - "Tuple4": "192.168.50.52.17311>142.250.66.99.443", - "ssl_sni": "www.gstatic.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "ssl_ja3s_hash": "eb1d94daa7e0344597e756a1fb6e7054", - "name": "SSL_RESULT_3" -}, { - "Tuple4": "192.168.50.52.17313>142.250.66.99.443", - "ssl_sni": "www.gstatic.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "ssl_ja3s_hash": "eb1d94daa7e0344597e756a1fb6e7054", - "name": "SSL_RESULT_4" -}, { - "Tuple4": "192.168.50.52.17330>151.101.194.187.443", - "ssl_sni": "www.target.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_5" -}, { - "Tuple4": "192.168.50.52.17332>151.101.194.187.443", - "ssl_sni": "www.target.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_6" -}, { - "Tuple4": "192.168.50.52.17331>151.101.194.187.443", - "ssl_sni": "www.target.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_7" -}, { - "Tuple4": "192.168.50.52.17335>151.101.194.187.443", - "ssl_sni": "www.target.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_8" -}, { - "Tuple4": "192.168.50.52.17337>151.101.194.187.443", - "ssl_sni": "www.target.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_9" -}, { - "Tuple4": "192.168.50.52.17336>151.101.194.187.443", - "ssl_sni": "www.target.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_10" -}, { - "Tuple4": "192.168.50.52.17339>151.101.194.187.443", - "ssl_sni": "www.target.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_11" -}, { - "Tuple4": "192.168.50.52.17340>151.101.194.187.443", - "ssl_sni": "www.target.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_12" -}, { - "Tuple4": "192.168.50.33.63477>142.250.66.78.443", - "name": "SSL_RESULT_13" -}, { - "Tuple4": "192.168.50.52.17356>151.101.194.187.443", - "ssl_sni": "www.target.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_14" -}, { - "Tuple4": "192.168.50.52.17357>151.101.194.187.443", - "ssl_sni": "www.target.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_15" -}, { - "Tuple4": "192.168.50.52.17358>151.101.194.187.443", - "ssl_sni": "www.target.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_16" -}, { - "Tuple4": "192.168.50.52.17359>151.101.194.187.443", - "ssl_sni": "www.target.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_17" -}, { - "Tuple4": "192.168.50.33.50714>142.250.66.134.443", - "name": "SSL_RESULT_18" -}, { - "Tuple4": "192.168.50.52.17367>151.101.194.187.443", - "ssl_sni": "www.target.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_19" -}, { - "Tuple4": "192.168.50.52.17368>151.101.194.187.443", - "ssl_sni": "www.target.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_20" -}, { - "Tuple4": "192.168.50.52.17370>151.101.194.187.443", - "ssl_sni": "www.target.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_21" -}, { - "Tuple4": "192.168.50.52.17369>151.101.194.187.443", - "ssl_sni": "www.target.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_22" -}, { - "Tuple4": "192.168.50.52.17376>151.101.194.187.443", - "ssl_sni": "www.target.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "ssl_ja3s_hash": "16c0b3e6a7b8173c16d944cfeaeee9cf", - "ssl_cert_version": "v3", - "ssl_cert_Issuer": "GlobalSign Atlas R3 OV TLS CA H2 2021;GlobalSign nv-sa;;;;;BE", - "ssl_cert_IssuerCN": "GlobalSign Atlas R3 OV TLS CA H2 2021", - "ssl_cert_IssuerO": "GlobalSign nv-sa", - "ssl_cert_IssuerC": "BE", - "ssl_cert_Sub": "sites.target.com;Target Corporation;;Minneapolis;;Minnesota;US", - "ssl_cert_SubCN": "sites.target.com", - "ssl_cert_SubO": "Target Corporation", - "ssl_cert_SubC": "US", - "ssl_cert_SubP": "Minnesota", - "ssl_cert_SubL": "Minneapolis", - "ssl_cert_SubCN": "sites.target.com", - "ssl_cert_SubAltName": "sites.target.com;affiliate.target.com;android.studioconnect.live;api.studioconnect.live;apollo-metrics.target.com;assethub.partnersonline.com;assethub.target.com;awesomeshop.target.com;bex.partnersonline.com;bex.target.com;cartster.target.com;cartwheel.target.com;cartwheelws-secure.target.com;circle.target.com;connect.roundel.com;connectedcommerce.target.com;corporate.target.com;developer.target.com;dojo.target.com;doppler.partnersonline.com;elevate.target.com;extgargantua.partnersonline.com;factorial.partnersonline.com;finds.target.com;gql.studioconnect.live;greenfield.partnersonline.com;greenfield.target.com;hrocdocrequest.target.com;iccon.target.com;incubator.target.com;india.target.com;ios.studioconnect.live;jira.target.com;launchpad.partnersonline.com;launchpad.target.com;leads.studioconnect.live;m.target.com;marketinghub.target.com;mercury.partnersonline.com;mickra.target.com;mickradashboard.target.com;mvs.partnersonline.com;mytime.target.com;nic.target;openhouse.target.com;opensource.target.com;osmosis.partnersonline.com;partnersonline.com;pcn.partnersonline.com;peg.partnersonline.com;photosubmission.target.com;pid.partnersonline.com;plus.target.com;pmworkorderadmin.partnersonline.com;poladmin.partnersonline.com;pop.partnersonline.com;qmp.partnersonline.com;qr.target.com;r2d2.target.com;rdmplus.target.com;recognize.target.com;redcard.target.com;redirect.studioconnect.live;rik.roundel.com;roundel.com;rubix.partnersonline.com;rubix.target.com;security.target.com;servicetech.target.com;sm.partnersonline.com;spark.partnersonline.com;spark.target.com;studioconnect.live;stylehub.target.com;synergy.partnersonline.com;target.com;targetmedianetwork.target.com;targetopenhouse.com;tepagent.target.com;tgt-files.target.com;tgtdriver.partnersonline.com;ti-event-prod.target.com;tiam.target.com;tiiam.target.com;tvi.partnersonline.com;viewpoint.target.com;weeklyad.target.com;www.partnersonline.com;www.roundel.com;www.target.com;www.targetopenhouse.com", - "ssl_cert_SerialNum": "0x012ede33fc9283773396e9b1ff995262", - "ssl_cert_AgID": "1.2.840.113549.1.1.11", - "ssl_cert_From": "210928164609Z", - "ssl_cert_To": "221030164608Z", - "name": "SSL_RESULT_23" -}, { - "Tuple4": "192.168.50.52.17378>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_24" -}, { - "Tuple4": "192.168.50.52.17379>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_25" -}, { - "Tuple4": "192.168.50.52.17383>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_26" -}, { - "Tuple4": "192.168.50.52.17382>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_27" -}, { - "Tuple4": "192.168.50.52.17385>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_28" -}, { - "Tuple4": "192.168.50.52.17389>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_29" -}, { - "Tuple4": "192.168.50.52.17387>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_30" -}, { - "Tuple4": "192.168.50.52.17386>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_31" -}, { - "Tuple4": "192.168.50.52.17390>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_32" -}, { - "Tuple4": "192.168.50.52.17391>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_33" -}, { - "Tuple4": "192.168.50.52.17392>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_34" -}, { - "Tuple4": "192.168.50.52.17395>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_35" -}, { - "Tuple4": "192.168.50.52.17393>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_36" -}, { - "Tuple4": "192.168.50.52.17396>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_37" -}, { - "Tuple4": "192.168.50.52.17394>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_38" -}, { - "Tuple4": "192.168.50.52.17397>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_39" -}, { - "Tuple4": "192.168.50.52.17398>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_40" -}, { - "Tuple4": "192.168.50.52.17403>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_41" -}, { - "Tuple4": "192.168.50.52.17402>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_42" -}, { - "Tuple4": "192.168.50.52.17405>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_43" -}, { - "Tuple4": "192.168.50.52.17404>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_44" -}, { - "Tuple4": "192.168.50.52.17406>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_45" -}, { - "Tuple4": "192.168.50.52.17407>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_46" -}, { - "Tuple4": "192.168.50.52.17409>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_47" -}, { - "Tuple4": "192.168.50.52.17408>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_48" -}, { - "Tuple4": "192.168.50.52.17413>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_49" -}, { - "Tuple4": "192.168.50.52.17412>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_50" -}, { - "Tuple4": "192.168.50.52.17415>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_51" -}, { - "Tuple4": "192.168.50.52.17416>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_52" -}, { - "Tuple4": "192.168.50.52.17421>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_53" -}, { - "Tuple4": "192.168.50.52.17420>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_54" -}, { - "Tuple4": "192.168.50.52.17422>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_55" -}, { - "Tuple4": "192.168.50.52.17423>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_56" -}, { - "Tuple4": "192.168.50.52.17424>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_57" -}, { - "Tuple4": "192.168.50.52.17429>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_58" -}, { - "Tuple4": "192.168.50.52.17430>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_59" -}, { - "Tuple4": "192.168.50.52.17381>23.57.114.38.443", - "ssl_sni": "js-sec.indexww.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "ssl_ja3s_hash": "410b9bedaf65dd26c6fe547154d60db4", - "name": "SSL_RESULT_60" -}, { - "Tuple4": "192.168.50.52.17380>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_61" -}, { - "Tuple4": "192.168.50.52.17438>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_62" -}, { - "Tuple4": "192.168.50.52.17388>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_63" -}, { - "Tuple4": "192.168.50.52.17439>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_64" -}, { - "Tuple4": "192.168.50.52.17401>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_65" -}, { - "Tuple4": "192.168.50.52.17400>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_66" -}, { - "Tuple4": "192.168.50.52.17440>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_67" -}, { - "Tuple4": "192.168.50.52.17442>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_68" -}, { - "Tuple4": "192.168.50.52.17443>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_69" -}, { - "Tuple4": "192.168.50.52.17441>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_70" -}, { - "Tuple4": "192.168.50.52.17410>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_71" -}, { - "Tuple4": "192.168.50.52.17444>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_72" -}, { - "Tuple4": "192.168.50.52.17445>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_73" -}, { - "Tuple4": "192.168.50.52.17419>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_74" -}, { - "Tuple4": "192.168.50.52.17417>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_75" -}, { - "Tuple4": "192.168.50.52.17414>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_76" -}, { - "Tuple4": "192.168.50.52.17411>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_77" -}, { - "Tuple4": "192.168.50.52.17448>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_78" -}, { - "Tuple4": "192.168.50.52.17449>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_79" -}, { - "Tuple4": "192.168.50.52.17451>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_80" -}, { - "Tuple4": "192.168.50.52.17452>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_81" -}, { - "Tuple4": "192.168.50.52.17453>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_82" -}, { - "Tuple4": "192.168.50.52.17454>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_83" -}, { - "Tuple4": "192.168.50.52.17455>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_84" -}, { - "Tuple4": "192.168.50.52.17425>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_85" -}, { - "Tuple4": "192.168.50.52.17426>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_86" -}, { - "Tuple4": "192.168.50.52.17456>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_87" -}, { - "Tuple4": "192.168.50.52.17457>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_88" -}, { - "Tuple4": "192.168.50.52.17458>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_89" -}, { - "Tuple4": "192.168.50.52.17459>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_90" -}, { - "Tuple4": "192.168.50.52.17428>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_91" -}, { - "Tuple4": "192.168.50.52.17460>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_92" -}, { - "Tuple4": "192.168.50.52.17461>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_93" -}, { - "Tuple4": "192.168.50.52.17462>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_94" -}, { - "Tuple4": "192.168.50.52.17464>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_95" -}, { - "Tuple4": "192.168.50.52.17463>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_96" -}, { - "Tuple4": "192.168.50.52.17466>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_97" -}, { - "Tuple4": "192.168.50.52.17465>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_98" -}, { - "Tuple4": "192.168.50.52.17468>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_99" -}, { - "Tuple4": "192.168.50.52.17431>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_100" -}, { - "Tuple4": "192.168.50.52.17469>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_101" -}, { - "Tuple4": "192.168.50.52.17470>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_102" -}, { - "Tuple4": "192.168.50.52.17473>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_103" -}, { - "Tuple4": "192.168.50.52.17474>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_104" -}, { - "Tuple4": "192.168.50.52.17471>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_105" -}, { - "Tuple4": "192.168.50.52.17472>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_106" -}, { - "Tuple4": "192.168.50.52.17475>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_107" -}, { - "Tuple4": "192.168.50.52.17476>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_108" -}, { - "Tuple4": "192.168.50.52.17477>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_109" -}, { - "Tuple4": "192.168.50.52.17481>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_110" -}, { - "Tuple4": "192.168.50.52.17479>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_111" -}, { - "Tuple4": "192.168.50.52.17483>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_112" -}, { - "Tuple4": "192.168.50.52.17484>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_113" -}, { - "Tuple4": "192.168.50.52.17485>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_114" -}, { - "Tuple4": "192.168.50.52.17486>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_115" -}, { - "Tuple4": "192.168.50.52.17487>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_116" -}, { - "Tuple4": "192.168.50.52.17488>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_117" -}, { - "Tuple4": "192.168.50.52.17490>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_118" -}, { - "Tuple4": "192.168.50.52.17491>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_119" -}, { - "Tuple4": "192.168.50.52.17492>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_120" -}, { - "Tuple4": "192.168.50.52.17493>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_121" -}, { - "Tuple4": "192.168.50.52.17494>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_122" -}, { - "Tuple4": "192.168.50.52.17495>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_123" -}, { - "Tuple4": "192.168.50.52.17496>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_124" -}, { - "Tuple4": "192.168.50.52.17497>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_125" -}, { - "Tuple4": "192.168.50.52.17498>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_126" -}, { - "Tuple4": "192.168.50.52.17499>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_127" -}, { - "Tuple4": "192.168.50.52.17500>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_128" -}, { - "Tuple4": "192.168.50.52.17501>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_129" -}, { - "Tuple4": "192.168.50.52.17502>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_130" -}, { - "Tuple4": "192.168.50.52.17503>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_131" -}, { - "Tuple4": "192.168.50.52.17504>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_132" -}, { - "Tuple4": "192.168.50.52.17505>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_133" -}, { - "Tuple4": "192.168.50.52.17506>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_134" -}, { - "Tuple4": "192.168.50.52.17507>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_135" -}, { - "Tuple4": "192.168.50.52.17508>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_136" -}, { - "Tuple4": "192.168.50.52.17509>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_137" -}, { - "Tuple4": "192.168.50.52.17511>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_138" -}, { - "Tuple4": "192.168.50.52.17510>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_139" -}, { - "Tuple4": "192.168.50.52.17512>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_140" -}, { - "Tuple4": "192.168.50.52.17513>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_141" -}, { - "Tuple4": "192.168.50.52.17514>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_142" -}, { - "Tuple4": "192.168.50.52.17515>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_143" -}, { - "Tuple4": "192.168.50.52.17516>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_144" -}, { - "Tuple4": "192.168.50.52.17519>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_145" -}, { - "Tuple4": "192.168.50.52.17518>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_146" -}, { - "Tuple4": "192.168.50.52.17520>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_147" -}, { - "Tuple4": "192.168.50.52.17521>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_148" -}, { - "Tuple4": "192.168.50.52.17522>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_149" -}, { - "Tuple4": "192.168.50.52.17523>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_150" -}, { - "Tuple4": "192.168.50.52.17524>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_151" -}, { - "Tuple4": "192.168.50.52.17526>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_152" -}, { - "Tuple4": "192.168.50.52.17525>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_153" -}, { - "Tuple4": "192.168.50.52.17527>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_154" -}, { - "Tuple4": "192.168.50.52.17528>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_155" -}, { - "Tuple4": "192.168.50.52.17529>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_156" -}, { - "Tuple4": "192.168.50.52.17530>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_157" -}, { - "Tuple4": "192.168.50.52.17446>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_158" -}, { - "Tuple4": "192.168.50.52.17418>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_159" -}, { - "Tuple4": "192.168.50.52.17447>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_160" -}, { - "Tuple4": "192.168.50.52.17531>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_161" -}, { - "Tuple4": "192.168.50.52.17450>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_162" -}, { - "Tuple4": "192.168.50.52.17532>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_163" -}, { - "Tuple4": "192.168.50.52.17533>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_164" -}, { - "Tuple4": "192.168.50.52.17480>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_165" -}, { - "Tuple4": "192.168.50.52.17478>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_166" -}, { - "Tuple4": "192.168.50.52.17482>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_167" -}, { - "Tuple4": "192.168.50.52.17534>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_168" -}, { - "Tuple4": "192.168.50.52.17536>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_169" -}, { - "Tuple4": "192.168.50.52.17517>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_170" -}, { - "Tuple4": "192.168.50.52.17540>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_171" -}, { - "Tuple4": "192.168.50.52.17399>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_172" -}, { - "Tuple4": "192.168.50.52.17541>23.57.112.179.443", - "ssl_sni": "target.scene7.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_173" -}, { - "Tuple4": "192.168.50.52.17535>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_174" -}, { - "Tuple4": "192.168.50.52.17542>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_175" -}, { - "Tuple4": "192.168.50.52.17543>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_176" -}, { - "Tuple4": "192.168.50.52.17545>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_177" -}, { - "Tuple4": "192.168.50.52.17546>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_178" -}, { - "Tuple4": "192.168.50.52.17547>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_179" -}, { - "Tuple4": "192.168.50.52.17548>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_180" -}, { - "Tuple4": "192.168.50.52.17549>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_181" -}, { - "Tuple4": "192.168.50.52.17550>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_182" -}, { - "Tuple4": "192.168.50.52.17551>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_183" -}, { - "Tuple4": "192.168.50.52.17552>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_184" -}, { - "Tuple4": "192.168.50.52.17554>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_185" -}, { - "Tuple4": "192.168.50.33.64967>54.230.21.91.443", - "name": "SSL_RESULT_186" -}, { - "Tuple4": "192.168.50.52.17553>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_187" -}, { - "Tuple4": "192.168.50.52.17555>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_188" -}, { - "Tuple4": "192.168.50.52.17559>151.101.130.180.443", - "ssl_sni": "assets.targetimg1.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "name": "SSL_RESULT_189" -}, { - "Tuple4": "192.168.50.33.57414>142.250.66.42.443", - "name": "SSL_RESULT_190" -}, { - "Tuple4": "192.168.50.33.60652>142.250.66.99.443", - "name": "SSL_RESULT_191" -}, { - "Tuple4": "192.168.50.33.58291>220.181.174.230.443", - "name": "SSL_RESULT_192" -}, { - "Tuple4": "192.168.50.33.50525>172.217.27.35.443", - "name": "SSL_RESULT_193" -}, { - "Tuple4": "192.168.50.33.56708>142.250.204.36.443", - "name": "SSL_RESULT_194" -}, { - "Tuple4": "192.168.50.33.55558>142.250.66.99.443", - "name": "SSL_RESULT_195" -}, { - "Tuple4": "192.168.50.33.65240>142.250.204.86.443", - "name": "SSL_RESULT_196" -}, { - "Tuple4": "192.168.50.33.57554>142.250.204.65.443", - "name": "SSL_RESULT_197" -}, { - "Tuple4": "192.168.50.33.65100>142.250.207.74.443", - "name": "SSL_RESULT_198" -}, { - "Tuple4": "192.168.50.33.54638>142.250.204.110.443", - "name": "SSL_RESULT_199" -}, { - "Tuple4": "192.168.50.33.63347>142.250.66.131.443", - "name": "SSL_RESULT_200" -}, { - "Tuple4": "192.168.50.52.1079>40.119.211.203.443", - "name": "SSL_RESULT_201" -}, { - "Tuple4": "192.168.50.52.14756>172.217.24.110.443", - "name": "SSL_RESULT_202" -}, { - "Tuple4": "192.168.50.52.27956>40.90.189.152.443", - "name": "SSL_RESULT_203" -}, { - "Tuple4": "192.168.50.52.17384>220.181.174.102.443", - "ssl_sni": "securepubads.g.doubleclick.net", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "598872011444709307b861ae817a4b60", - "ssl_ja3s_hash": "2b0648ab686ee45e0e7c35fcfb0eea7e", - "name": "SSL_RESULT_204" -}, { - "Tuple4": "192.168.50.52.17427>172.217.31.2.443", - "ssl_sni": "pagead2.googlesyndication.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "598872011444709307b861ae817a4b60", - "ssl_ja3s_hash": "2b0648ab686ee45e0e7c35fcfb0eea7e", - "name": "SSL_RESULT_205" -}, { - "Tuple4": "192.168.50.52.17432>220.181.174.102.443", - "ssl_sni": "securepubads.g.doubleclick.net", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "598872011444709307b861ae817a4b60", - "ssl_ja3s_hash": "2b0648ab686ee45e0e7c35fcfb0eea7e", - "name": "SSL_RESULT_206" -}, { - "Tuple4": "192.168.50.52.17434>15.197.193.217.443", - "ssl_sni": "match.adsrvr.org", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "ssl_ja3s_hash": "8d2a028aa94425f76ced7826b1f39039", - "ssl_cert_version": "v3", - "ssl_cert_Issuer": "GlobalSign GCC R3 DV TLS CA 2020;GlobalSign nv-sa;;;;;BE", - "ssl_cert_IssuerCN": "GlobalSign GCC R3 DV TLS CA 2020", - "ssl_cert_IssuerO": "GlobalSign nv-sa", - "ssl_cert_IssuerC": "BE", - "ssl_cert_Sub": "*.adsrvr.org;;;;;;", - "ssl_cert_SubCN": "*.adsrvr.org", - "ssl_cert_SubCN": "*.adsrvr.org", - "ssl_cert_SubAltName": "*.adsrvr.org;adsrvr.org", - "ssl_cert_SerialNum": "0x2ddaa6f359d4ce458fe983f1", - "ssl_cert_AgID": "1.2.840.113549.1.1.11", - "ssl_cert_From": "220331203750Z", - "ssl_cert_To": "230502203749Z", - "name": "SSL_RESULT_207" -}, { - "Tuple4": "192.168.50.52.17375>151.101.194.187.443", - "ssl_sni": "www.target.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "ssl_ja3s_hash": "16c0b3e6a7b8173c16d944cfeaeee9cf", - "ssl_cert_version": "v3", - "ssl_cert_Issuer": "GlobalSign Atlas R3 OV TLS CA H2 2021;GlobalSign nv-sa;;;;;BE", - "ssl_cert_IssuerCN": "GlobalSign Atlas R3 OV TLS CA H2 2021", - "ssl_cert_IssuerO": "GlobalSign nv-sa", - "ssl_cert_IssuerC": "BE", - "ssl_cert_Sub": "sites.target.com;Target Corporation;;Minneapolis;;Minnesota;US", - "ssl_cert_SubCN": "sites.target.com", - "ssl_cert_SubO": "Target Corporation", - "ssl_cert_SubC": "US", - "ssl_cert_SubP": "Minnesota", - "ssl_cert_SubL": "Minneapolis", - "ssl_cert_SubCN": "sites.target.com", - "ssl_cert_SubAltName": "sites.target.com;affiliate.target.com;android.studioconnect.live;api.studioconnect.live;apollo-metrics.target.com;assethub.partnersonline.com;assethub.target.com;awesomeshop.target.com;bex.partnersonline.com;bex.target.com;cartster.target.com;cartwheel.target.com;cartwheelws-secure.target.com;circle.target.com;connect.roundel.com;connectedcommerce.target.com;corporate.target.com;developer.target.com;dojo.target.com;doppler.partnersonline.com;elevate.target.com;extgargantua.partnersonline.com;factorial.partnersonline.com;finds.target.com;gql.studioconnect.live;greenfield.partnersonline.com;greenfield.target.com;hrocdocrequest.target.com;iccon.target.com;incubator.target.com;india.target.com;ios.studioconnect.live;jira.target.com;launchpad.partnersonline.com;launchpad.target.com;leads.studioconnect.live;m.target.com;marketinghub.target.com;mercury.partnersonline.com;mickra.target.com;mickradashboard.target.com;mvs.partnersonline.com;mytime.target.com;nic.target;openhouse.target.com;opensource.target.com;osmosis.partnersonline.com;partnersonline.com;pcn.partnersonline.com;peg.partnersonline.com;photosubmission.target.com;pid.partnersonline.com;plus.target.com;pmworkorderadmin.partnersonline.com;poladmin.partnersonline.com;pop.partnersonline.com;qmp.partnersonline.com;qr.target.com;r2d2.target.com;rdmplus.target.com;recognize.target.com;redcard.target.com;redirect.studioconnect.live;rik.roundel.com;roundel.com;rubix.partnersonline.com;rubix.target.com;security.target.com;servicetech.target.com;sm.partnersonline.com;spark.partnersonline.com;spark.target.com;studioconnect.live;stylehub.target.com;synergy.partnersonline.com;target.com;targetmedianetwork.target.com;targetopenhouse.com;tepagent.target.com;tgt-files.target.com;tgtdriver.partnersonline.com;ti-event-prod.target.com;tiam.target.com;tiiam.target.com;tvi.partnersonline.com;viewpoint.target.com;weeklyad.target.com;www.partnersonline.com;www.roundel.com;www.target.com;www.targetopenhouse.com", - "ssl_cert_SerialNum": "0x012ede33fc9283773396e9b1ff995262", - "ssl_cert_AgID": "1.2.840.113549.1.1.11", - "ssl_cert_From": "210928164609Z", - "ssl_cert_To": "221030164608Z", - "name": "SSL_RESULT_208" -}, { - "Tuple4": "192.168.50.52.17433>3.217.136.163.443", - "ssl_sni": "idx.liadm.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "ssl_ja3s_hash": "303951d4c50efb2e991652225a6f02b1", - "name": "SSL_RESULT_209" -}, { - "Tuple4": "192.168.50.52.17437>3.217.136.163.443", - "ssl_sni": "idx.liadm.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", - "ssl_ja3s_hash": "303951d4c50efb2e991652225a6f02b1", - "name": "SSL_RESULT_210" -}, { - "Tuple4": "192.168.50.52.17544>142.250.207.74.443", - "ssl_sni": "content-autofill.googleapis.com", - "ssl_client_version": "TLS1.2", - "ssl_ja3_hash": "598872011444709307b861ae817a4b60", - "ssl_ja3s_hash": "2b0648ab686ee45e0e7c35fcfb0eea7e", - "name": "SSL_RESULT_211" -}, { - "Tuple4": "192.168.50.57.54160>39.105.29.36.443", - "name": "SSL_RESULT_212" -}, { - "Tuple4": "192.168.50.57.54162>39.105.29.36.443", - "name": "SSL_RESULT_213" -}] \ No newline at end of file + "Tuple4": "192.168.50.33.51933>54.230.21.91.443", + "name": "SSL_RESULT_1" + }, { + "Tuple4": "192.168.50.52.17312>142.250.66.99.443", + "ssl_sni": "www.gstatic.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "ssl_ja3s_hash": "eb1d94daa7e0344597e756a1fb6e7054", + "name": "SSL_RESULT_2" + }, { + "Tuple4": "192.168.50.52.17313>142.250.66.99.443", + "ssl_sni": "www.gstatic.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "ssl_ja3s_hash": "eb1d94daa7e0344597e756a1fb6e7054", + "name": "SSL_RESULT_3" + }, { + "Tuple4": "192.168.50.52.17330>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_4" + }, { + "Tuple4": "192.168.50.52.17332>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_5" + }, { + "Tuple4": "192.168.50.52.17331>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_6" + }, { + "Tuple4": "192.168.50.52.17335>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_7" + }, { + "Tuple4": "192.168.50.52.17337>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_8" + }, { + "Tuple4": "192.168.50.52.17336>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_9" + }, { + "Tuple4": "192.168.50.52.17339>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_10" + }, { + "Tuple4": "192.168.50.52.17340>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_11" + }, { + "Tuple4": "192.168.50.33.63477>142.250.66.78.443", + "name": "SSL_RESULT_12" + }, { + "Tuple4": "192.168.50.52.17356>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_13" + }, { + "Tuple4": "192.168.50.52.17357>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_14" + }, { + "Tuple4": "192.168.50.52.17358>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_15" + }, { + "Tuple4": "192.168.50.52.17359>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_16" + }, { + "Tuple4": "192.168.50.33.50714>142.250.66.134.443", + "name": "SSL_RESULT_17" + }, { + "Tuple4": "192.168.50.52.17367>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_18" + }, { + "Tuple4": "192.168.50.52.17368>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_19" + }, { + "Tuple4": "192.168.50.52.17370>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_20" + }, { + "Tuple4": "192.168.50.52.17369>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_21" + }, { + "Tuple4": "192.168.50.52.17378>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_22" + }, { + "Tuple4": "192.168.50.52.17379>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_23" + }, { + "Tuple4": "192.168.50.52.17383>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_24" + }, { + "Tuple4": "192.168.50.52.17382>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_25" + }, { + "Tuple4": "192.168.50.52.17385>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_26" + }, { + "Tuple4": "192.168.50.52.17389>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_27" + }, { + "Tuple4": "192.168.50.52.17387>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_28" + }, { + "Tuple4": "192.168.50.52.17386>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_29" + }, { + "Tuple4": "192.168.50.52.17390>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_30" + }, { + "Tuple4": "192.168.50.52.17391>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_31" + }, { + "Tuple4": "192.168.50.52.17392>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_32" + }, { + "Tuple4": "192.168.50.52.17395>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_33" + }, { + "Tuple4": "192.168.50.52.17393>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_34" + }, { + "Tuple4": "192.168.50.52.17396>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_35" + }, { + "Tuple4": "192.168.50.52.17394>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_36" + }, { + "Tuple4": "192.168.50.52.17397>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_37" + }, { + "Tuple4": "192.168.50.52.17398>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_38" + }, { + "Tuple4": "192.168.50.52.17403>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_39" + }, { + "Tuple4": "192.168.50.52.17402>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_40" + }, { + "Tuple4": "192.168.50.52.17405>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_41" + }, { + "Tuple4": "192.168.50.52.17404>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_42" + }, { + "Tuple4": "192.168.50.52.17406>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_43" + }, { + "Tuple4": "192.168.50.52.17407>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_44" + }, { + "Tuple4": "192.168.50.52.17409>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_45" + }, { + "Tuple4": "192.168.50.52.17408>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_46" + }, { + "Tuple4": "192.168.50.52.17413>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_47" + }, { + "Tuple4": "192.168.50.52.17412>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_48" + }, { + "Tuple4": "192.168.50.52.17415>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_49" + }, { + "Tuple4": "192.168.50.52.17416>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_50" + }, { + "Tuple4": "192.168.50.52.17421>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_51" + }, { + "Tuple4": "192.168.50.52.17420>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_52" + }, { + "Tuple4": "192.168.50.52.17422>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_53" + }, { + "Tuple4": "192.168.50.52.17423>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_54" + }, { + "Tuple4": "192.168.50.52.17424>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_55" + }, { + "Tuple4": "192.168.50.52.17429>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_56" + }, { + "Tuple4": "192.168.50.52.17430>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_57" + }, { + "Tuple4": "192.168.50.52.17380>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_58" + }, { + "Tuple4": "192.168.50.52.17438>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_59" + }, { + "Tuple4": "192.168.50.52.17388>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_60" + }, { + "Tuple4": "192.168.50.52.17439>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_61" + }, { + "Tuple4": "192.168.50.52.17401>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_62" + }, { + "Tuple4": "192.168.50.52.17400>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_63" + }, { + "Tuple4": "192.168.50.52.17440>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_64" + }, { + "Tuple4": "192.168.50.52.17442>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_65" + }, { + "Tuple4": "192.168.50.52.17443>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_66" + }, { + "Tuple4": "192.168.50.52.17441>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_67" + }, { + "Tuple4": "192.168.50.52.17410>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_68" + }, { + "Tuple4": "192.168.50.52.17444>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_69" + }, { + "Tuple4": "192.168.50.52.17445>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_70" + }, { + "Tuple4": "192.168.50.52.17419>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_71" + }, { + "Tuple4": "192.168.50.52.17417>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_72" + }, { + "Tuple4": "192.168.50.52.17414>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_73" + }, { + "Tuple4": "192.168.50.52.17411>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_74" + }, { + "Tuple4": "192.168.50.52.17448>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_75" + }, { + "Tuple4": "192.168.50.52.17449>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_76" + }, { + "Tuple4": "192.168.50.52.17451>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_77" + }, { + "Tuple4": "192.168.50.52.17452>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_78" + }, { + "Tuple4": "192.168.50.52.17453>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_79" + }, { + "Tuple4": "192.168.50.52.17454>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_80" + }, { + "Tuple4": "192.168.50.52.17455>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_81" + }, { + "Tuple4": "192.168.50.52.17425>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_82" + }, { + "Tuple4": "192.168.50.52.17426>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_83" + }, { + "Tuple4": "192.168.50.52.17456>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_84" + }, { + "Tuple4": "192.168.50.52.17457>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_85" + }, { + "Tuple4": "192.168.50.52.17458>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_86" + }, { + "Tuple4": "192.168.50.52.17459>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_87" + }, { + "Tuple4": "192.168.50.52.17428>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_88" + }, { + "Tuple4": "192.168.50.52.17460>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_89" + }, { + "Tuple4": "192.168.50.52.17461>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_90" + }, { + "Tuple4": "192.168.50.52.17462>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_91" + }, { + "Tuple4": "192.168.50.52.17464>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_92" + }, { + "Tuple4": "192.168.50.52.17463>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_93" + }, { + "Tuple4": "192.168.50.52.17466>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_94" + }, { + "Tuple4": "192.168.50.52.17465>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_95" + }, { + "Tuple4": "192.168.50.52.17468>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_96" + }, { + "Tuple4": "192.168.50.52.17431>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_97" + }, { + "Tuple4": "192.168.50.52.17469>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_98" + }, { + "Tuple4": "192.168.50.52.17470>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_99" + }, { + "Tuple4": "192.168.50.52.17473>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_100" + }, { + "Tuple4": "192.168.50.52.17474>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_101" + }, { + "Tuple4": "192.168.50.52.17471>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_102" + }, { + "Tuple4": "192.168.50.52.17472>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_103" + }, { + "Tuple4": "192.168.50.52.17475>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_104" + }, { + "Tuple4": "192.168.50.52.17476>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_105" + }, { + "Tuple4": "192.168.50.52.17477>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_106" + }, { + "Tuple4": "192.168.50.52.17481>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_107" + }, { + "Tuple4": "192.168.50.52.17479>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_108" + }, { + "Tuple4": "192.168.50.52.17483>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_109" + }, { + "Tuple4": "192.168.50.52.17484>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_110" + }, { + "Tuple4": "192.168.50.52.17485>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_111" + }, { + "Tuple4": "192.168.50.52.17486>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_112" + }, { + "Tuple4": "192.168.50.52.17487>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_113" + }, { + "Tuple4": "192.168.50.52.17488>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_114" + }, { + "Tuple4": "192.168.50.52.17490>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_115" + }, { + "Tuple4": "192.168.50.52.17491>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_116" + }, { + "Tuple4": "192.168.50.52.17492>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_117" + }, { + "Tuple4": "192.168.50.52.17493>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_118" + }, { + "Tuple4": "192.168.50.52.17494>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_119" + }, { + "Tuple4": "192.168.50.52.17495>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_120" + }, { + "Tuple4": "192.168.50.52.17496>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_121" + }, { + "Tuple4": "192.168.50.52.17497>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_122" + }, { + "Tuple4": "192.168.50.52.17498>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_123" + }, { + "Tuple4": "192.168.50.52.17499>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_124" + }, { + "Tuple4": "192.168.50.52.17500>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_125" + }, { + "Tuple4": "192.168.50.52.17501>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_126" + }, { + "Tuple4": "192.168.50.52.17502>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_127" + }, { + "Tuple4": "192.168.50.52.17503>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_128" + }, { + "Tuple4": "192.168.50.52.17504>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_129" + }, { + "Tuple4": "192.168.50.52.17505>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_130" + }, { + "Tuple4": "192.168.50.52.17506>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_131" + }, { + "Tuple4": "192.168.50.52.17507>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_132" + }, { + "Tuple4": "192.168.50.52.17508>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_133" + }, { + "Tuple4": "192.168.50.52.17509>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_134" + }, { + "Tuple4": "192.168.50.52.17511>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_135" + }, { + "Tuple4": "192.168.50.52.17510>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_136" + }, { + "Tuple4": "192.168.50.52.17512>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_137" + }, { + "Tuple4": "192.168.50.52.17513>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_138" + }, { + "Tuple4": "192.168.50.52.17514>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_139" + }, { + "Tuple4": "192.168.50.52.17515>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_140" + }, { + "Tuple4": "192.168.50.52.17516>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_141" + }, { + "Tuple4": "192.168.50.52.17519>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_142" + }, { + "Tuple4": "192.168.50.52.17518>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_143" + }, { + "Tuple4": "192.168.50.52.17520>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_144" + }, { + "Tuple4": "192.168.50.52.17521>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_145" + }, { + "Tuple4": "192.168.50.52.17522>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_146" + }, { + "Tuple4": "192.168.50.52.17523>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_147" + }, { + "Tuple4": "192.168.50.52.17524>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_148" + }, { + "Tuple4": "192.168.50.52.17526>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_149" + }, { + "Tuple4": "192.168.50.52.17525>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_150" + }, { + "Tuple4": "192.168.50.52.17527>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_151" + }, { + "Tuple4": "192.168.50.52.17528>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_152" + }, { + "Tuple4": "192.168.50.52.17529>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_153" + }, { + "Tuple4": "192.168.50.52.17530>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_154" + }, { + "Tuple4": "192.168.50.52.17446>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_155" + }, { + "Tuple4": "192.168.50.52.17418>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_156" + }, { + "Tuple4": "192.168.50.52.17447>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_157" + }, { + "Tuple4": "192.168.50.52.17531>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_158" + }, { + "Tuple4": "192.168.50.52.17450>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_159" + }, { + "Tuple4": "192.168.50.52.17532>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_160" + }, { + "Tuple4": "192.168.50.52.17533>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_161" + }, { + "Tuple4": "192.168.50.52.17480>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_162" + }, { + "Tuple4": "192.168.50.52.17478>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_163" + }, { + "Tuple4": "192.168.50.52.17482>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_164" + }, { + "Tuple4": "192.168.50.52.17534>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_165" + }, { + "Tuple4": "192.168.50.52.17536>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_166" + }, { + "Tuple4": "192.168.50.52.17517>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_167" + }, { + "Tuple4": "192.168.50.52.17540>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_168" + }, { + "Tuple4": "192.168.50.52.17399>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_169" + }, { + "Tuple4": "192.168.50.52.17541>23.57.112.179.443", + "ssl_sni": "target.scene7.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_170" + }, { + "Tuple4": "192.168.50.52.17535>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_171" + }, { + "Tuple4": "192.168.50.52.17542>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_172" + }, { + "Tuple4": "192.168.50.52.17543>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_173" + }, { + "Tuple4": "192.168.50.52.17545>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_174" + }, { + "Tuple4": "192.168.50.52.17546>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_175" + }, { + "Tuple4": "192.168.50.52.17547>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_176" + }, { + "Tuple4": "192.168.50.52.17548>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_177" + }, { + "Tuple4": "192.168.50.52.17549>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_178" + }, { + "Tuple4": "192.168.50.52.17550>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_179" + }, { + "Tuple4": "192.168.50.52.17551>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_180" + }, { + "Tuple4": "192.168.50.52.17552>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_181" + }, { + "Tuple4": "192.168.50.52.17554>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_182" + }, { + "Tuple4": "192.168.50.33.64967>54.230.21.91.443", + "name": "SSL_RESULT_183" + }, { + "Tuple4": "192.168.50.52.17553>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_184" + }, { + "Tuple4": "192.168.50.52.17555>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_185" + }, { + "Tuple4": "192.168.50.52.17559>151.101.130.180.443", + "ssl_sni": "assets.targetimg1.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "name": "SSL_RESULT_186" + }, { + "Tuple4": "192.168.50.33.57414>142.250.66.42.443", + "name": "SSL_RESULT_187" + }, { + "Tuple4": "192.168.50.33.60652>142.250.66.99.443", + "name": "SSL_RESULT_188" + }, { + "Tuple4": "192.168.50.33.58291>220.181.174.230.443", + "name": "SSL_RESULT_189" + }, { + "Tuple4": "192.168.50.33.50525>172.217.27.35.443", + "name": "SSL_RESULT_190" + }, { + "Tuple4": "192.168.50.33.56708>142.250.204.36.443", + "name": "SSL_RESULT_191" + }, { + "Tuple4": "192.168.50.33.55558>142.250.66.99.443", + "name": "SSL_RESULT_192" + }, { + "Tuple4": "192.168.50.33.65240>142.250.204.86.443", + "name": "SSL_RESULT_193" + }, { + "Tuple4": "192.168.50.33.57554>142.250.204.65.443", + "name": "SSL_RESULT_194" + }, { + "Tuple4": "192.168.50.33.65100>142.250.207.74.443", + "name": "SSL_RESULT_195" + }, { + "Tuple4": "192.168.50.33.54638>142.250.204.110.443", + "name": "SSL_RESULT_196" + }, { + "Tuple4": "192.168.50.33.63347>142.250.66.131.443", + "name": "SSL_RESULT_197" + }, { + "Tuple4": "192.168.50.52.1079>40.119.211.203.443", + "name": "SSL_RESULT_198" + }, { + "Tuple4": "192.168.50.52.17311>142.250.66.99.443", + "ssl_sni": "www.gstatic.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "ssl_ja3s_hash": "eb1d94daa7e0344597e756a1fb6e7054", + "name": "SSL_RESULT_199" + }, { + "Tuple4": "192.168.50.52.14756>172.217.24.110.443", + "name": "SSL_RESULT_200" + }, { + "Tuple4": "192.168.50.52.27956>40.90.189.152.443", + "name": "SSL_RESULT_201" + }, { + "Tuple4": "192.168.50.52.17376>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "ssl_ja3s_hash": "16c0b3e6a7b8173c16d944cfeaeee9cf", + "ssl_cert_version": "v3", + "ssl_cert_Issuer": "GlobalSign Atlas R3 OV TLS CA H2 2021;GlobalSign nv-sa;;;;;BE", + "ssl_cert_IssuerCN": "GlobalSign Atlas R3 OV TLS CA H2 2021", + "ssl_cert_IssuerO": "GlobalSign nv-sa", + "ssl_cert_IssuerC": "BE", + "ssl_cert_Sub": "sites.target.com;Target Corporation;;Minneapolis;;Minnesota;US", + "ssl_cert_SubCN": "sites.target.com", + "ssl_cert_SubO": "Target Corporation", + "ssl_cert_SubC": "US", + "ssl_cert_SubP": "Minnesota", + "ssl_cert_SubL": "Minneapolis", + "ssl_cert_SubAltName": "sites.target.com;affiliate.target.com;android.studioconnect.live;api.studioconnect.live;apollo-metrics.target.com;assethub.partnersonline.com;assethub.target.com;awesomeshop.target.com;bex.partnersonline.com;bex.target.com;cartster.target.com;cartwheel.target.com;cartwheelws-secure.target.com;circle.target.com;connect.roundel.com;connectedcommerce.target.com;corporate.target.com;developer.target.com;dojo.target.com;doppler.partnersonline.com;elevate.target.com;extgargantua.partnersonline.com;factorial.partnersonline.com;finds.target.com;gql.studioconnect.live;greenfield.partnersonline.com;greenfield.target.com;hrocdocrequest.target.com;iccon.target.com;incubator.target.com;india.target.com;ios.studioconnect.live;jira.target.com;launchpad.partnersonline.com;launchpad.target.com;leads.studioconnect.live;m.target.com;marketinghub.target.com;mercury.partnersonline.com;mickra.target.com;mickradashboard.target.com;mvs.partnersonline.com;mytime.target.com;nic.target;openhouse.target.com;opensource.target.com;osmosis.partnersonline.com;partnersonline.com;pcn.partnersonline.com;peg.partnersonline.com;photosubmission.target.com;pid.partnersonline.com;plus.target.com;pmworkorderadmin.partnersonline.com;poladmin.partnersonline.com;pop.partnersonline.com;qmp.partnersonline.com;qr.target.com;r2d2.target.com;rdmplus.target.com;recognize.target.com;redcard.target.com;redirect.studioconnect.live;rik.roundel.com;roundel.com;rubix.partnersonline.com;rubix.target.com;security.target.com;servicetech.target.com;sm.partnersonline.com;spark.partnersonline.com;spark.target.com;studioconnect.live;stylehub.target.com;synergy.partnersonline.com;target.com;targetmedianetwork.target.com;targetopenhouse.com;tepagent.target.com;tgt-files.target.com;tgtdriver.partnersonline.com;ti-event-prod.target.com;tiam.target.com;tiiam.target.com;tvi.partnersonline.com;viewpoint.target.com;weeklyad.target.com;www.partnersonline.com;www.roundel.com;www.target.com;www.targetopenhouse.com", + "ssl_cert_SerialNum": "0x012ede33fc9283773396e9b1ff995262", + "ssl_cert_AgID": "1.2.840.113549.1.1.11", + "ssl_cert_From": "210928164609Z", + "ssl_cert_To": "221030164608Z", + "ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11", + "name": "SSL_RESULT_202" + }, { + "Tuple4": "192.168.50.52.17384>220.181.174.102.443", + "ssl_sni": "securepubads.g.doubleclick.net", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "598872011444709307b861ae817a4b60", + "ssl_ja3s_hash": "2b0648ab686ee45e0e7c35fcfb0eea7e", + "name": "SSL_RESULT_203" + }, { + "Tuple4": "192.168.50.52.17427>172.217.31.2.443", + "ssl_sni": "pagead2.googlesyndication.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "598872011444709307b861ae817a4b60", + "ssl_ja3s_hash": "2b0648ab686ee45e0e7c35fcfb0eea7e", + "name": "SSL_RESULT_204" + }, { + "Tuple4": "192.168.50.52.17381>23.57.114.38.443", + "ssl_sni": "js-sec.indexww.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "ssl_ja3s_hash": "410b9bedaf65dd26c6fe547154d60db4", + "name": "SSL_RESULT_205" + }, { + "Tuple4": "192.168.50.52.17432>220.181.174.102.443", + "ssl_sni": "securepubads.g.doubleclick.net", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "598872011444709307b861ae817a4b60", + "ssl_ja3s_hash": "2b0648ab686ee45e0e7c35fcfb0eea7e", + "name": "SSL_RESULT_206" + }, { + "Tuple4": "192.168.50.52.17434>15.197.193.217.443", + "ssl_sni": "match.adsrvr.org", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "ssl_ja3s_hash": "8d2a028aa94425f76ced7826b1f39039", + "ssl_cert_version": "v3", + "ssl_cert_Issuer": "GlobalSign GCC R3 DV TLS CA 2020;GlobalSign nv-sa;;;;;BE", + "ssl_cert_IssuerCN": "GlobalSign GCC R3 DV TLS CA 2020", + "ssl_cert_IssuerO": "GlobalSign nv-sa", + "ssl_cert_IssuerC": "BE", + "ssl_cert_Sub": "*.adsrvr.org;;;;;;", + "ssl_cert_SubCN": "*.adsrvr.org", + "ssl_cert_SubAltName": "*.adsrvr.org;adsrvr.org", + "ssl_cert_SerialNum": "0x2ddaa6f359d4ce458fe983f1", + "ssl_cert_AgID": "1.2.840.113549.1.1.11", + "ssl_cert_From": "220331203750Z", + "ssl_cert_To": "230502203749Z", + "ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11", + "name": "SSL_RESULT_207" + }, { + "Tuple4": "192.168.50.52.17375>151.101.194.187.443", + "ssl_sni": "www.target.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "ssl_ja3s_hash": "16c0b3e6a7b8173c16d944cfeaeee9cf", + "ssl_cert_version": "v3", + "ssl_cert_Issuer": "GlobalSign Atlas R3 OV TLS CA H2 2021;GlobalSign nv-sa;;;;;BE", + "ssl_cert_IssuerCN": "GlobalSign Atlas R3 OV TLS CA H2 2021", + "ssl_cert_IssuerO": "GlobalSign nv-sa", + "ssl_cert_IssuerC": "BE", + "ssl_cert_Sub": "sites.target.com;Target Corporation;;Minneapolis;;Minnesota;US", + "ssl_cert_SubCN": "sites.target.com", + "ssl_cert_SubO": "Target Corporation", + "ssl_cert_SubC": "US", + "ssl_cert_SubP": "Minnesota", + "ssl_cert_SubL": "Minneapolis", + "ssl_cert_SubAltName": "sites.target.com;affiliate.target.com;android.studioconnect.live;api.studioconnect.live;apollo-metrics.target.com;assethub.partnersonline.com;assethub.target.com;awesomeshop.target.com;bex.partnersonline.com;bex.target.com;cartster.target.com;cartwheel.target.com;cartwheelws-secure.target.com;circle.target.com;connect.roundel.com;connectedcommerce.target.com;corporate.target.com;developer.target.com;dojo.target.com;doppler.partnersonline.com;elevate.target.com;extgargantua.partnersonline.com;factorial.partnersonline.com;finds.target.com;gql.studioconnect.live;greenfield.partnersonline.com;greenfield.target.com;hrocdocrequest.target.com;iccon.target.com;incubator.target.com;india.target.com;ios.studioconnect.live;jira.target.com;launchpad.partnersonline.com;launchpad.target.com;leads.studioconnect.live;m.target.com;marketinghub.target.com;mercury.partnersonline.com;mickra.target.com;mickradashboard.target.com;mvs.partnersonline.com;mytime.target.com;nic.target;openhouse.target.com;opensource.target.com;osmosis.partnersonline.com;partnersonline.com;pcn.partnersonline.com;peg.partnersonline.com;photosubmission.target.com;pid.partnersonline.com;plus.target.com;pmworkorderadmin.partnersonline.com;poladmin.partnersonline.com;pop.partnersonline.com;qmp.partnersonline.com;qr.target.com;r2d2.target.com;rdmplus.target.com;recognize.target.com;redcard.target.com;redirect.studioconnect.live;rik.roundel.com;roundel.com;rubix.partnersonline.com;rubix.target.com;security.target.com;servicetech.target.com;sm.partnersonline.com;spark.partnersonline.com;spark.target.com;studioconnect.live;stylehub.target.com;synergy.partnersonline.com;target.com;targetmedianetwork.target.com;targetopenhouse.com;tepagent.target.com;tgt-files.target.com;tgtdriver.partnersonline.com;ti-event-prod.target.com;tiam.target.com;tiiam.target.com;tvi.partnersonline.com;viewpoint.target.com;weeklyad.target.com;www.partnersonline.com;www.roundel.com;www.target.com;www.targetopenhouse.com", + "ssl_cert_SerialNum": "0x012ede33fc9283773396e9b1ff995262", + "ssl_cert_AgID": "1.2.840.113549.1.1.11", + "ssl_cert_From": "210928164609Z", + "ssl_cert_To": "221030164608Z", + "ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11", + "name": "SSL_RESULT_208" + }, { + "Tuple4": "192.168.50.52.17433>3.217.136.163.443", + "ssl_sni": "idx.liadm.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "ssl_ja3s_hash": "303951d4c50efb2e991652225a6f02b1", + "name": "SSL_RESULT_209" + }, { + "Tuple4": "192.168.50.52.17437>3.217.136.163.443", + "ssl_sni": "idx.liadm.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", + "ssl_ja3s_hash": "303951d4c50efb2e991652225a6f02b1", + "name": "SSL_RESULT_210" + }, { + "Tuple4": "192.168.50.52.17544>142.250.207.74.443", + "ssl_sni": "content-autofill.googleapis.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "598872011444709307b861ae817a4b60", + "ssl_ja3s_hash": "2b0648ab686ee45e0e7c35fcfb0eea7e", + "name": "SSL_RESULT_211" + }, { + "Tuple4": "192.168.50.57.54160>39.105.29.36.443", + "name": "SSL_RESULT_212" + }, { + "Tuple4": "192.168.50.57.54162>39.105.29.36.443", + "name": "SSL_RESULT_213" +}] diff --git a/test/ssl_result.json b/test/ssl_result.json new file mode 100644 index 0000000..85f55d0 --- /dev/null +++ b/test/ssl_result.json @@ -0,0 +1,32 @@ +[{ + "Tuple4": "192.168.50.38.52391>104.16.123.96.443", + "ssl_sni": "ESNI", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "62a4a00de930bd0a5bee0309cc8362ed", + "ssl_ja3s_hash": "eb1d94daa7e0344597e756a1fb6e7054", + "name": "SSL_RESULT_1" +}, { + "Tuple4": "90.143.182.94.55835>93.186.227.131.443", + "ssl_sni": "sun9-20.userapi.com", + "ssl_client_version": "TLS1.2", + "ssl_ja3_hash": "6f5e62edfa5933b1332ddf8b9fb3ef9d", + "ssl_ja3s_hash": "2d1eb5817ece335c24904f516ad5da12", + "ssl_cert_version": "v3", + "ssl_cert_Issuer": "GlobalSign Organization Validation CA - SHA256 - G2;GlobalSign nv-sa;;;;;BE", + "ssl_cert_IssuerCN": "GlobalSign Organization Validation CA - SHA256 - G2", + "ssl_cert_IssuerO": "GlobalSign nv-sa", + "ssl_cert_IssuerC": "BE", + "ssl_cert_Sub": "*.userapi.com;V Kontakte LLC;;Saint-Petersburg;;Saint-Petersburg;RU", + "ssl_cert_SubCN": "*.userapi.com", + "ssl_cert_SubO": "V Kontakte LLC", + "ssl_cert_SubC": "RU", + "ssl_cert_SubP": "Saint-Petersburg", + "ssl_cert_SubL": "Saint-Petersburg", + "ssl_cert_SubCN": "*.userapi.com", + "ssl_cert_SubAltName": "*.userapi.com;vk.me;*.vk-cdn.net;*.vkuserlive.com;*.vkuserlive.net;*.vkuseraudio.net;*.vkuseraudio.com;*.vkuservideo.net;*.vkuservideo.com;*.vk.me;userapi.com", + "ssl_cert_SerialNum": "0x5afa3a189e6a5c11e1e18b0f", + "ssl_cert_AgID": "1.2.840.113549.1.1.11", + "ssl_cert_From": "180717083809Z", + "ssl_cert_To": "190714162604Z", + "name": "SSL_RESULT_2" +}] diff --git a/test/ssl_test_plug.cpp b/test/ssl_test_plug.cpp index 9f956e6..c43ea72 100644 --- a/test/ssl_test_plug.cpp +++ b/test/ssl_test_plug.cpp @@ -27,14 +27,14 @@ extern "C" int commit_test_result_json(cJSON *node, const char *name); static int g_result_count = 1; -static char *ssl_test_assemble_san(st_cert_t *cert) +static char *ssl_test_assemble_san(struct ssl_certificate *certificate) { char *san_buf=NULL; int total_buflen = 0; - for (int i = 0; i < cert->SSLSubAltName->count; i++) + for (int i = 0; i < certificate->subject_alter.num; i++) { - int tmp_buflen = strlen(cert->SSLSubAltName->san_array[i].san); - char *tmp_buf = (char *)realloc(san_buf, total_buflen+tmp_buflen+1); + int tmp_buflen=strlen(certificate->subject_alter.name[i]); + char *tmp_buf=(char *)realloc(san_buf, total_buflen+tmp_buflen+1); if(tmp_buf==NULL) { free(san_buf); @@ -44,7 +44,7 @@ static char *ssl_test_assemble_san(st_cert_t *cert) san_buf=tmp_buf; san_buf[total_buflen + tmp_buflen] = ';'; - memcpy(san_buf+total_buflen, cert->SSLSubAltName->san_array[i].san, tmp_buflen); + memcpy(san_buf+total_buflen, certificate->subject_alter.name[i], tmp_buflen); total_buflen+=tmp_buflen+1; } @@ -60,10 +60,9 @@ extern "C" unsigned char SSL_TEST_PLUG_ENTRY(stSessionInfo *session_info, void * assert(NULL != session_info || pme != NULL); cJSON *ctx = (cJSON *)*pme; - st_cert_t *cert=NULL; - ssl_stream *a_ssl = (ssl_stream *)(session_info->app_info); - _ssl_ja3_info_t *ja3_info = NULL; - _ssl_ja3s_info_t *ja3s_info = NULL; + + struct ssl_stream *a_ssl = (struct ssl_stream *)(session_info->app_info); + struct ssl_ja3_info *ja3_info = NULL; if (session_info->session_state & SESSION_STATE_PENDING) { @@ -78,28 +77,28 @@ extern "C" unsigned char SSL_TEST_PLUG_ENTRY(stSessionInfo *session_info, void * switch (session_info->prot_flag) { case SSL_CLIENT_HELLO: - if (a_ssl== NULL || a_ssl->stClientHello==NULL) + if (a_ssl== NULL || a_ssl->chello==NULL) { break; } - if (strlen((char *)(a_ssl->stClientHello->server_name)) > 0) + if (strlen((char *)(a_ssl->chello->server_name)) > 0) { - cJSON_AddStringToObject(ctx, (const char *)"ssl_sni", (const char *)(a_ssl->stClientHello->server_name)); + cJSON_AddStringToObject(ctx, (const char *)"ssl_sni", (const char *)(a_ssl->chello->server_name)); } - if (a_ssl->stClientHello->encrypt_chello != NULL) + if (a_ssl->chello->encrypt_chello != NULL) { cJSON_AddStringToObject(ctx, (const char *)"ssl_ech", "1"); } - if (a_ssl->stClientHello->encrypted_server_name.esni != NULL) + if (a_ssl->chello->esni.is_esni==1) { cJSON_AddStringToObject(ctx, (const char *)"ssl_sni", "ESNI"); } - if (ssl_get_version_name(a_ssl->stClientHello->client_ver)) + if (ssl_get_version_name(a_ssl->chello->version) != NULL) { - cJSON_AddStringToObject(ctx, "ssl_client_version", ssl_get_version_name(a_ssl->stClientHello->client_ver)); + cJSON_AddStringToObject(ctx, "ssl_client_version", ssl_get_version_name(a_ssl->chello->version)); } ja3_info = ssl_get_ja3_fingerprint(a_tcp, (unsigned char *)a_tcp->ptcpdetail->pdata, (unsigned int)a_tcp->ptcpdetail->datalen, a_tcp->threadnum); @@ -110,129 +109,122 @@ extern "C" unsigned char SSL_TEST_PLUG_ENTRY(stSessionInfo *session_info, void * break; case SSL_SERVER_HELLO: - ja3s_info = ssl_get_ja3s_fingerprint(a_tcp, (unsigned char *)a_tcp->ptcpdetail->pdata, (unsigned int)a_tcp->ptcpdetail->datalen, a_tcp->threadnum); - if (ja3s_info != NULL && ja3s_info->fp != NULL && ja3s_info->fp_len > 0) + if (a_ssl->shello->ja3s.fingerprint_md5 != NULL && a_ssl->shello->ja3s.fingerprint_md5_len > 0) { - cJSON_AddStringToObject(ctx, "ssl_ja3s_hash", ja3s_info->fp); + cJSON_AddStringToObject(ctx, "ssl_ja3s_hash", a_ssl->shello->ja3s.fingerprint_md5); } break; case SSL_CERTIFICATE_DETAIL: - if (a_ssl==NULL || a_ssl->stSSLCert==NULL || a_tcp->curdir==DIR_C2S) + if (a_ssl==NULL || a_ssl->certificate==NULL || a_tcp->curdir==DIR_C2S) { break; } - cert = a_ssl->stSSLCert; - if (cert->cert_type != CERT_TYPE_INDIVIDUAL) + if (a_ssl->certificate->cert_type != CERT_TYPE_INDIVIDUAL) { break; } - if (strlen(cert->SSLVersion) > 0) + if(a_ssl->certificate->version.len > 0) { - cJSON_AddStringToObject(ctx, "ssl_cert_version", cert->SSLVersion); + cJSON_AddStringToObject(ctx, "ssl_cert_version", (const char*)a_ssl->certificate->version.value); } - if(strlen(cert->SSLIssuer)>0) + if(strlen(a_ssl->certificate->issuer.rdn_sequence_list)>0) { - cJSON_AddStringToObject(ctx, "ssl_cert_Issuer", cert->SSLIssuer); + cJSON_AddStringToObject(ctx, "ssl_cert_Issuer", a_ssl->certificate->issuer.rdn_sequence_list); - if (cert->SSLIssuerCN != NULL && strlen(cert->SSLIssuerCN) > 0) + if(strlen(a_ssl->certificate->issuer.common) > 0) { - cJSON_AddStringToObject(ctx, "ssl_cert_IssuerCN", cert->SSLIssuerCN); + cJSON_AddStringToObject(ctx, "ssl_cert_IssuerCN", a_ssl->certificate->issuer.common); } - if (cert->SSLIssuerO != NULL && strlen(cert->SSLIssuerO) > 0) + if(strlen(a_ssl->certificate->issuer.organization) > 0) { - cJSON_AddStringToObject(ctx, "ssl_cert_IssuerO", cert->SSLIssuerO); + cJSON_AddStringToObject(ctx, "ssl_cert_IssuerO", a_ssl->certificate->issuer.organization); } - if (cert->SSLIssuerC != NULL && strlen(cert->SSLIssuerC) > 0) + if(strlen(a_ssl->certificate->issuer.country) > 0) { - cJSON_AddStringToObject(ctx, "ssl_cert_IssuerC", cert->SSLIssuerC); + cJSON_AddStringToObject(ctx, "ssl_cert_IssuerC", a_ssl->certificate->issuer.country); } - if (cert->SSLIssuerP != NULL && strlen(cert->SSLIssuerP) > 0) + if(strlen(a_ssl->certificate->issuer.state_or_Province) > 0) { - cJSON_AddStringToObject(ctx, "ssl_cert_IssuerP", cert->SSLIssuerP); + cJSON_AddStringToObject(ctx, "ssl_cert_IssuerP", a_ssl->certificate->issuer.state_or_Province); } - if (cert->SSLIssuerL != NULL && strlen(cert->SSLIssuerL) > 0) + if(strlen(a_ssl->certificate->issuer.locality) > 0) { - cJSON_AddStringToObject(ctx, "ssl_cert_IssuerL", cert->SSLIssuerL); + cJSON_AddStringToObject(ctx, "ssl_cert_IssuerL", a_ssl->certificate->issuer.locality); } - if (cert->SSLIssuerS != NULL && strlen(cert->SSLIssuerS) > 0) + if(strlen(a_ssl->certificate->issuer.street_address) > 0) { - cJSON_AddStringToObject(ctx, "ssl_cert_IssuerS", cert->SSLIssuerS); + cJSON_AddStringToObject(ctx, "ssl_cert_IssuerS", a_ssl->certificate->issuer.street_address); } - if (cert->SSLIssuerU != NULL && strlen(cert->SSLIssuerU) > 0) + if(strlen(a_ssl->certificate->issuer.organizational_unit) > 0) { - cJSON_AddStringToObject(ctx, "ssl_cert_IssuerU", cert->SSLIssuerU); + cJSON_AddStringToObject(ctx, "ssl_cert_IssuerU", a_ssl->certificate->issuer.organizational_unit); } } - if(strlen(cert->SSLSub)>0) + if(strlen(a_ssl->certificate->subject.rdn_sequence_list)>0) { - cJSON_AddStringToObject(ctx, "ssl_cert_Sub", cert->SSLSub); + cJSON_AddStringToObject(ctx, "ssl_cert_Sub", a_ssl->certificate->subject.rdn_sequence_list); - if (cert->SSLSubCN != NULL && strlen(cert->SSLSubCN) > 0) + if(strlen(a_ssl->certificate->subject.common) > 0) { - cJSON_AddStringToObject(ctx, "ssl_cert_SubCN", cert->SSLSubCN); + cJSON_AddStringToObject(ctx, "ssl_cert_SubCN", a_ssl->certificate->subject.common); } - if (cert->SSLSubO != NULL && strlen(cert->SSLSubO) > 0) + if(strlen(a_ssl->certificate->subject.organization) > 0) { - cJSON_AddStringToObject(ctx, "ssl_cert_SubO", cert->SSLSubO); + cJSON_AddStringToObject(ctx, "ssl_cert_SubO", a_ssl->certificate->subject.organization); } - if (cert->SSLSubC != NULL && strlen(cert->SSLSubC) > 0) + if(strlen(a_ssl->certificate->subject.country) > 0) { - cJSON_AddStringToObject(ctx, "ssl_cert_SubC", cert->SSLSubC); + cJSON_AddStringToObject(ctx, "ssl_cert_SubC", a_ssl->certificate->subject.country); } - if (cert->SSLSubP != NULL && strlen(cert->SSLSubP) > 0) + if(strlen(a_ssl->certificate->subject.state_or_Province) > 0) { - cJSON_AddStringToObject(ctx, "ssl_cert_SubP", cert->SSLSubP); + cJSON_AddStringToObject(ctx, "ssl_cert_SubP", a_ssl->certificate->subject.state_or_Province); } - if (cert->SSLSubL != NULL && strlen(cert->SSLSubL) > 0) + if(strlen(a_ssl->certificate->subject.locality) > 0) { - cJSON_AddStringToObject(ctx, "ssl_cert_SubL", cert->SSLSubL); + cJSON_AddStringToObject(ctx, "ssl_cert_SubL", a_ssl->certificate->subject.locality); } - if (cert->SSLSubS != NULL && strlen(cert->SSLSubS) > 0) + if(strlen(a_ssl->certificate->subject.street_address) > 0) { - cJSON_AddStringToObject(ctx, "ssl_cert_SubS", cert->SSLSubS); + cJSON_AddStringToObject(ctx, "ssl_cert_SubS", a_ssl->certificate->subject.street_address); } - if (cert->SSLSubU != NULL && strlen(cert->SSLSubU) > 0) + if(strlen(a_ssl->certificate->subject.organizational_unit) > 0) { - cJSON_AddStringToObject(ctx, "ssl_cert_SubU", cert->SSLSubU); + cJSON_AddStringToObject(ctx, "ssl_cert_SubU", a_ssl->certificate->subject.organizational_unit); } } - if (cert->SSLSubCN!=NULL) - { - cJSON_AddStringToObject(ctx, "ssl_cert_SubCN", cert->SSLSubCN); - } - - if (cert->SSLSubAltName != NULL && cert->SSLSubAltName->count > 0) + if(a_ssl->certificate->subject_alter.name != NULL && a_ssl->certificate->subject_alter.num>0) { - char *san_buf = ssl_test_assemble_san(cert); + char *san_buf = ssl_test_assemble_san(a_ssl->certificate); cJSON_AddStringToObject(ctx, "ssl_cert_SubAltName", san_buf); free(san_buf); san_buf=NULL; } - if(cert->SSLSerialNumLen>0) + if(a_ssl->certificate->serial.len>0) { - char *serialBuf=(char *)calloc(1, cert->SSLSerialNumLen*2+1+2); + char *serialBuf=(char *)calloc(1, a_ssl->certificate->serial.len*2+1+2); int offset=snprintf(serialBuf, 3, "0x"); - for(int i=0; iSSLSerialNumLen; i++) + for(int i=0; icertificate->serial.len; i++) { - offset+=snprintf(serialBuf+offset, cert->SSLSerialNumLen*2+1+2-offset, "%02hhx", (unsigned char )(cert->SSLSerialNum[i])); + offset+=snprintf(serialBuf+offset, a_ssl->certificate->serial.len*2+1+2-offset, "%02hhx", (unsigned char )(a_ssl->certificate->serial.value[i])); } cJSON_AddStringToObject(ctx, "ssl_cert_SerialNum", serialBuf); @@ -240,46 +232,44 @@ extern "C" unsigned char SSL_TEST_PLUG_ENTRY(stSessionInfo *session_info, void * serialBuf=NULL; } - if(strlen(cert->SSLAgID)>0) + if(a_ssl->certificate->signature_algorithm.len>0) { - cJSON_AddStringToObject(ctx, "ssl_cert_AgID", cert->SSLAgID); + cJSON_AddStringToObject(ctx, "ssl_cert_AgID", (const char*)a_ssl->certificate->signature_algorithm.value); } - if(strlen(cert->SSLFPAg)>0) + if(strlen(a_ssl->certificate->validity.before)>0) { - cJSON_AddStringToObject(ctx, "ssl_cert_FPAg", cert->SSLFPAg); + cJSON_AddStringToObject(ctx, "ssl_cert_From", a_ssl->certificate->validity.before); } - if(strlen(cert->SSLFrom)>0) + if(strlen(a_ssl->certificate->validity.after)>0) { - cJSON_AddStringToObject(ctx, "ssl_cert_From", cert->SSLFrom); + cJSON_AddStringToObject(ctx, "ssl_cert_To", a_ssl->certificate->validity.after); } - if(strlen(cert->SSLTo)>0) + if(a_ssl->certificate->algorithm_identifier.len>0) { - cJSON_AddStringToObject(ctx, "ssl_cert_To", cert->SSLTo); + cJSON_AddStringToObject(ctx, "ssl_cert_SSLFPAg", (const char*)a_ssl->certificate->algorithm_identifier.value); } - break; - default: - break; - } - - if(session_info->session_state&SESSION_STATE_CLOSE) - { - if(ctx) - { - char result_name[16]=""; - sprintf(result_name,"SSL_RESULT_%d", g_result_count); - commit_test_result_json(ctx, result_name); - g_result_count+=1; - } - *pme = NULL; - return PROT_STATE_DROPME; - - } + break; + default: + break; + } - return PROT_STATE_GIVEME; + if(session_info->session_state&SESSION_STATE_CLOSE) + { + if(ctx) + { + char result_name[16]=""; + sprintf(result_name,"SSL_RESULT_%d", g_result_count); + commit_test_result_json(ctx, result_name); + g_result_count+=1; + } + *pme = NULL; + return PROT_STATE_DROPME; + } + return PROT_STATE_GIVEME; } extern "C" int SSL_TEST_PLUG_INIT() -- cgit v1.2.3