author刘学利 <[email protected]>2023-07-24 07:17:02 +0000
committer刘学利 <[email protected]>2023-07-24 07:17:02 +0000
commit4389d188f364a14b720fbb58aef96cb5e92ad584 (patch)
tree1c0aba34a74c6c574d9617fd4f317870b0990cd1
parent8c94311e8691791a06bdbbac761a0b6d4fa95cb7 (diff)
支持不依赖ssl解析层生成ja3_fingerprint,增加是否生成ja3_fingerprint的开关, GENERATE_JA3_FINGERPRINT=1v6.0.42
-rw-r--r--.gitlab-ci.yml2
-rw-r--r--src/CMakeLists.txt4
-rw-r--r--src/tsg_bridge.cpp6
-rw-r--r--src/tsg_bridge.h2
-rw-r--r--src/tsg_entry.cpp33
-rw-r--r--src/tsg_ssl_ja3_fingerprint.cpp610
-rw-r--r--src/tsg_ssl_utils.h (renamed from inc/tsg_ssl_utils.h)3
-rw-r--r--src/tsg_variable.h1
-rw-r--r--test/src/CMakeLists.txt7
-rw-r--r--test/src/gtest_common.cpp5
10 files changed, 644 insertions, 29 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 756118e..10d9c8a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -4,7 +4,7 @@ variables:
BUILD_IMAGE_CENTOS8: "git.mesalab.cn:7443/mesa_platform/build-env:rockylinux"
BUILD_PADDING_PREFIX: /tmp/padding_for_CPACK_RPM_BUILD_SOURCE_DIRS_PREFIX_PREFIX_PREFIX_PREFIX_PREFIX_PREFIX/
INSTALL_PREFIX: "/home/mesasoft/sapp_run/"
- INSTALL_DEPENDENCY_LIBRARY: systemd-devel libbreakpad_mini numactl-devel zlib-devel vim-common libMESA_handle_logger-devel libcjson-devel libMESA_field_stat2-devel sapp sapp-devel framework_env libMESA_prof_load-devel http-devel dns-devel ftp-devel mail-devel ssl-devel librdkafka-devel libmaat4-devel quic-devel mesa_sip-devel gtp-devel libMESA_htable-devel libasan mrzcpd rapidjson-devel libMESA_jump_layer-devel stratum-devel rdp-devel dtls-devel-1.0.10.ab7166e libfieldstat3-devel
+ INSTALL_DEPENDENCY_LIBRARY: systemd-devel libbreakpad_mini numactl-devel zlib-devel vim-common libMESA_handle_logger-devel libcjson-devel libMESA_field_stat2-devel sapp sapp-devel framework_env libMESA_prof_load-devel http-devel dns-devel ftp-devel mail-devel ssl-devel librdkafka-devel libmaat4-devel quic-devel mesa_sip-devel gtp-devel libMESA_htable-devel libasan mrzcpd rapidjson-devel libMESA_jump_layer-devel stratum-devel rdp-devel dtls-devel-1.0.10.ab7166e libfieldstat3-devel openssl-devel
stages:
- analysis
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 93f3482..7a9857e 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -2,13 +2,13 @@ cmake_minimum_required(VERSION 2.8)
add_definitions(-fPIC)
-set(SRC tsg_entry.cpp tsg_rule.cpp tsg_ssl_utils.cpp tsg_send_log.cpp tsg_statistic.cpp tsg_ssh_utils.cpp tsg_gtp_signaling.cpp tsg_action.cpp tsg_leaky_bucket.cpp tsg_dns.cpp tsg_icmp.cpp tsg_tamper.cpp tsg_bridge.cpp tsg_sync_state.cpp tsg_variable.cpp tsg_proxy.cpp mpack.c tsg_stat.cpp)
+set(SRC tsg_entry.cpp tsg_rule.cpp tsg_ssl_utils.cpp tsg_send_log.cpp tsg_statistic.cpp tsg_ssh_utils.cpp tsg_gtp_signaling.cpp tsg_action.cpp tsg_leaky_bucket.cpp tsg_dns.cpp tsg_icmp.cpp tsg_tamper.cpp tsg_bridge.cpp tsg_sync_state.cpp tsg_variable.cpp tsg_proxy.cpp mpack.c tsg_stat.cpp tsg_ssl_ja3_fingerprint.cpp)
include_directories(${CMAKE_SOURCE_DIR}/inc)
include_directories(/opt/MESA/include/MESA/)
include_directories(/usr/include/)
-set(TSG_MASTER_DEPEND_DYN_LIB MESA_handle_logger MESA_prof_load maat4 pthread rdkafka cjson MESA_jump_layer fieldstat3)
+set(TSG_MASTER_DEPEND_DYN_LIB MESA_handle_logger MESA_prof_load maat4 pthread rdkafka cjson MESA_jump_layer fieldstat3 crypto)
set(CMAKE_INSTALL_PREFIX /home/mesasoft/sapp_run)
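Review bot: `crypto` is appended to `TSG_MASTER_DEPEND_DYN_LIB` as a bare library name, so the build links whichever libcrypto the linker finds first and only fails at link time when the OpenSSL development package is missing. Resolving it with `find_package(OpenSSL REQUIRED)` and linking the result (the `OpenSSL::Crypto` imported target, if the CMake version in use is newer than the `VERSION 2.8` declared at the top of this file) would make the dependency explicit and fail at configure time instead. The new source includes `<openssl/md5.h>`, and the low-level `MD5_Init`/`MD5_Update`/`MD5_Final` calls are deprecated from OpenSSL 3.0, so a comment stating which OpenSSL version the build image provides would help here.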
diff --git a/src/tsg_bridge.cpp b/src/tsg_bridge.cpp
index eb324b8..700793b 100644
--- a/src/tsg_bridge.cpp
+++ b/src/tsg_bridge.cpp
@@ -355,12 +355,14 @@ int srt_attribute_set_reponse_size(const struct streaminfo *a_stream, int http_a
return 0;
}
-int srt_attribute_set_ja3_fingprint(const struct streaminfo *a_stream, const char *ja3_fingerprint)
+int srt_attribute_set_ja3_fingprint(const struct streaminfo *a_stream, const char *ja3_fingerprint, int ja3_fingerprint_len)
{
struct session_runtime_attribute *srt_attribute=(struct session_runtime_attribute *)session_runtime_attribute_new(a_stream);
if(srt_attribute)
{
- srt_attribute->ja3_fingerprint=ja3_fingerprint;
+ srt_attribute->ja3_fingerprint=(char *)dictator_malloc(a_stream->threadnum, ja3_fingerprint_len+1);
+ memcpy((void *)srt_attribute->ja3_fingerprint, ja3_fingerprint, ja3_fingerprint_len);
+ ((char *)srt_attribute->ja3_fingerprint)[ja3_fingerprint_len]='\0';
return 1;
}
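Review bot: The pointer returned by `dictator_malloc` is passed straight to `memcpy` without a NULL check, and `ja3_fingerprint_len` is used as a copy size without rejecting a negative value or a NULL `ja3_fingerprint`. A guard such as `if(ja3_fingerprint==NULL || ja3_fingerprint_len<=0) return 0;` before the allocation and `if(srt_attribute->ja3_fingerprint==NULL) return 0;` after it would cover both cases. If this setter can run more than once for the same stream, the previous buffer is overwritten without being freed; the hunk does not show whether that can happen. The function body ends outside the hunk.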
diff --git a/src/tsg_bridge.h b/src/tsg_bridge.h
index bf017fd..8e2d754 100644
--- a/src/tsg_bridge.h
+++ b/src/tsg_bridge.h
@@ -196,7 +196,7 @@ const struct session_runtime_attribute *session_runtime_attribute_new(const stru
int srt_attribute_set_protocol(const struct streaminfo * a_stream, TSG_PROTOCOL protocol);
int srt_attribute_set_flags(const struct streaminfo * a_stream, unsigned long s_flags);
int srt_attribute_set_establish_latecy(const struct streaminfo * a_stream);
-int srt_attribute_set_ja3_fingprint(const struct streaminfo *a_stream, const char *ja3_fingerprint);
+int srt_attribute_set_ja3_fingprint(const struct streaminfo *a_stream, const char *ja3_fingerprint, int ja3_fingerprint_len);
int srt_attribute_set_reponse_size(const struct streaminfo *a_stream, int http_action_file_size);
void srt_attribute_free_proxy_tcp_option(const struct streaminfo *a_stream);
diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp
index 5109a21..74c0a85 100644
--- a/src/tsg_entry.cpp
+++ b/src/tsg_entry.cpp
@@ -1443,9 +1443,8 @@ int session_l7_protocol_identify(const struct streaminfo *a_stream, struct sessi
return 1;
}
}
-
- if(g_tsg_para.proto_flag&(1<<PROTO_SSL)) //ssl
- {
+
+ {//ssl
enum chello_parse_result chello_status = CHELLO_PARSE_INVALID_FORMAT;
struct ssl_chello *chello = NULL;
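Review bot: With the `g_tsg_para.proto_flag&(1<<PROTO_SSL)` test removed, the block marked `{//ssl` runs for every session that reaches this point, whatever protocols the deployment has enabled. If that is deliberate so that JA3 can be produced without the SSL parsing layer, the block should say so, for example `// ClientHello probing is unconditional: needed for JA3 even when PROTO_SSL is not set in proto_flag`. If it is not, the gate could test `proto_flag` or `generate_ja3_fingerprint` so payloads are not handed to the ClientHello parser when neither feature is on. The block continues outside the hunk.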
@@ -2042,6 +2041,19 @@ int session_flags_identify_result_cb(const struct streaminfo *a_stream, int brid
return 0;
}
+static int session_ssl_ja3_fingerprint_generate(const struct streaminfo *a_stream)
+{
+ char ja3_fingerprint[64]={0};
+ int ja3_fingerprint_len=tsg_ssl_ja3_fingerprint_generate((unsigned char *)a_stream->ptcpdetail->pdata, (unsigned int)a_stream->ptcpdetail->datalen, ja3_fingerprint, sizeof(ja3_fingerprint), a_stream->threadnum);
+ if(ja3_fingerprint_len>0)
+ {
+ srt_attribute_set_ja3_fingprint(a_stream, ja3_fingerprint, ja3_fingerprint_len);
+ return 1;
+ }
+
+ return 0;
+}
+
size_t session_pending_state_deal(const struct streaminfo *a_stream, struct session_runtime_process_context *srt_process_context, struct maat_rule *matched_rules, int n_matched_rules, void *a_packet)
{
size_t matched_cnt=0;
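Review bot: `session_ssl_ja3_fingerprint_generate` dereferences `a_stream->ptcpdetail` without a NULL check and returns 1 without looking at the result of `srt_attribute_set_ja3_fingprint`; `return srt_attribute_set_ja3_fingprint(a_stream, ja3_fingerprint, ja3_fingerprint_len);` would report a failed store to the caller. The input appears to be the payload of the current segment only, so a ClientHello split across TCP segments would be fingerprinted from a truncated hello rather than skipped. A short comment above the function stating that limitation would tell consumers of the logged field how far to trust it.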
@@ -2058,19 +2070,9 @@ size_t session_pending_state_deal(const struct streaminfo *a_stream, struct sess
srt_process_context->is_app_link=FLAG_TRUE;
srt_attribute_set_protocol(a_stream, srt_process_context->proto);
- if(srt_process_context->proto==PROTO_SSL)
+ if(srt_process_context->proto==PROTO_SSL && g_tsg_para.generate_ja3_fingerprint==1)
{
- struct ssl_ja3_info *ja3_info=ssl_get_ja3_fingerprint((struct streaminfo *)a_stream, (unsigned char *)a_stream->ptcpdetail->pdata, (unsigned int)a_stream->ptcpdetail->datalen, a_stream->threadnum);
- if(ja3_info!=NULL)
- {
- if(ja3_info->fp!=NULL && ja3_info->fp_len>0)
- {
- char *ja3_fingerprint=(char *)dictator_malloc(a_stream->threadnum, ja3_info->fp_len+1);
- memcpy(ja3_fingerprint, ja3_info->fp, ja3_info->fp_len);
- ja3_fingerprint[ja3_info->fp_len]='\0';
- srt_attribute_set_ja3_fingprint(a_stream, ja3_fingerprint);
- }
- }
+ session_ssl_ja3_fingerprint_generate(a_stream);
}
int table_idx=tsg_domain_table_idx_get(srt_process_context->proto);
@@ -2543,6 +2545,7 @@ extern "C" int TSG_MASTER_INIT()
MESA_load_profile_int_def(tsg_conffile, "SYSTEM", "PROXY_SID", &g_tsg_para.intercept_sid, 0);
MESA_load_profile_int_def(tsg_conffile, "SYSTEM", "SCAN_IN_PACKET_STATE", &g_tsg_para.scan_in_pkt_state, 1);
+ MESA_load_profile_int_def(tsg_conffile, "SYSTEM", "GENERATE_JA3_FINGERPRINT", &g_tsg_para.generate_ja3_fingerprint, 0);
ret=MESA_load_profile_int_def(tsg_conffile, "SYSTEM", "DEVICE_SEQ_IN_DATA_CENTER", &g_tsg_para.device_seq_in_dc, 0);
if(ret<0)
diff --git a/src/tsg_ssl_ja3_fingerprint.cpp b/src/tsg_ssl_ja3_fingerprint.cpp
new file mode 100644
index 0000000..0d2bdee
--- /dev/null
+++ b/src/tsg_ssl_ja3_fingerprint.cpp
@@ -0,0 +1,610 @@
+#include <ctype.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/md5.h>
+
+#ifndef MIN
+#define MIN(a, b) ((a) > (b) ? (b) : (a))
+#endif
+
+#define BSB_INIT(b, buffer, size) \
+ do \
+ { \
+ (b).buf = (unsigned char *)buffer; \
+ (b).ptr = (unsigned char *)buffer; \
+ int s = (int)size; \
+ if ((buffer == NULL) || (s < 0)) \
+ (b).end = 0; \
+ else \
+ (b).end = (unsigned char *)buffer + size; \
+ } while (0)
+
+#define BSB_SET_ERROR(b) ((b).end = NULL)
+#define BSB_IS_ERROR(b) ((b).end == NULL)
+#define BSB_NOT_ERROR(b) ((b).end != NULL)
+#define BSB_LENGTH(b) ((b).ptr - (b).buf)
+#define BSB_POSITION BSB_LENGTH
+#define BSB_SIZE(b) ((b).end - (b).buf)
+#define BSB_REMAINING(b) ((b).end ? (b).end - (b).ptr : 0)
+#define BSB_WORK_PTR(b) ((b).ptr)
+
+#define BSB_EXPORT_u08(b, x) \
+ do \
+ { \
+ if ((b).ptr && (b).ptr + 1 <= (b).end) \
+ { \
+ *(((b).ptr)++) = (unsigned char)x; \
+ } \
+ else \
+ BSB_SET_ERROR(b); \
+ } while (0)
+
+#define BSB_EXPORT_u16(b, x) \
+ do \
+ { \
+ if ((b).ptr && (b).ptr + 2 <= (b).end) \
+ { \
+ uint16_t t = (uint16_t)x; \
+ *(((b).ptr)++) = (t & 0xff00) >> 8; \
+ *(((b).ptr)++) = (t & 0x00ff); \
+ } \
+ else \
+ BSB_SET_ERROR(b); \
+ } while (0)
+
+#define BSB_EXPORT_u32(b, x) \
+ do \
+ { \
+ if ((b).ptr && (b).ptr + 4 <= (b).end) \
+ { \
+ uint32_t t = x; \
+ *(((b).ptr)++) = (t & 0xff000000) >> 24; \
+ *(((b).ptr)++) = (t & 0x00ff0000) >> 16; \
+ *(((b).ptr)++) = (t & 0x0000ff00) >> 8; \
+ *(((b).ptr)++) = (t & 0x000000ff); \
+ } \
+ else \
+ BSB_SET_ERROR(b); \
+ } while (0)
+
+#define BSB_EXPORT_ptr(b, x, size) \
+ do \
+ { \
+ if ((x || size == 0) && \
+ (b).ptr + size <= (b).end && \
+ (b).ptr + size >= (b).buf) \
+ { \
+ memcpy((b).ptr, x, size); \
+ (b).ptr += size; \
+ } \
+ else \
+ BSB_SET_ERROR(b); \
+ } while (0)
+
+#define BSB_EXPORT_ptr_some(b, x, size) \
+ do \
+ { \
+ if ((b).ptr + size <= (b).end) \
+ { \
+ memcpy((b).ptr, x, size); \
+ (b).ptr += size; \
+ } \
+ else if (BSB_NOT_ERROR(b)) \
+ { \
+ memcpy((b).ptr, x, BSB_REMAINING(b)); \
+ (b).ptr += BSB_REMAINING(b); \
+ } \
+ } while (0)
+
+#define BSB_EXPORT_cstr(b, x) \
+ do \
+ { \
+ const int size = sizeof x - 1; \
+ if ((b).ptr + size <= (b).end) \
+ { \
+ memcpy((b).ptr, x, size); \
+ (b).ptr += size; \
+ } \
+ else \
+ BSB_SET_ERROR(b); \
+ } while (0)
+
+#define BSB_EXPORT_skip(b, size) \
+ do \
+ { \
+ if ((b).ptr + size <= (b).end && \
+ (b).ptr + size >= (b).buf) \
+ { \
+ (b).ptr += size; \
+ if ((b).ptr < (b).buf) \
+ (b).end = 0; \
+ } \
+ else \
+ BSB_SET_ERROR(b); \
+ } while (0)
+
+#define BSB_EXPORT_rewind(b, size) \
+ do \
+ { \
+ if ((b).ptr - size <= (b).end && \
+ (b).ptr - size >= (b).buf) \
+ { \
+ (b).ptr -= size; \
+ if ((b).ptr < (b).buf) \
+ (b).end = 0; \
+ } \
+ else \
+ { \
+ BSB_SET_ERROR(b); \
+ } \
+ } while (0)
+
+#if defined(C9X)
+
+#define BSB_EXPORT_sprintf(b, ...) \
+ do \
+ { \
+ if ((b).end != 0) \
+ { \
+ int l = snprintf((char *)(b).ptr, \
+ (b).end - (b).ptr, \
+ __VA_ARGS__); \
+ if (l <= (b).end - (b).ptr) \
+ { \
+ (b).ptr += l; \
+ } \
+ else \
+ { \
+ BSB_SET_ERROR(b); \
+ } \
+ } \
+ } while (0)
+
+#else
+
+#define BSB_EXPORT_sprintf(b, args...) \
+ do \
+ { \
+ if ((b).end != 0) \
+ { \
+ int l = snprintf((char *)(b).ptr, \
+ (b).end - (b).ptr, \
+ ##args); \
+ if (l <= (b).end - (b).ptr) \
+ { \
+ (b).ptr += l; \
+ } \
+ else \
+ { \
+ BSB_SET_ERROR(b); \
+ } \
+ } \
+ } while (0)
+#endif
+
+#define BSB_IMPORT_u08(b, x) \
+ do \
+ { \
+ if ((b).ptr && (b).ptr + 1 <= (b).end) \
+ { \
+ x = *(((b).ptr)++); \
+ } \
+ else \
+ BSB_SET_ERROR(b); \
+ } while (0)
+
+#define BSB_IMPORT_u16(b, x) \
+ do \
+ { \
+ if ((b).ptr && (b).ptr + 2 <= (b).end) \
+ { \
+ x = ((uint16_t)((b).ptr)[0]) << 8 | \
+ ((uint16_t)((b).ptr)[1]); \
+ (b).ptr += 2; \
+ } \
+ else \
+ BSB_SET_ERROR(b); \
+ } while (0)
+
+#define BSB_IMPORT_u24(b, x) \
+ do \
+ { \
+ if ((b).ptr && (b).ptr + 3 <= (b).end) \
+ { \
+ x = ((uint32_t)((b).ptr)[0]) << 16 | \
+ ((uint32_t)((b).ptr)[1]) << 8 | \
+ ((uint32_t)((b).ptr)[2]); \
+ (b).ptr += 3; \
+ } \
+ else \
+ BSB_SET_ERROR(b); \
+ } while (0)
+
+#define BSB_IMPORT_u32(b, x) \
+ do \
+ { \
+ if ((b).ptr && (b).ptr + 4 <= (b).end) \
+ { \
+ x = ((uint32_t)((b).ptr)[0]) << 24 | \
+ ((uint32_t)((b).ptr)[1]) << 16 | \
+ ((uint32_t)((b).ptr)[2]) << 8 | \
+ ((uint32_t)((b).ptr)[3]); \
+ (b).ptr += 4; \
+ } \
+ else \
+ BSB_SET_ERROR(b); \
+ } while (0)
+
+#define BSB_LEXPORT_u08(b, x) BSB_EXPORT_u08(b, x)
+
+#define BSB_LEXPORT_u16(b, x) \
+ do \
+ { \
+ if ((b).ptr + 2 <= (b).end) \
+ { \
+ uint16_t t = (uint16_t)x; \
+ *(((b).ptr)++) = (t & 0x00ff); \
+ *(((b).ptr)++) = (t & 0xff00) >> 8; \
+ } \
+ else \
+ BSB_SET_ERROR(b); \
+ } while (0)
+
+#define BSB_LEXPORT_u32(b, x) \
+ do \
+ { \
+ if ((b).ptr + 4 <= (b).end) \
+ { \
+ uint32_t t = x; \
+ *(((b).ptr)++) = (t & 0x000000ff); \
+ *(((b).ptr)++) = (t & 0x0000ff00) >> 8; \
+ *(((b).ptr)++) = (t & 0x00ff0000) >> 16; \
+ *(((b).ptr)++) = (t & 0xff000000) >> 24; \
+ } \
+ else \
+ BSB_SET_ERROR(b); \
+ } while (0)
+
+#define BSB_LIMPORT_u08(b, x) BSB_IMPORT_u08(b, x)
+
+#define BSB_LIMPORT_u16(b, x) \
+ do \
+ { \
+ if ((b).ptr + 2 <= (b).end) \
+ { \
+ x = ((uint16_t)((b).ptr)[1]) << 8 | \
+ ((uint16_t)((b).ptr)[0]); \
+ (b).ptr += 2; \
+ } \
+ else \
+ BSB_SET_ERROR(b); \
+ } while (0)
+
+#define BSB_LIMPORT_u24(b, x) \
+ do \
+ { \
+ if ((b).ptr + 3 <= (b).end) \
+ { \
+ x = ((uint32_t)((b).ptr)[2]) << 16 | \
+ ((uint32_t)((b).ptr)[1]) << 8 | \
+ ((uint32_t)((b).ptr)[0]); \
+ (b).ptr += 3; \
+ } \
+ else \
+ BSB_SET_ERROR(b); \
+ } while (0)
+
+#define BSB_LIMPORT_u32(b, x) \
+ do \
+ { \
+ if ((b).ptr + 4 <= (b).end) \
+ { \
+ x = ((uint32_t)((b).ptr)[3]) << 24 | \
+ ((uint32_t)((b).ptr)[2]) << 16 | \
+ ((uint32_t)((b).ptr)[1]) << 8 | \
+ ((uint32_t)((b).ptr)[0]); \
+ (b).ptr += 4; \
+ } \
+ else \
+ BSB_SET_ERROR(b); \
+ } while (0)
+
+#define BSB_IMPORT_ptr(b, x, size) \
+ do \
+ { \
+ if ((b).ptr + size <= (b).end && \
+ (b).ptr + size >= (b).buf) \
+ { \
+ (x) = (b).ptr; \
+ (b).ptr += size; \
+ } \
+ else \
+ { \
+ BSB_SET_ERROR(b); \
+ x = 0; \
+ } \
+ } while (0)
+
+#define BSB_LIMPORT_ptr BSB_IMPORT_ptr
+#define BSB_IMPORT_skip BSB_EXPORT_skip
+#define BSB_LIMPORT_skip BSB_EXPORT_skip
+#define BSB_IMPORT_rewind BSB_EXPORT_rewind
+#define BSB_LIMPORT_rewind BSB_EXPORT_rewind
+
+#define BSB_memchr(b, ch, pos) \
+ do \
+ { \
+ if (BSB_IS_ERROR(b)) \
+ { \
+ pos = 0; \
+ break; \
+ } \
+ char *s = memchr((char *)b.ptr, ch, BSB_REMAINING(b)); \
+ if (s) \
+ pos = (char *)s - (char *)b.ptr; \
+ else \
+ pos = 0; \
+ } while (0)
+
+#define BSB_memcmp(str, b, len) ((b).ptr + len <= (b).end ? memcmp(str, b.ptr, len) : -1)
+
+#define BSB_PEEK(b) ((b).ptr + 1 <= (b).end ? *b.ptr : -1)
+
+#define BSB_IMPORT_zbyte(b, x, size) \
+ do \
+ { \
+ if ((b).ptr + size <= (b).end) \
+ { \
+ memcpy(x, b, size); \
+ (x)[size] = 0; \
+ (b).ptr += size; \
+ } \
+ else \
+ { \
+ BSB_SET_ERROR(b); \
+ (x)[0] = 0; \
+ } \
+ } while (0)
+
+/* Private data structure */
+typedef struct bsb
+{
+ unsigned char *buf;
+ unsigned char *ptr;
+ unsigned char *end;
+} BSB;
+
+int ja3_md5sum(const char *str, int len, char *buf, int size)
+{
+ int n;
+ int ret = 0;
+ MD5_CTX ctx;
+ unsigned char tmp[MD5_DIGEST_LENGTH];
+
+ MD5_Init(&ctx);
+ MD5_Update(&ctx, str, len);
+ MD5_Final(tmp, &ctx);
+
+ for (n = 0; n < MD5_DIGEST_LENGTH; n++)
+ {
+ ret += snprintf(buf + ret, size - ret, "%.2x", tmp[n]);
+ }
+
+ return ret;
+}
+
+
+// https://tools.ietf.org/html/draft-davidben-tls-grease-00
+static int tls_is_grease_value(uint32_t val)
+{
+ if ((val & 0x0f) != 0x0a)
+ return 0;
+
+ if ((val & 0xff) != ((val >> 8) & 0xff))
+ return 0;
+
+ return 1;
+}
+
+static int ssl_generate_ja3_fingerprint(const unsigned char *data, int len, char *ja3_fp, int ja3_fp_len, char *sni_buff, int sni_buff_len)
+{
+ BSB sslbsb;
+ //char ja3[30000];
+ BSB ja3bsb;
+ char ecfja3[1000];
+ BSB ecfja3bsb;
+ char eja3[10000];
+ BSB eja3bsb;
+ char ecja3[10000];
+ BSB ecja3bsb;
+
+ BSB_INIT(sslbsb, data, len);
+ BSB_INIT(ja3bsb, ja3_fp, ja3_fp_len);
+ BSB_INIT(ecja3bsb, ecja3, sizeof(ecja3));
+ BSB_INIT(ecfja3bsb, ecfja3, sizeof(ecfja3));
+ BSB_INIT(eja3bsb, eja3, sizeof(eja3));
+
+ if (BSB_REMAINING(sslbsb) > 5)
+ {
+ unsigned char *ssldata = BSB_WORK_PTR(sslbsb);
+ int ssllen = MIN(BSB_REMAINING(sslbsb) - 5, ssldata[3] << 8 | ssldata[4]);
+
+ BSB pbsb;
+ BSB_INIT(pbsb, ssldata + 5, ssllen);
+
+ if (BSB_REMAINING(pbsb) > 7)
+ {
+ unsigned char *pdata = BSB_WORK_PTR(pbsb);
+ int plen = MIN(BSB_REMAINING(pbsb) - 4, pdata[2] << 8 | pdata[3]);
+
+ uint16_t ver = 0;
+ BSB_IMPORT_skip(pbsb, 4); // type + len
+ BSB_IMPORT_u16(pbsb, ver);
+
+ BSB_EXPORT_sprintf(ja3bsb, "%d,", ver);
+
+ BSB cbsb;
+ BSB_INIT(cbsb, pdata + 6, plen - 2); // The - 4 for plen is done above, confusing
+
+ if (BSB_REMAINING(cbsb) > 32)
+ {
+ BSB_IMPORT_skip(cbsb, 32); // Random
+
+ int skiplen = 0;
+ BSB_IMPORT_u08(cbsb, skiplen); // Session Id Length
+ if (skiplen > 0 && BSB_REMAINING(cbsb) > skiplen)
+ {
+ // unsigned char *ptr = BSB_WORK_PTR(cbsb);
+ // char sessionId[513];
+ // int i;
+
+ // for (i = 0; i < skiplen; i++)
+ // {
+ // sessionId[i * 2] = moloch_char_to_hexstr[ptr[i]][0];
+ // sessionId[i * 2 + 1] = moloch_char_to_hexstr[ptr[i]][1];
+ // }
+ // sessionId[skiplen * 2] = 0;
+ // moloch_field_string_add(srcIdField, session, sessionId, skiplen * 2, TRUE);
+ }
+ BSB_IMPORT_skip(cbsb, skiplen); // Session Id
+
+ BSB_IMPORT_u16(cbsb, skiplen); // Ciper Suites Length
+ while (BSB_NOT_ERROR(cbsb) && skiplen > 0)
+ {
+ uint16_t c = 0;
+ BSB_IMPORT_u16(cbsb, c);
+ if (!tls_is_grease_value(c))
+ {
+ BSB_EXPORT_sprintf(ja3bsb, "%d-", c);
+ }
+ skiplen -= 2;
+ }
+ BSB_EXPORT_rewind(ja3bsb, 1); // Remove last -
+ BSB_EXPORT_u08(ja3bsb, ',');
+
+ BSB_IMPORT_u08(cbsb, skiplen); // Compression Length
+ BSB_IMPORT_skip(cbsb, skiplen); // Compressions
+
+ if (BSB_REMAINING(cbsb) > 6)
+ {
+ int etotlen = 0;
+ BSB_IMPORT_u16(cbsb, etotlen); // Extensions Length
+
+ etotlen = MIN(etotlen, BSB_REMAINING(cbsb));
+
+ BSB ebsb;
+ BSB_INIT(ebsb, BSB_WORK_PTR(cbsb), etotlen);
+
+ while (BSB_REMAINING(ebsb) > 4)
+ {
+ uint16_t etype = 0, elen = 0;
+
+ BSB_IMPORT_u16(ebsb, etype);
+ BSB_IMPORT_u16(ebsb, elen);
+
+ if (!tls_is_grease_value(etype))
+ BSB_EXPORT_sprintf(eja3bsb, "%d-", etype);
+
+ if (elen > BSB_REMAINING(ebsb))
+ break;
+
+ if (etype == 0)
+ { // SNI
+ BSB snibsb;
+ BSB_INIT(snibsb, BSB_WORK_PTR(ebsb), elen);
+ BSB_IMPORT_skip(ebsb, elen);
+
+ int sni = 0;
+ BSB_IMPORT_u16(snibsb, sni); // list len
+ if (sni != BSB_REMAINING(snibsb))
+ continue;
+
+ BSB_IMPORT_u08(snibsb, sni); // type
+ if (sni != 0)
+ continue;
+
+ BSB_IMPORT_u16(snibsb, sni); // len
+ if (sni != BSB_REMAINING(snibsb))
+ continue;
+
+ memcpy(sni_buff, (char *)BSB_WORK_PTR(snibsb), (sni>sni_buff_len ? sni_buff_len : sni));
+ // moloch_field_string_add(hostField, session, (char *)BSB_WORK_PTR(snibsb), sni, TRUE);
+ }
+ else if (etype == 0x000a)
+ { // Elliptic Curves
+ BSB bsb;
+ BSB_INIT(bsb, BSB_WORK_PTR(ebsb), elen);
+ BSB_IMPORT_skip(ebsb, elen);
+
+ uint16_t llen = 0;
+ BSB_IMPORT_u16(bsb, llen); // list len
+ while (llen > 0 && !BSB_IS_ERROR(bsb))
+ {
+ uint16_t c = 0;
+ BSB_IMPORT_u16(bsb, c);
+ if (!tls_is_grease_value(c))
+ {
+ BSB_EXPORT_sprintf(ecja3bsb, "%d-", c);
+ }
+ llen -= 2;
+ }
+ BSB_EXPORT_rewind(ecja3bsb, 1); // Remove last -
+ }
+ else if (etype == 0x000b)
+ { // Elliptic Curves point formats
+ BSB bsb;
+ BSB_INIT(bsb, BSB_WORK_PTR(ebsb), elen);
+ BSB_IMPORT_skip(ebsb, elen);
+
+ uint16_t llen = 0;
+ BSB_IMPORT_u08(bsb, llen); // list len
+ while (llen > 0 && !BSB_IS_ERROR(bsb))
+ {
+ uint8_t c = 0;
+ BSB_IMPORT_u08(bsb, c);
+ BSB_EXPORT_sprintf(ecfja3bsb, "%d-", c);
+ llen -= 1;
+ }
+ BSB_EXPORT_rewind(ecfja3bsb, 1); // Remove last -
+ }
+ else
+ {
+ BSB_IMPORT_skip(ebsb, elen);
+ }
+ }
+ BSB_EXPORT_rewind(eja3bsb, 1); // Remove last -
+ }
+ }
+ }
+ BSB_IMPORT_skip(sslbsb, ssllen + 5);
+
+ if (BSB_LENGTH(ja3bsb) > 0 && BSB_NOT_ERROR(ja3bsb) && BSB_NOT_ERROR(ecja3bsb) && BSB_NOT_ERROR(eja3bsb) && BSB_NOT_ERROR(ecfja3bsb))
+ {
+ BSB_EXPORT_sprintf(ja3bsb, "%.*s,%.*s,%.*s", (int)BSB_LENGTH(eja3bsb), eja3, (int)BSB_LENGTH(ecja3bsb), ecja3, (int)BSB_LENGTH(ecfja3bsb), ecfja3);
+ }
+ return 1;
+ }
+
+ return 0;
+}
+
+int tsg_ssl_ja3_fingerprint_generate(const unsigned char *buff, int buff_len, char *ja3_fingerprint, int n_ja3_fingerprint, int thread_seq)
+{
+ if(n_ja3_fingerprint<(2*MD5_DIGEST_LENGTH+1) || buff_len<=0 || buff==NULL)
+ {
+ return 0;
+ }
+
+ char ja3_fp[8192]={0};
+ char sni_buff[1024]={0};
+
+ int ret=ssl_generate_ja3_fingerprint(buff, buff_len, ja3_fp, sizeof(ja3_fp), sni_buff, sizeof(sni_buff));
+ if(ret==1 && strlen(ja3_fp)>0)
+ {
+ return ja3_md5sum(ja3_fp, strlen(ja3_fp), ja3_fingerprint, n_ja3_fingerprint);
+ }
+
+ return 0;
+} \ No newline at end of file
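Review bot: `ssl_generate_ja3_fingerprint` never checks that the record is a handshake (`ssldata[0]`) carrying a ClientHello (`pdata[0]`), and it returns 1 even when one of the BSBs is in the error state, so `tsg_ssl_ja3_fingerprint_generate` hashes whatever partial string is left in `ja3_fp`. When no cipher was written, `BSB_EXPORT_rewind(ja3bsb, 1)` removes the comma after the version; when a curve, point-format or extension list is empty, the rewind sets the error flag and the final `BSB_EXPORT_sprintf` is skipped, so in both cases a string with the wrong field count still becomes an MD5. The hash length is taken from `strlen(ja3_fp)`, although `BSB_EXPORT_u08` can write the last byte of the buffer without a terminator; passing the tracked `BSB_LENGTH(ja3bsb)` back to the caller would remove that dependency. The fence shows the guards I would add, with the consequence that a malformed hello yields no fingerprint instead of a misleading one.

```cpp
    if (BSB_REMAINING(sslbsb) > 5)
    {
        unsigned char *ssldata = BSB_WORK_PTR(sslbsb);
        if (ssldata[0] != 0x16) // content type is not "handshake"
            return 0;
        // … unchanged: ssllen computation and pbsb setup …

        if (BSB_REMAINING(pbsb) > 7)
        {
            unsigned char *pdata = BSB_WORK_PTR(pbsb);
            if (pdata[0] != 0x01) // handshake type is not ClientHello
                return 0;
            // … unchanged: version, cipher suites, compression, extensions …
        }
        BSB_IMPORT_skip(sslbsb, ssllen + 5);

        // Never hand a partial JA3 string to the hash step.
        if (BSB_LENGTH(ja3bsb) <= 0 || BSB_IS_ERROR(ja3bsb) || BSB_IS_ERROR(ecja3bsb) ||
            BSB_IS_ERROR(eja3bsb) || BSB_IS_ERROR(ecfja3bsb))
        {
            return 0;
        }
        // … unchanged: final BSB_EXPORT_sprintf joining eja3, ecja3, ecfja3 …
        return BSB_NOT_ERROR(ja3bsb) ? 1 : 0;
    }
```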
diff --git a/inc/tsg_ssl_utils.h b/src/tsg_ssl_utils.h
index 1d39b47..2d425e7 100644
--- a/inc/tsg_ssl_utils.h
+++ b/src/tsg_ssl_utils.h
@@ -35,3 +35,6 @@ struct ssl_chello
struct ssl_chello* ssl_chello_parse(const unsigned char* buff, size_t buff_len, enum chello_parse_result* result);
void ssl_chello_free(struct ssl_chello* chello);
+
+
+int tsg_ssl_ja3_fingerprint_generate(const unsigned char *buff, int buff_len, char *ja3_fingerprint, int n_ja3_fingerprint, int thread_seq);
diff --git a/src/tsg_variable.h b/src/tsg_variable.h
index 9a9d31d..af865bc 100644
--- a/src/tsg_variable.h
+++ b/src/tsg_variable.h
@@ -73,6 +73,7 @@ struct tsg_rt_para
int intercept_sid;
int send_resetall;
int scan_in_pkt_state;
+ int generate_ja3_fingerprint;
int app_metric_update_interval_ms;
enum DEPLOY_MODE deploy_mode;
int scan_time_interval;
diff --git a/test/src/CMakeLists.txt b/test/src/CMakeLists.txt
index 76ef411..c30b649 100644
--- a/test/src/CMakeLists.txt
+++ b/test/src/CMakeLists.txt
@@ -43,18 +43,19 @@ set(TSG_MASTER_SRC ${PROJECT_SOURCE_DIR}/src/tsg_entry.cpp
${PROJECT_SOURCE_DIR}/src/tsg_proxy.cpp
${PROJECT_SOURCE_DIR}/src/mpack.c
${PROJECT_SOURCE_DIR}/src/tsg_stat.cpp
+ ${PROJECT_SOURCE_DIR}/src/tsg_ssl_ja3_fingerprint.cpp
)
add_executable(gtest_master ${TSG_MASTER_SRC} gtest_kafka.cpp gtest_common.cpp gtest_master.cpp)
-target_link_libraries(gtest_master gtest-static ctemplate-static cjson MESA_prof_load MESA_handle_logger MESA_jump_layer MESA_field_stat2 maat4 MESA_htable fieldstat3)
+target_link_libraries(gtest_master gtest-static ctemplate-static cjson MESA_prof_load MESA_handle_logger MESA_jump_layer MESA_field_stat2 maat4 MESA_htable fieldstat3 crypto)
add_executable(gtest_sync_state ${PROJECT_SOURCE_DIR}/src/tsg_sync_state.cpp ${PROJECT_SOURCE_DIR}/src/mpack.c ${PROJECT_SOURCE_DIR}/src/tsg_stat.cpp gtest_common.cpp gtest_sync_state.cpp)
target_link_libraries(gtest_sync_state gtest-static cjson ctemplate-static MESA_prof_load MESA_handle_logger fieldstat3)
add_executable(gtest_fieldstat3 ${TSG_MASTER_SRC} gtest_common.cpp gtest_kafka.cpp gtest_fieldstat3.cpp)
-target_link_libraries(gtest_fieldstat3 gtest-static ctemplate-static cjson MESA_prof_load MESA_handle_logger MESA_jump_layer MESA_field_stat2 maat4 MESA_htable fieldstat3)
+target_link_libraries(gtest_fieldstat3 gtest-static ctemplate-static cjson MESA_prof_load MESA_handle_logger MESA_jump_layer MESA_field_stat2 maat4 MESA_htable fieldstat3 crypto)
add_executable(gtest_proxy ${TSG_MASTER_SRC} gtest_common.cpp gtest_proxy.cpp)
-target_link_libraries(gtest_proxy gtest-static ctemplate-static cjson MESA_prof_load MESA_handle_logger MESA_jump_layer MESA_field_stat2 maat4 rdkafka MESA_htable fieldstat3 pcap)
+target_link_libraries(gtest_proxy gtest-static ctemplate-static cjson MESA_prof_load MESA_handle_logger MESA_jump_layer MESA_field_stat2 maat4 rdkafka MESA_htable fieldstat3 pcap crypto)
file(COPY ../pcap/ DESTINATION ./pcap/)
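Review bot: The gtest targets built from `TSG_MASTER_SRC` now compile `tsg_ssl_ja3_fingerprint.cpp` and link `crypto`, but the commit's file list adds no test that feeds `tsg_ssl_ja3_fingerprint_generate` a ClientHello and compares the result with a known JA3 hash. The only test-side change is the removal of the `ssl_get_ja3_fingerprint` stub from `gtest_common.cpp`. Because this parser consumes raw network bytes, a gtest case with one valid hello and several truncated or malformed inputs (expecting a return of 0) would pin its behaviour before the `GENERATE_JA3_FINGERPRINT` switch is turned on in production.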
diff --git a/test/src/gtest_common.cpp b/test/src/gtest_common.cpp
index 71614f9..6c680f9 100644
--- a/test/src/gtest_common.cpp
+++ b/test/src/gtest_common.cpp
@@ -327,8 +327,3 @@ extern "C" bool dtls_identifyStream(struct streaminfo *a_udp)
{
return 0;
}
-
-struct ssl_ja3_info *ssl_get_ja3_fingerprint(struct streaminfo *stream, unsigned char *payload, int payload_len, int thread_seq)
-{
- return NULL;
-}