gfwleak/stellar-ssl-decoder
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Feature: add gtest case

Browse Source
This commit is contained in:
liuxueli
2024-08-06 08:04:00 +00:00
parent 4b3d68bc66
commit 2963165b5e
25 changed files with 3313 additions and 2449 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
bin/ssl_decoder.toml
View File

@@ -10,3 +10,6 @@ stat_per_thread_enable="no"
stat_name="SSL_DECODER" stat_name="SSL_DECODER"
stat_interval_time_s=5 stat_interval_time_s=5
stat_output="metrics/ssl_decoder_local_stat.json" stat_output="metrics/ssl_decoder_local_stat.json"
[decoder.ssl.test]
commit_result_enable="yes"

11
include/ssl_decoder.h
View File

@@ -12,10 +12,10 @@ extern "C"
enum ssl_message_type enum ssl_message_type
{ {
SSL_MESSAGE_CLIENT_HELLO, SSL_MESSAGE_CLIENT_HELLO=0x1,
SSL_MESSAGE_SERVER_HELLO, SSL_MESSAGE_SERVER_HELLO,
SSL_MESSAGE_CERTIFICATE, SSL_MESSAGE_CERTIFICATE,
SSL_PROTECTED_PAYLOAD, SSL_MESSAGE_ENCRYPTED_APPLICATION,
SSL_MSG_MAX, SSL_MSG_MAX,
}; };
@@ -23,6 +23,7 @@ struct ssl_message;
enum ssl_message_type ssl_message_type_get(const struct ssl_message *msg); enum ssl_message_type ssl_message_type_get(const struct ssl_message *msg);
// SSL_MESSAGE_CLIENT_HELLO // SSL_MESSAGE_CLIENT_HELLO
int32_t ssl_message_is_fragment(const struct ssl_message *msg);
int32_t ssl_message_esni_is_true(const struct ssl_message *msg); int32_t ssl_message_esni_is_true(const struct ssl_message *msg);
int32_t ssl_message_ech_is_true(const struct ssl_message *msg); int32_t ssl_message_ech_is_true(const struct ssl_message *msg);
@@ -53,8 +54,8 @@ void ssl_message_validity_before_get0(const struct ssl_message *msg, char **valu
void ssl_message_validity_after_get0(const struct ssl_message *msg, char **value, size_t *value_sz); void ssl_message_validity_after_get0(const struct ssl_message *msg, char **value, size_t *value_sz);
void ssl_message_issuer_serial_number_get0(const struct ssl_message *msg, char **value, size_t *value_sz); void ssl_message_issuer_serial_number_get0(const struct ssl_message *msg, char **value, size_t *value_sz);
void ssl_message_subject_public_key_algorithm_get0(const struct ssl_message *msg, char **value, size_t *value_sz); void ssl_message_subject_public_key_algorithm_get0(const struct ssl_message *msg, char **value, size_t *value_sz);
void ssl_message_ssl_algorithm_identifier_get0(const struct ssl_message *msg, char **value, size_t *value_sz); void ssl_message_algorithm_identifier_get0(const struct ssl_message *msg, char **value, size_t *value_sz);
void ssl_message_ssl_signature_algorithm_id_get0(const struct ssl_message *msg, char **value, size_t *value_sz); void ssl_message_signature_algorithm_id_get0(const struct ssl_message *msg, char **value, size_t *value_sz);
/** /**
* @brief loop reading all domain of subject_alter. * @brief loop reading all domain of subject_alter.
@@ -81,7 +82,7 @@ void ssl_rdn_sequence_state_or_province_get0(struct ssl_rdn_sequence *rdn, char
void ssl_rdn_sequence_organizational_unit_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz); void ssl_rdn_sequence_organizational_unit_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz);
void ssl_rdn_sequence_list_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz); void ssl_rdn_sequence_list_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz);
// SSL_PROTECTED_PAYLOAD // SSL_MESSAGE_ENCRYPTED_APPLICATION
void ssl_message_protected_payload_get0(const struct ssl_message *msg, char **value, size_t *value_sz); void ssl_message_protected_payload_get0(const struct ssl_message *msg, char **value, size_t *value_sz);
#ifdef __cplusplus #ifdef __cplusplus

655
src/ssl_decoder.cpp
View File

@@ -38,8 +38,29 @@ extern "C"
#include "ssl_internal.h" #include "ssl_internal.h"
#include "ssl_decoder.h" #include "ssl_decoder.h"
#define SSL_TRUNK_MESSAGE_TOPIC "SSL_TRUNK_MESSAGE"
UT_icd UT_ssl_hello_extension_icd={sizeof(struct ssl_decoder_ltv), NULL, NULL, NULL}; UT_icd UT_ssl_hello_extension_icd={sizeof(struct ssl_decoder_ltv), NULL, NULL, NULL};
#define SSL_TRUNK_MAGIC 0x5a5a5a5a
enum SSL_TRUNK_TYPE
{
SSL_TRUNK_TYPE_NONE=0,
SSL_TRUNK_TYPE_MOVE,
SSL_TRUNK_TYPE_APPEND,
SSL_TRUNK_TYPE_FREE,
SSL_TRUNK_TYPE_MAX,
};
struct ssl_trunk_message
{
uint32_t magic;
enum SSL_TRUNK_TYPE type;
struct ssl_record_trunk *record_trunk;
uint8_t *pdata;
size_t pdata_sz;
};
struct ssl_certificate_chain struct ssl_certificate_chain
{ {
uint8_t *data; uint8_t *data;
@@ -62,9 +83,10 @@ struct ssl_record_header
struct ssl_record_trunk struct ssl_record_trunk
{ {
struct ssl_record_header header; uint8_t is_contains_header;
size_t cache_len; struct ssl_record_header record_hdr;
uint8_t* cache_buff; size_t data_sz;
uint8_t *data;
}; };
#define SSL_NAME_MAX 256 #define SSL_NAME_MAX 256
@@ -96,6 +118,8 @@ struct ssl_decoder_plugin_env
int32_t n_net_port; int32_t n_net_port;
int32_t max_cache_len; int32_t max_cache_len;
struct message_schema ssl; struct message_schema ssl;
struct message_schema ptrunk;
struct message_schema strunk;
struct message_schema tcp_stream; struct message_schema tcp_stream;
struct ssl_decoder_stat stat; struct ssl_decoder_stat stat;
}; };
@@ -106,100 +130,6 @@ struct ssl_decoder_context
struct ssl_record_trunk record_trunk; struct ssl_record_trunk record_trunk;
}; };
void ssl_hello_md5sum(struct ssl_decoder_ltv *ltv, const char *str, size_t str_sz)
{
MD5_CTX ctx;
uint8_t md5[MD5_DIGEST_LENGTH];
MD5_Init(&ctx);
MD5_Update(&ctx, str, str_sz);
MD5_Final(md5, &ctx);
size_t offset=0;
size_t buff_sz=MD5_DIGEST_LENGTH*2+1;
char buff[buff_sz];
for(int32_t n=0; n<MD5_DIGEST_LENGTH; n++)
{
offset+=snprintf(buff+offset, buff_sz-offset, "%.2x", md5[n]);
}
ltv->lv_u32=offset;
ltv->type=SSL_DECODER_NONE;
ltv->value=(uint8_t *)malloc(offset);
memcpy(ltv->value, buff, offset);
}
// https://tools.ietf.org/html/draft-davidben-tls-grease-00
static int32_t ssl_is_grease_value(unsigned short val)
{
if((val & 0x0f)!=0x0a)
{
return SSL_DECODER_FALSE;
}
if((val & 0xff) != ((val >> 8) & 0xff))
{
return SSL_DECODER_FALSE;
}
return SSL_DECODER_TRUE;
}
void ssl_trunk_free(struct ssl_record_trunk *record_trunk)
{
if(record_trunk!=NULL)
{
if(record_trunk->cache_buff!=NULL)
{
FREE(record_trunk->cache_buff);
record_trunk->cache_buff=NULL;
}
record_trunk={0};
}
}
void ssl_trunk_cache(struct ssl_record_trunk *record_trunk, uint8_t *fragment, size_t fragment_sz)
{
if(fragment==NULL || fragment_sz==0)
{
return ;
}
if(record_trunk->cache_buff==NULL)
{
record_trunk->cache_buff=(uint8_t *)malloc(fragment_sz);
}
memmove(record_trunk->cache_buff+record_trunk->cache_len, fragment, fragment_sz);
record_trunk->cache_len+=fragment_sz;
}
int32_t is_trunk_cache(struct ssl_record_trunk *record_trunk)
{
return ((record_trunk->cache_len>0) ? SSL_DECODER_TRUE : SSL_DECODER_FALSE);
}
void ssl_recod_buff_get0(struct ssl_record_trunk *record_trunk, uint8_t **record_buff, size_t *record_buff_sz)
{
if(!is_trunk_cache(record_trunk) || (*record_buff_sz)<=SSL_RECORD_HEADER_SZ)
{
return ;
}
ssl_trunk_cache(record_trunk, (*record_buff), (*record_buff_sz));
(*record_buff)=record_trunk->cache_buff;
(*record_buff_sz)=record_trunk->cache_len;
}
void ssl_handshake_server_key_exchange_decode()
{
}
int32_t ssl_read_u8(uint8_t *pdata, size_t pdata_sz, size_t *pdata_offset, uint8_t *value) int32_t ssl_read_u8(uint8_t *pdata, size_t pdata_sz, size_t *pdata_offset, uint8_t *value)
{ {
if(pdata_sz<(*pdata_offset)+1) if(pdata_sz<(*pdata_offset)+1)
@@ -269,6 +199,206 @@ int32_t ssl_read_be_u32(uint8_t *pdata, size_t pdata_sz, size_t *pdata_offset, u
return SSL_DECODER_TRUE; return SSL_DECODER_TRUE;
} }
void ssl_hello_md5sum(struct ssl_decoder_ltv *ltv, const char *str, size_t str_sz)
{
MD5_CTX ctx;
uint8_t md5[MD5_DIGEST_LENGTH];
MD5_Init(&ctx);
MD5_Update(&ctx, str, str_sz);
MD5_Final(md5, &ctx);
size_t offset=0;
size_t buff_sz=MD5_DIGEST_LENGTH*2+1;
char buff[buff_sz];
for(int32_t n=0; n<MD5_DIGEST_LENGTH; n++)
{
offset+=snprintf(buff+offset, buff_sz-offset, "%.2x", md5[n]);
}
ltv->lv_u32=offset;
ltv->type=SSL_DECODER_NONE;
ltv->value=(uint8_t *)malloc(offset);
memcpy(ltv->value, buff, offset);
}
// https://tools.ietf.org/html/draft-davidben-tls-grease-00
static int32_t ssl_is_grease_value(unsigned short val)
{
if((val & 0x0f)!=0x0a)
{
return SSL_DECODER_FALSE;
}
if((val & 0xff) != ((val >> 8) & 0xff))
{
return SSL_DECODER_FALSE;
}
return SSL_DECODER_TRUE;
}
void ssl_trunk_free(struct ssl_record_trunk *record_trunk)
{
if(record_trunk!=NULL)
{
if(record_trunk->data!=NULL)
{
FREE(record_trunk->data);
}
record_trunk->data=NULL;
record_trunk->data_sz=0;
record_trunk->is_contains_header=SSL_DECODER_TRUE;
record_trunk->record_hdr={0};
}
}
void ssl_trunk_cache(struct ssl_record_trunk *record_trunk, enum SSL_TRUNK_TYPE type, uint8_t *fragment, size_t fragment_sz)
{
if(record_trunk==NULL || fragment==NULL || fragment_sz==0)
{
return ;
}
switch(type)
{
case SSL_TRUNK_TYPE_MOVE:
{
uint8_t *tmp=(uint8_t *)malloc(fragment_sz);
memcpy(tmp, fragment, fragment_sz);
if(record_trunk->data!=NULL)
{
FREE(record_trunk->data);
}
record_trunk->data=tmp;
record_trunk->data_sz=fragment_sz;
}
break;
case SSL_TRUNK_TYPE_APPEND:
record_trunk->data=(record_trunk->data==NULL) ? (uint8_t *)malloc(fragment_sz) : (uint8_t *)realloc(record_trunk->data, record_trunk->data_sz+fragment_sz);
memcpy(record_trunk->data+record_trunk->data_sz, fragment, fragment_sz);
record_trunk->data_sz+=fragment_sz;
break;
default:
break;
}
}
int32_t is_trunk_cache(struct ssl_record_trunk *record_trunk)
{
return ((record_trunk->data_sz>0) ? SSL_DECODER_TRUE : SSL_DECODER_FALSE);
}
int32_t ssl_record_header_get(struct ssl_record_header *record_hdr, uint8_t *pdata, size_t pdata_sz, size_t *pdata_offset)
{
if(pdata_sz<(*pdata_offset)+SSL_RECORD_HEADER_SZ)
{
return SSL_DECODER_FALSE;
}
ssl_read_u8(pdata, pdata_sz, pdata_offset, &(record_hdr->content_type));
ssl_read_be_u16(pdata, pdata_sz, pdata_offset, &(record_hdr->version));
ssl_read_be_u16(pdata, pdata_sz, pdata_offset, &(record_hdr->total_len));
return SSL_DECODER_TRUE;
}
void ssl_recod_buff_get0(struct ssl_record_trunk *record_trunk, uint8_t **record_buff, size_t *record_buff_sz)
{
if(!is_trunk_cache(record_trunk) && (*record_buff_sz)>SSL_RECORD_HEADER_SZ)
{
return ;
}
if(record_trunk->is_contains_header==SSL_DECODER_TRUE)
{
ssl_trunk_cache(record_trunk, SSL_TRUNK_TYPE_APPEND, (*record_buff), (*record_buff_sz));
}
else
{
size_t offset=0;
struct ssl_record_header record_hdr={0};
ssl_record_header_get(&record_hdr, *record_buff, *record_buff_sz, &offset);
if(record_hdr.content_type!=record_trunk->record_hdr.content_type)
{
ssl_trunk_free(record_trunk);
return ;
}
if((*record_buff_sz)<SSL_RECORD_HEADER_SZ)
{
return ;
}
ssl_trunk_cache(record_trunk, SSL_TRUNK_TYPE_APPEND, (*record_buff)+SSL_RECORD_HEADER_SZ, (*record_buff_sz)-SSL_RECORD_HEADER_SZ);
}
(*record_buff)=record_trunk->data;
(*record_buff_sz)=record_trunk->data_sz;
}
void ssl_trunk_message_segment_data_cb(struct session *ss, int32_t topic_id, const void *msg, void *per_session_ctx, void *penv)
{
struct ssl_trunk_message *trunk_msg=(struct ssl_trunk_message *)msg;
if(trunk_msg==NULL || trunk_msg->magic!=SSL_TRUNK_MAGIC)
{
return ;
}
switch(trunk_msg->type)
{
case SSL_TRUNK_TYPE_MOVE:
ssl_trunk_cache(trunk_msg->record_trunk, SSL_TRUNK_TYPE_MOVE, trunk_msg->pdata, trunk_msg->pdata_sz);
break;
case SSL_TRUNK_TYPE_APPEND:
ssl_trunk_cache(trunk_msg->record_trunk, SSL_TRUNK_TYPE_APPEND, trunk_msg->pdata, trunk_msg->pdata_sz);
break;
case SSL_TRUNK_TYPE_FREE:
ssl_trunk_free(trunk_msg->record_trunk);
break;
default:
break;
}
}
void ssl_trunk_message_publish(struct ssl_decoder_plugin_env *plugin_env, struct session *ss, struct ssl_record_trunk *record_trunk, uint8_t *pdata, size_t pdata_sz)
{
struct ssl_trunk_message *message=(struct ssl_trunk_message *)malloc(sizeof(struct ssl_trunk_message));
message->magic=SSL_TRUNK_MAGIC;
message->record_trunk=record_trunk;
message->pdata=pdata;
message->pdata_sz=pdata_sz;
if(pdata_sz==0)
{
message->type=SSL_TRUNK_TYPE_FREE;
}
else
{
message->type=((is_trunk_cache(record_trunk)) ? SSL_TRUNK_TYPE_MOVE : SSL_TRUNK_TYPE_APPEND);
}
if(((long long)pdata_sz) <0)
{
abort();
}
session_mq_publish_message(ss, plugin_env->ptrunk.topic_id, (void *)message);
}
void ssl_trunk_message_free(struct session *sess, void *msg, void *msg_free_arg)
{
struct ssl_trunk_message *trunk_msg=(struct ssl_trunk_message *)msg;
if(trunk_msg==NULL)
{
return ;
}
FREE(trunk_msg);
}
int32_t ssl_decoder_ltv_get(struct ssl_decoder_ltv *ltv, uint16_t type, uint8_t *pdata, size_t pdata_sz, size_t *pdata_offset) int32_t ssl_decoder_ltv_get(struct ssl_decoder_ltv *ltv, uint16_t type, uint8_t *pdata, size_t pdata_sz, size_t *pdata_offset)
{ {
if(ltv==NULL || pdata==NULL || pdata_sz<(*pdata_offset)) if(ltv==NULL || pdata==NULL || pdata_sz<(*pdata_offset))
@@ -723,7 +853,7 @@ struct ssl_client_hello *ssl_handshake_client_hello_decode(uint8_t *pdata, size_
utarray_push_back(chello->extensions, &ltv); utarray_push_back(chello->extensions, &ltv);
switch(ltv.type) switch(ltv.vtype)
{ {
case SERVER_NAME_EXT_TYPE: case SERVER_NAME_EXT_TYPE:
{ {
@@ -900,7 +1030,7 @@ int32_t ssl_client_hello_ja3_generate(struct ssl_client_hello *chello)
return SSL_DECODER_TRUE; return SSL_DECODER_TRUE;
} }
void ssl_message_publish(struct ssl_decoder_plugin_env *plugin_env, struct session *ss, enum ssl_message_type type, void *data) void ssl_message_publish(struct ssl_decoder_plugin_env *plugin_env, struct session *ss, enum ssl_message_type type, void *data, size_t data_sz)
{ {
struct ssl_message *message=(struct ssl_message *)malloc(sizeof(struct ssl_message)); struct ssl_message *message=(struct ssl_message *)malloc(sizeof(struct ssl_message));
message->magic=SSL_MESSAGE_MAGIC; message->magic=SSL_MESSAGE_MAGIC;
@@ -908,11 +1038,11 @@ void ssl_message_publish(struct ssl_decoder_plugin_env *plugin_env, struct sessi
message->ss=ss; message->ss=ss;
message->plugin_env=plugin_env; message->plugin_env=plugin_env;
message->data=data; message->data=data;
message->data_sz=data_sz;
session_mq_publish_message(ss, plugin_env->ssl.topic_id, (void *)message); session_mq_publish_message(ss, plugin_env->ssl.topic_id, (void *)message);
} }
void ssl_message_free(struct session *sess, void *msg, void *msg_free_arg) void ssl_message_free(struct session *sess, void *msg, void *msg_free_arg)
{ {
struct ssl_message *message=(struct ssl_message *)msg; struct ssl_message *message=(struct ssl_message *)msg;
@@ -932,6 +1062,8 @@ void ssl_message_free(struct session *sess, void *msg, void *msg_free_arg)
{ {
utarray_free(chello->extensions); utarray_free(chello->extensions);
} }
FREE(message->data);
} }
break; break;
case SSL_MESSAGE_SERVER_HELLO: case SSL_MESSAGE_SERVER_HELLO:
@@ -941,6 +1073,8 @@ void ssl_message_free(struct session *sess, void *msg, void *msg_free_arg)
{ {
utarray_free(shello->extensions); utarray_free(shello->extensions);
} }
FREE(message->data);
} }
break; break;
case SSL_MESSAGE_CERTIFICATE: case SSL_MESSAGE_CERTIFICATE:
@@ -955,103 +1089,112 @@ void ssl_message_free(struct session *sess, void *msg, void *msg_free_arg)
{ {
FREE(certificate->subject_key.value); FREE(certificate->subject_key.value);
} }
FREE(message->data);
} }
break; break;
default: default:
break; break;
} }
FREE(message->data);
} }
FREE(message); FREE(message);
} }
int32_t ssl_handshake_decode(struct ssl_decoder_plugin_env *plugin_env, struct session *ss, uint8_t *pdata, size_t pdata_sz, size_t *pdata_offset, size_t total_sz)
void ssl_handshake_decode(struct ssl_decoder_plugin_env *plugin_env, struct session *ss, uint8_t *pdata, size_t pdata_sz, size_t *pdata_offset)
{ {
if(pdata==NULL || ((*pdata_offset)+1>pdata_sz)) if(pdata==NULL || ((*pdata_offset)+1>pdata_sz))
{
return ;
}
struct ssl_handshake_type *handshake_type=(struct ssl_handshake_type *)(pdata+(*pdata_offset));
(*pdata_offset)+=sizeof(struct ssl_handshake_type);
int32_t total_len=0;
int32_t ret=ssl_read_be_u24(pdata, pdata_sz, pdata_offset, (uint8_t *)&total_len);
if(ret==SSL_DECODER_FALSE || total_len<0 || total_len+(*pdata_offset)>pdata_sz)
{
return ;
}
switch(handshake_type->content_type)
{
case SSL_HANDSHAKE_CLIENT_HELLO:
{
struct ssl_client_hello *chello=ssl_handshake_client_hello_decode(pdata, pdata_sz, pdata_offset);
ssl_client_hello_ja3_generate(chello);
ssl_message_publish(plugin_env, ss, SSL_MESSAGE_CLIENT_HELLO, (void *)chello);
}
break;
case SSL_HANDSHAKE_SERVER_HELLO:
{
struct ssl_server_hello *shello=ssl_handshake_server_hello_decode(pdata, pdata_sz, pdata_offset);
ssl_server_hello_ja3s_generate(shello);
ssl_message_publish(plugin_env, ss, SSL_MESSAGE_SERVER_HELLO, (void *)shello);
}
break;
case SSL_HANDSHAKE_CERTIFICATE:
{
int32_t cert_total_len=0;
ret=ssl_read_be_u24(pdata, pdata_sz, pdata_offset, (uint8_t *)&cert_total_len);
if(ret==SSL_DECODER_FALSE || cert_total_len<0 || cert_total_len+(*pdata_offset)>pdata_sz || (cert_total_len+3)!=total_len)
{
return ;
}
struct ssl_certificate_chain cert_unit[SSL_CERTIFICATE_NUM_MAX];
uint32_t cert_count=ssl_handshake_certificate_count_get(pdata, pdata_sz, pdata_offset, cert_unit, SSL_CERTIFICATE_NUM_MAX);
for(uint32_t i=0, cert_offset=0; i<cert_count; i++, cert_offset++)
{
struct ssl_certificate *certificate=(struct ssl_certificate *)CALLOC(struct ssl_certificate, 1);
certificate->type=ssl_handshake_certificate_type_get(cert_count, cert_offset);
int32_t state=ssl_x509_certificate_detail_decode(certificate, cert_unit[i].data, cert_unit[i].data_sz);
if(state==SSL_DECODER_FALSE)
{
FREE(certificate);
return ;
}
ssl_message_publish(plugin_env, ss, SSL_MESSAGE_CERTIFICATE, (void *)certificate);
}
}
break;
case SSL_HANDSHAKE_SERVER_KEY_EXCHANGE:
// ssl_handshake_server_key_exchange_decode();
break;
default:
break;
}
}
int32_t ssl_record_header_get(struct ssl_record_header *record_hdr, uint8_t *pdata, size_t pdata_sz, size_t *pdata_offset)
{
if(pdata_sz<(*pdata_offset)+SSL_RECORD_HEADER_SZ)
{ {
return SSL_DECODER_FALSE; return SSL_DECODER_FALSE;
} }
ssl_read_u8(pdata, pdata_sz, pdata_offset, &(record_hdr->content_type)); size_t hd_offset=0;
ssl_read_be_u16(pdata, pdata_sz, pdata_offset, &(record_hdr->version)); while(total_sz>hd_offset && pdata_sz>(*pdata_offset))
ssl_read_be_u16(pdata, pdata_sz, pdata_offset, &(record_hdr->total_len)); {
struct ssl_handshake_type *handshake_type=(struct ssl_handshake_type *)(pdata+(*pdata_offset));
if(handshake_type->content_type==SSL_HANDSHAKE_ENCRYPTED_MESSAGE)
{
hd_offset=total_sz;
(*pdata_offset)+=total_sz;
return SSL_DECODER_TRUE;
}
(*pdata_offset)+=sizeof(struct ssl_handshake_type);
int32_t total_len=0;
int32_t ret=ssl_read_be_u24(pdata, pdata_sz, pdata_offset, (uint8_t *)&total_len);
if(ret==SSL_DECODER_FALSE)
{
return SSL_DECODER_CONTINUE;
}
if(total_len<0)
{
return SSL_DECODER_FALSE;
}
if(total_len+(*pdata_offset)>pdata_sz)
{
return SSL_DECODER_CONTINUE;
}
size_t offset=(*pdata_offset);
(*pdata_offset)+=total_len;
hd_offset+=total_len+4;
switch(handshake_type->content_type)
{
case SSL_HANDSHAKE_CLIENT_HELLO:
{
struct ssl_client_hello *chello=ssl_handshake_client_hello_decode(pdata, pdata_sz, &offset);
ssl_client_hello_ja3_generate(chello);
ssl_message_publish(plugin_env, ss, SSL_MESSAGE_CLIENT_HELLO, (void *)chello, sizeof(struct ssl_client_hello));
}
break;
case SSL_HANDSHAKE_SERVER_HELLO:
{
struct ssl_server_hello *shello=ssl_handshake_server_hello_decode(pdata, pdata_sz, &offset);
ssl_server_hello_ja3s_generate(shello);
ssl_message_publish(plugin_env, ss, SSL_MESSAGE_SERVER_HELLO, (void *)shello, sizeof(struct ssl_server_hello));
}
break;
case SSL_HANDSHAKE_CERTIFICATE:
{
int32_t cert_total_len=0;
ret=ssl_read_be_u24(pdata, pdata_sz, &offset, (uint8_t *)&cert_total_len);
if(ret==SSL_DECODER_FALSE || cert_total_len<0 || cert_total_len+offset>pdata_sz || (cert_total_len+3)!=total_len)
{
break;
}
struct ssl_certificate_chain cert_unit[SSL_CERTIFICATE_NUM_MAX];
uint32_t cert_count=ssl_handshake_certificate_count_get(pdata, pdata_sz, &offset, cert_unit, SSL_CERTIFICATE_NUM_MAX);
for(uint32_t i=0, cert_offset=0; i<cert_count; i++, cert_offset++)
{
struct ssl_certificate *certificate=(struct ssl_certificate *)CALLOC(struct ssl_certificate, 1);
certificate->type=ssl_handshake_certificate_type_get(cert_count, cert_offset);
int32_t state=ssl_x509_certificate_detail_decode(certificate, cert_unit[i].data, cert_unit[i].data_sz);
if(state==SSL_DECODER_FALSE)
{
FREE(certificate);
break;
}
ssl_message_publish(plugin_env, ss, SSL_MESSAGE_CERTIFICATE, (void *)certificate, sizeof(struct ssl_certificate));
}
}
break;
case SSL_HANDSHAKE_SERVER_KEY_EXCHANGE:
default:
break;
}
}
return SSL_DECODER_TRUE; return SSL_DECODER_TRUE;
} }
void ssl_tcp_stream_session_segment_data_cb(struct session *ss, int32_t topic_id, const void *msg, void *per_session_ctx, void *penv) void ssl_tcp_stream_session_segment_data_cb(struct session *ss, int32_t topic_id, const void *msg, void *per_session_ctx, void *penv)
{ {
size_t pdata_offset=0; size_t pdata_offset=0;
@@ -1063,48 +1206,84 @@ void ssl_tcp_stream_session_segment_data_cb(struct session *ss, int32_t topic_id
return ; return ;
} }
/* // fragment: 1: less than SSL_RECORD_HEADER_SZ; 2: less than the length of the message; 3: multiple record messages
* fragment: struct ssl_decoder_plugin_env *plugin_env=(struct ssl_decoder_plugin_env *)penv;
1: less than SSL_RECORD_HEADER_SZ struct ssl_decoder_context *per_ss_ctx=(struct ssl_decoder_context *)(per_session_ctx);
2: less than the length of the message
*/
struct ssl_decoder_context *per_ss_ctx=(struct ssl_decoder_context *)(per_session_ctx);
ssl_recod_buff_get0(&(per_ss_ctx->record_trunk), &pdata, &pdata_sz); ssl_recod_buff_get0(&(per_ss_ctx->record_trunk), &pdata, &pdata_sz);
if(pdata_sz<=SSL_RECORD_HEADER_SZ) if(pdata_sz<=SSL_RECORD_HEADER_SZ)
{ {
return ; return ;
} }
struct ssl_record_header record_hdr={0}; while(pdata_sz>pdata_offset)
ssl_record_header_get(&record_hdr, pdata, pdata_sz, &pdata_offset);
if(!is_trunk_cache(&(per_ss_ctx->record_trunk)) && pdata_sz<record_hdr.total_len)
{ {
ssl_trunk_cache(&(per_ss_ctx->record_trunk), pdata, pdata_sz); struct ssl_record_header record_hdr={0};
return ; if(per_ss_ctx->record_trunk.is_contains_header==SSL_DECODER_TRUE)
{
ssl_record_header_get(&record_hdr, pdata, pdata_sz, &pdata_offset);
}
else
{
record_hdr=per_ss_ctx->record_trunk.record_hdr;
record_hdr.total_len=pdata_sz;
}
int32_t ret=SSL_DECODER_TRUE;
size_t offset=pdata_offset;
switch(record_hdr.content_type)
{
case SSL_CONTENT_TYPE_HANDSHAKE:
if(pdata_sz-pdata_offset<record_hdr.total_len)
{
pdata_offset-=5;
ret=SSL_DECODER_FALSE;
per_ss_ctx->record_trunk.record_hdr=record_hdr;
per_ss_ctx->record_trunk.is_contains_header=SSL_DECODER_TRUE;
break;
}
else
{
ret=ssl_handshake_decode(plugin_env, ss, pdata, pdata_sz, &offset, record_hdr.total_len);
pdata_offset=((ret==SSL_DECODER_FALSE) ? pdata_sz : pdata_offset);
}
break;
case SSL_CONTENT_TYPE_APPLICATION_DATA:
ssl_message_publish(plugin_env, ss, SSL_MESSAGE_ENCRYPTED_APPLICATION, (void *)(pdata+offset), record_hdr.total_len);
offset+=record_hdr.total_len;
break;
case SSL_CONTENT_TYPE_ALERT:
case SSL_CONTENT_TYPE_CHANGE_CIPHER_SPEC:
offset+=record_hdr.total_len;
break;
default:
offset+=record_hdr.total_len;
if(per_ss_ctx->identify_pkt_count++>=plugin_env->max_identify_pkt)
{
stellar_session_plugin_dettach_current_session(ss);
return ;
}
break;
}
if(ret==SSL_DECODER_FALSE)
{
break;
}
if(ret==SSL_DECODER_CONTINUE)
{
//pdata_offset-=5;
per_ss_ctx->record_trunk.record_hdr=record_hdr;
per_ss_ctx->record_trunk.is_contains_header=SSL_DECODER_FALSE;
break;
}
pdata_offset+=record_hdr.total_len;
} }
struct ssl_decoder_plugin_env *plugin_env=(struct ssl_decoder_plugin_env *)penv; if(is_trunk_cache(&(per_ss_ctx->record_trunk)) || pdata_sz>pdata_offset)
switch(record_hdr.content_type)
{ {
case SSL_CONTENT_TYPE_HANDSHAKE: ssl_trunk_message_publish(plugin_env, ss, &(per_ss_ctx->record_trunk), pdata+pdata_offset, pdata_sz-pdata_offset);
ssl_handshake_decode(plugin_env, ss, pdata, pdata_sz, &pdata_offset);
break;
case SSL_CONTENT_TYPE_ALERT:
break;
case SSL_CONTENT_TYPE_APPLICATION_DATA:
break;
case SSL_CONTENT_TYPE_CHANGE_CIPHER_SPEC:
break;
default:
if(per_ss_ctx->identify_pkt_count++>=plugin_env->max_identify_pkt)
{
stellar_session_plugin_dettach_current_session(ss);
return ;
}
break;
} }
} }
@@ -1118,7 +1297,9 @@ void *ssl_decoder_per_session_context_new(struct session *ss, void *penv)
return NULL; return NULL;
} }
return CALLOC(struct ssl_decoder_context, 1); struct ssl_decoder_context *per_ss_ctx=(struct ssl_decoder_context *)CALLOC(struct ssl_decoder_context, 1);
per_ss_ctx->record_trunk.is_contains_header=SSL_DECODER_TRUE;
return (void *)per_ss_ctx;
} }
void ssl_decoder_per_session_context_free(struct session *ss, void *per_session_ctx, void *penv) void ssl_decoder_per_session_context_free(struct session *ss, void *per_session_ctx, void *penv)
@@ -1194,37 +1375,6 @@ int32_t ssl_decoder_config_load(const char *cfg_path, struct ssl_decoder_plugin_
plugin_env->net_port[i]=ntohs(int_val.u.i); plugin_env->net_port[i]=ntohs(int_val.u.i);
} }
// toml_table_t *limited_tbl=toml_table_in(ssl_tbl, "limited");
// if(NULL==limited_tbl)
// {
// fprintf(stderr, "[%s:%d] config file: %s has no key: [decoder.ssl.limited]", __FUNCTION__, __LINE__, cfg_path);
// toml_free(root);
// return -1;
// }
// toml_datum_t max_rr_num_val=toml_int_in(limited_tbl, "max_rr_num");
// if(max_rr_num_val.ok==0)
// {
// fprintf(stderr, "[%s:%d] config file: %s has no key: [decoder.ssl.limited.max_rr_num]", __FUNCTION__, __LINE__, cfg_path);
// ret=-1;
// }
// else
// {
// plugin_env->max_rr_num=max_rr_num_val.u.i;
// }
// // max_cache_trans_num
// toml_datum_t max_cache_trans_num_val=toml_int_in(limited_tbl, "max_cache_trans_num");
// if(max_cache_trans_num_val.ok==0)
// {
// fprintf(stderr, "[%s:%d] config file: %s has no key: [decoder.ssl.limited.max_cache_trans_num]", __FUNCTION__, __LINE__, cfg_path);
// ret=-1;
// }
// else
// {
// plugin_env->max_cache_trans_num=max_cache_trans_num_val.u.i;
// }
toml_table_t *local_stat_tbl=toml_table_in(ssl_tbl, "local_stat"); toml_table_t *local_stat_tbl=toml_table_in(ssl_tbl, "local_stat");
if(NULL==local_stat_tbl) if(NULL==local_stat_tbl)
{ {
@@ -1354,21 +1504,38 @@ extern "C" void *ssl_decoder_init(struct stellar *st)
plugin_env->ssl.free_cb=ssl_message_free; plugin_env->ssl.free_cb=ssl_message_free;
plugin_env->ssl.on_cb=NULL; plugin_env->ssl.on_cb=NULL;
plugin_env->ssl.topic_name=SSL_DECODER_MESSAGE_TOPIC; plugin_env->ssl.topic_name=SSL_DECODER_MESSAGE_TOPIC;
plugin_env->ssl.topic_id=stellar_session_mq_get_topic_id(st, plugin_env->ssl.topic_name); plugin_env->ssl.topic_id=stellar_session_mq_get_topic_id(plugin_env->st, plugin_env->ssl.topic_name);
if(plugin_env->ssl.topic_id<0) if(plugin_env->ssl.topic_id<0)
{ {
plugin_env->ssl.topic_id=stellar_session_mq_create_topic(st, plugin_env->ssl.topic_name, ssl_message_free, NULL); plugin_env->ssl.topic_id=stellar_session_mq_create_topic(plugin_env->st, plugin_env->ssl.topic_name, ssl_message_free, NULL);
} }
plugin_env->ptrunk.free_cb=ssl_trunk_message_free;
plugin_env->ptrunk.on_cb=NULL;
plugin_env->ptrunk.topic_name=SSL_TRUNK_MESSAGE_TOPIC;
plugin_env->ptrunk.topic_id=stellar_session_mq_get_topic_id(plugin_env->st, plugin_env->ptrunk.topic_name);
if(plugin_env->ptrunk.topic_id<0)
{
plugin_env->ptrunk.topic_id=stellar_session_mq_create_topic(plugin_env->st, plugin_env->ptrunk.topic_name, ssl_trunk_message_free, NULL);
}
plugin_env->strunk.free_cb=NULL;
plugin_env->strunk.on_cb=ssl_trunk_message_segment_data_cb;
plugin_env->strunk.topic_name=SSL_TRUNK_MESSAGE_TOPIC;
plugin_env->strunk.topic_id=stellar_session_mq_get_topic_id(plugin_env->st, plugin_env->strunk.topic_name);
plugin_env->strunk.sub_id=stellar_session_mq_subscribe(plugin_env->st, plugin_env->strunk.topic_id, plugin_env->strunk.on_cb, plugin_env->plugin_id);
plugin_env->tcp_stream.free_cb=NULL; plugin_env->tcp_stream.free_cb=NULL;
plugin_env->tcp_stream.on_cb=ssl_tcp_stream_session_segment_data_cb; plugin_env->tcp_stream.on_cb=ssl_tcp_stream_session_segment_data_cb;
plugin_env->tcp_stream.topic_name=TOPIC_TCP_STREAM; plugin_env->tcp_stream.topic_name=TOPIC_TCP_STREAM;
plugin_env->tcp_stream.topic_id=stellar_session_mq_get_topic_id(plugin_env->st, plugin_env->tcp_stream.topic_name); plugin_env->tcp_stream.topic_id=stellar_session_mq_get_topic_id(plugin_env->st, plugin_env->tcp_stream.topic_name);
plugin_env->tcp_stream.sub_id=stellar_session_mq_subscribe(plugin_env->st, plugin_env->tcp_stream.topic_id, plugin_env->tcp_stream.on_cb, plugin_env->plugin_id); plugin_env->tcp_stream.sub_id=stellar_session_mq_subscribe(plugin_env->st, plugin_env->tcp_stream.topic_id, plugin_env->tcp_stream.on_cb, plugin_env->plugin_id);
printf("ssl_decoder_init: plugin_id: %d, topic: [{name: %s -> id: %d}, {name: %s -> id: %d}] \n", printf("ssl_decoder_init: plugin_id: %d, topic: [{name: %s -> id: %d}, {name: %s -> id: %d}, {name: %s -> id: %d}, {name: %s -> id: %d}] \n",
plugin_env->plugin_id, plugin_env->plugin_id,
plugin_env->ssl.topic_name, plugin_env->ssl.topic_id, plugin_env->ssl.topic_name, plugin_env->ssl.topic_id,
plugin_env->ptrunk.topic_name, plugin_env->ptrunk.topic_id,
plugin_env->strunk.topic_name, plugin_env->strunk.topic_id,
plugin_env->tcp_stream.topic_name, plugin_env->tcp_stream.topic_id plugin_env->tcp_stream.topic_name, plugin_env->tcp_stream.topic_id
); );

158
src/ssl_export.cpp
View File

@@ -18,7 +18,7 @@ int32_t ssl_message_esni_is_true(const struct ssl_message *msg)
return -1; return -1;
} }
return ((msg->chello->esni==NULL) ? 1 : 0); return ((msg->chello->esni==NULL) ? 0 : 1);
} }
int32_t ssl_message_ech_is_true(const struct ssl_message *msg) int32_t ssl_message_ech_is_true(const struct ssl_message *msg)
@@ -28,7 +28,7 @@ int32_t ssl_message_ech_is_true(const struct ssl_message *msg)
return -1; return -1;
} }
return ((msg->chello->ech==NULL) ? 1 : 0); return ((msg->chello->ech==NULL) ? 0 : 1);
} }
void ssl_message_sni_get0(const struct ssl_message *msg, char **value, size_t *value_sz) void ssl_message_sni_get0(const struct ssl_message *msg, char **value, size_t *value_sz)
@@ -71,6 +71,26 @@ const char *ssl_message_readable_version_get0(const struct ssl_message *msg)
} }
version=msg->shello->version; version=msg->shello->version;
break; break;
case SSL_MESSAGE_CERTIFICATE:
if(msg->certificate==NULL)
{
return NULL;
}
switch(msg->certificate->version)
{
case 0:
return "v1";
case 1:
return "v2";
case 2:
return "v3";
case 3:
return "v4";
default:
break;
}
return NULL;
default: default:
return NULL; return NULL;
} }
@@ -78,19 +98,19 @@ const char *ssl_message_readable_version_get0(const struct ssl_message *msg)
switch(version) switch(version)
{ {
case SSL_DECODER_VERSION_SSL_V2_0: case SSL_DECODER_VERSION_SSL_V2_0:
return "SSLv2.0"; return "SSL2.0";
case SSL_DECODER_VERSION_SSL_V3_0: case SSL_DECODER_VERSION_SSL_V3_0:
return "SSLv3.0"; return "SSL3.0";
case SSL_DECODER_VERSION_TLS_V1_0: case SSL_DECODER_VERSION_TLS_V1_0:
return "TLSv1.0"; return "TLS1.0";
case SSL_DECODER_VERSION_TLS_V1_1: case SSL_DECODER_VERSION_TLS_V1_1:
return "TLSv1.1"; return "TLS1.1";
case SSL_DECODER_VERSION_TLS_V1_2: case SSL_DECODER_VERSION_TLS_V1_2:
return "TLSv1.2"; return "TLS1.2";
case SSL_DECODER_VERSION_TLS_V1_3: case SSL_DECODER_VERSION_TLS_V1_3:
return "TLSv1.3"; return "TLS1.3";
case SSL_DECODER_VERSION_TLCP_V1_0: case SSL_DECODER_VERSION_TLCP_V1_0:
return "TLCPv1.0"; return "TLCP1.0";
default: default:
break; break;
} }
@@ -151,102 +171,212 @@ int ssl_message_reset_extensions_iter(struct ssl_message *msg)
enum ssl_certificate_type ssl_certificate_type_get(const struct ssl_message *msg) enum ssl_certificate_type ssl_certificate_type_get(const struct ssl_message *msg)
{ {
return ((msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CERTIFICATE) ? msg->certificate->type : SSL_CERTIFICATE_TYPE_UNKNOWN); return ((msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CERTIFICATE) ? SSL_CERTIFICATE_TYPE_UNKNOWN : msg->certificate->type);
} }
void ssl_message_validity_before_get0(const struct ssl_message *msg, char **value, size_t *value_sz) void ssl_message_validity_before_get0(const struct ssl_message *msg, char **value, size_t *value_sz)
{ {
if(msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CERTIFICATE)
{
return;
}
*value=(char *)msg->certificate->validity.before;
*value_sz=strlen(msg->certificate->validity.before);
} }
void ssl_message_validity_after_get0(const struct ssl_message *msg, char **value, size_t *value_sz) void ssl_message_validity_after_get0(const struct ssl_message *msg, char **value, size_t *value_sz)
{ {
if(msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CERTIFICATE)
{
return;
}
*value=(char *)msg->certificate->validity.after;
*value_sz=strlen(msg->certificate->validity.after);
} }
void ssl_message_issuer_serial_number_get0(const struct ssl_message *msg, char **value, size_t *value_sz) void ssl_message_issuer_serial_number_get0(const struct ssl_message *msg, char **value, size_t *value_sz)
{ {
if(msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CERTIFICATE)
{
return;
}
*value=(char *)msg->certificate->serial.value;
*value_sz=msg->certificate->serial.len;
} }
void ssl_message_subject_public_key_algorithm_get0(const struct ssl_message *msg, char **value, size_t *value_sz) void ssl_message_subject_public_key_algorithm_get0(const struct ssl_message *msg, char **value, size_t *value_sz)
{ {
if(msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CERTIFICATE)
{
return;
}
*value=(char *)msg->certificate->subject_key.value;
*value_sz=msg->certificate->subject_key.len;
} }
void ssl_message_ssl_algorithm_identifier_get0(const struct ssl_message *msg, char **value, size_t *value_sz) void ssl_message_algorithm_identifier_get0(const struct ssl_message *msg, char **value, size_t *value_sz)
{ {
if(msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CERTIFICATE)
{
return;
}
*value=(char *)msg->certificate->algorithm_identifier.value;
*value_sz=msg->certificate->algorithm_identifier.len;
} }
void ssl_message_ssl_signature_algorithm_id_get0(const struct ssl_message *msg, char **value, size_t *value_sz) void ssl_message_signature_algorithm_id_get0(const struct ssl_message *msg, char **value, size_t *value_sz)
{ {
if(msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CERTIFICATE)
{
return;
}
*value=(char *)msg->certificate->signature_algorithm.value;
*value_sz=msg->certificate->signature_algorithm.len;
} }
void ssl_message_subject_alter_next(const struct ssl_message *msg, char **value, size_t *value_sz) void ssl_message_subject_alter_next(const struct ssl_message *msg, char **value, size_t *value_sz)
{ {
if(msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CERTIFICATE)
{
return;
}
if(msg->certificate->subject_alter.num==0 || msg->certificate->subject_alter.offset>=msg->certificate->subject_alter.num)
{
*value=NULL;
*value_sz=0;
return;
}
*value=(char *)msg->certificate->subject_alter.name[msg->certificate->subject_alter.offset];
*value_sz=strlen(msg->certificate->subject_alter.name[msg->certificate->subject_alter.offset]);
msg->certificate->subject_alter.offset++;
} }
int ssl_message_reset_subject_alter_iter(struct ssl_message *msg) int ssl_message_reset_subject_alter_iter(struct ssl_message *msg)
{ {
if(msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CERTIFICATE)
{
return -1;
}
msg->certificate->subject_alter.offset=0;
return 0; return 0;
} }
struct ssl_rdn_sequence *ssl_message_issuer_rdn_sequence_get0(const struct ssl_message *msg) struct ssl_rdn_sequence *ssl_message_issuer_rdn_sequence_get0(const struct ssl_message *msg)
{ {
return ((msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CERTIFICATE) ? &(msg->certificate->issuer) : NULL); return ((msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CERTIFICATE) ? NULL : &(msg->certificate->issuer));
} }
struct ssl_rdn_sequence *ssl_message_subject_rdn_sequence_get0(const struct ssl_message *msg) struct ssl_rdn_sequence *ssl_message_subject_rdn_sequence_get0(const struct ssl_message *msg)
{ {
return ((msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CERTIFICATE) ? &(msg->certificate->subject) : NULL); return ((msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CERTIFICATE) ? NULL : &(msg->certificate->subject));
} }
void ssl_rdn_sequence_common_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz) void ssl_rdn_sequence_common_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz)
{ {
if(rdn==NULL)
{
return;
}
*value_sz=strlen(rdn->common);
*value=(((*value_sz)>0) ? rdn->common : NULL);
} }
void ssl_rdn_sequence_country_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz) void ssl_rdn_sequence_country_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz)
{ {
if(rdn==NULL)
{
return;
}
*value_sz=strlen(rdn->country);
*value=(((*value_sz)>0) ? rdn->country : NULL);
} }
void ssl_rdn_sequence_locality_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz) void ssl_rdn_sequence_locality_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz)
{ {
if(rdn==NULL)
{
return;
}
*value_sz=strlen(rdn->locality);
*value=(((*value_sz)>0) ? rdn->locality : NULL);
} }
void ssl_rdn_sequence_postal_code_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz) void ssl_rdn_sequence_postal_code_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz)
{ {
if(rdn==NULL)
{
return;
}
*value_sz=strlen(rdn->postal_code);
*value=(((*value_sz)>0) ? rdn->postal_code : NULL);
} }
void ssl_rdn_sequence_organization_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz) void ssl_rdn_sequence_organization_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz)
{ {
if(rdn==NULL)
{
return;
}
*value_sz=strlen(rdn->organization);
*value=(((*value_sz)>0) ? rdn->organization : NULL);
} }
void ssl_rdn_sequence_street_address_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz) void ssl_rdn_sequence_street_address_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz)
{ {
if(rdn==NULL)
{
return;
}
*value_sz=strlen(rdn->street_address);
*value=(((*value_sz)>0) ? rdn->street_address : NULL);
} }
void ssl_rdn_sequence_state_or_province_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz) void ssl_rdn_sequence_state_or_province_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz)
{ {
if(rdn==NULL)
{
return;
}
*value_sz=strlen(rdn->state_or_Province);
*value=(((*value_sz)>0) ? rdn->state_or_Province : NULL);
} }
void ssl_rdn_sequence_organizational_unit_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz) void ssl_rdn_sequence_organizational_unit_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz)
{ {
if(rdn==NULL)
{
return;
}
*value_sz=strlen(rdn->organizational_unit);
*value=(((*value_sz)>0) ? rdn->organizational_unit : NULL);
} }
void ssl_rdn_sequence_list_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz) void ssl_rdn_sequence_list_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz)
{ {
if(rdn==NULL)
{
return;
}
*value_sz=strlen(rdn->rdn_sequence_list);
*value=(((*value_sz)>0) ? rdn->rdn_sequence_list : NULL);
} }
void ssl_message_protected_payload_get0(const struct ssl_message *msg, char **value, size_t *value_sz) void ssl_message_protected_payload_get0(const struct ssl_message *msg, char **value, size_t *value_sz)

13
src/ssl_internal.h
View File

@@ -6,19 +6,21 @@
#include <uthash/utarray.h> #include <uthash/utarray.h>
#include "ssl_decoder.h" #include "ssl_decoder.h"
#define SSL_DECODER_TOML_PATH "conf/ssl/ssl_decoder.toml" #define SSL_DECODER_TOML_PATH "etc/ssl/ssl_decoder.toml"
#define SSL_DECODER_FALSE 0 #define SSL_DECODER_FALSE 0
#define SSL_DECODER_TRUE 1 #define SSL_DECODER_TRUE 1
#define SSL_DECODER_CONTINUE 2
#define SSL_UUID_BYTES_SZ 16 #define SSL_UUID_BYTES_SZ 16
#define SSL_RANDOM_TIME_LEN 4 #define SSL_RANDOM_TIME_LEN 4
#define SSL_RANDOM_SIZE 28 #define SSL_RANDOM_SIZE 28
#define SSL_HANDSHAKE_CLIENT_HELLO 1 #define SSL_HANDSHAKE_ENCRYPTED_MESSAGE 0
#define SSL_HANDSHAKE_SERVER_HELLO 2 #define SSL_HANDSHAKE_CLIENT_HELLO 1
#define SSL_HANDSHAKE_CERTIFICATE 11 #define SSL_HANDSHAKE_SERVER_HELLO 2
#define SSL_HANDSHAKE_CERTIFICATE 11
#define SSL_HANDSHAKE_SERVER_KEY_EXCHANGE 12 #define SSL_HANDSHAKE_SERVER_KEY_EXCHANGE 12
#define SSL_CONTENT_TYPE_HANDSHAKE 0x16 #define SSL_CONTENT_TYPE_HANDSHAKE 0x16
@@ -116,6 +118,7 @@ struct ssl_new_session_ticket
struct ssl_subject_alter_name struct ssl_subject_alter_name
{ {
int num; int num;
int offset;
char (*name)[MAX_ALTER_NAME_LEN]; char (*name)[MAX_ALTER_NAME_LEN];
}; };
@@ -193,6 +196,7 @@ struct ssl_message
char uuid_bytes[SSL_UUID_BYTES_SZ]; char uuid_bytes[SSL_UUID_BYTES_SZ];
struct session *ss; struct session *ss;
struct ssl_decoder_plugin_env *plugin_env; struct ssl_decoder_plugin_env *plugin_env;
size_t data_sz;
union union
{ {
struct ssl_client_hello *chello; struct ssl_client_hello *chello;
@@ -200,5 +204,4 @@ struct ssl_message
struct ssl_certificate *certificate; struct ssl_certificate *certificate;
void *data; void *data;
}; };
}; };

21
src/version.map
View File

@@ -13,6 +13,27 @@ global:
*ssl_message_ja3shash_get0*; *ssl_message_ja3shash_get0*;
*ssl_message_extensions_next*; *ssl_message_extensions_next*;
*ssl_message_reset_extensions_iter*; *ssl_message_reset_extensions_iter*;
*ssl_certificate_type_get*;
*ssl_message_validity_before_get0*;
*ssl_message_validity_after_get0*;
*ssl_message_issuer_serial_number_get0*;
*ssl_message_subject_public_key_algorithm_get0*;
*ssl_message_algorithm_identifier_get0*;
*ssl_message_signature_algorithm_id_get0*;
*ssl_message_subject_alter_next*;
*ssl_message_reset_subject_alter_iter*;
*ssl_message_issuer_rdn_sequence_get0*;
*ssl_message_subject_rdn_sequence_get0*;
*ssl_rdn_sequence_common_get0*;
*ssl_rdn_sequence_country_get0*;
*ssl_rdn_sequence_locality_get0*;
*ssl_rdn_sequence_postal_code_get0*;
*ssl_rdn_sequence_organization_get0*;
*ssl_rdn_sequence_street_address_get0*;
*ssl_rdn_sequence_state_or_province_get0*;
*ssl_rdn_sequence_organizational_unit_get0*;
*ssl_rdn_sequence_list_get0*;
*ssl_message_protected_payload_get0;
*GIT*; *GIT*;
}; };
local: *; local: *;

8
test/CMakeLists.txt
View File

@@ -58,7 +58,9 @@ add_test(NAME RUN_BUG_TEST COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case
add_test(NAME RUN_MULTIPLE_HANDSHAKE_TEST COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/multiple_handshake/ssl_multiple_handshake_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/multiple_handshake/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) add_test(NAME RUN_MULTIPLE_HANDSHAKE_TEST COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/multiple_handshake/ssl_multiple_handshake_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/multiple_handshake/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
add_test(NAME RUN_CLOSE_CONTAINS_PAYLOAD_TEST COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/close_contains_payload/ssl_close_contains_payload_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/close_contains_payload/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) add_test(NAME RUN_CLOSE_CONTAINS_PAYLOAD_TEST COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/close_contains_payload/ssl_close_contains_payload_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/close_contains_payload/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
add_test(NAME RUN_EXTENSION_EXCEED_16 COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/extensions_exceed_16/extensions_exceed_16_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/extensions_exceed_16/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) add_test(NAME RUN_EXTENSION_EXCEED_16 COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/extensions_exceed_16/extensions_exceed_16_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/extensions_exceed_16/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
add_test(NAME RUN_CLIENT_HELLO_FRAGMENT COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/client_hello_fragment/ssl_client_hello_fragment_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/client_hello_fragment/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) add_test(NAME RUN_CLIENT_HELLO_FRAGMENT1 COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/client_hello_fragment1/ssl_client_hello_fragment_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/client_hello_fragment1/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
add_test(NAME RUN_CLIENT_HELLO_FRAGMENT2 COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/client_hello_fragment2/ssl_client_hello_fragment_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/client_hello_fragment2/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
add_test(NAME RUN_CLIENT_HELLO_FRAGMENT3 COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/client_hello_fragment3/ssl_client_hello_fragment_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/client_hello_fragment3/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
add_test(NAME RUN_ACK_CONTAINS_PAYLOAD COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/tcp_ack_contians_payload/ssl_tcp_ack_contians_payload_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/tcp_ack_contians_payload/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR}) add_test(NAME RUN_ACK_CONTAINS_PAYLOAD COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/tcp_ack_contians_payload/ssl_tcp_ack_contians_payload_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/tcp_ack_contians_payload/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
set_tests_properties(RUN_SSL_TEST set_tests_properties(RUN_SSL_TEST
@@ -68,7 +70,9 @@ set_tests_properties(RUN_SSL_TEST
RUN_MULTIPLE_HANDSHAKE_TEST RUN_MULTIPLE_HANDSHAKE_TEST
RUN_CLOSE_CONTAINS_PAYLOAD_TEST RUN_CLOSE_CONTAINS_PAYLOAD_TEST
RUN_EXTENSION_EXCEED_16 RUN_EXTENSION_EXCEED_16
RUN_CLIENT_HELLO_FRAGMENT RUN_CLIENT_HELLO_FRAGMENT1
RUN_CLIENT_HELLO_FRAGMENT2
RUN_CLIENT_HELLO_FRAGMENT3
RUN_ACK_CONTAINS_PAYLOAD RUN_ACK_CONTAINS_PAYLOAD
PROPERTIES FIXTURES_REQUIRED TestFixture PROPERTIES FIXTURES_REQUIRED TestFixture
) )

27
test/case/bug/ssl_bug_result.json
View File

@@ -4,20 +4,23 @@
"ssl_sni": "match.adsrvr.org", "ssl_sni": "match.adsrvr.org",
"ssl_client_version": "TLS1.2", "ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"ssl_esni": 0,
"ssl_ech": 0,
"ssl_server_version": "TLS1.2",
"ssl_ja3s_hash": "8d2a028aa94425f76ced7826b1f39039", "ssl_ja3s_hash": "8d2a028aa94425f76ced7826b1f39039",
"ssl_cert_version": "v3", "ssl_cert_version": "v3",
"ssl_cert_Issuer": "GlobalSign GCC R3 DV TLS CA 2020;GlobalSign nv-sa;;;;;BE", "ssl_cert_issuer": "GlobalSign GCC R3 DV TLS CA 2020;GlobalSign nv-sa;;;;;BE",
"ssl_cert_IssuerCN": "GlobalSign GCC R3 DV TLS CA 2020", "ssl_cert_issuer_common": "GlobalSign GCC R3 DV TLS CA 2020",
"ssl_cert_IssuerO": "GlobalSign nv-sa", "ssl_cert_issuer_organization": "GlobalSign nv-sa",
"ssl_cert_IssuerC": "BE", "ssl_cert_issuer_country": "BE",
"ssl_cert_Sub": "*.adsrvr.org;;;;;;", "ssl_cert_subject": "*.adsrvr.org;;;;;;",
"ssl_cert_SubCN": "*.adsrvr.org", "ssl_cert_subject_common": "*.adsrvr.org",
"ssl_cert_SubAltName": "*.adsrvr.org;adsrvr.org", "ssl_cert_subject_alt_name": "*.adsrvr.org;adsrvr.org;",
"ssl_cert_SerialNum": "0x2ddaa6f359d4ce458fe983f1", "ssl_cert_serial_number": "0x2ddaa6f359d4ce458fe983f1",
"ssl_cert_AgID": "1.2.840.113549.1.1.11", "ssl_cert_signature_algorithm": "1.2.840.113549.1.1.11",
"ssl_cert_From": "220331203750Z", "ssl_cert_validity_before": "220331203750Z",
"ssl_cert_To": "230502203749Z", "ssl_cert_validity_after": "230502203749Z",
"ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11", "ssl_cert_algorithm_identifier": "1.2.840.113549.1.1.11",
"name": "SSL_RESULT_1" "name": "SSL_RESULT_1"
} }
] ]

58
test/case/client_hello_fragment/ssl_client_hello_fragment_result.json
View File

@@ -1,58 +0,0 @@
[
{
"Tuple4": "192.168.56.31.53868>74.118.186.107.443",
"ssl_sni": "sync.targeting.unrulymedia.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "bc93a67ef4492974195865dc0262e65e",
"ssl_ja3s_hash": "b898351eb5e266aefd3723d466935494",
"ssl_cert_version": "v3",
"ssl_cert_Issuer": "Sectigo RSA Domain Validation Secure Server CA;Sectigo Limited;;Salford;;Greater Manchester;GB",
"ssl_cert_IssuerCN": "Sectigo RSA Domain Validation Secure Server CA",
"ssl_cert_IssuerO": "Sectigo Limited",
"ssl_cert_IssuerC": "GB",
"ssl_cert_IssuerP": "Greater Manchester",
"ssl_cert_IssuerL": "Salford",
"ssl_cert_Sub": "*.targeting.unrulymedia.com;;;;;;",
"ssl_cert_SubCN": "*.targeting.unrulymedia.com",
"ssl_cert_SubAltName": "*.targeting.unrulymedia.com;targeting.unrulymedia.com",
"ssl_cert_SerialNum": "0x888d5e51787e0f1f485dc542465d2034",
"ssl_cert_AgID": "1.2.840.113549.1.1.11",
"ssl_cert_From": "230510000000Z",
"ssl_cert_To": "240510235959Z",
"ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11",
"name": "SSL_RESULT_1"
},
{
"Tuple4": "192.168.58.17.49218>23.216.55.29.443",
"ssl_sni": "www.missionsports.org",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "a69708a64f853c3bcc214c2c5faf84f3",
"ssl_ja3s_hash": "10a2ad147a870ef37af153dea9fe4dd3",
"ssl_cert_version": "v3",
"ssl_cert_Issuer": "DigiCert TLS RSA SHA256 2020 CA1;DigiCert Inc;;;;;US",
"ssl_cert_IssuerCN": "DigiCert TLS RSA SHA256 2020 CA1",
"ssl_cert_IssuerO": "DigiCert Inc",
"ssl_cert_IssuerC": "US",
"ssl_cert_Sub": "a248.e.akamai.net;Akamai Technologies, Inc.;;Cambridge;;Massachusetts;US",
"ssl_cert_SubCN": "a248.e.akamai.net",
"ssl_cert_SubO": "Akamai Technologies, Inc.",
"ssl_cert_SubC": "US",
"ssl_cert_SubP": "Massachusetts",
"ssl_cert_SubL": "Cambridge",
"ssl_cert_SubAltName": "a248.e.akamai.net;*.akamaized.net;*.akamaized-staging.net;*.akamaihd.net;*.akamaihd-staging.net",
"ssl_cert_SerialNum": "0x0d61f7742d583251a2b8d5a26a1dda0b",
"ssl_cert_AgID": "1.2.840.113549.1.1.11",
"ssl_cert_From": "230516000000Z",
"ssl_cert_To": "240515235959Z",
"ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11",
"name": "SSL_RESULT_2"
},
{
"Tuple4": "36.251.161.167.39777>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "c3db97da3b30171e5cf9de314584b555",
"name": "SSL_RESULT_3"
}
]

0
test/case/client_hello_fragment/1-ssl.client.hello.fragment.192.168.56.31.53868.74.118.186.107.443.pcap → test/case/client_hello_fragment1/1-ssl.client.hello.fragment.192.168.56.31.53868.74.118.186.107.443.pcap
View File

28
test/case/client_hello_fragment1/ssl_client_hello_fragment_result.json Normal file
View File

@@ -0,0 +1,28 @@
[
{
"Tuple4": "192.168.56.31.53868>74.118.186.107.443",
"ssl_client_version": "TLS1.2",
"ssl_sni": "sync.targeting.unrulymedia.com",
"ssl_ja3_hash": "bc93a67ef4492974195865dc0262e65e",
"ssl_esni": 0,
"ssl_ech": 0,
"ssl_server_version": "TLS1.2",
"ssl_ja3s_hash": "b898351eb5e266aefd3723d466935494",
"ssl_cert_version": "v3",
"ssl_cert_issuer": "Sectigo RSA Domain Validation Secure Server CA;Sectigo Limited;;Salford;;Greater Manchester;GB",
"ssl_cert_issuer_common": "Sectigo RSA Domain Validation Secure Server CA",
"ssl_cert_issuer_organization": "Sectigo Limited",
"ssl_cert_issuer_country": "GB",
"ssl_cert_issuer_state_or_Province": "Greater Manchester",
"ssl_cert_issuer_locality": "Salford",
"ssl_cert_subject": "*.targeting.unrulymedia.com;;;;;;",
"ssl_cert_subject_common": "*.targeting.unrulymedia.com",
"ssl_cert_subject_alt_name": "*.targeting.unrulymedia.com;targeting.unrulymedia.com;",
"ssl_cert_serial_number": "0x888d5e51787e0f1f485dc542465d2034",
"ssl_cert_signature_algorithm": "1.2.840.113549.1.1.11",
"ssl_cert_validity_before": "230510000000Z",
"ssl_cert_validity_after": "240510235959Z",
"ssl_cert_algorithm_identifier": "1.2.840.113549.1.1.11",
"name": "SSL_RESULT_1"
}
]

0
test/case/client_hello_fragment/2-sni.client.hello.fragment.192.168.58.17.49218-23.216.55.29.443.pcap → test/case/client_hello_fragment2/2-sni.client.hello.fragment.192.168.58.17.49218-23.216.55.29.443.pcap
View File

30
test/case/client_hello_fragment2/ssl_client_hello_fragment_result.json Normal file
View File

@@ -0,0 +1,30 @@
[
{
"Tuple4": "192.168.58.17.49218>23.216.55.29.443",
"ssl_sni": "www.missionsports.org",
"ssl_client_version": "TLS1.2",
"ssl_esni": 0,
"ssl_ech": 0,
"ssl_ja3_hash": "a69708a64f853c3bcc214c2c5faf84f3",
"ssl_server_version": "TLS1.2",
"ssl_ja3s_hash": "10a2ad147a870ef37af153dea9fe4dd3",
"ssl_cert_version": "v3",
"ssl_cert_issuer": "DigiCert TLS RSA SHA256 2020 CA1;DigiCert Inc;;;;;US",
"ssl_cert_issuer_common": "DigiCert TLS RSA SHA256 2020 CA1",
"ssl_cert_issuer_organization": "DigiCert Inc",
"ssl_cert_issuer_country": "US",
"ssl_cert_subject": "a248.e.akamai.net;Akamai Technologies, Inc.;;Cambridge;;Massachusetts;US",
"ssl_cert_subject_common": "a248.e.akamai.net",
"ssl_cert_subject_organization": "Akamai Technologies, Inc.",
"ssl_cert_subject_country": "US",
"ssl_cert_subject_state_or_Province": "Massachusetts",
"ssl_cert_subject_locality": "Cambridge",
"ssl_cert_subject_alt_name": "a248.e.akamai.net;*.akamaized.net;*.akamaized-staging.net;*.akamaihd.net;*.akamaihd-staging.net;",
"ssl_cert_serial_number": "0x0d61f7742d583251a2b8d5a26a1dda0b",
"ssl_cert_signature_algorithm": "1.2.840.113549.1.1.11",
"ssl_cert_validity_before": "230516000000Z",
"ssl_cert_validity_after": "240515235959Z",
"ssl_cert_algorithm_identifier": "1.2.840.113549.1.1.11",
"name": "SSL_RESULT_1"
}
]

0
test/case/client_hello_fragment/3-ssl.client.hello.fragment.36.251.161.167.39777-143.92.57.79.443.pcap → test/case/client_hello_fragment3/3-ssl.client.hello.fragment.36.251.161.167.39777-143.92.57.79.443.pcap
View File

11
test/case/client_hello_fragment3/ssl_client_hello_fragment_result.json Normal file
View File

@@ -0,0 +1,11 @@
[
{
"Tuple4": "36.251.161.167.39777>143.92.57.79.443",
"ssl_client_version": "TLS1.2",
"ssl_sni": "a.ywgyuv.cn",
"ssl_ja3_hash": "c3db97da3b30171e5cf9de314584b555",
"ssl_esni": 0,
"ssl_ech": 1,
"name": "SSL_RESULT_1"
}
]

39
test/case/close_contains_payload/ssl_close_contains_payload_result.json
View File

@@ -4,25 +4,28 @@
"ssl_sni": "www.firefox.com", "ssl_sni": "www.firefox.com",
"ssl_client_version": "TLS1.2", "ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "45b1a0eca9605cd8789cd7e1a5ccd9b0", "ssl_ja3_hash": "45b1a0eca9605cd8789cd7e1a5ccd9b0",
"ssl_esni": 0,
"ssl_ech": 0,
"ssl_server_version": "TLS1.2",
"ssl_ja3s_hash": "9a1de6823a92d66172ce93d309e73e4e", "ssl_ja3s_hash": "9a1de6823a92d66172ce93d309e73e4e",
"ssl_cert_version": "v3", "ssl_cert_version": "v3",
"ssl_cert_Issuer": "DigiCert SHA2 Secure Server CA;DigiCert Inc;;;;;US", "ssl_cert_issuer": "DigiCert SHA2 Secure Server CA;DigiCert Inc;;;;;US",
"ssl_cert_IssuerCN": "DigiCert SHA2 Secure Server CA", "ssl_cert_issuer_common": "DigiCert SHA2 Secure Server CA",
"ssl_cert_IssuerO": "DigiCert Inc", "ssl_cert_issuer_organization": "DigiCert Inc",
"ssl_cert_IssuerC": "US", "ssl_cert_issuer_country": "US",
"ssl_cert_Sub": "redirect-san.mozilla.org;Mozilla Corporation;WebOps;Mountain View;;California;US", "ssl_cert_subject": "redirect-san.mozilla.org;Mozilla Corporation;WebOps;Mountain View;;California;US",
"ssl_cert_SubCN": "redirect-san.mozilla.org", "ssl_cert_subject_common": "redirect-san.mozilla.org",
"ssl_cert_SubO": "Mozilla Corporation", "ssl_cert_subject_organization": "Mozilla Corporation",
"ssl_cert_SubC": "US", "ssl_cert_subject_country": "US",
"ssl_cert_SubP": "California", "ssl_cert_subject_state_or_Province": "California",
"ssl_cert_SubL": "Mountain View", "ssl_cert_subject_locality": "Mountain View",
"ssl_cert_SubU": "WebOps", "ssl_cert_subject_organizational_unit": "WebOps",
"ssl_cert_SubAltName": "leandatapractices.org;leandatapractices.com;mozilla-podcasts.org;mozilla.com;gv.dev;getfirefox.com;geckoview.dev;firefoxquantum.com;firefox.com;taskcluster.net;contributejson.org;www.firefox.com;masterfirefoxos.mozilla.org;mobilepartners.mozilla.org;www.leandatapractices.org;www.leandatapractices.com;www.getfirefox.com;mozilla.org.uk;webwewant.mozilla.org;thehub.mozilla.com;nightly.mozilla.org;pontoon.mozillalabs.com;videos.mozilla.org;videos-cdn.mozilla.net;treestatus.mozilla.org;techspeakers.mozilla.org;redirect-san.mozilla.org;input.mozilla.com;join.mozilla.org;content.mozilla.org;activations.mozilla.org;addons.mozilla.com;airmo.mozilla.org;ask.mozilla.org;aurora.mozilla.org;beta.mozilla.org;careers.mozilla.com;designlanguage.mozilla.org;input.mozilla.org;dnt.mozilla.org;events.mozilla.org;forums.mozilla.org;friends.mozilla.org;git.mozilla.org;hub.mozilla.com;hub.mozilla.org;activations.mozilla.com;www.mozilla.com", "ssl_cert_subject_alt_name": "leandatapractices.org;leandatapractices.com;mozilla-podcasts.org;mozilla.com;gv.dev;getfirefox.com;geckoview.dev;firefoxquantum.com;firefox.com;taskcluster.net;contributejson.org;www.firefox.com;masterfirefoxos.mozilla.org;mobilepartners.mozilla.org;www.leandatapractices.org;www.leandatapractices.com;www.getfirefox.com;mozilla.org.uk;webwewant.mozilla.org;thehub.mozilla.com;nightly.mozilla.org;pontoon.mozillalabs.com;videos.mozilla.org;videos-cdn.mozilla.net;treestatus.mozilla.org;techspeakers.mozilla.org;redirect-san.mozilla.org;input.mozilla.com;join.mozilla.org;content.mozilla.org;activations.mozilla.org;addons.mozilla.com;airmo.mozilla.org;ask.mozilla.org;aurora.mozilla.org;beta.mozilla.org;careers.mozilla.com;designlanguage.mozilla.org;input.mozilla.org;dnt.mozilla.org;events.mozilla.org;forums.mozilla.org;friends.mozilla.org;git.mozilla.org;hub.mozilla.com;hub.mozilla.org;activations.mozilla.com;www.mozilla.com;",
"ssl_cert_SerialNum": "0x019d2b994ec99445c735d2a6d739e43a", "ssl_cert_serial_number": "0x019d2b994ec99445c735d2a6d739e43a",
"ssl_cert_AgID": "1.2.840.113549.1.1.11", "ssl_cert_signature_algorithm": "1.2.840.113549.1.1.11",
"ssl_cert_From": "200406000000Z", "ssl_cert_validity_before": "200406000000Z",
"ssl_cert_To": "210414120000Z", "ssl_cert_validity_after": "210414120000Z",
"ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11", "ssl_cert_algorithm_identifier": "1.2.840.113549.1.1.11",
"name": "SSL_RESULT_1" "name": "SSL_RESULT_1"
} }
] ]

1094
test/case/e21/ssl_e21_target_result.json
View File

File diff suppressed because it is too large Load Diff

5
test/case/extensions_exceed_16/extensions_exceed_16_result.json
View File

@@ -1,10 +1,11 @@
[ [
{ {
"Tuple4": "192.168.64.8.53466>185.63.190.2.443", "Tuple4": "192.168.64.8.53466>185.63.190.2.443",
"ssl_sni": "fermer.ru",
"ssl_ech": "1",
"ssl_client_version": "TLS1.2", "ssl_client_version": "TLS1.2",
"ssl_sni": "fermer.ru",
"ssl_ja3_hash": "afa0d02228072fc4b02a7772a668c64a", "ssl_ja3_hash": "afa0d02228072fc4b02a7772a668c64a",
"ssl_esni": 0,
"ssl_ech": 1,
"name": "SSL_RESULT_1" "name": "SSL_RESULT_1"
} }
] ]

27
test/case/multiple_handshake/ssl_multiple_handshake_result.json
View File

@@ -4,20 +4,23 @@
"ssl_sni": "cn.bing.com", "ssl_sni": "cn.bing.com",
"ssl_client_version": "TLS1.2", "ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9", "ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"ssl_esni": 0,
"ssl_ech": 0,
"ssl_server_version": "TLS1.2",
"ssl_ja3s_hash": "67bfe5d15ae567fb35fd7837f0116eec", "ssl_ja3s_hash": "67bfe5d15ae567fb35fd7837f0116eec",
"ssl_cert_version": "v3", "ssl_cert_version": "v3",
"ssl_cert_Issuer": "Microsoft RSA TLS CA 02;Microsoft Corporation;;;;;US", "ssl_cert_issuer": "Microsoft RSA TLS CA 02;Microsoft Corporation;;;;;US",
"ssl_cert_IssuerCN": "Microsoft RSA TLS CA 02", "ssl_cert_issuer_common": "Microsoft RSA TLS CA 02",
"ssl_cert_IssuerO": "Microsoft Corporation", "ssl_cert_issuer_organization": "Microsoft Corporation",
"ssl_cert_IssuerC": "US", "ssl_cert_issuer_country": "US",
"ssl_cert_Sub": "www.bing.com;;;;;;", "ssl_cert_subject": "www.bing.com;;;;;;",
"ssl_cert_SubCN": "www.bing.com", "ssl_cert_subject_common": "www.bing.com",
"ssl_cert_SubAltName": "www.bing.com;dict.bing.com.cn;*.platform.bing.com;*.bing.com;bing.com;ieonline.microsoft.com;*.windowssearch.com;cn.ieonline.microsoft.com;*.origin.bing.com;*.mm.bing.net;*.api.bing.com;ecn.dev.virtualearth.net;*.cn.bing.net;*.cn.bing.com;ssl-api.bing.com;ssl-api.bing.net;*.api.bing.net;*.bingapis.com;bingsandbox.com;feedback.microsoft.com;insertmedia.bing.office.net;r.bat.bing.com;*.r.bat.bing.com;*.dict.bing.com.cn;*.dict.bing.com;*.ssl.bing.com;*.appex.bing.com;*.platform.cn.bing.com;wp.m.bing.com;*.m.bing.com;global.bing.com;windowssearch.com;search.msn.com;*.bingsandbox.com;*.api.tiles.ditu.live.com;*.ditu.live.com;*.t0.tiles.ditu.live.com;*.t1.tiles.ditu.live.com;*.t2.tiles.ditu.live.com;*.t3.tiles.ditu.live.com;*.tiles.ditu.live.com;3d.live.com;api.search.live.com;beta.search.live.com;cnweb.search.live.com;dev.live.com;ditu.live.com;farecast.live.com;image.live.com;images.live.com;local.live.com.au;localsearch.live.com;ls4d.search.live.com;mail.live.com;mapindia.live.com;local.live.com;maps.live.com;maps.live.com.au;mindia.live.com;news.live.com;origin.cnweb.search.live.com;preview.local.live.com;search.live.com;test.maps.live.com;video.live.com;videos.live.com;virtualearth.live.com;wap.live.com;webmaster.live.com;webmasters.live.com;www.local.live.com.au;www.maps.live.com.au", "ssl_cert_subject_alt_name": "www.bing.com;dict.bing.com.cn;*.platform.bing.com;*.bing.com;bing.com;ieonline.microsoft.com;*.windowssearch.com;cn.ieonline.microsoft.com;*.origin.bing.com;*.mm.bing.net;*.api.bing.com;ecn.dev.virtualearth.net;*.cn.bing.net;*.cn.bing.com;ssl-api.bing.com;ssl-api.bing.net;*.api.bing.net;*.bingapis.com;bingsandbox.com;feedback.microsoft.com;insertmedia.bing.office.net;r.bat.bing.com;*.r.bat.bing.com;*.dict.bing.com.cn;*.dict.bing.com;*.ssl.bing.com;*.appex.bing.com;*.platform.cn.bing.com;wp.m.bing.com;*.m.bing.com;global.bing.com;windowssearch.com;search.msn.com;*.bingsandbox.com;*.api.tiles.ditu.live.com;*.ditu.live.com;*.t0.tiles.ditu.live.com;*.t1.tiles.ditu.live.com;*.t2.tiles.ditu.live.com;*.t3.tiles.ditu.live.com;*.tiles.ditu.live.com;3d.live.com;api.search.live.com;beta.search.live.com;cnweb.search.live.com;dev.live.com;ditu.live.com;farecast.live.com;image.live.com;images.live.com;local.live.com.au;localsearch.live.com;ls4d.search.live.com;mail.live.com;mapindia.live.com;local.live.com;maps.live.com;maps.live.com.au;mindia.live.com;news.live.com;origin.cnweb.search.live.com;preview.local.live.com;search.live.com;test.maps.live.com;video.live.com;videos.live.com;virtualearth.live.com;wap.live.com;webmaster.live.com;webmasters.live.com;www.local.live.com.au;www.maps.live.com.au;",
"ssl_cert_SerialNum": "0x7f0012e261129541195fac1a6000000012e261", "ssl_cert_serial_number": "0x7f0012e261129541195fac1a6000000012e261",
"ssl_cert_AgID": "1.2.840.113549.1.1.11", "ssl_cert_signature_algorithm": "1.2.840.113549.1.1.11",
"ssl_cert_From": "210706015313Z", "ssl_cert_validity_before": "210706015313Z",
"ssl_cert_To": "220106015313Z", "ssl_cert_validity_after": "220106015313Z",
"ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11", "ssl_cert_algorithm_identifier": "1.2.840.113549.1.1.11",
"name": "SSL_RESULT_1" "name": "SSL_RESULT_1"
} }
] ]

111
test/case/ssl/ssl_result.json
View File

@@ -1,53 +1,62 @@
[ [
{ {
"Tuple4": "192.168.50.38.52391>104.16.123.96.443", "Tuple4": "90.143.182.94.55835>93.186.227.131.443",
"ssl_sni": "ESNI", "ssl_client_version": "TLS1.2",
"ssl_client_version": "TLS1.2", "ssl_sni": "sun9-20.userapi.com",
"ssl_ja3_hash": "62a4a00de930bd0a5bee0309cc8362ed", "ssl_ja3_hash": "6f5e62edfa5933b1332ddf8b9fb3ef9d",
"ssl_ja3s_hash": "eb1d94daa7e0344597e756a1fb6e7054", "ssl_esni": 0,
"name": "SSL_RESULT_1" "ssl_ech": 0,
}, "ssl_server_version": "TLS1.2",
{ "ssl_ja3s_hash": "2d1eb5817ece335c24904f516ad5da12",
"Tuple4": "192.168.2.102.56768>34.138.246.121.443", "ssl_cert_version": "v3",
"ssl_sni": "public.tls-ech.dev", "ssl_cert_issuer": "GlobalSign Organization Validation CA - SHA256 - G2;GlobalSign nv-sa;;;;;BE",
"ssl_ech": "1", "ssl_cert_issuer_common": "GlobalSign Organization Validation CA - SHA256 - G2",
"ssl_client_version": "TLS1.2", "ssl_cert_issuer_organization": "GlobalSign nv-sa",
"ssl_ja3_hash": "a195b9c006fcb23ab9a2343b0871e362", "ssl_cert_issuer_country": "BE",
"ssl_ja3s_hash": "2b0648ab686ee45e0e7c35fcfb0eea7e", "ssl_cert_subject": "*.userapi.com;V Kontakte LLC;;Saint-Petersburg;;Saint-Petersburg;RU",
"name": "SSL_RESULT_2" "ssl_cert_subject_common": "*.userapi.com",
}, "ssl_cert_subject_organization": "V Kontakte LLC",
{ "ssl_cert_subject_country": "RU",
"Tuple4": "90.143.182.94.55835>93.186.227.131.443", "ssl_cert_subject_state_or_Province": "Saint-Petersburg",
"ssl_sni": "sun9-20.userapi.com", "ssl_cert_subject_locality": "Saint-Petersburg",
"ssl_client_version": "TLS1.2", "ssl_cert_subject_alt_name": "*.userapi.com;vk.me;*.vk-cdn.net;*.vkuserlive.com;*.vkuserlive.net;*.vkuseraudio.net;*.vkuseraudio.com;*.vkuservideo.net;*.vkuservideo.com;*.vk.me;userapi.com;",
"ssl_ja3_hash": "6f5e62edfa5933b1332ddf8b9fb3ef9d", "ssl_cert_serial_number": "0x5afa3a189e6a5c11e1e18b0f",
"ssl_ja3s_hash": "2d1eb5817ece335c24904f516ad5da12", "ssl_cert_signature_algorithm": "1.2.840.113549.1.1.11",
"ssl_cert_version": "v3", "ssl_cert_validity_before": "180717083809Z",
"ssl_cert_Issuer": "GlobalSign Organization Validation CA - SHA256 - G2;GlobalSign nv-sa;;;;;BE", "ssl_cert_validity_after": "190714162604Z",
"ssl_cert_IssuerCN": "GlobalSign Organization Validation CA - SHA256 - G2", "ssl_cert_algorithm_identifier": "1.2.840.113549.1.1.11",
"ssl_cert_IssuerO": "GlobalSign nv-sa", "name": "SSL_RESULT_1"
"ssl_cert_IssuerC": "BE", },
"ssl_cert_Sub": "*.userapi.com;V Kontakte LLC;;Saint-Petersburg;;Saint-Petersburg;RU", {
"ssl_cert_SubCN": "*.userapi.com", "Tuple4": "192.168.2.102.56776>34.138.246.121.443",
"ssl_cert_SubO": "V Kontakte LLC", "ssl_client_version": "TLS1.2",
"ssl_cert_SubC": "RU", "ssl_sni": "public.tls-ech.dev",
"ssl_cert_SubP": "Saint-Petersburg", "ssl_ja3_hash": "a195b9c006fcb23ab9a2343b0871e362",
"ssl_cert_SubL": "Saint-Petersburg", "ssl_esni": 0,
"ssl_cert_SubAltName": "*.userapi.com;vk.me;*.vk-cdn.net;*.vkuserlive.com;*.vkuserlive.net;*.vkuseraudio.net;*.vkuseraudio.com;*.vkuservideo.net;*.vkuservideo.com;*.vk.me;userapi.com", "ssl_ech": 1,
"ssl_cert_SerialNum": "0x5afa3a189e6a5c11e1e18b0f", "ssl_server_version": "TLS1.2",
"ssl_cert_AgID": "1.2.840.113549.1.1.11", "ssl_ja3s_hash": "2b0648ab686ee45e0e7c35fcfb0eea7e",
"ssl_cert_From": "180717083809Z", "name": "SSL_RESULT_2"
"ssl_cert_To": "190714162604Z", },
"ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11", {
"name": "SSL_RESULT_3" "Tuple4": "192.168.50.38.52391>104.16.123.96.443",
}, "ssl_client_version": "TLS1.2",
{ "ssl_ja3_hash": "62a4a00de930bd0a5bee0309cc8362ed",
"Tuple4": "192.168.2.102.56776>34.138.246.121.443", "ssl_esni": 1,
"ssl_sni": "public.tls-ech.dev", "ssl_ech": 0,
"ssl_ech": "1", "ssl_server_version": "TLS1.2",
"ssl_client_version": "TLS1.2", "ssl_ja3s_hash": "eb1d94daa7e0344597e756a1fb6e7054",
"ssl_ja3_hash": "a195b9c006fcb23ab9a2343b0871e362", "name": "SSL_RESULT_3"
"ssl_ja3s_hash": "2b0648ab686ee45e0e7c35fcfb0eea7e", },
"name": "SSL_RESULT_4" {
} "Tuple4": "192.168.2.102.56768>34.138.246.121.443",
"ssl_client_version": "TLS1.2",
"ssl_sni": "public.tls-ech.dev",
"ssl_ja3_hash": "a195b9c006fcb23ab9a2343b0871e362",
"ssl_esni": 0,
"ssl_ech": 1,
"ssl_server_version": "TLS1.2",
"ssl_ja3s_hash": "2b0648ab686ee45e0e7c35fcfb0eea7e",
"name": "SSL_RESULT_4"
}
] ]

96
test/case/tcp_ack_contians_payload/ssl_tcp_ack_contians_payload_result.json
View File

@@ -1,24 +1,27 @@
[ [
{
"Tuple4": "36.251.161.167.39018>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "6f7971785f5cbbcb21819b6639f0e8f7",
"name": "SSL_RESULT_1"
},
{ {
"Tuple4": "36.251.161.167.39025>143.92.57.79.443", "Tuple4": "36.251.161.167.39025>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn", "ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1", "ssl_esni": 0,
"ssl_ech": 1,
"ssl_client_version": "TLS1.2", "ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "0ac1d260c0b1f0e3bf645d6580ea6343", "ssl_ja3_hash": "0ac1d260c0b1f0e3bf645d6580ea6343",
"name": "SSL_RESULT_1"
},
{
"Tuple4": "36.251.161.167.39018>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn",
"ssl_esni": 0,
"ssl_ech": 1,
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "6f7971785f5cbbcb21819b6639f0e8f7",
"name": "SSL_RESULT_2" "name": "SSL_RESULT_2"
}, },
{ {
"Tuple4": "36.251.161.167.39112>143.92.57.79.443", "Tuple4": "36.251.161.167.39112>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn", "ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1", "ssl_esni": 0,
"ssl_ech": 1,
"ssl_client_version": "TLS1.2", "ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "ca54aeeb513ecacf4d7bc22c5d8f0b75", "ssl_ja3_hash": "ca54aeeb513ecacf4d7bc22c5d8f0b75",
"name": "SSL_RESULT_3" "name": "SSL_RESULT_3"
@@ -26,7 +29,8 @@
{ {
"Tuple4": "36.251.161.167.39423>143.92.57.79.443", "Tuple4": "36.251.161.167.39423>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn", "ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1", "ssl_esni": 0,
"ssl_ech": 1,
"ssl_client_version": "TLS1.2", "ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "9e41793e6f0a1696bedc0876465e1f42", "ssl_ja3_hash": "9e41793e6f0a1696bedc0876465e1f42",
"name": "SSL_RESULT_4" "name": "SSL_RESULT_4"
@@ -34,81 +38,91 @@
{ {
"Tuple4": "36.251.161.167.39680>143.92.57.79.443", "Tuple4": "36.251.161.167.39680>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn", "ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1", "ssl_esni": 0,
"ssl_ech": 1,
"ssl_client_version": "TLS1.2", "ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "47c3fabcf1bc65a32a9d3fb8e70ab79d", "ssl_ja3_hash": "47c3fabcf1bc65a32a9d3fb8e70ab79d",
"name": "SSL_RESULT_5" "name": "SSL_RESULT_5"
}, },
{
"Tuple4": "36.251.161.167.39809>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "04331a57b3e122e689c373712edf42c0",
"name": "SSL_RESULT_6"
},
{ {
"Tuple4": "36.251.161.167.39816>143.92.57.79.443", "Tuple4": "36.251.161.167.39816>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn", "ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1", "ssl_esni": 0,
"ssl_ech": 1,
"ssl_client_version": "TLS1.2", "ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "34c3efe4e6565e8eef2eaaeb7c12a1a6", "ssl_ja3_hash": "34c3efe4e6565e8eef2eaaeb7c12a1a6",
"name": "SSL_RESULT_7" "name": "SSL_RESULT_6"
}, },
{ {
"Tuple4": "36.251.161.167.39820>143.92.57.79.443", "Tuple4": "36.251.161.167.39820>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn", "ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1", "ssl_esni": 0,
"ssl_ech": 1,
"ssl_client_version": "TLS1.2", "ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cc97290a5bb4651489fe7a88e93ace90", "ssl_ja3_hash": "cc97290a5bb4651489fe7a88e93ace90",
"name": "SSL_RESULT_8" "name": "SSL_RESULT_7"
}, },
{ {
"Tuple4": "36.251.161.167.39825>143.92.57.79.443", "Tuple4": "36.251.161.167.39809>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn", "ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1", "ssl_esni": 0,
"ssl_ech": 1,
"ssl_client_version": "TLS1.2", "ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "4e6ae21ce8b876dc7cad2f5ca9a60b23", "ssl_ja3_hash": "04331a57b3e122e689c373712edf42c0",
"name": "SSL_RESULT_9" "name": "SSL_RESULT_8"
}, },
{ {
"Tuple4": "36.251.161.167.39832>143.92.57.79.443", "Tuple4": "36.251.161.167.39832>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn", "ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1", "ssl_esni": 0,
"ssl_ech": 1,
"ssl_client_version": "TLS1.2", "ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "89cb560e9ee2d33728756a2d4d7b2900", "ssl_ja3_hash": "89cb560e9ee2d33728756a2d4d7b2900",
"name": "SSL_RESULT_10" "name": "SSL_RESULT_9"
}, },
{ {
"Tuple4": "36.251.161.167.39850>143.92.57.79.443", "Tuple4": "36.251.161.167.39825>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn", "ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1", "ssl_esni": 0,
"ssl_ech": 1,
"ssl_client_version": "TLS1.2", "ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "7324d30178b21f4c3a60550ef43d5ab0", "ssl_ja3_hash": "4e6ae21ce8b876dc7cad2f5ca9a60b23",
"name": "SSL_RESULT_11" "name": "SSL_RESULT_10"
}, },
{ {
"Tuple4": "36.251.161.167.39867>143.92.57.79.443", "Tuple4": "36.251.161.167.39867>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn", "ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1", "ssl_esni": 0,
"ssl_ech": 1,
"ssl_client_version": "TLS1.2", "ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "53fed08198669268c271fc320627c0c4", "ssl_ja3_hash": "53fed08198669268c271fc320627c0c4",
"name": "SSL_RESULT_12" "name": "SSL_RESULT_11"
}, },
{ {
"Tuple4": "36.251.161.167.39777>143.92.57.79.443", "Tuple4": "36.251.161.167.39850>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn", "ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1", "ssl_esni": 0,
"ssl_ech": 1,
"ssl_client_version": "TLS1.2", "ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "c3db97da3b30171e5cf9de314584b555", "ssl_ja3_hash": "7324d30178b21f4c3a60550ef43d5ab0",
"name": "SSL_RESULT_13" "name": "SSL_RESULT_12"
}, },
{ {
"Tuple4": "36.251.161.167.39810>143.92.57.79.443", "Tuple4": "36.251.161.167.39810>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn", "ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1", "ssl_esni": 0,
"ssl_ech": 1,
"ssl_client_version": "TLS1.2", "ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "ff194650bab04e7b4cd55e66fd91c010", "ssl_ja3_hash": "ff194650bab04e7b4cd55e66fd91c010",
"name": "SSL_RESULT_13"
},
{
"Tuple4": "36.251.161.167.39777>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn",
"ssl_esni": 0,
"ssl_ech": 1,
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "c3db97da3b30171e5cf9de314584b555",
"name": "SSL_RESULT_14" "name": "SSL_RESULT_14"
} }
] ]

3174
test/case/xxg/ssl_xxg_target_result.json
View File

File diff suppressed because it is too large Load Diff

BIN
test/env/sapp-4.3.63.ea64461-1.el8.x86_64.rpm vendored Normal file
View File

Binary file not shown.

BIN
test/env/stellar-on-sapp-2.1.7.4e4f933-1.el8.x86_64.rpm vendored Normal file
View File

Binary file not shown.

191
test/ssl_decoder_test.cpp
View File

@@ -42,6 +42,11 @@ struct ssl_decoder_test_plugin_env
extern "C" int commit_test_result_json(cJSON *node, const char *name); extern "C" int commit_test_result_json(cJSON *node, const char *name);
int get_current_worker_thread_id()
{
return 0;
}
void ssl_real_result_write_file(char *result_str) void ssl_real_result_write_file(char *result_str)
{ {
FILE *fp=fopen("ssl_real_result.json", "a+"); FILE *fp=fopen("ssl_real_result.json", "a+");
@@ -67,17 +72,17 @@ void ssl_decoder_test_message_cb(struct session *ss, int topic_id, const void *m
{ {
case SSL_MESSAGE_CLIENT_HELLO: case SSL_MESSAGE_CLIENT_HELLO:
{ {
yyjson_mut_obj_add_str(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_client_version", ssl_message_readable_version_get0(ssl_msg)); yyjson_mut_obj_add_strcpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_client_version", ssl_message_readable_version_get0(ssl_msg));
char *sni=NULL; char *sni=NULL;
size_t sni_sz=0; size_t sni_sz=0;
ssl_message_sni_get0(ssl_msg, &sni, &sni_sz); ssl_message_sni_get0(ssl_msg, &sni, &sni_sz);
yyjson_mut_obj_add_strn(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_sni", sni, sni_sz); yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_sni", sni, sni_sz);
char *ja3=NULL; char *ja3=NULL;
size_t ja3_sz=0; size_t ja3_sz=0;
ssl_message_ja3hash_get0(ssl_msg, &ja3, &ja3_sz); ssl_message_ja3hash_get0(ssl_msg, &ja3, &ja3_sz);
yyjson_mut_obj_add_strn(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_ja3_hash", ja3, ja3_sz); yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_ja3_hash", ja3, ja3_sz);
int32_t esni_flag=ssl_message_esni_is_true(ssl_msg); int32_t esni_flag=ssl_message_esni_is_true(ssl_msg);
yyjson_mut_obj_add_int(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_esni", esni_flag); yyjson_mut_obj_add_int(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_esni", esni_flag);
@@ -88,17 +93,172 @@ void ssl_decoder_test_message_cb(struct session *ss, int topic_id, const void *m
break; break;
case SSL_MESSAGE_SERVER_HELLO: case SSL_MESSAGE_SERVER_HELLO:
{ {
yyjson_mut_obj_add_str(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_server_version", ssl_message_readable_version_get0(ssl_msg)); yyjson_mut_obj_add_strcpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_server_version", ssl_message_readable_version_get0(ssl_msg));
char *ja3s=NULL; char *ja3s=NULL;
size_t ja3s_sz=0; size_t ja3s_sz=0;
ssl_message_ja3shash_get0(ssl_msg, &ja3s, &ja3s_sz); ssl_message_ja3shash_get0(ssl_msg, &ja3s, &ja3s_sz);
yyjson_mut_obj_add_strn(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_ja3s_hash", ja3s, ja3s_sz); yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_ja3s_hash", ja3s, ja3s_sz);
} }
break; break;
case SSL_MESSAGE_CERTIFICATE: case SSL_MESSAGE_CERTIFICATE:
{
enum ssl_certificate_type type=ssl_certificate_type_get(ssl_msg);
if(type!=SSL_CERTIFICATE_TYPE_INDIVIDUAL)
{
break;
}
yyjson_mut_obj_add_strcpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_cert_version", ssl_message_readable_version_get0(ssl_msg));
struct ssl_rdn_sequence *issuer=ssl_message_issuer_rdn_sequence_get0(ssl_msg);
if(issuer!=NULL)
{
size_t rdn_sequence_list_sz=0;
char *rdn_sequence_list=NULL;
ssl_rdn_sequence_list_get0(issuer, &rdn_sequence_list, &rdn_sequence_list_sz);
yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_cert_issuer", rdn_sequence_list, rdn_sequence_list_sz);
size_t common_sz=0;
char *common=NULL;
ssl_rdn_sequence_common_get0(issuer, &common, &common_sz);
yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_cert_issuer_common", common, common_sz);
size_t organization_sz=0;
char *organization=NULL;
ssl_rdn_sequence_organization_get0(issuer, &organization, &organization_sz);
yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_cert_issuer_organization", organization, organization_sz);
size_t country_sz=0;
char *country=NULL;
ssl_rdn_sequence_country_get0(issuer, &country, &country_sz);
yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_cert_issuer_country", country, country_sz);
size_t state_or_Province_sz=0;
char *state_or_Province=NULL;
ssl_rdn_sequence_state_or_province_get0(issuer, &state_or_Province, &state_or_Province_sz);
yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_cert_issuer_state_or_Province", state_or_Province, state_or_Province_sz);
size_t locality_sz=0;
char *locality=NULL;
ssl_rdn_sequence_locality_get0(issuer, &locality, &locality_sz);
yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_cert_issuer_locality", locality, locality_sz);
size_t street_address_sz=0;
char *street_address=NULL;
ssl_rdn_sequence_street_address_get0(issuer, &street_address, &street_address_sz);
yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_cert_issuer_street_address", street_address, street_address_sz);
size_t organizational_unit_sz=0;
char *organizational_unit=NULL;
ssl_rdn_sequence_organizational_unit_get0(issuer, &organizational_unit, &organizational_unit_sz);
yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_cert_issuer_organizational_unit", organizational_unit, organizational_unit_sz);
}
struct ssl_rdn_sequence *subject=ssl_message_subject_rdn_sequence_get0(ssl_msg);
if(subject!=NULL)
{
size_t rdn_sequence_list_sz=0;
char *rdn_sequence_list=NULL;
ssl_rdn_sequence_list_get0(subject, &rdn_sequence_list, &rdn_sequence_list_sz);
yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_cert_subject", rdn_sequence_list, rdn_sequence_list_sz);
size_t common_sz=0;
char *common=NULL;
ssl_rdn_sequence_common_get0(subject, &common, &common_sz);
yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_cert_subject_common", common, common_sz);
size_t organization_sz=0;
char *organization=NULL;
ssl_rdn_sequence_organization_get0(subject, &organization, &organization_sz);
yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_cert_subject_organization", organization, organization_sz);
size_t country_sz=0;
char *country=NULL;
ssl_rdn_sequence_country_get0(subject, &country, &country_sz);
yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_cert_subject_country", country, country_sz);
size_t state_or_Province_sz=0;
char *state_or_Province=NULL;
ssl_rdn_sequence_state_or_province_get0(subject, &state_or_Province, &state_or_Province_sz);
yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_cert_subject_state_or_Province", state_or_Province, state_or_Province_sz);
size_t locality_sz=0;
char *locality=NULL;
ssl_rdn_sequence_locality_get0(subject, &locality, &locality_sz);
yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_cert_subject_locality", locality, locality_sz);
size_t street_address_sz=0;
char *street_address=NULL;
ssl_rdn_sequence_street_address_get0(subject, &street_address, &street_address_sz);
yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_cert_subject_street_address", street_address, street_address_sz);
size_t organizational_unit_sz=0;
char *organizational_unit=NULL;
ssl_rdn_sequence_organizational_unit_get0(subject, &organizational_unit, &organizational_unit_sz);
yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_cert_subject_organizational_unit", organizational_unit, organizational_unit_sz);
}
size_t subject_alt_name_sz=0;
char *subject_alt_name=NULL;
while(1)
{
size_t name_sz=0;
char *name=NULL;
ssl_message_subject_alter_next(ssl_msg, &name, &name_sz);
if(name_sz==0)
{
break;
}
subject_alt_name=((subject_alt_name==NULL)) ? (char *)calloc(1, name_sz+1) : (char *)realloc(subject_alt_name, subject_alt_name_sz+name_sz+1);
memcpy(subject_alt_name+subject_alt_name_sz, name, name_sz);
subject_alt_name[subject_alt_name_sz+name_sz]=';';
subject_alt_name_sz+=name_sz+1;
}
ssl_message_reset_subject_alter_iter(ssl_msg);
yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_cert_subject_alt_name", subject_alt_name, subject_alt_name_sz);
size_t serial_number_sz=0;
char *serial_number=NULL;
ssl_message_issuer_serial_number_get0(ssl_msg, &serial_number, &serial_number_sz);
if(serial_number_sz>0)
{
char *serialBuf=(char *)calloc(1, serial_number_sz*2+1+2);
size_t offset=snprintf(serialBuf, 3, "0x");
for(size_t i=0; i<serial_number_sz; i++)
{
offset+=snprintf(serialBuf+offset, serial_number_sz*2+1+2-offset, "%02hhx", (unsigned char )(serial_number[i]));
}
yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_cert_serial_number", serialBuf, offset);
free(serialBuf);
serialBuf=NULL;
}
size_t signature_algorithm_sz=0;
char *signature_algorithm=NULL;
ssl_message_signature_algorithm_id_get0(ssl_msg, &signature_algorithm, &signature_algorithm_sz);
yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_cert_signature_algorithm", signature_algorithm, signature_algorithm_sz);
size_t validity_before_sz=0;
char *validity_before=NULL;
ssl_message_validity_before_get0(ssl_msg, &validity_before, &validity_before_sz);
yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_cert_validity_before", validity_before, validity_before_sz);
size_t validity_after_sz=0;
char *validity_after=NULL;
ssl_message_validity_after_get0(ssl_msg, &validity_after, &validity_after_sz);
yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_cert_validity_after", validity_after, validity_after_sz);
size_t algorithm_identifier_sz=0;
char *algorithm_identifier=NULL;
ssl_message_algorithm_identifier_get0(ssl_msg, &algorithm_identifier, &algorithm_identifier_sz);
yyjson_mut_obj_add_strncpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_cert_algorithm_identifier", algorithm_identifier, algorithm_identifier_sz);
}
break; break;
case SSL_PROTECTED_PAYLOAD: case SSL_MESSAGE_ENCRYPTED_APPLICATION:
break; break;
default: default:
break; break;
@@ -111,6 +271,9 @@ void *ssl_decoder_test_per_session_context_new(struct session *ss, void *plugin_
per_ss_ctx->doc=yyjson_mut_doc_new(0); per_ss_ctx->doc=yyjson_mut_doc_new(0);
per_ss_ctx->ssl_object=yyjson_mut_obj(per_ss_ctx->doc); per_ss_ctx->ssl_object=yyjson_mut_obj(per_ss_ctx->doc);
// add Tuple
yyjson_mut_obj_add_strcpy(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "Tuple4", session_get0_readable_addr(ss));
return (void *)per_ss_ctx; return (void *)per_ss_ctx;
} }
@@ -127,10 +290,18 @@ void ssl_decoder_test_per_session_context_free(struct session *ss, void *per_ses
char *json_str=yyjson_mut_write(per_ss_ctx->doc, 0, 0); char *json_str=yyjson_mut_write(per_ss_ctx->doc, 0, 0);
yyjson_mut_doc_free(per_ss_ctx->doc); yyjson_mut_doc_free(per_ss_ctx->doc);
char result_name[16]=""; if(plugin_env->commit_result_enable==1)
sprintf(result_name, "SSL_RESULT_%d", plugin_env->result_index++); {
cJSON *real_result=cJSON_Parse(json_str); char result_name[16]="";
commit_test_result_json(real_result, result_name); sprintf(result_name, "SSL_RESULT_%d", plugin_env->result_index++);
cJSON *real_result=cJSON_Parse(json_str);
commit_test_result_json(real_result, result_name);
}
else
{
printf("%s\n", json_str);
}
free(json_str); free(json_str);
free(per_ss_ctx); free(per_ss_ctx);