gfwleak/stellar-ssl-decoder
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Feature: certificate decode

Browse Source
This commit is contained in:
liuxueli
2024-08-06 05:51:48 +00:00
parent 91ec4d1ee3
commit 4b3d68bc66
30 changed files with 3107 additions and 222 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
include/ssl_decoder.h
View File

@@ -12,9 +12,9 @@ extern "C"
enum ssl_message_type
{
SSL_CLIENT_HELLO,
SSL_SERVER_HELLO,
SSL_CERTIFICATE,
SSL_MESSAGE_CLIENT_HELLO,
SSL_MESSAGE_SERVER_HELLO,
SSL_MESSAGE_CERTIFICATE,
SSL_PROTECTED_PAYLOAD,
SSL_MSG_MAX,
};
@@ -22,22 +22,22 @@ enum ssl_message_type
struct ssl_message;
enum ssl_message_type ssl_message_type_get(const struct ssl_message *msg);
// SSL_CLIENT_HELLO
// SSL_MESSAGE_CLIENT_HELLO
int32_t ssl_message_esni_is_true(const struct ssl_message *msg);
int32_t ssl_message_ech_is_true(const struct ssl_message *msg);
void ssl_message_sni_get0(const struct ssl_message *msg, char **value, size_t *value_sz);
void ssl_message_ja3hash_get0(const struct ssl_message *msg, char **value, size_t *value_sz);
const char *ssl_message_readable_version_get0(const struct ssl_message *msg);
const char *ssl_message_readable_ja3hash_get0(const struct ssl_message *msg);
// SSL_SERVER_HELLO
const char *ssl_message_readable_ja3shash_get0(const struct ssl_message *msg);
// SSL_MESSAGE_SERVER_HELLO
void ssl_message_ja3shash_get0(const struct ssl_message *msg, char **value, size_t *value_sz);
void ssl_message_extensions_next(const struct ssl_message *msg, char **value, size_t *value_sz);
int ssl_message_reset_extensions_iter(struct ssl_message *msg);
// SSL_CERTIFICATE
// SSL_MESSAGE_CERTIFICATE
enum ssl_certificate_type
{
SSL_CERTIFICATE_TYPE_UNKNOWN=0,

2
src/CMakeLists.txt
View File

@@ -6,7 +6,7 @@ include_directories(${PROJECT_SOURCE_DIR}/deps/)
aux_source_directory(${PROJECT_SOURCE_DIR}/deps/toml DEPS_SRC)
aux_source_directory(${PROJECT_SOURCE_DIR}/deps/yyjson DEPS_SRC)
set(SSL_DECODER_SRC ${DEPS_SRC} ssl_decoder.cpp)
set(SSL_DECODER_SRC ${DEPS_SRC} ssl_decoder.cpp ssl_export.cpp)
add_library(ssl_decoder SHARED ${SSL_DECODER_SRC})
set_target_properties(ssl_decoder PROPERTIES LINK_FLAGS "-Wl,--version-script=${PROJECT_SOURCE_DIR}/src/version.map")

452
src/ssl_decoder.cpp
View File

@@ -38,41 +38,14 @@ extern "C"
#include "ssl_internal.h"
#include "ssl_decoder.h"
#define SSL_DECODER_FALSE 0
#define SSL_DECODER_TRUE 1
#define SSL_UUID_BYTES_SZ 16
#define SSL_RANDOM_TIME_LEN 4
#define SSL_RANDOM_SIZE 28
#define SSL_HANDSHAKE_CLIENT_HELLO 1
#define SSL_HANDSHAKE_SERVER_HELLO 2
#define SSL_HANDSHAKE_CERTIFICATE 11
#define SSL_HANDSHAKE_SERVER_KEY_EXCHANGE 12
#define SSL_CONTENT_TYPE_HANDSHAKE 0x16
#define SSL_CONTENT_TYPE_ALERT 0x15
#define SSL_CONTENT_TYPE_APPLICATION_DATA 0x17
#define SSL_CONTENT_TYPE_CHANGE_CIPHER_SPEC 0x14
#define ALPN_EXT_TYPE 0x0010
#define SERVER_NAME_EXT_TYPE 0x0000
#define SERVER_NAME_HOST_TYPE 0x0000
#define SERVER_NAME_OTHER_TYPE 0x0008
#define SESSION_TICKET_EXT_TYPE 0x0023
#define ENCRPTED_SERVER_NAME_EXT_TYPE 0xFFCE
#define ENCRPTED_CLIENT_HELLO_EXT_TYPE 0xFE0D
#define EC_POINT_FORMATS_EXT_TYPE 0x000B
// https://datatracker.ietf.org/doc/html/rfc7919
// Supported Groups
#define SUPPORTED_GROUPS_EXT_TYPE 0x000A
#define SSL_DECODER_TOML_PATH "conf/ssl/ssl_decoder.toml"
UT_icd UT_ssl_hello_extension_icd={sizeof(struct ssl_decoder_ltv), NULL, NULL, NULL};
struct ssl_certificate_chain
{
uint8_t *data;
size_t data_sz;
};
struct ssl_handshake_type
{
unsigned char content_type;
@@ -133,15 +106,6 @@ struct ssl_decoder_context
struct ssl_record_trunk record_trunk;
};
struct ssl_message
{
int32_t magic;
enum ssl_message_type type;
char uuid_bytes[SSL_UUID_BYTES_SZ];
struct session *ss;
struct ssl_decoder_plugin_env *plugin_env;
};
void ssl_hello_md5sum(struct ssl_decoder_ltv *ltv, const char *str, size_t str_sz)
{
MD5_CTX ctx;
@@ -230,11 +194,6 @@ void ssl_recod_buff_get0(struct ssl_record_trunk *record_trunk, uint8_t **record
(*record_buff_sz)=record_trunk->cache_len;
}
void ssl_handshake_certificate_decode()
{
}
void ssl_handshake_server_key_exchange_decode()
{
@@ -348,6 +307,235 @@ int32_t ssl_decoder_ltv_get(struct ssl_decoder_ltv *ltv, uint16_t type, uint8_t
return ret;
}
uint32_t ssl_handshake_certificate_count_get(uint8_t *pdata, size_t pdata_sz, size_t *pdata_offset, struct ssl_certificate_chain *cert_chain, uint32_t cert_chain_num)
{
if(NULL==pdata || 0==pdata_sz)
{
return 0;
}
uint32_t count=0;
size_t offset=(*pdata_offset);
while(pdata_sz > offset)
{
if(count>=cert_chain_num)
{
break;
}
int32_t one_cert_sz=0;
int32_t ret=ssl_read_be_u24(pdata, pdata_sz, &offset, (uint8_t *)&(one_cert_sz));
if(ret==SSL_DECODER_FALSE || one_cert_sz<=0 || (one_cert_sz+offset) > pdata_sz)
{
break;
}
cert_chain[count].data=pdata+offset;
cert_chain[count].data_sz=one_cert_sz;
offset+=one_cert_sz;
count++;
}
return count;
}
enum ssl_certificate_type ssl_handshake_certificate_type_get(uint32_t count, uint32_t offset)
{
if(offset>=count)
{
return SSL_CERTIFICATE_TYPE_UNKNOWN;
}
switch(offset)
{
case 0:
return SSL_CERTIFICATE_TYPE_INDIVIDUAL;
case 1:
return ((count==2) ? SSL_CERTIFICATE_TYPE_ROOT : SSL_CERTIFICATE_TYPE_MIDDLE);
case 2:
return ((count==3) ? SSL_CERTIFICATE_TYPE_ROOT : SSL_CERTIFICATE_TYPE_CHAIN);
default:
break;
}
return (offset==count-1) ? SSL_CERTIFICATE_TYPE_ROOT : SSL_CERTIFICATE_TYPE_CHAIN;
}
int32_t ssl_x509_certificate_detail_decode(struct ssl_certificate *certificate, uint8_t *pdata, int32_t pdata_sz)
{
X509_NAME *issuer=NULL;
X509_NAME *subject=NULL;
ASN1_STRING *serial=NULL;
ASN1_STRING *san_name=NULL;
GENERAL_NAME *generalName=NULL;
GENERAL_NAMES *subjectAltNames=NULL;
ASN1_TIME *start=NULL;
ASN1_TIME *end=NULL;
EVP_PKEY *pkey=NULL;
const ASN1_OBJECT *salg;
const X509_ALGOR *tsig_alg;
X509 *x509_handle=d2i_X509(NULL, (unsigned char const **)&pdata, pdata_sz);
if(x509_handle==NULL)
{
return SSL_DECODER_FALSE;
}
/*version*/
certificate->version=X509_get_version(x509_handle);
if(certificate->version>SSL_CERTIFICATE_VERSION_MAX)
{
X509_free(x509_handle);
return SSL_DECODER_FALSE;
}
/*serial num*/
serial=X509_get_serialNumber(x509_handle);
if(NULL != serial)
{
certificate->serial.len=MIN(ASN1_STRING_length(serial), (int)(sizeof(certificate->serial.value)-1));
memcpy(certificate->serial.value, ASN1_STRING_get0_data(serial), certificate->serial.len);
}
/*SSL AgID*/
tsig_alg=X509_get0_tbs_sigalg(x509_handle);
X509_ALGOR_get0(&salg, NULL, NULL, tsig_alg);
OBJ_obj2txt((char*)certificate->signature_algorithm.value, sizeof(certificate->signature_algorithm.value), salg, 1);
certificate->signature_algorithm.len=strlen((const char *)certificate->signature_algorithm.value);
/*SSL Issuer*/
issuer=X509_get_issuer_name(x509_handle);
if(NULL!=issuer)
{
X509_NAME_get_text_by_NID(issuer, NID_commonName, certificate->issuer.common, sizeof(certificate->issuer.common));
X509_NAME_get_text_by_NID(issuer, NID_organizationName, certificate->issuer.organization, sizeof(certificate->issuer.organization));
X509_NAME_get_text_by_NID(issuer, NID_organizationalUnitName, certificate->issuer.organizational_unit, sizeof(certificate->issuer.organizational_unit));
X509_NAME_get_text_by_NID(issuer, NID_localityName, certificate->issuer.locality, sizeof(certificate->issuer.locality));
X509_NAME_get_text_by_NID(issuer, NID_streetAddress, certificate->issuer.street_address, sizeof(certificate->issuer.street_address));
X509_NAME_get_text_by_NID(issuer, NID_stateOrProvinceName, certificate->issuer.state_or_Province, sizeof(certificate->issuer.state_or_Province));
X509_NAME_get_text_by_NID(issuer, NID_countryName, certificate->issuer.country, sizeof(certificate->issuer.country));
snprintf(certificate->issuer.rdn_sequence_list,
sizeof(certificate->issuer.rdn_sequence_list),
"%s;%s;%s;%s;%s;%s;%s",
certificate->issuer.common,
certificate->issuer.organization,
certificate->issuer.organizational_unit,
certificate->issuer.locality,
certificate->issuer.street_address,
certificate->issuer.state_or_Province,
certificate->issuer.country);
}
/*SSL Subject*/
subject=X509_get_subject_name(x509_handle);
if(NULL!=subject)
{
X509_NAME_get_text_by_NID(subject, NID_commonName, certificate->subject.common, sizeof(certificate->subject.common));
X509_NAME_get_text_by_NID(subject, NID_organizationName, certificate->subject.organization, sizeof(certificate->subject.organization));
X509_NAME_get_text_by_NID(subject, NID_countryName, certificate->subject.country, sizeof(certificate->subject.country));
X509_NAME_get_text_by_NID(subject, NID_organizationalUnitName, certificate->subject.organizational_unit, sizeof(certificate->subject.organizational_unit));
X509_NAME_get_text_by_NID(subject, NID_localityName, certificate->subject.locality, sizeof(certificate->subject.locality));
X509_NAME_get_text_by_NID(subject, NID_streetAddress, certificate->subject.street_address, sizeof(certificate->subject.street_address));
X509_NAME_get_text_by_NID(subject, NID_stateOrProvinceName, certificate->subject.state_or_Province, sizeof(certificate->subject.state_or_Province));
snprintf(certificate->subject.rdn_sequence_list,
sizeof(certificate->subject.rdn_sequence_list),
"%s;%s;%s;%s;%s;%s;%s",
certificate->subject.common,
certificate->subject.organization,
certificate->subject.organizational_unit,
certificate->subject.locality,
certificate->subject.street_address,
certificate->subject.state_or_Province,
certificate->subject.country);
}
/*SSL Subject keyInfo*/
pkey=X509_get_pubkey(x509_handle);
if(pkey!=NULL)
{
//https://www.openssl.org/docs/man3.0/man3/i2d_PublicKey.html
certificate->subject_key.len=i2d_PublicKey(pkey, NULL);
if(certificate->subject_key.len>0)
{
certificate->subject_key.value=(char *)malloc(certificate->subject_key.len);
int32_t ret=i2d_PublicKey(pkey, (unsigned char **)&(certificate->subject_key.value)); //!!! point32_t will be changed
if(ret>0)
{
certificate->subject_key.value=certificate->subject_key.value-certificate->subject_key.len;
}
else
{
free(certificate->subject_key.value);
certificate->subject_key.value=NULL;
certificate->subject_key.len=0;
}
}
EVP_PKEY_free(pkey);
}
/*validity*/
start=X509_get_notBefore(x509_handle);
end=X509_get_notAfter(x509_handle);
sprintf(certificate->validity.before, "%s", start->data);
sprintf(certificate->validity.after, "%s", end->data);
/*subject bak*/
subjectAltNames=(GENERAL_NAMES*)X509_get_ext_d2i(x509_handle, NID_subject_alt_name, NULL, NULL);
if(!subjectAltNames)
{
X509_free(x509_handle);
return SSL_DECODER_TRUE;
}
int32_t san_count=sk_GENERAL_NAME_num(subjectAltNames);
if(san_count>0)
{
certificate->subject_alter.num=0;
certificate->subject_alter.name=(char (*)[MAX_ALTER_NAME_LEN])malloc(san_count * sizeof(char[MAX_ALTER_NAME_LEN]));
for (int32_t i=0; i<san_count; i++)
{
generalName=sk_GENERAL_NAME_value(subjectAltNames, i);
if(!generalName)
{
break;
}
if(GEN_DNS == generalName->type)
{
san_name=(ASN1_STRING*)GENERAL_NAME_get0_value(generalName, NULL);
if(ASN1_STRING_length(san_name)>0)
{
char *san=(char*)ASN1_STRING_get0_data(san_name);
int32_t length=MIN(strlen(san), sizeof(certificate->subject_alter.name[certificate->subject_alter.num])-1);
memcpy(certificate->subject_alter.name[certificate->subject_alter.num], san, length);
certificate->subject_alter.name[certificate->subject_alter.num][length]='\0';
certificate->subject_alter.num++;
}
}
}
}
if(subjectAltNames)
{
GENERAL_NAMES_free(subjectAltNames);
}
//https://www.openssl.org/docs/man1.1.1/man3/X509_ALGOR_get0.html
X509_ALGOR_get0(&salg, NULL, NULL, X509_get0_tbs_sigalg(x509_handle));
OBJ_obj2txt(certificate->algorithm_identifier.value, sizeof(certificate->algorithm_identifier.value), salg, 1);
certificate->algorithm_identifier.len=strlen((const char *)certificate->algorithm_identifier.value);
return SSL_DECODER_TRUE;
}
int32_t ssl_decoder_random_bytes_get(struct ssl_decoder_ltv *ltv, uint16_t type, uint8_t *pdata, size_t pdata_sz, size_t *pdata_offset)
{
if(pdata_sz<(*pdata_offset)+SSL_RANDOM_SIZE)
@@ -402,18 +590,12 @@ int32_t ssl_server_name_decode(struct ssl_decoder_ltv *sni, uint8_t *pdata, uint
struct ssl_server_hello *ssl_handshake_server_hello_decode(uint8_t *pdata, size_t pdata_sz, size_t *pdata_offset)
{
int32_t total_len; //3
int32_t ret=ssl_read_be_u24(pdata, pdata_sz, pdata_offset, (uint8_t *)&(total_len));
if(total_len<0) /*CLIENT_HELLO_HDRLEN: 4 means client_type+len*/
{
return NULL;
}
int32_t ret=SSL_DECODER_FALSE;
struct ssl_server_hello *shello=(struct ssl_server_hello *)CALLOC(struct ssl_server_hello, 1);
ssl_read_be_u16(pdata, pdata_sz, pdata_offset, &(shello->version));
ssl_read_be_u32(pdata, pdata_sz, pdata_offset, &(shello->random_gmt_time));
for(int i=1; i<SSL_HELLO_LTV_MAX; i++)
for(int32_t i=1; i<SSL_HELLO_LTV_MAX; i++)
{
struct ssl_decoder_ltv *ltv=&(shello->ltv[i]);
switch(i)
@@ -481,18 +663,12 @@ struct ssl_server_hello *ssl_handshake_server_hello_decode(uint8_t *pdata, size_
struct ssl_client_hello *ssl_handshake_client_hello_decode(uint8_t *pdata, size_t pdata_sz, size_t *pdata_offset)
{
int32_t total_len; //3
int32_t ret=ssl_read_be_u24(pdata, pdata_sz, pdata_offset, (uint8_t *)&(total_len));
if(total_len<0) /*CLIENT_HELLO_HDRLEN: 4 means client_type+len*/
{
return NULL;
}
int32_t ret=SSL_DECODER_FALSE;
struct ssl_client_hello *chello=(struct ssl_client_hello *)CALLOC(struct ssl_client_hello, 1);
ssl_read_be_u16(pdata, pdata_sz, pdata_offset, &(chello->version));
ssl_read_be_u32(pdata, pdata_sz, pdata_offset, &(chello->random_gmt_time));
for(int i=1; i<SSL_HELLO_LTV_MAX; i++)
for(int32_t i=1; i<SSL_HELLO_LTV_MAX; i++)
{
struct ssl_decoder_ltv *ltv=&(chello->ltv[i]);
switch(i)
@@ -724,29 +900,134 @@ int32_t ssl_client_hello_ja3_generate(struct ssl_client_hello *chello)
return SSL_DECODER_TRUE;
}
void ssl_handshake_decode(struct ssl_decoder_plugin_env *plugin_env, struct session *ss, uint8_t *segment_buff, size_t segment_buff_sz, size_t *segment_buff_offset)
void ssl_message_publish(struct ssl_decoder_plugin_env *plugin_env, struct session *ss, enum ssl_message_type type, void *data)
{
if(segment_buff==NULL || ((*segment_buff_offset)+1>segment_buff_sz))
struct ssl_message *message=(struct ssl_message *)malloc(sizeof(struct ssl_message));
message->magic=SSL_MESSAGE_MAGIC;
message->type=type;
message->ss=ss;
message->plugin_env=plugin_env;
message->data=data;
session_mq_publish_message(ss, plugin_env->ssl.topic_id, (void *)message);
}
void ssl_message_free(struct session *sess, void *msg, void *msg_free_arg)
{
struct ssl_message *message=(struct ssl_message *)msg;
if(message==NULL || message->magic!=SSL_MESSAGE_MAGIC)
{
return ;
}
if(message->data!=NULL)
{
switch(message->type)
{
case SSL_MESSAGE_CLIENT_HELLO:
{
struct ssl_client_hello *chello=(struct ssl_client_hello *)message->data;
if(chello->extensions!=NULL)
{
utarray_free(chello->extensions);
}
}
break;
case SSL_MESSAGE_SERVER_HELLO:
{
struct ssl_server_hello *shello=(struct ssl_server_hello *)message->data;
if(shello->extensions!=NULL)
{
utarray_free(shello->extensions);
}
}
break;
case SSL_MESSAGE_CERTIFICATE:
{
struct ssl_certificate *certificate=(struct ssl_certificate *)message->data;
if(certificate->subject_alter.name!=NULL)
{
FREE(certificate->subject_alter.name);
}
if(certificate->subject_key.value!=NULL)
{
FREE(certificate->subject_key.value);
}
}
break;
default:
break;
}
FREE(message->data);
}
FREE(message);
}
void ssl_handshake_decode(struct ssl_decoder_plugin_env *plugin_env, struct session *ss, uint8_t *pdata, size_t pdata_sz, size_t *pdata_offset)
{
if(pdata==NULL || ((*pdata_offset)+1>pdata_sz))
{
return ;
}
struct ssl_handshake_type *handshake_type=(struct ssl_handshake_type *)(pdata+(*pdata_offset));
(*pdata_offset)+=sizeof(struct ssl_handshake_type);
int32_t total_len=0;
int32_t ret=ssl_read_be_u24(pdata, pdata_sz, pdata_offset, (uint8_t *)&total_len);
if(ret==SSL_DECODER_FALSE || total_len<0 || total_len+(*pdata_offset)>pdata_sz)
{
return ;
}
struct ssl_client_hello *chello=NULL;
struct ssl_server_hello *shello=NULL;
struct ssl_handshake_type *handshake_type=(struct ssl_handshake_type *)(segment_buff+(*segment_buff_offset));
(*segment_buff_offset)+=sizeof(struct ssl_handshake_type);
switch(handshake_type->content_type)
{
case SSL_HANDSHAKE_CLIENT_HELLO:
chello=ssl_handshake_client_hello_decode(segment_buff, segment_buff_sz, segment_buff_offset);
{
struct ssl_client_hello *chello=ssl_handshake_client_hello_decode(pdata, pdata_sz, pdata_offset);
ssl_client_hello_ja3_generate(chello);
ssl_message_publish(plugin_env, ss, SSL_MESSAGE_CLIENT_HELLO, (void *)chello);
}
break;
case SSL_HANDSHAKE_SERVER_HELLO:
shello=ssl_handshake_server_hello_decode(segment_buff, segment_buff_sz, segment_buff_offset);
{
struct ssl_server_hello *shello=ssl_handshake_server_hello_decode(pdata, pdata_sz, pdata_offset);
ssl_server_hello_ja3s_generate(shello);
ssl_message_publish(plugin_env, ss, SSL_MESSAGE_SERVER_HELLO, (void *)shello);
}
break;
case SSL_HANDSHAKE_CERTIFICATE:
// ssl_handshake_certificate_decode();
{
int32_t cert_total_len=0;
ret=ssl_read_be_u24(pdata, pdata_sz, pdata_offset, (uint8_t *)&cert_total_len);
if(ret==SSL_DECODER_FALSE || cert_total_len<0 || cert_total_len+(*pdata_offset)>pdata_sz || (cert_total_len+3)!=total_len)
{
return ;
}
struct ssl_certificate_chain cert_unit[SSL_CERTIFICATE_NUM_MAX];
uint32_t cert_count=ssl_handshake_certificate_count_get(pdata, pdata_sz, pdata_offset, cert_unit, SSL_CERTIFICATE_NUM_MAX);
for(uint32_t i=0, cert_offset=0; i<cert_count; i++, cert_offset++)
{
struct ssl_certificate *certificate=(struct ssl_certificate *)CALLOC(struct ssl_certificate, 1);
certificate->type=ssl_handshake_certificate_type_get(cert_count, cert_offset);
int32_t state=ssl_x509_certificate_detail_decode(certificate, cert_unit[i].data, cert_unit[i].data_sz);
if(state==SSL_DECODER_FALSE)
{
FREE(certificate);
return ;
}
ssl_message_publish(plugin_env, ss, SSL_MESSAGE_CERTIFICATE, (void *)certificate);
}
}
break;
case SSL_HANDSHAKE_SERVER_KEY_EXCHANGE:
// ssl_handshake_server_key_exchange_decode();
@@ -773,11 +1054,11 @@ int32_t ssl_record_header_get(struct ssl_record_header *record_hdr, uint8_t *pda
void ssl_tcp_stream_session_segment_data_cb(struct session *ss, int32_t topic_id, const void *msg, void *per_session_ctx, void *penv)
{
size_t segment_buff_offset=0;
size_t segment_buff_sz=0;
uint8_t *segment_buff=NULL;
segment_buff=(uint8_t *)session_get0_current_payload(ss, &segment_buff_sz);
if(segment_buff_sz==0 || segment_buff==NULL)
size_t pdata_offset=0;
size_t pdata_sz=0;
uint8_t *pdata=NULL;
pdata=(uint8_t *)session_get0_current_payload(ss, &pdata_sz);
if(pdata_sz==0 || pdata==NULL)
{
return ;
}
@@ -790,17 +1071,17 @@ void ssl_tcp_stream_session_segment_data_cb(struct session *ss, int32_t topic_id
struct ssl_decoder_context *per_ss_ctx=(struct ssl_decoder_context *)(per_session_ctx);
ssl_recod_buff_get0(&(per_ss_ctx->record_trunk), &segment_buff, &segment_buff_sz);
if(segment_buff_sz<=SSL_RECORD_HEADER_SZ)
ssl_recod_buff_get0(&(per_ss_ctx->record_trunk), &pdata, &pdata_sz);
if(pdata_sz<=SSL_RECORD_HEADER_SZ)
{
return ;
}
struct ssl_record_header record_hdr={0};
ssl_record_header_get(&record_hdr, segment_buff, segment_buff_sz, &segment_buff_offset);
if(!is_trunk_cache(&(per_ss_ctx->record_trunk)) && segment_buff_sz<record_hdr.total_len)
ssl_record_header_get(&record_hdr, pdata, pdata_sz, &pdata_offset);
if(!is_trunk_cache(&(per_ss_ctx->record_trunk)) && pdata_sz<record_hdr.total_len)
{
ssl_trunk_cache(&(per_ss_ctx->record_trunk), segment_buff, segment_buff_sz);
ssl_trunk_cache(&(per_ss_ctx->record_trunk), pdata, pdata_sz);
return ;
}
@@ -809,7 +1090,7 @@ void ssl_tcp_stream_session_segment_data_cb(struct session *ss, int32_t topic_id
switch(record_hdr.content_type)
{
case SSL_CONTENT_TYPE_HANDSHAKE:
ssl_handshake_decode(plugin_env, ss, segment_buff, segment_buff_sz, &segment_buff_offset);
ssl_handshake_decode(plugin_env, ss, pdata, pdata_sz, &pdata_offset);
break;
case SSL_CONTENT_TYPE_ALERT:
break;
@@ -827,11 +1108,6 @@ void ssl_tcp_stream_session_segment_data_cb(struct session *ss, int32_t topic_id
}
}
void ssl_message_free(struct session *sess, void *msg, void *msg_free_arg)
{
}
void *ssl_decoder_per_session_context_new(struct session *ss, void *penv)
{
uint64_t inner_flag=0;

255
src/ssl_export.cpp Normal file
View File

@@ -0,0 +1,255 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "ssl_internal.h"
#include "ssl_decoder.h"
enum ssl_message_type ssl_message_type_get(const struct ssl_message *msg)
{
return ((msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC) ? SSL_MSG_MAX : msg->type);
}
// SSL_MESSAGE_CLIENT_HELLO
int32_t ssl_message_esni_is_true(const struct ssl_message *msg)
{
if(msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CLIENT_HELLO)
{
return -1;
}
return ((msg->chello->esni==NULL) ? 1 : 0);
}
int32_t ssl_message_ech_is_true(const struct ssl_message *msg)
{
if(msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CLIENT_HELLO)
{
return -1;
}
return ((msg->chello->ech==NULL) ? 1 : 0);
}
void ssl_message_sni_get0(const struct ssl_message *msg, char **value, size_t *value_sz)
{
if(msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CLIENT_HELLO)
{
return;
}
if(msg->chello->sni==NULL)
{
return;
}
*value=(char *)msg->chello->sni->value;
*value_sz=msg->chello->sni->lv_u32;
}
const char *ssl_message_readable_version_get0(const struct ssl_message *msg)
{
if(msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC)
{
return NULL;
}
uint16_t version=0;
switch(msg->type)
{
case SSL_MESSAGE_CLIENT_HELLO:
if(msg->chello==NULL)
{
return NULL;
}
version=msg->chello->version;
break;
case SSL_MESSAGE_SERVER_HELLO:
if(msg->shello==NULL)
{
return NULL;
}
version=msg->shello->version;
break;
default:
return NULL;
}
switch(version)
{
case SSL_DECODER_VERSION_SSL_V2_0:
return "SSLv2.0";
case SSL_DECODER_VERSION_SSL_V3_0:
return "SSLv3.0";
case SSL_DECODER_VERSION_TLS_V1_0:
return "TLSv1.0";
case SSL_DECODER_VERSION_TLS_V1_1:
return "TLSv1.1";
case SSL_DECODER_VERSION_TLS_V1_2:
return "TLSv1.2";
case SSL_DECODER_VERSION_TLS_V1_3:
return "TLSv1.3";
case SSL_DECODER_VERSION_TLCP_V1_0:
return "TLCPv1.0";
default:
break;
}
return NULL;
}
void ssl_message_ja3hash_get0(const struct ssl_message *msg, char **value, size_t *value_sz)
{
if(msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CLIENT_HELLO)
{
*value=NULL;
*value_sz=0;
return ;
}
if(msg->chello->ja3.value==NULL || msg->chello->ja3.lv_u32==0)
{
*value=NULL;
*value_sz=0;
return ;
}
*value=(char *)msg->chello->ja3.value;
*value_sz=msg->chello->ja3.lv_u32;
}
// SSL_MESSAGE_SERVER_HELLO
void ssl_message_ja3shash_get0(const struct ssl_message *msg, char **value, size_t *value_sz)
{
if(msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_SERVER_HELLO)
{
*value=NULL;
*value_sz=0;
return;
}
if(msg->shello->ja3s.value==NULL || msg->shello->ja3s.lv_u32==0)
{
*value=NULL;
*value_sz=0;
return;
}
*value=(char *)msg->shello->ja3s.value;
*value_sz=msg->shello->ja3s.lv_u32;
}
void ssl_message_extensions_next(const struct ssl_message *msg, char **value, size_t *value_sz)
{
}
int ssl_message_reset_extensions_iter(struct ssl_message *msg)
{
return 0;
}
enum ssl_certificate_type ssl_certificate_type_get(const struct ssl_message *msg)
{
return ((msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CERTIFICATE) ? msg->certificate->type : SSL_CERTIFICATE_TYPE_UNKNOWN);
}
void ssl_message_validity_before_get0(const struct ssl_message *msg, char **value, size_t *value_sz)
{
}
void ssl_message_validity_after_get0(const struct ssl_message *msg, char **value, size_t *value_sz)
{
}
void ssl_message_issuer_serial_number_get0(const struct ssl_message *msg, char **value, size_t *value_sz)
{
}
void ssl_message_subject_public_key_algorithm_get0(const struct ssl_message *msg, char **value, size_t *value_sz)
{
}
void ssl_message_ssl_algorithm_identifier_get0(const struct ssl_message *msg, char **value, size_t *value_sz)
{
}
void ssl_message_ssl_signature_algorithm_id_get0(const struct ssl_message *msg, char **value, size_t *value_sz)
{
}
void ssl_message_subject_alter_next(const struct ssl_message *msg, char **value, size_t *value_sz)
{
}
int ssl_message_reset_subject_alter_iter(struct ssl_message *msg)
{
return 0;
}
struct ssl_rdn_sequence *ssl_message_issuer_rdn_sequence_get0(const struct ssl_message *msg)
{
return ((msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CERTIFICATE) ? &(msg->certificate->issuer) : NULL);
}
struct ssl_rdn_sequence *ssl_message_subject_rdn_sequence_get0(const struct ssl_message *msg)
{
return ((msg==NULL || msg->magic!=SSL_MESSAGE_MAGIC || msg->type!=SSL_MESSAGE_CERTIFICATE) ? &(msg->certificate->subject) : NULL);
}
void ssl_rdn_sequence_common_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz)
{
}
void ssl_rdn_sequence_country_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz)
{
}
void ssl_rdn_sequence_locality_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz)
{
}
void ssl_rdn_sequence_postal_code_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz)
{
}
void ssl_rdn_sequence_organization_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz)
{
}
void ssl_rdn_sequence_street_address_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz)
{
}
void ssl_rdn_sequence_state_or_province_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz)
{
}
void ssl_rdn_sequence_organizational_unit_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz)
{
}
void ssl_rdn_sequence_list_get0(struct ssl_rdn_sequence *rdn, char **value, size_t *value_sz)
{
}
void ssl_message_protected_payload_get0(const struct ssl_message *msg, char **value, size_t *value_sz)
{
}

65
src/ssl_internal.h
View File

@@ -4,6 +4,44 @@
#include <stddef.h>
#include <uthash/utarray.h>
#include "ssl_decoder.h"
#define SSL_DECODER_TOML_PATH "conf/ssl/ssl_decoder.toml"
#define SSL_DECODER_FALSE 0
#define SSL_DECODER_TRUE 1
#define SSL_UUID_BYTES_SZ 16
#define SSL_RANDOM_TIME_LEN 4
#define SSL_RANDOM_SIZE 28
#define SSL_HANDSHAKE_CLIENT_HELLO 1
#define SSL_HANDSHAKE_SERVER_HELLO 2
#define SSL_HANDSHAKE_CERTIFICATE 11
#define SSL_HANDSHAKE_SERVER_KEY_EXCHANGE 12
#define SSL_CONTENT_TYPE_HANDSHAKE 0x16
#define SSL_CONTENT_TYPE_ALERT 0x15
#define SSL_CONTENT_TYPE_APPLICATION_DATA 0x17
#define SSL_CONTENT_TYPE_CHANGE_CIPHER_SPEC 0x14
#define ALPN_EXT_TYPE 0x0010
#define SERVER_NAME_EXT_TYPE 0x0000
#define SERVER_NAME_HOST_TYPE 0x0000
#define SERVER_NAME_OTHER_TYPE 0x0008
#define SESSION_TICKET_EXT_TYPE 0x0023
#define ENCRPTED_SERVER_NAME_EXT_TYPE 0xFFCE
#define ENCRPTED_CLIENT_HELLO_EXT_TYPE 0xFE0D
#define EC_POINT_FORMATS_EXT_TYPE 0x000B
// https://datatracker.ietf.org/doc/html/rfc7919
// Supported Groups
#define SUPPORTED_GROUPS_EXT_TYPE 0x000A
#define SSL_CERTIFICATE_NUM_MAX 8
#define SSL_CERTIFICATE_VERSION_MAX 3
#define SSL_DECODER_VERSION_UNKNOWN 0x0000
#define SSL_DECODER_VERSION_SSL_V2_0 0x0002
@@ -132,11 +170,8 @@ struct ssl_algorithm_identifier
struct ssl_certificate
{
int total_len;
int cert_len;
char cert_type;
//struct ssl_l1v version;
uint16_t version;
enum ssl_certificate_type type;
struct ssl_validity validity;
struct ssl_serial_number serial;
struct ssl_rdn_sequence issuer;
@@ -147,3 +182,23 @@ struct ssl_certificate
struct ssl_algorithm_identifier algorithm_identifier;
struct ssl_signature_algorithm_id signature_algorithm;
};
#define SSL_MESSAGE_MAGIC 0xEF53534C
struct ssl_message
{
uint32_t magic;
enum ssl_message_type type;
char uuid_bytes[SSL_UUID_BYTES_SZ];
struct session *ss;
struct ssl_decoder_plugin_env *plugin_env;
union
{
struct ssl_client_hello *chello;
struct ssl_server_hello *shello;
struct ssl_certificate *certificate;
void *data;
};
};

20
src/version.map
View File

@@ -4,19 +4,15 @@ global:
*ssl_decoder_init*;
*ssl_decoder_exit*;
*ssl_message_type_get*;
*ssl_message_header_id_get*;
*ssl_message_header_flag_get0*;
*ssl_message_query_question_get0*;
*ssl_query_question_qname_get0*;
*ssl_query_question_qtype_get0*;
*ssl_query_question_qclass_get0*;
*ssl_message_answer_resource_record_get0*;
*ssl_message_authority_resource_record_get0*;
*ssl_message_additional_resource_record_get0*;
*ssl_message_resource_record_json_exporter*;
*ssl_message_uuid_get0*;
*ssl_message_resource_record_is_sslsec*;
*ssl_message_resource_record_cname_json_exporter*;
*ssl_message_esni_is_true*;
*ssl_message_ech_is_true*;
*ssl_message_sni_get0*;
*ssl_message_ja3hash_get0*;
*ssl_message_readable_version_get0*;
*ssl_message_ja3shash_get0*;
*ssl_message_extensions_next*;
*ssl_message_reset_extensions_iter*;
*GIT*;
};
local: *;

66
test/CMakeLists.txt
View File

@@ -4,7 +4,7 @@ aux_source_directory(${PROJECT_SOURCE_DIR}/deps/yyjson DEPS_SRC)
add_library(${PROJECT_NAME}_test_plug SHARED ssl_decoder_test.cpp ${DEPS_SRC})
add_dependencies(${PROJECT_NAME}_test_plug ${PROJECT_NAME})
target_link_libraries(${PROJECT_NAME}_test_plug cjson)
target_link_libraries(${PROJECT_NAME}_test_plug cjson -Wl,--no-whole-archive openssl-crypto-static -Wl,--no-whole-archive openssl-ssl-static)
set_target_properties(${PROJECT_NAME}_test_plug PROPERTIES PREFIX "")
add_executable(ssl_decoder_perf_test
@@ -12,9 +12,10 @@ add_executable(ssl_decoder_perf_test
ssl_decoder_perf_dummy.cpp
${DEPS_SRC} ssl_decoder_test.cpp
${PROJECT_SOURCE_DIR}/src/ssl_decoder.cpp
${PROJECT_SOURCE_DIR}/src/ssl_export.cpp
)
target_link_libraries(ssl_decoder_perf_test fieldstat4 pthread cjson -Wl,--no-whole-archive openssl-crypto-static -Wl,--no-whole-archive openssl-ssl-static)
target_link_libraries(ssl_decoder_perf_test fieldstat4 pthread cjson -Wl,--no-whole-archive openssl-crypto-static -Wl,--no-whole-archive openssl-ssl-static -ldl)
set(TEST_RUN_DIR ${CMAKE_CURRENT_BINARY_DIR}/sapp)
set(TEST_MAIN ${TEST_RUN_DIR}/plugin_test_main)
@@ -47,46 +48,27 @@ add_test(NAME UPDATE_TEST_SO COMMAND sh -c "cp ${CMAKE_CURRENT_BINARY_DIR}/${PRO
add_test(NAME MKDIR_PLUG_CONF COMMAND sh -c "mkdir -p ${TEST_RUN_DIR}/etc/ssl/")
add_test(NAME UPDATE_PLUG_CONF COMMAND sh -c "cp ${PROJECT_SOURCE_DIR}/bin/${PROJECT_NAME}.toml ${TEST_RUN_DIR}/etc/ssl/${PROJECT_NAME}.toml")
# set_tests_properties(INSTALL_TEST_MAIN INSTALL_STELLAR UPDATE_SAPP_LOG COPY_CONFLIST COPY_INF COPY_TEST_MAIN COPY_SPEC UPDATE_PLUG_SO UPDATE_TEST_SO MKDIR_PLUG_CONF UPDATE_PLUG_CONF PROPERTIES FIXTURES_SETUP TestFixture)
set_tests_properties(INSTALL_TEST_MAIN INSTALL_STELLAR UPDATE_SAPP_LOG COPY_CONFLIST COPY_INF COPY_TEST_MAIN COPY_SPEC UPDATE_PLUG_SO UPDATE_TEST_SO MKDIR_PLUG_CONF UPDATE_PLUG_CONF PROPERTIES FIXTURES_SETUP TestFixture)
# # run tests
# add_test(NAME MKDIR_METRICS COMMAND sh -c "mkdir -p ${TEST_RUN_DIR}/metrics/")
# add_test(NAME ssl_QUERY COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/query/query_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/query/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
# add_test(NAME ssl_CNAME COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/cname/cname_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/cname/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
# add_test(NAME ssl_NSEC_RR COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/nsec/nsec_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/nsec/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
# add_test(NAME ssl_NSEC_10_1_RR COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/nsec_10_1/nsec_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/nsec_10_1/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
# add_test(NAME ssl_NSEC3_RR COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/nsec3/nsec3_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/nsec3/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
# add_test(NAME ssl_PTR COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/ptr/ptr_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/ptr/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
# add_test(NAME ssl_SRV COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/srv/srv_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/srv/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
# add_test(NAME ssl_TXT COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/txt/txt_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/txt/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
# add_test(NAME ssl_HTTPS COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/https/https_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/https/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
# add_test(NAME ssl_CERT1 COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/cernet1/cernet1_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/cernet1/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
# add_test(NAME ssl_CERT2 COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/cernet2/cernet2_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/cernet2/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
# add_test(NAME ssl_SEC COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/sslsec/sslsec_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/sslsec/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
# add_test(NAME ssl_TCP_MULTI_TRANSCATION COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/multi_transcation/multi_transcation_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/multi_transcation/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
# add_test(NAME ssl_TCP_MULTI_PKT_TRANS_2BYTES COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/multi_pkt_trans_2bytes/multi_pkt_trans_2bytes_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/multi_pkt_trans_2bytes/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
# add_test(NAME ssl_TCP_LOST_PKT COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/tcp_lost_pkt/lost_pkt_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/tcp_lost_pkt/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
# add_test(NAME ssl_MULTI_SESSION COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/multi_session/multi_session_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/multi_session/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
# add_test(NAME ssl_NS_NSEC3_RRSIG_A_OPT COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/ns_nsec3_rrsig_a_opt/ns_nsec3_rrsig_a_opt_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/ns_nsec3_rrsig_a_opt/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
# add_test(NAME ssl_PORT5353 COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/port5353/port5353_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/port5353/ -name *.pcap|sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
add_test(NAME RUN_SSL_TEST COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/ssl/ssl_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/ssl -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
add_test(NAME RUN_E21_BUG_E21_TEST COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/e21/ssl_e21_target_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/e21/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
add_test(NAME RUN_E21_BUG_XXG_TEST COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/xxg/ssl_xxg_target_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/xxg/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
add_test(NAME RUN_BUG_TEST COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/bug/ssl_bug_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/bug/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
add_test(NAME RUN_MULTIPLE_HANDSHAKE_TEST COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/multiple_handshake/ssl_multiple_handshake_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/multiple_handshake/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
add_test(NAME RUN_CLOSE_CONTAINS_PAYLOAD_TEST COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/close_contains_payload/ssl_close_contains_payload_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/close_contains_payload/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
add_test(NAME RUN_EXTENSION_EXCEED_16 COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/extensions_exceed_16/extensions_exceed_16_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/extensions_exceed_16/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
add_test(NAME RUN_CLIENT_HELLO_FRAGMENT COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/client_hello_fragment/ssl_client_hello_fragment_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/client_hello_fragment/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
add_test(NAME RUN_ACK_CONTAINS_PAYLOAD COMMAND ${TEST_MAIN} ${CMAKE_CURRENT_SOURCE_DIR}/case/tcp_ack_contians_payload/ssl_tcp_ack_contians_payload_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/case/tcp_ack_contians_payload/ -name '*.pcap' | sort -V" WORKING_DIRECTORY ${TEST_RUN_DIR})
# set_tests_properties(ssl_QUERY
# ssl_CNAME
# ssl_NSEC_RR
# ssl_NSEC_10_1_RR
# ssl_NSEC3_RR
# ssl_PTR
# ssl_SRV
# ssl_TXT
# ssl_HTTPS
# ssl_CERT1
# ssl_CERT2
# ssl_SEC
# ssl_TCP_MULTI_TRANSCATION
# ssl_TCP_MULTI_PKT_TRANS_2BYTES
# ssl_TCP_LOST_PKT
# ssl_MULTI_SESSION
# ssl_NS_NSEC3_RRSIG_A_OPT
# ssl_PORT5353
# PROPERTIES FIXTURES_REQUIRED TestFixture
# )
set_tests_properties(RUN_SSL_TEST
RUN_E21_BUG_E21_TEST
RUN_E21_BUG_XXG_TEST
RUN_BUG_TEST
RUN_MULTIPLE_HANDSHAKE_TEST
RUN_CLOSE_CONTAINS_PAYLOAD_TEST
RUN_EXTENSION_EXCEED_16
RUN_CLIENT_HELLO_FRAGMENT
RUN_ACK_CONTAINS_PAYLOAD
PROPERTIES FIXTURES_REQUIRED TestFixture
)

BIN
test/case/bug/1-ssl-192.168.50.52.17434.15.197.193.217.443.pcap Normal file
View File

Binary file not shown.

23
test/case/bug/ssl_bug_result.json Normal file
View File

@@ -0,0 +1,23 @@
[
{
"Tuple4": "192.168.50.52.17434>15.197.193.217.443",
"ssl_sni": "match.adsrvr.org",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"ssl_ja3s_hash": "8d2a028aa94425f76ced7826b1f39039",
"ssl_cert_version": "v3",
"ssl_cert_Issuer": "GlobalSign GCC R3 DV TLS CA 2020;GlobalSign nv-sa;;;;;BE",
"ssl_cert_IssuerCN": "GlobalSign GCC R3 DV TLS CA 2020",
"ssl_cert_IssuerO": "GlobalSign nv-sa",
"ssl_cert_IssuerC": "BE",
"ssl_cert_Sub": "*.adsrvr.org;;;;;;",
"ssl_cert_SubCN": "*.adsrvr.org",
"ssl_cert_SubAltName": "*.adsrvr.org;adsrvr.org",
"ssl_cert_SerialNum": "0x2ddaa6f359d4ce458fe983f1",
"ssl_cert_AgID": "1.2.840.113549.1.1.11",
"ssl_cert_From": "220331203750Z",
"ssl_cert_To": "230502203749Z",
"ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11",
"name": "SSL_RESULT_1"
}
]

BIN
test/case/client_hello_fragment/1-ssl.client.hello.fragment.192.168.56.31.53868.74.118.186.107.443.pcap Normal file
View File

Binary file not shown.

BIN
test/case/client_hello_fragment/2-sni.client.hello.fragment.192.168.58.17.49218-23.216.55.29.443.pcap Normal file
View File

Binary file not shown.

BIN
test/case/client_hello_fragment/3-ssl.client.hello.fragment.36.251.161.167.39777-143.92.57.79.443.pcap Normal file
View File

Binary file not shown.

58
test/case/client_hello_fragment/ssl_client_hello_fragment_result.json Normal file
View File

@@ -0,0 +1,58 @@
[
{
"Tuple4": "192.168.56.31.53868>74.118.186.107.443",
"ssl_sni": "sync.targeting.unrulymedia.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "bc93a67ef4492974195865dc0262e65e",
"ssl_ja3s_hash": "b898351eb5e266aefd3723d466935494",
"ssl_cert_version": "v3",
"ssl_cert_Issuer": "Sectigo RSA Domain Validation Secure Server CA;Sectigo Limited;;Salford;;Greater Manchester;GB",
"ssl_cert_IssuerCN": "Sectigo RSA Domain Validation Secure Server CA",
"ssl_cert_IssuerO": "Sectigo Limited",
"ssl_cert_IssuerC": "GB",
"ssl_cert_IssuerP": "Greater Manchester",
"ssl_cert_IssuerL": "Salford",
"ssl_cert_Sub": "*.targeting.unrulymedia.com;;;;;;",
"ssl_cert_SubCN": "*.targeting.unrulymedia.com",
"ssl_cert_SubAltName": "*.targeting.unrulymedia.com;targeting.unrulymedia.com",
"ssl_cert_SerialNum": "0x888d5e51787e0f1f485dc542465d2034",
"ssl_cert_AgID": "1.2.840.113549.1.1.11",
"ssl_cert_From": "230510000000Z",
"ssl_cert_To": "240510235959Z",
"ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11",
"name": "SSL_RESULT_1"
},
{
"Tuple4": "192.168.58.17.49218>23.216.55.29.443",
"ssl_sni": "www.missionsports.org",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "a69708a64f853c3bcc214c2c5faf84f3",
"ssl_ja3s_hash": "10a2ad147a870ef37af153dea9fe4dd3",
"ssl_cert_version": "v3",
"ssl_cert_Issuer": "DigiCert TLS RSA SHA256 2020 CA1;DigiCert Inc;;;;;US",
"ssl_cert_IssuerCN": "DigiCert TLS RSA SHA256 2020 CA1",
"ssl_cert_IssuerO": "DigiCert Inc",
"ssl_cert_IssuerC": "US",
"ssl_cert_Sub": "a248.e.akamai.net;Akamai Technologies, Inc.;;Cambridge;;Massachusetts;US",
"ssl_cert_SubCN": "a248.e.akamai.net",
"ssl_cert_SubO": "Akamai Technologies, Inc.",
"ssl_cert_SubC": "US",
"ssl_cert_SubP": "Massachusetts",
"ssl_cert_SubL": "Cambridge",
"ssl_cert_SubAltName": "a248.e.akamai.net;*.akamaized.net;*.akamaized-staging.net;*.akamaihd.net;*.akamaihd-staging.net",
"ssl_cert_SerialNum": "0x0d61f7742d583251a2b8d5a26a1dda0b",
"ssl_cert_AgID": "1.2.840.113549.1.1.11",
"ssl_cert_From": "230516000000Z",
"ssl_cert_To": "240515235959Z",
"ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11",
"name": "SSL_RESULT_2"
},
{
"Tuple4": "36.251.161.167.39777>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "c3db97da3b30171e5cf9de314584b555",
"name": "SSL_RESULT_3"
}
]

BIN
test/case/close_contains_payload/1-TachyonVPN-192.168.50.28.63669-18.163.185.193.443.pcap Normal file
View File

Binary file not shown.

28
test/case/close_contains_payload/ssl_close_contains_payload_result.json Normal file
View File

@@ -0,0 +1,28 @@
[
{
"Tuple4": "192.168.50.28.63669>18.163.185.193.443",
"ssl_sni": "www.firefox.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "45b1a0eca9605cd8789cd7e1a5ccd9b0",
"ssl_ja3s_hash": "9a1de6823a92d66172ce93d309e73e4e",
"ssl_cert_version": "v3",
"ssl_cert_Issuer": "DigiCert SHA2 Secure Server CA;DigiCert Inc;;;;;US",
"ssl_cert_IssuerCN": "DigiCert SHA2 Secure Server CA",
"ssl_cert_IssuerO": "DigiCert Inc",
"ssl_cert_IssuerC": "US",
"ssl_cert_Sub": "redirect-san.mozilla.org;Mozilla Corporation;WebOps;Mountain View;;California;US",
"ssl_cert_SubCN": "redirect-san.mozilla.org",
"ssl_cert_SubO": "Mozilla Corporation",
"ssl_cert_SubC": "US",
"ssl_cert_SubP": "California",
"ssl_cert_SubL": "Mountain View",
"ssl_cert_SubU": "WebOps",
"ssl_cert_SubAltName": "leandatapractices.org;leandatapractices.com;mozilla-podcasts.org;mozilla.com;gv.dev;getfirefox.com;geckoview.dev;firefoxquantum.com;firefox.com;taskcluster.net;contributejson.org;www.firefox.com;masterfirefoxos.mozilla.org;mobilepartners.mozilla.org;www.leandatapractices.org;www.leandatapractices.com;www.getfirefox.com;mozilla.org.uk;webwewant.mozilla.org;thehub.mozilla.com;nightly.mozilla.org;pontoon.mozillalabs.com;videos.mozilla.org;videos-cdn.mozilla.net;treestatus.mozilla.org;techspeakers.mozilla.org;redirect-san.mozilla.org;input.mozilla.com;join.mozilla.org;content.mozilla.org;activations.mozilla.org;addons.mozilla.com;airmo.mozilla.org;ask.mozilla.org;aurora.mozilla.org;beta.mozilla.org;careers.mozilla.com;designlanguage.mozilla.org;input.mozilla.org;dnt.mozilla.org;events.mozilla.org;forums.mozilla.org;friends.mozilla.org;git.mozilla.org;hub.mozilla.com;hub.mozilla.org;activations.mozilla.com;www.mozilla.com",
"ssl_cert_SerialNum": "0x019d2b994ec99445c735d2a6d739e43a",
"ssl_cert_AgID": "1.2.840.113549.1.1.11",
"ssl_cert_From": "200406000000Z",
"ssl_cert_To": "210414120000Z",
"ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11",
"name": "SSL_RESULT_1"
}
]

BIN
test/case/e21/1-E21-target.com-196.188.136.150-151.101.2.187.443.pcap Normal file
View File

Binary file not shown.

502
test/case/e21/ssl_e21_target_result.json Normal file
View File

@@ -0,0 +1,502 @@
[
{
"Tuple4": "10.10.10.162.55173>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_1"
},
{
"Tuple4": "10.10.10.162.55174>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_2"
},
{
"Tuple4": "10.10.10.162.55176>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_3"
},
{
"Tuple4": "10.10.10.162.55177>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_4"
},
{
"Tuple4": "10.10.10.162.55178>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_5"
},
{
"Tuple4": "10.10.10.162.55179>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_6"
},
{
"Tuple4": "10.10.10.162.55180>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_7"
},
{
"Tuple4": "10.10.10.162.55181>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_8"
},
{
"Tuple4": "10.10.10.162.55182>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_9"
},
{
"Tuple4": "10.10.10.162.55184>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_10"
},
{
"Tuple4": "10.10.10.162.55214>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_11"
},
{
"Tuple4": "10.10.10.162.55215>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_12"
},
{
"Tuple4": "10.10.10.162.55183>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"ssl_ja3s_hash": "16c0b3e6a7b8173c16d944cfeaeee9cf",
"ssl_cert_version": "v3",
"ssl_cert_Issuer": "GlobalSign Atlas R3 OV TLS CA H2 2021;GlobalSign nv-sa;;;;;BE",
"ssl_cert_IssuerCN": "GlobalSign Atlas R3 OV TLS CA H2 2021",
"ssl_cert_IssuerO": "GlobalSign nv-sa",
"ssl_cert_IssuerC": "BE",
"ssl_cert_Sub": "sites.target.com;Target Corporation;;Minneapolis;;Minnesota;US",
"ssl_cert_SubCN": "sites.target.com",
"ssl_cert_SubO": "Target Corporation",
"ssl_cert_SubC": "US",
"ssl_cert_SubP": "Minnesota",
"ssl_cert_SubL": "Minneapolis",
"ssl_cert_SubCN": "sites.target.com",
"ssl_cert_SubAltName": "sites.target.com;affiliate.target.com;android.studioconnect.live;api.studioconnect.live;apollo-metrics.target.com;assethub.partnersonline.com;assethub.target.com;awesomeshop.target.com;bex.partnersonline.com;bex.target.com;cartster.target.com;cartwheel.target.com;cartwheelws-secure.target.com;circle.target.com;connect.roundel.com;connectedcommerce.target.com;corporate.target.com;developer.target.com;dojo.target.com;doppler.partnersonline.com;elevate.target.com;extgargantua.partnersonline.com;factorial.partnersonline.com;finds.target.com;gql.studioconnect.live;greenfield.partnersonline.com;greenfield.target.com;hrocdocrequest.target.com;iccon.target.com;incubator.target.com;india.target.com;ios.studioconnect.live;jira.target.com;launchpad.partnersonline.com;launchpad.target.com;leads.studioconnect.live;m.target.com;marketinghub.target.com;mercury.partnersonline.com;mickra.target.com;mickradashboard.target.com;mvs.partnersonline.com;mytime.target.com;nic.target;openhouse.target.com;opensource.target.com;osmosis.partnersonline.com;partnersonline.com;pcn.partnersonline.com;peg.partnersonline.com;photosubmission.target.com;pid.partnersonline.com;plus.target.com;pmworkorderadmin.partnersonline.com;poladmin.partnersonline.com;pop.partnersonline.com;qmp.partnersonline.com;qr.target.com;r2d2.target.com;rdmplus.target.com;recognize.target.com;redcard.target.com;redirect.studioconnect.live;rik.roundel.com;roundel.com;rubix.partnersonline.com;rubix.target.com;security.target.com;servicetech.target.com;sm.partnersonline.com;spark.partnersonline.com;spark.target.com;studioconnect.live;stylehub.target.com;synergy.partnersonline.com;target.com;targetmedianetwork.target.com;targetopenhouse.com;tepagent.target.com;tgt-files.target.com;tgtdriver.partnersonline.com;ti-event-prod.target.com;tiam.target.com;tiiam.target.com;tvi.partnersonline.com;viewpoint.target.com;weeklyad.target.com;www.partnersonline.com;www.roundel.com;www.target.com;www.targetopenhouse.com",
"ssl_cert_SerialNum": "0x012ede33fc9283773396e9b1ff995262",
"ssl_cert_AgID": "1.2.840.113549.1.1.11",
"ssl_cert_From": "210928164609Z",
"ssl_cert_To": "221030164608Z",
"ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11",
"name": "SSL_RESULT_13"
},
{
"Tuple4": "10.10.10.162.55242>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"ssl_ja3s_hash": "16c0b3e6a7b8173c16d944cfeaeee9cf",
"ssl_cert_version": "v3",
"ssl_cert_Issuer": "GlobalSign Atlas R3 OV TLS CA H2 2021;GlobalSign nv-sa;;;;;BE",
"ssl_cert_IssuerCN": "GlobalSign Atlas R3 OV TLS CA H2 2021",
"ssl_cert_IssuerO": "GlobalSign nv-sa",
"ssl_cert_IssuerC": "BE",
"ssl_cert_Sub": "sites.target.com;Target Corporation;;Minneapolis;;Minnesota;US",
"ssl_cert_SubCN": "sites.target.com",
"ssl_cert_SubO": "Target Corporation",
"ssl_cert_SubC": "US",
"ssl_cert_SubP": "Minnesota",
"ssl_cert_SubL": "Minneapolis",
"ssl_cert_SubCN": "sites.target.com",
"ssl_cert_SubAltName": "sites.target.com;affiliate.target.com;android.studioconnect.live;api.studioconnect.live;apollo-metrics.target.com;assethub.partnersonline.com;assethub.target.com;awesomeshop.target.com;bex.partnersonline.com;bex.target.com;cartster.target.com;cartwheel.target.com;cartwheelws-secure.target.com;circle.target.com;connect.roundel.com;connectedcommerce.target.com;corporate.target.com;developer.target.com;dojo.target.com;doppler.partnersonline.com;elevate.target.com;extgargantua.partnersonline.com;factorial.partnersonline.com;finds.target.com;gql.studioconnect.live;greenfield.partnersonline.com;greenfield.target.com;hrocdocrequest.target.com;iccon.target.com;incubator.target.com;india.target.com;ios.studioconnect.live;jira.target.com;launchpad.partnersonline.com;launchpad.target.com;leads.studioconnect.live;m.target.com;marketinghub.target.com;mercury.partnersonline.com;mickra.target.com;mickradashboard.target.com;mvs.partnersonline.com;mytime.target.com;nic.target;openhouse.target.com;opensource.target.com;osmosis.partnersonline.com;partnersonline.com;pcn.partnersonline.com;peg.partnersonline.com;photosubmission.target.com;pid.partnersonline.com;plus.target.com;pmworkorderadmin.partnersonline.com;poladmin.partnersonline.com;pop.partnersonline.com;qmp.partnersonline.com;qr.target.com;r2d2.target.com;rdmplus.target.com;recognize.target.com;redcard.target.com;redirect.studioconnect.live;rik.roundel.com;roundel.com;rubix.partnersonline.com;rubix.target.com;security.target.com;servicetech.target.com;sm.partnersonline.com;spark.partnersonline.com;spark.target.com;studioconnect.live;stylehub.target.com;synergy.partnersonline.com;target.com;targetmedianetwork.target.com;targetopenhouse.com;tepagent.target.com;tgt-files.target.com;tgtdriver.partnersonline.com;ti-event-prod.target.com;tiam.target.com;tiiam.target.com;tvi.partnersonline.com;viewpoint.target.com;weeklyad.target.com;www.partnersonline.com;www.roundel.com;www.target.com;www.targetopenhouse.com",
"ssl_cert_SerialNum": "0x012ede33fc9283773396e9b1ff995262",
"ssl_cert_AgID": "1.2.840.113549.1.1.11",
"ssl_cert_From": "210928164609Z",
"ssl_cert_To": "221030164608Z",
"ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11",
"name": "SSL_RESULT_14"
},
{
"Tuple4": "10.10.10.162.55241>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_15"
},
{
"Tuple4": "10.10.10.162.55274>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_16"
},
{
"Tuple4": "10.10.10.162.55273>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_17"
},
{
"Tuple4": "10.10.10.162.55279>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_18"
},
{
"Tuple4": "10.10.10.162.55282>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_19"
},
{
"Tuple4": "10.10.10.162.55283>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_20"
},
{
"Tuple4": "10.10.10.162.55284>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_21"
},
{
"Tuple4": "10.10.10.162.55285>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_22"
},
{
"Tuple4": "10.10.10.162.55286>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_23"
},
{
"Tuple4": "10.10.10.162.55287>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_24"
},
{
"Tuple4": "10.10.10.162.55288>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_25"
},
{
"Tuple4": "10.10.10.162.55289>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_26"
},
{
"Tuple4": "10.10.10.162.55296>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_27"
},
{
"Tuple4": "10.10.10.162.55297>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_28"
},
{
"Tuple4": "10.10.10.162.55298>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_29"
},
{
"Tuple4": "10.10.10.162.55299>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_30"
},
{
"Tuple4": "10.10.10.162.55300>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_31"
},
{
"Tuple4": "10.10.10.162.55301>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_32"
},
{
"Tuple4": "10.10.10.162.55306>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_33"
},
{
"Tuple4": "10.10.10.162.55307>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_34"
},
{
"Tuple4": "10.10.10.162.55308>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_35"
},
{
"Tuple4": "10.10.10.162.55309>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_36"
},
{
"Tuple4": "10.10.10.162.55311>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_37"
},
{
"Tuple4": "10.10.10.162.55312>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_38"
},
{
"Tuple4": "10.10.10.162.55321>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_39"
},
{
"Tuple4": "10.10.10.162.55322>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_40"
},
{
"Tuple4": "10.10.10.162.55323>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_41"
},
{
"Tuple4": "10.10.10.162.55324>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_42"
},
{
"Tuple4": "10.10.10.162.55325>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_43"
},
{
"Tuple4": "10.10.10.162.55326>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_44"
},
{
"Tuple4": "10.10.10.162.55327>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_45"
},
{
"Tuple4": "10.10.10.162.55328>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_46"
},
{
"Tuple4": "10.10.10.162.55330>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_47"
},
{
"Tuple4": "10.10.10.162.55331>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_48"
},
{
"Tuple4": "10.10.10.162.55332>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_49"
},
{
"Tuple4": "10.10.10.162.55334>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_50"
},
{
"Tuple4": "10.10.10.162.55336>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_51"
},
{
"Tuple4": "10.10.10.162.55337>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_52"
},
{
"Tuple4": "10.10.10.162.55338>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_53"
},
{
"Tuple4": "10.10.10.162.55343>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_54"
},
{
"Tuple4": "10.10.10.162.55344>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_55"
},
{
"Tuple4": "10.10.10.162.55345>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_56"
},
{
"Tuple4": "10.10.10.162.55346>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_57"
},
{
"Tuple4": "10.10.10.162.55349>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_58"
},
{
"Tuple4": "10.10.10.162.55348>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_59"
},
{
"Tuple4": "10.10.10.162.55352>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_60"
},
{
"Tuple4": "10.10.10.162.55353>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_61"
},
{
"Tuple4": "10.10.10.162.55356>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_62"
},
{
"Tuple4": "10.10.10.162.55357>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_63"
},
{
"Tuple4": "10.10.10.162.55359>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_64"
},
{
"Tuple4": "10.10.10.162.55358>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_65"
},
{
"Tuple4": "10.10.10.162.55364>151.101.2.187.443",
"ssl_sni": "www.target.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"name": "SSL_RESULT_66"
}
]

BIN
test/case/extensions_exceed_16/1-ssl.ex.exceed16-192.168.64.8.53446-185.63.190.2.443.pcap Normal file
View File

Binary file not shown.

10
test/case/extensions_exceed_16/extensions_exceed_16_result.json Normal file
View File

@@ -0,0 +1,10 @@
[
{
"Tuple4": "192.168.64.8.53466>185.63.190.2.443",
"ssl_sni": "fermer.ru",
"ssl_ech": "1",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "afa0d02228072fc4b02a7772a668c64a",
"name": "SSL_RESULT_1"
}
]

BIN
test/case/multiple_handshake/3-ssl-with-cert.pcap Normal file
View File

Binary file not shown.

23
test/case/multiple_handshake/ssl_multiple_handshake_result.json Normal file
View File

@@ -0,0 +1,23 @@
[
{
"Tuple4": "192.168.32.27.52705>202.89.233.101.443",
"ssl_sni": "cn.bing.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cd08e31494f9531f560d64c695473da9",
"ssl_ja3s_hash": "67bfe5d15ae567fb35fd7837f0116eec",
"ssl_cert_version": "v3",
"ssl_cert_Issuer": "Microsoft RSA TLS CA 02;Microsoft Corporation;;;;;US",
"ssl_cert_IssuerCN": "Microsoft RSA TLS CA 02",
"ssl_cert_IssuerO": "Microsoft Corporation",
"ssl_cert_IssuerC": "US",
"ssl_cert_Sub": "www.bing.com;;;;;;",
"ssl_cert_SubCN": "www.bing.com",
"ssl_cert_SubAltName": "www.bing.com;dict.bing.com.cn;*.platform.bing.com;*.bing.com;bing.com;ieonline.microsoft.com;*.windowssearch.com;cn.ieonline.microsoft.com;*.origin.bing.com;*.mm.bing.net;*.api.bing.com;ecn.dev.virtualearth.net;*.cn.bing.net;*.cn.bing.com;ssl-api.bing.com;ssl-api.bing.net;*.api.bing.net;*.bingapis.com;bingsandbox.com;feedback.microsoft.com;insertmedia.bing.office.net;r.bat.bing.com;*.r.bat.bing.com;*.dict.bing.com.cn;*.dict.bing.com;*.ssl.bing.com;*.appex.bing.com;*.platform.cn.bing.com;wp.m.bing.com;*.m.bing.com;global.bing.com;windowssearch.com;search.msn.com;*.bingsandbox.com;*.api.tiles.ditu.live.com;*.ditu.live.com;*.t0.tiles.ditu.live.com;*.t1.tiles.ditu.live.com;*.t2.tiles.ditu.live.com;*.t3.tiles.ditu.live.com;*.tiles.ditu.live.com;3d.live.com;api.search.live.com;beta.search.live.com;cnweb.search.live.com;dev.live.com;ditu.live.com;farecast.live.com;image.live.com;images.live.com;local.live.com.au;localsearch.live.com;ls4d.search.live.com;mail.live.com;mapindia.live.com;local.live.com;maps.live.com;maps.live.com.au;mindia.live.com;news.live.com;origin.cnweb.search.live.com;preview.local.live.com;search.live.com;test.maps.live.com;video.live.com;videos.live.com;virtualearth.live.com;wap.live.com;webmaster.live.com;webmasters.live.com;www.local.live.com.au;www.maps.live.com.au",
"ssl_cert_SerialNum": "0x7f0012e261129541195fac1a6000000012e261",
"ssl_cert_AgID": "1.2.840.113549.1.1.11",
"ssl_cert_From": "210706015313Z",
"ssl_cert_To": "220106015313Z",
"ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11",
"name": "SSL_RESULT_1"
}
]

BIN
test/case/ssl/1-ssl-sun9-20.userapi.com-90.143.182.94.55835-93.186.227.131.443.pcap Normal file
View File

Binary file not shown.

BIN
test/case/ssl/2-ssl-v1.3-esni-192.168.50.38.52391-104.16.123.96.443.pcap Normal file
View File

Binary file not shown.

BIN
test/case/ssl/3-tls_ech.pcap Normal file
View File

Binary file not shown.

53
test/case/ssl/ssl_result.json Normal file
View File

@@ -0,0 +1,53 @@
[
{
"Tuple4": "192.168.50.38.52391>104.16.123.96.443",
"ssl_sni": "ESNI",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "62a4a00de930bd0a5bee0309cc8362ed",
"ssl_ja3s_hash": "eb1d94daa7e0344597e756a1fb6e7054",
"name": "SSL_RESULT_1"
},
{
"Tuple4": "192.168.2.102.56768>34.138.246.121.443",
"ssl_sni": "public.tls-ech.dev",
"ssl_ech": "1",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "a195b9c006fcb23ab9a2343b0871e362",
"ssl_ja3s_hash": "2b0648ab686ee45e0e7c35fcfb0eea7e",
"name": "SSL_RESULT_2"
},
{
"Tuple4": "90.143.182.94.55835>93.186.227.131.443",
"ssl_sni": "sun9-20.userapi.com",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "6f5e62edfa5933b1332ddf8b9fb3ef9d",
"ssl_ja3s_hash": "2d1eb5817ece335c24904f516ad5da12",
"ssl_cert_version": "v3",
"ssl_cert_Issuer": "GlobalSign Organization Validation CA - SHA256 - G2;GlobalSign nv-sa;;;;;BE",
"ssl_cert_IssuerCN": "GlobalSign Organization Validation CA - SHA256 - G2",
"ssl_cert_IssuerO": "GlobalSign nv-sa",
"ssl_cert_IssuerC": "BE",
"ssl_cert_Sub": "*.userapi.com;V Kontakte LLC;;Saint-Petersburg;;Saint-Petersburg;RU",
"ssl_cert_SubCN": "*.userapi.com",
"ssl_cert_SubO": "V Kontakte LLC",
"ssl_cert_SubC": "RU",
"ssl_cert_SubP": "Saint-Petersburg",
"ssl_cert_SubL": "Saint-Petersburg",
"ssl_cert_SubAltName": "*.userapi.com;vk.me;*.vk-cdn.net;*.vkuserlive.com;*.vkuserlive.net;*.vkuseraudio.net;*.vkuseraudio.com;*.vkuservideo.net;*.vkuservideo.com;*.vk.me;userapi.com",
"ssl_cert_SerialNum": "0x5afa3a189e6a5c11e1e18b0f",
"ssl_cert_AgID": "1.2.840.113549.1.1.11",
"ssl_cert_From": "180717083809Z",
"ssl_cert_To": "190714162604Z",
"ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11",
"name": "SSL_RESULT_3"
},
{
"Tuple4": "192.168.2.102.56776>34.138.246.121.443",
"ssl_sni": "public.tls-ech.dev",
"ssl_ech": "1",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "a195b9c006fcb23ab9a2343b0871e362",
"ssl_ja3s_hash": "2b0648ab686ee45e0e7c35fcfb0eea7e",
"name": "SSL_RESULT_4"
}
]

BIN
test/case/tcp_ack_contians_payload/1-tcp_ack_contains_payload.pcap Normal file
View File

Binary file not shown.

114
test/case/tcp_ack_contians_payload/ssl_tcp_ack_contians_payload_result.json Normal file
View File

@@ -0,0 +1,114 @@
[
{
"Tuple4": "36.251.161.167.39018>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "6f7971785f5cbbcb21819b6639f0e8f7",
"name": "SSL_RESULT_1"
},
{
"Tuple4": "36.251.161.167.39025>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "0ac1d260c0b1f0e3bf645d6580ea6343",
"name": "SSL_RESULT_2"
},
{
"Tuple4": "36.251.161.167.39112>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "ca54aeeb513ecacf4d7bc22c5d8f0b75",
"name": "SSL_RESULT_3"
},
{
"Tuple4": "36.251.161.167.39423>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "9e41793e6f0a1696bedc0876465e1f42",
"name": "SSL_RESULT_4"
},
{
"Tuple4": "36.251.161.167.39680>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "47c3fabcf1bc65a32a9d3fb8e70ab79d",
"name": "SSL_RESULT_5"
},
{
"Tuple4": "36.251.161.167.39809>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "04331a57b3e122e689c373712edf42c0",
"name": "SSL_RESULT_6"
},
{
"Tuple4": "36.251.161.167.39816>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "34c3efe4e6565e8eef2eaaeb7c12a1a6",
"name": "SSL_RESULT_7"
},
{
"Tuple4": "36.251.161.167.39820>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "cc97290a5bb4651489fe7a88e93ace90",
"name": "SSL_RESULT_8"
},
{
"Tuple4": "36.251.161.167.39825>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "4e6ae21ce8b876dc7cad2f5ca9a60b23",
"name": "SSL_RESULT_9"
},
{
"Tuple4": "36.251.161.167.39832>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "89cb560e9ee2d33728756a2d4d7b2900",
"name": "SSL_RESULT_10"
},
{
"Tuple4": "36.251.161.167.39850>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "7324d30178b21f4c3a60550ef43d5ab0",
"name": "SSL_RESULT_11"
},
{
"Tuple4": "36.251.161.167.39867>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "53fed08198669268c271fc320627c0c4",
"name": "SSL_RESULT_12"
},
{
"Tuple4": "36.251.161.167.39777>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "c3db97da3b30171e5cf9de314584b555",
"name": "SSL_RESULT_13"
},
{
"Tuple4": "36.251.161.167.39810>143.92.57.79.443",
"ssl_sni": "a.ywgyuv.cn",
"ssl_ech": "1",
"ssl_client_version": "TLS1.2",
"ssl_ja3_hash": "ff194650bab04e7b4cd55e66fd91c010",
"name": "SSL_RESULT_14"
}
]

BIN
test/case/xxg/1-18-target.com.pcap Normal file
View File

Binary file not shown.

1493
test/case/xxg/ssl_xxg_target_result.json Normal file
View File

File diff suppressed because it is too large Load Diff

143
test/ssl_decoder_test.cpp
View File

@@ -10,6 +10,7 @@ extern "C"
{
#include "cJSON.h"
#include "yyjson/yyjson.h"
#include "ssl_decoder.h"
#include "toml/toml.h"
@@ -25,17 +26,20 @@ extern "C"
#define ssl_DECODER_TEST_TOML_PATH "./etc/ssl/ssl_decoder.toml"
struct ssl_decoder_test_context
{
yyjson_mut_doc *doc;
yyjson_mut_val *ssl_object;
};
struct ssl_decoder_test_plugin_env
{
int plugin_id;
int topic_id;
int result_index;
int commit_result_enable;
int decode_resource_record_enable;
int export_resource_record_enable;
};
extern "C" void perf_resource_record_decode(struct ssl_message *ssl_msg);
extern "C" int commit_test_result_json(cJSON *node, const char *name);
void ssl_real_result_write_file(char *result_str)
@@ -50,17 +54,86 @@ void ssl_real_result_write_file(char *result_str)
void ssl_decoder_test_message_cb(struct session *ss, int topic_id, const void *msg, void *per_session_ctx, void *plugin_env_str)
{
struct ssl_message *ssl_msg=(struct ssl_message *)msg;
if(ssl_msg==NULL)
{
return;
}
void *ssl_decoder_test_per_session_context_new(struct session *sess, void *plugin_env)
struct ssl_decoder_test_context *per_ss_ctx=(struct ssl_decoder_test_context *)per_session_ctx;
enum ssl_message_type msg_type=ssl_message_type_get(ssl_msg);
switch(msg_type)
{
return NULL;
case SSL_MESSAGE_CLIENT_HELLO:
{
yyjson_mut_obj_add_str(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_client_version", ssl_message_readable_version_get0(ssl_msg));
char *sni=NULL;
size_t sni_sz=0;
ssl_message_sni_get0(ssl_msg, &sni, &sni_sz);
yyjson_mut_obj_add_strn(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_sni", sni, sni_sz);
char *ja3=NULL;
size_t ja3_sz=0;
ssl_message_ja3hash_get0(ssl_msg, &ja3, &ja3_sz);
yyjson_mut_obj_add_strn(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_ja3_hash", ja3, ja3_sz);
int32_t esni_flag=ssl_message_esni_is_true(ssl_msg);
yyjson_mut_obj_add_int(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_esni", esni_flag);
int32_t ech_flag=ssl_message_ech_is_true(ssl_msg);
yyjson_mut_obj_add_int(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_ech", ech_flag);
}
break;
case SSL_MESSAGE_SERVER_HELLO:
{
yyjson_mut_obj_add_str(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_server_version", ssl_message_readable_version_get0(ssl_msg));
char *ja3s=NULL;
size_t ja3s_sz=0;
ssl_message_ja3shash_get0(ssl_msg, &ja3s, &ja3s_sz);
yyjson_mut_obj_add_strn(per_ss_ctx->doc ,per_ss_ctx->ssl_object, "ssl_ja3s_hash", ja3s, ja3s_sz);
}
break;
case SSL_MESSAGE_CERTIFICATE:
break;
case SSL_PROTECTED_PAYLOAD:
break;
default:
break;
}
}
void ssl_decoder_test_per_session_context_free(struct session *sess, void *session_ctx, void *plugin_env)
void *ssl_decoder_test_per_session_context_new(struct session *ss, void *plugin_env)
{
struct ssl_decoder_test_context *per_ss_ctx=(struct ssl_decoder_test_context *)calloc(1, sizeof(struct ssl_decoder_test_context));
per_ss_ctx->doc=yyjson_mut_doc_new(0);
per_ss_ctx->ssl_object=yyjson_mut_obj(per_ss_ctx->doc);
return (void *)per_ss_ctx;
}
void ssl_decoder_test_per_session_context_free(struct session *ss, void *per_session_ctx, void *plugin_env_str)
{
struct ssl_decoder_test_plugin_env *plugin_env=(struct ssl_decoder_test_plugin_env *)plugin_env_str;
struct ssl_decoder_test_context *per_ss_ctx=(struct ssl_decoder_test_context *)per_session_ctx;
if(per_ss_ctx==NULL)
{
return;
}
yyjson_mut_doc_set_root(per_ss_ctx->doc, per_ss_ctx->ssl_object);
char *json_str=yyjson_mut_write(per_ss_ctx->doc, 0, 0);
yyjson_mut_doc_free(per_ss_ctx->doc);
char result_name[16]="";
sprintf(result_name, "SSL_RESULT_%d", plugin_env->result_index++);
cJSON *real_result=cJSON_Parse(json_str);
commit_test_result_json(real_result, result_name);
free(json_str);
free(per_ss_ctx);
}
int32_t ssl_decoder_test_config_load(const char *cfg_path, struct ssl_decoder_test_plugin_env *plugin_env)
@@ -125,62 +198,6 @@ int32_t ssl_decoder_test_config_load(const char *cfg_path, struct ssl_decoder_te
}
}
toml_table_t *perf_tbl=toml_table_in(test_tbl, "perf");
if(NULL==perf_tbl)
{
fprintf(stderr, "[%s:%d] config file: %s has no key: [decoder.ssl.test.perf]", __FUNCTION__, __LINE__, cfg_path);
toml_free(root);
return -1;
}
// decode_resource_record_enable
toml_datum_t decode_resource_record_enable_val=toml_string_in(perf_tbl, "decode_resource_record_enable");
if(decode_resource_record_enable_val.ok==0)
{
plugin_env->decode_resource_record_enable=0;
fprintf(stderr, "[%s:%d] config file: %s has no key: [decoder.ssl.test.decode_resource_record_enable]", __FUNCTION__, __LINE__, cfg_path);
}
else
{
if(memcmp("no", decode_resource_record_enable_val.u.s, strlen("no"))==0)
{
plugin_env->decode_resource_record_enable=0;
}
else if(memcmp("yes", decode_resource_record_enable_val.u.s, strlen("yes"))==0)
{
plugin_env->decode_resource_record_enable=1;
}
else
{
plugin_env->decode_resource_record_enable=1;
fprintf(stderr, "[%s:%d] config file: %s key: [decoder.ssl.test.decode_resource_record_enable] value is not yes or no", __FUNCTION__, __LINE__, cfg_path);
}
}
// export_resource_record_enable
toml_datum_t export_resource_record_enable_val=toml_string_in(perf_tbl, "export_resource_record_enable");
if(export_resource_record_enable_val.ok==0)
{
plugin_env->export_resource_record_enable=0;
fprintf(stderr, "[%s:%d] config file: %s has no key: [decoder.ssl.test.export_resource_record_enable]", __FUNCTION__, __LINE__, cfg_path);
}
else
{
if(memcmp("no", export_resource_record_enable_val.u.s, strlen("no"))==0)
{
plugin_env->export_resource_record_enable=0;
}
else if(memcmp("yes", export_resource_record_enable_val.u.s, strlen("yes"))==0)
{
plugin_env->export_resource_record_enable=1;
}
else
{
plugin_env->export_resource_record_enable=1;
fprintf(stderr, "[%s:%d] config file: %s key: [decoder.ssl.test.export_resource_record_enable] value is not yes or no", __FUNCTION__, __LINE__, cfg_path);
}
}
toml_free(root);
return ret;