Merge pull request #204 from netd-tud/feature-tls-extensions

Feature tls extensions

Author: SiskaPavel

README.md

@@ -288,12 +288,14 @@ List of unirec fields exported together with basic flow fields on interface by R
 ### TLS
 List of unirec fields exported together with basic flow fields on interface by TLS plugin.
 
-| Output field        | Type   | Description                                                   |
-|:-------------------:|:------:|:-------------------------------------------------------------:|
-| TLS_SNI             | string | TLS server name indication field from client                  |
-| TLS_ALPN            | string | TLS application protocol layer negotiation field from server  |
-| TLS_VERSION         | uint16 | TLS client protocol version                                   |
-| TLS_JA3             | string | TLS client JA3 fingerprint                                    |
+| Output field |   Type   |                         Description                          |
+|:------------:|:--------:|:------------------------------------------------------------:|
+|   TLS_SNI    |  string  |         TLS server name indication field from client         |
+|   TLS_ALPN   |  string  | TLS application protocol layer negotiation field from server |
+| TLS_VERSION  |  uint16  |                 TLS client protocol version                  |
+|   TLS_JA3    | string   |                  TLS client JA3 fingerprint                  |
+| TLS_EXT_TYPE | uint16\* |          TLS extensions in the TLS Client Hello              |
+| TLS_EXT_LEN  | uint16\* |                 Length of each TLS extension                 |
 
 ### DNS
 List of unirec fields exported together with basic flow fields on interface by DNS plugin.

include/ipfixprobe/ipfix-elements.hpp

@@ -186,6 +186,9 @@ namespace ipxp {
 #define TLS_VERSION(F)                F(39499,  333,    2,   nullptr)
 #define TLS_ALPN(F)                   F(39499,  337,   -1,   nullptr)
 #define TLS_JA3(F)                    F(39499,  357,   -1,   nullptr)
+#define TLS_EXT_TYPE(F)               F(0,      291,   -1,   nullptr)
+#define TLS_EXT_LEN(F)                F(0,      291,   -1,   nullptr)
+
 
 #define SMTP_COMMANDS(F)              F(8057,    810,   4,   nullptr)
 #define SMTP_MAIL_COUNT(F)            F(8057,    811,   4,   nullptr)
@@ -378,7 +381,9 @@ namespace ipxp {
    F(TLS_VERSION) \
    F(TLS_SNI) \
    F(TLS_ALPN) \
-   F(TLS_JA3)
+   F(TLS_JA3) \
+   F(TLS_EXT_TYPE) \
+   F(TLS_EXT_LEN)
 
 #define IPFIX_NTP_TEMPLATE(F) \
    F(NTP_LEAP) \

process/tls.cpp

@@ -9,6 +9,7 @@
  * \author Ondrej Sedlacek <[email protected]>
  * \author Karel Hynek <[email protected]>
  * \author Andrej Lukacovic [email protected]
+ * \author Jonas Mücke <[email protected]>
  * \date 2018-2022
  */
 
@@ -99,7 +100,6 @@ bool TLSPlugin::obtain_tls_data(TLSData &payload, RecordExtTLS *rec, std::string
    std::string ecliptic_curves;
    std::string ec_point_formats;
 
-
    while (payload.start + sizeof(tls_ext) <= payload.end) {
       tls_ext *ext    = (tls_ext *) payload.start;
       uint16_t length = ntohs(ext->length);
@@ -118,6 +118,20 @@ bool TLSPlugin::obtain_tls_data(TLSData &payload, RecordExtTLS *rec, std::string
          } else if (type == TLS_EXT_EC_POINT_FORMATS) {
             ec_point_formats = tls_parser.tls_get_ja3_ec_point_formats(payload);
          }
+
+          if (!rec->tls_ext_len_set && !rec->tls_ext_type_set) {
+                // Store extension type
+                if (rec->tls_ext_type_len < MAX_TLS_EXT_LEN) {
+                    rec->tls_ext_type[rec->tls_ext_type_len] = type;
+                    rec->tls_ext_type_len += 1;
+                }
+
+                // Store extension type length
+                if (rec->tls_ext_len_len < MAX_TLS_EXT_LEN) {
+                    rec->tls_ext_len[rec->tls_ext_len_len] = length;
+                    rec->tls_ext_len_len += 1;
+                }
+          }
       } else if (hs_type == TLS_HANDSHAKE_SERVER_HELLO) {
          rec->server_hello_parsed = true;
          if (type == TLS_EXT_ALPN) {
@@ -138,6 +152,12 @@ bool TLSPlugin::obtain_tls_data(TLSData &payload, RecordExtTLS *rec, std::string
          }
       }
    }
+   if (rec->tls_ext_type_len > 0 ) {
+      rec->tls_ext_type_set = true;
+      rec->tls_ext_len_set = true;
+   }
+
+
    if (hs_type == TLS_HANDSHAKE_SERVER_HELLO) {
       return false;
    }

process/tls.hpp

@@ -8,6 +8,7 @@
  * \author Jiri Havranek <[email protected]>
  * \author Karel Hynek <[email protected]>
  * \author Andrej Lukacovic [email protected]
+ * \author Jonas Mücke <[email protected]>
  * \date 2022
  */
 
@@ -29,6 +30,7 @@
 #include <ipfixprobe/process.hpp>
 #include <ipfixprobe/flowifc.hpp>
 #include <ipfixprobe/packet.hpp>
+#include <ipfixprobe/ipfix-basiclist.hpp>
 #include <ipfixprobe/ipfix-elements.hpp>
 #include <ipfixprobe/utils.hpp>
 #include <process/tls_parser.hpp>
@@ -37,18 +39,23 @@
 #define BUFF_SIZE 255
 
 namespace ipxp {
-#define TLS_UNIREC_TEMPLATE "TLS_SNI,TLS_JA3,TLS_ALPN,TLS_VERSION"
+#define TLS_UNIREC_TEMPLATE "TLS_SNI,TLS_JA3,TLS_ALPN,TLS_VERSION,TLS_EXT_TYPE,TLS_EXT_LEN"
 
 UR_FIELDS(
    string TLS_SNI,
    string TLS_ALPN,
    uint16 TLS_VERSION,
-   bytes TLS_JA3
+   bytes TLS_JA3,
+   uint16* TLS_EXT_TYPE,
+   uint16* TLS_EXT_LEN
 )
 
 /**
  * \brief Flow record extension header for storing parsed HTTPS packets.
  */
+// TODO fix IEs
+#define TLS_EXT_TYPE_FIELD_ID 802
+#define TLS_EXT_LEN_FIELD_ID 803
 struct RecordExtTLS : public RecordExt {
    static int  REGISTERED_ID;
 
@@ -60,6 +67,14 @@ struct RecordExtTLS : public RecordExt {
    std::string ja3;
    bool        server_hello_parsed;
 
+   uint16_t tls_ext_type[MAX_TLS_EXT_LEN];
+   uint16_t tls_ext_type_len;
+   bool tls_ext_type_set;
+
+   uint16_t tls_ext_len[MAX_TLS_EXT_LEN];
+   uint8_t tls_ext_len_len;
+   bool tls_ext_len_set;
+
    /**
     * \brief Constructor.
     */
@@ -69,6 +84,14 @@ struct RecordExtTLS : public RecordExt {
       sni[0]      = 0;
       ja3_hash[0] = 0;
       server_hello_parsed = false;
+
+      memset(tls_ext_type, 0, sizeof(tls_ext_type));
+      tls_ext_type_len = 0;
+      tls_ext_type_set = false;
+
+      memset(tls_ext_len, 0, sizeof(tls_ext_len));
+      tls_ext_len_len = 0;
+      tls_ext_len_set = false;
    }
 
    #ifdef WITH_NEMEA
@@ -78,6 +101,14 @@ struct RecordExtTLS : public RecordExt {
       ur_set_string(tmplt, record, F_TLS_SNI, sni);
       ur_set_string(tmplt, record, F_TLS_ALPN, alpn);
       ur_set_var(tmplt, record, F_TLS_JA3, ja3_hash_bin, 16);
+      ur_array_allocate(tmplt, record, F_QUIC_TLS_EXT_TYPE, tls_ext_type_len);
+      for (int i = 0; i < tls_ext_type_len; i++) {
+          ur_array_set(tmplt, record, F_TLS_EXT_TYPE, i, tls_ext_type[i]);
+      }
+      ur_array_allocate(tmplt, record, F_TLS_EXT_LEN, tls_ext_len_len);
+      for (int i = 0; i < tls_ext_len_len; i++) {
+          ur_array_set(tmplt, record, F_TLS_EXT_LEN, i, tls_ext_len[i]);
+      }
    }
 
    const char *get_unirec_tmplt() const
@@ -89,11 +120,18 @@ struct RecordExtTLS : public RecordExt {
 
    virtual int fill_ipfix(uint8_t *buffer, int size)
    {
+      IpfixBasicList basiclist;
+      basiclist.hdrEnterpriseNum = IpfixBasicList::CesnetPEM;
+
       uint16_t sni_len  = strlen(sni);
       uint16_t alpn_len = strlen(alpn);
 
       uint32_t pos = 0;
-      uint32_t req_buff_len = (sni_len + 3) + (alpn_len + 3) + (2) + (16 + 3); // (SNI) + (ALPN) + (VERSION) + (JA3)
+
+      uint16_t len_tls_ext_type = sizeof(tls_ext_type[0]) * (tls_ext_type_len) + basiclist.HeaderSize();
+      uint16_t len_tls_len = sizeof(tls_ext_len[0]) * (tls_ext_len_len) + basiclist.HeaderSize();
+
+      uint32_t req_buff_len = (sni_len + 3) + (alpn_len + 3) + (2) + (16 + 3) + len_tls_ext_type + len_tls_len; // (SNI) + (ALPN) + (VERSION) + (JA3)
 
       if (req_buff_len > (uint32_t) size) {
          return -1;
@@ -108,7 +146,16 @@ struct RecordExtTLS : public RecordExt {
       buffer[pos++] = 16;
       memcpy(buffer + pos, ja3_hash_bin, 16);
       pos += 16;
-
+      pos += basiclist.FillBuffer(
+                    buffer + pos,
+                    tls_ext_type,
+                    (uint16_t) tls_ext_type_len,
+                    (uint16_t) TLS_EXT_TYPE_FIELD_ID);
+      pos += basiclist.FillBuffer(
+            buffer + pos,
+            tls_ext_len,
+            (uint16_t) tls_ext_len_len,
+            (uint16_t) TLS_EXT_LEN_FIELD_ID);
       return pos;
    }
 
@@ -133,6 +180,22 @@ struct RecordExtTLS : public RecordExt {
       for (int i = 0; i < 16; i++) {
          out << std::hex << std::setw(2) << std::setfill('0') << (unsigned) ja3_hash_bin[i];
       }
+      out << ",tlsexttype=(";
+              for (int i = 0; i < tls_ext_type_len; i++) {
+                  out << std::dec << (uint16_t) tls_ext_type[i];
+                  if (i != tls_ext_type_len - 1) {
+                      out << ",";
+                  }
+              }
+      out << "),tlsextlen=(";
+      for (int i = 0; i < tls_ext_len_len; i++) {
+          out << std::dec << (uint16_t) tls_ext_len[i];
+          if (i != tls_ext_len_len - 1) {
+              out << ",";
+          }
+      }
+      out << ")";
+
       return out.str();
    }
 };

process/tls_parser.hpp

@@ -26,6 +26,7 @@
 // draf-02 az draft-12 have this value defined as 0x26 == 38
 #define TLS_EXT_QUIC_TRANSPORT_PARAMETERS_V2 0x26
 #define TLS_EXT_GOOGLE_USER_AGENT            0x3129
+#define MAX_TLS_EXT_LEN                      30
 
 
 namespace ipxp {