++

Author: Zadamsa

process-plugin-api/process/common/tlsParser/tlsParser.hpp

@@ -121,7 +121,7 @@ class TLSParser {
 	std::optional<TLSParser::SignatureAlgorithms>
 	parseSignatureAlgorithms(std::span<const std::byte> extension) noexcept;
 
-	constexpr
+	constexpr static
 	std::optional<TLSParser::SupportedVersions>
 	parseSupportedVersions(
 		std::span<const std::byte> extension, const TLSHandshake& handshake) noexcept;
@@ -130,9 +130,9 @@ class TLSParser {
 
 	constexpr bool isServerHello() const noexcept;
 
-	constexpr const TLSHandshake& getHandshake() const noexcept;
+	//constexpr const TLSHandshake& getHandshake() const noexcept;
 
-	constexpr const CipherSuites& getCipherSuites() const noexcept;
+//	constexpr const CipherSuites& getCipherSuites() const noexcept;
 
 	constexpr bool parse(
 		std::span<const std::byte> payload, const bool isQUIC) noexcept;

process-plugin-api/process/common/utils/stringUtils.hpp

@@ -10,8 +10,7 @@ auto integerToCharPtrView = std::views::transform(
     [](const auto& value) mutable {
         static std::array<char, 100> buffer;
         auto [end, _] = std::to_chars(buffer.data(), buffer.end(), value);
-        *end = 0;
-        return buffer.data();
+        return std::string_view(buffer.data(), end);
     });
 
 constexpr static inline

process-plugin-api/process/tls/src/ja4.hpp

@@ -7,6 +7,7 @@
 
 #include <tlsParser/tlsParser.hpp>
 #include <utils/stringUtils.hpp>
+#include <utils/stringViewUtils.hpp>
 
 #include "sha256.hpp"
 #include "tlsExport.hpp"
@@ -67,7 +68,7 @@ char alpnByteToLabel(char byte, bool isHighNibble)
 }
 
 static 
-std::string_view getALPNLabel(std::span<std::string_view> alpns)
+std::string_view getALPNLabel(std::span<const std::string_view> alpns)
 {
 	std::string alpn_label;
 	if (alpns.empty() || alpns[0].empty()) {
@@ -151,46 +152,49 @@ std::string_view getTruncatedExtensionsHash(
     constexpr std::size_t MAX_STRING_LENGTH
         = 2 * MAX_EXTENSIONS * sizeof(uint16_t) + 1; 
     boost::static_string<MAX_STRING_LENGTH> finalString;
-    concatenateRangeTo(finalString, sortedExtensions | 
-        rangeToHexString, '-', '_');
+    concatenateRangeTo(sortedExtensions | 
+        rangeToHexString, finalString, '-', '_');
     concatenateRangeTo(signatureAlgorithms | 
             std::views::drop(1) |
-            rangeToHexString,
-            '-');
+            rangeToHexString, finalString, '-');
 
-	return getTruncatedHashHex(finalString);
+	return getTruncatedHashHex(toStringView(finalString));
 }
 
 class JA4 {
 public:
     constexpr
     JA4(const uint8_t l4Protocol,
-        const HandshakeHeader& handshake,
-        std::span<std::string_view> serverNames,
-        std::span<std::string_view> alpns,
+        const TLSHandshake& handshake,
+        std::span<const std::string_view> serverNames,
+        std::span<const std::string_view> alpns,
         std::span<const uint16_t> cipherSuites,
         std::span<const uint16_t> extensionTypes,
-        std::span<const uint16_t> signatureAlgorithms
+        std::span<const uint16_t> signatureAlgorithms,
+        std::span<const uint16_t> supportedVersions
     ) noexcept
     {
         // TODO USE VALUES FROM DISSECTOR
         constexpr uint8_t UDP_ID = 17;
         value.push_back(l4Protocol == UDP_ID ? 'q' : 't');
 
-        value.push_back(getVersionLabel(supportedVersions, handshake));
+        std::string_view versionLabel = getVersionLabel(supportedVersions, handshake);
+        value.append(versionLabel.begin(), versionLabel.end());
 
         value.push_back(serverNames.empty() ? 'i' : 'd');
 
         value.push_back(std::min(cipherSuites.size(), 99UL));
 
         value.push_back(std::min(extensionTypes.size(), 99UL));
 
-        value.push_back(getALPNLabel(alpns));
+        std::string_view alpnLabel = getALPNLabel(alpns);
+        value.append(alpnLabel.begin(), alpnLabel.end());
 
-        value.push_back(getTruncatedCipherHash(cipherSuites));
+        std::string_view cipherHash = getTruncatedCipherHash(cipherSuites);
+        value.append(cipherHash.begin(), cipherHash.end());
 
-        value.push_back(
-            getTruncatedExtensionsHash(extensionTypes, signatureAlgorithms));
+        std::string_view extensionsHash = getTruncatedExtensionsHash(extensionTypes, signatureAlgorithms);
+        value.append(extensionsHash.begin(), extensionsHash.end());
     }
 
     std::string_view getView() const noexcept

process-plugin-api/process/tls/src/tls.cpp

@@ -18,6 +18,7 @@
 #include <functional>
 #include <iostream>
 #include <numeric>
+#include <bit>
 
 #include <pluginManifest.hpp>
 #include <pluginRegistrar.hpp>
@@ -26,6 +27,7 @@
 #include <fieldManager.hpp>
 #include <utils.hpp>
 #include <utils/stringUtils.hpp>
+#include <utils/spanUtils.hpp>
 
 #include "ja3.hpp"
 #include "ja4.hpp"
@@ -102,12 +104,11 @@ bool TLSPlugin::parseClientHelloExtensions(TLSParser& parser) noexcept
 		switch (extension.type)
 		{
 		case TLSExtensionType::SERVER_NAME: {
-			const std::optional<TLSParser::ServerNames> serverNames 
-				= parser.parseServerNames(extension.payload);
-			if (!serverNames.has_value()) {
+			m_serverNames = parser.parseServerNames(extension.payload);
+			if (!m_serverNames.has_value()) {
 				return false;
 			}
-			concatenateRangeTo(*serverNames, m_exportData.serverNames, 0);
+			concatenateRangeTo(*m_serverNames, m_exportData.serverNames, 0);
 			break;
 		}
 		case TLSExtensionType::SUPPORTED_GROUPS: { 
@@ -184,33 +185,42 @@ bool TLSPlugin::parseServerHelloExtensions(TLSParser& parser) noexcept
 	});
 }
 
-constexpr
-void TLSPlugin::saveJA3() noexcept
+void TLSPlugin::saveJA3(const TLSParser& parser) noexcept
 {
-	JA3 ja3(parser.get_handshake()->version.version,
-		toSpan(parser.get_cipher_suits()),
-		toSpan(m_exportData.extensionTypes),
-		toSpan(m_exportData.extensionLengths),
-		toSpan(m_supportedGroups),
-		toSpan(m_pointFormats)
+	if (!parser.cipherSuites.has_value()
+		|| !m_supportedGroups.has_value()
+		|| !m_pointFormats.has_value()) {
+		return;
+	}
+
+	JA3 ja3(std::bit_cast<uint16_t>(parser.handshake->version),
+		toSpan<const uint16_t>(*parser.cipherSuites),
+		toSpan<const uint16_t>(m_exportData.extensionTypes),
+		toSpan<const uint16_t>(*m_supportedGroups),
+		toSpan<const uint8_t>(*m_pointFormats)
 	);
 
 	std::ranges::copy(ja3.getHash(), m_exportData.ja3.begin());
 }
 
-constexpr
-bool TLSPlugin::saveJA4(const uint8_t l4Protocol) noexcept
+void TLSPlugin::saveJA4(const TLSParser& parser, const uint8_t l4Protocol) noexcept
 {
-	if (!m_alpns.has_value() || !m_signatureAlgorithms.has_value()) {
-		return false;
+	if (!m_alpns.has_value() 
+		|| !m_signatureAlgorithms.has_value()
+		|| !parser.cipherSuites.has_value()
+		|| !m_serverNames.has_value()
+		|| !m_supportedVersions.has_value()) {
+		return;
 	}
 
-	JA4 ja4(parser.get_handshake(),
-		toSpan(parser.getServerNames()),
-		toSpan(*m_alpns),
-		toSpan(parser.getCipherSuites()),
-		toSpan(m_exportData.extensionTypes),
-		toSpan(*m_signatureAlgorithms)
+	JA4 ja4(l4Protocol,
+		*parser.handshake,
+		toSpan<const std::string_view>(*m_serverNames),
+		toSpan<const std::string_view>(*m_alpns),
+		toSpan<const uint16_t>(*parser.cipherSuites),
+		toSpan<const uint16_t>(m_exportData.extensionTypes),
+		toSpan<const uint16_t>(*m_signatureAlgorithms),
+		toSpan<const uint16_t>(*m_supportedVersions)
 	);
 
 	std::ranges::copy(ja4.getView(), m_exportData.ja4.begin());
@@ -225,7 +235,7 @@ bool TLSPlugin::parseTLS(
 		return false;
 	}
 
-	if (parser.isClienthello()) {
+	if (parser.isClientHello()) {
 		if (m_clientHelloParsed) {
 			return true;
 		}
@@ -234,10 +244,9 @@ bool TLSPlugin::parseTLS(
 			return false;
 		}
 
-		m_exportData.version = *reinterpret_cast<const uint16_t*>(
-			parser.getHandshake()->version);
-		saveJA3();
-		saveJA4();
+		m_exportData.version = std::bit_cast<uint16_t>(parser.handshake->version);
+		saveJA3(parser);
+		saveJA4(parser, l4Protocol);
 
 		m_clientHelloParsed = true;
 

process-plugin-api/process/tls/src/tls.hpp

@@ -53,8 +53,8 @@ class TLSPlugin : public ProcessPlugin {
 private:
 	constexpr bool parseTLS(
 	std::span<const std::byte> payload, const uint8_t l4Protocol) noexcept;
-	constexpr void saveJA3() noexcept;
-	constexpr void saveJA4() noexcept;
+	void saveJA3(const TLSParser& parser) noexcept;
+	void saveJA4(const TLSParser& parser, const uint8_t l4Protocol) noexcept;
 	bool parseClientHelloExtensions(TLSParser& parser) noexcept;
 	bool parseServerHelloExtensions(TLSParser& parser) noexcept;
 
@@ -66,6 +66,7 @@ class TLSPlugin : public ProcessPlugin {
 	std::optional<TLSParser::SupportedVersions> m_supportedVersions;
 	std::optional<TLSParser::SupportedGroups> m_supportedGroups;
 	std::optional<TLSParser::SignatureAlgorithms> m_signatureAlgorithms;
+	std::optional<TLSParser::ServerNames> m_serverNames;
 	bool m_clientHelloParsed{false};
 	bool m_serverHelloParsed{false};
 

process-plugin-api/process/tls/src/tls.o

@@ -76,7 +76,7 @@ ProcessPlugin* VLANPlugin::clone(std::byte* constructAtAddress) const
 }
 
 std::string VLANPlugin::getName() const { 
-	return packetStatsPluginManifest.name; 
+	return vlanPluginManifest.name; 
 }
 
 const void* VLANPlugin::getExportData() const noexcept {