Support of extracting TLS version from handshake extension

Author: lukacan

pcaps/tls_ver_ext.pcapng

@@ -121,7 +121,11 @@ bool TLSPlugin::obtain_tls_data(TLSData &payload, RecordExtTLS *rec, std::string
       } else if (hs_type == TLS_HANDSHAKE_SERVER_HELLO) {
          if (type == TLS_EXT_ALPN) {
             tls_parser.tls_get_alpn(payload, rec->alpn, BUFF_SIZE);
-            return true;
+            // not sure, but probably don`t return yet, as 
+            // this is not only field we want to parse
+            //return true;
+         } else if (type == TLS_EXT_SUPPORTED_VER){
+            tls_parser.tls_get_supp_ver(payload, rec->version);
          }
       }
       payload.start += length;
@@ -159,7 +163,7 @@ bool TLSPlugin::parse_tls(const uint8_t *data, uint16_t payload_len, RecordExtTL
    }
    tls_handshake tls_hs = tls_parser.tls_get_handshake();
 
-   rec->version = ((uint16_t) tls_hs.version.major << 8) | tls_hs.version.minor;
+   rec->version = (rec->version == 0)?(((uint16_t) tls_hs.version.major << 8) | tls_hs.version.minor) : rec->version;
    ja3 += std::to_string((uint16_t) tls_hs.version.version) + ',';
 
    if (!tls_parser.tls_skip_random(payload)) {

process/tls.cpp

@@ -144,6 +144,7 @@ struct RecordExtTLS : public RecordExt {
 #define TLS_EXT_ECLIPTIC_CURVES  10 // AKA supported_groups
 #define TLS_EXT_EC_POINT_FORMATS 11
 #define TLS_EXT_ALPN             16
+#define TLS_EXT_SUPPORTED_VER    43
 
 
 /**

process/tls.hpp

@@ -126,6 +126,13 @@ void TLSParser::tls_get_server_name(TLSData &data, char *buffer, size_t buffer_s
    return;
 }
 
+void TLSParser::tls_get_supp_ver(TLSData &data, uint16_t &version)
+{
+   tls_version* ext_ver = (tls_version *) data.start;
+   version = ((uint16_t) ext_ver->major << 8) | ext_ver->minor;
+   return;
+}
+
 void TLSParser::tls_get_alpn(TLSData &data, char *buffer, size_t buffer_size)
 {
    uint16_t list_len       = ntohs(*(uint16_t *) data.start);

process/tls_parser.cpp

@@ -86,6 +86,7 @@ class TLSParser
    bool tls_check_rec(TLSData&);
    void tls_get_server_name(TLSData &, char *, size_t);
    void tls_get_alpn(TLSData &, char *, size_t);
+   void tls_get_supp_ver(TLSData &, uint16_t &);
 
    void tls_get_quic_user_agent(TLSData &, char *, size_t);
    bool tls_check_handshake(TLSData&);