More stuff and things and stuff

Author: LeeBrotherston

constants.go

@@ -2,7 +2,7 @@ package dactyloscopy
 
 const (
 	// Configuration Constants
-	minPacketLength = 47
+	minPacketLength = 45 // Theoretical minimum size of smallest TLS header (TLSv1.0)
 
 	// TLS Extension types
 	ExtServerName          uint16 = 0x0000

example/example.go

@@ -29,49 +29,43 @@ import (
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/ip4defrag"
 	"github.com/google/gopacket/layers"
-	"github.com/google/gopacket/pcap"
+	"github.com/google/gopacket/pcapgo"
 	"github.com/google/gopacket/tcpassembly"
 	"github.com/google/gopacket/tcpassembly/tcpreader"
 )
 
 func doSniff(device string, file string) error {
 	var (
-		handle *pcap.Handle
+		handle gopacket.PacketDataSource
 		err    error
 	)
 	if len(file) > 0 {
 		pcapFile, err := os.Open(file)
 		if err != nil {
 			return err
 		}
-		handle, err = pcap.OpenOfflineFile(pcapFile)
+		r, err := pcapgo.NewReader(pcapFile)
 		if err != nil {
 			return err
 		}
+		handle = r
 	} else if len(device) > 0 {
-		// Open device
-		// the 0 and true refer to snaplen and promisc mode.  For now we always want these.
-		handle, err = pcap.OpenLive(device, 0, true, pcap.BlockForever)
-		if err != nil {
-			return err
-		}
+		return fmt.Errorf("live capture not supported in Go-native mode; use a pcap file")
 	} else {
 		return fmt.Errorf("need a file or interface")
 	}
-	// Yes yes, I know... But offsetting this to the kernel *drastically* reduces processing time
-	//err = handle.SetBPFFilter("((tcp[tcp[12]/16*4]=22 and (tcp[tcp[12]/16*4+5]=1) and (tcp[tcp[12]/16*4+9]=3) and (tcp[tcp[12]/16*4+1]=3)) or (ip6[(ip6[52]/16*4)+40]=22 and (ip6[(ip6[52]/16*4+5)+40]=1) and (ip6[(ip6[52]/16*4+9)+40]=3) and (ip6[(ip6[52]/16*4+1)+40]=3)) or ((udp[14] = 6 and udp[16] = 32 and udp[17] = 1) and ((udp[(udp[60]/16*4)+48]=22) and (udp[(udp[60]/16*4)+53]=1) and (udp[(udp[60]/16*4)+57]=3) and (udp[(udp[60]/16*4)+49]=3))) or (proto 41 and ip[26] = 6 and ip[(ip[72]/16*4)+60]=22 and (ip[(ip[72]/16*4+5)+60]=1) and (ip[(ip[72]/16*4+9)+60]=3) and (ip[(ip[72]/16*4+1)+60]=3))) or (ip[6:2] & 0x1fff != 0)")
-	//if err != nil {
-	//	return err
-	//}
-	defer handle.Close()
+	defer func() {
+		if c, ok := handle.(interface{ Close() error }); ok {
+			c.Close()
+		}
+	}()
 
 	ip4defragger := ip4defrag.NewIPv4Defragmenter()
 	streamFactory := &tlsStreamFactory{}
 	streamPool := tcpassembly.NewStreamPool(streamFactory)
 	assembler := tcpassembly.NewAssembler(streamPool)
 
-	// Use the handle as a packet source to process all packets
-	packetSource := gopacket.NewPacketSource(handle, handle.LinkType())
+	packetSource := gopacket.NewPacketSource(handle, layers.LinkTypeEthernet)
 
 	for packet := range packetSource.Packets() {
 		// IP defragmentation

example/go.mod

@@ -12,6 +12,7 @@ require (
 )
 
 require (
-	golang.org/x/crypto v0.38.0 // indirect
+	golang.org/x/crypto v0.39.0 // indirect
+	golang.org/x/net v0.21.0 // indirect
 	golang.org/x/sys v0.33.0 // indirect
 )

example/go.sum

@@ -1,9 +1,15 @@
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
-golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
+golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
+golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -18,3 +24,5 @@ golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

extensions.go

@@ -80,8 +80,7 @@ func (f *Fingerprint) handleExtension(extensionType uint16, extContent cryptobyt
 		f.Extensions = append(f.Extensions, extensionType)
 
 	case ExtALPN:
-		// ALPN (Application-Layer Protocol Negotiation) handling
-		f.ALPNProtocols = nil // Always initialize to avoid stale data
+		// ALPN (Application-Layer Protocol Negotiation)
 		var alpnList cryptobyte.String
 		if !extContent.ReadUint16LengthPrefixed(&alpnList) {
 			return fmt.Errorf("could not read ALPN protocol list")
@@ -95,6 +94,66 @@ func (f *Fingerprint) handleExtension(extensionType uint16, extContent cryptobyt
 		}
 		f.Extensions = append(f.Extensions, extensionType)
 
+	// KeyShare (0x0033)
+	case 0x0033:
+		// TLS 1.3 KeyShare extension
+		var keyShareList cryptobyte.String
+		if !extContent.ReadUint16LengthPrefixed(&keyShareList) {
+			return fmt.Errorf("could not read key share list")
+		}
+		for !keyShareList.Empty() {
+			var group uint16
+			if !keyShareList.ReadUint16(&group) {
+				return fmt.Errorf("could not read key share group")
+			}
+			// Skip key_exchange length and value
+			var keyEx cryptobyte.String
+			if !keyShareList.ReadUint16LengthPrefixed(&keyEx) {
+				return fmt.Errorf("could not read key exchange value")
+			}
+			f.KeyShareGroups = append(f.KeyShareGroups, group)
+		}
+		f.Extensions = append(f.Extensions, extensionType)
+
+	// PSK Key Exchange Modes (0x002d)
+	case 0x002d:
+		var modes cryptobyte.String
+		if !extContent.ReadUint8LengthPrefixed(&modes) {
+			return fmt.Errorf("could not read PSK key exchange modes")
+		}
+		for !modes.Empty() {
+			var mode uint8
+			if !modes.ReadUint8(&mode) {
+				return fmt.Errorf("could not read PSK key exchange mode")
+			}
+			f.PSKKeyExchangeModes = append(f.PSKKeyExchangeModes, mode)
+		}
+		f.Extensions = append(f.Extensions, extensionType)
+
+	// Cookie (0x002c)
+	case 0x002c:
+		var cookie cryptobyte.String
+		if !extContent.ReadUint16LengthPrefixed(&cookie) {
+			return fmt.Errorf("could not read cookie value")
+		}
+		f.Cookie = string(cookie)
+		f.Extensions = append(f.Extensions, extensionType)
+
+	// Renegotiation Info (0xff01)
+	case 0xff01:
+		var reneg cryptobyte.String
+		if !extContent.ReadUint8LengthPrefixed(&reneg) {
+			return fmt.Errorf("could not read renegotiation info")
+		}
+		f.RenegotiationInfo = string(reneg)
+		f.Extensions = append(f.Extensions, extensionType)
+
+	// SessionTicket (0x0023)
+	case 0x0023:
+		// SessionTicket is just a length-prefixed blob
+		f.SessionTicketLen = len(extContent)
+		f.Extensions = append(f.Extensions, extensionType)
+
 	default:
 		// Append this list first as there are 0-length extensions
 		f.Extensions = append(f.Extensions, extensionType)

fingerprint_pub_test.go

@@ -0,0 +1,145 @@
+package dactyloscopy_test
+
+import (
+	"os"
+	"testing"
+
+	"github.com/LeeBrotherston/dactyloscopy"
+	"github.com/google/gopacket"
+	"github.com/google/gopacket/pcapgo"
+)
+
+func TestProcessClientHello(t *testing.T) {
+	tests := []struct {
+		name    string
+		input   []byte
+		wantJA3 string
+		wantErr bool
+	}{
+		{
+			name:    "Empty input",
+			input:   []byte{},
+			wantErr: true,
+		},
+		// Add more test cases here
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			fp := &dactyloscopy.Fingerprint{}
+			err := fp.ProcessClientHello(tt.input)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("ProcessClientHello() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if !tt.wantErr && fp.JA3 != tt.wantJA3 {
+				t.Errorf("JA3 = %v, want %v", fp.JA3, tt.wantJA3)
+			}
+		})
+	}
+}
+
+func TestFingerprint_Validate(t *testing.T) {
+	tests := []struct {
+		name    string
+		fp      *dactyloscopy.Fingerprint
+		wantErr bool
+	}{
+		{
+			name: "Valid fingerprint",
+			fp: &dactyloscopy.Fingerprint{
+				MessageType: dactyloscopy.HandshakeType,
+				TLSVersion:  dactyloscopy.VersionTLS12,
+				Ciphersuite: []uint16{0x1301, 0x1302},
+				Extensions:  []uint16{dactyloscopy.ExtServerName},
+			},
+			wantErr: false,
+		},
+		{
+			name: "Invalid message type",
+			fp: &dactyloscopy.Fingerprint{
+				MessageType: 0,
+			},
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.fp.Validate()
+			if (err != nil) != tt.wantErr {
+				t.Errorf("Validate() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
+
+func TestSamplePcaps(t *testing.T) {
+	counter := 1
+	for _, file := range []string{"thing2.pcapng"} {
+		pcapFile, err := os.Open(file)
+		if err != nil {
+			t.Fatal(err)
+		}
+		r, err := pcapgo.NewNgReader(pcapFile, pcapgo.DefaultNgReaderOptions)
+		if err != nil {
+			t.Fatal(err)
+		}
+		defer pcapFile.Close()
+
+		packetSource := gopacket.NewPacketSource(r, r.LinkType())
+		for packet := range packetSource.Packets() {
+			if err := dactyloscopy.IsClientHello(packet.ApplicationLayer().Payload()); err != nil {
+				continue
+			}
+			t.Logf("processing client hello %d", counter)
+			counter++
+
+			payload := packet.ApplicationLayer()
+			if payload != nil {
+				processHello(t, payload.Payload())
+			}
+		}
+	}
+}
+
+func processHello(t *testing.T, data []byte) {
+	t.Helper()
+
+	fp := &dactyloscopy.Fingerprint{}
+	err := fp.ProcessClientHello(data)
+	if err != nil {
+		t.Logf("Oh no, error: %v", err)
+		t.FailNow()
+	}
+	t.Logf("parsed it: %+v", fp)
+}
+
+func FuzzProcessClientHello(f *testing.F) {
+	// Add initial corpus using known valid inputs
+	for _, file := range []string{"thing2.pcapng"} {
+		pcapFile, err := os.Open(file)
+		if err != nil {
+			f.Fatal(err)
+		}
+		r, err := pcapgo.NewNgReader(pcapFile, pcapgo.DefaultNgReaderOptions)
+		if err != nil {
+			f.Fatal(err)
+		}
+		defer pcapFile.Close()
+
+		packetSource := gopacket.NewPacketSource(r, r.LinkType())
+		for packet := range packetSource.Packets() {
+			payload := packet.ApplicationLayer()
+			if payload != nil {
+				f.Add(payload.Payload())
+			}
+		}
+	}
+
+	f.Fuzz(func(t *testing.T, data []byte) {
+		fp := &dactyloscopy.Fingerprint{}
+		// We only care that this doesn't panic, in this context errors are graceful handling
+		_ = fp.ProcessClientHello(data)
+	})
+}