/// <summary>
/// Copies the fields of a parsed TLS ServerHello message into the conversation model.
/// </summary>
/// <param name="serverHello">Parsed ServerHello handshake message.</param>
/// <param name="packetContext">Context of the packet that carried the message; not read by this method.</param>
/// <remarks>
/// Every value stored here is taken from the captured handshake as-is. The session id and
/// server random are stored as the strings produced by <c>ByteString.ByteArrayToString</c>.
/// </remarks>
public void SetServerHello(TlsPacket.TlsServerHello serverHello, TlsPacketContext packetContext)
{
    // Protocol version chosen by the server, resolved from the major/minor pair.
    var protocolVersion = TlsSecurityParameters.GetSslProtocolVersion(
        serverHello.Version.Major,
        serverHello.Version.Minor);
    m_conversationModel.Version = protocolVersion.ToString();

    var sessionIdBytes = serverHello.SessionId.Sid;
    m_conversationModel.SessionId = ByteString.ByteArrayToString(sessionIdBytes);

    var serverRandomBytes = serverHello.Random.RandomBytes;
    m_conversationModel.ServerRandom = ByteString.ByteArrayToString(serverRandomBytes);

    // NOTE(review): if TlsCipherSuite is an enum, an id without a named member is rendered
    // as its numeric value rather than rejected - confirm that consumers of the model expect this.
    var selectedSuite = (TlsCipherSuite)serverHello.CipherSuite.CipherId;
    m_conversationModel.ServerCipherSuite = $"{selectedSuite}";

    m_conversationModel.ServerExtensions = GetExtensions(serverHello.Extensions);
}
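/// <summary>
/// Entry point. Usage: <c>extract &lt;capture-file&gt;</c>.
/// Reads the capture, groups its packets into TCP conversations, builds a TLS conversation
/// model for each one and writes the collected models to a CSV file next to the capture
/// (same path, <c>csv</c> extension).
/// </summary>
/// <param name="args">Command name followed by the path of the capture file.</param>
/// <remarks>
/// If a file with the capture's path and the <c>key</c> extension exists, it is loaded as a map
/// of master secrets looked up by client random. That file carries session master secrets;
/// together with the capture it is sufficient to decrypt the recorded sessions, so it needs the
/// same handling as the plaintext itself.
/// </remarks>
static void Main(string[] args)
{
    // "extract" is the only command handled here. Anything else, including a wrong argument
    // count, prints the usage text instead of exiting silently. The command name is an
    // identifier, so it is compared ordinally rather than with culture rules.
    if (args.Length != 2 || !String.Equals("extract", args[0], StringComparison.OrdinalIgnoreCase))
    {
        PrintUsage();
        return;
    }

    var filepath = args[1];
    var modelContext = TlsConversationContext.CreateInMemory();
    var frameKeyProvider = new FrameKeyProvider();

    // Optional key material: <capture>.key next to the capture file.
    var keyFile = Path.ChangeExtension(filepath, "key");
    var secretMap = File.Exists(keyFile)
        ? TlsMasterSecretMap.LoadFromFile(keyFile)
        : new TlsMasterSecretMap();

    // Number the packets from 1 and pair each one with the flow key used for grouping.
    var packets = FastPcapFileReaderDevice.ReadAll(filepath)
        .Select((p, i) => (
            Key: frameKeyProvider.GetKey(p),
            Value: (Meta: new PacketMeta { Number = i + 1, Timestamp = p.Timestamp }, Packet: p)));
    var flows = from packet in packets group packet by packet.Key;
    var conversations = TcpStreamConversation.CreateConversations(
        flows.ToDictionary(x => x.Key, x => x.Select(y => y.Value)));

    foreach (var conversation in conversations)
    {
        var modelBuilder = new TlsConversationModelBuilder(modelContext);
        var decoderBuilder = new TlsDecoderBuilder();
        var processor = new TlsSessionProcessor(modelBuilder, decoderBuilder);
        processor.ProcessConversation(conversation);

        // The returned model is not used here; the call is kept because it may be what
        // registers the model with the context before SaveChanges - TODO confirm.
        modelBuilder.ToModel();
        modelContext.SaveChanges();

        var tlsDecoder = decoderBuilder.ToDecoder();

        // Decryption is attempted only when the key file has an entry for this client random.
        var masterSecret = secretMap.GetMasterSecret(ByteString.ByteArrayToString(tlsDecoder.ClientRandom));
        if (masterSecret != null)
        {
            // NOTE(review): the secret comes straight from the key file; no format or length
            // validation is visible here - confirm that StringToByteArray / InitializeKeyBlock
            // reject malformed input.
            tlsDecoder.MasterSecret = ByteString.StringToByteArray(masterSecret);
            var tlsSecurityParameters = TlsSecurityParameters.Create(
                tlsDecoder.ProtocolVersion,
                tlsDecoder.CipherSuite.ToString(),
                tlsDecoder.Compression);
            tlsDecoder.InitializeKeyBlock(tlsSecurityParameters);

            // USE TLS DECODER
            // Presumably emits the decrypted application data of both directions; treat
            // whatever it produces as sensitive - verify against DumpConversationContent.
            DumpConversationContent(tlsDecoder, conversation, processor.ClientDataRecords, processor.ServerDataRecords);
        }
    }

    CsvFeatureWriter.WriteCsv(Path.ChangeExtension(filepath, "csv"), modelContext);
}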
/// <summary>
/// Copies the fields of a parsed TLS ClientHello message into the conversation model and
/// stamps the model with the time of the carrying packet.
/// </summary>
/// <param name="clientHello">Parsed ClientHello handshake message.</param>
/// <param name="packetContext">Context of the packet that carried the message; supplies the timestamp.</param>
public void SetClientHello(TlsPacket.TlsClientHello clientHello, TlsPacketContext packetContext)
{
    m_conversationModel.SessionId = ByteString.ByteArrayToString(clientHello.SessionId.Sid);
    m_conversationModel.ClientRandom = ByteString.ByteArrayToString(clientHello.Random.RandomBytes);

    // Offered suites are stored as one bracketed, comma-separated list of names, in the
    // order the client sent them.
    var offeredSuiteNames = clientHello.CipherSuites.Items.Select(id => ((TlsCipherSuite)id).ToString());
    m_conversationModel.ClientCipherSuites = $"[{String.Join(',', offeredSuiteNames)}]";

    m_conversationModel.ClientExtensions = GetExtensions(clientHello.Extensions);

    // The packet timestamp is interpreted as milliseconds since the Unix epoch.
    var captureTimeMs = packetContext.Metadata.Timestamp;
    m_conversationModel.Timestamp = DateTimeOffset.FromUnixTimeMilliseconds(captureTimeMs);
}
/// <summary>
/// Tests the PRF implementation (see https://www.ietf.org/mail-archive/web/tls/current/msg03416.html).
/// </summary>
/// <remarks>
/// Requests 100 bytes of PRF output for a fixed secret, label and seed, and compares only the
/// first 8 bytes with the expected value; the remaining output is not checked.
/// </remarks>
/// <exception cref="InvalidOperationException">The PRF output does not start with the expected prefix.</exception>
public static void Test100()
{
    const string Label = "test label";
    const int OutputLength = 100;

    var secretHex = "9b be 43 6b a9 40 f0 17 b1 76 52 84 9a 71 db 35".Replace(" ", "");
    var seedHex = "a0 ba 9f 93 6c da 31 18 27 a6 f7 96 ff d5 19 8c".Replace(" ", "");
    var expectedPrefixHex = ("e3 f2 29 ba 72 7b e1 7b").Replace(" ", "");

    var prf = new ShaPrfAlgorithm();
    var secretBytes = ByteString.StringToByteArray(secretHex);
    var seedBytes = ByteString.StringToByteArray(seedHex);
    var prfOutput = prf.GetSecretBytes(secretBytes, Label, seedBytes, OutputLength);

    // The comparison is case-sensitive, so it relies on ByteArrayToString producing
    // lower-case hex - presumably it does; confirm against ByteString.
    var prfOutputHex = ByteString.ByteArrayToString(prfOutput);
    if (prfOutputHex.StartsWith(expectedPrefixHex, StringComparison.InvariantCulture))
    {
        return;
    }

    throw new InvalidOperationException("Something is wrong with PRF algorithm!");
}