PcapPlusPlus
22.11
|
#include <SSLHandshake.h>
Classes | |
struct | ServerHelloTLSFingerprint |
Public Member Functions | |
SSLServerHelloMessage (uint8_t *data, size_t dataLen, SSLHandshakeLayer *container) | |
ssl_tls_client_server_hello * | getServerHelloHeader () const |
SSLVersion | getHandshakeVersion () const |
uint8_t | getSessionIDLength () const |
uint8_t * | getSessionID () const |
SSLCipherSuite * | getCipherSuite () const |
uint16_t | getCipherSuiteID (bool &isValid) const |
uint8_t | getCompressionMethodsValue () const |
int | getExtensionCount () const |
uint16_t | getExtensionsLenth () const |
uint16_t | getExtensionsLength () const |
SSLExtension * | getExtension (int index) const |
SSLExtension * | getExtensionOfType (uint16_t type) const |
SSLExtension * | getExtensionOfType (SSLExtensionType type) const |
template<class TExtension > | |
TExtension * | getExtensionOfType () const |
ServerHelloTLSFingerprint | generateTLSFingerprint () const |
std::string | toString () const |
Additional Inherited Members |
Represents SSL/TLS server-hello message (type 2). Inherits from SSLHandshakeMessage and adds parsing of all fields of this message including the message extensions, cipher-suite, etc.
pcpp::SSLServerHelloMessage::SSLServerHelloMessage | ( | uint8_t * | data, |
size_t | dataLen, | ||
SSLHandshakeLayer * | container | ||
) |
C'tor for this class. Currently only in use in SSLHandshakeMessage::createHandshakeMessage() and shouldn't be used by a user
[in] | data | The message as raw data |
[in] | dataLen | Message raw data length in bytes |
[in] | container | The SSL handshake layer which shall contain this message |
ServerHelloTLSFingerprint pcpp::SSLServerHelloMessage::generateTLSFingerprint | ( | ) | const |
ServerHello TLS fingerprinting is a way to fingerprint TLS Server Hello messages. In conjunction with ClientHello TLS fingerprinting it can assist in identifying specific client-server communication (for example: a malware connecting to its backend server). ServerHello TLS fingerprinting was introduced in Salesforce's JA3S open source project: https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 This implementation is a C++ version of Salesforce's JAS3 (originally written in Python and Zeek)
SSLCipherSuite* pcpp::SSLServerHelloMessage::getCipherSuite | ( | ) | const |
uint16_t pcpp::SSLServerHelloMessage::getCipherSuiteID | ( | bool & | isValid | ) | const |
Get the cipher-suite ID. This method just parses the ID from the server-hello message and returns it. To get more information on the cipher-suite you can use the getCipherSuite() method
[out] | isValid | Set to "true" if parsing succeeded and the return value is valid or "false" otherwise. If the value is "false" the return value can be ignored |
uint8_t pcpp::SSLServerHelloMessage::getCompressionMethodsValue | ( | ) | const |
SSLExtension* pcpp::SSLServerHelloMessage::getExtension | ( | int | index | ) | const |
Get a pointer to an extension by index. The extensions are numbered according to their order of appearance in the message. If index is out of bounds (less than 0 or larger than total amount of extensions) NULL will be returned
[in] | index | The index of the extension to return |
int pcpp::SSLServerHelloMessage::getExtensionCount | ( | ) | const |
SSLExtension* pcpp::SSLServerHelloMessage::getExtensionOfType | ( | uint16_t | type | ) | const |
Get a pointer to an extension by numeric type field. Every extension has a 2-byte numeric value representing its type (for example: renegotiation info extension type is 0x1ff). This method gets the type and returns a pointer to the extension object
[in] | type | The 2-byte numeric type of the extension |
SSLExtension* pcpp::SSLServerHelloMessage::getExtensionOfType | ( | SSLExtensionType | type | ) | const |
Get a pointer to an extension by its enum type
[in] | type | The type of extension to return |
TExtension * pcpp::SSLServerHelloMessage::getExtensionOfType | ( | ) | const |
Get a pointer to an extension by its class type. This is a templated method that is used with the type of the requested extension and returns the first extension instance of this type
uint16_t pcpp::SSLServerHelloMessage::getExtensionsLength | ( | ) | const |
|
inline |
SSLVersion pcpp::SSLServerHelloMessage::getHandshakeVersion | ( | ) | const |
NOTE: for TLS 1.3 the handshake version written in ssl_tls_client_server_hello::handshakeVersion is still TLS 1.2, so a special check is made here see if a SupportedVersions extension exists and if so extract the version from it. This is the most straight-forward way to detect TLS 1.3.
|
inline |
uint8_t* pcpp::SSLServerHelloMessage::getSessionID | ( | ) | const |
uint8_t pcpp::SSLServerHelloMessage::getSessionIDLength | ( | ) | const |
|
virtual |
Implements pcpp::SSLHandshakeMessage.