pcpp::SSLServerHelloMessage Class Reference

#include <SSLHandshake.h>

Inheritance diagram for pcpp::SSLServerHelloMessage:

Classes
struct	ServerHelloTLSFingerprint

Public Member Functions
	SSLServerHelloMessage (uint8_t *data, size_t dataLen, SSLHandshakeLayer *container)
ssl_tls_client_server_hello *	getServerHelloHeader () const
SSLVersion	getHandshakeVersion () const
uint8_t	getSessionIDLength () const
uint8_t *	getSessionID () const
SSLCipherSuite *	getCipherSuite () const
uint16_t	getCipherSuiteID (bool &isValid) const
uint8_t	getCompressionMethodsValue () const
int	getExtensionCount () const
uint16_t	getExtensionsLenth () const
uint16_t	getExtensionsLength () const
SSLExtension *	getExtension (int index) const
SSLExtension *	getExtensionOfType (uint16_t type) const
SSLExtension *	getExtensionOfType (SSLExtensionType type) const
template<class TExtension >
TExtension *	getExtensionOfType () const
ServerHelloTLSFingerprint	generateTLSFingerprint () const
std::string	toString () const
Public Member Functions inherited from pcpp::SSLHandshakeMessage
virtual SSLHandshakeType	getHandshakeType () const
virtual size_t	getMessageLength () const
virtual bool	isMessageComplete () const
SSLHandshakeLayer *	getContainingLayer () const

Additional Inherited Members
Static Public Member Functions inherited from pcpp::SSLHandshakeMessage
static SSLHandshakeMessage *	createHandhakeMessage (uint8_t *data, size_t dataLen, SSLHandshakeLayer *container)
static SSLHandshakeMessage *	createHandshakeMessage (uint8_t *data, size_t dataLen, SSLHandshakeLayer *container)

Detailed Description

Represents SSL/TLS server-hello message (type 2). Inherits from SSLHandshakeMessage and adds parsing of all fields of this message including the message extensions, cipher-suite, etc.

Constructor & Destructor Documentation

SSLServerHelloMessage()

pcpp::SSLServerHelloMessage::SSLServerHelloMessage	(	uint8_t *	data,
		size_t	dataLen,
		SSLHandshakeLayer *	container
	)

C'tor for this class. Currently only in use in SSLHandshakeMessage::createHandshakeMessage() and shouldn't be used by a user

Parameters

[in]	data	The message as raw data
[in]	dataLen	Message raw data length in bytes
[in]	container	The SSL handshake layer which shall contain this message

Member Function Documentation

generateTLSFingerprint()

ServerHelloTLSFingerprint pcpp::SSLServerHelloMessage::generateTLSFingerprint

(

)

const

ServerHello TLS fingerprinting is a way to fingerprint TLS Server Hello messages. In conjunction with ClientHello TLS fingerprinting it can assist in identifying specific client-server communication (for example: a malware connecting to its backend server). ServerHello TLS fingerprinting was introduced in Salesforce's JA3S open source project: https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 This implementation is a C++ version of Salesforce's JAS3 (originally written in Python and Zeek)

Returns

A SSLServerHelloMessage::ServerHelloTLSFingerprint struct that contains all the elements needed for creating a TLS fingerprint out of this Server Hello message. This struct has also methods to extract the TLS fingerprint itself in a string or MD5 formats

getCipherSuite()

SSLCipherSuite* pcpp::SSLServerHelloMessage::getCipherSuite

(

)

const

Returns

A pointer to the cipher suite encapsulated in this message (server-hello message contains one cipher-suite, the one that will be used to for encryption between client and server). May return NULL if the parsing of the message failed or the cipher-suite ID is unknown. If you still want to get the cipher-suite ID you can use the getCipherSuiteID() method

getCipherSuiteID()

uint16_t pcpp::SSLServerHelloMessage::getCipherSuiteID

(

bool &

isValid

)

const

Get the cipher-suite ID. This method just parses the ID from the server-hello message and returns it. To get more information on the cipher-suite you can use the getCipherSuite() method

Parameters

[out]

isValid

Set to "true" if parsing succeeded and the return value is valid or "false" otherwise. If the value is "false" the return value can be ignored

Returns

The cipher-suite ID if "isValid" is set to "true". If "isValid" is set to "false" the return value can be ignored

getCompressionMethodsValue()

uint8_t pcpp::SSLServerHelloMessage::getCompressionMethodsValue

(

)

const

Returns

The value of the compression method byte

getExtension()

SSLExtension* pcpp::SSLServerHelloMessage::getExtension

(

int

index

)

const

Get a pointer to an extension by index. The extensions are numbered according to their order of appearance in the message. If index is out of bounds (less than 0 or larger than total amount of extensions) NULL will be returned

Parameters

[in]

index

The index of the extension to return

Returns

The pointer to the extension or NULL if index is out of bounds

getExtensionCount()

int pcpp::SSLServerHelloMessage::getExtensionCount

(

)

const

Returns

The number of extensions in this message

getExtensionOfType() [1/3]

SSLExtension* pcpp::SSLServerHelloMessage::getExtensionOfType

(

uint16_t

type

)

const

Get a pointer to an extension by numeric type field. Every extension has a 2-byte numeric value representing its type (for example: renegotiation info extension type is 0x1ff). This method gets the type and returns a pointer to the extension object

Parameters

[in]

type

The 2-byte numeric type of the extension

Returns

A pointer to the extension object of NULL if this type doesn't exist in this message

getExtensionOfType() [2/3]

SSLExtension* pcpp::SSLServerHelloMessage::getExtensionOfType

(

SSLExtensionType

type

)

const

Get a pointer to an extension by its enum type

Parameters

[in]

type

The type of extension to return

Returns

A pointer to the extension object or NULL if this type doesn't exist in this message

getExtensionOfType() [3/3]

template<class TExtension >

TExtension * pcpp::SSLServerHelloMessage::getExtensionOfType

(

)

const

Get a pointer to an extension by its class type. This is a templated method that is used with the type of the requested extension and returns the first extension instance of this type

Returns

A pointer to the extension object or NULL if this extension type doesn't exist in this message

getExtensionsLength()

uint16_t pcpp::SSLServerHelloMessage::getExtensionsLength

(

)

const

Returns

The size (in bytes) of all extensions data in this message. Extracted from the "extensions length" field

getExtensionsLenth()

uint16_t pcpp::SSLServerHelloMessage::getExtensionsLenth ( ) const

inline

Deprecated:

Deprecated due to typo. Please use getExtensionLength()

getHandshakeVersion()

SSLVersion pcpp::SSLServerHelloMessage::getHandshakeVersion

(

)

const

Returns

Handshake SSL/TLS version (notice it may be different than SSLLayer::getRecordVersion(). Each client-hello or server-hello message has both record version and handshake version and they may differ from one another).

NOTE: for TLS 1.3 the handshake version written in ssl_tls_client_server_hello::handshakeVersion is still TLS 1.2, so a special check is made here see if a SupportedVersions extension exists and if so extract the version from it. This is the most straight-forward way to detect TLS 1.3.

getServerHelloHeader()

ssl_tls_client_server_hello* pcpp::SSLServerHelloMessage::getServerHelloHeader ( ) const

inline

Returns

A struct containing common fields for client-hello and server-hello messages. Notice this points directly to the data, so every change will change the actual packet data

getSessionID()

uint8_t* pcpp::SSLServerHelloMessage::getSessionID

(

)

const

Returns

Session ID as byte array. If server-hello message doesn't include session ID NULL will be returned

getSessionIDLength()

uint8_t pcpp::SSLServerHelloMessage::getSessionIDLength

(

)

const

Returns

Session ID length in bytes. If server-hello message doesn't include session ID 0 will be returned

toString()

std::string pcpp::SSLServerHelloMessage::toString ( ) const

virtual

Returns

A string representation of the message type (e.g "Client Hello message")

Implements pcpp::SSLHandshakeMessage.