PcapPlusPlus  21.05
pcpp::SSLServerHelloMessage Class Reference

#include <SSLHandshake.h>

Inheritance diagram for pcpp::SSLServerHelloMessage:
pcpp::SSLHandshakeMessage

Classes

struct  ServerHelloTLSFingerprint
 

Public Member Functions

 SSLServerHelloMessage (uint8_t *data, size_t dataLen, SSLHandshakeLayer *container)
 
ssl_tls_client_server_hello * getServerHelloHeader () const
 
SSLVersion getHandshakeVersion () const
 
uint8_t getSessionIDLength () const
 
uint8_t * getSessionID () const
 
SSLCipherSuite * getCipherSuite () const
 
uint16_t getCipherSuiteID (bool &isValid) const
 
uint8_t getCompressionMethodsValue () const
 
int getExtensionCount () const
 
uint16_t getExtensionsLenth () const
 
SSLExtension * getExtension (int index) const
 
SSLExtension * getExtensionOfType (uint16_t type) const
 
SSLExtension * getExtensionOfType (SSLExtensionType type) const
 
template<class TExtension >
TExtension * getExtensionOfType () const
 
ServerHelloTLSFingerprint generateTLSFingerprint () const
 
std::string toString () const
 
- Public Member Functions inherited from pcpp::SSLHandshakeMessage
virtual SSLHandshakeType getHandshakeType () const
 
virtual size_t getMessageLength () const
 
virtual bool isMessageComplete () const
 
SSLHandshakeLayer * getContainingLayer () const
 

Additional Inherited Members

- Static Public Member Functions inherited from pcpp::SSLHandshakeMessage
static SSLHandshakeMessage * createHandhakeMessage (uint8_t *data, size_t dataLen, SSLHandshakeLayer *container)
 

Detailed Description

Represents SSL/TLS server-hello message (type 2). Inherits from SSLHandshakeMessage and adds parsing of all fields of this message including the message extensions, cipher-suite, etc.

Constructor & Destructor Documentation

◆ SSLServerHelloMessage()

pcpp::SSLServerHelloMessage::SSLServerHelloMessage ( uint8_t *  data,
size_t  dataLen,
SSLHandshakeLayer *  container
)

Constructor for this class. Currently used only by SSLHandshakeMessage::createHandhakeMessage() and shouldn't be called directly by a user.

Parameters
[in]  data  The message as raw data
[in]  dataLen  Message raw data length in bytes
[in]  container  The SSL handshake layer which shall contain this message

Member Function Documentation

◆ generateTLSFingerprint()

ServerHelloTLSFingerprint pcpp::SSLServerHelloMessage::generateTLSFingerprint ( ) const

ServerHello TLS fingerprinting is a way to fingerprint TLS Server Hello messages. In conjunction with ClientHello TLS fingerprinting it can assist in identifying specific client-server communication (for example: a malware connecting to its backend server). ServerHello TLS fingerprinting was introduced in Salesforce's JA3S open source project: https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967. This implementation is a C++ version of Salesforce's JA3S (originally written in Python and Zeek).

Returns
A SSLServerHelloMessage::ServerHelloTLSFingerprint struct that contains all the elements needed for creating a TLS fingerprint out of this Server Hello message. The struct also has methods to extract the TLS fingerprint itself in string or MD5 format.

◆ getCipherSuite()

SSLCipherSuite* pcpp::SSLServerHelloMessage::getCipherSuite ( ) const
Returns
A pointer to the cipher suite encapsulated in this message (a server-hello message contains one cipher-suite, the one that will be used for encryption between client and server). May return NULL if the parsing of the message failed or the cipher-suite ID is unknown. If you still want to get the cipher-suite ID you can use the getCipherSuiteID() method.

◆ getCipherSuiteID()

uint16_t pcpp::SSLServerHelloMessage::getCipherSuiteID ( bool &  isValid) const

Get the cipher-suite ID. This method just parses the ID from the server-hello message and returns it. To get more information on the cipher-suite you can use the getCipherSuite() method

Parameters
[out]  isValid  Set to "true" if parsing succeeded and the return value is valid or "false" otherwise. If the value is "false" the return value can be ignored
Returns
The cipher-suite ID if "isValid" is set to "true". If "isValid" is set to "false" the return value can be ignored

◆ getCompressionMethodsValue()

uint8_t pcpp::SSLServerHelloMessage::getCompressionMethodsValue ( ) const
Returns
The value of the compression method byte

◆ getExtension()

SSLExtension* pcpp::SSLServerHelloMessage::getExtension ( int  index) const

Get a pointer to an extension by index. The extensions are numbered according to their order of appearance in the message. If index is out of bounds (less than 0 or larger than total amount of extensions) NULL will be returned

Parameters
[in]  index  The index of the extension to return
Returns
The pointer to the extension or NULL if index is out of bounds

◆ getExtensionCount()

int pcpp::SSLServerHelloMessage::getExtensionCount ( ) const
Returns
The number of extensions in this message

◆ getExtensionOfType() [1/3]

SSLExtension* pcpp::SSLServerHelloMessage::getExtensionOfType ( uint16_t  type) const

Get a pointer to an extension by numeric type field. Every extension has a 2-byte numeric value representing its type (for example: renegotiation info extension type is 0x1ff). This method gets the type and returns a pointer to the extension object

Parameters
[in]  type  The 2-byte numeric type of the extension
Returns
A pointer to the extension object or NULL if this type doesn't exist in this message

◆ getExtensionOfType() [2/3]

SSLExtension* pcpp::SSLServerHelloMessage::getExtensionOfType ( SSLExtensionType  type) const

Get a pointer to an extension by its enum type

Parameters
[in]  type  The type of extension to return
Returns
A pointer to the extension object or NULL if this type doesn't exist in this message

◆ getExtensionOfType() [3/3]

template<class TExtension >
TExtension * pcpp::SSLServerHelloMessage::getExtensionOfType ( ) const

Get a pointer to an extension by its class type. This is a templated method that is used with the type of the requested extension and returns the first extension instance of this type

Returns
A pointer to the extension object or NULL if this extension type doesn't exist in this message

◆ getExtensionsLenth()

uint16_t pcpp::SSLServerHelloMessage::getExtensionsLenth ( ) const
Returns
The size (in bytes) of all extensions data in this message. Extracted from the "extensions length" field

◆ getHandshakeVersion()

SSLVersion pcpp::SSLServerHelloMessage::getHandshakeVersion ( ) const
Returns
Handshake SSL/TLS version (notice it may be different than SSLLayer::getRecordVersion(). Each client-hello or server-hello message has both record version and handshake version and they may differ from one another).

NOTE: for TLS 1.3 the handshake version written in ssl_tls_client_server_hello::handshakeVersion is still TLS 1.2, so a special check is made here to see if a SupportedVersions extension exists and, if so, the version is extracted from it. This is the most straightforward way to detect TLS 1.3.
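
The TLS 1.3 check described in the note above and the elements listed under generateTLSFingerprint() can be seen on raw bytes in the following added example, which is not PcapPlusPlus code and does not use its API. `ServerHelloInfo`, `parseServerHello`, `ja3sString` and `sampleServerHello` are names made up for this example; the string uses the header version field (an assumption of this example) and the MD5 step is left out.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

struct ServerHelloInfo {                  // example-only type, not a PcapPlusPlus struct
    uint16_t legacyVersion = 0, negotiatedVersion = 0, cipherSuite = 0;
    std::vector<uint16_t> extensionTypes; // in order of appearance
};
static uint16_t be16(const uint8_t* p) { return static_cast<uint16_t>((p[0] << 8) | p[1]); }
// Parses one handshake message from its type byte; false on truncation or length mismatch.
bool parseServerHello(const uint8_t* d, size_t n, ServerHelloInfo& out) {
    out = ServerHelloInfo();                                 // on failure, ignore out
    if (n < 4 || d[0] != 0x02) return false;                 // handshake type 2
    size_t left = (size_t(d[1]) << 16) | (size_t(d[2]) << 8) | d[3];
    if (left > n - 4 || left < 35) return false;             // version + random + sid length
    const uint8_t* p = d + 4;
    out.legacyVersion = out.negotiatedVersion = be16(p);
    size_t sidLen = p[34];
    if (left < 35 + sidLen + 3) return false;                // sid + cipher + compression
    p += 35 + sidLen; left -= 35 + sidLen;
    out.cipherSuite = be16(p);
    p += 3; left -= 3;
    if (left != 0 && (left < 2 || be16(p) != left - 2)) return false;  // extensions length
    if (left != 0) { p += 2; left -= 2; }
    while (left > 0) {
        if (left < 4 || be16(p + 2) > left - 4) return false;
        uint16_t type = be16(p), len = be16(p + 2);
        if (type == 43 && len == 2) out.negotiatedVersion = be16(p + 4);  // supported_versions
        out.extensionTypes.push_back(type);
        p += 4 + len; left -= 4 + len;
    }
    return true;
}
// JA3S input string "version,cipher,ext1-ext2-..." in decimal, using the header version.
std::string ja3sString(const ServerHelloInfo& i) {
    std::string s = std::to_string(i.legacyVersion) + "," + std::to_string(i.cipherSuite) + ",";
    for (size_t k = 0; k < i.extensionTypes.size(); ++k)
        s += (k ? "-" : "") + std::to_string(i.extensionTypes[k]);
    return s;
}
// Constructed sample: TLS 1.3 ServerHello, zero random, empty session ID, shortened key_share.
std::vector<uint8_t> sampleServerHello() {
    std::vector<uint8_t> m = {0x02, 0x00, 0x00, 0x34, 0x03, 0x03};
    m.resize(m.size() + 33, 0x00);                           // 32-byte random + sid length 0
    const uint8_t tail[] = {0x13, 0x01, 0x00, 0x00, 0x0c, 0x00, 0x2b, 0x00, 0x02, 0x03, 0x04,
                            0x00, 0x33, 0x00, 0x02, 0x00, 0x1d};
    m.insert(m.end(), tail, tail + sizeof tail);
    return m;
}
```

For the constructed sample the header version is 0x0303 while the supported_versions extension carries 0x0304, which is the mismatch the note describes.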

◆ getServerHelloHeader()

ssl_tls_client_server_hello* pcpp::SSLServerHelloMessage::getServerHelloHeader ( ) const
inline
Returns
A struct containing common fields for client-hello and server-hello messages. Notice this points directly to the data, so every change will change the actual packet data

◆ getSessionID()

uint8_t* pcpp::SSLServerHelloMessage::getSessionID ( ) const
Returns
Session ID as byte array. If server-hello message doesn't include session ID NULL will be returned

◆ getSessionIDLength()

uint8_t pcpp::SSLServerHelloMessage::getSessionIDLength ( ) const
Returns
Session ID length in bytes. If server-hello message doesn't include session ID 0 will be returned

◆ toString()

std::string pcpp::SSLServerHelloMessage::toString ( ) const
virtual
Returns
A string representation of the message type (e.g "Client Hello message")

Implements pcpp::SSLHandshakeMessage.