Myra Canyon  v0.0.1-768
network control
 All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Macros Pages
Myra::Traffic::TLS Namespace Reference

Detect and examine TLS packets. More...

Classes

struct  ClientHello
 

Enumerations

enum  ContentType {
  ContentType::Change_cipher_spec = 20,
  ContentType::Alert = 21,
  ContentType::Handshake = 22,
  ContentType::Application_data = 23
}
 
enum  HandshakeType {
  HandshakeType::Hello_request = 0,
  HandshakeType::Client_hello = 1,
  HandshakeType::Server_hello = 2,
  HandshakeType::Certificate = 11,
  HandshakeType::Server_key_exchange = 12,
  HandshakeType::Certificate_request = 13,
  HandshakeType::Server_hello_done = 14,
  HandshakeType::Certificate_verify = 15,
  HandshakeType::Client_key_exchange = 16,
  HandshakeType::Finished = 20
}
 

Functions

bool examine (Flow &flow, const Myra::PktInfo &info)
 Examine a packet for TLS, and mark the flow if found. More...
 

Detailed Description

Detect and examine TLS packets.

See also
RFC 5246

Enumeration Type Documentation

See also
RFC 5246 Appendix A.1
Enumerator
Change_cipher_spec 
Alert 
Handshake 

0x16

Application_data 
See also
RFC 5246 Appendix A.4
Enumerator
Hello_request 
Client_hello 
Server_hello 
Certificate 
Server_key_exchange 
Certificate_request 
Server_hello_done 
Certificate_verify 
Client_key_exchange 
Finished 

Function Documentation

bool Myra::Traffic::TLS::examine ( Myra::Flow flow,
const Myra::PktInfo info 
)

Examine a packet for TLS, and mark the flow if found.

Returns
true if this exam needs to be called again for the given flow
false if this exam never needs to be called again
See also
http://tools.ietf.org/html/rfc5246

TLS "client hello" handshake packets start like this:

   -> flow #4853955849062914786: Unknown+FlowStart+IP+IPv4+TCP: 10.0.1.11:57530->31.13.70.1:443 (data len: 195, number of packets: 4)
   -> flow #4853955849062914786: payload: number of bytes: 195
     0: 16 03 01 00 be 01 00 00 ba 03 03 54 da 2d 99 8b 40 3a 9f 0d f9 1e e8 34 06 fd 95 2f 4b 5e 63 0e - ...........T.-...:.....4.../K^c.
    20: d3 71 99 9d 61 ee 9f 8c d9 4d e1 00 00 38 cc 14 cc 13 cc 15 c0 14 c0 0a 00 39 00 38 00 35 c0 12 - .q..a....M...8...........9.8.5..
    40: c0 08 00 16 00 13 00 0a c0 2f c0 2b c0 13 c0 09 00 a2 00 9e 00 33 00 32 00 9c 00 2f c0 11 c0 07 - ........./.+.........3.2.../....
    60: 00 05 00 04 00 ff 01 00 00 59 00 00 00 15 00 13 00 00 10 77 77 77 2e 66 61 63 65 62 6f 6f 6b 2e - .........Y.........www.facebook.
    80: 63 6f 6d 00 23 00 00 00 0d 00 22 00 20 06 01 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 03 - com.#.....". ...................

Note the first few bytes:

Value | Meaning -------------------——+--—— 0x16 | handshake (22 decimal) 0x03 | major version 0x01 | minor version 0x00 0xbe | length 0x01 | client hello 0x00 0x00 0xba | length 0x03 | client major version 0x03 | client minor version

If the packet is TLS client hello, also check to see if we have a SNI (server name indication) extension.

See also
https://en.wikipedia.org/wiki/Server_Name_Indication
http://tools.ietf.org/html/rfc4366#section-3.1

SNI looks like this:

     60: 00 05 00 04 00 ff 01 00 00 59 00 00 00 15 00 13 00 00 10 77 77 77 2e 66 61 63 65 62 6f 6f 6b 2e - .........Y.........www.facebook.
     80: 63 6f 6d 00 23 00 00 00 0d 00 22 00 20 06 01 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 03 - com.#.....". ...................

Value | Meaning --------------------------—+-----— 0x00 0x00 | server name extension (RFC 4366 section 2.3) 0x00 0x15 | extension length 0x00 0x13 | list length 0x00 | name type (must be zero for "hostname") 0x00 0x10 | name length www.facebook.com | host name

Here is the call graph for this function:

Here is the caller graph for this function: