From bde08ddbd5ef15e96e339cb4a5e6ae6faa037979 Mon Sep 17 00:00:00 2001 From: William Robinet Date: Wed, 9 Aug 2023 15:36:52 +0200 Subject: [PATCH 01/12] Initial cmake setup --- CMakeLists.txt | 76 +++++ base/pcap-snoop.c | 575 +-------------------------------- base/pcap-snoop.c.in | 574 ++++++++++++++++++++++++++++++++ cmake/modules/FindLIBNET.cmake | 111 +++++++ cmake/modules/FindPCAP.cmake | 86 +++++ 5 files changed, 848 insertions(+), 574 deletions(-) create mode 100644 CMakeLists.txt mode change 100644 => 120000 base/pcap-snoop.c create mode 100644 base/pcap-snoop.c.in create mode 100644 cmake/modules/FindLIBNET.cmake create mode 100644 cmake/modules/FindPCAP.cmake diff --git a/CMakeLists.txt b/CMakeLists.txt new file mode 100644 index 0000000..e3dcaa8 --- /dev/null +++ b/CMakeLists.txt @@ -0,0 +1,76 @@ +cmake_minimum_required(VERSION 3.18.4) +include(CheckSymbolExists) + +set(CMAKE_VERBOSE_MAKEFILE ON) + +project( + ssldump + VERSION 1.9 + LANGUAGES C +) + +configure_file(base/pcap-snoop.c.in base/pcap-snoop.c) + +set(SOURCES + ${CMAKE_BINARY_DIR}/base/pcap-snoop.c + base/network.c + base/proto_mod.c + base/tcppack.c + base/tcpconn.c + null/null_analyze.c + common/lib/r_data.c + common/lib/r_assoc.c + common/lib/r_errors.c + common/lib/debug.c + ssl/ssl_analyze.c + ssl/ssldecode.c + ssl/sslprint.c + ssl/ssl.enums.c + ssl/sslxprint.c + ssl/ciphersuites.c + ssl/ssl_rec.c + pcap/logpkt.c + pcap/pcap_logger.c + pcap/sys.c +) + +set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${PROJECT_SOURCE_DIR}/cmake/modules/") + +find_package(OpenSSL REQUIRED) +find_package(PCAP REQUIRED) +find_package(LIBNET REQUIRED) +find_package(json-c REQUIRED) + +add_executable(${PROJECT_NAME} ${SOURCES}) + +check_symbol_exists(strdup "string.h" HAVE_STRDUP) +if(HAVE_STRDUP) + add_definitions(-DHAVE_STRDUP) +endif() + +add_definitions(-DLINUX) +add_definitions(-DOPENSSL) +add_definitions(-D_DEFAULT_SOURCE=1) + +target_include_directories(ssldump + PRIVATE + ${PROJECT_SOURCE_DIR}/common/include + ${PROJECT_SOURCE_DIR}/common/lib + ${PROJECT_SOURCE_DIR}/null + ${PROJECT_SOURCE_DIR}/ssl + ${PROJECT_SOURCE_DIR}/base + ${PROJECT_SOURCE_DIR}/pcap + ${OPENSSL_INCLUDE_DIR} + ${PCAP_INCLUDE_DIR} + ${LIBNET_INCLUDE_DIR} + ${json-c_INCLUDE_DIR} +) + +target_link_libraries(ssldump + PRIVATE + ${OPENSSL_LIBRARIES} + pcap + net + json-c +) + diff --git a/base/pcap-snoop.c b/base/pcap-snoop.c deleted file mode 100644 index 3d3a85b..0000000 --- a/base/pcap-snoop.c +++ /dev/null @@ -1,574 +0,0 @@ -/** - pcap-snoop.c - - - Copyright (C) 1999-2001 RTFM, Inc. - All Rights Reserved - - This package is a SSLv3/TLS protocol analyzer written by Eric - Rescorla and licensed by RTFM, Inc. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions - are met: - 1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above - copyright notice, this list of conditions and the following - disclaimer in the documentation and/or other materials provided - with the distribution. - 3. All advertising materials mentioning features or use of this - software must display the following acknowledgement: - - This product includes software developed by Eric Rescorla for - RTFM, Inc. - - 4. Neither the name of RTFM, Inc. nor the name of Eric Rescorla may - be used to endorse or promote products derived from this - software without specific prior written permission. - - THIS SOFTWARE IS PROVIDED BY ERIC RESCORLA AND RTFM, INC. ``AS IS'' - AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A - PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR - CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF - USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND - ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT - OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY - SUCH DAMAGE. - - $Id: pcap-snoop.c,v 1.14 2002/09/09 21:02:58 ekr Exp $ - - - ekr@rtfm.com Tue Dec 29 10:17:41 1998 - */ - - - - -#include -#include -#include -#ifndef _WIN32 -#include -#endif -#include -#ifndef _WIN32 -#include -#include -#else -#include -#include -#endif -#include - -#include -#include -#include "network.h" -#include -#include -#include "null_analyze.h" -#include "ssl_analyze.h" -#ifdef ENABLE_RECORD -#include "record_analyze.h" -#endif -#include "pcap_logger.h" - -#ifndef ETHERTYPE_8021Q -# define ETHERTYPE_8021Q 0x8100 -#endif - -char *collapse_args PROTO_LIST((int argc,char **argv)); -static int pcap_if_type=DLT_NULL; -int err_exit PROTO_LIST((char *str,int num)); -int usage PROTO_LIST((void)); -int print_version PROTO_LIST((void)); -void sig_handler PROTO_LIST((int sig)); -void pcap_cb PROTO_LIST((u_char *ptr,const struct pcap_pkthdr *hdr,const u_char *data)); -int main PROTO_LIST((int argc,char **argv)); - -int packet_cnt = 0; // Packet counter used for connection pool cleaning -int conn_freq = 100; // Number of packets after which a connection pool - // cleaning is performed -int conn_ttl = 100; // TTL of inactive connections in connection pool -struct timeval last_packet_seen_time = // Timestamp of the last packet of the - (struct timeval) {0}; // last block of conn_freq packets seen - -logger_mod *logger=NULL; - -int err_exit(str,num) - char *str; - int num; - { - fprintf(stderr,"ERROR: %s\n",str); - sig_handler(SIGQUIT); - exit(num); - } - -int usage() - { - fprintf(stderr,"Usage: ssldump [-r dumpfile] [-i interface] [-l sslkeylogfile] [-w outpcapfile]\n"); - fprintf(stderr," [-k keyfile] [-p password] [-vtaTznsAxVNde]\n"); - fprintf(stderr," [filter]\n"); - exit(0); - } - -int print_version() - { - printf(PACKAGE_STRING "\n"); - printf("Maintained by a bunch of volunteers, see https://github.com/adulau/ssldump/blob/master/CREDITS\n"); - printf("Copyright (C) 2015-2023 the aforementioned volunteers\n"); - printf("Copyright (C) 1998-2001 RTFM, Inc.\n"); - printf("All rights reserved.\n"); -#ifdef OPENSSL - printf("Compiled with OpenSSL: decryption enabled\n"); -#endif - exit(0); - } - -pcap_t *p; -proto_mod *mod=&ssl_mod; -n_handler *n; -char *interface_name=0; -char *file=0; -char *filter=0; -void sig_handler(int sig) - { - int freed_conn = 0; - fflush(stdout); - if (logger) - logger->vtbl->deinit(); - - freed_conn = destroy_all_conn(); - if(freed_conn && !(NET_print_flags & NET_PRINT_JSON)) - printf("Cleaned %d remaining connection(s) from connection pool\n", freed_conn); - - network_handler_destroy(mod, &n); - - if(p) - pcap_close(p); - if(interface_name) - free(interface_name); - if(filter) - free(filter); - if(file) - free(file); - - exit(sig); - } - -void pcap_cb(ptr,hdr,data) - u_char *ptr; - const struct pcap_pkthdr *hdr; - const u_char *data; - { - n_handler *n; - int len; - struct ether_header *e_hdr=(struct ether_header *)data; - int type, cleaned_conn; - - n=(n_handler *)ptr; - if(hdr->caplen!=hdr->len) err_exit("Length mismatch",-1); - - len=hdr->len; - - switch(pcap_if_type){ - case DLT_RAW: -#ifdef DLT_LOOP - case DLT_LOOP: -#endif - case DLT_NULL: - data+=4; - len-=4; - break; - case DLT_EN10MB: - if(len < sizeof(struct ether_header)) { - if(!(NET_print_flags & NET_PRINT_JSON)) - printf("Frame size too small to contain Ethernet header, skipping ...\n"); - return; - } - - type=ntohs(e_hdr->ether_type); - - data+=sizeof(struct ether_header); - len-=sizeof(struct ether_header); - - /* if vlans, push past VLAN header (4 bytes) */ - if(type==ETHERTYPE_8021Q) { - type=ntohs(*(u_int16_t *)(data + 2)); - - data+=4; - len+=4; - } - - if(type!=ETHERTYPE_IP && type!=ETHERTYPE_IPV6) - return; - - break; - case DLT_IEEE802: - data+=22; - len-=22; - break; - case DLT_FDDI: - data+=21; - len-=21; - break; -#ifdef __amigaos__ - case DLT_MIAMI: - data+=16; - len-=16; - break; -#endif - case DLT_SLIP: -#ifdef DLT_SLIP_BSDOS - case DLT_SLIP_BSDOS: -#endif -#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || defined(__bsdi__) || defined(__APPLE__) - data+=16; - len-=16; -#else - data+=24; - len-=24; -#endif - break; - case DLT_PPP: -#ifdef DLT_PPP_BSDOS - case DLT_PPP_BSDOS: -#endif -#ifdef DLT_PPP_SERIAL - case DLT_PPP_SERIAL: -#endif -#ifdef DLT_PPP_ETHER - case DLT_PPP_ETHER: -#endif -#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || defined(__bsdi__) || defined(__APPLE__) - data+=4; - len-=4; -#else -#if defined(sun) || defined(__sun) - data+=8; - len-=8; -#else - data+=24; - len-=24; -#endif -#endif - break; -#ifdef DLT_ENC - case DLT_ENC: - data+=12; - len-=12; - break; -#endif -#ifdef DLT_LINUX_SLL - case DLT_LINUX_SLL: - data+=16; - len-=16; - break; -#endif -#ifdef DLT_IPNET - case DLT_IPNET: - data+=24; - len-=24; - break; -#endif - } - - if(type == ETHERTYPE_IPV6) - network_process_packet(n,(struct timeval *) &hdr->ts,(u_char *)data,len, AF_INET6); - else - network_process_packet(n,(struct timeval *) &hdr->ts,(u_char *)data,len, AF_INET); - - if(packet_cnt == conn_freq) { - packet_cnt = 0; - memcpy(&last_packet_seen_time,&hdr->ts,sizeof(struct timeval)); - if((cleaned_conn = clean_old_conn()) && !(NET_print_flags & NET_PRINT_JSON)) - printf("%d inactive connection(s) cleaned from connection pool\n", cleaned_conn); - } else { - packet_cnt++; - } - } - -typedef struct module_def_ { - char *name; - proto_mod *mod; -} module_def; - -static module_def modules[]={ - {"SSL",&ssl_mod}, - {"NULL",&null_mod}, -#ifdef ENABLE_RECORD - {"RECORD",&record_mod}, -#endif - {0,0} -}; - - -int parse_ssl_flag PROTO_LIST((int c)); - -int main(argc,argv) - int argc; - char **argv; - { - int r; -#ifdef _WIN32 - __declspec(dllimport) char *optarg; - __declspec(dllimport) int optind; -#else - extern char *optarg; - extern int optind; -#endif - pcap_if_t *interfaces; - bpf_u_int32 localnet,netmask; - int c; - module_def *m=0; - int no_promiscuous=0; - int freed_conn=0; - - char errbuf[PCAP_ERRBUF_SIZE]; - - signal(SIGINT,sig_handler); - - while((c=getopt(argc,argv,"vr:F:f:S:jyTt:ai:k:l:w:p:znsAxXhHVNdqem:P"))!=EOF){ - switch(c){ - case 'v': - print_version(); - break; - case 'f': - fprintf(stderr,"-f option replaced by -r. Use that in the future\n"); - case 'r': - file=strdup(optarg); - break; - case 'S': - ssl_mod.vtbl->parse_flags(optarg); - break; - case 'y': - NET_print_flags|=NET_PRINT_TYPESET; - /*Kludge*/ - SSL_print_flags |= SSL_PRINT_NROFF; - break; - case 'j': - NET_print_flags |= NET_PRINT_JSON; - SSL_print_flags |= SSL_PRINT_JSON; - break; - case 'z': - NET_print_flags |= NET_PRINT_TS; - break; - case 'a': - NET_print_flags |= NET_PRINT_ACKS; - break; - case 'A': - SSL_print_flags |= SSL_PRINT_ALL_FIELDS; - break; - case 'T': - NET_print_flags |= NET_PRINT_TCP_HDR; - break; - case 'i': - interface_name=strdup(optarg); - break; - case 'k': - SSL_keyfile=strdup(optarg); - break; - case 'l': - SSL_keylogfile=strdup(optarg); - break; - case 'w': - logger=&pcap_mod; - if(logger->vtbl->init(optarg)!=0){ - fprintf(stderr,"Can not open/create out pcap %s\n", - optarg); - exit(1); - } - break; - case 'p': - SSL_password=strdup(optarg); - break; - case 'P': - ++no_promiscuous; - break; - case 'n': - NET_print_flags |= NET_PRINT_NO_RESOLVE; - break; - case 't': - conn_ttl=atoi(optarg); - break; - case 'F': - conn_freq=atoi(optarg); - break; - case 'm': - for(m=modules;m->name!=0;m++){ - if(!strcmp(m->name,optarg)){ - mod=m->mod; - break; - } - } - if(!m->name){ - fprintf(stderr,"Request analysis module %s not found\n", - optarg); - exit(1); - } - break; - case 'h': - usage(); - printf("Do 'man ssldump' for documentation\n"); - exit(1); - - case '?': - usage(); - exit(1); - - /* must be an SSL flag. This is kind of a gross - special case */ - default: - parse_ssl_flag(c); - break; - } - } - - argv+=optind; - argc-=optind; - - if(!file){ - if(!interface_name){ - if(pcap_findalldevs(&interfaces,errbuf)==-1) { - fprintf(stderr,"PCAP: %s\n",errbuf); - err_exit("Aborting",-1); - } - interface_name=interfaces->name; - if(!interface_name){ - fprintf(stderr,"PCAP: %s\n",errbuf); - err_exit("Aborting",-1); - } - } - if(!(p=pcap_open_live(interface_name,65535,!no_promiscuous,1000,errbuf))){ - fprintf(stderr,"PCAP: %s\n",errbuf); - err_exit("Aborting",-1); - } - - if (pcap_lookupnet(interface_name, &localnet, &netmask, errbuf) < 0) - fprintf(stderr,"PCAP: %s\n", errbuf); - } - else{ - if(!(p=pcap_open_offline(file,errbuf))){ - fprintf(stderr,"PCAP: %s\n",errbuf); - err_exit("Aborting",-1); - } - - netmask=0; - localnet=0; - } - - if(argc!=0) - filter=collapse_args(argc,argv); - - if(filter){ - struct bpf_program fp; - - /* (F5 patch) - * reformat filter to include traffic with or without the 802.1q - * vlan header. for example, "port 80" becomes: - * "( port 80 ) or ( vlan and port 80 )". - * note that if the filter includes the literals vlan, tagged, or - * untagged, then it is assumed that the user knows what she is - * doing, and the filter is not reformatted. - */ - if ((pcap_datalink(p) == DLT_EN10MB) && - (filter != NULL) && - (strstr(filter,"vlan") == NULL)) { - char *tmp_filter; - char *fmt = "( (not ether proto 0x8100) and (%s) ) or ( vlan and (%s) )"; - - tmp_filter = (char *)malloc((strlen(filter) * 2) + strlen(fmt) + 1); - if (tmp_filter == NULL) { - fprintf(stderr,"PCAP: malloc failed\n"); - err_exit("Aborting",-1); - } - - sprintf(tmp_filter,fmt,filter,filter); - free(filter); - filter = tmp_filter; - } - - if(pcap_compile(p,&fp,filter,0,netmask)<0) - verr_exit("PCAP: %s\n",pcap_geterr(p)); - - if(pcap_setfilter(p,&fp)<0) - verr_exit("PCAP: %s\n",pcap_geterr(p)); - } - - pcap_if_type=pcap_datalink(p); - - if(!(NET_print_flags & NET_PRINT_JSON)) - if(NET_print_flags & NET_PRINT_TYPESET) - printf("\n.nf\n.ps -2\n"); - - if((r=network_handler_create(mod,&n))) - err_exit("Couldn't create network handler",r); - - pcap_loop(p,-1,pcap_cb,(u_char *)n); - - if(!(NET_print_flags & NET_PRINT_JSON)) - if(NET_print_flags & NET_PRINT_TYPESET) - printf("\n.ps\n.fi\n"); - - freed_conn = destroy_all_conn(); - if(freed_conn && !(NET_print_flags & NET_PRINT_JSON)) - printf("Cleaned %d remaining connection(s) from connection pool\n", freed_conn); - - network_handler_destroy(mod, &n); - pcap_close(p); - - free(n); - - if(filter) - free(filter); - if(file) - free(file); - if(interface_name) - free(interface_name); - if(SSL_keyfile) - free(SSL_keyfile); - if(SSL_keylogfile) - free(SSL_keylogfile); - if(SSL_password) - free(SSL_password); - if (logger) - { - logger->vtbl->deinit(); - } - - exit(0); - } - - -char *collapse_args(argc,argv) - int argc; - char **argv; - { - int i,len=0; - char *ret; - - if(!argc) - return(0); - - for(i=0;i and licensed by RTFM, Inc. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + 3. All advertising materials mentioning features or use of this + software must display the following acknowledgement: + + This product includes software developed by Eric Rescorla for + RTFM, Inc. + + 4. Neither the name of RTFM, Inc. nor the name of Eric Rescorla may + be used to endorse or promote products derived from this + software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY ERIC RESCORLA AND RTFM, INC. ``AS IS'' + AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR + CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF + USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY + SUCH DAMAGE. + + $Id: pcap-snoop.c,v 1.14 2002/09/09 21:02:58 ekr Exp $ + + + ekr@rtfm.com Tue Dec 29 10:17:41 1998 + */ + + + + +#include +#include +#include +#ifndef _WIN32 +#include +#endif +#include +#ifndef _WIN32 +#include +#include +#else +#include +#include +#endif +#include + +#include +#include +#include "network.h" +#include +#include +#include "null_analyze.h" +#include "ssl_analyze.h" +#ifdef ENABLE_RECORD +#include "record_analyze.h" +#endif +#include "pcap_logger.h" + +#ifndef ETHERTYPE_8021Q +# define ETHERTYPE_8021Q 0x8100 +#endif + +char *collapse_args PROTO_LIST((int argc,char **argv)); +static int pcap_if_type=DLT_NULL; +int err_exit PROTO_LIST((char *str,int num)); +int usage PROTO_LIST((void)); +int print_version PROTO_LIST((void)); +void sig_handler PROTO_LIST((int sig)); +void pcap_cb PROTO_LIST((u_char *ptr,const struct pcap_pkthdr *hdr,const u_char *data)); +int main PROTO_LIST((int argc,char **argv)); + +int packet_cnt = 0; // Packet counter used for connection pool cleaning +int conn_freq = 100; // Number of packets after which a connection pool + // cleaning is performed +int conn_ttl = 100; // TTL of inactive connections in connection pool +struct timeval last_packet_seen_time = // Timestamp of the last packet of the + (struct timeval) {0}; // last block of conn_freq packets seen + +logger_mod *logger=NULL; + +int err_exit(str,num) + char *str; + int num; + { + fprintf(stderr,"ERROR: %s\n",str); + sig_handler(SIGQUIT); + exit(num); + } + +int usage() + { + fprintf(stderr,"Usage: ssldump [-r dumpfile] [-i interface] [-l sslkeylogfile] [-w outpcapfile]\n"); + fprintf(stderr," [-k keyfile] [-p password] [-vtaTznsAxVNde]\n"); + fprintf(stderr," [filter]\n"); + exit(0); + } + +int print_version() + { + printf("@ssldump_VERSION@\n"); + printf("Maintained by a bunch of volunteers, see https://github.com/adulau/ssldump/blob/master/CREDITS\n"); + printf("Copyright (C) 2015-2023 the aforementioned volunteers\n"); + printf("Copyright (C) 1998-2001 RTFM, Inc.\n"); + printf("All rights reserved.\n"); +#ifdef OPENSSL + printf("Compiled with OpenSSL: decryption enabled\n"); +#endif + exit(0); + } + +pcap_t *p; +proto_mod *mod=&ssl_mod; +n_handler *n; +char *interface_name=0; +char *file=0; +char *filter=0; +void sig_handler(int sig) + { + int freed_conn = 0; + fflush(stdout); + if (logger) + logger->vtbl->deinit(); + + freed_conn = destroy_all_conn(); + if(freed_conn && !(NET_print_flags & NET_PRINT_JSON)) + printf("Cleaned %d remaining connection(s) from connection pool\n", freed_conn); + + network_handler_destroy(mod, &n); + + if(p) + pcap_close(p); + if(interface_name) + free(interface_name); + if(filter) + free(filter); + if(file) + free(file); + + exit(sig); + } + +void pcap_cb(ptr,hdr,data) + u_char *ptr; + const struct pcap_pkthdr *hdr; + const u_char *data; + { + n_handler *n; + int len; + struct ether_header *e_hdr=(struct ether_header *)data; + int type, cleaned_conn; + + n=(n_handler *)ptr; + if(hdr->caplen!=hdr->len) err_exit("Length mismatch",-1); + + len=hdr->len; + + switch(pcap_if_type){ + case DLT_RAW: +#ifdef DLT_LOOP + case DLT_LOOP: +#endif + case DLT_NULL: + data+=4; + len-=4; + break; + case DLT_EN10MB: + if(len < sizeof(struct ether_header)) { + if(!(NET_print_flags & NET_PRINT_JSON)) + printf("Frame size too small to contain Ethernet header, skipping ...\n"); + return; + } + + type=ntohs(e_hdr->ether_type); + + data+=sizeof(struct ether_header); + len-=sizeof(struct ether_header); + + /* if vlans, push past VLAN header (4 bytes) */ + if(type==ETHERTYPE_8021Q) { + type=ntohs(*(u_int16_t *)(data + 2)); + + data+=4; + len+=4; + } + + if(type!=ETHERTYPE_IP && type!=ETHERTYPE_IPV6) + return; + + break; + case DLT_IEEE802: + data+=22; + len-=22; + break; + case DLT_FDDI: + data+=21; + len-=21; + break; +#ifdef __amigaos__ + case DLT_MIAMI: + data+=16; + len-=16; + break; +#endif + case DLT_SLIP: +#ifdef DLT_SLIP_BSDOS + case DLT_SLIP_BSDOS: +#endif +#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || defined(__bsdi__) || defined(__APPLE__) + data+=16; + len-=16; +#else + data+=24; + len-=24; +#endif + break; + case DLT_PPP: +#ifdef DLT_PPP_BSDOS + case DLT_PPP_BSDOS: +#endif +#ifdef DLT_PPP_SERIAL + case DLT_PPP_SERIAL: +#endif +#ifdef DLT_PPP_ETHER + case DLT_PPP_ETHER: +#endif +#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || defined(__bsdi__) || defined(__APPLE__) + data+=4; + len-=4; +#else +#if defined(sun) || defined(__sun) + data+=8; + len-=8; +#else + data+=24; + len-=24; +#endif +#endif + break; +#ifdef DLT_ENC + case DLT_ENC: + data+=12; + len-=12; + break; +#endif +#ifdef DLT_LINUX_SLL + case DLT_LINUX_SLL: + data+=16; + len-=16; + break; +#endif +#ifdef DLT_IPNET + case DLT_IPNET: + data+=24; + len-=24; + break; +#endif + } + + if(type == ETHERTYPE_IPV6) + network_process_packet(n,(struct timeval *) &hdr->ts,(u_char *)data,len, AF_INET6); + else + network_process_packet(n,(struct timeval *) &hdr->ts,(u_char *)data,len, AF_INET); + + if(packet_cnt == conn_freq) { + packet_cnt = 0; + memcpy(&last_packet_seen_time,&hdr->ts,sizeof(struct timeval)); + if((cleaned_conn = clean_old_conn()) && !(NET_print_flags & NET_PRINT_JSON)) + printf("%d inactive connection(s) cleaned from connection pool\n", cleaned_conn); + } else { + packet_cnt++; + } + } + +typedef struct module_def_ { + char *name; + proto_mod *mod; +} module_def; + +static module_def modules[]={ + {"SSL",&ssl_mod}, + {"NULL",&null_mod}, +#ifdef ENABLE_RECORD + {"RECORD",&record_mod}, +#endif + {0,0} +}; + + +int parse_ssl_flag PROTO_LIST((int c)); + +int main(argc,argv) + int argc; + char **argv; + { + int r; +#ifdef _WIN32 + __declspec(dllimport) char *optarg; + __declspec(dllimport) int optind; +#else + extern char *optarg; + extern int optind; +#endif + pcap_if_t *interfaces; + bpf_u_int32 localnet,netmask; + int c; + module_def *m=0; + int no_promiscuous=0; + int freed_conn=0; + + char errbuf[PCAP_ERRBUF_SIZE]; + + signal(SIGINT,sig_handler); + + while((c=getopt(argc,argv,"vr:F:f:S:jyTt:ai:k:l:w:p:znsAxXhHVNdqem:P"))!=EOF){ + switch(c){ + case 'v': + print_version(); + break; + case 'f': + fprintf(stderr,"-f option replaced by -r. Use that in the future\n"); + case 'r': + file=strdup(optarg); + break; + case 'S': + ssl_mod.vtbl->parse_flags(optarg); + break; + case 'y': + NET_print_flags|=NET_PRINT_TYPESET; + /*Kludge*/ + SSL_print_flags |= SSL_PRINT_NROFF; + break; + case 'j': + NET_print_flags |= NET_PRINT_JSON; + SSL_print_flags |= SSL_PRINT_JSON; + break; + case 'z': + NET_print_flags |= NET_PRINT_TS; + break; + case 'a': + NET_print_flags |= NET_PRINT_ACKS; + break; + case 'A': + SSL_print_flags |= SSL_PRINT_ALL_FIELDS; + break; + case 'T': + NET_print_flags |= NET_PRINT_TCP_HDR; + break; + case 'i': + interface_name=strdup(optarg); + break; + case 'k': + SSL_keyfile=strdup(optarg); + break; + case 'l': + SSL_keylogfile=strdup(optarg); + break; + case 'w': + logger=&pcap_mod; + if(logger->vtbl->init(optarg)!=0){ + fprintf(stderr,"Can not open/create out pcap %s\n", + optarg); + exit(1); + } + break; + case 'p': + SSL_password=strdup(optarg); + break; + case 'P': + ++no_promiscuous; + break; + case 'n': + NET_print_flags |= NET_PRINT_NO_RESOLVE; + break; + case 't': + conn_ttl=atoi(optarg); + break; + case 'F': + conn_freq=atoi(optarg); + break; + case 'm': + for(m=modules;m->name!=0;m++){ + if(!strcmp(m->name,optarg)){ + mod=m->mod; + break; + } + } + if(!m->name){ + fprintf(stderr,"Request analysis module %s not found\n", + optarg); + exit(1); + } + break; + case 'h': + usage(); + printf("Do 'man ssldump' for documentation\n"); + exit(1); + + case '?': + usage(); + exit(1); + + /* must be an SSL flag. This is kind of a gross + special case */ + default: + parse_ssl_flag(c); + break; + } + } + + argv+=optind; + argc-=optind; + + if(!file){ + if(!interface_name){ + if(pcap_findalldevs(&interfaces,errbuf)==-1) { + fprintf(stderr,"PCAP: %s\n",errbuf); + err_exit("Aborting",-1); + } + interface_name=interfaces->name; + if(!interface_name){ + fprintf(stderr,"PCAP: %s\n",errbuf); + err_exit("Aborting",-1); + } + } + if(!(p=pcap_open_live(interface_name,65535,!no_promiscuous,1000,errbuf))){ + fprintf(stderr,"PCAP: %s\n",errbuf); + err_exit("Aborting",-1); + } + + if (pcap_lookupnet(interface_name, &localnet, &netmask, errbuf) < 0) + fprintf(stderr,"PCAP: %s\n", errbuf); + } + else{ + if(!(p=pcap_open_offline(file,errbuf))){ + fprintf(stderr,"PCAP: %s\n",errbuf); + err_exit("Aborting",-1); + } + + netmask=0; + localnet=0; + } + + if(argc!=0) + filter=collapse_args(argc,argv); + + if(filter){ + struct bpf_program fp; + + /* (F5 patch) + * reformat filter to include traffic with or without the 802.1q + * vlan header. for example, "port 80" becomes: + * "( port 80 ) or ( vlan and port 80 )". + * note that if the filter includes the literals vlan, tagged, or + * untagged, then it is assumed that the user knows what she is + * doing, and the filter is not reformatted. + */ + if ((pcap_datalink(p) == DLT_EN10MB) && + (filter != NULL) && + (strstr(filter,"vlan") == NULL)) { + char *tmp_filter; + char *fmt = "( (not ether proto 0x8100) and (%s) ) or ( vlan and (%s) )"; + + tmp_filter = (char *)malloc((strlen(filter) * 2) + strlen(fmt) + 1); + if (tmp_filter == NULL) { + fprintf(stderr,"PCAP: malloc failed\n"); + err_exit("Aborting",-1); + } + + sprintf(tmp_filter,fmt,filter,filter); + free(filter); + filter = tmp_filter; + } + + if(pcap_compile(p,&fp,filter,0,netmask)<0) + verr_exit("PCAP: %s\n",pcap_geterr(p)); + + if(pcap_setfilter(p,&fp)<0) + verr_exit("PCAP: %s\n",pcap_geterr(p)); + } + + pcap_if_type=pcap_datalink(p); + + if(!(NET_print_flags & NET_PRINT_JSON)) + if(NET_print_flags & NET_PRINT_TYPESET) + printf("\n.nf\n.ps -2\n"); + + if((r=network_handler_create(mod,&n))) + err_exit("Couldn't create network handler",r); + + pcap_loop(p,-1,pcap_cb,(u_char *)n); + + if(!(NET_print_flags & NET_PRINT_JSON)) + if(NET_print_flags & NET_PRINT_TYPESET) + printf("\n.ps\n.fi\n"); + + freed_conn = destroy_all_conn(); + if(freed_conn && !(NET_print_flags & NET_PRINT_JSON)) + printf("Cleaned %d remaining connection(s) from connection pool\n", freed_conn); + + network_handler_destroy(mod, &n); + pcap_close(p); + + free(n); + + if(filter) + free(filter); + if(file) + free(file); + if(interface_name) + free(interface_name); + if(SSL_keyfile) + free(SSL_keyfile); + if(SSL_keylogfile) + free(SSL_keylogfile); + if(SSL_password) + free(SSL_password); + if (logger) + { + logger->vtbl->deinit(); + } + + exit(0); + } + + +char *collapse_args(argc,argv) + int argc; + char **argv; + { + int i,len=0; + char *ret; + + if(!argc) + return(0); + + for(i=0;i Date: Wed, 9 Aug 2023 16:12:15 +0200 Subject: [PATCH 02/12] Remove autotools files --- Makefile.am | 37 --------- autogen.sh | 5 -- base/Makefile.am | 0 common/Makefile.am | 1 - common/lib/Makefile.am | 0 configure.ac | 182 ----------------------------------------- null/Makefile.am | 0 pcap/Makefile.am | 0 ssl/Makefile.am | 0 9 files changed, 225 deletions(-) delete mode 100644 Makefile.am delete mode 100755 autogen.sh delete mode 100644 base/Makefile.am delete mode 100644 common/Makefile.am delete mode 100644 common/lib/Makefile.am delete mode 100644 configure.ac delete mode 100644 null/Makefile.am delete mode 100644 pcap/Makefile.am delete mode 100644 ssl/Makefile.am diff --git a/Makefile.am b/Makefile.am deleted file mode 100644 index 77d0190..0000000 --- a/Makefile.am +++ /dev/null @@ -1,37 +0,0 @@ -sbin_PROGRAMS = ssldump -man_MANS = ssldump.1 - -ssldump_SOURCES = \ - base/pcap-snoop.c\ - base/network.c\ - base/proto_mod.c\ - base/tcppack.c\ - base/tcpconn.c\ - null/null_analyze.c\ - common/lib/r_data.c\ - common/lib/r_assoc.c\ - common/lib/r_errors.c\ - common/lib/debug.c\ - ssl/ssl_analyze.c\ - ssl/ssldecode.c\ - ssl/sslprint.c\ - ssl/ssl.enums.c\ - ssl/sslxprint.c\ - ssl/ciphersuites.c\ - ssl/ssl_rec.c\ - pcap/logpkt.c\ - pcap/pcap_logger.c\ - pcap/sys.c - - -ssldump_CPPFLAGS = \ - -I$(top_srcdir)\ - -I$(top_srcdir)/common/include\ - -I$(top_srcdir)/common/lib\ - -I$(top_srcdir)/null\ - -I$(top_srcdir)/ssl\ - -I$(top_srcdir)/base\ - -I$(top_srcdir)/pcap\ - -D_DEFAULT_SOURCE=1\ - -DLINUX\ - -DOPENSSL diff --git a/autogen.sh b/autogen.sh deleted file mode 100755 index 4bc5834..0000000 --- a/autogen.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/sh - -autoreconf -v -i - - diff --git a/base/Makefile.am b/base/Makefile.am deleted file mode 100644 index e69de29..0000000 diff --git a/common/Makefile.am b/common/Makefile.am deleted file mode 100644 index 0262e4d..0000000 --- a/common/Makefile.am +++ /dev/null @@ -1 +0,0 @@ -SUBDIRS = lib diff --git a/common/lib/Makefile.am b/common/lib/Makefile.am deleted file mode 100644 index e69de29..0000000 diff --git a/configure.ac b/configure.ac deleted file mode 100644 index 5eafab7..0000000 --- a/configure.ac +++ /dev/null @@ -1,182 +0,0 @@ -# -*- Autoconf -*- -# Process this file with autoconf to produce a configure script. - -AC_PREREQ([2.69]) -AC_INIT([ssldump], [1.4]) -AM_INIT_AUTOMAKE([subdir-objects]) -AC_CONFIG_SRCDIR([base/pcap-snoop.c]) -AC_CONFIG_HEADERS([config.h]) - -AC_CANONICAL_HOST - -# Checks for programs. -: ${CFLAGS=""} -AC_PROG_CC([gcc clang]) -AM_PROG_CC_C_O -AC_PROG_MAKE_SET -AC_PROG_INSTALL - -# Checks for header files. -AC_CHECK_HEADERS([arpa/inet.h memory.h netdb.h netinet/in.h stdlib.h string.h sys/param.h sys/socket.h sys/time.h unistd.h],,[AC_MSG_ERROR([Missing header.])]) -AC_HEADER_STDC -AC_HEADER_TIME - -# Checks for typedefs, structures, and compiler characteristics. -AC_CHECK_SIZEOF([unsigned short]) -AC_CHECK_SIZEOF([unsigned int]) -AC_CHECK_SIZEOF([unsigned long]) -AC_CHECK_SIZEOF([unsigned long long]) - -# Checks for library functions. -AC_CHECK_FUNCS([malloc realloc gethostbyaddr gettimeofday inet_ntoa isascii memmove memset strchr strdup strstr strtol]) - -have_pcap=no -AC_SEARCH_LIBS([pcap_create], [pcap], [have_pcap=yes]) - -if test "x${have_pcap}" = xyes; then - AC_CHECK_HEADERS([pcap.h pcap-bpf.h], [], [have_pcap=no]) -fi - -if test "x${have_pcap}" = xno; then - AC_MSG_ERROR([ ---------------------------------------- -Unable to find libpcap on this system -Check 'config.log' for more information - -On Debian and Ubuntu systems you can -install the required library and header -files with - apt install libpcap-dev ---------------------------------------- - ]) -fi - -have_ssl=no -AC_SEARCH_LIBS([OPENSSL_init_ssl], [ssl], [have_ssl=yes]) -AC_SEARCH_LIBS(CRYPTO_new_ex_data, [crypto], [have_crypto=yes]) - -if test "x${have_ssl}" = xyes; then - AC_CHECK_HEADERS([openssl/ssl.h], [], [have_ssl=no]) -fi - -if test "x${have_ssl}" = xno; then - AC_MSG_ERROR([ ---------------------------------------- -Unable to find libssl on this system -Check 'config.log' for more information - -On Debian and Ubuntu systems you can -install the required library and header -files with - apt install libssl-dev ---------------------------------------- - ]) -fi - -have_libnet=no -AC_SEARCH_LIBS([libnet_init], [net], [have_libnet=yes]) - -if test "x${have_libnet}" = xyes; then - AC_CHECK_HEADERS([libnet.h], [], [have_libnet=no]) -fi - -if test "x${have_libnet}" = xno; then - AC_MSG_ERROR([ ---------------------------------------- -Unable to find libnet on this system -Check 'config.log' for more information - -On Debian and Ubuntu systems you can -install the required library and header -files with - apt install libnet1-dev ---------------------------------------- - ]) -fi - -have_libjson_c=no -AC_SEARCH_LIBS([json_object_new_object], [json-c], [have_libjson_c=yes]) - -if test "x${have_libjson_c}" = xyes; then - AC_CHECK_HEADERS([json-c/json.h], [], [have_libjson_c=no]) -fi - -if test "x${have_libjson_c}" = xno; then - AC_MSG_ERROR([ ---------------------------------------- -Unable to find libjson-c on this system -Check 'config.log' for more information - -On Debian and Ubuntu systems you can -install the required library and header -files with - apt install libjson-c-dev ---------------------------------------- - ]) -fi - -AC_ARG_ENABLE([optimization], - [ --disable-optimization disable compiler optimizations], - [optimization=${enableval}], [optimization=yes]) - -if test "x${optimization}" = xno; then - CFLAGS="$CFLAGS -O0" -else - CFLAGS="$CFLAGS -O2" -fi - -AC_ARG_ENABLE([debug], - [ --enable-debug enable debug info], - [debug=${enableval}], [debug=no]) - -if test "x${debug}" = xyes; then - CFLAGS="$CFLAGS -g -DDEBUG" -fi - -AC_ARG_ENABLE([asan], - [ --enable-asan enable AddressSanitizer and other checks], - [asan=${enableval}], [asan=no]) - -if test "x${asan}" = xyes; then - AS_CASE([$CC], - [*gcc*], [AC_CHECK_LIB(asan, _init)], - [*clang*], [have_clang=yes], - [have_clang=no]) - - if (test "x${ac_cv_lib_asan__init}" = xyes || test "x$have_clang" = xyes); then - CFLAGS="$CFLAGS \ --fsanitize=address,undefined,leak \ --Wformat \ --Werror=format-security \ --Werror=array-bounds" - else - AC_MSG_WARN("AddressSanitizer not supported") - asan=no - fi -fi - -AC_CONFIG_FILES([Makefile - common/Makefile - common/lib/Makefile - null/Makefile - ssl/Makefile - pcap/Makefile - base/Makefile]) - -AC_OUTPUT - -echo -echo "################################################" -echo "SSLDump build setup" -echo " Host system: $host_os" -echo " Host architecture: $host_cpu" -echo " Compiler: $CC" -echo " Installation prefix: $prefix" -echo " CFLAGS: $CFLAGS" -echo " LDFLAGS: $LDFLAGS" -echo " LIBS: $LIBS" -echo " Optimizations enabled: $optimization" -echo " Debug info enabled: $debug" -echo " ASAN enabled: $asan" -echo "################################################" - diff --git a/null/Makefile.am b/null/Makefile.am deleted file mode 100644 index e69de29..0000000 diff --git a/pcap/Makefile.am b/pcap/Makefile.am deleted file mode 100644 index e69de29..0000000 diff --git a/ssl/Makefile.am b/ssl/Makefile.am deleted file mode 100644 index e69de29..0000000 From a4bfc7fb366adc88931f662c20208dff8bc2899d Mon Sep 17 00:00:00 2001 From: William Robinet Date: Thu, 10 Aug 2023 09:36:12 +0200 Subject: [PATCH 03/12] Add FindJSONC.cmake module + fix CMakeLists.txt --- CMakeLists.txt | 12 ++++----- cmake/modules/FindJSONC.cmake | 49 +++++++++++++++++++++++++++++++++++ 2 files changed, 55 insertions(+), 6 deletions(-) create mode 100644 cmake/modules/FindJSONC.cmake diff --git a/CMakeLists.txt b/CMakeLists.txt index e3dcaa8..777b306 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -34,12 +34,12 @@ set(SOURCES pcap/sys.c ) -set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${PROJECT_SOURCE_DIR}/cmake/modules/") +set(CMAKE_MODULE_PATH "${PROJECT_SOURCE_DIR}/cmake/modules/" ${CMAKE_MODULE_PATH}) find_package(OpenSSL REQUIRED) find_package(PCAP REQUIRED) find_package(LIBNET REQUIRED) -find_package(json-c REQUIRED) +find_package(JSONC REQUIRED) add_executable(${PROJECT_NAME} ${SOURCES}) @@ -63,14 +63,14 @@ target_include_directories(ssldump ${OPENSSL_INCLUDE_DIR} ${PCAP_INCLUDE_DIR} ${LIBNET_INCLUDE_DIR} - ${json-c_INCLUDE_DIR} + ${JSONC_INCLUDE_DIRS} ) target_link_libraries(ssldump PRIVATE ${OPENSSL_LIBRARIES} - pcap - net - json-c + ${PCAP_LIBRARY} + ${LIBNET_LIBRARY} + ${JSONC_LIBRARIES} ) diff --git a/cmake/modules/FindJSONC.cmake b/cmake/modules/FindJSONC.cmake new file mode 100644 index 0000000..69b792f --- /dev/null +++ b/cmake/modules/FindJSONC.cmake @@ -0,0 +1,49 @@ +# From https://github.com/fastogt/cmake/blob/master/FindJSON-C.cmake +# Copyright (c) 2018, FastoGT +# License: BSD 3-Clause +# Modified by: Micah Snyder + +# JSONC_FOUND - true if library and headers were found +# JSONC_INCLUDE_DIRS - include directories +# JSONC_LIBRARIES - library directories + +if(JSONC_USE_STATIC) + add_library(jsonc STATIC IMPORTED GLOBAL) +else() + add_library(jsonc SHARED IMPORTED GLOBAL) +endif(JSONC_USE_STATIC) + +find_package(PkgConfig QUIET) +PKG_CHECK_MODULES(PC_JSONC QUIET json-c) + +find_path(JSONC_INCLUDE_DIR json.h + HINTS ${PC_JSONC_INCLUDEDIR} ${PC_JSONC_INCLUDE_DIRS} PATH_SUFFIXES json-c json) + +if(JSONC_USE_STATIC) + find_library(JSONC_LIBRARY NAMES libjson-c.a libjson-c-static.a + HINTS ${PC_JSONC_LIBDIR} ${PC_JSONC_LIBRARY_DIRS}) +else() + find_library(JSONC_LIBRARY NAMES json-c libjson-c + HINTS ${PC_JSONC_LIBDIR} ${PC_JSONC_LIBRARY_DIRS}) +endif(JSONC_USE_STATIC) + +set(JSONC_LIBRARIES ${JSONC_LIBRARY}) +set(JSONC_INCLUDE_DIRS ${JSONC_INCLUDE_DIR}) + +include(FindPackageHandleStandardArgs) +find_package_handle_standard_args(JSONC DEFAULT_MSG JSONC_LIBRARIES JSONC_INCLUDE_DIRS) + +if(JSONC_FOUND AND NOT TARGET JSONC::jsonc) + add_library(JSONC::jsonc UNKNOWN IMPORTED) + set_target_properties(JSONC::jsonc PROPERTIES + IMPORTED_LOCATION "${JSONC_LIBRARY}" + INTERFACE_COMPILE_OPTIONS "${PC_JSONC_CFLAGS_OTHER}" + INTERFACE_INCLUDE_DIRECTORIES "${JSONC_INCLUDE_DIRS}" + ) +endif() + +mark_as_advanced( + JSONC_INCLUDE_DIR + JSONC_LIBRARY +) + From ced211ef0a93ff8944a608b5c09e4d1f0cdd00da Mon Sep 17 00:00:00 2001 From: William Robinet Date: Thu, 10 Aug 2023 09:43:20 +0200 Subject: [PATCH 04/12] Lower cmake version requirement (Ubuntu Focal) --- CMakeLists.txt | 2 +- base/pcap-snoop.c.in | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 777b306..430ea18 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1,4 +1,4 @@ -cmake_minimum_required(VERSION 3.18.4) +cmake_minimum_required(VERSION 3.16.3) include(CheckSymbolExists) set(CMAKE_VERBOSE_MAKEFILE ON) diff --git a/base/pcap-snoop.c.in b/base/pcap-snoop.c.in index 1c6ec7a..e7ddd8e 100644 --- a/base/pcap-snoop.c.in +++ b/base/pcap-snoop.c.in @@ -118,7 +118,7 @@ int usage() int print_version() { - printf("@ssldump_VERSION@\n"); + printf("Version: @ssldump_VERSION@\n"); printf("Maintained by a bunch of volunteers, see https://github.com/adulau/ssldump/blob/master/CREDITS\n"); printf("Copyright (C) 2015-2023 the aforementioned volunteers\n"); printf("Copyright (C) 1998-2001 RTFM, Inc.\n"); From 3a6892ef5ce9db552a6738f72ba34ea6a700b4ff Mon Sep 17 00:00:00 2001 From: William Robinet Date: Thu, 10 Aug 2023 10:41:45 +0200 Subject: [PATCH 05/12] Print meaningful error messages --- CMakeLists.txt | 45 +++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 41 insertions(+), 4 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 430ea18..73b2e05 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -36,10 +36,47 @@ set(SOURCES set(CMAKE_MODULE_PATH "${PROJECT_SOURCE_DIR}/cmake/modules/" ${CMAKE_MODULE_PATH}) -find_package(OpenSSL REQUIRED) -find_package(PCAP REQUIRED) -find_package(LIBNET REQUIRED) -find_package(JSONC REQUIRED) +find_package(OpenSSL) +if(NOT OPENSSL_FOUND) + message( FATAL_ERROR +"Unable to find OpenSSL development files on this system +On Debian and Ubuntu systems you can install the required library and header files with + apt install libssl-dev +On Fedora systems, with + dnf install openssl-devel" ) +endif() + +#dnf install openssl-devel libpcap-devel libnet-devel json-c-devel + +find_package(PCAP) +if(NOT PCAP_FOUND) + message( FATAL_ERROR +"Unable to find libpcap development files on this system +On Debian and Ubuntu systems you can install the required library and header files with + apt install libpcap-dev +On Fedora systems, with + dnf install libpcap-devel" ) +endif() + +find_package(LIBNET) +if(NOT LIBNET_FOUND) + message( FATAL_ERROR +"Unable to find libnet development files on this system +On Debian and Ubuntu systems you can install the required library and header files with + apt install libnet1-dev +On Fedora systems, with + dnf install libnet-devel" ) +endif() + +find_package(JSONC) +if(NOT JSONC_FOUND) + message( FATAL_ERROR +"Unable to find libjson-c development files on this system +On Debian and Ubuntu systems you can install the required library and header files with + apt install libjson-c-dev +On Fedora systems, with + dnf install json-c-devel" ) +endif() add_executable(${PROJECT_NAME} ${SOURCES}) From d94cbfa0881c20802bddf768086eb33f8c3d5b05 Mon Sep 17 00:00:00 2001 From: William Robinet Date: Thu, 10 Aug 2023 11:07:37 +0200 Subject: [PATCH 06/12] Update gh workflows --- .github/workflows/build.yml | 17 ++++++----------- .github/workflows/codeql-analysis.yml | 7 +++---- 2 files changed, 9 insertions(+), 15 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 16e9331..89c1b27 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -25,27 +25,22 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v3 - - name: Install macOS autogen prerequisites - run: brew install autoconf automake - if: ${{ runner.os == 'macOS' }} - - name: ./autogen.sh - run: ./autogen.sh - name: Compiler version run: $CC -v env: CC: ${{ matrix.compiler }} - name: Install Linux dependencies - run: sudo apt install autoconf libssl-dev libpcap-dev libnet1-dev libjson-c-dev + run: sudo apt install cmake ninja-build libssl-dev libpcap-dev libnet1-dev libjson-c-dev if: ${{ runner.os == 'Linux' }} - name: Install macOS dependencies run: | - brew install openssl@3 libpcap libnet json-c + brew install cmake ninja openssl@3 libpcap libnet json-c echo "LDFLAGS=-L$(brew --prefix openssl@3)/lib" >> $GITHUB_ENV echo "CPPFLAGS=-I$(brew --prefix openssl@3)/include" >> $GITHUB_ENV if: ${{ runner.os == 'macOS' }} - - name: ./configure - run: ./configure + - name: cmake -B ${{github.workspace}}/build -G Ninja + run: cmake -B ${{github.workspace}}/build -G Ninja env: CC: ${{ matrix.compiler }} - - name: make - run: make + - name: ninja -C ${{github.workspace}}/build + run: ninja -C ${{github.workspace}}/build diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 2cd3a79..3aec2a5 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -31,10 +31,9 @@ jobs: languages: ${{ matrix.language }} - name: Build Application using script run: | - ./autogen.sh - sudo apt install autoconf libssl-dev libpcap-dev libnet1-dev libjson-c-dev - ./configure - make + sudo apt install cmake ninja-build libssl-dev libpcap-dev libnet1-dev libjson-c-dev + cmake -B ${{github.workspace}}/build -G Ninja + ninja -C ${{github.workspace}}/build - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 with: From 6937dbc3fa3ba300e8f06818dac9fb4a520a2186 Mon Sep 17 00:00:00 2001 From: William Robinet Date: Thu, 10 Aug 2023 11:40:34 +0200 Subject: [PATCH 07/12] Update README & fix version --- CMakeLists.txt | 2 +- README.md | 41 ++++++++++------------------------------- 2 files changed, 11 insertions(+), 32 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 73b2e05..3d0c8d8 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -5,7 +5,7 @@ set(CMAKE_VERBOSE_MAKEFILE ON) project( ssldump - VERSION 1.9 + VERSION 1.8 LANGUAGES C ) diff --git a/README.md b/README.md index 66535c0..5a7d52d 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,7 @@ includes a JSON output option, supports [JA3](https://github.com/salesforce/ja3) # How to do I run ssldump? -`./ssldump -j -ANH -n -i any | jq` will run ssldump on all interfaces and output the result in JSON format including ja3 hashes. +`./ssldump -j -ANH -n -i any | jq` will run ssldump on all interfaces and output the result in JSON format including ja3 hashes. For more details, check the man page. @@ -29,7 +29,7 @@ For more details, check the man page. This example will query ja3er.com service to display the known ja3 hashes from the TLS handshaked in the pcap. -`ssldump -r yourcapture.pcap -j | jq -r 'select(.ja3_fp != null) | .ja3_fp' | parallel 'curl -s -X GET 'https://ja3er.com/search/{}' | jq .'` +`ssldump -r yourcapture.pcap -j | jq -r 'select(.ja3_fp != null) | .ja3_fp' | parallel 'curl -s -X GET 'https://ja3er.com/search/{}' | jq .'` # Why do you maintain this repository? @@ -55,39 +55,18 @@ other too (but this is just a collateral damage). On Debian & Ubuntu: ``` -apt install build-essential autoconf libssl-dev libpcap-dev libnet1-dev libjson-c-dev -./autogen.sh -./configure --prefix=/usr/local -make -(optional) make install +apt install build-essential cmake ninja-build libssl-dev libpcap-dev libnet1-dev libjson-c-dev +cmake -G Ninja -B build +ninja -C build +./build/ssldump -v ``` On Fedora, CentOS, RHEL & Rocky: ``` -dnf install autoconf automake gcc make openssl-devel libpcap-devel libnet-devel json-c-devel -./autogen.sh -./configure --prefix=/usr/local -make -(optional) make install -``` - -Optional configuration features (aka ./configure options): -``` - --disable-optimization disable compiler optimizations (change from -O2 to -O0) - --enable-debug enable debug info (add "-g -DDEBUG" to CFLAGS) - --enable-asan enable AddressSanitizer and other checks - add "-fsanitize=address,undefined,leak -Wformat -Werror=format-security - -Werror=array-bounds" to CFLAGS - use libasan with GCC and embedded ASAN with Clang -``` - -Configuration examples: -``` -- Use GCC with libasan, debug info and custom CFLAGS: - ./configure CC=/usr/bin/gcc --enable-asan --enable-debug CFLAGS="-Wall" - -- Use Clang with ASAN and no optimizations (-O0) - ./configure CC=/usr/bin/clang --enable-asan --disable-optimization +dnf install cmake ninja-build gcc openssl-devel libpcap-devel libnet-devel json-c-devel +cmake -G Ninja -B build +ninja -C build +./build/ssldump -v ``` # Notes From 7af04ca7ea2e298c140ac2b8bad4a61b0bb52138 Mon Sep 17 00:00:00 2001 From: William Robinet Date: Thu, 10 Aug 2023 12:07:09 +0200 Subject: [PATCH 08/12] Set binary install target, update doc --- CMakeLists.txt | 3 +++ README.md | 13 +++++++------ ssldump.1 | 2 +- ssldump.md | 4 +++- 4 files changed, 14 insertions(+), 8 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 3d0c8d8..05cc39b 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -111,3 +111,6 @@ target_link_libraries(ssldump ${JSONC_LIBRARIES} ) +set(CMAKE_INSTALL_PREFIX "/usr/local") +install(TARGETS ssldump DESTINATION ${CMAKE_INSTALL_PREFIX}/bin) + diff --git a/README.md b/README.md index 5a7d52d..e01df02 100644 --- a/README.md +++ b/README.md @@ -53,22 +53,23 @@ other too (but this is just a collateral damage). # Build instructions -On Debian & Ubuntu: +Install dependencies on Debian & Ubuntu (as root): ``` apt install build-essential cmake ninja-build libssl-dev libpcap-dev libnet1-dev libjson-c-dev -cmake -G Ninja -B build -ninja -C build -./build/ssldump -v ``` -On Fedora, CentOS, RHEL & Rocky: +On Fedora, CentOS, RHEL & Rocky (as root): ``` dnf install cmake ninja-build gcc openssl-devel libpcap-devel libnet-devel json-c-devel +``` + +Compile & install: +``` cmake -G Ninja -B build ninja -C build ./build/ssldump -v +(optional, as root) ninja -C build install ``` - # Notes The "save to pcap" (-w) option by @ryabkov, is heavily based on the work of diff --git a/ssldump.1 b/ssldump.1 index 027aca7..474c309 100644 --- a/ssldump.1 +++ b/ssldump.1 @@ -61,7 +61,7 @@ ssldump \- dump SSL traffic on a network .na .B ssldump [ -.B \-aAdeFHjnNPqtTvxXy +.B \-aAdeFHjnNPqtTvxXyz ] [ .B \-i .I interface diff --git a/ssldump.md b/ssldump.md index bab1e49..aa61f2d 100644 --- a/ssldump.md +++ b/ssldump.md @@ -3,7 +3,7 @@ 9th April 2023 - version 1.7 ``` -.na ssldump [ -aAdeFHjnNPqtTvxXy ] [ -i interface ] +.na ssldump [ -aAdeFHjnNPqtTvxXyz ] [ -i interface ] .ti +8 [ -k keyfile ] [ -l sslkeylogfile ] [ -p password ] [ -r dumpfile ] [ -w outputpcap ] .ti +8 [ -S [ crypto | d | ht | H | nroff ] ] [ expression ] @@ -138,6 +138,8 @@ _/dev/bpf*_. * **-y** Decorate the output for processing with nroff/troff. Not very useful for the average user. +* **-z** + Add timestamp in front of TCP packet description (-T) * _expression_ Selects what packets _ssldump_ will examine. Technically speaking, _ssldump_ supports the full expression syntax from PCAP and tcpdump. From a01f07f999e1671d6e88e56cdcf21bd5251be67f Mon Sep 17 00:00:00 2001 From: William Robinet Date: Thu, 10 Aug 2023 12:45:02 +0200 Subject: [PATCH 09/12] Add install target for man page --- CMakeLists.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CMakeLists.txt b/CMakeLists.txt index 05cc39b..fd79bdd 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -114,3 +114,5 @@ target_link_libraries(ssldump set(CMAKE_INSTALL_PREFIX "/usr/local") install(TARGETS ssldump DESTINATION ${CMAKE_INSTALL_PREFIX}/bin) +set(CMAKE_INSTALL_MANDIR "/usr/local/share/man") +install(FILES ssldump.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1) From ca5dc95043ff902f0b65d9c848b885ab016ffa14 Mon Sep 17 00:00:00 2001 From: William Robinet Date: Thu, 10 Aug 2023 16:29:45 +0200 Subject: [PATCH 10/12] Make it work on OpenBSD and FreeBSD --- CMakeLists.txt | 4 +--- README.md | 17 +++++++++++++++-- base/pcap-snoop.c | 1 - base/pcap-snoop.c.in | 2 ++ pcap/pcap_logger.c | 2 ++ ssl/ssl.enums.c | 2 +- ssl/ssl_analyze.c | 2 +- ssl/sslprint.c | 2 +- ssl/sslxprint.c | 2 +- 9 files changed, 24 insertions(+), 10 deletions(-) delete mode 120000 base/pcap-snoop.c diff --git a/CMakeLists.txt b/CMakeLists.txt index fd79bdd..8e9964f 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1,8 +1,6 @@ cmake_minimum_required(VERSION 3.16.3) include(CheckSymbolExists) -set(CMAKE_VERBOSE_MAKEFILE ON) - project( ssldump VERSION 1.8 @@ -100,7 +98,7 @@ target_include_directories(ssldump ${OPENSSL_INCLUDE_DIR} ${PCAP_INCLUDE_DIR} ${LIBNET_INCLUDE_DIR} - ${JSONC_INCLUDE_DIRS} + ${JSONC_INCLUDE_DIR} ) target_link_libraries(ssldump diff --git a/README.md b/README.md index e01df02..43f299c 100644 --- a/README.md +++ b/README.md @@ -55,21 +55,34 @@ other too (but this is just a collateral damage). Install dependencies on Debian & Ubuntu (as root): ``` -apt install build-essential cmake ninja-build libssl-dev libpcap-dev libnet1-dev libjson-c-dev +apt install build-essential git cmake ninja-build libssl-dev libpcap-dev libnet1-dev libjson-c-dev ``` On Fedora, CentOS, RHEL & Rocky (as root): ``` -dnf install cmake ninja-build gcc openssl-devel libpcap-devel libnet-devel json-c-devel +dnf install git cmake ninja-build gcc openssl-devel libpcap-devel libnet-devel json-c-devel +``` + +On OpenBSD (as root): +``` +pkg_add git cmake ninja json-c libnet +``` + +On FreeBSD (as root): +``` +pkg install git cmake ninja json-c libnet ``` Compile & install: ``` +git clone https://github.com/adulau/ssldump.git +cd ssldump cmake -G Ninja -B build ninja -C build ./build/ssldump -v (optional, as root) ninja -C build install ``` + # Notes The "save to pcap" (-w) option by @ryabkov, is heavily based on the work of diff --git a/base/pcap-snoop.c b/base/pcap-snoop.c deleted file mode 120000 index a087352..0000000 --- a/base/pcap-snoop.c +++ /dev/null @@ -1 +0,0 @@ -../build/base/pcap-snoop.c \ No newline at end of file diff --git a/base/pcap-snoop.c.in b/base/pcap-snoop.c.in index e7ddd8e..b28435b 100644 --- a/base/pcap-snoop.c.in +++ b/base/pcap-snoop.c.in @@ -51,7 +51,9 @@ #include #include +#ifndef __OpenBSD__ #include +#endif #ifndef _WIN32 #include #endif diff --git a/pcap/pcap_logger.c b/pcap/pcap_logger.c index 4f76eed..a2ada57 100644 --- a/pcap/pcap_logger.c +++ b/pcap/pcap_logger.c @@ -1,7 +1,9 @@ #include #include +#ifndef __OpenBSD__ #include +#endif #include #include #include diff --git a/ssl/ssl.enums.c b/ssl/ssl.enums.c index 2ecbd63..0f4eb4f 100644 --- a/ssl/ssl.enums.c +++ b/ssl/ssl.enums.c @@ -1,4 +1,4 @@ -#include +#include #include #include "network.h" #include "ssl_h.h" diff --git a/ssl/ssl_analyze.c b/ssl/ssl_analyze.c index 188f2b7..de2d7f0 100644 --- a/ssl/ssl_analyze.c +++ b/ssl/ssl_analyze.c @@ -44,7 +44,7 @@ */ -#include +#include #include #include #include "network.h" diff --git a/ssl/sslprint.c b/ssl/sslprint.c index 355db29..7e62bbb 100644 --- a/ssl/sslprint.c +++ b/ssl/sslprint.c @@ -44,7 +44,7 @@ */ -#include +#include #include #include #include "network.h" diff --git a/ssl/sslxprint.c b/ssl/sslxprint.c index 4127eb4..3e0f02a 100644 --- a/ssl/sslxprint.c +++ b/ssl/sslxprint.c @@ -44,7 +44,7 @@ */ -#include +#include #include "network.h" #include "ssl_h.h" #include "sslprint.h" From 8ae59381636477cc7222c4efc06d13005ba14ac1 Mon Sep 17 00:00:00 2001 From: William Robinet Date: Thu, 10 Aug 2023 17:03:54 +0200 Subject: [PATCH 11/12] Add comment for MacOS --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 43f299c..a9aaf5a 100644 --- a/README.md +++ b/README.md @@ -73,6 +73,11 @@ On FreeBSD (as root): pkg install git cmake ninja json-c libnet ``` +On MacOS (as root): +``` +brew install cmake ninja openssl@3 libpcap libnet json-c +``` + Compile & install: ``` git clone https://github.com/adulau/ssldump.git From ae16d572de5b8e052a097665ddfc79ecbfcffc12 Mon Sep 17 00:00:00 2001 From: William Robinet Date: Fri, 11 Aug 2023 11:25:29 +0200 Subject: [PATCH 12/12] Add date to version output --- CMakeLists.txt | 1 + base/pcap-snoop.c.in | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 8e9964f..de5f87d 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -4,6 +4,7 @@ include(CheckSymbolExists) project( ssldump VERSION 1.8 + DESCRIPTION 20230811 LANGUAGES C ) diff --git a/base/pcap-snoop.c.in b/base/pcap-snoop.c.in index b28435b..c25e9b0 100644 --- a/base/pcap-snoop.c.in +++ b/base/pcap-snoop.c.in @@ -120,7 +120,7 @@ int usage() int print_version() { - printf("Version: @ssldump_VERSION@\n"); + printf("Version: @ssldump_VERSION@ (@ssldump_DESCRIPTION@)\n"); printf("Maintained by a bunch of volunteers, see https://github.com/adulau/ssldump/blob/master/CREDITS\n"); printf("Copyright (C) 2015-2023 the aforementioned volunteers\n"); printf("Copyright (C) 1998-2001 RTFM, Inc.\n");