Refactoring

Refactored Protocol.Name -> Protocol.Type; added Encapsulation field Refactored TLS parsing; added support for ALPN
2025-10-10 12:41:44 +02:00
parent f86a7f7a67
commit 81a3829382
20 changed files with 366 additions and 141 deletions
--- a/protocol/detect_tls_test.go
+++ b/protocol/detect_tls_test.go
@@ -76,6 +76,45 @@ func TestDetectTLS(t *testing.T) {
 		0x03, 0x02, // Client Version: TLS 1.1 (Major=3, Minor=2)
 	}

+	// A valid TLS 1.1 ServerHello
+	tls11ServerHello := []byte{
+		// --- Record Layer (5 bytes) ---
+		0x16,       // Content Type: Handshake (22)
+		0x03, 0x02, // Version: TLS 1.1 (for compatibility in a 1.3 hello)
+		0x00, 0x40, // Length of the handshake message below (64 bytes)
+
+		// --- Handshake Protocol: ServerHello (64 bytes) ---
+		0x02,             // Handshake Type: ServerHello (2)
+		0x00, 0x00, 0x3c, // Length of the rest of the message (60 bytes)
+		0x03, 0x02, // Server Version: TLS 1.1 (Major=3, Minor=2)
+
+		// Random (32 bytes)
+		0xb7, 0xa8, 0xdf, 0xd5, 0x17, 0xb1, 0x50, 0xb4,
+		0x28, 0xb7, 0xf6, 0xf3, 0xb9, 0x83, 0xcf, 0x9f,
+		0x31, 0x55, 0x79, 0x1f, 0x3b, 0x07, 0x6d, 0x17,
+		0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00,
+
+		// Session ID
+		0x00, // Session ID Length: 0 (new session)
+
+		0xc0, 0x09, // Cipher Suite
+		0x00, // Compression Method
+
+		// --- Extensions (20 bytes) ---
+		0x00, 0x14, // Extensions Length: 20 bytes
+		0xff, 0x01, // Extension Type: renegotiation_info
+		0x00, 0x01, // Extension Length: 1 byte
+		0x00,       // Renegotiation Info Length: 0 bytes
+		0x00, 0x10, // Extension Type: alpn
+		0x00, 0x05, // Extension Length: 5 bytes
+		0x00, 0x03, // ALPN Extension Length: 3 bytes
+		0x02, 'h', '2',
+		0x0, 0x0b, // Extension Type: ec_points_format
+		0x0, 0x02, // Extension Length: 2 bytes
+		0x01, // EC Points Format Length: 1 byte
+		0x00, // EC Point Format: uncompressed
+	}
+
 	// A synthesized TLSv1.2 ClientHello
 	tls12ClientHello := []byte{
 		// --- Record Layer (5 bytes) ---
@@ -129,35 +168,62 @@ func TestDetectTLS(t *testing.T) {

 	// A valid TLS 1.3 Client Hello (captured from a real connection)
 	tls13ClientHello := []byte{
+		// --- Record Layer (5 bytes) ---
 		0x16,       // Content Type: Handshake (22)
 		0x03, 0x01, // Version: TLS 1.0 (for compatibility in a 1.3 hello)
 		0x01, 0x3a, // Length
-		0x01, 0x00, 0x01, 0x36, 0x03, 0x03, 0xb1,
-		0x40, 0xd3, 0xf1, 0x7d, 0xa3, 0xb8, 0x33, 0xac, 0xad, 0x21, 0x79, 0x9c,
-		0xbe, 0x39, 0x96, 0x08, 0x49, 0x3b, 0x53, 0x75, 0xa0, 0x1b, 0xee, 0x6e,
-		0x6a, 0xbe, 0x6c, 0x41, 0xdf, 0x6c, 0xf4, 0x20, 0xa4, 0xaa, 0x0c, 0xca,
-		0xd4, 0x37, 0x76, 0x5f, 0x49, 0xc6, 0x06, 0x9b, 0xac, 0x90, 0x89, 0x76,
-		0x1c, 0xc7, 0xc4, 0x12, 0xb4, 0x4a, 0xe0, 0x27, 0x72, 0x89, 0x97, 0x85,
-		0x76, 0xf8, 0xc8, 0x83, 0x00, 0x62, 0x13, 0x03, 0x13, 0x02, 0x13, 0x01,
-		0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xc0, 0x30, 0xc0, 0x2c, 0xc0, 0x28,
-		0xc0, 0x24, 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39,
-		0xff, 0x85, 0x00, 0xc4, 0x00, 0x88, 0x00, 0x81, 0x00, 0x9d, 0x00, 0x3d,
-		0x00, 0x35, 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f, 0xc0, 0x2b, 0xc0, 0x27,
-		0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33,
-		0x00, 0xbe, 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba,
-		0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, 0x00, 0x04, 0xc0, 0x12,
-		0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff, 0x01, 0x00, 0x00, 0x8b,
-		0x00, 0x2b, 0x00, 0x09, 0x08, 0x03, 0x04, 0x03, 0x03, 0x03, 0x02, 0x03,
-		0x01, 0x00, 0x33, 0x00, 0x26, 0x00, 0x24, 0x00, 0x1d, 0x00, 0x20, 0x2c,
-		0x4b, 0xaa, 0xb4, 0xb3, 0xc8, 0x93, 0xcd, 0x5c, 0x24, 0xb9, 0x9b, 0xd4,
-		0x59, 0x04, 0xfe, 0x69, 0xaf, 0x68, 0xb9, 0xa6, 0x36, 0xbb, 0xab, 0x87,
-		0xfa, 0x15, 0x59, 0xea, 0xdd, 0x38, 0x68, 0x00, 0x00, 0x00, 0x0e, 0x00,
-		0x0c, 0x00, 0x00, 0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
-		0x74, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x0a, 0x00,
-		0x08, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 0x0d, 0x00,
-		0x18, 0x00, 0x16, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03, 0x08, 0x05, 0x05,
-		0x01, 0x05, 0x03, 0x08, 0x04, 0x04, 0x01, 0x04, 0x03, 0x02, 0x01, 0x02,
-		0x03, 0x00, 0x10, 0x00, 0x0e, 0x00, 0x0c, 0x02, 0x68, 0x32, 0x08, 0x68,
+
+		// --- Handshake Protocol: ClientHello ---
+		0x01,             // Handshake Type: ClientHello (1)
+		0x00, 0x01, 0x36, // Length of the rest of the message
+		0x03, 0x03, // Client Version: TLS 1.2 (Major=3, Minor=3)
+
+		// Random (32 bytes)
+		0xb1, 0x40, 0xd3, 0xf1, 0x7d, 0xa3, 0xb8, 0x33,
+		0xac, 0xad, 0x21, 0x79, 0x9c, 0xbe, 0x39, 0x96,
+		0x08, 0x49, 0x3b, 0x53, 0x75, 0xa0, 0x1b, 0xee,
+		0x6e, 0x6a, 0xbe, 0x6c, 0x41, 0xdf, 0x6c, 0xf4,
+
+		// Session ID
+		0x20,                                           // Session ID Length: 32
+		0xa4, 0xaa, 0x0c, 0xca, 0xd4, 0x37, 0x76, 0x5f, //
+		0x49, 0xc6, 0x06, 0x9b, 0xac, 0x90, 0x89, 0x76, //
+		0x1c, 0xc7, 0xc4, 0x12, 0xb4, 0x4a, 0xe0, 0x27, //
+		0x72, 0x89, 0x97, 0x85, 0x76, 0xf8, 0xc8, 0x83, //
+		0x00, 0x62, 0x13, 0x03, 0x13, 0x02, 0x13, 0x01, //
+
+		// Cipher Suites
+		0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xc0, 0x30,
+		0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14,
+		0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39,
+		0xff, 0x85, 0x00, 0xc4, 0x00, 0x88, 0x00, 0x81,
+		0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35, 0x00, 0xc0,
+		0x00, 0x84, 0xc0, 0x2f, 0xc0, 0x2b, 0xc0, 0x27,
+		0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x9e,
+		0x00, 0x67, 0x00, 0x33, 0x00, 0xbe, 0x00, 0x45,
+		0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba,
+		0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05,
+		0x00, 0x04, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16,
+		0x00, 0x0a, 0x00, 0xff, 0x01, 0x00, 0x00, 0x8b,
+		0x00, 0x2b, 0x00, 0x09, 0x08, 0x03, 0x04, 0x03,
+		0x03, 0x03, 0x02, 0x03, 0x01, 0x00, 0x33, 0x00,
+		0x26, 0x00, 0x24, 0x00, 0x1d, 0x00, 0x20, 0x2c,
+		0x4b, 0xaa, 0xb4, 0xb3, 0xc8, 0x93, 0xcd, 0x5c,
+		0x24, 0xb9, 0x9b, 0xd4, 0x59, 0x04, 0xfe, 0x69,
+		0xaf, 0x68, 0xb9, 0xa6, 0x36, 0xbb, 0xab, 0x87,
+		0xfa, 0x15, 0x59, 0xea, 0xdd, 0x38, 0x68, 0x00,
+		0x00, 0x00, 0x0e, 0x00, 0x0c, 0x00, 0x00, 0x09,
+		0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73,
+		0x74, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
+		0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d, 0x00,
+		0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 0x0d, 0x00,
+		0x18, 0x00, 0x16, 0x08, 0x06, 0x06, 0x01, 0x06,
+		0x03, 0x08, 0x05, 0x05,
+
+		// Compression Methods, etc.
+		0x01, 0x05, 0x03, 0x08, 0x04, 0x04, 0x01, 0x04,
+		0x03, 0x02, 0x01, 0x02, 0x03, 0x00, 0x10, 0x00,
+		0x0e, 0x00, 0x0c, 0x02, 0x68, 0x32, 0x08, 0x68,
 		0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31,
 	}

@@ -172,15 +238,23 @@ func TestDetectTLS(t *testing.T) {
 			Direction:      Client,
 			Data:           sslV3ClientHello,
 			DstPort:        443,
-			WantProto:      ProtocolSSL,
+			WantType:       TypeSSL,
 			WantConfidence: .95,
 		},
 		{
-			Name:           "TLS 1.1",
+			Name:           "TLS 1.1 ClientHello",
 			Direction:      Client,
 			Data:           tls11ClientHello,
 			DstPort:        443,
-			WantProto:      ProtocolTLS,
+			WantType:       TypeTLS,
+			WantConfidence: .95,
+		},
+		{
+			Name:           "TLS 1.1 ServerHello",
+			Direction:      Server,
+			Data:           tls11ServerHello,
+			SrcPort:        443,
+			WantType:       TypeHTTP,
 			WantConfidence: .95,
 		},
 		{
@@ -188,7 +262,7 @@ func TestDetectTLS(t *testing.T) {
 			Direction:      Client,
 			Data:           tls12ClientHello,
 			DstPort:        443,
-			WantProto:      ProtocolTLS,
+			WantType:       TypeHTTP,
 			WantConfidence: .95,
 		},
 		{
@@ -196,7 +270,7 @@ func TestDetectTLS(t *testing.T) {
 			Direction:      Client,
 			Data:           tls13ClientHello,
 			DstPort:        443,
-			WantProto:      ProtocolTLS,
+			WantType:       TypeHTTP,
 			WantConfidence: .95,
 		},
 		{
@@ -225,7 +299,7 @@ func TestDetectTLS(t *testing.T) {
 						Direction:      Client,
 						Data:           tls11ClientHelloPartial,
 						DstPort:        443,
-						WantProto:      ProtocolTLS,
+						WantType:       TypeTLS,
 						WantConfidence: .50,
 					},
 				}, tests...))