Add logic to filter TLS_AES_128_CCM_8_SHA256

This commit is contained in:
yuhan6665 2022-11-13 12:18:23 -05:00
parent 04278a8940
commit 8006430c15

View File

@ -406,10 +406,18 @@ func XtlsFilterTls(buffer buf.MultiBuffer, numberOfPacketToFilter *int, enableXt
startsBytes := b.BytesTo(6) startsBytes := b.BytesTo(6)
if bytes.Equal(tlsServerHandShakeStart, startsBytes[:3]) && startsBytes[5] == 0x02 { if bytes.Equal(tlsServerHandShakeStart, startsBytes[:3]) && startsBytes[5] == 0x02 {
total := (int(startsBytes[3])<<8 | int(startsBytes[4])) + 5 total := (int(startsBytes[3])<<8 | int(startsBytes[4])) + 5
if b.Len() >= int32(total) { if b.Len() >= int32(total) && total >= 74 {
if bytes.Contains(b.BytesTo(int32(total)), tls13SupportedVersions) { if bytes.Contains(b.BytesTo(int32(total)), tls13SupportedVersions) {
*enableXtls = true sessionIdLen := int32(b.Byte(43))
newError("XtlsFilterTls13 found tls 1.3! ", buffer.Len()).WriteToLog(session.ExportIDToError(ctx)) cipherSuite := b.BytesRange(43 + sessionIdLen + 1, 43 + sessionIdLen + 3)
cipherNum := uint16(cipherSuite[0]) << 8 | uint16(cipherSuite[1])
v, ok := Tls13CipherSuiteDic[cipherNum]
if !ok {
v = "Unknown cipher!"
} else if (v != "TLS_AES_128_CCM_8_SHA256") {
*enableXtls = true
}
newError("XtlsFilterTls13 found tls 1.3! ", buffer.Len(), " ", v).WriteToLog(session.ExportIDToError(ctx))
} else { } else {
newError("XtlsFilterTls13 found tls 1.2! ", buffer.Len()).WriteToLog(session.ExportIDToError(ctx)) newError("XtlsFilterTls13 found tls 1.2! ", buffer.Len()).WriteToLog(session.ExportIDToError(ctx))
} }
@ -559,3 +567,11 @@ func XtlsUnpadding(ctx context.Context, buffer buf.MultiBuffer, userUUID []byte,
buf.ReleaseMulti(buffer) buf.ReleaseMulti(buffer)
return mb2 return mb2
} }
var Tls13CipherSuiteDic = map[uint16]string{
0x1301 : "TLS_AES_128_GCM_SHA256",
0x1302 : "TLS_AES_256_GCM_SHA384",
0x1303 : "TLS_CHACHA20_POLY1305_SHA256",
0x1304 : "TLS_AES_128_CCM_SHA256",
0x1305 : "TLS_AES_128_CCM_8_SHA256",
}