Merge branch 'main' of https://github.com/Squiblydoo/ja4

FoxIO-LLC · Sep 2, 2024 · 57b9536 · 57b9536
2 parents ad3f536 + a3ff48e
commit 57b9536
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 9 deletions.
diff --git a/technical_details/JA4.md b/technical_details/JA4.md
@@ -58,16 +58,16 @@ If the SNI extension (0x0000) exists, then the destination of the connection is
 Same as counting ciphers. Ignore GREASE. Include SNI and ALPN.
 
 ### ALPN Extension Value:
-The first and last characters of the ALPN (Application-Layer Protocol Negotiation) first value.  
+The first and last alphanumeric characters of the ALPN (Application-Layer Protocol Negotiation) first value.  
 List of possible ALPN Values (scroll down): https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
 
-
-
 In the above example, the first ALPN value is h2 so the first and last characters to use in the fingerprint are “h2”. IF the first ALPN listed was http/1.1 then the first and last characters to use in the fingerprint would be “h1”.
 
 In Wireshark this field is located under tls.handshake.extensions_alpn_str
 
-If there are no ALPN values or no ALPN extension then we print “00” as the value in the fingerprint.
+If there are no ALPN values or no ALPN extension then we print “00” as the value in the fingerprint.  
+
+If the ALPN value is non-alphanumeric (`0x30-0x39`, `0x41-0x5A`, `0x61-0x7A`), we take the first high-nibble and the last low-nibble. For example, if the ALPN value were `0xAB 0xCD` the ALPN value in the JA4 string would be "ad". If the ALPN value were just `0xAB` then the JA4 value would be "ab". This is a very edge case as non-alphanumeric characters at the beginning or end of an ALPN string would violate RFC8447 section 17. The purpose of this logic is to prevent malformed JA4 fingerprints.
 
 ### Cipher hash:
 A 12 character truncated sha256 hash of the list of ciphers sorted in hex order, first 12 characters. The list is created using the 4 character hex values of the ciphers, lower case, comma delimited, ignoring GREASE.  

diff --git a/wireshark/binaries/macos/4.2.0/arm/ja4.so b/wireshark/binaries/macos/4.2.0/arm/ja4.so
diff --git a/wireshark/binaries/windows/4.2.0/ja4.dll b/wireshark/binaries/windows/4.2.0/ja4.dll
diff --git a/wireshark/source/packet-ja4.c b/wireshark/source/packet-ja4.c
@@ -936,24 +936,32 @@ dissect_ja4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, void *dummy
                 	if ((strcmp(field->hfinfo->abbrev, "x509if.oid") == 0) && (handshake_type == 11)) {
 				cert_t *current_cert = (cert_t *) wmem_array_index(certificate_list, cert_num);
 
+				//Append a comma to previous OIDs, if any
+				if (wmem_strbuf_get_len(current_cert->oids[oid_type])) {
+				    wmem_strbuf_append(current_cert->oids[oid_type], ",");
+				}
 				//BUG-FIX: Ja4x should use Hex codes instead of ascii
 				const guint8 *bytes = fvalue_get_bytes_data(field->value);
 				gsize size = g_bytes_get_size(fvalue_get_bytes(field->value));
 				for (int j=0; j< (int)size; j++) {
 				    wmem_strbuf_append_printf(current_cert->oids[oid_type], "%02x", bytes[j]);
 				}
-				wmem_strbuf_append_printf(current_cert->oids[oid_type], "%x", 0);
 			}
 
                 	if ((strcmp(field->hfinfo->abbrev, "x509af.extension.id") == 0) && (handshake_type == 11)) {
 				cert_t *current_cert = (cert_t *) wmem_array_index(certificate_list, cert_num);
+				oid_type = 2;
+
+				//Append a comma to previous OIDs, if any
+				if (wmem_strbuf_get_len(current_cert->oids[oid_type])) {
+				    wmem_strbuf_append(current_cert->oids[oid_type], ",");
+				}
 				//BUG-FIX: Ja4x should use Hex codes instead of ascii
 				const guint8 *bytes = fvalue_get_bytes_data(field->value);
 				gsize size = g_bytes_get_size(fvalue_get_bytes(field->value));
 				for (int j=0; j< (int)size; j++) {
 				    wmem_strbuf_append_printf(current_cert->oids[oid_type], "%02x", bytes[j]);
 				}
-				wmem_strbuf_append_printf(current_cert->oids[oid_type], "%x", 0);
 			}
 
 			// Added for JA4H - HTTP1.0 and 1.1
@@ -1297,9 +1305,6 @@ dissect_ja4(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, void *dummy
         if (handshake_type == 11) {
                 for (guint i=0; i<cert_num+1; i++) {
                         cert_t *current_cert = (cert_t *) wmem_array_index(certificate_list, i);
-                        wmem_strbuf_truncate(current_cert->oids[0], wmem_strbuf_get_len(current_cert->oids[0])-1);
-                        wmem_strbuf_truncate(current_cert->oids[1], wmem_strbuf_get_len(current_cert->oids[1])-1);
-                        wmem_strbuf_truncate(current_cert->oids[2], wmem_strbuf_get_len(current_cert->oids[2])-1);
                         wmem_strbuf_append_printf(current_cert->raw,
                                 "%s_%s_%s",
                                 wmem_strbuf_get_str(current_cert->oids[0]),