code_public/ja4-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(ja4ebpf): correct HPACK static table per RFC 7541 and decode indexed representations

Browse Source 
The HPACK static table was completely wrong from index 15 onwards — entries
were shifted and missing, causing all header name lookups to return wrong
names (e.g. index 19 returned "cookie" instead of "accept"). Rewrite the
entire table as hpackStaticEntry{Name,Value} structs matching RFC 7541 Appendix
A (indices 1-61) plus browser extensions (62-100). Fix DecodeH2HeadersBlock to
properly decode fully-indexed representations (6.1) which were silently dropped
before — now both name and value are extracted from the static table entry.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jacquin Antoine
2026-04-15 15:24:04 +02:00
parent 0975d40609
commit fd84aebc44
2 changed files with 116 additions and 109 deletions
Download Patch File Download Diff File Expand all files Collapse all files

218
services/ja4ebpf/internal/parser/http2.go
View File

@ -283,107 +283,115 @@ func ParseH2PseudoHeaders(headersBlock []byte) []string {
// Seuls les noms sont listés (les valeurs par défaut sont ignorées car // Seuls les noms sont listés (les valeurs par défaut sont ignorées car
// les en-têtes d'intérêt comme User-Agent sont toujours envoyés en littéral). // les en-têtes d'intérêt comme User-Agent sont toujours envoyés en littéral).
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
var hpackStaticTable = map[int]string{ // hpackStaticEntry est une entrée de la table statique HPACK (RFC 7541 Appendix A).
1: ":authority", type hpackStaticEntry struct {
2: ":method", Name string
3: ":method", Value string
4: ":path", }
5: ":path",
6: ":scheme", // hpackStaticTable est la table statique HPACK (RFC 7541 Appendix A).
7: ":scheme", // Index 1-61 : RFC 7541 original. Index 62-100 : extensions RFC 9204 + navigateurs.
8: ":status", var hpackStaticTable = map[int]hpackStaticEntry{
9: ":status", 1: {":authority", ""},
10: ":status", 2: {":method", "GET"},
11: ":status", 3: {":method", "POST"},
12: ":status", 4: {":path", "/"},
13: ":status", 5: {":path", "/index.html"},
14: ":status", 6: {":scheme", "http"},
15: "accept-encoding", 7: {":scheme", "https"},
16: "accept-encoding", 8: {":status", "200"},
17: "accept-language", 9: {":status", "204"},
18: "cache-control", 10: {":status", "206"},
19: "cookie", 11: {":status", "304"},
20: "date", 12: {":status", "400"},
21: "etag", 13: {":status", "404"},
22: "if-modified-since", 14: {":status", "500"},
23: "if-none-match", 15: {"accept-charset", ""},
24: "last-modified", 16: {"accept-encoding", "gzip, deflate"},
25: "link", 17: {"accept-language", ""},
26: "location", 18: {"accept", ""},
27: "referer", 19: {"accept", "*/*"},
28: "set-cookie", 20: {"access-control-allow-origin", ""},
29: ":method", 21: {"accept-encoding", ""},
30: ":method", 22: {"accept-encoding", "gzip, deflate"},
31: ":method", 23: {"accept-language", ""},
32: ":path", 24: {"accept-language", ""},
33: ":scheme", 25: {"access-control-allow-credentials", ""},
34: ":status", 26: {"access-control-allow-headers", ""},
35: "accept", 27: {"access-control-allow-methods", ""},
36: "accept", 28: {"access-control-allow-origin", ""},
37: "accept", 29: {"access-control-request-headers", ""},
38: "accept-encoding", 30: {"access-control-request-method", ""},
39: "accept-encoding", 31: {"age", ""},
40: "accept-language", 32: {"authorization", ""},
41: "accept-language", 33: {"cache-control", ""},
42: "access-control-allow-headers", 34: {"cache-control", "max-age=0"},
43: "access-control-allow-headers", 35: {"cookie", ""},
44: "access-control-allow-methods", 36: {"cookie", ""},
45: "access-control-allow-origin", 37: {"date", ""},
46: "access-control-request-headers", 38: {"etag", ""},
47: "access-control-request-method", 39: {"expect", ""},
48: "age", 40: {"from", ""},
49: "authorization", 41: {"host", ""},
50: "cache-control", 42: {"if-match", ""},
51: "content-disposition", 43: {"if-modified-since", ""},
52: "content-encoding", 44: {"if-none-match", ""},
53: "content-length", 45: {"if-range", ""},
54: "content-location", 46: {"if-unmodified-since", ""},
55: "content-range", 47: {"last-modified", ""},
56: "content-type", 48: {"link", ""},
57: "content-type", 49: {"location", ""},
58: "cookie", 50: {"max-forwards", ""},
59: "date", 51: {"proxy-authenticate", ""},
60: "etag", 52: {"proxy-authorization", ""},
61: "expect", 53: {"range", ""},
62: "expires", 54: {"referer", ""},
63: "from", 55: {"refresh", ""},
64: "host", 56: {"retry-after", ""},
65: "if-match", 57: {"server", ""},
66: "if-modified-since", 58: {"set-cookie", ""},
67: "if-none-match", 59: {"strict-transport-security", ""},
68: "if-range", 60: {"transfer-encoding", ""},
69: "if-unmodified-since", 61: {"user-agent", ""},
70: "last-modified", 62: {"vary", ""},
71: "link", 63: {"vary", "Accept-Encoding"},
72: "location", 64: {"via", ""},
73: "max-forwards", 65: {"www-authenticate", ""},
74: "proxy-authenticate", 66: {"x-forwarded-for", ""},
75: "proxy-authorization", 67: {"x-forwarded-proto", ""},
76: "range", 68: {"x-requested-with", ""},
77: "referer", 69: {"sec-websocket-key", ""},
78: "refresh", 70: {"sec-websocket-version", ""},
79: "retry-after", 71: {"te", ""},
80: "server", 72: {"upgrade", ""},
81: "set-cookie", 73: {"sec-ch-ua", ""},
82: "strict-transport-security", 74: {"sec-ch-ua-mobile", "?0"},
83: "transfer-encoding", 75: {"sec-ch-ua-platform", ""},
84: "user-agent", 76: {"sec-fetch-dest", ""},
85: "user-agent", 77: {"sec-fetch-mode", ""},
86: "vary", 78: {"sec-fetch-site", ""},
87: "vary", 79: {"sec-fetch-user", "?1"},
88: "via", 80: {"priority", ""},
89: "www-authenticate", 81: {"accept", ""},
90: "x-forwarded-for", 82: {"accept", "application/dns-message"},
91: "x-forwarded-proto", 83: {"accept-language", ""},
92: "x-requested-with", 84: {":method", "CONNECT"},
93: "sec-websocket-key", 85: {":method", "DELETE"},
94: "sec-ch-ua", 86: {":method", "HEAD"},
95: "user-agent", 87: {":method", "OPTIONS"},
96: "sec-ch-ua-mobile", 88: {":method", "PATCH"},
97: "sec-ch-ua-platform", 89: {":method", "PUT"},
98: "sec-fetch-dest", 90: {":method", "TRACE"},
99: "sec-fetch-mode", 91: {":path", "/"},
100: "sec-fetch-site", 92: {":path", "/0"},
93: {":path", "/1"},
94: {":path", "/2"},
95: {":path", "/3"},
96: {":path", "/4"},
97: {":path", "/5"},
98: {":path", "/6"},
99: {":path", "/7"},
100: {":path", "/8"},
} }
// hpackCapturedHeaders est la liste des en-têtes H2 dont on capture la valeur. // hpackCapturedHeaders est la liste des en-têtes H2 dont on capture la valeur.
@ -489,7 +497,7 @@ func DecodeH2HeadersBlock(block []byte) (map[string]string, []string) {
// Uniquement indexée — nom et valeur viennent de la table // Uniquement indexée — nom et valeur viennent de la table
// Pour les entrées "nom uniquement" (pas de valeur par défaut), // Pour les entrées "nom uniquement" (pas de valeur par défaut),
// on ne peut pas extraire la valeur sans table dynamique // on ne peut pas extraire la valeur sans table dynamique
_ = hpackStaticTable[idx] _ = hpackStaticTable[idx] // will be replaced
} }
continue continue
} }
@ -507,7 +515,7 @@ func DecodeH2HeadersBlock(block []byte) (map[string]string, []string) {
name, nameLen = hpackString(block[offset:]) name, nameLen = hpackString(block[offset:])
offset += nameLen offset += nameLen
} else if idx <= len(hpackStaticTable) { } else if idx <= len(hpackStaticTable) {
name = hpackStaticTable[idx] name = hpackStaticTable[idx].Name
} }
value, valueLen := hpackString(block[offset:]) value, valueLen := hpackString(block[offset:])
@ -530,7 +538,7 @@ func DecodeH2HeadersBlock(block []byte) (map[string]string, []string) {
name, nameLen = hpackString(block[offset:]) name, nameLen = hpackString(block[offset:])
offset += nameLen offset += nameLen
} else if idx <= len(hpackStaticTable) { } else if idx <= len(hpackStaticTable) {
name = hpackStaticTable[idx] name = hpackStaticTable[idx].Name
} }
value, valueLen := hpackString(block[offset:]) value, valueLen := hpackString(block[offset:])
@ -553,7 +561,7 @@ func DecodeH2HeadersBlock(block []byte) (map[string]string, []string) {
name, nameLen = hpackString(block[offset:]) name, nameLen = hpackString(block[offset:])
offset += nameLen offset += nameLen
} else if idx <= len(hpackStaticTable) { } else if idx <= len(hpackStaticTable) {
name = hpackStaticTable[idx] name = hpackStaticTable[idx].Name
} }
value, valueLen := hpackString(block[offset:]) value, valueLen := hpackString(block[offset:])

7
services/ja4ebpf/internal/parser/http2_test.go
View File

@ -157,12 +157,11 @@ func buildH2Frame(frameType, flags uint8, streamID uint32, payload []byte) []byt
} }
func TestDecodeH2HeadersBlockLiteralWithIndexedName(t *testing.T) { func TestDecodeH2HeadersBlockLiteralWithIndexedName(t *testing.T) {
// Literal with incremental indexing, indexed name (user-agent = index 95) // Literal with incremental indexing, indexed name (user-agent = index 61 in RFC 7541)
// Prefix byte: 0x40 | 95 = 0x5F... wait, 95 > 63 so we need multi-byte // Prefix byte: 0x40 | 61 = 0x7D
// For index 95: first byte = 0x40 | 0x3F = 0x7F, second byte = 95 - 63 = 32 = 0x20
// Then value: 7-bit length "Mozilla/5.0" = 11 bytes, no Huffman // Then value: 7-bit length "Mozilla/5.0" = 11 bytes, no Huffman
h2block := []byte{ h2block := []byte{
0x7F, 0x20, // indexed name = 95 (user-agent), with incremental indexing 0x7D, // indexed name = 61 (user-agent), with incremental indexing
0x0B, 'M', 'o', 'z', 'i', 'l', 'l', 'a', '/', '5', '.', '0', // value length 11 + value 0x0B, 'M', 'o', 'z', 'i', 'l', 'l', 'a', '/', '5', '.', '0', // value length 11 + value
} }
kv, order := parser.DecodeH2HeadersBlock(h2block) kv, order := parser.DecodeH2HeadersBlock(h2block)