TLS: explicit ignore client certificate (#1776)

TLS classification usually stops after processing *server* certificates
(if any). That means, that *client* certificate, if present, is usually
ignored.
However in some corner cases (i.e. unidirectional traffic) we might end
up processing client certificate and exposing its metadata: the issue is
that the application will think that this metadata are about the server
and not about the client.
So, for the time being, always ignore client certificate processing.

As a future work, we might find an efficient way to process and export both
certificates.

6 files changed, 74 insertions, 4 deletions

diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index f39b2b6bd..c83280e0a 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1405,7 +1405,7 @@ struct ndpi_flow_struct {
       char ja3_client[33], ja3_server[33];
       u_int16_t server_cipher;
       u_int8_t sha1_certificate_fingerprint[20];
-      u_int8_t hello_processed:1, subprotocol_detected:1, fingerprint_set:1, _pad:5;
+      u_int8_t hello_processed:1, ch_direction:1, subprotocol_detected:1, fingerprint_set:1, _pad:4;
 
 #ifdef TLS_HANDLE_SIGNATURE_ALGORITMS
       /* Under #ifdef to save memory for those who do not need them */
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 55eed7ca9..a602fbeeb 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -861,6 +861,7 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
   case 0x02: /* Server Hello */
     processClientServerHello(ndpi_struct, flow, 0);
     flow->protos.tls_quic.hello_processed = 1;
+    flow->protos.tls_quic.ch_direction = (packet->payload[0] == 0x01 ? packet->packet_direction : !packet->packet_direction);
     ndpi_int_tls_add_connection(ndpi_struct, flow);
 
 #ifdef DEBUG_TLS
@@ -882,10 +883,17 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
     /* Important: populate the tls union fields only after
      * ndpi_int_tls_add_connection has been called */
     if(flow->protos.tls_quic.hello_processed) {
-      ret = processCertificate(ndpi_struct, flow);
-      if(ret != 1) {
+      /* Only certificates from the server */
+      if(flow->protos.tls_quic.ch_direction != packet->packet_direction) {
+        ret = processCertificate(ndpi_struct, flow);
+        if(ret != 1) {
 #ifdef DEBUG_TLS
-        printf("[TLS] Error processing certificate: %d\n", ret);
+          printf("[TLS] Error processing certificate: %d\n", ret);
+#endif
+        }
+      } else {
+#ifdef DEBUG_TLS
+        printf("[TLS] Certificate from client. Ignoring it\n");
 #endif
       }
       flow->tls_quic.certificate_processed = 1;
diff --git a/tests/pcap/tls_client_certificate_with_missing_server_one.pcapng b/tests/pcap/tls_client_certificate_with_missing_server_one.pcapng
new file mode 100644
index 000000000..40cb1eb30
--- /dev/null
+++ b/tests/pcap/tls_client_certificate_with_missing_server_one.pcapng
diff --git a/tests/pcap/tls_unidirectional.pcap b/tests/pcap/tls_unidirectional.pcap
new file mode 100644
index 000000000..c46674086
--- /dev/null
+++ b/tests/pcap/tls_unidirectional.pcap
diff --git a/tests/result/tls_client_certificate_with_missing_server_one.pcapng.out b/tests/result/tls_client_certificate_with_missing_server_one.pcapng.out
new file mode 100644
index 000000000..65d569510
--- /dev/null
+++ b/tests/result/tls_client_certificate_with_missing_server_one.pcapng.out
@@ -0,0 +1,31 @@
+Guessed flow protos:	0
+
+DPI Packets (TCP):	16	(8.00 pkts/flow)
+Confidence DPI              : 2 (flows)
+Num dissector calls: 4 (2.00 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache zoom:       0/0/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/3/0 (insert/search/found)
+LRU cache mining:     0/0/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+Automa host:          0/0 (search/found)
+Automa domain:        0/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     0/0 (search/found)
+Automa common alpns:  0/0 (search/found)
+Patricia risk mask:   4/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia protocols:   4/0 (search/found)
+
+TLS	17	5526	2
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 192.168.1.128            	 1      
+	2	 195.181.174.176          	 1      
+
+
+	1	TCP 195.181.174.176:443 <-> 192.168.1.128:48260 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][cat: Web/5][3 pkts/1654 bytes <-> 6 pkts/1779 bytes][Goodput ratio: 87/78][0.04 sec][ALPN: anydesk/6.2.0/linux][bytes ratio: -0.036 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 3/0 10/8 17/20 7/9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 551/296 1514/1160 681/400][Risk: ** Missing SNI TLS Extn **][Risk Score: 50][TLSv1.2][JA3C: 29b5a018fa5992fe23560c16af0dc9fc][JA3S: e58f0b3c1e9eefb8ee4f92aeceee5858][Firefox][Cipher: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,33,0,0]
+	2	TCP 192.168.1.128:59754 <-> 192.168.1.181:7070 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][cat: Web/5][6 pkts/1953 bytes <-> 2 pkts/140 bytes][Goodput ratio: 79/0][0.08 sec][bytes ratio: 0.866 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/6 15/6 54/6 20/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 326/70 1352/74 469/4][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **][Risk Score: 110][Risk Info: No ALPN][TLSv1.2][JA3C: 201999283915cc31cee6b15472ef3332][Firefox][Plen Bins: 0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0]
diff --git a/tests/result/tls_unidirectional.pcap.out b/tests/result/tls_unidirectional.pcap.out
new file mode 100644
index 000000000..4f8fa35e7
--- /dev/null
+++ b/tests/result/tls_unidirectional.pcap.out
@@ -0,0 +1,31 @@
+Guessed flow protos:	0
+
+DPI Packets (TCP):	12	(6.00 pkts/flow)
+Confidence DPI              : 2 (flows)
+Num dissector calls: 4 (2.00 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache zoom:       0/0/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/2/0 (insert/search/found)
+LRU cache mining:     0/0/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+Automa host:          1/1 (search/found)
+Automa domain:        1/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     0/0 (search/found)
+Automa common alpns:  0/0 (search/found)
+Patricia risk mask:   4/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia protocols:   3/1 (search/found)
+
+TLS	27	7693	1
+Google	6	6972	1
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 192.168.1.128            	 1      
+
+
+	1	TCP 192.168.1.128:48260 -> 195.181.174.176:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][cat: Web/5][27 pkts/7693 bytes -> 0 pkts/0 bytes][Goodput ratio: 77/0][58.79 sec][ALPN: anydesk/6.2.0/linux][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 2023/0 10210/0 3873/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/0 285/0 1514/0 460/0][Risk: ** Missing SNI TLS Extn **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][TLSv1.2][JA3C: 29b5a018fa5992fe23560c16af0dc9fc][Firefox][Plen Bins: 0,20,20,0,10,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,10,0,0,0,0,0,0,20,0,0]
+	2	TCP 142.250.27.188:5228 -> 10.140.72.24:12654 [VLAN: 308][proto: 91.126/TLS.Google][IP: 126/Google][Encrypted][Confidence: DPI][cat: Web/5][6 pkts/6972 bytes -> 0 pkts/0 bytes][Goodput ratio: 94/0][0.16 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 32/0 160/0 64/0][Pkt Len c2s/s2c min/avg/max/stddev: 78/0 1162/0 1418/0 490/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No client to server traffic][ServerNames: *.google.com,*.appengine.google.com,*.bdn.dev,*.cloud.google.com,*.crowdsource.google.com,*.datacompute.google.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleadapis.com,*.googleapis.cn,*.googlevideo.com,*.gstatic.cn,*.gstatic-cn.com,googlecnapps.cn,*.googlecnapps.cn,googleapps-cn.com,*.googleapps-cn.com,gkecnapps.cn,*.gkecnapps.cn,googledownloads.cn,*.googledownloads.cn,recaptcha.net.cn,*.recaptcha.net.cn,widevine.cn,*.widevine.cn,ampproject.org.cn,*.ampproject.org.cn,ampproject.net.cn,*.ampproject.net.cn,google-analytics-cn.com,*.google-analytics-cn.com,googleadservices-cn.com,*.googleadservices-cn.com,googlevads-cn.com,*.googlevads-cn.com,googleapis-cn.com,*.googleapis-cn.com,googleoptimize-cn.com,*.googleoptimize-cn.com,doubleclick-cn.net,*.doubleclick-cn.net,*.fls.doubleclick-cn.net,*.g.doubleclick-cn.net,doubleclick.cn,*.doubleclick.cn,*.fls.doubleclick.cn,*.g.doubleclick.cn,dartsearch-cn.net,*.dartsearch-cn.net,googletraveladservices-cn.com,*.googletraveladservices-cn.com,googletagservices-cn.com,*.googletagservices-cn.com,googletagmanager-cn.com,*.googletagmanager-cn.com,googlesyndication-cn.com,*.googlesyndication-cn.com,*.safeframe.googlesyndication-cn.com,app-measurement-cn.com,*.app-measurement-cn.com,gvt1-cn.com,*.gvt1-cn.com,gvt2-cn.com,*.gvt2-cn.com,2mdn-cn.net,*.2mdn-cn.net,googleflights-cn.net,*.googleflights-cn.net,admob-cn.com,*.admob-cn.com,*.gstatic.com,*.metric.gstatic.com,*.gvt1.com,*.gcpcdn.gvt1.com,*.gvt2.com,*.gcp.gvt2.com,*.url.google.com,*.youtube-nocookie.com,*.ytimg.com,android.com,*.android.com,*.flash.android.com,g.cn,*.g.cn,g.co,*.g.co,goo.gl,www.goo.gl,google-analytics.com,*.google-analytics.com,google.com,googlecommerce.com,*.googlecommerce.com,ggpht.cn,*.ggpht.cn,urchin.com,*.urchin.com,youtu.be,youtube.com,*.youtube.com,youtubeeducation.com,*.youtubeeducation.com,youtubekids.com,*.youtubekids.com,yt.be,*.yt.be,android.clients.google.com,developer.android.google.cn,developers.android.google.cn,source.android.google.cn][JA3S: 84aaf6d03fc8c5bfb56d1d188735b268][Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1C3][Subject: CN=*.google.com][Certificate SHA-1: 02:64:CA:2E:8A:2F:BB:C4:97:9D:A7:AC:2B:47:FF:DE:28:0E:71:B1][Validity: 2021-11-01 02:19:52 - 2022-01-24 02:19:51][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,80,0,0,0,0,0]