authorToni <matzeton@googlemail.com>2021-05-11 21:38:26 +0200
committerGitHub <noreply@github.com>2021-05-11 21:38:26 +0200
commit5918a6542d4640e702516fe92d7d23d5a969c73c (patch)
treecc71825ded612b21fdb3382e85c7f9d0b50b1917
parenta5ecdf9df8a2ac3edc7fafb4475c37452b681f20 (diff)
Improved SSL certificate name wildcard handling and risk. #1182 (#1183)
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r--src/lib/protocols/tls.c16
-rw-r--r--tests/pcap/ssl-cert-name-mismatch.pcapbin0 -> 5772 bytes
-rw-r--r--tests/result/ssl-cert-name-mismatch.pcap.out8
3 files changed, 22 insertions, 2 deletions
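--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -497,8 +497,20 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
 if(matched_name == 0) {
 if(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] == '\0')
 matched_name = 1; /* No SNI */
-else if((dNSName[0] == '*') && strstr(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, &dNSName[1]))
-matched_name = 1;
+else if (dNSName[0] == '*')
+{
+char * label = strstr(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, &dNSName[1]);
+
+if (label != NULL)
+{
+char * first_dot = strchr(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, '.');
+
+if (first_dot == NULL || first_dot >= label)
+{
+matched_name = 1;
+}
+}
+}
 else if(strcmp(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, dNSName) == 0)
 matched_name = 1;
 }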
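Review bot: The wildcard branch still accepts any SNI that merely contains the certificate's suffix, because `strstr(..., &dNSName[1])` on the `char * label = ...` line is not anchored to the end of the name: for a certificate name `*.badssl.com`, a constructed SNI such as `x.badssl.com.example` contains `.badssl.com` right after its first dot, so `first_dot >= label` holds and matched_name is set although the SNI does not end in the certificate's domain, and the mismatch risk is not raised. The comparison should require the suffix to be the tail of the SNI — compare the last strlen(suffix) bytes with strcmp after a length check — and apply the first-dot rule to that tail position rather than to the first strstr hit. Both strstr and the unchanged strcmp branch compare case-sensitively while DNS names are not; that is pre-existing and may be intentional, but worth a comment. processCertificateElements begins and ends outside the hunk.
```c
matched_name = 1; /* No SNI */
else if (dNSName[0] == '*')
{
  const char *sni = flow->protos.tls_quic_stun.tls_quic.client_requested_server_name;
  const char *suffix = &dNSName[1];
  size_t sni_len = strlen(sni);
  size_t suffix_len = strlen(suffix);

  /* A wildcard covers exactly one leading label: the suffix must be the
     tail of the SNI, and the SNI's first dot must not precede that tail. */
  if (sni_len >= suffix_len)
  {
    const char *tail = sni + (sni_len - suffix_len);
    const char *first_dot = strchr(sni, '.');

    if (strcmp(tail, suffix) == 0 && (first_dot == NULL || first_dot >= tail))
    {
      matched_name = 1;
    }
  }
}
/* … unchanged: exact-match strcmp branch … */
```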
diff --git a/tests/pcap/ssl-cert-name-mismatch.pcap b/tests/pcap/ssl-cert-name-mismatch.pcap
new file mode 100644
index 000000000..9fa488c0a
--- /dev/null
+++ b/tests/pcap/ssl-cert-name-mismatch.pcap
Binary files differ
diff --git a/tests/result/ssl-cert-name-mismatch.pcap.out b/tests/result/ssl-cert-name-mismatch.pcap.out
new file mode 100644
index 000000000..88fc96aad
--- /dev/null
+++ b/tests/result/ssl-cert-name-mismatch.pcap.out
@@ -0,0 +1,8 @@
+Google 21 5412 1
+
+JA3 Host Stats:
+ IP Address # JA3C
+ 1 192.168.2.222 1
+
+
+ 1 TCP 192.168.2.222:54772 <-> 104.154.89.105:443 [proto: 91.126/TLS.Google][cat: Web/5][11 pkts/1136 bytes <-> 10 pkts/4276 bytes][Goodput ratio: 35/84][0.72 sec][ALPN: http/1.1][bytes ratio: -0.580 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 79/48 167/160 64/68][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103/428 311/1474 70/548][Risk: ** TLS Certificate Mismatch **][TLSv1.2][Client: wrong.host.badssl.com][JA3C: 4e69e4e5627c5e4c2846ba3e64d23fb9][ServerNames: *.badssl.com,badssl.com][JA3S: b898351eb5e266aefd3723d466935494][Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA][Subject: C=US, ST=California, L=Walnut Creek, O=Lucas Garron Torres, CN=*.badssl.com][Certificate SHA-1: 18:45:B2:16:EF:D0:83:9A:18:51:A9:57:32:5D:A3:36:21:70:49:CB][Validity: 2020-03-23 00:00:00 - 2022-05-17 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 12,12,12,0,0,0,0,12,12,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0]