authorLuca Deri <deri@ntop.org>2022-07-04 17:38:31 +0200
committerLuca Deri <deri@ntop.org>2022-07-04 18:41:01 +0200
commite7a5eaecde866a028fce78ccfa5bcf8fda558036 (patch)
tree98a8c9c1767b85d33e7af95077442bf8030872bf
parent8ff286060115765474618f79a82cc6a04c5928de (diff)
Cleaned-up issuer DN check code adding
u_int8_t ndpi_check_issuerdn_risk_exception(struct ndpi_detection_module_struct *ndpi_str, char *issuerDN); Added new API function for checking nDPI-configured exceptions u_int8_t ndpi_check_flow_risk_exception(struct ndpi_detection_module_struct *ndpi_str, u_int num_params, ndpi_risk_params **params);
-rw-r--r--src/include/ndpi_api.h.in6
-rw-r--r--src/include/ndpi_typedefs.h23
-rw-r--r--src/lib/ndpi_utils.c128
-rw-r--r--src/lib/protocols/tls.c19
4 files changed, 139 insertions, 37 deletions
diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in
index 2695c2400..b679e1015 100644
--- a/src/include/ndpi_api.h.in
+++ b/src/include/ndpi_api.h.in
@@ -1640,6 +1640,12 @@ extern "C" {
u_int16_t ndpi_risk2score(ndpi_risk risk,
u_int16_t *client_score, u_int16_t *server_score);
+ u_int8_t ndpi_check_issuerdn_risk_exception(struct ndpi_detection_module_struct *ndpi_str,
+ char *issuerDN);
+ u_int8_t ndpi_check_flow_risk_exception(struct ndpi_detection_module_struct *ndpi_str,
+ u_int num_params,
+ ndpi_risk_params **params);
+
/* ******************************* */
/* HyperLogLog cardinality estimator */
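Review bot: The prototype added here is spelled `ndpi_check_flow_risk_exception`, but the definition added in src/lib/ndpi_utils.c in this same commit is `ndpi_check_flow_risk_exceptions` (plural), and the reminder comment added to ndpi_typedefs.h uses the plural too; a caller that uses the declared name will not link, and the definition compiles without a matching prototype. One spelling has to win: either `u_int8_t ndpi_check_flow_risk_exceptions(struct ndpi_detection_module_struct *ndpi_str,` here or renaming the definition, with the typedefs comment following whichever is chosen. The commit message uses the singular, so the header is probably the intended one, but that is an inference.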
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index e0a5a7e7c..434a0892a 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -128,6 +128,26 @@ typedef enum {
typedef u_int64_t ndpi_risk; /* (**) */
typedef enum {
+ NDPI_PARAM_HOSTNAME /* char* */,
+ NDPI_PARAM_ISSUER_DN /* char* */,
+ NDPI_PARAM_HOST_IPV4 /* u_int32_t* */, /* Network byte order */
+
+ /*
+ IMPORTANT
+ please update ndpi_check_flow_risk_exceptions()
+ (in ndpi_utils.c) whenever you add a new parameter
+ */
+
+ /* Leave this as last member */
+ NDPI_MAX_RISK_PARAM_ID
+} ndpi_risk_param_id;
+
+typedef struct {
+ ndpi_risk_param_id id;
+ void *value; /* char* for strings, u_int32_t* for IPv4 addresses */
+} ndpi_risk_params;
+
+typedef enum {
NDPI_RISK_LOW,
NDPI_RISK_MEDIUM,
NDPI_RISK_HIGH,
@@ -1440,8 +1460,7 @@ typedef struct {
typedef u_int32_t ndpi_init_prefs;
-typedef enum
- {
+typedef enum {
ndpi_no_prefs = 0,
ndpi_dont_load_tor_list = (1 << 0),
ndpi_dont_init_libgcrypt = (1 << 1),
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index f243b62fb..cbfe38c8a 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -2179,6 +2179,65 @@ static u_int64_t ndpi_host_ip_risk_ptree_match(struct ndpi_detection_module_stru
/* ********************************************************************************* */
+/* Check isuerDN exception */
+u_int8_t ndpi_check_issuerdn_risk_exception(struct ndpi_detection_module_struct *ndpi_str,
+ char *issuerDN) {
+ ndpi_list *head = ndpi_str->trusted_issuer_dn;
+
+ while(head != NULL) {
+ if(strcmp(issuerDN, head->value) == 0)
+ return(1); /* This is a trusted DN */
+ else
+ head = head->next;
+ }
+
+ return(0 /* no exception */);
+}
+
+/* ********************************************************************************* */
+
+/* Check host exception */
+static u_int8_t ndpi_check_hostname_risk_exception(struct ndpi_detection_module_struct *ndpi_str,
+ struct ndpi_flow_struct *flow,
+ char *hostname) {
+ ndpi_automa *automa = &ndpi_str->host_risk_mask_automa;
+ u_int8_t ret = 0;
+
+ if(automa->ac_automa) {
+ AC_TEXT_t ac_input_text;
+ AC_REP_t match;
+
+ ac_input_text.astring = hostname, ac_input_text.length = strlen(hostname);
+ ac_input_text.option = 0;
+
+ if(ac_automata_search(automa->ac_automa, &ac_input_text, &match) > 0) {
+ if(flow) flow->risk_mask &= match.number64;
+ ret = 1;
+ }
+ }
+
+ return(ret);
+}
+
+/* ********************************************************************************* */
+
+/* Check host exception */
+static u_int8_t ndpi_check_ipv4_exception(struct ndpi_detection_module_struct *ndpi_str,
+ struct ndpi_flow_struct *flow,
+ u_int32_t addr) {
+ struct in_addr pin;
+ u_int64_t r;
+
+ pin.s_addr = addr;
+ r = ndpi_host_ip_risk_ptree_match(ndpi_str, &pin);
+
+ if(flow) flow->risk_mask &= r;
+
+ return((r != (u_int64_t)-1) ? 1 : 0);
+}
+
+ /* ********************************************************************************* */
+
static void ndpi_handle_risk_exceptions(struct ndpi_detection_module_struct *ndpi_str,
struct ndpi_flow_struct *flow) {
char *host;
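Review bot: `ndpi_check_issuerdn_risk_exception` is exported through ndpi_api.h.in yet passes `issuerDN` straight to `strcmp`, so a NULL argument crashes; the tls.c caller happens to guard it, but `ndpi_check_flow_risk_exceptions` later in this file passes `params[i]->value` through unchecked. Add `if(issuerDN == NULL) return(0);` before the loop, and the same guard on `hostname` in `ndpi_check_hostname_risk_exception` ahead of `strlen`. Both strings are only read, so `const char *` on those parameters would document that contract. The comment above `ndpi_check_ipv4_exception` was copied from the hostname helper and still says `/* Check host exception */`; `/* Check IPv4 address exception (addr in network byte order) */` would match what it does. `ndpi_handle_risk_exceptions`, whose signature ends this hunk, continues outside it.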
@@ -2194,19 +2253,8 @@ static void ndpi_handle_risk_exceptions(struct ndpi_detection_module_struct *ndp
if(!flow->host_risk_mask_evaluated) {
if(host && (host[0] != '\0')) {
/* Check host exception */
- ndpi_automa *automa = &ndpi_str->host_risk_mask_automa;
-
- if(automa->ac_automa) {
- AC_TEXT_t ac_input_text;
- AC_REP_t match;
-
- ac_input_text.astring = host, ac_input_text.length = strlen(host);
- ac_input_text.option = 0;
-
- if(ac_automata_search(automa->ac_automa, &ac_input_text, &match) > 0)
- flow->risk_mask &= match.number64;
- }
-
+ ndpi_check_hostname_risk_exception(ndpi_str, flow, host);
+
/* Used to avoid double checks (e.g. in DNS req/rsp) */
flow->host_risk_mask_evaluated = 1;
}
@@ -2215,13 +2263,8 @@ static void ndpi_handle_risk_exceptions(struct ndpi_detection_module_struct *ndp
/* TODO: add IPv6 support */
if(!flow->ip_risk_mask_evaluated) {
if(flow->is_ipv6 == 0) {
- struct in_addr pin;
-
- pin.s_addr = flow->saddr;
- flow->risk_mask &= ndpi_host_ip_risk_ptree_match(ndpi_str, &pin);
-
- pin.s_addr = flow->daddr;
- flow->risk_mask &= ndpi_host_ip_risk_ptree_match(ndpi_str, &pin);
+ ndpi_check_ipv4_exception(ndpi_str, flow, flow->saddr /* Source */);
+ ndpi_check_ipv4_exception(ndpi_str, flow, flow->daddr /* Destination */);
}
flow->ip_risk_mask_evaluated = 1;
@@ -2589,3 +2632,48 @@ char* ndpi_get_flow_risk_info(struct ndpi_flow_struct *flow,
return(out[0] == '\0' ? NULL : out);
}
}
+
+/* ******************************************* */
+/*
+ This function checks if a flow having the specified risk
+ parameters is an exception (i.e. the flow risk should not
+ be triggered) or not.
+
+ You can use this function to check if a flow that
+ as a flow risk will match an exception or not.
+*/
+u_int8_t ndpi_check_flow_risk_exceptions(struct ndpi_detection_module_struct *ndpi_str,
+ u_int num_params,
+ ndpi_risk_params **params) {
+ u_int i;
+
+ for(i=0; (i<num_params) && (params[i] != NULL); i++) {
+ switch(params[i]->id) {
+ case NDPI_PARAM_HOSTNAME:
+ if(ndpi_check_hostname_risk_exception(ndpi_str, NULL, (char*)params[i]->value))
+ return(1);
+ break;
+
+ case NDPI_PARAM_ISSUER_DN:
+ if(ndpi_check_issuerdn_risk_exception(ndpi_str, (char*)params[i]->value))
+ return(1);
+ break;
+
+ case NDPI_PARAM_HOST_IPV4:
+ if(ndpi_check_ipv4_exception(ndpi_str, NULL, *((u_int32_t*)params[i]->value)))
+ return(1);
+ break;
+
+ case NDPI_MAX_RISK_PARAM_ID:
+ /* Nothing to do, just avoid warnings */
+ break;
+
+ default:
+ printf("nDPI [%s:%u] Ignored risk parameter id %u\n",
+ __FILE__, __LINE__, params[i]->id);
+ break;
+ }
+ }
+
+ return(0);
+}
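Review bot: `params[i]->value` is dereferenced in every case without a NULL check — cast to `char*` and handed to `strcmp`/`strlen`, or dereferenced as `u_int32_t*` — while the loop condition only checks `params[i]` itself; add `if(params[i]->value == NULL) continue;` at the top of the loop body. The `default:` branch prints to stdout with `printf`, which a library's callers cannot capture or silence, and since `NDPI_MAX_RISK_PARAM_ID` is handled explicitly that branch is only reachable with an out-of-range id; returning 0 quietly or routing through the module's own logging (not visible in this hunk, so hedged) would be preferable. In the header comment, "a flow that as a flow risk" should read "a flow that has a flow risk".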
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 79846f670..71e7ae504 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -699,23 +699,12 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
if(flow->protos.tls_quic.subjectDN && flow->protos.tls_quic.issuerDN
&& (!strcmp(flow->protos.tls_quic.subjectDN, flow->protos.tls_quic.issuerDN))) {
/* Last resort: we check if this is a trusted issuerDN */
- ndpi_list *head = ndpi_struct->trusted_issuer_dn;
-
- while(head != NULL) {
-#if DEBUG_TLS
- printf("TLS] %s() issuerDN %s / %s\n", __FUNCTION__,
- flow->protos.tls_quic.issuerDN, head->value);
-#endif
-
- if(strcmp(flow->protos.tls_quic.issuerDN, head->value) == 0)
- return; /* This is a trusted DN */
- else
- head = head->next;
- }
-
+ if(ndpi_check_issuerdn_risk_exception(ndpi_struct, flow->protos.tls_quic.issuerDN))
+ return; /* This is a trusted DN */
+
ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SELFSIGNED_CERTIFICATE, flow->protos.tls_quic.subjectDN);
}
-
+
#if DEBUG_TLS
printf("[TLS] %s() SubjectDN [%s]\n", __FUNCTION__, rdnSeqBuf);
#endif