diff options
| author | Luca Deri <deri@ntop.org> | 2022-05-27 17:35:30 +0200 |
|---|---|---|
| committer | Luca Deri <deri@ntop.org> | 2022-05-27 17:35:30 +0200 |
| commit | 7e3d0614287bba51d881c89e75c1f9671cccd1b8 (patch) | |
| tree | 194ab27d1c72ac8d65ab4fbceafcfde8f72564bf | |
| parent | 6d543808ade2268bbdaf325f51f60550ac21b593 (diff) | |
Compilation fixes
| -rw-r--r-- | src/lib/protocols/kerberos.c | 4 | ||||
| -rw-r--r-- | src/lib/protocols/quic.c | 86 | ||||
| -rw-r--r-- | src/lib/protocols/raknet.c | 4 | ||||
| -rw-r--r-- | src/lib/protocols/tftp.c | 4 | ||||
| -rw-r--r-- | src/lib/protocols/tls.c | 380 |
5 files changed, 243 insertions, 235 deletions
diff --git a/src/lib/protocols/kerberos.c b/src/lib/protocols/kerberos.c index e1297d230..9c166128f 100644 --- a/src/lib/protocols/kerberos.c +++ b/src/lib/protocols/kerberos.c @@ -203,11 +203,11 @@ static int krb_decode_asn1_blocks_skip(struct ndpi_detection_module_struct *ndpi static void krb_strncpy_lower(char * const dst, size_t dst_siz, char const * const src, size_t src_siz) { - int dst_len = ndpi_min(src_siz, dst_siz - 1); + int i, dst_len = ndpi_min(src_siz, dst_siz - 1); dst[dst_len] = '\0'; - for(int i = 0; i < dst_len; ++i) + for(i = 0; i < dst_len; ++i) { if (ndpi_isprint(src[i]) == 0) { diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c index 32347b9c1..a8b2827f2 100644 --- a/src/lib/protocols/quic.c +++ b/src/lib/protocols/quic.c @@ -350,6 +350,7 @@ static gcry_error_t hkdf_expand(int hashalgo, const uint8_t *prk, uint32_t prk_l gcry_md_hd_t h; gcry_error_t err; const unsigned int hash_len = gcry_md_get_algo_dlen(hashalgo); + uint32_t offset; /* Some sanity checks */ if(!(out_len > 0 && out_len <= 255 * hash_len) || @@ -362,7 +363,7 @@ static gcry_error_t hkdf_expand(int hashalgo, const uint8_t *prk, uint32_t prk_l return err; } - for(uint32_t offset = 0; offset < out_len; offset += hash_len) { + for(offset = 0; offset < out_len; offset += hash_len) { gcry_md_reset(h); gcry_md_setkey(h, prk, prk_len); /* Set PRK */ if(offset > 0) { @@ -654,7 +655,7 @@ static int quic_ciphers_prepare(struct ndpi_detection_module_struct *ndpi_struct quic_ciphers *ciphers, int hash_algo, int cipher_algo, int cipher_mode, uint8_t *secret, u_int32_t version) { return quic_hp_cipher_prepare(ndpi_struct, &ciphers->hp_cipher, hash_algo, cipher_algo, secret, version) && - quic_pp_cipher_prepare(ndpi_struct, &ciphers->pp_cipher, hash_algo, cipher_algo, cipher_mode, secret, version); + quic_pp_cipher_prepare(ndpi_struct, &ciphers->pp_cipher, hash_algo, cipher_algo, cipher_mode, secret, version); } /** * Given a header protection cipher, a buffer and the packet number offset, @@ -712,8 +713,8 @@ static int quic_decrypt_header(const uint8_t *packet_payload, uint8_t pkn_bytes[4]; memcpy(pkn_bytes, packet_payload + pn_offset, pkn_len); - uint32_t pkt_pkn = 0; - for(uint32_t i = 0; i < pkn_len; i++) { + uint32_t pkt_pkn = 0, i; + for(i = 0; i < pkn_len; i++) { pkt_pkn |= (uint32_t)(pkn_bytes[i] ^ mask[1 + i]) << (8 * (pkn_len - 1 - i)); } *first_byte = packet0; @@ -739,7 +740,7 @@ static void quic_decrypt_message(struct ndpi_detection_module_struct *ndpi_struc uint8_t nonce[TLS13_AEAD_NONCE_LENGTH]; uint8_t *buffer; uint8_t atag[16]; - uint32_t buffer_length; + uint32_t buffer_length, i; #ifdef NDPI_ENABLE_DEBUG_MESSAGES char buferr[128]; #endif @@ -748,7 +749,7 @@ static void quic_decrypt_message(struct ndpi_detection_module_struct *ndpi_struc !(pp_cipher->pp_cipher != NULL) || !(pkn_len < header_length) || !(1 <= pkn_len && pkn_len <= 4)) { - NDPI_LOG_DBG(ndpi_struct, "Failed sanity checks\n"); + NDPI_LOG_DBG(ndpi_struct, "Failed sanity checks\n"); return; } /* Copy header, but replace encrypted first byte and PKN by plaintext. */ @@ -756,7 +757,7 @@ static void quic_decrypt_message(struct ndpi_detection_module_struct *ndpi_struc if(!header) return; header[0] = first_byte; - for(uint32_t i = 0; i < pkn_len; i++) { + for( i = 0; i < pkn_len; i++) { header[header_length - 1 - i] = (uint8_t)(packet_number >> (8 * i)); } @@ -835,36 +836,36 @@ static int quic_derive_initial_secrets(struct ndpi_detection_module_struct *ndpi * Hash for handshake packets is SHA-256 (output size 32). */ static const uint8_t handshake_salt_draft_22[20] = { - 0x7f, 0xbc, 0xdb, 0x0e, 0x7c, 0x66, 0xbb, 0xe9, 0x19, 0x3a, - 0x96, 0xcd, 0x21, 0x51, 0x9e, 0xbd, 0x7a, 0x02, 0x64, 0x4a + 0x7f, 0xbc, 0xdb, 0x0e, 0x7c, 0x66, 0xbb, 0xe9, 0x19, 0x3a, + 0x96, 0xcd, 0x21, 0x51, 0x9e, 0xbd, 0x7a, 0x02, 0x64, 0x4a }; static const uint8_t handshake_salt_draft_23[20] = { - 0xc3, 0xee, 0xf7, 0x12, 0xc7, 0x2e, 0xbb, 0x5a, 0x11, 0xa7, - 0xd2, 0x43, 0x2b, 0xb4, 0x63, 0x65, 0xbe, 0xf9, 0xf5, 0x02, + 0xc3, 0xee, 0xf7, 0x12, 0xc7, 0x2e, 0xbb, 0x5a, 0x11, 0xa7, + 0xd2, 0x43, 0x2b, 0xb4, 0x63, 0x65, 0xbe, 0xf9, 0xf5, 0x02, }; static const uint8_t handshake_salt_draft_29[20] = { - 0xaf, 0xbf, 0xec, 0x28, 0x99, 0x93, 0xd2, 0x4c, 0x9e, 0x97, - 0x86, 0xf1, 0x9c, 0x61, 0x11, 0xe0, 0x43, 0x90, 0xa8, 0x99 + 0xaf, 0xbf, 0xec, 0x28, 0x99, 0x93, 0xd2, 0x4c, 0x9e, 0x97, + 0x86, 0xf1, 0x9c, 0x61, 0x11, 0xe0, 0x43, 0x90, 0xa8, 0x99 }; static const uint8_t hanshake_salt_draft_q50[20] = { - 0x50, 0x45, 0x74, 0xEF, 0xD0, 0x66, 0xFE, 0x2F, 0x9D, 0x94, - 0x5C, 0xFC, 0xDB, 0xD3, 0xA7, 0xF0, 0xD3, 0xB5, 0x6B, 0x45 + 0x50, 0x45, 0x74, 0xEF, 0xD0, 0x66, 0xFE, 0x2F, 0x9D, 0x94, + 0x5C, 0xFC, 0xDB, 0xD3, 0xA7, 0xF0, 0xD3, 0xB5, 0x6B, 0x45 }; static const uint8_t hanshake_salt_draft_t50[20] = { - 0x7f, 0xf5, 0x79, 0xe5, 0xac, 0xd0, 0x72, 0x91, 0x55, 0x80, - 0x30, 0x4c, 0x43, 0xa2, 0x36, 0x7c, 0x60, 0x48, 0x83, 0x10 + 0x7f, 0xf5, 0x79, 0xe5, 0xac, 0xd0, 0x72, 0x91, 0x55, 0x80, + 0x30, 0x4c, 0x43, 0xa2, 0x36, 0x7c, 0x60, 0x48, 0x83, 0x10 }; static const uint8_t hanshake_salt_draft_t51[20] = { - 0x7a, 0x4e, 0xde, 0xf4, 0xe7, 0xcc, 0xee, 0x5f, 0xa4, 0x50, - 0x6c, 0x19, 0x12, 0x4f, 0xc8, 0xcc, 0xda, 0x6e, 0x03, 0x3d + 0x7a, 0x4e, 0xde, 0xf4, 0xe7, 0xcc, 0xee, 0x5f, 0xa4, 0x50, + 0x6c, 0x19, 0x12, 0x4f, 0xc8, 0xcc, 0xda, 0x6e, 0x03, 0x3d }; static const uint8_t handshake_salt_v1[20] = { - 0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17, - 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a + 0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17, + 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a }; static const uint8_t handshake_salt_v2_draft_00[20] = { - 0xa7, 0x07, 0xc2, 0x03, 0xa5, 0x9b, 0x47, 0x18, 0x4a, 0x1d, - 0x62, 0xca, 0x57, 0x04, 0x06, 0xea, 0x7a, 0xe3, 0xe5, 0xd3 + 0xa7, 0x07, 0xc2, 0x03, 0xa5, 0x9b, 0x47, 0x18, 0x4a, 0x1d, + 0x62, 0xca, 0x57, 0x04, 0x06, 0xea, 0x7a, 0xe3, 0xe5, 0xd3 }; gcry_error_t err; uint8_t secret[HASH_SHA2_256_LENGTH]; @@ -1007,9 +1008,9 @@ static uint8_t *decrypt_initial_packet(struct ndpi_detection_module_struct *ndpi } static void update_reasm_buf_bitmap(u_int8_t *buffer_bitmap, - const u_int32_t buffer_bitmap_size, - const u_int32_t recv_pos, - const u_int32_t recv_len) + const u_int32_t buffer_bitmap_size, + const u_int32_t recv_pos, + const u_int32_t recv_len) { if (!recv_len || !buffer_bitmap_size || recv_pos + recv_len > buffer_bitmap_size * 8) return; @@ -1020,7 +1021,9 @@ static void update_reasm_buf_bitmap(u_int8_t *buffer_bitmap, if (start_byte == end_byte) buffer_bitmap[start_byte] |= (((1U << recv_len) - 1U) << start_bit); // fill from bit 'start_bit' until bit 'end_bit', both inclusive else{ - for (u_int32_t i = start_byte + 1; i <= end_byte - 1; i++) + u_int32_t i; + + for (i = start_byte + 1; i <= end_byte - 1; i++) buffer_bitmap[i] = 0xff; // completely received byte buffer_bitmap[start_byte] |= ~((1U << start_bit) - 1U); // fill from bit 'start_bit' until bit 7, both inclusive buffer_bitmap[end_byte] |= (1U << (end_bit + 1U)) - 1U; // fill from bit 0 until bit 'end_bit', both inclusive @@ -1032,8 +1035,9 @@ static int is_reasm_buf_complete(const u_int8_t *buffer_bitmap, { const u_int32_t complete_bytes = buffer_len / 8; const u_int32_t remaining_bits = buffer_len % 8; + u_int32_t i; - for(u_int32_t i = 0; i < complete_bytes; i++) + for(i = 0; i < complete_bytes; i++) if (buffer_bitmap[i] != 0xff) return 0; @@ -1084,8 +1088,8 @@ static int is_ch_complete(const u_int8_t *buf, uint64_t buf_len) static int is_ch_reassembler_pending(struct ndpi_flow_struct *flow) { return flow->l4.udp.quic_reasm_buf != NULL && - !(is_reasm_buf_complete(flow->l4.udp.quic_reasm_buf_bitmap, flow->l4.udp.quic_reasm_buf_last_pos) - && is_ch_complete(flow->l4.udp.quic_reasm_buf, flow->l4.udp.quic_reasm_buf_last_pos)); + !(is_reasm_buf_complete(flow->l4.udp.quic_reasm_buf_bitmap, flow->l4.udp.quic_reasm_buf_last_pos) + && is_ch_complete(flow->l4.udp.quic_reasm_buf, flow->l4.udp.quic_reasm_buf_last_pos)); } static const uint8_t *get_reassembled_crypto_data(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, @@ -1110,7 +1114,7 @@ static const uint8_t *get_reassembled_crypto_data(struct ndpi_detection_module_s &crypto_data, crypto_data_len); if(rc == 0) { if(is_reasm_buf_complete(flow->l4.udp.quic_reasm_buf_bitmap, *crypto_data_len) && - is_ch_complete(crypto_data, *crypto_data_len)) { + is_ch_complete(crypto_data, *crypto_data_len)) { NDPI_LOG_DBG2(ndpi_struct, "Reassembler completed!\n"); return crypto_data; } @@ -1493,10 +1497,10 @@ static int may_be_initial_pkt(struct ndpi_detection_module_struct *ndpi_struct, of traffic with the QUIC bit greased i.e. having a server token. Accordind to https://tools.ietf.org/html/draft-thomson-quic-bit-grease-00#section-3.1 "A client MAY also clear the QUIC Bit in Initial packets that are sent - to establish a new connection. A client can only clear the QUIC Bit - if the packet includes a token provided by the server in a NEW_TOKEN - frame on a connection where the server also included the - grease_quic_bit transport parameter." */ + to establish a new connection. A client can only clear the QUIC Bit + if the packet includes a token provided by the server in a NEW_TOKEN + frame on a connection where the server also included the + grease_quic_bit transport parameter." */ if((*version & 0x0F0F0F0F) == 0x0a0a0a0a && !(pub_bit1 == 1 && pub_bit2 == 1)) { NDPI_LOG_DBG2(ndpi_struct, "Version 0x%x with first byte 0x%x\n", *version, first_byte); @@ -1510,7 +1514,7 @@ static int may_be_initial_pkt(struct ndpi_detection_module_struct *ndpi_struct, if (dest_conn_id_len > QUIC_MAX_CID_LENGTH || source_conn_id_len > QUIC_MAX_CID_LENGTH) { NDPI_LOG_DBG2(ndpi_struct, "Version 0x%x invalid CIDs length %u %u", - *version, dest_conn_id_len, source_conn_id_len); + *version, dest_conn_id_len, source_conn_id_len); return 0; } } @@ -1523,14 +1527,14 @@ static int may_be_initial_pkt(struct ndpi_detection_module_struct *ndpi_struct, /* ***************************************************************** */ static int eval_extra_processing(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, u_int32_t version) + struct ndpi_flow_struct *flow, u_int32_t version) { /* For the time being we need extra processing in two cases only: 1) to detect Snapchat calls, i.e. RTP/RTCP multiplxed with QUIC. - We noticed that Snapchat uses Q046, without any SNI. + We noticed that Snapchat uses Q046, without any SNI. 2) to reassemble CH fragments on multiple UDP packets. These two cases are mutually exclusive - */ + */ if((version == V_Q046 && flow->host_server_name[0] == '\0') || @@ -1557,8 +1561,8 @@ static int ndpi_search_quic_extra(struct ndpi_detection_module_struct *ndpi_stru /* We are elaborating a packet following the initial CHLO/ClientHello. Two cases: 1) Mutiplexing QUIC with RTP/RTCP. It should be quite generic, but - for the time being, we known only NDPI_PROTOCOL_SNAPCHAT_CALL having - such behaviour + for the time being, we known only NDPI_PROTOCOL_SNAPCHAT_CALL having + such behaviour 2) CH reasssembling is going on */ /* TODO: could we unify ndpi_search_quic() and ndpi_search_quic_extra() somehow? */ diff --git a/src/lib/protocols/raknet.c b/src/lib/protocols/raknet.c index 86e388a47..66fa0d066 100644 --- a/src/lib/protocols/raknet.c +++ b/src/lib/protocols/raknet.c @@ -165,12 +165,14 @@ void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, case 0x10: /* Connection Request Accepted */ case 0x13: /* New Incoming Connection */ { + size_t i; + ip_addr_offset = 4 + raknet_dissect_ip(packet, 0); if (op == 0x10) { ip_addr_offset += 2; // System Index } - for (size_t i = 0; i < 10; ++i) + for (i = 0; i < 10; ++i) { ip_addr_offset += 3 + raknet_dissect_ip(packet, ip_addr_offset); } diff --git a/src/lib/protocols/tftp.c b/src/lib/protocols/tftp.c index 2bf368cbe..07f2ca07f 100644 --- a/src/lib/protocols/tftp.c +++ b/src/lib/protocols/tftp.c @@ -66,8 +66,8 @@ void ndpi_search_tftp(struct ndpi_detection_module_struct { char const * const possible_modes[] = { "netascii", "octet", "mail" }; - uint8_t mode_found = 0; - for (uint8_t mode_idx = 0; mode_idx < sizeof(possible_modes) / sizeof(possible_modes[0]); ++mode_idx) + uint8_t mode_found = 0, mode_idx; + for(mode_idx = 0; mode_idx < sizeof(possible_modes) / sizeof(possible_modes[0]); ++mode_idx) { size_t const mode_len = strlen(possible_modes[mode_idx]); diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 81a17c457..608e4ffb3 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -83,15 +83,15 @@ union ja3_info { How to view the certificate fingerprint 1. Using wireshark save the certificate on certificate.bin file as explained - in https://security.stackexchange.com/questions/123851/how-can-i-extract-the-certificate-from-this-pcap-file + in https://security.stackexchange.com/questions/123851/how-can-i-extract-the-certificate-from-this-pcap-file 2. openssl x509 -inform der -in certificate.bin -text > certificate.der 3. openssl x509 -noout -fingerprint -sha1 -inform pem -in certificate.der - SHA1 Fingerprint=15:9A:76.... + SHA1 Fingerprint=15:9A:76.... $ shasum -a 1 www.grc.com.bin - 159a76..... - */ + 159a76..... +*/ #define NDPI_MAX_TLS_REQUEST_SIZE 10000 #define TLS_THRESHOLD 34387200 /* Threshold for certificate validity */ @@ -229,9 +229,9 @@ static void cleanupServerName(char *buffer, u_int buffer_len) { /* Return code -1: error (buffer too short) - 0: OK but buffer is not human readeable (so something went wrong) - 1: OK - */ + 0: OK but buffer is not human readeable (so something went wrong) + 1: OK +*/ static int extractRDNSequence(struct ndpi_packet_struct *packet, u_int offset, char *buffer, u_int buffer_len, char *rdnSeqBuf, u_int *rdnSeqBuf_offset, @@ -264,9 +264,9 @@ static int extractRDNSequence(struct ndpi_packet_struct *packet, if(is_printable) { int rc = ndpi_snprintf(&rdnSeqBuf[*rdnSeqBuf_offset], - rdnSeqBuf_len-(*rdnSeqBuf_offset), - "%s%s=%s", (*rdnSeqBuf_offset > 0) ? ", " : "", - label, buffer); + rdnSeqBuf_len-(*rdnSeqBuf_offset), + "%s%s=%s", (*rdnSeqBuf_offset > 0) ? ", " : "", + label, buffer); if(rc > 0 && ((u_int)rc > rdnSeqBuf_len-(*rdnSeqBuf_offset))) return -1; /* Truncated; not enough buffer */ @@ -509,115 +509,115 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi || (general_name_type == 0x87) /* ipAddress */ ) { - if((i < (packet->payload_packet_len - 1)) - && ((i + packet->payload[i + 1] + 2) < packet->payload_packet_len)) { - u_int8_t len = packet->payload[i + 1]; - char dNSName[256]; - u_int16_t dNSName_len; - - i += 2; - - /* The check "len > sizeof(dNSName) - 1" will be always false. If we add it, - the compiler is smart enough to detect it and throws a warning */ - if((len == 0 /* Looks something went wrong */) - || ((i+len) > packet->payload_packet_len)) - break; + if((i < (packet->payload_packet_len - 1)) + && ((i + packet->payload[i + 1] + 2) < packet->payload_packet_len)) { + u_int8_t len = packet->payload[i + 1]; + char dNSName[256]; + u_int16_t dNSName_len; + + i += 2; + + /* The check "len > sizeof(dNSName) - 1" will be always false. If we add it, + the compiler is smart enough to detect it and throws a warning */ + if((len == 0 /* Looks something went wrong */) + || ((i+len) > packet->payload_packet_len)) + break; - if(general_name_type == 0x87) { - if(len == 4 /* IPv4 */) { - ndpi_snprintf(dNSName, sizeof(dNSName), "%u.%u.%u.%u", - packet->payload[i] & 0xFF, - packet->payload[i+1] & 0xFF, - packet->payload[i+2] & 0xFF, - packet->payload[i+3] & 0xFF); - } else if(len == 16 /* IPv6 */) { - struct in6_addr addr = *(struct in6_addr *)&packet->payload[i]; - inet_ntop(AF_INET6, &addr, dNSName, sizeof(dNSName)); + if(general_name_type == 0x87) { + if(len == 4 /* IPv4 */) { + ndpi_snprintf(dNSName, sizeof(dNSName), "%u.%u.%u.%u", + packet->payload[i] & 0xFF, + packet->payload[i+1] & 0xFF, + packet->payload[i+2] & 0xFF, + packet->payload[i+3] & 0xFF); + } else if(len == 16 /* IPv6 */) { + struct in6_addr addr = *(struct in6_addr *)&packet->payload[i]; + inet_ntop(AF_INET6, &addr, dNSName, sizeof(dNSName)); + } else { + /* Is that possibile? Better safe than sorry */ + dNSName[0] = '\0'; + } } else { - /* Is that possibile? Better safe than sorry */ - dNSName[0] = '\0'; + strncpy(dNSName, (const char*)&packet->payload[i], len); + dNSName[len] = '\0'; } - } else { - strncpy(dNSName, (const char*)&packet->payload[i], len); - dNSName[len] = '\0'; - } - dNSName_len = strlen(dNSName); - cleanupServerName(dNSName, dNSName_len); + dNSName_len = strlen(dNSName); + cleanupServerName(dNSName, dNSName_len); #if DEBUG_TLS - printf("[TLS] dNSName %s [%s][len: %u][leftover: %d]\n", dNSName, - flow->host_server_name, len, - packet->payload_packet_len-i-len); + printf("[TLS] dNSName %s [%s][len: %u][leftover: %d]\n", dNSName, + flow->host_server_name, len, + packet->payload_packet_len-i-len); #endif - /* - We cannot use ndpi_is_valid_hostname() as we can have wildcards - here that will create false positives - */ - if(ndpi_is_printable_string(dNSName, dNSName_len) == 0) { - ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS); + /* + We cannot use ndpi_is_valid_hostname() as we can have wildcards + here that will create false positives + */ + if(ndpi_is_printable_string(dNSName, dNSName_len) == 0) { + ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS); - /* This looks like an attack */ - ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT); - } + /* This looks like an attack */ + ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT); + } - if(matched_name == 0) { + if(matched_name == 0) { #if DEBUG_TLS - printf("[TLS] Trying to match '%s' with '%s'\n", - flow->host_server_name, - dNSName); + printf("[TLS] Trying to match '%s' with '%s'\n", + flow->host_server_name, + dNSName); #endif - if(flow->host_server_name[0] == '\0') { - matched_name = 1; /* No SNI */ - } else if(dNSName[0] == '*') { - char * label = strstr(flow->host_server_name, &dNSName[1]); + if(flow->host_server_name[0] == '\0') { + matched_name = 1; /* No SNI */ + } else if(dNSName[0] == '*') { + char * label = strstr(flow->host_server_name, &dNSName[1]); - if(label != NULL) { - char * first_dot = strchr(flow->host_server_name, '.'); + if(label != NULL) { + char * first_dot = strchr(flow->host_server_name, '.'); - if((first_dot == NULL) || (first_dot <= label)) { - matched_name = 1; + if((first_dot == NULL) || (first_dot <= label)) { + matched_name = 1; + } } - } - } - else if(strcmp(flow->host_server_name, dNSName) == 0) { - matched_name = 1; + } + else if(strcmp(flow->host_server_name, dNSName) == 0) { + matched_name = 1; + } } - } - if(flow->protos.tls_quic.server_names == NULL) - flow->protos.tls_quic.server_names = ndpi_strdup(dNSName), - flow->protos.tls_quic.server_names_len = strlen(dNSName); - else { - u_int16_t newstr_len = flow->protos.tls_quic.server_names_len + dNSName_len + 1; - char *newstr = (char*)ndpi_realloc(flow->protos.tls_quic.server_names, - flow->protos.tls_quic.server_names_len+1, newstr_len+1); - - if(newstr) { - flow->protos.tls_quic.server_names = newstr; - flow->protos.tls_quic.server_names[flow->protos.tls_quic.server_names_len] = ','; - strncpy(&flow->protos.tls_quic.server_names[flow->protos.tls_quic.server_names_len+1], - dNSName, dNSName_len+1); - flow->protos.tls_quic.server_names[newstr_len] = '\0'; - flow->protos.tls_quic.server_names_len = newstr_len; + if(flow->protos.tls_quic.server_names == NULL) + flow->protos.tls_quic.server_names = ndpi_strdup(dNSName), + flow->protos.tls_quic.server_names_len = strlen(dNSName); + else { + u_int16_t newstr_len = flow->protos.tls_quic.server_names_len + dNSName_len + 1; + char *newstr = (char*)ndpi_realloc(flow->protos.tls_quic.server_names, + flow->protos.tls_quic.server_names_len+1, newstr_len+1); + + if(newstr) { + flow->protos.tls_quic.server_names = newstr; + flow->protos.tls_quic.server_names[flow->protos.tls_quic.server_names_len] = ','; + strncpy(&flow->protos.tls_quic.server_names[flow->protos.tls_quic.server_names_len+1], + dNSName, dNSName_len+1); + flow->protos.tls_quic.server_names[newstr_len] = '\0'; + flow->protos.tls_quic.server_names_len = newstr_len; + } } - } - if(!flow->protos.tls_quic.subprotocol_detected) - if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, dNSName, dNSName_len)) - flow->protos.tls_quic.subprotocol_detected = 1; + if(!flow->protos.tls_quic.subprotocol_detected) + if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, dNSName, dNSName_len)) + flow->protos.tls_quic.subprotocol_detected = 1; - i += len; - } else { + i += len; + } else { #if DEBUG_TLS - printf("[TLS] Leftover %u bytes", packet->payload_packet_len - i); + printf("[TLS] Leftover %u bytes", packet->payload_packet_len - i); #endif - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION); - break; - } - } else { + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION); + break; + } + } else { break; } } /* while */ @@ -712,8 +712,8 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, } certificates_length = (packet->payload[certificates_offset - 3] << 16) + - (packet->payload[certificates_offset - 2] << 8) + - packet->payload[certificates_offset - 1]; + (packet->payload[certificates_offset - 2] << 8) + + packet->payload[certificates_offset - 1]; if((packet->payload[certificates_offset - 3] != 0x0) || ((certificates_length+3) != length)) { ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET); @@ -956,9 +956,9 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, if (flow->l4.tcp.tls.message.buffer[1] == 0x03 && flow->l4.tcp.tls.message.buffer[2] <= 0x04 && alert_len == (u_int32_t)flow->l4.tcp.tls.message.buffer_used - 5) - { - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS); - } + { + ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS); + } } if((len > 9) @@ -999,12 +999,12 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, if(block_len < 16384 /* Max TLS block size */) ndpi_looks_like_tls(ndpi_struct, flow); - if (flow->l4.tcp.tls.message.buffer[1] == 0x03 && - flow->l4.tcp.tls.message.buffer[2] <= 0x04 && - block_len == (u_int32_t)flow->l4.tcp.tls.message.buffer_used - 5) - { - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS); - } + if (flow->l4.tcp.tls.message.buffer[1] == 0x03 && + flow->l4.tcp.tls.message.buffer[2] <= 0x04 && + block_len == (u_int32_t)flow->l4.tcp.tls.message.buffer_used - 5) + { + ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS); + } if(flow->l4.tcp.tls.certificate_processed) { if(flow->l4.tcp.tls.num_tls_blocks < ndpi_struct->num_tls_blocks_to_follow) @@ -1102,7 +1102,7 @@ static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct, #endif no_dtls = 1; break; - } + } /* TODO: handle (certificate) fragments */ if(block_len > 16) { handshake_len = (block[14] << 16) + (block[15] << 8) + block[16]; @@ -1165,7 +1165,7 @@ static void tlsInitExtraPacketProcessing(struct ndpi_detection_module_struct *nd /* **************************************** */ static void tlsCheckUncommonALPN(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { + struct ndpi_flow_struct *flow) { char * alpn_start = flow->protos.tls_quic.alpn; char * comma_or_nul = alpn_start; do { @@ -1229,14 +1229,14 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; if(extension_payload_offset + extension_len > packet->payload_packet_len) - { + { #ifdef DEBUG_TLS - printf("[TLS] extension length exceeds remaining packet length: %u > %u.\n", - extension_len, packet->payload_packet_len - extension_payload_offset); + printf("[TLS] extension length exceeds remaining packet length: %u > %u.\n", + extension_len, packet->payload_packet_len - extension_payload_offset); #endif - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION); - return; - } + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION); + return; + } /* see: https://www.wireshark.org/docs/wsar_html/packet-tls-utils_8h_source.html */ static u_int16_t const allowed_non_iana_extensions[] = { @@ -1252,42 +1252,44 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct, 102, 129, 52243, 52244, 57363, 65279, 65413 }; size_t const allowed_non_iana_extensions_size = sizeof(allowed_non_iana_extensions) / - sizeof(allowed_non_iana_extensions[0]); + sizeof(allowed_non_iana_extensions[0]); /* see: https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */ if(extension_id > 59 && extension_id != 65281) - { - u_int8_t extension_found = 0; - for (size_t i = 0; i < allowed_non_iana_extensions_size; ++i) - { - if(allowed_non_iana_extensions[i] == extension_id) - { - extension_found = 1; - break; - } - } - if(extension_found == 0) { + u_int8_t extension_found = 0; + size_t i; + + for (i = 0; i < allowed_non_iana_extensions_size; ++i) + { + if(allowed_non_iana_extensions[i] == extension_id) + { + extension_found = 1; + break; + } + } + if(extension_found == 0) + { #ifdef DEBUG_TLS - printf("[TLS] suspicious extension id: %u\n", extension_id); + printf("[TLS] suspicious extension id: %u\n", extension_id); #endif - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION); - return; + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION); + return; + } } - } /* Check for DTLS-only extensions. */ if(is_dtls == 0) - { - if(extension_id == 53 || extension_id == 54) { + if(extension_id == 53 || extension_id == 54) + { #ifdef DEBUG_TLS - printf("[TLS] suspicious DTLS-only extension id: %u\n", extension_id); + printf("[TLS] suspicious DTLS-only extension id: %u\n", extension_id); #endif - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION); - return; + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION); + return; + } } - } } /* **************************************** */ @@ -1452,9 +1454,9 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, } for(alpn_i=0; alpn_i<alpn_len; alpn_i++) - { - alpn_str[alpn_str_len+alpn_i] = packet->payload[s_offset+alpn_i]; - } + { + alpn_str[alpn_str_len+alpn_i] = packet->payload[s_offset+alpn_i]; + } s_offset += alpn_len, alpn_str_len += alpn_len;; } else { @@ -1544,7 +1546,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if(ndpi_struct->enable_ja3_plus) { for(i=0; (i<ja3.server.num_elliptic_curve_point_format) && (JA3_STR_LEN > ja3_str_len); i++) { rc = ndpi_snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", - (i > 0) ? "-" : "", ja3.server.elliptic_curve_point_format[i]); + (i > 0) ? "-" : "", ja3.server.elliptic_curve_point_format[i]); if((rc > 0) && (ja3_str_len + rc < JA3_STR_LEN)) ja3_str_len += rc; else break; } @@ -1568,7 +1570,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, for(i=0, j=0; i<16; i++) { int rc = ndpi_snprintf(&flow->protos.tls_quic.ja3_server[j], - sizeof(flow->protos.tls_quic.ja3_server)-j, "%02x", md5_hash[i]); + sizeof(flow->protos.tls_quic.ja3_server)-j, "%02x", md5_hash[i]); if(rc <= 0) break; else j += rc; } @@ -1621,7 +1623,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if(cipher_offset+i+1 < packet->payload_packet_len && ((packet->payload[cipher_offset+i] != packet->payload[cipher_offset+i+1]) || - ((packet->payload[cipher_offset+i] & 0xF) != 0xA)) /* Skip Grease */) { + ((packet->payload[cipher_offset+i] & 0xF) != 0xA)) /* Skip Grease */) { /* Skip GREASE [https://tools.ietf.org/id/draft-ietf-tls-grease-01.html] https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 @@ -1768,7 +1770,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, } if((extension_id == 0) || (packet->payload[extn_off] != packet->payload[extn_off+1]) || - ((packet->payload[extn_off] & 0xF) != 0xA)) { + ((packet->payload[extn_off] & 0xF) != 0xA)) { /* Skip GREASE */ if(ja3.client.num_tls_extension < MAX_NUM_JA3) @@ -1852,7 +1854,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, printf("Client TLS [EllipticCurve: %u/0x%04X]\n", s_group, s_group); #endif if((s_group == 0) || (packet->payload[s_offset+i] != packet->payload[s_offset+i+1]) - || ((packet->payload[s_offset+i] & 0xF) != 0xA)) { + || ((packet->payload[s_offset+i] & 0xF) != 0xA)) { /* Skip GREASE */ if(ja3.client.num_elliptic_curve < MAX_NUM_JA3) ja3.client.elliptic_curve[ja3.client.num_elliptic_curve++] = s_group; @@ -1994,10 +1996,10 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, flow->protos.tls_quic.browser_heuristics.is_chrome_tls = 0; if(safari_signature_algorithms != 8) - flow->protos.tls_quic.browser_heuristics.is_safari_tls = 0; + flow->protos.tls_quic.browser_heuristics.is_safari_tls = 0; if((chrome_signature_algorithms != 8) || duplicate_found) - flow->protos.tls_quic.browser_heuristics.is_chrome_tls = 0; + flow->protos.tls_quic.browser_heuristics.is_chrome_tls = 0; /* Avoid Chrome and Safari overlaps, thing that cannot happen with Firefox */ if(flow->protos.tls_quic.browser_heuristics.is_safari_tls) @@ -2070,7 +2072,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if(flow->protos.tls_quic.alpn == NULL) flow->protos.tls_quic.alpn = ndpi_strdup(alpn_str); - ndpi_snprintf(ja3.client.alpn, sizeof(ja3.client.alpn), "%s", alpn_str); + ndpi_snprintf(ja3.client.alpn, sizeof(ja3.client.alpn), "%s", alpn_str); /* Replace , with - as in JA3 */ for(i=0; ja3.client.alpn[i] != '\0'; i++) @@ -2106,17 +2108,17 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if((version_str_len+8) < sizeof(version_str)) { int rc = ndpi_snprintf(&version_str[version_str_len], - sizeof(version_str) - version_str_len, "%s%s", - (version_str_len > 0) ? "," : "", - ndpi_ssl_version2str(buf_ver_tmp, sizeof(buf_ver_tmp), tls_version, &unknown_tls_version)); + sizeof(version_str) - version_str_len, "%s%s", + (version_str_len > 0) ? "," : "", + ndpi_ssl_version2str(buf_ver_tmp, sizeof(buf_ver_tmp), tls_version, &unknown_tls_version)); if(rc <= 0) break; else version_str_len += rc; rc = ndpi_snprintf(&ja3.client.supported_versions[supported_versions_offset], - sizeof(ja3.client.supported_versions)-supported_versions_offset, - "%s%04X", (j > 0) ? "-" : "", tls_version); + sizeof(ja3.client.supported_versions)-supported_versions_offset, + "%s%04X", (j > 0) ? "-" : "", tls_version); if(rc > 0) supported_versions_offset += rc; @@ -2133,8 +2135,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, } else if(extension_id == 65486 /* encrypted server name */ && offset+extension_offset+1 < total_len) { /* - - https://tools.ietf.org/html/draft-ietf-tls-esni-06 - - https://blog.cloudflare.com/encrypted-sni/ + - https://tools.ietf.org/html/draft-ietf-tls-esni-06 + - https://blog.cloudflare.com/encrypted-sni/ */ int e_offset = offset+extension_offset; int e_sni_len; @@ -2148,44 +2150,44 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, /* Key Share Entry */ e_offset += 2; /* Group */ if(e_offset + 2 < packet->payload_packet_len) { - e_offset += ntohs(*((u_int16_t*)&packet->payload[e_offset])) + 2; /* Lenght */ - - if((e_offset+4) < packet->payload_packet_len) { - /* Record Digest */ - e_offset += ntohs(*((u_int16_t*)&packet->payload[e_offset])) + 2; /* Lenght */ + e_offset += ntohs(*((u_int16_t*)&packet->payload[e_offset])) + 2; /* Lenght */ if((e_offset+4) < packet->payload_packet_len) { - e_sni_len = ntohs(*((u_int16_t*)&packet->payload[e_offset])); - e_offset += 2; + /* Record Digest */ + e_offset += ntohs(*((u_int16_t*)&packet->payload[e_offset])) + 2; /* Lenght */ - if((e_offset+e_sni_len-(int)extension_len-initial_offset) >= 0 && - e_offset+e_sni_len < packet->payload_packet_len) { + if((e_offset+4) < packet->payload_packet_len) { + e_sni_len = ntohs(*((u_int16_t*)&packet->payload[e_offset])); + e_offset += 2; + + if((e_offset+e_sni_len-(int)extension_len-initial_offset) >= 0 && + e_offset+e_sni_len < packet->payload_packet_len) { #ifdef DEBUG_ENCRYPTED_SNI - printf("Client TLS [Encrypted Server Name len: %u]\n", e_sni_len); + printf("Client TLS [Encrypted Server Name len: %u]\n", e_sni_len); #endif - if(flow->protos.tls_quic.encrypted_sni.esni == NULL) { - flow->protos.tls_quic.encrypted_sni.esni = (char*)ndpi_malloc(e_sni_len*2+1); + if(flow->protos.tls_quic.encrypted_sni.esni == NULL) { + flow->protos.tls_quic.encrypted_sni.esni = (char*)ndpi_malloc(e_sni_len*2+1); - if(flow->protos.tls_quic.encrypted_sni.esni) { - u_int16_t off; - int i; + if(flow->protos.tls_quic.encrypted_sni.esni) { + u_int16_t off; + int i; - for(i=e_offset, off=0; i<(e_offset+e_sni_len); i++) { - int rc = sprintf(&flow->protos.tls_quic.encrypted_sni.esni[off], "%02X", packet->payload[i] & 0XFF); + for(i=e_offset, off=0; i<(e_offset+e_sni_len); i++) { + int rc = sprintf(&flow->protos.tls_quic.encrypted_sni.esni[off], "%02X", packet->payload[i] & 0XFF); - if(rc <= 0) { - break; - } else - off += rc; + if(rc <= 0) { + break; + } else + off += rc; + } + flow->protos.tls_quic.encrypted_sni.esni[off] = '\0'; } - flow->protos.tls_quic.encrypted_sni.esni[off] = '\0'; } } } } } - } } else if(extension_id == 65445 || /* QUIC transport parameters (drafts version) */ extension_id == 57) { /* QUIC transport parameters (final version) */ u_int16_t s_offset = offset+extension_offset; @@ -2233,11 +2235,11 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if(param_type==0x3129) { #ifdef DEBUG_TLS - printf("UA [%.*s]\n", (int)param_len, &packet->payload[s_offset]); + printf("UA [%.*s]\n", (int)param_len, &packet->payload[s_offset]); #endif - http_process_user_agent(ndpi_struct, flow, - &packet->payload[s_offset], param_len); - break; + http_process_user_agent(ndpi_struct, flow, + &packet->payload[s_offset], param_len); + break; } s_offset += param_len; } @@ -2258,7 +2260,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, for(i=0; i<ja3.client.num_cipher; i++) { rc = ndpi_snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", - (i > 0) ? "-" : "", ja3.client.cipher[i]); + (i > 0) ? "-" : "", ja3.client.cipher[i]); if((rc > 0) && (ja3_str_len + rc < JA3_STR_LEN)) ja3_str_len += rc; else break; } @@ -2269,7 +2271,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, for(i=0; i<ja3.client.num_tls_extension; i++) { rc = ndpi_snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", - (i > 0) ? "-" : "", ja3.client.tls_extension[i]); + (i > 0) ? "-" : "", ja3.client.tls_extension[i]); if((rc > 0) && (ja3_str_len + rc < JA3_STR_LEN)) ja3_str_len += rc; else break; } @@ -2280,7 +2282,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, for(i=0; i<ja3.client.num_elliptic_curve; i++) { rc = ndpi_snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", - (i > 0) ? "-" : "", ja3.client.elliptic_curve[i]); + (i > 0) ? "-" : "", ja3.client.elliptic_curve[i]); if((rc > 0) && (ja3_str_len + rc < JA3_STR_LEN)) ja3_str_len += rc; else break; } @@ -2289,13 +2291,13 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, for(i=0; i<ja3.client.num_elliptic_curve_point_format; i++) { rc = ndpi_snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", - (i > 0) ? "-" : "", ja3.client.elliptic_curve_point_format[i]); + (i > 0) ? "-" : "", ja3.client.elliptic_curve_point_format[i]); if((rc > 0) && (ja3_str_len + rc < JA3_STR_LEN)) ja3_str_len += rc; else break; } if(ndpi_struct->enable_ja3_plus) { rc = ndpi_snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, - ",%s,%s,%s", ja3.client.signature_algorithms, ja3.client.supported_versions, ja3.client.alpn); + ",%s,%s,%s", ja3.client.signature_algorithms, ja3.client.supported_versions, ja3.client.alpn); if((rc > 0) && (ja3_str_len + rc < JA3_STR_LEN)) ja3_str_len += rc; } @@ -2309,8 +2311,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, for(i=0, j=0; i<16; i++) { rc = ndpi_snprintf(&flow->protos.tls_quic.ja3_client[j], - sizeof(flow->protos.tls_quic.ja3_client)-j, "%02x", - md5_hash[i]); + sizeof(flow->protos.tls_quic.ja3_client)-j, "%02x", + md5_hash[i]); if(rc > 0) j += rc; else break; } |