author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-09-23 17:58:21 +0200 |
committer | GitHub <noreply@github.com> | 2024-09-23 17:58:21 +0200 |
commit | 2bf869ca594ccceca05985de648f7221e9848d37 (patch) | |
tree | 168d508a4265710588d22d1467380e37c64ddcdf | |
parent | efe1930b02544ea5ac2be18297fb93bdebeee1ff (diff) |
TLS: improve handling of Change Cipher message (#2564)
-rw-r--r-- | src/lib/protocols/tls.c | 15 | ||||
-rw-r--r-- | tests/cfgs/default/pcap/tls_change_cipher.pcap | bin | 0 -> 14001 bytes | |||
-rw-r--r-- | tests/cfgs/default/result/tls_change_cipher.pcap.out | 27 |
3 files changed, 37 insertions, 5 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 7f3b5f7ed..82caf0584 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1068,13 +1068,18 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 */
 flow->l4.tcp.tls.num_tls_blocks = 0;
 }
+ if(len == 6 &&
+ message->buffer[1] == 0x03 && /* TLS >= 1.0 */
+ ((message->buffer[3] << 8) + (message->buffer[4])) == 1) {
 #ifdef DEBUG_TLS
- printf("[TLS] Change Cipher Spec\n");
+ printf("[TLS] Change Cipher Spec\n");
 #endif
- flow->l4.tcp.tls.app_data_seen[packet->packet_direction] = 1;
- /* Further data is encrypted so we are not able to parse it without
- erros and without setting `something_went_wrong` variable */
- break;
+ ndpi_int_tls_add_connection(ndpi_struct, flow);
+ flow->l4.tcp.tls.app_data_seen[packet->packet_direction] = 1;
+ /* Further data is encrypted so we are not able to parse it without
+ erros and without setting `something_went_wrong` variable */
+ break;
+ }
 } else if(content_type == 0x15 /* Alert */) {
 /* https://techcommunity.microsoft.com/t5/iis-support-blog/ssl-tls-alert-protocol-and-the-alert-codes/ba-p/377132 */
 #ifdef DEBUG_TLS
diff --git a/tests/cfgs/default/pcap/tls_change_cipher.pcap b/tests/cfgs/default/pcap/tls_change_cipher.pcap
Binary files differ
new file mode 100644
index 000000000..ec41fa433
--- /dev/null
+++ b/tests/cfgs/default/pcap/tls_change_cipher.pcap
diff --git a/tests/cfgs/default/result/tls_change_cipher.pcap.out b/tests/cfgs/default/result/tls_change_cipher.pcap.out
new file mode 100644
index 000000000..e6dac3166
--- /dev/null
+++ b/tests/cfgs/default/result/tls_change_cipher.pcap.out
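Review bot: The new condition validates the record header (total length 6, major version byte 0x03, declared body length 1) but never looks at the single body byte at `message->buffer[5]`, which RFC 5246 §7.1 requires to be 0x01 for change_cipher_spec, so a 6-byte record with any body byte now classifies the flow as TLS via `ndpi_int_tls_add_connection`. I would tighten the third clause to `((message->buffer[3] << 8) + (message->buffer[4])) == 1 && message->buffer[5] == 0x01) {`, which is bounds-safe because `len == 6` is evaluated first. The `/* TLS >= 1.0 */` comment is slightly off: `buffer[1] == 0x03` also matches SSLv3 (0x0300) since the minor version byte is not checked. When the condition fails the record is neither marked in `app_data_seen` nor does the loop `break`, so a malformed CCS record now takes whatever path follows the if/else chain; that is presumably intended, but it depends on code outside this hunk. ndpi_search_tls_tcp begins before and ends after the hunk.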
@@ -0,0 +1,27 @@
+DPI Packets (TCP): 14 (14.00 pkts/flow)
+Confidence DPI : 1 (flows)
+Num dissector calls: 1 (1.00 diss/flow)
+LRU cache ookla: 0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache stun: 0/0/0 (insert/search/found)
+LRU cache tls_cert: 0/0/0 (insert/search/found)
+LRU cache mining: 0/0/0 (insert/search/found)
+LRU cache msteams: 0/0/0 (insert/search/found)
+LRU cache fpc_dns: 0/1/0 (insert/search/found)
+Automa host: 0/0 (search/found)
+Automa domain: 0/0 (search/found)
+Automa tls cert: 0/0 (search/found)
+Automa risk mask: 0/0 (search/found)
+Automa common alpns: 0/0 (search/found)
+Patricia risk mask: 0/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk: 0/0 (search/found)
+Patricia risk IPv6: 0/0 (search/found)
+Patricia protocols: 1/1 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+TLS 14 13753 1
+
+Safe 14 13753 1
+
+ 1 TCP 18.139.7.8:443 <-> 172.29.190.157:62797 [VLAN: 113][proto: GTP:91/TLS][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 265/AmazonAWS, Confidence: IP address][DPI packets: 14][cat: Web/5][1 pkts/134 bytes <-> 13 pkts/13619 bytes][Goodput ratio: 0/88][4.99 sec][bytes ratio: -0.981 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/438 0/4677 0/1341][Pkt Len c2s/s2c min/avg/max/stddev: 134/194 134/1048 134/1458 0/494][PLAIN TEXT (oCpI.P7)][Plen Bins: 0,0,7,0,7,0,0,0,7,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,7,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,55,0,0,0,0,0,0] |