author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-09-03 12:44:22 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-09-03 12:44:22 +0200 |
commit | eb133b8fa5525330fc4e045b2184d5a5ac0197eb (patch) | |
tree | 4dde665f441cf225d147fb5056a29d6584916598 | |
parent | f2da1698953cca5797003935bb90d69d4fbc3dda (diff) |
TLS: better state about handshake (#2534)
Keep track of whether we received CH and/or SH messages: useful with
unidirectional flows
-rw-r--r-- | example/ndpiSimpleIntegration.c | 2 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 2 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/quic.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 34 |
5 files changed, 28 insertions, 16 deletions
diff --git a/example/ndpiSimpleIntegration.c b/example/ndpiSimpleIntegration.c
index dca3cdd29..e51ceba3f 100644
--- a/example/ndpiSimpleIntegration.c
+++ b/example/ndpiSimpleIntegration.c
@@ -952,7 +952,7 @@ static void ndpi_process_packet(uint8_t * const args,
 flow_to_process->detected_l7_protocol.proto.app_protocol == NDPI_PROTOCOL_TLS)
 {
 if (flow_to_process->tls_client_hello_seen == 0 &&
- flow_to_process->ndpi_flow->protos.tls_quic.hello_processed != 0)
+ flow_to_process->ndpi_flow->protos.tls_quic.client_hello_processed != 0)
 {
 uint8_t unknown_tls_version = 0;
 char buf_ver[16];
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 6c07341f7..0756e5a24 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1356,7 +1356,7 @@ struct ndpi_flow_struct {
 char ja3_client[33], ja3_server[33], ja4_client[37];
 u_int16_t server_cipher;
 u_int8_t sha1_certificate_fingerprint[20];
- u_int8_t hello_processed:1, ch_direction:1, subprotocol_detected:1, fingerprint_set:1, webrtc:1, _pad:3;
+ u_int8_t client_hello_processed:1, ch_direction:1, subprotocol_detected:1, server_hello_processed:1, fingerprint_set:1, webrtc:1, _pad:2;
 
 #ifdef TLS_HANDLE_SIGNATURE_ALGORITMS
 /* Under #ifdef to save memory for those who do not need them */
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index dfe6cf1f5..543c784b9 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -809,7 +809,7 @@ static const char* ndpi_get_flow_info_by_proto_id(struct ndpi_flow_struct const
 
 case NDPI_PROTOCOL_QUIC:
 case NDPI_PROTOCOL_TLS:
- if(flow->protos.tls_quic.hello_processed != 0)
+ if(flow->protos.tls_quic.client_hello_processed != 0)
 return flow->host_server_name;
 break;
 }
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index 5ff7e0e88..939413ea7 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
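Review bot: The new `server_hello_processed` bit added next to the renamed `client_hello_processed` in the src/include/ndpi_typedefs.h hunk carries no comment, so a reader of `struct ndpi_flow_struct` (whose declaration starts and ends outside the hunk) cannot tell from the header what each bit promises or that only one of them may ever be set. A short comment above the bitfield line would fix that, e.g. `/* client/server_hello_processed: the corresponding Hello has been parsed; on unidirectional flows only one of them may be set. ch_direction: direction of the Client Hello (inferred from the Server Hello when that is all we saw) */`. The remaining hunks on this line are plain renames of the old `hello_processed` flag and need nothing further.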
@@ -1395,7 +1395,7 @@ void process_tls(struct ndpi_detection_module_struct *ndpi_struct,
 packet->payload_packet_len = crypto_data_len;
 
 processClientServerHello(ndpi_struct, flow, flow->protos.tls_quic.quic_version);
- flow->protos.tls_quic.hello_processed = 1; /* Allow matching of custom categories */
+ flow->protos.tls_quic.client_hello_processed = 1; /* Allow matching of custom categories */
 
 /* Restore */
 packet->payload = p;
@@ -1462,7 +1462,7 @@ void process_chlo(struct ndpi_detection_module_struct *ndpi_struct,
 flow->host_server_name,
 strlen(flow->host_server_name),
 &ret_match, NDPI_PROTOCOL_QUIC);
- flow->protos.tls_quic.hello_processed = 1; /* Allow matching of custom categories */
+ flow->protos.tls_quic.client_hello_processed = 1; /* Allow matching of custom categories */
 
 ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1, 0);
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 0bdcf216b..a41b2d691 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -913,24 +913,34 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
 
 switch(packet->payload[0] /* block type */) {
 case 0x01: /* Client Hello */
+ flow->protos.tls_quic.client_hello_processed = 1;
+ flow->protos.tls_quic.ch_direction = packet->packet_direction;
+ processClientServerHello(ndpi_struct, flow, 0);
+ ndpi_int_tls_add_connection(ndpi_struct, flow);
+
+#ifdef DEBUG_TLS
+ printf("*** TLS [version: %02X][Client Hello]\n",
+ flow->protos.tls_quic.ssl_version);
+#endif
+
+ checkTLSSubprotocol(ndpi_struct, flow, packet->payload[0] == 0x01);
+ break;
+
 case 0x02: /* Server Hello */
+ flow->protos.tls_quic.server_hello_processed = 1;
+ flow->protos.tls_quic.ch_direction = !packet->packet_direction;
 processClientServerHello(ndpi_struct, flow, 0);
- flow->protos.tls_quic.hello_processed = 1;
- flow->protos.tls_quic.ch_direction = (packet->payload[0] == 0x01 ? packet->packet_direction : !packet->packet_direction);
 ndpi_int_tls_add_connection(ndpi_struct, flow);
 
 #ifdef DEBUG_TLS
- printf("*** TLS [version: %02X][%s Hello]\n",
- flow->protos.tls_quic.ssl_version,
- (packet->payload[0] == 0x01) ? "Client" : "Server");
+ printf("*** TLS [version: %02X][Server Hello]\n",
+ flow->protos.tls_quic.ssl_version);
 #endif
 
- if((!is_dtls && flow->protos.tls_quic.ssl_version >= 0x0304 /* TLS 1.3 */)
- && (packet->payload[0] == 0x02 /* Server Hello */)) {
+ if(!is_dtls && flow->protos.tls_quic.ssl_version >= 0x0304 /* TLS 1.3 */) {
 flow->tls_quic.certificate_processed = 1; /* No Certificate with TLS 1.3+ */
 }
- if((is_dtls && flow->protos.tls_quic.ssl_version == 0xFEFC /* DTLS 1.3 */)
- && (packet->payload[0] == 0x02 /* Server Hello */)) {
+ if(is_dtls && flow->protos.tls_quic.ssl_version == 0xFEFC /* DTLS 1.3 */) {
 flow->tls_quic.certificate_processed = 1; /* No Certificate with DTLS 1.3+ */
 }
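Review bot: In the new `case 0x01` branch the call `checkTLSSubprotocol(ndpi_struct, flow, packet->payload[0] == 0x01)` passes an expression that is always true at that point, since the switch already matched 0x01; a literal reads more honestly, `checkTLSSubprotocol(ndpi_struct, flow, 1 /* Client Hello */);`. The two branches now repeat `processClientServerHello`, `ndpi_int_tls_add_connection` and the `DEBUG_TLS` printf; if the split is deliberate so that either Hello can be handled alone on a unidirectional flow, a one-line comment above `case 0x01` saying so would stop the next reader from merging them back. Both branches also write `ch_direction`, so a Server Hello seen after a Client Hello silently overwrites the direction the Client Hello established; that was already the case with the old ternary, but it is worth a comment now that the two writes are in separate places. `processTLSBlock` and the switch continue outside the hunk, so the trailing context after the DTLS block is not visible here.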
@@ -940,7 +950,8 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
 case 0x0b: /* Certificate */
 /* Important: populate the tls union fields only after
 * ndpi_int_tls_add_connection has been called */
- if(flow->protos.tls_quic.hello_processed) {
+ if(flow->protos.tls_quic.client_hello_processed ||
+ flow->protos.tls_quic.server_hello_processed) {
 /* Only certificates from the server */
 if(flow->protos.tls_quic.ch_direction != packet->packet_direction) {
 ret = processCertificate(ndpi_struct, flow);
@@ -1174,7 +1185,8 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 if((ndpi_struct->cfg.ookla_aggressiveness & NDPI_AGGRESSIVENESS_OOKLA_TLS) && /* Feature enabled */
 (!something_went_wrong &&
 flow->tls_quic.certificate_processed == 1 &&
- flow->protos.tls_quic.hello_processed == 1) && /* TLS handshake found without errors */
+ flow->protos.tls_quic.client_hello_processed == 1 &&
+ flow->protos.tls_quic.server_hello_processed == 1) && /* TLS handshake found without errors */
 flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS && /* No IMAPS/FTPS/... */
 flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN && /* No sub-classification */
 ntohs(flow->s_port) == 8080 && /* Ookla port */
|