authorToni Uhlig <matzeton@googlemail.com>2022-07-04 12:01:11 +0200
committerToni Uhlig <matzeton@googlemail.com>2022-07-04 14:41:48 +0200
commit521a909441273cf2a4f949054baceba9a8ad164c (patch)
tree3b654fad0cd02f29a5a36c638e4cf0b21dc16cc8
parent44459895889042e8d4e434c2f2b5cdece15a5728 (diff)
Replaced malicious JA3-md5/SSL-cert-sha1 ac automata with hashmaps.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r--src/include/ndpi_typedefs.h18
-rw-r--r--src/lib/ndpi_main.c100
-rw-r--r--src/lib/ndpi_utils.c5
-rw-r--r--src/lib/protocols/tls.c18
4 files changed, 56 insertions, 85 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 727bf41f7..f63b2d670 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -969,6 +969,12 @@ typedef struct _ndpi_automa {
void *ac_automa; /* Real type is AC_AUTOMATA_t */
} ndpi_automa;
+typedef struct ndpi_str_hash {
+ unsigned int hash;
+ void *value;
+ u_int8_t private_data[0];
+} ndpi_str_hash;
+
typedef struct ndpi_proto {
/*
Note
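Review bot: The relocated `ndpi_str_hash` keeps `u_int8_t private_data[0];`, a zero-length array that is a GNU extension rather than standard C; the C99 flexible array member `u_int8_t private_data[];` expresses the same trailing-storage intent portably and lets `-pedantic` builds compile the header. Since the struct is now part of the public detection-module layout, a one-line comment on the field saying what the trailing bytes hold would help readers, as nothing on this page states it. The typedef is moved verbatim, so this is pre-existing, but it is the natural moment to fix it.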
@@ -1058,8 +1064,8 @@ struct ndpi_detection_module_struct {
/* HTTP/DNS/HTTPS/QUIC host matching */
ndpi_automa host_automa, /* Used for DNS/HTTPS */
risky_domain_automa, tls_cert_subject_automa,
- malicious_ja3_automa, malicious_sha1_automa,
- host_risk_mask_automa, common_alpns_automa;
+ host_risk_mask_automa, common_alpns_automa;
+ ndpi_str_hash *malicious_ja3_hashmap, *malicious_sha1_hashmap;
/* IMPORTANT: please update ndpi_finalize_initialization() whenever you add a new automa */
ndpi_list *trusted_issuer_dn;
@@ -1621,14 +1627,6 @@ struct ndpi_bin {
/* **************************************** */
-typedef struct ndpi_str_hash {
- unsigned int hash;
- void *value;
- u_int8_t private_data[0];
-} ndpi_str_hash;
-
-/* **************************************** */
-
#define HW_HISTORY_LEN 4
#define MAX_SQUARE_ERROR_ITERATIONS 64 /* MUST be < num_values_rollup (256 max) */
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 3a1afa695..4a10257ec 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -2609,8 +2609,8 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs
ndpi_str->common_alpns_automa.ac_automa = ac_automata_init(ac_domain_match_handler);
load_common_alpns(ndpi_str);
ndpi_str->tls_cert_subject_automa.ac_automa = ac_automata_init(NULL);
- ndpi_str->malicious_ja3_automa.ac_automa = NULL; /* Initialized on demand */
- ndpi_str->malicious_sha1_automa.ac_automa = NULL; /* Initialized on demand */
+ ndpi_str->malicious_ja3_hashmap = NULL; /* Initialized on demand */
+ ndpi_str->malicious_sha1_hashmap = NULL; /* Initialized on demand */
ndpi_str->risky_domain_automa.ac_automa = NULL; /* Initialized on demand */
ndpi_str->trusted_issuer_dn = NULL;
@@ -2740,42 +2740,19 @@ void ndpi_finalize_initialization(struct ndpi_detection_module_struct *ndpi_str)
if(ndpi_str->ac_automa_finalized) return;
- for(i = 0; i < 99; i++) {
- ndpi_automa *automa;
+ ndpi_automa * const automa[] = { &ndpi_str->host_automa,
+ &ndpi_str->tls_cert_subject_automa,
+ &ndpi_str->host_risk_mask_automa,
+ &ndpi_str->common_alpns_automa };
- switch(i) {
- case 0:
- automa = &ndpi_str->host_automa;
- break;
-
- case 1:
- automa = &ndpi_str->tls_cert_subject_automa;
- break;
-
- case 2:
- automa = &ndpi_str->malicious_ja3_automa;
- break;
-
- case 3:
- automa = &ndpi_str->malicious_sha1_automa;
- break;
-
- case 4:
- automa = &ndpi_str->host_risk_mask_automa;
- break;
-
- case 5:
- automa = &ndpi_str->common_alpns_automa;
- break;
-
- default:
- ndpi_str->ac_automa_finalized = 1;
- return;
- }
+ for(i = 0; i < NDPI_ARRAY_LENGTH(automa); ++i) {
+ ndpi_automa *a = automa[i];
- if(automa && automa->ac_automa)
- ac_automata_finalize((AC_AUTOMATA_t *) automa->ac_automa);
+ if(a && a->ac_automa)
+ ac_automata_finalize((AC_AUTOMATA_t *) a->ac_automa);
}
+
+ ndpi_str->ac_automa_finalized = 1;
}
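Review bot: `if(a && a->ac_automa)` guards against a NULL `a`, but every element of `automa[]` is the address of a member of `*ndpi_str`, so `a` can never be NULL and `if(a->ac_automa)` is the honest condition. The loop index `i` is declared above the hunk; if it is still an `int`, comparing it with `NDPI_ARRAY_LENGTH(automa)` mixes signed and unsigned arithmetic and triggers `-Wsign-compare`, which `size_t i` (or a cast) avoids. The enclosing ndpi_finalize_initialization() starts before the hunk.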
/* *********************************************** */
@@ -3024,13 +3001,11 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_str) {
if(ndpi_str->tls_cert_subject_automa.ac_automa != NULL)
ac_automata_release((AC_AUTOMATA_t *) ndpi_str->tls_cert_subject_automa.ac_automa, 0);
- if(ndpi_str->malicious_ja3_automa.ac_automa != NULL)
- ac_automata_release((AC_AUTOMATA_t *) ndpi_str->malicious_ja3_automa.ac_automa,
- 1 /* free patterns strings memory */);
+ if(ndpi_str->malicious_ja3_hashmap != NULL)
+ ndpi_hash_free(&ndpi_str->malicious_ja3_hashmap, NULL);
- if(ndpi_str->malicious_sha1_automa.ac_automa != NULL)
- ac_automata_release((AC_AUTOMATA_t *) ndpi_str->malicious_sha1_automa.ac_automa,
- 1 /* free patterns strings memory */);
+ if(ndpi_str->malicious_sha1_hashmap != NULL)
+ ndpi_hash_free(&ndpi_str->malicious_sha1_hashmap, NULL);
if(ndpi_str->custom_categories.hostnames.ac_automa != NULL)
ac_automata_release((AC_AUTOMATA_t *) ndpi_str->custom_categories.hostnames.ac_automa,
@@ -3656,14 +3631,12 @@ int ndpi_load_risk_domain_file(struct ndpi_detection_module_struct *ndpi_str, co
*
*/
int ndpi_load_malicious_ja3_file(struct ndpi_detection_module_struct *ndpi_str, const char *path) {
- char buffer[128], *line, *str;
+ char buffer[128], *line;
FILE *fd;
int len, num = 0;
- if(ndpi_str->malicious_ja3_automa.ac_automa == NULL)
- ndpi_str->malicious_ja3_automa.ac_automa = ac_automata_init(NULL);
- if(ndpi_str->malicious_ja3_automa.ac_automa)
- ac_automata_name(ndpi_str->malicious_ja3_automa.ac_automa,"ja3",0);
+ if(ndpi_str->malicious_ja3_hashmap == NULL && ndpi_hash_init(&ndpi_str->malicious_ja3_hashmap) != 0)
+ return(-1);
fd = fopen(path, "r");
@@ -3690,13 +3663,14 @@ int ndpi_load_malicious_ja3_file(struct ndpi_detection_module_struct *ndpi_str,
if((comma = strchr(line, ',')) != NULL)
comma[0] = '\0';
- str = ndpi_strdup(line);
- if (str == NULL) {
- NDPI_LOG_ERR(ndpi_str, "Memory allocation failure\n");
- return -1;
- };
+ len = strlen(line);
+
+ if(len != 32 /* size of MD5 hash */) {
+ NDPI_LOG_ERR(ndpi_str, "Not a JA3 md5 hash: [%s]\n", line);
+ continue;
+ }
- if(ndpi_add_string_to_automa(ndpi_str->malicious_ja3_automa.ac_automa, str) >= 0)
+ if(ndpi_hash_add_entry(&ndpi_str->malicious_ja3_hashmap, line, len, NULL) == 0)
num++;
}
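Review bot: The new length check accepts any 32-byte line and stores it with whatever letter case the list file uses, while the lookup in tls.c hashes the key bytes as they are, so an uppercase MD5 in the file would never match a lowercase `ja3_client` (or vice versa); the sha1 loader normalizes with `toupper`, but nothing equivalent happens here. Assuming `ja3_client` is produced as lowercase hex, as JA3 digests conventionally are (confirm against the producer, which is outside this page), normalizing before insertion with `for(char *p = line; *p; ++p) *p = tolower((unsigned char)*p);` keeps entries comparable, and rejecting non-hex characters would also catch malformed lines instead of silently inserting them. The same missing hex validation applies to the sha1 hunk below, where `toupper(first_comma[i])` should also cast to `unsigned char` since `toupper` on a negative plain `char` is undefined. `len = strlen(line)` narrows `size_t` to the `int len` declared above. ndpi_load_malicious_ja3_file() continues outside the hunk.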
@@ -3718,15 +3692,13 @@ int ndpi_load_malicious_ja3_file(struct ndpi_detection_module_struct *ndpi_str,
int ndpi_load_malicious_sha1_file(struct ndpi_detection_module_struct *ndpi_str, const char *path)
{
char buffer[128];
- char *first_comma, *second_comma, *str;
+ char *first_comma, *second_comma;
FILE *fd;
size_t i, len;
int num = 0;
- if (ndpi_str->malicious_sha1_automa.ac_automa == NULL)
- ndpi_str->malicious_sha1_automa.ac_automa = ac_automata_init(NULL);
- if(ndpi_str->malicious_sha1_automa.ac_automa)
- ac_automata_name(ndpi_str->malicious_sha1_automa.ac_automa,"sha1",0);
+ if (ndpi_str->malicious_sha1_hashmap == NULL && ndpi_hash_init(&ndpi_str->malicious_sha1_hashmap) != 0)
+ return(-1);
fd = fopen(path, "r");
@@ -3752,20 +3724,16 @@ int ndpi_load_malicious_sha1_file(struct ndpi_detection_module_struct *ndpi_str,
second_comma = &buffer[len - 1];
}
- if ((second_comma - first_comma) != 40)
- continue;
second_comma[0] = '\0';
+ if ((second_comma - first_comma) != 40) {
+ NDPI_LOG_ERR(ndpi_str, "Not a SSL certificate sha1 hash: [%s]\n", first_comma);
+ continue;
+ }
for (i = 0; i < 40; ++i)
first_comma[i] = toupper(first_comma[i]);
- str = ndpi_strdup(first_comma);
- if (str == NULL) {
- NDPI_LOG_ERR(ndpi_str, "Memory allocation failure\n");
- return -1;
- };
-
- if (ndpi_add_string_to_automa(ndpi_str->malicious_sha1_automa.ac_automa, str) >= 0)
+ if(ndpi_hash_add_entry(&ndpi_str->malicious_sha1_hashmap, first_comma, second_comma - first_comma, NULL) == 0)
num++;
}
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index c75ecf151..f243b62fb 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -2130,7 +2130,10 @@ int ndpi_hash_find_entry(ndpi_str_hash *h, char *key, u_int key_len, void **valu
HASH_FIND_INT(h_priv, &hash_value, found);
if (found != NULL)
{
- *value = found->value;
+ if (value != NULL)
+ {
+ *value = found->value;
+ }
return 0;
} else {
return 1;
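Review bot: Accepting a NULL `value` is a contract change that nothing documents, and the new callers in tls.c rely on it; the declaration should say so, e.g. `/* value may be NULL when only existence is needed; returns 0 if key is present, 1 otherwise */`. The visible lines only show the found/not-found returns, so if the function has other error returns above the hunk, the comment should list them too. `key` is not written through here and could be `const char *`, which would let callers pass constant strings without a cast. ndpi_hash_find_entry() starts before the hunk.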
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 9a1fa713c..79846f670 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -823,10 +823,10 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
printf("[TLS] SHA-1: %s\n", sha1_str);
#endif
- if(ndpi_struct->malicious_sha1_automa.ac_automa != NULL) {
- u_int16_t rc1 = ndpi_match_string(ndpi_struct->malicious_sha1_automa.ac_automa, sha1_str);
+ if(ndpi_struct->malicious_sha1_hashmap != NULL) {
+ u_int16_t rc1 = ndpi_hash_find_entry(ndpi_struct->malicious_sha1_hashmap, sha1_str, sha1_siz * 2, NULL);
- if(rc1 > 0)
+ if(rc1 == 0)
ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_SHA1_CERTIFICATE, sha1_str);
}
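Review bot: `rc1` is declared `u_int16_t` but `ndpi_hash_find_entry` returns `int`; any negative error return would wrap to 65535, which the `== 0` test treats as "not found", so a lookup failure silently suppresses the risk. `int rc1 = ndpi_hash_find_entry(...);` keeps error values distinguishable from a genuine miss. The match is now an exact byte comparison: the loader uppercases file entries, so `sha1_str` must be formatted as uppercase hex (its formatting is outside the hunk; confirm). The same case-sensitivity concern applies to the JA3 lookup in the next hunk. processCertificate() starts before the hunk.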
@@ -2392,12 +2392,14 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
printf("[JA3] Client: %s \n", flow->protos.tls_quic.ja3_client);
#endif
- if(ndpi_struct->malicious_ja3_automa.ac_automa != NULL) {
- u_int16_t rc1 = ndpi_match_string(ndpi_struct->malicious_ja3_automa.ac_automa,
- flow->protos.tls_quic.ja3_client);
+ if(ndpi_struct->malicious_ja3_hashmap != NULL) {
+ u_int16_t rc1 = ndpi_hash_find_entry(ndpi_struct->malicious_ja3_hashmap,
+ flow->protos.tls_quic.ja3_client,
+ NDPI_ARRAY_LENGTH(flow->protos.tls_quic.ja3_client) - 1,
+ NULL);
- if(rc1 > 0)
- ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_JA3, flow->protos.tls_quic.ja3_client);
+ if(rc1 == 0)
+ ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_JA3, flow->protos.tls_quic.ja3_client);
}
}
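Review bot: The key length is taken from the buffer size, `NDPI_ARRAY_LENGTH(flow->protos.tls_quic.ja3_client) - 1`, rather than from the string, so it only equals the loader's 32-byte entries if `ja3_client` is always a fully populated MD5 hex string. If the buffer can hold a shorter or empty string, the hash covers trailing NUL bytes and never matches a loaded entry, silently disabling the risk; `strlen(flow->protos.tls_quic.ja3_client)` or an explicit `== 32` guard ties the lookup to the validation the loader now performs. `u_int16_t rc1` has the same wrap-around issue as in the sha1 hunk. processClientServerHello() starts before the hunk.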