author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2022-10-25 17:06:29 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-10-25 17:06:29 +0200 |
commit | ca5ffc498873805c07a29c6d8af3e995963c055d (patch) | |
tree | efbc859babc7668069c9576b54439ffe10cc9859 /example | |
parent | 2ed2e5dc7e072d41065a7c04da5db598150c71fa (diff) |
TLS: improve handling of ALPN(s) (#1784)
Tell "Advertised" ALPN list from "Negotiated" ALPN; the former is
extracted from the CH, the latter from the SH.
Add some entries to the known ALPN list.
Fix printing of "TLS Supported Versions" field.
Diffstat (limited to 'example')
-rw-r--r-- | example/ndpiReader.c | 27 | ||||
-rw-r--r-- | example/ndpiSimpleIntegration.c | 6 | ||||
-rw-r--r-- | example/reader_util.c | 43 | ||||
-rw-r--r-- | example/reader_util.h | 8 |
4 files changed, 35 insertions, 49 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 2e206b578..96dd46881 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -767,7 +767,7 @@ void printCSVHeader() {
 fprintf(csv_fp, "server_info,");
 fprintf(csv_fp, "tls_version,ja3c,tls_client_unsafe,");
 fprintf(csv_fp, "ja3s,tls_server_unsafe,");
- fprintf(csv_fp, "tls_alpn,tls_supported_versions,");
+ fprintf(csv_fp, "advertised_alpns,negotiated_alpn,tls_supported_versions,");
 #if 0
 fprintf(csv_fp, "tls_issuerDN,tls_subjectDN,");
 #endif
@@ -1341,8 +1341,9 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
 (flow->ssh_tls.ja3_server[0] != '\0') ? flow->ssh_tls.ja3_server : "", (flow->ssh_tls.ja3_server[0] != '\0') ? is_unsafe_cipher(flow->ssh_tls.server_unsafe_cipher) : "0");
- fprintf(csv_fp, "%s,%s,",
- flow->ssh_tls.tls_alpn ? flow->ssh_tls.tls_alpn : "",
+ fprintf(csv_fp, "%s,%s,%s,",
+ flow->ssh_tls.advertised_alpns ? flow->ssh_tls.advertised_alpns : "",
+ flow->ssh_tls.negotiated_alpn ? flow->ssh_tls.negotiated_alpn : "",
 flow->ssh_tls.tls_supported_versions ? flow->ssh_tls.tls_supported_versions : ""
 );
@@ -1541,16 +1542,16 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
 }
 }
 break;
+ }
- case INFO_TLS_QUIC_ALPN_VERSION:
- fprintf(out, "[ALPN: %s][TLS Supported Versions: %s]",
- flow->tls_quic.alpn, flow->tls_quic.tls_supported_versions);
- break;
+ if(flow->ssh_tls.advertised_alpns) fprintf(out, "[(Advertised) ALPNs: %s]", flow->ssh_tls.advertised_alpns);
- case INFO_TLS_QUIC_ALPN_ONLY:
- fprintf(out, "[ALPN: %s]", flow->tls_quic.alpn);
- break;
- }
+ if(flow->ssh_tls.negotiated_alpn) fprintf(out, "[(Negotiated) ALPN: %s]", flow->ssh_tls.negotiated_alpn);
+
+ if(flow->ssh_tls.tls_supported_versions) fprintf(out, "[TLS Supported Versions: %s]", flow->ssh_tls.tls_supported_versions);
 if(flow->flow_extra_info[0] != '\0') fprintf(out, "[%s]", flow->flow_extra_info);
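Review bot: The three `fprintf(out, ...)` calls added after the new closing `}` print `advertised_alpns`, `negotiated_alpn` and `tls_supported_versions` with `%s`, and those strings are copies of what the peer placed in the ClientHello/ServerHello; the only sanitisation visible in this commit is `correct_csv_data_field()` in reader_util.c, whose name suggests it only neutralises CSV separators, so if that is all it does, control or escape bytes inside an ALPN identifier reach the terminal unfiltered. If nDPI already restricts these fields to printable characters, say so where they are printed, e.g. `/* ALPN/version strings come from the peer; relies on nDPI keeping them printable, correct_csv_data_field() only fixes separators */`; otherwise filter them before printing. Note also that these fields are now printed after the `info_type` switch rather than from a case inside it, so they appear whenever the copies exist regardless of `info_type`, which looks intended but is worth a one-line comment. printFlow's body starts before this hunk and continues after it.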
@@ -3249,14 +3250,14 @@ static void printFlowsStats() {
 || (all_flows[i].flow->detected_protocol.app_protocol == NDPI_PROTOCOL_TLS) || (all_flows[i].flow->detected_protocol.app_protocol == NDPI_PROTOCOL_DOH_DOT) )
- && all_flows[i].flow->ssh_tls.tls_alpn /* ALPN */
+ && all_flows[i].flow->ssh_tls.advertised_alpns /* ALPN */
 ) {
 if(check_bin_doh_similarity(&bins[i], &s)) printf("[DoH (%f distance)]", s);
 else printf("[NO DoH (%f distance)]", s);
 } else {
- if(all_flows[i].flow->ssh_tls.tls_alpn == NULL)
+ if(all_flows[i].flow->ssh_tls.advertised_alpns == NULL)
 printf("[NO DoH check: missing ALPN]");
 }
 }
diff --git a/example/ndpiSimpleIntegration.c b/example/ndpiSimpleIntegration.c
index 604fef242..81ac179da 100644
--- a/example/ndpiSimpleIntegration.c
+++ b/example/ndpiSimpleIntegration.c
@@ -943,7 +943,7 @@ static void ndpi_process_packet(uint8_t * const args,
 {
 uint8_t unknown_tls_version = 0;
 char buf_ver[16];
- printf("[%8llu, %d, %4d][TLS-CLIENT-HELLO] version: %s | sni: %s | alpn: %s\n",
+ printf("[%8llu, %d, %4d][TLS-CLIENT-HELLO] version: %s | sni: %s | (advertised) ALPNs: %s\n",
 workflow->packets_captured, reader_thread->array_index, flow_to_process->flow_id,
@@ -951,8 +951,8 @@ static void ndpi_process_packet(uint8_t * const args,
 flow_to_process->ndpi_flow->protos.tls_quic.ssl_version, &unknown_tls_version), flow_to_process->ndpi_flow->host_server_name,
- (flow_to_process->ndpi_flow->protos.tls_quic.alpn != NULL ?
- flow_to_process->ndpi_flow->protos.tls_quic.alpn : "-"));
+ (flow_to_process->ndpi_flow->protos.tls_quic.advertised_alpns != NULL ?
+ flow_to_process->ndpi_flow->protos.tls_quic.advertised_alpns : "-"));
 flow_to_process->tls_client_hello_seen = 1;
 }
 if (flow_to_process->tls_server_hello_seen == 0 &&
diff --git a/example/reader_util.c b/example/reader_util.c
index 498c834f8..ba8031185 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
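Review bot: The `/* ALPN */` comment on the rewritten condition in printFlowsStats no longer says which of the two ALPN fields gates the DoH similarity check, and the `[NO DoH check: missing ALPN]` branch fires whenever the client-advertised list is absent, even for a flow where a `negotiated_alpn` was captured from the ServerHello. Since the check now deliberately keys on the ClientHello list, make that explicit: `&& all_flows[i].flow->ssh_tls.advertised_alpns /* client-advertised ALPN list (CH); negotiated_alpn is not consulted here */`. If a server-chosen ALPN should also qualify, the condition needs `|| all_flows[i].flow->ssh_tls.negotiated_alpn` and the else-branch test and message should be adjusted to match. The enclosing loop starts and ends outside the hunk.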
@@ -480,9 +480,14 @@ static void ndpi_free_flow_tls_data(struct ndpi_flow_info *flow) {
 flow->ssh_tls.server_names = NULL;
 }
- if(flow->ssh_tls.tls_alpn) {
- ndpi_free(flow->ssh_tls.tls_alpn);
- flow->ssh_tls.tls_alpn = NULL;
+ if(flow->ssh_tls.advertised_alpns) {
+ ndpi_free(flow->ssh_tls.advertised_alpns);
+ flow->ssh_tls.advertised_alpns = NULL;
+ }
+
+ if(flow->ssh_tls.negotiated_alpn) {
+ ndpi_free(flow->ssh_tls.negotiated_alpn);
+ flow->ssh_tls.negotiated_alpn = NULL;
 }
 if(flow->ssh_tls.tls_supported_versions) {
@@ -1248,11 +1253,6 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
 flow->ssh_tls.browser_heuristics = flow->ndpi_flow->protos.tls_quic.browser_heuristics;
- if(flow->ndpi_flow->protos.tls_quic.alpn) {
- if((flow->ssh_tls.tls_alpn = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.alpn)) != NULL)
- correct_csv_data_field(flow->ssh_tls.tls_alpn);
- }
-
 if(flow->ndpi_flow->protos.tls_quic.issuerDN) flow->ssh_tls.tls_issuerDN = strdup(flow->ndpi_flow->protos.tls_quic.issuerDN);
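Review bot: The free-and-reset block added for `negotiated_alpn` in ndpi_free_flow_tls_data is the fourth copy of the same three-line pattern in this function (server_names, advertised_alpns, negotiated_alpn, tls_supported_versions), which makes it easy to forget the `= NULL` the next time a string field is added. A small file-local helper keeps the cleanup in one place: `static void free_tls_str(char **s) { if(*s) { ndpi_free(*s); *s = NULL; } }` called as `free_tls_str(&flow->ssh_tls.negotiated_alpn);`. Separately, the context line kept in the second hunk still copies `tls_issuerDN` with plain `strdup` while the new fields use `ndpi_strdup`/`ndpi_free`; that predates this commit, but since the commit touches the neighbouring allocations it would be a cheap moment to align it. Both hunks sit inside functions whose bodies extend beyond what is shown.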
@@ -1264,28 +1264,19 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
 flow->ssh_tls.encrypted_sni.cipher_suite = flow->ndpi_flow->protos.tls_quic.encrypted_sni.cipher_suite;
 }
- if(flow->ssh_tls.tls_supported_versions) {
+ if(flow->ndpi_flow->protos.tls_quic.tls_supported_versions) {
 if((flow->ssh_tls.tls_supported_versions = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.tls_supported_versions)) != NULL) correct_csv_data_field(flow->ssh_tls.tls_supported_versions);
 }
- if(flow->ndpi_flow->protos.tls_quic.alpn
- && flow->ndpi_flow->protos.tls_quic.tls_supported_versions) {
- correct_csv_data_field(flow->ndpi_flow->protos.tls_quic.alpn);
- correct_csv_data_field(flow->ndpi_flow->protos.tls_quic.tls_supported_versions);
-
- flow->info_type = INFO_TLS_QUIC_ALPN_VERSION;
- ndpi_snprintf(flow->tls_quic.alpn, sizeof(flow->tls_quic.alpn), "%s",
- flow->ndpi_flow->protos.tls_quic.alpn);
- ndpi_snprintf(flow->tls_quic.tls_supported_versions,
- sizeof(flow->tls_quic.tls_supported_versions),
- "%s", flow->ndpi_flow->protos.tls_quic.tls_supported_versions);
- } else if(flow->ndpi_flow->protos.tls_quic.alpn) {
- correct_csv_data_field(flow->ndpi_flow->protos.tls_quic.alpn);
-
- flow->info_type = INFO_TLS_QUIC_ALPN_ONLY;
- ndpi_snprintf(flow->tls_quic.alpn, sizeof(flow->tls_quic.alpn), "%s",
- flow->ndpi_flow->protos.tls_quic.alpn);
+ if(flow->ndpi_flow->protos.tls_quic.advertised_alpns) {
+ if((flow->ssh_tls.advertised_alpns = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.advertised_alpns)) != NULL)
+ correct_csv_data_field(flow->ssh_tls.advertised_alpns);
+ }
+
+ if(flow->ndpi_flow->protos.tls_quic.negotiated_alpn) {
+ if((flow->ssh_tls.negotiated_alpn = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.negotiated_alpn)) != NULL)
+ correct_csv_data_field(flow->ssh_tls.negotiated_alpn);
 }
 if(enable_doh_dot_detection) {
diff --git a/example/reader_util.h b/example/reader_util.h
index 6a9c7cd40..d8c02c8b6 100644
--- a/example/reader_util.h
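Review bot: The two new `ndpi_strdup` assignments to `flow->ssh_tls.advertised_alpns` and `flow->ssh_tls.negotiated_alpn`, like the corrected `tls_supported_versions` copy just above them, overwrite whatever the destination already holds without freeing it, so if process_ndpi_collected_info can run more than once for the same flow (its callers are not in this hunk) every repeat leaks the previous copy; the old `if(flow->ssh_tls.tls_supported_versions)` test that this commit rightly replaces happened to avoid that only by never copying at all. Guarding on the destination being empty keeps the fix and closes the hole: `if(flow->ndpi_flow->protos.tls_quic.advertised_alpns && !flow->ssh_tls.advertised_alpns) {`, and likewise for `negotiated_alpn` and `tls_supported_versions`. A failed `ndpi_strdup` is still silently ignored, which matches the surrounding code but means the CSV column is empty rather than flagged, so a short comment noting that best-effort behaviour would help. The function begins before and ends after this hunk.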
+++ b/example/reader_util.h
@@ -165,8 +165,6 @@ enum info_type {
 INFO_SOFTETHER, INFO_TIVOCONNECT, INFO_FTP_IMAP_POP_SMTP,
- INFO_TLS_QUIC_ALPN_VERSION,
- INFO_TLS_QUIC_ALPN_ONLY,
 INFO_NATPMP, };
@@ -217,10 +215,6 @@ typedef struct ndpi_flow_info {
 union {
 char info[256];
 struct {
- char alpn[128];
- char tls_supported_versions[128];
- } tls_quic;
- struct {
 unsigned char auth_failed;
 char username[127];
 char password[128];
@@ -263,7 +257,7 @@ typedef struct ndpi_flow_info {
 u_int16_t ssl_version;
 char server_info[64], client_hassh[33], server_hassh[33], *server_names,
- *tls_alpn, *tls_supported_versions,
+ *advertised_alpns, *negotiated_alpn, *tls_supported_versions,
 *tls_issuerDN, *tls_subjectDN, ja3_client[33], ja3_server[33], sha1_cert_fingerprint[20]; |
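Review bot: The new `*advertised_alpns` and `*negotiated_alpn` members of `struct ndpi_flow_info` carry no comment, and the singular/plural names are the only hint that one is a list and the other a single value; the reader_util.c hunks in this commit show both are heap copies made with `ndpi_strdup` and released in ndpi_free_flow_tls_data(), so record that next to the declaration, e.g. `/* advertised_alpns: ALPN list offered in the ClientHello; negotiated_alpn: the value chosen in the ServerHello. Both ndpi_strdup()'d copies, freed in ndpi_free_flow_tls_data() */`. Removing `INFO_TLS_QUIC_ALPN_VERSION` and `INFO_TLS_QUIC_ALPN_ONLY` from `enum info_type` also shifts the value of `INFO_NATPMP`, which is harmless as long as nothing serialises or compares the raw enum values; I cannot confirm that from this hunk. The struct and enum definitions start and end outside the hunks shown.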