TLS: improve handling of ALPN(s) (#1784)

Tell "Advertised" ALPN list from "Negotiated" ALPN; the former is extracted from the CH, the latter from the SH. Add some entries to the known ALPN list. Fix printing of "TLS Supported Versions" field.
author: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> 2022-10-25 17:06:29 +0200
committer: GitHub <noreply@github.com> 2022-10-25 17:06:29 +0200
commit: ca5ffc498873805c07a29c6d8af3e995963c055d (patch)
tree: efbc859babc7668069c9576b54439ffe10cc9859 /example
parent: 2ed2e5dc7e072d41065a7c04da5db598150c71fa (diff)
4 files changed, 35 insertions, 49 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 2e206b578..96dd46881 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -767,7 +767,7 @@ void printCSVHeader() {
   fprintf(csv_fp, "server_info,");
   fprintf(csv_fp, "tls_version,ja3c,tls_client_unsafe,");
   fprintf(csv_fp, "ja3s,tls_server_unsafe,");
-  fprintf(csv_fp, "tls_alpn,tls_supported_versions,");
+  fprintf(csv_fp, "advertised_alpns,negotiated_alpn,tls_supported_versions,");
 #if 0
   fprintf(csv_fp, "tls_issuerDN,tls_subjectDN,");
 #endif
@@ -1341,8 +1341,9 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
             (flow->ssh_tls.ja3_server[0] != '\0')   ? flow->ssh_tls.ja3_server : "",
             (flow->ssh_tls.ja3_server[0] != '\0')   ? is_unsafe_cipher(flow->ssh_tls.server_unsafe_cipher) : "0");
 
-    fprintf(csv_fp, "%s,%s,",
-            flow->ssh_tls.tls_alpn                  ? flow->ssh_tls.tls_alpn : "",
+    fprintf(csv_fp, "%s,%s,%s,",
+            flow->ssh_tls.advertised_alpns          ? flow->ssh_tls.advertised_alpns : "",
+            flow->ssh_tls.negotiated_alpn           ? flow->ssh_tls.negotiated_alpn : "",
             flow->ssh_tls.tls_supported_versions    ? flow->ssh_tls.tls_supported_versions : ""
             );
 
@@ -1541,16 +1542,16 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
           }
         }
         break;
+    }
 
-      case INFO_TLS_QUIC_ALPN_VERSION:
-        fprintf(out, "[ALPN: %s][TLS Supported Versions: %s]",
-                flow->tls_quic.alpn, flow->tls_quic.tls_supported_versions);
-        break;
+    if(flow->ssh_tls.advertised_alpns)
+        fprintf(out, "[(Advertised) ALPNs: %s]", flow->ssh_tls.advertised_alpns);
 
-      case INFO_TLS_QUIC_ALPN_ONLY:
-        fprintf(out, "[ALPN: %s]", flow->tls_quic.alpn);
-        break;
-    }
+    if(flow->ssh_tls.negotiated_alpn)
+        fprintf(out, "[(Negotiated) ALPN: %s]", flow->ssh_tls.negotiated_alpn);
+
+    if(flow->ssh_tls.tls_supported_versions)
+      fprintf(out, "[TLS Supported Versions: %s]", flow->ssh_tls.tls_supported_versions);
 
     if(flow->flow_extra_info[0] != '\0') fprintf(out, "[%s]", flow->flow_extra_info);
 
@@ -3249,14 +3250,14 @@ static void printFlowsStats() {
                     || (all_flows[i].flow->detected_protocol.app_protocol == NDPI_PROTOCOL_TLS)
                     || (all_flows[i].flow->detected_protocol.app_protocol == NDPI_PROTOCOL_DOH_DOT)
                     )
-                   && all_flows[i].flow->ssh_tls.tls_alpn /* ALPN */
+                   && all_flows[i].flow->ssh_tls.advertised_alpns /* ALPN */
                    ) {
                   if(check_bin_doh_similarity(&bins[i], &s))
                     printf("[DoH (%f distance)]", s);
                   else
                     printf("[NO DoH (%f distance)]", s);
                 } else {
-                  if(all_flows[i].flow->ssh_tls.tls_alpn == NULL)
+                  if(all_flows[i].flow->ssh_tls.advertised_alpns == NULL)
                     printf("[NO DoH check: missing ALPN]");
                 }
               }
diff --git a/example/ndpiSimpleIntegration.c b/example/ndpiSimpleIntegration.c
index 604fef242..81ac179da 100644
--- a/example/ndpiSimpleIntegration.c
+++ b/example/ndpiSimpleIntegration.c
@@ -943,7 +943,7 @@ static void ndpi_process_packet(uint8_t * const args,
             {
 	      uint8_t unknown_tls_version = 0;
 	      char buf_ver[16];
-	      printf("[%8llu, %d, %4d][TLS-CLIENT-HELLO] version: %s | sni: %s | alpn: %s\n",
+	      printf("[%8llu, %d, %4d][TLS-CLIENT-HELLO] version: %s | sni: %s | (advertised) ALPNs: %s\n",
 		     workflow->packets_captured,
 		     reader_thread->array_index,
 		     flow_to_process->flow_id,
@@ -951,8 +951,8 @@ static void ndpi_process_packet(uint8_t * const args,
 					  flow_to_process->ndpi_flow->protos.tls_quic.ssl_version,
 					  &unknown_tls_version),
 		     flow_to_process->ndpi_flow->host_server_name,
-		     (flow_to_process->ndpi_flow->protos.tls_quic.alpn != NULL ?
-		      flow_to_process->ndpi_flow->protos.tls_quic.alpn : "-"));
+		     (flow_to_process->ndpi_flow->protos.tls_quic.advertised_alpns != NULL ?
+		      flow_to_process->ndpi_flow->protos.tls_quic.advertised_alpns : "-"));
 	      flow_to_process->tls_client_hello_seen = 1;
             }
 	  if (flow_to_process->tls_server_hello_seen == 0 &&
diff --git a/example/reader_util.c b/example/reader_util.c
index 498c834f8..ba8031185 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -480,9 +480,14 @@ static void ndpi_free_flow_tls_data(struct ndpi_flow_info *flow) {
     flow->ssh_tls.server_names = NULL;
   }
 
-  if(flow->ssh_tls.tls_alpn) {
-    ndpi_free(flow->ssh_tls.tls_alpn);
-    flow->ssh_tls.tls_alpn = NULL;
+  if(flow->ssh_tls.advertised_alpns) {
+    ndpi_free(flow->ssh_tls.advertised_alpns);
+    flow->ssh_tls.advertised_alpns = NULL;
+  }
+
+  if(flow->ssh_tls.negotiated_alpn) {
+    ndpi_free(flow->ssh_tls.negotiated_alpn);
+    flow->ssh_tls.negotiated_alpn = NULL;
   }
 
   if(flow->ssh_tls.tls_supported_versions) {
@@ -1248,11 +1253,6 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
 
     flow->ssh_tls.browser_heuristics = flow->ndpi_flow->protos.tls_quic.browser_heuristics;
 
-    if(flow->ndpi_flow->protos.tls_quic.alpn) {
-      if((flow->ssh_tls.tls_alpn = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.alpn)) != NULL)
-	correct_csv_data_field(flow->ssh_tls.tls_alpn);
-    }
-
     if(flow->ndpi_flow->protos.tls_quic.issuerDN)
       flow->ssh_tls.tls_issuerDN = strdup(flow->ndpi_flow->protos.tls_quic.issuerDN);
 
@@ -1264,28 +1264,19 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
       flow->ssh_tls.encrypted_sni.cipher_suite = flow->ndpi_flow->protos.tls_quic.encrypted_sni.cipher_suite;
     }
 
-    if(flow->ssh_tls.tls_supported_versions) {
+    if(flow->ndpi_flow->protos.tls_quic.tls_supported_versions) {
       if((flow->ssh_tls.tls_supported_versions = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.tls_supported_versions)) != NULL)
 	correct_csv_data_field(flow->ssh_tls.tls_supported_versions);
     }
 
-    if(flow->ndpi_flow->protos.tls_quic.alpn
-       && flow->ndpi_flow->protos.tls_quic.tls_supported_versions) {
-      correct_csv_data_field(flow->ndpi_flow->protos.tls_quic.alpn);
-      correct_csv_data_field(flow->ndpi_flow->protos.tls_quic.tls_supported_versions);
-
-      flow->info_type = INFO_TLS_QUIC_ALPN_VERSION;
-      ndpi_snprintf(flow->tls_quic.alpn, sizeof(flow->tls_quic.alpn), "%s",
-                    flow->ndpi_flow->protos.tls_quic.alpn);
-      ndpi_snprintf(flow->tls_quic.tls_supported_versions,
-                    sizeof(flow->tls_quic.tls_supported_versions),
-                    "%s", flow->ndpi_flow->protos.tls_quic.tls_supported_versions);
-    } else if(flow->ndpi_flow->protos.tls_quic.alpn) {
-      correct_csv_data_field(flow->ndpi_flow->protos.tls_quic.alpn);
-
-      flow->info_type = INFO_TLS_QUIC_ALPN_ONLY;
-      ndpi_snprintf(flow->tls_quic.alpn, sizeof(flow->tls_quic.alpn), "%s",
-                    flow->ndpi_flow->protos.tls_quic.alpn);
+    if(flow->ndpi_flow->protos.tls_quic.advertised_alpns) {
+      if((flow->ssh_tls.advertised_alpns = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.advertised_alpns)) != NULL)
+	correct_csv_data_field(flow->ssh_tls.advertised_alpns);
+    }
+
+    if(flow->ndpi_flow->protos.tls_quic.negotiated_alpn) {
+      if((flow->ssh_tls.negotiated_alpn = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.negotiated_alpn)) != NULL)
+	correct_csv_data_field(flow->ssh_tls.negotiated_alpn);
     }
 
     if(enable_doh_dot_detection) {
diff --git a/example/reader_util.h b/example/reader_util.h
index 6a9c7cd40..d8c02c8b6 100644
--- a/example/reader_util.h
+++ b/example/reader_util.h
@@ -165,8 +165,6 @@ enum info_type {
     INFO_SOFTETHER,
     INFO_TIVOCONNECT,
     INFO_FTP_IMAP_POP_SMTP,
-    INFO_TLS_QUIC_ALPN_VERSION,
-    INFO_TLS_QUIC_ALPN_ONLY,
     INFO_NATPMP,
 };
 
@@ -217,10 +215,6 @@ typedef struct ndpi_flow_info {
   union {
     char info[256];
     struct {
-      char alpn[128];
-      char tls_supported_versions[128];
-    } tls_quic;
-    struct {
       unsigned char auth_failed;
       char username[127];
       char password[128];
@@ -263,7 +257,7 @@ typedef struct ndpi_flow_info {
     u_int16_t ssl_version;
     char server_info[64],
       client_hassh[33], server_hassh[33], *server_names,
-      *tls_alpn, *tls_supported_versions,
+      *advertised_alpns, *negotiated_alpn, *tls_supported_versions,
       *tls_issuerDN, *tls_subjectDN,
       ja3_client[33], ja3_server[33],
       sha1_cert_fingerprint[20];
author	Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>	2022-10-25 17:06:29 +0200
committer	GitHub <noreply@github.com>	2022-10-25 17:06:29 +0200
commit	ca5ffc498873805c07a29c6d8af3e995963c055d (patch)
tree	efbc859babc7668069c9576b54439ffe10cc9859 /example
parent	2ed2e5dc7e072d41065a7c04da5db598150c71fa (diff)