authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2022-10-25 17:06:29 +0200
committerGitHub <noreply@github.com>2022-10-25 17:06:29 +0200
commitca5ffc498873805c07a29c6d8af3e995963c055d (patch)
treeefbc859babc7668069c9576b54439ffe10cc9859 /example
parent2ed2e5dc7e072d41065a7c04da5db598150c71fa (diff)
TLS: improve handling of ALPN(s) (#1784)
Distinguish the "Advertised" ALPN list from the "Negotiated" ALPN: the former is extracted from the CH (Client Hello), the latter from the SH (Server Hello). Add some entries to the known ALPN list. Fix printing of the "TLS Supported Versions" field.
Diffstat (limited to 'example')
-rw-r--r--example/ndpiReader.c27
-rw-r--r--example/ndpiSimpleIntegration.c6
-rw-r--r--example/reader_util.c43
-rw-r--r--example/reader_util.h8
4 files changed, 35 insertions, 49 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 2e206b578..96dd46881 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -767,7 +767,7 @@ void printCSVHeader() {
fprintf(csv_fp, "server_info,");
fprintf(csv_fp, "tls_version,ja3c,tls_client_unsafe,");
fprintf(csv_fp, "ja3s,tls_server_unsafe,");
- fprintf(csv_fp, "tls_alpn,tls_supported_versions,");
+ fprintf(csv_fp, "advertised_alpns,negotiated_alpn,tls_supported_versions,");
#if 0
fprintf(csv_fp, "tls_issuerDN,tls_subjectDN,");
#endif
@@ -1341,8 +1341,9 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
(flow->ssh_tls.ja3_server[0] != '\0') ? flow->ssh_tls.ja3_server : "",
(flow->ssh_tls.ja3_server[0] != '\0') ? is_unsafe_cipher(flow->ssh_tls.server_unsafe_cipher) : "0");
- fprintf(csv_fp, "%s,%s,",
- flow->ssh_tls.tls_alpn ? flow->ssh_tls.tls_alpn : "",
+ fprintf(csv_fp, "%s,%s,%s,",
+ flow->ssh_tls.advertised_alpns ? flow->ssh_tls.advertised_alpns : "",
+ flow->ssh_tls.negotiated_alpn ? flow->ssh_tls.negotiated_alpn : "",
flow->ssh_tls.tls_supported_versions ? flow->ssh_tls.tls_supported_versions : ""
);
@@ -1541,16 +1542,16 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
}
}
break;
+ }
- case INFO_TLS_QUIC_ALPN_VERSION:
- fprintf(out, "[ALPN: %s][TLS Supported Versions: %s]",
- flow->tls_quic.alpn, flow->tls_quic.tls_supported_versions);
- break;
+ if(flow->ssh_tls.advertised_alpns)
+ fprintf(out, "[(Advertised) ALPNs: %s]", flow->ssh_tls.advertised_alpns);
- case INFO_TLS_QUIC_ALPN_ONLY:
- fprintf(out, "[ALPN: %s]", flow->tls_quic.alpn);
- break;
- }
+ if(flow->ssh_tls.negotiated_alpn)
+ fprintf(out, "[(Negotiated) ALPN: %s]", flow->ssh_tls.negotiated_alpn);
+
+ if(flow->ssh_tls.tls_supported_versions)
+ fprintf(out, "[TLS Supported Versions: %s]", flow->ssh_tls.tls_supported_versions);
if(flow->flow_extra_info[0] != '\0') fprintf(out, "[%s]", flow->flow_extra_info);
@@ -3249,14 +3250,14 @@ static void printFlowsStats() {
|| (all_flows[i].flow->detected_protocol.app_protocol == NDPI_PROTOCOL_TLS)
|| (all_flows[i].flow->detected_protocol.app_protocol == NDPI_PROTOCOL_DOH_DOT)
)
- && all_flows[i].flow->ssh_tls.tls_alpn /* ALPN */
+ && all_flows[i].flow->ssh_tls.advertised_alpns /* ALPN */
) {
if(check_bin_doh_similarity(&bins[i], &s))
printf("[DoH (%f distance)]", s);
else
printf("[NO DoH (%f distance)]", s);
} else {
- if(all_flows[i].flow->ssh_tls.tls_alpn == NULL)
+ if(all_flows[i].flow->ssh_tls.advertised_alpns == NULL)
printf("[NO DoH check: missing ALPN]");
}
}
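Review bot: The three prints added after the `}` that closes the switch in the third hunk appear to run for every flow printFlow handles, not only TLS/QUIC ones, so a reader has to work out that the NULL checks on the ssh_tls pointers are what keep other flows from emitting ALPN fields; a one-line comment would make that explicit, e.g. `/* ALPN/version fields live in ssh_tls rather than the info union, so print whichever is set regardless of info_type */`. printFlow starts and ends outside this hunk. In the DoH-similarity hunk further down, the `/* ALPN */` comment and the `"[NO DoH check: missing ALPN]"` message still say just ALPN although the field tested is now the advertised list; `/* advertised ALPNs */` would keep the wording aligned with the new naming.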
diff --git a/example/ndpiSimpleIntegration.c b/example/ndpiSimpleIntegration.c
index 604fef242..81ac179da 100644
--- a/example/ndpiSimpleIntegration.c
+++ b/example/ndpiSimpleIntegration.c
@@ -943,7 +943,7 @@ static void ndpi_process_packet(uint8_t * const args,
{
uint8_t unknown_tls_version = 0;
char buf_ver[16];
- printf("[%8llu, %d, %4d][TLS-CLIENT-HELLO] version: %s | sni: %s | alpn: %s\n",
+ printf("[%8llu, %d, %4d][TLS-CLIENT-HELLO] version: %s | sni: %s | (advertised) ALPNs: %s\n",
workflow->packets_captured,
reader_thread->array_index,
flow_to_process->flow_id,
@@ -951,8 +951,8 @@ static void ndpi_process_packet(uint8_t * const args,
flow_to_process->ndpi_flow->protos.tls_quic.ssl_version,
&unknown_tls_version),
flow_to_process->ndpi_flow->host_server_name,
- (flow_to_process->ndpi_flow->protos.tls_quic.alpn != NULL ?
- flow_to_process->ndpi_flow->protos.tls_quic.alpn : "-"));
+ (flow_to_process->ndpi_flow->protos.tls_quic.advertised_alpns != NULL ?
+ flow_to_process->ndpi_flow->protos.tls_quic.advertised_alpns : "-"));
flow_to_process->tls_client_hello_seen = 1;
}
if (flow_to_process->tls_server_hello_seen == 0 &&
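Review bot: The new negotiated_alpn value is not surfaced by this example: the TLS-CLIENT-HELLO print at the top of the first hunk now carries the advertised list, but the TLS-SERVER-HELLO branch that begins on the last line of the second hunk, and continues outside it, is not touched here, so the ALPN the server actually selected is never shown. If that branch is meant to mirror ndpiReader, a `| (negotiated) ALPN: %s` column fed from `flow_to_process->ndpi_flow->protos.tls_quic.negotiated_alpn` with the same `"-"` fallback used for the advertised list would complete the change. If the branch was updated in a part of the diff not visible here, this can be ignored. ndpi_process_packet starts and ends outside both hunks.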
diff --git a/example/reader_util.c b/example/reader_util.c
index 498c834f8..ba8031185 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -480,9 +480,14 @@ static void ndpi_free_flow_tls_data(struct ndpi_flow_info *flow) {
flow->ssh_tls.server_names = NULL;
}
- if(flow->ssh_tls.tls_alpn) {
- ndpi_free(flow->ssh_tls.tls_alpn);
- flow->ssh_tls.tls_alpn = NULL;
+ if(flow->ssh_tls.advertised_alpns) {
+ ndpi_free(flow->ssh_tls.advertised_alpns);
+ flow->ssh_tls.advertised_alpns = NULL;
+ }
+
+ if(flow->ssh_tls.negotiated_alpn) {
+ ndpi_free(flow->ssh_tls.negotiated_alpn);
+ flow->ssh_tls.negotiated_alpn = NULL;
}
if(flow->ssh_tls.tls_supported_versions) {
@@ -1248,11 +1253,6 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
flow->ssh_tls.browser_heuristics = flow->ndpi_flow->protos.tls_quic.browser_heuristics;
- if(flow->ndpi_flow->protos.tls_quic.alpn) {
- if((flow->ssh_tls.tls_alpn = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.alpn)) != NULL)
- correct_csv_data_field(flow->ssh_tls.tls_alpn);
- }
-
if(flow->ndpi_flow->protos.tls_quic.issuerDN)
flow->ssh_tls.tls_issuerDN = strdup(flow->ndpi_flow->protos.tls_quic.issuerDN);
@@ -1264,28 +1264,19 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
flow->ssh_tls.encrypted_sni.cipher_suite = flow->ndpi_flow->protos.tls_quic.encrypted_sni.cipher_suite;
}
- if(flow->ssh_tls.tls_supported_versions) {
+ if(flow->ndpi_flow->protos.tls_quic.tls_supported_versions) {
if((flow->ssh_tls.tls_supported_versions = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.tls_supported_versions)) != NULL)
correct_csv_data_field(flow->ssh_tls.tls_supported_versions);
}
- if(flow->ndpi_flow->protos.tls_quic.alpn
- && flow->ndpi_flow->protos.tls_quic.tls_supported_versions) {
- correct_csv_data_field(flow->ndpi_flow->protos.tls_quic.alpn);
- correct_csv_data_field(flow->ndpi_flow->protos.tls_quic.tls_supported_versions);
-
- flow->info_type = INFO_TLS_QUIC_ALPN_VERSION;
- ndpi_snprintf(flow->tls_quic.alpn, sizeof(flow->tls_quic.alpn), "%s",
- flow->ndpi_flow->protos.tls_quic.alpn);
- ndpi_snprintf(flow->tls_quic.tls_supported_versions,
- sizeof(flow->tls_quic.tls_supported_versions),
- "%s", flow->ndpi_flow->protos.tls_quic.tls_supported_versions);
- } else if(flow->ndpi_flow->protos.tls_quic.alpn) {
- correct_csv_data_field(flow->ndpi_flow->protos.tls_quic.alpn);
-
- flow->info_type = INFO_TLS_QUIC_ALPN_ONLY;
- ndpi_snprintf(flow->tls_quic.alpn, sizeof(flow->tls_quic.alpn), "%s",
- flow->ndpi_flow->protos.tls_quic.alpn);
+ if(flow->ndpi_flow->protos.tls_quic.advertised_alpns) {
+ if((flow->ssh_tls.advertised_alpns = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.advertised_alpns)) != NULL)
+ correct_csv_data_field(flow->ssh_tls.advertised_alpns);
+ }
+
+ if(flow->ndpi_flow->protos.tls_quic.negotiated_alpn) {
+ if((flow->ssh_tls.negotiated_alpn = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.negotiated_alpn)) != NULL)
+ correct_csv_data_field(flow->ssh_tls.negotiated_alpn);
}
if(enable_doh_dot_detection) {
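Review bot: The two ndpi_strdup copies added at the end of the third hunk say nothing about ownership or why correct_csv_data_field() is applied, which matters because the same pointers are printed with %s elsewhere and released in ndpi_free_flow_tls_data; a short comment above them would help, e.g. `/* Heap copies owned by this flow (released in ndpi_free_flow_tls_data); correct_csv_data_field() rewrites them in place so CSV and console output share the sanitized form. */`. The same comment fits the tls_supported_versions copy just above, whose condition this commit corrects. The issuerDN copy visible as context in the second hunk uses plain strdup while these use ndpi_strdup and the free path uses ndpi_free; that line is untouched, but it is worth confirming it is released with a matching free. process_ndpi_collected_info and ndpi_free_flow_tls_data both start and end outside their hunks.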
diff --git a/example/reader_util.h b/example/reader_util.h
index 6a9c7cd40..d8c02c8b6 100644
--- a/example/reader_util.h
+++ b/example/reader_util.h
@@ -165,8 +165,6 @@ enum info_type {
INFO_SOFTETHER,
INFO_TIVOCONNECT,
INFO_FTP_IMAP_POP_SMTP,
- INFO_TLS_QUIC_ALPN_VERSION,
- INFO_TLS_QUIC_ALPN_ONLY,
INFO_NATPMP,
};
@@ -217,10 +215,6 @@ typedef struct ndpi_flow_info {
union {
char info[256];
struct {
- char alpn[128];
- char tls_supported_versions[128];
- } tls_quic;
- struct {
unsigned char auth_failed;
char username[127];
char password[128];
@@ -263,7 +257,7 @@ typedef struct ndpi_flow_info {
u_int16_t ssl_version;
char server_info[64],
client_hassh[33], server_hassh[33], *server_names,
- *tls_alpn, *tls_supported_versions,
+ *advertised_alpns, *negotiated_alpn, *tls_supported_versions,
*tls_issuerDN, *tls_subjectDN,
ja3_client[33], ja3_server[33],
sha1_cert_fingerprint[20];
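Review bot: The renamed pointer fields `*advertised_alpns, *negotiated_alpn` in the last hunk carry no comment saying which handshake message each comes from or that they are heap-owned copies, and the commit message is the only place that records it; trailing comments would keep that in the header, e.g. `*advertised_alpns, /* ALPN list offered in the Client Hello; heap copy */` and `*negotiated_alpn, /* ALPN selected in the Server Hello; heap copy */`. Dropping INFO_TLS_QUIC_ALPN_VERSION and INFO_TLS_QUIC_ALPN_ONLY in the first hunk also changes the numeric value of INFO_NATPMP, which is harmless as long as info_type values never leave the process; that appears to be the case but is worth confirming. The info_type enum and the ndpi_flow_info struct both start outside their hunks.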