authorLuca Deri <deri@ntop.org>2023-09-07 23:42:42 +0200
committerLuca Deri <deri@ntop.org>2023-09-07 23:42:42 +0200
commit770e460ba9be589c9793ad118f9dc7697b188d33 (patch)
tree8cb9d2cd4986fe94bc2b9b309c69164f2c79a6a6 /src/lib/protocols/tls.c
parent47fb5e9f3d4a00a51d385b858454d7e7850fc9c0 (diff)
Added NDPI_TLS_ALPN_SNI_MISMATCH flow risk
Diffstat (limited to 'src/lib/protocols/tls.c')
-rw-r--r--src/lib/protocols/tls.c21
1 files changed, 20 insertions, 1 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index b1c97225f..bedc3be59 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1428,6 +1428,8 @@ void switch_to_tls(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_search_tls_wrapper(ndpi_struct, flow);
}
+/* **************************************** */
+
static void tls_subclassify_by_alpn(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
/* Right now we have only one rule so we can keep it trivial */
@@ -2709,8 +2711,25 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
) {
/* This is a bit suspicious */
ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_MISSING_SNI, NULL);
- }
+
+ if(flow->protos.tls_quic.advertised_alpns != NULL) {
+ char buf[256], *tmp, *item;
+ snprintf(buf, sizeof(buf), "%s", flow->protos.tls_quic.advertised_alpns);
+
+ item = strtok_r(buf, ",", &tmp);
+
+ while(item != NULL) {
+ if(item[0] == 'h') {
+ /* Example 'h2' */
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_ALPN_SNI_MISMATCH, NULL);
+ break;
+ } else
+ item = strtok_r(NULL, ",", &tmp);
+ }
+ }
+ }
+
return(2 /* Client Certificate */);
} else {
#ifdef DEBUG_TLS
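Review bot: The ALPN list is copied into a 256-byte stack buffer with `snprintf` before tokenising, so a list longer than 255 bytes is silently truncated and entries past that point are never checked; whether `advertised_alpns` is already capped where it is built is not visible in this hunk. Because the test only looks at the first character of each comma-separated item, the string can be scanned in place, which removes the copy, the truncation and the `strtok_r` state. `item[0] == 'h'` also matches any token that starts with 'h', not only HTTP identifiers, so the comment should state the intent, e.g. `/* HTTP-family ALPN (h2, http/1.1, ...) offered without SNI */`, or the match should be tightened to the identifiers that are meant. The enclosing `if` condition and processClientServerHello itself start and end outside the hunk.

```c
if(flow->protos.tls_quic.advertised_alpns != NULL) {
  const char *alpn = flow->protos.tls_quic.advertised_alpns;
  int at_item_start = 1;

  /* HTTP-family ALPN (h2, http/1.1, ...) offered without SNI */
  for(; *alpn != '\0'; alpn++) {
    if(at_item_start && (*alpn == 'h')) {
      ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_ALPN_SNI_MISMATCH, NULL);
      break;
    }

    at_item_start = (*alpn == ',');
  }
}
```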