author | Luca Deri <deri@ntop.org> | 2021-07-24 17:50:32 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2021-07-24 17:50:32 +0200 |
commit | 51e48884429015b94d58d9e3240c0fb3ceb465f2 (patch) | |
tree | 10ed46614347ef18f38569e1f3ff90ed6ac05608 /src/lib/protocols/tls.c | |
parent | 526568fcd519ccef3216b563f79e77c7326e11b9 (diff) |
Implemented ALPN automa for checking uncommon ALPNs
Diffstat (limited to 'src/lib/protocols/tls.c')
-rw-r--r-- | src/lib/protocols/tls.c | 51 |
1 files changed, 8 insertions, 43 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index cec43c890..38f1ffbca 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -464,7 +464,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
 if (flow->protos.tls_quic_stun.tls_quic.notBefore > TLS_LIMIT_DATE)
 if((flow->protos.tls_quic_stun.tls_quic.notAfter-flow->protos.tls_quic_stun.tls_quic.notBefore) > TLS_THRESHOLD)
 ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG); /* Certificate validity longer than 13 months*/
-
+
 if((time_sec < flow->protos.tls_quic_stun.tls_quic.notBefore) || (time_sec > flow->protos.tls_quic_stun.tls_quic.notAfter))
 ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_EXPIRED); /* Certificate expired */ 
@@ -1064,54 +1064,19 @@ static void tlsInitExtraPacketProcessing(struct ndpi_detection_module_struct *nd static void tlsCheckUncommonALPN(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
- /* TODO: make search more efficient instead of a linear scan */
- /* see: https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
- static char const * const common_alpns[] = {
- "http/0.9", "http/1.0", "http/1.1",
- "spdy/1", "spdy/2", "spdy/3", "spdy/3.1",
- "stun.turn", "stun.nat-discovery",
- "h2", "h2c", "h2-16", "h2-15", "h2-14", "h2-fb",
- "webrtc", "c-webrtc",
- "ftp", "imap", "pop3", "managesieve", "coap",
- "xmpp-client", "xmpp-server",
- "acme-tls/1",
- "mqtt", "dot", "ntske/1", "sunrpc",
- "h3",
- "smb",
- "irc",
-
- /* QUIC ALPNs */
- "h3-T051", "h3-T050",
- "h3-32", "h3-30", "h3-29", "h3-28", "h3-27", "h3-24", "h3-22",
- "hq-30", "hq-29", "hq-28", "hq-27",
- "h3-fb-05", "h1q-fb",
- "doq-i00"
- };
-
 char * alpn_start = flow->protos.tls_quic_stun.tls_quic.alpn; char * comma_or_nul = alpn_start; do {
+ int alpn_len;
+
 comma_or_nul = strchr(comma_or_nul, ',');
- if (comma_or_nul == NULL)
- {
- comma_or_nul = alpn_start + strlen(alpn_start);
- }
- int alpn_found = 0;
- int alpn_len = comma_or_nul - alpn_start;
- char const * const alpn = alpn_start;
- for (size_t i = 0; i < sizeof(common_alpns)/sizeof(common_alpns[0]); ++i)
- {
- if (strlen(common_alpns[i]) == alpn_len &&
- strncmp(alpn, common_alpns[i], alpn_len) == 0)
- {
- alpn_found = 1;
- break;
- }
- }
+ if(comma_or_nul == NULL)
+ comma_or_nul = alpn_start + strlen(alpn_start);
- if (alpn_found == 0)
- {
+ alpn_len = comma_or_nul - alpn_start;
+
+ if(!is_a_common_alpn(ndpi_struct, alpn_start, alpn_len)) {
 #ifdef DEBUG_TLS
 printf("TLS uncommon ALPN found: %.*s\n", alpn_len, alpn);
 #endif |
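Review bot: The `DEBUG_TLS` printf in the trailing context of this hunk still references `alpn`, but the new side deletes the `char const * const alpn = alpn_start;` declaration it depended on, so a build with `-DDEBUG_TLS` now fails with an undeclared identifier; the line should become `printf("TLS uncommon ALPN found: %.*s\n", alpn_len, alpn_start);`. Since the lookup now hands `is_a_common_alpn()` a bare pointer plus an `int` length rather than a NUL-terminated token, a one-line comment at the call site would help the next reader, e.g. `/* alpn_len stops at the comma or NUL and does not include it; is_a_common_alpn() must not assume NUL termination */`. The `int alpn_len` holding a pointer difference predates this commit, so I would not block on it, but `size_t` would match what `strchr`/`strlen` arithmetic returns. tlsCheckUncommonALPN's body continues past the end of the hunk.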