authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2022-10-18 16:40:15 +0200
committerGitHub <noreply@github.com>2022-10-18 16:40:15 +0200
commit35fdbc81480cdeaafc593fe952b2b28ebccbb0c2 (patch)
tree3cc1eaaf1716cb037236eee98725daed592e41f8 /src/lib/protocols/tls.c
parent223a6fb9f7403b34a93b04f6266db6b6e430782c (diff)
TLS: explicit ignore client certificate (#1776)
TLS classification usually stops after processing *server* certificates (if any). That means that the *client* certificate, if present, is usually ignored. However, in some corner cases (e.g. unidirectional traffic) we might end up processing the client certificate and exposing its metadata: the issue is that the application will think that this metadata is about the server and not about the client. So, for the time being, always ignore client certificate processing. As future work, we might find an efficient way to process and export both certificates.
Diffstat (limited to 'src/lib/protocols/tls.c')
-rw-r--r--src/lib/protocols/tls.c14
1 files changed, 11 insertions, 3 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 55eed7ca9..a602fbeeb 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -861,6 +861,7 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
case 0x02: /* Server Hello */
processClientServerHello(ndpi_struct, flow, 0);
flow->protos.tls_quic.hello_processed = 1;
+ flow->protos.tls_quic.ch_direction = (packet->payload[0] == 0x01 ? packet->packet_direction : !packet->packet_direction);
ndpi_int_tls_add_connection(ndpi_struct, flow);
#ifdef DEBUG_TLS
@@ -882,10 +883,17 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
/* Important: populate the tls union fields only after
* ndpi_int_tls_add_connection has been called */
if(flow->protos.tls_quic.hello_processed) {
- ret = processCertificate(ndpi_struct, flow);
- if(ret != 1) {
+ /* Only certificates from the server */
+ if(flow->protos.tls_quic.ch_direction != packet->packet_direction) {
+ ret = processCertificate(ndpi_struct, flow);
+ if(ret != 1) {
#ifdef DEBUG_TLS
- printf("[TLS] Error processing certificate: %d\n", ret);
+ printf("[TLS] Error processing certificate: %d\n", ret);
+#endif
+ }
+ } else {
+#ifdef DEBUG_TLS
+ printf("[TLS] Certificate from client. Ignoring it\n");
#endif
}
flow->tls_quic.certificate_processed = 1;
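Review bot: The ignore branch still falls through to `flow->tls_quic.certificate_processed = 1;` at the end of the hunk, so a flow whose first observed Certificate message comes from the client is marked as processed even though no server certificate has been parsed; if that flag gates later certificate handling (not visible here), a server certificate seen afterwards may never be processed. Consider setting the flag only in the server branch, or adding a comment stating that skipping the client certificate intentionally ends certificate processing for the flow. The guard `if(flow->protos.tls_quic.ch_direction != packet->packet_direction)` also depends on `ch_direction` having been assigned in the hello case of the first hunk; if `hello_processed` can be set on any other path, `ch_direction` keeps its initial value and the comparison silently decides by a default direction, so a comment such as `/* ch_direction is only valid once hello_processed has been set in the hello case above */` next to the guard would make that dependency explicit. processTLSBlock begins before and continues after both hunks.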