author | havsah <98101641+havsah@users.noreply.github.com> | 2022-01-21 12:40:35 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-01-21 12:40:35 +0100 |
commit | e16b6a18be1ccc9877995afdc757a77c452da071 (patch) | |
tree | f7262594a235c79f3e29521bbadd4bc07fb15cdb /src/lib/protocols/tls.c | |
parent | 6f336f83074ef8cd106a0979b43f84e5cf6df565 (diff) |
Fix Grease values parsing (#1416)
The check for grease was too broad and filtered some valid values.
In particular, the value 257 was skipped because it matched the previous check.
This has been discovered while parsing tests/pcap/443-firefox.pcap
expected ja3:
771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-51-57-47-53-10,0-23-65281-10-11-35-16-5-51-43-13-45-28-21,29-23-24-25-256-257,0
previously generated ja3:
771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-51-57-47-53-10,0-23-65281-10-11-35-16-5-51-43-13-45-28-21,29-23-24-25-256,0
Signed-off-by: Patrick Havelange <patrick.havelange_ext@softathome.com>
Diffstat (limited to 'src/lib/protocols/tls.c')
-rw-r--r-- | src/lib/protocols/tls.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index b5a0bb1cb..0f12194f0 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1596,7 +1596,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 u_int16_t cipher_id = ntohs(*id);
 if(cipher_offset+i+1 < packet->payload_packet_len &&
- packet->payload[cipher_offset+i] != packet->payload[cipher_offset+i+1] /* Skip Grease */) {
+ ((packet->payload[cipher_offset+i] != packet->payload[cipher_offset+i+1]) ||
+ ((packet->payload[cipher_offset+i] & 0xF) != 0xA)) /* Skip Grease */) {
 /*
 Skip GREASE [https://tools.ietf.org/id/draft-ietf-tls-grease-01.html]
 https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967
@@ -1742,7 +1743,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 break;
 }
- if((extension_id == 0) || (packet->payload[extn_off] != packet->payload[extn_off+1])) {
+ if((extension_id == 0) || (packet->payload[extn_off] != packet->payload[extn_off+1]) ||
+ ((packet->payload[extn_off] & 0xF) != 0xA)) {
 /* Skip GREASE */
 if(ja3.client.num_tls_extension < MAX_NUM_JA3)
@@ -1823,7 +1825,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 #ifdef DEBUG_TLS
 printf("Client TLS [EllipticCurve: %u/0x%04X]\n", s_group, s_group);
 #endif
- if((s_group == 0) || (packet->payload[s_offset+i] != packet->payload[s_offset+i+1])) {
+ if((s_group == 0) || (packet->payload[s_offset+i] != packet->payload[s_offset+i+1])
+ || ((packet->payload[s_offset+i] & 0xF) != 0xA)) {
 /* Skip GREASE */
 if(ja3.client.num_elliptic_curve < MAX_NUM_JA3)
 ja3.client.elliptic_curve[ja3.client.num_elliptic_curve++] = s_group;
 |
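Review bot: The GREASE test is now written out three times as raw payload-byte comparisons with the unexplained constants `0xF` and `0xA` (here for cipher suites, and again in the extension and elliptic-curve hunks), so the copies can drift apart and the JA3 string used for client fingerprinting would then treat the same reserved value differently per field. The decoded value is already at hand (`cipher_id` here), so one helper could state the rule once: `static inline int is_grease(u_int16_t v) { return ((v & 0x0F0F) == 0x0A0A) && ((v >> 8) == (v & 0xFF)); }`, with a comment such as `/* GREASE values (RFC 8701): 0x0A0A, 0x1A1A, ... 0xFAFA */`. The body of processClientServerHello starts and ends outside this hunk, so that `extension_id` and `s_group` are decoded from the same two bytes is presumed rather than visible.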
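Review bot: The `(extension_id == 0) ||` term in the extension hunk is redundant after this change, assuming `extension_id` is decoded from these two bytes: 0x0000 has low nibble 0 and so already satisfies `(packet->payload[extn_off] & 0xF) != 0xA`. The same holds for `(s_group == 0) ||` in the elliptic-curve hunk. The `/* Skip GREASE */` comment sits inside the branch that records non-GREASE values, so wording such as `/* not a GREASE value: record it */` would match what the branch does. Unlike the cipher-suite hunk, which checks `cipher_offset+i+1 < packet->payload_packet_len`, neither of these two hunks shows a length check for `extn_off+1` or `s_offset+i+1`; presumably the enclosing loops bound them, which is worth confirming because the bytes come straight from the packet.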