authorLuca Deri <deri@ntop.org>2022-01-26 09:23:23 +0100
committerLuca Deri <deri@ntop.org>2022-01-26 09:23:23 +0100
commit58a9aff17cec2842b5d232eee5a39c0d58a01a75 (patch)
treeaad123e364d9eb0faf62e233531d510621404eff /src/lib
parent14e8808f0351da2f4a4a2a3ce55e42d06c48370a (diff)
Added NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE flow risk
Added ndpi_set_tls_cert_expire_days() API call to set the number of days before expiry at which the above risk is triggered (default: 30 days)
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/ndpi_main.c3
-rw-r--r--src/lib/ndpi_utils.c11
-rw-r--r--src/lib/protocols/tls.c6
3 files changed, 16 insertions, 4 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 2e528b6a4..e4106d58d 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -109,6 +109,7 @@ static ndpi_risk_info ndpi_known_risks[] = {
{ NDPI_DNS_FRAGMENTED, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
{ NDPI_INVALID_CHARACTERS, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
{ NDPI_POSSIBLE_EXPLOIT, NDPI_RISK_SEVERE, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE, NDPI_RISK_MEDIUM, CLIENT_LOW_RISK_PERCENTAGE },
/* Leave this as last member */
{ NDPI_MAX_RISK, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE }
@@ -2398,7 +2399,7 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs
ndpi_str->tcp_max_retransmission_window_size = NDPI_DEFAULT_MAX_TCP_RETRANSMISSION_WINDOW_SIZE;
ndpi_str->directconnect_connection_ip_tick_timeout =
NDPI_DIRECTCONNECT_CONNECTION_IP_TICK_TIMEOUT * ndpi_str->ticks_per_second;
-
+ ndpi_str->tls_certificate_expire_in_x_days = 30; /* NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE flow risk */
ndpi_str->irc_timeout = NDPI_IRC_CONNECTION_TIMEOUT * ndpi_str->ticks_per_second;
ndpi_str->gnutella_timeout = NDPI_GNUTELLA_CONNECTION_TIMEOUT * ndpi_str->ticks_per_second;
ndpi_str->jabber_stun_timeout = NDPI_JABBER_STUN_TIMEOUT * ndpi_str->ticks_per_second;
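Review bot: The default window on the added line in the second hunk is the bare literal `30`, while the neighbouring defaults assigned to the same struct come from named constants such as NDPI_DEFAULT_MAX_TCP_RETRANSMISSION_WINDOW_SIZE; a constant in that family (for example `NDPI_DEFAULT_TLS_CERT_EXPIRE_DAYS`, defined alongside the others) would keep the "30 days" from the commit message in one place and give ndpi_set_tls_cert_expire_days() and its documentation something to refer to. The declaration of tls_certificate_expire_in_x_days and the public header are outside this diff (limited to src/lib), so its type cannot be confirmed here beyond the u_int8_t the setter in ndpi_utils.c takes. The risk-table entry in the first hunk is correctly placed before the NDPI_MAX_RISK sentinel.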
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 1cc666f2c..4b1bd496c 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1837,6 +1837,10 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
return("Possible exploit detected");
break;
+ case NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE:
+ return("TLS certificate about to expire");
+ break;
+
default:
snprintf(buf, sizeof(buf), "%d", (int)risk);
return(buf);
@@ -2305,7 +2309,6 @@ u_int8_t ndpi_is_valid_protoId(u_int16_t protoId) {
u_int8_t ndpi_is_encrypted_proto(struct ndpi_detection_module_struct *ndpi_str,
ndpi_protocol proto) {
-
if(proto.master_protocol == NDPI_PROTOCOL_UNKNOWN && ndpi_is_valid_protoId(proto.app_protocol)) {
return(!ndpi_str->proto_defaults[proto.app_protocol].isClearTextProto);
} else if(ndpi_is_valid_protoId(proto.master_protocol) && ndpi_is_valid_protoId(proto.app_protocol)) {
@@ -2319,3 +2322,9 @@ u_int8_t ndpi_is_encrypted_proto(struct ndpi_detection_module_struct *ndpi_str,
return(0);
}
+/* ******************************************* */
+
+void ndpi_set_tls_cert_expire_days(struct ndpi_detection_module_struct *ndpi_str,
+ u_int8_t num_days) {
+ ndpi_str->tls_certificate_expire_in_x_days = num_days;
+}
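Review bot: The new ndpi_set_tls_cert_expire_days() in the last hunk is a public API entry with no comment on its contract: num_days is u_int8_t, so a caller passing a value above 255 has it silently truncated by the implicit conversion, and 0 disables the NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE check in practice, because the flow is then only "about to expire" once time_sec is already past notAfter, which the expired branch in tls.c catches first. I would add a header comment above it along the lines of `/* Days before notAfter at which NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE is raised (default 30, set in ndpi_init_detection_module()). Range 0-255; 0 effectively disables the risk. */` and decide whether 0 should be rejected or clamped if disabling is not intended. Dereferencing ndpi_str without a NULL check matches ndpi_is_encrypted_proto above it, so I would leave that as is. The matching prototype in the public header is not part of this diff (limited to src/lib).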
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 0f12194f0..96ee3e6a2 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -471,9 +471,11 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
if((flow->protos.tls_quic.notAfter-flow->protos.tls_quic.notBefore) > TLS_THRESHOLD)
ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG); /* Certificate validity longer than 13 months */
- if((time_sec < flow->protos.tls_quic.notBefore)
- || (time_sec > flow->protos.tls_quic.notAfter))
+ if((time_sec < flow->protos.tls_quic.notBefore) || (time_sec > flow->protos.tls_quic.notAfter))
ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_EXPIRED); /* Certificate expired */
+ else if((time_sec > flow->protos.tls_quic.notBefore)
+ && (time_sec > (flow->protos.tls_quic.notAfter - (ndpi_struct->tls_certificate_expire_in_x_days * 86400))))
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE); /* Certificate almost expired */
}
}
}
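Review bot: The new else-if at the end of the hunk flags any certificate whose whole validity period is shorter than tls_certificate_expire_in_x_days as about to expire from the moment it is issued, so short-lived certificates (validity of a few days) would carry this risk on every flow for their entire lifetime. The `time_sec > flow->protos.tls_quic.notBefore` half of the condition is also redundant, since the preceding branch already rejected `time_sec < notBefore` (only the exact notBefore second differs). One form that addresses both is to test the validity span instead: `else if(((flow->protos.tls_quic.notAfter - flow->protos.tls_quic.notBefore) > (ndpi_struct->tls_certificate_expire_in_x_days * 86400)) && (time_sec > (flow->protos.tls_quic.notAfter - (ndpi_struct->tls_certificate_expire_in_x_days * 86400))))`. If notAfter is an unsigned type (its declaration is not in this diff), `notAfter - window` wraps for a certificate whose notAfter is smaller than the window, and both values come from the peer's certificate; the span guard above also rules that case out, since notAfter - notBefore would then be below the window too. processCertificateElements starts before this hunk.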