author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2025-01-14 15:02:20 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2025-01-14 15:02:20 +0100 |
commit | af011e338e20ad065de958f00624b6b341579d81 (patch) | |
tree | 35a67f573c4d7df76eccb69e6436f8341fd7e6c4 /src/lib | |
parent | 63a3547f998bfbe52c2bc8a540e0f33d37f3ad88 (diff) |
TLS: remove JA3C (#2679)
Last step of removing JA3C fingerprint
Remove some duplicate tests: testing with ja4c/ja3s disabled is already
performed by `disable_metadata_and_flowrisks` configuration.
Close:#2551
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/ndpi_main.c | 1 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 1 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 70 |
3 files changed, 4 insertions, 68 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index f25c50fc5..f4b8a5612 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -11562,7 +11562,6 @@ static const struct cfg_param {
 { "tls", "dpi.heuristics", "0x00", "0", "0x07", CFG_PARAM_INT, __OFF(tls_heuristics), NULL },
 { "tls", "dpi.heuristics.max_packets_extra_dissection", "25", "0", "255", CFG_PARAM_INT, __OFF(tls_heuristics_max_packets), NULL },
 { "tls", "metadata.sha1_fingerprint", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_sha1_fingerprint_enabled), NULL },
- { "tls", "metadata.ja3c_fingerprint", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ja3c_fingerprint_enabled), NULL },
 { "tls", "metadata.ja3s_fingerprint", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ja3s_fingerprint_enabled), NULL },
 { "tls", "metadata.ja4c_fingerprint", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ja4c_fingerprint_enabled), NULL },
 { "tls", "metadata.ja4r_fingerprint", "disable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ja4r_fingerprint_enabled), NULL },
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index f71013793..3ea01c457 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1218,7 +1218,6 @@ static void ndpi_tls2json(ndpi_serializer *serializer, struct ndpi_flow_struct *
 ndpi_serialize_string_string(serializer, "notafter", notAfter);
 }
- ndpi_serialize_string_string(serializer, "ja3", flow->protos.tls_quic.ja3_client);
 ndpi_serialize_string_string(serializer, "ja3s", flow->protos.tls_quic.ja3_server);
 ndpi_serialize_string_string(serializer, "ja4", flow->protos.tls_quic.ja4_client);
 ndpi_serialize_string_uint32(serializer, "unsafe_cipher", flow->protos.tls_quic.server_unsafe_cipher);
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 8a00da661..6be99ecd0 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -3184,71 +3184,9 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, } /* while */ if(!invalid_ja) { - /* Compute JA3 client */ - -compute_ja3c: - if(ndpi_struct->cfg.tls_ja3c_fingerprint_enabled) { - int rc; - u_int16_t ja_str_len; - char ja_str[JA_STR_LEN]; - ndpi_MD5_CTX ctx; - u_char md5_hash[16]; - - ja_str_len = ndpi_snprintf(ja_str, JA_STR_LEN, "%u,", ja.client.tls_handshake_version); - - for(i=0; i<ja.client.num_ciphers; i++) { - rc = ndpi_snprintf(&ja_str[ja_str_len], JA_STR_LEN-ja_str_len, "%s%u", - (i > 0) ? "-" : "", ja.client.cipher[i]); - if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc; else break; - } - - rc = ndpi_snprintf(&ja_str[ja_str_len], JA_STR_LEN-ja_str_len, ","); - if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc; - - /* ********** */ - - for(i=0; i<ja.client.num_tls_extensions; i++) { - rc = ndpi_snprintf(&ja_str[ja_str_len], JA_STR_LEN-ja_str_len, "%s%u", - (i > 0) ? "-" : "", ja.client.tls_extension[i]); - if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc; else break; - } - - rc = ndpi_snprintf(&ja_str[ja_str_len], JA_STR_LEN-ja_str_len, ","); - if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc; - - /* ********** */ - - for(i=0; i<ja.client.num_elliptic_curve; i++) { - rc = ndpi_snprintf(&ja_str[ja_str_len], JA_STR_LEN-ja_str_len, "%s%u", - (i > 0) ? "-" : "", ja.client.elliptic_curve[i]); - if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc; else break; - } - - rc = ndpi_snprintf(&ja_str[ja_str_len], JA_STR_LEN-ja_str_len, ","); - if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc; - - for(i=0; i<ja.client.num_elliptic_curve_point_format; i++) { - rc = ndpi_snprintf(&ja_str[ja_str_len], JA_STR_LEN-ja_str_len, "%s%u", - (i > 0) ? 
"-" : "", ja.client.elliptic_curve_point_format[i]); - if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc; else break; - } - - ndpi_MD5Init(&ctx); - ndpi_MD5Update(&ctx, (const unsigned char *)ja_str, strlen(ja_str)); - ndpi_MD5Final(md5_hash, &ctx); - - for(i=0, j=0; i<16; i++) { - rc = ndpi_snprintf(&flow->protos.tls_quic.ja3_client[j], - sizeof(flow->protos.tls_quic.ja3_client)-j, "%02x", - md5_hash[i]); - if(rc > 0) j += rc; else break; - } - -#ifdef DEBUG_JA - printf("[JA3] Client: %s \n", flow->protos.tls_quic.ja3_client); -#endif - } + /* Compute JA4 client */ +compute_ja4c: if(ndpi_struct->cfg.tls_ja4c_fingerprint_enabled) { ndpi_compute_ja4(ndpi_struct, flow, quic_version, &ja); @@ -3262,7 +3200,7 @@ compute_ja3c: ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_FINGERPRINT, flow->protos.tls_quic.ja4_client); } } - /* End JA3/JA4 */ + /* End JA4 */ } /* Before returning to the caller we need to make a final check */ @@ -3307,7 +3245,7 @@ compute_ja3c: } } else if(offset == total_len) { /* TLS does not have extensions etc */ - goto compute_ja3c; + goto compute_ja4c; } } else { #ifdef DEBUG_TLS |
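Review bot: The `compute_ja4c:` label is placed inside the `if(!invalid_ja) {` block, so the `goto compute_ja4c;` in the last hunk (the `offset == total_len` branch, which appears to lie after the block's closing brace) enters the block without the `invalid_ja` test, and the new comment does not say so. The old `compute_ja3c` label behaved the same way, so this is a documentation point rather than a regression: extend the added comment to something like `/* Compute JA4 client; also entered via goto for a ClientHello without extensions, which skips the invalid_ja test */`. Because the JA4 string is what the `NDPI_MALICIOUS_FINGERPRINT` check in the next hunk matches on, it is worth confirming that `ja` holds only validated values on that path. `processClientServerHello` starts and ends outside these hunks, so the state of `ja` and `invalid_ja` at the goto cannot be checked from here.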