author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2025-01-06 11:04:50 +0100 |
committer | GitHub <noreply@github.com> | 2025-01-06 11:04:50 +0100 |
commit | cae9fb9989838f213eeb857b8fc4bbeac6940049 (patch) | |
tree | 1f44410c9362d8ff41f6f41916b37186092293f2 /src/lib | |
parent | 19e531e20b5b8edf5952ddadff2d21106beae7e8 (diff) |
TLS: remove ESNI support (#2648)
ESNI has been superseded by ECH for years now.
See: https://blog.cloudflare.com/encrypted-client-hello/
Set the existing flow risk if this extension is still found.
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/ndpi_main.c | 3 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 67 |
2 files changed, 3 insertions, 67 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index aeae555a3..6b3435f16 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -6769,9 +6769,6 @@ void ndpi_free_flow_data(struct ndpi_flow_struct* flow) {
   if(flow->protos.tls_quic.subjectDN)
     ndpi_free(flow->protos.tls_quic.subjectDN);
 
-  if(flow->protos.tls_quic.encrypted_sni.esni)
-    ndpi_free(flow->protos.tls_quic.encrypted_sni.esni);
-
   if(flow->protos.tls_quic.ja4_client_raw)
     ndpi_free(flow->protos.tls_quic.ja4_client_raw);
 }
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 498147181..b6fe9d7a6 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -3108,62 +3108,9 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
             if(flow->protos.tls_quic.tls_supported_versions == NULL)
               flow->protos.tls_quic.tls_supported_versions = ndpi_strdup(version_str);
           }
-        } else if(extension_id == 65486 /* encrypted server name */ &&
-                  offset+extension_offset+1 < total_len) {
-          /*
-            - https://tools.ietf.org/html/draft-ietf-tls-esni-06
-            - https://blog.cloudflare.com/encrypted-sni/
-          */
-          int e_offset = offset+extension_offset;
-          int e_sni_len;
-          int initial_offset = e_offset;
-          u_int16_t cipher_suite = ntohs(*((u_int16_t*)&packet->payload[e_offset]));
-
-          flow->protos.tls_quic.encrypted_sni.cipher_suite = cipher_suite;
-
-          e_offset += 2; /* Cipher suite len */
-
-          /* Key Share Entry */
-          e_offset += 2; /* Group */
-          if(e_offset + 2 < packet->payload_packet_len) {
-            e_offset += ntohs(*((u_int16_t*)&packet->payload[e_offset])) + 2; /* Lenght */
-
-            if((e_offset+4) < packet->payload_packet_len) {
-              /* Record Digest */
-              e_offset += ntohs(*((u_int16_t*)&packet->payload[e_offset])) + 2; /* Lenght */
-
-              if((e_offset+4) < packet->payload_packet_len) {
-                e_sni_len = ntohs(*((u_int16_t*)&packet->payload[e_offset]));
-                e_offset += 2;
-
-                if((e_offset+e_sni_len-(int)extension_len-initial_offset) >= 0 &&
-                   e_offset+e_sni_len < packet->payload_packet_len) {
-#ifdef DEBUG_ENCRYPTED_SNI
-                  printf("Client TLS [Encrypted Server Name len: %u]\n", e_sni_len);
-#endif
-
-                  if(flow->protos.tls_quic.encrypted_sni.esni == NULL) {
-                    flow->protos.tls_quic.encrypted_sni.esni = (char*)ndpi_malloc(e_sni_len*2+1);
-
-                    if(flow->protos.tls_quic.encrypted_sni.esni) {
-                      u_int16_t off;
-                      int i;
-
-                      for(i=e_offset, off=0; i<(e_offset+e_sni_len); i++) {
-                        int rc = sprintf(&flow->protos.tls_quic.encrypted_sni.esni[off], "%02X", packet->payload[i] & 0XFF);
-
-                        if(rc <= 0) {
-                          break;
-                        } else
-                          off += rc;
-                      }
-                      flow->protos.tls_quic.encrypted_sni.esni[off] = '\0';
-                    }
-                  }
-                }
-              }
-            }
-          }
+        } else if(extension_id == 65486 /* encrypted server name */) {
+          /* ESNI has been superseded by ECH */
+          ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_ESNI_USAGE, NULL);
         } else if(extension_id == 65037 /* ECH: latest drafts */) {
 #ifdef DEBUG_TLS
           printf("Client TLS: ECH version 0x%x\n", extension_id);
@@ -3332,18 +3279,10 @@ compute_ja3c:
       ndpi_set_risk(flow, NDPI_TLS_NOT_CARRYING_HTTPS, "No ALPN");
     }
 
-    /* Suspicious Domain Fronting: https://github.com/SixGenInc/Noctilucent/blob/master/docs/ */
-    if(flow->protos.tls_quic.encrypted_sni.esni &&
-       flow->host_server_name[0] != '\0') {
-      ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_ESNI_USAGE, "Found ESNI w/o SNI");
-    }
-
     /* Add check for missing SNI */
     if(flow->host_server_name[0] == '\0'
        && (flow->protos.tls_quic.ssl_version >= 0x0302) /* TLSv1.1 */
        && !flow->protos.tls_quic.webrtc
-       && (flow->protos.tls_quic.encrypted_sni.esni == NULL) /* No ESNI */
        ) {
       /* This is a bit suspicious */
       ndpi_set_risk(flow, NDPI_TLS_MISSING_SNI, "SNI should always be present");
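Review bot: The new `ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_ESNI_USAGE, NULL);` in the extension_id == 65486 branch passes a NULL risk description, whereas the other risks visible on this page — the `"Found ESNI w/o SNI"` text being removed, and `"No ALPN"` / `"SNI should always be present"` in the compute_ja3c hunk — carry a short reason; a string such as `"Obsolete ESNI extension"` would keep risk output uniform and tell the analyst why it fired. The meaning of NDPI_TLS_SUSPICIOUS_ESNI_USAGE also shifts from "ESNI present alongside a cleartext SNI" to "ESNI extension present at all", so its human-readable risk description, defined outside this diff, presumably needs the same wording update — worth confirming. With the `encrypted_sni.esni == NULL` guard dropped in the compute_ja3c hunk, a ClientHello carrying only ESNI now raises both this risk and NDPI_TLS_MISSING_SNI; if that double-flagging is intended, a one-line comment here saying so would spare the next reader the question. The diffstat is limited to src/lib, so whether the now-unwritten `encrypted_sni` member (and any serialization of it) was removed elsewhere in the commit is not visible here. processClientServerHello starts and ends outside the hunk.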