author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-09-03 12:44:22 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-09-03 12:44:22 +0200 |
commit | eb133b8fa5525330fc4e045b2184d5a5ac0197eb (patch) | |
tree | 4dde665f441cf225d147fb5056a29d6584916598 /src/lib | |
parent | f2da1698953cca5797003935bb90d69d4fbc3dda (diff) |
TLS: better state about handshake (#2534)
Keep track of whether we received CH and/or SH messages: useful with
unidirectional flows
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/ndpi_utils.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/quic.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 34 |
3 files changed, 26 insertions, 14 deletions
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index dfe6cf1f5..543c784b9 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -809,7 +809,7 @@ static const char* ndpi_get_flow_info_by_proto_id(struct ndpi_flow_struct const
 case NDPI_PROTOCOL_QUIC:
 case NDPI_PROTOCOL_TLS:
- if(flow->protos.tls_quic.hello_processed != 0)
+ if(flow->protos.tls_quic.client_hello_processed != 0)
 return flow->host_server_name;
 break;
 }
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index 5ff7e0e88..939413ea7 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
@@ -1395,7 +1395,7 @@ void process_tls(struct ndpi_detection_module_struct *ndpi_struct,
 packet->payload_packet_len = crypto_data_len;
 processClientServerHello(ndpi_struct, flow, flow->protos.tls_quic.quic_version);
- flow->protos.tls_quic.hello_processed = 1; /* Allow matching of custom categories */
+ flow->protos.tls_quic.client_hello_processed = 1; /* Allow matching of custom categories */
 /* Restore */ packet->payload = p;
@@ -1462,7 +1462,7 @@ void process_chlo(struct ndpi_detection_module_struct *ndpi_struct,
 flow->host_server_name, strlen(flow->host_server_name), &ret_match, NDPI_PROTOCOL_QUIC);
- flow->protos.tls_quic.hello_processed = 1; /* Allow matching of custom categories */
+ flow->protos.tls_quic.client_hello_processed = 1; /* Allow matching of custom categories */
 ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1, 0);
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 0bdcf216b..a41b2d691 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -913,24 +913,34 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
 switch(packet->payload[0] /* block type */) {
 case 0x01: /* Client Hello */
+ flow->protos.tls_quic.client_hello_processed = 1;
+ flow->protos.tls_quic.ch_direction = packet->packet_direction;
+ processClientServerHello(ndpi_struct, flow, 0);
+ ndpi_int_tls_add_connection(ndpi_struct, flow);
+
+#ifdef DEBUG_TLS
+ printf("*** TLS [version: %02X][Client Hello]\n",
+ flow->protos.tls_quic.ssl_version);
+#endif
+
+ checkTLSSubprotocol(ndpi_struct, flow, packet->payload[0] == 0x01);
+ break;
+
 case 0x02: /* Server Hello */
+ flow->protos.tls_quic.server_hello_processed = 1;
+ flow->protos.tls_quic.ch_direction = !packet->packet_direction;
 processClientServerHello(ndpi_struct, flow, 0);
- flow->protos.tls_quic.hello_processed = 1;
- flow->protos.tls_quic.ch_direction = (packet->payload[0] == 0x01 ? packet->packet_direction : !packet->packet_direction);
 ndpi_int_tls_add_connection(ndpi_struct, flow);
 #ifdef DEBUG_TLS
- printf("*** TLS [version: %02X][%s Hello]\n",
- flow->protos.tls_quic.ssl_version,
- (packet->payload[0] == 0x01) ? "Client" : "Server");
+ printf("*** TLS [version: %02X][Server Hello]\n",
+ flow->protos.tls_quic.ssl_version);
 #endif
- if((!is_dtls && flow->protos.tls_quic.ssl_version >= 0x0304 /* TLS 1.3 */)
- && (packet->payload[0] == 0x02 /* Server Hello */)) {
+ if(!is_dtls && flow->protos.tls_quic.ssl_version >= 0x0304 /* TLS 1.3 */) {
 flow->tls_quic.certificate_processed = 1; /* No Certificate with TLS 1.3+ */
 }
- if((is_dtls && flow->protos.tls_quic.ssl_version == 0xFEFC /* DTLS 1.3 */)
- && (packet->payload[0] == 0x02 /* Server Hello */)) {
+ if(is_dtls && flow->protos.tls_quic.ssl_version == 0xFEFC /* DTLS 1.3 */) {
 flow->tls_quic.certificate_processed = 1; /* No Certificate with DTLS 1.3+ */
 }
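Review bot: In the new `case 0x02` the line `flow->protos.tls_quic.ch_direction = !packet->packet_direction;` overwrites whatever direction the Client Hello case already recorded, so if a Server Hello record is ever seen in the same direction as an earlier Client Hello, `ch_direction` silently flips and the "Only certificates from the server" check in the Certificate case then attributes certificates to the wrong side. Inferring the direction from the Server Hello only when no Client Hello was seen keeps the observed CH authoritative and still covers unidirectional flows: `if(!flow->protos.tls_quic.client_hello_processed) flow->protos.tls_quic.ch_direction = !packet->packet_direction;`. Separately, `checkTLSSubprotocol(ndpi_struct, flow, packet->payload[0] == 0x01)` inside the Client Hello case always passes a true third argument, so writing it as `1` would make the intent explicit. Both hello cases now repeat the `processClientServerHello` / `ndpi_int_tls_add_connection` / DEBUG_TLS sequence, which could be lifted into one static helper taking the hello type. processTLSBlock starts and continues outside the hunk.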
@@ -940,7 +950,8 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
 case 0x0b: /* Certificate */
 /* Important: populate the tls union fields only after
 * ndpi_int_tls_add_connection has been called */
- if(flow->protos.tls_quic.hello_processed) {
+ if(flow->protos.tls_quic.client_hello_processed ||
+ flow->protos.tls_quic.server_hello_processed) {
 /* Only certificates from the server */
 if(flow->protos.tls_quic.ch_direction != packet->packet_direction) {
 ret = processCertificate(ndpi_struct, flow);
@@ -1174,7 +1185,8 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 if((ndpi_struct->cfg.ookla_aggressiveness & NDPI_AGGRESSIVENESS_OOKLA_TLS) && /* Feature enabled */
 (!something_went_wrong && flow->tls_quic.certificate_processed == 1 &&
- flow->protos.tls_quic.hello_processed == 1) && /* TLS handshake found without errors */
+ flow->protos.tls_quic.client_hello_processed == 1 &&
+ flow->protos.tls_quic.server_hello_processed == 1) && /* TLS handshake found without errors */
 flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS && /* No IMAPS/FTPS/... */
 flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN && /* No sub-classification */
 ntohs(flow->s_port) == 8080 && /* Ookla port */ |
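Review bot: The widened gate `if(flow->protos.tls_quic.client_hello_processed || flow->protos.tls_quic.server_hello_processed)` now admits a Certificate after only a Server Hello, where `ch_direction` was inferred as the opposite of that Server Hello's direction rather than observed from a Client Hello; the "Only certificates from the server" check right below relies on that inference, which is worth stating at the site with `/* ch_direction may be inferred from the Server Hello on unidirectional flows */`. The Ookla check further down requires both hellos while this gate accepts either; that asymmetry appears intentional (a full handshake versus any hello), but a short comment naming it here would spare the next reader the comparison. processTLSBlock starts and continues outside the hunk.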