author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-05-21 12:49:27 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-05-21 12:49:27 +0200 |
commit | 83840f1bb9e8825bb8000025ef7331a1d2e68ac4 (patch) | |
tree | ef322b65ad442fdb467c994216b332b83a33bd65 /src | |
parent | 0109014f2c640106bd970dc7559fb0f15cc51271 (diff) |
DTLS: add support for DTLS 1.3 (#2445)
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/ndpi_utils.c | 1 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 6 |
2 files changed, 6 insertions, 1 deletions
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index ce86b4426..dc732e522 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -849,6 +849,7 @@ char* ndpi_ssl_version2str(char *buf, int buf_len,
 case 0XFB1A: strncpy(buf, "TLSv1.3 (Fizz)", buf_len); buf[buf_len - 1] = '\0'; return buf; /* https://engineering.fb.com/security/fizz/ */
 case 0XFEFF: strncpy(buf, "DTLSv1.0", buf_len); buf[buf_len - 1] = '\0'; return buf;
 case 0XFEFD: strncpy(buf, "DTLSv1.2", buf_len); buf[buf_len - 1] = '\0'; return buf;
+ case 0XFEFC: strncpy(buf, "DTLSv1.3", buf_len); buf[buf_len - 1] = '\0'; return buf;
 case 0x0A0A:
 case 0x1A1A:
 case 0x2A2A:
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 0a3dda4ec..056de2937 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -918,11 +918,14 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
 (packet->payload[0] == 0x01) ? "Client" : "Server");
 #endif
 
- /* Not support for DTLS 1.3 yet, then certificates are always visible in DTLS */
 if((packet->tcp && flow->protos.tls_quic.ssl_version >= 0x0304 /* TLS 1.3 */)
 && (packet->payload[0] == 0x02 /* Server Hello */)) {
 flow->tls_quic.certificate_processed = 1; /* No Certificate with TLS 1.3+ */
 }
+ if((packet->udp && flow->protos.tls_quic.ssl_version == 0xFEFC /* DTLS 1.3 */)
+ && (packet->payload[0] == 0x02 /* Server Hello */)) {
+ flow->tls_quic.certificate_processed = 1; /* No Certificate with DTLS 1.3+ */
+ }
 
 checkTLSSubprotocol(ndpi_struct, flow, packet->payload[0] == 0x01);
 break;
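Review bot: The comment on the added `certificate_processed = 1` line, `/* No Certificate with DTLS 1.3+ */`, is misleading in the same way as the TLS 1.3 one it copies: DTLS 1.3 does send a Certificate message, but inside the encrypted handshake, so this parser will never see it; suggest `/* Certificate is encrypted in DTLS 1.3 (RFC 9147), stop waiting for one */`. The new `ssl_version == 0xFEFC` test is also written differently from the `>= 0x0304` range used for TLS just above it — DTLS version numbers count downwards, so `<= 0xFEFC` would be the range-style equivalent if later versions are expected; either is fine today, but the two branches should at least agree on the intent. Since both blocks set the same flag on the same `payload[0] == 0x02` condition, they could be one `if` with the tcp/udp version test as the only varying part, avoiding the duplicated body. processTLSBlock starts and ends outside this hunk.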
@@ -1198,6 +1201,7 @@ int is_dtls(const u_int8_t *buf, u_int32_t buf_len, u_int32_t *block_len) {
 if((buf[0] != 0x16 && buf[0] != 0x14 && buf[0] != 0x17 && buf[0] != 0x15) || /* Handshake, change-cipher-spec, Application-Data, Alert */
 !((buf[1] == 0xfe && buf[2] == 0xff) || /* Versions */
 (buf[1] == 0xfe && buf[2] == 0xfd) ||
+ (buf[1] == 0xfe && buf[2] == 0xfc) ||
 (buf[1] == 0x01 && buf[2] == 0x00))) {
 #ifdef DEBUG_TLS
 printf("[TLS] DTLS invalid block 0x%x or old version 0x%x-0x%x-0x%x\n",
 |
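Review bot: The added `(buf[1] == 0xfe && buf[2] == 0xfc)` test in is_dtls accepts a record-header version that, as far as I recall RFC 9147 §4.1, a conforming DTLS 1.3 peer never puts on the wire: plaintext records carry legacy_record_version 0xFEFD (0xFEFF is also allowed on the first ClientHello) and 1.3 is negotiated only through supported_versions, while encrypted DTLS 1.3 records use the unified header whose first byte is 0b001xxxxx and is therefore already rejected by the `buf[0] != 0x16 ...` test on the line above. So the new branch appears to help only with implementations that stamp 0xFEFC on records, and post-handshake DTLS 1.3 traffic still falls into the "invalid block" path; if that is intended, say so next to the line, e.g. `/* 0xFEFC is not the legacy_record_version a conforming DTLS 1.3 peer sends (RFC 9147 4.1); kept for stacks that emit it */`. These three bytes are attacker-controlled, so widening the accepted set does not weaken anything by itself, but it should not be relied on as evidence of DTLS 1.3. is_dtls continues past the end of this hunk.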