authorLuca Deri <lucaderi@users.noreply.github.com>2020-08-06 10:18:27 +0200
committerGitHub <noreply@github.com>2020-08-06 10:18:27 +0200
commit95dfbdc64a48c3f8e57189499d5bb82b1b41ab09 (patch)
tree4a1c4691805eb789b9284ca574f9bd3f6cfc7262 /src
parentc2156a516193ada6fee37ab6b7a26f712ee02e14 (diff)
parent79b89d286605635f15edfe3c21297aaa3b5f3acf (diff)
Merge pull request #973 from IvanNardi/esni3
Add risk flag about suspicious ESNI usage
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_typedefs.h1
-rw-r--r--src/lib/ndpi_utils.c5
-rw-r--r--src/lib/protocols/tls.c5
3 files changed, 10 insertions, 1 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 66fac35af..53d143327 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -79,6 +79,7 @@ typedef enum {
NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER,
NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER,
NDPI_SMB_INSECURE_VERSION,
+ NDPI_TLS_SUSPICIOUS_ESNI_USAGE,
/* Leave this as last member */
NDPI_MAX_RISK
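Review bot: Each member of this enum is used as a bit index into `flow->risk` (the tls.c hunk calls `NDPI_SET_BIT(flow->risk, NDPI_TLS_SUSPICIOUS_ESNI_USAGE)`), so every addition uses up one more bit of that field, and nothing in this hunk guards against running out. The width of `flow->risk` is not visible in this diff, so this may already be handled elsewhere. If it is not, a compile-time assertion next to the enum that `NDPI_MAX_RISK` does not exceed the number of bits in the risk field would turn a silently dropped risk flag into a build error. The new member would also benefit from a short comment, e.g. `/* ClientHello carries both ESNI and a cleartext SNI */`, since the name alone does not say what is being detected.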
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 00583dd26..0d2f5cf3c 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1533,7 +1533,10 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
case NDPI_SMB_INSECURE_VERSION:
return("SMB Insecure Version");
-
+
+ case NDPI_TLS_SUSPICIOUS_ESNI_USAGE:
+ return("TLS Suspicious ESNI Usage");
+
default:
snprintf(buf, sizeof(buf), "%d", (int)risk);
return(buf);
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 5642ebdf0..f96745dc6 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1434,6 +1434,11 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_SET_BIT(flow->risk, NDPI_TLS_NOT_CARRYING_HTTPS);
}
+ if(flow->protos.stun_ssl.ssl.encrypted_sni.esni &&
+ flow->protos.stun_ssl.ssl.client_requested_server_name[0] != '\0') {
+ NDPI_SET_BIT(flow->risk, NDPI_TLS_SUSPICIOUS_ESNI_USAGE);
+ }
+
return(2 /* Client Certificate */);
} else {
#ifdef DEBUG_TLS
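Review bot: The added `if` before `return(2 /* Client Certificate */)` has no comment saying why ESNI together with a cleartext SNI counts as a risk, which an analyst triaging a `TLS Suspicious ESNI Usage` alert will need. I would put `/* ESNI exists to hide the server name: a ClientHello that also sends a cleartext SNI is contradictory and can mislead SNI-based inspection */` above the condition. The check also assumes that `encrypted_sni.esni` and `client_requested_server_name` describe only the hello being parsed. If either can carry over from an earlier hello on the same flow (not visible here), the flag could fire spuriously, so it is worth confirming where they are reset. processClientServerHello starts and ends outside the hunk, so whether every ClientHello path reaches this check cannot be confirmed from here.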