authorLuca Deri <deri@ntop.org>2020-10-24 19:22:56 +0200
committerLuca Deri <deri@ntop.org>2020-10-24 19:22:56 +0200
commit9873972acb2be4682434543b051833feff071f6e (patch)
tree037fab0a6d33a7a85153f341c6b6683cda74d968 /src
parent9b85669a648930f6f54346661c599ca79df937f5 (diff)
Various improvements when using ndpi_pref_enable_tls_block_dissection:
application data TLS blocks are now ignored when exchanged before - the end of certificate negotiation (up to TLS 1.2) - change cipher
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_typedefs.h2
-rw-r--r--src/lib/ndpi_main.c44
-rw-r--r--src/lib/protocols/tls.c25
3 files changed, 48 insertions, 23 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 12f8f9719..1a53a93c6 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -965,7 +965,7 @@ typedef enum {
typedef enum {
ndpi_pref_direction_detect_disable = 0,
- ndpi_pref_enable_tls_block_dissection
+ ndpi_pref_enable_tls_block_dissection /* nDPI considers only those blocks past the certificate exchange */
} ndpi_detection_preference;
/* ntop extensions */
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 8dce01814..9de47e471 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -602,6 +602,10 @@ int ndpi_set_detection_preferences(struct ndpi_detection_module_struct *ndpi_str
break;
case ndpi_pref_enable_tls_block_dissection:
+ /*
+ If this option is enabled only the TLS Application data blocks past the
+ certificate negotiation are considered
+ */
ndpi_str->num_tls_blocks_to_follow = NDPI_MAX_NUM_TLS_APPL_BLOCKS;
break;
@@ -1994,7 +1998,7 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs
#ifdef TEST_LRU_HANDLER
ndpi_str->ndpi_notify_lru_add_handler_ptr = test_lru_handler;
#endif
-
+
#ifdef NDPI_ENABLE_DEBUG_MESSAGES
set_ndpi_debug_function(ndpi_str, (ndpi_debug_function_ptr) ndpi_debug_printf);
NDPI_BITMASK_RESET(ndpi_str->debug_bitmask);
@@ -2850,7 +2854,7 @@ void ndpi_set_bitmask_protocol_detection(char *label, struct ndpi_detection_modu
ndpi_str->proto_defaults[ndpi_protocol_id].protoIdx = idx;
ndpi_str->proto_defaults[ndpi_protocol_id].func = ndpi_str->callback_buffer[idx].func = func;
ndpi_str->callback_buffer[idx].ndpi_protocol_id = ndpi_protocol_id;
-
+
/*
Set ndpi_selection_bitmask for protocol
*/
@@ -3443,25 +3447,25 @@ int ndpi_handle_ipv6_extension_headers(struct ndpi_detection_module_struct *ndpi
if(*nxt_hdr == 59) {
return(1);
}
-
+
// fragment extension header has fixed size of 8 bytes and the first byte is the next header type
if(*nxt_hdr == 44) {
if(*l4len < 8) {
return(1);
}
-
+
*nxt_hdr = (*l4ptr)[0];
*l4len -= 8;
(*l4ptr) += 8;
continue;
}
-
+
// the other extension headers have one byte for the next header type
// and one byte for the extension header length in 8 byte steps minus the first 8 bytes
if(*l4len < 2) {
return(1);
}
-
+
ehdr_len = (*l4ptr)[1];
ehdr_len *= 8;
ehdr_len += 8;
@@ -3469,16 +3473,16 @@ int ndpi_handle_ipv6_extension_headers(struct ndpi_detection_module_struct *ndpi
if(*l4len < ehdr_len) {
return(1);
}
-
+
*nxt_hdr = (*l4ptr)[0];
if(*l4len < ehdr_len)
return(1);
-
+
*l4len -= ehdr_len;
(*l4ptr) += ehdr_len;
}
-
+
return(0);
}
#endif /* NDPI_DETECTION_SUPPORT_IPV6 */
@@ -3949,7 +3953,7 @@ static u_int32_t check_ndpi_udp_flow_func(struct ndpi_detection_module_struct *n
proto_id, ndpi_protocol2name(ndpi_str, proto, buf, sizeof(buf)));
}
#endif
-
+
if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN)
break; /* Stop after detecting the first protocol */
} else if(_ndpi_debug_callbacks)
@@ -3973,7 +3977,7 @@ static u_int32_t check_ndpi_tcp_flow_func(struct ndpi_detection_module_struct *n
NDPI_PROTOCOL_BITMASK detection_bitmask;
NDPI_SAVE_AS_BITMASK(detection_bitmask, flow->packet.detected_protocol_stack[0]);
-
+
if(flow->packet.payload_packet_len != 0) {
if((proto_id != NDPI_PROTOCOL_UNKNOWN) &&
NDPI_BITMASK_COMPARE(flow->excluded_protocol_bitmask,
@@ -4001,7 +4005,7 @@ static u_int32_t check_ndpi_tcp_flow_func(struct ndpi_detection_module_struct *n
break; /* Stop after detecting the first protocol */
}
}
- }
+ }
} else {
/* no payload */
@@ -4578,7 +4582,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
NDPI_SELECTION_BITMASK_PROTOCOL_SIZE ndpi_selection_packet;
u_int32_t a, num_calls = 0;
ndpi_protocol ret = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED };
-
+
if(ndpi_str->ndpi_log_level >= NDPI_LOG_TRACE)
NDPI_LOG(flow ? flow->detected_protocol_stack[0] : NDPI_PROTOCOL_UNKNOWN, ndpi_str, NDPI_LOG_TRACE,
"START packet processing\n");
@@ -4755,7 +4759,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
}
num_calls = ndpi_check_flow_func(ndpi_str, flow, &ndpi_selection_packet);
-
+
a = flow->packet.detected_protocol_stack[0];
if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_str->detection_bitmask, a) == 0)
a = NDPI_PROTOCOL_UNKNOWN;
@@ -4870,7 +4874,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
if(num_calls == 0)
flow->fail_with_unknown = 1;
-
+
invalidate_ptr:
/*
Invalidate packet memory to avoid accessing the pointers below
@@ -6700,7 +6704,7 @@ static int enough(int a, int b) {
static u_int8_t endsWith(char *str, char *ends, u_int8_t ends_len) {
u_int str_len = str ? strlen(str) : 0;
u_int8_t rc;
-
+
if(str_len < ends_len) return(0);
rc = (strncmp(&str[str_len-ends_len], ends, ends_len) != 0) ? 0 : 1;
@@ -6708,7 +6712,7 @@ static u_int8_t endsWith(char *str, char *ends, u_int8_t ends_len) {
#ifdef DGA_DEBUG
printf("[DGA] %s / %s [rc: %u]\n", str, ends, rc);
#endif
-
+
return(rc);
}
@@ -6726,14 +6730,14 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
#ifdef DGA_DEBUG
printf("[DGA] %s\n", name);
#endif
-
+
len = strlen(name);
if(len >= 5) {
int i, j, num_found = 0, num_impossible = 0, num_bigram_checks = 0, num_digits = 0, num_vowels = 0, num_words = 0;
char tmp[128], *word, *tok_tmp;
u_int max_tmp_len = sizeof(tmp)-1;
-
+
len = snprintf(tmp, max_tmp_len, "%s", name);
if(len < 0) {
#ifdef DGA_DEBUG
@@ -6752,7 +6756,7 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
if(!isdigit(tmp[j]))
first_element_is_numeric = 0;
}
-
+
if(last_char == tmp[j]) {
if(++num_char_repetitions > max_num_char_repetitions)
max_num_char_repetitions = num_char_repetitions;
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 5b572cae9..192625c5c 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -604,7 +604,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
certificates_offset += certificate_len;
}
- if(( ndpi_struct->num_tls_blocks_to_follow != 0)
+ if((ndpi_struct->num_tls_blocks_to_follow != 0)
&& (flow->l4.tcp.tls.num_tls_blocks >= ndpi_struct->num_tls_blocks_to_follow)) {
#ifdef DEBUG_TLS_BLOCKS
printf("*** [TLS Block] Enough blocks dissected\n");
@@ -628,6 +628,17 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
processClientServerHello(ndpi_struct, flow, 0);
flow->l4.tcp.tls.hello_processed = 1;
ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
+
+#ifdef DEBUG_TLS
+ printf("*** TLS [version: %02X][%s Hello]\n",
+ flow->protos.stun_ssl.ssl.ssl_version,
+ (packet->payload[0] == 0x01) ? "Client" : "Server");
+#endif
+
+ if((flow->protos.stun_ssl.ssl.ssl_version >= 0x0304 /* TLS 1.3 */)
+ && (packet->payload[0] == 0x02 /* Server Hello */)) {
+ flow->l4.tcp.tls.certificate_processed = 1; /* No Certificate with TLS 1.3+ */
+ }
break;
case 0x0b: /* Certificate */
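Review bot: Marking certificate_processed at the TLS 1.3 Server Hello (L224–L227) means every later record of content type 0x17 is counted as an application-data block, but in TLS 1.3 the server's EncryptedExtensions/Certificate/Finished and the client's Finished are also sent as type 0x17, so the first recorded lengths in tls_application_blocks_len are handshake flights rather than application data; a comment such as `/* TLS 1.3: post-ServerHello handshake records are also type 0x17 and get counted as blocks */` would make that visible to readers of the array. The check also relies on ssl_version already holding the negotiated version when the Server Hello is processed; a TLS 1.3 Server Hello carries legacy_version 0x0303 and the real version only in the supported_versions extension, so if processClientServerHello derives ssl_version from the legacy field this branch never fires, which is worth confirming. processTLSBlock starts and ends outside the hunk.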
@@ -700,6 +711,15 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
/* Overwriting packet payload */
p = packet->payload, p_len = packet->payload_packet_len; /* Backup */
+ if(content_type == 0x14 /* Change Cipher Spec */) {
+ /*
+ Ignore Application Data up until change cipher
+ so in this case we reset the number of observed
+ TLS blocks
+ */
+ flow->l4.tcp.tls.num_tls_blocks = 0;
+ }
+
if((len > 9)
&& (content_type != 0x17 /* Application Data */)
&& (!flow->l4.tcp.tls.certificate_processed)) {
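Review bot: The counter reset on Change Cipher Spec (L233–L240) runs for a CCS from either peer and on every CCS, so any Application Data block counted before the second CCS is discarded; in a plain TLS 1.2 handshake both CCS precede application data, but a client using False Start, or the TLS 1.3 middlebox-compatibility CCS the client sends after the server's encrypted flight, would lose its first counted blocks. If that is the intended behaviour the comment should say so, e.g. `Ignore Application Data up until the last Change Cipher Spec seen from either side; blocks counted before it are discarded`. Only num_tls_blocks is reset while the stored tls_application_blocks_len entries remain until overwritten, which is fine as long as every reader bounds itself by num_tls_blocks. ndpi_search_tls_tcp starts and ends outside the hunk.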
@@ -729,7 +749,8 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
}
} else {
/* Process element as a whole */
- if(content_type == 0x17 /* Application Data */) {
+ if((content_type == 0x17 /* Application Data */)
+ && (flow->l4.tcp.tls.certificate_processed)) {
if(flow->l4.tcp.tls.num_tls_blocks < ndpi_struct->num_tls_blocks_to_follow)
flow->l4.tcp.tls.tls_application_blocks_len[flow->l4.tcp.tls.num_tls_blocks++] =
(packet->packet_direction == 0) ? (len-5) : -(len-5);
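Review bot: Gating block recording on certificate_processed (L250–L251) means a TLS 1.2 abbreviated handshake (session-ID or ticket resumption), which carries no Certificate message, never records any block, since from what is visible the flag is set only in the Certificate path and at a TLS 1.3 Server Hello. Either state this limitation in the ndpi_typedefs.h comment on ndpi_pref_enable_tls_block_dissection, or also mark the handshake as done when the first Change Cipher Spec is seen, e.g. in the CCS branch earlier in this function `flow->l4.tcp.tls.certificate_processed = 1; /* resumed session: no Certificate will follow */`, which is harmless for a full handshake because Certificate precedes CCS. The enclosing else branch and ndpi_search_tls_tcp extend outside the hunk.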