author | Luca Deri <deri@ntop.org> | 2021-01-21 19:06:05 +0100 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2021-01-21 19:06:05 +0100 |
commit | 15295ef4c520f1e74163d15119e217ee799a24aa (patch) | |
tree | 96c41348cd8b365c433900eb852fa62621441c8b /src | |
parent | 399755607d5bf5b68e62f324a8614351437051c1 (diff) |
Reworked TLS fingerprint calculation
Modified TLS memory free
Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_typedefs.h | 7 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 21 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 14 |
4 files changed, 18 insertions, 28 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 76f9198da..7a1d0d9bd 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -672,13 +672,11 @@ struct ndpi_flow_tcp_struct { u_int buffer_len, buffer_used; u_int32_t next_seq[2]; /* Directions */ } message; - - void* srv_cert_fingerprint_ctx; /* SHA-1 */ /* NDPI_PROTOCOL_TLS */ u_int8_t hello_processed:1, certificate_processed:1, subprotocol_detected:1, fingerprint_set:1, _pad:4; - u_int8_t sha1_certificate_fingerprint[20], num_tls_blocks; + u_int8_t num_tls_blocks; int16_t tls_application_blocks_len[NDPI_MAX_NUM_TLS_APPL_BLOCKS]; /* + = src->dst, - = dst->src */ } tls; @@ -1264,7 +1262,8 @@ struct ndpi_flow_struct { u_int32_t notBefore, notAfter; char ja3_client[33], ja3_server[33]; u_int16_t server_cipher; - + u_int8_t sha1_certificate_fingerprint[20]; + struct { u_int16_t cipher_suite; char *esni; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 45caa56ce..e4616b4cb 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
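Review bot: In the `@@ -672` hunk the `fingerprint_set:1` bit stays inside `ndpi_flow_tcp_struct.tls` while the 20 bytes it describes move out to `protos.stun_ssl.ssl.sha1_certificate_fingerprint` (next hunk of this file), so the validity flag and the data it guards now live in two different structs and nothing next to either one points at the other. Either move the flag next to the array or record the coupling on the remaining bitfield, e.g. `fingerprint_set:1, /* protos.stun_ssl.ssl.sha1_certificate_fingerprint is valid */`. If `l4` is a union as the `l4.tcp` path suggests, the flag is also only meaningful for TCP flows, which is worth stating in the same comment. Both struct definitions begin and end outside the hunk.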
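Review bot: The added `u_int8_t sha1_certificate_fingerprint[20];` in the `@@ -1264` hunk carries no comment saying what is hashed or in what form, and a reader of this header currently has to find that in tls.c (where this commit's comment reads "Dissect only the first certificate that is the one we care"). Suggest `u_int8_t sha1_certificate_fingerprint[20]; /* raw SHA-1 (not hex) of the first certificate in the TLS Certificate message, normally the end-entity cert */`. Since SHA-1 collisions are practical, a clause that the value is an identifier for matching and reporting rather than an integrity check would also help downstream consumers. The enclosing `struct ndpi_flow_struct` begins and ends outside the hunk.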
@@ -6341,19 +6341,14 @@ void ndpi_free_flow_data(struct ndpi_flow_struct *flow) { if(flow->protos.stun_ssl.ssl.tls_supported_versions) ndpi_free(flow->protos.stun_ssl.ssl.tls_supported_versions); - if(!is_quic) { - if(flow->protos.stun_ssl.ssl.issuerDN) - ndpi_free(flow->protos.stun_ssl.ssl.issuerDN); - - if(flow->protos.stun_ssl.ssl.subjectDN) - ndpi_free(flow->protos.stun_ssl.ssl.subjectDN); - - if(flow->l4.tcp.tls.srv_cert_fingerprint_ctx) - ndpi_free(flow->l4.tcp.tls.srv_cert_fingerprint_ctx); - - if(flow->protos.stun_ssl.ssl.encrypted_sni.esni) - ndpi_free(flow->protos.stun_ssl.ssl.encrypted_sni.esni); - } + if(flow->protos.stun_ssl.ssl.issuerDN) + ndpi_free(flow->protos.stun_ssl.ssl.issuerDN); + + if(flow->protos.stun_ssl.ssl.subjectDN) + ndpi_free(flow->protos.stun_ssl.ssl.subjectDN); + + if(flow->protos.stun_ssl.ssl.encrypted_sni.esni) + ndpi_free(flow->protos.stun_ssl.ssl.encrypted_sni.esni); } if(flow->l4_proto == IPPROTO_TCP) { diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index 4f31369af..294be770a 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -1318,10 +1318,10 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct, if(flow->protos.stun_ssl.ssl.tls_supported_versions) ndpi_serialize_string_string(serializer, "tls_supported_versions", flow->protos.stun_ssl.ssl.tls_supported_versions); - if(flow->l4.tcp.tls.sha1_certificate_fingerprint[0] != '\0') { + if(flow->protos.stun_ssl.ssl.sha1_certificate_fingerprint[0] != '\0') { for(i=0, off=0; i<20; i++) { int rc = snprintf(&buf[off], sizeof(buf)-off,"%s%02X", (i > 0) ? ":" : "", - flow->l4.tcp.tls.sha1_certificate_fingerprint[i] & 0xFF); + flow->protos.stun_ssl.ssl.sha1_certificate_fingerprint[i] & 0xFF); if(rc <= 0) break; else off += rc; } diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 9933ca8b2..344a85d6b 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c 
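Review bot: Removing the `if(!is_quic)` guard in the `@@ -6341` hunk means `issuerDN`, `subjectDN` and `encrypted_sni.esni` are now handed to `ndpi_free()` for QUIC flows as well, and nothing in the hunk says why that is safe; the old guard presumably existed because those slots are either never populated for QUIC or the `protos` storage is used differently there. If `protos` is a union and a QUIC flow can leave those slots holding another protocol's data, `ndpi_free()` would receive a non-pointer and the teardown becomes an invalid free; if the slots are guaranteed zeroed, the extra frees are harmless no-ops. Please add a one-line comment stating which it is, e.g. `/* issuerDN/subjectDN/esni are NULL unless a TLS handshake was parsed, so freeing is safe for QUIC too */`, and confirm that `is_quic` (computed above the hunk) still has a use in this function. `ndpi_free_flow_data` starts and ends outside the hunk.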
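Review bot: The guard `if(flow->protos.stun_ssl.ssl.sha1_certificate_fingerprint[0] != '\0')` in the `@@ -1318` hunk decides presence by the first byte of the digest, so a certificate whose SHA-1 begins with 0x00 (roughly one in 256) is silently omitted from the JSON output; since processCertificate sets `flow->l4.tcp.tls.fingerprint_set` in this same commit, the check should be `if((flow->l4_proto == IPPROTO_TCP) && flow->l4.tcp.tls.fingerprint_set) {` (the `l4_proto` test mirrors the one in ndpi_main.c, assuming `IPPROTO_TCP` is in scope here). A second point on the loop that follows: `off += rc` accumulates snprintf's would-be length, so if `buf` (declared outside the hunk) were ever smaller than the 60 bytes the 59-character hex string needs, `sizeof(buf)-off` would wrap and the next `&buf[off]` write would land past the buffer; `if(rc <= 0 || (size_t)rc >= sizeof(buf)-off) break;` closes that. `ndpi_dpi2json` starts and ends outside the hunk.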
@@ -540,7 +540,8 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t certificates_length, length = (packet->payload[1] << 16) + (packet->payload[2] << 8) + packet->payload[3]; u_int16_t certificates_offset = 7; u_int8_t num_certificates_found = 0; - + SHA1_CTX srv_cert_fingerprint_ctx ; + #ifdef DEBUG_TLS printf("[TLS] %s() [payload_packet_len=%u][direction: %u][%02X %02X %02X %02X %02X %02X...]\n", __FUNCTION__, packet->payload_packet_len, @@ -561,11 +562,6 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, return(-2); /* Invalid length */ } - if(!flow->l4.tcp.tls.srv_cert_fingerprint_ctx) { - if((flow->l4.tcp.tls.srv_cert_fingerprint_ctx = (void*)ndpi_malloc(sizeof(SHA1_CTX))) == NULL) - return(-3); /* Not enough memory */ - } - /* Now let's process each individual certificates */ while(certificates_offset < certificates_length) { u_int32_t certificate_len = (packet->payload[certificates_offset] << 16) + (packet->payload[certificates_offset+1] << 8) + packet->payload[certificates_offset+2]; @@ -595,7 +591,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, if(num_certificates_found++ == 0) /* Dissect only the first certificate that is the one we care */ { /* For SHA-1 we take into account only the first certificate and not all of them */ - SHA1Init(flow->l4.tcp.tls.srv_cert_fingerprint_ctx); + SHA1Init(&srv_cert_fingerprint_ctx); #ifdef DEBUG_CERTIFICATE_HASH { @@ -608,11 +604,11 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, } #endif - SHA1Update(flow->l4.tcp.tls.srv_cert_fingerprint_ctx, + SHA1Update(&srv_cert_fingerprint_ctx, &packet->payload[certificates_offset], certificate_len); - SHA1Final(flow->l4.tcp.tls.sha1_certificate_fingerprint, flow->l4.tcp.tls.srv_cert_fingerprint_ctx); + SHA1Final(flow->protos.stun_ssl.ssl.sha1_certificate_fingerprint, &srv_cert_fingerprint_ctx); flow->l4.tcp.tls.fingerprint_set = 1; |
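Review bot: The new local `SHA1_CTX srv_cert_fingerprint_ctx ;` in the `@@ -540` hunk has a stray space before the semicolon, and it is declared without a note that it is only ever initialised inside the `num_certificates_found++ == 0` branch further down, so any future use of it outside that branch would be on an uninitialised context. Suggest `SHA1_CTX srv_cert_fingerprint_ctx; /* per-call; Init/Update/Final happen only for the first certificate */`. Moving the context from the heap to the stack is sound here because the whole hash is computed within this single call, which is worth saying in the same comment so nobody reintroduces the allocation. `processCertificate` starts and ends outside the hunk.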
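Review bot: In the `@@ -561` hunk `certificate_len` is assembled from `payload[certificates_offset]` through `payload[certificates_offset+2]` while the loop condition only tests `certificates_offset < certificates_length`; whether `certificates_length` is itself bounded by `payload_packet_len` depends on the `-2` check whose condition is cut off above the hunk, and the check that `certificates_offset + certificate_len` stays inside the payload must sit in the lines between this hunk and the next, which are not shown. If either is absent, the `SHA1Update` added later in this file hashes bytes past the end of the packet. Please confirm both exist; if the first is missing, `if(certificates_offset + 3 > packet->payload_packet_len) break;` before the read is the minimal fix. `processCertificate` starts and ends outside the hunk.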