authorLuca Deri <deri@ntop.org>2021-05-15 10:52:16 +0200
committerLuca Deri <deri@ntop.org>2021-05-15 10:52:16 +0200
commitabd6bce6f9f046797ab897330605cb69e76ca953 (patch)
treed51f02951bb43de3949ebc832c51788febe59dc4 /src
parentca92660d981da0dcea9597d7ad560af0a6e21774 (diff)
Added TLS certificate caching
Added Fortigate protocol
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_protocol_ids.h1
-rw-r--r--src/include/ndpi_typedefs.h3
-rw-r--r--src/lib/ndpi_content_match.c.inc11
-rw-r--r--src/lib/ndpi_main.c17
-rw-r--r--src/lib/protocols/tls.c53
5 files changed, 73 insertions, 12 deletions
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index d4c7bda88..f1480643b 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -287,6 +287,7 @@ typedef enum {
NDPI_PROTOCOL_HPVIRTGRP = 256, /* Toni Uhlig <matzeton@googlemail.com> */
NDPI_PROTOCOL_GENSHIN_IMPACT = 257, /* Toni Uhlig <matzeton@googlemail.com> */
NDPI_PROTOCOL_ACTIVISION = 258,
+ NDPI_PROTOCOL_FORTICLIENT = 259,
#ifdef CUSTOM_NDPI_PROTOCOLS
#include "../../../nDPI-custom/custom_ndpi_protocol_ids.h"
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index d863c4e24..48bb8488c 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1184,6 +1184,9 @@ struct ndpi_detection_module_struct {
/* NDPI_PROTOCOL_STUN and subprotocols */
struct ndpi_lru_cache *stun_cache;
+ /* NDPI_PROTOCOL_TLS and subprotocols */
+ struct ndpi_lru_cache *tls_cert_cache;
+
/* NDPI_PROTOCOL_MINING and subprotocols */
struct ndpi_lru_cache *mining_cache;
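Review bot: The new `tls_cert_cache` pointer is never set in this commit's init code; it is created lazily by the TLS dissector (`ndpi_lru_cache_init(1024)` in tls.c) and freed in `ndpi_exit_detection_module`, so it relies on the module struct being zero-filled at allocation, which is not visible here. A comment on the field would make that contract explicit, e.g. `/* NDPI_PROTOCOL_TLS and subprotocols: allocated lazily by the TLS dissector on first certificate match, freed in ndpi_exit_detection_module() */`. Note that the sibling `stun_cache`/`mining_cache` fields carry no such hint either, so the lazy-init convention should be confirmed before documenting it as the rule.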
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 7b807e7d9..4a3e6c554 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -9432,11 +9432,12 @@ static ndpi_protocol_match host_match[] =
/* ******************************************************************** */
static ndpi_tls_cert_name_match tls_certificate_match [] = {
- { "CN=AnyDesk Client", NDPI_PROTOCOL_ANYDESK },
- { "O=Kakao", NDPI_PROTOCOL_KAKAOTALK },
- { "O=ntop.org", NDPI_PROTOCOL_NTOP },
- { "CN=simplednscrypt.org", NDPI_PROTOCOL_DNSCRYPT },
- { "CN=*.gateway.messenger.live.com", NDPI_PROTOCOL_SKYPE },
+ { "CN=AnyDesk Client", NDPI_PROTOCOL_ANYDESK },
+ { "O=Kakao", NDPI_PROTOCOL_KAKAOTALK },
+ { "O=ntop.org", NDPI_PROTOCOL_NTOP },
+ { "CN=simplednscrypt.org", NDPI_PROTOCOL_DNSCRYPT },
+ { "CN=*.gateway.messenger.live.com", NDPI_PROTOCOL_SKYPE },
+ { "OU=FortiGate", NDPI_PROTOCOL_FORTICLIENT },
{ NULL, 0 }
};
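Review bot: The new table entry matches `OU=FortiGate`, i.e. the subject of a FortiGate appliance certificate, while the protocol it maps to is named `NDPI_PROTOCOL_FORTICLIENT`/"FortiClient" and the commit message calls it the "Fortigate protocol"; a reader cannot tell which is intended. A short comment on the entry would settle it, e.g. `{ "OU=FortiGate", NDPI_PROTOCOL_FORTICLIENT }, /* FortiGate SSL-VPN endpoint, reported as FortiClient traffic */`. Since this match is a substring test on an unauthenticated certificate field, it is worth stating in that comment that the label is a hint about the server, not a verified identity, so downstream consumers do not treat it as stronger than the other entries in this table.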
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index ae3e08ac3..b7de36497 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1632,6 +1632,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
"Activision", NDPI_PROTOCOL_CATEGORY_GAME,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_FORTICLIENT,
+ "FortiClient", NDPI_PROTOCOL_CATEGORY_VPN,
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
#ifdef CUSTOM_NDPI_PROTOCOLS
#include "../../../nDPI-custom/custom_ndpi_main.c"
@@ -2562,6 +2566,9 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_str) {
if(ndpi_str->stun_cache)
ndpi_lru_free_cache(ndpi_str->stun_cache);
+ if(ndpi_str->tls_cert_cache)
+ ndpi_lru_free_cache(ndpi_str->tls_cert_cache);
+
if(ndpi_str->mining_cache)
ndpi_lru_free_cache(ndpi_str->mining_cache);
@@ -6753,6 +6760,16 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
}
/* ****************************************************** */
+
+ void ndpi_check_subprotocol_risk(struct ndpi_flow_struct *flow, u_int16_t subprotocol_id) {
+ switch(subprotocol_id) {
+ case NDPI_PROTOCOL_ANYDESK:
+ ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */
+ break;
+ }
+ }
+
+ /* ****************************************************** */
u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_str,
struct ndpi_flow_struct *flow,
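Review bot: `ndpi_check_subprotocol_risk` is defined with external linkage and called from tls.c (in both `checkTLSSubprotocol` and `processCertificateElements`), but none of the headers touched by this commit declares it; unless a prototype already exists in a header outside this diff, those calls are implicit declarations, which C99 forbids and current compilers warn on or reject. Add `void ndpi_check_subprotocol_risk(struct ndpi_flow_struct *flow, u_int16_t subprotocol_id);` to the API header tls.c already includes, or make the function `static` in tls.c if it is not meant to be public. The `switch` also has no `default:` branch; `default: break;` documents that other subprotocols intentionally carry no risk. A one-line header comment such as `/* Flag flow risks implied by a TLS subprotocol identified from the server certificate */` would help, since the name alone does not say where the id comes from.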
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 871b6f435..107bc501d 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -297,6 +297,31 @@ static int extractRDNSequence(struct ndpi_packet_struct *packet,
/* **************************************** */
+static void checkTLSSubprotocol(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
+ if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) {
+ /* Subprotocol not yet set */
+
+ if(ndpi_struct->tls_cert_cache && flow->packet.iph) {
+ u_int32_t key = flow->packet.iph->daddr + flow->packet.tcp->dest;
+ u_int16_t cached_proto;
+
+ if(ndpi_lru_find_cache(ndpi_struct->tls_cert_cache, key,
+ &cached_proto, 0 /* Don't remove it as it can be used for other connections */)) {
+ ndpi_protocol ret = { NDPI_PROTOCOL_TLS, cached_proto, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED };
+
+ flow->detected_protocol_stack[0] = cached_proto,
+ flow->detected_protocol_stack[1] = NDPI_PROTOCOL_TLS;
+
+ flow->category = ndpi_get_proto_category(ndpi_struct, ret);
+ ndpi_check_subprotocol_risk(flow, cached_proto);
+ }
+ }
+ }
+}
+
+/* **************************************** */
+
/* See https://blog.catchpoint.com/2017/05/12/dissecting-tls-using-wireshark/ */
static void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
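Review bot: The key computation `u_int32_t key = flow->packet.iph->daddr + flow->packet.tcp->dest;` dereferences `flow->packet.tcp` while only `flow->packet.iph` is checked, so if this dissector can be reached for a non-TCP flow (DTLS or QUIC, which nDPI handles in the same area) it dereferences NULL. The additive key also aliases distinct endpoints: an address one higher combined with a port one lower yields the same key, so a cached subprotocol and its risk flag from one server can be copied onto a flow to an unrelated one, and non-IPv4 flows silently never use the cache at all. The same expression is duplicated in `processCertificateElements` (the `ndpi_lru_add_to_cache` site), so the two can drift; a single static helper that checks both headers and mixes address and port non-additively keeps them consistent, as sketched below. `checkTLSSubprotocol` is complete within this hunk; `processCertificateElements` starts here and its body lies outside it.
```c
/* Key for tls_cert_cache: one IPv4 address and TCP port, combined so that
   (address, port) pairs alias far less than with a plain sum.
   use_src selects the source endpoint, otherwise the destination.
   Caller guarantees packet->iph and packet->tcp are set. */
static u_int32_t tlsCertCacheKey(struct ndpi_packet_struct *packet, u_int8_t use_src) {
  if(use_src)
    return(packet->iph->saddr ^ ((u_int32_t)packet->tcp->source << 16));
  else
    return(packet->iph->daddr ^ ((u_int32_t)packet->tcp->dest << 16));
}

/* **************************************** */

static void checkTLSSubprotocol(struct ndpi_detection_module_struct *ndpi_struct,
				struct ndpi_flow_struct *flow) {
  if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) {
    /* Subprotocol not yet set */

    if(ndpi_struct->tls_cert_cache && flow->packet.iph && flow->packet.tcp) {
      u_int32_t key = tlsCertCacheKey(&flow->packet, 0 /* destination endpoint */);
      u_int16_t cached_proto;

      /* … unchanged: ndpi_lru_find_cache() lookup and flow classification … */
    }
  }
}
```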
@@ -569,11 +594,23 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
rdnSeqBuf, strlen(rdnSeqBuf),&proto_id);
if(rc == 0) {
+ /* Match found */
+ ndpi_protocol ret = { NDPI_PROTOCOL_TLS, proto_id, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED};
+
flow->detected_protocol_stack[0] = proto_id,
flow->detected_protocol_stack[1] = NDPI_PROTOCOL_TLS;
- if(proto_id == NDPI_PROTOCOL_ANYDESK)
- ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */
+ flow->category = ndpi_get_proto_category(ndpi_struct, ret);
+ ndpi_check_subprotocol_risk(flow, proto_id);
+
+ if(ndpi_struct->tls_cert_cache == NULL)
+ ndpi_struct->tls_cert_cache = ndpi_lru_cache_init(1024);
+
+ if(ndpi_struct->tls_cert_cache && flow->packet.iph) {
+ u_int32_t key = flow->packet.iph->daddr + flow->packet.tcp->dest;
+
+ ndpi_lru_add_to_cache(ndpi_struct->tls_cert_cache, key, proto_id);
+ }
}
}
}
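Review bot: The cache entry is added with `key = flow->packet.iph->daddr + flow->packet.tcp->dest`, but this code runs while parsing the Certificate message, which the server sends; if `flow->packet` describes the current packet as elsewhere in this file, `daddr`/`dest` here are the client's address and ephemeral port, so later connections to the same server will not find the entry, while the lookup in `checkTLSSubprotocol` on a Client Hello keys on the server side. The insertion should key on the sender of the certificate, i.e. `u_int32_t key = flow->packet.iph->saddr + flow->packet.tcp->source;` (or the helper's source-endpoint form), and `flow->packet.tcp` should be checked alongside `flow->packet.iph` before the dereference. `1024` as the cache size is a magic number; a named constant next to the other cache sizes would document the trade-off. `processCertificateElements` starts outside this hunk.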
@@ -736,6 +773,8 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
&& (packet->payload[0] == 0x02 /* Server Hello */)) {
flow->l4.tcp.tls.certificate_processed = 1; /* No Certificate with TLS 1.3+ */
}
+
+ checkTLSSubprotocol(ndpi_struct, flow);
break;
case 0x0b: /* Certificate */
@@ -1442,7 +1481,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
safari_ciphers++;
break;
-
+
case TLS_CIPHER_GREASE_RESERVED_0:
case TLS_AES_128_GCM_SHA256:
case TLS_AES_256_GCM_SHA384:
@@ -1452,14 +1491,14 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:
case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
- case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
+ case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
case TLS_RSA_WITH_AES_128_CBC_SHA:
case TLS_RSA_WITH_AES_256_CBC_SHA:
case TLS_RSA_WITH_AES_128_GCM_SHA256:
- case TLS_RSA_WITH_AES_256_GCM_SHA384:
+ case TLS_RSA_WITH_AES_256_GCM_SHA384:
safari_ciphers++, chrome_ciphers++;
break;
}
@@ -1682,7 +1721,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
if(rc < 0) break;
}
-
+
for(i=0; i<tot_signature_algorithms_len; i+=2) {
u_int16_t cipher_id = (u_int16_t)ntohs(*((u_int16_t*)&packet->payload[s_offset+i]));
@@ -1715,7 +1754,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
if(chrome_signature_algorithms != 8)
flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_chrome_tls = 0;
-
+
ja3.client.signature_algorithms[i*2] = '\0';
#ifdef DEBUG_TLS