authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2021-01-07 10:55:23 +0100
committerGitHub <noreply@github.com>2021-01-07 10:55:23 +0100
commitb8a5358e8010f5e46df528b440cd9cc26910fdb9 (patch)
tree514fe84e7e308cc443ed001601e99834ac2c1d32 /src
parenteb37f8f1fbf62fce7e8997a24408b998f895d07b (diff)
QUIC: improve handling of SNI (#1105)
* QUIC: SNI should always be saved in flow->protos.stun_ssl.ssl.client_requested_server_name. Close #1077
* QUIC: fix matching of custom categories
* QUIC: add NDPI_TLS_MISSING_SNI support for older GQUIC versions
* QUIC: fix serialization
* QUIC: add DGA check for older GQUIC versions
Diffstat (limited to 'src')
-rw-r--r--src/lib/ndpi_utils.c19
-rw-r--r--src/lib/protocols/quic.c24
2 files changed, 36 insertions, 7 deletions
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 97b94ed68..8938a35f2 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1213,8 +1213,23 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct,
case NDPI_PROTOCOL_QUIC:
ndpi_serialize_start_of_block(serializer, "quic");
- if(flow->host_server_name[0] != '\0')
- ndpi_serialize_string_string(serializer, "hostname", (const char*)flow->host_server_name);
+ if(flow->protos.stun_ssl.ssl.client_requested_server_name[0] != '\0')
+ ndpi_serialize_string_string(serializer, "client_requested_server_name",
+ flow->protos.stun_ssl.ssl.client_requested_server_name);
+ if(flow->http.user_agent)
+ ndpi_serialize_string_string(serializer, "user_agent", flow->http.user_agent);
+ if(flow->protos.stun_ssl.ssl.ssl_version) {
+ u_int8_t unknown_tls_version;
+ char *version = ndpi_ssl_version2str(flow, flow->protos.stun_ssl.ssl.ssl_version, &unknown_tls_version);
+
+ if(!unknown_tls_version)
+ ndpi_serialize_string_string(serializer, "version", version);
+ if(flow->protos.stun_ssl.ssl.alpn)
+ ndpi_serialize_string_string(serializer, "alpn", flow->protos.stun_ssl.ssl.alpn);
+ ndpi_serialize_string_string(serializer, "ja3", flow->protos.stun_ssl.ssl.ja3_client);
+ if(flow->protos.stun_ssl.ssl.tls_supported_versions)
+ ndpi_serialize_string_string(serializer, "tls_supported_versions", flow->protos.stun_ssl.ssl.tls_supported_versions);
+ }
ndpi_serialize_end_of_block(serializer);
break;
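Review bot: `ja3` is serialized unconditionally on the `ndpi_serialize_string_string(serializer, "ja3", ...)` line while the neighbouring alpn and tls_supported_versions members are guarded, so a flow whose JA3 was never computed presumably emits an empty `"ja3"` value (if ja3_client is a fixed char array, as its use without a NULL check suggests; if it is a pointer this would be a NULL dereference instead). Guard it the same way as the SNI at the top of the block: `if(flow->protos.stun_ssl.ssl.ja3_client[0] != '\0')`. Separately, client_requested_server_name and user_agent are attacker-controlled bytes copied from the wire and written straight into JSON here; nothing in this hunk escapes them, so it is worth confirming that ndpi_serialize_string_string escapes quotes, backslashes and control characters. The enclosing ndpi_dpi2json starts and ends outside the hunk.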
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index dc3341a2b..9f768f15e 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
@@ -1171,6 +1171,7 @@ static void process_tls(struct ndpi_detection_module_struct *ndpi_struct,
packet->payload_packet_len = crypto_data_len;
processClientServerHello(ndpi_struct, flow, version);
+ flow->l4.tcp.tls.hello_processed = 1; /* Allow matching of custom categories */
/* Restore */
packet->payload = p;
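Review bot: The new `flow->l4.tcp.tls.hello_processed = 1;` is set even when processClientServerHello on the previous line did not actually parse a hello, because that call's result is discarded; if it reports a status, gate the flag on it, e.g. `if(processClientServerHello(ndpi_struct, flow, version) > 0) flow->l4.tcp.tls.hello_processed = 1;`, otherwise a malformed CRYPTO frame unlocks custom-category matching on an empty name. The field also lives under `l4.tcp` although QUIC is carried over UDP; if `flow->l4` is a union of tcp and udp state, as the naming suggests, this store aliases whatever UDP field shares that offset and deserves either a comment stating why it is safe or a QUIC-neutral home. The same store is repeated in process_chlo further down. process_tls starts and ends outside the hunk.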
@@ -1222,16 +1223,23 @@ static void process_chlo(struct ndpi_detection_module_struct *ndpi_struct,
#endif
if((memcmp(tag, "SNI\0", 4) == 0) &&
(tag_offset_start + prev_offset + len < crypto_data_len)) {
- sni_len = MIN(len, sizeof(flow->host_server_name) - 1);
- memcpy(flow->host_server_name,
+ sni_len = MIN(len, sizeof(flow->protos.stun_ssl.ssl.client_requested_server_name) - 1);
+ memcpy(flow->protos.stun_ssl.ssl.client_requested_server_name,
&crypto_data[tag_offset_start + prev_offset], sni_len);
+ flow->protos.stun_ssl.ssl.client_requested_server_name[sni_len] = '\0';
- NDPI_LOG_DBG2(ndpi_struct, "SNI: [%s]\n", flow->host_server_name);
+ NDPI_LOG_DBG2(ndpi_struct, "SNI: [%s]\n",
+ flow->protos.stun_ssl.ssl.client_requested_server_name);
ndpi_match_host_subprotocol(ndpi_struct, flow,
- (char *)flow->host_server_name,
- strlen((const char*)flow->host_server_name),
+ (char *)flow->protos.stun_ssl.ssl.client_requested_server_name,
+ strlen((const char*)flow->protos.stun_ssl.ssl.client_requested_server_name),
&ret_match, NDPI_PROTOCOL_QUIC);
+ flow->l4.tcp.tls.hello_processed = 1; /* Allow matching of custom categories */
+
+ ndpi_check_dga_name(ndpi_struct, flow,
+ flow->protos.stun_ssl.ssl.client_requested_server_name, 1);
+
sni_found = 1;
if (ua_found)
return;
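Review bot: The SNI bytes are copied verbatim from the CHLO into client_requested_server_name and then passed to ndpi_match_host_subprotocol, ndpi_check_dga_name and the `%s` debug log with no check that they are printable hostname characters; an attacker-chosen tag can carry control bytes, non-ASCII, or embedded NULs, the last of which makes the later strlen shorter than sni_len. Before the match call, sanitize or reject the name, for example a loop over sni_len replacing every byte for which `!isprint((unsigned char)c)` with `'?'` (isprint from <ctype.h>), or skipping the match and DGA check when such a byte is found. Note too that the copy silently truncates names longer than sizeof(client_requested_server_name) - 1 and the truncated value is what host matching and the DGA check see; a `NDPI_LOG_DBG2` on `len > sni_len` would make that visible. process_chlo starts and ends outside the hunk.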
@@ -1255,6 +1263,12 @@ static void process_chlo(struct ndpi_detection_module_struct *ndpi_struct,
}
if(i != num_tags)
NDPI_LOG_DBG(ndpi_struct, "Something went wrong in tags iteration\n");
+
+ /* Add check for missing SNI */
+ if((flow->protos.stun_ssl.ssl.client_requested_server_name[0] == 0)) {
+ /* This is a bit suspicious */
+ NDPI_SET_BIT(flow->risk, NDPI_TLS_MISSING_SNI);
+ }
}
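Review bot: The missing-SNI risk is raised whenever client_requested_server_name is empty, including the case where the tag loop exited early (the `i != num_tags` condition logged two lines above appears to mark exactly that), so a truncated or malformed CHLO is reported as "missing SNI" rather than as a parse failure. Consider gating it on a complete iteration: `if((i == num_tags) && (flow->protos.stun_ssl.ssl.client_requested_server_name[0] == '\0'))`. The doubled parentheses around the condition and `== 0` for the terminator are stylistic; `'\0'` matches what the SNI branch above writes. process_chlo begins outside the hunk.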