-rw-r--r-- | doc/configuration_parameters.md | 2 | ||||
-rw-r--r-- | example/ndpiReader.c | 6 | ||||
-rw-r--r-- | fuzz/fuzz_config.cpp | 22 | ||||
-rw-r--r-- | fuzz/fuzz_ndpi_reader.c | 2 | ||||
-rw-r--r-- | src/include/ndpi_api.h | 3 | ||||
-rw-r--r-- | src/include/ndpi_private.h | 2 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 5 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 43 |
8 files changed, 32 insertions, 53 deletions
diff --git a/doc/configuration_parameters.md b/doc/configuration_parameters.md index bd7f826ac..64080177b 100644 --- a/doc/configuration_parameters.md +++ b/doc/configuration_parameters.md @@ -6,6 +6,7 @@ TODO | Protocol | Parameter | Default value | Min value | Max value | Description | Notes | | ------ | ------ | ------ | ------ | ------ | ------ | ------ | | NULL | "packets_limit_per_flow" | 32 | 0 | 255 | The upper limit on the number of packets per flow that will be subject to DPI, after which classification will be considered complete (0 = no limit) | +| NULL | "flow.direction_detection.enable" | 1 | NULL | NULL | Enable/disable internal detection of packet direction (client to server or server to client) | | NULL | "flow_risk_lists.load" | 1 | NULL | NULL | Enable/disable loading of every IP addresses lists used to check any flow risks | | NULL | "flow_risk.anonymous_subscriber.list.icloudprivaterelay.load" | 1 | NULL | NULL | Enable/disable loading of internal iCouldPrivateRealy IP address list used to check `NDPI_ANONYMOUS_SUBSCRIBER` flow risk | | NULL | "flow_risk.anonymous_subscriber.list.protonvpn.load" | 1 | NULL | NULL | Enable/disable loading of internal IP address list of ProtonVPN exit nodes used to check `NDPI_ANONYMOUS_SUBSCRIBER` flow risk | 
@@ -13,6 +14,7 @@ TODO | NULL | "filename.config" | NULL | NULL | NULL | Name of the file containing a list of configuration knobs itself (one per line)!. Useful to configure nDPI via text file instead of via API | | NULL | "lru.$CACHE_NAME.size" | See description | 0 | 16777215 | Set the size (in number of elements) of the specified LRU cache (0 = the cache is disabled). The keyword "$CACHE_NAME" is a placeholder for the cache name and the possible values are: ookla, bittorrent, zoom, stun, tls_cert, mining, msteams, stun_zoom. The default value is "32768" for the bittorrent cache, "512" for the zoom cache and "1024" for all the other caches | | NULL | "lru.$CACHE_NAME.ttl" | See description | 0 | 16777215 | Set the TTL (in seconds) for the elements of the specified LRU cache (0 = the elements never explicitly expire). The keyword "$CACHE_NAME" is a placeholder for the cache name and the possible values are: ookla, bittorrent, zoom, stun, tls_cert, mining, msteams, stun_zoom. The default value is "120" for the ookla cache, "60" for the msteams and stun_zoom caches and "0" for all the other caches | +| "tls" | "application_blocks_tracking.enable" | 0 | NULL | NULL | Enable/disable processing of TLS Application Blocks (post handshake) to extract statistical information about the flow | | "tls" | "metadata.sha1_fingerprint.enable" | 1 | NULL | NULL | Enable/disable computation and export of SHA1 fingerprint for TLS flows. Note that if it is disable, the flow risk `NDPI_MALICIOUS_SHA1_CERTIFICATE` is not checked | | "smtp" | "tls_dissection.enable" | 1 | NULL | NULL | Enable/disable dissection of TLS packets in cleartext SMTP flows (because of opportunistic TLS, via STARTTLS msg) | | "imap" | "tls_dissection.enable" | 1 | NULL | NULL | Enable/disable dissection of TLS packets in cleartext IMAP flows (because of opportunistic TLS, via STARTTLS msg) | diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 7a614c219..742e442fc 100644 --- a/example/ndpiReader.c 
+++ b/example/ndpiReader.c @@ -2795,14 +2795,14 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) { cfgs[i].proto, cfgs[i].param, cfgs[i].value, rc); } + if(enable_doh_dot_detection) + ndpi_set_config(ndpi_thread_info[thread_id].workflow->ndpi_struct, "tls", "application_blocks_tracking.enable", "1"); + ret = ndpi_finalize_initialization(ndpi_thread_info[thread_id].workflow->ndpi_struct); if(ret != 0) { fprintf(stderr, "Error ndpi_finalize_initialization: %d\n", ret); exit(-1); } - - if(enable_doh_dot_detection) - ndpi_set_detection_preferences(ndpi_thread_info[thread_id].workflow->ndpi_struct, ndpi_pref_enable_tls_block_dissection, 1); } /* *********************************************** */ diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp index 73028a51a..b732a2507 100644 --- a/fuzz/fuzz_config.cpp +++ b/fuzz/fuzz_config.cpp @@ -57,6 +57,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ndpi_set_user_data(ndpi_info_mod, (void *)0xabcdabcd); /* Twice to trigger overwriting */ ndpi_get_user_data(ndpi_info_mod); + /* ndpi_set_config: try to keep the soame order of the definitions in ndpi_main.c. + + 1 to trigger unvalid parameter error */ + ndpi_set_tls_cert_expire_days(ndpi_info_mod, fuzzed_data.ConsumeIntegral<u_int8_t>()); if(fuzzed_data.ConsumeBool()) 
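Review bot: The return value of the new `ndpi_set_config(..., "tls", "application_blocks_tracking.enable", "1")` call in setupDetection is discarded, while the loop just above it reports `rc` for every other knob; a rejected parameter would silently leave DoH/DoT block tracking off. Suggest mirroring the loop: `rc = ndpi_set_config(ndpi_thread_info[thread_id].workflow->ndpi_struct, "tls", "application_blocks_tracking.enable", "1");` followed by `if(rc != 0) fprintf(stderr, "Error setting application_blocks_tracking.enable: %d\n", rc);` (assuming `rc` is the variable printed in the loop and still in scope here). Placing the call before ndpi_finalize_initialization is now mandatory, since the removed post-finalize call has no equivalent, and a one-line comment saying so would spare the next reader from re-discovering it. setupDetection starts outside the hunk.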
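Review bot: The comment added at the top of the fuzz_config.cpp hunk has two typos, `soame` and `unvalid`; suggest `/* ndpi_set_config: try to keep the same order of the definitions in ndpi_main.c. + 1 to trigger invalid parameter error */`. LLVMFuzzerTestOneInput continues outside the hunk.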
@@ -76,15 +79,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { /* TODO: stub for geo stuff */ ndpi_load_geoip(ndpi_info_mod, NULL, NULL); - if(fuzzed_data.ConsumeBool()) - ndpi_set_detection_preferences(ndpi_info_mod, ndpi_pref_direction_detect_disable, - fuzzed_data.ConsumeBool()); - if(fuzzed_data.ConsumeBool()) - ndpi_set_detection_preferences(ndpi_info_mod, ndpi_pref_enable_tls_block_dissection, - 0 /* unused */); - - ndpi_set_detection_preferences(ndpi_info_mod, static_cast<ndpi_detection_preference>(0xFF), 0xFF); /* Invalid preference */ - + if(fuzzed_data.ConsumeBool()) { + value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); + sprintf(cfg_value, "%d", value); + ndpi_set_config(ndpi_info_mod, "tls", "application_blocks_tracking.enable", cfg_value); + } if(fuzzed_data.ConsumeBool()) { value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); sprintf(cfg_value, "%d", value); @@ -141,6 +140,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if(fuzzed_data.ConsumeBool()) { value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); sprintf(cfg_value, "%d", value); + ndpi_set_config(ndpi_info_mod, NULL, "flow.direction_detection.enable", cfg_value); + } + if(fuzzed_data.ConsumeBool()) { + value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); + sprintf(cfg_value, "%d", value); ndpi_set_config(ndpi_info_mod, NULL, "flow_risk_lists.load", cfg_value); } if(fuzzed_data.ConsumeBool()) { diff --git a/fuzz/fuzz_ndpi_reader.c b/fuzz/fuzz_ndpi_reader.c index cd2292e66..6733a665f 100644 --- a/fuzz/fuzz_ndpi_reader.c +++ b/fuzz/fuzz_ndpi_reader.c 
@@ -72,7 +72,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { NDPI_BITMASK_SET_ALL(all); ndpi_set_protocol_detection_bitmask2(workflow->ndpi_struct, &all); - ndpi_set_detection_preferences(workflow->ndpi_struct, ndpi_pref_enable_tls_block_dissection, 0 /* unused */); + ndpi_set_config(workflow->ndpi_struct, "tls", "application_blocks_tracking.enable", "1"); memset(workflow->stats.protocol_counter, 0, sizeof(workflow->stats.protocol_counter)); diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h index 177f7bb75..775665dab 100644 --- a/src/include/ndpi_api.h +++ b/src/include/ndpi_api.h @@ -1035,9 +1035,6 @@ extern "C" { int ndpi_get_custom_category_match(struct ndpi_detection_module_struct *ndpi_struct, char *name_or_ip, u_int name_len, ndpi_protocol_category_t *id); - int ndpi_set_detection_preferences(struct ndpi_detection_module_struct *ndpi_mod, - ndpi_detection_preference pref, - int value); u_int16_t ndpi_map_user_proto_id_to_ndpi_id(struct ndpi_detection_module_struct *ndpi_str, u_int16_t user_proto_id); diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h index 3ec291f51..50a84ffc3 100644 --- a/src/include/ndpi_private.h +++ b/src/include/ndpi_private.h @@ -148,6 +148,7 @@ typedef struct { struct ndpi_detection_module_config_struct { int max_packets_to_process; + int direction_detect_enabled; char filename_config[CFG_MAX_LEN]; @@ -172,6 +173,7 @@ struct ndpi_detection_module_config_struct { /* Protocols */ + int tls_app_blocks_tracking_enabled; int tls_sha1_fingerprint_enabled; int smtp_opportunistic_tls_enabled; diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index ecfdc3348..02a104d81 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h 
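Review bot: `direction_detect_enabled` is added to ndpi_detection_module_config_struct, but nothing in this commit removes the legacy `direction_detect_disable` member that the deleted ndpi_set_detection_preferences used to write; if that member is still declared in struct ndpi_detection_module_struct (not visible here) it is now dead state and a trap for anyone grepping for the old name. Suggest dropping it in the same commit or, failing that, a comment next to the new field: `/* Replaces the old direction_detect_disable flag; note the inverted sense (1 = detect direction) */`. The struct definition continues outside both ndpi_private.h hunks.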
@@ -1071,11 +1071,6 @@ typedef enum { NDPI_PROTOCOL_ANY_CATEGORY /* Used to handle wildcards */ } ndpi_protocol_category_t; -typedef enum { - ndpi_pref_direction_detect_disable = 0, - ndpi_pref_enable_tls_block_dissection, /* nDPI considers only those blocks past the certificate exchange */ -} ndpi_detection_preference; - /* ntop extensions */ typedef struct ndpi_proto_defaults { char *protoName; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index dea4770c3..f4b648ee2 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -960,34 +960,6 @@ static void init_string_based_protocols(struct ndpi_detection_module_struct *ndp /* ******************************************************************** */ -int ndpi_set_detection_preferences(struct ndpi_detection_module_struct *ndpi_str, ndpi_detection_preference pref, - int value) { - if(!ndpi_str) - return -1; - - switch(pref) { - case ndpi_pref_direction_detect_disable: - ndpi_str->direction_detect_disable = (u_int8_t) value; - break; - - case ndpi_pref_enable_tls_block_dissection: - /* - If this option is enabled only the TLS Application data blocks past the - certificate negotiation are considered - */ - ndpi_str->num_tls_blocks_to_follow = NDPI_MAX_NUM_TLS_APPL_BLOCKS; - ndpi_str->skip_tls_blocks_until_change_cipher = 1; - break; - - default: - return(-1); - } - - return(0); -} - -/* ******************************************************************** */ - static void ndpi_validate_protocol_initialization(struct ndpi_detection_module_struct *ndpi_str) { u_int i; @@ -3655,6 +3627,11 @@ int ndpi_finalize_initialization(struct ndpi_detection_module_struct *ndpi_str) ndpi_str->ac_automa_finalized = 1; + if(ndpi_str->cfg.tls_app_blocks_tracking_enabled) { + ndpi_str->num_tls_blocks_to_follow = NDPI_MAX_NUM_TLS_APPL_BLOCKS; + ndpi_str->skip_tls_blocks_until_change_cipher = 1; + } + ndpi_str->finalized = 1; return 0; 
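Review bot: The `tls_app_blocks_tracking_enabled` knob is only consulted inside ndpi_finalize_initialization, so unlike the removed ndpi_set_detection_preferences call it has no effect when set afterwards (the ndpiReader hunk had to move its call for exactly this reason), and that ordering constraint is not documented anywhere in the diff. Suggest a comment above the new `if`: `/* Applied once at finalization: ndpi_set_config() calls made after this point do not affect these fields */`, and a matching remark in the configuration_parameters.md row. Dropping the public prototype from ndpi_api.h without a deprecated shim is also an API break for external callers and deserves a changelog entry. ndpi_finalize_initialization starts outside the hunk.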
@@ -4057,7 +4034,7 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_str) { if(ndpi_str->public_domain_suffixes) ndpi_domain_classify_free(ndpi_str->public_domain_suffixes); - + ndpi_free(ndpi_str); } @@ -6616,7 +6593,7 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str, packet->tcp_retransmission = 0, packet->packet_direction = 0; - if(ndpi_str->direction_detect_disable) { + if(!ndpi_str->cfg.direction_detect_enabled) { packet->packet_direction = flow->packet_direction; } else { if(iph != NULL && ntohl(iph->saddr) < ntohl(iph->daddr)) @@ -6641,7 +6618,7 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str, else if(flags == (TH_FIN | TH_PUSH | TH_URG)) ndpi_set_risk(ndpi_str, flow, NDPI_TCP_ISSUES, "TCP XMAS scan"); - if(!ndpi_str->direction_detect_disable && + if(ndpi_str->cfg.direction_detect_enabled && (tcph->source != tcph->dest)) packet->packet_direction = (ntohs(tcph->source) < ntohs(tcph->dest)) ? 1 : 0; @@ -6722,7 +6699,7 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str, flow->next_tcp_seq_nr[1] = 0; } } else if(udph != NULL) { - if(!ndpi_str->direction_detect_disable && + if(ndpi_str->cfg.direction_detect_enabled && (udph->source != udph->dest)) packet->packet_direction = (htons(udph->source) < htons(udph->dest)) ? 1 : 0; } @@ -10807,6 +10784,7 @@ static const struct cfg_param { } cfg_params[] = { /* Per-protocol parameters */ + { "tls", "application_blocks_tracking.enable", "0", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_app_blocks_tracking_enabled) }, { "tls", "metadata.sha1_fingerprint.enable", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_sha1_fingerprint_enabled) }, { "smtp", "tls_dissection.enable", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(smtp_opportunistic_tls_enabled) }, 
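Review bot: Flipping `direction_detect_disable` to `!ndpi_str->cfg.direction_detect_enabled` (here and in the two following ndpi_connection_tracking hunks) inverts the meaning of the zero value: a module whose cfg defaults were never applied now silently skips direction detection, whereas a zeroed struct previously detected by default. The hunks do not show where the "1" default from cfg_params is copied into `cfg`, so this is presumably handled at module init, but it is worth confirming that every creation path runs that default pass before ndpi_connection_tracking is reached. A short comment at the first use, `/* cfg.direction_detect_enabled defaults to 1 (see cfg_params) */`, would make the dependency visible. ndpi_connection_tracking starts and ends outside these hunks.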
@@ -10826,6 +10804,7 @@ static const struct cfg_param { /* Global parameters */ { NULL, "packets_limit_per_flow", "32", "0", "255", CFG_PARAM_INT, __OFF(max_packets_to_process) }, + { NULL, "flow.direction_detection.enable", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(direction_detect_enabled) }, { NULL, "flow_risk_lists.load", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(flow_risk_lists_enabled)}, |