-rw-r--r-- | doc/configuration_parameters.md | 1 | ||||
-rw-r--r-- | fuzz/fuzz_config.cpp | 7 | ||||
-rw-r--r-- | src/include/ndpi_api.h | 11 | ||||
-rw-r--r-- | src/include/ndpi_private.h | 1 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 2 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 8 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 2 |
7 files changed, 9 insertions, 23 deletions
diff --git a/doc/configuration_parameters.md b/doc/configuration_parameters.md
index e88c96057..9bfa944ea 100644
--- a/doc/configuration_parameters.md
+++ b/doc/configuration_parameters.md
@@ -18,6 +18,7 @@ TODO
 | NULL | "filename.config" | NULL | NULL | NULL | Name of the file containing a list of configuration knobs itself (one per line)!. Useful to configure nDPI via text file instead of via API |
 | NULL | "lru.$CACHE_NAME.size" | See description | 0 | 16777215 | Set the size (in number of elements) of the specified LRU cache (0 = the cache is disabled). The keyword "$CACHE_NAME" is a placeholder for the cache name and the possible values are: ookla, bittorrent, zoom, stun, tls_cert, mining, msteams, stun_zoom. The default value is "32768" for the bittorrent cache, "512" for the zoom cache and "1024" for all the other caches |
 | NULL | "lru.$CACHE_NAME.ttl" | See description | 0 | 16777215 | Set the TTL (in seconds) for the elements of the specified LRU cache (0 = the elements never explicitly expire). The keyword "$CACHE_NAME" is a placeholder for the cache name and the possible values are: ookla, bittorrent, zoom, stun, tls_cert, mining, msteams, stun_zoom. The default value is "120" for the ookla cache, "60" for the msteams and stun_zoom caches and "0" for all the other caches |
+| "tls" | "certificate_expiration_threshold" | 30 | 0 | 365 | The threshold (in days) used to trigger the `NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE` flow risk |
 | "tls" | "application_blocks_tracking.enable" | 0 | NULL | NULL | Enable/disable processing of TLS Application Blocks (post handshake) to extract statistical information about the flow |
 | "tls" | "metadata.sha1_fingerprint.enable" | 1 | NULL | NULL | Enable/disable computation and export of SHA1 fingerprint for TLS flows. Note that if it is disable, the flow risk `NDPI_MALICIOUS_SHA1_CERTIFICATE` is not checked |
 | "smtp" | "tls_dissection.enable" | 1 | NULL | NULL | Enable/disable dissection of TLS packets in cleartext SMTP flows (because of opportunistic TLS, via STARTTLS msg) |
diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp
index e5236caaa..13ee51e01 100644
--- a/fuzz/fuzz_config.cpp
+++ b/fuzz/fuzz_config.cpp
@@ -60,8 +60,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   /* ndpi_set_config: try to keep the soame order of the definitions in ndpi_main.c.
      + 1 to trigger unvalid parameter error */
-  ndpi_set_tls_cert_expire_days(ndpi_info_mod, fuzzed_data.ConsumeIntegral<u_int8_t>());
-
   if(fuzzed_data.ConsumeBool())
     ndpi_load_protocols_file(ndpi_info_mod, "protos.txt");
   if(fuzzed_data.ConsumeBool())
@@ -80,6 +78,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     ndpi_load_geoip(ndpi_info_mod, NULL, NULL);
   if(fuzzed_data.ConsumeBool()) {
+    value = fuzzed_data.ConsumeIntegralInRange(0, 365 + 1);
+    sprintf(cfg_value, "%d", value);
+    ndpi_set_config(ndpi_info_mod, "tls", "certificate_expiration_threshold", cfg_value);
+  }
+  if(fuzzed_data.ConsumeBool()) {
     value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
     sprintf(cfg_value, "%d", value);
     ndpi_set_config(ndpi_info_mod, "tls", "application_blocks_tracking.enable", cfg_value);
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
index 9a0c240f8..df31e30b1 100644
--- a/src/include/ndpi_api.h
+++ b/src/include/ndpi_api.h
@@ -1085,17 +1085,6 @@ extern "C" {
                                   ndpi_protocol_category_t *category,
                                   ndpi_protocol_breed_t *breed);
-  /**
-   * Specifies the threshold used to trigger the NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE
-   * flow risk that by default is set to 30 days
-   *
-   * @par ndpi_struct = the struct created for the protocol detection
-   * @par days = the number of days threshold for emitting the alert
-   *
-   */
-  void ndpi_set_tls_cert_expire_days(struct ndpi_detection_module_struct *ndpi_str,
-                                     u_int8_t days);
-
   void ndpi_handle_risk_exceptions(struct ndpi_detection_module_struct *ndpi_str,
                                    struct ndpi_flow_struct *flow);
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
index 7fac6d981..8f7208a05 100644
--- a/src/include/ndpi_private.h
+++ b/src/include/ndpi_private.h
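Review bot: The new `value = fuzzed_data.ConsumeIntegralInRange(0, 365 + 1);` never produces a value below the knob's declared minimum, so of the two range edges the cfg_params row in ndpi_main.c introduces ("0" and "365") only the above-maximum rejection is exercised by this fuzzer. Starting one below the minimum, `value = fuzzed_data.ConsumeIntegralInRange(-1, 365 + 1);`, would also drive the below-minimum error path through the same `%d` formatting. The `sprintf(cfg_value, "%d", value)` mirrors the existing entries; cfg_value and value are declared outside the hunk, so their size and type cannot be checked here. LLVMFuzzerTestOneInput begins and ends outside the hunk.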
@@ -191,6 +191,7 @@ struct ndpi_detection_module_config_struct {
   /* Protocols */
+  int tls_certificate_expire_in_x_days;
   int tls_app_blocks_tracking_enabled;
   int tls_sha1_fingerprint_enabled;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index e191a2877..33278c490 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -3120,7 +3120,6 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(void) {
   ndpi_str->user_data = NULL;
   ndpi_str->tcp_max_retransmission_window_size = NDPI_DEFAULT_MAX_TCP_RETRANSMISSION_WINDOW_SIZE;
-  ndpi_str->tls_certificate_expire_in_x_days = 30; /* NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE flow risk */
   ndpi_str->ndpi_num_supported_protocols = NDPI_MAX_SUPPORTED_PROTOCOLS;
   ndpi_str->ndpi_num_custom_protocols = 0;
@@ -10777,6 +10776,7 @@ static const struct cfg_param {
 } cfg_params[] = {
   /* Per-protocol parameters */
+  { "tls", "certificate_expiration_threshold", "30", "0", "365", CFG_PARAM_INT, __OFF(tls_certificate_expire_in_x_days) },
   { "tls", "application_blocks_tracking.enable", "0", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_app_blocks_tracking_enabled) },
   { "tls", "metadata.sha1_fingerprint.enable", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_sha1_fingerprint_enabled) },
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 3c37f7f5e..03b845c30 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -2800,14 +2800,6 @@ u_int8_t ndpi_is_encrypted_proto(struct ndpi_detection_module_struct *ndpi_str,
 /* ******************************************* */
-void ndpi_set_tls_cert_expire_days(struct ndpi_detection_module_struct *ndpi_str,
-                                   u_int8_t num_days) {
-  if(ndpi_str)
-    ndpi_str->tls_certificate_expire_in_x_days = num_days;
-}
-
-/* ******************************************* */
-
 u_int32_t ndpi_get_flow_error_code(struct ndpi_flow_struct *flow) {
   switch(flow->detected_protocol_stack[0] /* app_protocol */) {
     case NDPI_PROTOCOL_DNS:
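Review bot: The added field `int tls_certificate_expire_in_x_days;` has no comment, and the only explanation it used to carry (`/* NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE flow risk */` on the initializer removed from ndpi_init_detection_module) disappears with this commit. A one-liner on the field would keep that knowledge next to the data: `int tls_certificate_expire_in_x_days; /* Days before notAfter at which NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE is raised; default and range live in cfg_params (ndpi_main.c) */`. The two neighbouring tls fields are equally bare, so this may simply be the struct's convention. The struct starts and ends outside the hunk.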
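Review bot: The new cfg_params row accepts "0" as a valid threshold, but with 0 the tls.c check reduces to `time_sec > notAfter`, which looks like the certificate-expired condition handled by the preceding branch, so 0 would make NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE unreachable rather than mean "warn on the last day"; the preceding `if` condition is not visible here, so this is inferred. If disabling is the intended meaning, the description in doc/configuration_parameters.md should say so, e.g. append `(0 = the risk is never raised)`; if not, the minimum should be "1". The removed setter took a u_int8_t, so "365" also widens the accepted range past the old 255 cap; that is fine for the int field but worth a sentence in the commit message. The cfg_params array starts and ends outside the hunk.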
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 11ef6dd4a..87643abe8 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -545,7 +545,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
       snprintf(str, sizeof(str), "%s - %s", b, e);
       ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_EXPIRED, str); /* Certificate expired */
     } else if((time_sec > flow->protos.tls_quic.notBefore)
-              && (time_sec > (flow->protos.tls_quic.notAfter - (ndpi_struct->tls_certificate_expire_in_x_days * 86400)))) {
+              && (time_sec > (flow->protos.tls_quic.notAfter - (ndpi_struct->cfg.tls_certificate_expire_in_x_days * 86400)))) {
       char str[96], b[32], e[32];
       struct tm result;
       time_t theTime; |
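Review bot: The new operand `ndpi_struct->cfg.tls_certificate_expire_in_x_days * 86400` is an int product subtracted from `flow->protos.tls_quic.notAfter`, whose type is not visible in the hunk; if notAfter is unsigned, the product is converted and a certificate whose notAfter is smaller than the threshold in seconds wraps the subtraction to a large value, so the about-to-expire risk would silently not fire for such malformed certificates — harmless, but undocumented. A comment on the line would record why the arithmetic is safe now that the value is config-driven: `/* cfg bounds days to 0..365, so days * 86400 fits in an int */`. The bare 86400 would also read better as a named seconds-per-day constant if the file already has one. processCertificateElements starts and ends outside the hunk.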