diff options
Diffstat (limited to 'src/lib/protocols/tls.c')
| -rw-r--r-- | src/lib/protocols/tls.c | 66 |
1 files changed, 47 insertions, 19 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index cce5e0471..261f2ab28 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -32,8 +32,7 @@ extern char *strptime(const char *s, const char *format, struct tm *tm); /* #define DEBUG_TLS 1 */ - -#define DEBUG_FINGERPRINT 1 +/* #define DEBUG_FINGERPRINT 1 */ /* NOTE @@ -59,6 +58,9 @@ extern u_int8_t is_skype_flow(struct ndpi_detection_module_struct *ndpi_struct, /* stun.c */ extern u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev); +extern int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow); + /* **************************************** */ static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_struct *ndpi_struct, @@ -94,6 +96,16 @@ static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_st /* **************************************** */ +static void sslInitExtraPacketProcessing(struct ndpi_flow_struct *flow) { + flow->check_extra_packets = 1; + + /* At most 7 packets should almost always be enough to find the server certificate if it's there */ + flow->max_extra_packets_to_check = 7; + flow->extra_packets_func = sslTryAndRetrieveServerCertificate; +} + +/* **************************************** */ + static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int32_t protocol) { if(protocol != NDPI_PROTOCOL_TLS) @@ -102,6 +114,7 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp protocol = ndpi_tls_refine_master_protocol(ndpi_struct, flow, protocol); ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_TLS); + sslInitExtraPacketProcessing(flow); } /* **************************************** */ @@ -869,7 +882,8 @@ int getSSCertificateFingerprint(struct ndpi_detection_module_struct *ndpi_struct } } } - + + flow->extra_packets_func = NULL; /* We're good now */ return(1); } @@ -1070,16 +1084,6 @@ int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi /* **************************************** */ -static void sslInitExtraPacketProcessing(struct ndpi_flow_struct *flow) { - flow->check_extra_packets = 1; - - /* At most 7 packets should almost always be enough to find the server certificate if it's there */ - flow->max_extra_packets_to_check = 7; - flow->extra_packets_func = sslTryAndRetrieveServerCertificate; -} - -/* **************************************** */ - int tlsDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int8_t skip_cert_processing) { @@ -1130,11 +1134,26 @@ int tlsDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s return(rc); } - if(((packet->tls_certificate_num_checks >= 3) - && flow->l4.tcp.seen_syn - && flow->l4.tcp.seen_syn_ack - && flow->l4.tcp.seen_ack /* We have seen the 3-way handshake */ - && flow->l4.tcp.tls_srv_cert_fingerprint_processed +#ifdef DEBUG_TLS + printf("[TLS] %s() [tls_certificate_num_checks: %u][tls_srv_cert_fingerprint_processed: %u][tls_certificate_detected: %u][%u/%u]", + __FUNCTION__, packet->tls_certificate_num_checks, flow->l4.tcp.tls_srv_cert_fingerprint_processed, + packet->tls_certificate_detected, + flow->l4.tcp.tls_seen_client_cert, + flow->l4.tcp.tls_seen_server_cert + ); +#endif + + + if(((packet->tls_certificate_num_checks >= 1) +#if 0 + && (flow->l4.tcp.seen_syn /* User || to be tolerant */ + || flow->l4.tcp.seen_syn_ack + || flow->l4.tcp.seen_ack /* We have seen the 3-way handshake */) +#endif + && (flow->l4.tcp.tls_srv_cert_fingerprint_processed + || flow->l4.tcp.tls_seen_client_cert + || flow->l4.tcp.tls_seen_server_cert + || packet->tls_certificate_detected) ) /* || ((flow->l4.tcp.tls_seen_certificate == 1) @@ -1228,7 +1247,12 @@ static void tls_mark_and_payload_search(struct ndpi_detection_module_struct if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { NDPI_LOG_DBG(ndpi_struct, "found ssl connection\n"); tlsDetectProtocolFromCertificate(ndpi_struct, flow, skip_cert_processing); - + +#ifdef DEBUG_TLS + printf("[TLS] %s() [tls_seen_client_cert: %u][tls_seen_server_cert: %u]\n", __FUNCTION__, + flow->l4.tcp.tls_seen_client_cert, flow->l4.tcp.tls_seen_server_cert); +#endif + if(!packet->tls_certificate_detected && (!(flow->l4.tcp.tls_seen_client_cert && flow->l4.tcp.tls_seen_server_cert))) { /* SSL without certificate (Skype, Ultrasurf?) */ @@ -1354,6 +1378,10 @@ void ndpi_search_tls_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_packet_struct *packet = &flow->packet; u_int8_t ret, skip_cert_processing = 0; +#ifdef DEBUG_TLS + printf("%s()\n", __FUNCTION__); +#endif + if(packet->udp != NULL) { /* DTLS dissector */ int rc = sslTryAndRetrieveServerCertificate(ndpi_struct, flow); |