Diffstat (limited to 'src/lib/protocols/tls.c')
-rw-r--r--src/lib/protocols/tls.c46
1 files changed, 24 insertions, 22 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 7d9e99171..816b23a50 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -223,7 +223,7 @@ static int extractRDNSequence(struct ndpi_packet_struct *packet,
if(rc > 0)
(*rdnSeqBuf_offset) += rc;
}
-
+
return(is_printable);
}
@@ -244,7 +244,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
/* Check after handshake protocol header (5 bytes) and message header (4 bytes) */
for(i = p_offset; i < certificate_len; i++) {
- /*
+ /*
See https://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q009860_.htm
for X.509 certificate labels
*/
@@ -252,7 +252,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
/* Common Name */
int rc = extractRDNSequence(packet, i, buffer, sizeof(buffer), rdnSeqBuf, &rdn_len, sizeof(rdnSeqBuf), "CN");
if(rc == -1) break;
-
+
#ifdef DEBUG_TLS
printf("[TLS] %s() [%s][%s: %s]\n", __FUNCTION__, (num_found == 0) ? "Subject" : "Issuer", "Common Name", buffer);
#endif
@@ -260,7 +260,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
/* Country */
int rc = extractRDNSequence(packet, i, buffer, sizeof(buffer), rdnSeqBuf, &rdn_len, sizeof(rdnSeqBuf), "C");
if(rc == -1) break;
-
+
#ifdef DEBUG_TLS
printf("[TLS] %s() [%s][%s: %s]\n", __FUNCTION__, (num_found == 0) ? "Subject" : "Issuer", "Country", buffer);
#endif
@@ -315,10 +315,10 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
if((offset+len) < packet->payload_packet_len) {
char utcDate[32];
-
+
#ifdef DEBUG_TLS
u_int j;
-
+
printf("[CERTIFICATE] notBefore [len: %u][", len);
for(j=0; j<len; j++) printf("%c", packet->payload[i+4+j]);
printf("]\n");
@@ -352,7 +352,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
u_int32_t time_sec = flow->packet.current_time_ms / 1000;
#ifdef DEBUG_TLS
u_int j;
-
+
printf("[CERTIFICATE] notAfter [len: %u][", len);
for(j=0; j<len; j++) printf("%c", packet->payload[offset+j]);
printf("]\n");
@@ -375,7 +375,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
}
}
-
+
if((time_sec < flow->protos.stun_ssl.ssl.notBefore)
|| (time_sec > flow->protos.stun_ssl.ssl.notAfter))
NDPI_SET_BIT(flow->risk, NDPI_TLS_CERTIFICATE_EXPIRED); /* Certificate expired */
@@ -385,7 +385,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
} else if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x1d) && (packet->payload[i+2] == 0x11)) {
/* Organization OID: 2.5.29.17 (subjectAltName) */
u_int8_t matched_name = 0;
-
+
#ifdef DEBUG_TLS
printf("******* [TLS] Found subjectAltName\n");
#endif
@@ -428,7 +428,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
else if(strcmp(flow->protos.stun_ssl.ssl.client_requested_server_name, dNSName) == 0)
matched_name = 1;
}
-
+
if(flow->protos.stun_ssl.ssl.server_names == NULL)
flow->protos.stun_ssl.ssl.server_names = ndpi_strdup(dNSName),
flow->protos.stun_ssl.ssl.server_names_len = strlen(dNSName);
@@ -477,7 +477,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
if(flow->protos.stun_ssl.ssl.subjectDN && flow->protos.stun_ssl.ssl.issuerDN
&& (!strcmp(flow->protos.stun_ssl.ssl.subjectDN, flow->protos.stun_ssl.ssl.issuerDN)))
NDPI_SET_BIT(flow->risk, NDPI_TLS_SELFSIGNED_CERTIFICATE);
-
+
#if DEBUG_TLS
printf("[TLS] %s() SubjectDN [%s]\n", __FUNCTION__, rdnSeqBuf);
#endif
@@ -864,7 +864,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
flow->protos.stun_ssl.ssl.ssl_version = ja3.tls_handshake_version = tls_version;
if(flow->protos.stun_ssl.ssl.ssl_version < 0x0302) /* TLSv1.1 */
NDPI_SET_BIT(flow->risk, NDPI_TLS_OBSOLETE_VERSION);
-
+
if(handshake_type == 0x02 /* Server Hello */) {
int i, rc;
@@ -889,7 +889,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
ja3.num_cipher = 1, ja3.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset]));
if((flow->protos.stun_ssl.ssl.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0])) == 1)
NDPI_SET_BIT(flow->risk, NDPI_TLS_WEAK_CIPHER);
-
+
flow->protos.stun_ssl.ssl.server_cipher = ja3.cipher[0];
#ifdef DEBUG_TLS
@@ -1108,6 +1108,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, buffer, strlen(buffer)))
flow->l4.tcp.tls.subprotocol_detected = 1;
+
+ ndpi_check_dga_name(ndpi_struct, flow, flow->protos.stun_ssl.ssl.client_requested_server_name);
} else {
#ifdef DEBUG_TLS
printf("[TLS] Extensions server len too short: %u vs %u\n",
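Review bot: The added `ndpi_check_dga_name` call runs unconditionally after the hostname-protocol match on the line above, so a server name that has just been recognised as a known protocol's hostname is still fed to the DGA heuristic, and the call reads `flow->protos.stun_ssl.ssl.client_requested_server_name` while the match used the local `buffer`; that those two hold the same name is established outside the hunk, and if the flow field is a fixed-size copy it may be truncated relative to `buffer`. If the intent is to only score names that did not match a known service, gate it as `if(!flow->l4.tcp.tls.subprotocol_detected) ndpi_check_dga_name(ndpi_struct, flow, flow->protos.stun_ssl.ssl.client_requested_server_name);`; otherwise a one-line comment such as `/* Score the SNI for algorithmically generated (DGA) names; runs even when a subprotocol matched */` would make the choice explicit. The enclosing body of processClientServerHello starts and ends outside the hunk, so whether the field can still be empty here cannot be confirmed from this view.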
@@ -1261,8 +1263,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
flow->protos.stun_ssl.ssl.tls_supported_versions = ndpi_strdup(version_str);
}
} else if(extension_id == 65486 /* encrypted server name */) {
- /*
- - https://tools.ietf.org/html/draft-ietf-tls-esni-06
+ /*
+ - https://tools.ietf.org/html/draft-ietf-tls-esni-06
- https://blog.cloudflare.com/encrypted-sni/
*/
u_int16_t e_offset = offset+extension_offset;
@@ -1270,9 +1272,9 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
u_int16_t e_sni_len, cipher_suite = ntohs(*((u_int16_t*)&packet->payload[e_offset]));
flow->protos.stun_ssl.ssl.encrypted_sni.cipher_suite = cipher_suite;
-
+
e_offset += 2; /* Cipher suite len */
-
+
/* Key Share Entry */
e_offset += 2; /* Group */
e_offset += ntohs(*((u_int16_t*)&packet->payload[e_offset])) + 2; /* Lenght */
@@ -1280,11 +1282,11 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
if((e_offset+4) < packet->payload_packet_len) {
/* Record Digest */
e_offset += ntohs(*((u_int16_t*)&packet->payload[e_offset])) + 2; /* Lenght */
-
+
if((e_offset+4) < packet->payload_packet_len) {
e_sni_len = ntohs(*((u_int16_t*)&packet->payload[e_offset]));
e_offset += 2;
-
+
if((e_offset+e_sni_len-extension_len-initial_offset) >= 0) {
#ifdef DEBUG_ENCRYPTED_SNI
printf("Client SSL [Encrypted Server Name len: %u]\n", e_sni_len);
@@ -1292,13 +1294,13 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
if(flow->protos.stun_ssl.ssl.encrypted_sni.esni == NULL) {
flow->protos.stun_ssl.ssl.encrypted_sni.esni = (char*)ndpi_malloc(e_sni_len*2+1);
-
+
if(flow->protos.stun_ssl.ssl.encrypted_sni.esni) {
u_int16_t i, off;
-
+
for(i=e_offset, off=0; i<(e_offset+e_sni_len); i++) {
int rc = sprintf(&flow->protos.stun_ssl.ssl.encrypted_sni.esni[off], "%02X", packet->payload[i] & 0XFF);
-
+
if(rc <= 0) {
flow->protos.stun_ssl.ssl.encrypted_sni.esni[off] = '\0';
break;