Diffstat (limited to 'src/lib/protocols/tls.c')
1 files changed, 35 insertions, 35 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 0fdac846a..db0f2b419 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -435,14 +435,14 @@ static int tls_obfuscated_heur_search_again(struct ndpi_detection_module_struct*
if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_AGGRESSIVE);
- ndpi_set_risk(flow, NDPI_OBFUSCATED_TRAFFIC, "Obfuscated TLS traffic");
+ ndpi_set_risk(ndpi_struct, flow, NDPI_OBFUSCATED_TRAFFIC, "Obfuscated TLS traffic");
} else {
flow->confidence = NDPI_CONFIDENCE_DPI_AGGRESSIVE; /* Update the value */
if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS ||
flow->detected_protocol_stack[1] == NDPI_PROTOCOL_TLS)
- ndpi_set_risk(flow, NDPI_OBFUSCATED_TRAFFIC, "Obfuscated TLS-in-TLS traffic");
+ ndpi_set_risk(ndpi_struct, flow, NDPI_OBFUSCATED_TRAFFIC, "Obfuscated TLS-in-TLS traffic");
else
- ndpi_set_risk(flow, NDPI_OBFUSCATED_TRAFFIC, "Obfuscated TLS-in-HTTP-WebSocket traffic");
+ ndpi_set_risk(ndpi_struct, flow, NDPI_OBFUSCATED_TRAFFIC, "Obfuscated TLS-in-HTTP-WebSocket traffic");
}
ndpi_protocol ret = { { __get_master(ndpi_struct, flow), NDPI_PROTOCOL_UNKNOWN }, NDPI_PROTOCOL_UNKNOWN /* unused */, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL};
@@ -773,7 +773,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
char str[64];
snprintf(str, sizeof(str), "Invalid issuerDN %s", flow->protos.tls_quic.issuerDN);
- ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, str);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, str);
}
}
@@ -851,7 +851,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
snprintf(str, sizeof(str), "TLS Cert lasts %u days",
(flow->protos.tls_quic.notAfter-flow->protos.tls_quic.notBefore) / 86400);
- ndpi_set_risk(flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG, str); /* Certificate validity longer than 13 months */
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG, str); /* Certificate validity longer than 13 months */
}
if((time_sec < flow->protos.tls_quic.notBefore) || (time_sec > flow->protos.tls_quic.notAfter)) {
@@ -866,7 +866,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
strftime(e, sizeof(e), "%d/%b/%Y %H:%M:%S", ndpi_gmtime_r(&theTime, &result));
snprintf(str, sizeof(str), "%s - %s", b, e);
- ndpi_set_risk(flow, NDPI_TLS_CERTIFICATE_EXPIRED, str); /* Certificate expired */
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_EXPIRED, str); /* Certificate expired */
} else if((time_sec > flow->protos.tls_quic.notBefore)
&& (time_sec > (flow->protos.tls_quic.notAfter - (ndpi_struct->cfg.tls_certificate_expire_in_x_days * 86400)))) {
char str[96], b[32], e[32];
@@ -880,7 +880,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
strftime(e, sizeof(e), "%d/%b/%Y %H:%M:%S", ndpi_gmtime_r(&theTime, &result));
snprintf(str, sizeof(str), "%s - %s", b, e);
- ndpi_set_risk(flow, NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE, str); /* Certificate almost expired */
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE, str); /* Certificate almost expired */
}
}
}
@@ -965,10 +965,10 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
here that will create false positives
*/
if(ndpi_normalize_printable_string(dNSName, dNSName_len) == 0) {
- ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, dNSName);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, dNSName);
/* This looks like an attack */
- ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, "Invalid dNSName name");
+ ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Invalid dNSName name");
}
if(matched_name == 0) {
@@ -1026,7 +1026,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
#if DEBUG_TLS
printf("[TLS] Leftover %u bytes", packet->payload_packet_len - i);
#endif
- ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_EXTENSION, buf);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION, buf);
break;
}
} else {
@@ -1038,7 +1038,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
char str[128];
snprintf(str, sizeof(str), "%s vs %s", flow->host_server_name, flow->protos.tls_quic.server_names);
- ndpi_set_risk(flow, NDPI_TLS_CERTIFICATE_MISMATCH, str); /* Certificate mismatch */
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_MISMATCH, str); /* Certificate mismatch */
}
}
}
@@ -1082,7 +1082,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
return; /* This is a trusted DN */
if(!flow->protos.tls_quic.webrtc)
- ndpi_set_risk(flow, NDPI_TLS_SELFSIGNED_CERTIFICATE, flow->protos.tls_quic.subjectDN);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SELFSIGNED_CERTIFICATE, flow->protos.tls_quic.subjectDN);
}
#if DEBUG_TLS
@@ -1111,7 +1111,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
if((packet->payload_packet_len != (length + 4 + (is_dtls ? 8 : 0))) || (packet->payload[1] != 0x0) ||
certificates_offset >= packet->payload_packet_len) {
- ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Unvalid lenght");
+ ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Unvalid lenght");
return(-1); /* Invalid length */
}
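Review bot: The risk description on the added line is `"Unvalid lenght"`, a double typo in a string that is exported to users as the flow-risk info text; since the line is already being rewritten for the new signature, correct it to `ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid length");`. The message should also match the wording of the sibling `"Invalid certificate offset"` risk a few lines below. processCertificate's body starts and ends outside this hunk.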
@@ -1120,7 +1120,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
packet->payload[certificates_offset - 1];
if((packet->payload[certificates_offset - 3] != 0x0) || ((certificates_length+3) != length)) {
- ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid certificate offset");
+ ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid certificate offset");
return(-2); /* Invalid length */
}
@@ -1197,7 +1197,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
u_int16_t rc1 = ndpi_hash_find_entry(ndpi_struct->malicious_sha1_hashmap, sha1_str, sha1_siz * 2, NULL);
if(rc1 == 0)
- ndpi_set_risk(flow, NDPI_MALICIOUS_SHA1_CERTIFICATE, sha1_str);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_SHA1_CERTIFICATE, sha1_str);
}
}
@@ -1412,7 +1412,7 @@ int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
u_int8_t alert_level = message->buffer[5];
if(alert_level == 2 /* Warning (1), Fatal (2) */)
- ndpi_set_risk(flow, NDPI_TLS_FATAL_ALERT, "Found fatal TLS alert");
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_FATAL_ALERT, "Found fatal TLS alert");
}
u_int16_t const alert_len = ntohs(*(u_int16_t const *)&message->buffer[3]);
@@ -1713,7 +1713,7 @@ static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct,
u_int8_t alert_level = block[13];
if(alert_level == 2 /* Warning (1), Fatal (2) */)
- ndpi_set_risk(flow, NDPI_TLS_FATAL_ALERT, "Found fatal TLS alert");
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_FATAL_ALERT, "Found fatal TLS alert");
}
} else {
#ifdef DEBUG_TLS
@@ -1863,7 +1863,7 @@ static void tlsCheckUncommonALPN(struct ndpi_detection_module_struct *ndpi_struc
str[str_len - 1] = '\0';
}
- ndpi_set_risk(flow, NDPI_TLS_UNCOMMON_ALPN, str);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_UNCOMMON_ALPN, str);
break;
}
@@ -1917,7 +1917,7 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct,
printf("[TLS] extension length exceeds remaining packet length: %u > %u.\n",
extension_len, packet->payload_packet_len - extension_payload_offset);
#endif
- ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_EXTENSION, "Invalid extension len");
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION, "Invalid extension len");
return;
}
@@ -1959,7 +1959,7 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct,
#ifdef DEBUG_TLS
printf("[TLS] suspicious extension id: %u\n", extension_id);
#endif
- ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_EXTENSION, str);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION, str);
return;
}
}
@@ -1976,7 +1976,7 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct,
#ifdef DEBUG_TLS
printf("[TLS] suspicious DTLS-only extension id: %u\n", extension_id);
#endif
- ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_EXTENSION, str);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION, str);
return;
}
}
@@ -2307,7 +2307,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
char unknown_cipher[8];
snprintf(str, sizeof(str), "Cipher %s", ndpi_cipher2str(ja.server.cipher[0], unknown_cipher));
- ndpi_set_risk(flow, NDPI_TLS_WEAK_CIPHER, str);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_WEAK_CIPHER, str);
}
flow->protos.tls_quic.server_cipher = ja.server.cipher[0];
@@ -2396,12 +2396,12 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
s_offset += alpn_len, alpn_str_len += alpn_len;;
} else {
alpn_str[alpn_str_len] = '\0';
- ndpi_set_risk(flow, NDPI_TLS_UNCOMMON_ALPN, alpn_str);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_UNCOMMON_ALPN, alpn_str);
break;
}
} else {
alpn_str[alpn_str_len] = '\0';
- ndpi_set_risk(flow, NDPI_TLS_UNCOMMON_ALPN, alpn_str);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_UNCOMMON_ALPN, alpn_str);
break;
}
} /* while */
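Review bot: The context line `s_offset += alpn_len, alpn_str_len += alpn_len;;` in this hunk joins two assignments with the comma operator and ends with a stray empty statement; it is functionally harmless but reads as an accident, and as the surrounding lines are being touched it would be cleaner as two plain statements, `s_offset += alpn_len; alpn_str_len += alpn_len;`. processClientServerHello's body and the enclosing ALPN loop start outside the hunk.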
@@ -2412,7 +2412,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
printf("Server TLS [ALPN: %s][len: %u]\n", alpn_str, alpn_str_len);
#endif
if(ndpi_normalize_printable_string(alpn_str, alpn_str_len) == 0)
- ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, alpn_str);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, alpn_str);
if(flow->protos.tls_quic.negotiated_alpn == NULL)
flow->protos.tls_quic.negotiated_alpn = ndpi_strdup(alpn_str);
@@ -2535,7 +2535,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
snprintf(str, sizeof(str), "%s", ndpi_ssl_version2str(buf, sizeof(buf),
flow->protos.tls_quic.ssl_version,
&unknown_tls_version));
- ndpi_set_risk(flow, NDPI_TLS_OBSOLETE_VERSION, str);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_OBSOLETE_VERSION, str);
}
if((session_id_len+base_offset+3) > packet->payload_packet_len)
@@ -2744,10 +2744,10 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
printf("[TLS] SNI: [%s]\n", sni);
#endif
if(ndpi_is_valid_hostname((char *)&packet->payload[offset+extension_offset+5], len) == 0) {
- ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, sni);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, sni);
/* This looks like an attack */
- ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, "Invalid chars found in SNI: exploit or misconfiguration?");
+ ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Invalid chars found in SNI: exploit or misconfiguration?");
}
if(!is_quic) {
@@ -2762,7 +2762,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
if((flow->protos.tls_quic.subprotocol_detected == 0)
&& (check_sni_is_numeric_ip(sni) == 1)) {
- ndpi_set_risk(flow, NDPI_NUMERIC_IP_HOST, sni);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST, sni);
}
if(ndpi_check_dga_name(ndpi_struct, flow, sni, 1, 0)) {
@@ -3110,7 +3110,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
}
} else if(extension_id == 65486 /* encrypted server name */) {
/* ESNI has been superseded by ECH */
- ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_ESNI_USAGE, NULL);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_ESNI_USAGE, NULL);
} else if(extension_id == 65037 /* ECH: latest drafts */) {
#ifdef DEBUG_TLS
printf("Client TLS: ECH version 0x%x\n", extension_id);
@@ -3196,7 +3196,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
#ifdef DEBUG_TLS
printf("Padding length: %d\n", extension_len);
#endif
- ndpi_set_risk(flow, NDPI_OBFUSCATED_TRAFFIC, "Abnormal Client Hello/Padding length");
+ ndpi_set_risk(ndpi_struct, flow, NDPI_OBFUSCATED_TRAFFIC, "Abnormal Client Hello/Padding length");
}
}
@@ -3279,7 +3279,7 @@ compute_ja3c:
NULL);
if(rc1 == 0)
- ndpi_set_risk(flow, NDPI_MALICIOUS_FINGERPRINT, flow->protos.tls_quic.ja3_client);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_FINGERPRINT, flow->protos.tls_quic.ja3_client);
}
}
@@ -3293,7 +3293,7 @@ compute_ja3c:
if((flow->protos.tls_quic.ssl_version >= 0x0303) /* >= TLSv1.2 */
&& !flow->protos.tls_quic.webrtc
&& (flow->protos.tls_quic.advertised_alpns == NULL) /* No ALPN */) {
- ndpi_set_risk(flow, NDPI_TLS_NOT_CARRYING_HTTPS, "No ALPN");
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_NOT_CARRYING_HTTPS, "No ALPN");
}
/* Add check for missing SNI */
@@ -3302,7 +3302,7 @@ compute_ja3c:
&& !flow->protos.tls_quic.webrtc
) {
/* This is a bit suspicious */
- ndpi_set_risk(flow, NDPI_TLS_MISSING_SNI, "SNI should always be present");
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_MISSING_SNI, "SNI should always be present");
if(flow->protos.tls_quic.advertised_alpns != NULL) {
char buf[256], *tmp, *item;
@@ -3314,7 +3314,7 @@ compute_ja3c:
while(item != NULL) {
if(item[0] == 'h') {
/* Example 'h2' */
- ndpi_set_risk(flow, NDPI_TLS_ALPN_SNI_MISMATCH, item);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_ALPN_SNI_MISMATCH, item);
break;
} else
item = strtok_r(NULL, ",", &tmp);