aboutsummaryrefslogtreecommitdiff
path: root/src/lib/protocols
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/protocols')
-rw-r--r--src/lib/protocols/btlib.c5
-rw-r--r--src/lib/protocols/coap.c2
-rw-r--r--src/lib/protocols/csgo.c5
-rw-r--r--src/lib/protocols/directconnect.c1
-rw-r--r--src/lib/protocols/dns.c4
-rw-r--r--src/lib/protocols/dropbox.c10
-rw-r--r--src/lib/protocols/edonkey.c3
-rw-r--r--src/lib/protocols/ftp_data.c4
-rw-r--r--src/lib/protocols/gnutella.c1
-rw-r--r--src/lib/protocols/http.c2
-rw-r--r--src/lib/protocols/icecast.c2
-rw-r--r--src/lib/protocols/mail_smtp.c7
-rw-r--r--src/lib/protocols/memcached.c3
-rw-r--r--src/lib/protocols/mysql.c52
-rw-r--r--src/lib/protocols/sip.c22
-rw-r--r--src/lib/protocols/ssl.c682
16 files changed, 643 insertions, 162 deletions
diff --git a/src/lib/protocols/btlib.c b/src/lib/protocols/btlib.c
index 5992c1b28..ea06a6348 100644
--- a/src/lib/protocols/btlib.c
+++ b/src/lib/protocols/btlib.c
@@ -204,8 +204,7 @@ void cb_data(bt_parse_data_cb_t *cbd,int *ret) {
if(cbd->t == 0) return;
if(cbd->t == 1) {
-
- DEBUG_TRACE(printf("%s %lld\n",cbd->buf,cbd->v.i));
+ DEBUG_TRACE(printf("%s %lld\n",cbd->buf, (long long)cbd->v.i));
if(STREQ(cbd->buf,"a.port")) {
p->a.port = (u_int16_t)(cbd->v.i & 0xffff);
@@ -234,7 +233,7 @@ void cb_data(bt_parse_data_cb_t *cbd,int *ret) {
p->h_mint = 1;
return;
}
- DEBUG_TRACE(printf("UNKNOWN %s %lld\n",cbd->buf,cbd->v.i));
+ DEBUG_TRACE(printf("UNKNOWN %s %lld\n",cbd->buf, (long long)cbd->v.i));
return;
}
if(cbd->t != 2) {
diff --git a/src/lib/protocols/coap.c b/src/lib/protocols/coap.c
index cf5061bbe..c99ab5fc1 100644
--- a/src/lib/protocols/coap.c
+++ b/src/lib/protocols/coap.c
@@ -130,7 +130,7 @@ void ndpi_search_coap (struct ndpi_detection_module_struct *ndpi_struct,
if(h->version == 1) {
if(h->type == CON || h->type == NO_CON || h->type == ACK || h->type == RST ) {
if(h->tkl < 8) {
- if((h->code >= 0 && h->code <= 5) || (h->code >= 65 && h->code <= 69) ||
+ if((/* h->code >= 0 && */ h->code <= 5) || (h->code >= 65 && h->code <= 69) ||
(h->code >= 128 && h->code <= 134) || (h->code >= 140 && h->code <= 143) ||
(h->code >= 160 && h->code <= 165)) {
diff --git a/src/lib/protocols/csgo.c b/src/lib/protocols/csgo.c
index 7f4479419..f316f96b7 100644
--- a/src/lib/protocols/csgo.c
+++ b/src/lib/protocols/csgo.c
@@ -30,6 +30,11 @@ void ndpi_search_csgo(struct ndpi_detection_module_struct* ndpi_struct, struct n
struct ndpi_packet_struct* packet = &flow->packet;
if (packet->udp != NULL) {
+ if (packet->payload_packet_len < sizeof(uint32_t)) {
+ NDPI_LOG_DBG2(ndpi_struct, "Short csgo packet\n");
+ return;
+ }
+
uint32_t w = htonl(get_u_int32_t(packet->payload, 0));
NDPI_LOG_DBG2(ndpi_struct, "CSGO: word %08x\n", w);
diff --git a/src/lib/protocols/directconnect.c b/src/lib/protocols/directconnect.c
index 5088685e4..19582724d 100644
--- a/src/lib/protocols/directconnect.c
+++ b/src/lib/protocols/directconnect.c
@@ -318,7 +318,6 @@ static void ndpi_search_directconnect_udp(struct ndpi_detection_module_struct
struct ndpi_id_struct *dst = flow->dst;
int pos, count = 0;
-
if (dst != NULL && dst->detected_directconnect_udp_port == packet->udp->dest) {
if ((u_int32_t)
(packet->tick_timestamp -
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 1c2593feb..dc97f3fe7 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -190,11 +190,11 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
flow->protos.dns.rsp_type = rsp_type;
/* here x points to the response "class" field */
- if((x+12) < flow->packet.payload_packet_len) {
+ if((x+12) <= flow->packet.payload_packet_len) {
x += 6;
data_len = get16(&x, flow->packet.payload);
- if(((x + data_len) < flow->packet.payload_packet_len)
+ if(((x + data_len) <= flow->packet.payload_packet_len)
&& (((rsp_type == 0x1) && (data_len == 4)) /* A */
#ifdef NDPI_DETECTION_SUPPORT_IPV6
|| ((rsp_type == 0x1c) && (data_len == 16)) /* AAAA */
diff --git a/src/lib/protocols/dropbox.c b/src/lib/protocols/dropbox.c
index 39bb96ff2..895bb0164 100644
--- a/src/lib/protocols/dropbox.c
+++ b/src/lib/protocols/dropbox.c
@@ -30,11 +30,9 @@
#define DB_LSP_PORT 17500
-
static void ndpi_int_dropbox_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
- u_int8_t due_to_correlation)
-{
+ u_int8_t due_to_correlation) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_UNKNOWN);
}
@@ -51,8 +49,7 @@ static void ndpi_check_dropbox(struct ndpi_detection_module_struct *ndpi_struct,
if(packet->udp->dest == dropbox_port) {
if(packet->udp->source == dropbox_port) {
if(payload_len > 10) {
- if(ndpi_strnstr((const char *)packet->payload, "\"host_int\"", payload_len) != NULL) {
-
+ if(ndpi_strnstr((const char *)packet->payload, "\"host_int\"", payload_len) != NULL) {
NDPI_LOG_INFO(ndpi_struct, "found dropbox\n");
ndpi_int_dropbox_add_connection(ndpi_struct, flow, 0);
return;
@@ -60,8 +57,7 @@ static void ndpi_check_dropbox(struct ndpi_detection_module_struct *ndpi_struct,
}
} else {
if(payload_len > 10) {
- if(ndpi_strnstr((const char *)packet->payload, "Bus17Cmd", payload_len) != NULL) {
-
+ if(ndpi_strnstr((const char *)packet->payload, "Bus17Cmd", payload_len) != NULL) {
NDPI_LOG_INFO(ndpi_struct, "found dropbox\n");
ndpi_int_dropbox_add_connection(ndpi_struct, flow, 0);
return;
diff --git a/src/lib/protocols/edonkey.c b/src/lib/protocols/edonkey.c
index 547bafc5f..ca5abebad 100644
--- a/src/lib/protocols/edonkey.c
+++ b/src/lib/protocols/edonkey.c
@@ -177,7 +177,6 @@ static void ndpi_check_edonkey(struct ndpi_detection_module_struct *ndpi_struct,
/* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
flow->edonkey_stage = packet->packet_direction + 1;
}
-
} else {
NDPI_LOG_DBG2(ndpi_struct, "EDONKEY stage %u: \n", flow->edonkey_stage);
@@ -187,7 +186,7 @@ static void ndpi_check_edonkey(struct ndpi_detection_module_struct *ndpi_struct,
}
/* This is a packet in another direction. Check if we find the proper response. */
- if((payload_len == 0) || (ndpi_edonkey_payload_check(packet->payload, payload_len))) {
+ if(ndpi_edonkey_payload_check(packet->payload, payload_len)) {
NDPI_LOG_INFO(ndpi_struct, "found EDONKEY\n");
ndpi_int_edonkey_add_connection(ndpi_struct, flow);
} else {
diff --git a/src/lib/protocols/ftp_data.c b/src/lib/protocols/ftp_data.c
index 7c646c363..3aaf6f97e 100644
--- a/src/lib/protocols/ftp_data.c
+++ b/src/lib/protocols/ftp_data.c
@@ -62,9 +62,11 @@ static int ndpi_match_ftp_data_directory(struct ndpi_detection_module_struct *nd
;
} else
return 0;
+
+ return 1;
}
- return 1;
+ return 0;
}
static int ndpi_match_file_header(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
diff --git a/src/lib/protocols/gnutella.c b/src/lib/protocols/gnutella.c
index 5bc2980cc..75a8e534b 100644
--- a/src/lib/protocols/gnutella.c
+++ b/src/lib/protocols/gnutella.c
@@ -68,7 +68,6 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru
struct ndpi_id_struct *src = flow->src;
struct ndpi_id_struct *dst = flow->dst;
-
u_int16_t c;
NDPI_LOG_DBG(ndpi_struct, "search GNUTELLA\n");
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 33ef9e2ed..e715dd499 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -184,6 +184,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
case 'P':
switch(flow->packet.http_method.ptr[1]) {
+ case 'A': flow->http.method = NDPI_HTTP_METHOD_PATCH; break;
case 'O': flow->http.method = NDPI_HTTP_METHOD_POST; break;
case 'U': flow->http.method = NDPI_HTTP_METHOD_PUT; break;
}
@@ -414,6 +415,7 @@ static struct l_string {
STATIC_STRING_L("OPTIONS "),
STATIC_STRING_L("HEAD "),
STATIC_STRING_L("PUT "),
+ STATIC_STRING_L("PATCH "),
STATIC_STRING_L("DELETE "),
STATIC_STRING_L("CONNECT "),
STATIC_STRING_L("PROPFIND "),
diff --git a/src/lib/protocols/icecast.c b/src/lib/protocols/icecast.c
index 515d5b572..0bb87b88a 100644
--- a/src/lib/protocols/icecast.c
+++ b/src/lib/protocols/icecast.c
@@ -64,6 +64,8 @@ void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_struct, s
goto icecast_exclude;
}
+ if(flow == NULL) return;
+
if((packet->packet_direction == flow->setup_packet_direction)
&& (flow->packet_counter < 10)) {
return;
diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c
index f7fbd337c..fdc47d15c 100644
--- a/src/lib/protocols/mail_smtp.c
+++ b/src/lib/protocols/mail_smtp.c
@@ -58,13 +58,16 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct
NDPI_LOG_DBG(ndpi_struct, "search mail_smtp\n");
- if (packet->payload_packet_len > 2 && ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0d0a) {
+ if((packet->payload_packet_len > 2)
+ && (packet->parsed_lines < NDPI_MAX_PARSE_LINES_PER_PACKET)
+ && (ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0d0a)
+ ) {
u_int8_t a;
u_int8_t bit_count = 0;
NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow,packet);
- for (a = 0; a < packet->parsed_lines; a++) {
+ for (a = 0; a < packet->parsed_lines; a++) {
// expected server responses
if (packet->line[a].len >= 3) {
if (memcmp(packet->line[a].ptr, "220", 3) == 0) {
diff --git a/src/lib/protocols/memcached.c b/src/lib/protocols/memcached.c
index e9deb5cc9..44a8b0858 100644
--- a/src/lib/protocols/memcached.c
+++ b/src/lib/protocols/memcached.c
@@ -89,7 +89,7 @@
#define MEMCACHED_MIN_MATCH 2 /* Minimum number of command/responses required */
-#define MEMCACHED_MATCH(cr) memcmp(offset, cr, cr ## _LEN)
+#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN))
static void ndpi_int_memcached_add_connection(struct ndpi_detection_module_struct
*ndpi_struct, struct ndpi_flow_struct *flow)
@@ -105,6 +105,7 @@ void ndpi_search_memcached(
{
struct ndpi_packet_struct *packet = &flow->packet;
const u_int8_t *offset = packet->payload;
+ const u_int16_t length = packet->payload_packet_len;
u_int8_t *matches;
NDPI_LOG_DBG(ndpi_struct, "search memcached\n");
diff --git a/src/lib/protocols/mysql.c b/src/lib/protocols/mysql.c
index d1602a2fe..1306c381d 100644
--- a/src/lib/protocols/mysql.c
+++ b/src/lib/protocols/mysql.c
@@ -29,42 +29,46 @@
#include "ndpi_api.h"
-
-static void ndpi_int_mysql_add_connection(struct ndpi_detection_module_struct
- *ndpi_struct, struct ndpi_flow_struct *flow)
-{
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN);
-}
-
-void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
+void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
NDPI_LOG_DBG(ndpi_struct, "search MySQL\n");
if(packet->tcp) {
- if (packet->payload_packet_len > 38 //min length
- && get_u_int16_t(packet->payload, 0) == packet->payload_packet_len - 4 //first 3 bytes are length
- && get_u_int8_t(packet->payload, 2) == 0x00 //3rd byte of packet length
- && get_u_int8_t(packet->payload, 3) == 0x00 //packet sequence number is 0 for startup packet
- && get_u_int8_t(packet->payload, 5) > 0x30 //server version > 0
- && get_u_int8_t(packet->payload, 5) < 0x37 //server version < 7
- && get_u_int8_t(packet->payload, 6) == 0x2e //dot
- ) {
+ if(packet->payload_packet_len > 38 //min length
+ && get_u_int16_t(packet->payload, 0) == packet->payload_packet_len - 4 //first 3 bytes are length
+ && get_u_int8_t(packet->payload, 2) == 0x00 //3rd byte of packet length
+ && get_u_int8_t(packet->payload, 3) == 0x00 //packet sequence number is 0 for startup packet
+ && get_u_int8_t(packet->payload, 5) > 0x30 //server version > 0
+ && get_u_int8_t(packet->payload, 5) < 0x37 //server version < 7
+ && get_u_int8_t(packet->payload, 6) == 0x2e //dot
+ ) {
+#if 0
+ /* Old code */
u_int32_t a;
- for (a = 7; a + 31 < packet->payload_packet_len; a++) {
- if (packet->payload[a] == 0x00) {
- if (get_u_int8_t(packet->payload, a + 13) == 0x00 //filler byte
- && get_u_int64_t(packet->payload, a + 19) == 0x0ULL //13 more
- && get_u_int32_t(packet->payload, a + 27) == 0x0 //filler bytes
- && get_u_int8_t(packet->payload, a + 31) == 0x0) {
+
+ for(a = 7; a + 31 < packet->payload_packet_len; a++) {
+ if(packet->payload[a] == 0x00) {
+ if(get_u_int8_t(packet->payload, a + 13) == 0x00 // filler byte
+ && get_u_int64_t(packet->payload, a + 19) == 0x0ULL // 13 more
+ && get_u_int32_t(packet->payload, a + 27) == 0x0 // filler bytes
+ && get_u_int8_t(packet->payload, a + 31) == 0x0) {
NDPI_LOG_INFO(ndpi_struct, "found MySQL\n");
- ndpi_int_mysql_add_connection(ndpi_struct, flow);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN);
return;
}
+
break;
}
}
+#else
+ if(strncmp((const char*)&packet->payload[packet->payload_packet_len-22],
+ "mysql_", 6) == 0) {
+ NDPI_LOG_INFO(ndpi_struct, "found MySQL\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN);
+ return;
+ }
+#endif
}
}
diff --git a/src/lib/protocols/sip.c b/src/lib/protocols/sip.c
index 1436b2cec..2583dbfdf 100644
--- a/src/lib/protocols/sip.c
+++ b/src/lib/protocols/sip.c
@@ -123,6 +123,28 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct
return;
}
+ if ((memcmp(packet_payload, "PUBLISH ", 8) == 0 || memcmp(packet_payload, "publish ", 8) == 0)
+ && (memcmp(&packet_payload[8], "SIP:", 4) == 0 || memcmp(&packet_payload[8], "sip:", 4) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip PUBLISH\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ if ((memcmp(packet_payload, "SUBSCRIBE ", 10) == 0 || memcmp(packet_payload, "subscribe ", 10) == 0)
+ && (memcmp(&packet_payload[10], "SIP:", 4) == 0 || memcmp(&packet_payload[10], "sip:", 4) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip SUBSCRIBE\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ /* SIP message extension RFC 3248 */
+ if ((memcmp(packet_payload, "MESSAGE ", 8) == 0 || memcmp(packet_payload, "message ", 8) == 0)
+ && (memcmp(&packet_payload[8], "SIP:", 4) == 0 || memcmp(&packet_payload[8], "sip:", 4) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip MESSAGE\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
/* Courtesy of Miguel Quesada <mquesadab@gmail.com> */
if ((memcmp(packet_payload, "OPTIONS ", 8) == 0
|| memcmp(packet_payload, "options ", 8) == 0)
diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c
index 05988a8d4..eee31e94b 100644
--- a/src/lib/protocols/ssl.c
+++ b/src/lib/protocols/ssl.c
@@ -27,7 +27,7 @@
#include "ndpi_api.h"
-// #define CERTIFICATE_DEBUG 1
+/* #define CERTIFICATE_DEBUG 1 */
#define NDPI_MAX_SSL_REQUEST_SIZE 10000
@@ -35,6 +35,204 @@
extern u_int8_t is_skype_flow(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow);
+/* **************************************** */
+
+typedef struct MD5Context {
+ uint32_t buf[4];
+ uint32_t bits[2];
+ unsigned char in[64];
+} MD5_CTX;
+
+/* **************************************** */
+
+static int is_big_endian(void) {
+ static const int n = 1;
+ return ((char *) &n)[0] == 0;
+}
+
+static void byteReverse(unsigned char *buf, unsigned longs) {
+ uint32_t t;
+
+ // Forrest: MD5 expect LITTLE_ENDIAN, swap if BIG_ENDIAN
+ if (is_big_endian()) {
+ do {
+ t = (uint32_t) ((unsigned) buf[3] << 8 | buf[2]) << 16 |
+ ((unsigned) buf[1] << 8 | buf[0]);
+ * (uint32_t *) buf = t;
+ buf += 4;
+ } while (--longs);
+ }
+}
+
+#define F1(x, y, z) (z ^ (x & (y ^ z)))
+#define F2(x, y, z) F1(z, x, y)
+#define F3(x, y, z) (x ^ y ^ z)
+#define F4(x, y, z) (y ^ (x | ~z))
+
+#define MD5STEP(f, w, x, y, z, data, s) \
+ ( w += f(x, y, z) + data, w = w<<s | w>>(32-s), w += x )
+
+// Start MD5 accumulation. Set bit count to 0 and buffer to mysterious
+// initialization constants.
+static void MD5Init(MD5_CTX *ctx) {
+ ctx->buf[0] = 0x67452301;
+ ctx->buf[1] = 0xefcdab89;
+ ctx->buf[2] = 0x98badcfe;
+ ctx->buf[3] = 0x10325476;
+
+ ctx->bits[0] = 0;
+ ctx->bits[1] = 0;
+}
+
+static void MD5Transform(uint32_t buf[4], uint32_t const in[16]) {
+ uint32_t a, b, c, d;
+
+ a = buf[0];
+ b = buf[1];
+ c = buf[2];
+ d = buf[3];
+
+ MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7);
+ MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12);
+ MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17);
+ MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22);
+ MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7);
+ MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12);
+ MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17);
+ MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22);
+ MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7);
+ MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12);
+ MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17);
+ MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22);
+ MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7);
+ MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12);
+ MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17);
+ MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22);
+
+ MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5);
+ MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9);
+ MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14);
+ MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20);
+ MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5);
+ MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9);
+ MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14);
+ MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20);
+ MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5);
+ MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9);
+ MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14);
+ MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20);
+ MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5);
+ MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9);
+ MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14);
+ MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20);
+
+ MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4);
+ MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11);
+ MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16);
+ MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23);
+ MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4);
+ MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11);
+ MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16);
+ MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23);
+ MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4);
+ MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11);
+ MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16);
+ MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23);
+ MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4);
+ MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11);
+ MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16);
+ MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23);
+
+ MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6);
+ MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10);
+ MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15);
+ MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21);
+ MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6);
+ MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10);
+ MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15);
+ MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21);
+ MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6);
+ MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10);
+ MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15);
+ MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21);
+ MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6);
+ MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10);
+ MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15);
+ MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21);
+
+ buf[0] += a;
+ buf[1] += b;
+ buf[2] += c;
+ buf[3] += d;
+}
+
+static void MD5Update(MD5_CTX *ctx, unsigned char const *buf, unsigned len) {
+ uint32_t t;
+
+ t = ctx->bits[0];
+ if ((ctx->bits[0] = t + ((uint32_t) len << 3)) < t)
+ ctx->bits[1]++;
+ ctx->bits[1] += len >> 29;
+
+ t = (t >> 3) & 0x3f;
+
+ if (t) {
+ unsigned char *p = (unsigned char *) ctx->in + t;
+
+ t = 64 - t;
+ if (len < t) {
+ memcpy(p, buf, len);
+ return;
+ }
+ memcpy(p, buf, t);
+ byteReverse(ctx->in, 16);
+ MD5Transform(ctx->buf, (uint32_t *) ctx->in);
+ buf += t;
+ len -= t;
+ }
+
+ while (len >= 64) {
+ memcpy(ctx->in, buf, 64);
+ byteReverse(ctx->in, 16);
+ MD5Transform(ctx->buf, (uint32_t *) ctx->in);
+ buf += 64;
+ len -= 64;
+ }
+
+ memcpy(ctx->in, buf, len);
+}
+
+static void MD5Final(unsigned char digest[16], MD5_CTX *ctx) {
+ unsigned count;
+ unsigned char *p;
+ uint32_t *c = (uint32_t*)ctx->in;
+
+ count = (ctx->bits[0] >> 3) & 0x3F;
+
+ p = ctx->in + count;
+ *p++ = 0x80;
+ count = 64 - 1 - count;
+ if (count < 8) {
+ memset(p, 0, count);
+ byteReverse(ctx->in, 16);
+ MD5Transform(ctx->buf, (uint32_t *) ctx->in);
+ memset(ctx->in, 0, 56);
+ } else {
+ memset(p, 0, count - 8);
+ }
+ byteReverse(ctx->in, 14);
+
+ c[14] = ctx->bits[0];
+ c[15] = ctx->bits[1];
+
+ MD5Transform(ctx->buf, (uint32_t *) ctx->in);
+ byteReverse((unsigned char *) ctx->buf, 4);
+ memcpy(digest, ctx->buf, 16);
+ memset((char *) ctx, 0, sizeof(*ctx));
+}
+
+/* **************************************** */
+
static u_int32_t ndpi_ssl_refine_master_protocol(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow, u_int32_t protocol)
{
@@ -143,18 +341,42 @@ static void stripCertificateTrailer(char *buffer, int buffer_len) {
}
}
-/* Code fixes courtesy of Alexsandro Brahm <alex@digistar.com.br> */
+/* https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 */
+
+#define JA3_STR_LEN 1024
+#define MAX_NUM_JA3 128
+
+struct ja3_info {
+ u_int16_t ssl_version;
+ u_int16_t num_cipher, cipher[MAX_NUM_JA3];
+ u_int16_t num_ssl_extension, ssl_extension[MAX_NUM_JA3];
+ u_int16_t num_elliptic_curve, elliptic_curve[MAX_NUM_JA3];
+ u_int8_t num_elliptic_curve_point_format, elliptic_curve_point_format[MAX_NUM_JA3];
+};
+
+/* **************************************** */
+
+/* code fixes courtesy of Alexsandro Brahm <alex@digistar.com.br> */
int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
char *buffer, int buffer_len) {
struct ndpi_packet_struct *packet = &flow->packet;
+ struct ja3_info ja3;
+ u_int8_t invalid_ja3 = 0;
+ u_int16_t ssl_version = (packet->payload[1] << 8) + packet->payload[2], ja3_str_len;
+ char ja3_str[JA3_STR_LEN];
+ MD5_CTX ctx;
+ u_char md5_hash[16];
+
+ flow->protos.stun_ssl.ssl.ssl_version = ssl_version;
+
+ memset(&ja3, 0, sizeof(ja3));
#ifdef CERTIFICATE_DEBUG
{
- u_int16_t ssl_version = (packet->payload[1] << 8) + packet->payload[2];
- u_int16_t ssl_len = (packet->payload[3] << 8) + packet->payload[4];
-
- printf("SSL Record [version: 0x%02X][len: %u]\n", ssl_version, ssl_len);
+ u_int16_t ssl_len = (packet->payload[3] << 8) + packet->payload[4];
+
+ printf("SSL Record [version: %u][len: %u]\n", ssl_version, ssl_len);
}
#endif
@@ -183,10 +405,84 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
if((handshake_protocol == 0x02)
|| (handshake_protocol == 0xb) /* Server Hello and Certificate message types are interesting for us */) {
u_int num_found = 0;
+ u_int16_t ssl_version = ntohs(*((u_int16_t*)&packet->payload[9]));
+
+ ja3.ssl_version = ssl_version;
+
+ if(handshake_protocol == 0x02) {
+ u_int16_t offset = 43, extension_len, j;
+ u_int8_t session_id_len = packet->payload[43];
+
+ offset += session_id_len+1;
+
+ ja3.num_cipher = 1, ja3.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset]));
+ flow->protos.stun_ssl.ssl.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0]);
+ flow->protos.stun_ssl.ssl.server_cipher = ja3.cipher[0];
+
+#ifdef CERTIFICATE_DEBUG
+ printf("SSL [server][session_id_len: %u][cipher: %04X]\n", session_id_len, ja3.cipher[0]);
+#endif
+
+ offset += 2 + 1;
+ extension_len = ntohs(*((u_int16_t*)&packet->payload[offset]));
+
+#ifdef CERTIFICATE_DEBUG
+ printf("SSL [server][extension_len: %u]\n", extension_len);
+#endif
+ offset += 2;
+
+ for(i=0; i<extension_len; ) {
+ u_int16_t id, len;
+
+ if(offset >= (packet->payload_packet_len+4)) break;
+
+ id = ntohs(*((u_int16_t*)&packet->payload[offset]));
+ len = ntohs(*((u_int16_t*)&packet->payload[offset+2]));
+
+ if(ja3.num_ssl_extension < MAX_NUM_JA3)
+ ja3.ssl_extension[ja3.num_ssl_extension++] = id;
+
+#ifdef CERTIFICATE_DEBUG
+ printf("SSL [server][extension_id: %u]\n", id);
+#endif
+
+ i += 4 + len, offset += 4 + len;
+ }
+
+ ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.ssl_version);
+
+ for(i=0; i<ja3.num_cipher; i++)
+ ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]);
+
+ ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
+
+ /* ********** */
- if(handshake_protocol == 0x02)
+ for(i=0; i<ja3.num_ssl_extension; i++)
+ ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.ssl_extension[i]);
+
+#ifdef CERTIFICATE_DEBUG
+ printf("SSL [server] %s\n", ja3_str);
+#endif
+
+#ifdef CERTIFICATE_DEBUG
+ printf("[JA3] Server: %s \n", ja3_str);
+#endif
+
+ MD5Init(&ctx);
+ MD5Update(&ctx, (const unsigned char *)ja3_str, strlen(ja3_str));
+ MD5Final(md5_hash, &ctx);
+
+ for(i=0, j=0; i<16; i++)
+ j += snprintf(&flow->protos.stun_ssl.ssl.ja3_server[j],
+ sizeof(flow->protos.stun_ssl.ssl.ja3_server)-j, "%02x", md5_hash[i]);
+
+#ifdef CERTIFICATE_DEBUG
+ printf("[JA3] Server: %s \n", flow->protos.stun_ssl.ssl.ja3_server);
+#endif
+
flow->l4.tcp.ssl_seen_server_cert = 1;
- else
+ } else
flow->l4.tcp.ssl_seen_certificate = 1;
/* Check after handshake protocol header (5 bytes) and message header (4 bytes) */
@@ -235,6 +531,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
snprintf(flow->protos.stun_ssl.ssl.server_certificate,
sizeof(flow->protos.stun_ssl.ssl.server_certificate), "%s", buffer);
}
+
return(1 /* Server Certificate */);
}
}
@@ -242,101 +539,251 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
}
} else if(handshake_protocol == 0x01 /* Client Hello */) {
u_int offset, base_offset = 43;
+
if(base_offset + 2 <= packet->payload_packet_len) {
- u_int16_t session_id_len = packet->payload[base_offset];
+ u_int16_t session_id_len = packet->payload[base_offset];
+ u_int16_t ssl_version = ntohs(*((u_int16_t*)&packet->payload[9]));
- if((session_id_len+base_offset+2) <= total_len) {
- u_int16_t cypher_len = packet->payload[session_id_len+base_offset+2] + (packet->payload[session_id_len+base_offset+1] << 8);
- offset = base_offset + session_id_len + cypher_len + 2;
+ ja3.ssl_version = ssl_version;
- flow->l4.tcp.ssl_seen_client_cert = 1;
+ if((session_id_len+base_offset+2) <= total_len) {
+ u_int16_t cipher_len = packet->payload[session_id_len+base_offset+2] + (packet->payload[session_id_len+base_offset+1] << 8);
+ u_int16_t i, cipher_offset = base_offset + session_id_len + 3;
- if(offset < total_len) {
- u_int16_t compression_len;
- u_int16_t extensions_len;
+#ifdef CERTIFICATE_DEBUG
+ printf("Client SSL [client cipher_len: %u]\n", cipher_len);
+#endif
+
+ if((cipher_offset+cipher_len) <= total_len) {
+ for(i=0; i<cipher_len;) {
+ u_int16_t *id = (u_int16_t*)&packet->payload[cipher_offset+i];
+
+#ifdef CERTIFICATE_DEBUG
+ printf("Client SSL [cipher suite: %u] [%u/%u]\n", ntohs(*id), i, cipher_len);
+#endif
+ if((*id == 0) || (packet->payload[cipher_offset+i] != packet->payload[cipher_offset+i+1])) {
+ /*
+ Skip GREASE [https://tools.ietf.org/id/draft-ietf-tls-grease-01.html]
+ https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967
+ */
+
+ if(ja3.num_cipher < MAX_NUM_JA3)
+ ja3.cipher[ja3.num_cipher++] = ntohs(*id);
+ else {
+ invalid_ja3 = 1;
+#ifdef CERTIFICATE_DEBUG
+ printf("Client SSL Invalid cipher %u\n", ja3.num_cipher);
+#endif
+ }
+ }
+
+ i += 2;
+ }
+ } else {
+ invalid_ja3 = 1;
+#ifdef CERTIFICATE_DEBUG
+ printf("Client SSL Invalid len %u vs %u\n", (cipher_offset+cipher_len), total_len);
+#endif
+ }
+
+ offset = base_offset + session_id_len + cipher_len + 2;
+
+ flow->l4.tcp.ssl_seen_client_cert = 1;
+
+ if(offset < total_len) {
+ u_int16_t compression_len;
+ u_int16_t extensions_len;
- offset++;
- compression_len = packet->payload[offset];
- offset++;
+ offset++;
+ compression_len = packet->payload[offset];
+ offset++;
#ifdef CERTIFICATE_DEBUG
- printf("SSL [compression_len: %u]\n", compression_len);
+ printf("Client SSL [compression_len: %u]\n", compression_len);
#endif
- // offset += compression_len + 3;
- offset += compression_len;
+ // offset += compression_len + 3;
+ offset += compression_len;
- if(offset < total_len) {
- extensions_len = ntohs(*((u_int16_t*)&packet->payload[offset]));
- offset += 2;
+ if(offset < total_len) {
+ extensions_len = ntohs(*((u_int16_t*)&packet->payload[offset]));
+ offset += 2;
#ifdef CERTIFICATE_DEBUG
- printf("SSL [extensions_len: %u]\n", extensions_len);
+ printf("Client SSL [extensions_len: %u]\n", extensions_len);
#endif
- if((extensions_len+offset) <= total_len) {
- /* Move to the first extension
- Type is u_int to avoid possible overflow on extension_len addition */
- u_int extension_offset = 0;
+ if((extensions_len+offset) <= total_len) {
+ /* Move to the first extension
+ Type is u_int to avoid possible overflow on extension_len addition */
+ u_int extension_offset = 0;
+ u_int32_t md5h[4], j;
- while(extension_offset < extensions_len) {
- u_int16_t extension_id, extension_len;
+ while(extension_offset < extensions_len) {
+ u_int16_t extension_id, extension_len, extn_off = offset+extension_offset;
- extension_id = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset]));
- extension_offset += 2;
+ extension_id = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset]));
+ extension_offset += 2;
- extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset]));
- extension_offset += 2;
+ extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset]));
+ extension_offset += 2;
#ifdef CERTIFICATE_DEBUG
- printf("SSL [extension_id: %u][extension_len: %u]\n", extension_id, extension_len);
+ printf("Client SSL [extension_id: %u][extension_len: %u]\n", extension_id, extension_len);
#endif
- if(extension_id == 0) {
-#if 1
- u_int16_t len;
-
- len = (packet->payload[offset+extension_offset+3] << 8) + packet->payload[offset+extension_offset+4];
- len = (u_int)ndpi_min(len, buffer_len-1);
- strncpy(buffer, (char*)&packet->payload[offset+extension_offset+5], len);
- buffer[len] = '\0';
-#else
- /* old code */
- u_int begin = 0;
- char *server_name = (char*)&packet->payload[offset+extension_offset];
-
- while(begin < extension_len) {
- if((!ndpi_isprint(server_name[begin]))
- || ndpi_ispunct(server_name[begin])
- || ndpi_isspace(server_name[begin]))
- begin++;
- else
- break;
- }
+ if((extension_id == 0) || (packet->payload[extn_off] != packet->payload[extn_off+1])) {
+ /* Skip GREASE */
- len = (u_int)ndpi_min(extension_len-begin, buffer_len-1);
- strncpy(buffer, &server_name[begin], len);
- buffer[len] = '\0';
+ if(ja3.num_ssl_extension < MAX_NUM_JA3)
+ ja3.ssl_extension[ja3.num_ssl_extension++] = extension_id;
+ else {
+ invalid_ja3 = 1;
+#ifdef CERTIFICATE_DEBUG
+ printf("Client SSL Invalid extensions %u\n", ja3.num_ssl_extension);
#endif
+ }
+ }
+
+ if(extension_id == 0 /* server name */) {
+ u_int16_t len;
+
+ len = (packet->payload[offset+extension_offset+3] << 8) + packet->payload[offset+extension_offset+4];
+ len = (u_int)ndpi_min(len, buffer_len-1);
+ strncpy(buffer, (char*)&packet->payload[offset+extension_offset+5], len);
+ buffer[len] = '\0';
+
+ stripCertificateTrailer(buffer, buffer_len);
+
+ if(!ndpi_struct->disable_metadata_export) {
+ snprintf(flow->protos.stun_ssl.ssl.client_certificate,
+ sizeof(flow->protos.stun_ssl.ssl.client_certificate), "%s", buffer);
+ }
+ } else if(extension_id == 10 /* supported groups */) {
+ u_int16_t i, s_offset = offset+extension_offset + 2;
+
+#ifdef CERTIFICATE_DEBUG
+ printf("Client SSL [EllipticCurveGroups: len=%u]\n", extension_len);
+#endif
+
+ if((s_offset+extension_len-2) <= total_len) {
+ for(i=0; i<extension_len-2;) {
+ u_int16_t s_group = ntohs(*((u_int16_t*)&packet->payload[s_offset+i]));
- stripCertificateTrailer(buffer, buffer_len);
+#ifdef CERTIFICATE_DEBUG
+ printf("Client SSL [EllipticCurve: %u]\n", s_group);
+#endif
+ if((s_group == 0) || (packet->payload[s_offset+i] != packet->payload[s_offset+i+1])) {
+ /* Skip GREASE */
+ if(ja3.num_elliptic_curve < MAX_NUM_JA3)
+ ja3.elliptic_curve[ja3.num_elliptic_curve++] = s_group;
+ else {
+ invalid_ja3 = 1;
+#ifdef CERTIFICATE_DEBUG
+ printf("Client SSL Invalid num elliptic %u\n", ja3.num_elliptic_curve);
+#endif
+ }
+ }
- if(!ndpi_struct->disable_metadata_export) {
- snprintf(flow->protos.stun_ssl.ssl.client_certificate,
- sizeof(flow->protos.stun_ssl.ssl.client_certificate), "%s", buffer);
+ i += 2;
}
+ } else {
+ invalid_ja3 = 1;
+#ifdef CERTIFICATE_DEBUG
+ printf("Client SSL Invalid len %u vs %u\n", (s_offset+extension_len-1), total_len);
+#endif
+ }
+ } else if(extension_id == 11 /* ec_point_formats groups */) {
+ u_int16_t i, s_offset = offset+extension_offset + 1;
- /* We're happy now */
- return(2 /* Client Certificate */);
+#ifdef CERTIFICATE_DEBUG
+ printf("Client SSL [EllipticCurveFormat: len=%u]\n", extension_len);
+#endif
+ if((s_offset+extension_len) < total_len) {
+ for(i=0; i<extension_len-1;i++) {
+ u_int8_t s_group = packet->payload[s_offset+i];
+
+#ifdef CERTIFICATE_DEBUG
+ printf("Client SSL [EllipticCurveFormat: %u]\n", s_group);
+#endif
+
+ if(ja3.num_elliptic_curve_point_format < MAX_NUM_JA3)
+ ja3.elliptic_curve_point_format[ja3.num_elliptic_curve_point_format++] = s_group;
+ else {
+ invalid_ja3 = 1;
+#ifdef CERTIFICATE_DEBUG
+ printf("Client SSL Invalid num elliptic %u\n", ja3.num_elliptic_curve_point_format);
+#endif
+ }
+ }
+ } else {
+ invalid_ja3 = 1;
+#ifdef CERTIFICATE_DEBUG
+ printf("Client SSL Invalid len %u vs %u\n", s_offset+extension_len, total_len);
+#endif
}
+ }
+
+ extension_offset += extension_len;
- extension_offset += extension_len;
+#ifdef CERTIFICATE_DEBUG
+ printf("Client SSL [extension_offset/len: %u/%u]\n", extension_offset, extension_len);
+#endif
+ } /* while */
+
+ if(!invalid_ja3) {
+ ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.ssl_version);
+
+ for(i=0; i<ja3.num_cipher; i++) {
+ ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
+ (i > 0) ? "-" : "", ja3.cipher[i]);
}
+
+ ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
+
+ /* ********** */
+
+ for(i=0; i<ja3.num_ssl_extension; i++)
+ ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
+ (i > 0) ? "-" : "", ja3.ssl_extension[i]);
+
+ ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
+
+ /* ********** */
+
+ for(i=0; i<ja3.num_elliptic_curve; i++)
+ ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
+ (i > 0) ? "-" : "", ja3.elliptic_curve[i]);
+
+ ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
+
+ for(i=0; i<ja3.num_elliptic_curve_point_format; i++)
+ ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
+ (i > 0) ? "-" : "", ja3.elliptic_curve_point_format[i]);
+
+#ifdef CERTIFICATE_DEBUG
+ printf("[JA3] Client: %s \n", ja3_str);
+#endif
+
+ MD5Init(&ctx);
+ MD5Update(&ctx, (const unsigned char *)ja3_str, strlen(ja3_str));
+ MD5Final(md5_hash, &ctx);
+
+ for(i=0, j=0; i<16; i++)
+ j += snprintf(&flow->protos.stun_ssl.ssl.ja3_client[j],
+ sizeof(flow->protos.stun_ssl.ssl.ja3_client)-j, "%02x", md5_hash[i]);
+
+#ifdef CERTIFICATE_DEBUG
+ printf("[JA3] Client: %s \n", flow->protos.stun_ssl.ssl.ja3_client);
+#endif
}
+
+ return(2 /* Client Certificate */);
}
}
}
}
+ }
}
}
}
@@ -345,69 +792,70 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
}
void getSSLorganization(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow,
- char *buffer, int buffer_len) {
- struct ndpi_packet_struct *packet = &flow->packet;
+ struct ndpi_flow_struct *flow,
+ char *buffer, int buffer_len) {
+ struct ndpi_packet_struct *packet = &flow->packet;
- if(packet->payload[0] != 0x16 /* Handshake */)
- return;
+ if(packet->payload[0] != 0x16 /* Handshake */)
+ return;
- u_int16_t total_len = (packet->payload[3] << 8) + packet->payload[4] + 5 /* SSL Header */;
- u_int8_t handshake_protocol = packet->payload[5]; /* handshake protocol a bit misleading, it is message type according TLS specs */
+ u_int16_t total_len = (packet->payload[3] << 8) + packet->payload[4] + 5 /* SSL Header */;
+ u_int8_t handshake_protocol = packet->payload[5]; /* handshake protocol a bit misleading, it is message type according TLS specs */
- if(handshake_protocol != 0x02 && handshake_protocol != 0xb /* Server Hello and Certificate message types are interesting for us */)
- return;
+ if(handshake_protocol != 0x02 && handshake_protocol != 0xb /* Server Hello and Certificate message types are interesting for us */)
+ return;
- /* Truncate total len, search at least in incomplete packet */
- if(total_len > packet->payload_packet_len)
- total_len = packet->payload_packet_len;
+ /* Truncate total len, search at least in incomplete packet */
+ if(total_len > packet->payload_packet_len)
+ total_len = packet->payload_packet_len;
- memset(buffer, 0, buffer_len);
+ memset(buffer, 0, buffer_len);
- /* Check after handshake protocol header (5 bytes) and message header (4 bytes) */
- u_int num_found = 0;
- u_int i, j;
- for(i = 9; i < packet->payload_packet_len-4; i++) {
- /* Organization OID: 2.5.4.10 */
- if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x0a)) {
- u_int8_t type_tag = packet->payload[i+3]; // 0x0c: utf8string / 0x13: printable_string
- u_int8_t server_len = packet->payload[i+4];
-
- num_found++;
- /* what we want is subject certificate, so we bypass the issuer certificate */
- if(num_found != 2) continue;
-
- // packet is truncated... further inspection is not needed
- if(i+4+server_len >= packet->payload_packet_len) {
- break;
- }
+ /* Check after handshake protocol header (5 bytes) and message header (4 bytes) */
+ u_int num_found = 0;
+ u_int i, j;
+ for(i = 9; i < packet->payload_packet_len-4; i++) {
+ /* Organization OID: 2.5.4.10 */
+ if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x0a)) {
+ u_int8_t type_tag = packet->payload[i+3]; // 0x0c: utf8string / 0x13: printable_string
+ u_int8_t server_len = packet->payload[i+4];
- char *server_org = (char*)&packet->payload[i+5];
+ num_found++;
+ /* what we want is subject certificate, so we bypass the issuer certificate */
+ if(num_found != 2) continue;
- u_int len = (u_int)ndpi_min(server_len, buffer_len-1);
- strncpy(buffer, server_org, len);
- buffer[len] = '\0';
+ // packet is truncated... further inspection is not needed
+ if(i+4+server_len >= packet->payload_packet_len) {
+ break;
+ }
- // check if organization string are all printable
- u_int8_t is_printable = 1;
- for (j = 0; j < len; j++) {
- if(!ndpi_isprint(buffer[j])) {
- is_printable = 0;
- break;
- }
- }
+ char *server_org = (char*)&packet->payload[i+5];
+
+ u_int len = (u_int)ndpi_min(server_len, buffer_len-1);
+ strncpy(buffer, server_org, len);
+ buffer[len] = '\0';
- if(is_printable == 1) {
- snprintf(flow->protos.stun_ssl.ssl.server_organization,
- sizeof(flow->protos.stun_ssl.ssl.server_organization), "%s", buffer);
+ // check if organization string are all printable
+ u_int8_t is_printable = 1;
+ for (j = 0; j < len; j++) {
+ if(!ndpi_isprint(buffer[j])) {
+ is_printable = 0;
+ break;
+ }
+ }
+
+ if(is_printable == 1) {
+ snprintf(flow->protos.stun_ssl.ssl.server_organization,
+ sizeof(flow->protos.stun_ssl.ssl.server_organization), "%s", buffer);
#ifdef CERTIFICATE_DEBUG
- printf("Certificate origanization: %s\n", flow->protos.stun_ssl.ssl.server_organization);
+ printf("Certificate organization: %s\n", flow->protos.stun_ssl.ssl.server_organization);
#endif
- }
- }
+ }
}
+ }
}
+
int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
@@ -745,7 +1193,7 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
/* No whatsapp, let's try SSL */
if(sslDetectProtocolFromCertificate(ndpi_struct, flow) > 0)
return;
- }
+ }
if(packet->payload_packet_len > 40 && flow->l4.tcp.ssl_stage == 0) {
NDPI_LOG_DBG2(ndpi_struct, "first ssl packet\n");
Powered by cgit, Themed by Ted Yin.