diff options
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/ndpi_content_match.c.inc | 2 | ||||
| -rw-r--r-- | src/lib/ndpi_main.c | 59 | ||||
| -rw-r--r-- | src/lib/ndpi_utils.c | 7 | ||||
| -rw-r--r-- | src/lib/protocols/http.c | 8 | ||||
| -rw-r--r-- | src/lib/protocols/tls.c | 1969 |
5 files changed, 844 insertions, 1201 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index cd9ae19bf..9f960277b 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -8754,7 +8754,7 @@ static ndpi_protocol_match host_match[] = { // { ".googlezip.net", NULL, "\\.googlezip" TLD, "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE }, { "dns.google", NULL, "dns\\.google" TLD, "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, - // { "mozilla.cloudflare-dns.com", NULL, "mozilla\\.cloudflare-dns\\.com" TLD, "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, /* Firefox */ + { "mozilla.cloudflare-dns.com", NULL, "mozilla\\.cloudflare-dns\\.com" TLD, "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, /* Firefox */ { "cloudflare-dns.com", NULL, "cloudflare-dns\\.com" TLD, "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, { "commons.host", NULL, "commons\\.host" TLD, "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, { "doh.li", NULL, "doh\\.li" TLD, "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 84c6883a4..c5269171c 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -651,7 +651,6 @@ static int init_hyperscan(struct ndpi_detection_module_struct *ndpi_str) { ndpi_free(expressions[i]); ndpi_free(expressions), ndpi_free(ids); - ndpi_free(need_to_be_free); return(rc); @@ -3834,6 +3833,9 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str if(flow->http.content_type) ndpi_free(flow->http.content_type); if(flow->http.user_agent) ndpi_free(flow->http.user_agent); + if(flow->l4.tcp.tls.message.buffer) + ndpi_free(flow->l4.tcp.tls.message.buffer); + backup = flow->num_processed_pkts; backup1 = flow->guessed_protocol_id; backup2 = flow->guessed_host_protocol_id; @@ -4216,13 +4218,13 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st || (flow->guessed_protocol_id == NDPI_PROTOCOL_MESSENGER) || (flow->guessed_protocol_id == NDPI_PROTOCOL_WHATSAPP_CALL)) ndpi_set_detected_protocol(ndpi_str, flow, flow->guessed_protocol_id, NDPI_PROTOCOL_UNKNOWN); - else if((flow->l4.tcp.tls_seen_client_cert == 1) + else if((flow->l4.tcp.tls.hello_processed == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) { ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN); } else { if((flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) && (flow->packet.l4_protocol == IPPROTO_TCP) - && (flow->l4.tcp.tls_stage > 1)) + && flow->l4.tcp.tls.hello_processed) flow->guessed_protocol_id = NDPI_PROTOCOL_TLS; guessed_protocol_id = flow->guessed_protocol_id, guessed_host_protocol_id = flow->guessed_host_protocol_id; @@ -4270,7 +4272,10 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st } } } else { - flow->detected_protocol_stack[1] = flow->guessed_protocol_id, + if(flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) + flow->detected_protocol_stack[1] = flow->guessed_protocol_id; + + if(flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) flow->detected_protocol_stack[0] = flow->guessed_host_protocol_id; if(flow->detected_protocol_stack[1] == flow->detected_protocol_stack[0]) @@ -4347,9 +4352,10 @@ void ndpi_process_extra_packet(struct ndpi_detection_module_struct *ndpi_str, if(flow->extra_packets_func) { if((flow->extra_packets_func(ndpi_str, flow)) == 0) flow->check_extra_packets = 0; - } - flow->num_extra_packets_checked++; + if(++flow->num_extra_packets_checked == flow->max_extra_packets_to_check) + flow->extra_packets_func = NULL; /* Enough packets detected */ + } } /* ********************************************************************************* */ @@ -4614,7 +4620,7 @@ void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_str, } } - if((flow->l4.tcp.tls_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) { + if(flow->protos.stun_ssl.ssl.client_certificate[0] != '\0') { unsigned long id; int rc = ndpi_match_custom_category(ndpi_str, (char *)flow->protos.stun_ssl.ssl.client_certificate, @@ -6329,6 +6335,33 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_ return(rc); } +/* **************************************** */ + +int ndpi_match_hostname_protocol(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + u_int16_t master_protocol, + char *name, u_int name_len) { + ndpi_protocol_match_result ret_match; + u_int16_t subproto, what_len; + char *what; + + if((name_len > 2) && (name[0] == '*') && (name[1] == '.')) + what = &name[1], what_len = name_len - 1; + else + what = name, what_len = name_len; + + subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, + what, what_len, + &ret_match, master_protocol); + + if(subproto != NDPI_PROTOCOL_UNKNOWN) { + ndpi_set_detected_protocol(ndpi_struct, flow, subproto, master_protocol); + ndpi_int_change_category(ndpi_struct, flow, ret_match.protocol_category); + return(1); + } else + return(0); +} + /* ****************************************************** */ u_int16_t ndpi_match_content_subprotocol(struct ndpi_detection_module_struct *ndpi_str, @@ -6378,10 +6411,12 @@ void ndpi_free_flow(struct ndpi_flow_struct *flow) { if(flow->http.content_type) ndpi_free(flow->http.content_type); if(flow->http.user_agent) ndpi_free(flow->http.user_agent); if(flow->kerberos_buf.pktbuf) ndpi_free(flow->kerberos_buf.pktbuf); - + if(flow->protos.stun_ssl.ssl.server_names) + ndpi_free(flow->protos.stun_ssl.ssl.server_names); + if(flow->l4_proto == IPPROTO_TCP) { - if(flow->l4.tcp.tls_srv_cert_fingerprint_ctx) - ndpi_free(flow->l4.tcp.tls_srv_cert_fingerprint_ctx); + if(flow->l4.tcp.tls.srv_cert_fingerprint_ctx) + ndpi_free(flow->l4.tcp.tls.srv_cert_fingerprint_ctx); } ndpi_free(flow); @@ -6561,8 +6596,8 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp switch(proto) { case NDPI_PROTOCOL_TLS: - if(!flow->l4.tcp.tls_srv_cert_fingerprint_processed) - return(1); + if(!flow->l4.tcp.tls.certificate_processed) + return(1); /* TODO: add check for TLS 1.3 */ break; case NDPI_PROTOCOL_HTTP: diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index cc44df2e2..6979d099c 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -1044,7 +1044,8 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct, ndpi_serialize_start_of_block(serializer, "tls"); ndpi_serialize_string_string(serializer, "version", version); ndpi_serialize_string_string(serializer, "client_cert", flow->protos.stun_ssl.ssl.client_certificate); - ndpi_serialize_string_string(serializer, "server_cert", flow->protos.stun_ssl.ssl.server_certificate); + if(flow->protos.stun_ssl.ssl.server_names) + ndpi_serialize_string_string(serializer, "server_names", flow->protos.stun_ssl.ssl.server_names); ndpi_serialize_string_string(serializer, "issuer", flow->protos.stun_ssl.ssl.server_organization); if(before) { @@ -1061,10 +1062,10 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct, ndpi_serialize_string_uint32(serializer, "unsafe_cipher", flow->protos.stun_ssl.ssl.server_unsafe_cipher); ndpi_serialize_string_string(serializer, "cipher", ndpi_cipher2str(flow->protos.stun_ssl.ssl.server_cipher)); - if(flow->l4.tcp.tls_sha1_certificate_fingerprint[0] != '\0') { + if(flow->l4.tcp.tls.sha1_certificate_fingerprint[0] != '\0') { for(i=0, off=0; i<20; i++) { int rc = snprintf(&buf[off], sizeof(buf)-off,"%s%02X", (i > 0) ? ":" : "", - flow->l4.tcp.tls_sha1_certificate_fingerprint[i] & 0xFF); + flow->l4.tcp.tls.sha1_certificate_fingerprint[i] & 0xFF); if(rc <= 0) break; else off += rc; } diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index b599b82a9..0e995aa46 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -159,14 +159,12 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp struct ndpi_flow_struct *flow) { if((flow->l4.tcp.http_stage == 0) || (flow->http.url && flow->http_detected)) { char *double_col = strchr((char*)flow->host_server_name, ':'); - ndpi_protocol_match_result ret_match; if(double_col) double_col[0] = '\0'; - ndpi_match_host_subprotocol(ndpi_struct, flow, (char *)flow->host_server_name, - strlen((const char *)flow->host_server_name), - &ret_match, - NDPI_PROTOCOL_HTTP); + ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, + (char *)flow->host_server_name, + strlen((const char *)flow->host_server_name)); } } diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 3fda1d22a..1130eb7fe 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -31,9 +31,17 @@ extern char *strptime(const char *s, const char *format, struct tm *tm); +extern int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow); + +#if 0 +#define DEBUG_TLS_MEMORY 1 +#define DEBUG_TLS 1 +#endif -/* #define DEBUG_TLS 1 */ +// #define DEBUG_CERTIFICATE_HASH + /* #define DEBUG_FINGERPRINT 1 */ /* @@ -60,8 +68,8 @@ extern u_int8_t is_skype_flow(struct ndpi_detection_module_struct *ndpi_struct, /* stun.c */ extern u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev); -extern int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow); +static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, u_int32_t protocol); /* **************************************** */ @@ -93,30 +101,61 @@ static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_st } } - return protocol; + return(protocol); } /* **************************************** */ -static void sslInitExtraPacketProcessing(struct ndpi_flow_struct *flow) { - flow->check_extra_packets = 1; +void ndpi_search_tls_tcp_memory(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; - /* At most 7 packets should almost always be enough to find the server certificate if it's there */ - flow->max_extra_packets_to_check = 7; - flow->extra_packets_func = sslTryAndRetrieveServerCertificate; -} + /* TCP */ +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] Handling TCP/TLS flow [payload_len: %u][buffer_len: %u][direction: %u]\n", + packet->payload_packet_len, + flow->l4.tcp.tls.message.buffer_len, + packet->packet_direction); +#endif -/* **************************************** */ + if(flow->l4.tcp.tls.message.buffer == NULL) { + /* Allocate buffer */ + flow->l4.tcp.tls.message.buffer_len = 2048, flow->l4.tcp.tls.message.buffer_used = 0; + flow->l4.tcp.tls.message.buffer = (u_int8_t*)ndpi_malloc(flow->l4.tcp.tls.message.buffer_len); -static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, u_int32_t protocol) { - if(protocol != NDPI_PROTOCOL_TLS) - ; - else - protocol = ndpi_tls_refine_master_protocol(ndpi_struct, flow, protocol); + if(flow->l4.tcp.tls.message.buffer == NULL) + return; - ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_TLS); - sslInitExtraPacketProcessing(flow); +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] Allocating %u buffer\n", flow->l4.tcp.tls.message.buffer_len); +#endif + } + + u_int avail_bytes = flow->l4.tcp.tls.message.buffer_len - flow->l4.tcp.tls.message.buffer_used; + if(avail_bytes < packet->payload_packet_len) { + u_int new_len = flow->l4.tcp.tls.message.buffer_len + packet->payload_packet_len; + void *newbuf = ndpi_realloc(flow->l4.tcp.tls.message.buffer, + flow->l4.tcp.tls.message.buffer_len, new_len); + if(!newbuf) return; + + flow->l4.tcp.tls.message.buffer = (u_int8_t*)newbuf, flow->l4.tcp.tls.message.buffer_len = new_len; + avail_bytes = flow->l4.tcp.tls.message.buffer_len - flow->l4.tcp.tls.message.buffer_used; + +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] Enlarging %u -> %u buffer\n", flow->l4.tcp.tls.message.buffer_len, new_len); +#endif + } + + if(avail_bytes >= packet->payload_packet_len) { + memcpy(&flow->l4.tcp.tls.message.buffer[flow->l4.tcp.tls.message.buffer_used], + packet->payload, packet->payload_packet_len); + + flow->l4.tcp.tls.message.buffer_used += packet->payload_packet_len; +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] Copied data to buffer [%u/%u bytes]\n", + flow->l4.tcp.tls.message.buffer_used, flow->l4.tcp.tls.message.buffer_len); +#endif + } } /* **************************************** */ @@ -134,9 +173,12 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp /* **************************************** */ -static void stripCertificateTrailer(char *buffer, int buffer_len) { - int i, is_puny; - +static void cleanupServerName(char *buffer, int buffer_len) { + u_int i; + +#if 0 + int is_puny; + // printf("->%s<-\n", buffer); for(i = 0; i < buffer_len; i++) { @@ -159,7 +201,6 @@ static void stripCertificateTrailer(char *buffer, int buffer_len) { // not a punycode string - need more checks if(is_puny == 0) { - if(i > 0) i--; while(i > 0) { @@ -177,7 +218,8 @@ static void stripCertificateTrailer(char *buffer, int buffer_len) { buffer[i] = '\0', buffer_len = i; } } - +#endif + /* Now all lowecase */ for(i=0; i<buffer_len; i++) buffer[i] = tolower(buffer[i]); @@ -185,1399 +227,966 @@ static void stripCertificateTrailer(char *buffer, int buffer_len) { /* **************************************** */ -/* https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 */ - -#define JA3_STR_LEN 1024 -#define MAX_NUM_JA3 128 +/* See https://blog.catchpoint.com/2017/05/12/dissecting-tls-using-wireshark/ */ +static void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + u_int16_t offset, u_int16_t certificate_len) { + struct ndpi_packet_struct *packet = &flow->packet; + u_int num_found = 0, i, j; + char buffer[64] = { '\0' }; + +#ifdef DEBUG_TLS + printf("[TLS] %s() [offset: %u][certificate_len: %u]\n", __FUNCTION__, offset, certificate_len); +#endif -struct ja3_info { - u_int16_t tls_handshake_version; - u_int16_t num_cipher, cipher[MAX_NUM_JA3]; - u_int16_t num_tls_extension, tls_extension[MAX_NUM_JA3]; - u_int16_t num_elliptic_curve, elliptic_curve[MAX_NUM_JA3]; - u_int8_t num_elliptic_curve_point_format, elliptic_curve_point_format[MAX_NUM_JA3]; -}; + /* Check after handshake protocol header (5 bytes) and message header (4 bytes) */ + for(i = offset; i < certificate_len; i++) { + /* Organization OID: 2.5.4.10 */ + if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x0a)) { + u_int8_t server_len = packet->payload[i+4]; -/* **************************************** */ + num_found++; + /* what we want is subject certificate, so we bypass the issuer certificate */ + if(num_found != 2) continue; -int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - char *buffer, int buffer_len) { - struct ndpi_packet_struct *packet = &flow->packet; - struct ja3_info ja3; - u_int8_t invalid_ja3 = 0; - u_int16_t pkt_tls_version = (packet->payload[1] << 8) + packet->payload[2], ja3_str_len; - char ja3_str[JA3_STR_LEN]; - ndpi_MD5_CTX ctx; - u_char md5_hash[16]; - int i; + // packet is truncated... further inspection is not needed + if(i+4+server_len >= packet->payload_packet_len) { + break; + } - if(packet->udp) { - /* Check if this is DTLS or return */ - if((packet->payload[1] != 0xfe) - || ((packet->payload[2] != 0xff) && (packet->payload[2] != 0xfd))) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return(0); - } - } + char *server_org = (char*)&packet->payload[i+5]; - flow->protos.stun_ssl.ssl.ssl_version = pkt_tls_version; + u_int len = (u_int)ndpi_min(server_len, sizeof(buffer)-1); + strncpy(buffer, server_org, len); + buffer[len] = '\0'; - memset(&ja3, 0, sizeof(ja3)); + // check if organization string are all printable + u_int8_t is_printable = 1; + for(j = 0; j < len; j++) { + if(!ndpi_isprint(buffer[j])) { + is_printable = 0; + break; + } + } + if(is_printable == 1) { + snprintf(flow->protos.stun_ssl.ssl.server_organization, + sizeof(flow->protos.stun_ssl.ssl.server_organization), "%s", buffer); #ifdef DEBUG_TLS - { - u_int16_t tls_len = (packet->payload[3] << 8) + packet->payload[4]; - - printf("SSL Record [version: 0x%04X][len: %u]\n", pkt_tls_version, tls_len); - } + printf("Certificate organization: %s\n", flow->protos.stun_ssl.ssl.server_organization); #endif + } + } else if((packet->payload[i] == 0x30) && (packet->payload[i+1] == 0x1e) && (packet->payload[i+2] == 0x17)) { + /* Certificate Validity */ + u_int8_t len = packet->payload[i+3]; + u_int offset = i+4; - /* - Nothing matched so far: let's decode the certificate with some heuristics - Patches courtesy of Denys Fedoryshchenko <nuclearcat@nuclearcat.com> - */ - if(packet->payload[0] == 0x16 /* Handshake */) { - u_int16_t total_len; - u_int8_t handshake_protocol, header_len; - - if(packet->tcp) { - header_len = 5; /* SSL Header */ - handshake_protocol = packet->payload[5]; /* handshake protocol a bit misleading, it is message type according TLS specs */ - total_len = (packet->payload[3] << 8) + packet->payload[4]; - } else { - header_len = 13; /* DTLS header */ - handshake_protocol = packet->payload[13]; - total_len = ntohs(*((u_int16_t*)&packet->payload[11])); - } + if((offset+len) < packet->payload_packet_len) { + char utcDate[32]; - total_len += header_len; - memset(buffer, 0, buffer_len); +#ifdef DEBUG_TLS + printf("[CERTIFICATE] notBefore [len: %u][", len); + for(j=0; j<len; j++) printf("%c", packet->payload[i+4+j]); + printf("]\n"); +#endif - /* Truncate total len, search at least in incomplete packet */ - if(total_len > packet->payload_packet_len) - total_len = packet->payload_packet_len; + if(len < (sizeof(utcDate)-1)) { + struct tm utc; + utc.tm_isdst = -1; /* Not set by strptime */ - /* At least "magic" 3 bytes, null for string end, otherwise no need to waste cpu cycles */ - if(total_len > 4) { - u_int16_t base_offset = packet->tcp ? 43 : 59; + strncpy(utcDate, (const char*)&packet->payload[i+4], len); + utcDate[len] = '\0'; + /* 141021000000Z */ + if(strptime(utcDate, "%y%m%d%H%M%SZ", &utc) != NULL) { + flow->protos.stun_ssl.ssl.notBefore = timegm(&utc); #ifdef DEBUG_TLS - printf("SSL [len: %u][handshake_protocol: %02X]\n", packet->payload_packet_len, handshake_protocol); + printf("[CERTIFICATE] notBefore %u [%s]\n", + flow->protos.stun_ssl.ssl.notBefore, utcDate); #endif + } + } - if((handshake_protocol == 0x02) - || (handshake_protocol == 0x0b) /* Server Hello and Certificate message types are interesting for us */) { - u_int num_found = 0; - u_int16_t tls_version; - int i, rc; - - if(packet->tcp) - tls_version = ntohs(*((u_int16_t*)&packet->payload[header_len+4])); - else - tls_version = ntohs(*((u_int16_t*)&packet->payload[header_len+12])); + offset += len; - ja3.tls_handshake_version = tls_version; + if((offset+1) < packet->payload_packet_len) { + len = packet->payload[offset+1]; - if(handshake_protocol == 0x02) { - u_int16_t offset = base_offset, extension_len, j; - u_int8_t session_id_len = packet->payload[offset]; + offset += 2; + if((offset+len) < packet->payload_packet_len) { #ifdef DEBUG_TLS - printf("SSL Server Hello [version: 0x%04X]\n", tls_version); + printf("[CERTIFICATE] notAfter [len: %u][", len); + for(j=0; j<len; j++) printf("%c", packet->payload[offset+j]); + printf("]\n"); #endif - /* - The server hello decides about the SSL version of this flow - https://networkengineering.stackexchange.com/questions/55752/why-does-wireshark-show-version-tls-1-2-here-instead-of-tls-1-3 - */ - flow->protos.stun_ssl.ssl.ssl_version = tls_version; - - if(packet->udp) - offset += 1; - else { - if(tls_version < 0x7F15 /* TLS 1.3 lacks of session id */) - offset += session_id_len+1; - } + if(len < (sizeof(utcDate)-1)) { + struct tm utc; + utc.tm_isdst = -1; /* Not set by strptime */ - ja3.num_cipher = 1, ja3.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset])); - flow->protos.stun_ssl.ssl.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0]); - flow->protos.stun_ssl.ssl.server_cipher = ja3.cipher[0]; + strncpy(utcDate, (const char*)&packet->payload[offset], len); + utcDate[len] = '\0'; + /* 141021000000Z */ + if(strptime(utcDate, "%y%m%d%H%M%SZ", &utc) != NULL) { + flow->protos.stun_ssl.ssl.notAfter = timegm(&utc); #ifdef DEBUG_TLS - printf("TLS [server][session_id_len: %u][cipher: %04X]\n", session_id_len, ja3.cipher[0]); + printf("[CERTIFICATE] notAfter %u [%s]\n", + flow->protos.stun_ssl.ssl.notAfter, utcDate); #endif - - offset += 2 + 1; - - if((offset + 1) < packet->payload_packet_len) /* +1 because we are goint to read 2 bytes */ - extension_len = ntohs(*((u_int16_t*)&packet->payload[offset])); - else - extension_len = 0; + } + } + } + } + } + } else if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x1d) && (packet->payload[i+2] == 0x11)) { + /* Organization OID: 2.5.29.17 (subjectAltName) */ + u_int16_t servernames_len = 0; + char servernames[2048]; #ifdef DEBUG_TLS - printf("TLS [server][extension_len: %u]\n", extension_len); + printf("******* [TLS] Found subjectAltName\n"); #endif - offset += 2; - for(i=0; i<extension_len; ) { - u_int16_t extension_id, extension_len; + i += 3 /* skip the initial patten 55 1D 11 */; + i++; /* skip the first type, 0x04 == BIT STRING, and jump to it's length */ + i += packet->payload[i] & 0x80 ? packet->payload[i] & 0x7F : 0; /* skip BIT STRING length */ + i += 2; /* skip the second type, 0x30 == SEQUENCE, and jump to it's length */ + i += packet->payload[i] & 0x80 ? packet->payload[i] & 0x7F : 0; /* skip SEQUENCE length */ + i++; + + while(i < packet->payload_packet_len) { + if(packet->payload[i] == 0x82) { + if((i < (packet->payload_packet_len - 1)) + && ((i + packet->payload[i + 1] + 2) < packet->payload_packet_len)) { + u_int8_t len = packet->payload[i + 1]; + char dNSName[256]; + int rc; + + i += 2; + + strncpy(dNSName, (const char*)&packet->payload[i], len); + dNSName[len] = '\0'; - if(offset >= (packet->payload_packet_len+4)) break; + cleanupServerName(dNSName, len); - extension_id = ntohs(*((u_int16_t*)&packet->payload[offset])); - extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+2])); + rc = snprintf(&servernames[servernames_len], sizeof(servernames)-servernames_len, "%s%s", + (servernames_len == 0) ? "" : ",", dNSName); - if(ja3.num_tls_extension < MAX_NUM_JA3) - ja3.tls_extension[ja3.num_tls_extension++] = extension_id; + if(rc > 0) + servernames_len += rc; -#ifdef DEBUG_TLS - printf("TLS [server][extension_id: %u/0x%04X][len: %u]\n", - extension_id, extension_id, extension_len); +#if DEBUG_TLS + printf("[TLS] dNSName %s [%s]\n", dNSName, servernames); #endif - if(extension_id == 43 /* supported versions */) { - if(extension_len >= 2) { - u_int16_t tls_version = ntohs(*((u_int16_t*)&packet->payload[offset+4])); - -#ifdef DEBUG_TLS - printf("TLS [server] [TLS version: 0x%04X]\n", tls_version); -#endif - - flow->protos.stun_ssl.ssl.ssl_version = tls_version; + if(flow->protos.stun_ssl.ssl.server_names == NULL) + flow->protos.stun_ssl.ssl.server_names = ndpi_strdup(dNSName), flow->protos.stun_ssl.ssl.server_names_len = strlen(dNSName); + else { + u_int16_t dNSName_len = strlen(dNSName); + u_int16_t newstr_len = flow->protos.stun_ssl.ssl.server_names_len + dNSName_len + 1; + char *newstr = (char*)ndpi_realloc(flow->protos.stun_ssl.ssl.server_names, flow->protos.stun_ssl.ssl.server_names_len+1, newstr_len+1); + + if(newstr) { + flow->protos.stun_ssl.ssl.server_names = newstr; + flow->protos.stun_ssl.ssl.server_names[flow->protos.stun_ssl.ssl.server_names_len] = ','; + strncpy(&flow->protos.stun_ssl.ssl.server_names[flow->protos.stun_ssl.ssl.server_names_len+1], + dNSName, dNSName_len); + flow->protos.stun_ssl.ssl.server_names[newstr_len] = '\0'; + flow->protos.stun_ssl.ssl.server_names_len = newstr_len; } } + + if(!flow->l4.tcp.tls.subprotocol_detected) + if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, dNSName, len)) + flow->l4.tcp.tls.subprotocol_detected = 1; - i += 4 + extension_len, offset += 4 + extension_len; + i += len; + } else { +#if DEBUG_TLS + printf("[TLS] Leftover %u bytes", packet->payload_packet_len - i); +#endif + break; } + } else { + break; + } + } /* while */ + } + } +} - ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version); +/* **************************************** */ - for(i=0; i<ja3.num_cipher; i++) { - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]); +/* See https://blog.catchpoint.com/2017/05/12/dissecting-tls-using-wireshark/ */ +int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + u_int32_t certificates_length, length = (packet->payload[1] << 16) + (packet->payload[2] << 8) + packet->payload[3]; + u_int16_t certificates_offset = 7; + u_int8_t num_certificates_found = 0; + +#ifdef DEBUG_TLS + printf("[TLS] %s() [payload_packet_len=%u][direction: %u][%02X %02X %02X %02X %02X %02X...]\n", + __FUNCTION__, packet->payload_packet_len, + packet->packet_direction, + packet->payload[0], packet->payload[1], packet->payload[2], + packet->payload[3], packet->payload[4], packet->payload[5]); +#endif - if(rc <= 0) break; else ja3_str_len += rc; - } - - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); - if(rc > 0) ja3_str_len += rc; - - /* ********** */ + if(packet->payload_packet_len != (length + 4)) + return(-1); /* Invalid length */ - for(i=0; i<ja3.num_tls_extension; i++) { - int rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.tls_extension[i]); + certificates_length = (packet->payload[4] << 16) + (packet->payload[5] << 8) + packet->payload[6]; + + if((certificates_length+3) != length) + return(-2); /* Invalid length */ + + if((flow->l4.tcp.tls.srv_cert_fingerprint_ctx = (void*)ndpi_malloc(sizeof(SHA1_CTX))) == NULL) + return(-3); /* Not enough memory */ - if(rc <= 0) break; else ja3_str_len += rc; - } - + /* Now let's process each individual certificates */ + while(certificates_offset < certificates_length) { + u_int16_t certificate_len = (packet->payload[certificates_offset] << 16) + (packet->payload[certificates_offset+1] << 8) + packet->payload[certificates_offset+2]; + + certificates_offset += 3; #ifdef DEBUG_TLS - printf("TLS [server] %s\n", ja3_str); + printf("[TLS] Processing %u bytes certificate [%02X %02X %02X]\n", + certificate_len, + packet->payload[certificates_offset], + packet->payload[certificates_offset+1], + packet->payload[certificates_offset+2]); #endif + if(num_certificates_found++ == 0) /* Dissect only the first certificate that is the one we care */ { + /* For SHA-1 we take into account only the first certificate and not all of them */ + + SHA1Init(flow->l4.tcp.tls.srv_cert_fingerprint_ctx); + +#ifdef DEBUG_CERTIFICATE_HASH + { + int i; + + for(i=0;i<certificate_len;i++) + printf("%02X ", packet->payload[certificates_offset+i]); + + printf("\n"); + } +#endif + + SHA1Update(flow->l4.tcp.tls.srv_cert_fingerprint_ctx, + &packet->payload[certificates_offset], + certificate_len); + + SHA1Final(flow->l4.tcp.tls.sha1_certificate_fingerprint, flow->l4.tcp.tls.srv_cert_fingerprint_ctx); + #ifdef DEBUG_TLS - printf("[JA3] Server: %s \n", ja3_str); + { + int i; + + printf("[TLS] SHA-1: "); + for(i=0;i<20;i++) + printf("%s%02X", (i > 0) ? ":" : "", flow->l4.tcp.tls.sha1_certificate_fingerprint[i]); + printf("\n"); + } #endif - ndpi_MD5Init(&ctx); - ndpi_MD5Update(&ctx, (const unsigned char *)ja3_str, strlen(ja3_str)); - ndpi_MD5Final(md5_hash, &ctx); + processCertificateElements(ndpi_struct, flow, certificates_offset, certificate_len); + } + + certificates_offset += certificate_len; + } + + flow->extra_packets_func = NULL; /* We're good now */ + return(1); +} - for(i=0, j=0; i<16; i++) { - int rc = snprintf(&flow->protos.stun_ssl.ssl.ja3_server[j], - sizeof(flow->protos.stun_ssl.ssl.ja3_server)-j, "%02x", md5_hash[i]); - if(rc <= 0) break; else j += rc; - } - -#ifdef DEBUG_TLS - printf("[JA3] Server: %s \n", flow->protos.stun_ssl.ssl.ja3_server); -#endif +/* **************************************** */ - flow->l4.tcp.tls_seen_server_cert = 1; - } else - flow->l4.tcp.tls_seen_certificate = 1; +static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + + switch(packet->payload[0] /* block type */) { + case 0x01: /* Client Hello */ + case 0x02: /* Server Hello */ + processClientServerHello(ndpi_struct, flow); + flow->l4.tcp.tls.hello_processed = 1; + ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS); + break; + + case 0x0b: /* Certificate */ + processCertificate(ndpi_struct, flow); + flow->l4.tcp.tls.certificate_processed = 1; + break; - /* Check after handshake protocol header (5 bytes) and message header (4 bytes) */ - for(i = 9; i < packet->payload_packet_len-3; i++) { - if(((packet->payload[i] == 0x04) && (packet->payload[i+1] == 0x03) && (packet->payload[i+2] == 0x0c)) - || ((packet->payload[i] == 0x04) && (packet->payload[i+1] == 0x03) && (packet->payload[i+2] == 0x13)) - || ((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x03))) { - u_int8_t server_len, off = 0; + default: + return(-1); + } - if(packet->payload[i] == 0x55) { - num_found++, off++; + return(0); +} - if(num_found != 2) continue; - } +/* **************************************** */ - server_len = packet->payload[i+3+off]; - - if((server_len+i+3) < packet->payload_packet_len) { - char *server_name = (char*)&packet->payload[i+4+off]; - u_int8_t begin = 0, len, j, num_dots; - - while(begin < server_len) { - if(!ndpi_isprint(server_name[begin])) - begin++; - else - break; - } +static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + int rc = 1; - len = ndpi_min(server_len-begin, buffer_len-1); - // len = buffer_len-1; - - strncpy(buffer, &server_name[begin], len); - buffer[len] = '\0'; - - // if(len != (buffer_len-1)) printf("len=%u / buffer_len-1=%u\n", len, buffer_len-1); - - /* We now have to check if this looks like an IP address or host name */ - for(j=0, num_dots = 0; j<len; j++) { - if(!ndpi_isprint((buffer[j]))) { - num_dots = 0; /* This is not what we look for */ - break; - } else if(buffer[j] == '.') { - num_dots++; - if(num_dots >=1) break; - } - } +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] ndpi_search_tls_tcp() [payload_packet_len: %u]\n", + packet->payload_packet_len); +#endif - if(num_dots >= 1) { - ndpi_protocol_match_result ret_match; - u_int16_t subproto; - - stripCertificateTrailer(buffer, buffer_len); - snprintf(flow->protos.stun_ssl.ssl.server_certificate, - sizeof(flow->protos.stun_ssl.ssl.server_certificate), "%s", buffer); - -#ifdef DEBUG_TLS - printf("[server_certificate: %s]\n", flow->protos.stun_ssl.ssl.server_certificate); + if(packet->payload_packet_len == 0) + return(1); /* Keep working */ + + ndpi_search_tls_tcp_memory(ndpi_struct, flow); + + while(1) { + u_int16_t len, p_len; + const u_int8_t *p; + + if(flow->l4.tcp.tls.message.buffer_used < 5) + return(1); /* Keep working */ + + len = (flow->l4.tcp.tls.message.buffer[3] << 8) + flow->l4.tcp.tls.message.buffer[4] + 5; + + if(len > flow->l4.tcp.tls.message.buffer_used) { +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] Not enough TLS data [%u < %u][%02X %02X %02X %02X %02X]\n", + len, flow->l4.tcp.tls.message.buffer_used, + flow->l4.tcp.tls.message.buffer[0], + flow->l4.tcp.tls.message.buffer[1], + flow->l4.tcp.tls.message.buffer[2], + flow->l4.tcp.tls.message.buffer[3], + flow->l4.tcp.tls.message.buffer[4]); #endif - - subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, - flow->protos.stun_ssl.ssl.server_certificate, - strlen(flow->protos.stun_ssl.ssl.server_certificate), - &ret_match, - NDPI_PROTOCOL_TLS); - - if(subproto != NDPI_PROTOCOL_UNKNOWN) - ndpi_set_detected_protocol(ndpi_struct, flow, subproto, NDPI_PROTOCOL_TLS); - return(1 /* Server Certificate */); - } - } - } - } - } else if(handshake_protocol == 0x01 /* Client Hello */) { - u_int offset; + break; + } -#ifdef DEBUG_TLS - printf("[base_offset: %u][payload_packet_len: %u]\n", base_offset, packet->payload_packet_len); +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] Processing %u bytes message\n", len); #endif - if(base_offset + 2 <= packet->payload_packet_len) { - u_int16_t session_id_len; - u_int16_t tls_version; + /* Overwriting packet payload */ + p = packet->payload, p_len = packet->payload_packet_len; /* Backup */ + + /* Split the element in blocks */ + u_int16_t processed = 5; + + while(processed < len) { + const u_int8_t *block = (const u_int8_t *)&flow->l4.tcp.tls.message.buffer[processed]; + u_int16_t block_len = (block[1] << 16) + (block[2] << 8) + block[3]; - if(packet->tcp) - tls_version = ntohs(*((u_int16_t*)&packet->payload[header_len+4])); - else - tls_version = ntohs(*((u_int16_t*)&packet->payload[header_len+12])); + packet->payload = block, packet->payload_packet_len = block_len+4; + + if((processed+packet->payload_packet_len) > len) + break; + +#ifdef DEBUG_TLS_MEMORY + printf("*** [TLS Mem] Processing %u bytes block [%02X %02X %02X %02X %02X]\n", + packet->payload_packet_len, + packet->payload[0], packet->payload[1], packet->payload[2], packet->payload[3], packet->payload[4]); +#endif - session_id_len = packet->payload[base_offset]; - ja3.tls_handshake_version = tls_version; + processTLSBlock(ndpi_struct, flow); + processed += packet->payload_packet_len; + } + + packet->payload = p, packet->payload_packet_len = p_len; /* Restore */ + flow->l4.tcp.tls.message.buffer_used -= len; - if((session_id_len+base_offset+2) <= total_len) { - u_int16_t cipher_len, cipher_offset; + memmove(flow->l4.tcp.tls.message.buffer, + &flow->l4.tcp.tls.message.buffer[len], + flow->l4.tcp.tls.message.buffer_used); - if(packet->tcp) { - cipher_len = packet->payload[session_id_len+base_offset+2] + (packet->payload[session_id_len+base_offset+1] << 8); - cipher_offset = base_offset + session_id_len + 3; - } else { - cipher_len = ntohs(*((u_int16_t*)&packet->payload[base_offset+2])); - cipher_offset = base_offset+4; - } +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] Left memory buffer %u bytes\n", flow->l4.tcp.tls.message.buffer_used); +#endif + } -#ifdef DEBUG_TLS - printf("Client SSL [client cipher_len: %u][tls_version: 0x%04X]\n", cipher_len, tls_version); +#ifdef DEBUG_TLS_MEMORY + printf("[TLS Mem] Returning %u\n", rc); #endif - if((cipher_offset+cipher_len) <= total_len) { - for(i=0; i<cipher_len;) { - u_int16_t *id = (u_int16_t*)&packet->payload[cipher_offset+i]; + return(rc); +} +/* **************************************** */ + +static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + u_int8_t handshake_type; + u_int32_t handshake_len; + u_int16_t p_len; + const u_int8_t *p; + #ifdef DEBUG_TLS - printf("Client SSL [cipher suite: %u/0x%04X] [%d/%u]\n", ntohs(*id), ntohs(*id), i, cipher_len); + printf("[TLS] %s()\n", __FUNCTION__); #endif - if((*id == 0) || (packet->payload[cipher_offset+i] != packet->payload[cipher_offset+i+1])) { - /* - Skip GREASE [https://tools.ietf.org/id/draft-ietf-tls-grease-01.html] - https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 - */ - - if(ja3.num_cipher < MAX_NUM_JA3) - ja3.cipher[ja3.num_cipher++] = ntohs(*id); - else { - invalid_ja3 = 1; + + /* Consider only specific SSL packets (handshake) */ + if((packet->payload_packet_len < 17) + || (packet->payload[0] != 0x16) + || (packet->payload[1] != 0xfe) /* We ignore old DTLS versions */ + || ((packet->payload[2] != 0xff) && (packet->payload[2] != 0xfd)) + || ((ntohs(*((u_int16_t*)&packet->payload[11]))+13) != packet->payload_packet_len) + ) { + no_dtls: + #ifdef DEBUG_TLS - printf("Client SSL Invalid cipher %u\n", ja3.num_cipher); + printf("[TLS] No DTLS found\n"); #endif - } - } + + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return(0); /* Giveup */ + } - i += 2; - } - } else { - invalid_ja3 = 1; -#ifdef DEBUG_TLS - printf("Client SSL Invalid len %u vs %u\n", (cipher_offset+cipher_len), total_len); -#endif - } + handshake_type = packet->payload[13]; + handshake_len = (packet->payload[14] << 16) + (packet->payload[15] << 8) + packet->payload[16]; - offset = base_offset + session_id_len + cipher_len + 2; + if((handshake_len+25) != packet->payload_packet_len) + goto no_dtls; + + /* Overwriting packet payload */ + p = packet->payload, p_len = packet->payload_packet_len; /* Backup */ + packet->payload = &packet->payload[13], packet->payload_packet_len -= 13; - flow->l4.tcp.tls_seen_client_cert = 1; + processTLSBlock(ndpi_struct, flow); + + packet->payload = p, packet->payload_packet_len = p_len; /* Restore */ + + ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS); + return(1); /* Keep working */ +} - if(offset < total_len) { - u_int16_t compression_len; - u_int16_t extensions_len; +/* **************************************** */ - offset += packet->tcp ? 1 : 2; - compression_len = packet->payload[offset]; - offset++; +static void tlsInitExtraPacketProcessing(struct ndpi_flow_struct *flow) { + flow->check_extra_packets = 1; -#ifdef DEBUG_TLS - printf("Client SSL [compression_len: %u]\n", compression_len); + /* At most 12 packets should almost always be enough to find the server certificate if it's there */ + flow->max_extra_packets_to_check = 12; + flow->extra_packets_func = (flow->packet.udp != NULL) ? ndpi_search_tls_udp : ndpi_search_tls_tcp; +} + +/* **************************************** */ + +static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, u_int32_t protocol) { +#if DEBUG_TLS + printf("[TLS] %s()\n", __FUNCTION__); #endif - // offset += compression_len + 3; - offset += compression_len; + if((flow->detected_protocol_stack[0] == protocol) + || (flow->detected_protocol_stack[1] == protocol)) { + if(!flow->check_extra_packets) + tlsInitExtraPacketProcessing(flow); + return; + } + + if(protocol != NDPI_PROTOCOL_TLS) + ; + else + protocol = ndpi_tls_refine_master_protocol(ndpi_struct, flow, protocol); - if(offset < total_len) { - extensions_len = ntohs(*((u_int16_t*)&packet->payload[offset])); - offset += 2; + ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_TLS); + tlsInitExtraPacketProcessing(flow); +} -#ifdef DEBUG_TLS - printf("Client SSL [extensions_len: %u]\n", extensions_len); -#endif +/* **************************************** */ - if((extensions_len+offset) <= total_len) { - /* Move to the first extension - Type is u_int to avoid possible overflow on extension_len addition */ - u_int extension_offset = 0; - u_int32_t j; +/* https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 */ - while(extension_offset < extensions_len) { - u_int16_t extension_id, extension_len, extn_off = offset+extension_offset; +#define JA3_STR_LEN 1024 +#define MAX_NUM_JA3 128 - extension_id = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset])); - extension_offset += 2; +struct ja3_info { + u_int16_t tls_handshake_version; + u_int16_t num_cipher, cipher[MAX_NUM_JA3]; + u_int16_t num_tls_extension, tls_extension[MAX_NUM_JA3]; + u_int16_t num_elliptic_curve, elliptic_curve[MAX_NUM_JA3]; + u_int8_t num_elliptic_curve_point_format, elliptic_curve_point_format[MAX_NUM_JA3]; +}; - extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset])); - extension_offset += 2; +/* **************************************** */ +int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + struct ja3_info ja3; + u_int8_t invalid_ja3 = 0; + u_int16_t tls_version, ja3_str_len; + char ja3_str[JA3_STR_LEN]; + ndpi_MD5_CTX ctx; + u_char md5_hash[16]; + int i; + u_int16_t total_len; + u_int8_t handshake_type; + char buffer[64] = { '\0' }; + #ifdef DEBUG_TLS - printf("Client SSL [extension_id: %u][extension_len: %u]\n", extension_id, extension_len); + printf("SSL %s() called\n", __FUNCTION__); #endif - if((extension_id == 0) || (packet->payload[extn_off] != packet->payload[extn_off+1])) { - /* Skip GREASE */ + memset(&ja3, 0, sizeof(ja3)); - if(ja3.num_tls_extension < MAX_NUM_JA3) - ja3.tls_extension[ja3.num_tls_extension++] = extension_id; - else { - invalid_ja3 = 1; + handshake_type = packet->payload[0]; + total_len = (packet->payload[1] << 16) + (packet->payload[2] << 8) + packet->payload[3]; + + if(total_len > packet->payload_packet_len) + return(0); /* Not found */ + + total_len = packet->payload_packet_len; + + /* At least "magic" 3 bytes, null for string end, otherwise no need to waste cpu cycles */ + if(total_len > 4) { + u_int16_t base_offset = packet->tcp ? 38 : 46; + u_int16_t version_offset = packet->tcp ? 4 : 12; + u_int16_t offset = 38, extension_len, j; + u_int8_t session_id_len = packet->tcp ? packet->payload[offset] : packet->payload[46]; + #ifdef DEBUG_TLS - printf("Client SSL Invalid extensions %u\n", ja3.num_tls_extension); + printf("SSL [len: %u][handshake_type: %02X]\n", packet->payload_packet_len, handshake_type); #endif - } - } - - if(extension_id == 0 /* server name */) { - u_int16_t len; - - len = (packet->payload[offset+extension_offset+3] << 8) + packet->payload[offset+extension_offset+4]; - len = (u_int)ndpi_min(len, buffer_len-1); - - if((offset+extension_offset+5+len) < packet->payload_packet_len) { - strncpy(buffer, (char*)&packet->payload[offset+extension_offset+5], len); - buffer[len] = '\0'; - - stripCertificateTrailer(buffer, buffer_len); - - snprintf(flow->protos.stun_ssl.ssl.client_certificate, - sizeof(flow->protos.stun_ssl.ssl.client_certificate), - "%s", buffer); - } - } else if(extension_id == 10 /* supported groups */) { - u_int16_t s_offset = offset+extension_offset + 2; + tls_version = ntohs(*((u_int16_t*)&packet->payload[version_offset])); + flow->protos.stun_ssl.ssl.ssl_version = ja3.tls_handshake_version = tls_version; + + if(handshake_type == 0x02 /* Server Hello */) { + int i, rc; + #ifdef DEBUG_TLS - printf("Client SSL [EllipticCurveGroups: len=%u]\n", extension_len); + printf("SSL Server Hello [version: 0x%04X]\n", tls_version); #endif - if((s_offset+extension_len-2) <= total_len) { - for(i=0; i<extension_len-2;) { - u_int16_t s_group = ntohs(*((u_int16_t*)&packet->payload[s_offset+i])); + /* + The server hello decides about the SSL version of this flow + https://networkengineering.stackexchange.com/questions/55752/why-does-wireshark-show-version-tls-1-2-here-instead-of-tls-1-3 + */ + if(packet->udp) + offset += 1; + else { + if(tls_version < 0x7F15 /* TLS 1.3 lacks of session id */) + offset += session_id_len+1; + } -#ifdef DEBUG_TLS - printf("Client SSL [EllipticCurve: %u/0x%04X]\n", s_group, s_group); -#endif - if((s_group == 0) || (packet->payload[s_offset+i] != packet->payload[s_offset+i+1])) { - /* Skip GREASE */ - if(ja3.num_elliptic_curve < MAX_NUM_JA3) - ja3.elliptic_curve[ja3.num_elliptic_curve++] = s_group; - else { - invalid_ja3 = 1; -#ifdef DEBUG_TLS - printf("Client SSL Invalid num elliptic %u\n", ja3.num_elliptic_curve); -#endif - } - } + ja3.num_cipher = 1, ja3.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset])); + flow->protos.stun_ssl.ssl.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0]); + flow->protos.stun_ssl.ssl.server_cipher = ja3.cipher[0]; - i += 2; - } - } else { - invalid_ja3 = 1; #ifdef DEBUG_TLS - printf("Client SSL Invalid len %u vs %u\n", (s_offset+extension_len-1), total_len); + printf("TLS [server][session_id_len: %u][cipher: %04X]\n", session_id_len, ja3.cipher[0]); #endif - } - } else if(extension_id == 11 /* ec_point_formats groups */) { - u_int16_t s_offset = offset+extension_offset + 1; -#ifdef DEBUG_TLS - printf("Client SSL [EllipticCurveFormat: len=%u]\n", extension_len); -#endif - if((s_offset+extension_len) < total_len) { - for(i=0; i<extension_len-1;i++) { - u_int8_t s_group = packet->payload[s_offset+i]; + offset += 2 + 1; -#ifdef DEBUG_TLS - printf("Client SSL [EllipticCurveFormat: %u]\n", s_group); -#endif + if((offset + 1) < packet->payload_packet_len) /* +1 because we are goint to read 2 bytes */ + extension_len = ntohs(*((u_int16_t*)&packet->payload[offset])); + else + extension_len = 0; - if(ja3.num_elliptic_curve_point_format < MAX_NUM_JA3) - ja3.elliptic_curve_point_format[ja3.num_elliptic_curve_point_format++] = s_group; - else { - invalid_ja3 = 1; -#ifdef DEBUG_TLS - printf("Client SSL Invalid num elliptic %u\n", ja3.num_elliptic_curve_point_format); -#endif - } - } - } else { - invalid_ja3 = 1; #ifdef DEBUG_TLS - printf("Client SSL Invalid len %u vs %u\n", s_offset+extension_len, total_len); + printf("TLS [server][extension_len: %u]\n", extension_len); #endif - } - } else if(extension_id == 43 /* supported versions */) { - u_int8_t version_len = packet->payload[offset+4]; - - if(version_len == (extension_len-1)) { -#ifdef DEBUG_TLS - u_int8_t j; - - for(j=0; j<version_len; j += 2) { - u_int16_t tls_version = ntohs(*((u_int16_t*)&packet->payload[offset+5+j])); - - printf("Client SSL [TLS version: 0x%04X]\n", tls_version); - } -#endif - } - } + offset += 2; - extension_offset += extension_len; + for(i=0; i<extension_len; ) { + u_int16_t extension_id, extension_len; -#ifdef DEBUG_TLS - printf("Client SSL [extension_offset/len: %u/%u]\n", extension_offset, extension_len); -#endif - } /* while */ - - if(!invalid_ja3) { - int rc; - - compute_ja3c: - ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version); - - for(i=0; i<ja3.num_cipher; i++) { - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", - (i > 0) ? "-" : "", ja3.cipher[i]); - if(rc > 0) ja3_str_len += rc; else break; - } + if(offset >= (packet->payload_packet_len+4)) break; - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); - if(rc > 0) ja3_str_len += rc; - - /* ********** */ + extension_id = ntohs(*((u_int16_t*)&packet->payload[offset])); + extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+2])); - for(i=0; i<ja3.num_tls_extension; i++) { - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", - (i > 0) ? "-" : "", ja3.tls_extension[i]); - if(rc > 0) ja3_str_len += rc; else break; - } - - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); - if(rc > 0) ja3_str_len += rc; - - /* ********** */ - - for(i=0; i<ja3.num_elliptic_curve; i++) { - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", - (i > 0) ? "-" : "", ja3.elliptic_curve[i]); - if(rc > 0) ja3_str_len += rc; else break; - } - - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); - if(rc > 0) ja3_str_len += rc; - - for(i=0; i<ja3.num_elliptic_curve_point_format; i++) { - rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", - (i > 0) ? "-" : "", ja3.elliptic_curve_point_format[i]); - if(rc > 0) ja3_str_len += rc; else break; - } + if(ja3.num_tls_extension < MAX_NUM_JA3) + ja3.tls_extension[ja3.num_tls_extension++] = extension_id; #ifdef DEBUG_TLS - printf("[JA3] Client: %s \n", ja3_str); + printf("TLS [server][extension_id: %u/0x%04X][len: %u]\n", + extension_id, extension_id, extension_len); #endif - ndpi_MD5Init(&ctx); - ndpi_MD5Update(&ctx, (const unsigned char *)ja3_str, strlen(ja3_str)); - ndpi_MD5Final(md5_hash, &ctx); + if(extension_id == 43 /* supported versions */) { + if(extension_len >= 2) { + u_int16_t tls_version = ntohs(*((u_int16_t*)&packet->payload[offset+4])); - for(i=0, j=0; i<16; i++) { - rc = snprintf(&flow->protos.stun_ssl.ssl.ja3_client[j], - sizeof(flow->protos.stun_ssl.ssl.ja3_client)-j, "%02x", - md5_hash[i]); - if(rc > 0) j += rc; else break; - } #ifdef DEBUG_TLS - printf("[JA3] Client: %s \n", flow->protos.stun_ssl.ssl.ja3_client); + printf("TLS [server] [TLS version: 0x%04X]\n", tls_version); #endif - } - return(2 /* Client Certificate */); - } - } else if(offset == total_len) { - /* SSL does not have extensions etc */ - goto compute_ja3c; - } - } + flow->protos.stun_ssl.ssl.ssl_version = tls_version; } } + + i += 4 + extension_len, offset += 4 + extension_len; } - } - } - return(0); /* Not found */ -} + ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version); -/* **************************************** */ + for(i=0; i<ja3.num_cipher; i++) { + rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]); -/* See https://blog.catchpoint.com/2017/05/12/dissecting-tls-using-wireshark/ */ -int getSSCertificateFingerprint(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; - u_int8_t multiple_messages; + if(rc <= 0) break; else ja3_str_len += rc; + } - if(flow->l4.tcp.tls_srv_cert_fingerprint_processed) - return(0); /* We're good */ - -#ifdef DEBUG_TLS - printf("=>> [TLS] %s() [tls_record_offset=%d][payload_packet_len=%u][direction: %u][%02X %02X %02X...]\n", - __FUNCTION__, flow->l4.tcp.tls_record_offset, packet->payload_packet_len, - packet->packet_direction, - packet->payload[0], packet->payload[1], packet->payload[2]); -#endif - - if((packet->packet_direction == 0) /* Client -> Server */ - || (packet->payload_packet_len == 0)) - return(1); /* More packets please */ - else if(flow->l4.tcp.tls_srv_cert_fingerprint_processed) - return(0); /* We're good */ - - if(packet->payload_packet_len <= flow->l4.tcp.tls_record_offset) { - /* Avoid invalid memory accesses */ - return(1); - } + rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); + if(rc > 0) ja3_str_len += rc; - if(flow->l4.tcp.tls_fingerprint_len > 0) { - unsigned int avail = packet->payload_packet_len - flow->l4.tcp.tls_record_offset; + /* ********** */ - if(avail > flow->l4.tcp.tls_fingerprint_len) - avail = flow->l4.tcp.tls_fingerprint_len; + for(i=0; i<ja3.num_tls_extension; i++) { + int rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.tls_extension[i]); -#ifdef DEBUG_TLS - printf("=>> [TLS] Certificate record [%02X %02X %02X...][missing: %u][offset: %u][avail: %u] (B)\n", - packet->payload[flow->l4.tcp.tls_record_offset], - packet->payload[flow->l4.tcp.tls_record_offset+1], - packet->payload[flow->l4.tcp.tls_record_offset+2], - flow->l4.tcp.tls_fingerprint_len, flow->l4.tcp.tls_record_offset, avail - ); -#endif - -#ifdef DEBUG_CERTIFICATE_HASH - for(i=0;i<avail;i++) - printf("%02X ", packet->payload[flow->l4.tcp.tls_record_offset+i]); - printf("\n"); -#endif - - SHA1Update(flow->l4.tcp.tls_srv_cert_fingerprint_ctx, - &packet->payload[flow->l4.tcp.tls_record_offset], - avail); - - flow->l4.tcp.tls_fingerprint_len -= avail; - - if(flow->l4.tcp.tls_fingerprint_len == 0) { - SHA1Final(flow->l4.tcp.tls_sha1_certificate_fingerprint, flow->l4.tcp.tls_srv_cert_fingerprint_ctx); + if(rc <= 0) break; else ja3_str_len += rc; + } #ifdef DEBUG_TLS - { - int i; - - printf("=>> [TLS] SHA-1: "); - for(i=0;i<20;i++) - printf("%s%02X", (i > 0) ? ":" : "", flow->l4.tcp.tls_sha1_certificate_fingerprint[i]); - printf("\n"); - } + printf("TLS [server] %s\n", ja3_str); #endif - - flow->l4.tcp.tls_srv_cert_fingerprint_processed = 1; - return(0); /* We're good */ - } else { - flow->l4.tcp.tls_record_offset = 0; + #ifdef DEBUG_TLS - printf("=>> [TLS] Certificate record: still missing %u bytes\n", flow->l4.tcp.tls_fingerprint_len); + printf("[JA3] Server: %s \n", ja3_str); #endif - return(1); /* More packets please */ - } - } - if(packet->payload[flow->l4.tcp.tls_record_offset] == 0x15 /* Alert */) { - u_int len = ntohs(*(u_int16_t*)&packet->payload[flow->l4.tcp.tls_record_offset+3]) + 5 /* SSL header len */; + ndpi_MD5Init(&ctx); + ndpi_MD5Update(&ctx, (const unsigned char *)ja3_str, strlen(ja3_str)); + ndpi_MD5Final(md5_hash, &ctx); - if(len < 10 /* Sanity check */) { - if((flow->l4.tcp.tls_record_offset+len) < packet->payload_packet_len) - flow->l4.tcp.tls_record_offset += len; - } else - goto invalid_len; - } - - multiple_messages = (packet->payload[flow->l4.tcp.tls_record_offset] == 0x16 /* Handshake */) ? 0 : 1; + for(i=0, j=0; i<16; i++) { + int rc = snprintf(&flow->protos.stun_ssl.ssl.ja3_server[j], + sizeof(flow->protos.stun_ssl.ssl.ja3_server)-j, "%02x", md5_hash[i]); + if(rc <= 0) break; else j += rc; + } #ifdef DEBUG_TLS - printf("=>> [TLS] [multiple_messages: %d]\n", multiple_messages); -#endif - - if((!multiple_messages) && (packet->payload[flow->l4.tcp.tls_record_offset] != 0x16 /* Handshake */)) - return(1); - else if(((!multiple_messages) && (packet->payload[flow->l4.tcp.tls_record_offset+5] == 0xb) /* Certificate */) - || (packet->payload[flow->l4.tcp.tls_record_offset] == 0xb) /* Certificate */) { - /* TODO: Do not take into account all certificates but only the first one */ + printf("[JA3] Server: %s \n", flow->protos.stun_ssl.ssl.ja3_server); +#endif + } else if(handshake_type == 0x01 /* Client Hello */) { + u_int16_t cipher_len, cipher_offset; + + if(packet->tcp) { + cipher_len = packet->payload[session_id_len+base_offset+2] + (packet->payload[session_id_len+base_offset+1] << 8); + cipher_offset = base_offset + session_id_len + 3; + } else { + cipher_len = ntohs(*((u_int16_t*)&packet->payload[base_offset+2])); + cipher_offset = base_offset+4; + } + #ifdef DEBUG_TLS - printf("=>> [TLS] Certificate found\n"); + printf("Client SSL [client cipher_len: %u][tls_version: 0x%04X]\n", cipher_len, tls_version); #endif - if(flow->l4.tcp.tls_srv_cert_fingerprint_ctx == NULL) - flow->l4.tcp.tls_srv_cert_fingerprint_ctx = (void*)ndpi_malloc(sizeof(SHA1_CTX)); - else { -#ifdef DEBUG_TLS - printf("[TLS] Internal error: double allocation\n:"); -#endif - } - - if(flow->l4.tcp.tls_srv_cert_fingerprint_ctx) { - SHA1Init(flow->l4.tcp.tls_srv_cert_fingerprint_ctx); - flow->l4.tcp.tls_srv_cert_fingerprint_found = 1; - flow->l4.tcp.tls_record_offset += (!multiple_messages) ? 13 : 8; - flow->l4.tcp.tls_fingerprint_len = ntohs(*(u_int16_t*)&packet->payload[flow->l4.tcp.tls_record_offset]); - flow->l4.tcp.tls_record_offset = flow->l4.tcp.tls_record_offset+2; + if((cipher_offset+cipher_len) <= total_len) { + for(i=0; i<cipher_len;) { + u_int16_t *id = (u_int16_t*)&packet->payload[cipher_offset+i]; + #ifdef DEBUG_TLS - printf("=>> [TLS] Certificate [total certificate len: %u][certificate initial offset: %u]\n", - flow->l4.tcp.tls_fingerprint_len, flow->l4.tcp.tls_record_offset); + printf("Client SSL [cipher suite: %u/0x%04X] [%d/%u]\n", ntohs(*id), ntohs(*id), i, cipher_len); #endif - return(getSSCertificateFingerprint(ndpi_struct, flow)); - } else - return(0); /* That's all */ - } else if(flow->l4.tcp.tls_seen_certificate) - return(0); /* That's all */ - else if(packet->payload_packet_len > flow->l4.tcp.tls_record_offset+7+1/* +1 because we are going to read 2 bytes */) { - /* This is a handshake but not a certificate record */ - u_int16_t len = ntohs(*(u_int16_t*)&packet->payload[flow->l4.tcp.tls_record_offset+7]); - + if((*id == 0) || (packet->payload[cipher_offset+i] != packet->payload[cipher_offset+i+1])) { + /* + Skip GREASE [https://tools.ietf.org/id/draft-ietf-tls-grease-01.html] + https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 + */ + + if(ja3.num_cipher < MAX_NUM_JA3) + ja3.cipher[ja3.num_cipher++] = ntohs(*id); + else { + invalid_ja3 = 1; #ifdef DEBUG_TLS - printf("=>> [TLS] Found record %02X [len: %u]\n", - packet->payload[flow->l4.tcp.tls_record_offset+5], len); + printf("Client SSL Invalid cipher %u\n", ja3.num_cipher); #endif + } + } - if(len > 4096) { - invalid_len: - /* This looks an invalid len: we giveup */ - flow->l4.tcp.tls_record_offset = 0, flow->l4.tcp.tls_srv_cert_fingerprint_processed = 1; + i += 2; + } + } else { + invalid_ja3 = 1; #ifdef DEBUG_TLS - printf("=>> [TLS] Invalid fingerprint processing %u <-> %u\n", - ntohs(packet->tcp->source), ntohs(packet->tcp->dest)); + printf("Client SSL Invalid len %u vs %u\n", (cipher_offset+cipher_len), total_len); #endif - return(0); - } else { - flow->l4.tcp.tls_record_offset += len + 9; - - if(flow->l4.tcp.tls_record_offset < packet->payload_packet_len) - return(getSSCertificateFingerprint(ndpi_struct, flow)); - else { - flow->l4.tcp.tls_record_offset -= packet->payload_packet_len; } - } - } - flow->extra_packets_func = NULL; /* We're good now */ - return(1); -} + offset = base_offset + session_id_len + cipher_len + 2; -/* **************************************** */ + if(offset < total_len) { + u_int16_t compression_len; + u_int16_t extensions_len; -/* See https://blog.catchpoint.com/2017/05/12/dissecting-tls-using-wireshark/ */ -void getSSLorganization(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - char *buffer, int buffer_len) { - struct ndpi_packet_struct *packet = &flow->packet; - u_int16_t total_len; - u_int8_t handshake_protocol; - - if(packet->payload[0] != 0x16 /* Handshake */) - return; - - total_len = (packet->payload[3] << 8) + packet->payload[4] + 5 /* SSL Header */; - handshake_protocol = packet->payload[5]; /* handshake protocol a bit misleading, it is message type according TLS specs */ - - if((handshake_protocol != 0x02) - && (handshake_protocol != 0xb) /* Server Hello and Certificate message types are interesting for us */) - return; + offset += packet->tcp ? 1 : 2; + compression_len = packet->payload[offset]; + offset++; #ifdef DEBUG_TLS - printf("=>> [TLS] Certificate [total_len: %u/%u]\n", ntohs(*(u_int16_t*)&packet->payload[3]), total_len); + printf("Client SSL [compression_len: %u]\n", compression_len); #endif - - /* Truncate total len, search at least in incomplete packet */ - if(total_len > packet->payload_packet_len) - total_len = packet->payload_packet_len; - memset(buffer, 0, buffer_len); + // offset += compression_len + 3; + offset += compression_len; - /* Check after handshake protocol header (5 bytes) and message header (4 bytes) */ - u_int num_found = 0, i, j; - - for(i = 9; i < packet->payload_packet_len-4; i++) { - /* Organization OID: 2.5.4.10 */ - if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x0a)) { - u_int8_t server_len = packet->payload[i+4]; + if(offset < total_len) { + extensions_len = ntohs(*((u_int16_t*)&packet->payload[offset])); + offset += 2; - num_found++; - /* what we want is subject certificate, so we bypass the issuer certificate */ - if(num_found != 2) continue; +#ifdef DEBUG_TLS + printf("Client SSL [extensions_len: %u]\n", extensions_len); +#endif - // packet is truncated... further inspection is not needed - if(i+4+server_len >= packet->payload_packet_len) { - break; - } + if((extensions_len+offset) <= total_len) { + /* Move to the first extension + Type is u_int to avoid possible overflow on extension_len addition */ + u_int extension_offset = 0; + u_int32_t j; - char *server_org = (char*)&packet->payload[i+5]; + while(extension_offset < extensions_len) { + u_int16_t extension_id, extension_len, extn_off = offset+extension_offset; - u_int len = (u_int)ndpi_min(server_len, buffer_len-1); - strncpy(buffer, server_org, len); - buffer[len] = '\0'; + extension_id = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset])); + extension_offset += 2; - // check if organization string are all printable - u_int8_t is_printable = 1; - for (j = 0; j < len; j++) { - if(!ndpi_isprint(buffer[j])) { - is_printable = 0; - break; - } - } + extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset])); + extension_offset += 2; - if(is_printable == 1) { - snprintf(flow->protos.stun_ssl.ssl.server_organization, - sizeof(flow->protos.stun_ssl.ssl.server_organization), "%s", buffer); #ifdef DEBUG_TLS - printf("Certificate organization: %s\n", flow->protos.stun_ssl.ssl.server_organization); + printf("Client SSL [extension_id: %u][extension_len: %u]\n", extension_id, extension_len); #endif - } - } else if((packet->payload[i] == 0x30) && (packet->payload[i+1] == 0x1e) && (packet->payload[i+2] == 0x17)) { - u_int8_t len = packet->payload[i+3]; - u_int offset = i+4; - if((offset+len) < packet->payload_packet_len) { - char utcDate[32]; + if((extension_id == 0) || (packet->payload[extn_off] != packet->payload[extn_off+1])) { + /* Skip GREASE */ + if(ja3.num_tls_extension < MAX_NUM_JA3) + ja3.tls_extension[ja3.num_tls_extension++] = extension_id; + else { + invalid_ja3 = 1; #ifdef DEBUG_TLS - printf("[CERTIFICATE] notBefore [len: %u][", len); - for(j=0; j<len; j++) printf("%c", packet->payload[i+4+j]); - printf("]\n"); + printf("Client SSL Invalid extensions %u\n", ja3.num_tls_extension); #endif + } + } - if(len < (sizeof(utcDate)-1)) { - struct tm utc; - utc.tm_isdst = -1; /* Not set by strptime */ - - strncpy(utcDate, (const char*)&packet->payload[i+4], len); - utcDate[len] = '\0'; + if(extension_id == 0 /* server name */) { + u_int16_t len; - /* 141021000000Z */ - if(strptime(utcDate, "%y%m%d%H%M%SZ", &utc) != NULL) { - flow->protos.stun_ssl.ssl.notBefore = timegm(&utc); #ifdef DEBUG_TLS - printf("[CERTIFICATE] notBefore %u [%s]\n", - flow->protos.stun_ssl.ssl.notBefore, utcDate); + printf("[TLS] Extensions: found server name\n"); #endif - } - } - offset += len; + len = (packet->payload[offset+extension_offset+3] << 8) + packet->payload[offset+extension_offset+4]; + len = (u_int)ndpi_min(len, sizeof(buffer)-1); - if((offset+1) < packet->payload_packet_len) { - len = packet->payload[offset+1]; + if((offset+extension_offset+5+len) < packet->payload_packet_len) { + strncpy(buffer, (char*)&packet->payload[offset+extension_offset+5], len); + buffer[len] = '\0'; - offset += 2; + cleanupServerName(buffer, sizeof(buffer)); - if((offset+len) < packet->payload_packet_len) { + snprintf(flow->protos.stun_ssl.ssl.client_certificate, + sizeof(flow->protos.stun_ssl.ssl.client_certificate), "%s", buffer); + + if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, buffer, strlen(buffer))) + flow->l4.tcp.tls.subprotocol_detected = 1; + } else { #ifdef DEBUG_TLS - printf("[CERTIFICATE] notAfter [len: %u][", len); - for(j=0; j<len; j++) printf("%c", packet->payload[offset+j]); - printf("]\n"); + printf("[TLS] Extensions server len too short: %u vs %u\n", + offset+extension_offset+5+len, + packet->payload_packet_len); #endif + } + } else if(extension_id == 10 /* supported groups */) { + u_int16_t s_offset = offset+extension_offset + 2; - if(len < (sizeof(utcDate)-1)) { - struct tm utc; - utc.tm_isdst = -1; /* Not set by strptime */ - - strncpy(utcDate, (const char*)&packet->payload[offset], len); - utcDate[len] = '\0'; - - /* 141021000000Z */ - if(strptime(utcDate, "%y%m%d%H%M%SZ", &utc) != NULL) { - flow->protos.stun_ssl.ssl.notAfter = timegm(&utc); #ifdef DEBUG_TLS - printf("[CERTIFICATE] notAfter %u [%s]\n", - flow->protos.stun_ssl.ssl.notAfter, utcDate); + printf("Client SSL [EllipticCurveGroups: len=%u]\n", extension_len); #endif - } - } - } - } - } - } - } -} - -/* **************************************** */ - -int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; - int rc = 1; - - if(packet->tcp) { - if(!flow->l4.tcp.tls_srv_cert_fingerprint_processed) - getSSCertificateFingerprint(ndpi_struct, flow); - } - - /* consider only specific SSL packets (handshake) */ - if((packet->payload_packet_len > 9) && (packet->payload[0] == 0x16)) { - char certificate[64]; - int rc; - - certificate[0] = '\0'; - rc = getTLScertificate(ndpi_struct, flow, certificate, sizeof(certificate)); - packet->tls_certificate_num_checks++; - - if(rc > 0) { - char organization[64]; - - // try fetch server organization once server certificate is found - organization[0] = '\0'; - getSSLorganization(ndpi_struct, flow, organization, sizeof(organization)); - - packet->tls_certificate_detected++; - } - - if(flow->l4.tcp.tls_record_offset == 0) { - /* Client hello, Server Hello, and certificate packets probably all checked in this case */ - if(((packet->tls_certificate_num_checks >= 3) - && (flow->l4.tcp.seen_syn) - && (flow->l4.tcp.seen_syn_ack) - && (flow->l4.tcp.seen_ack) /* We have seen the 3-way handshake */ - && flow->l4.tcp.tls_srv_cert_fingerprint_processed) - /* || (flow->protos.stun_ssl.ssl.ja3_server[0] != '\0') */ - ) { - /* We're done processing extra packets since we've probably checked all possible cert packets */ - return(rc); - } - } - } - - /* 1 means keep looking for more packets */ - if(!flow->l4.tcp.tls_srv_cert_fingerprint_processed) rc = 1; - return(rc); -} -/* **************************************** */ - -int tlsDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - u_int8_t skip_cert_processing) { - struct ndpi_packet_struct *packet = &flow->packet; - - if((!skip_cert_processing) && packet->tcp) { - if(!flow->l4.tcp.tls_srv_cert_fingerprint_processed) - getSSCertificateFingerprint(ndpi_struct, flow); - } - - if((packet->payload_packet_len > 9) - && (packet->payload[0] == 0x16 /* consider only specific SSL packets (handshake) */)) { - if((packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) - || (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS)) { - char certificate[64]; - int rc; - - certificate[0] = '\0'; - rc = getTLScertificate(ndpi_struct, flow, certificate, sizeof(certificate)); - packet->tls_certificate_num_checks++; + if((s_offset+extension_len-2) <= total_len) { + for(i=0; i<extension_len-2;) { + u_int16_t s_group = ntohs(*((u_int16_t*)&packet->payload[s_offset+i])); - if(rc > 0) { - packet->tls_certificate_detected++; #ifdef DEBUG_TLS - NDPI_LOG_DBG2(ndpi_struct, "***** [SSL] %s\n", certificate); + printf("Client SSL [EllipticCurve: %u/0x%04X]\n", s_group, s_group); #endif - ndpi_protocol_match_result ret_match; - u_int16_t subproto; - - if(certificate[0] == '\0') - subproto = NDPI_PROTOCOL_UNKNOWN; - else - subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, certificate, - strlen(certificate), - &ret_match, - NDPI_PROTOCOL_TLS); - - if(subproto != NDPI_PROTOCOL_UNKNOWN) { - /* If we've detected the subprotocol from client certificate but haven't had a chance - * to see the server certificate yet, set up extra packet processing to wait - * a few more packets. */ - if(((flow->l4.tcp.tls_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) - && ((flow->l4.tcp.tls_seen_server_cert != 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] == '\0'))) { - sslInitExtraPacketProcessing(flow); - } - - ndpi_set_detected_protocol(ndpi_struct, flow, subproto, - ndpi_tls_refine_master_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS)); - return(rc); - } - - if(ndpi_is_tls_tor(ndpi_struct, flow, certificate) != 0) - return(rc); - } - + if((s_group == 0) || (packet->payload[s_offset+i] != packet->payload[s_offset+i+1])) { + /* Skip GREASE */ + if(ja3.num_elliptic_curve < MAX_NUM_JA3) + ja3.elliptic_curve[ja3.num_elliptic_curve++] = s_group; + else { + invalid_ja3 = 1; #ifdef DEBUG_TLS - printf("[TLS] %s() [tls_certificate_num_checks: %u][tls_srv_cert_fingerprint_processed: %u][tls_certificate_detected: %u][%u/%u]", - __FUNCTION__, packet->tls_certificate_num_checks, flow->l4.tcp.tls_srv_cert_fingerprint_processed, - packet->tls_certificate_detected, - flow->l4.tcp.tls_seen_client_cert, - flow->l4.tcp.tls_seen_server_cert - ); + printf("Client SSL Invalid num elliptic %u\n", ja3.num_elliptic_curve); #endif + } + } - - if(((packet->tls_certificate_num_checks >= 1) -#if 0 - && (flow->l4.tcp.seen_syn /* User || to be tolerant */ - || flow->l4.tcp.seen_syn_ack - || flow->l4.tcp.seen_ack /* We have seen the 3-way handshake */) + i += 2; + } + } else { + invalid_ja3 = 1; +#ifdef DEBUG_TLS + printf("Client SSL Invalid len %u vs %u\n", (s_offset+extension_len-1), total_len); #endif - && (flow->l4.tcp.tls_srv_cert_fingerprint_processed - || flow->l4.tcp.tls_seen_client_cert - || flow->l4.tcp.tls_seen_server_cert - || packet->tls_certificate_detected) - ) - /* - || ((flow->l4.tcp.tls_seen_certificate == 1) - && (flow->l4.tcp.tls_seen_server_cert == 1) - && (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0')) - */ - /* || ((flow->l4.tcp.tls_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) */ - ) { - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS); - } - } - } - - return(0); -} - -/* **************************************** */ + } + } else if(extension_id == 11 /* ec_point_formats groups */) { + u_int16_t s_offset = offset+extension_offset + 1; -static void tls_mark_and_payload_search(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow, - u_int8_t skip_cert_processing) { - struct ndpi_packet_struct *packet = &flow->packet; - u_int32_t a; - u_int32_t end; +#ifdef DEBUG_TLS + printf("Client SSL [EllipticCurveFormat: len=%u]\n", extension_len); +#endif + if((s_offset+extension_len) < total_len) { + for(i=0; i<extension_len-1;i++) { + u_int8_t s_group = packet->payload[s_offset+i]; #ifdef DEBUG_TLS - printf("[TLS] %s()\n", __FUNCTION__); + printf("Client SSL [EllipticCurveFormat: %u]\n", s_group); #endif - - if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_UNENCRYPTED_JABBER) != 0) - goto check_for_tls_payload; - if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_OSCAR) != 0) - goto check_for_tls_payload; - else - goto no_check_for_tls_payload; - - check_for_tls_payload: - end = packet->payload_packet_len - 20; - for (a = 5; a < end; a++) { - - if(packet->payload[a] == 't') { - if(memcmp(&packet->payload[a], "talk.google.com", 15) == 0) { - if(NDPI_COMPARE_PROTOCOL_TO_BITMASK - (ndpi_struct->detection_bitmask, NDPI_PROTOCOL_UNENCRYPTED_JABBER) != 0) { - NDPI_LOG_INFO(ndpi_struct, "found ssl jabber unencrypted\n"); - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNENCRYPTED_JABBER); - return; - } - } - } + if(ja3.num_elliptic_curve_point_format < MAX_NUM_JA3) + ja3.elliptic_curve_point_format[ja3.num_elliptic_curve_point_format++] = s_group; + else { + invalid_ja3 = 1; +#ifdef DEBUG_TLS + printf("Client SSL Invalid num elliptic %u\n", ja3.num_elliptic_curve_point_format); +#endif + } + } + } else { + invalid_ja3 = 1; +#ifdef DEBUG_TLS + printf("Client SSL Invalid len %u vs %u\n", s_offset+extension_len, total_len); +#endif + } + } else if(extension_id == 43 /* supported versions */) { + u_int8_t version_len = packet->payload[offset+4]; - if(packet->payload[a] == 'A' || packet->payload[a] == 'k' || packet->payload[a] == 'c' - || packet->payload[a] == 'h') { - if(((a + 19) < packet->payload_packet_len && memcmp(&packet->payload[a], "America Online Inc.", 19) == 0) - // || (end - c > 3 memcmp (&packet->payload[c],"AOL", 3) == 0 ) - // || (end - c > 7 && memcmp (&packet->payload[c], "AOL LLC", 7) == 0) - || ((a + 15) < packet->payload_packet_len && memcmp(&packet->payload[a], "kdc.uas.aol.com", 15) == 0) - || ((a + 14) < packet->payload_packet_len && memcmp(&packet->payload[a], "corehc@aol.net", 14) == 0) - || ((a + 41) < packet->payload_packet_len - && memcmp(&packet->payload[a], "http://crl.aol.com/AOLMSPKI/aolServerCert", 41) == 0) - || ((a + 28) < packet->payload_packet_len - && memcmp(&packet->payload[a], "http://ocsp.web.aol.com/ocsp", 28) == 0) - || ((a + 32) < packet->payload_packet_len - && memcmp(&packet->payload[a], "http://pki-info.aol.com/AOLMSPKI", 32) == 0)) { - NDPI_LOG_INFO(ndpi_struct, "found OSCAR SERVER SSL DETECTED\n"); - - if(flow->dst != NULL && packet->payload_packet_len > 75) { - memcpy(flow->dst->oscar_ssl_session_id, &packet->payload[44], 32); - flow->dst->oscar_ssl_session_id[32] = '\0'; - flow->dst->oscar_last_safe_access_time = packet->tick_timestamp; - } + if(version_len == (extension_len-1)) { +#ifdef DEBUG_TLS + u_int8_t j; - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_OSCAR); - return; - } - } + for(j=0; j<version_len; j += 2) { + u_int16_t tls_version = ntohs(*((u_int16_t*)&packet->payload[offset+5+j])); - if(packet->payload[a] == 'm' || packet->payload[a] == 's') { - if((a + 21) < packet->payload_packet_len && - (memcmp(&packet->payload[a], "my.screenname.aol.com", 21) == 0 - || memcmp(&packet->payload[a], "sns-static.aolcdn.com", 21) == 0)) { - NDPI_LOG_DBG(ndpi_struct, "found OSCAR SERVER SSL DETECTED\n"); - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_OSCAR); - return; - } - } - } + printf("Client SSL [TLS version: 0x%04X]\n", tls_version); + } +#endif + } + } - no_check_for_tls_payload: - if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { - NDPI_LOG_DBG(ndpi_struct, "found ssl connection\n"); - tlsDetectProtocolFromCertificate(ndpi_struct, flow, skip_cert_processing); + extension_offset += extension_len; #ifdef DEBUG_TLS - printf("[TLS] %s() [tls_seen_client_cert: %u][tls_seen_server_cert: %u]\n", __FUNCTION__, - flow->l4.tcp.tls_seen_client_cert, flow->l4.tcp.tls_seen_server_cert); + printf("Client SSL [extension_offset/len: %u/%u]\n", extension_offset, extension_len); #endif + } /* while */ - if(!packet->tls_certificate_detected - && (!(flow->l4.tcp.tls_seen_client_cert && flow->l4.tcp.tls_seen_server_cert))) { - /* SSL without certificate (Skype, Ultrasurf?) */ - NDPI_LOG_INFO(ndpi_struct, "found ssl NO_CERT\n"); - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS); - } else if((packet->tls_certificate_num_checks >= 3) - && flow->l4.tcp.tls_srv_cert_fingerprint_processed) { - NDPI_LOG_INFO(ndpi_struct, "found ssl\n"); - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS); - } - } -} + if(!invalid_ja3) { + int rc; -/* **************************************** */ + compute_ja3c: + ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version); -static u_int8_t ndpi_search_tlsv3_direction1(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + for(i=0; i<ja3.num_cipher; i++) { + rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", + (i > 0) ? "-" : "", ja3.cipher[i]); + if(rc > 0) ja3_str_len += rc; else break; + } - if((packet->payload_packet_len >= 5) - && ((packet->payload[0] == 0x16) || packet->payload[0] == 0x17) - && (packet->payload[1] == 0x03) - && ((packet->payload[2] == 0x00) || (packet->payload[2] == 0x01) || - (packet->payload[2] == 0x02) || (packet->payload[2] == 0x03))) { - u_int32_t temp; - NDPI_LOG_DBG2(ndpi_struct, "search sslv3\n"); - // SSLv3 Record - if(packet->payload_packet_len >= 1300) { - return 1; - } - temp = ntohs(get_u_int16_t(packet->payload, 3)) + 5; - NDPI_LOG_DBG2(ndpi_struct, "temp = %u\n", temp); - if(packet->payload_packet_len == temp - || (temp < packet->payload_packet_len && packet->payload_packet_len > 500)) { - return 1; - } + rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); + if(rc > 0) ja3_str_len += rc; - if(packet->payload_packet_len < temp && temp < 5000 && packet->payload_packet_len > 9) { - /* the server hello may be split into small packets */ - u_int32_t cert_start; + /* ********** */ - NDPI_LOG_DBG2(ndpi_struct, - "maybe SSLv3 server hello split into smaller packets\n"); + for(i=0; i<ja3.num_tls_extension; i++) { + rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", + (i > 0) ? "-" : "", ja3.tls_extension[i]); + if(rc > 0) ja3_str_len += rc; else break; + } - /* lets hope at least the server hello and the start of the certificate block are in the first packet */ - cert_start = ntohs(get_u_int16_t(packet->payload, 7)) + 5 + 4; - NDPI_LOG_DBG2(ndpi_struct, "suspected start of certificate: %u\n", - cert_start); + rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); + if(rc > 0) ja3_str_len += rc; - if(cert_start < packet->payload_packet_len && packet->payload[cert_start] == 0x0b) { - NDPI_LOG_DBG2(ndpi_struct, - "found 0x0b at suspected start of certificate block\n"); - return 2; - } - } + /* ********** */ - if((packet->payload_packet_len > temp) && (packet->payload_packet_len > 100)) { - /* the server hello may be split into small packets and the certificate has its own SSL Record - * so temp contains only the length for the first ServerHello block */ - u_int32_t cert_start; + for(i=0; i<ja3.num_elliptic_curve; i++) { + rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", + (i > 0) ? "-" : "", ja3.elliptic_curve[i]); + if(rc > 0) ja3_str_len += rc; else break; + } - NDPI_LOG_DBG2(ndpi_struct, - "maybe SSLv3 server hello split into smaller packets but with seperate record for the certificate\n"); + rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ","); + if(rc > 0) ja3_str_len += rc; - /* lets hope at least the server hello record and the start of the certificate record are in the first packet */ - cert_start = ntohs(get_u_int16_t(packet->payload, 7)) + 5 + 5 + 4; - NDPI_LOG_DBG2(ndpi_struct, "suspected start of certificate: %u\n", - cert_start); + for(i=0; i<ja3.num_elliptic_curve_point_format; i++) { + rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", + (i > 0) ? "-" : "", ja3.elliptic_curve_point_format[i]); + if(rc > 0) ja3_str_len += rc; else break; + } - if(cert_start < packet->payload_packet_len && packet->payload[cert_start] == 0x0b) { - NDPI_LOG_DBG2(ndpi_struct, - "found 0x0b at suspected start of certificate block\n"); - return 2; - } - } +#ifdef DEBUG_TLS + printf("[JA3] Client: %s \n", ja3_str); +#endif + ndpi_MD5Init(&ctx); + ndpi_MD5Update(&ctx, (const unsigned char *)ja3_str, strlen(ja3_str)); + ndpi_MD5Final(md5_hash, &ctx); - if(packet->payload_packet_len >= temp + 5 && (packet->payload[temp] == 0x14 || packet->payload[temp] == 0x16) - && packet->payload[temp + 1] == 0x03) { - u_int32_t temp2 = ntohs(get_u_int16_t(packet->payload, temp + 3)) + 5; - if(temp + temp2 > NDPI_MAX_TLS_REQUEST_SIZE) { - return 1; - } - temp += temp2; - NDPI_LOG_DBG2(ndpi_struct, "temp = %u\n", temp); - if(packet->payload_packet_len == temp) { - return 1; - } - if(packet->payload_packet_len >= temp + 5 && - packet->payload[temp] == 0x16 && packet->payload[temp + 1] == 0x03) { - temp2 = ntohs(get_u_int16_t(packet->payload, temp + 3)) + 5; - if(temp + temp2 > NDPI_MAX_TLS_REQUEST_SIZE) { - return 1; - } - temp += temp2; - NDPI_LOG_DBG2(ndpi_struct, "temp = %u\n", temp); - if(packet->payload_packet_len == temp) { - return 1; - } - if(packet->payload_packet_len >= temp + 5 && - packet->payload[temp] == 0x16 && packet->payload[temp + 1] == 0x03) { - temp2 = ntohs(get_u_int16_t(packet->payload, temp + 3)) + 5; - if(temp + temp2 > NDPI_MAX_TLS_REQUEST_SIZE) { - return 1; - } - temp += temp2; - NDPI_LOG_DBG2(ndpi_struct, "temp = %u\n", temp); - if(temp == packet->payload_packet_len) { - return 1; + for(i=0, j=0; i<16; i++) { + rc = snprintf(&flow->protos.stun_ssl.ssl.ja3_client[j], + sizeof(flow->protos.stun_ssl.ssl.ja3_client)-j, "%02x", + md5_hash[i]); + if(rc > 0) j += rc; else break; + } +#ifdef DEBUG_TLS + printf("[JA3] Client: %s \n", flow->protos.stun_ssl.ssl.ja3_client); +#endif + } + + return(2 /* Client Certificate */); + } else { +#ifdef DEBUG_TLS + printf("[TLS] Client: too short [%u vs %u]\n", + (extensions_len+offset), total_len); +#endif } + } else if(offset == total_len) { + /* SSL does not have extensions etc */ + goto compute_ja3c; } + } else { +#ifdef DEBUG_TLS + printf("[JA3] Client: invalid length detected\n"); +#endif } } } - - return 0; + + return(0); /* Not found */ } /* **************************************** */ -void ndpi_search_tls_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { +static void ndpi_search_tls_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - u_int8_t ret, skip_cert_processing = 0; #ifdef DEBUG_TLS - printf("==>> %u [len: %u][version: %u]\n", + printf("==>> %s() %u [len: %u][version: %u]\n", + __FUNCTION__, flow->guessed_host_protocol_id, packet->payload_packet_len, flow->protos.stun_ssl.ssl.ssl_version); #endif - - if(packet->udp != NULL) { - /* DTLS dissector */ - int rc = sslTryAndRetrieveServerCertificate(ndpi_struct, flow); - - if((rc == 0) && (flow->protos.stun_ssl.ssl.ssl_version != 0)) { - flow->guessed_protocol_id = NDPI_PROTOCOL_TLS; - - if(flow->protos.stun_ssl.stun.num_udp_pkts > 0) { - if(ndpi_struct->stun_cache == NULL) - ndpi_struct->stun_cache = ndpi_lru_cache_init(1024); - - if(ndpi_struct->stun_cache) { -#ifdef DEBUG_TLS - printf("[LRU] Adding Signal cached keys\n"); -#endif - - ndpi_lru_add_to_cache(ndpi_struct->stun_cache, get_stun_lru_key(flow, 0), NDPI_PROTOCOL_SIGNAL); - ndpi_lru_add_to_cache(ndpi_struct->stun_cache, get_stun_lru_key(flow, 1), NDPI_PROTOCOL_SIGNAL); - } - - /* In Signal protocol STUN turns into DTLS... */ - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SIGNAL); - } else if(flow->protos.stun_ssl.ssl.ja3_server[0] != '\0') { - /* Wait the server certificate the bless this flow as TLS */ - ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS); - } - } - return; - } - - if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS) { - if(flow->l4.tcp.tls_stage == 3 && packet->payload_packet_len > 20 && flow->packet_counter < 5) { - /* this should only happen, when we detected SSL with a packet that had parts of the certificate in subsequent packets - * so go on checking for certificate patterns for a couple more packets - */ - NDPI_LOG_DBG2(ndpi_struct, - "ssl flow but check another packet for patterns\n"); - tls_mark_and_payload_search(ndpi_struct, flow, skip_cert_processing); - - if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS) { - /* still ssl so check another packet */ - return; - } else { - /* protocol has changed so we are done */ - return; - } - } - - return; - } - - NDPI_LOG_DBG(ndpi_struct, "search ssl\n"); - - /* Check if this is whatsapp first (this proto runs over port 443) */ - if((packet->payload_packet_len > 5) - && ((packet->payload[0] == 'W') - && (packet->payload[1] == 'A') - && (packet->payload[4] == 0) - && (packet->payload[2] <= 9) - && (packet->payload[3] <= 9))) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN); - return; - } else if((packet->payload_packet_len == 4) - && (packet->payload[0] == 'W') - && (packet->payload[1] == 'A')) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN); - return; - } else { - /* No whatsapp, let's try SSL */ - if(tlsDetectProtocolFromCertificate(ndpi_struct, flow, skip_cert_processing) > 0) - return; - else - skip_cert_processing = 1; - } - - if(packet->payload_packet_len > 40 && flow->l4.tcp.tls_stage == 0) { - NDPI_LOG_DBG2(ndpi_struct, "first ssl packet\n"); - // SSLv2 Record - if(packet->payload[2] == 0x01 && packet->payload[3] == 0x03 - && (packet->payload[4] == 0x00 || packet->payload[4] == 0x01 || packet->payload[4] == 0x02) - && (packet->payload_packet_len - packet->payload[1] == 2)) { - NDPI_LOG_DBG2(ndpi_struct, "sslv2 len match\n"); - flow->l4.tcp.tls_stage = 1 + packet->packet_direction; - return; - } - - if(packet->payload[0] == 0x16 && packet->payload[1] == 0x03 - && (packet->payload[2] == 0x00 || packet->payload[2] == 0x01 || packet->payload[2] == 0x02) - && (packet->payload_packet_len - ntohs(get_u_int16_t(packet->payload, 3)) == 5)) { - // SSLv3 Record - NDPI_LOG_DBG2(ndpi_struct, "sslv3 len match\n"); - flow->l4.tcp.tls_stage = 1 + packet->packet_direction; - return; - } - - // Application Data pkt - if(packet->payload[0] == 0x17 && packet->payload[1] == 0x03 - && (packet->payload[2] == 0x00 || packet->payload[2] == 0x01 || - packet->payload[2] == 0x02 || packet->payload[2] == 0x03)) { - if(packet->payload_packet_len - ntohs(get_u_int16_t(packet->payload, 3)) == 5) { - NDPI_LOG_DBG2(ndpi_struct, "TLS len match\n"); - flow->l4.tcp.tls_stage = 1 + packet->packet_direction; - return; - } - } - } - - if(packet->payload_packet_len > 40 && - flow->l4.tcp.tls_stage == 1 + packet->packet_direction - && flow->packet_direction_counter[packet->packet_direction] < 5) { - return; - } - - if(packet->payload_packet_len > 40 && flow->l4.tcp.tls_stage == 2 - packet->packet_direction) { - NDPI_LOG_DBG2(ndpi_struct, "second ssl packet\n"); - // SSLv2 Record - if(packet->payload[2] == 0x01 && packet->payload[3] == 0x03 - && (packet->payload[4] == 0x00 || packet->payload[4] == 0x01 || packet->payload[4] == 0x02) - && (packet->payload_packet_len - 2) >= packet->payload[1]) { - NDPI_LOG_DBG2(ndpi_struct, "sslv2 server len match\n"); - tls_mark_and_payload_search(ndpi_struct, flow, skip_cert_processing); - return; - } - - ret = ndpi_search_tlsv3_direction1(ndpi_struct, flow); - if(ret == 1) { - NDPI_LOG_DBG2(ndpi_struct, "sslv3 server len match\n"); - tls_mark_and_payload_search(ndpi_struct, flow, skip_cert_processing); - return; - } else if(ret == 2) { - NDPI_LOG_DBG2(ndpi_struct, - "sslv3 server len match with split packet -> check some more packets for SSL patterns\n"); - tls_mark_and_payload_search(ndpi_struct, flow, skip_cert_processing); - - if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS) - flow->l4.tcp.tls_stage = 3; - return; - } - - if(packet->payload_packet_len > 40 && flow->packet_direction_counter[packet->packet_direction] < 5) { - NDPI_LOG_DBG2(ndpi_struct, "need next packet\n"); - return; - } - } - - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - - return; + if(packet->udp != NULL) + ndpi_search_tls_udp(ndpi_struct, flow); + else + ndpi_search_tls_tcp(ndpi_struct, flow); } /* **************************************** */ |