From 5918a6542d4640e702516fe92d7d23d5a969c73c Mon Sep 17 00:00:00 2001
From: Toni <matzeton@googlemail.com>
Date: Tue, 11 May 2021 21:38:26 +0200
Subject: Improved SSL certificate name wildcard handling and risk. #1182
 (#1183)

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
---
 src/lib/protocols/tls.c                      |  16 ++++++++++++++--
 tests/pcap/ssl-cert-name-mismatch.pcap       | Bin 0 -> 5772 bytes
 tests/result/ssl-cert-name-mismatch.pcap.out |   8 ++++++++
 3 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 tests/pcap/ssl-cert-name-mismatch.pcap
 create mode 100644 tests/result/ssl-cert-name-mismatch.pcap.out

diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 1fdaf5dee..cb8180166 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -497,8 +497,20 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
 		  if(matched_name == 0) {
 		    if(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] == '\0')
 		      matched_name = 1;	/* No SNI */
-		    else if((dNSName[0] == '*') && strstr(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, &dNSName[1]))
-		      matched_name = 1;
+		    else if (dNSName[0] == '*')
+		    {
+		      char * label = strstr(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, &dNSName[1]);
+
+		      if (label != NULL)
+		      {
+		        char * first_dot = strchr(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, '.');
+
+		        if (first_dot == NULL || first_dot >= label)
+		        {
+		          matched_name = 1;
+		        }
+		      }
+		    }
 		    else if(strcmp(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, dNSName) == 0)
 		      matched_name = 1;
 		  }
diff --git a/tests/pcap/ssl-cert-name-mismatch.pcap b/tests/pcap/ssl-cert-name-mismatch.pcap
new file mode 100644
index 000000000..9fa488c0a
Binary files /dev/null and b/tests/pcap/ssl-cert-name-mismatch.pcap differ
diff --git a/tests/result/ssl-cert-name-mismatch.pcap.out b/tests/result/ssl-cert-name-mismatch.pcap.out
new file mode 100644
index 000000000..88fc96aad
--- /dev/null
+++ b/tests/result/ssl-cert-name-mismatch.pcap.out
@@ -0,0 +1,8 @@
+Google	21	5412	1
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 192.168.2.222            	 1      
+
+
+	1	TCP 192.168.2.222:54772 <-> 104.154.89.105:443 [proto: 91.126/TLS.Google][cat: Web/5][11 pkts/1136 bytes <-> 10 pkts/4276 bytes][Goodput ratio: 35/84][0.72 sec][ALPN: http/1.1][bytes ratio: -0.580 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 79/48 167/160 64/68][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103/428 311/1474 70/548][Risk: ** TLS Certificate Mismatch **][TLSv1.2][Client: wrong.host.badssl.com][JA3C: 4e69e4e5627c5e4c2846ba3e64d23fb9][ServerNames: *.badssl.com,badssl.com][JA3S: b898351eb5e266aefd3723d466935494][Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA][Subject: C=US, ST=California, L=Walnut Creek, O=Lucas Garron Torres, CN=*.badssl.com][Certificate SHA-1: 18:45:B2:16:EF:D0:83:9A:18:51:A9:57:32:5D:A3:36:21:70:49:CB][Validity: 2020-03-23 00:00:00 - 2022-05-17 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 12,12,12,0,0,0,0,12,12,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0]
-- 
cgit v1.2.3