From daae1cc9b1ae6b7c6b4187003fabb2a6ffab44f0 Mon Sep 17 00:00:00 2001
From: Luca
Date: Wed, 1 Jan 2020 12:59:19 +0100
Subject: Reworked TLS dissection

---
 example/reader_util.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'example/reader_util.h')

diff --git a/example/reader_util.h b/example/reader_util.h
index c420ca211..d4f638d0b 100644
--- a/example/reader_util.h
+++ b/example/reader_util.h
@@ -94,7 +94,7 @@ typedef struct ndpi_ja3_info {
 
 // external hash table (host ip -> )
 // used to aggregate ja3 fingerprints by hosts
-typedef struct ndpi_host_ja3_fingerprints{
+typedef struct ndpi_host_ja3_fingerprints {
   u_int32_t ip;
   char *ip_string;
   char *dns_name;
@@ -196,7 +196,7 @@ typedef struct ndpi_flow_info {
   struct {
     u_int16_t ssl_version;
     char client_info[64], server_info[64],
-      client_hassh[33], server_hassh[33],
+      client_hassh[33], server_hassh[33], *server_names,
       server_organization[64],
       ja3_client[33], ja3_server[33],
       sha1_cert_fingerprint[20];
-- 
cgit v1.2.3


From 8b01056b21905d4ad466aa74f7673ed06f66a64b Mon Sep 17 00:00:00 2001
From: Luca
Date: Thu, 2 Jan 2020 07:37:03 +0100
Subject: Renamed TLS requested server name

---
 example/reader_util.c       | 8 +++++---
 example/reader_util.h       | 2 +-
 src/include/ndpi_typedefs.h | 2 +-
 src/lib/ndpi_main.c         | 8 ++++----
 src/lib/ndpi_utils.c        | 3 ++-
 src/lib/protocols/tls.c     | 5 +++--
 6 files changed, 16 insertions(+), 12 deletions(-)

(limited to 'example/reader_util.h')

diff --git a/example/reader_util.c b/example/reader_util.c
index 57286cb0f..79104ea91 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
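Review bot: The new `*server_names` in the @@ -196 hunk is a heap pointer slipped into a declarator list of fixed-size arrays, and nothing on the declaration says who allocates or frees it; sitting between `server_hassh[33]` and `sha1_cert_fingerprint[20]` it is easily mistaken for another inline buffer. Give it its own line with an ownership comment, e.g. `char *server_names; /* heap string owned by this struct; released with the flow */`. The matching release is not visible in this diff, so confirm it exists wherever `ndpi_flow_info` is torn down.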
@@ -1017,7 +1017,8 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
       snprintf(flow->telnet.username, sizeof(flow->telnet.username), "%s", flow->ndpi_flow->protos.telnet.username);
       snprintf(flow->telnet.password, sizeof(flow->telnet.password), "%s", flow->ndpi_flow->protos.telnet.password);
     } else if(is_ndpi_proto(flow, NDPI_PROTOCOL_SSH)) {
-      snprintf(flow->ssh_tls.client_info, sizeof(flow->ssh_tls.client_info), "%s",
+      snprintf(flow->ssh_tls.client_requested_server_name,
+               sizeof(flow->ssh_tls.client_requested_server_name), "%s",
                flow->ndpi_flow->protos.ssh.client_signature);
       snprintf(flow->ssh_tls.server_info, sizeof(flow->ssh_tls.server_info), "%s",
                flow->ndpi_flow->protos.ssh.server_signature);
@@ -1032,8 +1033,9 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
          || (flow->ndpi_flow->protos.stun_ssl.ssl.ja3_client[0] != '\0')
          ) {
       flow->ssh_tls.ssl_version = flow->ndpi_flow->protos.stun_ssl.ssl.ssl_version;
-      snprintf(flow->ssh_tls.client_info, sizeof(flow->ssh_tls.client_info), "%s",
-               flow->ndpi_flow->protos.stun_ssl.ssl.client_certificate);
+      snprintf(flow->ssh_tls.client_requested_server_name,
+               sizeof(flow->ssh_tls.client_requested_server_name), "%s",
+               flow->ndpi_flow->protos.stun_ssl.ssl.client_requested_server_name);
 
       if(flow->ndpi_flow->protos.stun_ssl.ssl.server_names_len > 0)
         flow->ssh_tls.server_names = ndpi_strdup(flow->ndpi_flow->protos.stun_ssl.ssl.server_names);
diff --git a/example/reader_util.h b/example/reader_util.h
index d4f638d0b..6fd1880e5 100644
--- a/example/reader_util.h
+++ b/example/reader_util.h
@@ -195,7 +195,7 @@ typedef struct ndpi_flow_info {
 
   struct {
     u_int16_t ssl_version;
-    char client_info[64], server_info[64],
+    char client_requested_server_name[64], server_info[64],
       client_hassh[33], server_hassh[33], *server_names,
       server_organization[64],
       ja3_client[33], ja3_server[33],
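Review bot: In the SSH branch of the @@ -1017 hunk the rewritten `snprintf` stores `protos.ssh.client_signature` into a field now named `client_requested_server_name`, so the name carries TLS SNI semantics while holding an SSH client banner, and anyone reading `ssh_tls.client_requested_server_name` for an SSH flow is misled. If the field must stay shared between the two protocols, a comment at this call such as `/* SSH: this slot holds the client signature, not a server name */` keeps the meaning visible; a separate SSH field would be cleaner. process_ndpi_collected_info continues outside this hunk.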
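Review bot: In the @@ -1032 hunk the context line `flow->ssh_tls.server_names = ndpi_strdup(...)` just below the added `snprintf` assigns the pointer unconditionally, so if process_ndpi_collected_info can run more than once for the same flow the earlier allocation leaks; whether it is called repeatedly is not visible here. Guarding it with `if(flow->ssh_tls.server_names == NULL)` before the `ndpi_strdup`, or freeing the previous value first, makes the assignment safe either way. The function continues outside this hunk.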
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index ba00185ea..bbfc76d18 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1220,7 +1220,7 @@ struct ndpi_flow_struct {
   struct {
     struct {
       u_int16_t ssl_version, server_names_len;
-      char client_certificate[64], *server_names, server_organization[64];
+      char client_requested_server_name[64], *server_names, server_organization[64];
       u_int32_t notBefore, notAfter;
       char ja3_client[33], ja3_server[33];
       u_int16_t server_cipher;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index c5269171c..fc9eaf9ef 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -4219,7 +4219,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
        || (flow->guessed_protocol_id == NDPI_PROTOCOL_WHATSAPP_CALL))
       ndpi_set_detected_protocol(ndpi_str, flow, flow->guessed_protocol_id, NDPI_PROTOCOL_UNKNOWN);
     else if((flow->l4.tcp.tls.hello_processed == 1)
-            && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) {
+            && (flow->protos.stun_ssl.ssl.client_requested_server_name[0] != '\0')) {
       ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN);
     } else {
       if((flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN)
@@ -4620,11 +4620,11 @@ void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_str,
     }
   }
 
-  if(flow->protos.stun_ssl.ssl.client_certificate[0] != '\0') {
+  if(flow->protos.stun_ssl.ssl.client_requested_server_name[0] != '\0') {
     unsigned long id;
     int rc = ndpi_match_custom_category(ndpi_str,
-                                        (char *)flow->protos.stun_ssl.ssl.client_certificate,
-                                        strlen(flow->protos.stun_ssl.ssl.client_certificate),
+                                        (char *)flow->protos.stun_ssl.ssl.client_requested_server_name,
+                                        strlen(flow->protos.stun_ssl.ssl.client_requested_server_name),
                                         &id);
 
     if(rc == 0) {
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 6979d099c..2e7fe4966 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1043,7 +1043,8 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct,
     if(!unknown_tls_version) {
       ndpi_serialize_start_of_block(serializer, "tls");
       ndpi_serialize_string_string(serializer, "version", version);
-      ndpi_serialize_string_string(serializer, "client_cert", flow->protos.stun_ssl.ssl.client_certificate);
+      ndpi_serialize_string_string(serializer, "client_requested_server_name",
+                                   flow->protos.stun_ssl.ssl.client_requested_server_name);
       if(flow->protos.stun_ssl.ssl.server_names)
         ndpi_serialize_string_string(serializer, "server_names", flow->protos.stun_ssl.ssl.server_names);
       ndpi_serialize_string_string(serializer, "issuer", flow->protos.stun_ssl.ssl.server_organization);
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 1130eb7fe..a73cc2976 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -987,8 +987,9 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 
             cleanupServerName(buffer, sizeof(buffer));
 
-            snprintf(flow->protos.stun_ssl.ssl.client_certificate,
-                     sizeof(flow->protos.stun_ssl.ssl.client_certificate), "%s", buffer);
+            snprintf(flow->protos.stun_ssl.ssl.client_requested_server_name,
+                     sizeof(flow->protos.stun_ssl.ssl.client_requested_server_name),
+                     "%s", buffer);
             if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, buffer, strlen(buffer)))
               flow->l4.tcp.tls.subprotocol_detected = 1;
 
-- 
cgit v1.2.3


From 798bb6e2e113f10d9b710179553e4cef23222a61 Mon Sep 17 00:00:00 2001
From: emanuele-f
Date: Thu, 2 Jan 2020 14:39:51 +0100
Subject: Fix leaks and sha1 certificate detection

---
 example/ndpiReader.c    | 6 +-----
 example/reader_util.c   | 6 +++++-
 example/reader_util.h   | 1 +
 src/lib/ndpi_main.c     | 15 +++++++++------
 src/lib/protocols/tls.c | 4 ++--
 5 files changed, 18 insertions(+), 14 deletions(-)

(limited to 'example/reader_util.h')

diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index c88df245a..15e4d1016 100644
--- a/example/ndpiReader.c
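Review bot: Renaming the serialized key from `client_cert` to `client_requested_server_name` in the ndpi_utils.c hunk changes the JSON that ndpi_flow2json emits, so any consumer keyed on `client_cert` silently stops receiving the value; the commit message describes the field rename but not this output-format change. If external consumers exist, record the key change in the changelog or emit both keys for a transition period, e.g. keep `ndpi_serialize_string_string(serializer, "client_cert", flow->protos.stun_ssl.ssl.client_requested_server_name);` next to the new call. ndpi_flow2json continues outside this hunk.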
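Review bot: In the tls.c @@ -987 hunk the rewritten `snprintf` into the 64-byte `client_requested_server_name` silently truncates any SNI longer than 63 bytes and its return value is discarded, while `ndpi_match_hostname_protocol` on the next line runs on the full `buffer`; later readers of the stored field (the custom-category match in ndpi_main.c in this same commit uses it with `strlen`) therefore see a different string than the hostname matcher did. Checking the result, e.g. `if(snprintf(...) >= (int)sizeof(flow->protos.stun_ssl.ssl.client_requested_server_name)) { /* truncated SNI: flag it */ }`, makes the truncation explicit instead of invisible. processClientServerHello continues outside this hunk.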
+++ b/example/ndpiReader.c
@@ -1224,11 +1224,7 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa
 
     if((flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS)
        || (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_TLS)) {
-      if((flow->ssh_tls.sha1_cert_fingerprint[0] == 0)
-         && (flow->ssh_tls.sha1_cert_fingerprint[1] == 0)
-         && (flow->ssh_tls.sha1_cert_fingerprint[2] == 0))
-        ; /* Looks empty */
-      else {
+      if(flow->ssh_tls.sha1_cert_fingerprint_set) {
         fprintf(out, "[Certificate SHA-1: ");
         for(i=0; i<20; i++)
           fprintf(out, "%s%02X", (i > 0) ? ":" : "",
diff --git a/example/reader_util.c b/example/reader_util.c
index 79104ea91..b8fce9632 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -1049,8 +1049,12 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
                flow->ndpi_flow->protos.stun_ssl.ssl.ja3_server);
       flow->ssh_tls.server_unsafe_cipher = flow->ndpi_flow->protos.stun_ssl.ssl.server_unsafe_cipher;
       flow->ssh_tls.server_cipher = flow->ndpi_flow->protos.stun_ssl.ssl.server_cipher;
-      memcpy(flow->ssh_tls.sha1_cert_fingerprint,
+
+      if(flow->ndpi_flow->l4.tcp.tls.fingerprint_set) {
+        memcpy(flow->ssh_tls.sha1_cert_fingerprint,
              flow->ndpi_flow->l4.tcp.tls.sha1_certificate_fingerprint, 20);
+        flow->ssh_tls.sha1_cert_fingerprint_set = 1;
+      }
     }
 
     if(flow->detection_completed && (!flow->check_extra_packets)) {
diff --git a/example/reader_util.h b/example/reader_util.h
index 6fd1880e5..55c260a54 100644
--- a/example/reader_util.h
+++ b/example/reader_util.h
@@ -200,6 +200,7 @@ typedef struct ndpi_flow_info {
       server_organization[64],
       ja3_client[33], ja3_server[33],
       sha1_cert_fingerprint[20];
+    u_int8_t sha1_cert_fingerprint_set;
     time_t notBefore, notAfter;
     u_int16_t server_cipher;
     ndpi_cipher_weakness client_unsafe_cipher, server_unsafe_cipher;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 7ad648ee6..9296d10a2 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
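Review bot: The context loop `for(i=0; i<20; i++)` in the ndpiReader.c hunk hard-codes the SHA-1 length instead of deriving it from the array, and the same literal `20` is passed to `memcpy` in the reader_util.c @@ -1049 hunk of this commit; if `sha1_cert_fingerprint[20]` ever changes, both sites drift silently. Use `sizeof(flow->ssh_tls.sha1_cert_fingerprint)` at both sites, or one shared named constant. Replacing the three-zero-bytes heuristic with the explicit `sha1_cert_fingerprint_set` flag is the right fix; printFlow continues outside this hunk.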
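Review bot: The added `u_int8_t sha1_cert_fingerprint_set;` in the reader_util.h hunk carries no comment, and because the field directly above it is a raw 20-byte array, a reader has to find the `memcpy` in reader_util.c to learn that the array is only meaningful when this flag is 1. A trailing comment such as `/* 1 once sha1_cert_fingerprint has been copied from the TLS dissector */` documents the pairing at the declaration.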
@@ -3835,12 +3835,10 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str
   u_int8_t backup;
   u_int16_t backup1, backup2;
 
-  if(flow->http.url) ndpi_free(flow->http.url);
-  if(flow->http.content_type) ndpi_free(flow->http.content_type);
-  if(flow->http.user_agent) ndpi_free(flow->http.user_agent);
-
-  if(flow->l4.tcp.tls.message.buffer)
-    ndpi_free(flow->l4.tcp.tls.message.buffer);
+  if(flow->http.url) ndpi_free(flow->http.url), flow->http.url = NULL;
+  if(flow->http.content_type) ndpi_free(flow->http.content_type), flow->http.content_type = NULL;
+  if(flow->http.user_agent) ndpi_free(flow->http.user_agent), flow->http.user_agent = NULL;
+  if(flow->l4.tcp.tls.message.buffer) ndpi_free(flow->l4.tcp.tls.message.buffer), flow->l4.tcp.tls.message.buffer = NULL;
 
   backup = flow->num_processed_pkts;
   backup1 = flow->guessed_protocol_id;
@@ -6426,6 +6424,11 @@ void ndpi_free_flow(struct ndpi_flow_struct *flow) {
       ndpi_free(flow->l4.tcp.tls.srv_cert_fingerprint_ctx);
     }
 
+    if(flow->l4_proto == IPPROTO_TCP) {
+      if(flow->l4.tcp.tls.message.buffer)
+        ndpi_free(flow->l4.tcp.tls.message.buffer);
+    }
+
     ndpi_free(flow);
   }
 }
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 88bfa7590..655de7e2f 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -394,7 +394,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
           flow->protos.stun_ssl.ssl.server_names = newstr;
           flow->protos.stun_ssl.ssl.server_names[flow->protos.stun_ssl.ssl.server_names_len] = ',';
           strncpy(&flow->protos.stun_ssl.ssl.server_names[flow->protos.stun_ssl.ssl.server_names_len+1],
-                  dNSName, dNSName_len-1);
+                  dNSName, dNSName_len+1);
           flow->protos.stun_ssl.ssl.server_names[newstr_len] = '\0';
           flow->protos.stun_ssl.ssl.server_names_len = newstr_len;
         }
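Review bot: The rewritten line `if(flow->l4.tcp.tls.message.buffer) ndpi_free(flow->l4.tcp.tls.message.buffer), flow->l4.tcp.tls.message.buffer = NULL;` in the @@ -3835 hunk reads TCP-only TLS state with no check of `flow->l4_proto`, whereas the @@ -6424 hunk in this same file guards the identical free with `if(flow->l4_proto == IPPROTO_TCP)`; if `l4` is a union of per-protocol state as the `l4.tcp` path suggests (its declaration is not in this diff), the unguarded read on a non-TCP flow interprets other fields as a pointer and frees it. Wrap the TLS buffer free in the same `if(flow->l4_proto == IPPROTO_TCP)` check so the two sites agree. Separately, the free-then-null pairs are written as comma expressions on unbraced `if` statements, which is easy to misread and misedit; `if(p) { ndpi_free(p); p = NULL; }` says the same thing plainly. ndpi_init_packet_header continues outside this hunk.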
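Review bot: The changed call `strncpy(&...server_names[...server_names_len+1], dNSName, dNSName_len+1)` in the tls.c @@ -394 hunk copies `dNSName_len+1` bytes, so it relies on `dNSName` being NUL-terminated at exactly `dNSName_len` and on `newstr` holding `newstr_len+1` bytes; neither the origin of `dNSName` nor the allocation of `newstr` is in this hunk, so both need confirming. Since the next line already writes the terminator at `server_names[newstr_len]`, `memcpy(&flow->protos.stun_ssl.ssl.server_names[flow->protos.stun_ssl.ssl.server_names_len+1], dNSName, dNSName_len);` copies exactly the name bytes and drops the dependency on the source terminator. processCertificateElements continues outside this hunk.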
@@ -581,7 +581,7 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
       /* Split the element in blocks */
       u_int16_t processed = 5;
 
-      while(processed < len) {
+      while((processed+4) < len) {
         const u_int8_t *block = (const u_int8_t *)&flow->l4.tcp.tls.message.buffer[processed];
         u_int16_t block_len = (block[1] << 16) + (block[2] << 8) + block[3];
 
-- 
cgit v1.2.3
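Review bot: The tightened condition `while((processed+4) < len)` only guarantees that the 4-byte block header is readable; the 24-bit length `(block[1] << 16) + (block[2] << 8) + block[3]` computed on the next context line is then stored in a `u_int16_t block_len`, so any value of 65536 or more is silently truncated and whatever bounds the loop derives from it (the rest of the body is outside this hunk) no longer describe the buffer. Declare it `u_int32_t block_len = (block[1] << 16) + (block[2] << 8) + block[3];` and make sure the body checks `processed + 4 + block_len <= len` before touching block contents. ndpi_search_tls_tcp continues outside this hunk.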