From d72a760ac3895dd8a0bd3e55d4b51f9e22e04e6c Mon Sep 17 00:00:00 2001
From: Nardi Ivan <nardi.ivan@gmail.com>
Date: Tue, 9 Jan 2024 08:41:44 +0100
Subject: New API for library configuration

This is the first step into providing (more) configuration options in nDPI.

The idea is to have a simple way to configure (most of) nDPI: only one
function (`ndpi_set_config()`) to set any configuration parameters
(in the present or on in the future) and we try to keep this function
prototype as agnostic as possible.

You can configure the library:
* via API, using `ndpi_set_config()`
* via a configuration file, in a text format

This way, anytime we need to add a new configuration parameter:
* we don't need to add two public functions (a getter and a setter)
* we don't break API/ABI compatibility of the library; even changing
the parameter type (from integer to a list of integer, for example)
doesn't break the compatibility.

The complete list of configuration options is provided in
`doc/configuration_parameters.md`.

As a first example, two configuration knobs are provided:
* the ability to enable/disable the extraction of the sha1 fingerprint of
the TLS certificates.
* the upper limit on the number of packets per flow that will be subject
to inspection
---
 src/lib/protocols/tls.c | 60 +++++++++++++++++++++++++------------------------
 1 file changed, 31 insertions(+), 29 deletions(-)

(limited to 'src/lib/protocols/tls.c')

diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 485357e06..943b817a4 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -772,7 +772,6 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
   u_int32_t certificates_length, length = (packet->payload[1] << 16) + (packet->payload[2] << 8) + packet->payload[3];
   u_int32_t certificates_offset = 7 + (is_dtls ? 8 : 0);
   u_int8_t num_certificates_found = 0;
-  SHA1_CTX srv_cert_fingerprint_ctx ;
 
 #ifdef DEBUG_TLS
   printf("[TLS] %s() [payload_packet_len=%u][direction: %u][%02X %02X %02X %02X %02X %02X...]\n",
@@ -824,9 +823,6 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
 #endif
 
     if(num_certificates_found++ == 0) /* Dissect only the first certificate that is the one we care */ {
-      /* For SHA-1 we take into account only the first certificate and not all of them */
-
-      SHA1Init(&srv_cert_fingerprint_ctx);
 
 #ifdef DEBUG_CERTIFICATE_HASH
       {
@@ -839,36 +835,42 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
       }
 #endif
 
-      SHA1Update(&srv_cert_fingerprint_ctx,
-		 &packet->payload[certificates_offset],
-		 certificate_len);
-
-      SHA1Final(flow->protos.tls_quic.sha1_certificate_fingerprint, &srv_cert_fingerprint_ctx);
-
-      flow->protos.tls_quic.fingerprint_set = 1;
-
-      uint8_t * sha1 = flow->protos.tls_quic.sha1_certificate_fingerprint;
-      const size_t sha1_siz = sizeof(flow->protos.tls_quic.sha1_certificate_fingerprint);
-      char sha1_str[20 /* sha1_siz */ * 2 + 1];
-      static const char hexalnum[] = "0123456789ABCDEF";
-      size_t i;
-      for (i = 0; i < sha1_siz; ++i) {
-        u_int8_t lower = (sha1[i] & 0x0F);
-        u_int8_t upper = (sha1[i] & 0xF0) >> 4;
-        sha1_str[i*2] = hexalnum[upper];
-        sha1_str[i*2 + 1] = hexalnum[lower];
-      }
-      sha1_str[sha1_siz * 2] = '\0';
+      /* For SHA-1 we take into account only the first certificate and not all of them */
+      if(ndpi_struct->cfg.tls_sha1_fingerprint_enabled) {
+        SHA1_CTX srv_cert_fingerprint_ctx ;
+
+	SHA1Init(&srv_cert_fingerprint_ctx);
+	SHA1Update(&srv_cert_fingerprint_ctx,
+                   &packet->payload[certificates_offset],
+                   certificate_len);
+
+        SHA1Final(flow->protos.tls_quic.sha1_certificate_fingerprint, &srv_cert_fingerprint_ctx);
+
+        flow->protos.tls_quic.fingerprint_set = 1;
+
+        uint8_t * sha1 = flow->protos.tls_quic.sha1_certificate_fingerprint;
+        const size_t sha1_siz = sizeof(flow->protos.tls_quic.sha1_certificate_fingerprint);
+        char sha1_str[20 /* sha1_siz */ * 2 + 1];
+        static const char hexalnum[] = "0123456789ABCDEF";
+        size_t i;
+        for (i = 0; i < sha1_siz; ++i) {
+          u_int8_t lower = (sha1[i] & 0x0F);
+          u_int8_t upper = (sha1[i] & 0xF0) >> 4;
+          sha1_str[i*2] = hexalnum[upper];
+          sha1_str[i*2 + 1] = hexalnum[lower];
+        }
+        sha1_str[sha1_siz * 2] = '\0';
 
 #ifdef DEBUG_TLS
-      printf("[TLS] SHA-1: %s\n", sha1_str);
+        printf("[TLS] SHA-1: %s\n", sha1_str);
 #endif
 
-      if(ndpi_struct->malicious_sha1_hashmap != NULL) {
-        u_int16_t rc1 = ndpi_hash_find_entry(ndpi_struct->malicious_sha1_hashmap, sha1_str, sha1_siz * 2, NULL);
+        if(ndpi_struct->malicious_sha1_hashmap != NULL) {
+          u_int16_t rc1 = ndpi_hash_find_entry(ndpi_struct->malicious_sha1_hashmap, sha1_str, sha1_siz * 2, NULL);
 
-        if(rc1 == 0)
-          ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_SHA1_CERTIFICATE, sha1_str);
+          if(rc1 == 0)
+            ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_SHA1_CERTIFICATE, sha1_str);
+        }
       }
 
       processCertificateElements(ndpi_struct, flow, certificates_offset, certificate_len);
-- 
cgit v1.2.3