From e16b6a18be1ccc9877995afdc757a77c452da071 Mon Sep 17 00:00:00 2001
From: havsah <98101641+havsah@users.noreply.github.com>
Date: Fri, 21 Jan 2022 12:40:35 +0100
Subject: Fix Grease values parsing (#1416)

The check for grease was too broad and filtered some valid values. In particular, the value 257 was skipped because it matched the previous check.

This has been discovered while parsing tests/pcap/443-firefox.pcap
expected ja3: 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-51-57-47-53-10,0-23-65281-10-11-35-16-5-51-43-13-45-28-21,29-23-24-25-256-257,0
previously generated ja3: 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-51-57-47-53-10,0-23-65281-10-11-35-16-5-51-43-13-45-28-21,29-23-24-25-256,0

Signed-off-by: Patrick Havelange
---
src/lib/protocols/tls.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index b5a0bb1cb..0f12194f0 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1596,7 +1596,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 u_int16_t cipher_id = ntohs(*id);
 
 if(cipher_offset+i+1 < packet->payload_packet_len &&
-packet->payload[cipher_offset+i] != packet->payload[cipher_offset+i+1] /* Skip Grease */) {
+((packet->payload[cipher_offset+i] != packet->payload[cipher_offset+i+1]) ||
+((packet->payload[cipher_offset+i] & 0xF) != 0xA)) /* Skip Grease */) {
 /* Skip GREASE [https://tools.ietf.org/id/draft-ietf-tls-grease-01.html]
 https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967
@@ -1742,7 +1743,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 break;
 }
 
-if((extension_id == 0) || (packet->payload[extn_off] != packet->payload[extn_off+1])) {
+if((extension_id == 0) || (packet->payload[extn_off] != packet->payload[extn_off+1]) ||
+((packet->payload[extn_off] & 0xF) != 0xA)) {
 /* Skip GREASE */
 
 if(ja3.client.num_tls_extension < MAX_NUM_JA3)
@@ -1823,7 +1825,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 #ifdef DEBUG_TLS
 printf("Client TLS [EllipticCurve: %u/0x%04X]\n", s_group, s_group);
 #endif
-if((s_group == 0) || (packet->payload[s_offset+i] != packet->payload[s_offset+i+1])) {
+if((s_group == 0) || (packet->payload[s_offset+i] != packet->payload[s_offset+i+1])
+|| ((packet->payload[s_offset+i] & 0xF) != 0xA)) {
 /* Skip GREASE */
 if(ja3.client.num_elliptic_curve < MAX_NUM_JA3)
 ja3.client.elliptic_curve[ja3.client.num_elliptic_curve++] = s_group;
-- 
cgit v1.2.3
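Review bot: The GREASE test in the new `if` still decides from the two raw payload bytes at `extn_off` and `extn_off+1` although the hunk already has the decoded `extension_id`, and nothing in the hunk bounds `extn_off+1` against `payload_packet_len` (that check may sit earlier in processClientServerHello, whose body starts and ends outside this hunk). Testing the host-order value directly removes that dependency and gives one definition of GREASE for the cipher-suite, extension and supported-groups loops, which this commit spells out three times as a bare `& 0xF) != 0xA`. Per RFC 8701 a GREASE value is 0x0A0A, 0x1A1A, …, 0xFAFA, i.e. both bytes equal with low nibble 0xA, so a small file-scope helper expresses that exactly; this assumes `extension_id` is the host-order u_int16_t the existing code compares with 0. The same helper would replace the byte-level checks in the other two hunks.
```c
/* GREASE values (RFC 8701) are 0x0A0A, 0x1A1A, ..., 0xFAFA:
 * both bytes equal and the low nibble of each is 0xA. */
static int ndpi_is_grease_value(u_int16_t v) {
  return ((v >> 8) == (v & 0xFF)) && ((v & 0x0F) == 0x0A);
}

/* … unchanged: extension type/length parsing … */
      if((extension_id == 0) || !ndpi_is_grease_value(extension_id)) {
	/* Skip GREASE */
```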
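Review bot: The added `|| ((packet->payload[s_offset+i] & 0xF) != 0xA))` carries the whole meaning of the fix in a magic nibble, and nothing in the hunk records that 0x?A?A is the RFC 8701 GREASE encoding; the existing `/* Skip GREASE */` on the next line should say so, e.g. `/* Skip GREASE: 0x0A0A, 0x1A1A ... 0xFAFA (RFC 8701), i.e. both bytes equal and low nibble 0xA */`. Style-wise this hunk starts the continuation line with `||` while the extension hunk above ends the previous line with it; either is fine, but the three GREASE checks in this commit should share one layout. Since `s_group` is already decoded (it is compared with 0 and printed on the lines above), the test could also read `(s_group >> 8) != (s_group & 0xFF) || (s_group & 0x0F) != 0x0A` instead of re-reading the two payload bytes, assuming `s_group` is in host order as the `0x%04X` print suggests. The enclosing loop and function continue outside the hunk.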