1 /*
2 * tls.c - TLS/TLS/DTLS dissector
3 *
4 * Copyright (C) 2016-21 - ntop.org
5 *
6 * nDPI is free software: you can redistribute it and/or modify
7 * it under the terms of the GNU Lesser General Public License as published by
8 * the Free Software Foundation, either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * nDPI is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public License
17 * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
18 *
19 */
20
21 #include "ndpi_protocol_ids.h"
22
23 #define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TLS
24
25 #include "ndpi_api.h"
26 #include "ndpi_md5.h"
27 #include "ndpi_sha1.h"
28 #include "ndpi_encryption.h"
29
30 extern char *strptime(const char *s, const char *format, struct tm *tm);
31 extern int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
32 struct ndpi_flow_struct *flow, uint32_t quic_version);
33 extern int http_process_user_agent(struct ndpi_detection_module_struct *ndpi_struct,
34 struct ndpi_flow_struct *flow,
35 const u_int8_t *ua_ptr, u_int16_t ua_ptr_len);
36 /* QUIC/GQUIC stuff */
37 extern int quic_len(const uint8_t *buf, uint64_t *value);
38 extern int quic_len_buffer_still_required(uint8_t value);
39 extern int is_version_with_var_int_transport_params(uint32_t version);
40
41 // #define DEBUG_TLS_MEMORY 1
42 // #define DEBUG_TLS 1
43 // #define DEBUG_TLS_BLOCKS 1
44 // #define DEBUG_CERTIFICATE_HASH
45
46 // #define DEBUG_HEURISTIC
47
48 // #define DEBUG_JA3C 1
49
50 /* #define DEBUG_FINGERPRINT 1 */
51 /* #define DEBUG_ENCRYPTED_SNI 1 */
52
53 /* **************************************** */
54
55 /* https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 */
56
57 #define JA3_STR_LEN 1024
58 #define MAX_NUM_JA3 512
59 #define MAX_JA3_STRLEN 256
60
61 union ja3_info {
62 struct {
63 u_int16_t tls_handshake_version;
64 u_int16_t num_cipher, cipher[MAX_NUM_JA3];
65 u_int16_t num_tls_extension, tls_extension[MAX_NUM_JA3];
66 u_int16_t num_elliptic_curve, elliptic_curve[MAX_NUM_JA3];
67 u_int16_t num_elliptic_curve_point_format, elliptic_curve_point_format[MAX_NUM_JA3];
68 char signature_algorithms[MAX_JA3_STRLEN], supported_versions[MAX_JA3_STRLEN], alpn[MAX_JA3_STRLEN];
69 } client;
70
71 struct {
72 u_int16_t tls_handshake_version;
73 u_int16_t num_cipher, cipher[MAX_NUM_JA3];
74 u_int16_t num_tls_extension, tls_extension[MAX_NUM_JA3];
75 u_int16_t tls_supported_version;
76 u_int16_t num_elliptic_curve_point_format, elliptic_curve_point_format[MAX_NUM_JA3];
77 char alpn[MAX_JA3_STRLEN];
78 } server; /* Used for JA3+ */
79 };
80
81 /*
82 NOTE
83
84 How to view the certificate fingerprint
85 1. Using wireshark save the certificate on certificate.bin file as explained
86 in https://security.stackexchange.com/questions/123851/how-can-i-extract-the-certificate-from-this-pcap-file
87
88 2. openssl x509 -inform der -in certificate.bin -text > certificate.der
89 3. openssl x509 -noout -fingerprint -sha1 -inform pem -in certificate.der
90 SHA1 Fingerprint=15:9A:76....
91
92 $ shasum -a 1 www.grc.com.bin
93 159a76.....
94 */
95
96 #define NDPI_MAX_TLS_REQUEST_SIZE 10000
97 #define TLS_THRESHOLD 34387200 /* Threshold for certificate validity */
98 #define TLS_LIMIT_DATE 1598918400 /* From 01/09/2020 TLS certificates lifespan is limited to 13 months */
99
100 /* skype.c */
101 extern u_int8_t is_skype_flow(struct ndpi_detection_module_struct *ndpi_struct,
102 struct ndpi_flow_struct *flow);
103
104 /* stun.c */
105 extern u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev);
106
107 static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
108 struct ndpi_flow_struct *flow, u_int32_t protocol);
109
110 /* **************************************** */
111
ndpi_tls_refine_master_protocol(struct ndpi_detection_module_struct * ndpi_struct,struct ndpi_flow_struct * flow,u_int32_t protocol)112 static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_struct *ndpi_struct,
113 struct ndpi_flow_struct *flow, u_int32_t protocol) {
114 struct ndpi_packet_struct *packet = &flow->packet;
115
116 // protocol = NDPI_PROTOCOL_TLS;
117
118 if(packet->tcp != NULL) {
119 switch(protocol) {
120 case NDPI_PROTOCOL_TLS:
121 {
122 /*
123 In case of TLS there are probably sub-protocols
124 such as IMAPS that can be otherwise detected
125 */
126 u_int16_t sport = ntohs(packet->tcp->source);
127 u_int16_t dport = ntohs(packet->tcp->dest);
128
129 if((sport == 465) || (dport == 465) || (sport == 587) || (dport == 587))
130 protocol = NDPI_PROTOCOL_MAIL_SMTPS;
131 else if((sport == 993) || (dport == 993)
132 || (flow->l4.tcp.mail_imap_starttls)
133 ) protocol = NDPI_PROTOCOL_MAIL_IMAPS;
134 else if((sport == 995) || (dport == 995)) protocol = NDPI_PROTOCOL_MAIL_POPS;
135 }
136 break;
137 }
138 }
139
140 return(protocol);
141 }
142
143 /* **************************************** */
144
ndpi_search_tls_tcp_memory(struct ndpi_detection_module_struct * ndpi_struct,struct ndpi_flow_struct * flow)145 void ndpi_search_tls_tcp_memory(struct ndpi_detection_module_struct *ndpi_struct,
146 struct ndpi_flow_struct *flow) {
147 struct ndpi_packet_struct *packet = &flow->packet;
148 u_int avail_bytes;
149
150 /* TCP */
151 #ifdef DEBUG_TLS_MEMORY
152 printf("[TLS Mem] Handling TCP/TLS flow [payload_len: %u][buffer_len: %u][direction: %u]\n",
153 packet->payload_packet_len,
154 flow->l4.tcp.tls.message.buffer_len,
155 packet->packet_direction);
156 #endif
157
158 if(flow->l4.tcp.tls.message.buffer == NULL) {
159 /* Allocate buffer */
160 flow->l4.tcp.tls.message.buffer_len = 2048, flow->l4.tcp.tls.message.buffer_used = 0;
161 flow->l4.tcp.tls.message.buffer = (u_int8_t*)ndpi_malloc(flow->l4.tcp.tls.message.buffer_len);
162
163 if(flow->l4.tcp.tls.message.buffer == NULL)
164 return;
165
166 #ifdef DEBUG_TLS_MEMORY
167 printf("[TLS Mem] Allocating %u buffer\n", flow->l4.tcp.tls.message.buffer_len);
168 #endif
169 }
170
171 avail_bytes = flow->l4.tcp.tls.message.buffer_len - flow->l4.tcp.tls.message.buffer_used;
172
173 if(avail_bytes < packet->payload_packet_len) {
174 u_int new_len = flow->l4.tcp.tls.message.buffer_len + packet->payload_packet_len - avail_bytes + 1;
175 void *newbuf = ndpi_realloc(flow->l4.tcp.tls.message.buffer,
176 flow->l4.tcp.tls.message.buffer_len, new_len);
177 if(!newbuf) return;
178
179 #ifdef DEBUG_TLS_MEMORY
180 printf("[TLS Mem] Enlarging %u -> %u buffer\n", flow->l4.tcp.tls.message.buffer_len, new_len);
181 #endif
182
183 flow->l4.tcp.tls.message.buffer = (u_int8_t*)newbuf;
184 flow->l4.tcp.tls.message.buffer_len = new_len;
185 avail_bytes = flow->l4.tcp.tls.message.buffer_len - flow->l4.tcp.tls.message.buffer_used;
186 }
187
188 if(packet->payload_packet_len > 0 && avail_bytes >= packet->payload_packet_len) {
189 u_int8_t ok = 0;
190
191 if(flow->l4.tcp.tls.message.next_seq[packet->packet_direction] != 0) {
192 if(ntohl(packet->tcp->seq) == flow->l4.tcp.tls.message.next_seq[packet->packet_direction])
193 ok = 1;
194 } else
195 ok = 1;
196
197 if(ok) {
198 memcpy(&flow->l4.tcp.tls.message.buffer[flow->l4.tcp.tls.message.buffer_used],
199 packet->payload, packet->payload_packet_len);
200
201 flow->l4.tcp.tls.message.buffer_used += packet->payload_packet_len;
202 #ifdef DEBUG_TLS_MEMORY
203 printf("[TLS Mem] Copied data to buffer [%u/%u bytes][direction: %u][tcp_seq: %u][next: %u]\n",
204 flow->l4.tcp.tls.message.buffer_used, flow->l4.tcp.tls.message.buffer_len,
205 packet->packet_direction,
206 ntohl(packet->tcp->seq),
207 ntohl(packet->tcp->seq)+packet->payload_packet_len);
208 #endif
209
210 flow->l4.tcp.tls.message.next_seq[packet->packet_direction] = ntohl(packet->tcp->seq)+packet->payload_packet_len;
211 } else {
212 #ifdef DEBUG_TLS_MEMORY
213 printf("[TLS Mem] Skipping packet [%u bytes][direction: %u][tcp_seq: %u][expected next: %u]\n",
214 flow->l4.tcp.tls.message.buffer_len,
215 packet->packet_direction,
216 ntohl(packet->tcp->seq),
217 ntohl(packet->tcp->seq)+packet->payload_packet_len);
218 #endif
219 }
220 }
221 }
222
223 /* **************************************** */
224
cleanupServerName(char * buffer,int buffer_len)225 static void cleanupServerName(char *buffer, int buffer_len) {
226 u_int i;
227
228 /* Now all lowecase */
229 for(i=0; i<buffer_len; i++)
230 buffer[i] = tolower(buffer[i]);
231 }
232
233 /* **************************************** */
234
235 /*
236 Return code
237 -1: error (buffer too short)
238 0: OK but buffer is not human readeable (so something went wrong)
239 1: OK
240 */
extractRDNSequence(struct ndpi_packet_struct * packet,u_int offset,char * buffer,u_int buffer_len,char * rdnSeqBuf,u_int * rdnSeqBuf_offset,u_int rdnSeqBuf_len,const char * label)241 static int extractRDNSequence(struct ndpi_packet_struct *packet,
242 u_int offset, char *buffer, u_int buffer_len,
243 char *rdnSeqBuf, u_int *rdnSeqBuf_offset,
244 u_int rdnSeqBuf_len,
245 const char *label) {
246 u_int8_t str_len = packet->payload[offset+4], is_printable = 1;
247 char *str;
248 u_int len, j;
249
250 if (*rdnSeqBuf_offset >= rdnSeqBuf_len) {
251 #ifdef DEBUG_TLS
252 printf("[TLS] %s() [buffer capacity reached][%u]\n",
253 __FUNCTION__, rdnSeqBuf_len);
254 #endif
255 return -1;
256 }
257
258 // packet is truncated... further inspection is not needed
259 if((offset+4+str_len) >= packet->payload_packet_len)
260 return(-1);
261
262 str = (char*)&packet->payload[offset+5];
263
264 len = (u_int)ndpi_min(str_len, buffer_len-1);
265 strncpy(buffer, str, len);
266 buffer[len] = '\0';
267
268 // check string is printable
269 for(j = 0; j < len; j++) {
270 if(!ndpi_isprint(buffer[j])) {
271 is_printable = 0;
272 break;
273 }
274 }
275
276 if(is_printable) {
277 int rc = snprintf(&rdnSeqBuf[*rdnSeqBuf_offset],
278 rdnSeqBuf_len-(*rdnSeqBuf_offset),
279 "%s%s=%s", (*rdnSeqBuf_offset > 0) ? ", " : "",
280 label, buffer);
281
282 if(rc > 0)
283 (*rdnSeqBuf_offset) += rc;
284 }
285
286 return(is_printable);
287 }
288
289 /* **************************************** */
290
checkTLSSubprotocol(struct ndpi_detection_module_struct * ndpi_struct,struct ndpi_flow_struct * flow)291 static void checkTLSSubprotocol(struct ndpi_detection_module_struct *ndpi_struct,
292 struct ndpi_flow_struct *flow) {
293 if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) {
294 /* Subprotocol not yet set */
295
296 if(ndpi_struct->tls_cert_cache && flow->packet.iph && flow->packet.tcp) {
297 u_int32_t key = flow->packet.iph->daddr + flow->packet.tcp->dest;
298 u_int16_t cached_proto;
299
300 if(ndpi_lru_find_cache(ndpi_struct->tls_cert_cache, key,
301 &cached_proto, 0 /* Don't remove it as it can be used for other connections */)) {
302 ndpi_protocol ret = { NDPI_PROTOCOL_TLS, cached_proto, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED };
303
304 flow->detected_protocol_stack[0] = cached_proto,
305 flow->detected_protocol_stack[1] = NDPI_PROTOCOL_TLS;
306
307 flow->category = ndpi_get_proto_category(ndpi_struct, ret);
308 ndpi_check_subprotocol_risk(ndpi_struct, flow, cached_proto);
309 }
310 }
311 }
312 }
313
314 /* **************************************** */
315
316 /* See https://blog.catchpoint.com/2017/05/12/dissecting-tls-using-wireshark/ */
processCertificateElements(struct ndpi_detection_module_struct * ndpi_struct,struct ndpi_flow_struct * flow,u_int16_t p_offset,u_int16_t certificate_len)317 static void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct,
318 struct ndpi_flow_struct *flow,
319 u_int16_t p_offset, u_int16_t certificate_len) {
320 struct ndpi_packet_struct *packet = &flow->packet;
321 u_int num_found = 0, i;
322 char buffer[64] = { '\0' }, rdnSeqBuf[2048] = { '\0' };
323 u_int rdn_len = 0;
324
325 #ifdef DEBUG_TLS
326 printf("[TLS] %s() [offset: %u][certificate_len: %u]\n", __FUNCTION__, p_offset, certificate_len);
327 #endif
328
329 /* Check after handshake protocol header (5 bytes) and message header (4 bytes) */
330 for(i = p_offset; i < certificate_len; i++) {
331 /*
332 See https://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q009860_.htm
333 for X.509 certificate labels
334 */
335 if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x03)) {
336 /* Common Name */
337 int rc = extractRDNSequence(packet, i, buffer, sizeof(buffer), rdnSeqBuf, &rdn_len, sizeof(rdnSeqBuf), "CN");
338 if(rc == -1) break;
339
340 #ifdef DEBUG_TLS
341 printf("[TLS] %s() [%s][%s: %s]\n", __FUNCTION__, (num_found == 0) ? "Subject" : "Issuer", "Common Name", buffer);
342 #endif
343 } else if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x06)) {
344 /* Country */
345 int rc = extractRDNSequence(packet, i, buffer, sizeof(buffer), rdnSeqBuf, &rdn_len, sizeof(rdnSeqBuf), "C");
346 if(rc == -1) break;
347
348 #ifdef DEBUG_TLS
349 printf("[TLS] %s() [%s][%s: %s]\n", __FUNCTION__, (num_found == 0) ? "Subject" : "Issuer", "Country", buffer);
350 #endif
351 } else if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x07)) {
352 /* Locality */
353 int rc = extractRDNSequence(packet, i, buffer, sizeof(buffer), rdnSeqBuf, &rdn_len, sizeof(rdnSeqBuf), "L");
354 if(rc == -1) break;
355
356 #ifdef DEBUG_TLS
357 printf("[TLS] %s() [%s][%s: %s]\n", __FUNCTION__, (num_found == 0) ? "Subject" : "Issuer", "Locality", buffer);
358 #endif
359 } else if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x08)) {
360 /* State or Province */
361 int rc = extractRDNSequence(packet, i, buffer, sizeof(buffer), rdnSeqBuf, &rdn_len, sizeof(rdnSeqBuf), "ST");
362 if(rc == -1) break;
363
364 #ifdef DEBUG_TLS
365 printf("[TLS] %s() [%s][%s: %s]\n", __FUNCTION__, (num_found == 0) ? "Subject" : "Issuer", "State or Province", buffer);
366 #endif
367 } else if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x0a)) {
368 /* Organization Name */
369 int rc = extractRDNSequence(packet, i, buffer, sizeof(buffer), rdnSeqBuf, &rdn_len, sizeof(rdnSeqBuf), "O");
370 if(rc == -1) break;
371
372 #ifdef DEBUG_TLS
373 printf("[TLS] %s() [%s][%s: %s]\n", __FUNCTION__, (num_found == 0) ? "Subject" : "Issuer", "Organization Name", buffer);
374 #endif
375
376 } else if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x0b)) {
377 /* Organization Unit */
378 int rc = extractRDNSequence(packet, i, buffer, sizeof(buffer), rdnSeqBuf, &rdn_len, sizeof(rdnSeqBuf), "OU");
379 if(rc == -1) break;
380
381 #ifdef DEBUG_TLS
382 printf("[TLS] %s() [%s][%s: %s]\n", __FUNCTION__, (num_found == 0) ? "Subject" : "Issuer", "Organization Unit", buffer);
383 #endif
384 } else if((packet->payload[i] == 0x30) && (packet->payload[i+1] == 0x1e) && (packet->payload[i+2] == 0x17)) {
385 /* Certificate Validity */
386 u_int8_t len = packet->payload[i+3];
387 u_int offset = i+4;
388
389 if(num_found == 0) {
390 num_found++;
391
392 #ifdef DEBUG_TLS
393 printf("[TLS] %s() IssuerDN [%s]\n", __FUNCTION__, rdnSeqBuf);
394 #endif
395
396 if(rdn_len && (flow->protos.tls_quic_stun.tls_quic.issuerDN == NULL))
397 flow->protos.tls_quic_stun.tls_quic.issuerDN = ndpi_strdup(rdnSeqBuf);
398
399 rdn_len = 0; /* Reset buffer */
400 }
401
402 if((offset+len) < packet->payload_packet_len) {
403 char utcDate[32];
404
405 #ifdef DEBUG_TLS
406 u_int j;
407
408 printf("[CERTIFICATE] notBefore [len: %u][", len);
409 for(j=0; j<len; j++) printf("%c", packet->payload[i+4+j]);
410 printf("]\n");
411 #endif
412
413 if(len < (sizeof(utcDate)-1)) {
414 struct tm utc;
415 utc.tm_isdst = -1; /* Not set by strptime */
416
417 strncpy(utcDate, (const char*)&packet->payload[i+4], len);
418 utcDate[len] = '\0';
419
420 /* 141021000000Z */
421 if(strptime(utcDate, "%y%m%d%H%M%SZ", &utc) != NULL) {
422 flow->protos.tls_quic_stun.tls_quic.notBefore = timegm(&utc);
423 #ifdef DEBUG_TLS
424 printf("[CERTIFICATE] notBefore %u [%s]\n",
425 flow->protos.tls_quic_stun.tls_quic.notBefore, utcDate);
426 #endif
427 }
428 }
429
430 offset += len;
431
432 if((offset+1) < packet->payload_packet_len) {
433 len = packet->payload[offset+1];
434
435 offset += 2;
436
437 if((offset+len) < packet->payload_packet_len) {
438 u_int32_t time_sec = flow->packet.current_time_ms / 1000;
439 #ifdef DEBUG_TLS
440 u_int j;
441
442 printf("[CERTIFICATE] notAfter [len: %u][", len);
443 for(j=0; j<len; j++) printf("%c", packet->payload[offset+j]);
444 printf("]\n");
445 #endif
446
447 if(len < (sizeof(utcDate)-1)) {
448 struct tm utc;
449 utc.tm_isdst = -1; /* Not set by strptime */
450
451 strncpy(utcDate, (const char*)&packet->payload[offset], len);
452 utcDate[len] = '\0';
453
454 /* 141021000000Z */
455 if(strptime(utcDate, "%y%m%d%H%M%SZ", &utc) != NULL) {
456 flow->protos.tls_quic_stun.tls_quic.notAfter = timegm(&utc);
457 #ifdef DEBUG_TLS
458 printf("[CERTIFICATE] notAfter %u [%s]\n",
459 flow->protos.tls_quic_stun.tls_quic.notAfter, utcDate);
460 #endif
461 }
462 }
463
464 if (flow->protos.tls_quic_stun.tls_quic.notBefore > TLS_LIMIT_DATE)
465 if((flow->protos.tls_quic_stun.tls_quic.notAfter-flow->protos.tls_quic_stun.tls_quic.notBefore) > TLS_THRESHOLD)
466 ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG); /* Certificate validity longer than 13 months*/
467
468 if((time_sec < flow->protos.tls_quic_stun.tls_quic.notBefore)
469 || (time_sec > flow->protos.tls_quic_stun.tls_quic.notAfter))
470 ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_EXPIRED); /* Certificate expired */
471 }
472 }
473 }
474 } else if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x1d) && (packet->payload[i+2] == 0x11)) {
475 /* Organization OID: 2.5.29.17 (subjectAltName) */
476 u_int8_t matched_name = 0;
477
478 #ifdef DEBUG_TLS
479 printf("******* [TLS] Found subjectAltName\n");
480 #endif
481
482 i += 3 /* skip the initial patten 55 1D 11 */;
483 i++; /* skip the first type, 0x04 == BIT STRING, and jump to it's length */
484 if(i < packet->payload_packet_len) {
485 i += (packet->payload[i] & 0x80) ? (packet->payload[i] & 0x7F) : 0; /* skip BIT STRING length */
486 if(i < packet->payload_packet_len) {
487 i += 2; /* skip the second type, 0x30 == SEQUENCE, and jump to it's length */
488 if(i < packet->payload_packet_len) {
489 i += (packet->payload[i] & 0x80) ? (packet->payload[i] & 0x7F) : 0; /* skip SEQUENCE length */
490 i++;
491
492 while(i < packet->payload_packet_len) {
493 if(packet->payload[i] == 0x82) {
494 if((i < (packet->payload_packet_len - 1))
495 && ((i + packet->payload[i + 1] + 2) < packet->payload_packet_len)) {
496 u_int8_t len = packet->payload[i + 1];
497 char dNSName[256];
498
499 i += 2;
500
501 /* The check "len > sizeof(dNSName) - 1" will be always false. If we add it,
502 the compiler is smart enough to detect it and throws a warning */
503 if((len == 0 /* Looks something went wrong */)
504 || ((i+len) > packet->payload_packet_len))
505 break;
506
507 strncpy(dNSName, (const char*)&packet->payload[i], len);
508 dNSName[len] = '\0';
509
510 cleanupServerName(dNSName, len);
511
512 #if DEBUG_TLS
513 printf("[TLS] dNSName %s [%s][len: %u][leftover: %d]\n", dNSName,
514 flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, len,
515 packet->payload_packet_len-i-len);
516 #endif
517 if (ndpi_is_printable_string(dNSName, len) == 0)
518 {
519 ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_EXTENSION_SUSPICIOUS);
520 }
521
522 if(matched_name == 0) {
523 if(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] == '\0')
524 matched_name = 1; /* No SNI */
525 else if (dNSName[0] == '*')
526 {
527 char * label = strstr(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, &dNSName[1]);
528
529 if (label != NULL)
530 {
531 char * first_dot = strchr(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, '.');
532
533 if (first_dot == NULL || first_dot >= label)
534 {
535 matched_name = 1;
536 }
537 }
538 }
539 else if(strcmp(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, dNSName) == 0)
540 matched_name = 1;
541 }
542
543 if(flow->protos.tls_quic_stun.tls_quic.server_names == NULL)
544 flow->protos.tls_quic_stun.tls_quic.server_names = ndpi_strdup(dNSName),
545 flow->protos.tls_quic_stun.tls_quic.server_names_len = strlen(dNSName);
546 else {
547 u_int16_t dNSName_len = strlen(dNSName);
548 u_int16_t newstr_len = flow->protos.tls_quic_stun.tls_quic.server_names_len + dNSName_len + 1;
549 char *newstr = (char*)ndpi_realloc(flow->protos.tls_quic_stun.tls_quic.server_names,
550 flow->protos.tls_quic_stun.tls_quic.server_names_len+1, newstr_len+1);
551
552 if(newstr) {
553 flow->protos.tls_quic_stun.tls_quic.server_names = newstr;
554 flow->protos.tls_quic_stun.tls_quic.server_names[flow->protos.tls_quic_stun.tls_quic.server_names_len] = ',';
555 strncpy(&flow->protos.tls_quic_stun.tls_quic.server_names[flow->protos.tls_quic_stun.tls_quic.server_names_len+1],
556 dNSName, dNSName_len+1);
557 flow->protos.tls_quic_stun.tls_quic.server_names[newstr_len] = '\0';
558 flow->protos.tls_quic_stun.tls_quic.server_names_len = newstr_len;
559 }
560 }
561
562 if(!flow->l4.tcp.tls.subprotocol_detected)
563 if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, dNSName, len))
564 flow->l4.tcp.tls.subprotocol_detected = 1;
565
566 i += len;
567 } else {
568 #if DEBUG_TLS
569 printf("[TLS] Leftover %u bytes", packet->payload_packet_len - i);
570 #endif
571 break;
572 }
573 } else {
574 break;
575 }
576 } /* while */
577
578 if(!matched_name)
579 ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_MISMATCH); /* Certificate mismatch */
580 }
581 }
582 }
583 }
584 }
585
586 if(rdn_len && (flow->protos.tls_quic_stun.tls_quic.subjectDN == NULL)) {
587 flow->protos.tls_quic_stun.tls_quic.subjectDN = ndpi_strdup(rdnSeqBuf);
588
589 if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) {
590 /* No idea what is happening behind the scenes: let's check the certificate */
591 u_int32_t val;
592 int rc = ndpi_match_string_value(ndpi_struct->tls_cert_subject_automa.ac_automa,
593 rdnSeqBuf, strlen(rdnSeqBuf), &val);
594
595 if(rc == 0) {
596 /* Match found */
597 u_int16_t proto_id = (u_int16_t)val;
598 ndpi_protocol ret = { NDPI_PROTOCOL_TLS, proto_id, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED};
599
600 flow->detected_protocol_stack[0] = proto_id,
601 flow->detected_protocol_stack[1] = NDPI_PROTOCOL_TLS;
602
603 flow->category = ndpi_get_proto_category(ndpi_struct, ret);
604 ndpi_check_subprotocol_risk(ndpi_struct, flow, proto_id);
605
606 if(ndpi_struct->tls_cert_cache == NULL)
607 ndpi_struct->tls_cert_cache = ndpi_lru_cache_init(1024);
608
609 if(ndpi_struct->tls_cert_cache && flow->packet.iph) {
610 u_int32_t key = flow->packet.iph->daddr + flow->packet.tcp->dest;
611
612 ndpi_lru_add_to_cache(ndpi_struct->tls_cert_cache, key, proto_id);
613 }
614 }
615 }
616 }
617
618 if(flow->protos.tls_quic_stun.tls_quic.subjectDN && flow->protos.tls_quic_stun.tls_quic.issuerDN
619 && (!strcmp(flow->protos.tls_quic_stun.tls_quic.subjectDN, flow->protos.tls_quic_stun.tls_quic.issuerDN)))
620 ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SELFSIGNED_CERTIFICATE);
621
622 #if DEBUG_TLS
623 printf("[TLS] %s() SubjectDN [%s]\n", __FUNCTION__, rdnSeqBuf);
624 #endif
625 }
626
627 /* **************************************** */
628
629 /* See https://blog.catchpoint.com/2017/05/12/dissecting-tls-using-wireshark/ */
processCertificate(struct ndpi_detection_module_struct * ndpi_struct,struct ndpi_flow_struct * flow)630 int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
631 struct ndpi_flow_struct *flow) {
632 struct ndpi_packet_struct *packet = &flow->packet;
633 int is_dtls = packet->udp ? 1 : 0;
634 u_int32_t certificates_length, length = (packet->payload[1] << 16) + (packet->payload[2] << 8) + packet->payload[3];
635 u_int32_t certificates_offset = 7 + (is_dtls ? 8 : 0);
636 u_int8_t num_certificates_found = 0;
637 SHA1_CTX srv_cert_fingerprint_ctx ;
638
639 #ifdef DEBUG_TLS
640 printf("[TLS] %s() [payload_packet_len=%u][direction: %u][%02X %02X %02X %02X %02X %02X...]\n",
641 __FUNCTION__, packet->payload_packet_len,
642 packet->packet_direction,
643 packet->payload[0], packet->payload[1], packet->payload[2],
644 packet->payload[3], packet->payload[4], packet->payload[5]);
645 #endif
646
647 if((packet->payload_packet_len != (length + 4 + (is_dtls ? 8 : 0))) || (packet->payload[1] != 0x0)) {
648 ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET);
649 return(-1); /* Invalid length */
650 }
651
652 certificates_length = (packet->payload[certificates_offset - 3] << 16) +
653 (packet->payload[certificates_offset - 2] << 8) +
654 packet->payload[certificates_offset - 1];
655
656 if((packet->payload[certificates_offset - 3] != 0x0) || ((certificates_length+3) != length)) {
657 ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET);
658 return(-2); /* Invalid length */
659 }
660
661 /* Now let's process each individual certificates */
662 while(certificates_offset < certificates_length) {
663 u_int32_t certificate_len = (packet->payload[certificates_offset] << 16) + (packet->payload[certificates_offset+1] << 8) + packet->payload[certificates_offset+2];
664
665 /* Invalid lenght */
666 if((certificate_len == 0)
667 || (packet->payload[certificates_offset] != 0x0)
668 || ((certificates_offset+certificate_len) > (4+certificates_length+(is_dtls ? 8 : 0)))) {
669 #ifdef DEBUG_TLS
670 printf("[TLS] Invalid length [certificate_len: %u][certificates_offset: %u][%u vs %u]\n",
671 certificate_len, certificates_offset,
672 (certificates_offset+certificate_len),
673 certificates_length);
674 #endif
675 break;
676 }
677
678 certificates_offset += 3;
679 #ifdef DEBUG_TLS
680 printf("[TLS] Processing %u bytes certificate [%02X %02X %02X]\n",
681 certificate_len,
682 packet->payload[certificates_offset],
683 packet->payload[certificates_offset+1],
684 packet->payload[certificates_offset+2]);
685 #endif
686
687 if(num_certificates_found++ == 0) /* Dissect only the first certificate that is the one we care */ {
688 /* For SHA-1 we take into account only the first certificate and not all of them */
689
690 SHA1Init(&srv_cert_fingerprint_ctx);
691
692 #ifdef DEBUG_CERTIFICATE_HASH
693 {
694 int i;
695
696 for(i=0;i<certificate_len;i++)
697 printf("%02X ", packet->payload[certificates_offset+i]);
698
699 printf("\n");
700 }
701 #endif
702
703 SHA1Update(&srv_cert_fingerprint_ctx,
704 &packet->payload[certificates_offset],
705 certificate_len);
706
707 SHA1Final(flow->protos.tls_quic_stun.tls_quic.sha1_certificate_fingerprint, &srv_cert_fingerprint_ctx);
708
709 flow->l4.tcp.tls.fingerprint_set = 1;
710
711 uint8_t * sha1 = flow->protos.tls_quic_stun.tls_quic.sha1_certificate_fingerprint;
712 const size_t sha1_siz = sizeof(flow->protos.tls_quic_stun.tls_quic.sha1_certificate_fingerprint);
713 char sha1_str[20 /* sha1_siz */ * 2 + 1];
714 static const char hexalnum[] = "0123456789ABCDEF";
715 for (size_t i = 0; i < sha1_siz; ++i) {
716 u_int8_t lower = (sha1[i] & 0x0F);
717 u_int8_t upper = (sha1[i] & 0xF0) >> 4;
718 sha1_str[i*2] = hexalnum[upper];
719 sha1_str[i*2 + 1] = hexalnum[lower];
720 }
721 sha1_str[sha1_siz * 2] = '\0';
722
723 #ifdef DEBUG_TLS
724 printf("[TLS] SHA-1: %s\n", sha1_str);
725 #endif
726
727 if (ndpi_struct->malicious_sha1_automa.ac_automa != NULL) {
728 u_int16_t rc1 = ndpi_match_string(ndpi_struct->malicious_sha1_automa.ac_automa, sha1_str);
729
730 if(rc1 > 0)
731 ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_SHA1_CERTIFICATE);
732 }
733
734 processCertificateElements(ndpi_struct, flow, certificates_offset, certificate_len);
735 }
736
737 certificates_offset += certificate_len;
738 }
739
740 if((ndpi_struct->num_tls_blocks_to_follow != 0)
741 && (flow->l4.tcp.tls.num_tls_blocks >= ndpi_struct->num_tls_blocks_to_follow)) {
742 #ifdef DEBUG_TLS_BLOCKS
743 printf("*** [TLS Block] Enough blocks dissected\n");
744 #endif
745
746 flow->extra_packets_func = NULL; /* We're good now */
747 }
748
749 return(1);
750 }
751
752 /* **************************************** */
753
processTLSBlock(struct ndpi_detection_module_struct * ndpi_struct,struct ndpi_flow_struct * flow)754 static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
755 struct ndpi_flow_struct *flow) {
756 struct ndpi_packet_struct *packet = &flow->packet;
757 int ret;
758
759 switch(packet->payload[0] /* block type */) {
760 case 0x01: /* Client Hello */
761 case 0x02: /* Server Hello */
762 processClientServerHello(ndpi_struct, flow, 0);
763 flow->l4.tcp.tls.hello_processed = 1;
764 ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
765
766 #ifdef DEBUG_TLS
767 printf("*** TLS [version: %02X][%s Hello]\n",
768 flow->protos.tls_quic_stun.tls_quic.ssl_version,
769 (packet->payload[0] == 0x01) ? "Client" : "Server");
770 #endif
771
772 if((flow->protos.tls_quic_stun.tls_quic.ssl_version >= 0x0304 /* TLS 1.3 */)
773 && (packet->payload[0] == 0x02 /* Server Hello */)) {
774 flow->l4.tcp.tls.certificate_processed = 1; /* No Certificate with TLS 1.3+ */
775 }
776
777 checkTLSSubprotocol(ndpi_struct, flow);
778 break;
779
780 case 0x0b: /* Certificate */
781 /* Important: populate the tls union fields only after
782 * ndpi_int_tls_add_connection has been called */
783 if(flow->l4.tcp.tls.hello_processed) {
784 ret = processCertificate(ndpi_struct, flow);
785 if (ret != 1) {
786 #ifdef DEBUG_TLS
787 printf("[TLS] Error processing certificate: %d\n", ret);
788 #endif
789 }
790 flow->l4.tcp.tls.certificate_processed = 1;
791 }
792 break;
793
794 default:
795 return(-1);
796 }
797
798 return(0);
799 }
800
801 /* **************************************** */
802
ndpi_looks_like_tls(struct ndpi_detection_module_struct * ndpi_struct,struct ndpi_flow_struct * flow)803 static void ndpi_looks_like_tls(struct ndpi_detection_module_struct *ndpi_struct,
804 struct ndpi_flow_struct *flow) {
805 // ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN);
806
807 if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN)
808 flow->guessed_protocol_id = NDPI_PROTOCOL_TLS;
809 }
810
811 /* **************************************** */
812
ndpi_search_tls_tcp(struct ndpi_detection_module_struct * ndpi_struct,struct ndpi_flow_struct * flow)813 static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
814 struct ndpi_flow_struct *flow) {
815 struct ndpi_packet_struct *packet = &flow->packet;
816 u_int8_t something_went_wrong = 0;
817
818 #ifdef DEBUG_TLS_MEMORY
819 printf("[TLS Mem] ndpi_search_tls_tcp() Processing new packet [payload_packet_len: %u]\n",
820 packet->payload_packet_len);
821 #endif
822
823 if(packet->payload_packet_len == 0)
824 return(1); /* Keep working */
825
826 ndpi_search_tls_tcp_memory(ndpi_struct, flow);
827
828 while(!something_went_wrong) {
829 u_int16_t len, p_len;
830 const u_int8_t *p;
831 u_int8_t content_type;
832
833 if(flow->l4.tcp.tls.message.buffer_used < 5)
834 return(1); /* Keep working */
835
836 len = (flow->l4.tcp.tls.message.buffer[3] << 8) + flow->l4.tcp.tls.message.buffer[4] + 5;
837
838 if(len > flow->l4.tcp.tls.message.buffer_used) {
839 #ifdef DEBUG_TLS_MEMORY
840 printf("[TLS Mem] Not enough TLS data [%u < %u][%02X %02X %02X %02X %02X]\n",
841 len, flow->l4.tcp.tls.message.buffer_used,
842 flow->l4.tcp.tls.message.buffer[0],
843 flow->l4.tcp.tls.message.buffer[1],
844 flow->l4.tcp.tls.message.buffer[2],
845 flow->l4.tcp.tls.message.buffer[3],
846 flow->l4.tcp.tls.message.buffer[4]);
847 #endif
848 break;
849 }
850
851 if(len == 0) {
852 something_went_wrong = 1;
853 break;
854 }
855
856 #ifdef DEBUG_TLS_MEMORY
857 printf("[TLS Mem] Processing %u bytes message\n", len);
858 #endif
859
860 content_type = flow->l4.tcp.tls.message.buffer[0];
861
862 /* Overwriting packet payload */
863 p = packet->payload;
864 p_len = packet->payload_packet_len; /* Backup */
865
866 if(content_type == 0x14 /* Change Cipher Spec */) {
867 if(ndpi_struct->skip_tls_blocks_until_change_cipher) {
868 /*
869 Ignore Application Data up until change cipher
870 so in this case we reset the number of observed
871 TLS blocks
872 */
873 flow->l4.tcp.tls.num_tls_blocks = 0;
874 }
875 }
876
877 if((len > 9)
878 && (content_type != 0x17 /* Application Data */)
879 && (!flow->l4.tcp.tls.certificate_processed)) {
880 /* Split the element in blocks */
881 u_int16_t processed = 5;
882
883 while((processed+4) <= len) {
884 const u_int8_t *block = (const u_int8_t *)&flow->l4.tcp.tls.message.buffer[processed];
885 u_int32_t block_len = (block[1] << 16) + (block[2] << 8) + block[3];
886
887 if(/* (block_len == 0) || */ /* Note blocks can have zero lenght */
888 (block_len > len) || ((block[1] != 0x0))) {
889 something_went_wrong = 1;
890 break;
891 }
892
893 packet->payload = block;
894 packet->payload_packet_len = ndpi_min(block_len+4, flow->l4.tcp.tls.message.buffer_used);
895
896 if((processed+packet->payload_packet_len) > len) {
897 something_went_wrong = 1;
898 break;
899 }
900
901 processTLSBlock(ndpi_struct, flow);
902 ndpi_looks_like_tls(ndpi_struct, flow);
903
904 processed += packet->payload_packet_len;
905 }
906 } else {
907 /* Process element as a whole */
908 if(content_type == 0x17 /* Application Data */) {
909 ndpi_looks_like_tls(ndpi_struct, flow);
910
911 if(flow->l4.tcp.tls.certificate_processed) {
912 if(flow->l4.tcp.tls.num_tls_blocks < ndpi_struct->num_tls_blocks_to_follow)
913 flow->l4.tcp.tls.tls_application_blocks_len[flow->l4.tcp.tls.num_tls_blocks++] =
914 (packet->packet_direction == 0) ? (len-5) : -(len-5);
915
916 #ifdef DEBUG_TLS_BLOCKS
917 printf("*** [TLS Block] [len: %u][num_tls_blocks: %u/%u]\n",
918 len-5, flow->l4.tcp.tls.num_tls_blocks, ndpi_struct->num_tls_blocks_to_follow);
919 #endif
920 }
921 }
922 }
923
924 packet->payload = p;
925 packet->payload_packet_len = p_len; /* Restore */
926 flow->l4.tcp.tls.message.buffer_used -= len;
927
928 if(flow->l4.tcp.tls.message.buffer_used > 0)
929 memmove(flow->l4.tcp.tls.message.buffer,
930 &flow->l4.tcp.tls.message.buffer[len],
931 flow->l4.tcp.tls.message.buffer_used);
932 else
933 break;
934
935 #ifdef DEBUG_TLS_MEMORY
936 printf("[TLS Mem] Left memory buffer %u bytes\n", flow->l4.tcp.tls.message.buffer_used);
937 #endif
938 }
939
940 if(something_went_wrong
941 || ((ndpi_struct->num_tls_blocks_to_follow > 0)
942 && (flow->l4.tcp.tls.num_tls_blocks == ndpi_struct->num_tls_blocks_to_follow))
943 ) {
944 #ifdef DEBUG_TLS_BLOCKS
945 printf("*** [TLS Block] No more blocks\n");
946 #endif
947 flow->check_extra_packets = 0;
948 flow->extra_packets_func = NULL;
949 return(0); /* That's all */
950 } else
951 return(1);
952 }
953
954 /* **************************************** */
955
ndpi_search_tls_udp(struct ndpi_detection_module_struct * ndpi_struct,struct ndpi_flow_struct * flow)956 static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct,
957 struct ndpi_flow_struct *flow) {
958 struct ndpi_packet_struct *packet = &flow->packet;
959 u_int32_t handshake_len;
960 u_int16_t p_len, processed;
961 const u_int8_t *p;
962 u_int8_t no_dtls = 0, change_cipher_found = 0;
963
964 #ifdef DEBUG_TLS
965 printf("[TLS] %s()\n", __FUNCTION__);
966 #endif
967
968 /* Overwriting packet payload */
969 p = packet->payload, p_len = packet->payload_packet_len; /* Backup */
970
971 /* Split the element in blocks */
972 processed = 0;
973 while(processed + 13 < p_len) {
974 u_int32_t block_len;
975 const u_int8_t *block = (const u_int8_t *)&p[processed];
976
977 if((block[0] != 0x16 && block[0] != 0x14) || /* Handshake, change-cipher-spec */
978 (block[1] != 0xfe) || /* We ignore old DTLS versions */
979 ((block[2] != 0xff) && (block[2] != 0xfd))) {
980 #ifdef DEBUG_TLS
981 printf("[TLS] DTLS invalid block 0x%x or old version 0x%x-0x%x-0x%x\n",
982 block[0], block[1], block[2], block[3]);
983 #endif
984 no_dtls = 1;
985 break;
986 }
987 block_len = ntohs(*((u_int16_t*)&block[11]));
988 #ifdef DEBUG_TLS
989 printf("[TLS] DTLS block len: %d\n", block_len);
990 #endif
991 if (block_len == 0 || (processed + block_len + 12 >= p_len)) {
992 #ifdef DEBUG_TLS
993 printf("[TLS] DTLS invalid block len %d (processed %d, p_len %d)\n",
994 block_len, processed, p_len);
995 #endif
996 no_dtls = 1;
997 break;
998 }
999 /* We process only handshake msgs */
1000 if(block[0] == 0x16) {
1001 if (processed + block_len + 13 > p_len) {
1002 #ifdef DEBUG_TLS
1003 printf("[TLS] DTLS invalid len %d %d %d\n", processed, block_len, p_len);
1004 #endif
1005 no_dtls = 1;
1006 break;
1007 }
1008 /* TODO: handle (certificate) fragments */
1009 handshake_len = (block[14] << 16) + (block[15] << 8) + block[16];
1010 if((handshake_len + 12) != block_len) {
1011 #ifdef DEBUG_TLS
1012 printf("[TLS] DTLS invalid handshake_len %d, %d)\n",
1013 handshake_len, block_len);
1014 #endif
1015 no_dtls = 1;
1016 break;
1017 }
1018 packet->payload = &block[13];
1019 packet->payload_packet_len = block_len;
1020 processTLSBlock(ndpi_struct, flow);
1021 } else {
1022 /* Change-cipher-spec: any subsequent block might be encrypted */
1023 #ifdef DEBUG_TLS
1024 printf("[TLS] Change-cipher-spec\n");
1025 #endif
1026 change_cipher_found = 1;
1027 processed += block_len + 13;
1028 break;
1029 }
1030
1031 processed += block_len + 13;
1032 }
1033 if(processed != p_len) {
1034 #ifdef DEBUG_TLS
1035 printf("[TLS] DTLS invalid processed len %d/%d (%d)\n", processed, p_len, change_cipher_found);
1036 #endif
1037 if(!change_cipher_found)
1038 no_dtls = 1;
1039 }
1040
1041 packet->payload = p;
1042 packet->payload_packet_len = p_len; /* Restore */
1043
1044 if(no_dtls || change_cipher_found) {
1045 NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
1046 return(0); /* That's all */
1047 } else {
1048 return(1); /* Keep working */
1049 }
1050 }
1051
1052 /* **************************************** */
1053
tlsInitExtraPacketProcessing(struct ndpi_detection_module_struct * ndpi_struct,struct ndpi_flow_struct * flow)1054 static void tlsInitExtraPacketProcessing(struct ndpi_detection_module_struct *ndpi_struct,
1055 struct ndpi_flow_struct *flow) {
1056 flow->check_extra_packets = 1;
1057
1058 /* At most 12 packets should almost always be enough to find the server certificate if it's there */
1059 flow->max_extra_packets_to_check = 12 + (ndpi_struct->num_tls_blocks_to_follow*4);
1060 flow->extra_packets_func = (flow->packet.udp != NULL) ? ndpi_search_tls_udp : ndpi_search_tls_tcp;
1061 }
1062
1063 /* **************************************** */
1064
tlsCheckUncommonALPN(struct ndpi_detection_module_struct * ndpi_struct,struct ndpi_flow_struct * flow)1065 static void tlsCheckUncommonALPN(struct ndpi_detection_module_struct *ndpi_struct,
1066 struct ndpi_flow_struct *flow) {
1067 char * alpn_start = flow->protos.tls_quic_stun.tls_quic.alpn;
1068 char * comma_or_nul = alpn_start;
1069 do {
1070 int alpn_len;
1071
1072 comma_or_nul = strchr(comma_or_nul, ',');
1073
1074 if(comma_or_nul == NULL)
1075 comma_or_nul = alpn_start + strlen(alpn_start);
1076
1077 alpn_len = comma_or_nul - alpn_start;
1078
1079 if(!is_a_common_alpn(ndpi_struct, alpn_start, alpn_len)) {
1080 #ifdef DEBUG_TLS
1081 printf("TLS uncommon ALPN found: %.*s\n", alpn_len, alpn);
1082 #endif
1083 ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_UNCOMMON_ALPN);
1084 break;
1085 }
1086
1087 alpn_start = comma_or_nul + 1;
1088 } while (*(comma_or_nul++) != '\0');
1089 }
1090
1091 /* **************************************** */
1092
ndpi_int_tls_add_connection(struct ndpi_detection_module_struct * ndpi_struct,struct ndpi_flow_struct * flow,u_int32_t protocol)1093 static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
1094 struct ndpi_flow_struct *flow, u_int32_t protocol) {
1095 #if DEBUG_TLS
1096 printf("[TLS] %s()\n", __FUNCTION__);
1097 #endif
1098
1099 if((flow->packet.udp != NULL) && (protocol == NDPI_PROTOCOL_TLS))
1100 protocol = NDPI_PROTOCOL_DTLS;
1101
1102 if((flow->detected_protocol_stack[0] == protocol)
1103 || (flow->detected_protocol_stack[1] == protocol)) {
1104 if(!flow->check_extra_packets)
1105 tlsInitExtraPacketProcessing(ndpi_struct, flow);
1106 return;
1107 }
1108
1109 if(protocol != NDPI_PROTOCOL_TLS)
1110 ;
1111 else
1112 protocol = ndpi_tls_refine_master_protocol(ndpi_struct, flow, protocol);
1113
1114 ndpi_set_detected_protocol(ndpi_struct, flow, protocol, protocol);
1115
1116 tlsInitExtraPacketProcessing(ndpi_struct, flow);
1117 }
1118
1119 /* **************************************** */
1120
checkExtensions(struct ndpi_detection_module_struct * ndpi_struct,struct ndpi_flow_struct * const flow,int is_dtls,u_int16_t extension_id,u_int16_t extension_len,u_int16_t extension_payload_offset)1121 static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct,
1122 struct ndpi_flow_struct * const flow, int is_dtls,
1123 u_int16_t extension_id, u_int16_t extension_len, u_int16_t extension_payload_offset)
1124 {
1125 struct ndpi_packet_struct const * const packet = &flow->packet;
1126
1127 if (extension_payload_offset + extension_len > packet->payload_packet_len)
1128 {
1129 #ifdef DEBUG_TLS
1130 printf("[TLS] extension length exceeds remaining packet length: %u > %u.\n",
1131 extension_len, packet->payload_packet_len - extension_payload_offset);
1132 #endif
1133 ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_EXTENSION_SUSPICIOUS);
1134 return;
1135 }
1136
1137 /* see: https://www.wireshark.org/docs/wsar_html/packet-tls-utils_8h_source.html */
1138 static u_int16_t const allowed_non_iana_extensions[] = {
1139 65486 /* ESNI */, 13172 /* NPN - Next Proto Neg */, 17513 /* ALPS */,
1140 30032 /* Channel ID */, 65445 /* QUIC transport params */,
1141 /* GREASE extensions */
1142 2570, 6682, 10794, 14906, 19018, 23130, 27242,
1143 31354, 35466, 39578, 43690, 47802, 51914, 56026,
1144 60138, 64250,
1145 /* Groups */
1146 1035, 10794, 16696, 23130, 31354, 35466, 51914,
1147 /* Ciphers */
1148 102, 129, 52243, 52244, 57363, 65279, 65413
1149 };
1150 size_t const allowed_non_iana_extensions_size = sizeof(allowed_non_iana_extensions) /
1151 sizeof(allowed_non_iana_extensions[0]);
1152
1153 /* see: https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
1154 if (extension_id > 59 && extension_id != 65281)
1155 {
1156 u_int8_t extension_found = 0;
1157 for (size_t i = 0; i < allowed_non_iana_extensions_size; ++i)
1158 {
1159 if (allowed_non_iana_extensions[i] == extension_id)
1160 {
1161 extension_found = 1;
1162 break;
1163 }
1164 }
1165 if (extension_found == 0)
1166 {
1167 #ifdef DEBUG_TLS
1168 printf("[TLS] suspicious extension id: %u\n", extension_id);
1169 #endif
1170 ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_EXTENSION_SUSPICIOUS);
1171 return;
1172 }
1173 }
1174
1175 /* Check for DTLS-only extensions. */
1176 if (is_dtls == 0)
1177 {
1178 if (extension_id == 53 || extension_id == 54)
1179 {
1180 #ifdef DEBUG_TLS
1181 printf("[TLS] suspicious DTLS-only extension id: %u\n", extension_id);
1182 #endif
1183 ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_EXTENSION_SUSPICIOUS);
1184 return;
1185 }
1186 }
1187 }
1188
1189 /* **************************************** */
1190
processClientServerHello(struct ndpi_detection_module_struct * ndpi_struct,struct ndpi_flow_struct * flow,uint32_t quic_version)1191 int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
1192 struct ndpi_flow_struct *flow, uint32_t quic_version) {
1193 struct ndpi_packet_struct *packet = &flow->packet;
1194 union ja3_info ja3;
1195 u_int8_t invalid_ja3 = 0;
1196 u_int16_t tls_version, ja3_str_len;
1197 char ja3_str[JA3_STR_LEN];
1198 ndpi_MD5_CTX ctx;
1199 u_char md5_hash[16];
1200 int i;
1201 u_int16_t total_len;
1202 u_int8_t handshake_type;
1203 char buffer[64] = { '\0' };
1204 int is_quic = (quic_version != 0);
1205 int is_dtls = packet->udp && (!is_quic);
1206
1207 #ifdef DEBUG_TLS
1208 printf("TLS %s() called\n", __FUNCTION__);
1209 #endif
1210
1211 memset(&ja3, 0, sizeof(ja3));
1212
1213 handshake_type = packet->payload[0];
1214 total_len = (packet->payload[1] << 16) + (packet->payload[2] << 8) + packet->payload[3];
1215
1216 if((total_len > packet->payload_packet_len) || (packet->payload[1] != 0x0))
1217 return(0); /* Not found */
1218
1219 total_len = packet->payload_packet_len;
1220
1221 /* At least "magic" 3 bytes, null for string end, otherwise no need to waste cpu cycles */
1222 if(total_len > 4) {
1223 u_int16_t base_offset = (!is_dtls) ? 38 : 46;
1224 u_int16_t version_offset = (!is_dtls) ? 4 : 12;
1225 u_int16_t offset = (!is_dtls) ? 38 : 46, extension_len, j;
1226 u_int8_t session_id_len = 0;
1227
1228 if((base_offset >= total_len) ||
1229 (version_offset + 1) >= total_len)
1230 return 0; /* Not found */
1231
1232 session_id_len = packet->payload[base_offset];
1233
1234 #ifdef DEBUG_TLS
1235 printf("TLS [len: %u][handshake_type: %02X]\n", packet->payload_packet_len, handshake_type);
1236 #endif
1237
1238 tls_version = ntohs(*((u_int16_t*)&packet->payload[version_offset]));
1239
1240 if(handshake_type == 0x02 /* Server Hello */) {
1241 int i, rc;
1242
1243 ja3.server.tls_handshake_version = tls_version;
1244
1245 #ifdef DEBUG_TLS
1246 printf("TLS Server Hello [version: 0x%04X]\n", tls_version);
1247 #endif
1248
1249 /*
1250 The server hello decides about the TLS version of this flow
1251 https://networkengineering.stackexchange.com/questions/55752/why-does-wireshark-show-version-tls-1-2-here-instead-of-tls-1-3
1252 */
1253 if(packet->udp)
1254 offset += session_id_len + 1;
1255 else {
1256 if(tls_version < 0x7F15 /* TLS 1.3 lacks of session id */)
1257 offset += session_id_len+1;
1258 }
1259
1260 if((offset+3) > packet->payload_packet_len)
1261 return(0); /* Not found */
1262
1263 ja3.server.num_cipher = 1, ja3.server.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset]));
1264 if((flow->protos.tls_quic_stun.tls_quic.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.server.cipher[0])) == 1)
1265 ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_WEAK_CIPHER);
1266
1267 flow->protos.tls_quic_stun.tls_quic.server_cipher = ja3.server.cipher[0];
1268
1269 #ifdef DEBUG_TLS
1270 printf("TLS [server][session_id_len: %u][cipher: %04X]\n", session_id_len, ja3.server.cipher[0]);
1271 #endif
1272
1273 offset += 2 + 1;
1274
1275 if((offset + 1) < packet->payload_packet_len) /* +1 because we are goint to read 2 bytes */
1276 extension_len = ntohs(*((u_int16_t*)&packet->payload[offset]));
1277 else
1278 extension_len = 0;
1279
1280 #ifdef DEBUG_TLS
1281 printf("TLS [server][extension_len: %u]\n", extension_len);
1282 #endif
1283 offset += 2;
1284
1285 for(i=0; i<extension_len; ) {
1286 u_int16_t extension_id, extension_len;
1287
1288 if((offset+4) > packet->payload_packet_len) break;
1289
1290 extension_id = ntohs(*((u_int16_t*)&packet->payload[offset]));
1291 extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+2]));
1292
1293 if(ja3.server.num_tls_extension < MAX_NUM_JA3)
1294 ja3.server.tls_extension[ja3.server.num_tls_extension++] = extension_id;
1295
1296 #ifdef DEBUG_TLS
1297 printf("TLS [server][extension_id: %u/0x%04X][len: %u]\n",
1298 extension_id, extension_id, extension_len);
1299 #endif
1300 checkExtensions(ndpi_struct, flow, is_dtls, extension_id, extension_len, offset + 4);
1301
1302 if(extension_id == 43 /* supported versions */) {
1303 if(extension_len >= 2) {
1304 u_int16_t tls_version = ntohs(*((u_int16_t*)&packet->payload[offset+4]));
1305
1306 #ifdef DEBUG_TLS
1307 printf("TLS [server] [TLS version: 0x%04X]\n", tls_version);
1308 #endif
1309
1310 flow->protos.tls_quic_stun.tls_quic.ssl_version = ja3.server.tls_supported_version = tls_version;
1311 }
1312 } else if(extension_id == 16 /* application_layer_protocol_negotiation (ALPN) */) {
1313 u_int16_t s_offset = offset+4;
1314 u_int16_t tot_alpn_len = ntohs(*((u_int16_t*)&packet->payload[s_offset]));
1315 char alpn_str[256];
1316 u_int8_t alpn_str_len = 0, i;
1317
1318 #ifdef DEBUG_TLS
1319 printf("Server TLS [ALPN: block_len=%u/len=%u]\n", extension_len, tot_alpn_len);
1320 #endif
1321 s_offset += 2;
1322 tot_alpn_len += s_offset;
1323
1324 while(s_offset < tot_alpn_len && s_offset < total_len) {
1325 u_int8_t alpn_i, alpn_len = packet->payload[s_offset++];
1326
1327 if((s_offset + alpn_len) <= tot_alpn_len) {
1328 #ifdef DEBUG_TLS
1329 printf("Server TLS [ALPN: %u]\n", alpn_len);
1330 #endif
1331
1332 if((alpn_str_len+alpn_len+1) < (sizeof(alpn_str)-1)) {
1333 if(alpn_str_len > 0) {
1334 alpn_str[alpn_str_len] = ',';
1335 alpn_str_len++;
1336 }
1337
1338 for(alpn_i=0; alpn_i<alpn_len; alpn_i++)
1339 {
1340 alpn_str[alpn_str_len+alpn_i] = packet->payload[s_offset+alpn_i];
1341 }
1342
1343 s_offset += alpn_len, alpn_str_len += alpn_len;;
1344 } else {
1345 ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_UNCOMMON_ALPN);
1346 break;
1347 }
1348 } else {
1349 ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_UNCOMMON_ALPN);
1350 break;
1351 }
1352 } /* while */
1353
1354 alpn_str[alpn_str_len] = '\0';
1355
1356 #ifdef DEBUG_TLS
1357 printf("Server TLS [ALPN: %s][len: %u]\n", alpn_str, alpn_str_len);
1358 #endif
1359 if(flow->protos.tls_quic_stun.tls_quic.alpn == NULL)
1360 flow->protos.tls_quic_stun.tls_quic.alpn = ndpi_strdup(alpn_str);
1361
1362 if(flow->protos.tls_quic_stun.tls_quic.alpn != NULL)
1363 tlsCheckUncommonALPN(ndpi_struct, flow);
1364
1365 snprintf(ja3.server.alpn, sizeof(ja3.server.alpn), "%s", alpn_str);
1366
1367 /* Replace , with - as in JA3 */
1368 for(i=0; ja3.server.alpn[i] != '\0'; i++)
1369 if(ja3.server.alpn[i] == ',') ja3.server.alpn[i] = '-';
1370 } else if(extension_id == 11 /* ec_point_formats groups */) {
1371 u_int16_t s_offset = offset+4 + 1;
1372
1373 #ifdef DEBUG_TLS
1374 printf("Server TLS [EllipticCurveFormat: len=%u]\n", extension_len);
1375 #endif
1376 if((s_offset+extension_len-1) <= total_len) {
1377 for(i=0; i<extension_len-1; i++) {
1378 u_int8_t s_group = packet->payload[s_offset+i];
1379
1380 #ifdef DEBUG_TLS
1381 printf("Server TLS [EllipticCurveFormat: %u]\n", s_group);
1382 #endif
1383
1384 if(ja3.server.num_elliptic_curve_point_format < MAX_NUM_JA3)
1385 ja3.server.elliptic_curve_point_format[ja3.server.num_elliptic_curve_point_format++] = s_group;
1386 else {
1387 invalid_ja3 = 1;
1388 #ifdef DEBUG_TLS
1389 printf("Server TLS Invalid num elliptic %u\n", ja3.server.num_elliptic_curve_point_format);
1390 #endif
1391 }
1392 }
1393 } else {
1394 invalid_ja3 = 1;
1395 #ifdef DEBUG_TLS
1396 printf("Server TLS Invalid len %u vs %u\n", s_offset+extension_len, total_len);
1397 #endif
1398 }
1399 }
1400
1401 i += 4 + extension_len, offset += 4 + extension_len;
1402 } /* for */
1403
1404 ja3_str_len = snprintf(ja3_str, JA3_STR_LEN, "%u,", ja3.server.tls_handshake_version);
1405
1406 for(i=0; (i<ja3.server.num_cipher) && (JA3_STR_LEN > ja3_str_len); i++) {
1407 rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.server.cipher[i]);
1408
1409 if(rc <= 0) break; else ja3_str_len += rc;
1410 }
1411
1412 if(JA3_STR_LEN > ja3_str_len) {
1413 rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
1414 if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
1415 }
1416
1417 /* ********** */
1418
1419 for(i=0; (i<ja3.server.num_tls_extension) && (JA3_STR_LEN > ja3_str_len); i++) {
1420 int rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.server.tls_extension[i]);
1421
1422 if(rc <= 0) break; else ja3_str_len += rc;
1423 }
1424
1425 if(ndpi_struct->enable_ja3_plus) {
1426 for(i=0; (i<ja3.server.num_elliptic_curve_point_format) && (JA3_STR_LEN > ja3_str_len); i++) {
1427 rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
1428 (i > 0) ? "-" : "", ja3.server.elliptic_curve_point_format[i]);
1429 if((rc > 0) && (ja3_str_len + rc < JA3_STR_LEN)) ja3_str_len += rc; else break;
1430 }
1431
1432 if((ja3.server.alpn[0] != '\0') && (JA3_STR_LEN > ja3_str_len)) {
1433 rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",%s", ja3.server.alpn);
1434 if((rc > 0) && (ja3_str_len + rc < JA3_STR_LEN)) ja3_str_len += rc;
1435 }
1436
1437 #ifdef DEBUG_TLS
1438 printf("[JA3+] Server: %s \n", ja3_str);
1439 #endif
1440 } else {
1441 #ifdef DEBUG_TLS
1442 printf("[JA3] Server: %s \n", ja3_str);
1443 #endif
1444 }
1445
1446 ndpi_MD5Init(&ctx);
1447 ndpi_MD5Update(&ctx, (const unsigned char *)ja3_str, strlen(ja3_str));
1448 ndpi_MD5Final(md5_hash, &ctx);
1449
1450 for(i=0, j=0; i<16; i++) {
1451 int rc = snprintf(&flow->protos.tls_quic_stun.tls_quic.ja3_server[j],
1452 sizeof(flow->protos.tls_quic_stun.tls_quic.ja3_server)-j, "%02x", md5_hash[i]);
1453 if(rc <= 0) break; else j += rc;
1454 }
1455
1456 #ifdef DEBUG_TLS
1457 printf("[JA3] Server: %s \n", flow->protos.tls_quic_stun.tls_quic.ja3_server);
1458 #endif
1459 } else if(handshake_type == 0x01 /* Client Hello */) {
1460 u_int16_t cipher_len, cipher_offset;
1461 u_int8_t cookie_len = 0;
1462
1463 flow->protos.tls_quic_stun.tls_quic.ssl_version = ja3.client.tls_handshake_version = tls_version;
1464 if(flow->protos.tls_quic_stun.tls_quic.ssl_version < 0x0302) /* TLSv1.1 */
1465 ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_OBSOLETE_VERSION);
1466
1467 if((session_id_len+base_offset+3) > packet->payload_packet_len)
1468 return(0); /* Not found */
1469
1470 if(!is_dtls) {
1471 cipher_len = packet->payload[session_id_len+base_offset+2] + (packet->payload[session_id_len+base_offset+1] << 8);
1472 cipher_offset = base_offset + session_id_len + 3;
1473 } else {
1474 cookie_len = packet->payload[base_offset+session_id_len+1];
1475 #ifdef DEBUG_TLS
1476 printf("[JA3] Client: DTLS cookie len %d\n", cookie_len);
1477 #endif
1478 if((session_id_len+base_offset+cookie_len+4) > packet->payload_packet_len)
1479 return(0); /* Not found */
1480 cipher_len = ntohs(*((u_int16_t*)&packet->payload[base_offset+session_id_len+cookie_len+2]));
1481 cipher_offset = base_offset + session_id_len + cookie_len + 4;
1482 }
1483
1484 #ifdef DEBUG_TLS
1485 printf("Client TLS [client cipher_len: %u][tls_version: 0x%04X]\n", cipher_len, tls_version);
1486 #endif
1487
1488 if((cipher_offset+cipher_len) <= total_len) {
1489 u_int8_t safari_ciphers = 0, chrome_ciphers = 0, this_is_not_safari = 0, looks_like_safari_on_big_sur = 0;
1490
1491 for(i=0; i<cipher_len;) {
1492 u_int16_t *id = (u_int16_t*)&packet->payload[cipher_offset+i];
1493 u_int16_t cipher_id = ntohs(*id);
1494
1495 if(packet->payload[cipher_offset+i] != packet->payload[cipher_offset+i+1] /* Skip Grease */) {
1496 /*
1497 Skip GREASE [https://tools.ietf.org/id/draft-ietf-tls-grease-01.html]
1498 https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967
1499 */
1500
1501 #if defined(DEBUG_TLS) || defined(DEBUG_HEURISTIC)
1502 printf("Client TLS [non-GREASE cipher suite: %u/0x%04X] [%d/%u]\n", cipher_id, cipher_id, i, cipher_len);
1503 #endif
1504
1505 if(ja3.client.num_cipher < MAX_NUM_JA3)
1506 ja3.client.cipher[ja3.client.num_cipher++] = cipher_id;
1507 else {
1508 invalid_ja3 = 1;
1509 #ifdef DEBUG_TLS
1510 printf("Client TLS Invalid cipher %u\n", ja3.client.num_cipher);
1511 #endif
1512 }
1513
1514 #if defined(DEBUG_TLS) || defined(DEBUG_HEURISTIC)
1515 printf("Client TLS [cipher suite: %u/0x%04X] [%d/%u]\n", cipher_id, cipher_id, i, cipher_len);
1516 #endif
1517
1518 switch(cipher_id) {
1519 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
1520 case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
1521 safari_ciphers++;
1522 break;
1523
1524 case TLS_AES_128_GCM_SHA256:
1525 case TLS_AES_256_GCM_SHA384:
1526 case TLS_CHACHA20_POLY1305_SHA256:
1527 chrome_ciphers++;
1528 break;
1529
1530 case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:
1531 case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
1532 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
1533 case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
1534 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
1535 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
1536 case TLS_RSA_WITH_AES_128_CBC_SHA:
1537 case TLS_RSA_WITH_AES_256_CBC_SHA:
1538 case TLS_RSA_WITH_AES_128_GCM_SHA256:
1539 case TLS_RSA_WITH_AES_256_GCM_SHA384:
1540 safari_ciphers++, chrome_ciphers++;
1541 break;
1542
1543 case TLS_RSA_WITH_3DES_EDE_CBC_SHA:
1544 looks_like_safari_on_big_sur = 1;
1545 break;
1546 }
1547 } else {
1548 #if defined(DEBUG_TLS) || defined(DEBUG_HEURISTIC)
1549 printf("Client TLS [GREASE cipher suite: %u/0x%04X] [%d/%u]\n", cipher_id, cipher_id, i, cipher_len);
1550 #endif
1551
1552 this_is_not_safari = 1; /* NOTE: BugSur and up have grease support */
1553 }
1554
1555 i += 2;
1556 } /* for */
1557
1558 /* NOTE:
1559 we do not check for duplicates as with signatures because
1560 this is time consuming and we want to avoid overhead whem possible
1561 */
1562 if(this_is_not_safari)
1563 flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 0;
1564 else if((safari_ciphers == 12) || (this_is_not_safari && looks_like_safari_on_big_sur))
1565 flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 1;
1566
1567 if(chrome_ciphers == 13)
1568 flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls = 1;
1569
1570 /* Note that both Safari and Chrome can overlap */
1571 #ifdef DEBUG_HEURISTIC
1572 printf("[CIPHERS] [is_chrome_tls: %u (%u)][is_safari_tls: %u (%u)][this_is_not_safari: %u]\n",
1573 flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_chrome_tls,
1574 chrome_ciphers,
1575 flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls,
1576 safari_ciphers,
1577 this_is_not_safari);
1578 #endif
1579 } else {
1580 invalid_ja3 = 1;
1581 #ifdef DEBUG_TLS
1582 printf("Client TLS Invalid len %u vs %u\n", (cipher_offset+cipher_len), total_len);
1583 #endif
1584 }
1585
1586 offset = base_offset + session_id_len + cookie_len + cipher_len + 2;
1587 offset += (!is_dtls) ? 1 : 2;
1588
1589 if(offset < total_len) {
1590 u_int16_t compression_len;
1591 u_int16_t extensions_len;
1592
1593 compression_len = packet->payload[offset];
1594 offset++;
1595
1596 #ifdef DEBUG_TLS
1597 printf("Client TLS [compression_len: %u]\n", compression_len);
1598 #endif
1599
1600 // offset += compression_len + 3;
1601 offset += compression_len;
1602
1603 if(offset+1 < total_len) {
1604 extensions_len = ntohs(*((u_int16_t*)&packet->payload[offset]));
1605 offset += 2;
1606
1607 #ifdef DEBUG_TLS
1608 printf("Client TLS [extensions_len: %u]\n", extensions_len);
1609 #endif
1610
1611 if((extensions_len+offset) <= total_len) {
1612 /* Move to the first extension
1613 Type is u_int to avoid possible overflow on extension_len addition */
1614 u_int extension_offset = 0;
1615 u_int32_t j;
1616
1617 while(extension_offset < extensions_len &&
1618 offset+extension_offset+4 <= total_len) {
1619 u_int16_t extension_id, extension_len, extn_off = offset+extension_offset;
1620
1621
1622 extension_id = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset]));
1623 extension_offset += 2;
1624
1625 extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset]));
1626 extension_offset += 2;
1627
1628 #ifdef DEBUG_TLS
1629 printf("Client TLS [extension_id: %u][extension_len: %u]\n", extension_id, extension_len);
1630 #endif
1631 checkExtensions(ndpi_struct, flow, is_dtls,
1632 extension_id, extension_len, offset + extension_offset);
1633
1634 if((extension_id == 0) || (packet->payload[extn_off] != packet->payload[extn_off+1])) {
1635 /* Skip GREASE */
1636
1637 if(ja3.client.num_tls_extension < MAX_NUM_JA3)
1638 ja3.client.tls_extension[ja3.client.num_tls_extension++] = extension_id;
1639 else {
1640 invalid_ja3 = 1;
1641 #ifdef DEBUG_TLS
1642 printf("Client TLS Invalid extensions %u\n", ja3.client.num_tls_extension);
1643 #endif
1644 }
1645 }
1646
1647 if(extension_id == 0 /* server name */) {
1648 u_int16_t len;
1649
1650 #ifdef DEBUG_TLS
1651 printf("[TLS] Extensions: found server name\n");
1652 #endif
1653 if((offset+extension_offset+4) < packet->payload_packet_len) {
1654
1655 len = (packet->payload[offset+extension_offset+3] << 8) + packet->payload[offset+extension_offset+4];
1656 len = (u_int)ndpi_min(len, sizeof(buffer)-1);
1657
1658 if((offset+extension_offset+5+len) <= packet->payload_packet_len) {
1659 strncpy(buffer, (char*)&packet->payload[offset+extension_offset+5], len);
1660 buffer[len] = '\0';
1661
1662 cleanupServerName(buffer, sizeof(buffer));
1663
1664 snprintf(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name,
1665 sizeof(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name),
1666 "%s", buffer);
1667 #ifdef DEBUG_TLS
1668 printf("[TLS] SNI: [%s]\n", buffer);
1669 #endif
1670 if (ndpi_is_printable_string(buffer, len) == 0)
1671 {
1672 ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_EXTENSION_SUSPICIOUS);
1673 }
1674
1675 if(!is_quic) {
1676 if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, buffer, strlen(buffer)))
1677 flow->l4.tcp.tls.subprotocol_detected = 1;
1678 } else {
1679 if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, buffer, strlen(buffer)))
1680 flow->l4.tcp.tls.subprotocol_detected = 1;
1681 }
1682
1683 if(ndpi_check_dga_name(ndpi_struct, flow,
1684 flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, 1)) {
1685 char *sni = flow->protos.tls_quic_stun.tls_quic.client_requested_server_name;
1686 int len = strlen(sni);
1687
1688 #ifdef DEBUG_TLS
1689 printf("[TLS] SNI: (DGA) [%s]\n", flow->protos.tls_quic_stun.tls_quic.client_requested_server_name);
1690 #endif
1691
1692 if((len >= 4)
1693 /* Check if it ends in .com or .net */
1694 && ((strcmp(&sni[len-4], ".com") == 0) || (strcmp(&sni[len-4], ".net") == 0))
1695 && (strncmp(sni, "www.", 4) == 0)) /* Not starting with www.... */
1696 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_TLS);
1697 } else {
1698 #ifdef DEBUG_TLS
1699 printf("[TLS] SNI: (NO DGA) [%s]\n", flow->protos.tls_quic_stun.tls_quic.client_requested_server_name);
1700 #endif
1701 }
1702 } else {
1703 #ifdef DEBUG_TLS
1704 printf("[TLS] Extensions server len too short: %u vs %u\n",
1705 offset+extension_offset+5+len,
1706 packet->payload_packet_len);
1707 #endif
1708 }
1709 }
1710 } else if(extension_id == 10 /* supported groups */) {
1711 u_int16_t s_offset = offset+extension_offset + 2;
1712
1713 #ifdef DEBUG_TLS
1714 printf("Client TLS [EllipticCurveGroups: len=%u]\n", extension_len);
1715 #endif
1716
1717 if((s_offset+extension_len-2) <= total_len) {
1718 for(i=0; i<extension_len-2;) {
1719 u_int16_t s_group = ntohs(*((u_int16_t*)&packet->payload[s_offset+i]));
1720
1721 #ifdef DEBUG_TLS
1722 printf("Client TLS [EllipticCurve: %u/0x%04X]\n", s_group, s_group);
1723 #endif
1724 if((s_group == 0) || (packet->payload[s_offset+i] != packet->payload[s_offset+i+1])) {
1725 /* Skip GREASE */
1726 if(ja3.client.num_elliptic_curve < MAX_NUM_JA3)
1727 ja3.client.elliptic_curve[ja3.client.num_elliptic_curve++] = s_group;
1728 else {
1729 invalid_ja3 = 1;
1730 #ifdef DEBUG_TLS
1731 printf("Client TLS Invalid num elliptic %u\n", ja3.client.num_elliptic_curve);
1732 #endif
1733 }
1734 }
1735
1736 i += 2;
1737 }
1738 } else {
1739 invalid_ja3 = 1;
1740 #ifdef DEBUG_TLS
1741 printf("Client TLS Invalid len %u vs %u\n", (s_offset+extension_len-1), total_len);
1742 #endif
1743 }
1744 } else if(extension_id == 11 /* ec_point_formats groups */) {
1745 u_int16_t s_offset = offset+extension_offset + 1;
1746
1747 #ifdef DEBUG_TLS
1748 printf("Client TLS [EllipticCurveFormat: len=%u]\n", extension_len);
1749 #endif
1750 if((s_offset+extension_len-1) <= total_len) {
1751 for(i=0; i<extension_len-1; i++) {
1752 u_int8_t s_group = packet->payload[s_offset+i];
1753
1754 #ifdef DEBUG_TLS
1755 printf("Client TLS [EllipticCurveFormat: %u]\n", s_group);
1756 #endif
1757
1758 if(ja3.client.num_elliptic_curve_point_format < MAX_NUM_JA3)
1759 ja3.client.elliptic_curve_point_format[ja3.client.num_elliptic_curve_point_format++] = s_group;
1760 else {
1761 invalid_ja3 = 1;
1762 #ifdef DEBUG_TLS
1763 printf("Client TLS Invalid num elliptic %u\n", ja3.client.num_elliptic_curve_point_format);
1764 #endif
1765 }
1766 }
1767 } else {
1768 invalid_ja3 = 1;
1769 #ifdef DEBUG_TLS
1770 printf("Client TLS Invalid len %u vs %u\n", s_offset+extension_len, total_len);
1771 #endif
1772 }
1773 } else if(extension_id == 13 /* signature algorithms */) {
1774 u_int16_t s_offset = offset+extension_offset, safari_signature_algorithms = 0, chrome_signature_algorithms = 0,
1775 duplicate_found = 0, last_signature = 0;
1776 u_int16_t tot_signature_algorithms_len = ntohs(*((u_int16_t*)&packet->payload[s_offset]));
1777
1778 #ifdef DEBUG_TLS
1779 printf("Client TLS [SIGNATURE_ALGORITHMS: block_len=%u/len=%u]\n", extension_len, tot_signature_algorithms_len);
1780 #endif
1781
1782 s_offset += 2;
1783 tot_signature_algorithms_len = ndpi_min((sizeof(ja3.client.signature_algorithms) / 2) - 1, tot_signature_algorithms_len);
1784
1785 #ifdef TLS_HANDLE_SIGNATURE_ALGORITMS
1786 flow->protos.tls_quic_stun.tls_quic.num_tls_signature_algorithms = ndpi_min(tot_signature_algorithms_len / 2, MAX_NUM_TLS_SIGNATURE_ALGORITHMS);
1787
1788 memcpy(flow->protos.tls_quic_stun.tls_quic.client_signature_algorithms,
1789 &packet->payload[s_offset], 2 /* 16 bit */*flow->protos.tls_quic_stun.tls_quic.num_tls_signature_algorithms);
1790 #endif
1791
1792 for(i=0; i<tot_signature_algorithms_len; i++) {
1793 int rc = snprintf(&ja3.client.signature_algorithms[i*2], sizeof(ja3.client.signature_algorithms)-i*2, "%02X", packet->payload[s_offset+i]);
1794
1795 if(rc < 0) break;
1796 }
1797
1798 for(i=0; i<tot_signature_algorithms_len; i+=2) {
1799 u_int16_t signature_algo = (u_int16_t)ntohs(*((u_int16_t*)&packet->payload[s_offset+i]));
1800
1801 if(last_signature == signature_algo) {
1802 /* Consecutive duplication */
1803 duplicate_found = 1;
1804 continue;
1805 } else {
1806 /* Check for other duplications */
1807 u_int j, all_ok = 1;
1808
1809 for(j=0; j<tot_signature_algorithms_len; j+=2) {
1810 if(j != i) {
1811 u_int16_t j_signature_algo = (u_int16_t)ntohs(*((u_int16_t*)&packet->payload[s_offset+j]));
1812
1813 if((signature_algo == j_signature_algo)
1814 && (i < j) /* Don't skip both of them */) {
1815 #ifdef DEBUG_HEURISTIC
1816 printf("[SIGNATURE] [TLS Signature Algorithm] Skipping duplicate 0x%04X\n", signature_algo);
1817 #endif
1818
1819 duplicate_found = 1, all_ok = 0;
1820 break;
1821 }
1822 }
1823 }
1824
1825 if(!all_ok)
1826 continue;
1827 }
1828
1829 last_signature = signature_algo;
1830
1831 #ifdef DEBUG_HEURISTIC
1832 printf("[SIGNATURE] [TLS Signature Algorithm] 0x%04X\n", signature_algo);
1833 #endif
1834 switch(signature_algo) {
1835 case ECDSA_SECP521R1_SHA512:
1836 flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_firefox_tls = 1;
1837 break;
1838
1839 case ECDSA_SECP256R1_SHA256:
1840 case ECDSA_SECP384R1_SHA384:
1841 case RSA_PKCS1_SHA256:
1842 case RSA_PKCS1_SHA384:
1843 case RSA_PKCS1_SHA512:
1844 case RSA_PSS_RSAE_SHA256:
1845 case RSA_PSS_RSAE_SHA384:
1846 case RSA_PSS_RSAE_SHA512:
1847 chrome_signature_algorithms++, safari_signature_algorithms++;
1848 #ifdef DEBUG_HEURISTIC
1849 printf("[SIGNATURE] [Chrome/Safari] Found 0x%04X [chrome: %u][safari: %u]\n",
1850 signature_algo, chrome_signature_algorithms, safari_signature_algorithms);
1851 #endif
1852
1853 break;
1854 }
1855 }
1856
1857 #ifdef DEBUG_HEURISTIC
1858 printf("[SIGNATURE] [safari_signature_algorithms: %u][chrome_signature_algorithms: %u]\n",
1859 safari_signature_algorithms, chrome_signature_algorithms);
1860 #endif
1861
1862 if(flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_firefox_tls)
1863 flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 0,
1864 flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls = 0;
1865
1866 if(safari_signature_algorithms != 8)
1867 flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 0;
1868
1869 if((chrome_signature_algorithms != 8) || duplicate_found)
1870 flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls = 0;
1871
1872 /* Avoid Chrome and Safari overlaps, thing that cannot happen with Firefox */
1873 if(flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls)
1874 flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls = 0;
1875
1876 if((flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls == 0)
1877 && duplicate_found)
1878 flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 1; /* Safari */
1879
1880 #ifdef DEBUG_HEURISTIC
1881 printf("[SIGNATURE] [is_firefox_tls: %u][is_chrome_tls: %u][is_safari_tls: %u][duplicate_found: %u]\n",
1882 flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_firefox_tls,
1883 flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_chrome_tls,
1884 flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls,
1885 duplicate_found);
1886 #endif
1887
1888 if (i >= tot_signature_algorithms_len) {
1889 ja3.client.signature_algorithms[i*2 - 1] = '\0';
1890 } else {
1891 ja3.client.signature_algorithms[i*2] = '\0';
1892 }
1893
1894 #ifdef DEBUG_TLS
1895 printf("Client TLS [SIGNATURE_ALGORITHMS: %s]\n", ja3.client.signature_algorithms);
1896 #endif
1897 } else if(extension_id == 16 /* application_layer_protocol_negotiation */) {
1898 u_int16_t s_offset = offset+extension_offset;
1899 u_int16_t tot_alpn_len = ntohs(*((u_int16_t*)&packet->payload[s_offset]));
1900 char alpn_str[256];
1901 u_int8_t alpn_str_len = 0, i;
1902
1903 #ifdef DEBUG_TLS
1904 printf("Client TLS [ALPN: block_len=%u/len=%u]\n", extension_len, tot_alpn_len);
1905 #endif
1906 s_offset += 2;
1907 tot_alpn_len += s_offset;
1908
1909 while(s_offset < tot_alpn_len && s_offset < total_len) {
1910 u_int8_t alpn_i, alpn_len = packet->payload[s_offset++];
1911
1912 if((s_offset + alpn_len) <= tot_alpn_len &&
1913 (s_offset + alpn_len) <= total_len) {
1914 #ifdef DEBUG_TLS
1915 printf("Client TLS [ALPN: %u]\n", alpn_len);
1916 #endif
1917
1918 if((alpn_str_len+alpn_len+1) < (sizeof(alpn_str)-1)) {
1919 if(alpn_str_len > 0) {
1920 alpn_str[alpn_str_len] = ',';
1921 alpn_str_len++;
1922 }
1923
1924 for(alpn_i=0; alpn_i<alpn_len; alpn_i++)
1925 alpn_str[alpn_str_len+alpn_i] = packet->payload[s_offset+alpn_i];
1926
1927 s_offset += alpn_len, alpn_str_len += alpn_len;;
1928 } else
1929 break;
1930 } else
1931 break;
1932 } /* while */
1933
1934 alpn_str[alpn_str_len] = '\0';
1935
1936 #ifdef DEBUG_TLS
1937 printf("Client TLS [ALPN: %s][len: %u]\n", alpn_str, alpn_str_len);
1938 #endif
1939 if(flow->protos.tls_quic_stun.tls_quic.alpn == NULL)
1940 flow->protos.tls_quic_stun.tls_quic.alpn = ndpi_strdup(alpn_str);
1941
1942 snprintf(ja3.client.alpn, sizeof(ja3.client.alpn), "%s", alpn_str);
1943
1944 /* Replace , with - as in JA3 */
1945 for(i=0; ja3.client.alpn[i] != '\0'; i++)
1946 if(ja3.client.alpn[i] == ',') ja3.client.alpn[i] = '-';
1947
1948 } else if(extension_id == 43 /* supported versions */) {
1949 u_int16_t s_offset = offset+extension_offset;
1950 u_int8_t version_len = packet->payload[s_offset];
1951 char version_str[256];
1952 u_int8_t version_str_len = 0;
1953 version_str[0] = 0;
1954 #ifdef DEBUG_TLS
1955 printf("Client TLS [TLS version len: %u]\n", version_len);
1956 #endif
1957
1958 if(version_len == (extension_len-1)) {
1959 u_int8_t j;
1960 u_int16_t supported_versions_offset = 0;
1961
1962 s_offset++;
1963
1964 // careful not to overflow and loop forever with u_int8_t
1965 for(j=0; j+1<version_len; j += 2) {
1966 u_int16_t tls_version = ntohs(*((u_int16_t*)&packet->payload[s_offset+j]));
1967 u_int8_t unknown_tls_version;
1968
1969 #ifdef DEBUG_TLS
1970 printf("Client TLS [TLS version: %s/0x%04X]\n",
1971 ndpi_ssl_version2str(flow, tls_version, &unknown_tls_version), tls_version);
1972 #endif
1973
1974 if((version_str_len+8) < sizeof(version_str)) {
1975 int rc = snprintf(&version_str[version_str_len],
1976 sizeof(version_str) - version_str_len, "%s%s",
1977 (version_str_len > 0) ? "," : "",
1978 ndpi_ssl_version2str(flow, tls_version, &unknown_tls_version));
1979 if(rc <= 0)
1980 break;
1981 else
1982 version_str_len += rc;
1983
1984 rc = snprintf(&ja3.client.supported_versions[supported_versions_offset],
1985 sizeof(ja3.client.supported_versions)-supported_versions_offset,
1986 "%s%04X", (j > 0) ? "-" : "", tls_version);
1987
1988 if(rc > 0)
1989 supported_versions_offset += rc;
1990 }
1991 }
1992
1993 #ifdef DEBUG_TLS
1994 printf("Client TLS [SUPPORTED_VERSIONS: %s]\n", ja3.client.supported_versions);
1995 #endif
1996
1997 if(flow->protos.tls_quic_stun.tls_quic.tls_supported_versions == NULL)
1998 flow->protos.tls_quic_stun.tls_quic.tls_supported_versions = ndpi_strdup(version_str);
1999 }
2000 } else if(extension_id == 65486 /* encrypted server name */) {
2001 /*
2002 - https://tools.ietf.org/html/draft-ietf-tls-esni-06
2003 - https://blog.cloudflare.com/encrypted-sni/
2004 */
2005 u_int16_t e_offset = offset+extension_offset;
2006 u_int16_t initial_offset = e_offset;
2007 u_int16_t e_sni_len, cipher_suite = ntohs(*((u_int16_t*)&packet->payload[e_offset]));
2008
2009 flow->protos.tls_quic_stun.tls_quic.encrypted_sni.cipher_suite = cipher_suite;
2010
2011 e_offset += 2; /* Cipher suite len */
2012
2013 /* Key Share Entry */
2014 e_offset += 2; /* Group */
2015 e_offset += ntohs(*((u_int16_t*)&packet->payload[e_offset])) + 2; /* Lenght */
2016
2017 if((e_offset+4) < packet->payload_packet_len) {
2018 /* Record Digest */
2019 e_offset += ntohs(*((u_int16_t*)&packet->payload[e_offset])) + 2; /* Lenght */
2020
2021 if((e_offset+4) < packet->payload_packet_len) {
2022 e_sni_len = ntohs(*((u_int16_t*)&packet->payload[e_offset]));
2023 e_offset += 2;
2024
2025 if((e_offset+e_sni_len-extension_len-initial_offset) >= 0 &&
2026 e_offset+e_sni_len < packet->payload_packet_len) {
2027 #ifdef DEBUG_ENCRYPTED_SNI
2028 printf("Client TLS [Encrypted Server Name len: %u]\n", e_sni_len);
2029 #endif
2030
2031 if(flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni == NULL) {
2032 flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni = (char*)ndpi_malloc(e_sni_len*2+1);
2033
2034 if(flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni) {
2035 u_int16_t i, off;
2036
2037 for(i=e_offset, off=0; i<(e_offset+e_sni_len); i++) {
2038 int rc = sprintf(&flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni[off], "%02X", packet->payload[i] & 0XFF);
2039
2040 if(rc <= 0) {
2041 flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni[off] = '\0';
2042 break;
2043 } else
2044 off += rc;
2045 }
2046 }
2047 }
2048 }
2049 }
2050 }
2051 } else if(extension_id == 65445 || /* QUIC transport parameters (drafts version) */
2052 extension_id == 57) { /* QUIC transport parameters (final version) */
2053 u_int16_t s_offset = offset+extension_offset;
2054 uint16_t final_offset;
2055 int using_var_int = is_version_with_var_int_transport_params(quic_version);
2056
2057 if(!using_var_int) {
2058 if(s_offset+1 >= total_len) {
2059 final_offset = 0; /* Force skipping extension */
2060 } else {
2061 u_int16_t seq_len = ntohs(*((u_int16_t*)&packet->payload[s_offset]));
2062 s_offset += 2;
2063 final_offset = MIN(total_len, s_offset + seq_len);
2064 }
2065 } else {
2066 final_offset = MIN(total_len, s_offset + extension_len);
2067 }
2068
2069 while(s_offset < final_offset) {
2070 u_int64_t param_type, param_len;
2071
2072 if(!using_var_int) {
2073 if(s_offset+3 >= final_offset)
2074 break;
2075 param_type = ntohs(*((u_int16_t*)&packet->payload[s_offset]));
2076 param_len = ntohs(*((u_int16_t*)&packet->payload[s_offset + 2]));
2077 s_offset += 4;
2078 } else {
2079 if(s_offset >= final_offset ||
2080 (s_offset + quic_len_buffer_still_required(packet->payload[s_offset])) >= final_offset)
2081 break;
2082 s_offset += quic_len(&packet->payload[s_offset], ¶m_type);
2083
2084 if(s_offset >= final_offset ||
2085 (s_offset + quic_len_buffer_still_required(packet->payload[s_offset])) >= final_offset)
2086 break;
2087 s_offset += quic_len(&packet->payload[s_offset], ¶m_len);
2088 }
2089
2090 #ifdef DEBUG_TLS
2091 printf("Client TLS [QUIC TP: Param 0x%x Len %d]\n", (int)param_type, (int)param_len);
2092 #endif
2093 if(s_offset+param_len > final_offset)
2094 break;
2095
2096 if(param_type==0x3129) {
2097 #ifdef DEBUG_TLS
2098 printf("UA [%.*s]\n", (int)param_len, &packet->payload[s_offset]);
2099 #endif
2100 http_process_user_agent(ndpi_struct, flow,
2101 &packet->payload[s_offset], param_len);
2102 break;
2103 }
2104 s_offset += param_len;
2105 }
2106 }
2107
2108 extension_offset += extension_len; /* Move to the next extension */
2109
2110 #ifdef DEBUG_TLS
2111 printf("Client TLS [extension_offset/len: %u/%u]\n", extension_offset, extension_len);
2112 #endif
2113 } /* while */
2114
2115 if(!invalid_ja3) {
2116 int rc;
2117
2118 compute_ja3c:
2119 ja3_str_len = snprintf(ja3_str, JA3_STR_LEN, "%u,", ja3.client.tls_handshake_version);
2120
2121 for(i=0; i<ja3.client.num_cipher; i++) {
2122 rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
2123 (i > 0) ? "-" : "", ja3.client.cipher[i]);
2124 if((rc > 0) && (ja3_str_len + rc < JA3_STR_LEN)) ja3_str_len += rc; else break;
2125 }
2126
2127 rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
2128 if((rc > 0) && (ja3_str_len + rc < JA3_STR_LEN)) ja3_str_len += rc;
2129
2130 /* ********** */
2131
2132 for(i=0; i<ja3.client.num_tls_extension; i++) {
2133 rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
2134 (i > 0) ? "-" : "", ja3.client.tls_extension[i]);
2135 if((rc > 0) && (ja3_str_len + rc < JA3_STR_LEN)) ja3_str_len += rc; else break;
2136 }
2137
2138 rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
2139 if((rc > 0) && (ja3_str_len + rc < JA3_STR_LEN)) ja3_str_len += rc;
2140
2141 /* ********** */
2142
2143 for(i=0; i<ja3.client.num_elliptic_curve; i++) {
2144 rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
2145 (i > 0) ? "-" : "", ja3.client.elliptic_curve[i]);
2146 if((rc > 0) && (ja3_str_len + rc < JA3_STR_LEN)) ja3_str_len += rc; else break;
2147 }
2148
2149 rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
2150 if((rc > 0) && (ja3_str_len + rc < JA3_STR_LEN)) ja3_str_len += rc;
2151
2152 for(i=0; i<ja3.client.num_elliptic_curve_point_format; i++) {
2153 rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
2154 (i > 0) ? "-" : "", ja3.client.elliptic_curve_point_format[i]);
2155 if((rc > 0) && (ja3_str_len + rc < JA3_STR_LEN)) ja3_str_len += rc; else break;
2156 }
2157
2158 if(ndpi_struct->enable_ja3_plus) {
2159 rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len,
2160 ",%s,%s,%s", ja3.client.signature_algorithms, ja3.client.supported_versions, ja3.client.alpn);
2161 if((rc > 0) && (ja3_str_len + rc < JA3_STR_LEN)) ja3_str_len += rc;
2162 }
2163
2164 #ifdef DEBUG_JA3C
2165 printf("[JA3+] Client: %s \n", ja3_str);
2166 #endif
2167
2168 ndpi_MD5Init(&ctx);
2169 ndpi_MD5Update(&ctx, (const unsigned char *)ja3_str, strlen(ja3_str));
2170 ndpi_MD5Final(md5_hash, &ctx);
2171
2172 for(i=0, j=0; i<16; i++) {
2173 rc = snprintf(&flow->protos.tls_quic_stun.tls_quic.ja3_client[j],
2174 sizeof(flow->protos.tls_quic_stun.tls_quic.ja3_client)-j, "%02x",
2175 md5_hash[i]);
2176 if(rc > 0) j += rc; else break;
2177 }
2178
2179 #ifdef DEBUG_JA3C
2180 printf("[JA3] Client: %s \n", flow->protos.tls_quic_stun.tls_quic.ja3_client);
2181 #endif
2182
2183 if(ndpi_struct->malicious_ja3_automa.ac_automa != NULL) {
2184 u_int16_t rc1 = ndpi_match_string(ndpi_struct->malicious_ja3_automa.ac_automa,
2185 flow->protos.tls_quic_stun.tls_quic.ja3_client);
2186
2187 if(rc1 > 0)
2188 ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_JA3);
2189 }
2190 }
2191
2192 /* Before returning to the caller we need to make a final check */
2193 if((flow->protos.tls_quic_stun.tls_quic.ssl_version >= 0x0303) /* >= TLSv1.2 */
2194 && (flow->protos.tls_quic_stun.tls_quic.alpn == NULL) /* No ALPN */) {
2195 ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_NOT_CARRYING_HTTPS);
2196 }
2197
2198 /* Suspicious Domain Fronting:
2199 https://github.com/SixGenInc/Noctilucent/blob/master/docs/ */
2200 if(flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni &&
2201 flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] != '\0') {
2202 ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_ESNI_USAGE);
2203 }
2204
2205 /* Add check for missing SNI */
2206 if((flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] == 0)
2207 && (flow->protos.tls_quic_stun.tls_quic.ssl_version >= 0x0302) /* TLSv1.1 */
2208 && (flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni == NULL) /* No ESNI */
2209 ) {
2210 /* This is a bit suspicious */
2211 ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_MISSING_SNI);
2212 }
2213
2214 return(2 /* Client Certificate */);
2215 } else {
2216 #ifdef DEBUG_TLS
2217 printf("[TLS] Client: too short [%u vs %u]\n",
2218 (extensions_len+offset), total_len);
2219 #endif
2220 }
2221 } else if(offset == total_len) {
2222 /* TLS does not have extensions etc */
2223 goto compute_ja3c;
2224 }
2225 } else {
2226 #ifdef DEBUG_TLS
2227 printf("[JA3] Client: invalid length detected\n");
2228 #endif
2229 }
2230 }
2231 }
2232
2233 return(0); /* Not found */
2234 }
2235
2236 /* **************************************** */
2237
ndpi_search_tls_wrapper(struct ndpi_detection_module_struct * ndpi_struct,struct ndpi_flow_struct * flow)2238 static void ndpi_search_tls_wrapper(struct ndpi_detection_module_struct *ndpi_struct,
2239 struct ndpi_flow_struct *flow) {
2240 struct ndpi_packet_struct *packet = &flow->packet;
2241
2242 #ifdef DEBUG_TLS
2243 printf("==>> %s() %u [len: %u][version: %u]\n",
2244 __FUNCTION__,
2245 flow->guessed_host_protocol_id,
2246 packet->payload_packet_len,
2247 flow->protos.tls_quic_stun.tls_quic.ssl_version);
2248 #endif
2249
2250 if(packet->udp != NULL)
2251 ndpi_search_tls_udp(ndpi_struct, flow);
2252 else
2253 ndpi_search_tls_tcp(ndpi_struct, flow);
2254 }
2255
2256 /* **************************************** */
2257
init_tls_dissector(struct ndpi_detection_module_struct * ndpi_struct,u_int32_t * id,NDPI_PROTOCOL_BITMASK * detection_bitmask)2258 void init_tls_dissector(struct ndpi_detection_module_struct *ndpi_struct,
2259 u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) {
2260 ndpi_set_bitmask_protocol_detection("TLS", ndpi_struct, detection_bitmask, *id,
2261 NDPI_PROTOCOL_TLS,
2262 ndpi_search_tls_wrapper,
2263 NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
2264 SAVE_DETECTION_BITMASK_AS_UNKNOWN,
2265 ADD_TO_DETECTION_BITMASK);
2266
2267 *id += 1;
2268
2269 /* *************************************************** */
2270
2271 ndpi_set_bitmask_protocol_detection("DTLS", ndpi_struct, detection_bitmask, *id,
2272 NDPI_PROTOCOL_DTLS,
2273 ndpi_search_tls_wrapper,
2274 NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
2275 SAVE_DETECTION_BITMASK_AS_UNKNOWN,
2276 ADD_TO_DETECTION_BITMASK);
2277
2278 *id += 1;
2279 }
2280