diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6e1eef68d19..17dbb04a861 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -250,7 +250,7 @@ jobs: echo "deb http://dk.archive.ubuntu.com/ubuntu/ xenial universe" | sudo tee -a /etc/apt/sources.list sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 40976EAF437D05B5 #For gcc-13 (on ubuntu-22.04) - sudo add-apt-repository ppa:ubuntu-toolchain-r/ppa + sudo add-apt-repository ppa:ubuntu-toolchain-r/test -y sudo apt-get update sudo apt-get install ${{ matrix.compiler }} - name: Setup Ubuntu specified (newest) compiler diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index 9f71974c46a..cc2e1b22f78 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -849,6 +849,7 @@ char* ndpi_ssl_version2str(char *buf, int buf_len, case 0XFB1A: strncpy(buf, "TLSv1.3 (Fizz)", buf_len); buf[buf_len - 1] = '\0'; return buf; /* https://engineering.fb.com/security/fizz/ */ case 0XFEFF: strncpy(buf, "DTLSv1.0", buf_len); buf[buf_len - 1] = '\0'; return buf; case 0XFEFD: strncpy(buf, "DTLSv1.2", buf_len); buf[buf_len - 1] = '\0'; return buf; + case 0XFEFC: strncpy(buf, "DTLSv1.3", buf_len); buf[buf_len - 1] = '\0'; return buf; case 0x0A0A: case 0x1A1A: case 0x2A2A: diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 0a3dda4ec59..056de293726 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -918,11 +918,14 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct, (packet->payload[0] == 0x01) ? "Client" : "Server"); #endif - /* Not support for DTLS 1.3 yet, then certificates are always visible in DTLS */ if((packet->tcp && flow->protos.tls_quic.ssl_version >= 0x0304 /* TLS 1.3 */) && (packet->payload[0] == 0x02 /* Server Hello */)) { flow->tls_quic.certificate_processed = 1; /* No Certificate with TLS 1.3+ */ } + if((packet->udp && flow->protos.tls_quic.ssl_version == 0xFEFC /* DTLS 1.3 */) + && (packet->payload[0] == 0x02 /* Server Hello */)) { + flow->tls_quic.certificate_processed = 1; /* No Certificate with DTLS 1.3+ */ + } checkTLSSubprotocol(ndpi_struct, flow, packet->payload[0] == 0x01); break; @@ -1198,6 +1201,7 @@ int is_dtls(const u_int8_t *buf, u_int32_t buf_len, u_int32_t *block_len) { if((buf[0] != 0x16 && buf[0] != 0x14 && buf[0] != 0x17 && buf[0] != 0x15) || /* Handshake, change-cipher-spec, Application-Data, Alert */ !((buf[1] == 0xfe && buf[2] == 0xff) || /* Versions */ (buf[1] == 0xfe && buf[2] == 0xfd) || + (buf[1] == 0xfe && buf[2] == 0xfc) || (buf[1] == 0x01 && buf[2] == 0x00))) { #ifdef DEBUG_TLS printf("[TLS] DTLS invalid block 0x%x or old version 0x%x-0x%x-0x%x\n", diff --git a/tests/cfgs/default/pcap/dtls.pcap b/tests/cfgs/default/pcap/dtls.pcap index a1b5f39d2df..acb8362580a 100644 Binary files a/tests/cfgs/default/pcap/dtls.pcap and b/tests/cfgs/default/pcap/dtls.pcap differ diff --git a/tests/cfgs/default/result/dtls.pcap.out b/tests/cfgs/default/result/dtls.pcap.out index 4dbfdf4e812..d3f002aa5a0 100644 --- a/tests/cfgs/default/result/dtls.pcap.out +++ b/tests/cfgs/default/result/dtls.pcap.out @@ -1,10 +1,10 @@ -DPI Packets (UDP): 6 (3.00 pkts/flow) -Confidence DPI : 2 (flows) -Num dissector calls: 5 (2.50 diss/flow) +DPI Packets (UDP): 8 (2.67 pkts/flow) +Confidence DPI : 3 (flows) +Num dissector calls: 7 (2.33 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) -LRU cache tls_cert: 0/5/0 (insert/search/found) +LRU cache tls_cert: 0/7/0 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) LRU cache stun_zoom: 0/0/0 (insert/search/found) @@ -13,22 +13,24 @@ Automa domain: 0/0 (search/found) Automa tls cert: 0/0 (search/found) Automa risk mask: 0/0 (search/found) Automa common alpns: 0/0 (search/found) -Patricia risk mask: 4/0 (search/found) +Patricia risk mask: 6/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) -Patricia protocols: 3/1 (search/found) +Patricia protocols: 5/1 (search/found) Patricia protocols IPv6: 0/0 (search/found) -DTLS 6 1341 2 +DTLS 24 8508 3 -Safe 6 1341 2 +Safe 24 8508 3 JA3 Host Stats: IP Address # JA3C 1 10.191.227.13 1 2 192.168.13.203 1 + 3 127.0.0.1 1 - 1 UDP 10.191.227.13:54162 <-> 157.240.16.128:3478 [VLAN: 10][proto: GTP:30/DTLS][IP: 119/Facebook][Encrypted][Confidence: DPI][DPI packets: 4][cat: Web/5][3 pkts/665 bytes <-> 1 pkts/282 bytes][Goodput ratio: 61/69][0.20 sec][Risk: ** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** TLS Fatal Alert **][Risk Score: 70][Risk Info: No ALPN / SNI should always be present / Found fatal TLS alert][DTLSv1.2][JA3C: b2a6643b6798940d25020cb4abe9e2aa][JA4: t00d160700_7c8d7d5e37b2_ea2cef574603][Firefox][Plen Bins: 25,0,0,0,0,0,75,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 UDP 192.168.13.203:40739 -> 192.168.13.57:56515 [proto: 30/DTLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 2][cat: Web/5][2 pkts/394 bytes -> 0 pkts/0 bytes][Goodput ratio: 78/0][< 1 sec][Risk: ** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Unidirectional Traffic **][Risk Score: 70][Risk Info: No server to client traffic / No ALPN / SNI should always be present][DTLSv1.2][JA3C: bd743610892cec1efed851b2b5efd4f5][JA4: t00d120700_7c0e62f61317_d9dd6182da81][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP 127.0.0.1:40983 <-> 127.0.0.1:11111 [proto: 30/DTLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 2][cat: Web/5][7 pkts/3187 bytes <-> 11 pkts/3980 bytes][Goodput ratio: 91/88][0.02 sec][TLS Supported Versions: DTLSv1.3][bytes ratio: -0.111 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1/1 5/5 2/2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 455/362 1398/1425 441/474][Risk: ** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **][Risk Score: 60][Risk Info: No ALPN / SNI should always be present][DTLSv1.3][JA3C: 320d2222212f652e923c3458b463c5b4][JA4: t00d270600_991e33d7eb74_10f9deb96590][JA3S: ecfd4f82776364c3015565f97e8c3897][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 11,16,22,0,11,0,0,0,0,11,0,0,0,0,0,0,5,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,5,5,0,0,0,0] + 2 UDP 10.191.227.13:54162 <-> 157.240.16.128:3478 [VLAN: 10][proto: GTP:30/DTLS][IP: 119/Facebook][Encrypted][Confidence: DPI][DPI packets: 4][cat: Web/5][3 pkts/665 bytes <-> 1 pkts/282 bytes][Goodput ratio: 61/69][0.20 sec][Risk: ** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** TLS Fatal Alert **][Risk Score: 70][Risk Info: No ALPN / SNI should always be present / Found fatal TLS alert][DTLSv1.2][JA3C: b2a6643b6798940d25020cb4abe9e2aa][JA4: t00d160700_7c8d7d5e37b2_ea2cef574603][Firefox][Plen Bins: 25,0,0,0,0,0,75,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 UDP 192.168.13.203:40739 -> 192.168.13.57:56515 [proto: 30/DTLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 2][cat: Web/5][2 pkts/394 bytes -> 0 pkts/0 bytes][Goodput ratio: 78/0][< 1 sec][Risk: ** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Unidirectional Traffic **][Risk Score: 70][Risk Info: No server to client traffic / No ALPN / SNI should always be present][DTLSv1.2][JA3C: bd743610892cec1efed851b2b5efd4f5][JA4: t00d120700_7c0e62f61317_d9dd6182da81][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]