Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DTLS: add support for DTLS 1.3 #2445

Merged
merged 1 commit into from
May 21, 2024
Merged

DTLS: add support for DTLS 1.3 #2445

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions src/lib/ndpi_utils.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -849,6 +849,7 @@ char* ndpi_ssl_version2str(char *buf, int buf_len,
case 0XFB1A: strncpy(buf, "TLSv1.3 (Fizz)", buf_len); buf[buf_len - 1] = '\0'; return buf; /* https://engineering.fb.com/security/fizz/ */
case 0XFEFF: strncpy(buf, "DTLSv1.0", buf_len); buf[buf_len - 1] = '\0'; return buf;
case 0XFEFD: strncpy(buf, "DTLSv1.2", buf_len); buf[buf_len - 1] = '\0'; return buf;
case 0XFEFC: strncpy(buf, "DTLSv1.3", buf_len); buf[buf_len - 1] = '\0'; return buf;
case 0x0A0A:
case 0x1A1A:
case 0x2A2A:
Expand Down
6 changes: 5 additions & 1 deletion src/lib/protocols/tls.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -918,11 +918,14 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
(packet->payload[0] == 0x01) ? "Client" : "Server");
#endif

/* Not support for DTLS 1.3 yet, then certificates are always visible in DTLS */
if((packet->tcp && flow->protos.tls_quic.ssl_version >= 0x0304 /* TLS 1.3 */)
&& (packet->payload[0] == 0x02 /* Server Hello */)) {
flow->tls_quic.certificate_processed = 1; /* No Certificate with TLS 1.3+ */
}
if((packet->udp && flow->protos.tls_quic.ssl_version == 0xFEFC /* DTLS 1.3 */)
&& (packet->payload[0] == 0x02 /* Server Hello */)) {
flow->tls_quic.certificate_processed = 1; /* No Certificate with DTLS 1.3+ */
}

checkTLSSubprotocol(ndpi_struct, flow, packet->payload[0] == 0x01);
break;
Expand Down Expand Up @@ -1198,6 +1201,7 @@ int is_dtls(const u_int8_t *buf, u_int32_t buf_len, u_int32_t *block_len) {
if((buf[0] != 0x16 && buf[0] != 0x14 && buf[0] != 0x17 && buf[0] != 0x15) || /* Handshake, change-cipher-spec, Application-Data, Alert */
!((buf[1] == 0xfe && buf[2] == 0xff) || /* Versions */
(buf[1] == 0xfe && buf[2] == 0xfd) ||
(buf[1] == 0xfe && buf[2] == 0xfc) ||
(buf[1] == 0x01 && buf[2] == 0x00))) {
#ifdef DEBUG_TLS
printf("[TLS] DTLS invalid block 0x%x or old version 0x%x-0x%x-0x%x\n",
Expand Down
Binary file modified tests/cfgs/default/pcap/dtls.pcap
View file
Open in desktop
Binary file not shown.
22 changes: 12 additions & 10 deletions tests/cfgs/default/result/dtls.pcap.out
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
DPI Packets (UDP): 6 (3.00 pkts/flow)
Confidence DPI : 2 (flows)
Num dissector calls: 5 (2.50 diss/flow)
DPI Packets (UDP): 8 (2.67 pkts/flow)
Confidence DPI : 3 (flows)
Num dissector calls: 7 (2.33 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache stun: 0/0/0 (insert/search/found)
LRU cache tls_cert: 0/5/0 (insert/search/found)
LRU cache tls_cert: 0/7/0 (insert/search/found)
LRU cache mining: 0/0/0 (insert/search/found)
LRU cache msteams: 0/0/0 (insert/search/found)
LRU cache stun_zoom: 0/0/0 (insert/search/found)
Expand All @@ -13,22 +13,24 @@ Automa domain: 0/0 (search/found)
Automa tls cert: 0/0 (search/found)
Automa risk mask: 0/0 (search/found)
Automa common alpns: 0/0 (search/found)
Patricia risk mask: 4/0 (search/found)
Patricia risk mask: 6/0 (search/found)
Patricia risk mask IPv6: 0/0 (search/found)
Patricia risk: 0/0 (search/found)
Patricia risk IPv6: 0/0 (search/found)
Patricia protocols: 3/1 (search/found)
Patricia protocols: 5/1 (search/found)
Patricia protocols IPv6: 0/0 (search/found)

DTLS 6 1341 2
DTLS 24 8508 3

Safe 6 1341 2
Safe 24 8508 3

JA3 Host Stats:
IP Address # JA3C
1 10.191.227.13 1
2 192.168.13.203 1
3 127.0.0.1 1


1 UDP 10.191.227.13:54162 <-> 157.240.16.128:3478 [VLAN: 10][proto: GTP:30/DTLS][IP: 119/Facebook][Encrypted][Confidence: DPI][DPI packets: 4][cat: Web/5][3 pkts/665 bytes <-> 1 pkts/282 bytes][Goodput ratio: 61/69][0.20 sec][Risk: ** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** TLS Fatal Alert **][Risk Score: 70][Risk Info: No ALPN / SNI should always be present / Found fatal TLS alert][DTLSv1.2][JA3C: b2a6643b6798940d25020cb4abe9e2aa][JA4: t00d160700_7c8d7d5e37b2_ea2cef574603][Firefox][Plen Bins: 25,0,0,0,0,0,75,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
2 UDP 192.168.13.203:40739 -> 192.168.13.57:56515 [proto: 30/DTLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 2][cat: Web/5][2 pkts/394 bytes -> 0 pkts/0 bytes][Goodput ratio: 78/0][< 1 sec][Risk: ** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Unidirectional Traffic **][Risk Score: 70][Risk Info: No server to client traffic / No ALPN / SNI should always be present][DTLSv1.2][JA3C: bd743610892cec1efed851b2b5efd4f5][JA4: t00d120700_7c0e62f61317_d9dd6182da81][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
1 UDP 127.0.0.1:40983 <-> 127.0.0.1:11111 [proto: 30/DTLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 2][cat: Web/5][7 pkts/3187 bytes <-> 11 pkts/3980 bytes][Goodput ratio: 91/88][0.02 sec][TLS Supported Versions: DTLSv1.3][bytes ratio: -0.111 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1/1 5/5 2/2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 455/362 1398/1425 441/474][Risk: ** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **][Risk Score: 60][Risk Info: No ALPN / SNI should always be present][DTLSv1.3][JA3C: 320d2222212f652e923c3458b463c5b4][JA4: t00d270600_991e33d7eb74_10f9deb96590][JA3S: ecfd4f82776364c3015565f97e8c3897][Firefox][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 11,16,22,0,11,0,0,0,0,11,0,0,0,0,0,0,5,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,5,5,0,0,0,0]
2 UDP 10.191.227.13:54162 <-> 157.240.16.128:3478 [VLAN: 10][proto: GTP:30/DTLS][IP: 119/Facebook][Encrypted][Confidence: DPI][DPI packets: 4][cat: Web/5][3 pkts/665 bytes <-> 1 pkts/282 bytes][Goodput ratio: 61/69][0.20 sec][Risk: ** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** TLS Fatal Alert **][Risk Score: 70][Risk Info: No ALPN / SNI should always be present / Found fatal TLS alert][DTLSv1.2][JA3C: b2a6643b6798940d25020cb4abe9e2aa][JA4: t00d160700_7c8d7d5e37b2_ea2cef574603][Firefox][Plen Bins: 25,0,0,0,0,0,75,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
3 UDP 192.168.13.203:40739 -> 192.168.13.57:56515 [proto: 30/DTLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 2][cat: Web/5][2 pkts/394 bytes -> 0 pkts/0 bytes][Goodput ratio: 78/0][< 1 sec][Risk: ** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Unidirectional Traffic **][Risk Score: 70][Risk Info: No server to client traffic / No ALPN / SNI should always be present][DTLSv1.2][JA3C: bd743610892cec1efed851b2b5efd4f5][JA4: t00d120700_7c0e62f61317_d9dd6182da81][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
Loading