TLS: improve handling of Change Cipher message (#2564)

ntop · Sep 23, 2024 · 2bf869c · 2bf869c
1 parent efe1930
commit 2bf869c
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 5 deletions.
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
@@ -1068,13 +1068,18 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 	*/
 	flow->l4.tcp.tls.num_tls_blocks = 0;
       }
+      if(len == 6 &&
+         message->buffer[1] == 0x03 && /* TLS >= 1.0 */
+         ((message->buffer[3] << 8) + (message->buffer[4])) == 1) {
 #ifdef DEBUG_TLS
-      printf("[TLS] Change Cipher Spec\n");
+        printf("[TLS] Change Cipher Spec\n");
 #endif
-      flow->l4.tcp.tls.app_data_seen[packet->packet_direction] = 1;
-      /* Further data is encrypted so we are not able to parse it without
-         erros and without setting `something_went_wrong` variable */
-      break;
+        ndpi_int_tls_add_connection(ndpi_struct, flow);
+        flow->l4.tcp.tls.app_data_seen[packet->packet_direction] = 1;
+        /* Further data is encrypted so we are not able to parse it without
+           erros and without setting `something_went_wrong` variable */
+        break;
+      }
     } else if(content_type == 0x15 /* Alert */) {
       /* https://techcommunity.microsoft.com/t5/iis-support-blog/ssl-tls-alert-protocol-and-the-alert-codes/ba-p/377132 */
 #ifdef DEBUG_TLS

diff --git a/tests/cfgs/default/pcap/tls_change_cipher.pcap b/tests/cfgs/default/pcap/tls_change_cipher.pcap
diff --git a/tests/cfgs/default/result/tls_change_cipher.pcap.out b/tests/cfgs/default/result/tls_change_cipher.pcap.out
@@ -0,0 +1,27 @@
+DPI Packets (TCP):	14	(14.00 pkts/flow)
+Confidence DPI              : 1 (flows)
+Num dissector calls: 1 (1.00 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/0/0 (insert/search/found)
+LRU cache mining:     0/0/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache fpc_dns:    0/1/0 (insert/search/found)
+Automa host:          0/0 (search/found)
+Automa domain:        0/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     0/0 (search/found)
+Automa common alpns:  0/0 (search/found)
+Patricia risk mask:   0/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia risk IPv6:   0/0 (search/found)
+Patricia protocols:   1/1 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+TLS	14	13753	1
+
+Safe                            14 13753         1            
+
+	1	TCP 18.139.7.8:443 <-> 172.29.190.157:62797 [VLAN: 113][proto: GTP:91/TLS][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][FPC: 265/AmazonAWS, Confidence: IP address][DPI packets: 14][cat: Web/5][1 pkts/134 bytes <-> 13 pkts/13619 bytes][Goodput ratio: 0/88][4.99 sec][bytes ratio: -0.981 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/438 0/4677 0/1341][Pkt Len c2s/s2c min/avg/max/stddev: 134/194 134/1048 134/1458 0/494][PLAIN TEXT (oCpI.P7)][Plen Bins: 0,0,7,0,7,0,0,0,7,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,7,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,55,0,0,0,0,0,0]