From faaa5c5799440117f7a9cc78499433396dba7eb3 Mon Sep 17 00:00:00 2001
From: Luca Deri
Date: Fri, 11 Oct 2024 19:23:29 +0200
Subject: [PATCH] Added support for printing JA4r when enabled
---
 example/ndpiReader.c | 2 ++
 example/reader_util.c | 11 ++++++++++-
 example/reader_util.h | 2 +-
 src/lib/protocols/tls.c | 6 ++++--
 4 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 12cd7feadfa..17a1a24572c 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -2056,6 +2056,8 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
 if(flow->ssh_tls.ja4_client[0] != '\0') fprintf(out, "[JA4: %s%s]", flow->ssh_tls.ja4_client, print_cipher(flow->ssh_tls.client_unsafe_cipher));
+ if(flow->ssh_tls.ja4_client_raw != NULL) fprintf(out, "[JA4_r: %s]", flow->ssh_tls.ja4_client_raw);
+
 if(flow->ssh_tls.server_info[0] != '\0') fprintf(out, "[Server: %s]", flow->ssh_tls.server_info);
 if(flow->ssh_tls.server_names) fprintf(out, "[ServerNames: %s]", flow->ssh_tls.server_names);
diff --git a/example/reader_util.c b/example/reader_util.c
index 8ed32cad495..702ff4dc70b 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -549,6 +549,11 @@ static void ndpi_free_flow_tls_data(struct ndpi_flow_info *flow) {
 ndpi_free(flow->ssh_tls.encrypted_sni.esni);
 flow->ssh_tls.encrypted_sni.esni = NULL;
 }
+
+ if(flow->ssh_tls.ja4_client_raw) {
+ ndpi_free(flow->ssh_tls.ja4_client_raw);
+ flow->ssh_tls.ja4_client_raw = NULL;
+ }
 }
 /* ***************************************************** */
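Review bot: The buffer released with `ndpi_free()` in the reader_util.c hunk at @@ -549 (ndpi_free_flow_tls_data) is allocated with plain `strdup()` in the later reader_util.c hunk at @@ -1353, so allocation and release go through different allocator entry points. If the reader installs custom nDPI memory wrappers (not visible in this patch), that pairing can skew memory accounting or pass a libc pointer to a non-libc free routine. Allocating with `flow->ssh_tls.ja4_client_raw = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.ja4_client_raw);` keeps the pair consistent. The body of ndpi_free_flow_tls_data starts outside the hunk.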
@@ -1353,7 +1358,11 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
 flow->ndpi_flow->protos.tls_quic.ja3_client);
 ndpi_snprintf(flow->ssh_tls.ja4_client, sizeof(flow->ssh_tls.ja4_client), "%s",
 flow->ndpi_flow->protos.tls_quic.ja4_client);
- ndpi_snprintf(flow->ssh_tls.ja3_server, sizeof(flow->ssh_tls.ja3_server), "%s",
+
+ if(flow->ndpi_flow->protos.tls_quic.ja4_client_raw)
+ flow->ssh_tls.ja4_client_raw = strdup(flow->ndpi_flow->protos.tls_quic.ja4_client_raw);
+
+ ndpi_snprintf(flow->ssh_tls.ja3_server, sizeof(flow->ssh_tls.ja3_server), "%s",
 flow->ndpi_flow->protos.tls_quic.ja3_server);
 flow->ssh_tls.server_unsafe_cipher = flow->ndpi_flow->protos.tls_quic.server_unsafe_cipher;
 flow->ssh_tls.server_cipher = flow->ndpi_flow->protos.tls_quic.server_cipher;
diff --git a/example/reader_util.h b/example/reader_util.h
index 956bb1955b0..03a1b8d5f4c 100644
--- a/example/reader_util.h
+++ b/example/reader_util.h
@@ -275,7 +275,7 @@ typedef struct ndpi_flow_info {
 client_hassh[33], server_hassh[33], *server_names, *advertised_alpns, *negotiated_alpn, *tls_supported_versions, *tls_issuerDN, *tls_subjectDN,
- ja3_client[33], ja3_server[33], ja4_client[37],
+ ja3_client[33], ja3_server[33], ja4_client[37], *ja4_client_raw,
 sha1_cert_fingerprint[20];
 u_int8_t sha1_cert_fingerprint_set;
 struct tls_heuristics browser_heuristics;
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index b42d200fc53..3b9aff4e765 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -29,7 +29,7 @@
 #include "ndpi_encryption.h"
 #include "ndpi_private.h"
-#define JA4R_DECIMAL 1
+//#define JA4R_DECIMAL 1
 static void ndpi_search_tls_wrapper(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
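Review bot: The new assignment to `flow->ssh_tls.ja4_client_raw` in process_ndpi_collected_info overwrites the pointer without checking whether it already holds a copy. If this function can run more than once for the same flow (its callers and the rest of its body are outside the hunk), every earlier copy is leaked. Guarding the copy as `if(flow->ssh_tls.ja4_client_raw == NULL && flow->ndpi_flow->protos.tls_quic.ja4_client_raw)` makes the assignment safe to repeat. A failed allocation is already tolerated, because the printing code and the free path both test the pointer for NULL.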
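Review bot: Commenting out `#define JA4R_DECIMAL 1` in tls.c leaves a dead switch in the file and, judging by the macro name, changes how the JA4_r string is encoded (presumably from decimal to hexadecimal codes) in the same commit that starts printing it. The commit message does not mention a format change, yet anyone comparing or matching stored JA4_r values would see different strings for the same ClientHello after this build. Either delete the line or keep it as a documented option, for example `/* #define JA4R_DECIMAL 1 */ /* define to emit JA4_r codes in decimal */`, and state the default format in the commit description.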
@@ -2029,7 +2029,9 @@ static void ndpi_compute_ja4(struct ndpi_detection_module_struct *ndpi_struct,
 _
 (sha256 hash of the list of cipher hex codes sorted in hex order, truncated to 12 characters)
 _
- (sha256 hash of (the list of extension hex codes sorted in hex order)_(the list of signature algorithms), truncated to 12 characters)
+ (sha256 hash of (the list of extension hex codes sorted in hex order)
+ _
+ (the list of signature algorithms), truncated to 12 characters)
 */
 ja_str[0] = is_dtls ? 'd' : ((quic_version != 0) ? 'q' : 't');