Skip to content

Commit

Permalink
TLS: remove JA3C
Browse files Browse the repository at this point in the history
Last step of removing JA3C fingerprint

Remove some duplicate tests: testing with ja4c/ja3s disabled is already
performed by `disable_metadata_and_flowrisks` configuration.

Close:ntop#2551
  • Loading branch information
IvanNardi committed Jan 14, 2025
1 parent 63a3547 commit 62dc77b
Show file tree
Hide file tree
Showing 19 changed files with 8 additions and 182 deletions.
3 changes: 1 addition & 2 deletions doc/configuration_parameters.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,9 +33,8 @@ List of the supported configuration options:
| "tls " | "dpi.heuristics", | 0x00 | 0x00 | 0x07 | Enable/disable some heuristics to detect encrypted/obfuscated/proxied TLS flows. The value is a bitmask. Values: 0x0 = disabled; 0x01 = enable basic detection (i.e. encrypted TLS without any encapsulation); 0x02 = enable detection over TLS (i.e. TLS-in-TLS); 0x04 = enable detection over HTTP (i.e. TLS-over-WebSocket). If enabled, some false positives are expected. See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting |
| "tls " | "dpi.heuristics.max_packets_extra_dissection", | 25 | 0 | 255 | If at least one TLS heuristics is enabled (see `tls,"dpi.heuristics"`, this parameter set the upper limit on the number of packets required/processed for each flow. Higher the value, lower the false positive rate but more packets are required by nDPI for processing. |
| "tls" | "metadata.sha1_fingerprint" | enable | NULL | NULL | Enable/disable computation and export of SHA1 fingerprint for TLS flows. Note that if it is disable, the flow risk `NDPI_MALICIOUS_SHA1_CERTIFICATE` is not checked |
| "tls" | "metadata.ja3c_fingerprint" | enable | NULL | NULL | Enable/disable computation and export of JA3C fingerprint for TLS flows. Note that if it is disable, the flow risk `NDPI_MALICIOUS_JA3` is not checked |
| "tls" | "metadata.ja3s_fingerprint" | enable | NULL | NULL | Enable/disable computation and export of JA3S fingerprint for TLS flows |
| "tls" | "metadata.ja4c_fingerprint" | enable | NULL | NULL | Enable/disable computation and export of JA4C fingerprint for TLS flows |
| "tls" | "metadata.ja4c_fingerprint" | enable | NULL | NULL | Enable/disable computation and export of JA4C fingerprint for TLS flows. Note that if it is disable, the flow risk `NDPI_MALICIOUS_FINGERPRINT` is not checked |
| "tls" | "metadata.ja4r_fingerprint" | disable | NULL | NULL | Enable/disable computation and export of JA4C fingerprint for TLS flows also in raw format |
| "tls" | "subclassification" | enable | NULL | NULL | Enable/disable sub-classification of TLS/DTLS flows |
| "quic" | "subclassification" | enable | NULL | NULL | Enable/disable sub-classification of QUIC flows |
Expand Down
2 changes: 0 additions & 2 deletions example/reader_util.c
Original file line number Diff line number Diff line change
Expand Up @@ -1534,8 +1534,6 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl

flow->ssh_tls.notBefore = flow->ndpi_flow->protos.tls_quic.notBefore;
flow->ssh_tls.notAfter = flow->ndpi_flow->protos.tls_quic.notAfter;
ndpi_snprintf(flow->ssh_tls.ja3_client, sizeof(flow->ssh_tls.ja3_client), "%s",
flow->ndpi_flow->protos.tls_quic.ja3_client);
ndpi_snprintf(flow->ssh_tls.ja4_client, sizeof(flow->ssh_tls.ja4_client), "%s",
flow->ndpi_flow->protos.tls_quic.ja4_client);

Expand Down
2 changes: 1 addition & 1 deletion example/reader_util.h
Original file line number Diff line number Diff line change
Expand Up @@ -292,7 +292,7 @@ typedef struct ndpi_flow_info {
client_hassh[33], server_hassh[33], *server_names,
*advertised_alpns, *negotiated_alpn, *tls_supported_versions,
*tls_issuerDN, *tls_subjectDN,
ja3_client[33], ja3_server[33], ja4_client[37], *ja4_client_raw,
ja3_server[33], ja4_client[37], *ja4_client_raw,
sha1_cert_fingerprint[20];
u_int8_t sha1_cert_fingerprint_set;
struct tls_heuristics browser_heuristics;
Expand Down
5 changes: 0 additions & 5 deletions fuzz/fuzz_config.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -143,11 +143,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
snprintf(cfg_value, sizeof(cfg_value), "%d", value);
ndpi_set_config(ndpi_info_mod, "tls", "metadata.sha1_fingerprint", cfg_value);
}
if(fuzzed_data.ConsumeBool()) {
value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
snprintf(cfg_value, sizeof(cfg_value), "%d", value);
ndpi_set_config(ndpi_info_mod, "tls", "metadata.ja3c_fingerprint", cfg_value);
}
if(fuzzed_data.ConsumeBool()) {
value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
snprintf(cfg_value, sizeof(cfg_value), "%d", value);
Expand Down
1 change: 0 additions & 1 deletion src/include/ndpi_private.h
Original file line number Diff line number Diff line change
Expand Up @@ -243,7 +243,6 @@ struct ndpi_detection_module_config_struct {
int tls_heuristics;
int tls_heuristics_max_packets;
int tls_sha1_fingerprint_enabled;
int tls_ja3c_fingerprint_enabled;
int tls_ja3s_fingerprint_enabled;
int tls_ja4c_fingerprint_enabled;
int tls_ja4r_fingerprint_enabled;
Expand Down
2 changes: 1 addition & 1 deletion src/include/ndpi_typedefs.h
Original file line number Diff line number Diff line change
Expand Up @@ -1424,7 +1424,7 @@ struct ndpi_flow_struct {
struct {
char *server_names, *advertised_alpns, *negotiated_alpn, *tls_supported_versions, *issuerDN, *subjectDN;
u_int32_t notBefore, notAfter;
char ja3_client[33], ja3_server[33], ja4_client[37], *ja4_client_raw;
char ja3_server[33], ja4_client[37], *ja4_client_raw;
u_int16_t server_cipher;
u_int8_t sha1_certificate_fingerprint[20];
u_int8_t client_hello_processed:1, ch_direction:1, subprotocol_detected:1, server_hello_processed:1, fingerprint_set:1, webrtc:1, _pad:2;
Expand Down
1 change: 0 additions & 1 deletion src/lib/ndpi_main.c
Original file line number Diff line number Diff line change
Expand Up @@ -11562,7 +11562,6 @@ static const struct cfg_param {
{ "tls", "dpi.heuristics", "0x00", "0", "0x07", CFG_PARAM_INT, __OFF(tls_heuristics), NULL },
{ "tls", "dpi.heuristics.max_packets_extra_dissection", "25", "0", "255", CFG_PARAM_INT, __OFF(tls_heuristics_max_packets), NULL },
{ "tls", "metadata.sha1_fingerprint", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_sha1_fingerprint_enabled), NULL },
{ "tls", "metadata.ja3c_fingerprint", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ja3c_fingerprint_enabled), NULL },
{ "tls", "metadata.ja3s_fingerprint", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ja3s_fingerprint_enabled), NULL },
{ "tls", "metadata.ja4c_fingerprint", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ja4c_fingerprint_enabled), NULL },
{ "tls", "metadata.ja4r_fingerprint", "disable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ja4r_fingerprint_enabled), NULL },
Expand Down
1 change: 0 additions & 1 deletion src/lib/ndpi_utils.c
Original file line number Diff line number Diff line change
Expand Up @@ -1218,7 +1218,6 @@ static void ndpi_tls2json(ndpi_serializer *serializer, struct ndpi_flow_struct *
ndpi_serialize_string_string(serializer, "notafter", notAfter);
}

ndpi_serialize_string_string(serializer, "ja3", flow->protos.tls_quic.ja3_client);
ndpi_serialize_string_string(serializer, "ja3s", flow->protos.tls_quic.ja3_server);
ndpi_serialize_string_string(serializer, "ja4", flow->protos.tls_quic.ja4_client);
ndpi_serialize_string_uint32(serializer, "unsafe_cipher", flow->protos.tls_quic.server_unsafe_cipher);
Expand Down
70 changes: 4 additions & 66 deletions src/lib/protocols/tls.c
Original file line number Diff line number Diff line change
Expand Up @@ -3184,71 +3184,9 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
} /* while */

if(!invalid_ja) {
/* Compute JA3 client */

compute_ja3c:
if(ndpi_struct->cfg.tls_ja3c_fingerprint_enabled) {
int rc;
u_int16_t ja_str_len;
char ja_str[JA_STR_LEN];
ndpi_MD5_CTX ctx;
u_char md5_hash[16];

ja_str_len = ndpi_snprintf(ja_str, JA_STR_LEN, "%u,", ja.client.tls_handshake_version);

for(i=0; i<ja.client.num_ciphers; i++) {
rc = ndpi_snprintf(&ja_str[ja_str_len], JA_STR_LEN-ja_str_len, "%s%u",
(i > 0) ? "-" : "", ja.client.cipher[i]);
if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc; else break;
}

rc = ndpi_snprintf(&ja_str[ja_str_len], JA_STR_LEN-ja_str_len, ",");
if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc;

/* ********** */

for(i=0; i<ja.client.num_tls_extensions; i++) {
rc = ndpi_snprintf(&ja_str[ja_str_len], JA_STR_LEN-ja_str_len, "%s%u",
(i > 0) ? "-" : "", ja.client.tls_extension[i]);
if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc; else break;
}

rc = ndpi_snprintf(&ja_str[ja_str_len], JA_STR_LEN-ja_str_len, ",");
if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc;

/* ********** */

for(i=0; i<ja.client.num_elliptic_curve; i++) {
rc = ndpi_snprintf(&ja_str[ja_str_len], JA_STR_LEN-ja_str_len, "%s%u",
(i > 0) ? "-" : "", ja.client.elliptic_curve[i]);
if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc; else break;
}

rc = ndpi_snprintf(&ja_str[ja_str_len], JA_STR_LEN-ja_str_len, ",");
if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc;

for(i=0; i<ja.client.num_elliptic_curve_point_format; i++) {
rc = ndpi_snprintf(&ja_str[ja_str_len], JA_STR_LEN-ja_str_len, "%s%u",
(i > 0) ? "-" : "", ja.client.elliptic_curve_point_format[i]);
if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc; else break;
}

ndpi_MD5Init(&ctx);
ndpi_MD5Update(&ctx, (const unsigned char *)ja_str, strlen(ja_str));
ndpi_MD5Final(md5_hash, &ctx);

for(i=0, j=0; i<16; i++) {
rc = ndpi_snprintf(&flow->protos.tls_quic.ja3_client[j],
sizeof(flow->protos.tls_quic.ja3_client)-j, "%02x",
md5_hash[i]);
if(rc > 0) j += rc; else break;
}

#ifdef DEBUG_JA
printf("[JA3] Client: %s \n", flow->protos.tls_quic.ja3_client);
#endif
}
/* Compute JA4 client */

compute_ja4c:
if(ndpi_struct->cfg.tls_ja4c_fingerprint_enabled) {
ndpi_compute_ja4(ndpi_struct, flow, quic_version, &ja);

Expand All @@ -3262,7 +3200,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_FINGERPRINT, flow->protos.tls_quic.ja4_client);
}
}
/* End JA3/JA4 */
/* End JA4 */
}

/* Before returning to the caller we need to make a final check */
Expand Down Expand Up @@ -3307,7 +3245,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
}
} else if(offset == total_len) {
/* TLS does not have extensions etc */
goto compute_ja3c;
goto compute_ja4c;
}
} else {
#ifdef DEBUG_TLS
Expand Down
2 changes: 1 addition & 1 deletion tests/cfgs/disable_metadata_and_flowrisks/config.txt
Original file line number Diff line number Diff line change
@@ -1 +1 @@
--cfg=tls,metadata.sha1_fingerprint,0 --cfg=tls,metadata.ja3c_fingerprint,0 --cfg=tls,metadata.ja3s_fingerprint,0 --cfg=tls,metadata.ja4c_fingerprint,0 --cfg=metadata.tcp_fingerprint,0 --cfg=sip,metadata.attribute.from,0 --cfg=sip,metadata.attribute.to,0 --cfg=flow_risk.all,0
--cfg=tls,metadata.sha1_fingerprint,0 --cfg=tls,metadata.ja3s_fingerprint,0 --cfg=tls,metadata.ja4c_fingerprint,0 --cfg=metadata.tcp_fingerprint,0 --cfg=sip,metadata.attribute.from,0 --cfg=sip,metadata.attribute.to,0 --cfg=flow_risk.all,0
1 change: 0 additions & 1 deletion tests/cfgs/tls_ja3c_disabled/config.txt

This file was deleted.

This file was deleted.

This file was deleted.

1 change: 0 additions & 1 deletion tests/cfgs/tls_ja3s_disabled/config.txt

This file was deleted.

This file was deleted.

Loading

0 comments on commit 62dc77b

Please sign in to comment.