Merge branch 'alexei-argus-SOMEIP' into dev

5 files changed, 238 insertions, 1 deletions

diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index f1ba9d4a3..1e088ceaa 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -268,8 +268,11 @@
 #define NDPI_PROTOCOL_DRDA 	         227
 #define NDPI_PROTOCOL_PLAYSTORE          228 /* Google Play Store */
 
+#define NDPI_PROTOCOL_SOMEIP		 229
+
+
 /* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */
-#define NDPI_LAST_IMPLEMENTED_PROTOCOL		        NDPI_PROTOCOL_PLAYSTORE
+#define NDPI_LAST_IMPLEMENTED_PROTOCOL		        NDPI_PROTOCOL_SOMEIP
 
 #define NDPI_MAX_SUPPORTED_PROTOCOLS                    (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1)
 #define NDPI_MAX_NUM_CUSTOM_PROTOCOLS                   (NDPI_NUM_BITS-NDPI_LAST_IMPLEMENTED_PROTOCOL)
diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h
index f1d34f75e..2ac9485ab 100644
--- a/src/include/ndpi_protocols.h
+++ b/src/include/ndpi_protocols.h
@@ -190,6 +190,7 @@ void ndpi_search_starcraft(struct ndpi_detection_module_struct *ndpi_struct, str
 void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
 void ndpi_search_coap(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
 void ndpi_search_mqtt (struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
+void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
 void ndpi_search_rx(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
 void ndpi_search_git(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
 void ndpi_search_drda(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
@@ -332,6 +333,7 @@ void init_stracraft_dissector(struct ndpi_detection_module_struct *ndpi_struct,
 void init_ubntac2_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_coap_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_mqtt_dissector (struct ndpi_detection_module_struct *ndpi_struct,u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
+void init_someip_dissector (struct ndpi_detection_module_struct *ndpi_struct,u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_rx_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_git_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_hangout_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am
index 375e9ce48..3af5881b7 100644
--- a/src/lib/Makefile.am
+++ b/src/lib/Makefile.am
@@ -158,6 +158,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \
 		     protocols/zeromq.c \
 		     protocols/smpp.c \
 		     protocols/tinc.c \
+		     protocols/SOMEIP.c \
 		     third_party/include/actypes.h \
 		     third_party/include/ahocorasick.h \
 		     third_party/include/ndpi_patricia.h \
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 52a7d7222..8ff3855af 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1571,6 +1571,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
 			    no_master, "MQTT", NDPI_PROTOCOL_CATEGORY_RPC,
 			    ndpi_build_default_ports(ports_a, 1883, 8883, 0, 0, 0),  /* TCP */
 			    ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0));       /* UDP */
+	 ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SOMEIP,
+			    no_master,
+			    no_master, "SOME/IP", NDPI_PROTOCOL_CATEGORY_RPC,
+			    ndpi_build_default_ports(ports_a, 30491, 30501, 0, 0, 0),  /* TCP */
+			    ndpi_build_default_ports(ports_b, 30491, 30501, 30490, 0, 0));       /* UDP */
     ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RX,
 			    no_master,
 			    no_master, "RX", NDPI_PROTOCOL_CATEGORY_RPC,
@@ -2691,6 +2696,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n
   /* MQTT */
   init_mqtt_dissector(ndpi_struct, &a, detection_bitmask);
 
+  /* SOME/IP */
+  init_someip_dissector(ndpi_struct, &a, detection_bitmask);
+
   /* RX */
   init_rx_dissector(ndpi_struct, &a, detection_bitmask);
 
diff --git a/src/lib/protocols/SOMEIP.c b/src/lib/protocols/SOMEIP.c
new file mode 100644
index 000000000..adffb0c33
--- /dev/null
+++ b/src/lib/protocols/SOMEIP.c
@@ -0,0 +1,223 @@
+/*
+ * SOMEIP.c
+ *
+ * Copyright (C) 2016 Sorin Zamfir <sorin.zamfir@yahoo.com>
+ *
+ * This file is part of nDPI, an open source deep packet inspection
+ * library based on the OpenDPI and PACE technology by ipoque GmbH
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your omessage_typeion) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "ndpi_protocols.h"
+#ifdef NDPI_PROTOCOL_SOMEIP
+
+enum SOMEIP_MESSAGE_TYPES {
+	REQUEST = 0x00,
+	REQUEST_NO_RETURN = 0x01,
+	NOTIFICATION = 0x02,
+	REQUEST_ACK = 0x40,
+	REQUEST_NO_RETURN_ACK = 0x41,
+	NOTIFICATION_ACK = 0x42,
+	RESPONSE = 0x80,
+	ERROR = 0x81,
+	RESPONSE_ACK = 0xc0,
+	ERROR_ACK = 0xc1
+};
+
+enum SOMEIP_RETURN_CODES {
+	E_OK = 0x00,
+	E_NOT_OK = 0x01,
+	E_UNKNOWN_SERVICE = 0x02,
+	E_UNKNOWN_METHOD = 0x03,
+	E_NOT_READY = 0x04,
+	E_NOT_REACHABLE = 0x05,
+	E_TIMEOUT = 0x06,
+	E_WRONG_PROTOCOL_VERSION = 0x07,
+	E_WRONG_INTERFACE_VERSION = 0x08,
+	E_MALFORMED_MESSAGE = 0x09,
+	E_WRONG_MESSAGE_TYPE = 0x0a,
+	E_RETURN_CODE_LEGAL_THRESHOLD = 0x40  //return codes from 0x40 (inclusive) and upwards are illegal.
+};
+
+enum SPECIAL_MESSAGE_IDS {
+	MSG_MAGIC_COOKIE = 0xffff0000,
+	MSG_MAGIC_COOKIE_ACK = 0xffff8000,
+	MSG_SD = 0xffff8100
+};
+
+enum PROTOCOL_VERSION{
+	LEGAL_PROTOCOL_VERSION = 0x01
+};
+
+enum MAGIC_COOKIE_CONSTANTS{
+	MC_REQUEST_ID = 0xDEADBEEF,
+	MC_LENGTH = 0x08,
+	MC_INTERFACE_VERSION = 0x01
+};
+
+enum DEFAULT_PROTOCOL_PORTS{
+	PORT_DEFAULT_CLIENT = 30491,
+	PORT_DEFAULT_SERVER = 30501,
+	PORT_DEFAULT_SD = 30490
+};
+
+/**
+ * Entry point when protocol is identified.
+ */
+static void ndpi_int_someip_add_connection (struct ndpi_detection_module_struct *ndpi_struct,
+		struct ndpi_flow_struct *flow)
+{
+	ndpi_set_detected_protocol(ndpi_struct,flow,NDPI_PROTOCOL_SOMEIP,NDPI_PROTOCOL_UNKNOWN);
+	NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found.\n");
+}
+
+/**
+ * Dissector function that searches SOME/IP headers
+ */
+void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct,
+		struct ndpi_flow_struct *flow)
+{
+
+	//####Maybe check carrier protocols?####
+
+	NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP search called...\n");
+	const struct ndpi_packet_struct *packet = &flow->packet;
+	if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) {
+		return;
+	}
+
+	//we extract the Message ID and Request ID and check for special cases later
+	u_int32_t message_id = ntohl(*((u_int32_t *)&packet->payload[0]));
+	u_int32_t request_id = ntohl(*((u_int32_t *)&packet->payload[8]));
+
+	NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "====>>>> SOME/IP Message ID: %08x [len: %u]\n",
+			message_id, packet->payload_packet_len);
+	if (packet->payload_packet_len < 16) {
+		NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. mandatory header not found (not enough data for all fields)\n");
+		NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP);
+		return;
+	}
+	
+	//####Maximum packet size in SOMEIP depends on the carrier protocol, and I'm not certain how well enforced it is, so let's leave that for round 2####
+
+	// we extract the remaining length
+	u_int32_t someip_len = ntohl(*((u_int32_t *)&packet->payload[4]));
+	if (packet->payload_packet_len != (someip_len + 8)) {
+		NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. Length field invalid!\n");
+		NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP);
+		return;
+	}
+
+	u_int8_t protocol_version = (u_int8_t) (packet->payload[12]);
+	NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP protocol version: [%d]\n",protocol_version);
+	if (protocol_version != LEGAL_PROTOCOL_VERSION){
+		NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. invalid protocol version!\n");
+		NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP);
+		return;
+	}
+
+	u_int8_t interface_version = (packet->payload[13]);
+
+	u_int8_t message_type = (u_int8_t) (packet->payload[14]);
+	NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP message type: [%d]\n",message_type);
+
+	if ((message_type != REQUEST) && (message_type != REQUEST_NO_RETURN) && (message_type != NOTIFICATION) && (message_type != REQUEST_ACK) && 
+					(message_type != REQUEST_NO_RETURN_ACK) && (message_type != NOTIFICATION_ACK) && (message_type != RESPONSE) && 
+					(message_type != ERROR) && (message_type != RESPONSE_ACK) && (message_type != ERROR_ACK)) {
+		NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. invalid message type!\n");
+		NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP);
+		return;
+	}
+
+	u_int8_t return_code = (u_int8_t) (packet->payload[15]);
+	NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP return code: [%d]\n", return_code);
+	if ((return_code >= E_RETURN_CODE_LEGAL_THRESHOLD)) {
+		NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. invalid return code!\n");
+		NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP);
+		return;
+	}
+	
+ 	if (message_id == MSG_MAGIC_COOKIE){
+		if ((someip_len == MC_LENGTH) && (request_id == MC_REQUEST_ID) && (interface_version == MC_INTERFACE_VERSION) &&
+					(message_type == REQUEST_NO_RETURN) && (return_code == E_OK)){
+			NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found Magic Cookie\n",message_type);
+			ndpi_int_someip_add_connection(ndpi_struct, flow);
+			return;
+		}											
+		else{
+			NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP, invalid header for Magic Cookie\n");
+			NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP);
+			return;
+		}
+ 	}
+	
+	if (message_id == MSG_MAGIC_COOKIE_ACK){
+		if ((someip_len == MC_LENGTH) && (request_id == MC_REQUEST_ID) && (interface_version == MC_INTERFACE_VERSION) &&
+					(message_type == REQUEST_NO_RETURN) && (return_code == E_OK)){
+			NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found Magic Cookie ACK\n",message_type);
+			ndpi_int_someip_add_connection(ndpi_struct, flow);
+			return;
+		}											
+		else{
+			NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP, invalid header for Magic Cookie ACK\n");
+			NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP);
+			return;
+		}
+ 	}
+
+	if (message_id == MSG_SD){
+		NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP-SD currently not supported\n", message_type);
+	}
+
+	//Filtering by port. 
+	//This check is NOT a 100% thing - these ports are mentioned in the documentation but the documentation also states they haven't been approved by IANA yet, and that the user is free to use different ports.
+	//This is is PURELY for demo purposes and the rest of the check must be filled in later on!
+	if (packet->l4_protocol == IPPROTO_UDP){
+		if ((packet->udp->dest == ntohs(PORT_DEFAULT_CLIENT)) || (packet->udp->dest == ntohs(PORT_DEFAULT_SERVER)) || (packet->udp->dest == ntohs(PORT_DEFAULT_SD))) {
+			NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found\n",message_type);
+			ndpi_int_someip_add_connection(ndpi_struct, flow);
+			return;
+		}
+	}
+	if (packet->l4_protocol == IPPROTO_TCP){
+		if ((packet->tcp->dest == ntohs(PORT_DEFAULT_CLIENT)) || (packet->tcp->dest == ntohs(PORT_DEFAULT_SERVER))) {
+			NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found\n",message_type);
+			ndpi_int_someip_add_connection(ndpi_struct, flow);
+			return;
+		}
+	}
+
+	NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Reached the end without confirming SOME/IP ...\n");
+	NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP);
+	return;
+}
+/**
+ * Entry point for the ndpi library
+ */
+void init_someip_dissector (struct ndpi_detection_module_struct *ndpi_struct,
+		u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+{
+	NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP dissector init...\n");
+	ndpi_set_bitmask_protocol_detection ("SOME/IP", ndpi_struct, detection_bitmask, *id,
+			NDPI_PROTOCOL_SOMEIP,
+			ndpi_search_someip,
+			NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD,
+			SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK);
+	*id +=1;
+}
+
+#endif // NDPI_PROTOCOL_SOMEIP
+