TLS: avoid zeroing large structures (#1300)

Zeroing large structures (i.e. size > KB) is quite costly (from a CPU point
of view): we can safely avoid doing that for a couple of big structures.

Standard and Valgrind tests have been diverging quite a lot: it is time
to re-sync them. Use the same script and enable Valgrind via an
enviroment variable:

  NDPI_TESTS_VALGRIND=1 ./tests/do.sh

4 files changed, 25 insertions, 63 deletions

diff --git a/configure.seed b/configure.seed
index 54a403efe..5c51a1d8e 100644
--- a/configure.seed
+++ b/configure.seed
@@ -259,7 +259,6 @@ fi
 
 AC_CONFIG_FILES([Makefile example/Makefile example/Makefile.dpdk tests/Makefile tests/unit/Makefile tests/dga/Makefile libndpi.pc src/include/ndpi_define.h src/lib/Makefile python/Makefile fuzz/Makefile src/include/ndpi_api.h])
 AC_CONFIG_FILES([tests/do.sh], [chmod +x tests/do.sh])
-AC_CONFIG_FILES([tests/do_valgrind.sh], [chmod +x tests/do_valgrind.sh])
 AC_CONFIG_HEADERS(src/include/ndpi_config.h)
 AC_SUBST(GIT_RELEASE)
 AC_SUBST(NDPI_MAJOR)
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index b1d3d2c5e..2270b05ab 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -313,9 +313,11 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
 				       u_int16_t p_offset, u_int16_t certificate_len) {
   struct ndpi_packet_struct *packet = &flow->packet;
   u_int16_t num_found = 0, i;
-  char buffer[64] = { '\0' }, rdnSeqBuf[2048] = { '\0' };
+  char buffer[64] = { '\0' }, rdnSeqBuf[2048];
   u_int rdn_len = 0;
 
+  rdnSeqBuf[0] = '\0';
+
 #ifdef DEBUG_TLS
   printf("[TLS] %s() [offset: %u][certificate_len: %u]\n", __FUNCTION__, p_offset, certificate_len);
 #endif
@@ -1222,7 +1224,6 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
   printf("TLS %s() called\n", __FUNCTION__);
 #endif
 
-  memset(&ja3, 0, sizeof(ja3));
 
   handshake_type = packet->payload[0];
   total_len = (packet->payload[1] << 16) +  (packet->payload[2] << 8) + packet->payload[3];
@@ -1254,6 +1255,11 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
     if(handshake_type == 0x02 /* Server Hello */) {
       int i, rc;
 
+      ja3.server.num_cipher = 0;
+      ja3.server.num_tls_extension = 0;
+      ja3.server.num_elliptic_curve_point_format = 0;
+      ja3.server.alpn[0] = '\0';
+
       ja3.server.tls_handshake_version = tls_version;
 
 #ifdef DEBUG_TLS
@@ -1474,6 +1480,14 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
       u_int16_t cipher_len, cipher_offset;
       u_int8_t cookie_len = 0;
 
+      ja3.client.num_cipher = 0;
+      ja3.client.num_tls_extension = 0;
+      ja3.client.num_elliptic_curve = 0;
+      ja3.client.num_elliptic_curve_point_format = 0;
+      ja3.client.signature_algorithms[0] = '\0';
+      ja3.client.supported_versions[0] = '\0';
+      ja3.client.alpn[0] = '\0';
+
       flow->protos.tls_quic_stun.tls_quic.ssl_version = ja3.client.tls_handshake_version = tls_version;
       if(flow->protos.tls_quic_stun.tls_quic.ssl_version < 0x0302) /* TLSv1.1 */
 	ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_OBSOLETE_VERSION);
diff --git a/tests/do.sh.in b/tests/do.sh.in
index 01fad8497..cf14e653c 100755
--- a/tests/do.sh.in
+++ b/tests/do.sh.in
@@ -4,9 +4,15 @@ cd "$(dirname "${0}")"
 
 FUZZY_TESTING_ENABLED=@BUILD_FUZZTARGETS@
 
+#Remember: valgrind and *SAN are incompatible!
+VALGRIND=""
+if [ "$NDPI_TESTS_VALGRIND" = "1" ]; then
+   VALGRIND="valgrind -q --leak-check=full"
+fi
+
 GCRYPT_ENABLED=@GCRYPT_ENABLED@
 GCRYPT_PCAPS="gquic.pcap quic-23.pcap quic-24.pcap quic-27.pcap quic-28.pcap quic-29.pcap quic-mvfst-22.pcap quic-mvfst-27.pcapng quic-mvfst-exp.pcap quic_q50.pcap quic_t50.pcap quic_t51.pcap quic_0RTT.pcap quic_interop_V.pcapng quic-33.pcapng doq.pcapng doq_adguard.pcapng dlt_ppp.pcap os_detected.pcapng quic_frags_ch_out_of_order_same_packet_craziness.pcapng quic_frags_ch_in_multiple_packets.pcapng"
-READER="../example/ndpiReader -p ../example/protos.txt -c ../example/categories.txt -r ../example/risky_domains.txt -j ../example/ja3_fingerprints.csv -S ../example/sha1_fingerprints.csv"
+READER="$VALGRIND ../example/ndpiReader -p ../example/protos.txt -c ../example/categories.txt -r ../example/risky_domains.txt -j ../example/ja3_fingerprints.csv -S ../example/sha1_fingerprints.csv"
 
 RC=0
 PCAPS=`cd pcap; /bin/ls *.pcap *.pcapng`
@@ -61,9 +67,9 @@ check_results() {
 	    NUM_DIFF=`diff result/$f.out /tmp/reader.out | wc -l`
 
 	    if [ $NUM_DIFF -eq 0 ]; then
-		printf "%-32s\tOK\n" "$f"
+		printf "%-48s\tOK\n" "$f"
 	    else
-		printf "%-32s\tERROR\n" "$f"
+		printf "%-48s\tERROR\n" "$f"
 		echo "$CMD [old vs new]"
 		diff result/$f.out /tmp/reader.out
 		RC=1
diff --git a/tests/do_valgrind.sh.in b/tests/do_valgrind.sh.in
deleted file mode 100755
index 8ab0509a8..000000000
--- a/tests/do_valgrind.sh.in
+++ /dev/null
@@ -1,57 +0,0 @@
-#!/bin/sh
-
-cd "$(dirname "${0}")"
-
-GCRYPT_ENABLED=@GCRYPT_ENABLED@
-GCRYPT_PCAPS="gquic.pcap quic-23.pcap quic-24.pcap quic-27.pcap quic-28.pcap quic-29.pcap quic-mvfst-22.pcap quic-mvfst-27.pcap quic-mvfst-exp.pcap quic_q50.pcap quic_t50.pcap quic_t51.pcap quic_0RTT.pcap quic_interop_V.pcapng quic-33.pcapng doq.pcapng doq_adguard.pcapng dlt_ppp.pcap"
-READER="valgrind -q --leak-check=full ../example/ndpiReader -p ../example/protos.txt -c ../example/categories.txt"
-
-RC=0
-PCAPS=`cd pcap; /bin/ls *.pcap`
-
-if [ ! -x "../example/ndpiReader" ]; then
-  echo "$0: Missing $(realpath ../example/ndpiReader)"
-  echo "$0: Run ./configure and make first"
-  exit 1
-fi
-
-check_results() {
-	for f in $PCAPS; do 
-	  SKIP_PCAP=0
-	  if [ $GCRYPT_ENABLED -eq 0 ]; then
-	    for g in $GCRYPT_PCAPS; do
-	      if [ $f = $g ]; then
-	        SKIP_PCAP=1
-	        break
-	      fi
-	    done
-	  fi
-	  if [ $SKIP_PCAP -eq 1 ]; then
-	    printf "%-32s\tSKIPPED\n" "$f"
-	    continue
-	  fi
-
-	  CMD="$READER -q -i pcap/$f > /tmp/reader.out"
-	  $CMD
-	  NUM_DIFF=0
-
-	  if [ -f /tmp/reader.out ]; then
-	    NUM_DIFF=`wc -l /tmp/reader.out`
-	  fi
-
-	  if [ $NUM_DIFF -eq 0 ]; then
-	      printf "%-32s\tOK\n" "$f"
-	  else
-	      printf "%-32s\tERROR\n" "$f"
-	      echo "$CMD"
-	      cat /tmp/reader.out
-	      RC=1
-	  fi
-
-	  /bin/rm -f /tmp/reader.out
-    done
-}
-
-check_results
-
-exit $RC