author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2021-11-24 10:46:48 +0100 |
committer | GitHub <noreply@github.com> | 2021-11-24 10:46:48 +0100 |
commit | a8ffcd8bb0273d59600c6310a80b81206096c113 (patch) | |
tree | 2a62911824363509ea5e7c69afa189e98556e495 /src/lib/ndpi_main.c | |
parent | fd02e1b3043eecc5711eb8254aadaa3f43ca7503 (diff) |
Rework how hostname/SNI info is saved (#1330)
Looking at `struct ndpi_flow_struct` the two bigger fields are
`host_server_name[240]` (mainly for HTTP hostnames and DNS domains) and
`protos.tls_quic.client_requested_server_name[256]`
(for TLS/QUIC SNIs).
This commit aims to reduce `struct ndpi_flow_struct` size, according to
two simple observations:
1) maximum one of these two fields is used for each flow. So it seems safe
to merge them;
2) even if hostnames/SNIs might be very long, in practice they are rarely
longer than a few tens of bytes. So, using a (single) large buffer is a
waste of memory for all kinds of flows. If we need to truncate the name,
we keep the *last* characters, easing domain matching.
Analyzing some real traffic, it seems safe to assume that the vast
majority of hostnames/SNIs is shorter than 80 bytes.
Hostnames/SNIs are always converted to lowercase.
Attention was given so as to be sure that unit-tests outputs are not
affected by this change.
Because of a bug, TLS/QUIC SNI were always truncated to 64 bytes (the
*first* 64 ones): as a consequence, there were some "Suspicious DGA
domain name" and "TLS Certificate Mismatch" false positives.
Diffstat (limited to 'src/lib/ndpi_main.c')
-rw-r--r-- | src/lib/ndpi_main.c | 55 |
1 files changed, 21 insertions, 34 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 993aac969..d417d247e 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -4916,7 +4916,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
 ndpi_set_detected_protocol(ndpi_str, flow, flow->guessed_protocol_id, NDPI_PROTOCOL_UNKNOWN);
 } else if((flow->protos.tls_quic.hello_processed == 1) &&
- (flow->protos.tls_quic.client_requested_server_name[0] != '\0')) {
+ (flow->host_server_name[0] != '\0')) {
 *protocol_was_guessed = 1;
 ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN);
 } else if(enable_guess) {
@@ -5198,21 +5198,8 @@ void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_str,
 if(flow->host_server_name[0] != '\0') {
 u_int32_t id;
- int rc = ndpi_match_custom_category(ndpi_str, (char *) flow->host_server_name,
- strlen((char *) flow->host_server_name), &id);
-
- if(rc == 0) {
- flow->category = ret->category = (ndpi_protocol_category_t) id;
- return;
- }
- }
-
- if(flow->protos.tls_quic.hello_processed == 1 &&
- flow->protos.tls_quic.client_requested_server_name[0] != '\0') {
- u_int32_t id;
- int rc = ndpi_match_custom_category(ndpi_str, (char *) flow->protos.tls_quic.client_requested_server_name,
- strlen(flow->protos.tls_quic.client_requested_server_name), &id);
-
+ int rc = ndpi_match_custom_category(ndpi_str, flow->host_server_name,
+ strlen(flow->host_server_name), &id);
 if(rc == 0) {
 flow->category = ret->category = (ndpi_protocol_category_t) id;
 return;
@@ -5389,7 +5376,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct struct ndpi_id_struct *src, struct ndpi_id_struct *dst) { struct ndpi_packet_struct *packet = &ndpi_str->packet; NDPI_SELECTION_BITMASK_PROTOCOL_SIZE ndpi_selection_packet; - u_int32_t a, num_calls = 0; + u_int32_t num_calls = 0; ndpi_protocol ret = { flow->detected_protocol_stack[1], flow->detected_protocol_stack[0], flow->category }; if(ndpi_str->ndpi_log_level >= NDPI_LOG_TRACE) @@ -5467,23 +5454,6 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct num_calls = ndpi_check_flow_func(ndpi_str, flow, &ndpi_selection_packet); - a = flow->detected_protocol_stack[0]; - if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_str->detection_bitmask, a) == 0) - a = NDPI_PROTOCOL_UNKNOWN; - - if(a != NDPI_PROTOCOL_UNKNOWN) { - unsigned int i; - - for(i = 0; i < sizeof(flow->host_server_name); i++) { - if(flow->host_server_name[i] != '\0') - flow->host_server_name[i] = tolower(flow->host_server_name[i]); - else { - flow->host_server_name[i] = '\0'; - break; - } - } - } - ret_protocols: if(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN) { ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0]; @@ -7783,3 +7753,20 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, ndpi_risk_info* ndpi_risk2severity(ndpi_risk_enum risk) { return(&ndpi_known_risks[risk]); } + +/* ******************************************************************** */ + +char *ndpi_hostname_sni_set(struct ndpi_flow_struct *flow, const u_int8_t *value, size_t value_len) +{ + char *dst; + size_t len, i; + + len = ndpi_min(value_len, sizeof(flow->host_server_name) - 1); + dst = flow->host_server_name; + + for(i = 0; i < len; i++) + dst[i] = tolower(value[value_len - len + i]); + dst[i] = '\0'; + + return dst; +} |
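Review bot: Dropping the catch-all lowercasing loop over `flow->host_server_name` in ndpi_detection_process_packet means case normalisation now happens only for writers that go through `ndpi_hostname_sni_set` (added at the end of this file); any dissector that still stores into `flow->host_server_name` directly would keep mixed-case names, and the custom-category and domain matching that previously could assume lowercase input would then see them unnormalised. The dissectors are not in this diff, so this may already be covered by the rest of the change; a short comment at the removal site or on the new helper, such as `/* host_server_name is lowercased at set time by ndpi_hostname_sni_set(); write it only through that helper */`, would pin the invariant for future writers. The enclosing function ndpi_detection_process_packet starts and ends outside this hunk.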
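Review bot: `ndpi_hostname_sni_set` has no header comment, and its two non-obvious contract points — the stored name is lowercased, and when `value_len` exceeds the buffer the last bytes are kept so the domain suffix survives — are visible only through the index expression `value[value_len - len + i]`. I would add a Doxygen block above the definition stating that `value` is raw packet data, that at most `sizeof(flow->host_server_name) - 1` bytes are stored with the leading part discarded on overflow, and that the return value is the NUL-terminated `flow->host_server_name` rather than any indication that truncation occurred. Because `value` comes from the wire, an embedded NUL byte is copied verbatim and would silently shorten what `strlen(flow->host_server_name)` (as used in the category-matching hunk above) sees; a one-line note on that, or dropping such input, seems worth adding. As a style point, `dst[len] = '\0';` states the intent more directly than relying on `i == len` after the loop.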