Improve MySQL detection (#2279)

* Improve MySQL detection

* Update copyright

1 files changed, 21 insertions, 43 deletions

diff --git a/src/lib/protocols/mysql.c b/src/lib/protocols/mysql.c
index c3e04ef8b..7560f6030 100644
--- a/src/lib/protocols/mysql.c
+++ b/src/lib/protocols/mysql.c
@@ -2,7 +2,8 @@
  * mysql.c
  * 
  * Copyright (C) 2009-11 - ipoque GmbH
- * Copyright (C) 2011-22 - ntop.org
+ * Copyright (C) 2011-24 - ntop.org
+ * Copyright (C) 2024 - V.G <jacendi@protonmail.com>
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -30,50 +31,27 @@
 #include "ndpi_api.h"
 #include "ndpi_private.h"
 
-static void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
-  struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+static void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
+{
+  struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
 
-  NDPI_LOG_DBG(ndpi_struct, "search MySQL\n");
-	
-  if(packet->tcp) {
-    if(packet->payload_packet_len > 38) { //min length
-      u_int32_t length = (packet->payload[2] << 16) + (packet->payload[1] << 8) + packet->payload[0];
+  if(packet->payload_packet_len > 70 && packet->payload_packet_len < 120) {
+    u_int32_t length = (packet->payload[2] << 16) + (packet->payload[1] << 8) + packet->payload[0];
 
-      if(length == (u_int32_t)packet->payload_packet_len - 4	//first 3 bytes are length
-         && get_u_int8_t(packet->payload, 2) == 0x00	//3rd byte of packet length
-         && get_u_int8_t(packet->payload, 3) == 0x00	//packet sequence number is 0 for startup packet
-         && get_u_int8_t(packet->payload, 5) > 0x30	//server version > 0
-         && get_u_int8_t(packet->payload, 5) < 0x39	//server version < 9
-         && get_u_int8_t(packet->payload, 6) == 0x2e	//dot
-        ) {
-#if 0
-      /* Old code */
-      u_int32_t a;
-      
-      for(a = 7; a + 31 < packet->payload_packet_len; a++) {
-	if(packet->payload[a] == 0x00) {
-	  if(get_u_int8_t(packet->payload, a + 13) == 0x00	 // filler byte
-	     && get_u_int64_t(packet->payload, a + 19) == 0x0ULL // 13 more
-	     && get_u_int32_t(packet->payload, a + 27) == 0x0	 // filler bytes
-	     && get_u_int8_t(packet->payload, a + 31) == 0x0) {
-	    NDPI_LOG_INFO(ndpi_struct, "found MySQL\n");
-	    ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
-	    return;
-	  }
-	  
-	  break;
-	}
-      }
-#else
-        if(strncmp((const char*)&packet->payload[packet->payload_packet_len-22],
-		   "mysql_", 6) == 0 ||
-           strncmp((const char*)&packet->payload[packet->payload_packet_len-22],
-		   "caching_", 8) == 0) {
-	  NDPI_LOG_INFO(ndpi_struct, "found MySQL\n");
-	  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL,  NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
-	  return;
-        }
-#endif
+    if ((u_int32_t)(packet->payload_packet_len-4) == length && 
+        packet->payload[4] == 0x0A && ((memcmp(&packet->payload[5], "5.5.5-", 6) == 0) || 
+        (packet->payload[5] > 0x33 && packet->payload[5] < 0x39)))
+    {
+      if ((memcmp(&packet->payload[packet->payload_packet_len-10], "_password", 9) == 0) ||
+          (memcmp(&packet->payload[packet->payload_packet_len-10], "_kerberos", 9) == 0) ||
+          (memcmp(&packet->payload[packet->payload_packet_len-9], "_windows", 8) == 0) ||
+          (memcmp(&packet->payload[packet->payload_packet_len-8], "_simple", 7) == 0) ||
+          (memcmp(&packet->payload[packet->payload_packet_len-8], "_gssapi", 7) == 0) ||
+          (memcmp(&packet->payload[packet->payload_packet_len-5], "_pam", 4) == 0))
+      {
+        NDPI_LOG_INFO(ndpi_struct, "found MySQL\n");
+        ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+        return;
       }
     }
   }