author | Mikhail Smirnov <2miksyn@users.noreply.github.com> | 2018-11-09 00:46:25 +0300 |
---|---|---|
committer | Mikhail Smirnov <2miksyn@users.noreply.github.com> | 2018-11-09 00:46:25 +0300 |
commit | 8f8ca40f63bb47f337253074f395bc44f3cd6a86 (patch) | |
tree | 6abe87c9f2fd0a2dd828bb4a8255f036600ac03d /src/lib/protocols/ssl.c | |
parent | 9c5a4a6d1f117dbc8e3d0d46fa2d36f1d65761b3 (diff) |
Improve SSL detection, prevent false positive SSL detection
Diffstat (limited to 'src/lib/protocols/ssl.c')
-rw-r--r-- | src/lib/protocols/ssl.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c
index 979d234b9..d7f7a9687 100644
--- a/src/lib/protocols/ssl.c
+++ b/src/lib/protocols/ssl.c
@@ -39,8 +39,8 @@ static u_int32_t ndpi_ssl_refine_master_protocol(struct ndpi_detection_module_st
 {
 struct ndpi_packet_struct *packet = &flow->packet;
- if((flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')
- || (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0')
+ if(((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0'))
+ || ((flow->l4.tcp.ssl_seen_server_cert == 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0'))
 || (flow->host_server_name[0] != '\0'))
 protocol = NDPI_PROTOCOL_SSL;
 else
@@ -348,7 +348,7 @@ int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi
 packet->ssl_certificate_num_checks++;
 if (rc > 0) {
 packet->ssl_certificate_detected++;
- if (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0')
+ if ((flow->l4.tcp.ssl_seen_server_cert == 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0'))
 /* 0 means we're done processing extra packets (since we found what we wanted) */
 return 0;
 }
@@ -405,7 +405,7 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s
 /* If we've detected the subprotocol from client certificate but haven't had a chance
 * to see the server certificate yet, set up extra packet processing to wait
 * a few more packets. */
- if((flow->protos.stun_ssl.ssl.client_certificate[0] != '\0') && (flow->protos.stun_ssl.ssl.server_certificate[0] == '\0')) {
+ if(((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) && ((flow->l4.tcp.ssl_seen_server_cert != 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] == '\0'))) {
 sslInitExtraPacketProcessing(0, flow);
 }
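Review bot: In ndpi_ssl_refine_master_protocol (hunk at -39) the third alternative, `|| (flow->host_server_name[0] != '\0')`, is still tested without any SSL-specific guard, so a non-empty host name alone still sets `protocol = NDPI_PROTOCOL_SSL` even when neither `ssl_seen_*_cert` flag is set. If `host_server_name` can be filled by a dissector other than the SSL one (not visible on this page), that path remains a source of the false positives this commit is meant to prevent. Either gate it on evidence that an SSL hello was actually parsed, or add a comment stating why the host name alone is sufficient here. The function body continues outside the hunk.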
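Review bot: The test `(flow->l4.tcp.ssl_seen_server_cert == 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0')` in sslTryAndRetrieveServerCertificate (hunk at -348) is now written out by hand in all four hunks of this commit, in both client and server variants. A pair of small `static` helpers, for example `static int ssl_server_cert_seen(const struct ndpi_flow_struct *flow)` and a client twin, would keep the flag and the buffer check together so a later edit cannot update one call site and miss another. The helper's comment should state that the certificate buffer is trusted only once the matching flag has been set by the SSL parser. The function starts and ends outside the hunk.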
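Review bot: In sslDetectProtocolFromCertificate (hunk at -405) the "server certificate not yet seen" half is written as `(flow->l4.tcp.ssl_seen_server_cert != 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] == '\0')`, which is not the negation of the "seen" test used in the other hunks (`== 1 && != '\0'`). When the buffer is non-empty but the flag is unset, which the rest of this commit treats as "no certificate", this condition is false and `sslInitExtraPacketProcessing(0, flow)` is skipped, so the dissector does not wait for the real server certificate. The second operand should use `||`: `((flow->l4.tcp.ssl_seen_server_cert != 1) || (flow->protos.stun_ssl.ssl.server_certificate[0] == '\0'))`. The function starts before and continues after this hunk.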
@@ -422,8 +422,8 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s
 && flow->l4.tcp.seen_syn
 && flow->l4.tcp.seen_syn_ack
 && flow->l4.tcp.seen_ack /* We have seen the 3-way handshake */)
- || (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0')
- /* || (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0') */
+ || ((flow->l4.tcp.ssl_seen_server_cert == 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0'))
+ /* || ((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) */
 ) {
 ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL);
 }
 |
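Review bot: The commented-out client-certificate alternative in this condition (hunk at -422, sslDetectProtocolFromCertificate) was rewritten inside the comment instead of being removed, so dead code is now being maintained in step with live code. Either delete it, or replace it with a sentence explaining why a client certificate alone must not lead to `ndpi_int_ssl_add_connection(...)`, for example `/* a client certificate alone does not confirm SSL: <reason> */`. That rationale matters to anyone tuning detection, because it records which handshake evidence is considered strong enough to classify a flow. The `if` begins above the hunk.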