Merge pull request #11 from ntop/dev

Add all dev branch modifications

1 files changed, 120 insertions, 42 deletions

diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c
index 25d535a57..05988a8d4 100644
--- a/src/lib/protocols/ssl.c
+++ b/src/lib/protocols/ssl.c
@@ -28,6 +28,7 @@
 #include "ndpi_api.h"
 
 // #define CERTIFICATE_DEBUG 1
+
 #define NDPI_MAX_SSL_REQUEST_SIZE 10000
 
 /* Skype.c */
@@ -150,9 +151,10 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
 
 #ifdef CERTIFICATE_DEBUG
   {
-    static u_int8_t id = 0;
-
-    NDPI_LOG_DBG2(ndpi_struct,"-> [%u] %02X\n", ++id, packet->payload[0] & 0xFF);
+    u_int16_t ssl_version = (packet->payload[1] << 8) + packet->payload[2];
+    u_int16_t ssl_len     = (packet->payload[3] << 8) + packet->payload[4];    
+      
+    printf("SSL Record [version: 0x%02X][len: %u]\n", ssl_version, ssl_len);
   }
 #endif
 
@@ -174,10 +176,18 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
     if(total_len > 4) {
       int i;
 
-      if(handshake_protocol == 0x02 || handshake_protocol == 0xb /* Server Hello and Certificate message types are interesting for us */) {
+#ifdef CERTIFICATE_DEBUG
+      printf("SSL [len: %u][handshake_protocol: %02X]\n", packet->payload_packet_len, handshake_protocol);
+#endif
+
+      if((handshake_protocol == 0x02)
+	 || (handshake_protocol == 0xb) /* Server Hello and Certificate message types are interesting for us */) {
 	u_int num_found = 0;
 
-	flow->l4.tcp.ssl_seen_server_cert = 1;
+	if(handshake_protocol == 0x02)
+	  flow->l4.tcp.ssl_seen_server_cert = 1;
+	else
+	  flow->l4.tcp.ssl_seen_certificate = 1;
 
 	/* Check after handshake protocol header (5 bytes) and message header (4 bytes) */
 	for(i = 9; i < packet->payload_packet_len-3; i++) {
@@ -215,11 +225,11 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
 		  break;
 		} else if(buffer[j] == '.') {
 		  num_dots++;
-		  if(num_dots >=2) break;
+		  if(num_dots >=1) break;
 		}
 	      }
 
-	      if(num_dots >= 2) {
+	      if(num_dots >= 1) {
 		if(!ndpi_struct->disable_metadata_export) {
 		  stripCertificateTrailer(buffer, buffer_len);
 		  snprintf(flow->protos.stun_ssl.ssl.server_certificate,
@@ -232,8 +242,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
 	}
       } else if(handshake_protocol == 0x01 /* Client Hello */) {
 	u_int offset, base_offset = 43;
-	if (base_offset + 2 <= packet->payload_packet_len)
-	  {
+	if(base_offset + 2 <= packet->payload_packet_len) {
 	    u_int16_t session_id_len = packet->payload[base_offset];
 
 	    if((session_id_len+base_offset+2) <= total_len) {
@@ -335,25 +344,94 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
   return(0); /* Not found */
 }
 
+void getSSLorganization(struct ndpi_detection_module_struct *ndpi_struct,
+	struct ndpi_flow_struct *flow,
+	char *buffer, int buffer_len) {
+    struct ndpi_packet_struct *packet = &flow->packet;
+
+    if(packet->payload[0] != 0x16 /* Handshake */)
+	return;
+
+    u_int16_t total_len  = (packet->payload[3] << 8) + packet->payload[4] + 5 /* SSL Header */;
+    u_int8_t handshake_protocol = packet->payload[5]; /* handshake protocol a bit misleading, it is message type according TLS specs */
+
+    if(handshake_protocol != 0x02 && handshake_protocol != 0xb /* Server Hello and Certificate message types are interesting for us */)
+	return;
+
+    /* Truncate total len, search at least in incomplete packet */
+    if(total_len > packet->payload_packet_len)
+	total_len = packet->payload_packet_len;
+
+    memset(buffer, 0, buffer_len);
+
+    /* Check after handshake protocol header (5 bytes) and message header (4 bytes) */
+    u_int num_found = 0;
+    u_int i, j;
+    for(i = 9; i < packet->payload_packet_len-4; i++) {
+	/* Organization OID: 2.5.4.10 */
+	if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x0a)) {
+	    u_int8_t type_tag = packet->payload[i+3]; // 0x0c: utf8string / 0x13: printable_string
+	    u_int8_t server_len = packet->payload[i+4];
+
+	    num_found++;
+	    /* what we want is subject certificate, so we bypass the issuer certificate */
+	    if(num_found != 2) continue;
+
+	    // packet is truncated... further inspection is not needed
+	    if(i+4+server_len >= packet->payload_packet_len) {
+		break;
+	    }
+
+	    char *server_org = (char*)&packet->payload[i+5];
+
+	    u_int len = (u_int)ndpi_min(server_len, buffer_len-1);
+	    strncpy(buffer, server_org, len);
+	    buffer[len] = '\0';
+
+	    // check if organization string are all printable
+	    u_int8_t is_printable = 1;
+	    for (j = 0; j < len; j++) {
+		if(!ndpi_isprint(buffer[j])) {
+		    is_printable = 0;
+		    break;
+		}
+	    }
+
+	    if(is_printable == 1) {
+		snprintf(flow->protos.stun_ssl.ssl.server_organization,
+			sizeof(flow->protos.stun_ssl.ssl.server_organization), "%s", buffer);
+#ifdef CERTIFICATE_DEBUG
+		printf("Certificate origanization: %s\n", flow->protos.stun_ssl.ssl.server_organization);
+#endif
+	    }
+	}
+    }
+}
+
 int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
   struct ndpi_packet_struct *packet = &flow->packet;
 
   /* consider only specific SSL packets (handshake) */
   if((packet->payload_packet_len > 9) && (packet->payload[0] == 0x16)) {
     char certificate[64];
+    char organization[64];
     int rc;
 
     certificate[0] = '\0';
     rc = getSSLcertificate(ndpi_struct, flow, certificate, sizeof(certificate));
     packet->ssl_certificate_num_checks++;
-    if (rc > 0) {
+    if(rc > 0) {
+      // try fetch server organization once server certificate is found
+      organization[0] = '\0';
+      getSSLorganization(ndpi_struct, flow, organization, sizeof(organization));
+
       packet->ssl_certificate_detected++;
-      if ((flow->l4.tcp.ssl_seen_server_cert == 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0'))
+      if((flow->l4.tcp.ssl_seen_server_cert == 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0'))
         /* 0 means we're done processing extra packets (since we found what we wanted) */
         return 0;
     }
     /* Client hello, Server Hello, and certificate packets probably all checked in this case */
-    if ((packet->ssl_certificate_num_checks >= 3)
+    if((packet->ssl_certificate_num_checks >= 3)
 	&& (flow->l4.tcp.seen_syn)
 	&& (flow->l4.tcp.seen_syn_ack)
 	&& (flow->l4.tcp.seen_ack) /* We have seen the 3-way handshake */)
@@ -369,7 +447,7 @@ int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi
 void sslInitExtraPacketProcessing(int caseNum, struct ndpi_flow_struct *flow) {
   flow->check_extra_packets = 1;
   /* 0 is the case for waiting for the server certificate */
-  if (caseNum == 0) {
+  if(caseNum == 0) {
     /* At most 7 packets should almost always be enough to find the server certificate if it's there */
     flow->max_extra_packets_to_check = 7;
     flow->extra_packets_func = sslTryAndRetrieveServerCertificate;
@@ -405,7 +483,8 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s
 	  /* If we've detected the subprotocol from client certificate but haven't had a chance
 	   * to see the server certificate yet, set up extra packet processing to wait
 	   * a few more packets. */
-	  if(((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) && ((flow->l4.tcp.ssl_seen_server_cert != 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] == '\0'))) {
+	  if(((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0'))
+	     && ((flow->l4.tcp.ssl_seen_server_cert != 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] == '\0'))) {
 	    sslInitExtraPacketProcessing(0, flow);
 	  }
 
@@ -418,11 +497,13 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s
 	  return(rc);
       }
 
-      if(((packet->ssl_certificate_num_checks >= 2)
+      if(((packet->ssl_certificate_num_checks >= 3)
 	  && flow->l4.tcp.seen_syn
 	  && flow->l4.tcp.seen_syn_ack
 	  && flow->l4.tcp.seen_ack /* We have seen the 3-way handshake */)
-	 || ((flow->l4.tcp.ssl_seen_server_cert == 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0'))
+	 || ((flow->l4.tcp.ssl_seen_certificate == 1)
+	     && (flow->l4.tcp.ssl_seen_server_cert == 1)
+	     && (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0'))
 	 /* || ((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) */
 	 ) {
 	ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL);
@@ -432,8 +513,7 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s
   return(0);
 }
 
-static void ssl_mark_and_payload_search_for_other_protocols(struct
-							    ndpi_detection_module_struct
+static void ssl_mark_and_payload_search_for_other_protocols(struct ndpi_detection_module_struct
 							    *ndpi_struct, struct ndpi_flow_struct *flow)
 {
   struct ndpi_packet_struct *packet = &flow->packet;
@@ -510,16 +590,16 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct
       /* SSL without certificate (Skype, Ultrasurf?) */
       NDPI_LOG_INFO(ndpi_struct, "found ssl NO_CERT\n");
       ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL_NO_CERT);
-    } else
+    } else if(packet->ssl_certificate_num_checks >= 3) {
       NDPI_LOG_INFO(ndpi_struct, "found ssl\n");
-    ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL);
+      ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL);
+    }
   }
 }
 
 
 static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct *ndpi_struct,
 					     struct ndpi_flow_struct *flow) {
-
   struct ndpi_packet_struct *packet = &flow->packet;
 
   if((packet->payload_packet_len >= 5)
@@ -559,7 +639,7 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct
       }
     }
 
-    if((packet->payload_packet_len > temp && packet->payload_packet_len > 100) && packet->payload_packet_len > 9) {
+    if((packet->payload_packet_len > temp) && (packet->payload_packet_len > 100)) {
       /* the server hello may be split into small packets and the certificate has its own SSL Record
        * so temp contains only the length for the first ServerHello block */
       u_int32_t cert_start;
@@ -647,27 +727,25 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
 
   NDPI_LOG_DBG(ndpi_struct, "search ssl\n");
 
-  {
-    /* Check if this is whatsapp first (this proto runs over port 443) */
-    if((packet->payload_packet_len > 5)
-       && ((packet->payload[0] == 'W')
-	   && (packet->payload[1] == 'A')
-	   && (packet->payload[4] == 0)
-	   && (packet->payload[2] <= 9)
-	   && (packet->payload[3] <= 9))) {
-      ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN);
-      return;
-    } else if((packet->payload_packet_len == 4)
-	      && (packet->payload[0] == 'W')
-	      && (packet->payload[1] == 'A')) {
-      ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN);
+  /* Check if this is whatsapp first (this proto runs over port 443) */
+  if((packet->payload_packet_len > 5)
+     && ((packet->payload[0] == 'W')
+	 && (packet->payload[1] == 'A')
+	 && (packet->payload[4] == 0)
+	 && (packet->payload[2] <= 9)
+	 && (packet->payload[3] <= 9))) {
+    ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN);
+    return;
+  } else if((packet->payload_packet_len == 4)
+	    && (packet->payload[0] == 'W')
+	    && (packet->payload[1] == 'A')) {
+    ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN);
+    return;
+  } else {
+    /* No whatsapp, let's try SSL */
+    if(sslDetectProtocolFromCertificate(ndpi_struct, flow) > 0)
       return;
-    } else {
-      /* No whatsapp, let's try SSL */
-      if(sslDetectProtocolFromCertificate(ndpi_struct, flow) > 0)
-	return;
-    }
-  }
+  }  
 
   if(packet->payload_packet_len > 40 && flow->l4.tcp.ssl_stage == 0) {
     NDPI_LOG_DBG2(ndpi_struct, "first ssl packet\n");