author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2021-11-15 16:20:57 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-11-15 16:20:57 +0100 |
commit | afc2b641eb9cf5035b5147e78030bafe0b40dd87 (patch) | |
tree | 99cf853d219ae6004819d2564f4cabd29c487cf6 /src/lib/protocols/tls.c | |
parent | da47357762746c7fc5c537b575b5b56f252320a5 (diff) |
Fix writes to `flow->protos` union fields (#1354)
We can write to `flow->protos` only after a proper classification.
This issue has been found in Kerberos, DHCP, HTTP, STUN, IMO, FTP,
SMTP, IMAP and POP code.
There are two kinds of fixes:
* write to `flow->protos` only if a final protocol has been detected
* move protocol state out of `flow->protos`
The hard part is to find, for each protocol, the right tradeoff between
memory usage and code complexity.
Handle Kerberos like DNS: if we find a request, we set the protocol
and an extra callback to further parsing the reply.
For all the other protocols, move the state out of `flow->protos`. This
is an issue only for the FTP/MAIL stuff.
Add DHCP Class Identification value to the output of ndpiReader and to
the JSON serialization.
Extend code coverage of fuzz tests.
Close #1343
Close #1342
Diffstat (limited to 'src/lib/protocols/tls.c')
-rw-r--r-- | src/lib/protocols/tls.c | 210 |
1 files changed, 105 insertions, 105 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 5b2941405..d912ae947 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -391,8 +391,8 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi printf("[TLS] %s() IssuerDN [%s]\n", __FUNCTION__, rdnSeqBuf); #endif - if(rdn_len && (flow->protos.tls_quic_stun.tls_quic.issuerDN == NULL)) { - flow->protos.tls_quic_stun.tls_quic.issuerDN = ndpi_strdup(rdnSeqBuf); + if(rdn_len && (flow->protos.tls_quic.issuerDN == NULL)) { + flow->protos.tls_quic.issuerDN = ndpi_strdup(rdnSeqBuf); if (ndpi_is_printable_string(rdnSeqBuf, rdn_len) == 0) { ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS); }
@@ -421,10 +421,10 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi /* 141021000000Z */ if(strptime(utcDate, "%y%m%d%H%M%SZ", &utc) != NULL) { - flow->protos.tls_quic_stun.tls_quic.notBefore = timegm(&utc); + flow->protos.tls_quic.notBefore = timegm(&utc); #ifdef DEBUG_TLS printf("[CERTIFICATE] notBefore %u [%s]\n", - flow->protos.tls_quic_stun.tls_quic.notBefore, utcDate); + flow->protos.tls_quic.notBefore, utcDate); #endif } } 
@@ -455,20 +455,20 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi /* 141021000000Z */ if(strptime(utcDate, "%y%m%d%H%M%SZ", &utc) != NULL) { - flow->protos.tls_quic_stun.tls_quic.notAfter = timegm(&utc); + flow->protos.tls_quic.notAfter = timegm(&utc); #ifdef DEBUG_TLS printf("[CERTIFICATE] notAfter %u [%s]\n", - flow->protos.tls_quic_stun.tls_quic.notAfter, utcDate); + flow->protos.tls_quic.notAfter, utcDate); #endif } } - if (flow->protos.tls_quic_stun.tls_quic.notBefore > TLS_LIMIT_DATE) - if((flow->protos.tls_quic_stun.tls_quic.notAfter-flow->protos.tls_quic_stun.tls_quic.notBefore) > TLS_THRESHOLD) + if (flow->protos.tls_quic.notBefore > TLS_LIMIT_DATE) + if((flow->protos.tls_quic.notAfter-flow->protos.tls_quic.notBefore) > TLS_THRESHOLD) ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG); /* Certificate validity longer than 13 months*/ - if((time_sec < flow->protos.tls_quic_stun.tls_quic.notBefore) - || (time_sec > flow->protos.tls_quic_stun.tls_quic.notAfter)) + if((time_sec < flow->protos.tls_quic.notBefore) + || (time_sec > flow->protos.tls_quic.notAfter)) ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_EXPIRED); /* Certificate expired */ } } @@ -478,7 +478,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi u_int8_t matched_name = 0; /* If the client hello was not observed or the requested name was missing, there is no need to trigger an alert */ - if(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] == '\0') + if(flow->protos.tls_quic.client_requested_server_name[0] == '\0') matched_name = 1; #ifdef DEBUG_TLS 
@@ -520,7 +520,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi #if DEBUG_TLS printf("[TLS] dNSName %s [%s][len: %u][leftover: %d]\n", dNSName, - flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, len, + flow->protos.tls_quic.client_requested_server_name, len, packet->payload_packet_len-i-len); #endif if (ndpi_is_printable_string(dNSName, len) == 0) { @@ -530,19 +530,19 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi if(matched_name == 0) { #if DEBUG_TLS printf("[TLS] Trying to match '%s' with '%s'\n", - flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, + flow->protos.tls_quic.client_requested_server_name, dNSName); #endif - if(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] == '\0') + if(flow->protos.tls_quic.client_requested_server_name[0] == '\0') matched_name = 1; /* No SNI */ else if (dNSName[0] == '*') { - char * label = strstr(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, &dNSName[1]); + char * label = strstr(flow->protos.tls_quic.client_requested_server_name, &dNSName[1]); if (label != NULL) { - char * first_dot = strchr(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, '.'); + char * first_dot = strchr(flow->protos.tls_quic.client_requested_server_name, '.'); if (first_dot == NULL || first_dot >= label) { 
@@ -550,33 +550,33 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi } } } - else if(strcmp(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, dNSName) == 0) { + else if(strcmp(flow->protos.tls_quic.client_requested_server_name, dNSName) == 0) { matched_name = 1; } } - if(flow->protos.tls_quic_stun.tls_quic.server_names == NULL) - flow->protos.tls_quic_stun.tls_quic.server_names = ndpi_strdup(dNSName), - flow->protos.tls_quic_stun.tls_quic.server_names_len = strlen(dNSName); + if(flow->protos.tls_quic.server_names == NULL) + flow->protos.tls_quic.server_names = ndpi_strdup(dNSName), + flow->protos.tls_quic.server_names_len = strlen(dNSName); else { u_int16_t dNSName_len = strlen(dNSName); - u_int16_t newstr_len = flow->protos.tls_quic_stun.tls_quic.server_names_len + dNSName_len + 1; - char *newstr = (char*)ndpi_realloc(flow->protos.tls_quic_stun.tls_quic.server_names, - flow->protos.tls_quic_stun.tls_quic.server_names_len+1, newstr_len+1); + u_int16_t newstr_len = flow->protos.tls_quic.server_names_len + dNSName_len + 1; + char *newstr = (char*)ndpi_realloc(flow->protos.tls_quic.server_names, + flow->protos.tls_quic.server_names_len+1, newstr_len+1); if(newstr) { - flow->protos.tls_quic_stun.tls_quic.server_names = newstr; - flow->protos.tls_quic_stun.tls_quic.server_names[flow->protos.tls_quic_stun.tls_quic.server_names_len] = ','; - strncpy(&flow->protos.tls_quic_stun.tls_quic.server_names[flow->protos.tls_quic_stun.tls_quic.server_names_len+1], + flow->protos.tls_quic.server_names = newstr; + flow->protos.tls_quic.server_names[flow->protos.tls_quic.server_names_len] = ','; + strncpy(&flow->protos.tls_quic.server_names[flow->protos.tls_quic.server_names_len+1], dNSName, dNSName_len+1); - flow->protos.tls_quic_stun.tls_quic.server_names[newstr_len] = '\0'; - flow->protos.tls_quic_stun.tls_quic.server_names_len = newstr_len; + flow->protos.tls_quic.server_names[newstr_len] = '\0'; + 
flow->protos.tls_quic.server_names_len = newstr_len; } } - if(!flow->protos.tls_quic_stun.tls_quic.subprotocol_detected) + if(!flow->protos.tls_quic.subprotocol_detected) if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, dNSName, len)) - flow->protos.tls_quic_stun.tls_quic.subprotocol_detected = 1; + flow->protos.tls_quic.subprotocol_detected = 1; i += len; } else { @@ -599,8 +599,8 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi } } /* for */ - if(rdn_len && (flow->protos.tls_quic_stun.tls_quic.subjectDN == NULL)) { - flow->protos.tls_quic_stun.tls_quic.subjectDN = ndpi_strdup(rdnSeqBuf); + if(rdn_len && (flow->protos.tls_quic.subjectDN == NULL)) { + flow->protos.tls_quic.subjectDN = ndpi_strdup(rdnSeqBuf); if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) { /* No idea what is happening behind the scenes: let's check the certificate */ @@ -631,8 +631,8 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi } } - if(flow->protos.tls_quic_stun.tls_quic.subjectDN && flow->protos.tls_quic_stun.tls_quic.issuerDN - && (!strcmp(flow->protos.tls_quic_stun.tls_quic.subjectDN, flow->protos.tls_quic_stun.tls_quic.issuerDN))) + if(flow->protos.tls_quic.subjectDN && flow->protos.tls_quic.issuerDN + && (!strcmp(flow->protos.tls_quic.subjectDN, flow->protos.tls_quic.issuerDN))) ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SELFSIGNED_CERTIFICATE); #if DEBUG_TLS 
@@ -721,12 +721,12 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, &packet->payload[certificates_offset], certificate_len); - SHA1Final(flow->protos.tls_quic_stun.tls_quic.sha1_certificate_fingerprint, &srv_cert_fingerprint_ctx); + SHA1Final(flow->protos.tls_quic.sha1_certificate_fingerprint, &srv_cert_fingerprint_ctx); flow->l4.tcp.tls.fingerprint_set = 1; - uint8_t * sha1 = flow->protos.tls_quic_stun.tls_quic.sha1_certificate_fingerprint; - const size_t sha1_siz = sizeof(flow->protos.tls_quic_stun.tls_quic.sha1_certificate_fingerprint); + uint8_t * sha1 = flow->protos.tls_quic.sha1_certificate_fingerprint; + const size_t sha1_siz = sizeof(flow->protos.tls_quic.sha1_certificate_fingerprint); char sha1_str[20 /* sha1_siz */ * 2 + 1]; static const char hexalnum[] = "0123456789ABCDEF"; size_t i; @@ -774,7 +774,7 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_packet_struct *packet = &ndpi_struct->packet; int ret; -#ifdef DEBUG_TL +#ifdef DEBUG_TLS printf("[TLS] Processing block %u\n", packet->payload[0]); #endif @@ -782,16 +782,16 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct, case 0x01: /* Client Hello */ case 0x02: /* Server Hello */ processClientServerHello(ndpi_struct, flow, 0); - flow->protos.tls_quic_stun.tls_quic.hello_processed = 1; + flow->protos.tls_quic.hello_processed = 1; ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS); #ifdef DEBUG_TLS printf("*** TLS [version: %02X][%s Hello]\n", - flow->protos.tls_quic_stun.tls_quic.ssl_version, + flow->protos.tls_quic.ssl_version, (packet->payload[0] == 0x01) ? "Client" : "Server"); #endif - if((flow->protos.tls_quic_stun.tls_quic.ssl_version >= 0x0304 /* TLS 1.3 */) + if((flow->protos.tls_quic.ssl_version >= 0x0304 /* TLS 1.3 */) && (packet->payload[0] == 0x02 /* Server Hello */)) { flow->l4.tcp.tls.certificate_processed = 1; /* No Certificate with TLS 1.3+ */ } 
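Review bot: `flow->protos.tls_quic.hello_processed = 1;` in the 0x01/0x02 case of processTLSBlock is written before `ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);` on the next line, and processClientServerHello, called just above it, fills several other `flow->protos.tls_quic` fields (ssl_version, alpn, client_requested_server_name) before that call as well. The commit message makes "write to `flow->protos` only after a proper classification" the rule, and the 0x0b case in the following hunk carries a comment insisting on exactly that order, so this hunk reads as an undocumented exception. Presumably the flow is already classified as TLS or QUIC by the time processTLSBlock runs, but that is not visible in the hunk; a comment above the assignment such as `/* The tls_quic union is safe to write here: the flow is already classified as TLS/QUIC before processTLSBlock is reached */` would record the assumption, or the assignment could move below the ndpi_int_tls_add_connection call if the assumption does not hold. processTLSBlock's body continues outside the hunk.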
@@ -802,7 +802,7 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct, case 0x0b: /* Certificate */ /* Important: populate the tls union fields only after * ndpi_int_tls_add_connection has been called */ - if(flow->protos.tls_quic_stun.tls_quic.hello_processed) { + if(flow->protos.tls_quic.hello_processed) { ret = processCertificate(ndpi_struct, flow); if (ret != 1) { #ifdef DEBUG_TLS @@ -1106,7 +1106,7 @@ static void tlsInitExtraPacketProcessing(struct ndpi_detection_module_struct *nd static void tlsCheckUncommonALPN(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - char * alpn_start = flow->protos.tls_quic_stun.tls_quic.alpn; + char * alpn_start = flow->protos.tls_quic.alpn; char * comma_or_nul = alpn_start; do { int alpn_len; @@ -1310,10 +1310,10 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, return(0); /* Not found */ ja3.server.num_cipher = 1, ja3.server.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset])); - if((flow->protos.tls_quic_stun.tls_quic.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.server.cipher[0])) == 1) + if((flow->protos.tls_quic.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.server.cipher[0])) == 1) ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_WEAK_CIPHER); - flow->protos.tls_quic_stun.tls_quic.server_cipher = ja3.server.cipher[0]; + flow->protos.tls_quic.server_cipher = ja3.server.cipher[0]; #ifdef DEBUG_TLS printf("TLS [server][session_id_len: %u][cipher: %04X]\n", session_id_len, ja3.server.cipher[0]); 
@@ -1360,7 +1360,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, printf("TLS [server] [TLS version: 0x%04X]\n", tls_version); #endif - flow->protos.tls_quic_stun.tls_quic.ssl_version = ja3.server.tls_supported_version = tls_version; + flow->protos.tls_quic.ssl_version = ja3.server.tls_supported_version = tls_version; } } else if(extension_id == 16 /* application_layer_protocol_negotiation (ALPN) */ && offset + 6 < packet->payload_packet_len) { @@ -1416,10 +1416,10 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if (ndpi_is_printable_string(alpn_str, alpn_str_len) == 0) ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS); - if(flow->protos.tls_quic_stun.tls_quic.alpn == NULL) - flow->protos.tls_quic_stun.tls_quic.alpn = ndpi_strdup(alpn_str); + if(flow->protos.tls_quic.alpn == NULL) + flow->protos.tls_quic.alpn = ndpi_strdup(alpn_str); - if(flow->protos.tls_quic_stun.tls_quic.alpn != NULL) + if(flow->protos.tls_quic.alpn != NULL) tlsCheckUncommonALPN(ndpi_struct, flow); snprintf(ja3.server.alpn, sizeof(ja3.server.alpn), "%s", alpn_str); @@ -1508,13 +1508,13 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, ndpi_MD5Final(md5_hash, &ctx); for(i=0, j=0; i<16; i++) { - int rc = snprintf(&flow->protos.tls_quic_stun.tls_quic.ja3_server[j], - sizeof(flow->protos.tls_quic_stun.tls_quic.ja3_server)-j, "%02x", md5_hash[i]); + int rc = snprintf(&flow->protos.tls_quic.ja3_server[j], + sizeof(flow->protos.tls_quic.ja3_server)-j, "%02x", md5_hash[i]); if(rc <= 0) break; else j += rc; } #ifdef DEBUG_TLS - printf("[JA3] Server: %s \n", flow->protos.tls_quic_stun.tls_quic.ja3_server); + printf("[JA3] Server: %s \n", flow->protos.tls_quic.ja3_server); #endif } else if(handshake_type == 0x01 /* Client Hello */) { u_int16_t cipher_len, cipher_offset; 
@@ -1528,8 +1528,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, ja3.client.supported_versions[0] = '\0'; ja3.client.alpn[0] = '\0'; - flow->protos.tls_quic_stun.tls_quic.ssl_version = ja3.client.tls_handshake_version = tls_version; - if(flow->protos.tls_quic_stun.tls_quic.ssl_version < 0x0303) /* < TLSv1.2 */ + flow->protos.tls_quic.ssl_version = ja3.client.tls_handshake_version = tls_version; + if(flow->protos.tls_quic.ssl_version < 0x0303) /* < TLSv1.2 */ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_OBSOLETE_VERSION); if((session_id_len+base_offset+3) > packet->payload_packet_len) @@ -1629,19 +1629,19 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, this is time consuming and we want to avoid overhead whem possible */ if(this_is_not_safari) - flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 0; + flow->protos.tls_quic.browser_heuristics.is_safari_tls = 0; else if((safari_ciphers == 12) || (this_is_not_safari && looks_like_safari_on_big_sur)) - flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 1; + flow->protos.tls_quic.browser_heuristics.is_safari_tls = 1; if(chrome_ciphers == 13) - flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls = 1; + flow->protos.tls_quic.browser_heuristics.is_chrome_tls = 1; /* Note that both Safari and Chrome can overlap */ #ifdef DEBUG_HEURISTIC printf("[CIPHERS] [is_chrome_tls: %u (%u)][is_safari_tls: %u (%u)][this_is_not_safari: %u]\n", - flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls, + flow->protos.tls_quic.browser_heuristics.is_chrome_tls, chrome_ciphers, - flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls, + flow->protos.tls_quic.browser_heuristics.is_safari_tls, safari_ciphers, this_is_not_safari); #endif 
@@ -1729,8 +1729,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, cleanupServerName(buffer, sizeof(buffer)); - snprintf(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, - sizeof(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name), + snprintf(flow->protos.tls_quic.client_requested_server_name, + sizeof(flow->protos.tls_quic.client_requested_server_name), "%s", buffer); #ifdef DEBUG_TLS printf("[TLS] SNI: [%s]\n", buffer); @@ -1742,19 +1742,19 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if(!is_quic) { if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, buffer, strlen(buffer))) - flow->protos.tls_quic_stun.tls_quic.subprotocol_detected = 1; + flow->protos.tls_quic.subprotocol_detected = 1; } else { if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, buffer, strlen(buffer))) - flow->protos.tls_quic_stun.tls_quic.subprotocol_detected = 1; + flow->protos.tls_quic.subprotocol_detected = 1; } if(ndpi_check_dga_name(ndpi_struct, flow, - flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, 1)) { - char *sni = flow->protos.tls_quic_stun.tls_quic.client_requested_server_name; + flow->protos.tls_quic.client_requested_server_name, 1)) { + char *sni = flow->protos.tls_quic.client_requested_server_name; int len = strlen(sni); #ifdef DEBUG_TLS - printf("[TLS] SNI: (DGA) [%s]\n", flow->protos.tls_quic_stun.tls_quic.client_requested_server_name); + printf("[TLS] SNI: (DGA) [%s]\n", flow->protos.tls_quic.client_requested_server_name); #endif if((len >= 4) 
@@ -1764,7 +1764,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_TLS); } else { #ifdef DEBUG_TLS - printf("[TLS] SNI: (NO DGA) [%s]\n", flow->protos.tls_quic_stun.tls_quic.client_requested_server_name); + printf("[TLS] SNI: (NO DGA) [%s]\n", flow->protos.tls_quic.client_requested_server_name); #endif } } else { @@ -1849,10 +1849,10 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, tot_signature_algorithms_len = ndpi_min((sizeof(ja3.client.signature_algorithms) / 2) - 1, tot_signature_algorithms_len); #ifdef TLS_HANDLE_SIGNATURE_ALGORITMS - flow->protos.tls_quic_stun.tls_quic.num_tls_signature_algorithms = ndpi_min(tot_signature_algorithms_len / 2, MAX_NUM_TLS_SIGNATURE_ALGORITHMS); + flow->protos.tls_quic.num_tls_signature_algorithms = ndpi_min(tot_signature_algorithms_len / 2, MAX_NUM_TLS_SIGNATURE_ALGORITHMS); - memcpy(flow->protos.tls_quic_stun.tls_quic.client_signature_algorithms, - &packet->payload[s_offset], 2 /* 16 bit */*flow->protos.tls_quic_stun.tls_quic.num_tls_signature_algorithms); + memcpy(flow->protos.tls_quic.client_signature_algorithms, + &packet->payload[s_offset], 2 /* 16 bit */*flow->protos.tls_quic.num_tls_signature_algorithms); #endif for(i=0; i<tot_signature_algorithms_len && s_offset+i<total_len; i++) { @@ -1899,7 +1899,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, #endif switch(signature_algo) { case ECDSA_SECP521R1_SHA512: - flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_firefox_tls = 1; + flow->protos.tls_quic.browser_heuristics.is_firefox_tls = 1; break; case ECDSA_SECP256R1_SHA256: 
@@ -1925,29 +1925,29 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, safari_signature_algorithms, chrome_signature_algorithms); #endif - if(flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_firefox_tls) - flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 0, - flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls = 0; + if(flow->protos.tls_quic.browser_heuristics.is_firefox_tls) + flow->protos.tls_quic.browser_heuristics.is_safari_tls = 0, + flow->protos.tls_quic.browser_heuristics.is_chrome_tls = 0; if(safari_signature_algorithms != 8) - flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 0; + flow->protos.tls_quic.browser_heuristics.is_safari_tls = 0; if((chrome_signature_algorithms != 8) || duplicate_found) - flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls = 0; + flow->protos.tls_quic.browser_heuristics.is_chrome_tls = 0; /* Avoid Chrome and Safari overlaps, thing that cannot happen with Firefox */ - if(flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls) - flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls = 0; + if(flow->protos.tls_quic.browser_heuristics.is_safari_tls) + flow->protos.tls_quic.browser_heuristics.is_chrome_tls = 0; - if((flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls == 0) + if((flow->protos.tls_quic.browser_heuristics.is_chrome_tls == 0) && duplicate_found) - flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 1; /* Safari */ + flow->protos.tls_quic.browser_heuristics.is_safari_tls = 1; /* Safari */ #ifdef DEBUG_HEURISTIC printf("[SIGNATURE] [is_firefox_tls: %u][is_chrome_tls: %u][is_safari_tls: %u][duplicate_found: %u]\n", - flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_firefox_tls, - flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls, - flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls, + 
flow->protos.tls_quic.browser_heuristics.is_firefox_tls, + flow->protos.tls_quic.browser_heuristics.is_chrome_tls, + flow->protos..tls_quic.browser_heuristics.is_safari_tls, duplicate_found); #endif @@ -2003,8 +2003,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, #ifdef DEBUG_TLS printf("Client TLS [ALPN: %s][len: %u]\n", alpn_str, alpn_str_len); #endif - if(flow->protos.tls_quic_stun.tls_quic.alpn == NULL) - flow->protos.tls_quic_stun.tls_quic.alpn = ndpi_strdup(alpn_str); + if(flow->protos.tls_quic.alpn == NULL) + flow->protos.tls_quic.alpn = ndpi_strdup(alpn_str); snprintf(ja3.client.alpn, sizeof(ja3.client.alpn), "%s", alpn_str); @@ -2061,8 +2061,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, printf("Client TLS [SUPPORTED_VERSIONS: %s]\n", ja3.client.supported_versions); #endif - if(flow->protos.tls_quic_stun.tls_quic.tls_supported_versions == NULL) - flow->protos.tls_quic_stun.tls_quic.tls_supported_versions = ndpi_strdup(version_str); + if(flow->protos.tls_quic.tls_supported_versions == NULL) + flow->protos.tls_quic.tls_supported_versions = ndpi_strdup(version_str); } } else if(extension_id == 65486 /* encrypted server name */) { /* @@ -2074,7 +2074,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, int initial_offset = e_offset; u_int16_t cipher_suite = ntohs(*((u_int16_t*)&packet->payload[e_offset])); - flow->protos.tls_quic_stun.tls_quic.encrypted_sni.cipher_suite = cipher_suite; + flow->protos.tls_quic.encrypted_sni.cipher_suite = cipher_suite; e_offset += 2; /* Cipher suite len */ 
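Review bot: The new DEBUG_HEURISTIC printf argument `flow->protos..tls_quic.browser_heuristics.is_safari_tls,` contains a doubled dot, at least as this page renders it; if that is really in the commit and not a rendering artifact, the line fails to compile whenever DEBUG_HEURISTIC is defined, and the default build will not catch it because the whole block is compiled out. It should read `flow->protos.tls_quic.browser_heuristics.is_safari_tls,`, matching the two arguments above it. Since this rename touched every debug printf in the file, a one-off build with the DEBUG_* macros enabled would confirm none of the other compiled-out lines were mangled the same way. processClientServerHello continues outside the hunk.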
@@ -2097,17 +2097,17 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, printf("Client TLS [Encrypted Server Name len: %u]\n", e_sni_len); #endif - if(flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni == NULL) { - flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni = (char*)ndpi_malloc(e_sni_len*2+1); + if(flow->protos.tls_quic.encrypted_sni.esni == NULL) { + flow->protos.tls_quic.encrypted_sni.esni = (char*)ndpi_malloc(e_sni_len*2+1); - if(flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni) { + if(flow->protos.tls_quic.encrypted_sni.esni) { u_int16_t i, off; for(i=e_offset, off=0; i<(e_offset+e_sni_len); i++) { - int rc = sprintf(&flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni[off], "%02X", packet->payload[i] & 0XFF); + int rc = sprintf(&flow->protos.tls_quic.encrypted_sni.esni[off], "%02X", packet->payload[i] & 0XFF); if(rc <= 0) { - flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni[off] = '\0'; + flow->protos.tls_quic.encrypted_sni.esni[off] = '\0'; break; } else off += rc; @@ -2240,19 +2240,19 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, ndpi_MD5Final(md5_hash, &ctx); for(i=0, j=0; i<16; i++) { - rc = snprintf(&flow->protos.tls_quic_stun.tls_quic.ja3_client[j], - sizeof(flow->protos.tls_quic_stun.tls_quic.ja3_client)-j, "%02x", + rc = snprintf(&flow->protos.tls_quic.ja3_client[j], + sizeof(flow->protos.tls_quic.ja3_client)-j, "%02x", md5_hash[i]); if(rc > 0) j += rc; else break; } #ifdef DEBUG_JA3C - printf("[JA3] Client: %s \n", flow->protos.tls_quic_stun.tls_quic.ja3_client); + printf("[JA3] Client: %s \n", flow->protos.tls_quic.ja3_client); #endif if(ndpi_struct->malicious_ja3_automa.ac_automa != NULL) { u_int16_t rc1 = ndpi_match_string(ndpi_struct->malicious_ja3_automa.ac_automa, - flow->protos.tls_quic_stun.tls_quic.ja3_client); + flow->protos.tls_quic.ja3_client); if(rc1 > 0) ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_JA3); 
@@ -2260,22 +2260,22 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, } /* Before returning to the caller we need to make a final check */ - if((flow->protos.tls_quic_stun.tls_quic.ssl_version >= 0x0303) /* >= TLSv1.2 */ - && (flow->protos.tls_quic_stun.tls_quic.alpn == NULL) /* No ALPN */) { + if((flow->protos.tls_quic.ssl_version >= 0x0303) /* >= TLSv1.2 */ + && (flow->protos.tls_quic.alpn == NULL) /* No ALPN */) { ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_NOT_CARRYING_HTTPS); } /* Suspicious Domain Fronting: https://github.com/SixGenInc/Noctilucent/blob/master/docs/ */ - if(flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni && - flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] != '\0') { + if(flow->protos.tls_quic.encrypted_sni.esni && + flow->protos.tls_quic.client_requested_server_name[0] != '\0') { ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_ESNI_USAGE); } /* Add check for missing SNI */ - if((flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] == 0) - && (flow->protos.tls_quic_stun.tls_quic.ssl_version >= 0x0302) /* TLSv1.1 */ - && (flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni == NULL) /* No ESNI */ + if((flow->protos.tls_quic.client_requested_server_name[0] == 0) + && (flow->protos.tls_quic.ssl_version >= 0x0302) /* TLSv1.1 */ + && (flow->protos.tls_quic.encrypted_sni.esni == NULL) /* No ESNI */ ) { /* This is a bit suspicious */ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_MISSING_SNI); @@ -2314,7 +2314,7 @@ static void ndpi_search_tls_wrapper(struct ndpi_detection_module_struct *ndpi_st __FUNCTION__, flow->guessed_host_protocol_id, packet->payload_packet_len, - flow->protos.tls_quic_stun.tls_quic.ssl_version); + flow->protos.tls_quic.ssl_version); #endif if(packet->udp != NULL) |