authorToni <matzeton@googlemail.com>2022-05-08 19:56:08 +0200
committerGitHub <noreply@github.com>2022-05-08 19:56:08 +0200
commit34882d9cf0b725fff87e38bd6dcc7a9cce645d4f (patch)
treefb59ec1f5a9b92ef55fa017a627ee81c94bd9b0c /src/lib/protocols/tls.c
parentb2648a45a377fb891319e59e2aa94729705c6c2a (diff)
Improved TLS application data detection. (#1541)
* #1532 did fix TLS appdata detection only partially * use flow->l4.tcp.tls.message.buffer_used instead of packet->payload Signed-off-by: lns <matzeton@googlemail.com>
Diffstat (limited to 'src/lib/protocols/tls.c')
-rw-r--r--src/lib/protocols/tls.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 8324cb9ea..09ff86eb6 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -987,8 +987,9 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
if(block_len < 16384 /* Max TLS block size */)
ndpi_looks_like_tls(ndpi_struct, flow);
- if (packet->payload[1] == 0x03 && packet->payload[2] <= 4 &&
- block_len == (u_int32_t)packet->payload_packet_len - 5)
+ if (flow->l4.tcp.tls.message.buffer[1] == 0x03 &&
+ flow->l4.tcp.tls.message.buffer[2] <= 0x04 &&
+ block_len == (u_int32_t)flow->l4.tcp.tls.message.buffer_used - 5)
{
ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
}
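Review bot: The new condition indexes `flow->l4.tcp.tls.message.buffer[1]` and `[2]` and evaluates `(u_int32_t)flow->l4.tcp.tls.message.buffer_used - 5`, but nothing in the hunk checks that the reassembly buffer is allocated and holds at least the 5-byte TLS record header. If `buffer_used` is below 5, the unsigned subtraction wraps to a very large value and the two header bytes compared may be stale or outside the valid data. ndpi_search_tls_tcp begins and continues outside this hunk, so a guard may already exist earlier; if it does not, the condition should start with `flow->l4.tcp.tls.message.buffer_used >= 5 &&`. The classification `if` is also not covered by the preceding `block_len < 16384` test, which without braces applies only to the `ndpi_looks_like_tls` call, so it is worth confirming that this is intended. A short comment such as `/* 5 = TLS record header: type(1) + version(2) + length(2) */` would explain the constant.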