author | Luca Deri <deri@ntop.org> | 2019-10-24 19:48:55 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2019-10-24 19:48:55 +0200 |
commit | 0974075fa0411d4a652baa96f5a1f801e999a075 (patch) | |
tree | 83a62cdd42b4192d34fb0b476864ab326f4fed82 /src/lib/protocols | |
parent | 0ffe5cf1ff7ab2ec90b5674936aa0f2555e3d414 (diff) |
Major cleanup
Removed ndpi_pref_http_dont_dissect_response and ndpi_pref_dns_dont_dissect_response as the ndpi_extra_dissection_possible() call will now handle everything
Diffstat (limited to 'src/lib/protocols')
-rw-r--r-- | src/lib/protocols/dns.c | 89 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 140 | ||||
-rw-r--r-- | src/lib/protocols/iec60870-5-104.c | 42 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 66 |
4 files changed, 195 insertions, 142 deletions
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index f41eb65ee..7051b2227 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -32,6 +32,8 @@ // #define DNS_DEBUG 1 +static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); + /* *********************************************** */ static u_int16_t get16(int *i, const u_int8_t *payload) { @@ -84,6 +86,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, memcpy(dns_header, (struct ndpi_dns_packet_header*)&flow->packet.payload[x], sizeof(struct ndpi_dns_packet_header)); + dns_header->tr_id = ntohs(dns_header->tr_id); dns_header->flags = ntohs(dns_header->flags); dns_header->num_queries = ntohs(dns_header->num_queries); 
@@ -134,58 +137,69 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, /* This is a good reply: we dissect it both for request and response */ /* Leave the statement below commented necessary in case of call to ndpi_get_partial_detection() */ - /* if(ndpi_struct->dns_dont_dissect_response == 0) */ { - x++; - - if(flow->packet.payload[x] != '\0') { - while((x < flow->packet.payload_packet_len) - && (flow->packet.payload[x] != '\0')) { - x++; - } + x++; + if(flow->packet.payload[x] != '\0') { + while((x < flow->packet.payload_packet_len) + && (flow->packet.payload[x] != '\0')) { x++; } - x += 4; + x++; + } - if(dns_header->num_answers > 0) { - u_int16_t rsp_type; - u_int16_t num; + x += 4; - for(num = 0; num < dns_header->num_answers; num++) { - u_int16_t data_len; + if(dns_header->num_answers > 0) { + u_int16_t rsp_type; + u_int16_t num; - if((x+6) >= flow->packet.payload_packet_len) { - break; - } + for(num = 0; num < dns_header->num_answers; num++) { + u_int16_t data_len; + + if((x+6) >= flow->packet.payload_packet_len) { + break; + } - if((data_len = getNameLength(x, flow->packet.payload, flow->packet.payload_packet_len)) == 0) { - break; - } else - x += data_len; + if((data_len = getNameLength(x, flow->packet.payload, flow->packet.payload_packet_len)) == 0) { + break; + } else + x += data_len; - rsp_type = get16(&x, flow->packet.payload); - flow->protos.dns.rsp_type = rsp_type; + rsp_type = get16(&x, flow->packet.payload); + flow->protos.dns.rsp_type = rsp_type; - /* here x points to the response "class" field */ - if((x+12) <= flow->packet.payload_packet_len) { - x += 6; - data_len = get16(&x, flow->packet.payload); + /* here x points to the response "class" field */ + if((x+12) <= flow->packet.payload_packet_len) { + x += 6; + data_len = get16(&x, flow->packet.payload); - if(((x + data_len) <= flow->packet.payload_packet_len) - && (((rsp_type == 0x1) && (data_len == 4)) /* A */ + if(((x + data_len) <= 
flow->packet.payload_packet_len) + && (((rsp_type == 0x1) && (data_len == 4)) /* A */ #ifdef NDPI_DETECTION_SUPPORT_IPV6 - || ((rsp_type == 0x1c) && (data_len == 16)) /* AAAA */ + || ((rsp_type == 0x1c) && (data_len == 16)) /* AAAA */ #endif - )) { - memcpy(&flow->protos.dns.rsp_addr, flow->packet.payload + x, data_len); - } + )) { + memcpy(&flow->protos.dns.rsp_addr, flow->packet.payload + x, data_len); } - - break; } + + break; } } + + if((flow->packet.detected_protocol_stack[0] == NDPI_PROTOCOL_DNS) + || (flow->packet.detected_protocol_stack[1] == NDPI_PROTOCOL_DNS)) { + /* Request already set the protocol */ + flow->extra_packets_func = NULL; /* We're good now */ + } else { + /* We missed the request */ + u_int16_t s_port = flow->packet.udp ? ntohs(flow->packet.udp->source) : ntohs(flow->packet.tcp->source); + + ndpi_set_detected_protocol(ndpi_struct, flow, + (s_port == 5355) ? NDPI_PROTOCOL_LLMNR : NDPI_PROTOCOL_DNS, + NDPI_PROTOCOL_UNKNOWN); + } } else return(1 /* invalid */); } @@ -202,6 +216,7 @@ static int search_dns_again(struct ndpi_detection_module_struct *ndpi_struct, st if(flow->protos.dns.num_answers > 0) { /* stop extra processing */ + flow->extra_packets_func = NULL; /* We're good now */ return(0); } @@ -211,7 +226,7 @@ static int search_dns_again(struct ndpi_detection_module_struct *ndpi_struct, st /* *********************************************** */ -void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { +static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { int payload_offset; u_int8_t is_query; u_int16_t s_port = 0, d_port = 0; 
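Review bot: In the re-indented reply parsing of search_valid_dns (the function begins outside this hunk), `if(flow->packet.payload[x] != '\0')` is evaluated right after `x++` with no comparison against `flow->packet.payload_packet_len`, so a reply whose query name ends exactly at the end of the payload reads one byte past it; the guard should become `if((x < flow->packet.payload_packet_len) && (flow->packet.payload[x] != '\0'))`. The answer loop then does `x += data_len` after getNameLength() and immediately calls `get16(&x, flow->packet.payload)`, which takes no length argument, so unless getNameLength() is known to return 0 whenever the name would run past the payload, a bound such as `if((x + data_len + 2) > flow->packet.payload_packet_len) break;` is needed before the rsp_type read. These lines predate the commit, but the hunk rewrites them and keeps the unchecked reads. The new fallback that classifies a reply whose request was missed dereferences `flow->packet.tcp` whenever `flow->packet.udp` is NULL, which is only safe if this dissector can never be entered for a packet with neither header.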
@@ -290,7 +305,7 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd /* Report if this is a DNS query or reply */ flow->protos.dns.is_query = is_query; - if(is_query && (ndpi_struct->dns_dont_dissect_response == 0) && (flow->check_extra_packets == 0)) { + if(is_query) { /* In this case we say that the protocol has been detected just to let apps carry on with their activities */ ndpi_set_detected_protocol(ndpi_struct, flow, ret.app_protocol, ret.master_protocol); diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index cc27b8eb6..b73a1aeee 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c 
@@ -28,40 +28,54 @@ #include "ndpi_api.h" #include <stdlib.h> -static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - u_int16_t category) { -#ifdef DEBUG - printf("[%s] [http_dont_dissect_response: %u]->> %s\n", __FUNCTION__, - ndpi_struct->http_dont_dissect_response, flow->http.response_status_code); -#endif - - if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { - /* This is HTTP and it is not a sub protocol (e.g. skype or dropbox) */ +static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow); - ndpi_search_tcp_or_udp(ndpi_struct, flow); +/* *********************************************** */ - /* If no custom protocol has been detected */ - if(flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) { - ndpi_int_reset_protocol(flow); - flow->http_upper_protocol = flow->guessed_host_protocol_id, flow->http_lower_protocol = NDPI_PROTOCOL_HTTP; - } else - flow->http_upper_protocol = NDPI_PROTOCOL_HTTP, flow->http_lower_protocol = NDPI_PROTOCOL_UNKNOWN; +static int ndpi_search_http_tcp_again(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { + ndpi_search_http_tcp(ndpi_struct, flow); - if(ndpi_struct->http_dont_dissect_response) - ndpi_set_detected_protocol(ndpi_struct, flow, flow->http_upper_protocol, flow->http_lower_protocol); - else { - flow->detected_protocol_stack[0] = NDPI_PROTOCOL_UNKNOWN, flow->detected_protocol_stack[1] = NDPI_PROTOCOL_UNKNOWN; - flow->packet.detected_protocol_stack[0] = NDPI_PROTOCOL_UNKNOWN, flow->packet.detected_protocol_stack[1] = NDPI_PROTOCOL_UNKNOWN; - } - } else { - if((!ndpi_struct->http_dont_dissect_response) && (flow->http.response_status_code == 0)) { - flow->http_upper_protocol = flow->detected_protocol_stack[0], flow->http_lower_protocol = flow->detected_protocol_stack[1]; - flow->detected_protocol_stack[0] = NDPI_PROTOCOL_UNKNOWN, 
flow->detected_protocol_stack[1] = NDPI_PROTOCOL_UNKNOWN; - flow->packet.detected_protocol_stack[0] = NDPI_PROTOCOL_UNKNOWN, flow->packet.detected_protocol_stack[1] = NDPI_PROTOCOL_UNKNOWN; - } +#ifdef HTTP_DEBUG + printf("=> %s()\n", __FUNCTION__); +#endif + + if((flow->host_server_name[0] != '\0') && (flow->http.response_status_code != 0)) { + /* stop extra processing */ + flow->extra_packets_func = NULL; /* We're good now */ + return(0); } + /* Possibly more processing */ + return(1); +} + +/* *********************************************** */ + +static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + u_int16_t category) { +#ifdef HTTP_DEBUG + printf("=> %s()\n", __FUNCTION__); +#endif + + if(flow->extra_packets_func && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN)) + return; /* Nothing new to add */ + + /* This is HTTP and it is not a sub protocol (e.g. skype or dropbox) */ + ndpi_search_tcp_or_udp(ndpi_struct, flow); + + /* If no custom protocol has been detected */ + if(flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) { + ndpi_int_reset_protocol(flow); + ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_PROTOCOL_HTTP); + } else + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_UNKNOWN); + + /* This is necessary to inform the core to call this dissector again */ + flow->check_extra_packets = 1; + flow->max_extra_packets_to_check = 5; + flow->extra_packets_func = ndpi_search_http_tcp_again; flow->http_detected = 1, flow->guessed_category = category; } 
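Review bot: The new early return in ndpi_int_http_add_connection, `if(flow->extra_packets_func && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN)) return;`, skips the final `flow->http_detected = 1, flow->guessed_category = category;`, so a later call that carries a different `category` is silently ignored once the extra-packet callback has been armed. If that is intended the `/* Nothing new to add */` comment should say that the category is deliberately frozen; otherwise move `flow->guessed_category = category;` above the return. Every call that does get past the return also resets `flow->max_extra_packets_to_check = 5` and re-installs ndpi_search_http_tcp_again, which re-arms extra processing even if another path had cleared it; guarding the re-arm with `if(flow->extra_packets_func == NULL)` would stop the budget from being refilled on each sub-protocol hit.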
@@ -103,11 +117,6 @@ static void parseHttpSubprotocol(struct ndpi_detection_module_struct *ndpi_struc if(double_col) double_col[0] = '\0'; - /** - NOTE - If http_dont_dissect_response = 1 dissection of HTTP response - mime types won't happen - */ ndpi_match_host_subprotocol(ndpi_struct, flow, (char *)flow->host_server_name, strlen((const char *)flow->host_server_name), &ret_match, @@ -124,14 +133,10 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ struct ndpi_packet_struct *packet = &flow->packet; - if((!ndpi_struct->http_dont_dissect_response) && flow->http_detected && (flow->http.response_status_code != 0)) { - ndpi_set_detected_protocol(ndpi_struct, flow, flow->http_upper_protocol, flow->http_lower_protocol); -#ifdef DEBUG - printf("[%s] [http_dont_dissect_response: %u]->> %s\n", - __FUNCTION__, ndpi_struct->http_dont_dissect_response, flow->http.response_status_code); -#endif - return; - } + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_UNKNOWN); + + if(flow->http_detected && (flow->http.response_status_code != 0)) + return; #if defined(NDPI_PROTOCOL_1KXUN) || defined(NDPI_PROTOCOL_IQIYI) /* PPStream */ @@ -156,9 +161,6 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } #endif - /* Leave the statement below commented necessary in case of call to ndpi_get_partial_detection() */ - - /* if(!ndpi_struct->http_dont_dissect_response) */ { if((flow->http.url == NULL) && (packet->http_url_name.len > 0) && (packet->host_line.len > 0)) { @@ -207,8 +209,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ packet->content_line.len); flow->http.content_type[packet->content_line.len] = '\0'; } - } - } + } if(packet->user_agent_line.ptr != NULL && packet->user_agent_line.len != 0) { /** 
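Review bot: check_content_type_and_change_protocol now opens with an unconditional `ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_UNKNOWN);`, and the caller in ndpi_check_http_tcp invokes it immediately after ndpi_int_http_add_connection has set `(flow->guessed_host_protocol_id, NDPI_PROTOCOL_HTTP)` for a host-matched sub-protocol. If ndpi_set_detected_protocol overwrites an existing classification (the removed code saved `http_upper_protocol`/`http_lower_protocol` for exactly that reason), the sub-protocol is clobbered back to plain HTTP on every call until a later match re-derives it. Consider `if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_UNKNOWN);` so the plain-HTTP default only fills an empty slot. The function starts and ends outside this hunk.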
@@ -287,7 +288,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ packet->host_line.len, packet->host_line.ptr); /* call ndpi_match_host_subprotocol to see if there is a match with known-host HTTP subprotocol */ - if((ndpi_struct->http_dont_dissect_response) || flow->http_detected) { + if(flow->http_detected) { ndpi_protocol_match_result ret_match; ndpi_match_host_subprotocol(ndpi_struct, flow, @@ -302,6 +303,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ len = ndpi_min(packet->host_line.len, sizeof(flow->host_server_name)-1); strncpy((char*)flow->host_server_name, (char*)packet->host_line.ptr, len); flow->host_server_name[len] = '\0'; + flow->extra_packets_func = NULL; /* We're good now */ } flow->server_id = flow->dst; @@ -314,8 +316,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } } - if(!ndpi_struct->http_dont_dissect_response) - parseHttpSubprotocol(ndpi_struct, flow); + parseHttpSubprotocol(ndpi_struct, flow); /** check result of host subprotocol detection @@ -339,7 +340,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } if((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) - && ((ndpi_struct->http_dont_dissect_response) || flow->http_detected) + && (flow->http_detected) && (packet->http_origin.len > 0)) { ndpi_protocol_match_result ret_match; @@ -361,7 +362,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } #if 0 - if(!ndpi_struct->http_dont_dissect_response && flow->http_detected) + if(flow->http_detected) parseHttpSubprotocol(ndpi_struct, flow); #endif 
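Review bot: The added `flow->extra_packets_func = NULL; /* We're good now */` right after `flow->host_server_name` is filled from the Host: line disarms extra dissection on the request packet, before any response has been seen, yet the stop condition in ndpi_search_http_tcp_again requires both a host name and a non-zero `flow->http.response_status_code`. Unless the core keeps dispatching this dissector to classified flows by some other route, the response status and Content-Type will never be dissected for requests that carry a Host: header, and the `response_status_code != 0` half of that condition becomes unreachable. If the intent is to stop only once the reply has been seen, drop this line and leave the decision to ndpi_search_http_tcp_again. The enclosing function extends beyond this hunk.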
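Review bot: The Origin-header sub-protocol match guarded by `if((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) && (flow->http_detected) && (packet->http_origin.len > 0))` can no longer fire, because the same function now begins with `ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_UNKNOWN)`; assuming that call writes `flow->detected_protocol_stack[0]`, the first conjunct is always false by the time this line runs. Either drop that conjunct, leaving `if(flow->http_detected && (packet->http_origin.len > 0))` in line with the other sites this commit touched, or test that the app protocol is still plain HTTP, `(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP)`. The enclosing function starts and ends outside this hunk.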
@@ -382,7 +383,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ NDPI_LOG_DBG2(ndpi_struct, "Content Type line found %.*s\n", packet->content_line.len, packet->content_line.ptr); - if((ndpi_struct->http_dont_dissect_response) || flow->http_detected) { + if(flow->http_detected) { ndpi_protocol_match_result ret_match; ndpi_match_content_subprotocol(ndpi_struct, flow, @@ -592,6 +593,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct goto ookla_found; } +#if OBSOLETE /* Check for additional field introduced by Steam */ int x = 1; if(packet->line[x].len >= 11 && (memcmp(packet->line[x].ptr, "x-steam-sid", 11)) == 0) { @@ -612,7 +614,8 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct } x++; } - +#endif + #if defined(NDPI_PROTOCOL_1KXUN) || defined(NDPI_PROTOCOL_IQIYI) /* check PPStream protocol or iQiyi service (iqiyi is delivered by ppstream) */ @@ -681,17 +684,11 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct in 99.99% of the cases is like that. */ - if(ndpi_struct->http_dont_dissect_response) { - if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) /* No subprotocol found */ - NDPI_LOG_INFO(ndpi_struct, "found HTTP\n"); - ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); - } else { - flow->http_detected = 1; - NDPI_LOG_DBG2(ndpi_struct, - "HTTP START Found, we will look further for the response...\n"); - flow->l4.tcp.http_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 - } - + ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); + flow->http_detected = 1; + NDPI_LOG_DBG2(ndpi_struct, + "HTTP START Found, we will look further for the response...\n"); + flow->l4.tcp.http_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 check_content_type_and_change_protocol(ndpi_struct, flow); return; } 
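Review bot: `#if OBSOLETE` in ndpi_check_http_tcp disables the x-steam-sid block by relying on an undefined identifier evaluating to 0 inside a preprocessor condition; that is valid C, but `-Wundef` flags it and a future `#define OBSOLETE 1` picked up from any header would silently revive the dead code. Use `#if 0 /* x-steam-sid check retired: Steam is matched elsewhere */` or delete the block outright, since the commit already treats it as dead. The enclosing function starts and ends outside this hunk.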
@@ -799,10 +796,10 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct } } -void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; +/* ********************************* */ +static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { /* Break after 20 packets. */ if(flow->packet_counter > 20) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); @@ -810,10 +807,6 @@ void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, return; } - if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { - return; - } - NDPI_LOG_DBG(ndpi_struct, "search HTTP\n"); ndpi_check_http_tcp(ndpi_struct, flow); } @@ -850,8 +843,7 @@ char* ndpi_get_http_content_type(struct ndpi_detection_module_struct *ndpi_mod, void init_http_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, - NDPI_PROTOCOL_BITMASK *detection_bitmask) -{ + NDPI_PROTOCOL_BITMASK *detection_bitmask) { ndpi_set_bitmask_protocol_detection("HTTP",ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_HTTP, ndpi_search_http_tcp, diff --git a/src/lib/protocols/iec60870-5-104.c b/src/lib/protocols/iec60870-5-104.c index b7439f3e0..e34ca3d63 100644 --- a/src/lib/protocols/iec60870-5-104.c +++ b/src/lib/protocols/iec60870-5-104.c 
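Review bot: With the `if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) return;` guard removed and ndpi_search_http_tcp now reachable through ndpi_search_http_tcp_again, the surviving `if(flow->packet_counter > 20) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow);` runs on flows already classified as HTTP, marking HTTP excluded on a flow that is HTTP. Stop extra processing instead of excluding in that case, e.g. `if(flow->http_detected) { flow->extra_packets_func = NULL; return; }` ahead of the exclude. Whether the core still dispatches this dissector to flows classified by a different protocol now that the guard is gone depends on code outside this file; if it does, the ndpi_check_http_tcp state machine will run on them up to packet 20. The rest of ndpi_search_http_tcp is outside the hunk.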
@@ -2,7 +2,26 @@ * iec60870-5-104.c * Extension for industrial 104 protocol recognition * - * Created by Cesar HM + * Created by Cesar HM <cesar91hoyos@gmail.com> + * + * Copyright (C) 2019 - ntop.org + * + * This file is part of nDPI, an open source deep packet inspection + * library based on the OpenDPI and PACE technology by ipoque GmbH + * + * nDPI is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * nDPI is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with nDPI. If not, see <http://www.gnu.org/licenses/>. + * */ #include "ndpi_protocol_ids.h" 
@@ -21,23 +40,22 @@ void ndpi_search_104_tcp(struct ndpi_detection_module_struct *ndpi_struct, if(packet->tcp) { /* The start byte of 104 is 0x68 * The usual port: 2404 - */ - if ( packet->payload[0] == 0x68 && - ((packet->tcp->dest == iec104_port) || (packet->tcp->source == iec104_port)) ){ - NDPI_LOG_INFO(ndpi_struct, "found 104\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_104, NDPI_PROTOCOL_UNKNOWN); - return; - } + */ + if((packet->payload[0] == 0x68) && + ((packet->tcp->dest == iec104_port) || (packet->tcp->source == iec104_port)) ){ + NDPI_LOG_INFO(ndpi_struct, "found 104\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_104, NDPI_PROTOCOL_UNKNOWN); + return; } - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - + } + + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } void init_104_dissector(struct ndpi_detection_module_struct *ndpi_struct, - u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { - + u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { ndpi_set_bitmask_protocol_detection("104", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_104, ndpi_search_104_tcp, diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index cce5e0471..261f2ab28 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -32,8 +32,7 @@ extern char *strptime(const char *s, const char *format, struct tm *tm); /* #define DEBUG_TLS 1 */ - -#define DEBUG_FINGERPRINT 1 +/* #define DEBUG_FINGERPRINT 1 */ /* NOTE @@ -59,6 +58,9 @@ extern u_int8_t is_skype_flow(struct ndpi_detection_module_struct *ndpi_struct, /* stun.c */ extern u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev); +extern int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow); + /* **************************************** */ static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_struct *ndpi_struct, 
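Review bot: ndpi_search_104_tcp still reads `packet->payload[0]` before anything checks `packet->payload_packet_len`, so unless the core guarantees a non-empty payload for every packet handed to a dissector, a bare ACK on port 2404 reads one byte past a zero-length buffer; the condition should start with `(packet->payload_packet_len > 0) &&`. A single start byte plus a port is also a thin signature for an ICS protocol: the IEC 60870-5-104 APCI carries the APDU length in the second byte, so `(packet->payload_packet_len >= 2) && (packet->payload[1] == packet->payload_packet_len - 2)` would be a cheap, stronger check for segments that hold one APDU, though it would need relaxing if several APDUs can share a TCP segment. The `iec104_port` definition and the function header are above this hunk, so whether that port constant is already in network byte order cannot be confirmed here.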
@@ -94,6 +96,16 @@ static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_st /* **************************************** */ +static void sslInitExtraPacketProcessing(struct ndpi_flow_struct *flow) { + flow->check_extra_packets = 1; + + /* At most 7 packets should almost always be enough to find the server certificate if it's there */ + flow->max_extra_packets_to_check = 7; + flow->extra_packets_func = sslTryAndRetrieveServerCertificate; +} + +/* **************************************** */ + static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int32_t protocol) { if(protocol != NDPI_PROTOCOL_TLS) @@ -102,6 +114,7 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp protocol = ndpi_tls_refine_master_protocol(ndpi_struct, flow, protocol); ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_TLS); + sslInitExtraPacketProcessing(flow); } /* **************************************** */ @@ -869,7 +882,8 @@ int getSSCertificateFingerprint(struct ndpi_detection_module_struct *ndpi_struct } } } - + + flow->extra_packets_func = NULL; /* We're good now */ return(1); } @@ -1070,16 +1084,6 @@ int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi /* **************************************** */ -static void sslInitExtraPacketProcessing(struct ndpi_flow_struct *flow) { - flow->check_extra_packets = 1; - - /* At most 7 packets should almost always be enough to find the server certificate if it's there */ - flow->max_extra_packets_to_check = 7; - flow->extra_packets_func = sslTryAndRetrieveServerCertificate; -} - -/* **************************************** */ - int tlsDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int8_t skip_cert_processing) { 
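Review bot: ndpi_int_tls_add_connection now calls `sslInitExtraPacketProcessing(flow);` unconditionally after every ndpi_set_detected_protocol, which re-installs sslTryAndRetrieveServerCertificate and resets `flow->max_extra_packets_to_check = 7` even after getSSCertificateFingerprint has set `flow->extra_packets_func = NULL` (the other hunk here), so a later protocol refinement restarts certificate hunting on a flow whose certificate was already processed. Arming only when nothing has been processed yet, e.g. `if(!flow->l4.tcp.tls_srv_cert_fingerprint_processed) sslInitExtraPacketProcessing(flow);`, keeps the stop sticky; which flag is the right one depends on what sslTryAndRetrieveServerCertificate records, which is outside the hunk. getSSCertificateFingerprint itself begins outside the hunk, so it is not visible whether the `return(1)` that now clears the callback is the only success exit.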
@@ -1130,11 +1134,26 @@ int tlsDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s return(rc); } - if(((packet->tls_certificate_num_checks >= 3) - && flow->l4.tcp.seen_syn - && flow->l4.tcp.seen_syn_ack - && flow->l4.tcp.seen_ack /* We have seen the 3-way handshake */ - && flow->l4.tcp.tls_srv_cert_fingerprint_processed +#ifdef DEBUG_TLS + printf("[TLS] %s() [tls_certificate_num_checks: %u][tls_srv_cert_fingerprint_processed: %u][tls_certificate_detected: %u][%u/%u]", + __FUNCTION__, packet->tls_certificate_num_checks, flow->l4.tcp.tls_srv_cert_fingerprint_processed, + packet->tls_certificate_detected, + flow->l4.tcp.tls_seen_client_cert, + flow->l4.tcp.tls_seen_server_cert + ); +#endif + + + if(((packet->tls_certificate_num_checks >= 1) +#if 0 + && (flow->l4.tcp.seen_syn /* User || to be tolerant */ + || flow->l4.tcp.seen_syn_ack + || flow->l4.tcp.seen_ack /* We have seen the 3-way handshake */) +#endif + && (flow->l4.tcp.tls_srv_cert_fingerprint_processed + || flow->l4.tcp.tls_seen_client_cert + || flow->l4.tcp.tls_seen_server_cert + || packet->tls_certificate_detected) ) /* || ((flow->l4.tcp.tls_seen_certificate == 1) @@ -1228,7 +1247,12 @@ static void tls_mark_and_payload_search(struct ndpi_detection_module_struct if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { NDPI_LOG_DBG(ndpi_struct, "found ssl connection\n"); tlsDetectProtocolFromCertificate(ndpi_struct, flow, skip_cert_processing); - + +#ifdef DEBUG_TLS + printf("[TLS] %s() [tls_seen_client_cert: %u][tls_seen_server_cert: %u]\n", __FUNCTION__, + flow->l4.tcp.tls_seen_client_cert, flow->l4.tcp.tls_seen_server_cert); +#endif + if(!packet->tls_certificate_detected && (!(flow->l4.tcp.tls_seen_client_cert && flow->l4.tcp.tls_seen_server_cert))) { /* SSL without certificate (Skype, Ultrasurf?) */ 
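Review bot: The relaxed condition in tlsDetectProtocolFromCertificate lowers `tls_certificate_num_checks` from 3 to 1 and moves the three-way-handshake requirement into `#if 0`, so a flow is now classified from the first packet that shows any of the certificate flags, without evidence that the TCP session was observed from its start; for a classifier that feeds policy decisions, a mid-stream or injected segment is easier to get accepted this way, and that trade-off deserves a comment rather than dead code. Either delete the `#if 0` block or keep it as a real option, and fix `/* User || to be tolerant */`, which presumably means `Use ||`. The debug `printf` added just above also lacks a trailing `\n`, so its output runs into the next line. The function starts and ends outside this hunk.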
@@ -1354,6 +1378,10 @@ void ndpi_search_tls_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_packet_struct *packet = &flow->packet; u_int8_t ret, skip_cert_processing = 0; +#ifdef DEBUG_TLS + printf("%s()\n", __FUNCTION__); +#endif + if(packet->udp != NULL) { /* DTLS dissector */ int rc = sslTryAndRetrieveServerCertificate(ndpi_struct, flow); |