Merge remote-tracking branch 'upstream/dev' into dev

6 files changed, 209 insertions, 40 deletions

diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c
index e33f0c7dc..bea7622a0 100644
--- a/src/lib/protocols/bittorrent.c
+++ b/src/lib/protocols/bittorrent.c
@@ -376,19 +376,32 @@ static void ndpi_int_search_bittorrent_tcp(struct ndpi_detection_module_struct *
   return;
 }
 
+static u_int8_t is_port(u_int16_t a, u_int16_t b, u_int16_t what) {
+  return(((what == a) || (what == b)) ? 1 : 0);
+}
+  
 void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
 {
   struct ndpi_packet_struct *packet = &flow->packet;
   char *bt_proto = NULL;
 
   /* This is broadcast */
-  if(packet->iph
-     && (((packet->iph->saddr == 0xFFFFFFFF) || (packet->iph->daddr == 0xFFFFFFFF))
-	 || (packet->udp
-	     && ((ntohs(packet->udp->source) == 3544) /* teredo.c */
-		 || (ntohs(packet->udp->dest) == 3544))))) {
-    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-    return;
+  if(packet->iph) {
+
+    if((packet->iph->saddr == 0xFFFFFFFF) || (packet->iph->daddr == 0xFFFFFFFF))
+      goto exclude_bt;
+
+    
+    if(packet->udp) {
+      u_int16_t sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest);
+
+      if(is_port(sport, dport, 3544) /* teredo */
+	 || is_port(sport, dport, 5246) || is_port(sport, dport, 5247)/* CAPWAP */) {
+      exclude_bt:
+	NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+	return;
+      }
+    }
   }
 
   if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_BITTORRENT) {
@@ -397,8 +410,8 @@ void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, st
     if((packet->tcp != NULL)
 	&& (packet->tcp_retransmission == 0 || packet->num_retried_bytes)) {
       ndpi_int_search_bittorrent_tcp(ndpi_struct, flow);
-    }
-    else if(packet->udp != NULL) {
+    } else if(packet->udp != NULL) {
+      /* UDP */
       char *bt_search = "BT-SEARCH * HTTP/1.1\r\n";
 
       if((ntohs(packet->udp->source) < 1024)
diff --git a/src/lib/protocols/capwap.c b/src/lib/protocols/capwap.c
new file mode 100644
index 000000000..bfad1a593
--- /dev/null
+++ b/src/lib/protocols/capwap.c
@@ -0,0 +1,123 @@
+/*
+ * capwap.c
+ *
+ * Copyright (C) 2019 - ntop.org
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+
+#include "ndpi_protocol_ids.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_CAPWAP
+
+#include "ndpi_api.h"
+
+#define NDPI_CAPWAP_CONTROL_PORT 5246
+#define NDPI_CAPWAP_DATA_PORT    5247
+
+
+static void ndpi_int_capwap_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
+					   struct ndpi_flow_struct *flow) {
+  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CAPWAP, NDPI_PROTOCOL_UNKNOWN);
+}
+
+/* ************************************************** */
+
+static void ndpi_search_setup_capwap(struct ndpi_detection_module_struct *ndpi_struct,
+				     struct ndpi_flow_struct *flow) {
+  struct ndpi_packet_struct *packet = &flow->packet;
+  u_int16_t sport, dport;
+   
+  if(!packet->iph) {
+    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+    return;
+  }
+
+  sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest);
+  
+  if((dport == NDPI_CAPWAP_CONTROL_PORT)
+     && (packet->iph->daddr == 0xFFFFFFFF)
+     && (packet->payload_packet_len >= 16)
+     && (packet->payload[0] == 0x0)
+     && (packet->payload[8] == 6 /* Mac len */)
+     )
+    goto capwap_found;
+  
+  if(((sport == NDPI_CAPWAP_CONTROL_PORT) || (dport == NDPI_CAPWAP_CONTROL_PORT))
+     && ((packet->payload[0] == 0x0) || (packet->payload[0] == 0x1))
+     ) {
+    u_int16_t msg_len, offset, to_add;
+
+    if(packet->payload[0] == 0x0)
+      offset = 13, to_add = 13;
+    else
+      offset = 15, to_add = 17;
+
+    msg_len = ntohs(*(u_int16_t*)&packet->payload[offset]);
+
+    if((msg_len+to_add) == packet->payload_packet_len)
+      goto capwap_found;
+  }
+  
+  if(
+     (((dport == NDPI_CAPWAP_DATA_PORT) && (packet->iph->daddr != 0xFFFFFFFF)) || (sport == NDPI_CAPWAP_DATA_PORT))
+     && (packet->payload_packet_len >= 16)
+     && (packet->payload[0] == 0x0)
+     ) {
+    u_int8_t is_80211_data = (packet->payload[9] & 0x0C) >> 2;
+
+      
+    if((sport == NDPI_CAPWAP_DATA_PORT) && (is_80211_data == 2 /* IEEE 802.11 Data */))
+      goto capwap_found;
+    else if(dport == NDPI_CAPWAP_DATA_PORT) {
+      u_int16_t msg_len = ntohs(*(u_int16_t*)&packet->payload[13]);
+      
+      if((packet->payload[8] == 1 /* Mac len */)
+	 || (packet->payload[8] == 6 /* Mac len */)
+	 || (packet->payload[8] == 4 /* Wireless len */)
+	 || ((msg_len+15) == packet->payload_packet_len))
+	goto capwap_found;	 
+    }
+  }
+  
+  NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+  return;
+
+ capwap_found:
+  ndpi_int_capwap_add_connection(ndpi_struct, flow);
+}
+
+void ndpi_search_capwap(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
+{
+  struct ndpi_packet_struct *packet = &flow->packet;
+
+  if(packet->udp && (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN))
+    ndpi_search_setup_capwap(ndpi_struct, flow);
+}
+
+
+void init_capwap_dissector(struct ndpi_detection_module_struct *ndpi_struct,
+			   u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+{
+  ndpi_set_bitmask_protocol_detection("CAPWAP", ndpi_struct, detection_bitmask, *id,
+				      NDPI_PROTOCOL_CAPWAP,
+				      ndpi_search_capwap,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+				      ADD_TO_DETECTION_BITMASK);
+
+  *id += 1;
+}
diff --git a/src/lib/protocols/kerberos.c b/src/lib/protocols/kerberos.c
index fa73ab0ae..b7fcfb61d 100644
--- a/src/lib/protocols/kerberos.c
+++ b/src/lib/protocols/kerberos.c
@@ -63,8 +63,8 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct,
 	      u_int realm_len, realm_offset = cname_len + name_offset + 4, i;
 	      char cname_str[24];
 
-	      if(cname_len >= sizeof(cname_str))
-		cname_len = sizeof(cname_str);
+	      if(cname_len > sizeof(cname_str)-1)
+		cname_len = sizeof(cname_str)-1;
 
 	      strncpy(cname_str, (char*)&packet->payload[name_offset+1], cname_len);
 	      cname_str[cname_len] = '\0';
diff --git a/src/lib/protocols/skype.c b/src/lib/protocols/skype.c
index 8ada5d997..e758fd5b8 100644
--- a/src/lib/protocols/skype.c
+++ b/src/lib/protocols/skype.c
@@ -32,11 +32,17 @@ static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, s
   // const u_int8_t *packet_payload = packet->payload;
   u_int32_t payload_len = packet->payload_packet_len;
 
-  if(flow->host_server_name[0] != '\0')
+  /* No need to do ntohl() with 0xFFFFFFFF */
+  if(packet->iph && (packet->iph->daddr == 0xFFFFFFFF /* 255.255.255.255 */)) {
+    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
     return;
+  }
 
+  if(flow->host_server_name[0] != '\0')
+    return;
+  
   // UDP check
-  if(packet->udp != NULL) {
+  if(packet->udp != NULL) {    
     flow->l4.udp.skype_packet_id++;
 
     if(flow->l4.udp.skype_packet_id < 5) {
@@ -52,6 +58,7 @@ static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, s
 	if(((payload_len == 3) && ((packet->payload[2] & 0x0F)== 0x0d)) ||
 	   ((payload_len >= 16)
 	    && (packet->payload[0] != 0x30) /* Avoid invalid SNMP detection */
+	    && (packet->payload[0] != 0x0)  /* Avoid invalid CAPWAP detection */
 	    && (packet->payload[2] == 0x02))) {
 
 	  if(is_port(sport, dport, 8801))
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index 448062f47..e95965f6b 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -38,7 +38,6 @@ struct stun_packet_header {
   u_int8_t  transaction_id[8];
 };
 
-
 /* ************************************************************ */
 
 u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev) {
@@ -147,9 +146,15 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
   int rc;
   
   /* STUN over TCP does not look good */
-  if (flow->packet.tcp)
+  if(flow->packet.tcp)
     return(NDPI_IS_NOT_STUN);
 
+  /* No need to do ntohl() with 0xFFFFFFFF */
+  if(flow->packet.iph && (flow->packet.iph->daddr == 0xFFFFFFFF /* 255.255.255.255 */)) {
+    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+    return(NDPI_IS_NOT_STUN);;
+  }
+
   if(payload_length >= 512) {
     return(NDPI_IS_NOT_STUN);
   } else if(payload_length < sizeof(struct stun_packet_header)) {
@@ -174,7 +179,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
     return(NDPI_IS_NOT_STUN);  
   
   /* https://www.iana.org/assignments/stun-parameters/stun-parameters.xhtml */
-  if ((msg_type & 0x3EEF) > 0x000B && msg_type != 0x0800) {
+  if((msg_type & 0x3EEF) > 0x000B && msg_type != 0x0800) {
 #ifdef DEBUG_STUN
     printf("[STUN] msg_type = %04X\n", msg_type);
 #endif
@@ -184,7 +189,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
      as this was a flow that started as STUN and turned into something
      else. Let's investigate what is that about
      */
-    if (payload[0] == 0x16) {
+    if(payload[0] == 0x16) {
       /* Let's check if this is DTLS used by some socials */
       struct ndpi_packet_struct *packet = &flow->packet;
       u_int16_t total_len, version = htons(*((u_int16_t*) &packet->payload[1]));
@@ -194,7 +199,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
         case 0xFEFD: /* DTLS 1.2 */
           total_len = ntohs(*((u_int16_t*) &packet->payload[11])) + 13;
 
-          if (payload_length == total_len) {
+          if(payload_length == total_len) {
             /* This is DTLS and the only protocol we know behaves like this is signal */
             flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL;
             return(NDPI_IS_STUN);
@@ -212,7 +217,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
     printf("[STUN] Here we go\n");;
 #endif
 
-  if (ndpi_struct->stun_cache) {
+  if(ndpi_struct->stun_cache) {
     u_int16_t proto;
     u_int32_t key = get_stun_lru_key(flow, 0);
     int rc = ndpi_lru_find_cache(ndpi_struct->stun_cache, key, &proto,
@@ -222,7 +227,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
     printf("[LRU] Searching %u\n", key);
 #endif
 
-    if (!rc) {
+    if(!rc) {
       key = get_stun_lru_key(flow, 1);
       rc = ndpi_lru_find_cache(ndpi_struct->stun_cache, key, &proto,
                                0 /* Don't remove it as it can be used for other connections */);
@@ -232,7 +237,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
 #endif
     }
 
-    if (rc) {
+    if(rc) {
 #ifdef DEBUG_LRU
       printf("[LRU] Cache FOUND %u / %u\n", key, proto);
 #endif
@@ -253,18 +258,18 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
   if(msg_type == 0x01 /* Binding Request */) {
     flow->protos.stun_ssl.stun.num_binding_requests++;
 
-    if (!msg_len && flow->guessed_host_protocol_id == NDPI_PROTOCOL_GOOGLE)
+    if(!msg_len && flow->guessed_host_protocol_id == NDPI_PROTOCOL_GOOGLE)
       flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
     else
       flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
 
-    if (!msg_len) {
+    if(!msg_len) {
       /* flow->protos.stun_ssl.stun.num_udp_pkts++; */
       return(NDPI_IS_NOT_STUN); /* This to keep analyzing STUN instead of giving up */
     }
   }
 
-  if (!msg_len && flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN) {
+  if(!msg_len && flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN) {
     NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
     return(NDPI_IS_NOT_STUN);
   }
@@ -280,7 +285,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
     return(NDPI_IS_STUN); /* This is WhatsApp Call */
   }
 
-  if (payload[0] != 0x80 && (msg_len + 20) > payload_length)
+  if(payload[0] != 0x80 && (msg_len + 20) > payload_length)
     return(NDPI_IS_NOT_STUN);
   else {
     switch(flow->guessed_protocol_id) {
@@ -296,8 +301,8 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
     }
   }
 
-  if (payload_length == (msg_len+20)) {
-    if ((msg_type & 0x3EEF) <= 0x000B) /* http://www.3cx.com/blog/voip-howto/stun-details/ */ {
+  if(payload_length == (msg_len+20)) {
+    if((msg_type & 0x3EEF) <= 0x000B) /* http://www.3cx.com/blog/voip-howto/stun-details/ */ {
       u_int offset = 20;
 
       /*
@@ -314,7 +319,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
         u_int16_t len = ntohs(*((u_int16_t*)&payload[offset+2]));
         u_int16_t x = (len + 4) % 4;
 
-        if (x)
+        if(x)
           len += 4-x;
 
 #ifdef DEBUG_STUN
@@ -352,10 +357,10 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
             printf("==> [%s]\n", flow->host_server_name);
 #endif
 
-            if (strstr((char*) flow->host_server_name, "google.com") != NULL) {
+            if(strstr((char*) flow->host_server_name, "google.com") != NULL) {
                 flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
                 return(NDPI_IS_STUN);
-            } else if (strstr((char*) flow->host_server_name, "whispersystems.org") != NULL) {
+            } else if(strstr((char*) flow->host_server_name, "whispersystems.org") != NULL) {
               flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL;
               return(NDPI_IS_STUN);
             }
@@ -364,8 +369,8 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
         break;
 
         case 0xC057: /* Messeger */
-          if (msg_type == 0x0001) {
-            if ((msg_len == 100) || (msg_len == 104)) {
+          if(msg_type == 0x0001) {
+            if((msg_len == 100) || (msg_len == 104)) {
               flow->guessed_host_protocol_id = NDPI_PROTOCOL_MESSENGER;
               return(NDPI_IS_STUN);
             } else if(msg_len == 76) {
@@ -416,7 +421,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
           break;
 
         case 0x8070: /* Implementation Version */
-          if (len == 4 && ((offset+7) < payload_length)
+          if(len == 4 && ((offset+7) < payload_length)
              && (payload[offset+4] == 0x00) && (payload[offset+5] == 0x00) && (payload[offset+6] == 0x00) &&
              ((payload[offset+7] == 0x02) || (payload[offset+7] == 0x03))) {
 #ifdef DEBUG_STUN
@@ -450,7 +455,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
     }
   }
 
-  if ((flow->protos.stun_ssl.stun.num_udp_pkts > 0) && (msg_type <= 0x00FF)) {
+  if((flow->protos.stun_ssl.stun.num_udp_pkts > 0) && (msg_type <= 0x00FF)) {
     flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
     return(NDPI_IS_STUN);
   } else
@@ -507,7 +512,7 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n
   if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload,
 			 packet->payload_packet_len) == NDPI_IS_STUN) {
   udp_stun_match:
-    if (flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN)
+    if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN)
       flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
 
     if(flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN) {
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 261f2ab28..c65d4fc69 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -67,7 +67,7 @@ static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_st
 						 struct ndpi_flow_struct *flow, u_int32_t protocol) {
   struct ndpi_packet_struct *packet = &flow->packet;
 
-  protocol = NDPI_PROTOCOL_TLS;
+  // protocol = NDPI_PROTOCOL_TLS;
 
   if(packet->tcp != NULL) {
     switch(protocol) {
@@ -424,9 +424,25 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct,
 
 	      if(num_dots >= 1) {
 		if(!ndpi_struct->disable_metadata_export) {
+		  ndpi_protocol_match_result ret_match;
+		  u_int16_t subproto;
+		  
 		  stripCertificateTrailer(buffer, buffer_len);
 		  snprintf(flow->protos.stun_ssl.ssl.server_certificate,
 			   sizeof(flow->protos.stun_ssl.ssl.server_certificate), "%s", buffer);
+		  
+#ifdef DEBUG_TLS
+		  printf("[server_certificate: %s]\n", flow->protos.stun_ssl.ssl.server_certificate);
+#endif
+		  
+		  subproto = ndpi_match_host_subprotocol(ndpi_struct, flow,
+							 flow->protos.stun_ssl.ssl.server_certificate,
+							 strlen(flow->protos.stun_ssl.ssl.server_certificate),
+							 &ret_match,
+							 NDPI_PROTOCOL_TLS);
+
+		  if(subproto != NDPI_PROTOCOL_UNKNOWN)
+		    ndpi_set_detected_protocol(ndpi_struct, flow, subproto, NDPI_PROTOCOL_TLS);
 		}
 
 		return(1 /* Server Certificate */);
@@ -1111,11 +1127,16 @@ int tlsDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s
 	NDPI_LOG_DBG2(ndpi_struct, "***** [SSL] %s\n", certificate);
 #endif
 	ndpi_protocol_match_result ret_match;
-	u_int16_t subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, certificate,
-							 strlen(certificate),
-							 &ret_match,
-							 NDPI_PROTOCOL_TLS);
+	u_int16_t subproto;
 
+	if(certificate[0] == '\0')
+	  subproto = NDPI_PROTOCOL_UNKNOWN;
+	else
+	  subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, certificate,
+						 strlen(certificate),
+						 &ret_match,
+						 NDPI_PROTOCOL_TLS);
+	
 	if(subproto != NDPI_PROTOCOL_UNKNOWN) {
 	  /* If we've detected the subprotocol from client certificate but haven't had a chance
 	   * to see the server certificate yet, set up extra packet processing to wait