authorLuca Deri <deri@ntop.org>2019-09-15 12:18:24 +0200
committerLuca Deri <deri@ntop.org>2019-09-15 12:18:24 +0200
commit11e9fd8cef7a1f70db9f864206a6ac9980ee100e (patch)
tree750ce6ebda5f99fe029cecc197f7fe1316cc2f69 /src/lib
parent2b0945b88dc30430e2e40bd422fffc92308147c0 (diff)
As the TLS certificate fingerprint is now computed, the "TLS without certificate" protocol has been removed
Various improvements in detection quality
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/ndpi_main.c20
-rw-r--r--src/lib/protocols/tls.c34
2 files changed, 28 insertions, 26 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index d456cdada..3b28ae7c3 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1118,10 +1118,9 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- custom_master[0] = NDPI_PROTOCOL_TLS, custom_master[1] = NDPI_PROTOCOL_UNKNOWN;
- ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TLS_NO_CERT,
- 1 /* can_have_a_subprotocol */, custom_master,
- no_master, "TLS_No_Cert", NDPI_PROTOCOL_CATEGORY_WEB,
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_FREE_64,
+ 0 /* can_have_a_subprotocol */, no_master,
+ no_master, "Free64", NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_UNSAFE, NDPI_PROTOCOL_IRC,
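Review bot: The freed slot is re-registered on L29-L31 as "Free64" with breed NDPI_PROTOCOL_FUN and category NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, so any flow that still ends up with that numeric id (a serialized flow, an old config, or a consumer that has not dropped NDPI_PROTOCOL_TLS_NO_CERT) would be reported as a fun/file-transfer protocol. A placeholder should carry the most neutral breed and category the enums offer, matching however the other free slots are declared in this function (not visible in the hunk). A short comment would also save the next reader a git blame: `/* Former NDPI_PROTOCOL_TLS_NO_CERT: removed now that TLS certificate fingerprinting covers it */`.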
@@ -1262,10 +1261,9 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- custom_master[0] = NDPI_PROTOCOL_TLS_NO_CERT, custom_master[1] = NDPI_PROTOCOL_UNKNOWN;
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_TLS,
1 /* can_have_a_subprotocol */, no_master,
- custom_master, "TLS", NDPI_PROTOCOL_CATEGORY_WEB,
+ no_master, "TLS", NDPI_PROTOCOL_CATEGORY_WEB,
ndpi_build_default_ports(ports_a, 443, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SSH,
@@ -4071,7 +4069,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
if((flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN)
&& (flow->packet.l4_protocol == IPPROTO_TCP)
&& (flow->l4.tcp.tls_stage > 1))
- flow->guessed_protocol_id = NDPI_PROTOCOL_TLS_NO_CERT;
+ flow->guessed_protocol_id = NDPI_PROTOCOL_TLS;
guessed_protocol_id = flow->guessed_protocol_id, guessed_host_protocol_id = flow->guessed_host_protocol_id;
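Review bot: The giveup guess on L51 now labels a flow NDPI_PROTOCOL_TLS, registered on L39 with breed NDPI_PROTOCOL_SAFE, on the strength of `tls_stage > 1` alone, whereas the removed NDPI_PROTOCOL_TLS_NO_CERT carried the weaker NDPI_PROTOCOL_ACCEPTABLE (L26). A consumer can therefore no longer tell a TLS flow whose handshake and certificate were actually parsed from one merely guessed at giveup, and the guessed one inherits the stronger breed. If the result does not already expose a guessed/detected distinction elsewhere, consider recording it on the flow so reporting layers can downgrade the guessed case. The enclosing function continues outside the hunk.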
@@ -4484,6 +4482,9 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
flow->num_processed_pkts++;
+ /* Init default */
+ ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0];
+
if(flow->server_id == NULL) flow->server_id = dst; /* Default */
if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) {
/*
@@ -4492,13 +4493,10 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
*/
if(flow->check_extra_packets
/*
- && ((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS)
- || (flow->detected_protocol_stack[1] == NDPI_PROTOCOL_TLS))
+ && (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS)
*/
) {
ndpi_process_extra_packet(ndpi_struct, flow, packet, packetlen, current_tick_l, src, dst);
- if(flow->check_extra_packets == 0)
- ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0];
return(ret);
} else
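Review bot: `ret` is now snapshotted from `detected_protocol_stack` on L56, before `ndpi_process_extra_packet()` runs on L70, so the `return(ret)` on L73 reports the pre-refinement protocols for the very packet that completes extra processing; the removed L71-L72 re-read the stack after the call. If the extra-packet dissector can update the stack (the TLS certificate path presumably does), re-read it after L70: `ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0];`. Separately, L67 edits a condition that lives inside a `/* */` comment; commented-out code should be deleted rather than maintained. The function continues outside the hunk.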
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 991b0be44..4ecbee651 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -65,19 +65,11 @@ static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_st
struct ndpi_flow_struct *flow, u_int32_t protocol) {
struct ndpi_packet_struct *packet = &flow->packet;
- if(((flow->l4.tcp.tls_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.ja3_client[0] != '\0'))
- || ((flow->l4.tcp.tls_seen_server_cert == 1) && (flow->protos.stun_ssl.ssl.ja3_server[0] != '\0'))
- // || (flow->host_server_name[0] != '\0')
- )
- protocol = NDPI_PROTOCOL_TLS;
- else
- protocol = NDPI_PROTOCOL_TLS_NO_CERT;
+ protocol = NDPI_PROTOCOL_TLS;
if(packet->tcp != NULL) {
switch(protocol) {
-
case NDPI_PROTOCOL_TLS:
- case NDPI_PROTOCOL_TLS_NO_CERT:
{
/*
In case of SSL there are probably sub-protocols
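Review bot: With L89 assigning `protocol = NDPI_PROTOCOL_TLS` unconditionally, the `protocol` parameter of ndpi_tls_refine_master_protocol is dead on entry and the `switch(protocol)` on L91 has exactly one reachable case, so the switch can become the plain body of `if(packet->tcp != NULL)`. The certificate/JA3 checks that were removed were the whole decision this function used to make, which is worth stating for the next reader: `/* Certificate presence no longer changes the master protocol; only the TCP sub-protocol refinement below remains. */`. The function body continues past the hunk.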
@@ -104,9 +96,9 @@ static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_st
static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow, u_int32_t protocol) {
- if((protocol != NDPI_PROTOCOL_TLS) && (protocol != NDPI_PROTOCOL_TLS_NO_CERT)) {
+ if(protocol != NDPI_PROTOCOL_TLS)
;
- } else
+ else
protocol = ndpi_tls_refine_master_protocol(ndpi_struct, flow, protocol);
ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_TLS);
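Review bot: The empty-statement form on L102-L103 (`if(protocol != NDPI_PROTOCOL_TLS) ;` followed by `else`) reads like a stray-semicolon bug and will trip warnings such as -Wempty-body. Write the positive condition instead: `if(protocol == NDPI_PROTOCOL_TLS) protocol = ndpi_tls_refine_master_protocol(ndpi_struct, flow, protocol);`.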
@@ -763,13 +755,23 @@ int getSSCertificateFingerprint(struct ndpi_detection_module_struct *ndpi_struct
return(1); /* More packets please */
}
}
+
+ if(packet->payload[flow->l4.tcp.tls_record_offset] == 0x15 /* Alert */) {
+ u_int len = ntohs(*(u_int16_t*)&packet->payload[flow->l4.tcp.tls_record_offset+3]) + 5 /* SSL header len */;
+
+ if(len < 10 /* Sanity check */) {
+ if((flow->l4.tcp.tls_record_offset+len) < packet->payload_packet_len)
+ flow->l4.tcp.tls_record_offset += len;
+ } else
+ goto invalid_len;
+ }
multiple_messages = (packet->payload[flow->l4.tcp.tls_record_offset] == 0x16 /* Handshake */) ? 0 : 1;
#ifdef DEBUG_TLS
printf("=>> [TLS] [multiple_messages: %d]\n", multiple_messages);
#endif
-
+
if((!multiple_messages) && (packet->payload[flow->l4.tcp.tls_record_offset] != 0x16 /* Handshake */))
return(1);
else if(((!multiple_messages) && (packet->payload[flow->l4.tcp.tls_record_offset+5] == 0xb) /* Certificate */)
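Review bot: The Alert-record skip on L113-L114 reads `payload[tls_record_offset]` and a 16-bit length at `tls_record_offset+3` without first checking that a full 5-byte record header fits within `payload_packet_len`, so a truncated or crafted segment whose record starts near the end of the payload is read out of bounds (the `payload[...+5]` read on L130 has the same exposure and needs `offset+6 <= payload_packet_len`). The `*(u_int16_t*)` cast on L114 is also an unaligned, aliasing-violating access on a byte buffer; assemble the length from the two bytes instead. The bound on L117 only guards the offset advance, not the reads before it, and the lines preceding the hunk are not visible, so an earlier header check may exist — if so the guard below is merely redundant. It reuses the "more packets" convention from L109.
```c
  /* Need the full 5-byte record header before reading type and length */
  if((flow->l4.tcp.tls_record_offset + 5) > packet->payload_packet_len)
    return(1); /* More packets please */

  if(packet->payload[flow->l4.tcp.tls_record_offset] == 0x15 /* Alert */) {
    u_int len = ((packet->payload[flow->l4.tcp.tls_record_offset+3] << 8)
		 | packet->payload[flow->l4.tcp.tls_record_offset+4]) + 5 /* SSL header len */;
    /* … unchanged: sanity check, offset advance, goto invalid_len … */
  }
```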
@@ -809,6 +811,7 @@ int getSSCertificateFingerprint(struct ndpi_detection_module_struct *ndpi_struct
#endif
if(len > 4096) {
+ invalid_len:
/* This looks an invalid len: we giveup */
flow->l4.tcp.tls_record_offset = 0, flow->l4.tcp.tls_srv_cert_fingerprint_processed = 1;
#ifdef DEBUG_TLS
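Review bot: The `invalid_len:` label on L134 sits inside the body of `if(len > 4096)`, so the `goto invalid_len` from the Alert branch jumps into the middle of a conditional block; legal C, but it hides the give-up path from anyone reading the `if` top-down. Moving the give-up (offset reset plus `tls_srv_cert_fingerprint_processed = 1`) into a small `static` helper called from both sites, or hoisting the label out of the block, keeps the control flow visible. The DEBUG_TLS message that follows presumably names the 4096 check and will now also fire for the Alert-length case; the enclosing function continues outside the hunk.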
@@ -1007,8 +1010,9 @@ int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi
if(((packet->tls_certificate_num_checks >= 3)
&& (flow->l4.tcp.seen_syn)
&& (flow->l4.tcp.seen_syn_ack)
- && (flow->l4.tcp.seen_ack) /* We have seen the 3-way handshake */)
- || (flow->protos.stun_ssl.ssl.ja3_server[0] != '\0')
+ && (flow->l4.tcp.seen_ack) /* We have seen the 3-way handshake */
+ && flow->l4.tcp.tls_srv_cert_fingerprint_processed)
+ /* || (flow->protos.stun_ssl.ssl.ja3_server[0] != '\0') */
) {
/* We're done processing extra packets since we've probably checked all possible cert packets */
return(rc);
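Review bot: The termination test on L139-L145 now also requires `tls_srv_cert_fingerprint_processed`, and the alternative exit on ja3_server (L146) is commented out, so a flow whose server certificate never appears in clear keeps taking the extra-packet path until some cap not visible in this hunk stops it. Confirm that an upper bound on extra packets or on `tls_certificate_num_checks` exists elsewhere; otherwise this is a per-flow deep-inspection cost that a peer can sustain cheaply by never sending a certificate. The commented-out condition on L146 should be removed rather than kept, or if it is deliberately retained, replaced by a comment stating why: `/* ja3_server alone is no longer sufficient: the certificate fingerprint must be processed too */`. The function continues outside the hunk.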
@@ -1188,7 +1192,7 @@ static void tls_mark_and_payload_search(struct ndpi_detection_module_struct
&& (!(flow->l4.tcp.tls_seen_client_cert && flow->l4.tcp.tls_seen_server_cert))) {
/* SSL without certificate (Skype, Ultrasurf?) */
NDPI_LOG_INFO(ndpi_struct, "found ssl NO_CERT\n");
- ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS_NO_CERT);
+ ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
} else if((packet->tls_certificate_num_checks >= 3)
&& flow->l4.tcp.tls_srv_cert_fingerprint_processed) {
NDPI_LOG_INFO(ndpi_struct, "found ssl\n");
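Review bot: The log on L153 still says "found ssl NO_CERT" while L155 now classifies the flow as plain NDPI_PROTOCOL_TLS, so the message and the result disagree; change it to `NDPI_LOG_INFO(ndpi_struct, "found ssl (no certificate seen)\n");` or drop it. More importantly, the condition on L151 still identifies a TLS session in which neither a client nor a server certificate was seen, the "Skype, Ultrasurf?" case named in the comment, and once that collapses into NDPI_PROTOCOL_TLS nothing in the result records it; that absence was a useful signal for consumers. If the flow struct has room, set a flag at this point (a name fitting the struct's conventions) so reporting layers can still surface "TLS without certificate". The function continues outside the hunk.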