author | Toni <matzeton@googlemail.com> | 2021-07-23 10:37:20 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-07-23 10:37:20 +0200 |
commit | 6ad0d6666c5744713caa4eec4d43652680aaecab (patch) | |
tree | ce8aa34398d2afe94d3d999d1b4577bd659da99f /src/lib | |
parent | 8ea8ba8e9b52620989d515f0762be3ec906d4c30 (diff) |
Implemented function to retrieve flow information. #1253 (#1254)
* fixed [h]euristic typo
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/ndpi_utils.c | 35 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 26 |
2 files changed, 48 insertions, 13 deletions
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index ab546403e..7158bd786 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -846,6 +846,41 @@ int ndpi_has_human_readeable_string(struct ndpi_detection_module_struct *ndpi_st /* ********************************** */ +static const char* ndpi_get_flow_info_by_proto_id(struct ndpi_flow_struct const * const flow, + u_int16_t proto_id) +{ + switch (proto_id) + { + case NDPI_PROTOCOL_DNS: + case NDPI_PROTOCOL_HTTP: + return (char const *)flow->host_server_name; + case NDPI_PROTOCOL_QUIC: + case NDPI_PROTOCOL_TLS: + if (flow->l4.tcp.tls.hello_processed != 0) + { + return flow->protos.tls_quic_stun.tls_quic.client_requested_server_name; + } + break; + } + + return NULL; +} + +const char* ndpi_get_flow_info(struct ndpi_flow_struct const * const flow, + ndpi_protocol const * const l7_protocol) +{ + char const * const app_protocol_info = ndpi_get_flow_info_by_proto_id(flow, l7_protocol->app_protocol); + + if (app_protocol_info != NULL) + { + return app_protocol_info; + } + + return ndpi_get_flow_info_by_proto_id(flow, l7_protocol->master_protocol); +} + +/* ********************************** */ + char* ndpi_ssl_version2str(struct ndpi_flow_struct *flow, u_int16_t version, u_int8_t *unknown_tls_version) { diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index b0730a1c3..752c4b780 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c 
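Review bot: In `ndpi_get_flow_info_by_proto_id` the `NDPI_PROTOCOL_QUIC` label falls into the TLS guard `flow->l4.tcp.tls.hello_processed != 0`, which reads TCP-side state although QUIC is carried over UDP. The flow struct is not visible in this hunk, but if `l4` overlays TCP and UDP state the test reads unrelated bytes for QUIC flows, so the function can return a server name that was never filled in or hide one that was. Give QUIC its own case with a guard that is valid for UDP flows, or at least put `/* hello_processed is TCP state: confirm it is meaningful for QUIC flows */` above the check. `ndpi_get_flow_info` is also a new public entry point that dereferences `flow` and `l7_protocol` unchecked and hands back a pointer into the flow, so a header comment such as `/* Returns text owned by flow (presumably parsed from traffic, treat as untrusted); NULL if none; invalid once the flow is freed */` would tell callers how to handle it.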
@@ -1593,12 +1593,12 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, this is time consuming and we want to avoid overhead whem possible */ if(this_is_not_safari) - flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls = 0; + flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 0; else if((safari_ciphers == 12) || (this_is_not_safari && looks_like_safari_on_big_sur)) - flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls = 1; + flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 1; if(chrome_ciphers == 13) - flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_chrome_tls = 1; + flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls = 1; /* Note that both Safari and Chrome can overlap */ #ifdef DEBUG_HEURISTIC @@ -1865,7 +1865,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, #endif switch(signature_algo) { case ECDSA_SECP521R1_SHA512: - flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_firefox_tls = 1; + flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_firefox_tls = 1; break; case ECDSA_SECP256R1_SHA256: 
@@ -1891,23 +1891,23 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, safari_signature_algorithms, chrome_signature_algorithms); #endif - if(flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_firefox_tls) - flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls = 0, - flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_chrome_tls = 0; + if(flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_firefox_tls) + flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 0, + flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls = 0; if(safari_signature_algorithms != 8) - flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls = 0; + flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 0; if((chrome_signature_algorithms != 8) || duplicate_found) - flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_chrome_tls = 0; + flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls = 0; /* Avoid Chrome and Safari overlaps, thing that cannot happen with Firefox */ - if(flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls) - flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_chrome_tls = 0; + if(flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls) + flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls = 0; - if((flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_chrome_tls == 0) + if((flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_chrome_tls == 0) && duplicate_found) - flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_safari_tls = 1; /* Safari */ + flow->protos.tls_quic_stun.tls_quic.browser_heuristics.is_safari_tls = 1; /* Safari */ #ifdef DEBUG_HEURISTIC printf("[SIGNATURE] [is_firefox_tls: %u][is_chrome_tls: %u][is_safari_tls: %u][duplicate_found: %u]\n", |