authorLuca <deri@ntop.org>2019-08-08 15:20:05 +0200
committerLuca <deri@ntop.org>2019-08-08 15:20:05 +0200
commitcce8a6026fab8d62e8e2cf484ed14531b1dc248b (patch)
treede8e9b2539386cf9525a79ff4be371ce9769afaf /src/lib
parent419160f351c35c9ccf1f4d4c148b68f846a828a6 (diff)
Reworked SSL/TLS field naming
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/ndpi_main.c22
-rw-r--r--src/lib/ndpi_utils.c4
-rw-r--r--src/lib/protocols/directconnect.c161
-rw-r--r--src/lib/protocols/msn.c6
-rw-r--r--src/lib/protocols/oscar.c2
-rw-r--r--src/lib/protocols/rtp.c2
-rw-r--r--src/lib/protocols/stun.c34
-rw-r--r--src/lib/protocols/tls.c98
8 files changed, 165 insertions, 164 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index b039f585e..3906b717e 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -4023,8 +4023,8 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
if(flow->guessed_protocol_id == NDPI_PROTOCOL_STUN)
goto check_stun_export;
- else if((flow->l4.tcp.tls_seen_client_cert == 1)
- && (flow->protos.stun_tls.tls.client_certificate[0] != '\0')) {
+ else if((flow->l4.tcp.ssl_seen_client_cert == 1)
+ && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN);
} else {
ndpi_protocol ret_g = ndpi_get_partial_detection(ndpi_struct, flow);
@@ -4038,7 +4038,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
if((flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN)
&& (flow->packet.l4_protocol == IPPROTO_TCP)
- && (flow->l4.tcp.tls_stage > 1))
+ && (flow->l4.tcp.ssl_stage > 1))
flow->guessed_protocol_id = NDPI_PROTOCOL_TLS_NO_CERT;
guessed_protocol_id = flow->guessed_protocol_id, guessed_host_protocol_id = flow->guessed_host_protocol_id;
@@ -4061,8 +4061,8 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
if((guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN)
|| (guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN)) {
if((guessed_protocol_id == 0)
- && (flow->protos.stun_tls.stun.num_binding_requests > 0)
- && (flow->protos.stun_tls.stun.num_processed_pkts > 0))
+ && (flow->protos.stun_ssl.stun.num_binding_requests > 0)
+ && (flow->protos.stun_ssl.stun.num_processed_pkts > 0))
guessed_protocol_id = NDPI_PROTOCOL_STUN;
@@ -4095,9 +4095,9 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
if((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)
&& (flow->guessed_protocol_id == NDPI_PROTOCOL_STUN)) {
check_stun_export:
- if(flow->protos.stun_tls.stun.num_processed_pkts || flow->protos.stun_tls.stun.num_udp_pkts) {
- // if(/* (flow->protos.stun_tls.stun.num_processed_pkts >= NDPI_MIN_NUM_STUN_DETECTION) */
- if(flow->protos.stun_tls.stun.num_processed_pkts && flow->protos.stun_tls.stun.is_skype) {
+ if(flow->protos.stun_ssl.stun.num_processed_pkts || flow->protos.stun_ssl.stun.num_udp_pkts) {
+ // if(/* (flow->protos.stun_ssl.stun.num_processed_pkts >= NDPI_MIN_NUM_STUN_DETECTION) */
+ if(flow->protos.stun_ssl.stun.num_processed_pkts && flow->protos.stun_ssl.stun.is_skype) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE);
} else
ndpi_set_detected_protocol(ndpi_struct, flow,
@@ -4411,9 +4411,11 @@ void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_struc
}
}
- if((flow->l4.tcp.tls_seen_client_cert == 1) && (flow->protos.stun_tls.tls.client_certificate[0] != '\0')) {
+ if((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) {
unsigned long id;
- int rc = ndpi_match_custom_category(ndpi_struct, (char *)flow->protos.stun_tls.tls.client_certificate, &id);
+ int rc = ndpi_match_custom_category(ndpi_struct,
+ (char *)flow->protos.stun_ssl.ssl.client_certificate,
+ &id);
if(rc == 0) {
flow->category = ret->category = (ndpi_protocol_category_t)id;
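Review bot: The string passed to `ndpi_match_custom_category()` is `client_certificate`, which the tls.c hunk at -726,8 fills from an extension of the client's own hello (presumably the requested server name), so the category assigned on `rc == 0` rests on a value the client chooses, and nothing in this hunk ties it to the certificate the server presented. That should be stated where the category is set, because a consumer enforcing policy on `flow->category` would otherwise read it as verified. I would add a comment above the call such as `/* client_certificate is the name requested by the client (unauthenticated): the resulting category is a hint, not proof of the peer's identity */`. The body of ndpi_fill_protocol_category starts and ends outside the hunk.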
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index af43f2bef..00e75c822 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -303,7 +303,7 @@ int strncasecmp(const char *s1, const char *s2, size_t n) {
/* **************************************** */
-u_int8_t ndpi_is_safe_tls_cipher(u_int32_t cipher) {
+u_int8_t ndpi_is_safe_ssl_cipher(u_int32_t cipher) {
/* https://community.qualys.com/thread/18212-how-does-qualys-determine-the-server-cipher-suites */
/* INSECURE */
switch(cipher) {
@@ -709,7 +709,7 @@ int ndpi_has_human_readeable_string(struct ndpi_detection_module_struct *ndpi_st
/* ********************************** */
-char* ndpi_tls_version2str(u_int16_t version) {
+char* ndpi_ssl_version2str(u_int16_t version) {
static char v[8];
switch(version) {
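Review bot: `static char v[8]` means the renamed `ndpi_ssl_version2str()` can hand out storage shared by every caller. The lines that write `v` are outside the hunk, but if it backs the fallback string for unrecognised versions, two threads decoding flows at once, or two calls inside one `printf`, would see each other's text. Since the function is being renamed anyway, its contract deserves a comment, e.g. `/* May return a pointer to a static buffer: not reentrant, copy the result before calling again */`. A caller-supplied buffer would remove the limitation but changes the signature, so documenting it is the smaller step for this commit.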
diff --git a/src/lib/protocols/directconnect.c b/src/lib/protocols/directconnect.c
index 969af69fc..563540fba 100644
--- a/src/lib/protocols/directconnect.c
+++ b/src/lib/protocols/directconnect.c
@@ -58,9 +58,9 @@ static u_int16_t parse_binf_message(struct ndpi_detection_module_struct
u_int16_t ssl_port = 0;
while (i < payload_len) {
i = skip_unknown_headers(payload, payload_len, i);
- if ((i + 30) < payload_len) {
- if (memcmp(&payload[i], "DCTM", 4) == 0) {
- if (memcmp(&payload[i + 15], "ADCS", 4) == 0) {
+ if((i + 30) < payload_len) {
+ if(memcmp(&payload[i], "DCTM", 4) == 0) {
+ if(memcmp(&payload[i + 15], "ADCS", 4) == 0) {
ssl_port = ntohs_ndpi_bytestream_to_number(&payload[i + 25], 5, &bytes_read);
NDPI_LOG_DBG2(ndpi_struct, "DC ssl port parsed %d\n", ssl_port);
}
@@ -84,15 +84,15 @@ static void ndpi_int_directconnect_add_connection(struct ndpi_detection_module_s
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN);
- if (src != NULL) {
+ if(src != NULL) {
src->directconnect_last_safe_access_time = packet->tick_timestamp;
- if (connection_type == DIRECT_CONNECT_TYPE_PEER) {
- if (packet->tcp != NULL
+ if(connection_type == DIRECT_CONNECT_TYPE_PEER) {
+ if(packet->tcp != NULL
&& flow->setup_packet_direction != packet->packet_direction && src->detected_directconnect_port == 0) {
src->detected_directconnect_port = packet->tcp->source;
NDPI_LOG_DBG2(ndpi_struct, "DC tcp PORT %u for src\n", ntohs(src->detected_directconnect_port));
}
- if (packet->udp != NULL && src->detected_directconnect_udp_port == 0) {
+ if(packet->udp != NULL && src->detected_directconnect_udp_port == 0) {
src->detected_directconnect_udp_port = packet->udp->source;
NDPI_LOG_DBG2(ndpi_struct, "DC udp PORT %u for src\n", ntohs(src->detected_directconnect_port));
@@ -100,10 +100,10 @@ static void ndpi_int_directconnect_add_connection(struct ndpi_detection_module_s
}
}
- if (dst != NULL) {
+ if(dst != NULL) {
dst->directconnect_last_safe_access_time = packet->tick_timestamp;
- if (connection_type == DIRECT_CONNECT_TYPE_PEER) {
- if (packet->tcp != NULL
+ if(connection_type == DIRECT_CONNECT_TYPE_PEER) {
+ if(packet->tcp != NULL
&& flow->setup_packet_direction == packet->packet_direction && dst->detected_directconnect_port == 0) {
/* DST PORT MARKING CAN LEAD TO PORT MISSDETECTIONS
* seen at large customer http servers, where someone has send faked DC tcp packets
@@ -121,38 +121,37 @@ static void ndpi_int_directconnect_add_connection(struct ndpi_detection_module_s
}
}
-static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
+static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
struct ndpi_id_struct *src = flow->src;
struct ndpi_id_struct *dst = flow->dst;
- if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DIRECTCONNECT) {
- if (packet->payload_packet_len >= 40 && memcmp(&packet->payload[0], "BINF", 4) == 0) {
- u_int16_t tls_port = 0;
- tls_port = parse_binf_message(ndpi_struct, &packet->payload[4], packet->payload_packet_len - 4);
- if (dst != NULL && tls_port) {
- dst->detected_directconnect_tls_port = tls_port;
- }
- if (src != NULL && tls_port) {
- src->detected_directconnect_tls_port = tls_port;
- }
-
-
+ if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DIRECTCONNECT) {
+ if(packet->payload_packet_len >= 40 && memcmp(&packet->payload[0], "BINF", 4) == 0) {
+ u_int16_t ssl_port = parse_binf_message(ndpi_struct,
+ &packet->payload[4],
+ packet->payload_packet_len - 4);
+ if(dst != NULL && ssl_port)
+ dst->detected_directconnect_ssl_port = ssl_port;
+
+ if(src != NULL && ssl_port)
+ src->detected_directconnect_ssl_port = ssl_port;
}
- if ((packet->payload_packet_len >= 38 && packet->payload_packet_len <= 42)
+
+ if((packet->payload_packet_len >= 38 && packet->payload_packet_len <= 42)
&& memcmp(&packet->payload[0], "DCTM", 4) == 0 && memcmp(&packet->payload[15], "ADCS", 4) == 0) {
u_int16_t bytes_read = 0;
- if (dst != NULL) {
- dst->detected_directconnect_tls_port =
+ if(dst != NULL) {
+ dst->detected_directconnect_ssl_port =
ntohs_ndpi_bytestream_to_number(&packet->payload[25], 5, &bytes_read);
- NDPI_LOG_DBG2(ndpi_struct, "DC ssl port parsed %d\n", ntohs(dst->detected_directconnect_tls_port));
+ NDPI_LOG_DBG2(ndpi_struct, "DC ssl port parsed %d\n", ntohs(dst->detected_directconnect_ssl_port));
}
- if (src != NULL) {
- src->detected_directconnect_tls_port =
+ if(src != NULL) {
+ src->detected_directconnect_ssl_port =
ntohs_ndpi_bytestream_to_number(&packet->payload[25], 5, &bytes_read);
- NDPI_LOG_DBG2(ndpi_struct, "DC ssl port parsed %d\n", ntohs(src->detected_directconnect_tls_port));
+ NDPI_LOG_DBG2(ndpi_struct, "DC ssl port parsed %d\n", ntohs(src->detected_directconnect_ssl_port));
}
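Review bot: In the `DCTM`/`ADCS` branch the port parsed from the payload is written to `detected_directconnect_ssl_port` for both `dst` and `src` without any check, whereas the `BINF` branch just above only stores it when `ssl_port` is non-zero; `bytes_read` is filled in and never looked at. The stored port later decides whether other flows of that host are labelled DirectConnect (the hunks at -175,16 and -207,16 compare it with `packet->tcp->dest`), so a value taken from packet bytes should be validated the same way in both branches. Parsing once and guarding the stores would do it: `u_int16_t port = ntohs_ndpi_bytestream_to_number(&packet->payload[25], 5, &bytes_read);` followed by `if(dst != NULL && port) dst->detected_directconnect_ssl_port = port;` and the same line for `src`. ndpi_search_directconnect_tcp continues past the end of this hunk.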
@@ -160,9 +159,9 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
return;
}
- if (src != NULL) {
- if (src->detected_directconnect_port == packet->tcp->source) {
- if ((u_int32_t)
+ if(src != NULL) {
+ if(src->detected_directconnect_port == packet->tcp->source) {
+ if((u_int32_t)
(packet->tick_timestamp -
src->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) {
src->directconnect_last_safe_access_time = packet->tick_timestamp;
@@ -175,16 +174,16 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
return;
}
}
- if (src->detected_directconnect_tls_port == packet->tcp->dest) {
- if ((u_int32_t)
+ if(src->detected_directconnect_ssl_port == packet->tcp->dest) {
+ if((u_int32_t)
(packet->tick_timestamp -
src->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) {
src->directconnect_last_safe_access_time = packet->tick_timestamp;
- NDPI_LOG_INFO(ndpi_struct, "found DC using port %d\n", ntohs(src->detected_directconnect_tls_port));
+ NDPI_LOG_INFO(ndpi_struct, "found DC using port %d\n", ntohs(src->detected_directconnect_ssl_port));
ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN);
return;
} else {
- src->detected_directconnect_tls_port = 0;
+ src->detected_directconnect_ssl_port = 0;
NDPI_LOG_DBG2(ndpi_struct, "resetting src port due to timeout\n");
return;
}
@@ -192,9 +191,9 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
}
- if (dst != NULL) {
- if (dst->detected_directconnect_port == packet->tcp->dest) {
- if ((u_int32_t)
+ if(dst != NULL) {
+ if(dst->detected_directconnect_port == packet->tcp->dest) {
+ if((u_int32_t)
(packet->tick_timestamp -
dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) {
dst->directconnect_last_safe_access_time = packet->tick_timestamp;
@@ -207,16 +206,16 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
return;
}
}
- if (dst->detected_directconnect_tls_port == packet->tcp->dest) {
- if ((u_int32_t)
+ if(dst->detected_directconnect_ssl_port == packet->tcp->dest) {
+ if((u_int32_t)
(packet->tick_timestamp -
dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) {
dst->directconnect_last_safe_access_time = packet->tick_timestamp;
- NDPI_LOG_DBG(ndpi_struct, "found DC using port %d\n", ntohs(dst->detected_directconnect_tls_port));
+ NDPI_LOG_DBG(ndpi_struct, "found DC using port %d\n", ntohs(dst->detected_directconnect_ssl_port));
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN);
return;
} else {
- dst->detected_directconnect_tls_port = 0;
+ dst->detected_directconnect_ssl_port = 0;
NDPI_LOG_DBG2(ndpi_struct, "resetting dst port due to timeout\n");
return;
}
@@ -224,17 +223,17 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
}
- if (flow->directconnect_stage == 0) {
+ if(flow->directconnect_stage == 0) {
- if (packet->payload_packet_len > 6) {
- if (packet->payload[0] == '$'
+ if(packet->payload_packet_len > 6) {
+ if(packet->payload[0] == '$'
&& packet->payload[packet->payload_packet_len - 1] == '|'
&& (memcmp(&packet->payload[1], "Lock ", 5) == 0)) {
NDPI_LOG_DBG2(ndpi_struct, "maybe first dc connect to hub detected\n");
flow->directconnect_stage = 1;
return;
}
- if (packet->payload_packet_len > 7
+ if(packet->payload_packet_len > 7
&& packet->payload[0] == '$'
&& packet->payload[packet->payload_packet_len - 1] == '|'
&& (memcmp(&packet->payload[1], "MyNick ", 7) == 0)) {
@@ -244,15 +243,15 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
}
}
- if (packet->payload_packet_len >= 11) {
+ if(packet->payload_packet_len >= 11) {
/* did not see this pattern in any trace */
- if (memcmp(&packet->payload[0], "HSUP ADBAS0", 11) == 0
+ if(memcmp(&packet->payload[0], "HSUP ADBAS0", 11) == 0
|| memcmp(&packet->payload[0], "HSUP ADBASE", 11) == 0) {
NDPI_LOG_INFO(ndpi_struct, "found DC HSUP ADBAS0 E\n");
ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_HUB);
return;
/* did not see this pattern in any trace */
- } else if (memcmp(&packet->payload[0], "CSUP ADBAS0", 11) == 0 ||
+ } else if(memcmp(&packet->payload[0], "CSUP ADBAS0", 11) == 0 ||
memcmp(&packet->payload[0], "CSUP ADBASE", 11) == 0) {
NDPI_LOG_INFO(ndpi_struct, "found DC CSUP ADBAS0 E\n");
ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_ADC_PEER);
@@ -262,16 +261,16 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
}
- } else if (flow->directconnect_stage == 1) {
- if (packet->payload_packet_len >= 11) {
+ } else if(flow->directconnect_stage == 1) {
+ if(packet->payload_packet_len >= 11) {
/* did not see this pattern in any trace */
- if (memcmp(&packet->payload[0], "HSUP ADBAS0", 11) == 0
+ if(memcmp(&packet->payload[0], "HSUP ADBAS0", 11) == 0
|| memcmp(&packet->payload[0], "HSUP ADBASE", 11) == 0) {
NDPI_LOG_INFO(ndpi_struct, "found DC HSUP ADBAS E in second packet\n");
ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_HUB);
return;
/* did not see this pattern in any trace */
- } else if (memcmp(&packet->payload[0], "CSUP ADBAS0", 11) == 0 ||
+ } else if(memcmp(&packet->payload[0], "CSUP ADBAS0", 11) == 0 ||
memcmp(&packet->payload[0], "CSUP ADBASE", 11) == 0) {
NDPI_LOG_INFO(ndpi_struct, "found DC HSUP ADBAS0 E in second packet\n");
ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_ADC_PEER);
@@ -280,8 +279,8 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
}
}
/* get client hello answer or server message */
- if (packet->payload_packet_len > 6) {
- if ((packet->payload[0] == '$' || packet->payload[0] == '<')
+ if(packet->payload_packet_len > 6) {
+ if((packet->payload[0] == '$' || packet->payload[0] == '<')
&& packet->payload[packet->payload_packet_len - 1] == '|') {
NDPI_LOG_INFO(ndpi_struct, "found DC second\n");
ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_HUB);
@@ -291,10 +290,10 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
}
}
- } else if (flow->directconnect_stage == 2) {
+ } else if(flow->directconnect_stage == 2) {
/* get client hello answer or server message */
- if (packet->payload_packet_len > 6) {
- if (packet->payload[0] == '$' && packet->payload[packet->payload_packet_len - 1] == '|') {
+ if(packet->payload_packet_len > 6) {
+ if(packet->payload[0] == '$' && packet->payload[packet->payload_packet_len - 1] == '|') {
NDPI_LOG_INFO(ndpi_struct, "found DC between peers\n");
ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_PEER);
return;
@@ -318,8 +317,8 @@ static void ndpi_search_directconnect_udp(struct ndpi_detection_module_struct
struct ndpi_id_struct *dst = flow->dst;
int pos, count = 0;
- if (dst != NULL && dst->detected_directconnect_udp_port == packet->udp->dest) {
- if ((u_int32_t)
+ if(dst != NULL && dst->detected_directconnect_udp_port == packet->udp->dest) {
+ if((u_int32_t)
(packet->tick_timestamp -
dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) {
@@ -334,21 +333,21 @@ static void ndpi_search_directconnect_udp(struct ndpi_detection_module_struct
}
}
- if (packet->payload_packet_len > 58) {
- if (src != NULL
+ if(packet->payload_packet_len > 58) {
+ if(src != NULL
&& NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_DIRECTCONNECT)) {
- if (packet->payload[0] == '$'
+ if(packet->payload[0] == '$'
&& packet->payload[packet->payload_packet_len - 1] == '|'
&& memcmp(&packet->payload[1], "SR ", 3) == 0) {
pos = packet->payload_packet_len - 2;
- if (packet->payload[pos] == ')') {
+ if(packet->payload[pos] == ')') {
while (pos > 0 && packet->payload[pos] != '(' && count < 21) {
pos--;
count++;
}
- if (packet->payload[pos] == '(') {
+ if(packet->payload[pos] == '(') {
pos = pos - 44;
- if (pos > 2 && memcmp(&packet->payload[pos], "TTH:", 4) == 0) {
+ if(pos > 2 && memcmp(&packet->payload[pos], "TTH:", 4) == 0) {
NDPI_LOG_INFO(ndpi_struct, "found DC udp\n");
ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_PEER);
return;
@@ -356,25 +355,25 @@ static void ndpi_search_directconnect_udp(struct ndpi_detection_module_struct
}
}
flow->directconnect_stage++;
- if (flow->directconnect_stage < 3)
+ if(flow->directconnect_stage < 3)
return;
}
}
- if (dst != NULL
+ if(dst != NULL
&& NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_DIRECTCONNECT)) {
- if (packet->payload[0] == '$'
+ if(packet->payload[0] == '$'
&& packet->payload[packet->payload_packet_len - 1] == '|'
&& memcmp(&packet->payload[1], "SR ", 3) == 0) {
pos = packet->payload_packet_len - 2;
- if (packet->payload[pos] == ')') {
+ if(packet->payload[pos] == ')') {
while (pos > 0 && packet->payload[pos] != '(' && count < 21) {
pos--;
count++;
}
- if (packet->payload[pos] == '(') {
+ if(packet->payload[pos] == '(') {
pos = pos - 44;
- if (pos > 2 && memcmp(&packet->payload[pos], "TTH:", 4) == 0) {
+ if(pos > 2 && memcmp(&packet->payload[pos], "TTH:", 4) == 0) {
NDPI_LOG_INFO(ndpi_struct, "found DC udp\n");
ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_PEER);
return;
@@ -382,7 +381,7 @@ static void ndpi_search_directconnect_udp(struct ndpi_detection_module_struct
}
}
flow->directconnect_stage++;
- if (flow->directconnect_stage < 3)
+ if(flow->directconnect_stage < 3)
return;
}
}
@@ -404,14 +403,14 @@ void ndpi_search_directconnect(struct ndpi_detection_module_struct
NDPI_LOG_DBG(ndpi_struct, "search DC\n");
- if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_DIRECTCONNECT) {
- if (src != NULL && ((u_int32_t)
+ if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_DIRECTCONNECT) {
+ if(src != NULL && ((u_int32_t)
(packet->tick_timestamp -
src->directconnect_last_safe_access_time) <
ndpi_struct->directconnect_connection_ip_tick_timeout)) {
src->directconnect_last_safe_access_time = packet->tick_timestamp;
- } else if (dst != NULL && ((u_int32_t)
+ } else if(dst != NULL && ((u_int32_t)
(packet->tick_timestamp -
dst->directconnect_last_safe_access_time) <
ndpi_struct->directconnect_connection_ip_tick_timeout)) {
@@ -423,9 +422,9 @@ void ndpi_search_directconnect(struct ndpi_detection_module_struct
return;
}
- if (packet->tcp != NULL) {
+ if(packet->tcp != NULL) {
ndpi_search_directconnect_tcp(ndpi_struct, flow);
- } else if (packet->udp != NULL) {
+ } else if(packet->udp != NULL) {
ndpi_search_directconnect_udp(ndpi_struct, flow);
}
}
diff --git a/src/lib/protocols/msn.c b/src/lib/protocols/msn.c
index 26d7557b1..8d52d690b 100644
--- a/src/lib/protocols/msn.c
+++ b/src/lib/protocols/msn.c
@@ -80,12 +80,12 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct
if(flow->packet_counter >= 5 && flow->packet_counter <= 10
&& (get_u_int32_t(packet->payload, 0) == htonl(0x18000000)
&& get_u_int32_t(packet->payload, 4) == 0x00000000)) {
- flow->l4.tcp.msn_tls_ft++;
+ flow->l4.tcp.msn_ssl_ft++;
NDPI_LOG_DBG2(ndpi_struct,
"increased msn ft ssl stage to: %u at packet nr: %u\n",
- flow->l4.tcp.msn_tls_ft,
+ flow->l4.tcp.msn_ssl_ft,
flow->packet_counter);
- if (flow->l4.tcp.msn_tls_ft == 2) {
+ if (flow->l4.tcp.msn_ssl_ft == 2) {
NDPI_LOG_INFO(ndpi_struct,
"found MSN File Transfer, ifdef ssl 2.\n");
ndpi_int_msn_add_connection(ndpi_struct, flow);
diff --git a/src/lib/protocols/oscar.c b/src/lib/protocols/oscar.c
index 1a848ea12..010a620e9 100644
--- a/src/lib/protocols/oscar.c
+++ b/src/lib/protocols/oscar.c
@@ -774,7 +774,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct
NDPI_LOG_INFO(ndpi_struct, "found OSCAR PICTURE TRANSFER\n");
ndpi_int_oscar_add_connection(ndpi_struct, flow);
if (ntohs(packet->tcp->dest) == 443 || ntohs(packet->tcp->source) == 443) {
- flow->oscar_tls_voice_stage = 1;
+ flow->oscar_ssl_voice_stage = 1;
}
return;
diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
index 6583b727a..90b73ab1e 100644
--- a/src/lib/protocols/rtp.c
+++ b/src/lib/protocols/rtp.c
@@ -78,7 +78,7 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
const u_int8_t * payload, const u_int16_t payload_len) {
NDPI_LOG_DBG(ndpi_struct, "search RTP\n");
- if((payload_len < 2) || flow->protos.stun_tls.stun.num_binding_requests) {
+ if((payload_len < 2) || flow->protos.stun_ssl.stun.num_binding_requests) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index a35ab1ad7..bcf957340 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -105,7 +105,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
if(payload_length < sizeof(struct stun_packet_header)) {
/* This looks like an invlid packet */
- if(flow->protos.stun_tls.stun.num_udp_pkts > 0) {
+ if(flow->protos.stun_ssl.stun.num_udp_pkts > 0) {
*is_whatsapp = 1;
return(NDPI_IS_STUN); /* This is WhatsApp Voice */
} else
@@ -125,7 +125,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
return(NDPI_IS_NOT_STUN);
if(msg_type == 0x01 /* Binding Request */) {
- flow->protos.stun_tls.stun.num_binding_requests++;
+ flow->protos.stun_ssl.stun.num_binding_requests++;
if((msg_len == 0) && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_GOOGLE)) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
}
@@ -136,11 +136,11 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
return(NDPI_IS_NOT_STUN);
}
- flow->protos.stun_tls.stun.num_udp_pkts++;
+ flow->protos.stun_ssl.stun.num_udp_pkts++;
/*
printf("[msg_type: %04X][payload_length: %u][num_binding_request: %u]\n",
- msg_type, payload_length, flow->protos.stun_tls.stun.num_binding_requests);
+ msg_type, payload_length, flow->protos.stun_ssl.stun.num_binding_requests);
*/
if(((payload[0] == 0x80)
@@ -150,7 +150,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
return(NDPI_IS_STUN); /* This is WhatsApp Voice */
} else if((payload[0] == 0x90)
&& (((msg_len+11) == payload_length) /* WhatsApp Video */
- || (flow->protos.stun_tls.stun.num_binding_requests >= 4))) {
+ || (flow->protos.stun_ssl.stun.num_binding_requests >= 4))) {
*is_whatsapp = 2;
return(NDPI_IS_STUN); /* This is WhatsApp Video */
}
@@ -211,7 +211,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
&& (payload[offset+6] == 0x00)
&& (payload[offset+7] == 0x00)) {
/* Either skype for business or "normal" skype with multiparty call */
- flow->protos.stun_tls.stun.is_skype = 1;
+ flow->protos.stun_ssl.stun.is_skype = 1;
return(NDPI_IS_STUN);
}
break;
@@ -226,7 +226,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
case 0x8095:
case 0x0800:
/* printf("====>>>> %04X\n", attribute); */
- flow->protos.stun_tls.stun.is_skype = 1;
+ flow->protos.stun_ssl.stun.is_skype = 1;
return(NDPI_IS_STUN);
break;
@@ -238,7 +238,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
&& (payload[offset+6] == 0x00)
&& ((payload[offset+7] == 0x02) || (payload[offset+7] == 0x03))
) {
- flow->protos.stun_tls.stun.is_skype = 1;
+ flow->protos.stun_ssl.stun.is_skype = 1;
return(NDPI_IS_STUN);
}
break;
@@ -266,7 +266,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
}
}
- if((flow->protos.stun_tls.stun.num_udp_pkts > 0) && (msg_type <= 0x00FF)) {
+ if((flow->protos.stun_ssl.stun.num_udp_pkts > 0) && (msg_type <= 0x00FF)) {
*is_whatsapp = 1;
return(NDPI_IS_STUN); /* This is WhatsApp Voice */
} else
@@ -276,7 +276,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
if(can_this_be_whatsapp_voice) {
struct ndpi_packet_struct *packet = &flow->packet;
- flow->protos.stun_tls.stun.num_processed_pkts++;
+ flow->protos.stun_ssl.stun.num_processed_pkts++;
#ifdef DEBUG_STUN
printf("==>> NDPI_PROTOCOL_WHATSAPP_VOICE\n");
#endif
@@ -287,7 +287,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
} else
flow->guessed_host_protocol_id = (is_google_ip_address(ntohl(packet->iph->saddr)) || is_google_ip_address(ntohl(packet->iph->daddr)))
? NDPI_PROTOCOL_HANGOUT_DUO : NDPI_PROTOCOL_WHATSAPP_VOICE;
- return((flow->protos.stun_tls.stun.num_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN);
+ return((flow->protos.stun_ssl.stun.num_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN);
} else {
/*
We cannot immediately say that this is STUN as there are other protocols
@@ -330,10 +330,10 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n
} else if(is_duo) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HANGOUT_DUO, NDPI_PROTOCOL_STUN);
return;
- } else if(flow->protos.stun_tls.stun.is_skype) {
+ } else if(flow->protos.stun_ssl.stun.is_skype) {
NDPI_LOG_INFO(ndpi_struct, "found Skype\n");
- if((flow->protos.stun_tls.stun.num_processed_pkts >= 8) || (flow->protos.stun_tls.stun.num_binding_requests >= 4))
+ if((flow->protos.stun_ssl.stun.num_processed_pkts >= 8) || (flow->protos.stun_ssl.stun.num_binding_requests >= 4))
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE);
} else {
NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n"); /* Ummmmm we're in the TCP branch. This code looks bad */
@@ -358,11 +358,11 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n
} else if(is_duo) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HANGOUT_DUO, NDPI_PROTOCOL_STUN);
return;
- } else if(flow->protos.stun_tls.stun.is_skype) {
+ } else if(flow->protos.stun_ssl.stun.is_skype) {
NDPI_LOG_INFO(ndpi_struct, "Found Skype\n");
- /* flow->protos.stun_tls.stun.num_binding_requests < 4) ? NDPI_PROTOCOL_SKYPE_CALL_IN : NDPI_PROTOCOL_SKYPE_CALL_OUT */
- if((flow->protos.stun_tls.stun.num_processed_pkts >= 8) || (flow->protos.stun_tls.stun.num_binding_requests >= 4))
+ /* flow->protos.stun_ssl.stun.num_binding_requests < 4) ? NDPI_PROTOCOL_SKYPE_CALL_IN : NDPI_PROTOCOL_SKYPE_CALL_OUT */
+ if((flow->protos.stun_ssl.stun.num_processed_pkts >= 8) || (flow->protos.stun_ssl.stun.num_binding_requests >= 4))
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE);
} else {
NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n");
@@ -375,7 +375,7 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n
return;
}
- if(flow->protos.stun_tls.stun.num_udp_pkts >= MAX_NUM_STUN_PKTS)
+ if(flow->protos.stun_ssl.stun.num_udp_pkts >= MAX_NUM_STUN_PKTS)
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
if(flow->packet_counter > 0) {
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 188d0bc9a..635967380 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -237,8 +237,8 @@ static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_st
struct ndpi_flow_struct *flow, u_int32_t protocol) {
struct ndpi_packet_struct *packet = &flow->packet;
- if(((flow->l4.tcp.tls_seen_client_cert == 1) && (flow->protos.stun_tls.tls.ja3_client[0] != '\0'))
- || ((flow->l4.tcp.tls_seen_server_cert == 1) && (flow->protos.stun_tls.tls.ja3_server[0] != '\0'))
+ if(((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.ja3_client[0] != '\0'))
+ || ((flow->l4.tcp.ssl_seen_server_cert == 1) && (flow->protos.stun_ssl.ssl.ja3_server[0] != '\0'))
// || (flow->host_server_name[0] != '\0')
)
protocol = NDPI_PROTOCOL_TLS;
@@ -387,7 +387,7 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct,
}
}
- flow->protos.stun_tls.tls.tls_version = pkt_tls_version;
+ flow->protos.stun_ssl.ssl.ssl_version = pkt_tls_version;
memset(&ja3, 0, sizeof(ja3));
@@ -458,7 +458,7 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct,
The server hello decides about the SSL version of this flow
https://networkengineering.stackexchange.com/questions/55752/why-does-wireshark-show-version-tls-1-2-here-instead-of-tls-1-3
*/
- flow->protos.stun_tls.tls.tls_version = tls_version;
+ flow->protos.stun_ssl.ssl.ssl_version = tls_version;
if(packet->udp)
offset += 1;
@@ -468,8 +468,8 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct,
}
ja3.num_cipher = 1, ja3.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset]));
- flow->protos.stun_tls.tls.server_unsafe_cipher = ndpi_is_safe_tls_cipher(ja3.cipher[0]);
- flow->protos.stun_tls.tls.server_cipher = ja3.cipher[0];
+ flow->protos.stun_ssl.ssl.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0]);
+ flow->protos.stun_ssl.ssl.server_cipher = ja3.cipher[0];
#ifdef CERTIFICATE_DEBUG
printf("SSL [server][session_id_len: %u][cipher: %04X]\n", session_id_len, ja3.cipher[0]);
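Review bot: `server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0])` assigns the result of an "is safe" predicate to an "unsafe" field, so one of the two names states the opposite of the value it carries; the helper's `switch` in ndpi_utils.c sits under an `/* INSECURE */` comment, which suggests a non-zero return means the cipher is weak. A rename commit is the place to settle this, because anyone alerting on weak server ciphers has to guess the polarity. Once confirmed against the helper's return values, either give the helper a name that matches the field or document the call site with `/* non-zero = cipher considered insecure */`. Separately, `*((u_int16_t*)&packet->payload[offset])` reads two bytes through a cast pointer at an arbitrary offset; the bounds check covering `offset + 2` is not visible in this hunk and should be confirmed.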
@@ -526,16 +526,16 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct,
MD5Final(md5_hash, &ctx);
for(i=0, j=0; i<16; i++)
- j += snprintf(&flow->protos.stun_tls.tls.ja3_server[j],
- sizeof(flow->protos.stun_tls.tls.ja3_server)-j, "%02x", md5_hash[i]);
+ j += snprintf(&flow->protos.stun_ssl.ssl.ja3_server[j],
+ sizeof(flow->protos.stun_ssl.ssl.ja3_server)-j, "%02x", md5_hash[i]);
#ifdef CERTIFICATE_DEBUG
- printf("[JA3] Server: %s \n", flow->protos.stun_tls.tls.ja3_server);
+ printf("[JA3] Server: %s \n", flow->protos.stun_ssl.ssl.ja3_server);
#endif
- flow->l4.tcp.tls_seen_server_cert = 1;
+ flow->l4.tcp.ssl_seen_server_cert = 1;
} else
- flow->l4.tcp.tls_seen_certificate = 1;
+ flow->l4.tcp.ssl_seen_certificate = 1;
/* Check after handshake protocol header (5 bytes) and message header (4 bytes) */
for(i = 9; i < packet->payload_packet_len-3; i++) {
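Review bot: The hex-encoding loop `j += snprintf(&flow->protos.stun_ssl.ssl.ja3_server[j], sizeof(flow->protos.stun_ssl.ssl.ja3_server)-j, "%02x", md5_hash[i])` is only safe while `ja3_server` holds at least 33 bytes. snprintf returns the length it wanted to write, so with a shorter array `j` would pass the array size and `sizeof(...)-j` would wrap to a huge bound on the next iteration. The array is declared outside this diff, so nothing visible here enforces that size. I would stop the loop when space runs out, `for(i=0, j=0; (i<16) && (j+2 < sizeof(flow->protos.stun_ssl.ssl.ja3_server)); i++)`, or at least state the required size in a comment next to the field. The same loop fills `ja3_client` in the hunk at -840,11.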
@@ -580,8 +580,8 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct,
if(num_dots >= 1) {
if(!ndpi_struct->disable_metadata_export) {
stripCertificateTrailer(buffer, buffer_len);
- snprintf(flow->protos.stun_tls.tls.server_certificate,
- sizeof(flow->protos.stun_tls.tls.server_certificate), "%s", buffer);
+ snprintf(flow->protos.stun_ssl.ssl.server_certificate,
+ sizeof(flow->protos.stun_ssl.ssl.server_certificate), "%s", buffer);
}
return(1 /* Server Certificate */);
@@ -658,7 +658,7 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct,
offset = base_offset + session_id_len + cipher_len + 2;
- flow->l4.tcp.tls_seen_client_cert = 1;
+ flow->l4.tcp.ssl_seen_client_cert = 1;
if(offset < total_len) {
u_int16_t compression_len;
@@ -726,8 +726,8 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct,
stripCertificateTrailer(buffer, buffer_len);
if(!ndpi_struct->disable_metadata_export) {
- snprintf(flow->protos.stun_tls.tls.client_certificate,
- sizeof(flow->protos.stun_tls.tls.client_certificate), "%s", buffer);
+ snprintf(flow->protos.stun_ssl.ssl.client_certificate,
+ sizeof(flow->protos.stun_ssl.ssl.client_certificate), "%s", buffer);
}
} else if(extension_id == 10 /* supported groups */) {
u_int16_t s_offset = offset+extension_offset + 2;
@@ -840,11 +840,11 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct,
MD5Final(md5_hash, &ctx);
for(i=0, j=0; i<16; i++)
- j += snprintf(&flow->protos.stun_tls.tls.ja3_client[j],
- sizeof(flow->protos.stun_tls.tls.ja3_client)-j, "%02x", md5_hash[i]);
+ j += snprintf(&flow->protos.stun_ssl.ssl.ja3_client[j],
+ sizeof(flow->protos.stun_ssl.ssl.ja3_client)-j, "%02x", md5_hash[i]);
#ifdef CERTIFICATE_DEBUG
- printf("[JA3] Client: %s \n", flow->protos.stun_tls.tls.ja3_client);
+ printf("[JA3] Client: %s \n", flow->protos.stun_ssl.ssl.ja3_client);
#endif
}
@@ -916,10 +916,10 @@ void getSSLorganization(struct ndpi_detection_module_struct *ndpi_struct,
}
if(is_printable == 1) {
- snprintf(flow->protos.stun_tls.tls.server_organization,
- sizeof(flow->protos.stun_tls.tls.server_organization), "%s", buffer);
+ snprintf(flow->protos.stun_ssl.ssl.server_organization,
+ sizeof(flow->protos.stun_ssl.ssl.server_organization), "%s", buffer);
#ifdef CERTIFICATE_DEBUG
- printf("Certificate organization: %s\n", flow->protos.stun_tls.tls.server_organization);
+ printf("Certificate organization: %s\n", flow->protos.stun_ssl.ssl.server_organization);
#endif
}
}
@@ -939,7 +939,7 @@ int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi
certificate[0] = '\0';
rc = getTLScertificate(ndpi_struct, flow, certificate, sizeof(certificate));
- packet->tls_certificate_num_checks++;
+ packet->ssl_certificate_num_checks++;
if(rc > 0) {
char organization[64];
@@ -948,14 +948,14 @@ int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi
organization[0] = '\0';
getSSLorganization(ndpi_struct, flow, organization, sizeof(organization));
- packet->tls_certificate_detected++;
- if((flow->l4.tcp.tls_seen_server_cert == 1) && (flow->protos.stun_tls.tls.server_certificate[0] != '\0'))
+ packet->ssl_certificate_detected++;
+ if((flow->l4.tcp.ssl_seen_server_cert == 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0'))
/* 0 means we're done processing extra packets (since we found what we wanted) */
return 0;
}
/* Client hello, Server Hello, and certificate packets probably all checked in this case */
- if((packet->tls_certificate_num_checks >= 3)
+ if((packet->ssl_certificate_num_checks >= 3)
&& (flow->l4.tcp.seen_syn)
&& (flow->l4.tcp.seen_syn_ack)
&& (flow->l4.tcp.seen_ack) /* We have seen the 3-way handshake */)
@@ -996,10 +996,10 @@ int tlsDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s
certificate[0] = '\0';
rc = getTLScertificate(ndpi_struct, flow, certificate, sizeof(certificate));
- packet->tls_certificate_num_checks++;
+ packet->ssl_certificate_num_checks++;
if(rc > 0) {
- packet->tls_certificate_detected++;
+ packet->ssl_certificate_detected++;
#ifdef CERTIFICATE_DEBUG
NDPI_LOG_DBG2(ndpi_struct, "***** [SSL] %s\n", certificate);
#endif
@@ -1013,8 +1013,8 @@ int tlsDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s
/* If we've detected the subprotocol from client certificate but haven't had a chance
* to see the server certificate yet, set up extra packet processing to wait
* a few more packets. */
- if(((flow->l4.tcp.tls_seen_client_cert == 1) && (flow->protos.stun_tls.tls.client_certificate[0] != '\0'))
- && ((flow->l4.tcp.tls_seen_server_cert != 1) && (flow->protos.stun_tls.tls.server_certificate[0] == '\0'))) {
+ if(((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0'))
+ && ((flow->l4.tcp.ssl_seen_server_cert != 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] == '\0'))) {
sslInitExtraPacketProcessing(0, flow);
}
@@ -1027,14 +1027,14 @@ int tlsDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s
return(rc);
}
- if(((packet->tls_certificate_num_checks >= 3)
+ if(((packet->ssl_certificate_num_checks >= 3)
&& flow->l4.tcp.seen_syn
&& flow->l4.tcp.seen_syn_ack
&& flow->l4.tcp.seen_ack /* We have seen the 3-way handshake */)
- || ((flow->l4.tcp.tls_seen_certificate == 1)
- && (flow->l4.tcp.tls_seen_server_cert == 1)
- && (flow->protos.stun_tls.tls.server_certificate[0] != '\0'))
- /* || ((flow->l4.tcp.tls_seen_client_cert == 1) && (flow->protos.stun_tls.tls.client_certificate[0] != '\0')) */
+ || ((flow->l4.tcp.ssl_seen_certificate == 1)
+ && (flow->l4.tcp.ssl_seen_server_cert == 1)
+ && (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0'))
+ /* || ((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) */
) {
ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
}
@@ -1090,8 +1090,8 @@ static void tls_mark_and_payload_search_for_other_protocols(struct ndpi_detectio
NDPI_LOG_INFO(ndpi_struct, "found OSCAR SERVER SSL DETECTED\n");
if(flow->dst != NULL && packet->payload_packet_len > 75) {
- memcpy(flow->dst->oscar_tls_session_id, &packet->payload[44], 32);
- flow->dst->oscar_tls_session_id[32] = '\0';
+ memcpy(flow->dst->oscar_ssl_session_id, &packet->payload[44], 32);
+ flow->dst->oscar_ssl_session_id[32] = '\0';
flow->dst->oscar_last_safe_access_time = packet->tick_timestamp;
}
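Review bot: The session-id copy relies on literals that nothing in the hunk ties to the destination field. The `> 75` guard covers the read of `payload[44..75]`, but the 32-byte memcpy and the write to index 32 are only correct if `oscar_ssl_session_id` holds at least 33 bytes, and its declaration is not visible here. A comment above the memcpy such as `/* 32-byte session id at payload[44..75]; oscar_ssl_session_id must hold 33 bytes */` would record the dependency for whoever next changes the struct. The enclosing function starts and ends outside the hunk.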
@@ -1116,12 +1116,12 @@ static void tls_mark_and_payload_search_for_other_protocols(struct ndpi_detectio
NDPI_LOG_DBG(ndpi_struct, "found ssl connection\n");
tlsDetectProtocolFromCertificate(ndpi_struct, flow);
- if(!packet->tls_certificate_detected
- && (!(flow->l4.tcp.tls_seen_client_cert && flow->l4.tcp.tls_seen_server_cert))) {
+ if(!packet->ssl_certificate_detected
+ && (!(flow->l4.tcp.ssl_seen_client_cert && flow->l4.tcp.ssl_seen_server_cert))) {
/* SSL without certificate (Skype, Ultrasurf?) */
NDPI_LOG_INFO(ndpi_struct, "found ssl NO_CERT\n");
ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS_NO_CERT);
- } else if(packet->tls_certificate_num_checks >= 3) {
+ } else if(packet->ssl_certificate_num_checks >= 3) {
NDPI_LOG_INFO(ndpi_struct, "found ssl\n");
ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
}
@@ -1246,13 +1246,13 @@ void ndpi_search_tls_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct,
if(rc) flow->guessed_protocol_id = NDPI_PROTOCOL_TLS;
- if(flow->l4.tcp.tls_seen_server_cert)
+ if(flow->l4.tcp.ssl_seen_server_cert)
ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
return;
}
if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS) {
- if(flow->l4.tcp.tls_stage == 3 && packet->payload_packet_len > 20 && flow->packet_counter < 5) {
+ if(flow->l4.tcp.ssl_stage == 3 && packet->payload_packet_len > 20 && flow->packet_counter < 5) {
/* this should only happen, when we detected SSL with a packet that had parts of the certificate in subsequent packets
* so go on checking for certificate patterns for a couple more packets
*/
@@ -1294,14 +1294,14 @@ void ndpi_search_tls_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct,
return;
}
- if(packet->payload_packet_len > 40 && flow->l4.tcp.tls_stage == 0) {
+ if(packet->payload_packet_len > 40 && flow->l4.tcp.ssl_stage == 0) {
NDPI_LOG_DBG2(ndpi_struct, "first ssl packet\n");
// SSLv2 Record
if(packet->payload[2] == 0x01 && packet->payload[3] == 0x03
&& (packet->payload[4] == 0x00 || packet->payload[4] == 0x01 || packet->payload[4] == 0x02)
&& (packet->payload_packet_len - packet->payload[1] == 2)) {
NDPI_LOG_DBG2(ndpi_struct, "sslv2 len match\n");
- flow->l4.tcp.tls_stage = 1 + packet->packet_direction;
+ flow->l4.tcp.ssl_stage = 1 + packet->packet_direction;
return;
}
@@ -1310,7 +1310,7 @@ void ndpi_search_tls_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct,
&& (packet->payload_packet_len - ntohs(get_u_int16_t(packet->payload, 3)) == 5)) {
// SSLv3 Record
NDPI_LOG_DBG2(ndpi_struct, "sslv3 len match\n");
- flow->l4.tcp.tls_stage = 1 + packet->packet_direction;
+ flow->l4.tcp.ssl_stage = 1 + packet->packet_direction;
return;
}
@@ -1320,19 +1320,19 @@ void ndpi_search_tls_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct,
packet->payload[2] == 0x02 || packet->payload[2] == 0x03)) {
if(packet->payload_packet_len - ntohs(get_u_int16_t(packet->payload, 3)) == 5) {
NDPI_LOG_DBG2(ndpi_struct, "TLS len match\n");
- flow->l4.tcp.tls_stage = 1 + packet->packet_direction;
+ flow->l4.tcp.ssl_stage = 1 + packet->packet_direction;
return;
}
}
}
if(packet->payload_packet_len > 40 &&
- flow->l4.tcp.tls_stage == 1 + packet->packet_direction
+ flow->l4.tcp.ssl_stage == 1 + packet->packet_direction
&& flow->packet_direction_counter[packet->packet_direction] < 5) {
return;
}
- if(packet->payload_packet_len > 40 && flow->l4.tcp.tls_stage == 2 - packet->packet_direction) {
+ if(packet->payload_packet_len > 40 && flow->l4.tcp.ssl_stage == 2 - packet->packet_direction) {
NDPI_LOG_DBG2(ndpi_struct, "second ssl packet\n");
// SSLv2 Record
if(packet->payload[2] == 0x01 && packet->payload[3] == 0x03
@@ -1353,7 +1353,7 @@ void ndpi_search_tls_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct,
"sslv3 server len match with split packet -> check some more packets for SSL patterns\n");
tls_mark_and_payload_search_for_other_protocols(ndpi_struct, flow);
if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS) {
- flow->l4.tcp.tls_stage = 3;
+ flow->l4.tcp.ssl_stage = 3;
}
return;
}