authorLuca Deri <deri@ntop.org>2019-09-15 10:56:08 +0200
committerLuca Deri <deri@ntop.org>2019-09-15 10:56:08 +0200
commit2b0945b88dc30430e2e40bd422fffc92308147c0 (patch)
tree32dc5539cc91c0024fbcd40172dac013e75782fd /src
parent00e639d51301ccbaa2c14a47e829bdfe1831e226 (diff)
TLS disection improvements
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_typedefs.h2
-rw-r--r--src/lib/ndpi_main.c29
-rw-r--r--src/lib/protocols/tls.c41
3 files changed, 43 insertions, 29 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index cb790ad40..1f14cb2ad 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1116,7 +1116,7 @@ struct ndpi_flow_struct {
/* init parameter, internal used to set up timestamp,... */
u_int16_t guessed_protocol_id, guessed_host_protocol_id, guessed_category, guessed_header_category;
- u_int8_t protocol_id_already_guessed:1, host_already_guessed:1, init_finished:1, setup_packet_direction:1, packet_direction:1, check_extra_packets:1;
+ u_int8_t l4_proto, protocol_id_already_guessed:1, host_already_guessed:1, init_finished:1, setup_packet_direction:1, packet_direction:1, check_extra_packets:1;
/*
if ndpi_struct->direction_detect_disable == 1
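Review bot: The new `l4_proto` member is added to the bit-field declaration line without any comment, although `ndpi_free_flow` in this same commit relies on it to decide whether `flow->l4.tcp.tls_srv_cert_fingerprint_ctx` is a live pointer that must be released. A reader of the header cannot see that contract, and packing a full byte into the list of one-bit fields makes it easy to overlook. Suggest giving it its own declaration with the contract spelled out: `u_int8_t l4_proto; /* IPPROTO_* of the flow, set by ndpi_init_packet_header(); ndpi_free_flow() uses it to pick the valid l4 member */`. The enclosing struct continues outside the hunk.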
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 8eb9f2260..d456cdada 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -3532,8 +3532,7 @@ void ndpi_apply_flow_protocol_to_packet(struct ndpi_flow_struct *flow,
static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
- unsigned short packetlen)
-{
+ unsigned short packetlen) {
const struct ndpi_iphdr *decaps_iph = NULL;
u_int16_t l3len;
u_int16_t l4len;
@@ -3541,17 +3540,15 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str
u_int8_t l4protocol;
u_int8_t l4_result;
- if (!flow) {
- return 1;
- }
+ if (!flow)
+ return 1;
/* reset payload_packet_len, will be set if ipv4 tcp or udp */
flow->packet.payload_packet_len = 0;
flow->packet.l4_packet_len = 0;
flow->packet.l3_packet_len = packetlen;
- flow->packet.tcp = NULL;
- flow->packet.udp = NULL;
+ flow->packet.tcp = NULL, flow->packet.udp = NULL;
flow->packet.generic_l4_ptr = NULL;
#ifdef NDPI_DETECTION_SUPPORT_IPV6
flow->packet.iphv6 = NULL;
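Review bot: The comma operator now joins two unrelated assignments on one line (`flow->packet.tcp = NULL, flow->packet.udp = NULL;`), which reads as a single expression but is really two statements; keeping them as `flow->packet.tcp = NULL;` and `flow->packet.udp = NULL;` matches the surrounding resets and keeps line-based diffs and breakpoints meaningful. The same hunk also drops the braces around the `if (!flow)` guard, which the rest of the file keeps for single-statement bodies. Both are style only; behaviour is unchanged. The enclosing function starts before and ends after this hunk.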
@@ -3587,14 +3584,12 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str
return 1;
}
-
/* needed:
* - unfragmented packets
* - ip header <= packet len
* - ip total length >= packet len
*/
-
l4ptr = NULL;
l4len = 0;
l4protocol = 0;
@@ -3608,12 +3603,12 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str
flow->packet.l4_protocol = l4protocol;
flow->packet.l4_packet_len = l4len;
-
+ flow->l4_proto = l4protocol;
+
/* tcp / udp detection */
if(l4protocol == IPPROTO_TCP && flow->packet.l4_packet_len >= 20 /* min size of tcp */ ) {
/* tcp */
flow->packet.tcp = (struct ndpi_tcphdr *) l4ptr;
-
if(flow->packet.l4_packet_len >=flow->packet.tcp->doff * 4) {
flow->packet.payload_packet_len =
flow->packet.l4_packet_len -flow->packet.tcp->doff * 4;
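Review bot: `flow->l4_proto = l4protocol;` is assigned only on the success path after the L3/L4 checks, and it is re-assigned on every packet of the flow. A flow whose first packet fails header parsing (the `return 1` paths above) therefore reaches the new guard in `ndpi_free_flow` with whatever value the flow memory held at allocation; unless flows are always zero-initialised by the caller (allocation is not in this diff), that value is uninitialised. Conversely, if a later packet on the same flow carries a different L4 protocol, the per-packet overwrite flips `l4_proto` and `ndpi_free_flow` would then skip releasing an already-allocated `tls_srv_cert_fingerprint_ctx`. Consider assigning it once, e.g. `if(flow->l4_proto == 0) flow->l4_proto = l4protocol;`, together with an explicit guarantee (comment or assert) that the flow struct is zeroed before first use. The enclosing function continues outside the hunk.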
@@ -3863,6 +3858,7 @@ void check_ndpi_udp_flow_func(struct ndpi_detection_module_struct *ndpi_struct,
&& NDPI_BITMASK_COMPARE(ndpi_struct->callback_buffer_udp[a].detection_bitmask,
detection_bitmask) != 0) {
ndpi_struct->callback_buffer_udp[a].func(ndpi_struct, flow);
+
// NDPI_LOG_DBG(ndpi_struct, "[UDP,CALL] dissector of protocol as callback_buffer idx = %d\n",a);
if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN)
break; /* Stop after detecting the first protocol */
@@ -6120,9 +6116,11 @@ void ndpi_free_flow(struct ndpi_flow_struct *flow) {
if(flow->http.url) ndpi_free(flow->http.url);
if(flow->http.content_type) ndpi_free(flow->http.content_type);
- if(flow->l4.tcp.tls_srv_cert_fingerprint_ctx)
- ndpi_free(flow->l4.tcp.tls_srv_cert_fingerprint_ctx);
-
+ if(flow->l4_proto == IPPROTO_TCP) {
+ if(flow->l4.tcp.tls_srv_cert_fingerprint_ctx)
+ ndpi_free(flow->l4.tcp.tls_srv_cert_fingerprint_ctx);
+ }
+
ndpi_free(flow);
}
}
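Review bot: The reason for gating the release of `tls_srv_cert_fingerprint_ctx` on `flow->l4_proto == IPPROTO_TCP` is not recorded, and without it a future maintainer may "simplify" it back to the unconditional pointer test that this commit replaces. If `flow->l4` is a union over the transport protocol (which is what this guard implies), reading `l4.tcp.tls_srv_cert_fingerprint_ctx` on a non-TCP flow yields overlapping UDP state, and passing that to `ndpi_free` is a free of an arbitrary pointer; that is worth stating. Suggest `/* l4 is shared between tcp/udp: only a TCP flow owns the TLS fingerprint context, so never read the tcp member for other protocols */` above the new `if`. The enclosing function ends inside this hunk.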
@@ -6136,8 +6134,7 @@ char* ndpi_revision() { return(NDPI_GIT_RELEASE); }
#ifdef WIN32
/* https://stackoverflow.com/questions/10905892/equivalent-of-gettimeday-for-windows */
-int gettimeofday(struct timeval * tp, struct timezone * tzp)
-{
+int gettimeofday(struct timeval * tp, struct timezone * tzp) {
// Note: some broken versions only have 8 trailing zero's, the correct epoch has 9 trailing zero's
// This magic number is the number of 100 nanosecond intervals since January 1, 1601 (UTC)
// until 00:00:00 January 1, 1970
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index f5957b1ba..991b0be44 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -31,7 +31,7 @@
extern char *strptime(const char *s, const char *format, struct tm *tm);
-/* #define DEBUG_TLS 1 */
+// #define DEBUG_TLS 1
#define DEBUG_FINGERPRINT 1
@@ -696,6 +696,9 @@ int getSSCertificateFingerprint(struct ndpi_detection_module_struct *ndpi_struct
struct ndpi_packet_struct *packet = &flow->packet;
u_int8_t multiple_messages;
+ if(flow->l4.tcp.tls_srv_cert_fingerprint_processed)
+ return(0); /* We're good */
+
#ifdef DEBUG_TLS
printf("=>> [TLS] %s() [tls_record_offset=%d][payload_packet_len=%u][direction: %u][%02X %02X %02X...]\n",
__FUNCTION__, flow->l4.tcp.tls_record_offset, packet->payload_packet_len,
@@ -710,7 +713,7 @@ int getSSCertificateFingerprint(struct ndpi_detection_module_struct *ndpi_struct
return(0); /* We're good */
if(flow->l4.tcp.tls_fingerprint_len > 0) {
- unsigned int i, avail = packet->payload_packet_len - flow->l4.tcp.tls_record_offset;
+ unsigned int avail = packet->payload_packet_len - flow->l4.tcp.tls_record_offset;
if(avail > flow->l4.tcp.tls_fingerprint_len)
avail = flow->l4.tcp.tls_fingerprint_len;
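Review bot: `avail` is computed as an unsigned subtraction `packet->payload_packet_len - flow->l4.tcp.tls_record_offset`; when `tls_record_offset` is at or beyond `payload_packet_len` it wraps to a very large value, and the cap two lines below only bounds it from above by `tls_fingerprint_len`, so the read that follows (outside the hunk) would start past the payload. The later hunk in this file carries a leftover offset into the next packet (`tls_record_offset -= payload_packet_len`), so a shorter next packet makes that case plausible. The check immediately above returns early, but its condition is outside the hunk; if it does not already guarantee `tls_record_offset < payload_packet_len`, add `if(flow->l4.tcp.tls_record_offset >= packet->payload_packet_len) return(0);` before the subtraction. The enclosing function starts and ends outside the hunk.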
@@ -740,10 +743,14 @@ int getSSCertificateFingerprint(struct ndpi_detection_module_struct *ndpi_struct
SHA1Final(flow->l4.tcp.tls_sha1_certificate_fingerprint, flow->l4.tcp.tls_srv_cert_fingerprint_ctx);
#ifdef DEBUG_TLS
- printf("=>> [TLS] SHA-1: ");
- for(i=0;i<20;i++)
- printf("%s%02X", (i > 0) ? ":" : "", flow->l4.tcp.tls_sha1_certificate_fingerprint[i]);
- printf("\n");
+ {
+ int i;
+
+ printf("=>> [TLS] SHA-1: ");
+ for(i=0;i<20;i++)
+ printf("%s%02X", (i > 0) ? ":" : "", flow->l4.tcp.tls_sha1_certificate_fingerprint[i]);
+ printf("\n");
+ }
#endif
flow->l4.tcp.tls_srv_cert_fingerprint_processed = 1;
@@ -800,13 +807,23 @@ int getSSCertificateFingerprint(struct ndpi_detection_module_struct *ndpi_struct
printf("=>> [TLS] Found record %02X [len: %u]\n",
packet->payload[flow->l4.tcp.tls_record_offset+5], len);
#endif
-
- flow->l4.tcp.tls_record_offset += len + 9;
- if(flow->l4.tcp.tls_record_offset < packet->payload_packet_len)
- return(getSSCertificateFingerprint(ndpi_struct, flow));
- else {
- flow->l4.tcp.tls_record_offset -= packet->payload_packet_len;
+ if(len > 4096) {
+ /* This looks an invalid len: we giveup */
+ flow->l4.tcp.tls_record_offset = 0, flow->l4.tcp.tls_srv_cert_fingerprint_processed = 1;
+#ifdef DEBUG_TLS
+ printf("=>> [TLS] Invalid fingerprint processing %u <-> %u\n",
+ ntohs(packet->tcp->source), ntohs(packet->tcp->dest));
+#endif
+ return(0);
+ } else {
+ flow->l4.tcp.tls_record_offset += len + 9;
+
+ if(flow->l4.tcp.tls_record_offset < packet->payload_packet_len)
+ return(getSSCertificateFingerprint(ndpi_struct, flow));
+ else {
+ flow->l4.tcp.tls_record_offset -= packet->payload_packet_len;
+ }
}
}
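Review bot: The new sanity limit `if(len > 4096)` is a magic number with no stated rationale, and its effect is permanent: it sets `tls_srv_cert_fingerprint_processed = 1`, after which the early return added at the top of this function abandons the fingerprint for good. If `len` is a handshake message length (its computation is outside the hunk), certificate chains above 4 KB are common, so this would silently produce no fingerprint for many legitimate servers; a TLS record may carry up to 16 KB of plaintext. Suggest a named constant with a comment on what it bounds, e.g. `#define TLS_MAX_RECORD_LEN 16384 /* RFC 5246 2^14 plaintext limit */` and `if(len > TLS_MAX_RECORD_LEN) {`, and a debug trace that also reports the rejected `len`. The `else` branch still recurses into `getSSCertificateFingerprint` for every further record in the packet, as before this change. The enclosing function continues outside the hunk.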