authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2024-05-06 10:19:46 +0200
committerGitHub <noreply@github.com>2024-05-06 10:19:46 +0200
commit266af0275241b96346372bbae936cd3dd1a35159 (patch)
treecbadf21cb1852ff65b1c87404c0fb0ba6d8f86e6 /src
parenta1845da3594c080bc59318ea9b465e15f0c5012c (diff)
Merge RTP and RTCP logic (#2416)
Avoid code duplication between these two protocols. We remove support for RTCP over TCP; it is quite rare to find this kind of traffic and, more importantly, we have never had support for RTP over TCP: we should try to add detection of both as a follow-up. Fix a log message in the LINE code.
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_private.h3
-rw-r--r--src/include/ndpi_typedefs.h3
-rw-r--r--src/lib/ndpi_main.c3
-rw-r--r--src/lib/protocols/line.c2
-rw-r--r--src/lib/protocols/rtcp.c85
-rw-r--r--src/lib/protocols/rtp.c44
-rw-r--r--src/lib/protocols/stun.c3
7 files changed, 38 insertions, 105 deletions
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
index 935f58377..c5192f2be 100644
--- a/src/include/ndpi_private.h
+++ b/src/include/ndpi_private.h
@@ -668,6 +668,9 @@ int search_into_bittorrent_cache(struct ndpi_detection_module_struct *ndpi_struc
/* Stun */
int stun_search_into_zoom_cache(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
+int is_stun(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow,
+ u_int16_t *app_proto);
/* TPKT */
int tpkt_verify_hdr(const struct ndpi_packet_struct * const packet);
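Review bot: `is_stun()` becomes callable from other dissectors through this prototype, but it carries no statement of its contract. A short comment above it should say what a non-zero return means, whether `*app_proto` is always written (the new caller in rtp.c passes a variable it never reads), and whether the call can update `flow` state as a side effect. Something like `/* Returns non-zero if the current packet looks like STUN; *app_proto is set on match */` would do, provided it matches the body in stun.c, which this page does not show.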
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 9b5e294da..0f01a4a87 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -914,6 +914,9 @@ struct ndpi_flow_udp_struct {
/* NDPI_PROTOCOL_RTP */
u_int32_t rtp_stage:2;
+ /* NDPI_PROTOCOL_RTCP */
+ u_int32_t rtcp_stage:2;
+
/* NDPI_PROTOCOL_QUIC */
u_int32_t quic_0rtt_found:1;
u_int32_t quic_vn_pair:1;
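Review bot: The 2-bit width of `rtcp_stage` caps the counter at 3, which is exactly the value `ndpi_rtp_search()` compares against (`rtcp_stage == 3`) before it increments. The two are coupled but nothing says so, and raising the threshold later would make the field wrap silently instead of ever reaching it. I would document the coupling on the field, e.g. `/* NDPI_PROTOCOL_RTCP: counts RTCP-only packets, saturates at 3 (detection threshold in ndpi_rtp_search) */`.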
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index ee58c2cdb..2a081f8a4 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -5745,9 +5745,6 @@ static int ndpi_callback_init(struct ndpi_detection_module_struct *ndpi_str) {
/* SKINNY */
init_skinny_dissector(ndpi_str, &a);
- /* RTCP */
- init_rtcp_dissector(ndpi_str, &a);
-
/* RSYNC */
init_rsync_dissector(ndpi_str, &a);
diff --git a/src/lib/protocols/line.c b/src/lib/protocols/line.c
index 0de5e856e..6b69d690c 100644
--- a/src/lib/protocols/line.c
+++ b/src/lib/protocols/line.c
@@ -86,7 +86,7 @@ static void ndpi_search_line(struct ndpi_detection_module_struct *ndpi_struct,
(packet->payload[1] == 201 || /* RTCP, Receiver Report */
packet->payload[1] == 200 || /* RTCP, Sender Report */
is_valid_rtp_payload_type(packet->payload[1] & 0x7F)) /* RTP */) {
- NDPI_LOG_DBG(ndpi_struct, "Probably RTP; keep looking for LINE");
+ NDPI_LOG_DBG(ndpi_struct, "Probably RTP; keep looking for LINE\n");
return;
} else {
if((u_int8_t)(flow->l4.udp.line_base_cnt[packet->packet_direction] +
diff --git a/src/lib/protocols/rtcp.c b/src/lib/protocols/rtcp.c
deleted file mode 100644
index 25910a602..000000000
--- a/src/lib/protocols/rtcp.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * rtcp.c (RTP Control Protocol)
- *
- * Copyright (C) 2013 Remy Mudingay <mudingay@ill.fr>
- *
- */
-#include "ndpi_protocol_ids.h"
-
-#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_RTCP
-
-#include "ndpi_api.h"
-#include "ndpi_private.h"
-
-static void ndpi_int_rtcp_add_connection(struct ndpi_detection_module_struct
- *ndpi_struct, struct ndpi_flow_struct *flow)
-{
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTCP,
- NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
-}
-
-static void ndpi_search_rtcp(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow)
-{
- struct ndpi_packet_struct *packet = &ndpi_struct->packet;
- u_int16_t dport = 0, sport = 0;
-
- NDPI_LOG_DBG(ndpi_struct, "search RTCP\n");
-
- if(packet->tcp != NULL) {
- sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest);
- NDPI_LOG_DBG2(ndpi_struct, "calculating dport over tcp\n");
-
- if(packet->payload_packet_len > 13 && (sport == 554 || dport == 554) &&
- packet->payload[0] == 0x00 && packet->payload[1] == 0x00 &&
- packet->payload[2] == 0x01 && packet->payload[3] == 0x01 &&
- packet->payload[4] == 0x08 && packet->payload[5] == 0x0a &&
- packet->payload[6] == 0x00 && packet->payload[7] == 0x01) {
- NDPI_LOG_INFO(ndpi_struct, "found rtcp\n");
- ndpi_int_rtcp_add_connection(ndpi_struct, flow);
- }
-
- if(flow->packet_counter > 3)
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- } else if(packet->udp != NULL) {
- /* Let's check first the RTCP packet length */
- u_int32_t len, offset = 0, rtcp_section_len;
-
- while(offset + 3 < packet->payload_packet_len) {
- len = packet->payload[2+offset] * 256 + packet->payload[2+offset+1];
- rtcp_section_len = (len + 1) * 4;
-
- if(((offset+rtcp_section_len) > packet->payload_packet_len) || (rtcp_section_len == 0) || (len == 0)) {
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- return;
- } else
- offset += rtcp_section_len;
- }
-
- NDPI_LOG_DBG2(ndpi_struct, "calculating dport over udp\n");
- /* TODO changed a pair of length condition to the && from ||. Is it correct? */
- if(((packet->payload_packet_len >= 28 && packet->payload_packet_len <= 1200) &&
- ((packet->payload[0] == 0x80) && ((packet->payload[1] == 0xc8) || (packet->payload[1] == 0xc9)) && (packet->payload[2] == 0x00)))
- || (packet->payload_packet_len >= 3 && ((packet->payload[0] == 0x81) && ((packet->payload[1] == 0xc8) || (packet->payload[1] == 0xc9))
- && (packet->payload[2] == 0x00)))) {
- NDPI_LOG_INFO(ndpi_struct, "found rtcp\n");
- ndpi_int_rtcp_add_connection(ndpi_struct, flow);
- }
-
- if(flow->packet_counter > 3)
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- }
-}
-
-
-void init_rtcp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id)
-{
- ndpi_set_bitmask_protocol_detection("RTCP", ndpi_struct, *id,
- NDPI_PROTOCOL_RTCP,
- ndpi_search_rtcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
- SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
-
- *id += 1;
-}
diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
index afa5e2bf2..9a4c15117 100644
--- a/src/lib/protocols/rtp.c
+++ b/src/lib/protocols/rtp.c
@@ -150,22 +150,26 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
const u_int8_t *payload = packet->payload;
- NDPI_LOG_DBG(ndpi_struct, "search RTP\n");
+ NDPI_LOG_DBG(ndpi_struct, "search RTP (stage %d/%d)\n", flow->l4.udp.rtp_stage, flow->l4.udp.rtcp_stage);
if(d_port == 5355 || /* LLMNR_PORT */
d_port == 5353 || /* MDNS_PORT */
d_port == 9600 /* FINS_PORT */) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_RTCP);
return;
}
- /* * Let some "unknown" packets at the beginning
- * search for 3 consecutive RTP/RTCP packets
- */
+ /* * Let some "unknown" packets at the beginning:
+ * search for 3/4 consecutive RTP/RTCP packets.
+ * Wait a little longer (4 vs 3 pkts) for RTCP to try to tell if there are only
+ * RTCP packets in the flow or if RTP/RTCP are multiplexed together */
if(flow->packet_counter > 3 &&
- flow->l4.udp.rtp_stage == 0) {
+ flow->l4.udp.rtp_stage == 0 &&
+ flow->l4.udp.rtcp_stage == 0) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_RTCP);
return;
}
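Review bot: The pair `NDPI_EXCLUDE_PROTO(ndpi_struct, flow); NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_RTCP);` is written out twice in this hunk and again in the next hunk of `ndpi_rtp_search()` and in the `ndpi_search_rtp()` hunk. Since RTCP no longer has its own dissector, any exit path that forgets the second line would leave RTCP un-excluded for that flow. A small file-local helper keeps the two in step, e.g. `static void exclude_rtp_and_rtcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)` wrapping both macros (the name is only a suggestion). The function body starts before and continues after this hunk.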
@@ -189,10 +193,26 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
flow->l4.udp.rtp_stage += 1;
} else if(is_rtp == IS_RTCP && flow->l4.udp.rtp_stage > 0) {
/* RTCP after (some) RTP. Keep looking for RTP */
+ } else if(is_rtp == IS_RTCP && flow->l4.udp.rtp_stage == 0) {
+ if(flow->l4.udp.rtcp_stage == 3) {
+ NDPI_LOG_INFO(ndpi_struct, "Found RTCP\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow,
+ NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_RTCP,
+ NDPI_CONFIDENCE_DPI);
+ return;
+ }
+ flow->l4.udp.rtcp_stage += 1;
} else {
- if(flow->l4.udp.rtp_stage) {
- flow->l4.udp.rtp_stage = 0;
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ if(flow->l4.udp.rtp_stage || flow->l4.udp.rtcp_stage) {
+ u_int16_t app_proto; /* unused */
+ u_int32_t unused;
+
+ /* TODO: we should switch to the demultiplexing-code in stun dissector */
+ if(!is_stun(ndpi_struct, flow, &app_proto) &&
+ !is_dtls(packet->payload, packet->payload_packet_len, &unused)) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_RTCP);
+ }
}
}
}
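Review bot: The new `is_stun()`/`is_dtls()` escape in the final `else` neither excludes the flow nor touches `rtp_stage`/`rtcp_stage`, so the counters now survive interleaved STUN or DTLS packets. The "consecutive" wording in the function's comment therefore no longer describes what is counted. The `packet_counter > 3` cutoff earlier in the function only fires when both stages are 0, so a flow that reaches a non-zero stage and then carries only STUN/DTLS-looking packets appears to be neither classified nor excluded here; if the library's generic per-flow packet limit is what bounds this, say so in a comment next to the TODO. Separately, the detection call passes `NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_RTCP` where the removed rtcp.c passed the two in the opposite order, and a one-line comment confirming the swap is intended would help when comparing classification results across versions. The function begins outside this hunk.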
@@ -205,16 +225,14 @@ static void ndpi_search_rtp(struct ndpi_detection_module_struct *ndpi_struct, st
u_int16_t source = ntohs(packet->udp->source);
u_int16_t dest = ntohs(packet->udp->dest);
- // printf("==> %s()\n", __FUNCTION__);
-
- /* printf("*** %s(pkt=%d)\n", __FUNCTION__, flow->packet_counter); */
-
if((source != 30303) && (dest != 30303 /* Avoid to mix it with Ethereum that looks alike */)
&& (dest > 1023)
)
ndpi_rtp_search(ndpi_struct, flow);
- else
+ else {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_RTCP);
+ }
}
/* *************************************************************** */
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index 40f00dca0..0cc0d1d80 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -311,9 +311,6 @@ static void parse_xor_ip_port_attribute(struct ndpi_detection_module_struct *ndp
}
}
}
-#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-static
-#endif
int is_stun(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
u_int16_t *app_proto)