authorLuca <deri@ntop.org>2016-11-26 18:36:08 +0200
committerLuca <deri@ntop.org>2016-11-26 18:36:08 +0200
commit424fbb710ca7a883b7826eebc876c5c0611a3b2a (patch)
tree82fe5eb2e847640df4ef538201aace6b4527a297 /src
parent169a8fb97f30d4333c1e1dd40351065b83fbbe95 (diff)
Added fixes to properly honour subprotocols
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_typedefs.h1
-rw-r--r--src/lib/ndpi_main.c41
-rw-r--r--src/lib/protocols/http.c45
3 files changed, 52 insertions, 35 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 094558548..8d799a6c1 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -781,7 +781,6 @@ typedef struct ndpi_proto {
#define NDPI_PROTOCOL_NULL { NDPI_PROTOCOL_UNKNOWN , NDPI_PROTOCOL_UNKNOWN }
struct ndpi_detection_module_struct {
-
NDPI_PROTOCOL_BITMASK detection_bitmask;
NDPI_PROTOCOL_BITMASK generic_http_packet_bitmask;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 7dd3b04a1..dd1c7bc3d 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -3215,7 +3215,8 @@ void check_ndpi_tcp_flow_func(struct ndpi_detection_module_struct *ndpi_struct,
func = ndpi_struct->proto_defaults[flow->guessed_protocol_id].func;
}
- if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
+ if((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)
+ && (flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN)) {
for(a = 0; a < ndpi_struct->callback_buffer_size_tcp_payload; a++) {
if((func != ndpi_struct->callback_buffer_tcp_payload[a].func)
&& (ndpi_struct->callback_buffer_tcp_payload[a].ndpi_selection_bitmask & *ndpi_selection_packet) == ndpi_struct->callback_buffer_tcp_payload[a].ndpi_selection_bitmask
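Review bot: With the added `flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN` test, a flow that already carries a guess never enters the loop over `callback_buffer_tcp_payload`, so only the guessed protocol's `func` appears to see the payload. If the guess comes from something weak such as the port (its origin is not visible here), traffic that merely uses a well-known port would no longer be offered to the other dissectors and would keep the guessed label. If that is intended, say so above the condition, e.g. `/* a guess exists: only its dissector is tried, the generic loop is skipped */`; otherwise the loop should still run once the guessed dissector has failed to match. check_ndpi_tcp_flow_func starts and ends outside the hunk, so whether `func` has already been called at this point cannot be confirmed.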
@@ -3408,22 +3409,27 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
/* TODO: add the remaining stage_XXXX protocols */
if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
- if(flow->http_detected)
- ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_UNKNOWN);
- else if((flow->packet.l4_protocol == IPPROTO_TCP) && (flow->l4.tcp.ssl_stage > 1)) {
- if(flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN)
- ndpi_int_change_protocol(ndpi_struct, flow, flow->guessed_protocol_id, NDPI_PROTOCOL_SSL);
- else
- ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSL, NDPI_PROTOCOL_UNKNOWN);
- } else {
- flow->detected_protocol_stack[1] = flow->guessed_protocol_id, flow->detected_protocol_stack[0] = flow->guessed_host_protocol_id;
-
+ if((flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN)
+ && (flow->packet.l4_protocol == IPPROTO_TCP)
+ && (flow->l4.tcp.ssl_stage > 1))
+ flow->guessed_protocol_id = NDPI_PROTOCOL_SSL;
+
+ ndpi_int_change_protocol(ndpi_struct, flow,
+ flow->guessed_host_protocol_id,
+ flow->guessed_protocol_id);
+ } else {
+ flow->detected_protocol_stack[1] = flow->guessed_protocol_id,
+ flow->detected_protocol_stack[0] = flow->guessed_host_protocol_id;
+
if(flow->detected_protocol_stack[1] == flow->detected_protocol_stack[0])
- flow->detected_protocol_stack[1] = NDPI_PROTOCOL_UNKNOWN;
- }
+ flow->detected_protocol_stack[1] = flow->guessed_host_protocol_id;
}
+
+ if((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) && (flow->num_stun_udp_pkts > 0))
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_STUN, flow->guessed_host_protocol_id);
ret.master_protocol = flow->detected_protocol_stack[1], ret.protocol = flow->detected_protocol_stack[0];
+
return(ret);
}
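Review bot: In the new `else` branch the statement under `if(flow->detected_protocol_stack[1] == flow->detected_protocol_stack[0])` is a no-op. Slot 0 was set to `flow->guessed_host_protocol_id` just above, so when both slots are equal, writing `guessed_host_protocol_id` into slot 1 changes nothing, and the duplicate is no longer collapsed the way the removed `NDPI_PROTOCOL_UNKNOWN` assignment did. The branch also now runs when `detected_protocol_stack[0]` is already known, so a protocol found by a dissector is overwritten with the guessed values, which may themselves be `NDPI_PROTOCOL_UNKNOWN`. I would keep `flow->detected_protocol_stack[1] = NDPI_PROTOCOL_UNKNOWN;` for the duplicate case and leave the stack untouched when a detection exists. The start of ndpi_detection_giveup is outside the hunk, so an earlier return for detected flows cannot be ruled out.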
@@ -3525,6 +3531,15 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
if(user_defined_proto && (flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN)) {
ret.master_protocol = NDPI_PROTOCOL_UNKNOWN, ret.protocol = flow->guessed_protocol_id;
return(ret);
+ } else {
+ /*
+ TODO
+ The statement below at some point should be modified as we should not
+ guess the protocol id unless users requested us to do that. Probably
+ we need to modify the nDPI API as since we introduced ndpi_detection_giveup()
+ we need to make some changes to have a consistent behaviour
+ */
+ // flow->guessed_protocol_id = NDPI_PROTOCOL_UNKNOWN;
}
if(flow->packet.iph) {
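Review bot: The added `else` branch holds only a comment and a disabled statement, so it compiles to nothing, and the commented-out `// flow->guessed_protocol_id = NDPI_PROTOCOL_UNKNOWN;` reads like a half-applied change. Drop the empty `else { }` and keep the TODO as a plain comment above the `if(user_defined_proto && ...)` line, for example `/* TODO: do not guess the protocol id unless the caller asked for it; keep in line with ndpi_detection_giveup() */`. The enclosing function starts and ends outside the hunk.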
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index c93e525bf..dc17921bd 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -33,7 +33,7 @@ static u_int16_t iqiyi_counter;
static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
u_int32_t protocol) {
-
+
if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
/* This is HTTP and it is not a sub protocol (e.g. skype or dropbox) */
@@ -105,7 +105,7 @@ static void avi_check_http_payload(struct ndpi_detection_module_struct *ndpi_str
for reference see http://msdn.microsoft.com/archive/default.asp?url=/archive/en-us/directx9_c/directx/htm/avirifffilereference.asp
**/
if(packet->empty_line_position_set != 0) {
-
+
u_int32_t p = packet->empty_line_position + 2;
// check for avi header
@@ -169,10 +169,13 @@ static void setHttpUserAgent(struct ndpi_flow_struct *flow, char *ua) {
}
static void parseHttpSubprotocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
-
if((flow->l4.tcp.http_stage == 0) || (flow->http.url && flow->http_detected)) {
+ char *double_col = strchr((char*)flow->host_server_name, ':');
+
+ if(double_col) double_col[0] = '\0';
+
/**
- NOTE
+ NOTE
If http_dont_dissect_response = 1 dissection of HTTP response
mime types won't happen
*/
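Review bot: Cutting `flow->host_server_name` at the first `:` mangles bracketed IPv6 literals: a value such as `[2001:db8::1]:8080` (constructed example) is reduced to `[2001`. The cut is made in the flow's stored name, so every later reader sees the truncated string. The name is presumably filled from the sender-controlled Host header, so the cut should at least be skipped for names starting with `[`, e.g. `char *double_col = (flow->host_server_name[0] == '[') ? NULL : strchr((char*)flow->host_server_name, ':');`. `strchr` also depends on the buffer being NUL-terminated, which this hunk does not show. parseHttpSubprotocol continues past the end of the hunk.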
@@ -188,11 +191,11 @@ static void parseHttpSubprotocol(struct ndpi_detection_module_struct *ndpi_struc
*/
static void check_content_type_and_change_protocol(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
-
+
struct ndpi_packet_struct *packet = &flow->packet;
u_int8_t a;
-
+
#ifdef NDPI_PROTOCOL_PPSTREAM
/* PPStream */
if(flow->l4.tcp.ppstream_stage > 0 && iqiyi_counter == 0) {
@@ -205,16 +208,14 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
}
#endif
-
#ifdef NDPI_SERVICE_1KXUN
/* 1KXUN */
- if( kxun_counter > 0) {
+ if(kxun_counter > 0) {
NDPI_LOG(NDPI_SERVICE_1KXUN, ndpi_struct, NDPI_LOG_DEBUG, "1kxun found.\n");
ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_SERVICE_1KXUN);
}
#endif
-
if(!ndpi_struct->http_dont_dissect_response) {
if((flow->http.url == NULL)
&& (packet->http_url_name.len > 0)
@@ -381,6 +382,8 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
if(!ndpi_struct->http_dont_dissect_response && flow->http_detected)
parseHttpSubprotocol(ndpi_struct, flow);
+ flow->guessed_protocol_id = NDPI_PROTOCOL_HTTP;
+
/* check for accept line */
if(packet->accept_line.ptr != NULL) {
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "Accept Line found %.*s\n",
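Review bot: The new `flow->guessed_protocol_id = NDPI_PROTOCOL_HTTP;` is unconditional, so it replaces any guess already recorded for the flow, and it stores a dissector result in a field whose name says it is a guess. A comment should state the intent, e.g. `/* HTTP request seen: record HTTP so ndpi_detection_giveup() can report it next to the host-based protocol */`. If earlier guesses are meant to survive, guard it with `if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) flow->guessed_protocol_id = NDPI_PROTOCOL_HTTP;`. Note that the ndpi_main.c change in this commit skips the generic TCP dissector loop once this field is set. check_content_type_and_change_protocol begins and ends outside the hunk.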
@@ -451,9 +454,9 @@ static u_int16_t http_request_url_offset(struct ndpi_detection_module_struct *nd
packet->payload_packet_len);
/**
- FIRST PAYLOAD PACKET FROM CLIENT
+ FIRST PAYLOAD PACKET FROM CLIENT
**/
-
+
/* check if the packet starts with POST or GET */
if(packet->payload_packet_len >= 4 && memcmp(packet->payload, "GET ", 4) == 0) {
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP: GET FOUND\n");
@@ -813,7 +816,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
x++;
}
- /* check PPStream protocol or iQiyi service
+ /* check PPStream protocol or iQiyi service
(iqiyi is deliverd by ppstream) */
// substring in url
if(strstr((const char*) &packet->payload[filename_start], "iqiyi.com") != NULL) {
@@ -837,7 +840,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
}
x++;
}
-
+
/* Check for 1kxun packet */
int a;
for (a = 0; a < packet->parsed_lines; a++) {
@@ -849,7 +852,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
}
}
}
-
+
if((packet->http_url_name.len > 7)
&& (!strncmp((const char*) packet->http_url_name.ptr, "http://", 7))) {
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP_PROXY Found.\n");
@@ -884,27 +887,27 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
"HTTP START Found, we will look further for the response...\n");
flow->l4.tcp.http_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2
}
-
+
check_content_type_and_change_protocol(ndpi_struct, flow);
-
+
return;
}
}
-
+
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP: REQUEST NOT HTTP CONFORM\n");
http_bitmask_exclude(flow);
} else if((flow->l4.tcp.http_stage == 1) || (flow->l4.tcp.http_stage == 2)) {
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP stage %u: \n",
flow->l4.tcp.http_stage);
-
+
/**
At first check, if this is for sure a response packet (in another direction. If not, if http is detected do nothing now and return,
otherwise check the second packet for the http request . */
if((flow->l4.tcp.http_stage - packet->packet_direction) == 1) {
-
+
if(flow->http_detected)
return;
-
+
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG,
" SECOND PAYLOAD TRAFFIC FROM CLIENT, FIRST PACKET MIGHT HAVE BEEN HTTP...UNKNOWN TRAFFIC, HERE FOR HTTP again.. \n");
@@ -942,7 +945,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
/**
This is a packet in another direction. Check if we find the proper response.
- We have received a response for a previously identified partial HTTP request
+ We have received a response for a previously identified partial HTTP request
*/
if((packet->parsed_lines == 1) && (packet->packet_direction == 1 /* server -> client */)) {