author | Daniele De Lorenzi <daniele.delorenzi@fastnetserv.net> | 2018-05-31 16:29:04 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-05-31 16:29:04 +0200 |
commit | 3b1047b0c8136b85010554ac31f7845c68b5898b (patch) | |
tree | 89827a5fc50b1d9fbab4e3698b84ac5a2f2f5d5d /src | |
parent | 7989b8d9691d762b6afff58f7c8f65611611edba (diff) | |
parent | 2b4321b5c3f8f00b99f2e52aea520c39f81a2beb (diff) |
Merge pull request #9 from ntop/dev
updates from dev
Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_protocol_ids.h | 2 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 18 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 21 | ||||
-rw-r--r-- | src/lib/protocols/ssl.c | 20 | ||||
-rw-r--r-- | src/lib/protocols/stun.c | 30 | ||||
-rw-r--r-- | src/lib/third_party/include/actypes.h | 2 | ||||
-rw-r--r-- | src/lib/third_party/src/ahocorasick.c | 5 |
7 files changed, 52 insertions, 46 deletions
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index 9dd6002eb..d04722b8d 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -287,7 +287,7 @@ #define NDPI_PROTOCOL_RAPIDVIDEO 244 /* RapidVideo streaming */ /* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */ -#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_WHATSAPP_FILES +#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_RAPIDVIDEO #define NDPI_MAX_SUPPORTED_PROTOCOLS (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1) #define NDPI_MAX_NUM_CUSTOM_PROTOCOLS (NDPI_NUM_BITS-NDPI_LAST_IMPLEMENTED_PROTOCOL) diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 9f96d8e9a..77440b5c7 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -1054,8 +1054,16 @@ struct ndpi_flow_struct { } ntp; struct { - char client_certificate[48], server_certificate[48]; - } ssl; + struct { + char client_certificate[48], server_certificate[48]; + } ssl; + + struct { + u_int8_t num_udp_pkts, num_processed_pkts, num_binding_requests, is_skype; + } stun; + + /* We can have STUN over SSL thus they need to live together */ + } stun_ssl; struct { char client_signature[48], server_signature[48]; @@ -1085,11 +1093,7 @@ struct ndpi_flow_struct { char fingerprint[48]; char class_ident[48]; } dhcp; - - struct { - u_int8_t num_udp_pkts, num_processed_pkts, num_binding_requests, is_skype; - } stun; - } protos; + } protos; /*** ALL protocol specific 64 bit variables here ***/ diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 6505463ee..5f1f9800d 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
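Review bot: `stun_ssl` still appears to share storage with the other members of `protos`, so the readers changed later in this commit can interpret another dissector's bytes as a certificate. The added comment implies `protos` is a union, though its keyword is outside the hunk; the members visible here are `ntp`, the `client_signature`/`server_signature` struct and `dhcp`. In ndpi_main.c, `ndpi_detection_giveup` tests `stun_ssl.ssl.client_certificate[0]` and `ndpi_fill_protocol_category` passes `stun_ssl.ssl.server_certificate` on as a C string, and no visible line there checks that the flow was handled by the SSL or STUN dissector. At minimum the struct should carry the contract, e.g. `/* Valid only for flows dissected as SSL and/or STUN; shares storage with the other protos members */`, and the readers should be gated on the detected protocol if they are not already.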
@@ -1883,9 +1883,9 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp /* ****************************************************** */ -static int ac_match_handler(AC_MATCH_t *m, void *param) { +static int ac_match_handler(AC_MATCH_t *m, AC_TEXT_t *txt, void *param) { int *matching_protocol_id = (int*)param; - + int min_len = (txt->length < m->patterns->length) ? txt->length : m->patterns->length; /* Return 1 for stopping to the first match. We might consider searching for the more @@ -1893,7 +1893,10 @@ static int ac_match_handler(AC_MATCH_t *m, void *param) { */ *matching_protocol_id = m->patterns[0].rep.number; - return 0; /* 0 to continue searching, !0 to stop */ + if(strncmp(txt->astring, m->patterns->astring, min_len) == 0) + return(1); /* If the pattern found matches the string at the beginning we stop here */ + else + return 0; /* 0 to continue searching, !0 to stop */ } /* ******************************************************************** */ @@ -3791,7 +3794,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st if(flow->guessed_protocol_id == NDPI_PROTOCOL_STUN) goto check_stun_export; - else if(flow->protos.ssl.client_certificate[0] != '\0') { + else if(flow->protos.stun_ssl.ssl.client_certificate[0] != '\0') { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSL, NDPI_PROTOCOL_UNKNOWN); } else { if((flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) 
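Review bot: The new early-stop test in ac_match_handler uses `strncmp` with an `int` length on two buffers that carry explicit lengths, and it inspects only `m->patterns[0]` although a match can report several patterns. `strncmp` stops at the first NUL in either buffer, so for length-delimited input a `memcmp` with a `size_t` length states the intent exactly: `size_t min_len = (txt->length < m->patterns[0].length) ? txt->length : m->patterns[0].length;` followed by `if(memcmp(txt->astring, m->patterns[0].astring, min_len) == 0) return(1);`. Also worth documenting is that a text which merely begins with a known pattern now ends the search, so a later match in the same text is never considered. Whether that priority is right for classification depends on the pattern set, which is not visible here. The function spans this hunk and the preceding one on the same line.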
@@ -3830,9 +3833,9 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st if((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) && (flow->guessed_protocol_id == NDPI_PROTOCOL_STUN)) { check_stun_export: - if(flow->protos.stun.num_processed_pkts > 0) { - if(flow->protos.stun.num_processed_pkts >= 8) { - u_int16_t proto = (flow->protos.stun.num_binding_requests < 4) ? NDPI_PROTOCOL_SKYPE_CALL_IN : NDPI_PROTOCOL_SKYPE_CALL_OUT; + if(flow->protos.stun_ssl.stun.num_processed_pkts > 0) { + if(flow->protos.stun_ssl.stun.num_processed_pkts >= 8) { + u_int16_t proto = (flow->protos.stun_ssl.stun.num_binding_requests < 4) ? NDPI_PROTOCOL_SKYPE_CALL_IN : NDPI_PROTOCOL_SKYPE_CALL_OUT; ndpi_set_detected_protocol(ndpi_struct, flow, proto, NDPI_PROTOCOL_SKYPE); } else @@ -4096,9 +4099,9 @@ void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_struc } } - if(flow->protos.ssl.server_certificate[0] != '\0') { + if(flow->protos.stun_ssl.ssl.server_certificate[0] != '\0') { unsigned long id; - int rc = ndpi_match_custom_category(ndpi_struct, (char *)flow->protos.ssl.server_certificate, &id); + int rc = ndpi_match_custom_category(ndpi_struct, (char *)flow->protos.stun_ssl.ssl.server_certificate, &id); if(rc == 0) { ret->category = (ndpi_protocol_category_t)id; diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c index 7719eded9..5c65b83c1 100644 --- a/src/lib/protocols/ssl.c +++ b/src/lib/protocols/ssl.c @@ -42,8 +42,8 @@ static u_int32_t ndpi_ssl_refine_master_protocol(struct ndpi_detection_module_st { struct ndpi_packet_struct *packet = &flow->packet; - if((flow->protos.ssl.client_certificate[0] != '\0') - || (flow->protos.ssl.server_certificate[0] != '\0') + if((flow->protos.stun_ssl.ssl.client_certificate[0] != '\0') + || (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0') || (flow->host_server_name[0] != '\0')) protocol = NDPI_PROTOCOL_SSL; else 
@@ -227,8 +227,8 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, if(num_dots >= 2) { if(!ndpi_struct->disable_metadata_export) { stripCertificateTrailer(buffer, buffer_len); - snprintf(flow->protos.ssl.server_certificate, - sizeof(flow->protos.ssl.server_certificate), "%s", buffer); + snprintf(flow->protos.stun_ssl.ssl.server_certificate, + sizeof(flow->protos.stun_ssl.ssl.server_certificate), "%s", buffer); } return(1 /* Server Certificate */); } @@ -292,8 +292,8 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, stripCertificateTrailer(buffer, buffer_len); if(!ndpi_struct->disable_metadata_export) { - snprintf(flow->protos.ssl.client_certificate, - sizeof(flow->protos.ssl.client_certificate), "%s", buffer); + snprintf(flow->protos.stun_ssl.ssl.client_certificate, + sizeof(flow->protos.stun_ssl.ssl.client_certificate), "%s", buffer); } /* We're happy now */ @@ -326,7 +326,7 @@ int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi packet->ssl_certificate_num_checks++; if (rc > 0) { packet->ssl_certificate_detected++; - if (flow->protos.ssl.server_certificate[0] != '\0') + if (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0') /* 0 means we're done processing extra packets (since we found what we wanted) */ return 0; } @@ -379,7 +379,7 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s /* If we've detected the subprotocol from client certificate but haven't had a chance * to see the server certificate yet, set up extra packet processing to wait * a few more packets. */ - if((flow->protos.ssl.client_certificate[0] != '\0') && (flow->protos.ssl.server_certificate[0] == '\0')) { + if((flow->protos.stun_ssl.ssl.client_certificate[0] != '\0') && (flow->protos.stun_ssl.ssl.server_certificate[0] == '\0')) { sslInitExtraPacketProcessing(0, flow); } ndpi_set_detected_protocol(ndpi_struct, flow, subproto, 
@@ -396,8 +396,8 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s && flow->l4.tcp.seen_syn && flow->l4.tcp.seen_syn_ack && flow->l4.tcp.seen_ack /* We have seen the 3-way handshake */) - || (flow->protos.ssl.server_certificate[0] != '\0') - /* || (flow->protos.ssl.client_certificate[0] != '\0') */ + || (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0') + /* || (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0') */ ) { ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL); } diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index 80ae4a144..8f374ff59 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c @@ -57,10 +57,10 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * struct stun_packet_header *h = (struct stun_packet_header*)payload; u_int8_t can_this_be_whatsapp_voice = 1; - flow->protos.stun.num_processed_pkts++; + flow->protos.stun_ssl.stun.num_processed_pkts++; if(payload_length < sizeof(struct stun_packet_header)) { - if(flow->protos.stun.num_udp_pkts > 0) { + if(flow->protos.stun_ssl.stun.num_udp_pkts > 0) { *is_whatsapp = 1; return NDPI_IS_STUN; /* This is WhatsApp Voice */ } else @@ -76,7 +76,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * msg_type = ntohs(h->msg_type) & 0x3EEF, msg_len = ntohs(h->msg_len); if(ntohs(h->msg_type) == 0x01 /* Binding Request */) - flow->protos.stun.num_binding_requests++; + flow->protos.stun_ssl.stun.num_binding_requests++; if((payload[0] != 0x80) && ((msg_len+20) > payload_length)) return(NDPI_IS_NOT_STUN); @@ -116,7 +116,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * && (payload[offset+6] == 0x00) && (payload[offset+7] == 0x00)) { /* Either skype for business or "normal" skype with multiparty call */ - flow->protos.stun.is_skype = 1; + flow->protos.stun_ssl.stun.is_skype = 1; return(NDPI_IS_STUN); } break; 
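Review bot: The counters in `stun_ssl.stun` are `u_int8_t` (see the ndpi_typedefs.h hunk), and `num_processed_pkts++` at the top of ndpi_int_check_stun runs on every call with no upper bound, so it wraps to 0 after 256 packets. After a wrap, the `>= 8` and `> 0` tests in ndpi_search_stun and ndpi_detection_giveup see a small value again and can reach a different verdict on a long flow. Whether the dissector is still invoked that late is not visible here. A saturating increment avoids this: `if(flow->protos.stun_ssl.stun.num_processed_pkts < 0xFF) flow->protos.stun_ssl.stun.num_processed_pkts++;`, and likewise for `num_binding_requests` in the next hunk. The function body starts and ends outside this hunk.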
@@ -129,7 +129,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * && (payload[offset+6] == 0x00) && ((payload[offset+7] == 0x02) || (payload[offset+7] == 0x03)) ) { - flow->protos.stun.is_skype = 1; + flow->protos.stun_ssl.stun.is_skype = 1; return(NDPI_IS_STUN); } break; @@ -145,7 +145,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * goto udp_stun_found; } - if((flow->protos.stun.num_udp_pkts > 0) && (msg_type <= 0x00FF)) { + if((flow->protos.stun_ssl.stun.num_udp_pkts > 0) && (msg_type <= 0x00FF)) { *is_whatsapp = 1; return NDPI_IS_STUN; /* This is WhatsApp Voice */ } else @@ -153,9 +153,9 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * udp_stun_found: if(can_this_be_whatsapp_voice) { - flow->protos.stun.num_udp_pkts++; + flow->protos.stun_ssl.stun.num_udp_pkts++; - return((flow->protos.stun.num_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN); + return((flow->protos.stun_ssl.stun.num_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN); } else { /* We cannot immediately say that this is STUN as there are other protocols 
@@ -187,11 +187,11 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n packet->payload_packet_len - 2, &is_whatsapp) == NDPI_IS_STUN) { if(flow->guessed_protocol_id == 0) flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; - if(flow->protos.stun.is_skype) { + if(flow->protos.stun_ssl.stun.is_skype) { NDPI_LOG_INFO(ndpi_struct, "found Skype\n"); - if((flow->protos.stun.num_processed_pkts >= 8) || (flow->protos.stun.num_binding_requests >= 4)) - ndpi_set_detected_protocol(ndpi_struct, flow, (flow->protos.stun.num_binding_requests < 4) ? NDPI_PROTOCOL_SKYPE_CALL_IN : NDPI_PROTOCOL_SKYPE_CALL_OUT, NDPI_PROTOCOL_SKYPE); + if((flow->protos.stun_ssl.stun.num_processed_pkts >= 8) || (flow->protos.stun_ssl.stun.num_binding_requests >= 4)) + ndpi_set_detected_protocol(ndpi_struct, flow, (flow->protos.stun_ssl.stun.num_binding_requests < 4) ? NDPI_PROTOCOL_SKYPE_CALL_IN : NDPI_PROTOCOL_SKYPE_CALL_OUT, NDPI_PROTOCOL_SKYPE); } else { NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n"); /* Ummmmm we're in the TCP branch. This code looks bad */ ndpi_int_stun_add_connection(ndpi_struct, 
@@ -207,11 +207,11 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n packet->payload_packet_len, &is_whatsapp) == NDPI_IS_STUN) { if(flow->guessed_protocol_id == 0) flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; - if(flow->protos.stun.is_skype) { + if(flow->protos.stun_ssl.stun.is_skype) { NDPI_LOG_INFO(ndpi_struct, "Found Skype\n"); - if((flow->protos.stun.num_processed_pkts >= 8) || (flow->protos.stun.num_binding_requests >= 4)) - ndpi_set_detected_protocol(ndpi_struct, flow, (flow->protos.stun.num_binding_requests < 4) ? NDPI_PROTOCOL_SKYPE_CALL_IN : NDPI_PROTOCOL_SKYPE_CALL_OUT, NDPI_PROTOCOL_SKYPE); + if((flow->protos.stun_ssl.stun.num_processed_pkts >= 8) || (flow->protos.stun_ssl.stun.num_binding_requests >= 4)) + ndpi_set_detected_protocol(ndpi_struct, flow, (flow->protos.stun_ssl.stun.num_binding_requests < 4) ? NDPI_PROTOCOL_SKYPE_CALL_IN : NDPI_PROTOCOL_SKYPE_CALL_OUT, NDPI_PROTOCOL_SKYPE); } else { NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n"); ndpi_int_stun_add_connection(ndpi_struct, @@ -221,7 +221,7 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n return; } - if(flow->protos.stun.num_udp_pkts >= MAX_NUM_STUN_PKTS) + if(flow->protos.stun_ssl.stun.num_udp_pkts >= MAX_NUM_STUN_PKTS) NDPI_EXCLUDE_PROTO(ndpi_struct, flow); if(flow->packet_counter > 0) { diff --git a/src/lib/third_party/include/actypes.h b/src/lib/third_party/include/actypes.h index 1900ae9a0..807e5026a 100644 --- a/src/lib/third_party/include/actypes.h +++ b/src/lib/third_party/include/actypes.h @@ -125,7 +125,7 @@ typedef enum * continue searching, otherwise it will return from ac_automata_search() * to your calling function. **/ -typedef int (*MATCH_CALBACK_f)(AC_MATCH_t *, void *); +typedef int (*MATCH_CALBACK_f)(AC_MATCH_t *, AC_TEXT_t *, void *); /* AC_PATTRN_MAX_LENGTH: * Maximum acceptable pattern length in AC_PATTERN_t.length 
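Review bot: The visible tail of the doc comment above `MATCH_CALBACK_f` does not mention the new `AC_TEXT_t *` parameter. It needs a line saying that this is the text buffer given to `ac_automata_search()` and that the callback must not modify it. Declaring the parameter const would make that contract enforceable: `typedef int (*MATCH_CALBACK_f)(AC_MATCH_t *, const AC_TEXT_t *, void *);`. Because this is a vendored header, any other callback registered with the automaton must also move to the three-argument form; only ac_match_handler is updated in this diff.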
diff --git a/src/lib/third_party/src/ahocorasick.c b/src/lib/third_party/src/ahocorasick.c index ce064033f..fd6541dd7 100644 --- a/src/lib/third_party/src/ahocorasick.c +++ b/src/lib/third_party/src/ahocorasick.c @@ -189,16 +189,15 @@ int ac_automata_search (AC_AUTOMATA_t * thiz, AC_TEXT_t * txt, void * param) position++; } - if(curr->final && next) + if(curr->final && next) { /* We check 'next' to find out if we came here after a alphabet * transition or due to a fail. in second case we should not report * matching because it was reported in previous node */ - { thiz->match.position = position + thiz->base_position; thiz->match.match_num = curr->matched_patterns_num; thiz->match.patterns = curr->matched_patterns; /* we found a match! do call-back */ - if (thiz->match_callback(&thiz->match, param)) + if (thiz->match_callback(&thiz->match, txt, param)) return 1; } } |
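Review bot: The `txt` handed to the callback is the buffer of the current `ac_automata_search()` call, whereas `thiz->match.position` is offset by `thiz->base_position`, so the two arguments can describe different coordinate systems. A callback that reasons about "the beginning of the text", as ac_match_handler now does, is only correct when every search starts from a fresh automaton state. Whether callers reset between searches is not visible in this hunk. A comment on the call would record that, e.g. `/* txt is the chunk passed to this call; match.position is relative to the whole stream (base_position) */`. The function body starts and ends outside this hunk.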