diff options
| -rw-r--r-- | example/ndpi_util.c | 4 | ||||
| -rw-r--r-- | src/include/ndpi_typedefs.h | 18 | ||||
| -rw-r--r-- | src/lib/ndpi_main.c | 12 | ||||
| -rw-r--r-- | src/lib/protocols/ssl.c | 20 | ||||
| -rw-r--r-- | src/lib/protocols/stun.c | 30 |
5 files changed, 44 insertions, 40 deletions
diff --git a/example/ndpi_util.c b/example/ndpi_util.c index 52cbc6f9b..977a246ec 100644 --- a/example/ndpi_util.c +++ b/example/ndpi_util.c @@ -561,9 +561,9 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl else if((flow->detected_protocol.app_protocol == NDPI_PROTOCOL_SSL) || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSL)) { snprintf(flow->ssh_ssl.client_info, sizeof(flow->ssh_ssl.client_info), "%s", - flow->ndpi_flow->protos.ssl.client_certificate); + flow->ndpi_flow->protos.stun_ssl.ssl.client_certificate); snprintf(flow->ssh_ssl.server_info, sizeof(flow->ssh_ssl.server_info), "%s", - flow->ndpi_flow->protos.ssl.server_certificate); + flow->ndpi_flow->protos.stun_ssl.ssl.server_certificate); } } diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 9f96d8e9a..77440b5c7 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -1054,8 +1054,16 @@ struct ndpi_flow_struct { } ntp; struct { - char client_certificate[48], server_certificate[48]; - } ssl; + struct { + char client_certificate[48], server_certificate[48]; + } ssl; + + struct { + u_int8_t num_udp_pkts, num_processed_pkts, num_binding_requests, is_skype; + } stun; + + /* We can have STUN over SSL thus they need to live together */ + } stun_ssl; struct { char client_signature[48], server_signature[48]; @@ -1085,11 +1093,7 @@ struct ndpi_flow_struct { char fingerprint[48]; char class_ident[48]; } dhcp; - - struct { - u_int8_t num_udp_pkts, num_processed_pkts, num_binding_requests, is_skype; - } stun; - } protos; + } protos; /*** ALL protocol specific 64 bit variables here ***/ diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 6505463ee..aaa1109e9 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -3791,7 +3791,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st if(flow->guessed_protocol_id == NDPI_PROTOCOL_STUN) goto check_stun_export; - else if(flow->protos.ssl.client_certificate[0] != '\0') { + else if(flow->protos.stun_ssl.ssl.client_certificate[0] != '\0') { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSL, NDPI_PROTOCOL_UNKNOWN); } else { if((flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) @@ -3830,9 +3830,9 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st if((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) && (flow->guessed_protocol_id == NDPI_PROTOCOL_STUN)) { check_stun_export: - if(flow->protos.stun.num_processed_pkts > 0) { - if(flow->protos.stun.num_processed_pkts >= 8) { - u_int16_t proto = (flow->protos.stun.num_binding_requests < 4) ? NDPI_PROTOCOL_SKYPE_CALL_IN : NDPI_PROTOCOL_SKYPE_CALL_OUT; + if(flow->protos.stun_ssl.stun.num_processed_pkts > 0) { + if(flow->protos.stun_ssl.stun.num_processed_pkts >= 8) { + u_int16_t proto = (flow->protos.stun_ssl.stun.num_binding_requests < 4) ? NDPI_PROTOCOL_SKYPE_CALL_IN : NDPI_PROTOCOL_SKYPE_CALL_OUT; ndpi_set_detected_protocol(ndpi_struct, flow, proto, NDPI_PROTOCOL_SKYPE); } else @@ -4096,9 +4096,9 @@ void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_struc } } - if(flow->protos.ssl.server_certificate[0] != '\0') { + if(flow->protos.stun_ssl.ssl.server_certificate[0] != '\0') { unsigned long id; - int rc = ndpi_match_custom_category(ndpi_struct, (char *)flow->protos.ssl.server_certificate, &id); + int rc = ndpi_match_custom_category(ndpi_struct, (char *)flow->protos.stun_ssl.ssl.server_certificate, &id); if(rc == 0) { ret->category = (ndpi_protocol_category_t)id; diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c index 7719eded9..5c65b83c1 100644 --- a/src/lib/protocols/ssl.c +++ b/src/lib/protocols/ssl.c @@ -42,8 +42,8 @@ static u_int32_t ndpi_ssl_refine_master_protocol(struct ndpi_detection_module_st { struct ndpi_packet_struct *packet = &flow->packet; - if((flow->protos.ssl.client_certificate[0] != '\0') - || (flow->protos.ssl.server_certificate[0] != '\0') + if((flow->protos.stun_ssl.ssl.client_certificate[0] != '\0') + || (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0') || (flow->host_server_name[0] != '\0')) protocol = NDPI_PROTOCOL_SSL; else @@ -227,8 +227,8 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, if(num_dots >= 2) { if(!ndpi_struct->disable_metadata_export) { stripCertificateTrailer(buffer, buffer_len); - snprintf(flow->protos.ssl.server_certificate, - sizeof(flow->protos.ssl.server_certificate), "%s", buffer); + snprintf(flow->protos.stun_ssl.ssl.server_certificate, + sizeof(flow->protos.stun_ssl.ssl.server_certificate), "%s", buffer); } return(1 /* Server Certificate */); } @@ -292,8 +292,8 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, stripCertificateTrailer(buffer, buffer_len); if(!ndpi_struct->disable_metadata_export) { - snprintf(flow->protos.ssl.client_certificate, - sizeof(flow->protos.ssl.client_certificate), "%s", buffer); + snprintf(flow->protos.stun_ssl.ssl.client_certificate, + sizeof(flow->protos.stun_ssl.ssl.client_certificate), "%s", buffer); } /* We're happy now */ @@ -326,7 +326,7 @@ int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi packet->ssl_certificate_num_checks++; if (rc > 0) { packet->ssl_certificate_detected++; - if (flow->protos.ssl.server_certificate[0] != '\0') + if (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0') /* 0 means we're done processing extra packets (since we found what we wanted) */ return 0; } @@ -379,7 +379,7 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s /* If we've detected the subprotocol from client certificate but haven't had a chance * to see the server certificate yet, set up extra packet processing to wait * a few more packets. */ - if((flow->protos.ssl.client_certificate[0] != '\0') && (flow->protos.ssl.server_certificate[0] == '\0')) { + if((flow->protos.stun_ssl.ssl.client_certificate[0] != '\0') && (flow->protos.stun_ssl.ssl.server_certificate[0] == '\0')) { sslInitExtraPacketProcessing(0, flow); } ndpi_set_detected_protocol(ndpi_struct, flow, subproto, @@ -396,8 +396,8 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s && flow->l4.tcp.seen_syn && flow->l4.tcp.seen_syn_ack && flow->l4.tcp.seen_ack /* We have seen the 3-way handshake */) - || (flow->protos.ssl.server_certificate[0] != '\0') - /* || (flow->protos.ssl.client_certificate[0] != '\0') */ + || (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0') + /* || (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0') */ ) { ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL); } diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index 80ae4a144..8f374ff59 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c @@ -57,10 +57,10 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * struct stun_packet_header *h = (struct stun_packet_header*)payload; u_int8_t can_this_be_whatsapp_voice = 1; - flow->protos.stun.num_processed_pkts++; + flow->protos.stun_ssl.stun.num_processed_pkts++; if(payload_length < sizeof(struct stun_packet_header)) { - if(flow->protos.stun.num_udp_pkts > 0) { + if(flow->protos.stun_ssl.stun.num_udp_pkts > 0) { *is_whatsapp = 1; return NDPI_IS_STUN; /* This is WhatsApp Voice */ } else @@ -76,7 +76,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * msg_type = ntohs(h->msg_type) & 0x3EEF, msg_len = ntohs(h->msg_len); if(ntohs(h->msg_type) == 0x01 /* Binding Request */) - flow->protos.stun.num_binding_requests++; + flow->protos.stun_ssl.stun.num_binding_requests++; if((payload[0] != 0x80) && ((msg_len+20) > payload_length)) return(NDPI_IS_NOT_STUN); @@ -116,7 +116,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * && (payload[offset+6] == 0x00) && (payload[offset+7] == 0x00)) { /* Either skype for business or "normal" skype with multiparty call */ - flow->protos.stun.is_skype = 1; + flow->protos.stun_ssl.stun.is_skype = 1; return(NDPI_IS_STUN); } break; @@ -129,7 +129,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * && (payload[offset+6] == 0x00) && ((payload[offset+7] == 0x02) || (payload[offset+7] == 0x03)) ) { - flow->protos.stun.is_skype = 1; + flow->protos.stun_ssl.stun.is_skype = 1; return(NDPI_IS_STUN); } break; @@ -145,7 +145,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * goto udp_stun_found; } - if((flow->protos.stun.num_udp_pkts > 0) && (msg_type <= 0x00FF)) { + if((flow->protos.stun_ssl.stun.num_udp_pkts > 0) && (msg_type <= 0x00FF)) { *is_whatsapp = 1; return NDPI_IS_STUN; /* This is WhatsApp Voice */ } else @@ -153,9 +153,9 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * udp_stun_found: if(can_this_be_whatsapp_voice) { - flow->protos.stun.num_udp_pkts++; + flow->protos.stun_ssl.stun.num_udp_pkts++; - return((flow->protos.stun.num_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN); + return((flow->protos.stun_ssl.stun.num_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN); } else { /* We cannot immediately say that this is STUN as there are other protocols @@ -187,11 +187,11 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n packet->payload_packet_len - 2, &is_whatsapp) == NDPI_IS_STUN) { if(flow->guessed_protocol_id == 0) flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; - if(flow->protos.stun.is_skype) { + if(flow->protos.stun_ssl.stun.is_skype) { NDPI_LOG_INFO(ndpi_struct, "found Skype\n"); - if((flow->protos.stun.num_processed_pkts >= 8) || (flow->protos.stun.num_binding_requests >= 4)) - ndpi_set_detected_protocol(ndpi_struct, flow, (flow->protos.stun.num_binding_requests < 4) ? NDPI_PROTOCOL_SKYPE_CALL_IN : NDPI_PROTOCOL_SKYPE_CALL_OUT, NDPI_PROTOCOL_SKYPE); + if((flow->protos.stun_ssl.stun.num_processed_pkts >= 8) || (flow->protos.stun_ssl.stun.num_binding_requests >= 4)) + ndpi_set_detected_protocol(ndpi_struct, flow, (flow->protos.stun_ssl.stun.num_binding_requests < 4) ? NDPI_PROTOCOL_SKYPE_CALL_IN : NDPI_PROTOCOL_SKYPE_CALL_OUT, NDPI_PROTOCOL_SKYPE); } else { NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n"); /* Ummmmm we're in the TCP branch. This code looks bad */ ndpi_int_stun_add_connection(ndpi_struct, @@ -207,11 +207,11 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n packet->payload_packet_len, &is_whatsapp) == NDPI_IS_STUN) { if(flow->guessed_protocol_id == 0) flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; - if(flow->protos.stun.is_skype) { + if(flow->protos.stun_ssl.stun.is_skype) { NDPI_LOG_INFO(ndpi_struct, "Found Skype\n"); - if((flow->protos.stun.num_processed_pkts >= 8) || (flow->protos.stun.num_binding_requests >= 4)) - ndpi_set_detected_protocol(ndpi_struct, flow, (flow->protos.stun.num_binding_requests < 4) ? NDPI_PROTOCOL_SKYPE_CALL_IN : NDPI_PROTOCOL_SKYPE_CALL_OUT, NDPI_PROTOCOL_SKYPE); + if((flow->protos.stun_ssl.stun.num_processed_pkts >= 8) || (flow->protos.stun_ssl.stun.num_binding_requests >= 4)) + ndpi_set_detected_protocol(ndpi_struct, flow, (flow->protos.stun_ssl.stun.num_binding_requests < 4) ? NDPI_PROTOCOL_SKYPE_CALL_IN : NDPI_PROTOCOL_SKYPE_CALL_OUT, NDPI_PROTOCOL_SKYPE); } else { NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n"); ndpi_int_stun_add_connection(ndpi_struct, @@ -221,7 +221,7 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n return; } - if(flow->protos.stun.num_udp_pkts >= MAX_NUM_STUN_PKTS) + if(flow->protos.stun_ssl.stun.num_udp_pkts >= MAX_NUM_STUN_PKTS) NDPI_EXCLUDE_PROTO(ndpi_struct, flow); if(flow->packet_counter > 0) { |