-rw-r--r-- | example/ndpiReader.c | 6 | ||||
-rw-r--r-- | example/reader_util.c | 41 | ||||
-rw-r--r-- | src/include/ndpi_define.h.in | 2 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 3 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 5 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 56 |
6 files changed, 68 insertions, 45 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index b0d1a9122..c525346fa 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -1949,6 +1949,10 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) {
 ndpi_load_categories_file(ndpi_thread_info[thread_id].workflow->ndpi_struct, _customCategoryFilePath);
 ndpi_finalize_initalization(ndpi_thread_info[thread_id].workflow->ndpi_struct);
+
+#ifdef USE_TLS_LEN
+ ndpi_set_detection_preferences(ndpi_thread_info[thread_id].workflow->ndpi_struct, ndpi_pref_enable_tls_block_dissection, 1);
+#endif
 }
 /* *********************************************** */
@@ -2460,7 +2464,7 @@ static void printFlowsStats() {
 if(verbose > 1) {
 #ifndef DIRECTION_BINS
 struct ndpi_bin *bins = (struct ndpi_bin*)ndpi_malloc(sizeof(struct ndpi_bin)*num_flows);
- u_int16_t *cluster_ids = (u_int16_t*)ndpi_malloc(sizeof(u_int16_t)*num_flows);;
+ u_int16_t *cluster_ids = (u_int16_t*)ndpi_malloc(sizeof(u_int16_t)*num_flows);
 #endif
 for(i=0; i<num_flows; i++) {
diff --git a/example/reader_util.c b/example/reader_util.c
index e26e8625d..7e68a378d 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -79,7 +79,7 @@
 #define PLEN_MAX 1504
 #define PLEN_BIN_LEN 32
-#define PLEN_NUM_BINS 47 /* 47*32 = 1504 */
+#define PLEN_NUM_BINS 48 /* 47*32 = 1504 */
 #define MAX_NUM_BIN_PKTS 256
 #include "ndpi_main.h"
@@ -1021,6 +1021,20 @@ void correct_csv_data_field(char* data) {
 /* ****************************************************** */
+u_int8_t plen2slot(u_int16_t plen) {
+ /*
+ Slots [32 bytes lenght]
+ 0..31, 32..63 ...
+ */
+
+ if(plen > PLEN_MAX)
+ return(PLEN_NUM_BINS-1);
+ else
+ return(plen/PLEN_BIN_LEN);
+}
+
+/* ****************************************************** */
+
 void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_flow_info *flow, FILE * csv_fp) {
 u_int i;
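Review bot: The comment on the changed `PLEN_NUM_BINS` line is now stale: it still says `/* 47*32 = 1504 */` while the value became 48, and the reason for 48 is that `plen2slot()` (moved in the next hunk) returns `plen/PLEN_BIN_LEN`, which is 47 for `plen == PLEN_MAX`, so 47 bins indexed 0..46 were one short. Suggest `#define PLEN_NUM_BINS 48 /* slots 0..46 for 0..1503 bytes, slot 47 for >= PLEN_MAX */`. If the project builds as C11, a `_Static_assert(PLEN_MAX / PLEN_BIN_LEN < PLEN_NUM_BINS, "plen2slot() must fit in PLEN_NUM_BINS");` next to the defines would keep the three constants from drifting apart again.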
@@ -1194,6 +1208,17 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
 snprintf(flow->info, sizeof(flow->info), "ALPN: %s", flow->ndpi_flow->protos.stun_ssl.ssl.alpn);
 }
+
+#ifdef USE_TLS_LEN
+ /* For TLS we use TLS block lenght instead of payload lenght */
+ ndpi_reset_bin(&flow->payload_len_bin);
+
+ for(i=0; i<flow->ndpi_flow->l4.tcp.tls.num_tls_blocks; i++) {
+ u_int16_t len = abs(flow->ndpi_flow->l4.tcp.tls.tls_application_blocks_len[i]);
+ printf("%u\n", len);
+ ndpi_inc_bin(&flow->payload_len_bin, plen2slot(len), 1);
+ }
+#endif
 }
 if(flow->detection_completed && (!flow->check_extra_packets)) {
@@ -1258,20 +1283,6 @@ void update_tcp_flags_count(struct ndpi_flow_info* flow, struct ndpi_tcphdr* tcp
 }
 /* ****************************************************** */
-
-u_int8_t plen2slot(u_int16_t plen) {
- /*
- Slots [32 bytes lenght]
- 0..31, 32..63 ...
- */
-
- if(plen > PLEN_MAX)
- return(PLEN_NUM_BINS-1);
- else
- return(plen/PLEN_BIN_LEN);
-}
-
-/* ****************************************************** */
 /** Function to process the packet: determine the flow of a packet and try to decode it
diff --git a/src/include/ndpi_define.h.in b/src/include/ndpi_define.h.in
index 9c1c0c169..990f84bf4 100644
--- a/src/include/ndpi_define.h.in
+++ b/src/include/ndpi_define.h.in
@@ -353,7 +353,7 @@
 #define NDPI_OPTIMAL_HLL_NUM_BUCKETS 16
-#define NDPI_MAX_NUM_DISSECTED_TLS_BLOCKS 32
+#define NDPI_MAX_NUM_TLS_APPL_BLOCKS 8
 #ifdef __APPLE__
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 58d7b4885..55fa370c9 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
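Review bot: The added `printf("%u\n", len);` inside the `USE_TLS_LEN` loop writes one bare number per TLS block to stdout, where it interleaves with ndpiReader's normal and CSV output; it reads as a leftover debug statement and should be removed or placed under a debug macro. `abs()` on the `int16_t` element needs `<stdlib.h>`, which this hunk does not show being included, so it is worth confirming the file already pulls it in. The sign of `tls_application_blocks_len[i]` (direction, per the typedef comment) is deliberately discarded here so both directions share a bin; a one-line comment such as `/* |len|: the direction sign is intentionally ignored for the length histogram */` would make that explicit. process_ndpi_collected_info begins and ends outside the hunk.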
@@ -670,7 +670,7 @@ struct ndpi_flow_tcp_struct {
 u_int8_t hello_processed:1, certificate_processed:1, subprotocol_detected:1, fingerprint_set:1, _pad:4;
 u_int8_t sha1_certificate_fingerprint[20], num_tls_blocks;
- u_int16_t tls_blocks_len[NDPI_MAX_NUM_DISSECTED_TLS_BLOCKS];
+ int16_t tls_application_blocks_len[NDPI_MAX_NUM_TLS_APPL_BLOCKS]; /* + = src->dst, - = dst->src */
 } tls;
 /* NDPI_PROTOCOL_POSTGRES */
@@ -947,6 +947,7 @@ typedef enum {
 typedef enum {
 ndpi_pref_direction_detect_disable = 0,
+ ndpi_pref_enable_tls_block_dissection
 } ndpi_detection_preference;
 /* ntop extensions */
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 3ca766772..db84efa00 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -596,6 +596,10 @@ int ndpi_set_detection_preferences(struct ndpi_detection_module_struct *ndpi_str
 ndpi_str->direction_detect_disable = (u_int8_t) value;
 break;
+ case ndpi_pref_enable_tls_block_dissection:
+ ndpi_str->num_tls_blocks_to_follow = NDPI_MAX_NUM_TLS_APPL_BLOCKS;
+ break;
+
 default:
 return(-1);
 }
@@ -6370,6 +6374,7 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp
 case NDPI_PROTOCOL_TLS:
 if((!flow->l4.tcp.tls.certificate_processed) || (flow->l4.tcp.tls.num_tls_blocks <= ndpi_str->num_tls_blocks_to_follow)) {
+ // printf("*** %u/%u\n", flow->l4.tcp.tls.num_tls_blocks, ndpi_str->num_tls_blocks_to_follow);
 return(1); /* TODO: add check for TLS 1.3 */
 }
 break;
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 20ac8c542..9085774f4 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
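Review bot: The new `ndpi_pref_enable_tls_block_dissection` case in ndpi_set_detection_preferences ignores `value`: passing 0 still sets `num_tls_blocks_to_follow` to `NDPI_MAX_NUM_TLS_APPL_BLOCKS`, so the preference cannot be switched off again and the `1` that ndpiReader passes carries no meaning. Suggest `ndpi_str->num_tls_blocks_to_follow = value ? NDPI_MAX_NUM_TLS_APPL_BLOCKS : 0;` (0 presumed to be the default, which this diff does not show), or, if `value` is meant as a count, clamp it to `NDPI_MAX_NUM_TLS_APPL_BLOCKS` since that is now the size of `tls_application_blocks_len[]`. The second hunk of this file adds a commented-out `printf`; either delete it or put it under the `DEBUG_TLS_BLOCKS` macro that tls.c uses for the same purpose. Both enclosing functions begin and end outside their hunks.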
@@ -593,9 +593,13 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
 }
 if(flow->l4.tcp.tls.num_tls_blocks >= ndpi_struct->num_tls_blocks_to_follow) {
- flow->extra_packets_func = NULL; /* We're good now */
+#ifdef DEBUG_TLS_BLOCKS
+ printf("*** [TLS Block] Enough blocks dissected\n");
+#endif
+
+ flow->extra_packets_func = NULL; /* We're good now */
 }
-
+
 return(1);
 }
@@ -649,10 +653,11 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 while(!something_went_wrong) {
 u_int16_t len, p_len;
 const u_int8_t *p;
-
+ u_int8_t content_type;
+
 if(flow->l4.tcp.tls.message.buffer_used < 5)
 return(1); /* Keep working */
-
+
 len = (flow->l4.tcp.tls.message.buffer[3] << 8) + flow->l4.tcp.tls.message.buffer[4] + 5;
 if(len > flow->l4.tcp.tls.message.buffer_used) {
@@ -677,10 +682,14 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 printf("[TLS Mem] Processing %u bytes message\n", len);
 #endif
+ content_type = flow->l4.tcp.tls.message.buffer[0];
+
 /* Overwriting packet payload */
 p = packet->payload, p_len = packet->payload_packet_len; /* Backup */
- if((len > 9) && (!flow->l4.tcp.tls.certificate_processed)) {
+ if((len > 9)
+ && (content_type != 0x17 /* Application Data */)
+ && (!flow->l4.tcp.tls.certificate_processed)) {
 /* Split the element in blocks */
 u_int16_t processed = 5;
@@ -701,32 +710,20 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, break; } -#ifdef DEBUG_TLS_MEMORY - printf("*** [TLS Mem] Processing %u bytes block [%02X %02X %02X %02X %02X]\n", - packet->payload_packet_len, - packet->payload[0], packet->payload[1], packet->payload[2], packet->payload[3], packet->payload[4]); -#endif - - processTLSBlock(ndpi_struct, flow); - if(flow->l4.tcp.tls.num_tls_blocks < ndpi_struct->num_tls_blocks_to_follow) - flow->l4.tcp.tls.tls_blocks_len[flow->l4.tcp.tls.num_tls_blocks++] = packet->payload_packet_len; - -#ifdef DEBUG_TLS_BLOCKS - printf("*** [TLS Block] [len: %u][num_tls_blocks: %u]\n", - packet->payload_packet_len, flow->l4.tcp.tls.num_tls_blocks); -#endif - processed += packet->payload_packet_len; } } else { /* Process element as a whole */ - if(flow->l4.tcp.tls.num_tls_blocks < ndpi_struct->num_tls_blocks_to_follow) - flow->l4.tcp.tls.tls_blocks_len[flow->l4.tcp.tls.num_tls_blocks++] = len-5; - + if(content_type == 0x17 /* Application Data */) { + if(flow->l4.tcp.tls.num_tls_blocks < ndpi_struct->num_tls_blocks_to_follow) + flow->l4.tcp.tls.tls_application_blocks_len[flow->l4.tcp.tls.num_tls_blocks++] = + (packet->packet_direction == 0) ? (len-5) : -(len-5); + #ifdef DEBUG_TLS_BLOCKS - printf("*** [TLS Block] [len: %u][num_tls_blocks: %u]\n", - len-5, flow->l4.tcp.tls.num_tls_blocks); + printf("*** [TLS Block] [len: %u][num_tls_blocks: %u/%u]\n", + len-5, flow->l4.tcp.tls.num_tls_blocks, ndpi_struct->num_tls_blocks_to_follow); #endif + } } packet->payload = p, packet->payload_packet_len = p_len; /* Restore */ 
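Review bot: The new store into `tls_application_blocks_len[flow->l4.tcp.tls.num_tls_blocks++]` is bounded only by `num_tls_blocks_to_follow`, while the array now has just `NDPI_MAX_NUM_TLS_APPL_BLOCKS` entries; the two agree today because ndpi_main.c sets the counter to that constant, but nothing at the write site enforces it, so adding `&& (flow->l4.tcp.tls.num_tls_blocks < NDPI_MAX_NUM_TLS_APPL_BLOCKS)` to the guard would make the bound local and obvious. `len` is a `u_int16_t` built from the 16-bit record-length field plus 5, so `len-5` can reach 65530 and does not fit the `int16_t` element: unless the length is validated against the TLS record maximum earlier (not visible here), an oversize or malformed record stores a wrapped value and is then reported with the wrong sign, i.e. the wrong direction; clamp or skip values above `INT16_MAX` before the store. The collapsed rendering also makes it ambiguous whether `processTLSBlock(ndpi_struct, flow);` in the split-blocks branch is removed or kept as context; if it is removed, handshake records are no longer dissected on that path, so please confirm. ndpi_search_tls_tcp begins and ends outside the hunk.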
@@ -744,7 +741,12 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 #endif
 }
- if(something_went_wrong) {
+ if(something_went_wrong
+ || (flow->l4.tcp.tls.num_tls_blocks == ndpi_struct->num_tls_blocks_to_follow)
+ ) {
+#ifdef DEBUG_TLS_BLOCKS
+ printf("*** [TLS Block] No more blocks\n");
+#endif
 flow->check_extra_packets = 0;
 flow->extra_packets_func = NULL;
 return(0); /* That's all */
@@ -809,7 +811,7 @@ static void tlsInitExtraPacketProcessing(struct ndpi_detection_module_struct *nd
 flow->check_extra_packets = 1;
 /* At most 12 packets should almost always be enough to find the server certificate if it's there */
- flow->max_extra_packets_to_check = 12 + (ndpi_struct->num_tls_blocks_to_follow*2);
+ flow->max_extra_packets_to_check = 12 + (ndpi_struct->num_tls_blocks_to_follow*4);
 flow->extra_packets_func = (flow->packet.udp != NULL) ? ndpi_search_tls_udp : ndpi_search_tls_tcp;
 }
|
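Review bot: The new termination condition `num_tls_blocks == num_tls_blocks_to_follow` is also true when both are 0, i.e. when block dissection was never enabled through the preference (assuming `num_tls_blocks_to_follow` defaults to 0, which this diff does not show): whenever execution reaches this check the function then clears `check_extra_packets` and `extra_packets_func` even though the certificate may not have been processed yet, while `ndpi_extra_dissection_possible()` in ndpi_main.c expects extra dissection to continue until `certificate_processed`. Suggest guarding it: `|| ((ndpi_struct->num_tls_blocks_to_follow > 0) && (flow->l4.tcp.tls.num_tls_blocks >= ndpi_struct->num_tls_blocks_to_follow))`, with `>=` matching the comparison processCertificate() uses. The `*4` in the last hunk changes `max_extra_packets_to_check` without touching the comment above it, which still only talks about finding the certificate; a short `/* plus headroom for num_tls_blocks_to_follow application-data records in either direction */` would explain the factor. ndpi_search_tls_tcp begins outside the hunk.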