-rw-r--r-- | example/ndpi_util.c | 5 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 21 | ||||
-rw-r--r-- | src/lib/protocols/ssl.c | 40 |
3 files changed, 42 insertions, 24 deletions
diff --git a/example/ndpi_util.c b/example/ndpi_util.c index 174312cb8..da7a87bdb 100644 --- a/example/ndpi_util.c +++ b/example/ndpi_util.c @@ -645,6 +645,8 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, return(nproto); } + /* The lines below are no longer necessary as this hsould be called automatically by ndpi_detection_process_packet */ +#if 0 /* Protocol already detected */ if(flow->detection_completed) { if(flow->check_extra_packets && ndpi_flow != NULL && ndpi_flow->check_extra_packets) { @@ -669,7 +671,8 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, return(flow->detected_protocol); } - +#endif + flow->detected_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow, iph ? (uint8_t *)iph : (uint8_t *)iph6, diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 6561bf1b9..737124697 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -4650,9 +4650,24 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct flow->num_processed_pkts++; if(flow->server_id == NULL) flow->server_id = dst; /* Default */ - if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) - goto ret_protocols; - + if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { + /* + With SSL we might want to dissect further packets to decode + the certificate type for instance + */ + if(flow->check_extra_packets + /* + && ((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) + || (flow->detected_protocol_stack[1] == NDPI_PROTOCOL_SSL)) + */ + ) { + ndpi_process_extra_packet(ndpi_struct, flow, packet, packetlen, current_tick_l, src, dst); + ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0]; + return(ret); + } else + goto ret_protocols; + } + /* need at least 20 bytes for ip header */ if(packetlen < 20) { /* reset protocol which is normally done in init_packet_header */ 
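Review bot: The block disabled with `#if 0` (closed by the `#endif` in the next hunk) held the early return for `flow->detection_completed` visible here, so every packet of an already classified flow now falls through to `ndpi_detection_process_packet` and to whatever follows that call outside the hunk. It is worth confirming that the later code does not redo per-flow work or overwrite fields once detection is complete. If the library call really supersedes this path, delete the lines instead of parking them under `#if 0`, since version control already keeps them. The added comment also has a typo ("hsould"); I would write `/* No longer needed: ndpi_detection_process_packet() now handles extra packets for detected flows */`. packet_processing starts and ends outside both hunks.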
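Review bot: In the new `flow->check_extra_packets` branch of the ndpi_main.c hunk, `ndpi_process_extra_packet` receives `packet` and `packetlen` before the `if(packetlen < 20)` guard that follows, so a truncated packet on an already detected flow reaches the extra-packet dissector without that length check. Unless the helper validates the length itself (not visible in this hunk), test `packetlen` before the call. The early `return(ret)` also bypasses the `ret_protocols` label, so anything that label does beyond copying the two stack entries is skipped on this path; `ndpi_process_extra_packet(...);` followed by `goto ret_protocols;` would keep a single exit. The comment says the re-dissection is for SSL, but the SSL test is commented out inside the condition, so the branch applies to any protocol that sets the flag; either restore the test or update the comment. ndpi_detection_process_packet starts and ends outside the hunk.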
diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c index 493ee7cbc..8c2753004 100644 --- a/src/lib/protocols/ssl.c +++ b/src/lib/protocols/ssl.c @@ -27,7 +27,7 @@ #include "ndpi_api.h" -// #define CERTIFICATE_DEBUG 1 + #define CERTIFICATE_DEBUG 1 #define NDPI_MAX_SSL_REQUEST_SIZE 10000 @@ -543,7 +543,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t i, cypher_offset = base_offset + session_id_len + 3; #ifdef CERTIFICATE_DEBUG - printf("SSL [client cypher_len: %u]\n", cypher_len); + printf("Client SSL [client cypher_len: %u]\n", cypher_len); #endif if((cypher_offset+cypher_len) <= total_len) { @@ -551,7 +551,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t *id = (u_int16_t*)&packet->payload[cypher_offset+i]; #ifdef CERTIFICATE_DEBUG - printf("SSL [cypher suite: %u] [%u/%u]\n", ntohs(*id), i, cypher_len); + printf("Client SSL [cypher suite: %u] [%u/%u]\n", ntohs(*id), i, cypher_len); #endif if((*id == 0) || (packet->payload[cypher_offset+i] != packet->payload[cypher_offset+i+1])) { /* @@ -564,7 +564,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, else { invalid_ja3 = 1; #ifdef CERTIFICATE_DEBUG - printf("SSL Invalid cypher %u\n", ja3.num_cipher); + printf("Client SSL Invalid cypher %u\n", ja3.num_cipher); #endif } } @@ -574,7 +574,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, } else { invalid_ja3 = 1; #ifdef CERTIFICATE_DEBUG - printf("SSL Invalid len %u vs %u\n", (cypher_offset+cypher_len), total_len); + printf("Client SSL Invalid len %u vs %u\n", (cypher_offset+cypher_len), total_len); #endif } @@ -591,7 +591,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, offset++; #ifdef CERTIFICATE_DEBUG - printf("SSL [compression_len: %u]\n", compression_len); + printf("Client SSL [compression_len: %u]\n", compression_len); #endif // offset += compression_len + 3; 
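Review bot: The first ssl.c hunk turns `CERTIFICATE_DEBUG` on (`#define CERTIFICATE_DEBUG 1` replaces the commented-out line), which compiles every `printf` under `#ifdef CERTIFICATE_DEBUG` into the library. Those calls print fields parsed from network traffic to stdout, including the certificate organization string printed with `%s` in the last hunk, so a host application gets unrequested output whose content is chosen by the remote peer. This looks like a leftover from debugging the change; restore `// #define CERTIFICATE_DEBUG 1` before merging, or gate the messages behind a build-time option that is off by default.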
@@ -602,7 +602,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, offset += 2; #ifdef CERTIFICATE_DEBUG - printf("SSL [extensions_len: %u]\n", extensions_len); + printf("Client SSL [extensions_len: %u]\n", extensions_len); #endif if((extensions_len+offset) <= total_len) { @@ -621,7 +621,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, extension_offset += 2; #ifdef CERTIFICATE_DEBUG - printf("SSL [extension_id: %u][extension_len: %u]\n", extension_id, extension_len); + printf("Client SSL [extension_id: %u][extension_len: %u]\n", extension_id, extension_len); #endif if((extension_id == 0) || (packet->payload[extn_off] != packet->payload[extn_off+1])) { @@ -632,7 +632,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, else { invalid_ja3 = 1; #ifdef CERTIFICATE_DEBUG - printf("SSL Invalid extensions %u\n", ja3.num_ssl_extension); + printf("Client SSL Invalid extensions %u\n", ja3.num_ssl_extension); #endif } } @@ -655,15 +655,15 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t i, s_offset = offset+extension_offset + 2; #ifdef CERTIFICATE_DEBUG - printf("SSL [EllipticCurve: len=%u]\n", extension_len); + printf("Client SSL [EllipticCurveGroups: len=%u]\n", extension_len); #endif - if((s_offset+extension_len-1) < total_len) { + if((s_offset+extension_len-2) <= total_len) { for(i=0; i<extension_len-2;) { u_int16_t s_group = ntohs(*((u_int16_t*)&packet->payload[s_offset+i])); #ifdef CERTIFICATE_DEBUG - printf("SSL [EllipticCurve: %u]\n", s_group); + printf("Client SSL [EllipticCurve: %u]\n", s_group); #endif if((s_group == 0) || (packet->payload[s_offset+i] != packet->payload[s_offset+i+1])) { /* Skip GREASE */ 
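Review bot: The relaxed bound `(s_offset+extension_len-2) <= total_len` covers the group list only when `extension_len` is even; `extension_len` is read from the packet, and for an odd value the loop `for(i=0; i<extension_len-2;)` performs its last 16-bit read at index `s_offset+extension_len-2`, which this check allows to equal `total_len`. That is a one-byte read past the checked length, assuming `i` advances by two and `total_len` is the number of valid payload bytes (neither is visible in this hunk). Tightening the loop to `for(i=0; (i+1) < (extension_len-2);)` keeps the new bound and never reads a partial trailing pair. The debug message in the matching else branch, in a later hunk, still prints `s_offset+extension_len-1` and should print the expression that is actually tested. getSSLcertificate starts and ends outside the hunk.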
@@ -672,7 +672,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, else { invalid_ja3 = 1; #ifdef CERTIFICATE_DEBUG - printf("SSL Invalid num elliptic %u\n", ja3.num_elliptic_curve); + printf("Client SSL Invalid num elliptic %u\n", ja3.num_elliptic_curve); #endif } } @@ -682,21 +682,21 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, } else { invalid_ja3 = 1; #ifdef CERTIFICATE_DEBUG - printf("SSL Invalid len %u vs %u\n", (s_offset+extension_len-1), total_len); + printf("Client SSL Invalid len %u vs %u\n", (s_offset+extension_len-1), total_len); #endif } } else if(extension_id == 11 /* ec_point_formats groups */) { u_int16_t i, s_offset = offset+extension_offset + 1; #ifdef CERTIFICATE_DEBUG - printf("SSL [EllipticCurveFormat: len=%u]\n", extension_len); + printf("Client SSL [EllipticCurveFormat: len=%u]\n", extension_len); #endif if((s_offset+extension_len) < total_len) { for(i=0; i<extension_len-1;i++) { u_int8_t s_group = packet->payload[s_offset+i]; #ifdef CERTIFICATE_DEBUG - printf("SSL [EllipticCurveFormat: %u]\n", s_group); + printf("Client SSL [EllipticCurveFormat: %u]\n", s_group); #endif if(ja3.num_elliptic_curve_point_format < MAX_NUM_JA3) @@ -704,14 +704,14 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, else { invalid_ja3 = 1; #ifdef CERTIFICATE_DEBUG - printf("SSL Invalid num elliptic %u\n", ja3.num_elliptic_curve_point_format); + printf("Client SSL Invalid num elliptic %u\n", ja3.num_elliptic_curve_point_format); #endif } } } else { invalid_ja3 = 1; #ifdef CERTIFICATE_DEBUG - printf("SSL Invalid len %u vs %u\n", s_offset+extension_len, total_len); + printf("Client SSL Invalid len %u vs %u\n", s_offset+extension_len, total_len); #endif } } 
@@ -719,7 +719,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, extension_offset += extension_len; #ifdef CERTIFICATE_DEBUG - printf("SSL [extension_offset/len: %u/%u]\n", extension_offset, extension_len); + printf("Client SSL [extension_offset/len: %u/%u]\n", extension_offset, extension_len); #endif } /* while */ @@ -839,7 +839,7 @@ void getSSLorganization(struct ndpi_detection_module_struct *ndpi_struct, snprintf(flow->protos.stun_ssl.ssl.server_organization, sizeof(flow->protos.stun_ssl.ssl.server_organization), "%s", buffer); #ifdef CERTIFICATE_DEBUG - printf("Certificate origanization: %s\n", flow->protos.stun_ssl.ssl.server_organization); + printf("Certificate organization: %s\n", flow->protos.stun_ssl.ssl.server_organization); #endif } } |