diff options
Diffstat (limited to 'src/lib/protocols/ssl.c')
| -rw-r--r-- | src/lib/protocols/ssl.c | 197 |
1 files changed, 118 insertions, 79 deletions
diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c index 2ab93b949..adb0e9cf4 100644 --- a/src/lib/protocols/ssl.c +++ b/src/lib/protocols/ssl.c @@ -21,13 +21,16 @@ * */ +#include "ndpi_protocol_ids.h" -#include "ndpi_api.h" - -/* #define CERTIFICATE_DEBUG 1 */ #ifdef NDPI_PROTOCOL_SSL +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SSL + +#include "ndpi_api.h" + +/* #define CERTIFICATE_DEBUG 1 */ #define NDPI_MAX_SSL_REQUEST_SIZE 10000 /* Skype.c */ @@ -48,7 +51,7 @@ static u_int32_t ndpi_ssl_refine_master_protocol(struct ndpi_detection_module_st if(packet->tcp != NULL) { switch(protocol) { - + case NDPI_PROTOCOL_SSL: case NDPI_PROTOCOL_SSL_NO_CERT: { @@ -58,7 +61,7 @@ static u_int32_t ndpi_ssl_refine_master_protocol(struct ndpi_detection_module_st */ u_int16_t sport = ntohs(packet->tcp->source); u_int16_t dport = ntohs(packet->tcp->dest); - + if((sport == 465) || (dport == 465)) protocol = NDPI_PROTOCOL_MAIL_SMTPS; else if((sport == 993) || (dport == 993) @@ -70,13 +73,8 @@ static u_int32_t ndpi_ssl_refine_master_protocol(struct ndpi_detection_module_st } break; } - - if((protocol == NDPI_PROTOCOL_SSL_NO_CERT) - && is_skype_flow(ndpi_struct, flow)) { - protocol = NDPI_PROTOCOL_SKYPE; - } } - + return protocol; } @@ -104,14 +102,14 @@ static void ndpi_int_ssl_add_connection(struct ndpi_detection_module_struct *ndp ((ch) >= '{' && (ch) <= '~')) static void stripCertificateTrailer(char *buffer, int buffer_len) { - + int i, is_puny; - + // printf("->%s<-\n", buffer); - + for(i = 0; i < buffer_len; i++) { // printf("%c [%d]\n", buffer[i], buffer[i]); - + if((buffer[i] != '.') && (buffer[i] != '-') && (buffer[i] != '_') @@ -126,12 +124,12 @@ static void stripCertificateTrailer(char *buffer, int buffer_len) { /* check for punycode encoding */ is_puny = check_punycode_string(buffer, buffer_len); - + // not a punycode string - need more checks if(is_puny == 0) { - + if(i > 0) i--; - + while(i > 0) { if(!ndpi_isalpha(buffer[i])) { buffer[i] = '\0'; @@ -140,8 +138,8 @@ static void stripCertificateTrailer(char *buffer, int buffer_len) { } else break; } - - for(i = buffer_len; i > 0; i--) { + + for(i = buffer_len; i > 0; i--) { if(buffer[i] == '.') break; else if(ndpi_isdigit(buffer[i])) buffer[i] = '\0', buffer_len = i; @@ -159,7 +157,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, { static u_int8_t id = 0; - printf("-> [%u] %02X\n", ++id, packet->payload[0] & 0xFF); + NDPI_LOG_DBG2(ndpi_struct,"-> [%u] %02X\n", ++id, packet->payload[0] & 0xFF); } #endif @@ -189,6 +187,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, /* Check after handshake protocol header (5 bytes) and message header (4 bytes) */ for(i = 9; i < packet->payload_packet_len-3; i++) { if(((packet->payload[i] == 0x04) && (packet->payload[i+1] == 0x03) && (packet->payload[i+2] == 0x0c)) + || ((packet->payload[i] == 0x04) && (packet->payload[i+1] == 0x03) && (packet->payload[i+2] == 0x13)) || ((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x03))) { u_int8_t server_len = packet->payload[i+3]; @@ -311,6 +310,46 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, return(0); /* Not found */ } +int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + + /* consider only specific SSL packets (handshake) */ + if((packet->payload_packet_len > 9) && (packet->payload[0] == 0x16)) { + char certificate[64]; + int rc; + certificate[0] = '\0'; + rc = getSSLcertificate(ndpi_struct, flow, certificate, sizeof(certificate)); + packet->ssl_certificate_num_checks++; + if (rc > 0) { + packet->ssl_certificate_detected++; + if (flow->protos.ssl.server_certificate[0] != '\0') + /* 0 means we're done processing extra packets (since we found what we wanted) */ + return 0; + } + /* Client hello, Server Hello, and certificate packets probably all checked in this case */ + if ((packet->ssl_certificate_num_checks >= 3) + && (flow->l4.tcp.seen_syn) + && (flow->l4.tcp.seen_syn_ack) + && (flow->l4.tcp.seen_ack) /* We have seen the 3-way handshake */) + { + /* We're done processing extra packets since we've probably checked all possible cert packets */ + return 0; + } + } + /* 1 means keep looking for more packets */ + return 1; +} + +void sslInitExtraPacketProcessing(int caseNum, struct ndpi_flow_struct *flow) { + flow->check_extra_packets = 1; + /* 0 is the case for waiting for the server certificate */ + if (caseNum == 0) { + /* At most 7 packets should almost always be enough to find the server certificate if it's there */ + flow->max_extra_packets_to_check = 7; + flow->extra_packets_func = sslTryAndRetrieveServerCertificate; + } +} + int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; @@ -328,20 +367,24 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s if(rc > 0) { packet->ssl_certificate_detected++; #ifdef CERTIFICATE_DEBUG - printf("***** [SSL] %s\n", certificate); + NDPI_LOG_DBG2(ndpi_struct, "***** [SSL] %s\n", certificate); #endif - u_int32_t subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, certificate, + u_int32_t subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, certificate, strlen(certificate), NDPI_PROTOCOL_SSL); - if(subproto != NDPI_PROTOCOL_UNKNOWN) { - ndpi_set_detected_protocol(ndpi_struct, flow, subproto, - ndpi_ssl_refine_master_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSL)); - return(rc); /* Fix courtesy of Gianluca Costa <g.costa@xplico.org> */ - } - + /* If we've detected the subprotocol from client certificate but haven't had a chance + * to see the server certificate yet, set up extra packet processing to wait + * a few more packets. */ + if((flow->protos.ssl.client_certificate[0] != '\0') && (flow->protos.ssl.server_certificate[0] == '\0')) { + sslInitExtraPacketProcessing(0, flow); + } + ndpi_set_detected_protocol(ndpi_struct, flow, subproto, + ndpi_ssl_refine_master_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSL)); + return(rc); /* Fix courtesy of Gianluca Costa <g.costa@xplico.org> */ + } #ifdef NDPI_PROTOCOL_TOR - if(ndpi_is_ssl_tor(ndpi_struct, flow, certificate) != 0) - return(rc); + if(ndpi_is_ssl_tor(ndpi_struct, flow, certificate) != 0) + return(rc); #endif } @@ -350,12 +393,12 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s && flow->l4.tcp.seen_syn_ack && flow->l4.tcp.seen_ack /* We have seen the 3-way handshake */) || (flow->protos.ssl.server_certificate[0] != '\0') - || (flow->protos.ssl.client_certificate[0] != '\0') - ) + /* || (flow->protos.ssl.client_certificate[0] != '\0') */ + ) { ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL); - } + } } - + } return(0); } @@ -363,14 +406,12 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { -#if defined(NDPI_PROTOCOL_MEEBO)|| defined(NDPI_PROTOCOL_TOR) || defined(NDPI_PROTOCOL_VPN_X) || defined(NDPI_PROTOCOL_UNENCRYPED_JABBER) || defined (NDPI_PROTOCOL_OSCAR) || defined (NDPI_PROTOCOL_ITUNES) || defined (NDPI_SERVICE_GMAIL) +#if defined(NDPI_PROTOCOL_TOR) || defined(NDPI_PROTOCOL_VPN_X) || defined(NDPI_PROTOCOL_UNENCRYPTED_JABBER) || defined (NDPI_PROTOCOL_OSCAR) || defined (NDPI_PROTOCOL_ITUNES) || defined (NDPI_PROTOCOL_GMAIL) struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_id_struct *src=flow->src; - // struct ndpi_id_struct *dst=flow->dst; u_int32_t a; u_int32_t end; -#if defined(NDPI_PROTOCOL_UNENCRYPED_JABBER) - if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_UNENCRYPED_JABBER) != 0) +#if defined(NDPI_PROTOCOL_UNENCRYPTED_JABBER) + if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_UNENCRYPTED_JABBER) != 0) goto check_for_ssl_payload; #endif #if defined(NDPI_PROTOCOL_OSCAR) @@ -382,13 +423,13 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct check_for_ssl_payload: end = packet->payload_packet_len - 20; for (a = 5; a < end; a++) { -#ifdef NDPI_PROTOCOL_UNENCRYPED_JABBER +#ifdef NDPI_PROTOCOL_UNENCRYPTED_JABBER if(packet->payload[a] == 't') { if(memcmp(&packet->payload[a], "talk.google.com", 15) == 0) { - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, "ssl jabber packet match\n"); if(NDPI_COMPARE_PROTOCOL_TO_BITMASK - (ndpi_struct->detection_bitmask, NDPI_PROTOCOL_UNENCRYPED_JABBER) != 0) { - ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNENCRYPED_JABBER); + (ndpi_struct->detection_bitmask, NDPI_PROTOCOL_UNENCRYPTED_JABBER) != 0) { + NDPI_LOG_INFO(ndpi_struct, "found ssl jabber unencrypted\n"); + ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNENCRYPTED_JABBER); return; } } @@ -408,7 +449,7 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct && memcmp(&packet->payload[a], "http://ocsp.web.aol.com/ocsp", 28) == 0) || ((a + 32) < packet->payload_packet_len && memcmp(&packet->payload[a], "http://pki-info.aol.com/AOLMSPKI", 32) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR SERVER SSL DETECTED\n"); + NDPI_LOG_INFO(ndpi_struct, "found OSCAR SERVER SSL DETECTED\n"); if(flow->dst != NULL && packet->payload_packet_len > 75) { memcpy(flow->dst->oscar_ssl_session_id, &packet->payload[44], 32); @@ -425,7 +466,7 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct if((a + 21) < packet->payload_packet_len && (memcmp(&packet->payload[a], "my.screenname.aol.com", 21) == 0 || memcmp(&packet->payload[a], "sns-static.aolcdn.com", 21) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR SERVER SSL DETECTED\n"); + NDPI_LOG_DBG(ndpi_struct, "found OSCAR SERVER SSL DETECTED\n"); ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_OSCAR); return; } @@ -436,14 +477,16 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct no_check_for_ssl_payload: #endif if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "found ssl connection.\n"); + NDPI_LOG_DBG(ndpi_struct, "found ssl connection\n"); sslDetectProtocolFromCertificate(ndpi_struct, flow); if(!packet->ssl_certificate_detected && (!(flow->l4.tcp.ssl_seen_client_cert && flow->l4.tcp.ssl_seen_server_cert))) { /* SSL without certificate (Skype, Ultrasurf?) */ + NDPI_LOG_INFO(ndpi_struct, "found ssl NO_CERT\n"); ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL_NO_CERT); } else + NDPI_LOG_INFO(ndpi_struct, "found ssl\n"); ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL); } } @@ -453,10 +496,6 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - // - // struct ndpi_id_struct *src=flow->src; - // struct ndpi_id_struct *dst=flow->dst; - if((packet->payload_packet_len >= 5) && (packet->payload[0] == 0x16) @@ -467,13 +506,13 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct || (packet->payload[2] == 0x03) )) { u_int32_t temp; - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "search sslv3\n"); + NDPI_LOG_DBG2(ndpi_struct, "search sslv3\n"); // SSLv3 Record if(packet->payload_packet_len >= 1300) { return 1; } temp = ntohs(get_u_int16_t(packet->payload, 3)) + 5; - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "temp = %u.\n", temp); + NDPI_LOG_DBG2(ndpi_struct, "temp = %u\n", temp); if(packet->payload_packet_len == temp || (temp < packet->payload_packet_len && packet->payload_packet_len > 500)) { return 1; @@ -483,16 +522,16 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct /* the server hello may be split into small packets */ u_int32_t cert_start; - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "maybe SSLv3 server hello split into smaller packets\n"); /* lets hope at least the server hello and the start of the certificate block are in the first packet */ cert_start = ntohs(get_u_int16_t(packet->payload, 7)) + 5 + 4; - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "suspected start of certificate: %u\n", + NDPI_LOG_DBG2(ndpi_struct, "suspected start of certificate: %u\n", cert_start); if(cert_start < packet->payload_packet_len && packet->payload[cert_start] == 0x0b) { - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "found 0x0b at suspected start of certificate block\n"); return 2; } @@ -503,16 +542,16 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct * so temp contains only the length for the first ServerHello block */ u_int32_t cert_start; - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "maybe SSLv3 server hello split into smaller packets but with seperate record for the certificate\n"); /* lets hope at least the server hello record and the start of the certificate record are in the first packet */ cert_start = ntohs(get_u_int16_t(packet->payload, 7)) + 5 + 5 + 4; - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "suspected start of certificate: %u\n", + NDPI_LOG_DBG2(ndpi_struct, "suspected start of certificate: %u\n", cert_start); if(cert_start < packet->payload_packet_len && packet->payload[cert_start] == 0x0b) { - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "found 0x0b at suspected start of certificate block\n"); return 2; } @@ -526,7 +565,7 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct return 1; } temp += temp2; - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "temp = %u.\n", temp); + NDPI_LOG_DBG2(ndpi_struct, "temp = %u\n", temp); if(packet->payload_packet_len == temp) { return 1; } @@ -537,7 +576,7 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct return 1; } temp += temp2; - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "temp = %u.\n", temp); + NDPI_LOG_DBG2(ndpi_struct, "temp = %u\n", temp); if(packet->payload_packet_len == temp) { return 1; } @@ -548,7 +587,7 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct return 1; } temp += temp2; - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "temp = %u.\n", temp); + NDPI_LOG_DBG2(ndpi_struct, "temp = %u\n", temp); if(temp == packet->payload_packet_len) { return 1; } @@ -563,10 +602,6 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - - // struct ndpi_id_struct *src=flow->src; - // struct ndpi_id_struct *dst=flow->dst; - u_int8_t ret; if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) { @@ -574,7 +609,7 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc /* this should only happen, when we detected SSL with a packet that had parts of the certificate in subsequent packets * so go on checking for certificate patterns for a couple more packets */ - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "ssl flow but check another packet for patterns\n"); ssl_mark_and_payload_search_for_other_protocols(ndpi_struct, flow); if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) { @@ -588,7 +623,7 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc return; } - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "search ssl\n"); + NDPI_LOG_DBG(ndpi_struct, "search ssl\n"); { /* Check if this is whatsapp first (this proto runs over port 443) */ @@ -598,7 +633,12 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc && (packet->payload[4] == 0) && (packet->payload[2] <= 9) && (packet->payload[3] <= 9))) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_SERVICE_WHATSAPP, NDPI_PROTOCOL_UNKNOWN); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN); + return; + } else if((packet->payload_packet_len == 4) + && (packet->payload[0] == 'W') + && (packet->payload[1] == 'A')) { + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN); return; } else { /* No whatsapp, let's try SSL */ @@ -608,12 +648,12 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc } if(packet->payload_packet_len > 40 && flow->l4.tcp.ssl_stage == 0) { - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "first ssl packet\n"); + NDPI_LOG_DBG2(ndpi_struct, "first ssl packet\n"); // SSLv2 Record if(packet->payload[2] == 0x01 && packet->payload[3] == 0x03 && (packet->payload[4] == 0x00 || packet->payload[4] == 0x01 || packet->payload[4] == 0x02) && (packet->payload_packet_len - packet->payload[1] == 2)) { - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "sslv2 len match\n"); + NDPI_LOG_DBG2(ndpi_struct, "sslv2 len match\n"); flow->l4.tcp.ssl_stage = 1 + packet->packet_direction; return; } @@ -622,7 +662,7 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc && (packet->payload[2] == 0x00 || packet->payload[2] == 0x01 || packet->payload[2] == 0x02) && (packet->payload_packet_len - ntohs(get_u_int16_t(packet->payload, 3)) == 5)) { // SSLv3 Record - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "sslv3 len match\n"); + NDPI_LOG_DBG2(ndpi_struct, "sslv3 len match\n"); flow->l4.tcp.ssl_stage = 1 + packet->packet_direction; return; } @@ -635,23 +675,23 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc } if(packet->payload_packet_len > 40 && flow->l4.tcp.ssl_stage == 2 - packet->packet_direction) { - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "second ssl packet\n"); + NDPI_LOG_DBG2(ndpi_struct, "second ssl packet\n"); // SSLv2 Record if(packet->payload[2] == 0x01 && packet->payload[3] == 0x03 && (packet->payload[4] == 0x00 || packet->payload[4] == 0x01 || packet->payload[4] == 0x02) && (packet->payload_packet_len - 2) >= packet->payload[1]) { - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "sslv2 server len match\n"); + NDPI_LOG_DBG2(ndpi_struct, "sslv2 server len match\n"); ssl_mark_and_payload_search_for_other_protocols(ndpi_struct, flow); return; } ret = ndpi_search_sslv3_direction1(ndpi_struct, flow); if(ret == 1) { - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "sslv3 server len match\n"); + NDPI_LOG_DBG2(ndpi_struct, "sslv3 server len match\n"); ssl_mark_and_payload_search_for_other_protocols(ndpi_struct, flow); return; } else if(ret == 2) { - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "sslv3 server len match with split packet -> check some more packets for SSL patterns\n"); ssl_mark_and_payload_search_for_other_protocols(ndpi_struct, flow); if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) { @@ -661,13 +701,12 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc } if(packet->payload_packet_len > 40 && flow->packet_direction_counter[packet->packet_direction] < 5) { - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "need next packet\n"); + NDPI_LOG_DBG2(ndpi_struct, "need next packet\n"); return; } } - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "exclude ssl\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SSL); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } |