diff options
Diffstat (limited to 'src/lib/protocols/tls.c')
| -rw-r--r-- | src/lib/protocols/tls.c | 40 |
1 files changed, 23 insertions, 17 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 2270b05ab..aac8798b3 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -105,7 +105,7 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int32_t protocol) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &ndpi_struct->packet; // protocol = NDPI_PROTOCOL_TLS; @@ -138,7 +138,7 @@ static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_st void ndpi_search_tls_tcp_memory(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int avail_bytes; /* TCP */ @@ -284,11 +284,13 @@ static int extractRDNSequence(struct ndpi_packet_struct *packet, static void checkTLSSubprotocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &ndpi_struct->packet; + if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) { /* Subprotocol not yet set */ - if(ndpi_struct->tls_cert_cache && flow->packet.iph && flow->packet.tcp) { - u_int32_t key = flow->packet.iph->daddr + flow->packet.tcp->dest; + if(ndpi_struct->tls_cert_cache && packet->iph && packet->tcp) { + u_int32_t key = packet->iph->daddr + packet->tcp->dest; u_int16_t cached_proto; if(ndpi_lru_find_cache(ndpi_struct->tls_cert_cache, key, @@ -311,7 +313,7 @@ static void checkTLSSubprotocol(struct ndpi_detection_module_struct *ndpi_struct static void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int16_t p_offset, u_int16_t certificate_len) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int16_t num_found = 0, i; char buffer[64] = { '\0' }, rdnSeqBuf[2048]; u_int rdn_len = 0; @@ -431,7 +433,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi offset += 2; if((offset+len) < packet->payload_packet_len) { - u_int32_t time_sec = flow->packet.current_time_ms / 1000; + u_int32_t time_sec = packet->current_time_ms / 1000; #ifdef DEBUG_TLS u_int j; @@ -601,8 +603,8 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi if(ndpi_struct->tls_cert_cache == NULL) ndpi_struct->tls_cert_cache = ndpi_lru_cache_init(1024); - if(ndpi_struct->tls_cert_cache && flow->packet.iph) { - u_int32_t key = flow->packet.iph->daddr + flow->packet.tcp->dest; + if(ndpi_struct->tls_cert_cache && packet->iph) { + u_int32_t key = packet->iph->daddr + packet->tcp->dest; ndpi_lru_add_to_cache(ndpi_struct->tls_cert_cache, key, proto_id); } @@ -624,7 +626,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi /* See https://blog.catchpoint.com/2017/05/12/dissecting-tls-using-wireshark/ */ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &ndpi_struct->packet; int is_dtls = packet->udp ? 1 : 0; u_int32_t certificates_length, length = (packet->payload[1] << 16) + (packet->payload[2] << 8) + packet->payload[3]; u_int32_t certificates_offset = 7 + (is_dtls ? 8 : 0); @@ -749,7 +751,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &ndpi_struct->packet; int ret; #ifdef DEBUG_TL @@ -812,7 +814,7 @@ static void ndpi_looks_like_tls(struct ndpi_detection_module_struct *ndpi_struct static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int8_t something_went_wrong = 0; #ifdef DEBUG_TLS_MEMORY @@ -971,7 +973,7 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int32_t handshake_len; u_int16_t p_len, processed; const u_int8_t *p; @@ -1069,11 +1071,13 @@ static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct, static void tlsInitExtraPacketProcessing(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &ndpi_struct->packet; + flow->check_extra_packets = 1; /* At most 12 packets should almost always be enough to find the server certificate if it's there */ flow->max_extra_packets_to_check = 12 + (ndpi_struct->num_tls_blocks_to_follow*4); - flow->extra_packets_func = (flow->packet.udp != NULL) ? ndpi_search_tls_udp : ndpi_search_tls_tcp; + flow->extra_packets_func = (packet->udp != NULL) ? ndpi_search_tls_udp : ndpi_search_tls_tcp; } /* **************************************** */ @@ -1108,11 +1112,13 @@ static void tlsCheckUncommonALPN(struct ndpi_detection_module_struct *ndpi_struc static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int32_t protocol) { + struct ndpi_packet_struct *packet = &ndpi_struct->packet; + #if DEBUG_TLS printf("[TLS] %s()\n", __FUNCTION__); #endif - if((flow->packet.udp != NULL) && (protocol == NDPI_PROTOCOL_TLS)) + if((packet->udp != NULL) && (protocol == NDPI_PROTOCOL_TLS)) protocol = NDPI_PROTOCOL_DTLS; if((flow->detected_protocol_stack[0] == protocol) @@ -1138,7 +1144,7 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct * const flow, int is_dtls, u_int16_t extension_id, u_int16_t extension_len, u_int16_t extension_payload_offset) { - struct ndpi_packet_struct const * const packet = &flow->packet; + struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; if (extension_payload_offset + extension_len > packet->payload_packet_len) { @@ -1206,7 +1212,7 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct, int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, uint32_t quic_version) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &ndpi_struct->packet; union ja3_info ja3; u_int8_t invalid_ja3 = 0; u_int16_t tls_version, ja3_str_len; @@ -2266,7 +2272,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, static void ndpi_search_tls_wrapper(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &ndpi_struct->packet; #ifdef DEBUG_TLS printf("==>> %s() %u [len: %u][version: %u]\n", |