Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_typedefs.h4
-rw-r--r--src/lib/ndpi_main.c40
-rw-r--r--src/lib/ndpi_utils.c70
-rw-r--r--src/lib/protocols/quic.c24
-rw-r--r--src/lib/protocols/rtp.c2
-rw-r--r--src/lib/protocols/stun.c18
-rw-r--r--src/lib/protocols/tls.c124
7 files changed, 141 insertions, 141 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 7a1d0d9bd..35811c633 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1269,14 +1269,14 @@ struct ndpi_flow_struct {
char *esni;
} encrypted_sni;
ndpi_cipher_weakness server_unsafe_cipher;
- } ssl;
+ } tls_quic;
struct {
u_int8_t num_udp_pkts, num_processed_pkts, num_binding_requests;
} stun;
/* We can have STUN over SSL/TLS thus they need to live together */
- } stun_ssl;
+ } tls_quic_stun;
struct {
char client_signature[48], server_signature[48];
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index e4616b4cb..d8c137227 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -4132,7 +4132,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
ndpi_set_detected_protocol(ndpi_str, flow, flow->guessed_protocol_id, NDPI_PROTOCOL_UNKNOWN);
}
else if((flow->l4.tcp.tls.hello_processed == 1) &&
- (flow->protos.stun_ssl.ssl.client_requested_server_name[0] != '\0')) {
+ (flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] != '\0')) {
*protocol_was_guessed = 1;
ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN);
} else if(enable_guess) {
@@ -4157,8 +4157,8 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
flow->guessed_protocol_id = guessed_protocol_id = NDPI_PROTOCOL_UNKNOWN;
if((guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) || (guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN)) {
- if((guessed_protocol_id == 0) && (flow->protos.stun_ssl.stun.num_binding_requests > 0) &&
- (flow->protos.stun_ssl.stun.num_processed_pkts > 0))
+ if((guessed_protocol_id == 0) && (flow->protos.tls_quic_stun.stun.num_binding_requests > 0) &&
+ (flow->protos.tls_quic_stun.stun.num_processed_pkts > 0))
guessed_protocol_id = NDPI_PROTOCOL_STUN;
if(flow->host_server_name[0] != '\0') {
@@ -4198,8 +4198,8 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
if((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) &&
(flow->guessed_protocol_id == NDPI_PROTOCOL_STUN)) {
check_stun_export:
- if(flow->protos.stun_ssl.stun.num_processed_pkts || flow->protos.stun_ssl.stun.num_udp_pkts) {
- // if(/* (flow->protos.stun_ssl.stun.num_processed_pkts >= NDPI_MIN_NUM_STUN_DETECTION) */
+ if(flow->protos.tls_quic_stun.stun.num_processed_pkts || flow->protos.tls_quic_stun.stun.num_udp_pkts) {
+ // if(/* (flow->protos.tls_quic_stun.stun.num_processed_pkts >= NDPI_MIN_NUM_STUN_DETECTION) */
*protocol_was_guessed = 1;
ndpi_set_detected_protocol(ndpi_str, flow, flow->guessed_host_protocol_id, NDPI_PROTOCOL_STUN);
}
@@ -4455,10 +4455,10 @@ void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_str,
}
if(flow->l4.tcp.tls.hello_processed == 1 &&
- flow->protos.stun_ssl.ssl.client_requested_server_name[0] != '\0') {
+ flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] != '\0') {
u_int32_t id;
- int rc = ndpi_match_custom_category(ndpi_str, (char *) flow->protos.stun_ssl.ssl.client_requested_server_name,
- strlen(flow->protos.stun_ssl.ssl.client_requested_server_name), &id);
+ int rc = ndpi_match_custom_category(ndpi_str, (char *) flow->protos.tls_quic_stun.tls_quic.client_requested_server_name,
+ strlen(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name), &id);
if(rc == 0) {
flow->category = ret->category = (ndpi_protocol_category_t) id;
@@ -6332,23 +6332,23 @@ void ndpi_free_flow_data(struct ndpi_flow_struct *flow) {
ndpi_free(flow->kerberos_buf.pktbuf);
if(is_quic || flow_is_proto(flow, NDPI_PROTOCOL_TLS)) {
- if(flow->protos.stun_ssl.ssl.server_names)
- ndpi_free(flow->protos.stun_ssl.ssl.server_names);
+ if(flow->protos.tls_quic_stun.tls_quic.server_names)
+ ndpi_free(flow->protos.tls_quic_stun.tls_quic.server_names);
- if(flow->protos.stun_ssl.ssl.alpn)
- ndpi_free(flow->protos.stun_ssl.ssl.alpn);
+ if(flow->protos.tls_quic_stun.tls_quic.alpn)
+ ndpi_free(flow->protos.tls_quic_stun.tls_quic.alpn);
- if(flow->protos.stun_ssl.ssl.tls_supported_versions)
- ndpi_free(flow->protos.stun_ssl.ssl.tls_supported_versions);
+ if(flow->protos.tls_quic_stun.tls_quic.tls_supported_versions)
+ ndpi_free(flow->protos.tls_quic_stun.tls_quic.tls_supported_versions);
- if(flow->protos.stun_ssl.ssl.issuerDN)
- ndpi_free(flow->protos.stun_ssl.ssl.issuerDN);
+ if(flow->protos.tls_quic_stun.tls_quic.issuerDN)
+ ndpi_free(flow->protos.tls_quic_stun.tls_quic.issuerDN);
- if(flow->protos.stun_ssl.ssl.subjectDN)
- ndpi_free(flow->protos.stun_ssl.ssl.subjectDN);
+ if(flow->protos.tls_quic_stun.tls_quic.subjectDN)
+ ndpi_free(flow->protos.tls_quic_stun.tls_quic.subjectDN);
- if(flow->protos.stun_ssl.ssl.encrypted_sni.esni)
- ndpi_free(flow->protos.stun_ssl.ssl.encrypted_sni.esni);
+ if(flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni)
+ ndpi_free(flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni);
}
if(flow->l4_proto == IPPROTO_TCP) {
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 294be770a..3b3e31514 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -919,10 +919,10 @@ char* ndpi_ssl_version2str(struct ndpi_flow_struct *flow,
*unknown_tls_version = 1;
if(flow != NULL) {
- snprintf(flow->protos.stun_ssl.ssl.ssl_version_str,
- sizeof(flow->protos.stun_ssl.ssl.ssl_version_str), "TLS (%04X)", version);
+ snprintf(flow->protos.tls_quic_stun.tls_quic.ssl_version_str,
+ sizeof(flow->protos.tls_quic_stun.tls_quic.ssl_version_str), "TLS (%04X)", version);
- return(flow->protos.stun_ssl.ssl.ssl_version_str);
+ return(flow->protos.tls_quic_stun.tls_quic.ssl_version_str);
} else
return("");
}
@@ -1213,22 +1213,22 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct,
case NDPI_PROTOCOL_QUIC:
ndpi_serialize_start_of_block(serializer, "quic");
- if(flow->protos.stun_ssl.ssl.client_requested_server_name[0] != '\0')
+ if(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] != '\0')
ndpi_serialize_string_string(serializer, "client_requested_server_name",
- flow->protos.stun_ssl.ssl.client_requested_server_name);
+ flow->protos.tls_quic_stun.tls_quic.client_requested_server_name);
if(flow->http.user_agent)
ndpi_serialize_string_string(serializer, "user_agent", flow->http.user_agent);
- if(flow->protos.stun_ssl.ssl.ssl_version) {
+ if(flow->protos.tls_quic_stun.tls_quic.ssl_version) {
u_int8_t unknown_tls_version;
- char *version = ndpi_ssl_version2str(flow, flow->protos.stun_ssl.ssl.ssl_version, &unknown_tls_version);
+ char *version = ndpi_ssl_version2str(flow, flow->protos.tls_quic_stun.tls_quic.ssl_version, &unknown_tls_version);
if(!unknown_tls_version)
ndpi_serialize_string_string(serializer, "version", version);
- if(flow->protos.stun_ssl.ssl.alpn)
- ndpi_serialize_string_string(serializer, "alpn", flow->protos.stun_ssl.ssl.alpn);
- ndpi_serialize_string_string(serializer, "ja3", flow->protos.stun_ssl.ssl.ja3_client);
- if(flow->protos.stun_ssl.ssl.tls_supported_versions)
- ndpi_serialize_string_string(serializer, "tls_supported_versions", flow->protos.stun_ssl.ssl.tls_supported_versions);
+ if(flow->protos.tls_quic_stun.tls_quic.alpn)
+ ndpi_serialize_string_string(serializer, "alpn", flow->protos.tls_quic_stun.tls_quic.alpn);
+ ndpi_serialize_string_string(serializer, "ja3", flow->protos.tls_quic_stun.tls_quic.ja3_client);
+ if(flow->protos.tls_quic_stun.tls_quic.tls_supported_versions)
+ ndpi_serialize_string_string(serializer, "tls_supported_versions", flow->protos.tls_quic_stun.tls_quic.tls_supported_versions);
}
ndpi_serialize_end_of_block(serializer);
break;
@@ -1272,25 +1272,25 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct,
break;
case NDPI_PROTOCOL_TLS:
- if(flow->protos.stun_ssl.ssl.ssl_version) {
+ if(flow->protos.tls_quic_stun.tls_quic.ssl_version) {
char notBefore[32], notAfter[32];
struct tm a, b, *before = NULL, *after = NULL;
u_int i, off;
u_int8_t unknown_tls_version;
- char *version = ndpi_ssl_version2str(flow, flow->protos.stun_ssl.ssl.ssl_version, &unknown_tls_version);
+ char *version = ndpi_ssl_version2str(flow, flow->protos.tls_quic_stun.tls_quic.ssl_version, &unknown_tls_version);
- if(flow->protos.stun_ssl.ssl.notBefore)
- before = gmtime_r((const time_t *)&flow->protos.stun_ssl.ssl.notBefore, &a);
- if(flow->protos.stun_ssl.ssl.notAfter)
- after = gmtime_r((const time_t *)&flow->protos.stun_ssl.ssl.notAfter, &b);
+ if(flow->protos.tls_quic_stun.tls_quic.notBefore)
+ before = gmtime_r((const time_t *)&flow->protos.tls_quic_stun.tls_quic.notBefore, &a);
+ if(flow->protos.tls_quic_stun.tls_quic.notAfter)
+ after = gmtime_r((const time_t *)&flow->protos.tls_quic_stun.tls_quic.notAfter, &b);
if(!unknown_tls_version) {
ndpi_serialize_start_of_block(serializer, "tls");
ndpi_serialize_string_string(serializer, "version", version);
ndpi_serialize_string_string(serializer, "client_requested_server_name",
- flow->protos.stun_ssl.ssl.client_requested_server_name);
- if(flow->protos.stun_ssl.ssl.server_names)
- ndpi_serialize_string_string(serializer, "server_names", flow->protos.stun_ssl.ssl.server_names);
+ flow->protos.tls_quic_stun.tls_quic.client_requested_server_name);
+ if(flow->protos.tls_quic_stun.tls_quic.server_names)
+ ndpi_serialize_string_string(serializer, "server_names", flow->protos.tls_quic_stun.tls_quic.server_names);
if(before) {
strftime(notBefore, sizeof(notBefore), "%Y-%m-%d %H:%M:%S", before);
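Review bot: The calls `gmtime_r((const time_t *)&flow->protos.tls_quic_stun.tls_quic.notBefore, &a)` and its `notAfter` twin read the field through a `time_t *` cast, which is only correct if the field really is a `time_t`. The debug prints in tls.c format these same fields with `%u`, which suggests a 32-bit type; if that is the case, a platform with a 64-bit `time_t` reads past the field and the exported validity dates are built partly from adjacent memory. Copying into a local first avoids the cast, e.g. `time_t nb = flow->protos.tls_quic_stun.tls_quic.notBefore; before = gmtime_r(&nb, &a);`, and the same for `notAfter`. The `if(before)` block continues outside the hunk.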
@@ -1301,27 +1301,27 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct,
strftime(notAfter, sizeof(notAfter), "%Y-%m-%d %H:%M:%S", after);
ndpi_serialize_string_string(serializer, "notafter", notAfter);
}
- ndpi_serialize_string_string(serializer, "ja3", flow->protos.stun_ssl.ssl.ja3_client);
- ndpi_serialize_string_string(serializer, "ja3s", flow->protos.stun_ssl.ssl.ja3_server);
- ndpi_serialize_string_uint32(serializer, "unsafe_cipher", flow->protos.stun_ssl.ssl.server_unsafe_cipher);
- ndpi_serialize_string_string(serializer, "cipher", ndpi_cipher2str(flow->protos.stun_ssl.ssl.server_cipher));
+ ndpi_serialize_string_string(serializer, "ja3", flow->protos.tls_quic_stun.tls_quic.ja3_client);
+ ndpi_serialize_string_string(serializer, "ja3s", flow->protos.tls_quic_stun.tls_quic.ja3_server);
+ ndpi_serialize_string_uint32(serializer, "unsafe_cipher", flow->protos.tls_quic_stun.tls_quic.server_unsafe_cipher);
+ ndpi_serialize_string_string(serializer, "cipher", ndpi_cipher2str(flow->protos.tls_quic_stun.tls_quic.server_cipher));
- if(flow->protos.stun_ssl.ssl.issuerDN)
- ndpi_serialize_string_string(serializer, "issuerDN", flow->protos.stun_ssl.ssl.issuerDN);
+ if(flow->protos.tls_quic_stun.tls_quic.issuerDN)
+ ndpi_serialize_string_string(serializer, "issuerDN", flow->protos.tls_quic_stun.tls_quic.issuerDN);
- if(flow->protos.stun_ssl.ssl.subjectDN)
- ndpi_serialize_string_string(serializer, "issuerDN", flow->protos.stun_ssl.ssl.subjectDN);
+ if(flow->protos.tls_quic_stun.tls_quic.subjectDN)
+ ndpi_serialize_string_string(serializer, "issuerDN", flow->protos.tls_quic_stun.tls_quic.subjectDN);
- if(flow->protos.stun_ssl.ssl.alpn)
- ndpi_serialize_string_string(serializer, "alpn", flow->protos.stun_ssl.ssl.alpn);
+ if(flow->protos.tls_quic_stun.tls_quic.alpn)
+ ndpi_serialize_string_string(serializer, "alpn", flow->protos.tls_quic_stun.tls_quic.alpn);
- if(flow->protos.stun_ssl.ssl.tls_supported_versions)
- ndpi_serialize_string_string(serializer, "tls_supported_versions", flow->protos.stun_ssl.ssl.tls_supported_versions);
+ if(flow->protos.tls_quic_stun.tls_quic.tls_supported_versions)
+ ndpi_serialize_string_string(serializer, "tls_supported_versions", flow->protos.tls_quic_stun.tls_quic.tls_supported_versions);
- if(flow->protos.stun_ssl.ssl.sha1_certificate_fingerprint[0] != '\0') {
+ if(flow->protos.tls_quic_stun.tls_quic.sha1_certificate_fingerprint[0] != '\0') {
for(i=0, off=0; i<20; i++) {
int rc = snprintf(&buf[off], sizeof(buf)-off,"%s%02X", (i > 0) ? ":" : "",
- flow->protos.stun_ssl.ssl.sha1_certificate_fingerprint[i] & 0xFF);
+ flow->protos.tls_quic_stun.tls_quic.sha1_certificate_fingerprint[i] & 0xFF);
if(rc <= 0) break; else off += rc;
}
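Review bot: The `subjectDN` branch serializes its value under the key `"issuerDN"`, so the JSON block carries the issuer key twice and never a subject key. Consumers that compare issuer and subject, for instance to spot self-signed certificates, receive wrong data. The line should read `ndpi_serialize_string_string(serializer, "subjectDN", flow->protos.tls_quic_stun.tls_quic.subjectDN);`. Separately, the fingerprint loop adds the `snprintf` return value to `off` unchecked, and on truncation that value is the length that would have been written; `if(rc <= 0 || (u_int)rc >= sizeof(buf)-off) break; else off += rc;` keeps `off` inside `buf`. The loop and the `tls` block continue outside the hunk.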
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index dac402de5..655d90aa5 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
@@ -1190,12 +1190,12 @@ static void process_tls(struct ndpi_detection_module_struct *ndpi_struct,
this way we lose JA3S and negotiated ciphers...
Negotiated version is only present in the ServerHello message too, but
fortunately, QUIC always uses TLS version 1.3 */
- flow->protos.stun_ssl.ssl.ssl_version = 0x0304;
+ flow->protos.tls_quic_stun.tls_quic.ssl_version = 0x0304;
/* DNS-over-QUIC: ALPN is "doq" or "doq-XXX" (for drafts versions) */
- if(flow->protos.stun_ssl.ssl.alpn &&
- strncmp(flow->protos.stun_ssl.ssl.alpn, "doq", 3) == 0) {
- NDPI_LOG_DBG(ndpi_struct, "Found DOQ (ALPN: [%s])\n", flow->protos.stun_ssl.ssl.alpn);
+ if(flow->protos.tls_quic_stun.tls_quic.alpn &&
+ strncmp(flow->protos.tls_quic_stun.tls_quic.alpn, "doq", 3) == 0) {
+ NDPI_LOG_DBG(ndpi_struct, "Found DOQ (ALPN: [%s])\n", flow->protos.tls_quic_stun.tls_quic.alpn);
ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_QUIC);
}
}
@@ -1239,22 +1239,22 @@ static void process_chlo(struct ndpi_detection_module_struct *ndpi_struct,
#endif
if((memcmp(tag, "SNI\0", 4) == 0) &&
(tag_offset_start + prev_offset + len < crypto_data_len)) {
- sni_len = MIN(len, sizeof(flow->protos.stun_ssl.ssl.client_requested_server_name) - 1);
- memcpy(flow->protos.stun_ssl.ssl.client_requested_server_name,
+ sni_len = MIN(len, sizeof(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name) - 1);
+ memcpy(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name,
&crypto_data[tag_offset_start + prev_offset], sni_len);
- flow->protos.stun_ssl.ssl.client_requested_server_name[sni_len] = '\0';
+ flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[sni_len] = '\0';
NDPI_LOG_DBG2(ndpi_struct, "SNI: [%s]\n",
- flow->protos.stun_ssl.ssl.client_requested_server_name);
+ flow->protos.tls_quic_stun.tls_quic.client_requested_server_name);
ndpi_match_host_subprotocol(ndpi_struct, flow,
- (char *)flow->protos.stun_ssl.ssl.client_requested_server_name,
- strlen((const char*)flow->protos.stun_ssl.ssl.client_requested_server_name),
+ (char *)flow->protos.tls_quic_stun.tls_quic.client_requested_server_name,
+ strlen((const char*)flow->protos.tls_quic_stun.tls_quic.client_requested_server_name),
&ret_match, NDPI_PROTOCOL_QUIC);
flow->l4.tcp.tls.hello_processed = 1; /* Allow matching of custom categories */
ndpi_check_dga_name(ndpi_struct, flow,
- flow->protos.stun_ssl.ssl.client_requested_server_name, 1);
+ flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, 1);
sni_found = 1;
if (ua_found)
@@ -1281,7 +1281,7 @@ static void process_chlo(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_DBG(ndpi_struct, "Something went wrong in tags iteration\n");
/* Add check for missing SNI */
- if(flow->protos.stun_ssl.ssl.client_requested_server_name[0] == '\0') {
+ if(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] == '\0') {
/* This is a bit suspicious */
NDPI_SET_BIT(flow->risk, NDPI_TLS_MISSING_SNI);
}
diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
index be689b286..067ab4d92 100644
--- a/src/lib/protocols/rtp.c
+++ b/src/lib/protocols/rtp.c
@@ -80,7 +80,7 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_DBG(ndpi_struct, "search RTP\n");
- if((payload_len < 2) || flow->protos.stun_ssl.stun.num_binding_requests) {
+ if((payload_len < 2) || flow->protos.tls_quic_stun.stun.num_binding_requests) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index cf7a4d0a4..f89239f7a 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -161,7 +161,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
} else if(payload_length < sizeof(struct stun_packet_header)) {
/* This looks like an invalid packet */
- if(flow->protos.stun_ssl.stun.num_udp_pkts > 0) {
+ if(flow->protos.tls_quic_stun.stun.num_udp_pkts > 0) {
// flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
return(NDPI_IS_STUN);
} else
@@ -257,7 +257,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
}
if(msg_type == 0x01 /* Binding Request */) {
- flow->protos.stun_ssl.stun.num_binding_requests++;
+ flow->protos.tls_quic_stun.stun.num_binding_requests++;
if(!msg_len && flow->guessed_host_protocol_id == NDPI_PROTOCOL_GOOGLE)
flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
@@ -265,7 +265,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
if(!msg_len) {
- /* flow->protos.stun_ssl.stun.num_udp_pkts++; */
+ /* flow->protos.tls_quic_stun.stun.num_udp_pkts++; */
return(NDPI_IS_NOT_STUN); /* This to keep analyzing STUN instead of giving up */
}
}
@@ -275,13 +275,13 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
return(NDPI_IS_NOT_STUN);
}
- flow->protos.stun_ssl.stun.num_udp_pkts++;
+ flow->protos.tls_quic_stun.stun.num_udp_pkts++;
if((payload[0] == 0x80 && payload_length < 512 && ((msg_len+20) <= payload_length))) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
return(NDPI_IS_STUN); /* This is WhatsApp Call */
} else if((payload[0] == 0x90) && (((msg_len+11) == payload_length) ||
- (flow->protos.stun_ssl.stun.num_binding_requests >= 4))) {
+ (flow->protos.tls_quic_stun.stun.num_binding_requests >= 4))) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
return(NDPI_IS_STUN); /* This is WhatsApp Call */
}
@@ -460,14 +460,14 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
}
}
- if((flow->protos.stun_ssl.stun.num_udp_pkts > 0) && (msg_type <= 0x00FF)) {
+ if((flow->protos.tls_quic_stun.stun.num_udp_pkts > 0) && (msg_type <= 0x00FF)) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
return(NDPI_IS_STUN);
} else
return(NDPI_IS_NOT_STUN);
udp_stun_found:
- flow->protos.stun_ssl.stun.num_processed_pkts++;
+ flow->protos.tls_quic_stun.stun.num_processed_pkts++;
struct ndpi_packet_struct *packet = &flow->packet;
@@ -480,7 +480,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
else if(is_google_ip_address(ntohl(packet->iph->saddr)) || is_google_ip_address(ntohl(packet->iph->daddr)))
flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
- rc = (flow->protos.stun_ssl.stun.num_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN;
+ rc = (flow->protos.tls_quic_stun.stun.num_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN;
return rc;
}
@@ -530,7 +530,7 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n
return;
}
- if(flow->protos.stun_ssl.stun.num_udp_pkts >= MAX_NUM_STUN_PKTS)
+ if(flow->protos.tls_quic_stun.stun.num_udp_pkts >= MAX_NUM_STUN_PKTS)
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
if(flow->packet_counter > 0) {
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 344a85d6b..0197b0a23 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -349,8 +349,8 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
printf("[TLS] %s() IssuerDN [%s]\n", __FUNCTION__, rdnSeqBuf);
#endif
- if(rdn_len && (flow->protos.stun_ssl.ssl.issuerDN == NULL))
- flow->protos.stun_ssl.ssl.issuerDN = ndpi_strdup(rdnSeqBuf);
+ if(rdn_len && (flow->protos.tls_quic_stun.tls_quic.issuerDN == NULL))
+ flow->protos.tls_quic_stun.tls_quic.issuerDN = ndpi_strdup(rdnSeqBuf);
rdn_len = 0; /* Reset buffer */
}
@@ -375,10 +375,10 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
/* 141021000000Z */
if(strptime(utcDate, "%y%m%d%H%M%SZ", &utc) != NULL) {
- flow->protos.stun_ssl.ssl.notBefore = timegm(&utc);
+ flow->protos.tls_quic_stun.tls_quic.notBefore = timegm(&utc);
#ifdef DEBUG_TLS
printf("[CERTIFICATE] notBefore %u [%s]\n",
- flow->protos.stun_ssl.ssl.notBefore, utcDate);
+ flow->protos.tls_quic_stun.tls_quic.notBefore, utcDate);
#endif
}
}
@@ -409,17 +409,17 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
/* 141021000000Z */
if(strptime(utcDate, "%y%m%d%H%M%SZ", &utc) != NULL) {
- flow->protos.stun_ssl.ssl.notAfter = timegm(&utc);
+ flow->protos.tls_quic_stun.tls_quic.notAfter = timegm(&utc);
#ifdef DEBUG_TLS
printf("[CERTIFICATE] notAfter %u [%s]\n",
- flow->protos.stun_ssl.ssl.notAfter, utcDate);
+ flow->protos.tls_quic_stun.tls_quic.notAfter, utcDate);
#endif
}
}
- if((time_sec < flow->protos.stun_ssl.ssl.notBefore)
- || (time_sec > flow->protos.stun_ssl.ssl.notAfter))
+ if((time_sec < flow->protos.tls_quic_stun.tls_quic.notBefore)
+ || (time_sec > flow->protos.tls_quic_stun.tls_quic.notAfter))
NDPI_SET_BIT(flow->risk, NDPI_TLS_CERTIFICATE_EXPIRED); /* Certificate expired */
}
}
@@ -464,34 +464,34 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
#if DEBUG_TLS
printf("[TLS] dNSName %s [%s][len: %u][leftover: %d]\n", dNSName,
- flow->protos.stun_ssl.ssl.client_requested_server_name, len,
+ flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, len,
packet->payload_packet_len-i-len);
#endif
if(matched_name == 0) {
- if(flow->protos.stun_ssl.ssl.client_requested_server_name[0] == '\0')
+ if(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] == '\0')
matched_name = 1; /* No SNI */
- else if((dNSName[0] == '*') && strstr(flow->protos.stun_ssl.ssl.client_requested_server_name, &dNSName[1]))
+ else if((dNSName[0] == '*') && strstr(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, &dNSName[1]))
matched_name = 1;
- else if(strcmp(flow->protos.stun_ssl.ssl.client_requested_server_name, dNSName) == 0)
+ else if(strcmp(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, dNSName) == 0)
matched_name = 1;
}
- if(flow->protos.stun_ssl.ssl.server_names == NULL)
- flow->protos.stun_ssl.ssl.server_names = ndpi_strdup(dNSName),
- flow->protos.stun_ssl.ssl.server_names_len = strlen(dNSName);
+ if(flow->protos.tls_quic_stun.tls_quic.server_names == NULL)
+ flow->protos.tls_quic_stun.tls_quic.server_names = ndpi_strdup(dNSName),
+ flow->protos.tls_quic_stun.tls_quic.server_names_len = strlen(dNSName);
else {
u_int16_t dNSName_len = strlen(dNSName);
- u_int16_t newstr_len = flow->protos.stun_ssl.ssl.server_names_len + dNSName_len + 1;
- char *newstr = (char*)ndpi_realloc(flow->protos.stun_ssl.ssl.server_names,
- flow->protos.stun_ssl.ssl.server_names_len+1, newstr_len+1);
+ u_int16_t newstr_len = flow->protos.tls_quic_stun.tls_quic.server_names_len + dNSName_len + 1;
+ char *newstr = (char*)ndpi_realloc(flow->protos.tls_quic_stun.tls_quic.server_names,
+ flow->protos.tls_quic_stun.tls_quic.server_names_len+1, newstr_len+1);
if(newstr) {
- flow->protos.stun_ssl.ssl.server_names = newstr;
- flow->protos.stun_ssl.ssl.server_names[flow->protos.stun_ssl.ssl.server_names_len] = ',';
- strncpy(&flow->protos.stun_ssl.ssl.server_names[flow->protos.stun_ssl.ssl.server_names_len+1],
+ flow->protos.tls_quic_stun.tls_quic.server_names = newstr;
+ flow->protos.tls_quic_stun.tls_quic.server_names[flow->protos.tls_quic_stun.tls_quic.server_names_len] = ',';
+ strncpy(&flow->protos.tls_quic_stun.tls_quic.server_names[flow->protos.tls_quic_stun.tls_quic.server_names_len+1],
dNSName, dNSName_len+1);
- flow->protos.stun_ssl.ssl.server_names[newstr_len] = '\0';
- flow->protos.stun_ssl.ssl.server_names_len = newstr_len;
+ flow->protos.tls_quic_stun.tls_quic.server_names[newstr_len] = '\0';
+ flow->protos.tls_quic_stun.tls_quic.server_names_len = newstr_len;
}
}
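Review bot: The wildcard branch `strstr(...client_requested_server_name, &dNSName[1])` accepts the certificate suffix anywhere in the SNI, so a name such as `*.example.com` also matches an SNI of `a.example.com.other.test` (constructed example), and `matched_name` is set for a certificate that does not cover the requested host. Compare the tail instead: take both lengths, check `sni_len >= suffix_len`, then use `strcmp(&sni[sni_len - suffix_len], &dNSName[1]) == 0`. In the append path `newstr_len` is a `u_int16_t`, so `server_names_len + dNSName_len + 1` can wrap once the accumulated names approach 64 KiB; the buffer is then reallocated smaller while `server_names[server_names_len] = ','` still writes at the old length. The sum should be computed in a wider type and the append skipped when it does not fit. How `matched_name` is consumed is outside the hunk.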
@@ -519,11 +519,11 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
}
}
- if(rdn_len && (flow->protos.stun_ssl.ssl.subjectDN == NULL))
- flow->protos.stun_ssl.ssl.subjectDN = ndpi_strdup(rdnSeqBuf);
+ if(rdn_len && (flow->protos.tls_quic_stun.tls_quic.subjectDN == NULL))
+ flow->protos.tls_quic_stun.tls_quic.subjectDN = ndpi_strdup(rdnSeqBuf);
- if(flow->protos.stun_ssl.ssl.subjectDN && flow->protos.stun_ssl.ssl.issuerDN
- && (!strcmp(flow->protos.stun_ssl.ssl.subjectDN, flow->protos.stun_ssl.ssl.issuerDN)))
+ if(flow->protos.tls_quic_stun.tls_quic.subjectDN && flow->protos.tls_quic_stun.tls_quic.issuerDN
+ && (!strcmp(flow->protos.tls_quic_stun.tls_quic.subjectDN, flow->protos.tls_quic_stun.tls_quic.issuerDN)))
NDPI_SET_BIT(flow->risk, NDPI_TLS_SELFSIGNED_CERTIFICATE);
#if DEBUG_TLS
@@ -608,7 +608,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
&packet->payload[certificates_offset],
certificate_len);
- SHA1Final(flow->protos.stun_ssl.ssl.sha1_certificate_fingerprint, &srv_cert_fingerprint_ctx);
+ SHA1Final(flow->protos.tls_quic_stun.tls_quic.sha1_certificate_fingerprint, &srv_cert_fingerprint_ctx);
flow->l4.tcp.tls.fingerprint_set = 1;
@@ -656,11 +656,11 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct,
#ifdef DEBUG_TLS
printf("*** TLS [version: %02X][%s Hello]\n",
- flow->protos.stun_ssl.ssl.ssl_version,
+ flow->protos.tls_quic_stun.tls_quic.ssl_version,
(packet->payload[0] == 0x01) ? "Client" : "Server");
#endif
- if((flow->protos.stun_ssl.ssl.ssl_version >= 0x0304 /* TLS 1.3 */)
+ if((flow->protos.tls_quic_stun.tls_quic.ssl_version >= 0x0304 /* TLS 1.3 */)
&& (packet->payload[0] == 0x02 /* Server Hello */)) {
flow->l4.tcp.tls.certificate_processed = 1; /* No Certificate with TLS 1.3+ */
}
@@ -971,8 +971,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
#endif
tls_version = ntohs(*((u_int16_t*)&packet->payload[version_offset]));
- flow->protos.stun_ssl.ssl.ssl_version = ja3.tls_handshake_version = tls_version;
- if(flow->protos.stun_ssl.ssl.ssl_version < 0x0302) /* TLSv1.1 */
+ flow->protos.tls_quic_stun.tls_quic.ssl_version = ja3.tls_handshake_version = tls_version;
+ if(flow->protos.tls_quic_stun.tls_quic.ssl_version < 0x0302) /* TLSv1.1 */
NDPI_SET_BIT(flow->risk, NDPI_TLS_OBSOLETE_VERSION);
if(handshake_type == 0x02 /* Server Hello */) {
@@ -997,10 +997,10 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
return(0); /* Not found */
ja3.num_cipher = 1, ja3.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset]));
- if((flow->protos.stun_ssl.ssl.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0])) == 1)
+ if((flow->protos.tls_quic_stun.tls_quic.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0])) == 1)
NDPI_SET_BIT(flow->risk, NDPI_TLS_WEAK_CIPHER);
- flow->protos.stun_ssl.ssl.server_cipher = ja3.cipher[0];
+ flow->protos.tls_quic_stun.tls_quic.server_cipher = ja3.cipher[0];
#ifdef DEBUG_TLS
printf("TLS [server][session_id_len: %u][cipher: %04X]\n", session_id_len, ja3.cipher[0]);
@@ -1042,7 +1042,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
printf("TLS [server] [TLS version: 0x%04X]\n", tls_version);
#endif
- flow->protos.stun_ssl.ssl.ssl_version = tls_version;
+ flow->protos.tls_quic_stun.tls_quic.ssl_version = tls_version;
}
}
@@ -1081,13 +1081,13 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_MD5Final(md5_hash, &ctx);
for(i=0, j=0; i<16; i++) {
- int rc = snprintf(&flow->protos.stun_ssl.ssl.ja3_server[j],
- sizeof(flow->protos.stun_ssl.ssl.ja3_server)-j, "%02x", md5_hash[i]);
+ int rc = snprintf(&flow->protos.tls_quic_stun.tls_quic.ja3_server[j],
+ sizeof(flow->protos.tls_quic_stun.tls_quic.ja3_server)-j, "%02x", md5_hash[i]);
if(rc <= 0) break; else j += rc;
}
#ifdef DEBUG_TLS
- printf("[JA3] Server: %s \n", flow->protos.stun_ssl.ssl.ja3_server);
+ printf("[JA3] Server: %s \n", flow->protos.tls_quic_stun.tls_quic.ja3_server);
#endif
} else if(handshake_type == 0x01 /* Client Hello */) {
u_int16_t cipher_len, cipher_offset;
@@ -1212,8 +1212,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
cleanupServerName(buffer, sizeof(buffer));
- snprintf(flow->protos.stun_ssl.ssl.client_requested_server_name,
- sizeof(flow->protos.stun_ssl.ssl.client_requested_server_name),
+ snprintf(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name,
+ sizeof(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name),
"%s", buffer);
#ifdef DEBUG_TLS
printf("[TLS] SNI: [%s]\n", buffer);
@@ -1227,7 +1227,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
}
ndpi_check_dga_name(ndpi_struct, flow,
- flow->protos.stun_ssl.ssl.client_requested_server_name, 1);
+ flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, 1);
} else {
#ifdef DEBUG_TLS
printf("[TLS] Extensions server len too short: %u vs %u\n",
@@ -1339,8 +1339,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
#ifdef DEBUG_TLS
printf("Client SSL [ALPN: %s][len: %u]\n", alpn_str, alpn_str_len);
#endif
- if(flow->protos.stun_ssl.ssl.alpn == NULL)
- flow->protos.stun_ssl.ssl.alpn = ndpi_strdup(alpn_str);
+ if(flow->protos.tls_quic_stun.tls_quic.alpn == NULL)
+ flow->protos.tls_quic_stun.tls_quic.alpn = ndpi_strdup(alpn_str);
} else if(extension_id == 43 /* supported versions */) {
u_int16_t s_offset = offset+extension_offset;
u_int8_t version_len = packet->payload[s_offset];
@@ -1377,8 +1377,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
version_str_len += rc;
}
}
- if(flow->protos.stun_ssl.ssl.tls_supported_versions == NULL)
- flow->protos.stun_ssl.ssl.tls_supported_versions = ndpi_strdup(version_str);
+ if(flow->protos.tls_quic_stun.tls_quic.tls_supported_versions == NULL)
+ flow->protos.tls_quic_stun.tls_quic.tls_supported_versions = ndpi_strdup(version_str);
}
} else if(extension_id == 65486 /* encrypted server name */) {
/*
@@ -1389,7 +1389,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
u_int16_t initial_offset = e_offset;
u_int16_t e_sni_len, cipher_suite = ntohs(*((u_int16_t*)&packet->payload[e_offset]));
- flow->protos.stun_ssl.ssl.encrypted_sni.cipher_suite = cipher_suite;
+ flow->protos.tls_quic_stun.tls_quic.encrypted_sni.cipher_suite = cipher_suite;
e_offset += 2; /* Cipher suite len */
@@ -1411,17 +1411,17 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
printf("Client SSL [Encrypted Server Name len: %u]\n", e_sni_len);
#endif
- if(flow->protos.stun_ssl.ssl.encrypted_sni.esni == NULL) {
- flow->protos.stun_ssl.ssl.encrypted_sni.esni = (char*)ndpi_malloc(e_sni_len*2+1);
+ if(flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni == NULL) {
+ flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni = (char*)ndpi_malloc(e_sni_len*2+1);
- if(flow->protos.stun_ssl.ssl.encrypted_sni.esni) {
+ if(flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni) {
u_int16_t i, off;
for(i=e_offset, off=0; i<(e_offset+e_sni_len); i++) {
- int rc = sprintf(&flow->protos.stun_ssl.ssl.encrypted_sni.esni[off], "%02X", packet->payload[i] & 0XFF);
+ int rc = sprintf(&flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni[off], "%02X", packet->payload[i] & 0XFF);
if(rc <= 0) {
- flow->protos.stun_ssl.ssl.encrypted_sni.esni[off] = '\0';
+ flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni[off] = '\0';
break;
} else
off += rc;
@@ -1547,33 +1547,33 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_MD5Final(md5_hash, &ctx);
for(i=0, j=0; i<16; i++) {
- rc = snprintf(&flow->protos.stun_ssl.ssl.ja3_client[j],
- sizeof(flow->protos.stun_ssl.ssl.ja3_client)-j, "%02x",
+ rc = snprintf(&flow->protos.tls_quic_stun.tls_quic.ja3_client[j],
+ sizeof(flow->protos.tls_quic_stun.tls_quic.ja3_client)-j, "%02x",
md5_hash[i]);
if(rc > 0) j += rc; else break;
}
#ifdef DEBUG_TLS
- printf("[JA3] Client: %s \n", flow->protos.stun_ssl.ssl.ja3_client);
+ printf("[JA3] Client: %s \n", flow->protos.tls_quic_stun.tls_quic.ja3_client);
#endif
}
/* Before returning to the caller we need to make a final check */
- if((flow->protos.stun_ssl.ssl.ssl_version >= 0x0303) /* >= TLSv1.2 */
- && (flow->protos.stun_ssl.ssl.alpn == NULL) /* No ALPN */) {
+ if((flow->protos.tls_quic_stun.tls_quic.ssl_version >= 0x0303) /* >= TLSv1.2 */
+ && (flow->protos.tls_quic_stun.tls_quic.alpn == NULL) /* No ALPN */) {
NDPI_SET_BIT(flow->risk, NDPI_TLS_NOT_CARRYING_HTTPS);
}
/* Suspicious Domain Fronting:
https://github.com/SixGenInc/Noctilucent/blob/master/docs/ */
- if(flow->protos.stun_ssl.ssl.encrypted_sni.esni &&
- flow->protos.stun_ssl.ssl.client_requested_server_name[0] != '\0') {
+ if(flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni &&
+ flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] != '\0') {
NDPI_SET_BIT(flow->risk, NDPI_TLS_SUSPICIOUS_ESNI_USAGE);
}
/* Add check for missing SNI */
- if((flow->protos.stun_ssl.ssl.client_requested_server_name[0] == 0)
- && (flow->protos.stun_ssl.ssl.ssl_version >= 0x0302) /* TLSv1.1 */
- && (flow->protos.stun_ssl.ssl.encrypted_sni.esni == NULL) /* No ESNI */
+ if((flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] == 0)
+ && (flow->protos.tls_quic_stun.tls_quic.ssl_version >= 0x0302) /* TLSv1.1 */
+ && (flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni == NULL) /* No ESNI */
) {
/* This is a bit suspicious */
NDPI_SET_BIT(flow->risk, NDPI_TLS_MISSING_SNI);
@@ -1612,7 +1612,7 @@ static void ndpi_search_tls_wrapper(struct ndpi_detection_module_struct *ndpi_st
__FUNCTION__,
flow->guessed_host_protocol_id,
packet->payload_packet_len,
- flow->protos.stun_ssl.ssl.ssl_version);
+ flow->protos.tls_quic_stun.tls_quic.ssl_version);
#endif
if(packet->udp != NULL)