Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_define.h.in2
-rw-r--r--src/include/ndpi_typedefs.h7
-rw-r--r--src/lib/ndpi_main.c4
-rw-r--r--src/lib/ndpi_utils.c3
-rw-r--r--src/lib/protocols/iax.c11
-rw-r--r--src/lib/protocols/quic.c41
-rw-r--r--src/lib/protocols/smb.c3
-rw-r--r--src/lib/protocols/tls.c82
8 files changed, 96 insertions, 57 deletions
diff --git a/src/include/ndpi_define.h.in b/src/include/ndpi_define.h.in
index edac6f53b..9c1c0c169 100644
--- a/src/include/ndpi_define.h.in
+++ b/src/include/ndpi_define.h.in
@@ -353,6 +353,8 @@
#define NDPI_OPTIMAL_HLL_NUM_BUCKETS 16
+#define NDPI_MAX_NUM_DISSECTED_TLS_BLOCKS 32
+
#ifdef __APPLE__
#include <libkern/OSByteOrder.h>
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 824e2585f..58d7b4885 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -78,6 +78,7 @@ typedef enum {
NDPI_MALFORMED_PACKET,
NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER,
NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER,
+ NDPI_SMB_INSECURE_VERSION,
/* Leave this as last member */
NDPI_MAX_RISK
@@ -668,7 +669,8 @@ struct ndpi_flow_tcp_struct {
/* NDPI_PROTOCOL_TLS */
u_int8_t hello_processed:1, certificate_processed:1, subprotocol_detected:1,
fingerprint_set:1, _pad:4;
- u_int8_t sha1_certificate_fingerprint[20];
+ u_int8_t sha1_certificate_fingerprint[20], num_tls_blocks;
+ u_int16_t tls_blocks_len[NDPI_MAX_NUM_DISSECTED_TLS_BLOCKS];
} tls;
/* NDPI_PROTOCOL_POSTGRES */
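Review bot: The new `num_tls_blocks` / `tls_blocks_len` pair carries an invariant that the header does not state: `num_tls_blocks` is the count of valid entries and must stay at or below NDPI_MAX_NUM_DISSECTED_TLS_BLOCKS, the array's size, independently of whatever `num_tls_blocks_to_follow` is configured to. A comment on the added array line would make that explicit, e.g. `u_int16_t tls_blocks_len[NDPI_MAX_NUM_DISSECTED_TLS_BLOCKS]; /* first num_tls_blocks entries valid; writers bound num_tls_blocks by the array size, not only by num_tls_blocks_to_follow */`. The 8-bit `num_tls_blocks` is enough for 32 entries but wraps silently if the constant is ever raised past 255; a compile-time check tying the two together would catch that. The enclosing struct definition starts and ends outside the hunk.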
@@ -1005,7 +1007,8 @@ struct ndpi_detection_module_struct {
u_int32_t current_ts;
u_int32_t ticks_per_second;
-
+ u_int16_t num_tls_blocks_to_follow;
+
#ifdef NDPI_ENABLE_DEBUG_MESSAGES
void *user_data;
#endif
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index b497bbaf8..3ca766772 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -6368,8 +6368,10 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp
switch(proto) {
case NDPI_PROTOCOL_TLS:
- if(!flow->l4.tcp.tls.certificate_processed)
+ if((!flow->l4.tcp.tls.certificate_processed)
+ || (flow->l4.tcp.tls.num_tls_blocks <= ndpi_str->num_tls_blocks_to_follow)) {
return(1); /* TODO: add check for TLS 1.3 */
+ }
break;
case NDPI_PROTOCOL_HTTP:
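Review bot: The added comparison on the second `+` line uses `<=`, while processCertificate in tls.c (hunk `@@ -592,7 +592,10 @@`) stops extra processing with `>=`; the two disagree at `num_tls_blocks == num_tls_blocks_to_follow`, where this function still reports extra dissection as possible but the TLS dissector has already dropped `extra_packets_func`. Since the tls.c loop only appends while `num_tls_blocks < num_tls_blocks_to_follow`, equality is the terminal state, so `<=` keeps returning 1 until `max_extra_packets_to_check` is exhausted; with `num_tls_blocks_to_follow` at 0 (plausibly its value after zero-initialisation, which this diff does not show) the condition is always true and the pre-existing `certificate_processed` short-circuit is lost. Change it to `|| (flow->l4.tcp.tls.num_tls_blocks < ndpi_str->num_tls_blocks_to_follow)) {` so both sides agree. ndpi_extra_dissection_possible continues outside the hunk.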
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 2fb3a5d9e..347e65d52 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1530,6 +1530,9 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
case NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER:
return("SSH Obsolete Server Version/Cipher");
+ case NDPI_SMB_INSECURE_VERSION:
+ return("SMB Insecure Version");
+
default:
snprintf(buf, sizeof(buf), "%d", (int)risk);
return(buf);
diff --git a/src/lib/protocols/iax.c b/src/lib/protocols/iax.c
index 5e03baf50..09a468950 100644
--- a/src/lib/protocols/iax.c
+++ b/src/lib/protocols/iax.c
@@ -65,17 +65,18 @@ static void ndpi_search_setup_iax(struct ndpi_detection_module_struct *ndpi_stru
ndpi_int_iax_add_connection(ndpi_struct, flow);
return;
}
+
packet_len = 12;
- for (i = 0; i < NDPI_IAX_MAX_INFORMATION_ELEMENTS; i++) {
+ for(i = 0; i < NDPI_IAX_MAX_INFORMATION_ELEMENTS; i++) {
+ if (packet_len >= packet->payload_packet_len)
+ break;
+
packet_len = packet_len + 2 + packet->payload[packet_len + 1];
- if (packet_len == packet->payload_packet_len) {
+ if(packet_len == packet->payload_packet_len) {
NDPI_LOG_INFO(ndpi_struct, "found IAX\n");
ndpi_int_iax_add_connection(ndpi_struct, flow);
return;
}
- if (packet_len > packet->payload_packet_len) {
- break;
- }
}
}
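Review bot: The new guard `if (packet_len >= packet->payload_packet_len) break;` still lets the following line read `packet->payload[packet_len + 1]` when `packet_len == payload_packet_len - 1`, one byte past the payload. The element header needs two bytes in range, so the check should be `if (packet_len + 2 > packet->payload_packet_len) break;`. If `packet_len` is declared as a narrow unsigned type (its declaration is above the hunk), the `+ 2 + payload[...]` accumulation can also wrap and slip past the test; declaring it as an int or u_int32_t removes that case. ndpi_search_setup_iax starts before the hunk.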
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index a7873685c..445b33ee6 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
@@ -124,31 +124,34 @@ void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct,
&& (packet->payload[i+3] == 0)) {
u_int32_t offset = (*((u_int32_t*)&packet->payload[i+4]));
u_int32_t prev_offset = (*((u_int32_t*)&packet->payload[i-4]));
- int len = offset-prev_offset;
- int sni_offset = i+prev_offset+1;
- while((sni_offset < udp_len) && (packet->payload[sni_offset] == '-'))
- sni_offset++;
-
- if(len > 0 && (sni_offset+len) < udp_len) {
- int max_len = sizeof(flow->host_server_name)-1, j = 0;
- ndpi_protocol_match_result ret_match;
+ if(offset > prev_offset) {
+ u_int32_t len = offset-prev_offset;
+ u_int32_t sni_offset = i+prev_offset+1;
- if(len > max_len) len = max_len;
+ while((sni_offset < udp_len) && (packet->payload[sni_offset] == '-'))
+ sni_offset++;
- while((len > 0) && (sni_offset < udp_len)) {
- flow->host_server_name[j++] = packet->payload[sni_offset];
- sni_offset++, len--;
+ if(len > 0 && (sni_offset+len) < udp_len) {
+ u_int32_t max_len = sizeof(flow->host_server_name)-1, j = 0;
+ ndpi_protocol_match_result ret_match;
+
+ if(len > max_len) len = max_len;
+
+ while((len > 0) && (sni_offset < udp_len)) {
+ flow->host_server_name[j++] = packet->payload[sni_offset];
+ sni_offset++, len--;
+ }
+
+ ndpi_match_host_subprotocol(ndpi_struct, flow,
+ (char *)flow->host_server_name,
+ strlen((const char*)flow->host_server_name),
+ &ret_match,
+ NDPI_PROTOCOL_QUIC);
}
- ndpi_match_host_subprotocol(ndpi_struct, flow,
- (char *)flow->host_server_name,
- strlen((const char*)flow->host_server_name),
- &ret_match,
- NDPI_PROTOCOL_QUIC);
+ break;
}
-
- break;
}
}
}
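Review bot: `offset` and `prev_offset` come straight from the packet, so the new unsigned arithmetic `i+prev_offset+1` and `(sni_offset+len) < udp_len` can wrap in 32 bits and let the range check pass for values nowhere near the payload; the later `sni_offset < udp_len` loop test keeps every access in bounds, so the effect is a wrong SNI extraction rather than a memory fault, but the guard does not do what it appears to do. Bounding both inputs against `udp_len` before deriving anything from them closes it, e.g. `if((offset > prev_offset) && (prev_offset < udp_len) && ((offset - prev_offset) < udp_len)) {` in place of the new `if(offset > prev_offset) {`. The copy into `host_server_name` never writes a terminator before `strlen()` is called on it; that predates this change and is fine only if the field is zeroed when the flow is created, which is not visible here. ndpi_search_quic starts before the hunk.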
diff --git a/src/lib/protocols/smb.c b/src/lib/protocols/smb.c
index a70072853..9a56ead93 100644
--- a/src/lib/protocols/smb.c
+++ b/src/lib/protocols/smb.c
@@ -44,8 +44,9 @@ void ndpi_search_smb_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
NDPI_LOG_INFO(ndpi_struct, "found SMB\n");
if(memcmp(&packet->payload[4], smbv1, sizeof(smbv1)) == 0) {
- if(packet->payload[8] != 0x72) /* Skip Negotiate request */ {
+ if(packet->payload[8] != 0x72) /* Skip Negotiate request */ {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV1, NDPI_PROTOCOL_NETBIOS);
+ NDPI_SET_BIT(flow->risk, NDPI_SMB_INSECURE_VERSION);
}
} else
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV23, NDPI_PROTOCOL_NETBIOS);
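Review bot: The new `NDPI_SET_BIT(flow->risk, NDPI_SMB_INSECURE_VERSION)` sits only on the branch that also sets NDPI_PROTOCOL_SMBV1, so the risk is raised exactly when SMBv1 is detected and never for a flow that shows only the skipped Negotiate request; that is coherent, but nothing says so. A comment on the added line such as `/* SMBv1 detected: flag the flow as insecure (Negotiate-only flows are skipped above) */` would record the intent. The `/* Skip Negotiate request */` comment wedged between the condition and the `{` is easy to misread as part of the condition; moving it onto its own line above the `if` would help. ndpi_search_smb_tcp starts and ends outside the hunk.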
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index ed0823547..20ac8c542 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -35,7 +35,7 @@ extern int processClientServerHello(struct ndpi_detection_module_struct *ndpi_st
// #define DEBUG_TLS_MEMORY 1
// #define DEBUG_TLS 1
-
+// #define DEBUG_TLS_BLOCKS 1
// #define DEBUG_CERTIFICATE_HASH
/* #define DEBUG_FINGERPRINT 1 */
@@ -512,14 +512,14 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_SET_BIT(flow->risk, NDPI_MALFORMED_PACKET);
return(-1); /* Invalid length */
}
-
+
certificates_length = (packet->payload[4] << 16) + (packet->payload[5] << 8) + packet->payload[6];
if((packet->payload[4] != 0x0) || ((certificates_length+3) != length)) {
NDPI_SET_BIT(flow->risk, NDPI_MALFORMED_PACKET);
return(-2); /* Invalid length */
}
-
+
if(!flow->l4.tcp.tls.srv_cert_fingerprint_ctx) {
if((flow->l4.tcp.tls.srv_cert_fingerprint_ctx = (void*)ndpi_malloc(sizeof(SHA1_CTX))) == NULL)
return(-3); /* Not enough memory */
@@ -592,7 +592,10 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
certificates_offset += certificate_len;
}
- flow->extra_packets_func = NULL; /* We're good now */
+ if(flow->l4.tcp.tls.num_tls_blocks >= ndpi_struct->num_tls_blocks_to_follow) {
+ flow->extra_packets_func = NULL; /* We're good now */
+ }
+
return(1);
}
@@ -634,7 +637,7 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
u_int8_t something_went_wrong = 0;
#ifdef DEBUG_TLS_MEMORY
- printf("[TLS Mem] ndpi_search_tls_tcp() [payload_packet_len: %u]\n",
+ printf("[TLS Mem] ndpi_search_tls_tcp() Processing new packet [payload_packet_len: %u]\n",
packet->payload_packet_len);
#endif
@@ -677,34 +680,53 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
/* Overwriting packet payload */
p = packet->payload, p_len = packet->payload_packet_len; /* Backup */
- /* Split the element in blocks */
- u_int16_t processed = 5;
+ if((len > 9) && (!flow->l4.tcp.tls.certificate_processed)) {
+ /* Split the element in blocks */
+ u_int16_t processed = 5;
- while((processed+4) < len) {
- const u_int8_t *block = (const u_int8_t *)&flow->l4.tcp.tls.message.buffer[processed];
- u_int32_t block_len = (block[1] << 16) + (block[2] << 8) + block[3];
+ while((processed+4) <= len) {
+ const u_int8_t *block = (const u_int8_t *)&flow->l4.tcp.tls.message.buffer[processed];
+ u_int32_t block_len = (block[1] << 16) + (block[2] << 8) + block[3];
- if((block_len == 0) || (block_len > len) || ((block[1] != 0x0))) {
- something_went_wrong = 1;
- break;
- }
+ if(/* (block_len == 0) || */ /* Note blocks can have zero lenght */
+ (block_len > len) || ((block[1] != 0x0))) {
+ something_went_wrong = 1;
+ break;
+ }
- packet->payload = block, packet->payload_packet_len = ndpi_min(block_len+4, flow->l4.tcp.tls.message.buffer_used);
+ packet->payload = block, packet->payload_packet_len = ndpi_min(block_len+4, flow->l4.tcp.tls.message.buffer_used);
- if((processed+packet->payload_packet_len) > len) {
- something_went_wrong = 1;
- break;
- }
+ if((processed+packet->payload_packet_len) > len) {
+ something_went_wrong = 1;
+ break;
+ }
#ifdef DEBUG_TLS_MEMORY
- printf("*** [TLS Mem] Processing %u bytes block [%02X %02X %02X %02X %02X]\n",
- packet->payload_packet_len,
- packet->payload[0], packet->payload[1], packet->payload[2], packet->payload[3], packet->payload[4]);
+ printf("*** [TLS Mem] Processing %u bytes block [%02X %02X %02X %02X %02X]\n",
+ packet->payload_packet_len,
+ packet->payload[0], packet->payload[1], packet->payload[2], packet->payload[3], packet->payload[4]);
#endif
+ processTLSBlock(ndpi_struct, flow);
+ if(flow->l4.tcp.tls.num_tls_blocks < ndpi_struct->num_tls_blocks_to_follow)
+ flow->l4.tcp.tls.tls_blocks_len[flow->l4.tcp.tls.num_tls_blocks++] = packet->payload_packet_len;
+
+#ifdef DEBUG_TLS_BLOCKS
+ printf("*** [TLS Block] [len: %u][num_tls_blocks: %u]\n",
+ packet->payload_packet_len, flow->l4.tcp.tls.num_tls_blocks);
+#endif
- processTLSBlock(ndpi_struct, flow);
- processed += packet->payload_packet_len;
+ processed += packet->payload_packet_len;
+ }
+ } else {
+ /* Process element as a whole */
+ if(flow->l4.tcp.tls.num_tls_blocks < ndpi_struct->num_tls_blocks_to_follow)
+ flow->l4.tcp.tls.tls_blocks_len[flow->l4.tcp.tls.num_tls_blocks++] = len-5;
+
+#ifdef DEBUG_TLS_BLOCKS
+ printf("*** [TLS Block] [len: %u][num_tls_blocks: %u]\n",
+ len-5, flow->l4.tcp.tls.num_tls_blocks);
+#endif
}
packet->payload = p, packet->payload_packet_len = p_len; /* Restore */
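Review bot: Both new writes `tls_blocks_len[flow->l4.tcp.tls.num_tls_blocks++] = ...` (in the block loop and in the new `else` branch) are bounded only by `ndpi_struct->num_tls_blocks_to_follow`, a u_int16_t that nothing in this diff clamps to NDPI_MAX_NUM_DISSECTED_TLS_BLOCKS, the size of `tls_blocks_len`; a configured value above 32 turns the per-packet record into a write past the array inside the flow struct, and above 255 the u_int8_t counter wraps. Guard both with the array size as well, `if(flow->l4.tcp.tls.num_tls_blocks < ndpi_min(ndpi_struct->num_tls_blocks_to_follow, NDPI_MAX_NUM_DISSECTED_TLS_BLOCKS))`, or clamp `num_tls_blocks_to_follow` wherever it is set (not visible here) and say so in a comment next to the field. In the `else` branch `len-5` is stored without checking `len >= 5`; whether `len` can be that small at this point depends on code above the hunk, and if it can the stored length wraps. ndpi_search_tls_tcp starts and ends outside the hunk.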
@@ -723,7 +745,8 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
}
if(something_went_wrong) {
- flow->check_extra_packets = 0, flow->extra_packets_func = NULL;
+ flow->check_extra_packets = 0;
+ flow->extra_packets_func = NULL;
return(0); /* That's all */
} else
return(1);
@@ -781,11 +804,12 @@ static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct,
/* **************************************** */
-static void tlsInitExtraPacketProcessing(struct ndpi_flow_struct *flow) {
+static void tlsInitExtraPacketProcessing(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
flow->check_extra_packets = 1;
/* At most 12 packets should almost always be enough to find the server certificate if it's there */
- flow->max_extra_packets_to_check = 12;
+ flow->max_extra_packets_to_check = 12 + (ndpi_struct->num_tls_blocks_to_follow*2);
flow->extra_packets_func = (flow->packet.udp != NULL) ? ndpi_search_tls_udp : ndpi_search_tls_tcp;
}
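Review bot: `12 + (ndpi_struct->num_tls_blocks_to_follow*2)` is unbounded on the right: `num_tls_blocks_to_follow` is a u_int16_t, so the sum can reach 131082, and if `max_extra_packets_to_check` is a narrower field (its type is not in this diff) the assignment truncates and the extra-packet budget becomes smaller than intended; it also scales per-flow work by a configuration value with no ceiling. Capping the term, e.g. `flow->max_extra_packets_to_check = 12 + (ndpi_min(ndpi_struct->num_tls_blocks_to_follow, NDPI_MAX_NUM_DISSECTED_TLS_BLOCKS)*2);`, keeps it at most 76 and matches the bound the `tls_blocks_len` array imposes anyway.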
@@ -800,7 +824,7 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp
if((flow->detected_protocol_stack[0] == protocol)
|| (flow->detected_protocol_stack[1] == protocol)) {
if(!flow->check_extra_packets)
- tlsInitExtraPacketProcessing(flow);
+ tlsInitExtraPacketProcessing(ndpi_struct, flow);
return;
}
@@ -810,7 +834,7 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp
protocol = ndpi_tls_refine_master_protocol(ndpi_struct, flow, protocol);
ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_TLS);
- tlsInitExtraPacketProcessing(flow);
+ tlsInitExtraPacketProcessing(ndpi_struct, flow);
}
/* **************************************** */