8 files changed, 96 insertions, 57 deletions
diff --git a/src/include/ndpi_define.h.in b/src/include/ndpi_define.h.in
index edac6f53b..9c1c0c169 100644
--- a/src/include/ndpi_define.h.in
+++ b/src/include/ndpi_define.h.in
@@ -353,6 +353,8 @@
 
 #define NDPI_OPTIMAL_HLL_NUM_BUCKETS           16
 
+#define NDPI_MAX_NUM_DISSECTED_TLS_BLOCKS      32
+
 #ifdef __APPLE__
 
 #include <libkern/OSByteOrder.h>
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 824e2585f..58d7b4885 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -78,6 +78,7 @@ typedef enum {
   NDPI_MALFORMED_PACKET,
   NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER,
   NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER,
+  NDPI_SMB_INSECURE_VERSION,
   
   /* Leave this as last member */
   NDPI_MAX_RISK
@@ -668,7 +669,8 @@ struct ndpi_flow_tcp_struct {
     /* NDPI_PROTOCOL_TLS */
     u_int8_t hello_processed:1, certificate_processed:1, subprotocol_detected:1,
 	fingerprint_set:1, _pad:4;
-    u_int8_t sha1_certificate_fingerprint[20];
+    u_int8_t sha1_certificate_fingerprint[20], num_tls_blocks;
+    u_int16_t tls_blocks_len[NDPI_MAX_NUM_DISSECTED_TLS_BLOCKS];
   } tls;
   
   /* NDPI_PROTOCOL_POSTGRES */
@@ -1005,7 +1007,8 @@ struct ndpi_detection_module_struct {
 
   u_int32_t current_ts;
   u_int32_t ticks_per_second;
-
+  u_int16_t num_tls_blocks_to_follow;
+  
 #ifdef NDPI_ENABLE_DEBUG_MESSAGES
   void *user_data;
 #endif
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index b497bbaf8..3ca766772 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -6368,8 +6368,10 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp
 
   switch(proto) {
   case NDPI_PROTOCOL_TLS:
-    if(!flow->l4.tcp.tls.certificate_processed)
+    if((!flow->l4.tcp.tls.certificate_processed)
+       || (flow->l4.tcp.tls.num_tls_blocks <= ndpi_str->num_tls_blocks_to_follow)) {
       return(1); /* TODO: add check for TLS 1.3 */
+    }
     break;
 
   case NDPI_PROTOCOL_HTTP:
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 2fb3a5d9e..347e65d52 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1530,6 +1530,9 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
   case NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER:
     return("SSH Obsolete Server Version/Cipher");
     
+  case NDPI_SMB_INSECURE_VERSION:
+    return("SMB Insecure Version");
+    
   default:
     snprintf(buf, sizeof(buf), "%d", (int)risk);
     return(buf);
diff --git a/src/lib/protocols/iax.c b/src/lib/protocols/iax.c
index 5e03baf50..09a468950 100644
--- a/src/lib/protocols/iax.c
+++ b/src/lib/protocols/iax.c
@@ -65,17 +65,18 @@ static void ndpi_search_setup_iax(struct ndpi_detection_module_struct *ndpi_stru
       ndpi_int_iax_add_connection(ndpi_struct, flow);
       return;
     }
+
     packet_len = 12;
-    for (i = 0; i < NDPI_IAX_MAX_INFORMATION_ELEMENTS; i++) {
+    for(i = 0; i < NDPI_IAX_MAX_INFORMATION_ELEMENTS; i++) {
+      if (packet_len >= packet->payload_packet_len)
+	break;      
+
       packet_len = packet_len + 2 + packet->payload[packet_len + 1];
-      if (packet_len == packet->payload_packet_len) {
+      if(packet_len == packet->payload_packet_len) {
 	NDPI_LOG_INFO(ndpi_struct, "found IAX\n");
 	ndpi_int_iax_add_connection(ndpi_struct, flow);
 	return;
       }
-      if (packet_len > packet->payload_packet_len) {
-	break;
-      }
     }
 
   }
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index a7873685c..445b33ee6 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
@@ -124,31 +124,34 @@ void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct,
 	     && (packet->payload[i+3] == 0)) {
 	    u_int32_t offset = (*((u_int32_t*)&packet->payload[i+4]));
 	    u_int32_t prev_offset = (*((u_int32_t*)&packet->payload[i-4]));
-	    int len = offset-prev_offset;
-	    int sni_offset = i+prev_offset+1;
 
-	    while((sni_offset < udp_len) && (packet->payload[sni_offset] == '-'))
-	      sni_offset++;
-
-	    if(len > 0 && (sni_offset+len) < udp_len) {
-	      int max_len = sizeof(flow->host_server_name)-1, j = 0;
-	      ndpi_protocol_match_result ret_match;
+	    if(offset > prev_offset) {
+	      u_int32_t len = offset-prev_offset;
+	      u_int32_t sni_offset = i+prev_offset+1;
 	      
-	      if(len > max_len) len = max_len;
+	      while((sni_offset < udp_len) && (packet->payload[sni_offset] == '-'))
+		sni_offset++;
 	      
-	      while((len > 0) && (sni_offset < udp_len)) {
-		flow->host_server_name[j++] = packet->payload[sni_offset];
-		sni_offset++, len--;
+	      if(len > 0 && (sni_offset+len) < udp_len) {
+		u_int32_t max_len = sizeof(flow->host_server_name)-1, j = 0;
+		ndpi_protocol_match_result ret_match;
+		
+		if(len > max_len) len = max_len;
+		
+		while((len > 0) && (sni_offset < udp_len)) {
+		  flow->host_server_name[j++] = packet->payload[sni_offset];
+		  sni_offset++, len--;
+		}
+		
+		ndpi_match_host_subprotocol(ndpi_struct, flow, 
+					    (char *)flow->host_server_name,
+					    strlen((const char*)flow->host_server_name),
+					    &ret_match,
+					    NDPI_PROTOCOL_QUIC);	      
 	      }
 	      
-	      ndpi_match_host_subprotocol(ndpi_struct, flow, 
-					  (char *)flow->host_server_name,
-					  strlen((const char*)flow->host_server_name),
-					  &ret_match,
-					  NDPI_PROTOCOL_QUIC);	      
+	      break;
 	    }
-
-	    break;
 	  }
 	}
       }
diff --git a/src/lib/protocols/smb.c b/src/lib/protocols/smb.c
index a70072853..9a56ead93 100644
--- a/src/lib/protocols/smb.c
+++ b/src/lib/protocols/smb.c
@@ -44,8 +44,9 @@ void ndpi_search_smb_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
       NDPI_LOG_INFO(ndpi_struct, "found SMB\n");
 
       if(memcmp(&packet->payload[4], smbv1, sizeof(smbv1)) == 0) {
-	if(packet->payload[8] != 0x72) /* Skip Negotiate request */ {
+	if(packet->payload[8] != 0x72) /* Skip Negotiate request */ {	  
 	  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV1, NDPI_PROTOCOL_NETBIOS);
+	  NDPI_SET_BIT(flow->risk, NDPI_SMB_INSECURE_VERSION);
 	}
       } else
 	ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV23, NDPI_PROTOCOL_NETBIOS);
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index ed0823547..20ac8c542 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -35,7 +35,7 @@ extern int processClientServerHello(struct ndpi_detection_module_struct *ndpi_st
 
 // #define DEBUG_TLS_MEMORY       1
 // #define DEBUG_TLS              1
-
+// #define DEBUG_TLS_BLOCKS          1
 // #define DEBUG_CERTIFICATE_HASH
 
 /* #define DEBUG_FINGERPRINT      1 */
@@ -512,14 +512,14 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
     NDPI_SET_BIT(flow->risk, NDPI_MALFORMED_PACKET);
     return(-1); /* Invalid length */
   }
-  
+
   certificates_length = (packet->payload[4] << 16) + (packet->payload[5] << 8) + packet->payload[6];
 
   if((packet->payload[4] != 0x0) || ((certificates_length+3) != length)) {
     NDPI_SET_BIT(flow->risk, NDPI_MALFORMED_PACKET);
     return(-2); /* Invalid length */
   }
-  
+
   if(!flow->l4.tcp.tls.srv_cert_fingerprint_ctx) {
     if((flow->l4.tcp.tls.srv_cert_fingerprint_ctx = (void*)ndpi_malloc(sizeof(SHA1_CTX))) == NULL)
       return(-3); /* Not enough memory */
@@ -592,7 +592,10 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
     certificates_offset += certificate_len;
   }
 
-  flow->extra_packets_func = NULL; /* We're good now */
+  if(flow->l4.tcp.tls.num_tls_blocks >= ndpi_struct->num_tls_blocks_to_follow) {
+    flow->extra_packets_func = NULL; /* We're good now */
+  }
+
   return(1);
 }
 
@@ -634,7 +637,7 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
   u_int8_t something_went_wrong = 0;
 
 #ifdef DEBUG_TLS_MEMORY
-  printf("[TLS Mem] ndpi_search_tls_tcp() [payload_packet_len: %u]\n",
+  printf("[TLS Mem] ndpi_search_tls_tcp() Processing new packet [payload_packet_len: %u]\n",
 	 packet->payload_packet_len);
 #endif
 
@@ -677,34 +680,53 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
     /* Overwriting packet payload */
     p = packet->payload, p_len = packet->payload_packet_len; /* Backup */
 
-    /* Split the element in blocks */
-    u_int16_t processed = 5;
+    if((len > 9) && (!flow->l4.tcp.tls.certificate_processed)) {
+      /* Split the element in blocks */
+      u_int16_t processed = 5;
 
-    while((processed+4) < len) {
-      const u_int8_t *block = (const u_int8_t *)&flow->l4.tcp.tls.message.buffer[processed];
-      u_int32_t block_len   = (block[1] << 16) + (block[2] << 8) + block[3];
+      while((processed+4) <= len) {
+	const u_int8_t *block = (const u_int8_t *)&flow->l4.tcp.tls.message.buffer[processed];
+	u_int32_t block_len   = (block[1] << 16) + (block[2] << 8) + block[3];
 
-      if((block_len == 0) || (block_len > len) || ((block[1] != 0x0))) {
-	something_went_wrong = 1;
-	break;
-      }
+	if(/* (block_len == 0) || */ /* Note blocks can have zero lenght */
+	   (block_len > len) || ((block[1] != 0x0))) {
+	  something_went_wrong = 1;
+	  break;
+	}
 
-      packet->payload = block, packet->payload_packet_len = ndpi_min(block_len+4, flow->l4.tcp.tls.message.buffer_used);
+	packet->payload = block, packet->payload_packet_len = ndpi_min(block_len+4, flow->l4.tcp.tls.message.buffer_used);
 
-      if((processed+packet->payload_packet_len) > len) {
-	something_went_wrong = 1;
-	break;
-      }
+	if((processed+packet->payload_packet_len) > len) {
+	  something_went_wrong = 1;
+	  break;
+	}
 
 #ifdef DEBUG_TLS_MEMORY
-      printf("*** [TLS Mem] Processing %u bytes block [%02X %02X %02X %02X %02X]\n",
-	     packet->payload_packet_len,
-	     packet->payload[0], packet->payload[1], packet->payload[2], packet->payload[3], packet->payload[4]);
+	printf("*** [TLS Mem] Processing %u bytes block [%02X %02X %02X %02X %02X]\n",
+	       packet->payload_packet_len,
+	       packet->payload[0], packet->payload[1], packet->payload[2], packet->payload[3], packet->payload[4]);
 #endif
 
+	processTLSBlock(ndpi_struct, flow);
+	if(flow->l4.tcp.tls.num_tls_blocks < ndpi_struct->num_tls_blocks_to_follow)
+	  flow->l4.tcp.tls.tls_blocks_len[flow->l4.tcp.tls.num_tls_blocks++] = packet->payload_packet_len;
+
+#ifdef DEBUG_TLS_BLOCKS
+	printf("*** [TLS Block] [len: %u][num_tls_blocks: %u]\n",
+	       packet->payload_packet_len, flow->l4.tcp.tls.num_tls_blocks);
+#endif
 
-      processTLSBlock(ndpi_struct, flow);
-      processed += packet->payload_packet_len;
+	processed += packet->payload_packet_len;
+      }
+    } else {
+      /* Process element as a whole */
+      if(flow->l4.tcp.tls.num_tls_blocks < ndpi_struct->num_tls_blocks_to_follow)
+	flow->l4.tcp.tls.tls_blocks_len[flow->l4.tcp.tls.num_tls_blocks++] = len-5;
+      
+#ifdef DEBUG_TLS_BLOCKS
+      printf("*** [TLS Block] [len: %u][num_tls_blocks: %u]\n",
+	     len-5, flow->l4.tcp.tls.num_tls_blocks);
+#endif
     }
 
     packet->payload = p, packet->payload_packet_len = p_len; /* Restore */
@@ -723,7 +745,8 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
   }
 
   if(something_went_wrong) {
-    flow->check_extra_packets = 0, flow->extra_packets_func = NULL;
+    flow->check_extra_packets = 0;
+    flow->extra_packets_func = NULL;
     return(0); /* That's all */
   } else
     return(1);
@@ -781,11 +804,12 @@ static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct,
 
 /* **************************************** */
 
-static void tlsInitExtraPacketProcessing(struct ndpi_flow_struct *flow) {
+static void tlsInitExtraPacketProcessing(struct ndpi_detection_module_struct *ndpi_struct,
+					 struct ndpi_flow_struct *flow) {
   flow->check_extra_packets = 1;
 
   /* At most 12 packets should almost always be enough to find the server certificate if it's there */
-  flow->max_extra_packets_to_check = 12;
+  flow->max_extra_packets_to_check = 12 + (ndpi_struct->num_tls_blocks_to_follow*2);
   flow->extra_packets_func = (flow->packet.udp != NULL) ? ndpi_search_tls_udp : ndpi_search_tls_tcp;
 }
 
@@ -800,7 +824,7 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp
   if((flow->detected_protocol_stack[0] == protocol)
      || (flow->detected_protocol_stack[1] == protocol)) {
     if(!flow->check_extra_packets)
-      tlsInitExtraPacketProcessing(flow);
+      tlsInitExtraPacketProcessing(ndpi_struct, flow);
     return;
   }
 
@@ -810,7 +834,7 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp
     protocol = ndpi_tls_refine_master_protocol(ndpi_struct, flow, protocol);
 
   ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_TLS);
-  tlsInitExtraPacketProcessing(flow);
+  tlsInitExtraPacketProcessing(ndpi_struct, flow);
 }
 
 /* **************************************** */