6 files changed, 118 insertions, 18 deletions

diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in
index 9640d3d8b..ed94c5bf3 100644
--- a/src/include/ndpi_api.h.in
+++ b/src/include/ndpi_api.h.in
@@ -1071,7 +1071,10 @@ extern "C" {
   void ndpi_free_bin(struct ndpi_bin *b);
   void ndpi_inc_bin(struct ndpi_bin *b, u_int8_t slot_id); 
   void ndpi_normalize_bin(struct ndpi_bin *b);
+  char* ndpi_print_bin(struct ndpi_bin *b, u_int8_t normalize_first, char *out_buf, u_int out_buf_len);
+  float ndpi_bin_similarity(struct ndpi_bin *b1, struct ndpi_bin *b2, u_int8_t normalize_first);
   
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in
index f69c81946..874cee20c 100644
--- a/src/lib/Makefile.in
+++ b/src/lib/Makefile.in
@@ -54,7 +54,7 @@ $(NDPI_LIB_SHARED): $(OBJECTS)
 	$(CC) $(CFLAGS) -c $< -o $@ $(LDFLAGS)
 
 clean:
-	/bin/rm -f $(NDPI_LIB_STATIC) $(OBJECTS) *.o *.so *.lo $(NDPI_LIB_SHARED)
+	/bin/rm -f $(NDPI_LIB_STATIC) $(OBJECTS) *.o *.so *.lo libndpi.so*
 
 distclean: clean
 	/bin/rm -f Makefile
diff --git a/src/lib/ndpi_analyze.c b/src/lib/ndpi_analyze.c
index e1f37cc8d..4ca3ac25a 100644
--- a/src/lib/ndpi_analyze.c
+++ b/src/lib/ndpi_analyze.c
@@ -125,6 +125,12 @@ float ndpi_data_variance(struct ndpi_analyze_struct *s) {
 
 /* ********************************************************************************* */
 
+/*
+  See the link below for "Population and sample standard deviation review"
+  https://www.khanacademy.org/math/statistics-probability/summarizing-quantitative-data/variance-standard-deviation-sample/a/population-and-sample-standard-deviation-review
+  
+  In nDPI we use an approximate stddev calculation to avoid storing all data in memory
+*/
 /* Compute the standard deviation on all values */
 float ndpi_data_stddev(struct ndpi_analyze_struct *s) {
   return(sqrt(ndpi_data_variance(s)));
@@ -260,6 +266,8 @@ int ndpi_init_bin(struct ndpi_bin *b, enum ndpi_bin_family f, u_int8_t num_bins)
   return(0);
 }
 
+/* ********************************************************************************* */
+
 void ndpi_free_bin(struct ndpi_bin *b) {
   switch(b->family) {
   case ndpi_bin_family8:
@@ -274,6 +282,8 @@ void ndpi_free_bin(struct ndpi_bin *b) {
   }
 }
 
+/* ********************************************************************************* */
+
 void ndpi_inc_bin(struct ndpi_bin *b, u_int8_t slot_id) {
   if(slot_id >= b->num_bins) slot_id = 0;
 
@@ -292,6 +302,8 @@ void ndpi_inc_bin(struct ndpi_bin *b, u_int8_t slot_id) {
   }
 }
 
+/* ********************************************************************************* */
+
 /*
   Each bin slot is transformed in a % with respect to the value total
  */
@@ -316,3 +328,87 @@ void ndpi_normalize_bin(struct ndpi_bin *b) {
   }
 }
 
+/* ********************************************************************************* */
+
+char* ndpi_print_bin(struct ndpi_bin *b, u_int8_t normalize_first, char *out_buf, u_int out_buf_len) {
+  u_int8_t i;
+  u_int len = 0;
+
+  if(!out_buf) return(out_buf); else out_buf[0] = '\0';
+  
+  if(normalize_first)
+    ndpi_normalize_bin(b);
+  
+  switch(b->family) {
+  case ndpi_bin_family8:
+    for(i=0; i<b->num_bins; i++) {
+      int rc = snprintf(&out_buf[len], out_buf_len-len, "%s%u", (i > 0) ? "," : "", b->u.bins8[i]);
+
+      if(rc < 0) break;
+      len += rc;
+    }
+    break;
+    
+  case ndpi_bin_family16:
+    for(i=0; i<b->num_bins; i++) {
+      int rc = snprintf(&out_buf[len], out_buf_len-len, "%s%u", (i > 0) ? "," : "", b->u.bins16[i]);
+
+      if(rc < 0) break;
+      len += rc;
+    }
+    break;
+    
+  case ndpi_bin_family32:
+    for(i=0; i<b->num_bins; i++) {
+      int rc = snprintf(&out_buf[len], out_buf_len-len, "%s%u", (i > 0) ? "," : "", b->u.bins32[i]);
+      
+      if(rc < 0) break;
+      len += rc;
+    }
+    break;
+  }
+  
+  return(out_buf);
+}
+
+/* ********************************************************************************* */
+
+/* 
+   Determines how similar are two bins
+
+   0 = Very differet
+   ... (gray zone)
+   1 = Alike
+
+   See https://en.wikipedia.org/wiki/Cosine_similarity for more details
+*/
+float ndpi_bin_similarity(struct ndpi_bin *b1, struct ndpi_bin *b2, u_int8_t normalize_first) {
+  u_int8_t i;
+  u_int32_t sumxx = 0, sumxy = 0, sumyy = 0;
+    
+  if((b1->num_incs == 0) || (b2->num_incs == 0)
+     || (b1->family != b2->family) || (b1->num_bins != b2->num_bins))
+    return(0);
+
+  if(normalize_first)
+    ndpi_normalize_bin(b1), ndpi_normalize_bin(b2);
+  
+  switch(b1->family) {
+  case ndpi_bin_family8:
+    for(i=0; i<b1->num_bins; i++)
+      sumxx += b1->u.bins8[i] * b1->u.bins8[i], sumyy += b2->u.bins8[i] * b2->u.bins8[i], sumxy += b1->u.bins8[i] * b2->u.bins8[i];
+    break;
+  case ndpi_bin_family16:
+    for(i=0; i<b1->num_bins; i++)
+      sumxx += b1->u.bins16[i] * b1->u.bins16[i], sumyy += b2->u.bins16[i] * b2->u.bins16[i], sumxy += b1->u.bins16[i] * b2->u.bins16[i];
+    break;
+  case ndpi_bin_family32:
+    for(i=0; i<b1->num_bins; i++)
+      sumxx += b1->u.bins32[i] * b1->u.bins32[i], sumyy += b2->u.bins32[i] * b2->u.bins32[i], sumxy += b1->u.bins32[i] * b2->u.bins32[i];
+    break;
+  }
+
+  return((float)sumxy / sqrt((float)(sumxx * sumyy)));
+}
+  
+/* ********************************************************************************* */
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 82a77183a..4ad5c5598 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -909,7 +909,7 @@ static ndpi_network host_protocol_list[] = {
 
 
   /* Teamviewer 159.122.189.32-63 */
-  { 0x9F7ABD30 /* 159.122.189.32 */, 21, NDPI_PROTOCOL_TEAMVIEWER },
+  { 0x9F7ABD20 /* 159.122.189.32 */, 27, NDPI_PROTOCOL_TEAMVIEWER },
 
 #if 0
   /*
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 957e3b763..7715f0460 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -275,7 +275,7 @@ u_int8_t ndpi_is_subprotocol_informative(struct ndpi_detection_module_struct *nd
   if(protoId >= NDPI_MAX_SUPPORTED_PROTOCOLS + NDPI_MAX_NUM_CUSTOM_PROTOCOLS)
     return(0);
 
-  switch (protoId) {
+  switch(protoId) {
     /* All dissectors that have calls to ndpi_match_host_subprotocol() */
   case NDPI_PROTOCOL_DNS:
     return(1);
@@ -588,7 +588,7 @@ static void init_string_based_protocols(struct ndpi_detection_module_struct *ndp
 
 int ndpi_set_detection_preferences(struct ndpi_detection_module_struct *ndpi_str, ndpi_detection_preference pref,
                                    int value) {
-  switch (pref) {
+  switch(pref) {
   case ndpi_pref_direction_detect_disable:
     ndpi_str->direction_detect_disable = (u_int8_t) value;
     break;
@@ -2028,7 +2028,7 @@ void ndpi_finalize_initalization(struct ndpi_detection_module_struct *ndpi_str)
   for (i = 0; i < 4; i++) {
     ndpi_automa *automa;
 
-    switch (i) {
+    switch(i) {
     case 0:
       automa = &ndpi_str->host_automa;
       break;
@@ -2376,7 +2376,7 @@ static ndpi_default_ports_tree_node_t *ndpi_get_guessed_protocol_id(struct ndpi_
   as they have been excluded
 */
 u_int8_t is_udp_guessable_protocol(u_int16_t l7_guessed_proto) {
-  switch (l7_guessed_proto) {
+  switch(l7_guessed_proto) {
   case NDPI_PROTOCOL_QUIC:
   case NDPI_PROTOCOL_SNMP:
   case NDPI_PROTOCOL_NETFLOW:
@@ -2412,7 +2412,7 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str,
   } else {
     /* No TCP/UDP */
 
-    switch (proto) {
+    switch(proto) {
     case NDPI_IPSEC_PROTOCOL_ESP:
     case NDPI_IPSEC_PROTOCOL_AH:
       return(NDPI_PROTOCOL_IP_IPSEC);
@@ -2421,7 +2421,7 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str,
       return(NDPI_PROTOCOL_IP_GRE);
       break;
     case NDPI_ICMP_PROTOCOL_TYPE:
-      {
+      if(flow) {
 	/* Run some basic consistency tests */
 
 	if(flow->packet.payload_packet_len < sizeof(struct ndpi_icmphdr))
@@ -2454,7 +2454,7 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str,
       return(NDPI_PROTOCOL_IP_IP_IN_IP);
       break;
     case NDPI_ICMPV6_PROTOCOL_TYPE:
-      {
+      if(flow) {
 	/* Run some basic consistency tests */
 
 	if(flow->packet.payload_packet_len < sizeof(struct ndpi_icmphdr))
@@ -2518,7 +2518,7 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_str, char *rule,
     at[0] = 0, proto = &at[1];
 
   for (i = 0; proto[i] != '\0'; i++) {
-    switch (proto[i]) {
+    switch(proto[i]) {
     case '/':
     case '&':
     case '^':
@@ -5711,7 +5711,7 @@ char *ndpi_protocol2name(struct ndpi_detection_module_struct *ndpi_str,
 /* ****************************************************** */
 
 int ndpi_is_custom_category(ndpi_protocol_category_t category) {
-  switch (category) {
+  switch(category) {
   case NDPI_PROTOCOL_CATEGORY_CUSTOM_1:
   case NDPI_PROTOCOL_CATEGORY_CUSTOM_2:
   case NDPI_PROTOCOL_CATEGORY_CUSTOM_3:
@@ -5734,7 +5734,7 @@ void ndpi_category_set_name(struct ndpi_detection_module_struct *ndpi_str,
   if(!name)
     return;
 
-  switch (category) {
+  switch(category) {
   case NDPI_PROTOCOL_CATEGORY_CUSTOM_1:
     snprintf(ndpi_str->custom_category_labels[0], CUSTOM_CATEGORY_LABEL_LEN, "%s", name);
     break;
@@ -5775,7 +5775,7 @@ const char *ndpi_category_get_name(struct ndpi_detection_module_struct *ndpi_str
   }
 
   if((category >= NDPI_PROTOCOL_CATEGORY_CUSTOM_1) && (category <= NDPI_PROTOCOL_CATEGORY_CUSTOM_5)) {
-    switch (category) {
+    switch(category) {
     case NDPI_PROTOCOL_CATEGORY_CUSTOM_1:
       return(ndpi_str->custom_category_labels[0]);
     case NDPI_PROTOCOL_CATEGORY_CUSTOM_2:
@@ -5841,7 +5841,7 @@ ndpi_protocol_breed_t ndpi_get_proto_breed(struct ndpi_detection_module_struct *
 
 char *ndpi_get_proto_breed_name(struct ndpi_detection_module_struct *ndpi_str,
 				ndpi_protocol_breed_t breed_id) {
-  switch (breed_id) {
+  switch(breed_id) {
   case NDPI_PROTOCOL_SAFE:
     return("Safe");
     break;
@@ -6009,7 +6009,7 @@ static u_int8_t ndpi_is_more_generic_protocol(u_int16_t previous_proto, u_int16_
   if((previous_proto == NDPI_PROTOCOL_UNKNOWN) || (previous_proto == new_proto))
     return(0);
 
-  switch (previous_proto) {
+  switch(previous_proto) {
   case NDPI_PROTOCOL_WHATSAPP_CALL:
   case NDPI_PROTOCOL_WHATSAPP_FILES:
     if(new_proto == NDPI_PROTOCOL_WHATSAPP)
@@ -6353,7 +6353,7 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp
 	 proto);
 #endif
 
-  switch (proto) {
+  switch(proto) {
   case NDPI_PROTOCOL_TLS:
     if(!flow->l4.tcp.tls.certificate_processed)
       return(1); /* TODO: add check for TLS 1.3 */
@@ -6394,7 +6394,7 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp
 /* ******************************************************************** */
 
 const char *ndpi_get_l4_proto_name(ndpi_l4_proto_info proto) {
-  switch (proto) {
+  switch(proto) {
   case ndpi_l4_proto_unknown:
     return("");
     break;
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 007931e19..830232554 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1298,7 +1298,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 		    e_sni_len = ntohs(*((u_int16_t*)&packet->payload[e_offset]));
 		    e_offset += 2;
 
-		    if((e_offset+e_sni_len-extension_len-initial_offset) >= 0) {
+		    if((e_offset+e_sni_len-extension_len-initial_offset) >= 0 &&
+		        e_offset+e_sni_len < packet->payload_packet_len) {
 #ifdef DEBUG_ENCRYPTED_SNI
 		      printf("Client SSL [Encrypted Server Name len: %u]\n", e_sni_len);
 #endif