Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_api.h8
-rw-r--r--src/include/ndpi_protocol_ids.h4
-rw-r--r--src/include/ndpi_protocols.h2
-rw-r--r--src/include/ndpi_typedefs.h28
-rw-r--r--src/lib/ndpi_main.c48
-rw-r--r--src/lib/ndpi_utils.c18
-rw-r--r--src/lib/protocols/directconnect.c32
-rw-r--r--src/lib/protocols/mail_imap.c2
-rw-r--r--src/lib/protocols/msn.c12
-rw-r--r--src/lib/protocols/oscar.c2
-rw-r--r--src/lib/protocols/rtp.c2
-rw-r--r--src/lib/protocols/stun.c34
-rw-r--r--src/lib/protocols/tls.c (renamed from src/lib/protocols/ssl.c)401
-rw-r--r--src/lib/protocols/tor.c2
-rw-r--r--src/lib/protocols/yahoo.c2
15 files changed, 340 insertions, 257 deletions
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
index a3d7d1bcd..b9f3aa682 100644
--- a/src/include/ndpi_api.h
+++ b/src/include/ndpi_api.h
@@ -681,12 +681,12 @@ extern "C" {
*
* @par ndpi_struct = the detection module
* @par flow = the detected flow
- * @par certificate = the ssl certificate
+ * @par certificate = the tls certificate
* @return 1 if the flow is TOR;
* 0 else
*
*/
- int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct,
+ int ndpi_is_tls_tor(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow, char *certificate);
/* Wrappers functions */
@@ -807,7 +807,7 @@ extern "C" {
u_int16_t src_port, u_int16_t dst_port, u_int8_t icmp_type, u_int8_t icmp_code,
u_char *hash_buf, u_int8_t hash_buf_len);
- u_int8_t ndpi_is_safe_ssl_cipher(u_int32_t cipher);
+ u_int8_t ndpi_is_safe_tls_cipher(u_int32_t cipher);
const char* ndpi_cipher2str(u_int32_t cipher);
u_int16_t ndpi_guess_host_protocol_id(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow);
@@ -815,7 +815,7 @@ extern "C" {
char *buffer, u_int buffer_size,
u_int8_t min_string_match_len, /* Will return 0 if no string > min_string_match_len have been found */
char *outbuf, u_int outbuf_len);
- char* ndpi_ssl_version2str(u_int16_t version);
+ char* ndpi_tls_version2str(u_int16_t version);
/* Serializer */
int ndpi_init_serializer(ndpi_serializer *serializer, ndpi_serialization_format fmt);
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index 4a1aa5f7f..a7e496a2d 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -98,7 +98,7 @@ typedef enum {
NDPI_PROTOCOL_QQLIVE = 61,
NDPI_PROTOCOL_THUNDER = 62,
NDPI_PROTOCOL_SOULSEEK = 63,
- NDPI_PROTOCOL_SSL_NO_CERT = 64,
+ NDPI_PROTOCOL_TLS_NO_CERT = 64,
NDPI_PROTOCOL_IRC = 65,
NDPI_PROTOCOL_AYIYA = 66,
NDPI_PROTOCOL_UNENCRYPTED_JABBER = 67,
@@ -125,7 +125,7 @@ typedef enum {
NDPI_PROTOCOL_RDP = 88,
NDPI_PROTOCOL_VNC = 89,
NDPI_PROTOCOL_PCANYWHERE = 90,
- NDPI_PROTOCOL_SSL = 91,
+ NDPI_PROTOCOL_TLS = 91,
NDPI_PROTOCOL_SSH = 92,
NDPI_PROTOCOL_USENET = 93,
NDPI_PROTOCOL_MGCP = 94,
diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h
index 01afada71..67cf6d4de 100644
--- a/src/include/ndpi_protocols.h
+++ b/src/include/ndpi_protocols.h
@@ -311,7 +311,7 @@ void init_soulseek_dissector(struct ndpi_detection_module_struct *ndpi_struct, u
void init_socks_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_spotify_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_ssh_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
-void init_ssl_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
+void init_tls_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_starcraft_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_stealthnet_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_steam_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index eb9130585..305e3d032 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -466,7 +466,7 @@ struct ndpi_id_struct {
/* NDPI_PROTOCOL_DIRECTCONNECT */
u_int16_t detected_directconnect_port;
u_int16_t detected_directconnect_udp_port;
- u_int16_t detected_directconnect_ssl_port;
+ u_int16_t detected_directconnect_tls_port;
/* NDPI_PROTOCOL_BITTORRENT */
#define NDPI_BT_PORTS 8
@@ -492,7 +492,7 @@ struct ndpi_id_struct {
u_int8_t irc_number_of_port;
/* NDPI_PROTOCOL_OSCAR */
- u_int8_t oscar_ssl_session_id[33];
+ u_int8_t oscar_tls_session_id[33];
/* NDPI_PROTOCOL_UNENCRYPTED_JABBER */
u_int8_t jabber_voice_stun_used_ports;
@@ -573,7 +573,7 @@ struct ndpi_flow_tcp_struct {
/* NDPI_PROTOCOL_MSN */
u_int32_t msn_stage:3;
- u_int32_t msn_ssl_ft:2;
+ u_int32_t msn_tls_ft:2;
/* NDPI_PROTOCOL_SSH */
u_int32_t ssh_stage:3;
@@ -584,11 +584,11 @@ struct ndpi_flow_tcp_struct {
/* NDPI_PROTOCOL_TELNET */
u_int32_t telnet_stage:2; // 0 - 2
- /* NDPI_PROTOCOL_SSL */
- u_int8_t ssl_seen_client_cert:1,
- ssl_seen_server_cert:1,
- ssl_seen_certificate:1,
- ssl_stage:2; // 0 - 5
+ /* NDPI_PROTOCOL_TLS */
+ u_int8_t tls_seen_client_cert:1,
+ tls_seen_server_cert:1,
+ tls_seen_certificate:1,
+ tls_stage:2; // 0 - 5
/* NDPI_PROTOCOL_POSTGRES */
u_int32_t postgres_stage:3;
@@ -771,7 +771,7 @@ struct ndpi_packet_struct {
u_int8_t tcp_retransmission;
u_int8_t l4_protocol;
- u_int8_t ssl_certificate_detected:4, ssl_certificate_num_checks:4;
+ u_int8_t tls_certificate_detected:4, tls_certificate_num_checks:4;
u_int8_t packet_lines_parsed_complete:1,
packet_direction:1,
empty_line_position_set:1;
@@ -1146,19 +1146,19 @@ struct ndpi_flow_struct {
struct {
struct {
- u_int16_t ssl_version;
+ u_int16_t tls_version;
char client_certificate[64], server_certificate[64], server_organization[64];
char ja3_client[33], ja3_server[33];
u_int16_t server_cipher;
ndpi_cipher_weakness server_unsafe_cipher;
- } ssl;
+ } tls;
struct {
u_int8_t num_udp_pkts, num_processed_pkts, num_binding_requests, is_skype;
} stun;
- /* We can have STUN over SSL thus they need to live together */
- } stun_ssl;
+ /* We can have STUN over TLS thus they need to live together */
+ } stun_tls;
struct {
char client_signature[48], server_signature[48];
@@ -1232,7 +1232,7 @@ struct ndpi_flow_struct {
u_int8_t thunder_stage:2; // 0 - 3
/* NDPI_PROTOCOL_OSCAR */
- u_int8_t oscar_ssl_voice_stage:3, oscar_video_voice:1;
+ u_int8_t oscar_tls_voice_stage:3, oscar_video_voice:1;
/* NDPI_PROTOCOL_FLORENSIA */
u_int8_t florensia_stage:1;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index c59201c9a..b039f585e 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1097,10 +1097,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- custom_master[0] = NDPI_PROTOCOL_SSL, custom_master[1] = NDPI_PROTOCOL_UNKNOWN;
- ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SSL_NO_CERT,
+ custom_master[0] = NDPI_PROTOCOL_TLS, custom_master[1] = NDPI_PROTOCOL_UNKNOWN;
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TLS_NO_CERT,
1 /* can_have_a_subprotocol */, custom_master,
- no_master, "SSL_No_Cert", NDPI_PROTOCOL_CATEGORY_WEB,
+ no_master, "TLS_No_Cert", NDPI_PROTOCOL_CATEGORY_WEB,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_UNSAFE, NDPI_PROTOCOL_IRC,
@@ -1241,10 +1241,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- custom_master[0] = NDPI_PROTOCOL_SSL_NO_CERT, custom_master[1] = NDPI_PROTOCOL_UNKNOWN;
- ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_SSL,
+ custom_master[0] = NDPI_PROTOCOL_TLS_NO_CERT, custom_master[1] = NDPI_PROTOCOL_UNKNOWN;
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_TLS,
1 /* can_have_a_subprotocol */, no_master,
- custom_master, "SSL", NDPI_PROTOCOL_CATEGORY_WEB,
+ custom_master, "TLS", NDPI_PROTOCOL_CATEGORY_WEB,
ndpi_build_default_ports(ports_a, 443, 3001 /* ntop */, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SSH,
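Review bot: Changing the registered protocol name from `"SSL"` to `"TLS"` (and `"SSL_No_Cert"` to `"TLS_No_Cert"` in the earlier hunk) alters the string nDPI reports for protocol ids 91 and 64, so external protocol files, custom category rules and any tooling that filters on the name "SSL" stop matching even though the numeric ids are unchanged. This is a behaviour change hiding inside an identifier rename and should be called out as breaking in the changelog. It is also worth considering whether the name-to-id lookup (outside this hunk) can accept "SSL" as an alias for a transition period, so existing configurations keep working. ndpi_init_protocol_defaults starts and ends outside this hunk.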
@@ -2811,8 +2811,8 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n
/* STARCRAFT */
init_starcraft_dissector(ndpi_struct, &a, detection_bitmask);
- /* SSL */
- init_ssl_dissector(ndpi_struct, &a, detection_bitmask);
+ /* TLS */
+ init_tls_dissector(ndpi_struct, &a, detection_bitmask);
/* STUN */
init_stun_dissector(ndpi_struct, &a, detection_bitmask);
@@ -4023,9 +4023,9 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
if(flow->guessed_protocol_id == NDPI_PROTOCOL_STUN)
goto check_stun_export;
- else if((flow->l4.tcp.ssl_seen_client_cert == 1)
- && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) {
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSL, NDPI_PROTOCOL_UNKNOWN);
+ else if((flow->l4.tcp.tls_seen_client_cert == 1)
+ && (flow->protos.stun_tls.tls.client_certificate[0] != '\0')) {
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN);
} else {
ndpi_protocol ret_g = ndpi_get_partial_detection(ndpi_struct, flow);
@@ -4038,8 +4038,8 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
if((flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN)
&& (flow->packet.l4_protocol == IPPROTO_TCP)
- && (flow->l4.tcp.ssl_stage > 1))
- flow->guessed_protocol_id = NDPI_PROTOCOL_SSL_NO_CERT;
+ && (flow->l4.tcp.tls_stage > 1))
+ flow->guessed_protocol_id = NDPI_PROTOCOL_TLS_NO_CERT;
guessed_protocol_id = flow->guessed_protocol_id, guessed_host_protocol_id = flow->guessed_host_protocol_id;
@@ -4061,8 +4061,8 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
if((guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN)
|| (guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN)) {
if((guessed_protocol_id == 0)
- && (flow->protos.stun_ssl.stun.num_binding_requests > 0)
- && (flow->protos.stun_ssl.stun.num_processed_pkts > 0))
+ && (flow->protos.stun_tls.stun.num_binding_requests > 0)
+ && (flow->protos.stun_tls.stun.num_processed_pkts > 0))
guessed_protocol_id = NDPI_PROTOCOL_STUN;
@@ -4095,9 +4095,9 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
if((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)
&& (flow->guessed_protocol_id == NDPI_PROTOCOL_STUN)) {
check_stun_export:
- if(flow->protos.stun_ssl.stun.num_processed_pkts || flow->protos.stun_ssl.stun.num_udp_pkts) {
- // if(/* (flow->protos.stun_ssl.stun.num_processed_pkts >= NDPI_MIN_NUM_STUN_DETECTION) */
- if(flow->protos.stun_ssl.stun.num_processed_pkts && flow->protos.stun_ssl.stun.is_skype) {
+ if(flow->protos.stun_tls.stun.num_processed_pkts || flow->protos.stun_tls.stun.num_udp_pkts) {
+ // if(/* (flow->protos.stun_tls.stun.num_processed_pkts >= NDPI_MIN_NUM_STUN_DETECTION) */
+ if(flow->protos.stun_tls.stun.num_processed_pkts && flow->protos.stun_tls.stun.is_skype) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE);
} else
ndpi_set_detected_protocol(ndpi_struct, flow,
@@ -4411,9 +4411,9 @@ void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_struc
}
}
- if((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) {
+ if((flow->l4.tcp.tls_seen_client_cert == 1) && (flow->protos.stun_tls.tls.client_certificate[0] != '\0')) {
unsigned long id;
- int rc = ndpi_match_custom_category(ndpi_struct, (char *)flow->protos.stun_ssl.ssl.client_certificate, &id);
+ int rc = ndpi_match_custom_category(ndpi_struct, (char *)flow->protos.stun_tls.tls.client_certificate, &id);
if(rc == 0) {
flow->category = ret->category = (ndpi_protocol_category_t)id;
@@ -4457,8 +4457,8 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
*/
if(flow->check_extra_packets
/*
- && ((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL)
- || (flow->detected_protocol_stack[1] == NDPI_PROTOCOL_SSL))
+ && ((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS)
+ || (flow->detected_protocol_stack[1] == NDPI_PROTOCOL_TLS))
*/
) {
ndpi_process_extra_packet(ndpi_struct, flow, packet, packetlen, current_tick_l, src, dst);
@@ -4599,7 +4599,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
ret.master_protocol = NDPI_PROTOCOL_HTTP;
break;
case 443:
- ret.master_protocol = NDPI_PROTOCOL_SSL; /* QUIC could also match */
+ ret.master_protocol = NDPI_PROTOCOL_TLS; /* QUIC could also match */
break;
}
@@ -5589,7 +5589,7 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct
else {
ret.app_protocol = rc;
- if(rc == NDPI_PROTOCOL_SSL)
+ if(rc == NDPI_PROTOCOL_TLS)
goto check_guessed_skype;
else {
ret.category = ndpi_get_proto_category(ndpi_struct, ret);
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 654b9c730..af43f2bef 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -303,7 +303,7 @@ int strncasecmp(const char *s1, const char *s2, size_t n) {
/* **************************************** */
-u_int8_t ndpi_is_safe_ssl_cipher(u_int32_t cipher) {
+u_int8_t ndpi_is_safe_tls_cipher(u_int32_t cipher) {
/* https://community.qualys.com/thread/18212-how-does-qualys-determine-the-server-cipher-suites */
/* INSECURE */
switch(cipher) {
@@ -360,9 +360,9 @@ const char* ndpi_cipher2str(u_int32_t cipher) {
case 0x000019: return("TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA");
case 0x00001a: return("TLS_DH_anon_WITH_DES_CBC_SHA");
case 0x00001b: return("TLS_DH_anon_WITH_3DES_EDE_CBC_SHA");
- case 0x00001c: return("SSL_FORTEZZA_KEA_WITH_NULL_SHA");
- case 0x00001d: return("SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA");
- /* case 0x00001e: return("SSL_FORTEZZA_KEA_WITH_RC4_128_SHA"); */
+ case 0x00001c: return("TLS_FORTEZZA_KEA_WITH_NULL_SHA");
+ case 0x00001d: return("TLS_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA");
+ /* case 0x00001e: return("TLS_FORTEZZA_KEA_WITH_RC4_128_SHA"); */
case 0x00001E: return("TLS_KRB5_WITH_DES_CBC_SHA");
case 0x00001F: return("TLS_KRB5_WITH_3DES_EDE_CBC_SHA");
case 0x000020: return("TLS_KRB5_WITH_RC4_128_SHA");
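Review bot: Renaming the literals returned for 0x1c and 0x1d from `SSL_FORTEZZA_KEA_*` to `TLS_FORTEZZA_KEA_*` changes the output of ndpi_cipher2str(), not just a code identifier, so any consumer that matches on the cipher-suite name (alert rules, exported flow fields) silently stops matching. The FORTEZZA KEA suites were SSLv3-only and are conventionally listed under the `SSL_` prefix, so the new names are also less recognisable. I would keep the original strings, `case 0x00001c: return("SSL_FORTEZZA_KEA_WITH_NULL_SHA");` and `case 0x00001d: return("SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA");`, and limit the rename to identifiers. The switch in ndpi_cipher2str starts and ends outside this hunk.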
@@ -576,10 +576,10 @@ const char* ndpi_cipher2str(u_int32_t cipher) {
case 0x00E41D: return("TLS_DHE_PSK_WITH_SALSA20_SHA1");
case 0x00E41E: return("TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1");
case 0x00E41F: return("TLS_DHE_RSA_WITH_SALSA20_SHA1");
- case 0x00fefe: return("SSL_RSA_FIPS_WITH_DES_CBC_SHA");
- case 0x00feff: return("SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA");
- case 0x00ffe0: return("SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA");
- case 0x00ffe1: return("SSL_RSA_FIPS_WITH_DES_CBC_SHA");
+ case 0x00fefe: return("TLS_RSA_FIPS_WITH_DES_CBC_SHA");
+ case 0x00feff: return("TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA");
+ case 0x00ffe0: return("TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA");
+ case 0x00ffe1: return("TLS_RSA_FIPS_WITH_DES_CBC_SHA");
case 0x010080: return("SSL2_RC4_128_WITH_MD5");
case 0x020080: return("SSL2_RC4_128_EXPORT40_WITH_MD5");
case 0x030080: return("SSL2_RC2_128_CBC_WITH_MD5");
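Review bot: The `SSL_RSA_FIPS_*` to `TLS_RSA_FIPS_*` rename changes four return values of ndpi_cipher2str() while the `SSL2_*` entries immediately below are left as they were, so the table is now inconsistent and anything keyed on the old names breaks. These Netscape-era FIPS suites are conventionally spelled with the `SSL_` prefix; I would revert the four literals to their original text. Separately, 0x00fefe/0x00ffe1 and 0x00feff/0x00ffe0 map to identical names, which looks pre-existing, but a one-line comment explaining why two codes share a name would stop the next reader from treating it as a copy-paste error. The enclosing switch continues outside this hunk.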
@@ -709,7 +709,7 @@ int ndpi_has_human_readeable_string(struct ndpi_detection_module_struct *ndpi_st
/* ********************************** */
-char* ndpi_ssl_version2str(u_int16_t version) {
+char* ndpi_tls_version2str(u_int16_t version) {
static char v[8];
switch(version) {
diff --git a/src/lib/protocols/directconnect.c b/src/lib/protocols/directconnect.c
index 19582724d..969af69fc 100644
--- a/src/lib/protocols/directconnect.c
+++ b/src/lib/protocols/directconnect.c
@@ -130,13 +130,13 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DIRECTCONNECT) {
if (packet->payload_packet_len >= 40 && memcmp(&packet->payload[0], "BINF", 4) == 0) {
- u_int16_t ssl_port = 0;
- ssl_port = parse_binf_message(ndpi_struct, &packet->payload[4], packet->payload_packet_len - 4);
- if (dst != NULL && ssl_port) {
- dst->detected_directconnect_ssl_port = ssl_port;
+ u_int16_t tls_port = 0;
+ tls_port = parse_binf_message(ndpi_struct, &packet->payload[4], packet->payload_packet_len - 4);
+ if (dst != NULL && tls_port) {
+ dst->detected_directconnect_tls_port = tls_port;
}
- if (src != NULL && ssl_port) {
- src->detected_directconnect_ssl_port = ssl_port;
+ if (src != NULL && tls_port) {
+ src->detected_directconnect_tls_port = tls_port;
}
@@ -145,14 +145,14 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
&& memcmp(&packet->payload[0], "DCTM", 4) == 0 && memcmp(&packet->payload[15], "ADCS", 4) == 0) {
u_int16_t bytes_read = 0;
if (dst != NULL) {
- dst->detected_directconnect_ssl_port =
+ dst->detected_directconnect_tls_port =
ntohs_ndpi_bytestream_to_number(&packet->payload[25], 5, &bytes_read);
- NDPI_LOG_DBG2(ndpi_struct, "DC ssl port parsed %d\n", ntohs(dst->detected_directconnect_ssl_port));
+ NDPI_LOG_DBG2(ndpi_struct, "DC ssl port parsed %d\n", ntohs(dst->detected_directconnect_tls_port));
}
if (src != NULL) {
- src->detected_directconnect_ssl_port =
+ src->detected_directconnect_tls_port =
ntohs_ndpi_bytestream_to_number(&packet->payload[25], 5, &bytes_read);
- NDPI_LOG_DBG2(ndpi_struct, "DC ssl port parsed %d\n", ntohs(src->detected_directconnect_ssl_port));
+ NDPI_LOG_DBG2(ndpi_struct, "DC ssl port parsed %d\n", ntohs(src->detected_directconnect_tls_port));
}
@@ -175,16 +175,16 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
return;
}
}
- if (src->detected_directconnect_ssl_port == packet->tcp->dest) {
+ if (src->detected_directconnect_tls_port == packet->tcp->dest) {
if ((u_int32_t)
(packet->tick_timestamp -
src->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) {
src->directconnect_last_safe_access_time = packet->tick_timestamp;
- NDPI_LOG_INFO(ndpi_struct, "found DC using port %d\n", ntohs(src->detected_directconnect_ssl_port));
+ NDPI_LOG_INFO(ndpi_struct, "found DC using port %d\n", ntohs(src->detected_directconnect_tls_port));
ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN);
return;
} else {
- src->detected_directconnect_ssl_port = 0;
+ src->detected_directconnect_tls_port = 0;
NDPI_LOG_DBG2(ndpi_struct, "resetting src port due to timeout\n");
return;
}
@@ -207,16 +207,16 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
return;
}
}
- if (dst->detected_directconnect_ssl_port == packet->tcp->dest) {
+ if (dst->detected_directconnect_tls_port == packet->tcp->dest) {
if ((u_int32_t)
(packet->tick_timestamp -
dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) {
dst->directconnect_last_safe_access_time = packet->tick_timestamp;
- NDPI_LOG_DBG(ndpi_struct, "found DC using port %d\n", ntohs(dst->detected_directconnect_ssl_port));
+ NDPI_LOG_DBG(ndpi_struct, "found DC using port %d\n", ntohs(dst->detected_directconnect_tls_port));
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN);
return;
} else {
- dst->detected_directconnect_ssl_port = 0;
+ dst->detected_directconnect_tls_port = 0;
NDPI_LOG_DBG2(ndpi_struct, "resetting dst port due to timeout\n");
return;
}
diff --git a/src/lib/protocols/mail_imap.c b/src/lib/protocols/mail_imap.c
index 65341cdc8..69d135943 100644
--- a/src/lib/protocols/mail_imap.c
+++ b/src/lib/protocols/mail_imap.c
@@ -48,7 +48,7 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct,
if (flow->l4.tcp.mail_imap_starttls == 2) {
NDPI_LOG_DBG2(ndpi_struct, "starttls detected\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MAIL_IMAP);
- NDPI_DEL_PROTOCOL_FROM_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SSL);
+ NDPI_DEL_PROTOCOL_FROM_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TLS);
return;
}
diff --git a/src/lib/protocols/msn.c b/src/lib/protocols/msn.c
index 8ab45ad32..26d7557b1 100644
--- a/src/lib/protocols/msn.c
+++ b/src/lib/protocols/msn.c
@@ -62,7 +62,7 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct
u_int16_t plen;
u_int16_t status = 0;
- if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) {
+ if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS) {
NDPI_LOG_DBG2(ndpi_struct, "msn ssl ft test\n");
@@ -80,12 +80,12 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct
if(flow->packet_counter >= 5 && flow->packet_counter <= 10
&& (get_u_int32_t(packet->payload, 0) == htonl(0x18000000)
&& get_u_int32_t(packet->payload, 4) == 0x00000000)) {
- flow->l4.tcp.msn_ssl_ft++;
+ flow->l4.tcp.msn_tls_ft++;
NDPI_LOG_DBG2(ndpi_struct,
"increased msn ft ssl stage to: %u at packet nr: %u\n",
- flow->l4.tcp.msn_ssl_ft,
+ flow->l4.tcp.msn_tls_ft,
flow->packet_counter);
- if (flow->l4.tcp.msn_ssl_ft == 2) {
+ if (flow->l4.tcp.msn_tls_ft == 2) {
NDPI_LOG_INFO(ndpi_struct,
"found MSN File Transfer, ifdef ssl 2.\n");
ndpi_int_msn_add_connection(ndpi_struct, flow);
@@ -103,7 +103,7 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct
*/
/* now we have a look at the first packet only. */
if(flow->packet_counter == 1
- || ((packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL)
+ || ((packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS)
&& flow->packet_counter <= 3)
) {
@@ -497,7 +497,7 @@ void ndpi_search_msn(struct ndpi_detection_module_struct *ndpi_struct, struct nd
// need to do the ceck when protocol == http too (POST /gateway ...)
if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN
|| packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP
- || packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL
+ || packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS
|| packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STUN
)
ndpi_search_msn_tcp(ndpi_struct, flow);
diff --git a/src/lib/protocols/oscar.c b/src/lib/protocols/oscar.c
index 010a620e9..1a848ea12 100644
--- a/src/lib/protocols/oscar.c
+++ b/src/lib/protocols/oscar.c
@@ -774,7 +774,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct
NDPI_LOG_INFO(ndpi_struct, "found OSCAR PICTURE TRANSFER\n");
ndpi_int_oscar_add_connection(ndpi_struct, flow);
if (ntohs(packet->tcp->dest) == 443 || ntohs(packet->tcp->source) == 443) {
- flow->oscar_ssl_voice_stage = 1;
+ flow->oscar_tls_voice_stage = 1;
}
return;
diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
index 90b73ab1e..6583b727a 100644
--- a/src/lib/protocols/rtp.c
+++ b/src/lib/protocols/rtp.c
@@ -78,7 +78,7 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
const u_int8_t * payload, const u_int16_t payload_len) {
NDPI_LOG_DBG(ndpi_struct, "search RTP\n");
- if((payload_len < 2) || flow->protos.stun_ssl.stun.num_binding_requests) {
+ if((payload_len < 2) || flow->protos.stun_tls.stun.num_binding_requests) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index bcf957340..a35ab1ad7 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -105,7 +105,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
if(payload_length < sizeof(struct stun_packet_header)) {
/* This looks like an invlid packet */
- if(flow->protos.stun_ssl.stun.num_udp_pkts > 0) {
+ if(flow->protos.stun_tls.stun.num_udp_pkts > 0) {
*is_whatsapp = 1;
return(NDPI_IS_STUN); /* This is WhatsApp Voice */
} else
@@ -125,7 +125,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
return(NDPI_IS_NOT_STUN);
if(msg_type == 0x01 /* Binding Request */) {
- flow->protos.stun_ssl.stun.num_binding_requests++;
+ flow->protos.stun_tls.stun.num_binding_requests++;
if((msg_len == 0) && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_GOOGLE)) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
}
@@ -136,11 +136,11 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
return(NDPI_IS_NOT_STUN);
}
- flow->protos.stun_ssl.stun.num_udp_pkts++;
+ flow->protos.stun_tls.stun.num_udp_pkts++;
/*
printf("[msg_type: %04X][payload_length: %u][num_binding_request: %u]\n",
- msg_type, payload_length, flow->protos.stun_ssl.stun.num_binding_requests);
+ msg_type, payload_length, flow->protos.stun_tls.stun.num_binding_requests);
*/
if(((payload[0] == 0x80)
@@ -150,7 +150,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
return(NDPI_IS_STUN); /* This is WhatsApp Voice */
} else if((payload[0] == 0x90)
&& (((msg_len+11) == payload_length) /* WhatsApp Video */
- || (flow->protos.stun_ssl.stun.num_binding_requests >= 4))) {
+ || (flow->protos.stun_tls.stun.num_binding_requests >= 4))) {
*is_whatsapp = 2;
return(NDPI_IS_STUN); /* This is WhatsApp Video */
}
@@ -211,7 +211,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
&& (payload[offset+6] == 0x00)
&& (payload[offset+7] == 0x00)) {
/* Either skype for business or "normal" skype with multiparty call */
- flow->protos.stun_ssl.stun.is_skype = 1;
+ flow->protos.stun_tls.stun.is_skype = 1;
return(NDPI_IS_STUN);
}
break;
@@ -226,7 +226,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
case 0x8095:
case 0x0800:
/* printf("====>>>> %04X\n", attribute); */
- flow->protos.stun_ssl.stun.is_skype = 1;
+ flow->protos.stun_tls.stun.is_skype = 1;
return(NDPI_IS_STUN);
break;
@@ -238,7 +238,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
&& (payload[offset+6] == 0x00)
&& ((payload[offset+7] == 0x02) || (payload[offset+7] == 0x03))
) {
- flow->protos.stun_ssl.stun.is_skype = 1;
+ flow->protos.stun_tls.stun.is_skype = 1;
return(NDPI_IS_STUN);
}
break;
@@ -266,7 +266,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
}
}
- if((flow->protos.stun_ssl.stun.num_udp_pkts > 0) && (msg_type <= 0x00FF)) {
+ if((flow->protos.stun_tls.stun.num_udp_pkts > 0) && (msg_type <= 0x00FF)) {
*is_whatsapp = 1;
return(NDPI_IS_STUN); /* This is WhatsApp Voice */
} else
@@ -276,7 +276,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
if(can_this_be_whatsapp_voice) {
struct ndpi_packet_struct *packet = &flow->packet;
- flow->protos.stun_ssl.stun.num_processed_pkts++;
+ flow->protos.stun_tls.stun.num_processed_pkts++;
#ifdef DEBUG_STUN
printf("==>> NDPI_PROTOCOL_WHATSAPP_VOICE\n");
#endif
@@ -287,7 +287,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
} else
flow->guessed_host_protocol_id = (is_google_ip_address(ntohl(packet->iph->saddr)) || is_google_ip_address(ntohl(packet->iph->daddr)))
? NDPI_PROTOCOL_HANGOUT_DUO : NDPI_PROTOCOL_WHATSAPP_VOICE;
- return((flow->protos.stun_ssl.stun.num_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN);
+ return((flow->protos.stun_tls.stun.num_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN);
} else {
/*
We cannot immediately say that this is STUN as there are other protocols
@@ -330,10 +330,10 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n
} else if(is_duo) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HANGOUT_DUO, NDPI_PROTOCOL_STUN);
return;
- } else if(flow->protos.stun_ssl.stun.is_skype) {
+ } else if(flow->protos.stun_tls.stun.is_skype) {
NDPI_LOG_INFO(ndpi_struct, "found Skype\n");
- if((flow->protos.stun_ssl.stun.num_processed_pkts >= 8) || (flow->protos.stun_ssl.stun.num_binding_requests >= 4))
+ if((flow->protos.stun_tls.stun.num_processed_pkts >= 8) || (flow->protos.stun_tls.stun.num_binding_requests >= 4))
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE);
} else {
NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n"); /* Ummmmm we're in the TCP branch. This code looks bad */
@@ -358,11 +358,11 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n
} else if(is_duo) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HANGOUT_DUO, NDPI_PROTOCOL_STUN);
return;
- } else if(flow->protos.stun_ssl.stun.is_skype) {
+ } else if(flow->protos.stun_tls.stun.is_skype) {
NDPI_LOG_INFO(ndpi_struct, "Found Skype\n");
- /* flow->protos.stun_ssl.stun.num_binding_requests < 4) ? NDPI_PROTOCOL_SKYPE_CALL_IN : NDPI_PROTOCOL_SKYPE_CALL_OUT */
- if((flow->protos.stun_ssl.stun.num_processed_pkts >= 8) || (flow->protos.stun_ssl.stun.num_binding_requests >= 4))
+ /* flow->protos.stun_tls.stun.num_binding_requests < 4) ? NDPI_PROTOCOL_SKYPE_CALL_IN : NDPI_PROTOCOL_SKYPE_CALL_OUT */
+ if((flow->protos.stun_tls.stun.num_processed_pkts >= 8) || (flow->protos.stun_tls.stun.num_binding_requests >= 4))
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE);
} else {
NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n");
@@ -375,7 +375,7 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n
return;
}
- if(flow->protos.stun_ssl.stun.num_udp_pkts >= MAX_NUM_STUN_PKTS)
+ if(flow->protos.stun_tls.stun.num_udp_pkts >= MAX_NUM_STUN_PKTS)
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
if(flow->packet_counter > 0) {
diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/tls.c
index b8a3a643a..188d0bc9a 100644
--- a/src/lib/protocols/ssl.c
+++ b/src/lib/protocols/tls.c
@@ -1,7 +1,7 @@
/*
- * ssl.c
+ * tls.c - SSL/TLS/DTLS dissector
*
- * Copyright (C) 2016-18 - ntop.org
+ * Copyright (C) 2016-19 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -23,13 +23,13 @@
#include "ndpi_protocol_ids.h"
-#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SSL
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TLS
#include "ndpi_api.h"
/* #define CERTIFICATE_DEBUG 1 */
-#define NDPI_MAX_SSL_REQUEST_SIZE 10000
+#define NDPI_MAX_TLS_REQUEST_SIZE 10000
/* Skype.c */
extern u_int8_t is_skype_flow(struct ndpi_detection_module_struct *ndpi_struct,
@@ -233,24 +233,23 @@ static void MD5Final(unsigned char digest[16], MD5_CTX *ctx) {
/* **************************************** */
-static u_int32_t ndpi_ssl_refine_master_protocol(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow, u_int32_t protocol)
-{
+static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow, u_int32_t protocol) {
struct ndpi_packet_struct *packet = &flow->packet;
- if(((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.ja3_client[0] != '\0'))
- || ((flow->l4.tcp.ssl_seen_server_cert == 1) && (flow->protos.stun_ssl.ssl.ja3_server[0] != '\0'))
+ if(((flow->l4.tcp.tls_seen_client_cert == 1) && (flow->protos.stun_tls.tls.ja3_client[0] != '\0'))
+ || ((flow->l4.tcp.tls_seen_server_cert == 1) && (flow->protos.stun_tls.tls.ja3_server[0] != '\0'))
// || (flow->host_server_name[0] != '\0')
)
- protocol = NDPI_PROTOCOL_SSL;
+ protocol = NDPI_PROTOCOL_TLS;
else
- protocol = NDPI_PROTOCOL_SSL_NO_CERT;
+ protocol = NDPI_PROTOCOL_TLS_NO_CERT;
if(packet->tcp != NULL) {
switch(protocol) {
- case NDPI_PROTOCOL_SSL:
- case NDPI_PROTOCOL_SSL_NO_CERT:
+ case NDPI_PROTOCOL_TLS:
+ case NDPI_PROTOCOL_TLS_NO_CERT:
{
/*
In case of SSL there are probably sub-protocols
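Review bot: The `protocol` parameter of ndpi_tls_refine_master_protocol() is dead: the if/else at the top of the function unconditionally overwrites it before it is ever read, so the value ndpi_int_tls_add_connection() passes in has no effect. Either drop the parameter or make the intent explicit by computing into a fresh local, e.g. `u_int32_t refined = (have_ja3) ? NDPI_PROTOCOL_TLS : NDPI_PROTOCOL_TLS_NO_CERT;`, so readers do not assume the caller's value matters. The comment on the last line of the hunk still says "In case of SSL" while everything around it was renamed to TLS. The function body continues past the end of this hunk.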
@@ -273,18 +272,21 @@ static u_int32_t ndpi_ssl_refine_master_protocol(struct ndpi_detection_module_st
return protocol;
}
-static void ndpi_int_ssl_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow, u_int32_t protocol)
-{
- if((protocol != NDPI_PROTOCOL_SSL)
- && (protocol != NDPI_PROTOCOL_SSL_NO_CERT)) {
+/* **************************************** */
+
+static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow, u_int32_t protocol) {
+ if((protocol != NDPI_PROTOCOL_TLS)
+ && (protocol != NDPI_PROTOCOL_TLS_NO_CERT)) {
ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_UNKNOWN);
} else {
- protocol = ndpi_ssl_refine_master_protocol(ndpi_struct, flow, protocol);
+ protocol = ndpi_tls_refine_master_protocol(ndpi_struct, flow, protocol);
ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_UNKNOWN);
}
}
+/* **************************************** */
+
/* Can't call libc functions from kernel space, define some stub instead */
#define ndpi_isalpha(ch) (((ch) >= 'a' && (ch) <= 'z') || ((ch) >= 'A' && (ch) <= 'Z'))
@@ -296,8 +298,9 @@ static void ndpi_int_ssl_add_connection(struct ndpi_detection_module_struct *ndp
((ch) >= '[' && (ch) <= '`') || \
((ch) >= '{' && (ch) <= '~'))
-static void stripCertificateTrailer(char *buffer, int buffer_len) {
+/* **************************************** */
+static void stripCertificateTrailer(char *buffer, int buffer_len) {
int i, is_puny;
// printf("->%s<-\n", buffer);
@@ -346,43 +349,53 @@ static void stripCertificateTrailer(char *buffer, int buffer_len) {
buffer[i] = tolower(buffer[i]);
}
+/* **************************************** */
+
/* https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 */
#define JA3_STR_LEN 1024
#define MAX_NUM_JA3 128
struct ja3_info {
- u_int16_t ssl_version;
+ u_int16_t tls_version;
u_int16_t num_cipher, cipher[MAX_NUM_JA3];
- u_int16_t num_ssl_extension, ssl_extension[MAX_NUM_JA3];
+ u_int16_t num_tls_extension, tls_extension[MAX_NUM_JA3];
u_int16_t num_elliptic_curve, elliptic_curve[MAX_NUM_JA3];
u_int8_t num_elliptic_curve_point_format, elliptic_curve_point_format[MAX_NUM_JA3];
};
/* **************************************** */
-/* code fixes courtesy of Alexsandro Brahm <alex@digistar.com.br> */
-int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
+int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
char *buffer, int buffer_len) {
struct ndpi_packet_struct *packet = &flow->packet;
struct ja3_info ja3;
int i;
u_int8_t invalid_ja3 = 0;
- u_int16_t pkt_ssl_version = (packet->payload[1] << 8) + packet->payload[2], ja3_str_len;
+ u_int16_t pkt_tls_version = (packet->payload[1] << 8) + packet->payload[2], ja3_str_len;
char ja3_str[JA3_STR_LEN];
MD5_CTX ctx;
u_char md5_hash[16];
- flow->protos.stun_ssl.ssl.ssl_version = pkt_ssl_version;
+ if(packet->udp) {
+ /* Check if this is DTLS or return */
+ if((packet->payload[1] != 0xfe)
+ || ((packet->payload[2] != 0xff) && (packet->payload[2] != 0xfd))) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return(0);
+ }
+ }
+
+ flow->protos.stun_tls.tls.tls_version = pkt_tls_version;
memset(&ja3, 0, sizeof(ja3));
#ifdef CERTIFICATE_DEBUG
{
- u_int16_t ssl_len = (packet->payload[3] << 8) + packet->payload[4];
+ u_int16_t tls_len = (packet->payload[3] << 8) + packet->payload[4];
- printf("SSL Record [version: %u][len: %u]\n", pkt_ssl_version, ssl_len);
+ printf("SSL Record [version: 0x%04X][len: %u]\n", pkt_tls_version, tls_len);
}
#endif
@@ -391,9 +404,21 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
Patches courtesy of Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
*/
if(packet->payload[0] == 0x16 /* Handshake */) {
- u_int16_t total_len = (packet->payload[3] << 8) + packet->payload[4] + 5 /* SSL Header */;
- u_int8_t handshake_protocol = packet->payload[5]; /* handshake protocol a bit misleading, it is message type according TLS specs */
+ u_int16_t total_len;
+ u_int8_t handshake_protocol, header_len;
+
+ if(packet->tcp) {
+ header_len = 5; /* SSL Header */
+ handshake_protocol = packet->payload[5]; /* handshake protocol a bit misleading, it is message type according TLS specs */
+ total_len = (packet->payload[3] << 8) + packet->payload[4];
+ } else {
+ header_len = 13; /* DTLS header */
+ handshake_protocol = packet->payload[13];
+ total_len = ntohs(*((u_int16_t*)&packet->payload[11]));
+ }
+ total_len += header_len;
+
memset(buffer, 0, buffer_len);
/* Truncate total len, search at least in incomplete packet */
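Review bot: The DTLS branch reads `packet->payload[11]` and `packet->payload[13]` with no visible check that the datagram actually holds the 13-byte DTLS record header plus the handshake type byte; the only guard on this path is in sslTryAndRetrieveServerCertificate, outside the hunk, and if it mirrors the `payload_packet_len > 9` test in tlsDetectProtocolFromCertificate it was sized for the 5-byte TLS header. A short UDP payload starting with 0x16 would therefore be read past its end before `total_len` is ever truncated. The cheapest fix sits in the `if(packet->udp)` block at the top of getTLScertificate (previous hunk): `if(packet->payload_packet_len < 14) return(0);` next to the version test. For the length field itself, `ntohs(get_u_int16_t(packet->payload, 11))` is what this file uses further down and avoids the unaligned `u_int16_t` dereference; getTLScertificate continues well beyond this hunk.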
@@ -402,38 +427,49 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
/* At least "magic" 3 bytes, null for string end, otherwise no need to waste cpu cycles */
if(total_len > 4) {
+ u_int16_t base_offset = packet->tcp ? 43 : 59;
+
#ifdef CERTIFICATE_DEBUG
printf("SSL [len: %u][handshake_protocol: %02X]\n", packet->payload_packet_len, handshake_protocol);
#endif
if((handshake_protocol == 0x02)
- || (handshake_protocol == 0xb) /* Server Hello and Certificate message types are interesting for us */) {
+ || (handshake_protocol == 0x0b) /* Server Hello and Certificate message types are interesting for us */) {
u_int num_found = 0;
- u_int16_t ssl_version = ntohs(*((u_int16_t*)&packet->payload[9]));
+ u_int16_t tls_version;
int i;
+
+ if(packet->tcp)
+ tls_version = ntohs(*((u_int16_t*)&packet->payload[header_len+4]));
+ else
+ tls_version = ntohs(*((u_int16_t*)&packet->payload[header_len+12]));
- ja3.ssl_version = ssl_version;
+ ja3.tls_version = tls_version;
if(handshake_protocol == 0x02) {
- u_int16_t offset = 43, extension_len, j;
- u_int8_t session_id_len = packet->payload[43];
+ u_int16_t offset = base_offset, extension_len, j;
+ u_int8_t session_id_len = packet->payload[offset];
#ifdef CERTIFICATE_DEBUG
- printf("SSL Server Hello [version: 0x%04X]\n", ssl_version);
+ printf("SSL Server Hello [version: 0x%04X]\n", tls_version);
#endif
/*
The server hello decides about the SSL version of this flow
https://networkengineering.stackexchange.com/questions/55752/why-does-wireshark-show-version-tls-1-2-here-instead-of-tls-1-3
*/
- flow->protos.stun_ssl.ssl.ssl_version = ssl_version;
-
- if(ssl_version < 0x7F15 /* TLS 1.3 lacks of session id */)
- offset += session_id_len+1;
+ flow->protos.stun_tls.tls.tls_version = tls_version;
+ if(packet->udp)
+ offset += 1;
+ else {
+ if(tls_version < 0x7F15 /* TLS 1.3 lacks of session id */)
+ offset += session_id_len+1;
+ }
+
ja3.num_cipher = 1, ja3.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset]));
- flow->protos.stun_ssl.ssl.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0]);
- flow->protos.stun_ssl.ssl.server_cipher = ja3.cipher[0];
+ flow->protos.stun_tls.tls.server_unsafe_cipher = ndpi_is_safe_tls_cipher(ja3.cipher[0]);
+ flow->protos.stun_tls.tls.server_cipher = ja3.cipher[0];
#ifdef CERTIFICATE_DEBUG
printf("SSL [server][session_id_len: %u][cipher: %04X]\n", session_id_len, ja3.cipher[0]);
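Review bot: For a DTLS ServerHello the new `if(packet->udp) offset += 1;` skips only the session_id length byte, not the session ID itself, so whenever the server echoes a non-empty session ID the cipher read at `payload[offset]` lands inside the session ID bytes and `ja3.cipher[0]`, `server_cipher` and the JA3S hash are wrong. DTLS ServerHello carries the same length-prefixed session_id field as TLS 1.0-1.2, so the TCP arithmetic applies unchanged and the two branches collapse to `if(packet->udp || (tls_version < 0x7F15)) offset += session_id_len+1;`. Separately, `session_id_len = packet->payload[offset]` now reads at offset 59 for DTLS while the only guard above is `total_len > 4`; a `if(offset + 1 > total_len) return(0);` before the read would be cheap. The enclosing function continues outside the hunk.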
@@ -455,17 +491,17 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
id = ntohs(*((u_int16_t*)&packet->payload[offset]));
len = ntohs(*((u_int16_t*)&packet->payload[offset+2]));
- if(ja3.num_ssl_extension < MAX_NUM_JA3)
- ja3.ssl_extension[ja3.num_ssl_extension++] = id;
+ if(ja3.num_tls_extension < MAX_NUM_JA3)
+ ja3.tls_extension[ja3.num_tls_extension++] = id;
#ifdef CERTIFICATE_DEBUG
- printf("SSL [server][extension_id: %u]\n", id);
+ printf("SSL [server][extension_id: %u/0x%04X]\n", id, id);
#endif
i += 4 + len, offset += 4 + len;
}
- ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.ssl_version);
+ ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_version);
for(i=0; i<ja3.num_cipher; i++)
ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]);
@@ -474,8 +510,8 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
/* ********** */
- for(i=0; i<ja3.num_ssl_extension; i++)
- ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.ssl_extension[i]);
+ for(i=0; i<ja3.num_tls_extension; i++)
+ ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.tls_extension[i]);
#ifdef CERTIFICATE_DEBUG
printf("SSL [server] %s\n", ja3_str);
@@ -490,16 +526,16 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
MD5Final(md5_hash, &ctx);
for(i=0, j=0; i<16; i++)
- j += snprintf(&flow->protos.stun_ssl.ssl.ja3_server[j],
- sizeof(flow->protos.stun_ssl.ssl.ja3_server)-j, "%02x", md5_hash[i]);
+ j += snprintf(&flow->protos.stun_tls.tls.ja3_server[j],
+ sizeof(flow->protos.stun_tls.tls.ja3_server)-j, "%02x", md5_hash[i]);
#ifdef CERTIFICATE_DEBUG
- printf("[JA3] Server: %s \n", flow->protos.stun_ssl.ssl.ja3_server);
+ printf("[JA3] Server: %s \n", flow->protos.stun_tls.tls.ja3_server);
#endif
- flow->l4.tcp.ssl_seen_server_cert = 1;
+ flow->l4.tcp.tls_seen_server_cert = 1;
} else
- flow->l4.tcp.ssl_seen_certificate = 1;
+ flow->l4.tcp.tls_seen_certificate = 1;
/* Check after handshake protocol header (5 bytes) and message header (4 bytes) */
for(i = 9; i < packet->payload_packet_len-3; i++) {
@@ -544,8 +580,8 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
if(num_dots >= 1) {
if(!ndpi_struct->disable_metadata_export) {
stripCertificateTrailer(buffer, buffer_len);
- snprintf(flow->protos.stun_ssl.ssl.server_certificate,
- sizeof(flow->protos.stun_ssl.ssl.server_certificate), "%s", buffer);
+ snprintf(flow->protos.stun_tls.tls.server_certificate,
+ sizeof(flow->protos.stun_tls.tls.server_certificate), "%s", buffer);
}
return(1 /* Server Certificate */);
@@ -554,20 +590,38 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
}
}
} else if(handshake_protocol == 0x01 /* Client Hello */) {
- u_int offset, base_offset = 43;
+ u_int offset;
- if(base_offset + 2 <= packet->payload_packet_len) {
- u_int16_t session_id_len = packet->payload[base_offset];
- u_int16_t ssl_version = ntohs(*((u_int16_t*)&packet->payload[9]));
+#ifdef CERTIFICATE_DEBUG
+ printf("[base_offset: %u][payload_packet_len: %u]\n", base_offset, packet->payload_packet_len);
+#endif
- ja3.ssl_version = ssl_version;
+ if(base_offset + 2 <= packet->payload_packet_len) {
+ u_int16_t session_id_len;
+ u_int16_t tls_version;
+ if(packet->tcp)
+ tls_version = ntohs(*((u_int16_t*)&packet->payload[header_len+4]));
+ else
+ tls_version = ntohs(*((u_int16_t*)&packet->payload[header_len+12]));
+
+ session_id_len = packet->payload[base_offset];
+
+ ja3.tls_version = tls_version;
+
if((session_id_len+base_offset+2) <= total_len) {
- u_int16_t cipher_len = packet->payload[session_id_len+base_offset+2] + (packet->payload[session_id_len+base_offset+1] << 8);
- u_int16_t cipher_offset = base_offset + session_id_len + 3;
+ u_int16_t cipher_len, cipher_offset;
+
+ if(packet->tcp) {
+ cipher_len = packet->payload[session_id_len+base_offset+2] + (packet->payload[session_id_len+base_offset+1] << 8);
+ cipher_offset = base_offset + session_id_len + 3;
+ } else {
+ cipher_len = ntohs(*((u_int16_t*)&packet->payload[base_offset+2]));
+ cipher_offset = base_offset+4;
+ }
#ifdef CERTIFICATE_DEBUG
- printf("Client SSL [client cipher_len: %u]\n", cipher_len);
+ printf("Client SSL [client cipher_len: %u][tls_version: 0x%04X]\n", cipher_len, tls_version);
#endif
if((cipher_offset+cipher_len) <= total_len) {
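Review bot: The DTLS ClientHello arm takes `cipher_len` from `base_offset+2` and sets `cipher_offset = base_offset+4`, which is only correct when both the session ID and the DTLS cookie are empty; a ClientHello resent after a HelloVerifyRequest carries a cookie (and a resumption carries a session ID), so the cipher list is then read from the wrong bytes and the JA3 fingerprint silently comes out wrong. The same assumption is baked into `offset += packet->tcp ? 1 : 2;` in the later hunk, which together with `offset = base_offset + session_id_len + cipher_len + 2;` would reduce to `offset = cipher_offset + cipher_len;` for both transports if `cipher_offset` is still in scope there. Both fields are length-prefixed, so walking them is a few lines, sketched below with the reads bounded by `total_len`; the enclosing function continues outside the hunk.
```c
      } else {
        /* DTLS ClientHello: session_id<1+len> is followed by cookie<1+len>, then the 2-byte cipher_suites length */
        u_int16_t cookie_len_off = base_offset + 1 + session_id_len;
        u_int8_t cookie_len = (cookie_len_off < total_len) ? packet->payload[cookie_len_off] : 0;

        cipher_offset = cookie_len_off + 1 + cookie_len + 2;
        cipher_len = (cipher_offset <= total_len) ? ntohs(*((u_int16_t*)&packet->payload[cipher_offset - 2])) : 0;
      }
      /* … unchanged: debug print and cipher-suite loop … */
```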
@@ -575,7 +629,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
u_int16_t *id = (u_int16_t*)&packet->payload[cipher_offset+i];
#ifdef CERTIFICATE_DEBUG
- printf("Client SSL [cipher suite: %u] [%u/%u]\n", ntohs(*id), i, cipher_len);
+ printf("Client SSL [cipher suite: %u/0x%04X] [%u/%u]\n", ntohs(*id), ntohs(*id), i, cipher_len);
#endif
if((*id == 0) || (packet->payload[cipher_offset+i] != packet->payload[cipher_offset+i+1])) {
/*
@@ -604,13 +658,13 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
offset = base_offset + session_id_len + cipher_len + 2;
- flow->l4.tcp.ssl_seen_client_cert = 1;
+ flow->l4.tcp.tls_seen_client_cert = 1;
if(offset < total_len) {
u_int16_t compression_len;
u_int16_t extensions_len;
- offset++;
+ offset += packet->tcp ? 1 : 2;
compression_len = packet->payload[offset];
offset++;
@@ -651,12 +705,12 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
if((extension_id == 0) || (packet->payload[extn_off] != packet->payload[extn_off+1])) {
/* Skip GREASE */
- if(ja3.num_ssl_extension < MAX_NUM_JA3)
- ja3.ssl_extension[ja3.num_ssl_extension++] = extension_id;
+ if(ja3.num_tls_extension < MAX_NUM_JA3)
+ ja3.tls_extension[ja3.num_tls_extension++] = extension_id;
else {
invalid_ja3 = 1;
#ifdef CERTIFICATE_DEBUG
- printf("Client SSL Invalid extensions %u\n", ja3.num_ssl_extension);
+ printf("Client SSL Invalid extensions %u\n", ja3.num_tls_extension);
#endif
}
}
@@ -672,8 +726,8 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
stripCertificateTrailer(buffer, buffer_len);
if(!ndpi_struct->disable_metadata_export) {
- snprintf(flow->protos.stun_ssl.ssl.client_certificate,
- sizeof(flow->protos.stun_ssl.ssl.client_certificate), "%s", buffer);
+ snprintf(flow->protos.stun_tls.tls.client_certificate,
+ sizeof(flow->protos.stun_tls.tls.client_certificate), "%s", buffer);
}
} else if(extension_id == 10 /* supported groups */) {
u_int16_t s_offset = offset+extension_offset + 2;
@@ -687,7 +741,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
u_int16_t s_group = ntohs(*((u_int16_t*)&packet->payload[s_offset+i]));
#ifdef CERTIFICATE_DEBUG
- printf("Client SSL [EllipticCurve: %u]\n", s_group);
+ printf("Client SSL [EllipticCurve: %u/0x%04X]\n", s_group, s_group);
#endif
if((s_group == 0) || (packet->payload[s_offset+i] != packet->payload[s_offset+i+1])) {
/* Skip GREASE */
@@ -748,7 +802,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
} /* while */
if(!invalid_ja3) {
- ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.ssl_version);
+ ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_version);
for(i=0; i<ja3.num_cipher; i++) {
ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
@@ -759,9 +813,9 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
/* ********** */
- for(i=0; i<ja3.num_ssl_extension; i++)
+ for(i=0; i<ja3.num_tls_extension; i++)
ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
- (i > 0) ? "-" : "", ja3.ssl_extension[i]);
+ (i > 0) ? "-" : "", ja3.tls_extension[i]);
ja3_str_len += snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
@@ -786,11 +840,11 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
MD5Final(md5_hash, &ctx);
for(i=0, j=0; i<16; i++)
- j += snprintf(&flow->protos.stun_ssl.ssl.ja3_client[j],
- sizeof(flow->protos.stun_ssl.ssl.ja3_client)-j, "%02x", md5_hash[i]);
+ j += snprintf(&flow->protos.stun_tls.tls.ja3_client[j],
+ sizeof(flow->protos.stun_tls.tls.ja3_client)-j, "%02x", md5_hash[i]);
#ifdef CERTIFICATE_DEBUG
- printf("[JA3] Client: %s \n", flow->protos.stun_ssl.ssl.ja3_client);
+ printf("[JA3] Client: %s \n", flow->protos.stun_tls.tls.ja3_client);
#endif
}
@@ -807,6 +861,8 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
return(0); /* Not found */
}
+/* **************************************** */
+
void getSSLorganization(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
char *buffer, int buffer_len) {
@@ -860,18 +916,20 @@ void getSSLorganization(struct ndpi_detection_module_struct *ndpi_struct,
}
if(is_printable == 1) {
- snprintf(flow->protos.stun_ssl.ssl.server_organization,
- sizeof(flow->protos.stun_ssl.ssl.server_organization), "%s", buffer);
+ snprintf(flow->protos.stun_tls.tls.server_organization,
+ sizeof(flow->protos.stun_tls.tls.server_organization), "%s", buffer);
#ifdef CERTIFICATE_DEBUG
- printf("Certificate organization: %s\n", flow->protos.stun_ssl.ssl.server_organization);
+ printf("Certificate organization: %s\n", flow->protos.stun_tls.tls.server_organization);
#endif
}
}
}
}
+/* **************************************** */
-int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
+int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
/* consider only specific SSL packets (handshake) */
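Review bot: sslTryAndRetrieveServerCertificate keeps its ssl prefix, as do getSSLorganization and sslInitExtraPacketProcessing, while its siblings become getTLScertificate, tlsDetectProtocolFromCertificate and ndpi_int_tls_add_connection, and this function is now also the DTLS entry point. If these names are not part of a public header that must stay stable, renaming them in the same commit (`tlsTryAndRetrieveServerCertificate`, `getTLSorganization`, `tlsInitExtraPacketProcessing`) keeps the module uniform; otherwise a one-line comment such as `/* name kept for API compatibility; handles TLS and DTLS */` explains the mix to the next reader. The function body continues outside the hunk.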
@@ -880,8 +938,8 @@ int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi
int rc;
certificate[0] = '\0';
- rc = getSSLcertificate(ndpi_struct, flow, certificate, sizeof(certificate));
- packet->ssl_certificate_num_checks++;
+ rc = getTLScertificate(ndpi_struct, flow, certificate, sizeof(certificate));
+ packet->tls_certificate_num_checks++;
if(rc > 0) {
char organization[64];
@@ -890,14 +948,14 @@ int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi
organization[0] = '\0';
getSSLorganization(ndpi_struct, flow, organization, sizeof(organization));
- packet->ssl_certificate_detected++;
- if((flow->l4.tcp.ssl_seen_server_cert == 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0'))
+ packet->tls_certificate_detected++;
+ if((flow->l4.tcp.tls_seen_server_cert == 1) && (flow->protos.stun_tls.tls.server_certificate[0] != '\0'))
/* 0 means we're done processing extra packets (since we found what we wanted) */
return 0;
}
/* Client hello, Server Hello, and certificate packets probably all checked in this case */
- if((packet->ssl_certificate_num_checks >= 3)
+ if((packet->tls_certificate_num_checks >= 3)
&& (flow->l4.tcp.seen_syn)
&& (flow->l4.tcp.seen_syn_ack)
&& (flow->l4.tcp.seen_ack) /* We have seen the 3-way handshake */)
@@ -906,10 +964,13 @@ int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi
return 0;
}
}
+
/* 1 means keep looking for more packets */
return 1;
}
+/* **************************************** */
+
void sslInitExtraPacketProcessing(int caseNum, struct ndpi_flow_struct *flow) {
flow->check_extra_packets = 1;
/* 0 is the case for waiting for the server certificate */
@@ -920,22 +981,25 @@ void sslInitExtraPacketProcessing(int caseNum, struct ndpi_flow_struct *flow) {
}
}
-int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
+/* **************************************** */
+
+int tlsDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
if((packet->payload_packet_len > 9)
&& (packet->payload[0] == 0x16 /* consider only specific SSL packets (handshake) */)) {
if((packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)
- || (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL)) {
+ || (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS)) {
char certificate[64];
int rc;
certificate[0] = '\0';
- rc = getSSLcertificate(ndpi_struct, flow, certificate, sizeof(certificate));
- packet->ssl_certificate_num_checks++;
+ rc = getTLScertificate(ndpi_struct, flow, certificate, sizeof(certificate));
+ packet->tls_certificate_num_checks++;
if(rc > 0) {
- packet->ssl_certificate_detected++;
+ packet->tls_certificate_detected++;
#ifdef CERTIFICATE_DEBUG
NDPI_LOG_DBG2(ndpi_struct, "***** [SSL] %s\n", certificate);
#endif
@@ -943,58 +1007,59 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s
u_int32_t subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, certificate,
strlen(certificate),
&ret_match,
- NDPI_PROTOCOL_SSL);
+ NDPI_PROTOCOL_TLS);
if(subproto != NDPI_PROTOCOL_UNKNOWN) {
/* If we've detected the subprotocol from client certificate but haven't had a chance
* to see the server certificate yet, set up extra packet processing to wait
* a few more packets. */
- if(((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0'))
- && ((flow->l4.tcp.ssl_seen_server_cert != 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] == '\0'))) {
+ if(((flow->l4.tcp.tls_seen_client_cert == 1) && (flow->protos.stun_tls.tls.client_certificate[0] != '\0'))
+ && ((flow->l4.tcp.tls_seen_server_cert != 1) && (flow->protos.stun_tls.tls.server_certificate[0] == '\0'))) {
sslInitExtraPacketProcessing(0, flow);
}
ndpi_set_detected_protocol(ndpi_struct, flow, subproto,
- ndpi_ssl_refine_master_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSL));
+ ndpi_tls_refine_master_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS));
return(rc); /* Fix courtesy of Gianluca Costa <g.costa@xplico.org> */
}
- if(ndpi_is_ssl_tor(ndpi_struct, flow, certificate) != 0)
+ if(ndpi_is_tls_tor(ndpi_struct, flow, certificate) != 0)
return(rc);
}
- if(((packet->ssl_certificate_num_checks >= 3)
+ if(((packet->tls_certificate_num_checks >= 3)
&& flow->l4.tcp.seen_syn
&& flow->l4.tcp.seen_syn_ack
&& flow->l4.tcp.seen_ack /* We have seen the 3-way handshake */)
- || ((flow->l4.tcp.ssl_seen_certificate == 1)
- && (flow->l4.tcp.ssl_seen_server_cert == 1)
- && (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0'))
- /* || ((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) */
+ || ((flow->l4.tcp.tls_seen_certificate == 1)
+ && (flow->l4.tcp.tls_seen_server_cert == 1)
+ && (flow->protos.stun_tls.tls.server_certificate[0] != '\0'))
+ /* || ((flow->l4.tcp.tls_seen_client_cert == 1) && (flow->protos.stun_tls.tls.client_certificate[0] != '\0')) */
) {
- ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL);
+ ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
}
}
}
return(0);
}
-static void ssl_mark_and_payload_search_for_other_protocols(struct ndpi_detection_module_struct
- *ndpi_struct, struct ndpi_flow_struct *flow)
-{
+/* **************************************** */
+
+static void tls_mark_and_payload_search_for_other_protocols(struct ndpi_detection_module_struct
+ *ndpi_struct, struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
u_int32_t a;
u_int32_t end;
if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_UNENCRYPTED_JABBER) != 0)
- goto check_for_ssl_payload;
+ goto check_for_tls_payload;
if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_OSCAR) != 0)
- goto check_for_ssl_payload;
+ goto check_for_tls_payload;
else
- goto no_check_for_ssl_payload;
+ goto no_check_for_tls_payload;
- check_for_ssl_payload:
+ check_for_tls_payload:
end = packet->payload_packet_len - 20;
for (a = 5; a < end; a++) {
@@ -1003,7 +1068,7 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct ndpi_detectio
if(NDPI_COMPARE_PROTOCOL_TO_BITMASK
(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_UNENCRYPTED_JABBER) != 0) {
NDPI_LOG_INFO(ndpi_struct, "found ssl jabber unencrypted\n");
- ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNENCRYPTED_JABBER);
+ ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNENCRYPTED_JABBER);
return;
}
}
@@ -1025,12 +1090,12 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct ndpi_detectio
NDPI_LOG_INFO(ndpi_struct, "found OSCAR SERVER SSL DETECTED\n");
if(flow->dst != NULL && packet->payload_packet_len > 75) {
- memcpy(flow->dst->oscar_ssl_session_id, &packet->payload[44], 32);
- flow->dst->oscar_ssl_session_id[32] = '\0';
+ memcpy(flow->dst->oscar_tls_session_id, &packet->payload[44], 32);
+ flow->dst->oscar_tls_session_id[32] = '\0';
flow->dst->oscar_last_safe_access_time = packet->tick_timestamp;
}
- ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_OSCAR);
+ ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_OSCAR);
return;
}
}
@@ -1040,31 +1105,32 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct ndpi_detectio
(memcmp(&packet->payload[a], "my.screenname.aol.com", 21) == 0
|| memcmp(&packet->payload[a], "sns-static.aolcdn.com", 21) == 0)) {
NDPI_LOG_DBG(ndpi_struct, "found OSCAR SERVER SSL DETECTED\n");
- ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_OSCAR);
+ ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_OSCAR);
return;
}
}
}
- no_check_for_ssl_payload:
+ no_check_for_tls_payload:
if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
NDPI_LOG_DBG(ndpi_struct, "found ssl connection\n");
- sslDetectProtocolFromCertificate(ndpi_struct, flow);
+ tlsDetectProtocolFromCertificate(ndpi_struct, flow);
- if(!packet->ssl_certificate_detected
- && (!(flow->l4.tcp.ssl_seen_client_cert && flow->l4.tcp.ssl_seen_server_cert))) {
+ if(!packet->tls_certificate_detected
+ && (!(flow->l4.tcp.tls_seen_client_cert && flow->l4.tcp.tls_seen_server_cert))) {
/* SSL without certificate (Skype, Ultrasurf?) */
NDPI_LOG_INFO(ndpi_struct, "found ssl NO_CERT\n");
- ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL_NO_CERT);
- } else if(packet->ssl_certificate_num_checks >= 3) {
+ ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS_NO_CERT);
+ } else if(packet->tls_certificate_num_checks >= 3) {
NDPI_LOG_INFO(ndpi_struct, "found ssl\n");
- ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL);
+ ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
}
}
}
+/* **************************************** */
-static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct *ndpi_struct,
+static u_int8_t ndpi_search_tlsv3_direction1(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
@@ -1129,7 +1195,7 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct
if(packet->payload_packet_len >= temp + 5 && (packet->payload[temp] == 0x14 || packet->payload[temp] == 0x16)
&& packet->payload[temp + 1] == 0x03) {
u_int32_t temp2 = ntohs(get_u_int16_t(packet->payload, temp + 3)) + 5;
- if(temp + temp2 > NDPI_MAX_SSL_REQUEST_SIZE) {
+ if(temp + temp2 > NDPI_MAX_TLS_REQUEST_SIZE) {
return 1;
}
temp += temp2;
@@ -1140,7 +1206,7 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct
if(packet->payload_packet_len >= temp + 5 &&
packet->payload[temp] == 0x16 && packet->payload[temp + 1] == 0x03) {
temp2 = ntohs(get_u_int16_t(packet->payload, temp + 3)) + 5;
- if(temp + temp2 > NDPI_MAX_SSL_REQUEST_SIZE) {
+ if(temp + temp2 > NDPI_MAX_TLS_REQUEST_SIZE) {
return 1;
}
temp += temp2;
@@ -1151,7 +1217,7 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct
if(packet->payload_packet_len >= temp + 5 &&
packet->payload[temp] == 0x16 && packet->payload[temp + 1] == 0x03) {
temp2 = ntohs(get_u_int16_t(packet->payload, temp + 3)) + 5;
- if(temp + temp2 > NDPI_MAX_SSL_REQUEST_SIZE) {
+ if(temp + temp2 > NDPI_MAX_TLS_REQUEST_SIZE) {
return 1;
}
temp += temp2;
@@ -1167,20 +1233,34 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct
return 0;
}
-void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
+/* **************************************** */
+
+void ndpi_search_tls_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
u_int8_t ret;
- if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) {
- if(flow->l4.tcp.ssl_stage == 3 && packet->payload_packet_len > 20 && flow->packet_counter < 5) {
+ if(packet->udp != NULL) {
+ /* DTLS dissector */
+ int rc = sslTryAndRetrieveServerCertificate(ndpi_struct, flow);
+
+ if(rc) flow->guessed_protocol_id = NDPI_PROTOCOL_TLS;
+
+ if(flow->l4.tcp.tls_seen_server_cert)
+ ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
+ return;
+ }
+
+ if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS) {
+ if(flow->l4.tcp.tls_stage == 3 && packet->payload_packet_len > 20 && flow->packet_counter < 5) {
/* this should only happen, when we detected SSL with a packet that had parts of the certificate in subsequent packets
* so go on checking for certificate patterns for a couple more packets
*/
NDPI_LOG_DBG2(ndpi_struct,
"ssl flow but check another packet for patterns\n");
- ssl_mark_and_payload_search_for_other_protocols(ndpi_struct, flow);
- if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) {
+ tls_mark_and_payload_search_for_other_protocols(ndpi_struct, flow);
+
+ if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS) {
/* still ssl so check another packet */
return;
} else {
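Review bot: The new UDP branch tests `flow->l4.tcp.tls_seen_server_cert` on a DTLS flow, and getTLScertificate sets `flow->l4.tcp.tls_seen_*` regardless of transport; if `l4` is a tcp/udp union, as the member names suggest, those bits alias whatever the udp member keeps at that position and can be set or cleared by unrelated code (the ndpi_typedefs.h change is not in view to confirm either way). Either move the tls_seen_* bits out of the tcp sub-struct or add a comment stating that the udp member is known not to overlap them. Also, sslTryAndRetrieveServerCertificate returns 1 to mean "keep looking" (its trailing comment), and its early-exit condition depends on `seen_syn`/`seen_syn_ack`/`seen_ack`, which a UDP flow never sets, so `if(rc) flow->guessed_protocol_id = NDPI_PROTOCOL_TLS;` labels the flow TLS on every datagram that has not yet yielded a certificate, including, as far as the visible return paths show, one that getTLScertificate just excluded as non-DTLS. Gating the guess on `flow->l4.tcp.tls_seen_client_cert || flow->l4.tcp.tls_seen_server_cert` instead of `rc` would tie it to something actually parsed.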
@@ -1188,11 +1268,12 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
return;
}
}
+
return;
}
NDPI_LOG_DBG(ndpi_struct, "search ssl\n");
-
+
/* Check if this is whatsapp first (this proto runs over port 443) */
if((packet->payload_packet_len > 5)
&& ((packet->payload[0] == 'W')
@@ -1209,18 +1290,18 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
return;
} else {
/* No whatsapp, let's try SSL */
- if(sslDetectProtocolFromCertificate(ndpi_struct, flow) > 0)
+ if(tlsDetectProtocolFromCertificate(ndpi_struct, flow) > 0)
return;
- }
-
- if(packet->payload_packet_len > 40 && flow->l4.tcp.ssl_stage == 0) {
+ }
+
+ if(packet->payload_packet_len > 40 && flow->l4.tcp.tls_stage == 0) {
NDPI_LOG_DBG2(ndpi_struct, "first ssl packet\n");
// SSLv2 Record
if(packet->payload[2] == 0x01 && packet->payload[3] == 0x03
&& (packet->payload[4] == 0x00 || packet->payload[4] == 0x01 || packet->payload[4] == 0x02)
&& (packet->payload_packet_len - packet->payload[1] == 2)) {
NDPI_LOG_DBG2(ndpi_struct, "sslv2 len match\n");
- flow->l4.tcp.ssl_stage = 1 + packet->packet_direction;
+ flow->l4.tcp.tls_stage = 1 + packet->packet_direction;
return;
}
@@ -1229,7 +1310,7 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
&& (packet->payload_packet_len - ntohs(get_u_int16_t(packet->payload, 3)) == 5)) {
// SSLv3 Record
NDPI_LOG_DBG2(ndpi_struct, "sslv3 len match\n");
- flow->l4.tcp.ssl_stage = 1 + packet->packet_direction;
+ flow->l4.tcp.tls_stage = 1 + packet->packet_direction;
return;
}
@@ -1237,42 +1318,42 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
if(packet->payload[0] == 0x17 && packet->payload[1] == 0x03
&& (packet->payload[2] == 0x00 || packet->payload[2] == 0x01 ||
packet->payload[2] == 0x02 || packet->payload[2] == 0x03)) {
- if(packet->payload_packet_len - ntohs(get_u_int16_t(packet->payload, 3)) == 5) {
- NDPI_LOG_DBG2(ndpi_struct, "TLS len match\n");
- flow->l4.tcp.ssl_stage = 1 + packet->packet_direction;
- return;
- }
+ if(packet->payload_packet_len - ntohs(get_u_int16_t(packet->payload, 3)) == 5) {
+ NDPI_LOG_DBG2(ndpi_struct, "TLS len match\n");
+ flow->l4.tcp.tls_stage = 1 + packet->packet_direction;
+ return;
+ }
}
}
-
+
if(packet->payload_packet_len > 40 &&
- flow->l4.tcp.ssl_stage == 1 + packet->packet_direction
+ flow->l4.tcp.tls_stage == 1 + packet->packet_direction
&& flow->packet_direction_counter[packet->packet_direction] < 5) {
return;
}
- if(packet->payload_packet_len > 40 && flow->l4.tcp.ssl_stage == 2 - packet->packet_direction) {
+ if(packet->payload_packet_len > 40 && flow->l4.tcp.tls_stage == 2 - packet->packet_direction) {
NDPI_LOG_DBG2(ndpi_struct, "second ssl packet\n");
// SSLv2 Record
if(packet->payload[2] == 0x01 && packet->payload[3] == 0x03
&& (packet->payload[4] == 0x00 || packet->payload[4] == 0x01 || packet->payload[4] == 0x02)
&& (packet->payload_packet_len - 2) >= packet->payload[1]) {
NDPI_LOG_DBG2(ndpi_struct, "sslv2 server len match\n");
- ssl_mark_and_payload_search_for_other_protocols(ndpi_struct, flow);
+ tls_mark_and_payload_search_for_other_protocols(ndpi_struct, flow);
return;
}
- ret = ndpi_search_sslv3_direction1(ndpi_struct, flow);
+ ret = ndpi_search_tlsv3_direction1(ndpi_struct, flow);
if(ret == 1) {
NDPI_LOG_DBG2(ndpi_struct, "sslv3 server len match\n");
- ssl_mark_and_payload_search_for_other_protocols(ndpi_struct, flow);
+ tls_mark_and_payload_search_for_other_protocols(ndpi_struct, flow);
return;
} else if(ret == 2) {
NDPI_LOG_DBG2(ndpi_struct,
"sslv3 server len match with split packet -> check some more packets for SSL patterns\n");
- ssl_mark_and_payload_search_for_other_protocols(ndpi_struct, flow);
- if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) {
- flow->l4.tcp.ssl_stage = 3;
+ tls_mark_and_payload_search_for_other_protocols(ndpi_struct, flow);
+ if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS) {
+ flow->l4.tcp.tls_stage = 3;
}
return;
}
@@ -1284,16 +1365,18 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
}
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+
return;
}
+/* **************************************** */
-void init_ssl_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
-{
- ndpi_set_bitmask_protocol_detection("SSL", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_SSL,
- ndpi_search_ssl_tcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
+void init_tls_dissector(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) {
+ ndpi_set_bitmask_protocol_detection("TLS", ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_TLS,
+ ndpi_search_tls_tcp_udp,
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD,
SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
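Review bot: The registration now selects NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD and points at ndpi_search_tls_tcp_udp, but nothing in this hunk documents how UDP payloads are kept out of the TCP state machine shown above, which tracks progress in flow->l4.tcp.tls_stage and relies on 5-byte record-length checks (`payload_packet_len - ntohs(get_u_int16_t(packet->payload, 3)) == 5`) that a DTLS record, with its 13-byte header and 0xFEFF/0xFEFD version, will never satisfy. ndpi_search_tls_tcp_udp is defined outside this hunk, so I cannot confirm it dispatches on packet->udp before any l4.tcp field is read; if l4.tcp and l4.udp overlap in ndpi_flow_struct (they appear to be union members elsewhere in nDPI, please verify), a UDP flow that falls into the TCP path would read and update the wrong member. I would add a comment at the registration site stating the intent, e.g. `/* TCP_OR_UDP: UDP is for DTLS only; ndpi_search_tls_tcp_udp must branch on packet->udp before touching flow->l4.tcp */`, and, if the dispatcher lacks it, an early `if(packet->udp) { /* DTLS handling */ return; }` before the TCP logic.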
diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c
index 1a5d4097e..fb8d1bd2c 100644
--- a/src/lib/protocols/tor.c
+++ b/src/lib/protocols/tor.c
@@ -18,7 +18,7 @@ static void ndpi_int_tor_add_connection(struct ndpi_detection_module_struct
}
-int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct,
+int ndpi_is_tls_tor(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow, char *certificate) {
int prev_num = 0, numbers_found = 0, num_found = 0, i, len, num_impossible = 0;
char dummy[48], *dot, *name;
diff --git a/src/lib/protocols/yahoo.c b/src/lib/protocols/yahoo.c
index 3be953939..972466dc8 100644
--- a/src/lib/protocols/yahoo.c
+++ b/src/lib/protocols/yahoo.c
@@ -367,7 +367,7 @@ void ndpi_search_yahoo(struct ndpi_detection_module_struct *ndpi_struct, struct
if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN
|| packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP
- || packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) {
+ || packet->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS) {
/* search over TCP */
ndpi_search_yahoo_tcp(ndpi_struct, flow);
}