From a8ffcd8bb0273d59600c6310a80b81206096c113 Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Wed, 24 Nov 2021 10:46:48 +0100
Subject: Rework how hostname/SNI info is saved (#1330)

Looking at `struct ndpi_flow_struct` the two bigger fields are `host_server_name[240]` (mainly for HTTP hostnames and DNS domains) and `protos.tls_quic.client_requested_server_name[256]` (for TLS/QUIC SNIs). This commit aims to reduce `struct ndpi_flow_struct` size, according to two simple observations: 1) maximum one of these two fields is used for each flow. So it seems safe to merge them; 2) even if hostnames/SNIs might be very long, in practice they are rarely longer than a fews tens of bytes. So, using a (single) large buffer is a waste of memory for all kinds of flows. If we need to truncate the name, we keep the *last* characters, easing domain matching. Analyzing some real traffic, it seems safe to assume that the vast majority of hostnames/SNIs is shorter than 80 bytes. Hostnames/SNIs are always converted to lowercase. Attention was given so as to be sure that unit-tests outputs are not affected by this change. Because of a bug, TLS/QUIC SNI were always truncated to 64 bytes (the *first* 64 ones): as a consequence, there were some "Suspicious DGA domain name" and "TLS Certificate Mismatch" false positives.
---
 src/include/ndpi_main.h | 3 +++
 src/include/ndpi_typedefs.h | 11 ++++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)
(limited to 'src/include')
diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h
index 66fb5ea1b..190bdc45a 100644
--- a/src/include/ndpi_main.h
+++ b/src/include/ndpi_main.h
@@ -155,6 +155,9 @@ extern "C" {
   void load_common_alpns(struct ndpi_detection_module_struct *ndpi_str);
   u_int8_t is_a_common_alpn(struct ndpi_detection_module_struct *ndpi_str, const char *alpn_to_check, u_int alpn_to_check_len);
+
+  char *ndpi_hostname_sni_set(struct ndpi_flow_struct *flow, const u_int8_t *value, size_t value_len);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 3d6e0dd65..c6e79a951 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1193,8 +1193,14 @@ struct ndpi_flow_struct {
   /* Place textual flow info here */
   char flow_extra_info[16];
-  /* HTTP host or DNS query */
-  u_char host_server_name[240];
+  /* General purpose field used to save mainly hostname/SNI information.
+   * In details it used for: DNS and NETBIOS name, HTTP and DHCP hostname,
+   * WHOIS request, TLS/QUIC server name and STUN realm.
+   *
+   * Please, think *very* hard before increasing its size!
+   */
+  char host_server_name[80];
+
   u_int8_t initial_binary_bytes[8], initial_binary_bytes_len;
   u_int8_t risk_checked:1, ip_risk_mask_evaluated:1, host_risk_mask_evaluated:1, _notused:5;
   ndpi_risk risk_mask; /* Stores the flow risk mask for flow peers */
@@ -1262,7 +1268,6 @@ struct ndpi_flow_struct {
     struct {
       char ssl_version_str[12];
       u_int16_t ssl_version, server_names_len;
-      char client_requested_server_name[256]; /* SNI hostname length: RFC 4366 */
       char *server_names, *alpn, *tls_supported_versions, *issuerDN, *subjectDN;
       u_int32_t notBefore, notAfter;
       char ja3_client[33], ja3_server[33];
-- 
cgit v1.2.3
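Review bot: The new `ndpi_hostname_sni_set` prototype is added with no comment, so a caller reading the header cannot tell what the function guarantees: the commit message says the name is lowercased and, when it does not fit, truncated keeping its *last* bytes, but neither that, the NUL-termination of `flow->host_server_name`, nor what the returned `char *` points to is stated anywhere in the header. Since `value` is a raw `u_int8_t` buffer with an explicit `value_len` (presumably taken straight from packet payload), the header should also say that `value` need not be NUL-terminated and that at most `value_len` bytes are read from it. I would add a Doxygen comment above the prototype documenting `flow`, `value`, `value_len`, the lowercase conversion, the keep-the-tail truncation rule and the return value (likely the stored string, but that needs confirming against the implementation, which is not in this diff). The enclosing `extern "C"` block begins outside the hunk.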
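Review bot: The new comment on `host_server_name` lists what the field holds but not the storage contract that readers now depend on: with the buffer shrunk from 240/256 to 80 bytes a long hostname or SNI is stored truncated, and per the commit message the *last* characters are kept and the name is lowercased, so code that compares this field against a full name (the certificate-mismatch and DGA checks named in the description) is effectively comparing a suffix. I would extend the comment with `* Always NUL-terminated and lowercase. Names longer than sizeof(host_server_name)-1` / `* are truncated keeping their LAST bytes, so treat the content as a possible suffix;` / `* write it only through ndpi_hostname_sni_set().` The type also changes from `u_char` to `char`; callers that still pass the field to functions expecting unsigned bytes should be re-checked, and "In details it used for" reads better as "In detail it is used for". `struct ndpi_flow_struct` begins before this hunk and continues after it.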