From 013212c67c2b9f9c227e1c0db0becea040af2b6b Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Sun, 31 Jul 2022 16:57:17 +0200
Subject: TLS: avoid useless extra dissection (#1690)
If we have seen Application Data blocks in both directions, it means we are after the handshake. At that point, extra dissection is useless. Useful feature with TLS mid-sessions, i.e. sessions without initial packets.
---
 src/include/ndpi_typedefs.h | 1 +
 src/lib/protocols/tls.c | 6 ++++++
 2 files changed, 7 insertions(+)
(limited to 'src')
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 24302075e..74df9e957 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -709,6 +709,7 @@ struct ndpi_flow_tcp_struct {
 /* NDPI_PROTOCOL_TLS */
 u_int8_t certificate_processed:1, fingerprint_set:1, _pad:6;
+ u_int8_t app_data_seen[2];
 u_int8_t num_tls_blocks;
 int16_t tls_application_blocks_len[NDPI_MAX_NUM_TLS_APPL_BLOCKS]; /* + = src->dst, - = dst->src */
 } tls;
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 99c469766..53e79d161 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1052,6 +1052,12 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 ndpi_int_tls_add_connection(ndpi_struct, flow);
 }
+ /* If we have seen Application Data blocks in both directions, it means
+ we are after the handshake. Stop extra processing */
+ flow->l4.tcp.tls.app_data_seen[packet->packet_direction] = 1;
+ if(flow->l4.tcp.tls.app_data_seen[!packet->packet_direction] == 1)
+ flow->l4.tcp.tls.certificate_processed = 1;
+
 if(flow->l4.tcp.tls.certificate_processed) {
 if(flow->l4.tcp.tls.num_tls_blocks < ndpi_struct->num_tls_blocks_to_follow)
 flow->l4.tcp.tls.tls_application_blocks_len[flow->l4.tcp.tls.num_tls_blocks++] =
-- 
cgit v1.2.3
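Review bot: The new `app_data_seen[packet->packet_direction] = 1` in tls.c indexes a two-element array declared in the ndpi_typedefs.h hunk, but nothing in this hunk establishes that `packet_direction` is confined to 0 or 1; if it is a plain integer rather than a 1-bit field, a value of 2 or more writes past the array into `num_tls_blocks`, so the index should be normalised first: `u_int8_t dir = packet->packet_direction ? 1 : 0;` followed by `flow->l4.tcp.tls.app_data_seen[dir] = 1;` and `if(flow->l4.tcp.tls.app_data_seen[!dir])`. The hunk also reuses `certificate_processed` to mean "stop extra dissection", so for a mid-session flow the flag is now set although no certificate was ever parsed; any reader that treats it as "certificate metadata is available" would be misled, which is worth a comment next to the assignment such as `/* also set when no certificate was seen: marks the flow as past the handshake */` or a dedicated flag. The `== 1` comparison can be dropped since the field is only ever written as 1. The enclosing function `ndpi_search_tls_tcp` starts and ends outside the hunk, and the hunk does not show that this point is reached only for Application Data records, as the added comment assumes.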