From 06f1fb23e0d006d49a021e1e27d84a508a9c02e9 Mon Sep 17 00:00:00 2001
From: lns <matzeton@googlemail.com>
Date: Sun, 8 May 2022 19:09:55 +0200
Subject: Improved TLS application data detection.

 * #1532 did fx TLS appdata detection only partially
 * use flow->l4.tcp.tls.message.buffer_used instead of packet->payload

Signed-off-by: lns <matzeton@googlemail.com>
---
 src/lib/protocols/tls.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 8324cb9ea..09ff86eb6 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -987,8 +987,9 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 	if(block_len < 16384 /* Max TLS block size */)
 	  ndpi_looks_like_tls(ndpi_struct, flow);
 
-    if (packet->payload[1] == 0x03 && packet->payload[2] <= 4 &&
-        block_len == (u_int32_t)packet->payload_packet_len - 5)
+    if (flow->l4.tcp.tls.message.buffer[1] == 0x03 &&
+        flow->l4.tcp.tls.message.buffer[2] <= 0x04 &&
+        block_len == (u_int32_t)flow->l4.tcp.tls.message.buffer_used - 5)
     {
       ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
     }
-- 
cgit v1.2.3