From 06f1fb23e0d006d49a021e1e27d84a508a9c02e9 Mon Sep 17 00:00:00 2001
From: lns
Date: Sun, 8 May 2022 19:09:55 +0200
Subject: Improved TLS application data detection.
* #1532 did fx TLS appdata detection only partially
* use flow->l4.tcp.tls.message.buffer_used instead of packet->payload
Signed-off-by: lns
---
src/lib/protocols/tls.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 8324cb9ea..09ff86eb6 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -987,8 +987,9 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 if(block_len < 16384 /* Max TLS block size */)
 ndpi_looks_like_tls(ndpi_struct, flow);
- if (packet->payload[1] == 0x03 && packet->payload[2] <= 4 &&
- block_len == (u_int32_t)packet->payload_packet_len - 5)
+ if (flow->l4.tcp.tls.message.buffer[1] == 0x03 &&
+ flow->l4.tcp.tls.message.buffer[2] <= 0x04 &&
+ block_len == (u_int32_t)flow->l4.tcp.tls.message.buffer_used - 5)
 {
 ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
 }
--
cgit v1.2.3
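Review bot: The new condition indexes `flow->l4.tcp.tls.message.buffer[1]` and `[2]` and computes `buffer_used - 5` in unsigned arithmetic, but nothing in the hunk shows that the reassembly buffer is non-NULL and holds at least the 5-byte TLS record header. The body of ndpi_search_tls_tcp starts and ends outside the hunk, so such a guard may exist earlier. If it does not, a short buffer would have stale bytes compared and the subtraction would wrap. Putting `flow->l4.tcp.tls.message.buffer_used >= 5 &&` first in the condition would make the test safe on its own. A comment such as `/* 5 = TLS record header: type(1) + version(2) + length(2) */` would also explain the constant and why the version bytes sit at offsets 1 and 2.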