1 /*
2 * ndpi_utils.c
3 *
4 * Copyright (C) 2011-21 - ntop.org
5 *
6 * This file is part of nDPI, an open source deep packet inspection
7 * library based on the OpenDPI and PACE technology by ipoque GmbH
8 *
9 * nDPI is free software: you can redistribute it and/or modify
10 * it under the terms of the GNU Lesser General Public License as published by
11 * the Free Software Foundation, either version 3 of the License, or
12 * (at your option) any later version.
13 *
14 * nDPI is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public License
20 * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
21 *
22 */
23
24
25 #include <stdlib.h>
26 #include <errno.h>
27 #include <math.h>
28 #include <sys/types.h>
29
30
31 #define NDPI_CURRENT_PROTO NDPI_PROTOCOL_UNKNOWN
32
33 #include "ndpi_config.h"
34 #include "ndpi_api.h"
35 #include "ndpi_includes.h"
36 #include "ndpi_encryption.h"
37
38 #include "ahocorasick.h"
39 #include "libcache.h"
40
41 #include <time.h>
42 #ifndef WIN32
43 #include <unistd.h>
44 #endif
45
46 #if defined __FreeBSD__ || defined __NetBSD__ || defined __OpenBSD__ || defined __DragonFly__
47 #include <sys/endian.h>
48 #endif
49
50 #include "third_party/include/ndpi_patricia.h"
51 #include "third_party/include/libinjection.h"
52 #include "third_party/include/libinjection_sqli.h"
53 #include "third_party/include/libinjection_xss.h"
54 #include "third_party/include/rce_injection.h"
55
56 #define NDPI_CONST_GENERIC_PROTOCOL_NAME "GenericProtocol"
57
58 // #define MATCH_DEBUG 1
59
60 // #define DEBUG_REASSEMBLY
61
62 /* ****************************************** */
63
64 /* implementation of the punycode check function */
ndpi_check_punycode_string(char * buffer,int len)65 int ndpi_check_punycode_string(char * buffer , int len) {
66 int i = 0;
67
68 while(i++ < len) {
69 if((buffer[i] == 'x')
70 && (buffer[i+1] == 'n')
71 && (buffer[i+2] == '-')
72 && (buffer[i+3] == '-'))
73 // is a punycode string
74 return(1);
75 }
76
77 // not a punycode string
78 return 0;
79 }
80
81 /* ****************************************** */
82
83 /* ftp://ftp.cc.uoc.gr/mirrors/OpenBSD/src/lib/libc/stdlib/tsearch.c */
84 /* find or insert datum into search tree */
ndpi_tsearch(const void * vkey,void ** vrootp,int (* compar)(const void *,const void *))85 void * ndpi_tsearch(const void *vkey, void **vrootp,
86 int (*compar)(const void *, const void *))
87 {
88 ndpi_node *q;
89 char *key = (char *)vkey;
90 ndpi_node **rootp = (ndpi_node **)vrootp;
91
92 if(rootp == (ndpi_node **)0)
93 return ((void *)0);
94 while (*rootp != (ndpi_node *)0) { /* Knuth's T1: */
95 int r;
96
97 if((r = (*compar)(key, (*rootp)->key)) == 0) /* T2: */
98 return ((*rootp)->key); /* we found it! */
99 rootp = (r < 0) ?
100 &(*rootp)->left : /* T3: follow left branch */
101 &(*rootp)->right; /* T4: follow right branch */
102 }
103 q = (ndpi_node *) ndpi_malloc(sizeof(ndpi_node)); /* T5: key not found */
104 if(q != (ndpi_node *)0) { /* make new node */
105 *rootp = q; /* link new node to old */
106 q->key = key; /* initialize new node */
107 q->left = q->right = (ndpi_node *)0;
108 }
109 return ((void *)q->key);
110 }
111
112 /* ****************************************** */
113
114 /* delete node with given key */
ndpi_tdelete(const void * vkey,void ** vrootp,int (* compar)(const void *,const void *))115 void * ndpi_tdelete(const void *vkey, void **vrootp,
116 int (*compar)(const void *, const void *))
117 {
118 ndpi_node **rootp = (ndpi_node **)vrootp;
119 char *key = (char *)vkey;
120 ndpi_node *q;
121 ndpi_node *r;
122 int cmp;
123
124 if(rootp == (ndpi_node **)0 || *rootp == (ndpi_node *)0)
125 return((void *)0);
126 while ((cmp = (*compar)(key, (*rootp)->key)) != 0) {
127 rootp = (cmp < 0) ?
128 &(*rootp)->left : /* follow left branch */
129 &(*rootp)->right; /* follow right branch */
130 if(*rootp == (ndpi_node *)0)
131 return ((void *)0); /* key not found */
132 }
133 r = (*rootp)->right; /* D1: */
134 if((q = (*rootp)->left) == (ndpi_node *)0) /* Left (ndpi_node *)0? */
135 q = r;
136 else if(r != (ndpi_node *)0) { /* Right link is null? */
137 if(r->left == (ndpi_node *)0) { /* D2: Find successor */
138 r->left = q;
139 q = r;
140 } else { /* D3: Find (ndpi_node *)0 link */
141 for(q = r->left; q->left != (ndpi_node *)0; q = r->left)
142 r = q;
143 r->left = q->right;
144 q->left = (*rootp)->left;
145 q->right = (*rootp)->right;
146 }
147 }
148 key = (*rootp)->key;
149 ndpi_free((ndpi_node *) *rootp); /* D4: Free node */
150 *rootp = q; /* link parent to new node */
151
152 /* Return the key to give the caller a chance to free custom data */
153 return(key);
154 }
155
156 /* ****************************************** */
157
158 /* Walk the nodes of a tree */
ndpi_trecurse(ndpi_node * root,void (* action)(const void *,ndpi_VISIT,int,void *),int level,void * user_data)159 static void ndpi_trecurse(ndpi_node *root, void (*action)(const void *, ndpi_VISIT, int, void*), int level, void *user_data)
160 {
161 if(root->left == (ndpi_node *)0 && root->right == (ndpi_node *)0)
162 (*action)(root, ndpi_leaf, level, user_data);
163 else {
164 (*action)(root, ndpi_preorder, level, user_data);
165 if(root->left != (ndpi_node *)0)
166 ndpi_trecurse(root->left, action, level + 1, user_data);
167 (*action)(root, ndpi_postorder, level, user_data);
168 if(root->right != (ndpi_node *)0)
169 ndpi_trecurse(root->right, action, level + 1, user_data);
170 (*action)(root, ndpi_endorder, level, user_data);
171 }
172 }
173
174 /* ****************************************** */
175
176 /* Walk the nodes of a tree */
ndpi_twalk(const void * vroot,void (* action)(const void *,ndpi_VISIT,int,void *),void * user_data)177 void ndpi_twalk(const void *vroot, void (*action)(const void *, ndpi_VISIT, int, void *), void *user_data)
178 {
179 ndpi_node *root = (ndpi_node *)vroot;
180
181 if(root != (ndpi_node *)0 && action != (void (*)(const void *, ndpi_VISIT, int, void*))0)
182 ndpi_trecurse(root, action, 0, user_data);
183 }
184
185 /* ****************************************** */
186
187 /* find a node, or return 0 */
ndpi_tfind(const void * vkey,void * vrootp,int (* compar)(const void *,const void *))188 void * ndpi_tfind(const void *vkey, void *vrootp,
189 int (*compar)(const void *, const void *))
190 {
191 char *key = (char *)vkey;
192 ndpi_node **rootp = (ndpi_node **)vrootp;
193
194 if(rootp == (ndpi_node **)0)
195 return ((ndpi_node *)0);
196 while (*rootp != (ndpi_node *)0) { /* T1: */
197 int r;
198 if((r = (*compar)(key, (*rootp)->key)) == 0) /* T2: */
199 return (*rootp); /* key found */
200 rootp = (r < 0) ?
201 &(*rootp)->left : /* T3: follow left branch */
202 &(*rootp)->right; /* T4: follow right branch */
203 }
204 return (ndpi_node *)0;
205 }
206
207 /* ****************************************** */
208
209 /* Walk the nodes of a tree */
ndpi_tdestroy_recurse(ndpi_node * root,void (* free_action)(void *))210 static void ndpi_tdestroy_recurse(ndpi_node* root, void (*free_action)(void *))
211 {
212 if(root->left != NULL)
213 ndpi_tdestroy_recurse(root->left, free_action);
214 if(root->right != NULL)
215 ndpi_tdestroy_recurse(root->right, free_action);
216
217 (*free_action) ((void *) root->key);
218 ndpi_free(root);
219 }
220
ndpi_tdestroy(void * vrootp,void (* freefct)(void *))221 void ndpi_tdestroy(void *vrootp, void (*freefct)(void *))
222 {
223 ndpi_node *root = (ndpi_node *) vrootp;
224
225 if(root != NULL)
226 ndpi_tdestroy_recurse(root, freefct);
227 }
228
229 /* ****************************************** */
230
ndpi_net_match(u_int32_t ip_to_check,u_int32_t net,u_int32_t num_bits)231 u_int8_t ndpi_net_match(u_int32_t ip_to_check,
232 u_int32_t net,
233 u_int32_t num_bits) {
234 u_int32_t mask = 0;
235
236 num_bits &= 0x1F; /* Avoid overflows */
237
238 mask = ~(~mask >> num_bits);
239
240 return(((ip_to_check & mask) == (net & mask)) ? 1 : 0);
241 }
242
ndpi_ips_match(u_int32_t src,u_int32_t dst,u_int32_t net,u_int32_t num_bits)243 u_int8_t ndpi_ips_match(u_int32_t src, u_int32_t dst,
244 u_int32_t net, u_int32_t num_bits)
245 {
246 return(ndpi_net_match(src, net, num_bits) || ndpi_net_match(dst, net, num_bits));
247 }
248
249 /* ****************************************** */
250
251 #if defined(WIN32) && !defined(__MINGW32__)
252 /* http://opensource.apple.com/source/Libc/Libc-186/string.subproj/strcasecmp.c */
253
254 /*
255 * This array is designed for mapping upper and lower case letter
256 * together for a case independent comparison. The mappings are
257 * based upon ascii character sequences.
258 */
259 static const u_char charmap[] = {
260 '\000', '\001', '\002', '\003', '\004', '\005', '\006', '\007',
261 '\010', '\011', '\012', '\013', '\014', '\015', '\016', '\017',
262 '\020', '\021', '\022', '\023', '\024', '\025', '\026', '\027',
263 '\030', '\031', '\032', '\033', '\034', '\035', '\036', '\037',
264 '\040', '\041', '\042', '\043', '\044', '\045', '\046', '\047',
265 '\050', '\051', '\052', '\053', '\054', '\055', '\056', '\057',
266 '\060', '\061', '\062', '\063', '\064', '\065', '\066', '\067',
267 '\070', '\071', '\072', '\073', '\074', '\075', '\076', '\077',
268 '\100', '\141', '\142', '\143', '\144', '\145', '\146', '\147',
269 '\150', '\151', '\152', '\153', '\154', '\155', '\156', '\157',
270 '\160', '\161', '\162', '\163', '\164', '\165', '\166', '\167',
271 '\170', '\171', '\172', '\133', '\134', '\135', '\136', '\137',
272 '\140', '\141', '\142', '\143', '\144', '\145', '\146', '\147',
273 '\150', '\151', '\152', '\153', '\154', '\155', '\156', '\157',
274 '\160', '\161', '\162', '\163', '\164', '\165', '\166', '\167',
275 '\170', '\171', '\172', '\173', '\174', '\175', '\176', '\177',
276 '\200', '\201', '\202', '\203', '\204', '\205', '\206', '\207',
277 '\210', '\211', '\212', '\213', '\214', '\215', '\216', '\217',
278 '\220', '\221', '\222', '\223', '\224', '\225', '\226', '\227',
279 '\230', '\231', '\232', '\233', '\234', '\235', '\236', '\237',
280 '\240', '\241', '\242', '\243', '\244', '\245', '\246', '\247',
281 '\250', '\251', '\252', '\253', '\254', '\255', '\256', '\257',
282 '\260', '\261', '\262', '\263', '\264', '\265', '\266', '\267',
283 '\270', '\271', '\272', '\273', '\274', '\275', '\276', '\277',
284 '\300', '\301', '\302', '\303', '\304', '\305', '\306', '\307',
285 '\310', '\311', '\312', '\313', '\314', '\315', '\316', '\317',
286 '\320', '\321', '\322', '\323', '\324', '\325', '\326', '\327',
287 '\330', '\331', '\332', '\333', '\334', '\335', '\336', '\337',
288 '\340', '\341', '\342', '\343', '\344', '\345', '\346', '\347',
289 '\350', '\351', '\352', '\353', '\354', '\355', '\356', '\357',
290 '\360', '\361', '\362', '\363', '\364', '\365', '\366', '\367',
291 '\370', '\371', '\372', '\373', '\374', '\375', '\376', '\377',
292 };
293
strcasecmp(const char * s1,const char * s2)294 int strcasecmp(const char *s1, const char *s2) {
295 register const u_char *cm = charmap,
296 *us1 = (const u_char *)s1,
297 *us2 = (const u_char *)s2;
298
299 while (cm[*us1] == cm[*us2++])
300 if(*us1++ == '\0')
301 return (0);
302 return (cm[*us1] - cm[*--us2]);
303 }
304
305 /* ****************************************** */
306
strncasecmp(const char * s1,const char * s2,size_t n)307 int strncasecmp(const char *s1, const char *s2, size_t n) {
308 if(n != 0) {
309 register const u_char *cm = charmap,
310 *us1 = (const u_char *)s1,
311 *us2 = (const u_char *)s2;
312
313 do {
314 if(cm[*us1] != cm[*us2++])
315 return (cm[*us1] - cm[*--us2]);
316 if(*us1++ == '\0')
317 break;
318 } while (--n != 0);
319 }
320 return (0);
321 }
322
323 #endif
324
325 /* **************************************** */
326
ndpi_is_safe_ssl_cipher(u_int32_t cipher)327 u_int8_t ndpi_is_safe_ssl_cipher(u_int32_t cipher) {
328 /* https://community.qualys.com/thread/18212-how-does-qualys-determine-the-server-cipher-suites */
329
330 switch(cipher) {
331 /* INSECURE */
332 case TLS_ECDHE_RSA_WITH_RC4_128_SHA: return(NDPI_CIPHER_INSECURE);
333 case TLS_RSA_WITH_RC4_128_SHA: return(NDPI_CIPHER_INSECURE);
334 case TLS_RSA_WITH_RC4_128_MD5: return(NDPI_CIPHER_INSECURE);
335
336 /* WEAK */
337 case TLS_RSA_WITH_AES_256_GCM_SHA384: return(NDPI_CIPHER_WEAK);
338 case TLS_RSA_WITH_AES_256_CBC_SHA256: return(NDPI_CIPHER_WEAK);
339 case TLS_RSA_WITH_AES_256_CBC_SHA: return(NDPI_CIPHER_WEAK);
340 case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: return(NDPI_CIPHER_WEAK);
341 case TLS_RSA_WITH_AES_128_GCM_SHA256: return(NDPI_CIPHER_WEAK);
342 case TLS_RSA_WITH_AES_128_CBC_SHA256: return(NDPI_CIPHER_WEAK);
343 case TLS_RSA_WITH_AES_128_CBC_SHA: return(NDPI_CIPHER_WEAK);
344 case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: return(NDPI_CIPHER_WEAK);
345 case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: return(NDPI_CIPHER_WEAK);
346 case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: return(NDPI_CIPHER_WEAK);
347 case TLS_RSA_WITH_3DES_EDE_CBC_SHA: return(NDPI_CIPHER_WEAK);
348 case TLS_RSA_WITH_SEED_CBC_SHA: return(NDPI_CIPHER_WEAK);
349 case TLS_RSA_WITH_IDEA_CBC_SHA: return(NDPI_CIPHER_WEAK);
350
351 default:
352 return(NDPI_CIPHER_SAFE);
353 }
354 }
355
356 /* ***************************************************** */
357
ndpi_cipher2str(u_int32_t cipher)358 const char* ndpi_cipher2str(u_int32_t cipher) {
359 switch(cipher) {
360 case TLS_NULL_WITH_NULL_NULL: return("TLS_NULL_WITH_NULL_NULL");
361 case TLS_RSA_EXPORT_WITH_RC4_40_MD5: return("TLS_RSA_EXPORT_WITH_RC4_40_MD5");
362 case TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: return("TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5");
363 case TLS_RSA_EXPORT_WITH_DES40_CBC_SHA: return("TLS_RSA_EXPORT_WITH_DES40_CBC_SHA");
364 case TLS_RSA_WITH_NULL_MD5: return("TLS_RSA_WITH_NULL_MD5");
365 case TLS_RSA_WITH_NULL_SHA: return("TLS_RSA_WITH_NULL_SHA");
366 case TLS_RSA_WITH_NULL_SHA256: return("TLS_RSA_WITH_NULL_SHA256");
367 case TLS_RSA_WITH_RC4_128_MD5: return("TLS_RSA_WITH_RC4_128_MD5");
368 case TLS_RSA_WITH_RC4_128_SHA: return("TLS_RSA_WITH_RC4_128_SHA");
369 case TLS_RSA_WITH_IDEA_CBC_SHA: return("TLS_RSA_WITH_IDEA_CBC_SHA");
370 case TLS_RSA_WITH_DES_CBC_SHA: return("TLS_RSA_WITH_DES_CBC_SHA");
371 case TLS_RSA_WITH_3DES_EDE_CBC_SHA: return("TLS_RSA_WITH_3DES_EDE_CBC_SHA");
372 case TLS_RSA_WITH_AES_128_CBC_SHA: return("TLS_RSA_WITH_AES_128_CBC_SHA");
373 case TLS_RSA_WITH_AES_256_CBC_SHA: return("TLS_RSA_WITH_AES_256_CBC_SHA");
374 case TLS_RSA_WITH_AES_128_CBC_SHA256: return("TLS_RSA_WITH_AES_128_CBC_SHA256");
375 case TLS_RSA_WITH_AES_256_CBC_SHA256: return("TLS_RSA_WITH_AES_256_CBC_SHA256");
376 case TLS_RSA_WITH_AES_128_GCM_SHA256: return("TLS_RSA_WITH_AES_128_GCM_SHA256");
377 case TLS_RSA_WITH_AES_256_GCM_SHA384: return("TLS_RSA_WITH_AES_256_GCM_SHA384");
378 case TLS_RSA_WITH_AES_128_CCM: return("TLS_RSA_WITH_AES_128_CCM");
379 case TLS_RSA_WITH_AES_256_CCM: return("TLS_RSA_WITH_AES_256_CCM");
380 case TLS_RSA_WITH_AES_128_CCM_8: return("TLS_RSA_WITH_AES_128_CCM_8");
381 case TLS_RSA_WITH_AES_256_CCM_8: return("TLS_RSA_WITH_AES_256_CCM_8");
382 case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: return("TLS_RSA_WITH_CAMELLIA_128_CBC_SHA");
383 case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: return("TLS_RSA_WITH_CAMELLIA_256_CBC_SHA");
384 case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256");
385 case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256: return("TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256");
386 case TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256");
387 case TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384");
388 case TLS_RSA_WITH_SEED_CBC_SHA: return("TLS_RSA_WITH_SEED_CBC_SHA");
389 case TLS_RSA_WITH_ARIA_128_CBC_SHA256: return("TLS_RSA_WITH_ARIA_128_CBC_SHA256");
390 case TLS_RSA_WITH_ARIA_256_CBC_SHA384: return("TLS_RSA_WITH_ARIA_256_CBC_SHA384");
391 case TLS_RSA_WITH_ARIA_128_GCM_SHA256: return("TLS_RSA_WITH_ARIA_128_GCM_SHA256");
392 case TLS_RSA_WITH_ARIA_256_GCM_SHA384: return("TLS_RSA_WITH_ARIA_256_GCM_SHA384");
393 case TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: return("TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA");
394 case TLS_DH_RSA_WITH_DES_CBC_SHA: return("TLS_DH_RSA_WITH_DES_CBC_SHA");
395 case TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA: return("TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA");
396 case TLS_DH_RSA_WITH_AES_128_CBC_SHA: return("TLS_DH_RSA_WITH_AES_128_CBC_SHA");
397 case TLS_DH_RSA_WITH_AES_256_CBC_SHA: return("TLS_DH_RSA_WITH_AES_256_CBC_SHA");
398 case TLS_DH_RSA_WITH_AES_128_CBC_SHA256: return("TLS_DH_RSA_WITH_AES_128_CBC_SHA256");
399 case TLS_DH_RSA_WITH_AES_256_CBC_SHA256: return("TLS_DH_RSA_WITH_AES_256_CBC_SHA256");
400 case TLS_DH_RSA_WITH_AES_128_GCM_SHA256: return("TLS_DH_RSA_WITH_AES_128_GCM_SHA256");
401 case TLS_DH_RSA_WITH_AES_256_GCM_SHA384: return("TLS_DH_RSA_WITH_AES_256_GCM_SHA384");
402 case TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA: return("TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA");
403 case TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA: return("TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA");
404 case TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256");
405 case TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256: return("TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256");
406 case TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256");
407 case TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384");
408 case TLS_DH_RSA_WITH_SEED_CBC_SHA: return("TLS_DH_RSA_WITH_SEED_CBC_SHA");
409 case TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256: return("TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256");
410 case TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384: return("TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384");
411 case TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256: return("TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256");
412 case TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384: return("TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384");
413 case TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: return("TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA");
414 case TLS_DHE_RSA_WITH_DES_CBC_SHA: return("TLS_DHE_RSA_WITH_DES_CBC_SHA");
415 case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: return("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA");
416 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA: return("TLS_DHE_RSA_WITH_AES_128_CBC_SHA");
417 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA: return("TLS_DHE_RSA_WITH_AES_256_CBC_SHA");
418 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: return("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256");
419 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: return("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256");
420 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: return("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256");
421 case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: return("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384");
422 case TLS_DHE_RSA_WITH_AES_128_CCM: return("TLS_DHE_RSA_WITH_AES_128_CCM");
423 case TLS_DHE_RSA_WITH_AES_256_CCM: return("TLS_DHE_RSA_WITH_AES_256_CCM");
424 case TLS_DHE_RSA_WITH_AES_128_CCM_8: return("TLS_DHE_RSA_WITH_AES_128_CCM_8");
425 case TLS_DHE_RSA_WITH_AES_256_CCM_8: return("TLS_DHE_RSA_WITH_AES_256_CCM_8");
426 case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: return("TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA");
427 case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: return("TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA");
428 case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256");
429 case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256: return("TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256");
430 case TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256");
431 case TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384");
432 case TLS_DHE_RSA_WITH_SEED_CBC_SHA: return("TLS_DHE_RSA_WITH_SEED_CBC_SHA");
433 case TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256: return("TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256");
434 case TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384: return("TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384");
435 case TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256: return("TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256");
436 case TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384: return("TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384");
437 case TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: return("TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256");
438 case TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA: return("TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA");
439 case TLS_DH_DSS_WITH_DES_CBC_SHA: return("TLS_DH_DSS_WITH_DES_CBC_SHA");
440 case TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA: return("TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA");
441 case TLS_DH_DSS_WITH_AES_128_CBC_SHA: return("TLS_DH_DSS_WITH_AES_128_CBC_SHA");
442 case TLS_DH_DSS_WITH_AES_256_CBC_SHA: return("TLS_DH_DSS_WITH_AES_256_CBC_SHA");
443 case TLS_DH_DSS_WITH_AES_128_CBC_SHA256: return("TLS_DH_DSS_WITH_AES_128_CBC_SHA256");
444 case TLS_DH_DSS_WITH_AES_256_CBC_SHA256: return("TLS_DH_DSS_WITH_AES_256_CBC_SHA256");
445 case TLS_DH_DSS_WITH_AES_128_GCM_SHA256: return("TLS_DH_DSS_WITH_AES_128_GCM_SHA256");
446 case TLS_DH_DSS_WITH_AES_256_GCM_SHA384: return("TLS_DH_DSS_WITH_AES_256_GCM_SHA384");
447 case TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA: return("TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA");
448 case TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA: return("TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA");
449 case TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256");
450 case TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256: return("TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256");
451 case TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256");
452 case TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384");
453 case TLS_DH_DSS_WITH_SEED_CBC_SHA: return("TLS_DH_DSS_WITH_SEED_CBC_SHA");
454 case TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256: return("TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256");
455 case TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384: return("TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384");
456 case TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256: return("TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256");
457 case TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384: return("TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384");
458 case TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: return("TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
459 case TLS_DHE_DSS_WITH_DES_CBC_SHA: return("TLS_DHE_DSS_WITH_DES_CBC_SHA");
460 case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: return("TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA");
461 case TLS_DHE_DSS_WITH_AES_128_CBC_SHA: return("TLS_DHE_DSS_WITH_AES_128_CBC_SHA");
462 case TLS_DHE_DSS_WITH_AES_256_CBC_SHA: return("TLS_DHE_DSS_WITH_AES_256_CBC_SHA");
463 case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: return("TLS_DHE_DSS_WITH_AES_128_CBC_SHA256");
464 case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: return("TLS_DHE_DSS_WITH_AES_256_CBC_SHA256");
465 case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: return("TLS_DHE_DSS_WITH_AES_128_GCM_SHA256");
466 case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: return("TLS_DHE_DSS_WITH_AES_256_GCM_SHA384");
467 case TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: return("TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA");
468 case TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: return("TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA");
469 case TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256");
470 case TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256: return("TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256");
471 case TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256");
472 case TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384");
473 case TLS_DHE_DSS_WITH_SEED_CBC_SHA: return("TLS_DHE_DSS_WITH_SEED_CBC_SHA");
474 case TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256: return("TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256");
475 case TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384: return("TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384");
476 case TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256: return("TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256");
477 case TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384: return("TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384");
478 case TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5: return("TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5");
479 case TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA: return("TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA");
480 case TLS_DH_ANON_WITH_RC4_128_MD5: return("TLS_DH_ANON_WITH_RC4_128_MD5");
481 case TLS_DH_ANON_WITH_DES_CBC_SHA: return("TLS_DH_ANON_WITH_DES_CBC_SHA");
482 case TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA: return("TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA");
483 case TLS_DH_ANON_WITH_AES_128_CBC_SHA: return("TLS_DH_ANON_WITH_AES_128_CBC_SHA");
484 case TLS_DH_ANON_WITH_AES_256_CBC_SHA: return("TLS_DH_ANON_WITH_AES_256_CBC_SHA");
485 case TLS_DH_ANON_WITH_AES_128_CBC_SHA256: return("TLS_DH_ANON_WITH_AES_128_CBC_SHA256");
486 case TLS_DH_ANON_WITH_AES_256_CBC_SHA256: return("TLS_DH_ANON_WITH_AES_256_CBC_SHA256");
487 case TLS_DH_ANON_WITH_AES_128_GCM_SHA256: return("TLS_DH_ANON_WITH_AES_128_GCM_SHA256");
488 case TLS_DH_ANON_WITH_AES_256_GCM_SHA384: return("TLS_DH_ANON_WITH_AES_256_GCM_SHA384");
489 case TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA: return("TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA");
490 case TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA: return("TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA");
491 case TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256");
492 case TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256: return("TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256");
493 case TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256");
494 case TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384");
495 case TLS_DH_ANON_WITH_SEED_CBC_SHA: return("TLS_DH_ANON_WITH_SEED_CBC_SHA");
496 case TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256: return("TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256");
497 case TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384: return("TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384");
498 case TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256: return("TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256");
499 case TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384: return("TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384");
500 case TLS_ECDH_RSA_WITH_NULL_SHA: return("TLS_ECDH_RSA_WITH_NULL_SHA");
501 case TLS_ECDH_RSA_WITH_RC4_128_SHA: return("TLS_ECDH_RSA_WITH_RC4_128_SHA");
502 case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: return("TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA");
503 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: return("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA");
504 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: return("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA");
505 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: return("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256");
506 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: return("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384");
507 case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: return("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256");
508 case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: return("TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384");
509 case TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256");
510 case TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384: return("TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384");
511 case TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256");
512 case TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384");
513 case TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256: return("TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256");
514 case TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384: return("TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384");
515 case TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256: return("TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256");
516 case TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384: return("TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384");
517 case TLS_ECDHE_RSA_WITH_NULL_SHA: return("TLS_ECDHE_RSA_WITH_NULL_SHA");
518 case TLS_ECDHE_RSA_WITH_RC4_128_SHA: return("TLS_ECDHE_RSA_WITH_RC4_128_SHA");
519 case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: return("TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA");
520 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: return("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA");
521 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: return("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA");
522 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: return("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256");
523 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: return("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384");
524 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: return("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
525 case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: return("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
526 case TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256");
527 case TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384: return("TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384");
528 case TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256");
529 case TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384");
530 case TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256: return("TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256");
531 case TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384: return("TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384");
532 case TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256: return("TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256");
533 case TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384: return("TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384");
534 case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: return("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256");
535 case TLS_ECDH_ECDSA_WITH_NULL_SHA: return("TLS_ECDH_ECDSA_WITH_NULL_SHA");
536 case TLS_ECDH_ECDSA_WITH_RC4_128_SHA: return("TLS_ECDH_ECDSA_WITH_RC4_128_SHA");
537 case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: return("TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA");
538 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: return("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA");
539 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: return("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA");
540 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: return("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256");
541 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: return("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384");
542 case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: return("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256");
543 case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: return("TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384");
544 case TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256");
545 case TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: return("TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384");
546 case TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256");
547 case TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384");
548 case TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256: return("TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256");
549 case TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384: return("TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384");
550 case TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256: return("TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256");
551 case TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384: return("TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384");
552 case TLS_ECDHE_ECDSA_WITH_NULL_SHA: return("TLS_ECDHE_ECDSA_WITH_NULL_SHA");
553 case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: return("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA");
554 case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: return("TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA");
555 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: return("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA");
556 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: return("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA");
557 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: return("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256");
558 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: return("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384");
559 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: return("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
560 case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: return("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384");
561 case TLS_ECDHE_ECDSA_WITH_AES_128_CCM: return("TLS_ECDHE_ECDSA_WITH_AES_128_CCM");
562 case TLS_ECDHE_ECDSA_WITH_AES_256_CCM: return("TLS_ECDHE_ECDSA_WITH_AES_256_CCM");
563 case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: return("TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8");
564 case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8: return("TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8");
565 case TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256");
566 case TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: return("TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384");
567 case TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256");
568 case TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384");
569 case TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256: return("TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256");
570 case TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384: return("TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384");
571 case TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256: return("TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256");
572 case TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384: return("TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384");
573 case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: return("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256");
574 case TLS_ECDH_ANON_WITH_NULL_SHA: return("TLS_ECDH_ANON_WITH_NULL_SHA");
575 case TLS_ECDH_ANON_WITH_RC4_128_SHA: return("TLS_ECDH_ANON_WITH_RC4_128_SHA");
576 case TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA: return("TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA");
577 case TLS_ECDH_ANON_WITH_AES_128_CBC_SHA: return("TLS_ECDH_ANON_WITH_AES_128_CBC_SHA");
578 case TLS_ECDH_ANON_WITH_AES_256_CBC_SHA: return("TLS_ECDH_ANON_WITH_AES_256_CBC_SHA");
579 case TLS_PSK_WITH_NULL_SHA: return("TLS_PSK_WITH_NULL_SHA");
580 case TLS_PSK_WITH_NULL_SHA256: return("TLS_PSK_WITH_NULL_SHA256");
581 case TLS_PSK_WITH_NULL_SHA384: return("TLS_PSK_WITH_NULL_SHA384");
582 case TLS_PSK_WITH_RC4_128_SHA: return("TLS_PSK_WITH_RC4_128_SHA");
583 case TLS_PSK_WITH_3DES_EDE_CBC_SHA: return("TLS_PSK_WITH_3DES_EDE_CBC_SHA");
584 case TLS_PSK_WITH_AES_128_CBC_SHA: return("TLS_PSK_WITH_AES_128_CBC_SHA");
585 case TLS_PSK_WITH_AES_256_CBC_SHA: return("TLS_PSK_WITH_AES_256_CBC_SHA");
586 case TLS_PSK_WITH_AES_128_CBC_SHA256: return("TLS_PSK_WITH_AES_128_CBC_SHA256");
587 case TLS_PSK_WITH_AES_256_CBC_SHA384: return("TLS_PSK_WITH_AES_256_CBC_SHA384");
588 case TLS_PSK_WITH_AES_128_GCM_SHA256: return("TLS_PSK_WITH_AES_128_GCM_SHA256");
589 case TLS_PSK_WITH_AES_256_GCM_SHA384: return("TLS_PSK_WITH_AES_256_GCM_SHA384");
590 case TLS_PSK_WITH_AES_128_CCM: return("TLS_PSK_WITH_AES_128_CCM");
591 case TLS_PSK_WITH_AES_256_CCM: return("TLS_PSK_WITH_AES_256_CCM");
592 case TLS_PSK_WITH_AES_128_CCM_8: return("TLS_PSK_WITH_AES_128_CCM_8");
593 case TLS_PSK_WITH_AES_256_CCM_8: return("TLS_PSK_WITH_AES_256_CCM_8");
594 case TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256");
595 case TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384: return("TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384");
596 case TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256");
597 case TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384");
598 case TLS_PSK_WITH_ARIA_128_CBC_SHA256: return("TLS_PSK_WITH_ARIA_128_CBC_SHA256");
599 case TLS_PSK_WITH_ARIA_256_CBC_SHA384: return("TLS_PSK_WITH_ARIA_256_CBC_SHA384");
600 case TLS_PSK_WITH_ARIA_128_GCM_SHA256: return("TLS_PSK_WITH_ARIA_128_GCM_SHA256");
601 case TLS_PSK_WITH_ARIA_256_GCM_SHA384: return("TLS_PSK_WITH_ARIA_256_GCM_SHA384");
602 case TLS_PSK_WITH_CHACHA20_POLY1305_SHA256: return("TLS_PSK_WITH_CHACHA20_POLY1305_SHA256");
603 case TLS_RSA_PSK_WITH_NULL_SHA: return("TLS_RSA_PSK_WITH_NULL_SHA");
604 case TLS_RSA_PSK_WITH_NULL_SHA256: return("TLS_RSA_PSK_WITH_NULL_SHA256");
605 case TLS_RSA_PSK_WITH_NULL_SHA384: return("TLS_RSA_PSK_WITH_NULL_SHA384");
606 case TLS_RSA_PSK_WITH_RC4_128_SHA: return("TLS_RSA_PSK_WITH_RC4_128_SHA");
607 case TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA: return("TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA");
608 case TLS_RSA_PSK_WITH_AES_128_CBC_SHA: return("TLS_RSA_PSK_WITH_AES_128_CBC_SHA");
609 case TLS_RSA_PSK_WITH_AES_256_CBC_SHA: return("TLS_RSA_PSK_WITH_AES_256_CBC_SHA");
610 case TLS_RSA_PSK_WITH_AES_128_CBC_SHA256: return("TLS_RSA_PSK_WITH_AES_128_CBC_SHA256");
611 case TLS_RSA_PSK_WITH_AES_256_CBC_SHA384: return("TLS_RSA_PSK_WITH_AES_256_CBC_SHA384");
612 case TLS_RSA_PSK_WITH_AES_128_GCM_SHA256: return("TLS_RSA_PSK_WITH_AES_128_GCM_SHA256");
613 case TLS_RSA_PSK_WITH_AES_256_GCM_SHA384: return("TLS_RSA_PSK_WITH_AES_256_GCM_SHA384");
614 case TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256");
615 case TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384: return("TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384");
616 case TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256");
617 case TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384");
618 case TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256: return("TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256");
619 case TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384: return("TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384");
620 case TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256: return("TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256");
621 case TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384: return("TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384");
622 case TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256: return("TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256");
623 case TLS_DHE_PSK_WITH_NULL_SHA: return("TLS_DHE_PSK_WITH_NULL_SHA");
624 case TLS_DHE_PSK_WITH_NULL_SHA256: return("TLS_DHE_PSK_WITH_NULL_SHA256");
625 case TLS_DHE_PSK_WITH_NULL_SHA384: return("TLS_DHE_PSK_WITH_NULL_SHA384");
626 case TLS_DHE_PSK_WITH_RC4_128_SHA: return("TLS_DHE_PSK_WITH_RC4_128_SHA");
627 case TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA: return("TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA");
628 case TLS_DHE_PSK_WITH_AES_128_CBC_SHA: return("TLS_DHE_PSK_WITH_AES_128_CBC_SHA");
629 case TLS_DHE_PSK_WITH_AES_256_CBC_SHA: return("TLS_DHE_PSK_WITH_AES_256_CBC_SHA");
630 case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256: return("TLS_DHE_PSK_WITH_AES_128_CBC_SHA256");
631 case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384: return("TLS_DHE_PSK_WITH_AES_256_CBC_SHA384");
632 case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256: return("TLS_DHE_PSK_WITH_AES_128_GCM_SHA256");
633 case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384: return("TLS_DHE_PSK_WITH_AES_256_GCM_SHA384");
634 case TLS_DHE_PSK_WITH_AES_128_CCM: return("TLS_DHE_PSK_WITH_AES_128_CCM");
635 case TLS_DHE_PSK_WITH_AES_256_CCM: return("TLS_DHE_PSK_WITH_AES_256_CCM");
636 case TLS_DHE_PSK_WITH_AES_128_CCM_8: return("TLS_DHE_PSK_WITH_AES_128_CCM_8");
637 case TLS_DHE_PSK_WITH_AES_256_CCM_8: return("TLS_DHE_PSK_WITH_AES_256_CCM_8");
638 case TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256");
639 case TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: return("TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384");
640 case TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256");
641 case TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384");
642 case TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256: return("TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256");
643 case TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384: return("TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384");
644 case TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256: return("TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256");
645 case TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384: return("TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384");
646 case TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256: return("TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256");
647 case TLS_ECDHE_PSK_WITH_NULL_SHA: return("TLS_ECDHE_PSK_WITH_NULL_SHA");
648 case TLS_ECDHE_PSK_WITH_NULL_SHA256: return("TLS_ECDHE_PSK_WITH_NULL_SHA256");
649 case TLS_ECDHE_PSK_WITH_NULL_SHA384: return("TLS_ECDHE_PSK_WITH_NULL_SHA384");
650 case TLS_ECDHE_PSK_WITH_RC4_128_SHA: return("TLS_ECDHE_PSK_WITH_RC4_128_SHA");
651 case TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA: return("TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA");
652 case TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA: return("TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA");
653 case TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA: return("TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA");
654 case TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256: return("TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256");
655 case TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384: return("TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384");
656 case TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256: return("TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256");
657 case TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384: return("TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384");
658 case TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256: return("TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256");
659 case TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256: return("TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256");
660 case TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256");
661 case TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: return("TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384");
662 case TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256: return("TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256");
663 case TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384: return("TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384");
664 case TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256: return("TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256");
665 case TLS_KRB5_EXPORT_WITH_RC4_40_MD5: return("TLS_KRB5_EXPORT_WITH_RC4_40_MD5");
666 case TLS_KRB5_EXPORT_WITH_RC4_40_SHA: return("TLS_KRB5_EXPORT_WITH_RC4_40_SHA");
667 case TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5: return("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5");
668 case TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA: return("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA");
669 case TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5: return("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5");
670 case TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA: return("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA");
671 case TLS_KRB5_WITH_RC4_128_MD5: return("TLS_KRB5_WITH_RC4_128_MD5");
672 case TLS_KRB5_WITH_RC4_128_SHA: return("TLS_KRB5_WITH_RC4_128_SHA");
673 case TLS_KRB5_WITH_IDEA_CBC_MD5: return("TLS_KRB5_WITH_IDEA_CBC_MD5");
674 case TLS_KRB5_WITH_IDEA_CBC_SHA: return("TLS_KRB5_WITH_IDEA_CBC_SHA");
675 case TLS_KRB5_WITH_DES_CBC_MD5: return("TLS_KRB5_WITH_DES_CBC_MD5");
676 case TLS_KRB5_WITH_DES_CBC_SHA: return("TLS_KRB5_WITH_DES_CBC_SHA");
677 case TLS_KRB5_WITH_3DES_EDE_CBC_MD5: return("TLS_KRB5_WITH_3DES_EDE_CBC_MD5");
678 case TLS_KRB5_WITH_3DES_EDE_CBC_SHA: return("TLS_KRB5_WITH_3DES_EDE_CBC_SHA");
679 case TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA: return("TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA");
680 case TLS_SRP_SHA_WITH_AES_128_CBC_SHA: return("TLS_SRP_SHA_WITH_AES_128_CBC_SHA");
681 case TLS_SRP_SHA_WITH_AES_256_CBC_SHA: return("TLS_SRP_SHA_WITH_AES_256_CBC_SHA");
682 case TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA: return("TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA");
683 case TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA: return("TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA");
684 case TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA: return("TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA");
685 case TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA: return("TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA");
686 case TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA: return("TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA");
687 case TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA: return("TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA");
688 case TLS_ECCPWD_WITH_AES_128_GCM_SHA256: return("TLS_ECCPWD_WITH_AES_128_GCM_SHA256");
689 case TLS_ECCPWD_WITH_AES_256_GCM_SHA384: return("TLS_ECCPWD_WITH_AES_256_GCM_SHA384");
690 case TLS_ECCPWD_WITH_AES_128_CCM_SHA256: return("TLS_ECCPWD_WITH_AES_128_CCM_SHA256");
691 case TLS_ECCPWD_WITH_AES_256_CCM_SHA384: return("TLS_ECCPWD_WITH_AES_256_CCM_SHA384");
692 case TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC: return("TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC");
693 case TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC: return("TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC");
694 case TLS_GOSTR341112_256_WITH_28147_CNT_IMIT: return("TLS_GOSTR341112_256_WITH_28147_CNT_IMIT");
695 case TLS_AES_128_GCM_SHA256: return("TLS_AES_128_GCM_SHA256");
696 case TLS_AES_256_GCM_SHA384: return("TLS_AES_256_GCM_SHA384");
697 case TLS_AES_128_CCM_SHA256: return("TLS_AES_128_CCM_SHA256");
698 case TLS_AES_128_CCM_8_SHA256: return("TLS_AES_128_CCM_8_SHA256");
699 case TLS_CHACHA20_POLY1305_SHA256: return("TLS_CHACHA20_POLY1305_SHA256");
700 case TLS_SM4_GCM_SM3: return("TLS_SM4_GCM_SM3");
701 case TLS_SM4_CCM_SM3: return("TLS_SM4_CCM_SM3");
702 case TLS_SHA256_SHA256: return("TLS_SHA256_SHA256");
703 case TLS_SHA384_SHA384: return("TLS_SHA384_SHA384");
704 case TLS_EMPTY_RENEGOTIATION_INFO_SCSV: return("TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
705 case TLS_FALLBACK_SCSV: return("TLS_FALLBACK_SCSV");
706 case TLS_CIPHER_GREASE_RESERVED_0: return("TLS_CIPHER_GREASE_RESERVED_0");
707 case TLS_CIPHER_GREASE_RESERVED_1: return("TLS_CIPHER_GREASE_RESERVED_1");
708 case TLS_CIPHER_GREASE_RESERVED_2: return("TLS_CIPHER_GREASE_RESERVED_2");
709 case TLS_CIPHER_GREASE_RESERVED_3: return("TLS_CIPHER_GREASE_RESERVED_3");
710 case TLS_CIPHER_GREASE_RESERVED_4: return("TLS_CIPHER_GREASE_RESERVED_4");
711 case TLS_CIPHER_GREASE_RESERVED_5: return("TLS_CIPHER_GREASE_RESERVED_5");
712 case TLS_CIPHER_GREASE_RESERVED_6: return("TLS_CIPHER_GREASE_RESERVED_6");
713 case TLS_CIPHER_GREASE_RESERVED_7: return("TLS_CIPHER_GREASE_RESERVED_7");
714 case TLS_CIPHER_GREASE_RESERVED_8: return("TLS_CIPHER_GREASE_RESERVED_8");
715 case TLS_CIPHER_GREASE_RESERVED_9: return("TLS_CIPHER_GREASE_RESERVED_9");
716 case TLS_CIPHER_GREASE_RESERVED_A: return("TLS_CIPHER_GREASE_RESERVED_A");
717 case TLS_CIPHER_GREASE_RESERVED_B: return("TLS_CIPHER_GREASE_RESERVED_B");
718 case TLS_CIPHER_GREASE_RESERVED_C: return("TLS_CIPHER_GREASE_RESERVED_C");
719 case TLS_CIPHER_GREASE_RESERVED_D: return("TLS_CIPHER_GREASE_RESERVED_D");
720 case TLS_CIPHER_GREASE_RESERVED_E: return("TLS_CIPHER_GREASE_RESERVED_E");
721 case TLS_CIPHER_GREASE_RESERVED_F: return("TLS_CIPHER_GREASE_RESERVED_F");
722
723 default:
724 {
725 static char buf[8];
726
727 snprintf(buf, sizeof(buf), "0X%04X", cipher);
728 return(buf);
729 }
730 }
731 }
732
733 /* ******************************************************************** */
734
ndpi_is_other_char(char c)735 static inline int ndpi_is_other_char(char c) {
736 return((c == '.')
737 || (c == ' ')
738 || (c == '@')
739 || (c == '/')
740 );
741 }
742
743 /* ******************************************************************** */
744
_ndpi_is_valid_char(char c)745 static int _ndpi_is_valid_char(char c) {
746 if(ispunct(c) && (!ndpi_is_other_char(c)))
747 return(0);
748 else
749 return(isdigit(c)
750 || isalpha(c)
751 || ndpi_is_other_char(c));
752 }
753 static char ndpi_is_valid_char_tbl[256],ndpi_is_valid_char_tbl_init=0;
754
_ndpi_is_valid_char_init(void)755 static void _ndpi_is_valid_char_init(void) {
756 int c;
757 for(c=0; c < 256; c++) ndpi_is_valid_char_tbl[c] = _ndpi_is_valid_char(c);
758 ndpi_is_valid_char_tbl_init = 1;
759 }
ndpi_is_valid_char(char c)760 static inline int ndpi_is_valid_char(char c) {
761 if(!ndpi_is_valid_char_tbl_init)
762 _ndpi_is_valid_char_init();
763 return ndpi_is_valid_char_tbl[(unsigned char)c];
764 }
765
766 /* ******************************************************************** */
767
ndpi_find_non_eng_bigrams(struct ndpi_detection_module_struct * ndpi_struct,char * str)768 static int ndpi_find_non_eng_bigrams(struct ndpi_detection_module_struct *ndpi_struct,
769 char *str) {
770 char s[3];
771
772 if((isdigit(str[0]) && isdigit(str[1]))
773 || ndpi_is_other_char(str[0])
774 || ndpi_is_other_char(str[1])
775 )
776 return(1);
777
778 s[0] = tolower(str[0]), s[1] = tolower(str[1]), s[2] = '\0';
779
780 return(ndpi_match_bigram(s));
781 }
782
783 /* ******************************************************************** */
784
785 /* #define PRINT_STRINGS 1 */
786
ndpi_has_human_readeable_string(struct ndpi_detection_module_struct * ndpi_struct,char * buffer,u_int buffer_size,u_int8_t min_string_match_len,char * outbuf,u_int outbuf_len)787 int ndpi_has_human_readeable_string(struct ndpi_detection_module_struct *ndpi_struct,
788 char *buffer, u_int buffer_size,
789 u_int8_t min_string_match_len,
790 char *outbuf, u_int outbuf_len) {
791 u_int ret = 0, i = 0, do_cr = 0, len = 0, o_idx = 0, being_o_idx = 0;
792
793 if(buffer_size <= 0)
794 return(0);
795
796 outbuf_len--;
797 outbuf[outbuf_len] = '\0';
798
799 for(i=0; i<buffer_size-2; i++) {
800 if(ndpi_is_valid_char(buffer[i])
801 && ndpi_is_valid_char(buffer[i+1])
802 && ndpi_find_non_eng_bigrams(ndpi_struct, &buffer[i])) {
803 #ifdef PRINT_STRINGS
804 printf("%c%c", buffer[i], buffer[i+1]);
805 #endif
806 if(o_idx < outbuf_len) outbuf[o_idx++] = buffer[i];
807 if(o_idx < outbuf_len) outbuf[o_idx++] = buffer[i+1];
808 do_cr = 1, i += 1, len += 2;
809 } else {
810 if(ndpi_is_valid_char(buffer[i]) && do_cr) {
811 #ifdef PRINT_STRINGS
812 printf("%c", buffer[i]);
813 #endif
814 if(o_idx < outbuf_len) outbuf[o_idx++] = buffer[i];
815 len += 1;
816 }
817
818 // printf("->> %c%c\n", isprint(buffer[i]) ? buffer[i] : '.', isprint(buffer[i+1]) ? buffer[i+1] : '.');
819 if(do_cr) {
820 if(len > min_string_match_len)
821 ret = 1;
822 else {
823 o_idx = being_o_idx;
824 being_o_idx = o_idx;
825 outbuf[o_idx] = '\0';
826 }
827
828 #ifdef PRINT_STRINGS
829 printf(" [len: %u]%s\n", len, ret ? "<-- HIT" : "");
830 #endif
831
832 if(ret)
833 break;
834
835 do_cr = 0, len = 0;
836 }
837 }
838 }
839
840 #ifdef PRINT_STRINGS
841 printf("=======>> Found string: %u\n", ret);
842 #endif
843
844 return(ret);
845 }
846
847 /* ********************************** */
848
ndpi_get_flow_info_by_proto_id(struct ndpi_flow_struct const * const flow,u_int16_t proto_id)849 static const char* ndpi_get_flow_info_by_proto_id(struct ndpi_flow_struct const * const flow,
850 u_int16_t proto_id)
851 {
852 switch (proto_id)
853 {
854 case NDPI_PROTOCOL_DNS:
855 case NDPI_PROTOCOL_HTTP:
856 return (char const *)flow->host_server_name;
857 case NDPI_PROTOCOL_QUIC:
858 case NDPI_PROTOCOL_TLS:
859 if (flow->l4.tcp.tls.hello_processed != 0)
860 {
861 return flow->protos.tls_quic_stun.tls_quic.client_requested_server_name;
862 }
863 break;
864 }
865
866 return NULL;
867 }
868
ndpi_get_flow_info(struct ndpi_flow_struct const * const flow,ndpi_protocol const * const l7_protocol)869 const char* ndpi_get_flow_info(struct ndpi_flow_struct const * const flow,
870 ndpi_protocol const * const l7_protocol)
871 {
872 char const * const app_protocol_info = ndpi_get_flow_info_by_proto_id(flow, l7_protocol->app_protocol);
873
874 if (app_protocol_info != NULL)
875 {
876 return app_protocol_info;
877 }
878
879 return ndpi_get_flow_info_by_proto_id(flow, l7_protocol->master_protocol);
880 }
881
882 /* ********************************** */
883
ndpi_ssl_version2str(struct ndpi_flow_struct * flow,u_int16_t version,u_int8_t * unknown_tls_version)884 char* ndpi_ssl_version2str(struct ndpi_flow_struct *flow,
885 u_int16_t version, u_int8_t *unknown_tls_version) {
886
887 if(unknown_tls_version)
888 *unknown_tls_version = 0;
889
890 switch(version) {
891 case 0x0300: return("SSLv3");
892 case 0x0301: return("TLSv1");
893 case 0x0302: return("TLSv1.1");
894 case 0x0303: return("TLSv1.2");
895 case 0x0304: return("TLSv1.3");
896 case 0XFB1A: return("TLSv1.3 (Fizz)"); /* https://engineering.fb.com/security/fizz/ */
897 case 0XFEFF: return("DTLSv1.0");
898 case 0XFEFD: return("DTLSv1.2");
899 case 0x0A0A:
900 case 0x1A1A:
901 case 0x2A2A:
902 case 0x3A3A:
903 case 0x4A4A:
904 case 0x5A5A:
905 case 0x6A6A:
906 case 0x7A7A:
907 case 0x8A8A:
908 case 0x9A9A:
909 case 0xAAAA:
910 case 0xBABA:
911 case 0xCACA:
912 case 0xDADA:
913 case 0xEAEA:
914 case 0xFAFA: return("GREASE");
915 }
916
917 if((version >= 0x7f00) && (version <= 0x7fff))
918 return("TLSv1.3 (draft)");
919
920 if(unknown_tls_version)
921 *unknown_tls_version = 1;
922
923 if(flow != NULL) {
924 snprintf(flow->protos.tls_quic_stun.tls_quic.ssl_version_str,
925 sizeof(flow->protos.tls_quic_stun.tls_quic.ssl_version_str), "TLS (%04X)", version);
926
927 return(flow->protos.tls_quic_stun.tls_quic.ssl_version_str);
928 } else
929 return("");
930 }
931
932 /* ***************************************************** */
933
ndpi_patchIPv6Address(char * str)934 void ndpi_patchIPv6Address(char *str) {
935 int i = 0, j = 0;
936
937 while(str[i] != '\0') {
938 if((str[i] == ':')
939 && (str[i+1] == '0')
940 && (str[i+2] == ':')) {
941 str[j++] = ':';
942 str[j++] = ':';
943 i += 3;
944 } else
945 str[j++] = str[i++];
946 }
947
948 if(str[j] != '\0') str[j] = '\0';
949 }
950
951 /* ********************************** */
952
ndpi_user_pwd_payload_copy(u_int8_t * dest,u_int dest_len,u_int offset,const u_int8_t * src,u_int src_len)953 void ndpi_user_pwd_payload_copy(u_int8_t *dest, u_int dest_len,
954 u_int offset,
955 const u_int8_t *src, u_int src_len) {
956 u_int i, j=0, k = dest_len-1;
957
958 for(i=offset; (i<src_len) && (j<=k); i++) {
959 if((j == k) || (src[i] < ' '))
960 break;
961
962 dest[j++] = src[i];
963 }
964
965 dest[j <=k ? j : k] = '\0';
966 }
967
968 /* ********************************** */
969 /* ********************************** */
970
971 /* http://web.mit.edu/freebsd/head/contrib/wpa/src/utils/base64.c */
972
973 static const unsigned char base64_table[65] =
974 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
975
976 /**
977 * base64_decode - Base64 decode
978 * @src: Data to be decoded
979 * @len: Length of the data to be decoded
980 * @out_len: Pointer to output length variable
981 * Returns: Allocated buffer of out_len bytes of decoded data,
982 * or %NULL on failure
983 *
984 * Caller is responsible for freeing the returned buffer.
985 */
ndpi_base64_decode(const u_char * src,size_t len,size_t * out_len)986 u_char* ndpi_base64_decode(const u_char *src, size_t len, size_t *out_len) {
987 u_char dtable[256], *out, *pos, block[4], tmp;
988 size_t i, count, olen;
989 int pad = 0;
990
991 memset(dtable, 0x80, 256);
992 for(i = 0; i < sizeof(base64_table) - 1; i++)
993 dtable[base64_table[i]] = (u_char) i;
994 dtable['='] = 0;
995
996 count = 0;
997 for(i = 0; i < len; i++) {
998 if(dtable[src[i]] != 0x80)
999 count++;
1000 }
1001
1002 if(count == 0 || count % 4)
1003 return NULL;
1004
1005 olen = count / 4 * 3;
1006 pos = out = ndpi_malloc(olen);
1007 if(out == NULL)
1008 return NULL;
1009
1010 count = 0;
1011 for(i = 0; i < len; i++) {
1012 tmp = dtable[src[i]];
1013 if(tmp == 0x80)
1014 continue;
1015
1016 if(src[i] == '=')
1017 pad++;
1018 block[count] = tmp;
1019 count++;
1020 if(count == 4) {
1021 *pos++ = (block[0] << 2) | (block[1] >> 4);
1022 *pos++ = (block[1] << 4) | (block[2] >> 2);
1023 *pos++ = (block[2] << 6) | block[3];
1024 count = 0;
1025 if(pad) {
1026 if(pad == 1)
1027 pos--;
1028 else if(pad == 2)
1029 pos -= 2;
1030 else {
1031 /* Invalid padding */
1032 ndpi_free(out);
1033 return NULL;
1034 }
1035 break;
1036 }
1037 }
1038 }
1039
1040 *out_len = pos - out;
1041
1042 return out;
1043 }
1044
1045 /* ********************************** */
1046
1047 /* NOTE: caller MUST free returned pointer */
ndpi_base64_encode(unsigned char const * bytes_to_encode,size_t in_len)1048 char* ndpi_base64_encode(unsigned char const* bytes_to_encode, size_t in_len) {
1049 size_t len = 0, ret_size;
1050 char *ret;
1051 int i = 0;
1052 unsigned char char_array_3[3];
1053 unsigned char char_array_4[4];
1054
1055 ret_size = ((in_len+2)/3)*4;
1056
1057 if((ret = (char*)ndpi_malloc(ret_size+1)) == NULL)
1058 return NULL;
1059
1060 while (in_len--) {
1061 char_array_3[i++] = *(bytes_to_encode++);
1062 if(i == 3) {
1063 char_array_4[0] = (char_array_3[0] & 0xfc) >> 2;
1064 char_array_4[1] = ((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4);
1065 char_array_4[2] = ((char_array_3[1] & 0x0f) << 2) + ((char_array_3[2] & 0xc0) >> 6);
1066 char_array_4[3] = char_array_3[2] & 0x3f;
1067
1068 for(i = 0; i < 4; i++)
1069 ret[len++] = base64_table[char_array_4[i]];
1070 i = 0;
1071 }
1072 }
1073
1074 if(i) {
1075 for(int j = i; j < 3; j++)
1076 char_array_3[j] = '\0';
1077
1078 char_array_4[0] = (char_array_3[0] & 0xfc) >> 2;
1079 char_array_4[1] = ((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4);
1080 char_array_4[2] = ((char_array_3[1] & 0x0f) << 2) + ((char_array_3[2] & 0xc0) >> 6);
1081 char_array_4[3] = char_array_3[2] & 0x3f;
1082
1083 for(int j = 0; (j < i + 1); j++)
1084 ret[len++] = base64_table[char_array_4[j]];
1085
1086 while((i++ < 3))
1087 ret[len++] = '=';
1088 }
1089
1090 ret[len++] = '\0';
1091
1092 return ret;
1093 }
1094
1095 /* ********************************** */
1096
ndpi_serialize_risk(ndpi_serializer * serializer,struct ndpi_flow_struct * flow)1097 void ndpi_serialize_risk(ndpi_serializer *serializer,
1098 struct ndpi_flow_struct *flow) {
1099 if(flow->risk != 0) {
1100 u_int32_t i;
1101
1102 ndpi_serialize_start_of_block(serializer, "flow_risk");
1103
1104 for(i = 0; i < NDPI_MAX_RISK; i++) {
1105 ndpi_risk_enum r = (ndpi_risk_enum)i;
1106
1107 if(NDPI_ISSET_BIT(flow->risk, r))
1108 ndpi_serialize_uint32_string(serializer, i, ndpi_risk2str(r));
1109 }
1110
1111 ndpi_serialize_end_of_block(serializer);
1112 }
1113 }
1114
1115 /* ********************************** */
1116 /* ********************************** */
1117
1118 /* NOTE: serializer must have been already initialized */
ndpi_dpi2json(struct ndpi_detection_module_struct * ndpi_struct,struct ndpi_flow_struct * flow,ndpi_protocol l7_protocol,ndpi_serializer * serializer)1119 int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct,
1120 struct ndpi_flow_struct *flow,
1121 ndpi_protocol l7_protocol,
1122 ndpi_serializer *serializer) {
1123 char buf[64];
1124
1125 if(flow == NULL) return(-1);
1126
1127 ndpi_serialize_start_of_block(serializer, "ndpi");
1128 ndpi_serialize_risk(serializer, flow);
1129 ndpi_serialize_string_string(serializer, "proto", ndpi_protocol2name(ndpi_struct, l7_protocol, buf, sizeof(buf)));
1130 ndpi_protocol_breed_t breed =
1131 ndpi_get_proto_breed(ndpi_struct,
1132 (l7_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN ? l7_protocol.app_protocol : l7_protocol.master_protocol));
1133 ndpi_serialize_string_string(serializer, "breed", ndpi_get_proto_breed_name(ndpi_struct, breed));
1134 if(l7_protocol.category != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED)
1135 ndpi_serialize_string_string(serializer, "category", ndpi_category_get_name(ndpi_struct, l7_protocol.category));
1136 ndpi_serialize_end_of_block(serializer);
1137
1138 switch(l7_protocol.master_protocol ? l7_protocol.master_protocol : l7_protocol.app_protocol) {
1139 case NDPI_PROTOCOL_DHCP:
1140 ndpi_serialize_start_of_block(serializer, "dhcp");
1141 ndpi_serialize_string_string(serializer, "fingerprint", flow->protos.dhcp.fingerprint);
1142 ndpi_serialize_end_of_block(serializer);
1143 break;
1144
1145 case NDPI_PROTOCOL_BITTORRENT:
1146 {
1147 u_int i, j, n = 0;
1148 char bittorent_hash[sizeof(flow->protos.bittorrent.hash)*2+1];
1149
1150 for(i=0, j = 0; j < sizeof(bittorent_hash)-1; i++) {
1151 sprintf(&bittorent_hash[j], "%02x",
1152 flow->protos.bittorrent.hash[i]);
1153
1154 j += 2, n += flow->protos.bittorrent.hash[i];
1155 }
1156
1157 if(n == 0) bittorent_hash[0] = '\0';
1158
1159 ndpi_serialize_start_of_block(serializer, "bittorrent");
1160 ndpi_serialize_string_string(serializer, "hash", bittorent_hash);
1161 ndpi_serialize_end_of_block(serializer);
1162 }
1163 break;
1164
1165 case NDPI_PROTOCOL_DNS:
1166 ndpi_serialize_start_of_block(serializer, "dns");
1167 if(flow->host_server_name[0] != '\0')
1168 ndpi_serialize_string_string(serializer, "query", (const char*)flow->host_server_name);
1169 ndpi_serialize_string_uint32(serializer, "num_queries", flow->protos.dns.num_queries);
1170 ndpi_serialize_string_uint32(serializer, "num_answers", flow->protos.dns.num_answers);
1171 ndpi_serialize_string_uint32(serializer, "reply_code", flow->protos.dns.reply_code);
1172 ndpi_serialize_string_uint32(serializer, "query_type", flow->protos.dns.query_type);
1173 ndpi_serialize_string_uint32(serializer, "rsp_type", flow->protos.dns.rsp_type);
1174
1175 inet_ntop(AF_INET, &flow->protos.dns.rsp_addr, buf, sizeof(buf));
1176 ndpi_serialize_string_string(serializer, "rsp_addr", buf);
1177 ndpi_serialize_end_of_block(serializer);
1178 break;
1179
1180 case NDPI_PROTOCOL_MDNS:
1181 ndpi_serialize_start_of_block(serializer, "mdns");
1182 ndpi_serialize_string_string(serializer, "answer", (const char*)flow->host_server_name);
1183 ndpi_serialize_end_of_block(serializer);
1184 break;
1185
1186 case NDPI_PROTOCOL_UBNTAC2:
1187 ndpi_serialize_start_of_block(serializer, "ubntac2");
1188 ndpi_serialize_string_string(serializer, "version", flow->protos.ubntac2.version);
1189 ndpi_serialize_end_of_block(serializer);
1190 break;
1191
1192 case NDPI_PROTOCOL_KERBEROS:
1193 ndpi_serialize_start_of_block(serializer, "kerberos");
1194 ndpi_serialize_string_string(serializer, "hostname", flow->protos.kerberos.hostname);
1195 ndpi_serialize_string_string(serializer, "domain", flow->protos.kerberos.domain);
1196 ndpi_serialize_string_string(serializer, "username", flow->protos.kerberos.username);
1197 ndpi_serialize_end_of_block(serializer);
1198 break;
1199
1200 case NDPI_PROTOCOL_TELNET:
1201 ndpi_serialize_start_of_block(serializer, "telnet");
1202 ndpi_serialize_string_string(serializer, "username", flow->protos.telnet.username);
1203 ndpi_serialize_string_string(serializer, "password", flow->protos.telnet.password);
1204 ndpi_serialize_end_of_block(serializer);
1205 break;
1206
1207 case NDPI_PROTOCOL_HTTP:
1208 ndpi_serialize_start_of_block(serializer, "http");
1209 if(flow->host_server_name[0] != '\0')
1210 ndpi_serialize_string_string(serializer, "hostname", (const char*)flow->host_server_name);
1211 if(flow->http.url != NULL){
1212 ndpi_serialize_string_string(serializer, "url", flow->http.url);
1213 ndpi_serialize_string_uint32(serializer, "code", flow->http.response_status_code);
1214 ndpi_serialize_string_string(serializer, "content_type", flow->http.content_type);
1215 ndpi_serialize_string_string(serializer, "user_agent", flow->http.user_agent);
1216 }
1217 ndpi_serialize_end_of_block(serializer);
1218 break;
1219
1220 case NDPI_PROTOCOL_QUIC:
1221 ndpi_serialize_start_of_block(serializer, "quic");
1222 if(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] != '\0')
1223 ndpi_serialize_string_string(serializer, "client_requested_server_name",
1224 flow->protos.tls_quic_stun.tls_quic.client_requested_server_name);
1225 if(flow->http.user_agent)
1226 ndpi_serialize_string_string(serializer, "user_agent", flow->http.user_agent);
1227 if(flow->protos.tls_quic_stun.tls_quic.ssl_version) {
1228 u_int8_t unknown_tls_version;
1229 char *version = ndpi_ssl_version2str(flow, flow->protos.tls_quic_stun.tls_quic.ssl_version, &unknown_tls_version);
1230
1231 if(!unknown_tls_version)
1232 ndpi_serialize_string_string(serializer, "version", version);
1233 if(flow->protos.tls_quic_stun.tls_quic.alpn)
1234 ndpi_serialize_string_string(serializer, "alpn", flow->protos.tls_quic_stun.tls_quic.alpn);
1235 ndpi_serialize_string_string(serializer, "ja3", flow->protos.tls_quic_stun.tls_quic.ja3_client);
1236 if(flow->protos.tls_quic_stun.tls_quic.tls_supported_versions)
1237 ndpi_serialize_string_string(serializer, "tls_supported_versions", flow->protos.tls_quic_stun.tls_quic.tls_supported_versions);
1238 }
1239 ndpi_serialize_end_of_block(serializer);
1240 break;
1241
1242 case NDPI_PROTOCOL_MAIL_IMAP:
1243 ndpi_serialize_start_of_block(serializer, "imap");
1244 ndpi_serialize_string_string(serializer, "user", flow->protos.ftp_imap_pop_smtp.username);
1245 ndpi_serialize_string_string(serializer, "password", flow->protos.ftp_imap_pop_smtp.password);
1246 ndpi_serialize_end_of_block(serializer);
1247 break;
1248
1249 case NDPI_PROTOCOL_MAIL_POP:
1250 ndpi_serialize_start_of_block(serializer, "pop");
1251 ndpi_serialize_string_string(serializer, "user", flow->protos.ftp_imap_pop_smtp.username);
1252 ndpi_serialize_string_string(serializer, "password", flow->protos.ftp_imap_pop_smtp.password);
1253 ndpi_serialize_end_of_block(serializer);
1254 break;
1255
1256 case NDPI_PROTOCOL_MAIL_SMTP:
1257 ndpi_serialize_start_of_block(serializer, "smtp");
1258 ndpi_serialize_string_string(serializer, "user", flow->protos.ftp_imap_pop_smtp.username);
1259 ndpi_serialize_string_string(serializer, "password", flow->protos.ftp_imap_pop_smtp.password);
1260 ndpi_serialize_end_of_block(serializer);
1261 break;
1262
1263 case NDPI_PROTOCOL_FTP_CONTROL:
1264 ndpi_serialize_start_of_block(serializer, "ftp");
1265 ndpi_serialize_string_string(serializer, "user", flow->protos.ftp_imap_pop_smtp.username);
1266 ndpi_serialize_string_string(serializer, "password", flow->protos.ftp_imap_pop_smtp.password);
1267 ndpi_serialize_string_uint32(serializer, "auth_failed", flow->protos.ftp_imap_pop_smtp.auth_failed);
1268 ndpi_serialize_end_of_block(serializer);
1269 break;
1270
1271 case NDPI_PROTOCOL_SSH:
1272 ndpi_serialize_start_of_block(serializer, "ssh");
1273 ndpi_serialize_string_string(serializer, "client_signature", flow->protos.ssh.client_signature);
1274 ndpi_serialize_string_string(serializer, "server_signature", flow->protos.ssh.server_signature);
1275 ndpi_serialize_string_string(serializer, "hassh_client", flow->protos.ssh.hassh_client);
1276 ndpi_serialize_string_string(serializer, "hassh_server", flow->protos.ssh.hassh_server);
1277 ndpi_serialize_end_of_block(serializer);
1278 break;
1279
1280 case NDPI_PROTOCOL_TLS:
1281 case NDPI_PROTOCOL_DTLS:
1282 if(flow->protos.tls_quic_stun.tls_quic.ssl_version) {
1283 char notBefore[32], notAfter[32];
1284 struct tm a, b, *before = NULL, *after = NULL;
1285 u_int i, off;
1286 u_int8_t unknown_tls_version;
1287 char *version = ndpi_ssl_version2str(flow, flow->protos.tls_quic_stun.tls_quic.ssl_version, &unknown_tls_version);
1288
1289 if(flow->protos.tls_quic_stun.tls_quic.notBefore)
1290 before = gmtime_r((const time_t *)&flow->protos.tls_quic_stun.tls_quic.notBefore, &a);
1291 if(flow->protos.tls_quic_stun.tls_quic.notAfter)
1292 after = gmtime_r((const time_t *)&flow->protos.tls_quic_stun.tls_quic.notAfter, &b);
1293
1294 if(!unknown_tls_version) {
1295 ndpi_serialize_start_of_block(serializer, "tls");
1296 ndpi_serialize_string_string(serializer, "version", version);
1297 ndpi_serialize_string_string(serializer, "client_requested_server_name",
1298 flow->protos.tls_quic_stun.tls_quic.client_requested_server_name);
1299 if(flow->protos.tls_quic_stun.tls_quic.server_names)
1300 ndpi_serialize_string_string(serializer, "server_names", flow->protos.tls_quic_stun.tls_quic.server_names);
1301
1302 if(before) {
1303 strftime(notBefore, sizeof(notBefore), "%Y-%m-%d %H:%M:%S", before);
1304 ndpi_serialize_string_string(serializer, "notbefore", notBefore);
1305 }
1306
1307 if(after) {
1308 strftime(notAfter, sizeof(notAfter), "%Y-%m-%d %H:%M:%S", after);
1309 ndpi_serialize_string_string(serializer, "notafter", notAfter);
1310 }
1311 ndpi_serialize_string_string(serializer, "ja3", flow->protos.tls_quic_stun.tls_quic.ja3_client);
1312 ndpi_serialize_string_string(serializer, "ja3s", flow->protos.tls_quic_stun.tls_quic.ja3_server);
1313 ndpi_serialize_string_uint32(serializer, "unsafe_cipher", flow->protos.tls_quic_stun.tls_quic.server_unsafe_cipher);
1314 ndpi_serialize_string_string(serializer, "cipher", ndpi_cipher2str(flow->protos.tls_quic_stun.tls_quic.server_cipher));
1315
1316 if(flow->protos.tls_quic_stun.tls_quic.issuerDN)
1317 ndpi_serialize_string_string(serializer, "issuerDN", flow->protos.tls_quic_stun.tls_quic.issuerDN);
1318
1319 if(flow->protos.tls_quic_stun.tls_quic.subjectDN)
1320 ndpi_serialize_string_string(serializer, "issuerDN", flow->protos.tls_quic_stun.tls_quic.subjectDN);
1321
1322 if(flow->protos.tls_quic_stun.tls_quic.alpn)
1323 ndpi_serialize_string_string(serializer, "alpn", flow->protos.tls_quic_stun.tls_quic.alpn);
1324
1325 if(flow->protos.tls_quic_stun.tls_quic.tls_supported_versions)
1326 ndpi_serialize_string_string(serializer, "tls_supported_versions", flow->protos.tls_quic_stun.tls_quic.tls_supported_versions);
1327
1328 if(flow->protos.tls_quic_stun.tls_quic.sha1_certificate_fingerprint[0] != '\0') {
1329 for(i=0, off=0; i<20; i++) {
1330 int rc = snprintf(&buf[off], sizeof(buf)-off,"%s%02X", (i > 0) ? ":" : "",
1331 flow->protos.tls_quic_stun.tls_quic.sha1_certificate_fingerprint[i] & 0xFF);
1332
1333 if(rc <= 0) break; else off += rc;
1334 }
1335
1336 ndpi_serialize_string_string(serializer, "fingerprint", buf);
1337 }
1338
1339 ndpi_serialize_end_of_block(serializer);
1340 }
1341 }
1342 break;
1343 } /* switch */
1344
1345 return(0);
1346 }
1347
1348 /* ********************************** */
1349
1350 /* NOTE: serializer is initialized by the function */
ndpi_flow2json(struct ndpi_detection_module_struct * ndpi_struct,struct ndpi_flow_struct * flow,u_int8_t ip_version,u_int8_t l4_protocol,u_int16_t vlan_id,u_int32_t src_v4,u_int32_t dst_v4,struct ndpi_in6_addr * src_v6,struct ndpi_in6_addr * dst_v6,u_int16_t src_port,u_int16_t dst_port,ndpi_protocol l7_protocol,ndpi_serializer * serializer)1351 int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct,
1352 struct ndpi_flow_struct *flow,
1353 u_int8_t ip_version,
1354 u_int8_t l4_protocol, u_int16_t vlan_id,
1355 u_int32_t src_v4, u_int32_t dst_v4,
1356 struct ndpi_in6_addr *src_v6, struct ndpi_in6_addr *dst_v6,
1357 u_int16_t src_port, u_int16_t dst_port,
1358 ndpi_protocol l7_protocol,
1359 ndpi_serializer *serializer) {
1360 char src_name[32], dst_name[32];
1361
1362 if(ndpi_init_serializer(serializer, ndpi_serialization_format_json) == -1)
1363 return(-1);
1364
1365 if(ip_version == 4) {
1366 inet_ntop(AF_INET, &src_v4, src_name, sizeof(src_name));
1367 inet_ntop(AF_INET, &dst_v4, dst_name, sizeof(dst_name));
1368 } else {
1369 inet_ntop(AF_INET6, src_v6, src_name, sizeof(src_name));
1370 inet_ntop(AF_INET6, dst_v6, dst_name, sizeof(dst_name));
1371 /* For consistency across platforms replace :0: with :: */
1372 ndpi_patchIPv6Address(src_name), ndpi_patchIPv6Address(dst_name);
1373 }
1374
1375 ndpi_serialize_string_string(serializer, "src_ip", src_name);
1376 ndpi_serialize_string_string(serializer, "dest_ip", dst_name);
1377 if(src_port) ndpi_serialize_string_uint32(serializer, "src_port", src_port);
1378 if(dst_port) ndpi_serialize_string_uint32(serializer, "dst_port", dst_port);
1379
1380 switch(l4_protocol) {
1381 case IPPROTO_TCP:
1382 ndpi_serialize_string_string(serializer, "proto", "TCP");
1383 break;
1384
1385 case IPPROTO_UDP:
1386 ndpi_serialize_string_string(serializer, "proto", "UDP");
1387 break;
1388
1389 case IPPROTO_ICMP:
1390 ndpi_serialize_string_string(serializer, "proto", "ICMP");
1391 break;
1392
1393 default:
1394 ndpi_serialize_string_uint32(serializer, "proto", l4_protocol);
1395 break;
1396 }
1397
1398 return(ndpi_dpi2json(ndpi_struct, flow, l7_protocol, serializer));
1399 }
1400
1401 /* ********************************** */
1402
ndpi_tunnel2str(ndpi_packet_tunnel tt)1403 const char* ndpi_tunnel2str(ndpi_packet_tunnel tt) {
1404 switch(tt) {
1405 case ndpi_no_tunnel:
1406 return("No-Tunnel");
1407 break;
1408
1409 case ndpi_gtp_tunnel:
1410 return("GTP");
1411 break;
1412
1413 case ndpi_capwap_tunnel:
1414 return("CAPWAP");
1415 break;
1416
1417 case ndpi_tzsp_tunnel:
1418 return("TZSP");
1419 break;
1420
1421 case ndpi_l2tp_tunnel:
1422 return("L2TP");
1423 break;
1424
1425 case ndpi_vxlan_tunnel:
1426 return("VXLAN");
1427 break;
1428 }
1429
1430 return("");
1431 }
1432
1433 /* ********************************** */
1434
1435 /*
1436 /dv/vulnerabilities/xss_r/?name=%3Cscript%3Econsole.log%28%27JUL2D3WXHEGWRAFJE2PI7OS71Z4Z8RFUHXGNFLUFYVP6M3OL55%27%29%3Bconsole.log%28document.cookie%29%3B%3C%2Fscript%3E
1437 /dv/vulnerabilities/sqli/?id=1%27+and+1%3D1+union+select+null%2C+table_name+from+information_schema.tables%23&Submit=Submit
1438 */
1439
1440 /* https://www.rosettacode.org/wiki/URL_decoding#C */
ishex(int x)1441 static int ishex(int x) {
1442 return(x >= '0' && x <= '9') || (x >= 'a' && x <= 'f') || (x >= 'A' && x <= 'F');
1443 }
1444
1445 /* ********************************** */
1446
ndpi_url_decode(const char * s,char * out)1447 static int ndpi_url_decode(const char *s, char *out) {
1448 char *o;
1449 const char *end = s + strlen(s);
1450 int c;
1451
1452 for(o = out; s <= end; o++) {
1453 c = *s++;
1454 if(c == '+') c = ' ';
1455 else if(c == '%' && (!ishex(*s++)||
1456 !ishex(*s++)||
1457 !sscanf(s - 2, "%2x", (unsigned int*)&c)))
1458 return(-1);
1459
1460 if(out) *o = c;
1461 }
1462
1463 return(o - out);
1464 }
1465
1466 /* ********************************** */
1467
ndpi_is_sql_injection(char * query)1468 static int ndpi_is_sql_injection(char* query) {
1469 struct libinjection_sqli_state state;
1470
1471 size_t qlen = strlen(query);
1472 libinjection_sqli_init(&state, query, qlen, FLAG_NONE);
1473
1474 return libinjection_is_sqli(&state);
1475 }
1476
1477 /* ********************************** */
1478
ndpi_is_xss_injection(char * query)1479 static int ndpi_is_xss_injection(char* query) {
1480 size_t qlen = strlen(query);
1481 return libinjection_xss(query, qlen);
1482 }
1483
1484 /* ********************************** */
1485
1486 #ifdef HAVE_PCRE
1487
ndpi_compile_rce_regex()1488 static void ndpi_compile_rce_regex() {
1489 const char *pcreErrorStr;
1490 int pcreErrorOffset;
1491
1492 for(int i = 0; i < N_RCE_REGEX; i++) {
1493 comp_rx[i] = (struct pcre_struct*)ndpi_malloc(sizeof(struct pcre_struct));
1494
1495 comp_rx[i]->compiled = pcre_compile(rce_regex[i], 0, &pcreErrorStr,
1496 &pcreErrorOffset, NULL);
1497
1498 if(comp_rx[i]->compiled == NULL) {
1499 #ifdef DEBUG
1500 NDPI_LOG_ERR(ndpi_str, "ERROR: Could not compile '%s': %s\n", rce_regex[i],
1501 pcreErrorStr);
1502 #endif
1503
1504 continue;
1505 }
1506
1507 comp_rx[i]->optimized = pcre_study(comp_rx[i]->compiled, 0, &pcreErrorStr);
1508
1509 #ifdef DEBUG
1510 if(pcreErrorStr != NULL) {
1511 NDPI_LOG_ERR(ndpi_str, "ERROR: Could not study '%s': %s\n", rce_regex[i],
1512 pcreErrorStr);
1513 }
1514 #endif
1515 }
1516
1517 free((void *)pcreErrorStr);
1518 }
1519
ndpi_is_rce_injection(char * query)1520 static int ndpi_is_rce_injection(char* query) {
1521 if(!initialized_comp_rx) {
1522 ndpi_compile_rce_regex();
1523 initialized_comp_rx = 1;
1524 }
1525
1526 int pcreExecRet;
1527 int subStrVec[30];
1528
1529 for(int i = 0; i < N_RCE_REGEX; i++) {
1530 unsigned int length = strlen(query);
1531
1532 pcreExecRet = pcre_exec(comp_rx[i]->compiled,
1533 comp_rx[i]->optimized,
1534 query, length, 0, 0, subStrVec, 30);
1535
1536 if(pcreExecRet >= 0) {
1537 return 1;
1538 }
1539 #ifdef DEBUG
1540 else {
1541 switch(pcreExecRet) {
1542 case PCRE_ERROR_NOMATCH:
1543 NDPI_LOG_ERR(ndpi_str, "ERROR: String did not match the pattern\n");
1544 break;
1545 case PCRE_ERROR_NULL:
1546 NDPI_LOG_ERR(ndpi_str, "ERROR: Something was null\n");
1547 break;
1548 case PCRE_ERROR_BADOPTION:
1549 NDPI_LOG_ERR(ndpi_str, "ERROR: A bad option was passed\n");
1550 break;
1551 case PCRE_ERROR_BADMAGIC:
1552 NDPI_LOG_ERR(ndpi_str, "ERROR: Magic number bad (compiled re corrupt?)\n");
1553 break;
1554 case PCRE_ERROR_UNKNOWN_NODE:
1555 NDPI_LOG_ERR(ndpi_str, "ERROR: Something kooky in the compiled re\n");
1556 break;
1557 case PCRE_ERROR_NOMEMORY:
1558 NDPI_LOG_ERR(ndpi_str, "ERROR: Ran out of memory\n");
1559 break;
1560 default:
1561 NDPI_LOG_ERR(ndpi_str, "ERROR: Unknown error\n");
1562 break;
1563 }
1564 }
1565 #endif
1566 }
1567
1568 size_t ushlen = sizeof(ush_commands) / sizeof(ush_commands[0]);
1569
1570 for(int i = 0; i < ushlen; i++) {
1571 if(strstr(query, ush_commands[i]) != NULL) {
1572 return 1;
1573 }
1574 }
1575
1576 size_t pwshlen = sizeof(pwsh_commands) / sizeof(pwsh_commands[0]);
1577
1578 for(int i = 0; i < pwshlen; i++) {
1579 if(strstr(query, pwsh_commands[i]) != NULL) {
1580 return 1;
1581 }
1582 }
1583
1584 return 0;
1585 }
1586
1587 #endif
1588
1589 /* ********************************** */
1590
ndpi_validate_url(char * url)1591 ndpi_risk_enum ndpi_validate_url(char *url) {
1592 char *orig_str = NULL, *str = NULL, *question_mark = strchr(url, '?');
1593 ndpi_risk_enum rc = NDPI_NO_RISK;
1594
1595 if(question_mark) {
1596 char *tmp;
1597
1598 orig_str = str = ndpi_strdup(&question_mark[1]); /* Skip ? */
1599
1600 if(!str) goto validate_rc;
1601
1602 str = strtok_r(str, "&", &tmp);
1603
1604 while(str != NULL) {
1605 char *value = strchr(str, '=');
1606 char *decoded;
1607
1608 if(!value)
1609 break;
1610 else
1611 value = &value[1];
1612
1613 if(value[0] != '\0') {
1614 if(!(decoded = (char*)ndpi_malloc(strlen(value)+1)))
1615 break;
1616
1617 if(ndpi_url_decode(value, decoded) < 0) {
1618 /* Invalid string */
1619 } else if(decoded[0] != '\0') {
1620 /* Valid string */
1621
1622 if(ndpi_is_xss_injection(decoded))
1623 rc = NDPI_URL_POSSIBLE_XSS;
1624 else if(ndpi_is_sql_injection(decoded))
1625 rc = NDPI_URL_POSSIBLE_SQL_INJECTION;
1626 #ifdef HAVE_PCRE
1627 else if(ndpi_is_rce_injection(decoded))
1628 rc = NDPI_URL_POSSIBLE_RCE_INJECTION;
1629 #endif
1630
1631 #ifdef URL_CHECK_DEBUG
1632 printf("=>> [rc: %u] %s\n", rc, decoded);
1633 #endif
1634 }
1635
1636 ndpi_free(decoded);
1637
1638 if(rc != NDPI_NO_RISK)
1639 break;
1640 }
1641
1642 str = strtok_r(NULL, "&", &tmp);
1643 }
1644 }
1645
1646 validate_rc:
1647 if(orig_str) ndpi_free(orig_str);
1648
1649 if(rc == NDPI_NO_RISK) {
1650 /* Let's do an extra check */
1651 if(strstr(url, "..")) {
1652 /* 127.0.0.1/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe */
1653 rc = NDPI_HTTP_SUSPICIOUS_URL;
1654 }
1655 }
1656
1657 return(rc);
1658 }
1659
1660 /* ******************************************************************** */
1661
ndpi_is_protocol_detected(struct ndpi_detection_module_struct * ndpi_str,ndpi_protocol proto)1662 u_int8_t ndpi_is_protocol_detected(struct ndpi_detection_module_struct *ndpi_str,
1663 ndpi_protocol proto) {
1664 if((proto.master_protocol != NDPI_PROTOCOL_UNKNOWN)
1665 || (proto.app_protocol != NDPI_PROTOCOL_UNKNOWN)
1666 || (proto.category != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED))
1667 return(1);
1668 else
1669 return(0);
1670 }
1671
1672 /* ******************************************************************** */
1673
ndpi_risk2str(ndpi_risk_enum risk)1674 const char* ndpi_risk2str(ndpi_risk_enum risk) {
1675 static char buf[16];
1676
1677 switch(risk) {
1678 case NDPI_URL_POSSIBLE_XSS:
1679 return("XSS attack");
1680
1681 case NDPI_URL_POSSIBLE_SQL_INJECTION:
1682 return("SQL injection");
1683
1684 case NDPI_URL_POSSIBLE_RCE_INJECTION:
1685 return("RCE injection");
1686
1687 case NDPI_BINARY_APPLICATION_TRANSFER:
1688 return("Binary application transfer");
1689
1690 case NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT:
1691 return("Known protocol on non standard port");
1692
1693 case NDPI_TLS_SELFSIGNED_CERTIFICATE:
1694 return("Self-signed Certificate");
1695
1696 case NDPI_TLS_OBSOLETE_VERSION:
1697 return("Obsolete TLS version (< 1.1)");
1698
1699 case NDPI_TLS_WEAK_CIPHER:
1700 return("Weak TLS cipher");
1701
1702 case NDPI_TLS_CERTIFICATE_EXPIRED:
1703 return("TLS Expired Certificate");
1704
1705 case NDPI_TLS_CERTIFICATE_MISMATCH:
1706 return("TLS Certificate Mismatch");
1707
1708 case NDPI_HTTP_SUSPICIOUS_USER_AGENT:
1709 return("HTTP Suspicious User-Agent");
1710
1711 case NDPI_HTTP_NUMERIC_IP_HOST:
1712 return("HTTP Numeric IP Address");
1713
1714 case NDPI_HTTP_SUSPICIOUS_URL:
1715 return("HTTP Suspicious URL");
1716
1717 case NDPI_HTTP_SUSPICIOUS_HEADER:
1718 return("HTTP Suspicious Header");
1719
1720 case NDPI_TLS_NOT_CARRYING_HTTPS:
1721 return("TLS (probably) not carrying HTTPS");
1722
1723 case NDPI_SUSPICIOUS_DGA_DOMAIN:
1724 return("Suspicious DGA domain name");
1725
1726 case NDPI_MALFORMED_PACKET:
1727 return("Malformed packet");
1728
1729 case NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER:
1730 return("SSH Obsolete Client Version/Cipher");
1731
1732 case NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER:
1733 return("SSH Obsolete Server Version/Cipher");
1734
1735 case NDPI_SMB_INSECURE_VERSION:
1736 return("SMB Insecure Version");
1737
1738 case NDPI_TLS_SUSPICIOUS_ESNI_USAGE:
1739 return("TLS Suspicious ESNI Usage");
1740
1741 case NDPI_UNSAFE_PROTOCOL:
1742 return("Unsafe Protocol");
1743
1744 case NDPI_DNS_SUSPICIOUS_TRAFFIC:
1745 return("Suspicious DNS traffic"); /* Exfiltration ? */
1746
1747 case NDPI_TLS_MISSING_SNI:
1748 return("SNI TLS extension was missing");
1749
1750 case NDPI_HTTP_SUSPICIOUS_CONTENT:
1751 return("HTTP suspicious content");
1752
1753 case NDPI_RISKY_ASN:
1754 return("Risky ASN");
1755
1756 case NDPI_RISKY_DOMAIN:
1757 return("Risky domain name");
1758
1759 case NDPI_MALICIOUS_JA3:
1760 return("Possibly Malicious JA3 Fingerprint");
1761
1762 case NDPI_MALICIOUS_SHA1_CERTIFICATE:
1763 return("Possibly Malicious SSL Cert. SHA1 Fingerprint");
1764
1765 case NDPI_DESKTOP_OR_FILE_SHARING_SESSION:
1766 return("Desktop/File Sharing Session");
1767
1768 case NDPI_TLS_UNCOMMON_ALPN:
1769 return("Uncommon TLS ALPN");
1770
1771 case NDPI_TLS_CERT_VALIDITY_TOO_LONG:
1772 return("TLS certificate validity longer than 13 months");
1773
1774 case NDPI_TLS_EXTENSION_SUSPICIOUS:
1775 return("TLS extension suspicious");
1776
1777 default:
1778 snprintf(buf, sizeof(buf), "%d", (int)risk);
1779 return(buf);
1780 }
1781 }
1782
1783 /* ******************************************************************** */
1784
ndpi_severity2str(ndpi_risk_severity s)1785 const char* ndpi_severity2str(ndpi_risk_severity s) {
1786 switch(s) {
1787 case NDPI_RISK_LOW:
1788 return("Low");
1789 break;
1790
1791 case NDPI_RISK_MEDIUM:
1792 return("Medium");
1793 break;
1794
1795 case NDPI_RISK_HIGH:
1796 return("High");
1797 break;
1798
1799 case NDPI_RISK_SEVERE:
1800 return("Severe");
1801 break;
1802 }
1803
1804 return("");
1805 }
1806
1807 /* ******************************************************************** */
1808
ndpi_risk2score(ndpi_risk risk,u_int16_t * client_score,u_int16_t * server_score)1809 u_int16_t ndpi_risk2score(ndpi_risk risk,
1810 u_int16_t *client_score,
1811 u_int16_t *server_score) {
1812 u_int16_t score = 0;
1813 u_int32_t i;
1814
1815 *client_score = *server_score = 0; /* Reset values */
1816
1817 if(risk == 0) return(0);
1818
1819 for(i = 0; i < NDPI_MAX_RISK; i++) {
1820 ndpi_risk_enum r = (ndpi_risk_enum)i;
1821
1822 if(NDPI_ISSET_BIT(risk, r)) {
1823 ndpi_risk_info *info = ndpi_risk2severity(r);
1824 u_int16_t val = 0, client_score_val;
1825
1826 switch(info->severity) {
1827 case NDPI_RISK_LOW:
1828 val = NDPI_SCORE_RISK_LOW;
1829 break;
1830
1831 case NDPI_RISK_MEDIUM:
1832 val = NDPI_SCORE_RISK_MEDIUM;
1833 break;
1834
1835 case NDPI_RISK_HIGH:
1836 val = NDPI_SCORE_RISK_HIGH;
1837 break;
1838
1839 case NDPI_RISK_SEVERE:
1840 val = NDPI_SCORE_RISK_SEVERE;
1841 break;
1842 }
1843
1844 score += val;
1845 client_score_val = (val * info->default_client_risk_pctg) / 100;
1846
1847 *client_score += client_score_val, *server_score += (val - client_score_val);
1848 }
1849 }
1850
1851 return(score);
1852 }
1853
1854 /* ******************************************************************** */
1855
ndpi_http_method2str(ndpi_http_method m)1856 const char* ndpi_http_method2str(ndpi_http_method m) {
1857 switch(m) {
1858 case NDPI_HTTP_METHOD_UNKNOWN: break;
1859 case NDPI_HTTP_METHOD_OPTIONS: return("OPTIONS");
1860 case NDPI_HTTP_METHOD_GET: return("GET");
1861 case NDPI_HTTP_METHOD_HEAD: return("HEAD");
1862 case NDPI_HTTP_METHOD_PATCH: return("PATCH");
1863 case NDPI_HTTP_METHOD_POST: return("POST");
1864 case NDPI_HTTP_METHOD_PUT: return("PUT");
1865 case NDPI_HTTP_METHOD_DELETE: return("DELETE");
1866 case NDPI_HTTP_METHOD_TRACE: return("TRACE");
1867 case NDPI_HTTP_METHOD_CONNECT: return("CONNECT");
1868 }
1869
1870 return("Unknown HTTP method");
1871 }
1872
1873 /* ******************************************************************** */
1874
ndpi_http_str2method(const char * method,u_int16_t method_len)1875 ndpi_http_method ndpi_http_str2method(const char* method, u_int16_t method_len) {
1876 if(!method || method_len < 3)
1877 return(NDPI_HTTP_METHOD_UNKNOWN);
1878
1879 switch(method[0]) {
1880 case 'O': return(NDPI_HTTP_METHOD_OPTIONS);
1881 case 'G': return(NDPI_HTTP_METHOD_GET);
1882 case 'H': return(NDPI_HTTP_METHOD_HEAD);
1883
1884 case 'P':
1885 switch(method[1]) {
1886 case 'A':return(NDPI_HTTP_METHOD_PATCH);
1887 case 'O':return(NDPI_HTTP_METHOD_POST);
1888 case 'U':return(NDPI_HTTP_METHOD_PUT);
1889 }
1890 break;
1891
1892 case 'D': return(NDPI_HTTP_METHOD_DELETE);
1893 case 'T': return(NDPI_HTTP_METHOD_TRACE);
1894 case 'C': return(NDPI_HTTP_METHOD_CONNECT);
1895 }
1896
1897 return(NDPI_HTTP_METHOD_UNKNOWN);
1898 }
1899
1900 /* ******************************************************************** */
1901
1902 #define ROR64(x,r) (((x)>>(r))|((x)<<(64-(r))))
1903
1904 /*
1905 'in_16_bytes_long` points to some 16 byte memory data to be hashed;
1906 two independent 64-bit linear congruential generators are applied
1907 results are mixed, scrambled and cast to 32-bit
1908 */
ndpi_quick_16_byte_hash(u_int8_t * in_16_bytes_long)1909 u_int32_t ndpi_quick_16_byte_hash(u_int8_t *in_16_bytes_long) {
1910 u_int64_t a = *(u_int64_t*)(in_16_bytes_long + 0);
1911 u_int64_t c = *(u_int64_t*)(in_16_bytes_long + 8);
1912
1913 // multipliers are taken from sprng.org, addends are prime
1914 a = a * 0x2c6fe96ee78b6955 + 0x9af64480a3486659;
1915 c = c * 0x369dea0f31a53f85 + 0xd0c6225445b76b5b;
1916
1917 // mix results
1918 a += c;
1919
1920 // final scramble
1921 a ^= ROR64(a, 13) ^ ROR64(a, 7);
1922
1923 // down-casting, also taking advantage of upper half
1924 a ^= a >> 32;
1925
1926 return((u_int32_t)a);
1927 }
1928
1929 /* ******************************************************************** */
1930
ndpi_hash_alloc(u_int32_t max_num_entries)1931 ndpi_str_hash* ndpi_hash_alloc(u_int32_t max_num_entries) {
1932 ndpi_str_hash *h = (ndpi_str_hash*)ndpi_malloc(sizeof(ndpi_str_hash));
1933
1934 if(!h) return(NULL);
1935 if(max_num_entries < 1024) max_num_entries = 1024;
1936 if(max_num_entries > 10000000) max_num_entries = 10000000;
1937
1938 h->max_num_entries = max_num_entries, h->num_buckets = max_num_entries/2;
1939 h->buckets = (struct ndpi_str_hash_info**)ndpi_calloc(sizeof(struct ndpi_str_hash_info*), h->num_buckets);
1940
1941 if(h->buckets == NULL) {
1942 ndpi_free(h);
1943 return(NULL);
1944 } else
1945 return(h);
1946 }
1947
1948 /* ******************************************************************** */
1949
ndpi_hash_free(ndpi_str_hash * h)1950 void ndpi_hash_free(ndpi_str_hash *h) {
1951 u_int32_t i;
1952
1953 for(i=0; i<h->num_buckets; i++) {
1954 struct ndpi_str_hash_info *head = h->buckets[i];
1955
1956 while(head != NULL) {
1957 struct ndpi_str_hash_info *next = head->next;
1958
1959 ndpi_free(head->key);
1960 ndpi_free(head);
1961 head = next;
1962 }
1963 }
1964
1965 ndpi_free(h->buckets);
1966 ndpi_free(h);
1967 }
1968
1969 /* ******************************************************************** */
1970
_ndpi_hash_function(ndpi_str_hash * h,char * key,u_int8_t key_len)1971 static u_int32_t _ndpi_hash_function(ndpi_str_hash *h, char *key, u_int8_t key_len) {
1972 u_int32_t hv = 0;
1973 u_int8_t i;
1974
1975 for(i=0; i<key_len; i++)
1976 hv += key[i]*(i+1);
1977
1978 return(hv % h->num_buckets);
1979 }
1980
1981 /* ******************************************************************** */
1982
_ndpi_hash_find_entry(ndpi_str_hash * h,u_int32_t hashval,char * key,u_int key_len,u_int8_t * value)1983 static int _ndpi_hash_find_entry(ndpi_str_hash *h, u_int32_t hashval, char *key, u_int key_len, u_int8_t *value) {
1984 struct ndpi_str_hash_info *head = h->buckets[hashval];
1985
1986 while(head != NULL) {
1987 if((head->key_len == key_len) && (memcmp(head->key, key, key_len) == 0)) {
1988 *value = head->value;
1989 return(0); /* Found */
1990 }
1991
1992 head = head-> next;
1993 }
1994
1995 return(-1); /* Not found */
1996 }
1997
1998 /* ******************************************************************** */
1999
ndpi_hash_find_entry(ndpi_str_hash * h,char * key,u_int key_len,u_int8_t * value)2000 int ndpi_hash_find_entry(ndpi_str_hash *h, char *key, u_int key_len, u_int8_t *value) {
2001 u_int32_t hv = _ndpi_hash_function(h, key, key_len);
2002
2003 return(_ndpi_hash_find_entry(h, hv, key, key_len, value));
2004 }
2005
2006 /* ******************************************************************** */
2007
ndpi_hash_add_entry(ndpi_str_hash * h,char * key,u_int8_t key_len,u_int8_t value)2008 int ndpi_hash_add_entry(ndpi_str_hash *h, char *key, u_int8_t key_len, u_int8_t value) {
2009 u_int32_t hv = _ndpi_hash_function(h, key, key_len);
2010 u_int8_t ret_value;
2011 int rc = _ndpi_hash_find_entry(h, hv, key, key_len, &ret_value);
2012
2013 if(rc == -1) {
2014 /* Not found */
2015 struct ndpi_str_hash_info *e = (struct ndpi_str_hash_info*)ndpi_malloc(sizeof(struct ndpi_str_hash_info));
2016
2017 if(e == NULL)
2018 return(-2);
2019
2020 if((e->key = (char*)ndpi_malloc(key_len)) == NULL)
2021 return(-3);
2022
2023 memcpy(e->key, key, key_len);
2024 e->key_len = key_len, e->value = value;
2025 e->next = h->buckets[hv];
2026 h->buckets[hv] = e;
2027
2028 return(0);
2029 } else
2030 return(0);
2031 }
2032
2033 /* ********************************************************************************* */
2034
ndpi_host_ip_risk_ptree_match(struct ndpi_detection_module_struct * ndpi_str,struct in_addr * pin)2035 static u_int64_t ndpi_host_ip_risk_ptree_match(struct ndpi_detection_module_struct *ndpi_str,
2036 struct in_addr *pin /* network byte order */) {
2037 ndpi_prefix_t prefix;
2038 ndpi_patricia_node_t *node;
2039
2040 /* Make sure all in network byte order otherwise compares wont work */
2041 ndpi_fill_prefix_v4(&prefix, pin, 32, ((ndpi_patricia_tree_t *) ndpi_str->protocols_ptree)->maxbits);
2042 node = ndpi_patricia_search_best(ndpi_str->ip_risk_mask_ptree, &prefix);
2043
2044 if(node)
2045 return(node->value.u.uv64);
2046 else
2047 return((u_int64_t)-1);
2048 }
2049
2050 /* ********************************************************************************* */
2051
ndpi_handle_risk_exceptions(struct ndpi_detection_module_struct * ndpi_str,struct ndpi_flow_struct * flow)2052 static void ndpi_handle_risk_exceptions(struct ndpi_detection_module_struct *ndpi_str,
2053 struct ndpi_flow_struct *flow) {
2054 char *host;
2055
2056 if(flow->risk == 0) return; /* Nothing to do */
2057
2058 host = ndpi_get_flow_name(flow);
2059
2060 if((!flow->host_risk_mask_evaluated) && (!flow->ip_risk_mask_evaluated)) {
2061 flow->risk_mask = (u_int64_t)-1; /* No mask */
2062 }
2063
2064 if(!flow->host_risk_mask_evaluated) {
2065 if(host && (host[0] != '\0')) {
2066 /* Check host exception */
2067 ndpi_automa *automa = &ndpi_str->host_risk_mask_automa;
2068
2069 if(automa->ac_automa) {
2070 AC_TEXT_t ac_input_text;
2071 AC_REP_t match;
2072
2073 ac_input_text.astring = host, ac_input_text.length = strlen(host);
2074 ac_input_text.option = 0;
2075
2076 if(ac_automata_search(automa->ac_automa, &ac_input_text, &match) > 0)
2077 flow->risk_mask &= match.number64;
2078 }
2079
2080 /* Used to avoid double checks (e.g. in DNS req/rsp) */
2081 flow->host_risk_mask_evaluated = 1;
2082 }
2083 }
2084
2085 /* TODO: add IPv6 support */
2086 if(!flow->ip_risk_mask_evaluated) {
2087 if(flow->packet.iph) {
2088 struct ndpi_packet_struct *packet = &flow->packet;
2089 struct in_addr pin;
2090
2091 pin.s_addr = packet->iph->saddr;
2092 flow->risk_mask &= ndpi_host_ip_risk_ptree_match(ndpi_str, &pin);
2093
2094 pin.s_addr = packet->iph->daddr;
2095 flow->risk_mask &= ndpi_host_ip_risk_ptree_match(ndpi_str, &pin);
2096 }
2097
2098 flow->ip_risk_mask_evaluated = 1;
2099 }
2100
2101 flow->risk &= flow->risk_mask;
2102 }
2103
2104 /* ******************************************************************** */
2105
ndpi_set_risk(struct ndpi_detection_module_struct * ndpi_str,struct ndpi_flow_struct * flow,ndpi_risk_enum r)2106 void ndpi_set_risk(struct ndpi_detection_module_struct *ndpi_str,
2107 struct ndpi_flow_struct *flow, ndpi_risk_enum r) {
2108 ndpi_risk v = 1ull << r;
2109
2110 // NDPI_SET_BIT(flow->risk, (u_int32_t)r);
2111 flow->risk |= v;
2112 ndpi_handle_risk_exceptions(ndpi_str, flow);
2113 }
2114
2115 /* ******************************************************************** */
2116
ndpi_is_printable_string(char const * const str,size_t len)2117 int ndpi_is_printable_string(char const * const str, size_t len) {
2118 for (size_t i = 0; i < len; ++i) {
2119 if (ndpi_isprint(str[i]) == 0) {
2120 return 0;
2121 }
2122 }
2123
2124 return 1;
2125 }
2126
2127 /* ******************************************************************** */
2128
ndpi_calculate_entropy(u_int8_t const * const buf,size_t len)2129 float ndpi_calculate_entropy(u_int8_t const * const buf, size_t len) {
2130 float entropy = 0.0f;
2131 u_int32_t byte_counters[256];
2132
2133 memset(byte_counters, 0, sizeof(byte_counters));
2134
2135 for (size_t i = 0; i < len; ++i) {
2136 if (buf[i] == i) {
2137 byte_counters[i]++;
2138 }
2139 }
2140
2141 for (size_t i = 0; i < sizeof(byte_counters) / sizeof(byte_counters[0]); ++i) {
2142 if (byte_counters[i] == 0) {
2143 continue;
2144 }
2145
2146 float p = 1.0f * byte_counters[i] / len;
2147 entropy -= p * log2f(p);
2148 }
2149
2150 entropy *= -1.0f;
2151 return entropy;
2152 }
2153
2154 /* ******************************************* */
2155
ndpi_get_flow_name(struct ndpi_flow_struct * flow)2156 char* ndpi_get_flow_name(struct ndpi_flow_struct *flow) {
2157 if(!flow) goto no_flow_info;
2158
2159 if(flow->host_server_name[0] != '\0')
2160 return((char*)flow->host_server_name);
2161
2162 if(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] != '\0')
2163 return(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name);
2164
2165 no_flow_info:
2166 return((char*)"");
2167 }
2168
2169 /* ******************************************* */
2170
load_common_alpns(struct ndpi_detection_module_struct * ndpi_str)2171 void load_common_alpns(struct ndpi_detection_module_struct *ndpi_str) {
2172 /* see: https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
2173 const char* const common_alpns[] = {
2174 "http/0.9", "http/1.0", "http/1.1",
2175 "spdy/1", "spdy/2", "spdy/3", "spdy/3.1",
2176 "stun.turn", "stun.nat-discovery",
2177 "h2", "h2c", "h2-16", "h2-15", "h2-14", "h2-fb",
2178 "webrtc", "c-webrtc",
2179 "ftp", "imap", "pop3", "managesieve", "coap",
2180 "xmpp-client", "xmpp-server",
2181 "acme-tls/1",
2182 "mqtt", "dot", "ntske/1", "sunrpc",
2183 "h3",
2184 "smb",
2185 "irc",
2186
2187 /* QUIC ALPNs */
2188 "h3-T051", "h3-T050",
2189 "h3-32", "h3-30", "h3-29", "h3-28", "h3-27", "h3-24", "h3-22",
2190 "hq-30", "hq-29", "hq-28", "hq-27",
2191 "h3-fb-05", "h1q-fb",
2192 "doq-i00",
2193
2194 NULL /* end */
2195 };
2196 u_int i;
2197
2198 for(i=0; common_alpns[i] != NULL; i++) {
2199 AC_PATTERN_t ac_pattern;
2200
2201 memset(&ac_pattern, 0, sizeof(ac_pattern));
2202 ac_pattern.astring = ndpi_strdup((char*)common_alpns[i]);
2203 ac_pattern.length = strlen(common_alpns[i]);
2204
2205 if(ac_automata_add(ndpi_str->common_alpns_automa.ac_automa, &ac_pattern) != ACERR_SUCCESS)
2206 printf("%s(): unable to add %s\n", __FUNCTION__, common_alpns[i]);
2207 }
2208 }
2209
2210 /* ******************************************* */
2211
is_a_common_alpn(struct ndpi_detection_module_struct * ndpi_str,const char * alpn_to_check,u_int alpn_to_check_len)2212 u_int8_t is_a_common_alpn(struct ndpi_detection_module_struct *ndpi_str,
2213 const char *alpn_to_check, u_int alpn_to_check_len) {
2214 ndpi_automa *automa = &ndpi_str->common_alpns_automa;
2215
2216 if(automa->ac_automa) {
2217 AC_TEXT_t ac_input_text;
2218 AC_REP_t match;
2219
2220 ac_input_text.astring = (char*)alpn_to_check, ac_input_text.length = alpn_to_check_len;
2221 ac_input_text.option = 0;
2222
2223 if(ac_automata_search(automa->ac_automa, &ac_input_text, &match) > 0)
2224 return(1);
2225 }
2226
2227 return(0);
2228 }
2229
2230 /* ******************************************* */
2231
ndpi_is_valid_protoId(u_int16_t protoId)2232 u_int8_t ndpi_is_valid_protoId(u_int16_t protoId) {
2233 return((protoId >= NDPI_MAX_SUPPORTED_PROTOCOLS + NDPI_MAX_NUM_CUSTOM_PROTOCOLS) ? 0 : 1);
2234 }
2235
2236 /* ******************************************* */
2237
ndpi_is_encrypted_proto(struct ndpi_detection_module_struct * ndpi_str,ndpi_protocol proto)2238 u_int8_t ndpi_is_encrypted_proto(struct ndpi_detection_module_struct *ndpi_str,
2239 ndpi_protocol proto) {
2240
2241 if(ndpi_is_valid_protoId(proto.master_protocol) && ndpi_is_valid_protoId(proto.app_protocol)) {
2242 return((ndpi_str->proto_defaults[proto.master_protocol].isClearTextProto
2243 && ndpi_str->proto_defaults[proto.app_protocol].isClearTextProto) ? 0 : 1);
2244 } else
2245 return(0);
2246 }
2247