config: remove ndpi_set_detection_preferences()

IvanNardi · IvanNardi · commit db7589d892e2 · 2024-01-09T21:16:46.000+01:00
diff --git a/doc/configuration_parameters.md b/doc/configuration_parameters.md
@@ -6,13 +6,15 @@ TODO
 | Protocol     | Parameter                                 | Default value | Min value | Max value | Description | Notes  |
 | ------       | ------                                    | ------        | ------    | ------    | ------      | ------ |
 | NULL         | "packets_limit_per_flow"                  | 32            | 0         | 255       | The upper limit on the number of packets per flow that will be subject to DPI, after which classification will be considered complete (0 = no limit) |
+| NULL         | "flow.direction_detection.enable"         | 1             | NULL      | NULL      | Enable/disable internal detection of packet direction (client to server or server to client) |
 | NULL         | "flow_risk_lists.load"                    | 1             | NULL      | NULL      | Enable/disable loading of every IP addresses lists used to check any flow risks |
 | NULL         | "flow_risk.anonymous_subscriber.list.icloudprivaterelay.load" | 1             | NULL      | NULL      | Enable/disable loading of internal iCouldPrivateRealy IP address list used to check `NDPI_ANONYMOUS_SUBSCRIBER` flow risk |
 | NULL         | "flow_risk.anonymous_subscriber.list.protonvpn.load"          | 1             | NULL      | NULL      | Enable/disable loading of internal IP address list of ProtonVPN exit nodes used to check `NDPI_ANONYMOUS_SUBSCRIBER` flow risk  |
 | NULL         | "flow_risk.crawler_bot.list.load"         | 1             | NULL      | NULL      | Enable/disable loading of internal IP address list used to check `NDPI_HTTP_CRAWLER_BOT` flow risk |
 | NULL         | "filename.config"                         | NULL          | NULL      | NULL      | Name of the file containing a list of configuration knobs itself (one per line)!. Useful to configure nDPI via text file instead of via API |
 | NULL         | "lru.$CACHE_NAME.size"                    | See description | 0         | 16777215  | Set the size (in number of elements) of the specified LRU cache (0 = the cache is disabled). The keyword "$CACHE_NAME" is a placeholder for the cache name and the possible values are: ookla, bittorrent, zoom, stun, tls_cert, mining, msteams, stun_zoom. The default value is "32768" for the bittorrent cache, "512" for the zoom cache and "1024" for all the other caches |
 | NULL         | "lru.$CACHE_NAME.ttl"                     | See description | 0         | 16777215  | Set the TTL (in seconds) for the elements of the specified LRU cache (0 = the elements never explicitly expire). The keyword "$CACHE_NAME" is a placeholder for the cache name and the possible values are: ookla, bittorrent, zoom, stun, tls_cert, mining, msteams, stun_zoom. The default value is "120" for the ookla cache, "60" for the msteams and stun_zoom caches and "0" for all the other caches |
+| "tls"        | "application_blocks_tracking.enable"      | 0             | NULL      | NULL      | Enable/disable processing of TLS Application Blocks (post handshake) to extract statistical information about the flow |
 | "tls"        | "metadata.sha1_fingerprint.enable"        | 1             | NULL      | NULL      | Enable/disable computation and export of SHA1 fingerprint for TLS flows. Note that if it is disable, the flow risk `NDPI_MALICIOUS_SHA1_CERTIFICATE` is not checked |
 | "smtp"       | "tls_dissection.enable"                   | 1             | NULL      | NULL      | Enable/disable dissection of TLS packets in cleartext SMTP flows (because of opportunistic TLS, via STARTTLS msg) |
 | "imap"       | "tls_dissection.enable"                   | 1             | NULL      | NULL      | Enable/disable dissection of TLS packets in cleartext IMAP flows (because of opportunistic TLS, via STARTTLS msg) |
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
@@ -2781,14 +2781,14 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) {
 	      cfgs[i].proto, cfgs[i].param, cfgs[i].value, rc);
   }
 
+  if(enable_doh_dot_detection)
+    ndpi_set_config(ndpi_thread_info[thread_id].workflow->ndpi_struct, "tls", "application_blocks_tracking.enable", "1");
+
   ret = ndpi_finalize_initialization(ndpi_thread_info[thread_id].workflow->ndpi_struct);
   if(ret != 0) {
     fprintf(stderr, "Error ndpi_finalize_initialization: %d\n", ret);
     exit(-1);
   }
-
-  if(enable_doh_dot_detection)
-    ndpi_set_detection_preferences(ndpi_thread_info[thread_id].workflow->ndpi_struct, ndpi_pref_enable_tls_block_dissection, 1);
 }
 
 /* *********************************************** */
diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp
@@ -57,6 +57,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   ndpi_set_user_data(ndpi_info_mod, (void *)0xabcdabcd); /* Twice to trigger overwriting */
   ndpi_get_user_data(ndpi_info_mod);
 
+  /* ndpi_set_config: try to keep the soame order of the definitions in ndpi_main.c.
+     + 1 to trigger unvalid parameter error */
+
   ndpi_set_tls_cert_expire_days(ndpi_info_mod, fuzzed_data.ConsumeIntegral<u_int8_t>());
 
   if(fuzzed_data.ConsumeBool())
@@ -76,15 +79,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   /* TODO: stub for geo stuff */
   ndpi_load_geoip(ndpi_info_mod, NULL, NULL);
 
-  if(fuzzed_data.ConsumeBool())
-    ndpi_set_detection_preferences(ndpi_info_mod, ndpi_pref_direction_detect_disable,
-                                   fuzzed_data.ConsumeBool());
-  if(fuzzed_data.ConsumeBool())
-    ndpi_set_detection_preferences(ndpi_info_mod, ndpi_pref_enable_tls_block_dissection,
-                                   0 /* unused */);
-
-  ndpi_set_detection_preferences(ndpi_info_mod, static_cast<ndpi_detection_preference>(0xFF), 0xFF); /* Invalid preference */
-
+  if(fuzzed_data.ConsumeBool()) {
+    value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
+    sprintf(cfg_value, "%d", value);
+    ndpi_set_config(ndpi_info_mod, "tls", "application_blocks_tracking.enable", cfg_value);
+  }
   if(fuzzed_data.ConsumeBool()) {
     value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
     sprintf(cfg_value, "%d", value);
@@ -138,6 +137,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     sprintf(cfg_value, "%d", value);
     ndpi_set_config(ndpi_info_mod, NULL, "packets_limit_per_flow", cfg_value);
   }
+  if(fuzzed_data.ConsumeBool()) {
+    value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
+    sprintf(cfg_value, "%d", value);
+    ndpi_set_config(ndpi_info_mod, NULL, "flow.direction_detection.enable", cfg_value);
+  }
   if(fuzzed_data.ConsumeBool()) {
     value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
     sprintf(cfg_value, "%d", value);
diff --git a/fuzz/fuzz_ndpi_reader.c b/fuzz/fuzz_ndpi_reader.c
@@ -72,7 +72,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
     NDPI_BITMASK_SET_ALL(all);
     ndpi_set_protocol_detection_bitmask2(workflow->ndpi_struct, &all);
 
-    ndpi_set_detection_preferences(workflow->ndpi_struct, ndpi_pref_enable_tls_block_dissection, 0 /* unused */);
+    ndpi_set_config(workflow->ndpi_struct, "tls", "application_blocks_tracking.enable", "1");
 
     memset(workflow->stats.protocol_counter, 0,
 	   sizeof(workflow->stats.protocol_counter));
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
@@ -1035,9 +1035,6 @@ extern "C" {
   int ndpi_get_custom_category_match(struct ndpi_detection_module_struct *ndpi_struct,
 				     char *name_or_ip, u_int name_len,
 				     ndpi_protocol_category_t *id);
-  int ndpi_set_detection_preferences(struct ndpi_detection_module_struct *ndpi_mod,
-				     ndpi_detection_preference pref,
-				     int value);
 
   u_int16_t ndpi_map_user_proto_id_to_ndpi_id(struct ndpi_detection_module_struct *ndpi_str,
 					      u_int16_t user_proto_id);
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
@@ -1071,11 +1071,6 @@ typedef enum {
   NDPI_PROTOCOL_ANY_CATEGORY /* Used to handle wildcards */
 } ndpi_protocol_category_t;
 
-typedef enum {
-   ndpi_pref_direction_detect_disable = 0,
-   ndpi_pref_enable_tls_block_dissection, /* nDPI considers only those blocks past the certificate exchange */
-} ndpi_detection_preference;
-
 /* ntop extensions */
 typedef struct ndpi_proto_defaults {
   char *protoName;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -960,34 +960,6 @@ static void init_string_based_protocols(struct ndpi_detection_module_struct *ndp
 
 /* ******************************************************************** */
 
-int ndpi_set_detection_preferences(struct ndpi_detection_module_struct *ndpi_str, ndpi_detection_preference pref,
-                                   int value) {
-  if(!ndpi_str)
-    return -1;
-
-  switch(pref) {
-  case ndpi_pref_direction_detect_disable:
-    ndpi_str->direction_detect_disable = (u_int8_t) value;
-    break;
-
-  case ndpi_pref_enable_tls_block_dissection:
-    /*
-      If this option is enabled only the TLS Application data blocks past the
-      certificate negotiation are considered
-    */
-    ndpi_str->num_tls_blocks_to_follow = NDPI_MAX_NUM_TLS_APPL_BLOCKS;
-    ndpi_str->skip_tls_blocks_until_change_cipher = 1;
-    break;
-
-  default:
-    return(-1);
-  }
-
-  return(0);
-}
-
-/* ******************************************************************** */
-
 static void ndpi_validate_protocol_initialization(struct ndpi_detection_module_struct *ndpi_str) {
   u_int i;
 
@@ -3651,6 +3623,11 @@ int ndpi_finalize_initialization(struct ndpi_detection_module_struct *ndpi_str)
 
   ndpi_str->ac_automa_finalized = 1;
 
+  if(ndpi_str->cfg.tls_app_blocks_tracking_enabled) {
+    ndpi_str->num_tls_blocks_to_follow = NDPI_MAX_NUM_TLS_APPL_BLOCKS;
+    ndpi_str->skip_tls_blocks_until_change_cipher = 1;
+  }
+
   ndpi_str->finalized = 1;
 
   return 0;
@@ -4049,6 +4026,7 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_str) {
 	    ndpi_free(ndpi_str->callback_buffer);
     if(ndpi_str->callback_buffer_tcp_payload)
 	    ndpi_free(ndpi_str->callback_buffer_tcp_payload);
+
     ndpi_free(ndpi_str);
   }
 
@@ -6592,7 +6570,7 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
 
     packet->tcp_retransmission = 0, packet->packet_direction = 0;
 
-    if(ndpi_str->direction_detect_disable) {
+    if(!ndpi_str->cfg.direction_detect_enabled) {
       packet->packet_direction = flow->packet_direction;
     } else {
       if(iph != NULL && ntohl(iph->saddr) < ntohl(iph->daddr))
@@ -6617,7 +6595,7 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
       else if(flags == (TH_FIN | TH_PUSH | TH_URG))
 	ndpi_set_risk(ndpi_str, flow, NDPI_TCP_ISSUES, "TCP XMAS scan");
 
-      if(!ndpi_str->direction_detect_disable &&
+      if(ndpi_str->cfg.direction_detect_enabled &&
          (tcph->source != tcph->dest))
 	packet->packet_direction = (ntohs(tcph->source) < ntohs(tcph->dest)) ? 1 : 0;
 
@@ -6698,7 +6676,7 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
 	flow->next_tcp_seq_nr[1] = 0;
       }
     } else if(udph != NULL) {
-      if(!ndpi_str->direction_detect_disable &&
+      if(ndpi_str->cfg.direction_detect_enabled &&
          (udph->source != udph->dest))
 	packet->packet_direction = (htons(udph->source) < htons(udph->dest)) ? 1 : 0;
     }
@@ -10788,6 +10766,7 @@ static const struct cfg_param {
 } cfg_params[] = {
   /* Per-protocol parameters */
 
+  { "tls",           "application_blocks_tracking.enable",      "0", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_app_blocks_tracking_enabled) },
   { "tls",           "metadata.sha1_fingerprint.enable",        "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_sha1_fingerprint_enabled) },
 
   { "smtp",          "tls_dissection.enable",                   "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(smtp_opportunistic_tls_enabled) },
@@ -10807,6 +10786,7 @@ static const struct cfg_param {
   /* Global parameters */
 
   { NULL,            "packets_limit_per_flow",                  "32", "0", "255", CFG_PARAM_INT, __OFF(max_packets_to_process) },
+  { NULL,            "flow.direction_detection.enable",         "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(direction_detect_enabled) },
 
   { NULL,            "flow_risk_lists.load",                    "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(flow_risk_lists_enabled)},
 
diff --git a/src/lib/ndpi_private.h b/src/lib/ndpi_private.h
@@ -126,6 +126,7 @@ typedef struct {
 
 struct ndpi_detection_module_config_struct {
   int max_packets_to_process;
+  int direction_detect_enabled;
 
   char filename_config[CFG_MAX_LEN];
 
@@ -150,6 +151,7 @@ struct ndpi_detection_module_config_struct {
 
   /* Protocols */
 
+  int tls_app_blocks_tracking_enabled;
   int tls_sha1_fingerprint_enabled;
 
   int smtp_opportunistic_tls_enabled;

Original file line number	Diff line number	Diff line change
`@@ -2781,14 +2781,14 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) {`
`2781`	`2781`	`cfgs[i].proto, cfgs[i].param, cfgs[i].value, rc);`
`2782`	`2782`	`}`
`2783`	`2783`
	`2784`	`+ if(enable_doh_dot_detection)`
	`2785`	`+ ndpi_set_config(ndpi_thread_info[thread_id].workflow->ndpi_struct, "tls", "application_blocks_tracking.enable", "1");`
	`2786`	`+`
`2784`	`2787`	`ret = ndpi_finalize_initialization(ndpi_thread_info[thread_id].workflow->ndpi_struct);`
`2785`	`2788`	`if(ret != 0) {`
`2786`	`2789`	`fprintf(stderr, "Error ndpi_finalize_initialization: %d\n", ret);`
`2787`	`2790`	`exit(-1);`
`2788`	`2791`	`}`
`2789`		`-`
`2790`		`- if(enable_doh_dot_detection)`
`2791`		`- ndpi_set_detection_preferences(ndpi_thread_info[thread_id].workflow->ndpi_struct, ndpi_pref_enable_tls_block_dissection, 1);`
`2792`	`2792`	`}`
`2793`	`2793`
`2794`	`2794`	`/* *********************************************** */`