config: configure libgcrypt via the new configuration API

ntop · Dec 8, 2023 · 22db593 · 22db593
1 parent a455dc1
commit 22db593
Show file tree

Hide file tree

Showing 18 changed files with 40 additions and 55 deletions.
diff --git a/doc/configuration_parameters.md b/doc/configuration_parameters.md
@@ -12,6 +12,7 @@ TODO
 | NULL         | "fully_encrypted_heuristic.enable"        | 1             | NULL      | NULL      | Enable/disable an heuristic to detect fully encrypted sessions, i.e. flows where every bytes of the payload is encrypted in an attempt to “look like nothing”. This heuristic only analyzes the first packet of the flow. See: https://www.usenix.org/system/files/sec23fall-prepub-234-wu-mingshi.pdf |
 | NULL         | "lru.$CACHE_NAME.size"                    | See description | 0         | 16777215  | Set the size (in number of elements) of the specified LRU cache (0 = the cache is disabled). The keyword "$CACHE_NAME" is a placeholder for the cache name and the possible values are: ookla, bittorrent, zoom, stun, tls_cert, mining, msteams, stun_zoom. The default value is "32768" for the bittorrent cache, "512" for the zoom cache and "1024" for all the other caches |
 | NULL         | "lru.$CACHE_NAME.ttl"                     | See description | 0         | 16777215  | Set the TTL (in seconds) for the elements of the specified LRU cache (0 = the elements never explicitly expire). The keyword "$CACHE_NAME" is a placeholder for the cache name and the possible values are: ookla, bittorrent, zoom, stun, tls_cert, mining, msteams, stun_zoom. The default value is "120" for the ookla cache, "60" for the msteams and stun_zoom caches and "0" for all the other caches |
+| NULL         | "libgcrypt.init"                          | 1             | NULL      | NULL      | Enable/disable initialization of libgcrypt. When using the external libgcrypt (instead of the internal crypto code) the libgcrypt runtime must be initialized. If, for whatever reasons, the application alread does it, nDPI must be told to skip it |
 | NULL         | "asn_lists.load"                          | 1             | NULL      | NULL      | Enable/disable loading of every IP addresses lists used for (sub)classification and based on BGP information |
 | NULL         | "ip_lists.load"                           | 1             | NULL      | NULL      | Enable/disable loading of every IP addresses lists used for (sub)classification |
 | NULL         | "flow_risk_lists.load"                    | 1             | NULL      | NULL      | Enable/disable loading of every IP addresses lists used to check any flow risks |

diff --git a/example/ndpiReader.c b/example/ndpiReader.c
@@ -110,7 +110,6 @@ int nDPI_LogLevel = 0;
 char *_debug_protocols = NULL;
 char *_disabled_protocols = NULL;
 static u_int8_t stats_flag = 0;
-ndpi_init_prefs init_prefs = ndpi_no_prefs;
 u_int8_t human_readeable_string_len = 5;
 u_int8_t max_num_udp_dissected_pkts = 24 /* 8 is enough for most protocols, Signal and SnapchatCall require more */, max_num_tcp_dissected_pkts = 80 /* due to telnet */;
 static u_int32_t pcap_analysis_duration = (u_int32_t)-1;
@@ -334,7 +333,7 @@ void ndpiCheckHostStringMatch(char *testChar) {
   if(!testChar)
     return;
 
-  ndpi_str = ndpi_init_detection_module(init_prefs);
+  ndpi_str = ndpi_init_detection_module();
   ndpi_finalize_initialization(ndpi_str);
 
   testRes =  ndpi_match_string_subprotocol(ndpi_str,
@@ -377,7 +376,7 @@ static void ndpiCheckIPMatch(char *testChar) {
   if(!testChar)
     return;
 
-  ndpi_str = ndpi_init_detection_module(init_prefs);
+  ndpi_str = ndpi_init_detection_module();
   NDPI_BITMASK_SET_ALL(all);
   ndpi_set_protocol_detection_bitmask2(ndpi_str, &all);
 
@@ -602,7 +601,7 @@ static void help(u_int long_help) {
          max_num_reported_top_payloads, max_num_tcp_dissected_pkts, max_num_udp_dissected_pkts);
 
   NDPI_PROTOCOL_BITMASK all;
-  ndpi_info_mod = ndpi_init_detection_module(init_prefs);
+  ndpi_info_mod = ndpi_init_detection_module();
   NDPI_BITMASK_SET_ALL(all);
   ndpi_set_protocol_detection_bitmask2(ndpi_info_mod, &all);
 
@@ -765,7 +764,7 @@ void extcap_config() {
   ndpi_proto_defaults_t *proto_defaults;
 #endif
 
-  ndpi_info_mod = ndpi_init_detection_module(init_prefs);
+  ndpi_info_mod = ndpi_init_detection_module();
 #if 0
   ndpi_num_supported_protocols = ndpi_get_ndpi_num_supported_protocols(ndpi_info_mod);
   proto_defaults = ndpi_get_proto_defaults(ndpi_info_mod);
@@ -4649,7 +4648,7 @@ static void dgaUnitTest() {
   };
   int debug = 0, i;
   NDPI_PROTOCOL_BITMASK all;
-  struct ndpi_detection_module_struct *ndpi_str = ndpi_init_detection_module(init_prefs);
+  struct ndpi_detection_module_struct *ndpi_str = ndpi_init_detection_module();
 
   assert(ndpi_str != NULL);
 
@@ -5563,7 +5562,7 @@ int main(int argc, char **argv) {
     ac_automata_enable_debug(1);
   parseOptions(argc, argv);
 
-  ndpi_info_mod = ndpi_init_detection_module(init_prefs);
+  ndpi_info_mod = ndpi_init_detection_module();
 
   if(ndpi_info_mod == NULL) return -1;
 

diff --git a/example/ndpiSimpleIntegration.c b/example/ndpiSimpleIntegration.c
@@ -188,8 +188,7 @@ static struct nDPI_workflow * init_workflow(char const * const file_or_device)
     printf("pcap_setfilter error: '%s'\n", pcap_geterr(workflow->pcap_handle));
   }  
 
-  ndpi_init_prefs init_prefs = ndpi_no_prefs;
-  workflow->ndpi_struct = ndpi_init_detection_module(init_prefs);
+  workflow->ndpi_struct = ndpi_init_detection_module();
   if (workflow->ndpi_struct == NULL) {
     free_workflow(&workflow);
     return NULL;

diff --git a/example/reader_util.c b/example/reader_util.c
@@ -79,7 +79,6 @@ extern u_int8_t max_num_udp_dissected_pkts /* 24 */, max_num_tcp_dissected_pkts
 static u_int32_t flow_id = 0;
 
 u_int8_t enable_doh_dot_detection = 0;
-extern ndpi_init_prefs init_prefs;
 
 extern int malloc_size_stats;
 extern struct ndpi_bin malloc_bins;
@@ -410,7 +409,7 @@ int parse_proto_name_list(char *str, NDPI_PROTOCOL_BITMASK *bitmask, int inverte
   else
    op = 0; /* Default action: remove from the bitmask */
   /* Use a temporary module with all protocols enabled */
-  module = ndpi_init_detection_module(0);
+  module = ndpi_init_detection_module();
   if(!module)
     return 1;
   NDPI_BITMASK_SET_ALL(all);
@@ -466,7 +465,7 @@ struct ndpi_workflow* ndpi_workflow_init(const struct ndpi_workflow_prefs * pref
 #endif
 
   /* TODO: just needed here to init ndpi ndpi_malloc wrapper */
-  module = ndpi_init_detection_module(init_prefs);
+  module = ndpi_init_detection_module();
 
   if(module == NULL) {
     LOG(NDPI_LOG_ERROR, "global structure initialization failed\n");

diff --git a/fuzz/fuzz_common_code.c b/fuzz/fuzz_common_code.c
@@ -36,12 +36,11 @@ void fuzz_set_alloc_callbacks_and_seed(int seed)
 
 void fuzz_init_detection_module(struct ndpi_detection_module_struct **ndpi_info_mod)
 {
-  ndpi_init_prefs prefs = ndpi_no_prefs;
   NDPI_PROTOCOL_BITMASK all;
   NDPI_PROTOCOL_BITMASK debug_bitmask;
 
   if(*ndpi_info_mod == NULL) {
-    *ndpi_info_mod = ndpi_init_detection_module(prefs);
+    *ndpi_info_mod = ndpi_init_detection_module();
     NDPI_BITMASK_SET_ALL(all);
     ndpi_set_protocol_detection_bitmask2(*ndpi_info_mod, &all);
 

diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp
@@ -30,8 +30,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   char log_ts[32];
 
 
-  if(fuzzed_data.remaining_bytes() < 4 + /* ndpi_init_detection_module() */
-				     NDPI_MAX_SUPPORTED_PROTOCOLS + NDPI_MAX_NUM_CUSTOM_PROTOCOLS +
+  if(fuzzed_data.remaining_bytes() < NDPI_MAX_SUPPORTED_PROTOCOLS + NDPI_MAX_NUM_CUSTOM_PROTOCOLS +
 				     6 + /* files */
 				     1 + 3 + 1 + 3 + /* Monitoring */
 				     2 + /* Pid */
@@ -45,7 +44,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   /* To allow memory allocation failures */
   fuzz_set_alloc_callbacks_and_seed(size);
 
-  ndpi_info_mod = ndpi_init_detection_module(fuzzed_data.ConsumeIntegral<u_int32_t>());
+  ndpi_info_mod = ndpi_init_detection_module();
 
   set_ndpi_debug_function(ndpi_info_mod, NULL);
 

diff --git a/fuzz/fuzz_filecfg_categories.c b/fuzz/fuzz_filecfg_categories.c
@@ -10,7 +10,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   /* To allow memory allocation failures */
   fuzz_set_alloc_callbacks_and_seed(size);
 
-  ndpi_struct = ndpi_init_detection_module(0);
+  ndpi_struct = ndpi_init_detection_module();
   NDPI_BITMASK_SET_ALL(all);
   ndpi_set_protocol_detection_bitmask2(ndpi_struct, &all);
 

diff --git a/fuzz/fuzz_filecfg_protocols.c b/fuzz/fuzz_filecfg_protocols.c
@@ -10,7 +10,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   /* To allow memory allocation failures */
   fuzz_set_alloc_callbacks_and_seed(size);
 
-  ndpi_struct = ndpi_init_detection_module(0);
+  ndpi_struct = ndpi_init_detection_module();
   NDPI_BITMASK_SET_ALL(all);
   ndpi_set_protocol_detection_bitmask2(ndpi_struct, &all);
 

diff --git a/fuzz/fuzz_ndpi_reader.c b/fuzz/fuzz_ndpi_reader.c
@@ -18,7 +18,6 @@ u_int8_t enable_protocol_guess = 1, enable_payload_analyzer = 0;
 u_int8_t enable_flow_stats = 1;
 u_int8_t human_readeable_string_len = 5;
 u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Signal requires more */, max_num_tcp_dissected_pkts = 80 /* due to telnet */;
-ndpi_init_prefs init_prefs = ndpi_no_prefs;
 int enable_malloc_bins = 1;
 int malloc_size_stats = 0;
 int max_malloc_bins = 14;

diff --git a/fuzz/fuzz_readerutils_parseprotolist.cpp b/fuzz/fuzz_readerutils_parseprotolist.cpp
@@ -13,7 +13,6 @@ u_int8_t enable_protocol_guess = 1, enable_payload_analyzer = 0;
 u_int8_t enable_flow_stats = 0;
 u_int8_t human_readeable_string_len = 5;
 u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Signal requires more */, max_num_tcp_dissected_pkts = 80 /* due to telnet */;
-ndpi_init_prefs init_prefs = ndpi_no_prefs; /* unused */
 int enable_malloc_bins = 0;
 int malloc_size_stats = 0;
 int max_malloc_bins = 14;

diff --git a/fuzz/fuzz_readerutils_workflow.cpp b/fuzz/fuzz_readerutils_workflow.cpp
@@ -15,7 +15,6 @@ u_int8_t enable_protocol_guess = 1, enable_payload_analyzer = 0;
 u_int8_t enable_flow_stats = 0;
 u_int8_t human_readeable_string_len = 5;
 u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Signal requires more */, max_num_tcp_dissected_pkts = 80 /* due to telnet */;
-ndpi_init_prefs init_prefs = ndpi_no_prefs;
 int enable_malloc_bins = 0;
 int malloc_size_stats = 0;
 int max_malloc_bins = 14;

diff --git a/python/ndpi/ndpi.py b/python/ndpi/ndpi.py
@@ -32,7 +32,7 @@ class NDPI(object):
                  "_detection_module")
 
     def __init__(self):
-        self._detection_module = lib.ndpi_init_detection_module(0)
+        self._detection_module = lib.ndpi_init_detection_module()
         if self._detection_module == ffi.NULL:
             raise MemoryError("Unable to instantiate NDPI object")
         lib.ndpi_py_setup_detection_module(self._detection_module)

diff --git a/python/ndpi/ndpi_build.py b/python/ndpi/ndpi_build.py
@@ -49,7 +49,7 @@
 NDPI_APIS = """
 u_int16_t ndpi_get_api_version(void);
 char* ndpi_revision(void);
-struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs prefs);
+struct ndpi_detection_module_struct *ndpi_init_detection_module();
 void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_struct);
 void ndpi_flow_free(void *ptr);
 ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct *ndpi_struct,

diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
@@ -211,11 +211,10 @@ extern "C" {
    * indipendent detection contexts) but all these calls MUST NOT run
    * in parallel
    *
-   * @par prefs = load preferences
    * @return  the initialized detection module
    *
    */
-  struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs prefs);
+  struct ndpi_detection_module_struct *ndpi_init_detection_module(void);
 
   /**
    * Completes the initialization (2nd step)

diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
@@ -1168,7 +1168,7 @@ struct ndpi_detection_module_config_struct {
      See: https://www.usenix.org/system/files/sec23fall-prepub-234-wu-mingshi.pdf */
   int fully_encrypted_heuristic;
   int track_payload_enabled;
-
+  int libgcrypt_init;
 
   /* LRU caches */
 
@@ -1584,13 +1584,6 @@ typedef struct {
   u_int16_t value;
 } ndpi_network6;
 
-typedef u_int32_t ndpi_init_prefs;
-
-typedef enum {
-    ndpi_no_prefs                  = 0,
-    ndpi_dont_init_libgcrypt       = (1 << 1),
-} ndpi_prefs;
-
 typedef struct {
   u_int32_t protocol_id;
   ndpi_protocol_category_t protocol_category;

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -3009,7 +3009,7 @@ static void free_ptree_data(void *data) {
 
 /* ******************************************************************** */
 
-struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs prefs) {
+struct ndpi_detection_module_struct *ndpi_init_detection_module(void) {
   struct ndpi_detection_module_struct *ndpi_str = ndpi_malloc(sizeof(struct ndpi_detection_module_struct));
   int i;
 
@@ -3034,22 +3034,6 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs
   NDPI_BITMASK_RESET(ndpi_str->debug_bitmask);
 #endif /* NDPI_ENABLE_DEBUG_MESSAGES */
 
-  if(!(prefs & ndpi_dont_init_libgcrypt)) {
-    if(!gcry_control (GCRYCTL_INITIALIZATION_FINISHED_P)) {
-      const char *gcrypt_ver = gcry_check_version(NULL);
-      if(!gcrypt_ver) {
-        NDPI_LOG_ERR(ndpi_str, "Error initializing libgcrypt\n");
-        ndpi_free(ndpi_str);
-        return NULL;
-      }
-      NDPI_LOG_DBG(ndpi_str, "Libgcrypt %s\n", gcrypt_ver);
-      /* Tell Libgcrypt that initialization has completed. */
-      gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
-    }
-  } else {
-    NDPI_LOG_DBG(ndpi_str, "Libgcrypt initialization skipped\n");
-  }
-
   if((ndpi_str->protocols_ptree = ndpi_patricia_new(32 /* IPv4 */)) == NULL ||
      (ndpi_str->protocols_ptree6 = ndpi_patricia_new(128 /* IPv6 */)) == NULL) {
     NDPI_LOG_ERR(ndpi_str, "[NDPI] Error allocating tree\n");
@@ -3249,6 +3233,20 @@ void ndpi_finalize_initialization(struct ndpi_detection_module_struct *ndpi_str)
   if(!ndpi_str)
     return;
 
+  if(ndpi_str->cfg.libgcrypt_init) {
+    if(!gcry_control(GCRYCTL_INITIALIZATION_FINISHED_P)) {
+      const char *gcrypt_ver = gcry_check_version(NULL);
+      if(!gcrypt_ver) {
+        NDPI_LOG_ERR(ndpi_str, "Error initializing libgcrypt\n");
+      }
+      NDPI_LOG_DBG(ndpi_str, "Libgcrypt %s\n", gcrypt_ver);
+      /* Tell Libgcrypt that initialization has completed. */
+      gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
+    }
+  } else {
+    NDPI_LOG_DBG(ndpi_str, "Libgcrypt initialization skipped\n");
+  }
+
   if(ndpi_str->cfg.ip_lists_enabled) {
     if(ndpi_str->cfg.ip_list_amazonaws_enabled) {
       ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_amazon_aws_protocol_list);
@@ -9068,7 +9066,7 @@ void ndpi_generate_options(u_int opt, FILE *options_out) {
   u_int i;
 
   if (!options_out) return;
-  ndpi_str = ndpi_init_detection_module(ndpi_no_prefs);
+  ndpi_str = ndpi_init_detection_module();
   if (!ndpi_str) return;
 
   NDPI_BITMASK_SET_ALL(all);
@@ -10407,6 +10405,7 @@ static const struct cfg_param {
   { NULL,            "flow.track_payload.enable",               "0", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(track_payload_enabled) },
   { NULL,            "tcp_ack_payload_heuristic.enable",        "0", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tcp_ack_paylod_heuristic) },
   { NULL,            "fully_encrypted_heuristic.enable",        "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(fully_encrypted_heuristic) },
+  { NULL,            "libgcrypt.init",                          "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(libgcrypt_init) },
 
   { NULL,            "asn_lists.load",                          "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(asn_lists_enabled) },
   { NULL,            "ip_lists.load",                           "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(ip_lists_enabled) },

diff --git a/tests/dga/dga_evaluate.c b/tests/dga/dga_evaluate.c
@@ -48,7 +48,8 @@ static void ndpi_dbg_fn(u_int32_t protocol,
 {
   assert(protocol == NDPI_PROTOCOL_UNKNOWN);
   assert(module_struct != NULL);
-  assert(log_level == NDPI_LOG_DEBUG_EXTRA);
+  /* While this program always logs at NDPI_LOG_DEBUG_EXTRA level, the
+     initialization of the library may log at any level */
 
   (void)file;
   (void)func;
@@ -91,7 +92,7 @@ int main(int argc, char **argv) {
 
   /* Initialize nDPI detection module*/
   NDPI_PROTOCOL_BITMASK all;
-  struct ndpi_detection_module_struct *ndpi_str = ndpi_init_detection_module(ndpi_no_prefs);
+  struct ndpi_detection_module_struct *ndpi_str = ndpi_init_detection_module();
   assert(ndpi_str != NULL);
   NDPI_BITMASK_SET_ALL(all);
   ndpi_set_protocol_detection_bitmask2(ndpi_str, &all);

diff --git a/tests/unit/unit.c b/tests/unit/unit.c
@@ -373,7 +373,7 @@ int main(int argc, char **argv) {
     return -1;
   }
 
-  ndpi_info_mod = ndpi_init_detection_module(ndpi_no_prefs);
+  ndpi_info_mod = ndpi_init_detection_module();
 
   if (ndpi_info_mod == NULL)
     return -1;