Fix MS Teams detection with heuristic (#1972)

When we reconcile a TLS session to Teams, we need to keep TLs as master.
This way:
* we keep exporting all the TLS metadata
* we avoid some memory leaks (of these metadata themeselves)

src/lib/ndpi_main.c

@@ -5983,9 +5983,12 @@ static u_int32_t make_msteams_key(struct ndpi_flow_struct *flow, u_int8_t use_cl
 
 static void ndpi_reconcile_msteams_udp(struct ndpi_detection_module_struct *ndpi_str,
 				       struct ndpi_flow_struct *flow) {
-  if((flow->l4_proto == IPPROTO_UDP) && (ndpi_str->packet.udp != NULL)) {
-    u_int16_t sport = ntohs(ndpi_str->packet.udp->source);
-    u_int16_t dport = ntohs(ndpi_str->packet.udp->dest);
+
+  /* This function can NOT access &ndpi_str->packet since it is called also from ndpi_detection_giveup(), via ndpi_reconcile_protocols() */
+
+  if(flow->l4_proto == IPPROTO_UDP) {
+    u_int16_t sport = ntohs(flow->c_port);
+    u_int16_t dport = ntohs(flow->s_port);
     u_int8_t  s_match = ((sport >= 3478) && (sport <= 3481)) ? 1 : 0;
     u_int8_t  d_match = ((dport >= 3478) && (dport <= 3481)) ? 1 : 0;
 
@@ -6080,7 +6083,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s
 			     &dummy, 0 /* Don't remove it as it can be used for other connections */,
 			     ndpi_get_current_time(flow))) {
 	ndpi_int_change_protocol(ndpi_str, flow,
-				 NDPI_PROTOCOL_SKYPE_TEAMS, flow->detected_protocol_stack[1],
+				 NDPI_PROTOCOL_SKYPE_TEAMS, NDPI_PROTOCOL_TLS,
 				 NDPI_CONFIDENCE_DPI_PARTIAL);
       }      
     }

tests/cfgs/default/result/sites.pcapng.out

@@ -10,7 +10,7 @@ LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/12/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)
-LRU cache tls_cert:   0/8/0 (insert/search/found)
+LRU cache tls_cert:   0/6/0 (insert/search/found)
 LRU cache mining:     0/4/0 (insert/search/found)
 LRU cache msteams:    1/1/1 (insert/search/found)
 LRU cache stun_zoom:  0/0/0 (insert/search/found)
@@ -84,7 +84,7 @@ JA3 Host Stats:
 	6	TCP 192.168.12.169:39248 <-> 23.12.104.83:443 [proto: 91.280/TLS.AccuWeather][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Web/5][16 pkts/1964 bytes <-> 14 pkts/6598 bytes][Goodput ratio: 47/86][1.75 sec][Hostname/SNI: api.accuweather.com][(Advertised) ALPNs: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.541 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 125/170 1421/1444 375/427][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 123/471 583/1514 140/534][TLSv1.3][JA3C: 9b02ebd3a43b62d825e1ac605b621dc8][JA3S: 15af977ce25de452b96affa2addb1036][Safari][Cipher: TLS_AES_256_GCM_SHA384][Plen Bins: 16,0,8,0,0,0,0,0,16,8,0,8,0,0,0,0,8,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,16,0,0]
 	7	TCP 192.168.1.128:56836 <-> 13.107.42.13:443 [proto: 91.221/TLS.MS_OneDrive][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 8][cat: Cloud/13][3 pkts/857 bytes <-> 7 pkts/6562 bytes][Goodput ratio: 79/94][0.08 sec][Hostname/SNI: onedrive.live.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.769 (Download)][IAT c2s/s2c min/avg/max/stddev: 22/0 28/9 33/33 6/13][Pkt Len c2s/s2c min/avg/max/stddev: 74/60 286/937 571/1514 209/673][TLSv1.2][JA3C: 579ccef312d18482fc42e2b822ca2430][ServerNames: onedrive.com,p.sfx.ms,*.live.com,*.live.net,*.skydrive.live.com,*.onedrive.live.com,*.onedrive.com,d.sfx-df.ms,*.odwebb.svc.ms,*.odwebp.svc.ms,*.odwebdf.svc.ms,*.odwebpl.svc.ms][JA3S: a66ea560599a2f5c89eec8c3a0d69cee][Issuer: C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02][Subject: CN=onedrive.com][Certificate SHA-1: 77:7F:F2:95:29:A7:E3:CC:0F:BF:2F:BA:2E:6F:2A:38:62:8B:48:4D][Firefox][Validity: 2022-02-01 00:13:15 - 2023-02-01 00:13:15][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 12,0,0,0,12,0,0,0,0,0,12,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,51,0,0]
 	8	TCP 192.168.1.128:46724 <-> 199.232.82.109:443 [proto: 91.267/TLS.Vimeo][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 10][cat: Streaming/17][13 pkts/1452 bytes <-> 12 pkts/5804 bytes][Goodput ratio: 42/86][52.80 sec][Hostname/SNI: f.vimeocdn.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.600 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5278/5835 46637/46651 13906/15427][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 112/484 583/1410 138/567][TLSv1.2][JA3C: cd08e31494f9531f560d64c695473da9][ServerNames: *.vimeocdn.com][JA3S: 16c0b3e6a7b8173c16d944cfeaeee9cf][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2020][Subject: CN=*.vimeocdn.com][Certificate SHA-1: 3A:0F:CF:EC:3C:13:25:E2:E1:4D:C6:52:A6:4D:8D:96:10:1E:8E:37][Chrome][Validity: 2021-05-18 18:45:52 - 2022-06-19 18:45:51][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 12,0,12,0,0,0,0,0,12,0,0,0,0,0,0,0,12,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,38,0,0,0,0,0]
-	9	TCP 192.168.1.128:33102 <-> 13.81.118.91:443 [proto: 125.212/Skype_Teams.Microsoft][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 7][cat: Cloud/13][3 pkts/857 bytes <-> 6 pkts/6226 bytes][Goodput ratio: 79/95][0.11 sec][Hostname/SNI: onedrive.com][bytes ratio: -0.758 (Download)][IAT c2s/s2c min/avg/max/stddev: 37/0 40/16 42/41 2/19][Pkt Len c2s/s2c min/avg/max/stddev: 74/66 286/1038 571/1514 209/673][PLAIN TEXT (onedrive.com)][Plen Bins: 0,14,0,0,14,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,57,0,0]
+	9	TCP 192.168.1.128:33102 <-> 13.81.118.91:443 [proto: 91.212/TLS.Microsoft][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 7][cat: Cloud/13][3 pkts/857 bytes <-> 6 pkts/6226 bytes][Goodput ratio: 79/95][0.11 sec][Hostname/SNI: onedrive.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.758 (Download)][IAT c2s/s2c min/avg/max/stddev: 37/0 40/16 42/41 2/19][Pkt Len c2s/s2c min/avg/max/stddev: 74/66 286/1038 571/1514 209/673][TLSv1.2][JA3C: 579ccef312d18482fc42e2b822ca2430][ServerNames: onedrive.com,p.sfx.ms,*.live.com,*.live.net,*.skydrive.live.com,*.onedrive.live.com,*.onedrive.com,d.sfx-df.ms,*.odwebb.svc.ms,*.odwebp.svc.ms,*.odwebdf.svc.ms,*.odwebpl.svc.ms][JA3S: 67bfe5d15ae567fb35fd7837f0116eec][Issuer: C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01][Subject: CN=onedrive.com][Certificate SHA-1: 50:2F:33:10:92:AC:27:7B:17:BE:82:68:3B:E2:29:AD:97:41:B7:BB][Firefox][Validity: 2021-08-13 07:38:24 - 2022-08-13 07:38:24][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,14,0,0,14,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,57,0,0]
 	10	TCP 192.168.1.128:42580 <-> 2.17.141.128:443 [proto: 91.258/TLS.Activision][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 7][cat: Game/8][3 pkts/849 bytes <-> 6 pkts/5606 bytes][Goodput ratio: 76/93][0.06 sec][Hostname/SNI: www.activision.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.737 (Download)][IAT c2s/s2c min/avg/max/stddev: 20/0 24/9 27/24 4/10][Pkt Len c2s/s2c min/avg/max/stddev: 74/74 283/934 583/1514 218/562][TLSv1.2][JA3C: 579ccef312d18482fc42e2b822ca2430][ServerNames: www.benefitsforeveryworld.com,worldseriesofwarzone.com,treyarch.com,toysforbob.com,spyrothedragon.com,sledgehammergames.com,skylanders.com,sierragames.com,sekirothegame.com,ravensoftware.com,preview.demonware.net,infinityward.com,highmoonstudios.com,highmoon.com,guitarhero.com,europeanwarzoneseries.com,demonware.net,crashbandicoot.com,cdn.gh5.ps3.guitarhero.com,callofdutyleague.com,callofdutyendowment.org,callofdutyendowment.com,callofduty.com,benefitsforeveryworld.com,activisionretail.com,activisionblizzardmedia.com,activisionblizzard.com,activision.com,*.worldseriesofwarzone.com,*.treyarch.com,*.toysforbob.com,*.support.activision.com,*.spyrothedragon.com,*.sledgehammergames.com,*.skylanders.com,*.sierragames.com,*.sekirothegame.com,*.ravensoftware.com,*.infinityward.com,*.highmoonstudios.com,*.highmoon.com,*.guitarhero.com,*.europeanwarzoneseries.com,*.demonware.net,*.crashbandicoot.com,*.callofdutyleague.com,*.callofdutyendowment.org,*.callofdutyendowment.com,*.callofduty.com,*.activisionretail.com,*.activisionblizzardmedia.com,*.activisionblizzard.com,*.activision.com][JA3S: 35af4c8cd9495354f7d701ce8ad7fd2d][Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA][Subject: C=US, ST=California, L=Santa Monica, O=Activision Publishing, Inc., CN=activision.com][Certificate SHA-1: F7:39:B4:E7:27:83:D4:55:8B:13:77:16:D5:8A:3E:77:FB:2A:4F:41][Firefox][Validity: 2021-12-07 00:00:00 - 2022-12-07 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,0,0,14,0,0,0,0,14,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,28,0,0]
 	11	TCP 192.168.1.128:48654 <-> 13.107.42.14:443 [proto: 91.233/TLS.LinkedIn][IP: 276/Azure][Encrypted][Confidence: DPI][DPI packets: 7][cat: SocialNetwork/6][3 pkts/857 bytes <-> 6 pkts/5137 bytes][Goodput ratio: 79/93][0.09 sec][Hostname/SNI: www.linkedin.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.714 (Download)][IAT c2s/s2c min/avg/max/stddev: 27/0 30/12 34/35 4/15][Pkt Len c2s/s2c min/avg/max/stddev: 74/66 286/856 571/1514 209/665][TLSv1.2][JA3C: 579ccef312d18482fc42e2b822ca2430][ServerNames: www.linkedin.com,linkedin.com,rum5.perf.linkedin.com,exp4.www.linkedin.com,exp3.www.linkedin.com,exp2.www.linkedin.com,exp1.www.linkedin.com,rum2.perf.linkedin.com,rum4.perf.linkedin.com,rum6.perf.linkedin.com,rum17.perf.linkedin.com,rum8.perf.linkedin.com,rum9.perf.linkedin.com,afd.perf.linkedin.com,rum14.perf.linkedin.com,rum18.perf.linkedin.com,rum19.perf.linkedin.com,exp5.www.linkedin.com,realtime.www.linkedin.com,px.ads.linkedin.com,px4.ads.linkedin.com,dc.ads.linkedin.com,lnkd.in,px.jobs.linkedin.com][JA3S: a66ea560599a2f5c89eec8c3a0d69cee][Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA][Subject: C=US, ST=California, L=Sunnyvale, O=LinkedIn Corporation, CN=www.linkedin.com][Certificate SHA-1: CE:D8:A5:BE:BD:4B:EF:E9:22:C8:0D:55:A6:7A:A6:4A:B8:03:4A:53][Firefox][Validity: 2022-03-01 00:00:00 - 2022-09-01 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,0,14,0,14,0,0,0,0,0,14,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,42,0,0]
 	12	TCP 192.168.1.128:43412 <-> 151.101.193.73:443 [proto: 91.246/TLS.Bloomberg][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Cloud/13][3 pkts/816 bytes <-> 6 pkts/5140 bytes][Goodput ratio: 75/92][0.04 sec][Hostname/SNI: www.bloomberg.com][(Advertised) ALPNs: h2;http/1.1][(Negotiated) ALPN: h2][TLS Supported Versions: TLSv1.3;TLSv1.2][bytes ratio: -0.726 (Download)][IAT c2s/s2c min/avg/max/stddev: 10/0 15/6 20/20 5/8][Pkt Len c2s/s2c min/avg/max/stddev: 74/74 272/857 583/1406 223/565][TLSv1.2][JA3C: 579ccef312d18482fc42e2b822ca2430][ServerNames: www.bloomberg.com,api.businessweek.com,api.bwbx.io,assets.bwbx.io,byzantium.bloomberg.com,cdn-mobapi.bloomberg.com,cdn-videos.bloomberg.com,cdn.gotraffic.net,charts.bloomberg.com,embeds.bloomberg.com,fastly.bloomberg.tv,feeds.bloomberg.com,fonts.gotraffic.net,staging-assets.bwbx.io,nav.bloomberg.com,sponsored.bloomberg.com,spotlight.bloomberg.com,tictoc.video,www.bbthat.com,www.bloomberg.co.jp,www.bloomberg.co.jp.shared.bloomberga.com,www.bloomberg.com.shared.bloomberga.com,www.bloombergview.com,www.citylab.com,www.citylab.com.shared.bloomberga.com,www.quicktake.video,www.tictoc.video,cdn-api.cmobile.bloomberg.com][JA3S: 16c0b3e6a7b8173c16d944cfeaeee9cf][Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1][Subject: C=US, ST=New York, L=New York, O=Bloomberg LP, CN=www.bloomberg.com][Certificate SHA-1: 88:4A:85:34:1D:E6:C0:BE:5E:C6:14:BB:BA:94:A3:55:92:BA:95:82][Firefox][Validity: 2022-02-22 00:00:00 - 2023-03-24 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,14,0,0,0,0,0,14,0,0,0,0,0,14,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,42,0,0,0,0,0,0]