author | Michele Campus <fci1908@gmail.com> | 2016-08-12 15:27:11 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-08-12 15:27:11 +0200 |
commit | 7853c4a90ba102b451ec8cee3353a4836ff00176 (patch) | |
tree | 239fe13d451ba3c203efaf3b821dba515f9bbf30 | |
parent | 92cac451c87c149f7883c79b5a7f890c7d2043f3 (diff) | |
parent | e7613a385149e9f949960a8dd0884fef12b82282 (diff) |
Merge pull request #244 from emanuele-f/starttls
Add STARTTLS detection
-rw-r--r-- | src/include/ndpi_typedefs.h | 2 | ||||
-rw-r--r-- | src/lib/protocols/mail_imap.c | 19 | ||||
-rw-r--r-- | src/lib/protocols/ssl.c | 6 |
3 files changed, 22 insertions, 5 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 2806826f3..9a50b65fd 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -554,7 +554,7 @@ struct ndpi_flow_tcp_struct { u_int32_t mail_pop_stage:2; #endif #ifdef NDPI_PROTOCOL_MAIL_IMAP - u_int32_t mail_imap_stage:3; + u_int32_t mail_imap_stage:3, mail_imap_starttls:2; #endif #ifdef NDPI_PROTOCOL_SKYPE u_int8_t skype_packet_id; diff --git a/src/lib/protocols/mail_imap.c b/src/lib/protocols/mail_imap.c index c62c1d366..9d045226a 100644 --- a/src/lib/protocols/mail_imap.c +++ b/src/lib/protocols/mail_imap.c @@ -42,6 +42,15 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct, /* const u_int8_t *command = 0; */ NDPI_LOG(NDPI_PROTOCOL_MAIL_IMAP, ndpi_struct, NDPI_LOG_DEBUG, "search IMAP.\n"); + + if (flow->l4.tcp.mail_imap_starttls == 2) { +#ifdef NDPI_PROTOCOL_SSL + NDPI_LOG(NDPI_PROTOCOL_MAIL_IMAP, ndpi_struct, NDPI_LOG_DEBUG, "starttls detected\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MAIL_IMAP); + NDPI_DEL_PROTOCOL_FROM_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SSL); + return; +#endif + } if (packet->payload_packet_len >= 4 && ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0d0a) { // the DONE command appears without a tag @@ -62,7 +71,7 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct, } if (!((packet->payload[i] >= 'a' && packet->payload[i] <= 'z') || (packet->payload[i] >= 'A' && packet->payload[i] <= 'Z') || - (packet->payload[i] >= '0' && packet->payload[i] <= '9') || packet->payload[i] == '*')) { + (packet->payload[i] >= '0' && packet->payload[i] <= '9') || packet->payload[i] == '*' || packet->payload[i] == '.')) { goto imap_excluded; } i++; 
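Review bot: The new bitfield `mail_imap_starttls:2` in `struct ndpi_flow_tcp_struct` carries no description of its values, while the mail_imap.c and ssl.c hunks compare it against bare `1`, `2` and plain truthiness. A comment on the field, for example `/* 0: no STARTTLS, 1: STARTTLS command seen, 2: OK seen after STARTTLS */`, or a small enum with those three names, would make the later checks readable and leave the fourth value (3) visibly unused.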
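Review bot: In the `mail_imap_starttls == 2` block at the top of `ndpi_search_mail_imap_tcp`, the `#ifdef NDPI_PROTOCOL_SSL` sits inside the `if`, so a build without NDPI_PROTOCOL_SSL gets an empty body. The function then carries on into the IMAP command matcher with what is presumably TLS ciphertext as payload. Hoisting the guard so it wraps the whole `if` would make that case explicit. A one-line comment such as `/* hand the flow over to the SSL dissector after STARTTLS */` would explain why SSL is removed from `excluded_protocol_bitmask` here. The function body continues outside the hunk.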
@@ -99,6 +108,8 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct, && (packet->payload[command_start + 1] == 'K' || packet->payload[command_start + 1] == 'k') && packet->payload[command_start + 2] == ' ') { flow->l4.tcp.mail_imap_stage += 1; + if (flow->l4.tcp.mail_imap_starttls == 1) + flow->l4.tcp.mail_imap_starttls = 2; saw_command = 1; } else if ((packet->payload[command_start] == 'U' || packet->payload[command_start] == 'u') && (packet->payload[command_start + 1] == 'I' || packet->payload[command_start + 1] == 'i') @@ -131,8 +142,10 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct, && (packet->payload[command_start + 5] == 'T' || packet->payload[command_start + 5] == 't') && (packet->payload[command_start + 6] == 'L' || packet->payload[command_start + 6] == 'l') && (packet->payload[command_start + 7] == 'S' || packet->payload[command_start + 7] == 's')) { - flow->l4.tcp.mail_imap_stage += 1; - saw_command = 1; + flow->l4.tcp.mail_imap_stage += 1; + flow->l4.tcp.mail_imap_starttls = 1; + flow->detected_protocol_stack[0] = NDPI_PROTOCOL_MAIL_IMAPS; + saw_command = 1; } } if ((command_start + 5) < packet->payload_packet_len) { diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c index e730c06c5..4e2ce1bf1 100644 --- a/src/lib/protocols/ssl.c +++ b/src/lib/protocols/ssl.c @@ -64,7 +64,11 @@ static void ndpi_int_ssl_add_connection(struct ndpi_detection_module_struct *ndp u_int16_t dport = ntohs(packet->tcp->dest); if((sport == 465) || (dport == 465)) protocol = NDPI_PROTOCOL_MAIL_SMTPS; - else if((sport == 993) || (dport == 993)) protocol = NDPI_PROTOCOL_MAIL_IMAPS; + else if((sport == 993) || (dport == 993) +#ifdef NDPI_PROTOCOL_MAIL_IMAP + || (flow->l4.tcp.mail_imap_starttls) +#endif + ) protocol = NDPI_PROTOCOL_MAIL_IMAPS; else if((sport == 995) || (dport == 995)) protocol = NDPI_PROTOCOL_MAIL_POPS; } break; |
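Review bot: In the `OK ` branch, the promotion to `mail_imap_starttls = 2` fires on any line matching `OK ` once the flag is 1. Nothing visible in this hunk ties that line to the server side of the flow or to the tag used on the STARTTLS command. Unless direction is checked elsewhere in the function (its body starts and ends outside the hunk), an `OK ` line from either endpoint ends IMAP inspection of the flow, so the promotion should be conditioned on the packet coming from the responder. The new `if` is also unbraced in a branch that otherwise uses braces; `if (flow->l4.tcp.mail_imap_starttls == 1) { flow->l4.tcp.mail_imap_starttls = 2; }` would match.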
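Review bot: In the STARTTLS branch, `flow->detected_protocol_stack[0] = NDPI_PROTOCOL_MAIL_IMAPS;` labels the flow as IMAPS as soon as the command is seen, before the `OK` reply and before any TLS record. If the server refuses the upgrade and the session continues in cleartext, the flow may keep the IMAPS label unless code outside this hunk overwrites it. That outcome is the wrong way round for anyone using the classification to find unencrypted mail traffic. I would drop this assignment, keep only `flow->l4.tcp.mail_imap_starttls = 1;`, and let the ssl.c change assign IMAPS once a handshake is actually detected.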
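Review bot: The new condition `(flow->l4.tcp.mail_imap_starttls)` in `ndpi_int_ssl_add_connection` is true for state 1 (STARTTLS requested) as well as state 2 (OK seen), whereas the mail_imap.c hunk only hands the flow over at `== 2`. Testing the same state here, `|| (flow->l4.tcp.mail_imap_starttls == 2)`, keeps the two files consistent and avoids mapping to IMAPS on an upgrade that was never acknowledged. The `#ifdef` spliced into the middle of the `else if` condition is also hard to follow; computing the flag into a local before the `if` chain would read better.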