Diffstat (limited to 'src/lib/protocols/mail_imap.c')
-rw-r--r--src/lib/protocols/mail_imap.c65
1 files changed, 32 insertions, 33 deletions
diff --git a/src/lib/protocols/mail_imap.c b/src/lib/protocols/mail_imap.c
index 7646b9e82..b3c087ea2 100644
--- a/src/lib/protocols/mail_imap.c
+++ b/src/lib/protocols/mail_imap.c
@@ -47,7 +47,7 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_DBG(ndpi_struct, "search IMAP_IMAP\n");
#ifdef IMAP_DEBUG
- printf("%s() [%s]\n", __FUNCTION__, packet->payload);
+ printf("%s() [%.*s]\n", __FUNCTION__, packet->payload_packet_len, packet->payload);
#endif
if(flow->l4.tcp.mail_imap_starttls == 2) {
@@ -66,8 +66,7 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct,
flow->l4.tcp.mail_imap_stage += 1;
saw_command = 1;
} else {
-
- if(flow->l4.tcp.mail_imap_stage < 4) {
+ if(flow->l4.tcp.mail_imap_stage < 5) {
// search for the first space character (end of the tag)
while (i < 20 && i < packet->payload_packet_len) {
if(i > 0 && packet->payload[i] == ' ') {
@@ -121,6 +120,13 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct,
&& (packet->payload[command_start + 2] == 'D' || packet->payload[command_start + 2] == 'd')) {
flow->l4.tcp.mail_imap_stage += 1;
saw_command = 1;
+ } else if((packet->payload[command_start] == 'N' || packet->payload[command_start] == 'n')
+ && (packet->payload[command_start + 1] == 'O' || packet->payload[command_start + 1] == 'o')
+ && packet->payload[command_start + 2] == ' ') {
+ flow->l4.tcp.mail_imap_stage += 1;
+ if(flow->l4.tcp.mail_imap_starttls == 1)
+ flow->l4.tcp.mail_imap_starttls = 2;
+ saw_command = 1;
}
}
if((command_start + 10) < packet->payload_packet_len) {
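Review bot: A tagged `NO` response now promotes the STARTTLS state (`if(flow->l4.tcp.mail_imap_starttls == 1) flow->l4.tcp.mail_imap_starttls = 2;`), so a refused STARTTLS appears to be treated the same as an accepted one, assuming state 1 records a pending STARTTLS command. The AUTHENTICATE hunk in this commit uses state 2 to mean "ignore the following messages", and the function tests `mail_imap_starttls == 2` near its top. If that reading is right, a session that continues in clear text after the refusal is no longer inspected, and a later `LOGIN` would not raise `NDPI_CLEAR_TEXT_CREDENTIALS`. I would drop those two lines from the `NO` branch, or add a comment explaining why a refusal should still end inspection. The reads at `command_start + 2` rely on a length guard that opens outside this hunk.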
@@ -159,40 +165,29 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct,
&& (packet->payload[command_start + 2] == 'G' || packet->payload[command_start + 2] == 'g')
&& (packet->payload[command_start + 3] == 'I' || packet->payload[command_start + 3] == 'i')
&& (packet->payload[command_start + 4] == 'N' || packet->payload[command_start + 4] == 'n')) {
- /* xxxx LOGIN "username" "password" */
- char str[256], *item;
- u_int len = packet->payload_packet_len >= sizeof(str) ? sizeof(str)-1 : packet->payload_packet_len;
+ /* xxxx LOGIN "username" "password"
+ xxxx LOGIN username password */
+ char str[256], *user, *saveptr;
+ u_int len = ndpi_min(packet->payload_packet_len - (command_start + 5), (int)sizeof(str) - 1);
- ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
-
- strncpy(str, (const char*)packet->payload, len);
+ strncpy(str, (const char*)packet->payload + command_start + 5, len);
str[len] = '\0';
- item = strchr(str, '"');
- if(item) {
- char *column;
-
- item++;
- column = strchr(item, '"');
+ user = strtok_r(str, " \"\r\n", &saveptr);
+ if(user) {
+ char *pwd;
- if(column) {
- column[0] = '\0';
- snprintf(flow->protos.ftp_imap_pop_smtp.username,
- sizeof(flow->protos.ftp_imap_pop_smtp.username),
- "%s", item);
+ snprintf(flow->protos.ftp_imap_pop_smtp.username,
+ sizeof(flow->protos.ftp_imap_pop_smtp.username),
+ "%s", user);
- column = strchr(&column[1], '"');
- if(column) {
- item = &column[1];
- column = strchr(item, '"');
+ ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
- if(column) {
- column[0] = '\0';
- snprintf(flow->protos.ftp_imap_pop_smtp.password,
- sizeof(flow->protos.ftp_imap_pop_smtp.password),
- "%s", item);
- }
- }
+ pwd = strtok_r(NULL, " \"\r\n", &saveptr);
+ if(pwd) {
+ snprintf(flow->protos.ftp_imap_pop_smtp.password,
+ sizeof(flow->protos.ftp_imap_pop_smtp.password),
+ "%s", pwd);
}
}
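Review bot: Both `strtok_r(..., " \"\r\n", &saveptr)` calls split on spaces and quotes alike, so a quoted argument containing a space is cut: a constructed example such as `LOGIN "john doe" "pass word"` stores `john` as the username and `doe` as the password. The removed quote-matching code kept such strings whole. An IMAP literal (`{n}` with the data on a following line) would have its marker stored as the username. These fields feed flow metadata that analysts may rely on, so I would at least document the limit above the parse: `/* best effort: quoted strings containing spaces and {n} literals are not supported */`. Separately, `len` is only non-negative if the guard opened outside this hunk ensures `payload_packet_len >= command_start + 5`.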
@@ -242,6 +237,10 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct,
&& (packet->payload[command_start + 10] == 'T' || packet->payload[command_start + 10] == 't')
&& (packet->payload[command_start + 11] == 'E' || packet->payload[command_start + 11] == 'e')) {
flow->l4.tcp.mail_imap_stage += 1;
+ /* Authenticate phase may have multiple messages. Ignore them since they are
+ somehow encrypted anyway. */
+ flow->l4.tcp.mail_imap_starttls = 2;
+ flow->detected_protocol_stack[0] = NDPI_PROTOCOL_MAIL_IMAPS;
saw_command = 1;
}
}
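Review bot: The added comment says the AUTHENTICATE messages are "somehow encrypted anyway", but SASL mechanisms such as PLAIN and LOGIN only base64-encode the credentials, so on a clear-text session they remain recoverable. Setting `mail_imap_starttls = 2` and labelling the flow `NDPI_PROTOCOL_MAIL_IMAPS` makes such a flow look TLS-protected to consumers, and this path raises no `NDPI_CLEAR_TEXT_CREDENTIALS` risk. I would reword the comment to `/* AUTHENTICATE spans several messages that are not parsed here; SASL PLAIN/LOGIN are base64 only, not encrypted */` and consider flagging the risk when the mechanism is one of those. The direct write to `flow->detected_protocol_stack[0]` may also bypass the setter used elsewhere in the function, which is outside this hunk, so confirm it is intended.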
@@ -320,7 +319,7 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct,
if((flow->l4.tcp.mail_imap_stage == 3)
|| (flow->l4.tcp.mail_imap_stage == 5)
|| (flow->l4.tcp.mail_imap_stage == 7)
- ) {
+ ) {
if((flow->protos.ftp_imap_pop_smtp.username[0] != '\0')
|| (flow->l4.tcp.mail_imap_stage >= 7)) {
NDPI_LOG_INFO(ndpi_struct, "found MAIL_IMAP\n");
@@ -344,7 +343,7 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct,
// skip over possible authentication hashes etc. that cannot be identified as imap commands or responses
// if the packet count is low enough and at least one command or response was seen before
if((packet->payload_packet_len >= 2 && ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0d0a)
- && flow->packet_counter < 6 && flow->l4.tcp.mail_imap_stage >= 1) {
+ && flow->packet_counter < 8 && flow->l4.tcp.mail_imap_stage >= 1) {
NDPI_LOG_DBG2(ndpi_struct,
"no imap command or response but packet count < 6 and imap stage >= 1 -> skip\n");
return;
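Review bot: The debug message two lines below the changed condition still says `packet count < 6`, while the condition now tests `flow->packet_counter < 8`. Update the string to `"no imap command or response but packet count < 8 and imap stage >= 1 -> skip\n"` so the log matches the check that produced it. The enclosing function continues outside this hunk.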