From 82d07eb351c1a4dc25326148e6fc390f9c065d34 Mon Sep 17 00:00:00 2001
From: Toni Uhlig
Date: Tue, 5 Jul 2022 13:11:41 +0200
Subject: Detect SMTPs w/ STARTTLS as TLS and dissect client/server hello. Fixes #1630.
* FTP needs to get updated as well as it has similiar STARTTLS semantics -> follow-up
Signed-off-by: Toni Uhlig
---
 src/lib/ndpi_main.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'src/lib/ndpi_main.c')
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 481d1fbbc..47385de70 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -8034,7 +8034,9 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp
 switch(proto) {
 case NDPI_PROTOCOL_TLS:
 case NDPI_PROTOCOL_DTLS:
- if(flow->l4.tcp.tls.certificate_processed) return(0);
+ if(flow->l4.tcp.tls.certificate_processed ||
+ (flow->l4.tcp.ftp_imap_pop_smtp.auth_tls == 1 &&
+ flow->l4.tcp.ftp_imap_pop_smtp.auth_done == 1)) return(0);
 if(flow->l4.tcp.tls.num_tls_blocks <= ndpi_str->num_tls_blocks_to_follow) {
 // printf("*** %u/%u\n", flow->l4.tcp.tls.num_tls_blocks, ndpi_str->num_tls_blocks_to_follow);
@@ -8058,8 +8060,8 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp
 case NDPI_PROTOCOL_MAIL_IMAP:
 case NDPI_PROTOCOL_MAIL_SMTP:
 if(flow->l4.tcp.ftp_imap_pop_smtp.password[0] == '\0' &&
- flow->l4.tcp.ftp_imap_pop_smtp.auth_tls == 0 &&
- flow->l4.tcp.ftp_imap_pop_smtp.auth_done == 0)
+ (flow->l4.tcp.ftp_imap_pop_smtp.auth_tls == 1 ||
+ flow->l4.tcp.ftp_imap_pop_smtp.auth_done == 0))
 return(1);
 break;
--
cgit v1.2.3
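Review bot: The added `ftp_imap_pop_smtp.auth_tls`/`auth_done` clause in the first hunk sits under both `case NDPI_PROTOCOL_TLS:` and `case NDPI_PROTOCOL_DTLS:`, so it is also evaluated for DTLS flows, where the `l4.tcp` mail state is presumably not meaningful (if `l4` is a union of TCP and UDP state, which the hunk does not show, these reads alias unrelated fields). The clause also returns 0 without `certificate_processed` being set, so a STARTTLS session appears to end extra dissection before any certificate is seen; that trade-off matters to consumers that rely on certificate metadata and should be stated, e.g. `/* STARTTLS upgrade: stop once the hellos were dissected; the certificate is not followed */`. Consider guarding the new clause with `proto == NDPI_PROTOCOL_TLS &&` so the DTLS label keeps its old behaviour. The switch and the function body continue outside the hunk.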
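Review bot: With `auth_tls == 1 ||` in the second hunk, the branch returns 1 for an upgraded session whenever `password[0]` is still empty, and after STARTTLS a clear-text password is not expected to arrive, so nothing visible here ends extra dissection for a flow that stays classified as a mail protocol. The condition is shared by `case NDPI_PROTOCOL_MAIL_IMAP:` (and any labels above the hunk), while the commit message scopes the TLS handoff to SMTP and defers FTP. If termination relies on the flow being re-labelled as TLS or on a packet cap elsewhere, say so in a comment such as `/* keep going after STARTTLS so the TLS hello can be dissected; ended by the TLS case */`, or limit the `auth_tls == 1` arm to `proto == NDPI_PROTOCOL_MAIL_SMTP` until the other dissectors follow.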