-.TH POST %manext8% "July 8, 2014" "%nmhversion%"
+.TH POST %manext8% "August 14, 2016" "%nmhversion%"
.\"
.\" %nmhwarning%
.\"
Encrypted data is labelled with `(sasl-encrypted)' and `(sasl-decrypted)' when
viewing the SMTP transaction with the
.B \-snoop
-switch. The
+switch.
+Base64-encoded data is wrapped with ` b64<>'.
+(Beware that the SMTP transaction may contain authentication information either
+in plaintext or easily decoded base64.)
+The
.B \-saslmaxssf
switch can be used to select the maximum value of the Security Strength Factor.
This is an integer value and the exact meaning of this value depends on the
`(tls-decrypted)' when viewing the SMTP transction with the
.B \-snoop
switch.
+Base64-encoded data is wrapped with `b64<>'.
+(Beware that the SMTP transaction may contain authentication information either
+in plaintext or easily decoded base64.)
The
.B \-notls
switch will disable all attempts to negotiate TLS.
static FILE *sm_rfp = NULL;
static FILE *sm_wfp = NULL;
+static int next_line_encoded = 0;
+
#ifdef CYRUS_SASL
/*
* Some globals needed by SASL
static int sm_rerror (int);
static void alrmser (int);
static char *EHLOset (char *);
+static char *prepare_for_display (const char *, int *);
static int sm_fwrite(char *, int);
static int sm_fputs(char *);
static int sm_fputc(int);
}
if (sm_debug) {
+ char *decoded_buffer =
+ prepare_for_display (buffer, &next_line_encoded);
+
if (sasl_ssf)
printf("(sasl-encrypted) ");
if (tls_active)
printf("(tls-encrypted) ");
- printf ("=> %s\n", buffer);
+ printf ("=> %s\n", decoded_buffer);
+ free (decoded_buffer);
fflush (stdout);
}
for (more = FALSE; sm_rrecord ((char *) (bp = (unsigned char *) buffer),
&bc) != NOTOK ; ) {
if (sm_debug) {
+ char *decoded_buffer =
+ prepare_for_display (buffer, &next_line_encoded);
+
if (sasl_ssf > 0)
printf("(sasl-decrypted) ");
if (tls_active)
printf("(tls-decrypted) ");
- printf ("<= %s\n", buffer);
+ printf ("<= %s\n", decoded_buffer);
+ free (decoded_buffer);
fflush (stdout);
}
return 0;
}
+
+
+/*
+ * Detects, using heuristics, if an SMTP server or client response string
+ * contains a base64-encoded portion. If it does, decodes it and replaces
+ * any non-printable characters with a hex representation. Caller is
+ * responsible for free'ing return value. If the decode fails, a copy of
+ * the input string is returned.
+ */
+static
+char *
+prepare_for_display (const char *string, int *next_line_encoded) {
+ const char *start = NULL;
+ const char *decoded;
+ size_t decoded_len;
+ int prefix_len = -1;
+
+ if (strncmp (string, "AUTH XOAUTH2 ", 13) == 0) {
+ /* Entire XOAUTH2 line. */
+ prefix_len = 13;
+ *next_line_encoded = 0;
+ } else if (strncmp (string, "AUTH LOGIN ", 11) == 0) {
+ /* AUTH LOGIN followed by login name.
+ For AUTH LOGIN not followed by the name, the response to the 334
+ server request will be handled by the code below. */
+ prefix_len = 11;
+ *next_line_encoded = 0;
+ } else if (strncmp (string, "AUTH PLAIN ", 11) == 0) {
+ /* AUTH PLAIN followed by authorization/authentication string, e.g.,
+ the display output will be:
+ AUTH PLAIN b64<test@example.com[0x00]test@example.com[0x00]my_password>
+ For AUTH PLAIN not followed by the string, the response to the 334
+ will be handled by the code below. */
+ prefix_len = 11;
+ *next_line_encoded = 0;
+ } else if (strncmp (string, "334 ", 4) == 0) {
+ /* 334 is the server's request for user or password. */
+ prefix_len = 4;
+ /* The next (client response) line must be base64 encoded. */
+ *next_line_encoded = 1;
+ } else if (*next_line_encoded) {
+ /* "next" line now refers to this line, which is a base64-encoded
+ client response. */
+ prefix_len = 0;
+ *next_line_encoded = 0;
+ } else {
+ *next_line_encoded = 0;
+ }
+
+ if (prefix_len > -1) {
+ start = string + prefix_len;
+ }
+
+ if (start && decodeBase64 (start, &decoded, &decoded_len, 1, NULL) == OK) {
+ char *hexified;
+ char *prefix = mh_xmalloc(prefix_len + 1);
+ char *display_string;
+
+ /* prefix is the beginning portion, which isn't base64 encoded. */
+ snprintf (prefix, prefix_len + 1, "%*s", prefix_len, string);
+ hexify ((const unsigned char *) decoded, decoded_len, &hexified);
+ /* Wrap the decoded portion in "b64<>". */
+ display_string = concat (prefix, "b64<", hexified, ">", NULL);
+ free (hexified);
+ free (prefix);
+ free ((char *) decoded);
+
+ return display_string;
+ } else {
+ return getcpy (string);
+ }
+}
return OK;
}
+
+
+/*
+ * Prepare an unsigned char array for display by replacing non-printable
+ * ASCII bytes with their hex representation. Assumes ASCII input. output
+ * is allocated by the function and must be freed by the caller.
+ */
+void
+hexify (const unsigned char *input, size_t len, char **output) {
+ /* Start with a charstring capacity that's arbitrarily larger than len. */
+ const charstring_t tmp = charstring_create (2 * len);
+ const unsigned char *cp = input;
+ size_t i;
+
+ for (i = 0; i < len; ++i, ++cp) {
+ if (isprint(*cp)) {
+ charstring_push_back (tmp, (const char) *cp);
+ } else {
+ char s[16];
+ const int num = snprintf(s, sizeof s, "[0x%02x]", *cp);
+
+ if (num <= 0 || (unsigned int) num >= sizeof s) {
+ advise (NULL, "hexify failed to write nonprintable character, needed %d bytes", num + 1);
+ } else {
+ charstring_append_cstring (tmp, s);
+ }
+ }
+ }
+
+ *output = charstring_buffer_copy (tmp);
+ charstring_free (tmp);
+}
projects / nmh / commitdiff