X-Git-Url: https://diplodocus.org/git/nmh/blobdiff_plain/cb7874fcb45549b99e4847affe4a2bd20e20e648..cd6d67151dfb691ea6f5ce3eef3562ab93a8847b:/sbr/netsec.c diff --git a/sbr/netsec.c b/sbr/netsec.c index f66a2124..788b23bf 100644 --- a/sbr/netsec.c +++ b/sbr/netsec.c @@ -108,17 +108,26 @@ static int checkascii(const unsigned char *byte, size_t len); /* * How this code works, in general. * - * _If_ we are using no encryption or SASL encryption, then we buffer the - * network data through ns_inbuffer and ns_outbuffer. That should be - * relatively self-explanatory. + * _If_ we are using no encryption then we buffer the network data + * through ns_inbuffer and ns_outbuffer. That should be relatively + * self-explanatory. * - * If we are using SSL for encryption, then use a buffering BIO for output - * (that's just easier). Still do buffering for reads; when we need more - * data we call the BIO_read() function to fill our local buffer. + * If we use encryption, then ns_inbuffer and ns_outbuffer contain the + * cleartext data. When it comes time to send the encrypted data on the + * (either from a flush or the buffer is full) we either use BIO_write() + * for TLS or sasl_encode() (followed by a write() for Cyrus-SASL. For + * reads we either use BIO_read() (TLS) or do a network read into a + * temporary buffer and use sasl_decode() (Cyrus-SASL). Note that if + * negotiate TLS then we disable SASL encryption. * - * For SASL, we make use of (for now) the Cyrus-SASL library. For some - * mechanisms, we implement those mechanisms directly since the Cyrus SASL - * library doesn't support them (like OAuth). + * We used to use a buffering BIO for the reads/writes for TLS, but it + * ended up being complicated to special-case the buffering for everything + * except TLS, so the buffering is now unified, no matter which encryption + * method is being used (even none). + * + * For SASL authentication, we make use of (for now) the Cyrus-SASL + * library. For some mechanisms, we implement those mechanisms directly + * since the Cyrus SASL library doesn't support them (like OAuth). */ /* @@ -128,8 +137,9 @@ static int checkascii(const unsigned char *byte, size_t len); netsec_context * netsec_init(void) { - netsec_context *nsc = mh_xmalloc(sizeof(*nsc)); + netsec_context *nsc; + NEW(nsc); nsc->ns_readfd = -1; nsc->ns_writefd = -1; nsc->ns_snoop = 0; @@ -992,7 +1002,7 @@ netsec_set_sasl_params(netsec_context *nsc, const char *hostname, return NOTOK; } - nsc->sasl_hostname = getcpy(hostname); + nsc->sasl_hostname = mh_xstrdup(hostname); #else /* CYRUS_SASL */ NMH_UNUSED(hostname); NMH_UNUSED(service); @@ -1007,7 +1017,7 @@ netsec_set_sasl_params(netsec_context *nsc, const char *hostname, if (mechanism) { char *p; - nsc->sasl_mech = getcpy(mechanism); + nsc->sasl_mech = mh_xstrdup(mechanism); for (p = nsc->sasl_mech; *p; p++) if (isascii((unsigned char) *p)) /* Just in case */ @@ -1043,7 +1053,7 @@ int netsec_get_user(void *context, int id, const char **result, */ if (nsc->sasl_creds == NULL) { - nsc->sasl_creds = mh_xmalloc(sizeof(*nsc->sasl_creds)); + NEW(nsc->sasl_creds); nsc->sasl_creds->user = NULL; nsc->sasl_creds->password = NULL; } @@ -1083,7 +1093,7 @@ netsec_get_password(sasl_conn_t *conn, void *context, int id, return SASL_BADPARAM; if (nsc->sasl_creds == NULL) { - nsc->sasl_creds = mh_xmalloc(sizeof(*nsc->sasl_creds)); + NEW(nsc->sasl_creds); nsc->sasl_creds->user = NULL; nsc->sasl_creds->password = NULL; } @@ -1190,7 +1200,7 @@ netsec_negotiate_sasl(netsec_context *nsc, const char *mechlist, char **errstr) return NOTOK; } - nsc->sasl_chosen_mech = getcpy(nsc->sasl_mech); + nsc->sasl_chosen_mech = mh_xstrdup(nsc->sasl_mech); if (mh_oauth_do_xoauth(nsc->ns_userid, nsc->oauth_service, &xoauth_client_res, &xoauth_client_res_len,