Improve SASL snoop output

Generate more information in the netsec layer when -snoop is enabled.
Specifically, enumerate the supported SASL mechanisms by the client and
server and explain which layer is using encryption.

diff --git a/sbr/netsec.c b/sbr/netsec.c
index 5efc4129060b411499a0ec2194f67a5452d6effd..75be76a3f183e6592d361121edb2f605c6e5dfa6 100644 (file)
--- a/sbr/netsec.c
+++ b/sbr/netsec.c
@@ -1191,6 +1191,22 @@ netsec_negotiate_sasl(netsec_context *nsc, const char *mechlist, char **errstr)
     int rc;
 #endif /* CYRUS_SASL || OAUTH_SUPPORT */
 
+    /*
+     * Output some SASL information if snoop is turned on
+     */
+
+    if (nsc->ns_snoop) {
+       fprintf(stderr, "SASL mechanisms supported by server: %s\n", mechlist);
+
+       if (nsc->sasl_mech) {
+               fprintf(stderr, "User has requested SASL mechanism: %s\n",
+                       nsc->sasl_mech);
+       } else {
+               fprintf(stderr, "No SASL mech selected, will pick "
+                       "the best mech supported by SASL library\n");
+       }
+    }
+
     /*
      * If we've been passed a requested mechanism, check our mechanism
      * list from the protocol.  If it's not supported, return an error.
@@ -1229,6 +1245,10 @@ netsec_negotiate_sasl(netsec_context *nsc, const char *mechlist, char **errstr)
         * error message.
         */
 
+       if (nsc->ns_snoop) {
+               fprintf(stderr, "Using internal XOAUTH2 mechanism\n");
+       }
+
        if (! nsc->oauth_service) {
            netsec_err(errstr, "Internal error: OAuth2 service name not given");
            return NOTOK;
@@ -1291,6 +1311,21 @@ netsec_negotiate_sasl(netsec_context *nsc, const char *mechlist, char **errstr)
      * messages.
      */
 
+    if (nsc->ns_snoop) {
+       const char *client_mechlist;
+
+       rc = sasl_listmech(nsc->sasl_conn, NULL, NULL, " ", NULL,
+                          &client_mechlist, NULL, NULL);
+
+       if (rc != SASL_OK) {
+               fprintf(stderr, "Unable to get client mechlist: %s\n",
+                       sasl_errstring(rc, NULL, NULL));
+       } else {
+               fprintf(stderr, "Client supported SASL mechanisms: %s\n",
+                       client_mechlist);
+       }
+    }
+
     ZERO(&secprops);
     secprops.maxbufsize = SASL_MAXRECVBUF;
 
@@ -1304,6 +1339,12 @@ netsec_negotiate_sasl(netsec_context *nsc, const char *mechlist, char **errstr)
 #endif /* TLS_SUPPORT */
                UINT_MAX;
 
+#ifdef TLS_SUPPORT
+    if (nsc->ns_snoop && nsc->tls_active)
+       fprintf(stderr, "SASL security layers disabled due to the use "
+               "of TLS\n");
+#endif /* TLS_SUPPORT */
+
     rc = sasl_setprop(nsc->sasl_conn, SASL_SEC_PROPS, &secprops);
 
     if (rc != SASL_OK) {
@@ -1330,6 +1371,9 @@ netsec_negotiate_sasl(netsec_context *nsc, const char *mechlist, char **errstr)
 
     nsc->sasl_chosen_mech = getcpy(chosen_mech);
 
+    if (nsc->ns_snoop)
+       fprintf(stderr, "Chosen sasl mechanism: %s\n", chosen_mech);
+
     if (nsc->sasl_proto_cb(NETSEC_SASL_START, saslbuf, saslbuflen, NULL, 0,
                           nsc->sasl_proto_context, errstr) != OK)
        return NOTOK;
@@ -1404,6 +1448,10 @@ netsec_negotiate_sasl(netsec_context *nsc, const char *mechlist, char **errstr)
     nsc->sasl_ssf = *ssf;
 
     if (nsc->sasl_ssf > 0) {
+       if (nsc->ns_snoop)
+           fprintf(stderr, "SASL security layer negotiated, SASL will "
+                   "perform encryption\n");
+
        rc = sasl_getprop(nsc->sasl_conn, SASL_MAXOUTBUF,
                          (const void **) &outbufmax);
 
@@ -1456,6 +1504,15 @@ netsec_negotiate_sasl(netsec_context *nsc, const char *mechlist, char **errstr)
        }
 
        nsc->sasl_seclayer = 1;
+    } else if (nsc->ns_snoop) {
+       fprintf(stderr, "SASL Security layer NOT negotiated, SASL will NOT "
+               "perform encryption\n");
+#ifdef TLS_SUPPORT
+       if (nsc->tls_active) {
+           fprintf(stderr, "Encryption will be handled by TLS\n");
+       } else
+#endif /* TLS_SUPPORT */
+           fprintf(stderr, "Connection will NOT be encrypted, use caution\n");
     }
 
     return OK;