Generate more information in the netsec layer when -snoop is enabled.
Specifically, enumerate the SASL mechanisms supported by the client and
the server, and explain which layer is providing encryption.
int rc;
#endif /* CYRUS_SASL || OAUTH_SUPPORT */
int rc;
#endif /* CYRUS_SASL || OAUTH_SUPPORT */
+ /*
+ * Output some SASL information if snoop is turned on
+ */
+
+ if (nsc->ns_snoop) {
+ fprintf(stderr, "SASL mechanisms supported by server: %s\n", mechlist);
+
+ if (nsc->sasl_mech) {
+ fprintf(stderr, "User has requested SASL mechanism: %s\n",
+ nsc->sasl_mech);
+ } else {
+ fprintf(stderr, "No SASL mech selected, will pick "
+ "the best mech supported by SASL library\n");
+ }
+ }
+
/*
* If we've been passed a requested mechanism, check our mechanism
* list from the protocol. If it's not supported, return an error.
/*
* If we've been passed a requested mechanism, check our mechanism
* list from the protocol. If it's not supported, return an error.
+ if (nsc->ns_snoop) {
+ fprintf(stderr, "Using internal XOAUTH2 mechanism\n");
+ }
+
if (! nsc->oauth_service) {
netsec_err(errstr, "Internal error: OAuth2 service name not given");
return NOTOK;
if (! nsc->oauth_service) {
netsec_err(errstr, "Internal error: OAuth2 service name not given");
return NOTOK;
+ if (nsc->ns_snoop) {
+ const char *client_mechlist;
+
+ rc = sasl_listmech(nsc->sasl_conn, NULL, NULL, " ", NULL,
+ &client_mechlist, NULL, NULL);
+
+ if (rc != SASL_OK) {
+ fprintf(stderr, "Unable to get client mechlist: %s\n",
+ sasl_errstring(rc, NULL, NULL));
+ } else {
+ fprintf(stderr, "Client supported SASL mechanisms: %s\n",
+ client_mechlist);
+ }
+ }
+
ZERO(&secprops);
secprops.maxbufsize = SASL_MAXRECVBUF;
ZERO(&secprops);
secprops.maxbufsize = SASL_MAXRECVBUF;
#endif /* TLS_SUPPORT */
UINT_MAX;
#endif /* TLS_SUPPORT */
UINT_MAX;
+#ifdef TLS_SUPPORT
+ if (nsc->ns_snoop && nsc->tls_active)
+ fprintf(stderr, "SASL security layers disabled due to the use "
+ "of TLS\n");
+#endif /* TLS_SUPPORT */
+
rc = sasl_setprop(nsc->sasl_conn, SASL_SEC_PROPS, &secprops);
if (rc != SASL_OK) {
rc = sasl_setprop(nsc->sasl_conn, SASL_SEC_PROPS, &secprops);
if (rc != SASL_OK) {
nsc->sasl_chosen_mech = getcpy(chosen_mech);
nsc->sasl_chosen_mech = getcpy(chosen_mech);
+ if (nsc->ns_snoop)
+ fprintf(stderr, "Chosen sasl mechanism: %s\n", chosen_mech);
+
if (nsc->sasl_proto_cb(NETSEC_SASL_START, saslbuf, saslbuflen, NULL, 0,
nsc->sasl_proto_context, errstr) != OK)
return NOTOK;
if (nsc->sasl_proto_cb(NETSEC_SASL_START, saslbuf, saslbuflen, NULL, 0,
nsc->sasl_proto_context, errstr) != OK)
return NOTOK;
nsc->sasl_ssf = *ssf;
if (nsc->sasl_ssf > 0) {
nsc->sasl_ssf = *ssf;
if (nsc->sasl_ssf > 0) {
+ if (nsc->ns_snoop)
+ fprintf(stderr, "SASL security layer negotiated, SASL will "
+ "perform encryption\n");
+
rc = sasl_getprop(nsc->sasl_conn, SASL_MAXOUTBUF,
(const void **) &outbufmax);
rc = sasl_getprop(nsc->sasl_conn, SASL_MAXOUTBUF,
(const void **) &outbufmax);
}
nsc->sasl_seclayer = 1;
}
nsc->sasl_seclayer = 1;
+ } else if (nsc->ns_snoop) {
+ fprintf(stderr, "SASL Security layer NOT negotiated, SASL will NOT "
+ "perform encryption\n");
+#ifdef TLS_SUPPORT
+ if (nsc->tls_active) {
+ fprintf(stderr, "Encryption will be handled by TLS\n");
+ } else
+#endif /* TLS_SUPPORT */
+ fprintf(stderr, "Connection will NOT be encrypted, use caution\n");