SXOVER: Should XoverSASL use KIP Service or KIP Core?
The xsasl-client to xsasl-server connection started failing with the introduction of more SASL than mere ANONYMOUS. This may be due to a bad structure that was not detected with ANONYMOUS alone. The problem probably only arises inside of SXOVER, because other mechanisms fall back on the same behaviour as qsasl-client and qsasl-server.
The end points call xsasl_step_client() and xsasl_step_server(), which in turn use KIP Service for kipservice_tomap() and kipservice_frommap() operations.
Although KIP Service is indeed a way to bootstrap a key, this is not what SXOVER is about. Getting a shared key is only the start of the process; it is assumed to already exist. In other words, it should not be part of the xsasl_step_xxx() procedures. (The failure, by the way, occurs due to the authentication for KIP Service; since it is a separate QuickSASL procedure it lacks identity/credential information for the client.)
The SXOVER mechanism was designed with key mapping in mind as in KIP Core, not KIP Service. Including elements from KIP Service is surely possible, but it is another approach.
First design the desired solution, then implement it.