Segfaults with SASL

Julien ÉLIE julien at trigofacile.com
Sun Sep 21 16:17:09 UTC 2008


> Very weird behaviour by the way of the SASL implementation.

It appears that sasl_decode64() returns SASL_CONTINUE instead of SASL_BADPROT
when there is a base64-encoding error!  At least with my SASL libraries...
Well, I shall fix it with:

-           r = sasl_decode64(clientin, strlen(clientin),
-                             base64, BASE64_BUF_SIZE, &clientinlen);
-           clientin = base64;
+           /* Decode the response.  On error, SASL_CONTINUE should not be
+             * given.  Use SASL_BADPROT instead, in order to indicate
+             * a base64-encoding error. */
+            r1 = sasl_decode64(clientin, strlen(clientin),
+                               base64, BASE64_BUF_SIZE, &clientinlen);
+            clientin = base64;
+            r = (r1 == SASL_CONTINUE ? SASL_BADPROT : r1);
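Review bot: clientin = base64 is assigned before r1 is examined, so when sasl_decode64() fails, clientin points at a buffer whose contents and length (clientinlen) may not have been set by the decoder. Assign clientin only when r1 == SASL_OK, and check that whatever follows this hunk does not hand clientin/clientinlen to the SASL step function when r is SASL_BADPROT. Style point: the continuation lines of the new comment are indented one column further than its opening line, which leaves the asterisks misaligned.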


Another thing is that "=" is not converted to an empty string "" when a client
answers.  It was only done for the initial response.
Now also fixed.

And nnrpd now also calls sasl_done() when the client exits in order to properly
close the SASL connection object.


With the new behaviour of sasl_decode64(), the result is far better.
No segfault at all now :)
But I still reckon there is a problem in SASL libraries which do not
deal well with the input of sasl_* functions...


The only weird thing I have now, and I do not understand what is going on,
is the following sequence:

AUTHINFO SASL DIGEST-MD5
383 bm9uY2[...]U9IkxJT=
*
481 Client cancelled authentication
MODE
501 Syntax is:  MODE READER
AUTHINFO SASL DIGEST-MD5
481 authentication failure
AUTHINFO SASL DIGEST-MD5
383 bm9uY2[...]U9IkxJT=

I cannot send AUTHINFO SASL twice in a row...
The MODE command is there only to show that we are not inside the SASL function.


Any idea about that remaining issue with SASL?

The last thing I see is that the SASL server needs to be renewed.  That is
to say if the authentication fails, we have to dispose of the connection
and start a fresh new SASL server, waiting for a connection.
(But I do not see why the second attempt, if the connection is not disposed of,
will work in our case.)
Do you think it is the right use of SASL?

-- 
Julien ÉLIE

« Et nunc reges, intelligite, erudimini, qui iudicatis terram. »
  (Livre des Psaumes cité par Bossuet)
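
The client-line handling discussed in this message ("*" cancels, "=" is an empty response, a base64 error must surface as a protocol error and never as a continue), as an added example that is not part of the original message or of INN's code. The function name, the RESP_* codes and the inline decoder are hypothetical and stand in for sasl_decode64().

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical result codes for this example (not the libsasl2 constants). */
enum resp { RESP_OK, RESP_CANCEL, RESP_BADPROT };

/* Value of one base64 character, or -1 if it is outside the alphabet. */
static int b64val(char c)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = (c != '\0') ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* Classify and decode one client line of an AUTHINFO SASL exchange.
 * "*" cancels, "=" is an empty response, anything else must be well-formed
 * padded base64.  out/outlen are only meaningful when RESP_OK is returned. */
enum resp parse_client_response(const char *line, unsigned char *out,
                                size_t outmax, size_t *outlen)
{
    size_t len = strlen(line), i, n = 0, pad = 0;
    *outlen = 0;
    if (strcmp(line, "*") == 0)
        return RESP_CANCEL;
    if (strcmp(line, "=") == 0)
        return RESP_OK;                 /* empty string, nothing to decode */
    if (len == 0 || len % 4 != 0)
        return RESP_BADPROT;
    if (line[len - 1] == '=')
        pad = (line[len - 2] == '=') ? 2 : 1;
    if (len / 4 * 3 - pad > outmax)
        return RESP_BADPROT;            /* would overflow the caller's buffer */
    for (i = 0; i < len; i += 4) {
        unsigned long v = 0;
        int k, last = (i + 4 == len);
        for (k = 0; k < 4; k++) {
            int d = (last && k >= 4 - (int)pad) ? 0 : b64val(line[i + k]);
            if (d < 0)
                return RESP_BADPROT;    /* bad character or misplaced '=' */
            v = (v << 6) | (unsigned long)d;
        }
        out[n++] = (unsigned char)(v >> 16);
        if (!last || pad < 2) out[n++] = (unsigned char)(v >> 8);
        if (!last || pad < 1) out[n++] = (unsigned char)v;
    }
    *outlen = n;
    return RESP_OK;
}
```

Every failure path returns RESP_BADPROT with *outlen left at 0, so a caller cannot mistake a malformed line for a request to continue the exchange.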



More information about the inn-workers mailing list