Package: libsasl2-modules-otp
Version: 2.1.22.dfsg1-13
Severity: normal
Hi,
I was just playing a little bit with the sasl-sample-server and
sasl-sample-client programs that come with the
debian packages for sasl2. Running both programs in separate xterm
windows and 'sending' their messages vice versa with mouse cut and paste
works as expected, e.g. for DIGEST-MD5. The sasl-sample-client then asks
for a password.
But when I choose OTP (which is offered by the server), then the client
aborts, and I currently don't see why:
% sasl-sample-client -m OTP
Waiting for mechanism list from server...
S: QU5PTllNT1VTIE9UUCBDUkFNLU1ENSBESUdFU1QtTUQ1IExPR0lOIFBMQUlOIE5UTE0=
recieved 50 byte message
Forcing use of mechanism OTP
Choosing best mechanism from: OTP
Using mechanism OTP
Preparing initial.
Sending initial response...
C: T1RQAGhhZG11dABoYWRtdXQ=
Waiting for server reply...
S: b3RwLW1kNSA0OTggYW42OTQzIGV4dA==
recieved 22 byte message
sasl-sample-client: Performing SASL negotiation: invalid parameter supplied
You should be able to run just this example with the client side.
So the message
S: b3RwLW1kNSA0OTggYW42OTQzIGV4dA==
causes a problem. Decoding it looks like this:
% decode64 b3RwLW1kNSA0OTggYW42OTQzIGV4dA== |xxd
0000000: 6f74 702d 6d64 3520 3439 3820 616e 3639  otp-md5 498 an69
0000010: 3433 2065 7874                           43 ext
which is
otp-md5 498 an6943 ext
498 and the seed an6943 are correct. But what's wrong with this string
and why does the client abort?
regards
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.21-2-k7 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libsasl2-modules-otp depends on:
ii libc6 2.6-2 GNU C Library: Shared libraries
ii libsasl2-modules 2.1.22.dfsg1-13 Pluggable Authentication Modules f
ii libssl0.9.8 0.9.8e-5 SSL shared libraries
libsasl2-modules-otp recommends no packages.
-- no debconf information
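The exchange quoted in the report, decoded and checked against the OTP mechanism grammar, as an added example that is not part of the report or of the cyrus-sasl sample programs. It decodes the three base64 lines above, parses the challenge per RFC 2444 section 4 ("otp-<algorithm> <sequence> <seed> ext[,...]"), refuses malformed challenges and sequence numbers that do not decrease, and computes the "hex:" form of the client response (RFC 2243) with the RFC 2289 otp-md5 computation. The passphrase and the last-used sequence number are constructed values; the framing of the client's first message (mechanism name, NUL, the mechanism's own initial response) is simply what the decoded bytes show.

```python
"""Decode the SASL OTP exchange from the bug report and compute the kind of
client response the mechanism expects. Added example, not part of the report
or of cyrus-sasl; the passphrase used at the bottom is constructed."""
import base64
import hashlib
import re

# Base64 lines copied from the transcript above ("S:" = server, "C:" = client).
SERVER_MECH_LIST_B64 = "QU5PTllNT1VTIE9UUCBDUkFNLU1ENSBESUdFU1QtTUQ1IExPR0lOIFBMQUlOIE5UTE0="
CLIENT_INITIAL_B64 = "T1RQAGhhZG11dABoYWRtdXQ="
SERVER_CHALLENGE_B64 = "b3RwLW1kNSA0OTggYW42OTQzIGV4dA=="

# RFC 2444 section 4: "otp-" algorithm SP sequence SP seed SP "ext" [ "," ext-set-id ]...
# RFC 2289: the seed is 1..16 alphanumerics and case-insensitive.
CHALLENGE_RE = re.compile(
    r"^otp-(?P<alg>md4|md5|sha1) (?P<seq>\d+) (?P<seed>[A-Za-z0-9]{1,16})"
    r" ext(?P<ext>(?:,[A-Za-z0-9-]+)*)$"
)


def b64_line(b64: str) -> bytes:
    """Strict base64 decode of one line as the sample programs exchange it."""
    return base64.b64decode(b64, validate=True)


def decode_mechanism_list(b64: str) -> list:
    """Server's first message: space-separated SASL mechanism names."""
    return b64_line(b64).decode("ascii").split(" ")


def decode_client_initial(b64: str) -> tuple:
    """The decoded client message is <mechanism> NUL <initial response>; for OTP
    the initial response is authorization-id NUL authentication-id (RFC 2444 s.3)."""
    mech, authzid, authid = b64_line(b64).split(b"\0")
    return mech.decode("ascii"), authzid.decode("utf-8"), authid.decode("utf-8")


def parse_challenge(b64: str) -> dict:
    """Parse and validate the server challenge; anything off-grammar is rejected
    before it reaches the OTP computation or a user prompt."""
    text = b64_line(b64).decode("ascii")
    m = CHALLENGE_RE.match(text)
    if m is None:
        raise ValueError("malformed OTP challenge: %r" % text)
    ext = [e for e in m.group("ext").split(",") if e]
    return {"alg": m.group("alg"), "seq": int(m.group("seq")),
            "seed": m.group("seed").lower(), "ext": ext}


def challenge_is_acceptable(challenge: dict, last_seq_used) -> bool:
    """OTP sequence numbers must strictly decrease between logins (RFC 2289).
    A challenge at or above the last one answered would let a captured
    response be reused, so a client that keeps state should refuse it."""
    return last_seq_used is None or challenge["seq"] < last_seq_used


def fold_md5(digest: bytes) -> bytes:
    """RFC 2289 folding for MD5: XOR the two 64-bit halves of the digest."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def otp_step(x: bytes) -> bytes:
    """One RFC 2289 computation step: hash the 64-bit value and fold it again."""
    return fold_md5(hashlib.md5(x).digest())


def otp_md5(seed: str, passphrase: str, sequence: int) -> bytes:
    """RFC 2289 otp-md5: fold(md5(seed || passphrase)), then `sequence` more
    hash-and-fold steps. The seed is lowercased before hashing as the RFC requires."""
    x = fold_md5(hashlib.md5((seed.lower() + passphrase).encode("utf-8")).digest())
    for _ in range(sequence):
        x = otp_step(x)
    return x


def build_response(challenge: dict, passphrase: str) -> str:
    """Client response in the RFC 2243 "hex:" form that RFC 2444 accepts.
    Only otp-md5 is implemented in this example."""
    if challenge["alg"] != "md5":
        raise NotImplementedError("only otp-md5 is implemented here")
    return "hex:" + otp_md5(challenge["seed"], passphrase, challenge["seq"]).hex()


if __name__ == "__main__":
    print("mechanisms offered:", decode_mechanism_list(SERVER_MECH_LIST_B64))
    print("client initial:", decode_client_initial(CLIENT_INITIAL_B64))
    ch = parse_challenge(SERVER_CHALLENGE_B64)
    print("challenge:", ch)
    # 499 is a constructed "previous" sequence number, not from the report.
    print("sequence decreasing:", challenge_is_acceptable(ch, 499))
    # Constructed passphrase; the reporter's OTP secret is not known here.
    print("response:", build_response(ch, "example passphrase"))
```

Parsing succeeds on the quoted challenge, so the bytes themselves are well-formed OTP. A real client still has to present the challenge to the user or an OTP calculator before it can answer, and that prompting step is where a client without the right callbacks fails rather than in the challenge itself.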
tags 433305 confirmed
thanks
Ok, I have now confirmed that this indeed happens.
Furthermore, the failure originates from lib/client.c line 639. Strange.
That line returns SASL_BADPARAM if the conn parameter evaluates to false
-- meaning that the sasl_conn_t pointer conn doesn't point to a valid
memory address. But some brief testing indicates that the conn pointer
is valid when sasl-sample-client calls sasl_client_step()...
For some reason, my gdb is broken and it can't handle
sasl-sample-client, so further debugging will have to wait until I can
get gdb to work or think of something else to try.
In the meantime, anyone can of course work on this. I wrote some bits on
http://wiki.debian.org/PkgCyrusSASL to describe how to set up OTP with
OPIE, which is what I tested with.
Cheers,
--
Fabian Fagerholm <[email protected]>
After some more digging, it seems that the cause of this has to do with
prompting the user for the response to the server challenge, and the
error is not where I said it was in the last bug log entry.
It seems that sasl-sample-client is not written to support this kind of
prompting at all. I haven't looked too deeply, but that seems to be the
case.
--
Fabian Fagerholm <[email protected]>
Acknowledgement sent to Bastian Germann <[email protected]>: Extra info received and forwarded to list. Copy sent to Debian Cyrus Team <[email protected]>. (Mon, 18 Apr 2022 18:33:03 GMT)
Control: severity -1 wishlist
Control: tags -1 wontfix
On Sun, 13 Apr 2008 12:33:04 +0300 Fabian Fagerholm <[email protected]> wrote:
> It seems that sasl-sample-client is not written to support this kind of
> prompting at all. I haven't looked too deeply, but that seems to be the
> case.
Right. These are just simple test programs to get an idea on how to implement each side of the protocol.