Possible bug when restarting authentication on the client-side

Vlad Georgescu vgeorgescu at gmail.com
Sat Jun 10 09:10:33 EDT 2006


I am currently working on implementing support for Cyrus SASL v2 in Subversion.

Because Subversion caches client credentials on disk, it is necessary
to support restarting the authentication exchange (if authentication
fails with the stored credentials, prompt the user and try again).

This is what I found in sasl.h:

 * Basic client model:
 *  1. client calls sasl_client_init() at startup to load plug-ins
 *  2. when connection formed, call sasl_client_new()
 *  3. once list of supported mechanisms received from server, client
 *     calls sasl_client_start().  goto 4a
 *  4. client calls sasl_client_step()
 * [4a. If SASL_INTERACT, fill in prompts and goto 4
 *      -- doesn't happen if callbacks provided]
 *  4b. If SASL error, goto 7 or 3
 *  4c. If SASL_OK, continue or goto 6 if last server response was success
 *  5. send message to server, wait for response
 *  5a. On data or success with server response, goto 4
 *  5b. On failure goto 7 or 3
 *  5c. On success with no server response continue
 *  6. continue with application protocol until connection closes
 *     call sasl_getprop/sasl_encode/sasl_decode() if using security layer
 *  7. call sasl_dispose(), may return to step 2
 *  8. call sasl_done() when program terminates

I'm at step 5b (authentication failure) and want to go to step 3
(start a new authentication exchange). The call to sasl_client_start()
is successful, but the first call to sasl_client_step() returns
SASL_FAIL. The log message says "attempting client step after
doneflag". It would appear that sasl_client_start() doesn't initialise

I came up with the following simple patch seems to fix this issue:

--- cyrus-sasl-2.1.22/lib/client.c	2006-05-17 19:46:13.000000000 +0300
+++ cyrus-sasl-mine/lib/client.c	2006-06-10 14:31:31.000000000 +0300
@@ -428,6 +428,8 @@
     sasl_ssf_t bestssf = 0, minssf = 0;
     int result;

+    memset(&conn->oparams, 0, sizeof(sasl_out_params_t));
     if(_sasl_client_active==0) return SASL_NOTINIT;

     if (!conn) return SASL_BADPARAM;

Is this indeed a bug in SASL? Or am I doing something wrong?


More information about the Cyrus-sasl mailing list