cyrus-sasl-2.1.22: Problems with sasl_decode64

Ken Murchison murch at andrew.cmu.edu
Fri Sep 8 09:57:07 EDT 2006


Sebastian Kemper wrote:
> Hello list,
> 
> I'm a mutt user and I use cyrus-sasl with mutt for SASL auth. It was
> working fine until I upgraded to cyrus-sasl-2.1.22 (from 2.1.21). Now I
> get "SASL authentication failed!" all the time.
> 
> I ran mutt in debug mode and this is what I got out of it:
> 
> ---------- cyrus-sasl-2.1.21 ----------
> Mutt 1.5.11 started at Thu Sep  7 19:39:13 2006
> .
> Debugging at level 2.
> 
> < +OK GMX POP3 StreamProxy ready
> <_random_numbers_._random_numbers_ at mp_random_numbers_>
> 
>>CAPA^M
> 
> < -ERR Unknown command.
> 
>>AUTH^M
> 
> < +OK List of supported authentication methods follows
> pop_authenticate: Trying method cram-md5
> local ip: xxx.xxx.xxx.xxx;4632, remote ip:yyy.yyy.yyy.yyy;995
> External SSF: 256
> External authentication name: _random_numbers_
> 
>>AUTH CRAM-MD5^M
> 
> < + _random_characters_+
> mutt_sasl_cb_authname: getting authname for pop.gmx.net:995
> mutt_sasl_cb_pass: getting password for _random_numbers_ at pop.gmx.net:995
> 
>>_random_characters_=^M
> 
> < +OK mailbox has 0 messages (0 octets)
> 
>>STAT^M
> 
> < +OK 0 0
> 
>>STAT^M
> 
> < +OK 0 0
> 
>>QUIT^M
> 
> < +OK bye
> 
> -----------------------------------------------------------------------
> 
> ---------- cyrus-sasl-2.1.22 ----------
> Mutt 1.5.11 started at Thu Sep  7 18:41:43 2006
> .
> Debugging at level 2.
> 
> < +OK GMX POP3 StreamProxy ready
> <_random_numbers_._random_numbers_ at mp_random_numbers_>
> 
>>CAPA^M
> 
> < -ERR Unknown command.
> 
>>AUTH^M
> 
> < +OK List of supported authentication methods follows
> pop_authenticate: Trying method cram-md5
> local ip: xxx.xxx.xxx.xxx;3405, remote ip:yyy.yyy.yyy.yyy;995
> External SSF: 256
> External authentication name: _random_numbers_
> 
>>AUTH CRAM-MD5^M
> 
> < + _random_characters_+
> pop_auth_sasl: error base64-decoding server response.
> 
>>*^M
> 
> < -ERR Authentication failed.
> SASL Authentifizierung fehlgeschlagen.
> 
> -----------------------------------------------------------------------
> 
> I grepped the mutt source for "error base64-decoding server response"
> and found this reference in pop_auth.c:
> 
> -----------------------------------------------------------------------
> 
> if (!mutt_strncmp (inbuf, "+ ", 2)
>   && sasl_decode64 (inbuf, strlen (inbuf), buf, LONG_STRING-1,&len) != SASL_OK)
> {
>   dprint (1, (debugfile, "pop_auth_sasl: error base64-decoding server response.\n"));
>   goto bail;
> }
> 
> -----------------------------------------------------------------------
> 
> I checked the NEWS file of cyrus-sasl-2.1.22 and it mentions "Various
> sasl_decode64() fixes" since 2.1.21. I looked at the source in
> lib/saslutil.c and I could see a lot of changes but I couldn't really make
> sense of it.
> 
> Can you guys see what's wrong?

The changes to sasl_decode64() were mainly to decode partial blocks of 
Base64 data, but as a side-effect, it now ONLY accepts Base64 data and 
NOT any protocol bits such as the leading "+ " or the trailing "\r\n".

So, an application needs to remove these protocol bits before passing 
the data to sasl_decode64().  A quick and dirty fix for Mutt would be 
the following:

if (!mutt_strncmp (inbuf, "+ ", 2)
   && sasl_decode64 (inbuf+2, strlen (inbuf)-4, buf, LONG_STRING-1,&len) != SASL_OK)


However, it would be safer to check for the "\r\n" before trimming it.

-- 
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University
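
The safer variant mentioned in the reply, checking for the "\r\n" before trimming it, could look like the following. This is an added example, not part of the original message and not Mutt or Cyrus SASL code; the helper name pop_sasl_payload and the sample lines are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from Mutt or Cyrus SASL): locate the Base64
 * payload inside a POP3 SASL continuation line of the form "+ <b64>\r\n".
 * Returns 0 and sets *start and *len on success, -1 if the line is not a
 * continuation response. */
static int pop_sasl_payload(const char *line, const char **start, size_t *len)
{
    size_t n;

    if (line == NULL || strncmp(line, "+ ", 2) != 0)
        return -1;

    line += 2;                 /* skip the "+ " protocol prefix */
    n = strlen(line);

    /* Trim the terminator only if it is really there. A blind
     * strlen(inbuf)-4 wraps around (unsigned) when the line is shorter
     * than four bytes, and cuts off payload when the reader has already
     * stripped the CRLF. */
    if (n > 0 && line[n - 1] == '\n')
        n--;
    if (n > 0 && line[n - 1] == '\r')
        n--;

    *start = line;
    *len = n;
    return 0;
}

int main(void)
{
    /* Constructed sample lines; the Base64 text is made up. */
    const char *samples[] = { "+ PDEyMzQ1QGV4YW1wbGU+\r\n",
                              "+ PDEyMzQ1QGV4YW1wbGU+", "+ \r\n",
                              "-ERR Authentication failed.\r\n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *p;
        size_t n;
        if (pop_sasl_payload(samples[i], &p, &n) == 0)
            /* Here the caller would pass exactly this span on:
             * sasl_decode64(p, (unsigned) n, buf, LONG_STRING-1, &len) */
            printf("payload (%zu bytes): %.*s\n", n, (int) n, p);
        else
            printf("not a continuation line\n");
    }
    return 0;
}
```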
