Multiple-Mechanism Sample Code?

Dave Cridland dave at cridland.net
Wed Jan 3 18:03:27 EST 2007 

On Wed Jan  3 02:09:31 2007, Henry B. Hotz wrote:
> The SASL API is already pretty complex for what it does IMO.  (Why  
> isn't there a call that does both sasl_client_init() and  
> sasl_client_new()?  Why does every app need 10++ lines in front of  
> sasl_{client,server}_new() to do two getnameinfo()'s and two  
> snprintf's, instead of just handing over the sockaddr's?  Why. . . 
> ?   Obviously, I'm still getting familiar with things.)
> 
> 
I can answer some of that. sasl_client_init() does one-time 
initialization, whereas sasl_client_new() does per-connection 
initialization.


> Unless you can tell me that there is a properly-documented API for 
> an  ACAP library that's deployed on as many platforms (including 
> Java) as  SASL already is, *AND* that it's no harder to 
> write/modify an  application to use ACAP than it is to use SASL, 
> then I'm not  interested.  Sorry.  You're welcome to try to 
> convince me, but it  sounds off-topic for this list.
> 
> 
ACAP is merely an example of a protocol that got the SASL profile 
right, not a replacement for SASL. It does the full range of 
signalling required, so you know what to do on failure, and it also 
handles both initial responses and data on success, to drop the 
round-trip count.


> In my current experiments Cyrus SASL doesn't appear to work when 
> you  call sasl_client_start() with the second mechanism to try.  
> There are  a lot of variables here, and a better-than-even chance 
> the problem is  in my code, not the library.  Once I have something 
> properly working  I'll revisit this issue.  I gather you're 
> claiming that ACAP solves  this (and other) problems.  See above.
> 
> 
No, sasl_client_new() is once per connection. sasl_client_start() is 
once per authentication attempt. <sasl/sasl.h> has some useful 
documentation, look for "Basic client model".

> On Dec 19, 2006, at 1:23 AM, Dave Cridland wrote:
> 
>> On Mon Dec 18 22:12:03 2006, Alexey Melnikov wrote:
>>> Henry B. Hotz wrote:
>>>> The published sample code seems to only try the first mechanism  
>>>> and  then quit.  I'm told the "correct" way to do SASL is to try 
>>>>  all the  mechanisms (or at least all the ones supported) and  
>>>> don't quit until  you've tried them all.  Is there any example  
>>>> code that illustrates this?
>>> (I wanted to point you to Cyrus imtest, but it doesn't do that).
>>> In general, I think a well written SASL client should behave as  
>>> follows:
>>> It should sort SASL mechanisms that both client and server 
>>> support  by their "strength" or features recognized by the 
>>> client. For SASL  mechanisms with equal strength the order used 
>>> by the server can be  used.
>>> The client starts iterating through the ordered list, starting  
>>> from the strongest mechanism. It tries the mechanism. If  
>>> authentication succeeds - success. If not, the client may retry  
>>> the mechanism (e.g. if the server returned an indication that the 
>>>  password is incorrect) several times, say 3 times. After that 
>>> the  client should move on to the next strongest SASL mechanism 
>>> and so on.
>>> There are of course some complications. Some SASL mechanisms that 
>>>  can potentially be stronger can end up being weaker, because of  
>>> the options that the server supports.
>> There are more complications than that - some protocols give you a 
>>  fairly wide set of protocol-level data about why a SASL exchange  
>> failed, others don't. For example, IMAP will give you a pretty  
>> simple "NO" for any failure at all, whereas ACAP will tell you  
>> rather more, such as AUTH-TOO-WEAK, ENCRYPT-NEEDED, TRANSITION- 
>> NEEDED, etc, which can be used by the client to figure out what 
>> the  next action should be.
> 
> Working examples?  I'm modifying the PostgreSQL protocol as needed. 
>   Adding SASL data to existing messages is easy.  Adding an  
> AuthenticationContinue message isn't very hard either because they  
> have a protocol manual that's quite nice.
> 
> 
Right, so for the protocol, look at how ACAP does it.

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade

More information about the Cyrus-sasl mailing list