Question about sasl_client_start() and SASL_OK

Alexey Melnikov alexey.melnikov at isode.com
Fri Nov 15 13:21:48 EST 2013


On 04/11/2013 09:01, Christophe Fergeau wrote:
> Hey,

Hi,

> I'm currently working on an application making use of cyrus-sasl for
> authentication (spice-gtk[1] for the client side, and spice-server[2] for the
> server side).
> Code is working nicely when using digest-md5, but we got a report about
> auth failing with plain [3]. The proposed patch checks for
> sasl_client_start() returning SASL_OK (which happens with plain), and
> handles this similarly to what we do when sasl_client_step() returns
> SASL_OK.
> Doing this makes sense to me, but the documentation about this is not very
> clear, so I prefer to ask on the mailing list first if this is indeed what
> should be done.
>
> If I look at sasl_client_start() man page, it says:
> "RETURN VALUE
>         sasl_client_start returns an integer which corresponds to one of the following
>         codes.  SASL_CONTINUE indicates success and that there are more steps needed in
>         the authentication. All other return codes indicate errors and should either be
>         handled or the authentication session should be quit."
> If I follow this strictly, then SASL_OK should be considered an error,
> which is probably not what is intended (?).
>
> sasl/sasl.h says:
>   * Basic client model:
>   *  1. client calls sasl_client_init() at startup to load plug-ins
>   *  2. when connection formed, call sasl_client_new()
>   *  3. once list of supported mechanisms received from server, client
>   *     calls sasl_client_start().  goto 4a
>   *  4. client calls sasl_client_step()
>   * [4a. If SASL_INTERACT, fill in prompts and goto 4
>   *      -- doesn't happen if callbacks provided]
>   *  4b. If SASL error, goto 7 or 3
>   *  4c. If SASL_OK, continue or goto 6 if last server response was success
>
> i.e. SASL_OK would be a valid return value from sasl_client_start() (by going 1,
> 2, 3, 4a, 4c)
>
> Then, if I look at the documentation [5] it does:
> do {
>        result=sasl_client_start(conn,
>                                 mechlist,
>                                 &client_interact,
>                                 &out,
>                                 &outlen,
>                                 &mechusing);
>
>        if (result==SASL_INTERACT)
>        {
>           [deal with the interactions. See interactions section below]
>        }
> } while (result==SASL_INTERACT); /* the mechanism may ask us to fill
>                                      in things many times. result is
>                                      SASL_CONTINUE on success */
> if (result!=SASL_CONTINUE) [failure]
>
> so SASL_OK would be treated as a failure here.
>
>
> Finally, looking at the sample-client.c code from cyrus-sasl [6]:
>
> result = sasl_client_start(...)
> if (result != SASL_OK && result != SASL_CONTINUE) {
>        printf("error was %s\n", sasl_errdetail(conn));
>        saslfail(result, "Starting SASL negotiation", NULL);
> }
>
> so SASL_OK is not an error there.

Correct.

> I assume I should be handling sasl_client_start() returning SASL_OK and that
> this should not be an error, but a confirmation about that would be very nice!
> It would be even better if the documentation could get fixed ;) I can
> submit a patch if needed once this is clarified.

Please do :-).

> Thanks in advance for any answer!
>
> Christophe
>
>
> [1] http://cgit.freedesktop.org/spice/spice-gtk/tree/gtk/spice-channel.c#n1277
> [2] http://cgit.freedesktop.org/spice/spice/tree/server/reds.c#n2142
> [3] http://lists.freedesktop.org/archives/spice-devel/2013-October/015122.html
> [4] http://lists.freedesktop.org/archives/spice-devel/attachments/20131022/410110a9/attachment.ksh
> [5] http://cyrusimap.web.cmu.edu/docs/cyrus-sasl/2.1.25/programming.php#client_code
>
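
The difference between the two checks discussed in this thread, as an added example that is not part of either message and is not cyrus-sasl code: a simulated client negotiation run under the strict man-page reading and under the sample-client.c check. The `fake_session` struct and the `fake_start`, `fake_step` and `negotiate` functions are hypothetical stand-ins, the result codes are redefined with the values sasl/sasl.h gives them so the block builds without libsasl2, and SASL_INTERACT handling is left out (callbacks are assumed to be provided).

```c
#include <stdio.h>

/* Result codes with the values sasl/sasl.h assigns them, redefined here so
 * the example builds without libsasl2. */
enum { SASL_FAIL = -1, SASL_OK = 0, SASL_CONTINUE = 1 };

/* Hypothetical stand-in for a mechanism plus the server's final verdict. */
struct fake_session {
    int start_rc;        /* what the simulated sasl_client_start() returns */
    int steps_left;      /* simulated step calls that return SASL_CONTINUE */
    int server_accepts;  /* server's outcome once the exchange is complete */
};

static int fake_start(struct fake_session *s) { return s->start_rc; }

static int fake_step(struct fake_session *s)
{
    return (s->steps_left-- > 0) ? SASL_CONTINUE : SASL_OK;
}

/* accept_ok_from_start == 0: strict man-page reading (only SASL_CONTINUE
 * is success). == 1: sample-client.c behaviour (SASL_OK is success too). */
int negotiate(struct fake_session s, int accept_ok_from_start)
{
    int rc = fake_start(&s);

    if (rc == SASL_OK && !accept_ok_from_start)
        return SASL_FAIL;               /* a one-shot mechanism is rejected here */
    if (rc != SASL_OK && rc != SASL_CONTINUE)
        return SASL_FAIL;               /* genuine error from start */

    while (rc == SASL_CONTINUE)         /* one server round trip per step */
        rc = fake_step(&s);
    if (rc != SASL_OK)
        return SASL_FAIL;

    /* Client-side SASL_OK only means the client has nothing more to send;
     * the server's reply still decides whether authentication succeeded. */
    return s.server_accepts ? SASL_OK : SASL_FAIL;
}

int main(void)
{
    struct fake_session plain = { SASL_OK, 0, 1 };        /* constructed: one-shot */
    struct fake_session multi = { SASL_CONTINUE, 1, 1 };  /* constructed: multi-step */

    printf("plain strict=%d tolerant=%d\n", negotiate(plain, 0), negotiate(plain, 1));
    printf("multi strict=%d tolerant=%d\n", negotiate(multi, 0), negotiate(multi, 1));
    return 0;
}
```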


