Re: Cyrus SASL 2.1.25 Released

Julien ÉLIE wrote:

Hi Ken,

Thanks for this new release.

Major fixes in Cyrus SASL 2.1.25:

* Fixed a crash caused by aborted SASL authentication
and initiation of another one using the same SASL context.

Is it related to the use of "*" by a client?

In some variants of authentication the problem was caused by "*", yes.

I remembered having changed how INN handles SASL negotiations because the SASL server did not work well after an authentication failure.

  http://inn.eyrie.org/trac/changeset/8045
    Restart the SASL server after authentication failure.
    -> run sasl_dispose() followed by sasl_server_new() after the
       client sends "*" or the authentication failed.

Does it mean that this patch is no longer necessary with Cyrus SASL 2.1.25?

I think this patch should stay and it is safe.

Also, is this bug now fixed?

  http://inn.eyrie.org/trac/changeset/8044
    It appears that sasl_decode64() returns SASL_CONTINUE instead of
    SASL_BADPROT when there is a base64-encoding error.

sasl_decode64 can return a number of error codes (SASL_BUFOVER is another one) and relying on it always returning SASL_BADPROT is a bad coding practice, IMHO. Everything != SASL_OK should be treated with the exception of SASL_CONTINUE. SASL_CONTINUE is only returned when there is an incomplete base64 string. Whether this is an error or not depends on the application. I.e., if there is no more data coming, then it is an error.
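The return-code handling described in this message, as an added example that is not part of the original post or of the INN or Cyrus SASL sources. `demo_decode64` is a constructed stand-in that only borrows the `sasl_decode64()` signature and the return codes discussed above so the code builds without libsasl2; `check_response` and the `verdict` names are hypothetical.

```c
#include <string.h>

/* Values as in <sasl/sasl.h>, repeated so this builds without libsasl2. */
enum { SASL_OK = 0, SASL_CONTINUE = 1, SASL_BUFOVER = -3, SASL_BADPROT = -5 };
enum verdict { DECODED, NEED_MORE, ABORTED, REJECTED };

/* Constructed stand-in with sasl_decode64()'s signature, following the
 * return codes described in the thread. Not the library's code. */
static int demo_decode64(const char *in, unsigned inlen,
                         char *out, unsigned outmax, unsigned *outlen)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned acc = 0, bits = 0, n = 0, i;
    for (i = 0; i < inlen && in[i] != '='; i++) {
        const char *p = in[i] ? strchr(tbl, in[i]) : NULL;
        if (!p) return SASL_BADPROT;           /* not a base64 character */
        acc = (acc << 6) | (unsigned)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            if (n >= outmax) return SASL_BUFOVER;  /* output too small */
            bits -= 8;
            out[n++] = (char)((acc >> bits) & 0xff);
        }
    }
    *outlen = n;
    return (inlen % 4) ? SASL_CONTINUE : SASL_OK;  /* partial quantum */
}

/* Classify one client response line. more_expected is nonzero only when the
 * protocol allows the base64 string to continue in a later read. */
enum verdict check_response(const char *line, int more_expected,
                            char *out, unsigned outmax, unsigned *outlen)
{
    int rc;
    if (strcmp(line, "*") == 0)
        return ABORTED;    /* client cancelled: dispose and recreate context */
    rc = demo_decode64(line, (unsigned)strlen(line), out, outmax, outlen);
    if (rc == SASL_OK)
        return DECODED;
    if (rc == SASL_CONTINUE && more_expected)
        return NEED_MORE;  /* incomplete, but more data is coming */
    return REJECTED;       /* BADPROT, BUFOVER, or any other code != SASL_OK */
}
```

With the real library, `ABORTED` and `REJECTED` are the points where the INN changeset quoted above runs `sasl_dispose()` followed by `sasl_server_new()`.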



