help-gsasl

GSASL_CB_TLS_EXPORTER leads to a failure with non-PLUS SCRAM methods


From: defanor
Subject: GSASL_CB_TLS_EXPORTER leads to a failure with non-PLUS SCRAM methods
Date: Wed, 28 Aug 2024 17:30:45 +0300
User-agent: mu4e 1.8.13; emacs 28.2

Hello,

I noticed that GSASL reads the GSASL_CB_TLS_EXPORTER property even when
a non-"PLUS" SCRAM method is used, and if it is provided, the
authentication process fails at once. This does seem wrong: I think it
would be nicer if it did not fail when unnecessary information is
provided, and if it did not ask for that (e.g., via a callback), either.

Sample code to reproduce this behaviour:

---- gsasl-test.c ----
#include <stdio.h>
#include <gsasl.h>

int main (void) {
  int rc;
  Gsasl *ctx = NULL;
  rc = gsasl_init (&ctx);
  if (rc != GSASL_OK) {
    printf ("Init error (%d): %s\n", rc, gsasl_strerror (rc));
    return 1;
  }
  Gsasl_session *session;
  /* Non-PLUS mechanism: channel binding is not part of the exchange. */
  rc = gsasl_client_start (ctx, "SCRAM-SHA-1", &session);
  if (rc != GSASL_OK) {
    printf ("Start error (%d): %s\n", rc, gsasl_strerror (rc));
    gsasl_done (ctx);
    return 1;
  }

  rc = gsasl_property_set (session, GSASL_AUTHID, "foo");
  if (rc != GSASL_OK) {
    printf ("Property set error (%d): %s\n", rc, gsasl_strerror (rc));
  }

  /* Channel-binding data that a non-PLUS mechanism should simply ignore
     (base64 of 32 'a' bytes, a dummy exporter value). */
  rc = gsasl_property_set (session, GSASL_CB_TLS_EXPORTER,
                           "YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=");
  if (rc != GSASL_OK) {
    printf ("Property set error (%d): %s\n", rc, gsasl_strerror (rc));
  }

  rc = gsasl_property_set (session, GSASL_PASSWORD, "foo");
  if (rc != GSASL_OK) {
    printf ("Property set error (%d): %s\n", rc, gsasl_strerror (rc));
  }

  char *buf = NULL;
  /* First client step with no server input: GSASL_NEEDS_MORE is the
     expected outcome (the client-first message has been produced). */
  rc = gsasl_step64 (session, "", &buf);
  if (rc == GSASL_NEEDS_MORE) {
    printf ("First step done, mechanism asks for more data\n");
    gsasl_free (buf);
  } else if (rc == GSASL_OK) {
    gsasl_free (buf);
  } else {
    printf ("Authentication error (%d): %s\n", rc, gsasl_strerror (rc));
  }
  gsasl_finish (session);
  gsasl_done (ctx);
  return 0;
}
---- end of gsasl-test.c ----

That prints "Authentication error (31): Error authenticating user" here,
with gsasl 2.2.0-1. Replacing "SCRAM-SHA-1" with "SCRAM-SHA-1-PLUS", or
not setting GSASL_CB_TLS_EXPORTER, proceeds without an error, asking for
more data.
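As an added illustration (not part of the report above and not libgsasl code), the following C shows how a SCRAM client picks the gs2-cbind-flag defined in RFC 5802 section 7, using the "tls-exporter" binding type from RFC 9266. The flag is decided by the negotiated mechanism name and by whether the client is capable of binding at all; the mere presence of exporter data is not what the protocol keys on, which is the behaviour the report expects from a non-PLUS mechanism. The function names and the constructed inputs are my own.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 when the mechanism name ends in "-PLUS", i.e. both sides have
   agreed to use channel binding; 0 otherwise. SASL mechanism names are
   case-sensitive, so no case folding is done. */
int mech_uses_channel_binding (const char *mech)
{
  const char *suffix = "-PLUS";
  size_t n = strlen (mech), s = strlen (suffix);
  return n > s && strcmp (mech + n - s, suffix) == 0;
}

/* Writes the GS2 header prefix (gs2-cbind-flag, empty authzid, ",") into out.
   client_can_bind: the client has TLS exporter data available, i.e. it is
   able to bind if a -PLUS mechanism is chosen.
   Returns the number of bytes written (excluding the NUL), -1 if out is too
   small, or -2 if a -PLUS mechanism was chosen without binding data. */
int scram_gs2_header (const char *mech, int client_can_bind,
                      char *out, size_t outlen)
{
  const char *flag;
  if (mech_uses_channel_binding (mech))
    {
      if (!client_can_bind)
        return -2;              /* cannot run a -PLUS mechanism unbound */
      flag = "p=tls-exporter";  /* binding in use, RFC 9266 type name */
    }
  else if (client_can_bind)
    flag = "y";                 /* client could bind, server offered no -PLUS:
                                   lets the server detect a downgrade */
  else
    flag = "n";                 /* client does not support channel binding */

  int written = snprintf (out, outlen, "%s,,", flag);
  if (written < 0 || (size_t) written >= outlen)
    return -1;
  return written;
}

int main (void)
{
  /* Constructed inputs: the same client capability against three mechanisms. */
  const char *mechs[] = { "SCRAM-SHA-1", "SCRAM-SHA-1-PLUS", "SCRAM-SHA-256" };
  char hdr[32];
  for (size_t i = 0; i < sizeof mechs / sizeof mechs[0]; i++)
    {
      int n = scram_gs2_header (mechs[i], 1, hdr, sizeof hdr);
      if (n < 0)
        printf ("%-18s -> error %d\n", mechs[i], n);
      else
        printf ("%-18s -> gs2 header \"%s\"\n", mechs[i], hdr);
    }
  return 0;
}
```

With exporter data available, "SCRAM-SHA-1" yields the header "y,,", while "SCRAM-SHA-1-PLUS" yields "p=tls-exporter,,"; the exporter value itself only enters the exchange in the "p" case, where it is appended to the channel-binding input of the client-final message.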
