Bug#433305: libsasl2-modules-otp: Performing SASL negotiation: invalid parameter supplied

Hadmut Danisch hadmut at danisch.de
Mon Jul 16 08:23:53 UTC 2007


Package: libsasl2-modules-otp
Version: 2.1.22.dfsg1-13
Severity: normal

Hi,

I was just playing a little bit with the sasl-sample-server and
sasl-sample-client programs that come with the
Debian packages for sasl2.  Running both programs in separate xterm
windows and 'sending' their messages vice versa with mouse cut and paste
works as expected, e.g. for DIGEST-MD5. The sasl-sample-client then asks
for a password.

But when I choose OTP (which is offered by the server), then the client
aborts, and I currently don't see why:


% sasl-sample-client -m OTP
Waiting for mechanism list from server...
S: QU5PTllNT1VTIE9UUCBDUkFNLU1ENSBESUdFU1QtTUQ1IExPR0lOIFBMQUlOIE5UTE0=
recieved 50 byte message
Forcing use of mechanism OTP
Choosing best mechanism from: OTP
Using mechanism OTP
Preparing initial.
Sending initial response...
C: T1RQAGhhZG11dABoYWRtdXQ=
Waiting for server reply...
S: b3RwLW1kNSA0OTggYW42OTQzIGV4dA==
recieved 22 byte message
sasl-sample-client: Performing SASL negotiation: invalid parameter supplied



You should be able to run this example with just the client side.

So the message
S: b3RwLW1kNSA0OTggYW42OTQzIGV4dA==
causes a problem. Decoding it looks like this:

% decode64 b3RwLW1kNSA0OTggYW42OTQzIGV4dA== |xxd
0000000: 6f74 702d 6d64 3520 3439 3820 616e 3639  otp-md5 498 an69
0000010: 3433 2065 7874                           43 ext

which is

otp-md5 498 an6943 ext

498 and the seed an6943 are correct. But what's wrong with this string
and why does the client abort?



regards


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.21-2-k7 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libsasl2-modules-otp depends on:
ii  libc6                    2.6-2           GNU C Library: Shared libraries
ii  libsasl2-modules         2.1.22.dfsg1-13 Pluggable Authentication Modules f
ii  libssl0.9.8              0.9.8e-5        SSL shared libraries

libsasl2-modules-otp recommends no packages.

-- no debconf information
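
The decoding step from the report above, as an added example that is not part of the original message or of Cyrus SASL: it decodes the three transcript messages and checks the OTP challenge against the RFC 2289 challenge syntax plus the RFC 2243 "ext" marker. The "mechanism NUL authzid NUL authcid" layout of the client message is an assumption read off the decoded bytes, and all function names are hypothetical.

```python
import base64
import re

# Messages copied from the transcript in the report (direction, base64 text).
TRANSCRIPT = [
    ("S", "QU5PTllNT1VTIE9UUCBDUkFNLU1ENSBESUdFU1QtTUQ1IExPR0lOIFBMQUlOIE5UTE0="),
    ("C", "T1RQAGhhZG11dABoYWRtdXQ="),
    ("S", "b3RwLW1kNSA0OTggYW42OTQzIGV4dA=="),
]
ALGORITHMS = {"md4", "md5", "sha1"}         # identifiers defined by RFC 2289
SEED_RE = re.compile(r"[A-Za-z0-9]{1,16}")  # RFC 2289: 1 to 16 alphanumerics


def decode(b64):
    """Strictly decode one base64 line as exchanged by the sample programs."""
    return base64.b64decode(b64, validate=True)


def parse_initial_response(raw):
    """Split 'mech NUL authzid NUL authcid' (layout assumed from the bytes)."""
    mech, authzid, authcid = raw.split(b"\x00")
    return mech.decode(), authzid.decode(), authcid.decode()


def parse_otp_challenge(raw):
    """Parse 'otp-<alg> <seq> <seed> [ext...]' and collect syntax problems."""
    fields = raw.decode("ascii").split(" ")
    if len(fields) not in (3, 4):
        return {"problems": ["expected 3 or 4 fields, got %d" % len(fields)]}
    problems = []
    prefix, _, alg = fields[0].partition("-")
    if prefix != "otp" or alg not in ALGORITHMS:
        problems.append("unknown algorithm field %r" % fields[0])
    if not fields[1].isdigit():
        problems.append("sequence %r is not a decimal integer" % fields[1])
    if not SEED_RE.fullmatch(fields[2]):
        problems.append("seed %r is not 1-16 alphanumerics" % fields[2])
    extended = len(fields) == 4
    if extended and fields[3] != "ext" and not fields[3].startswith("ext,"):
        problems.append("fourth field %r is not an RFC 2243 ext marker" % fields[3])
    return {"algorithm": alg, "sequence": fields[1], "seed": fields[2],
            "extended": extended, "problems": problems}


if __name__ == "__main__":
    for direction, b64 in TRANSCRIPT:
        raw = decode(b64)
        print("%s: %d bytes %r" % (direction, len(raw), raw))
    print(parse_initial_response(decode(TRANSCRIPT[1][1])))
    print(parse_otp_challenge(decode(TRANSCRIPT[2][1])))
```

For the challenge in the report the problem list comes back empty, so this check finds no syntax violation in the string itself.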



