Status: Closed (closed by brong 23 years ago)
From: Larry Greenfield
the xxx in digestmd5.c is a symptom of the fact that the v1 code didn't deal well with client-send-first or server-send-last SASL profiles.
i vaguely recall a conversation with john myers (jgmyers@iplanet.com) and chris newman where john claimed that to deal with server-send-last problems (when a server can return data and success simultaneously, a la ACAP/LDAP) we needed a flag to sasl_{client,server}_new indicating that the protocol supported that. the middleware would then do the adjustment for protocols that didn't, and all mechanisms would happily assume that the protocol supported it.
so with server-send-last profiles, you get a
sasl_server_step(...) = SASL_OK, with serverout set to some string.
the client then does a step, even though it already got the protocol OK from the server, since it might have to verify mutual authentication. but this means that it always needs to step for those protocols, even if there wasn't a server-send-last string (otherwise an evil remote server would just omit sending the last string and we wouldn't catch it). but obviously some mechanisms just don't have server-send-last.
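The client-side rule described above (after a protocol-level OK, a server-send-last mechanism must still run its final step and fail if the server's last string is missing), as an added Python sketch that is not Cyrus SASL code. The toy HMAC mechanism, the status constants and `client_finish` are constructed for illustration and stand in for a real mechanism's server-final proof.

```python
import hmac
import hashlib
import secrets

# Constructed status codes, mirroring the shape of the libsasl return values.
SASL_OK, SASL_FAIL = 0, -1


class ToyMutualMech:
    """Constructed server-send-last mechanism: the server's final message is an
    HMAC over the client nonce, proving it knows the shared secret."""
    server_send_last = True

    def __init__(self, secret: bytes):
        self.secret = secret
        self.cnonce = None

    def client_start(self) -> bytes:
        self.cnonce = secrets.token_bytes(16)
        return self.cnonce

    def server_step(self, clientin: bytes):
        proof = hmac.new(self.secret, b"final" + clientin, hashlib.sha256).digest()
        return SASL_OK, proof  # success and data at the same time

    def client_step(self, serverin):
        expected = hmac.new(self.secret, b"final" + self.cnonce, hashlib.sha256).digest()
        if not serverin or not hmac.compare_digest(expected, serverin):
            return SASL_FAIL  # missing or wrong proof: mutual auth fails
        return SASL_OK


class ToyOneWayMech(ToyMutualMech):
    """Constructed mechanism with no server-final data."""
    server_send_last = False


def client_finish(mech, protocol_said_ok: bool, serverout):
    """Middleware handling of a protocol-level success on the client side.
    For a server-send-last mechanism the client must always step, even when
    serverout is empty; otherwise a server could omit the proof and be accepted."""
    if not protocol_said_ok:
        return SASL_FAIL
    if not mech.server_send_last:
        return SASL_OK  # nothing left for this mechanism to verify
    return mech.client_step(serverout)


def run_exchange(mech_cls, client_secret, server_secret, omit_final=False):
    client, server = mech_cls(client_secret), mech_cls(server_secret)
    status, serverout = server.server_step(client.client_start())
    if omit_final:
        serverout = b""  # server drops its final string
    return client_finish(client, status == SASL_OK, serverout)
```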
From: Rob Siemborski
should be much better now except for random mechs that do client-first at random.
From: Larry Greenfield
Bugzilla-Id: 525
Version: 2.0
Owner: Rob Siemborski