help-gsasl

Re: SCRAM-SHA-1 support in GSASL


From: Simon Josefsson
Subject: Re: SCRAM-SHA-1 support in GSASL
Date: Mon, 22 Mar 2010 18:55:15 +0100
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)

Lothar May <address@hidden> writes:

> Hi,
>
> 2009/11/6 Simon Josefsson <address@hidden>:
>> I have now checked that gsasl built from git sources builds under MS VS
>> for me.  I had to apply several other changes.  I also disable all the
>> obsolete GNU SASL APIs, I hope nobody was using those when building as
>> a VS project.
>
> Great, thanks! I've also updated to the latest version of gsasl. Is
> SCRAM compatible with the first release in 1.2?

It should be -- except that versions earlier than 1.4.2 have bugs that
may lead to crashes.  There is a fix in master for SCRAM which you may
want too.  I'm thinking of releasing v1.4.3 with that fix in it, but I'm
trying to get to v1.6.0 that would introduce GS2-KRB5 support too.
GS2-KRB5 is working now, but I need to polish some details.

> I've been very busy lately but now I went back to finishing our next
> release. There is still some problem I don't quite understand:
> If the user name contains utf8 characters, it is rejected by gsasl. I
> have no idea why this is the case. The error code is
> GSASL_SASLPREP_ERROR as far as I recall. I also tried, without
> success, to prepare the string separately. Currently I hack around
> this issue by converting all strings to base64 first, like this:
>
>               char *base64User = NULL;
>               gsasl_base64_to(userName.c_str(), userName.length(),
>                               &base64User, NULL);
>               gsasl_property_set(m_authSession, GSASL_AUTHID, base64User);
>               gsasl_free(base64User);
>
> Oh well... Does anyone know how I can use a user name containing utf8
> characters without prior conversion?

If you use non-ascii strings, you need to build Libidn and link GNU SASL
to it as well -- GNU SASL will reject any non-ascii strings when Libidn
is not enabled.  You could hack around this in lib/src/saslprep.c if you
want, but (of course) then you aren't fully SCRAM standards compliant.

/Simon
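
The following is an added example, not part of the original message and not code from GNU SASL or Libidn. It sketches the SASLprep (RFC 4013) steps that SCRAM applies to a username, using Python's standard `stringprep` module, and compares the result with the base64 workaround quoted above; the function names and sample usernames are constructed for illustration.

```python
import base64
import stringprep
import unicodedata

# Prohibited-output tables listed in RFC 4013, section 2.3.
PROHIBITED = (
    stringprep.in_table_c12, stringprep.in_table_c21_c22,
    stringprep.in_table_c3, stringprep.in_table_c4, stringprep.in_table_c5,
    stringprep.in_table_c6, stringprep.in_table_c7, stringprep.in_table_c8,
    stringprep.in_table_c9,
)

def saslprep(name, allow_unassigned=False):
    """Return the SASLprep form of name, or raise ValueError."""
    # 1. Map: drop B.1 characters, turn non-ASCII spaces (C.1.2) into U+0020.
    mapped = "".join(" " if stringprep.in_table_c12(c) else c
                     for c in name if not stringprep.in_table_b1(c))
    # 2. Normalize with NFKC on the Unicode 3.2 data that stringprep is defined on.
    out = unicodedata.ucd_3_2_0.normalize("NFKC", mapped)
    # 3. Reject prohibited and (for stored strings) unassigned code points.
    for c in out:
        if any(table(c) for table in PROHIBITED):
            raise ValueError("prohibited code point U+%04X" % ord(c))
        if not allow_unassigned and stringprep.in_table_a1(c):
            raise ValueError("unassigned code point U+%04X" % ord(c))
    # 4. Bidi rule: right-to-left text may not mix with left-to-right text
    #    and must both start and end with a right-to-left character.
    if any(stringprep.in_table_d1(c) for c in out):
        if any(stringprep.in_table_d2(c) for c in out):
            raise ValueError("mixed right-to-left and left-to-right text")
        if not (stringprep.in_table_d1(out[0]) and stringprep.in_table_d1(out[-1])):
            raise ValueError("right-to-left text must start and end with RandALCat")
    return out

def base64_workaround(name):
    """What the quoted workaround sets as authid: base64 of the raw UTF-8 bytes."""
    return base64.b64encode(name.encode("utf-8")).decode("ascii")

# Constructed sample: the same visible name in composed and decomposed form.
COMPOSED = "J\u00fcrgen"
DECOMPOSED = "Ju\u0308rgen"

if __name__ == "__main__":
    print(saslprep(COMPOSED) == saslprep(DECOMPOSED))
    print(base64_workaround(COMPOSED) == base64_workaround(DECOMPOSED))
```

With SASLprep both spellings of the name reach the server as one identity, while the base64 workaround turns them into two unrelated ASCII authids that only a peer applying the same workaround will recognise.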



