
touch-packages team mailing list archive

[Bug 1015819] Re: sb_sasl_generic_pkt_length: received illegal packet length when using ldapsearch and sasl with ssl or tls


Here is a follow-up on the comment above:

I have changed the GSSAPI mech plugin source code:

diff --git a/plugins/gssapi.c b/plugins/gssapi.c
index 2fd1b3b..39302cd 100644
--- a/plugins/gssapi.c
+++ b/plugins/gssapi.c
@@ -1583,20 +1583,9 @@ static int gssapi_client_mech_step(void *conn_context,
        }

        /* Setup req_flags properly */
-       req_flags = GSS_C_INTEG_FLAG;
-       if (params->props.max_ssf > params->external_ssf) {
-           /* We are requesting a security layer */
-           req_flags |= GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
-           /* Any SSF bigger than 1 is confidentiality. */
-           /* Let's check if the client of the API requires confidentiality,
-              and it wasn't already provided by an external layer */
-           if (params->props.max_ssf - params->external_ssf > 1) {
-               /* We want to try for privacy */
-               req_flags |= GSS_C_CONF_FLAG;
-           }
-       }
-
-       if (params->props.security_flags & SASL_SEC_PASS_CREDENTIALS) {
+       req_flags = GSS_C_MUTUAL_FLAG;
+
+    if (params->props.security_flags & SASL_SEC_PASS_CREDENTIALS) {
            req_flags = req_flags |  GSS_C_DELEG_FLAG;
        }
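Review bot: the replacement line `+       req_flags = GSS_C_MUTUAL_FLAG;` drops the request for a SASL security layer unconditionally, not only when an external layer already provides one. The removed block asked for `GSS_C_INTEG_FLAG` and, when `params->props.max_ssf > params->external_ssf`, for `GSS_C_SEQUENCE_FLAG` and `GSS_C_CONF_FLAG`; after this change a caller that asks for a SASL security layer over a plaintext connection has integrity and confidentiality silently dropped instead of negotiated. Consider keeping the original block and skipping the security-layer flags only when `params->external_ssf` already covers the requested `max_ssf`, so the TLS case is handled without removing protection for the plaintext case. Also, the new `+    if (params->props.security_flags & SASL_SEC_PASS_CREDENTIALS) {` line is indented with 4 spaces where the surrounding code uses 8.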

And I reran ldapsearch with -ZZ (STARTTLS) and whoa, it did work. I tried
without TLS too. Everything is shiny in Wireshark: TLS-encrypted data,
fully opaque; unencrypted data, fully browsable.

This code definitely requires polish, as long as the SASL RFC is not
violated. I am willing to provide a quality patch for that.
Unfortunately, I have another patch pending on the Cyrus SASL mailing
list w/o any response at the moment. Maybe someone could step up:
http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=10230

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1015819

Title:
  sb_sasl_generic_pkt_length: received illegal packet length when using
  ldapsearch and sasl with ssl or tls

Status in cyrus-sasl2 package in Ubuntu:
  Confirmed

Bug description:
  [Status]

  This bug needs a developer to reproduce the problem and locate the
  root cause.

  [Workaround]

  Unknown.

  [Missing]

  Exact steps to reproduce.

  [Description]

  Not sure if this is a problem with openldap or cyrus-sasl2 at this
  point.

  Using sasl binding only works with ldapsearch when not using ssl or
  tls.  If either ssl or tls is used I see this output from -d 1 from
  ldapsearch:

  sb_sasl_generic_pkt_length: received illegal packet length of 813957120 bytes
  sasl_generic_read: want=16, got=16
    0000:  00 7e 02 01 00 78 84 00  00 00 5d 0a 01 02 04 00   .~...x....].....
  sb_sasl_cyrus_decode: failed to decode packet: generic failure
  sb_sasl_generic_read: failed to decode packet
  ldap_read: want=8 error=Input/output error

  # numResponses: 0
  ldap_result: Can't contact LDAP server (-1)
  tls_write: want=165 error=Connection reset by peer
  tls_write: want=165 error=Bad file descriptor
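The client log quoted in the bug description can be decoded by hand to see what the SASL layer actually received. The script below is an added illustration, not code from the bug report or from the cyrus-sasl or OpenLDAP projects: it reconstructs the four bytes that the client must have read as a SASL packet-length prefix (the reported 813957120 decimal) and the sixteen bytes printed after them, then parses the result as BER. The interpretation is my own reading of the logged bytes, and the classification heuristic (first byte 0x30, a BER SEQUENCE, means a bare LDAPMessage rather than a SASL-wrapped frame) is an assumption that a genuine SASL frame of an unusual length could defeat.

```python
"""
Decide whether the bytes an LDAP client received are a SASL security-layer
frame (4-byte big-endian length prefix followed by a wrapped token) or a bare
BER-encoded LDAPMessage.  Added example; the sample bytes are reconstructed
from the values printed in the bug report, not captured by me.
"""
import struct

# From the report: "received illegal packet length of 813957120 bytes".
# The client reads a 4-byte big-endian length before each SASL-wrapped
# packet, so the bytes it consumed as a length were struct.pack(">I", N).
REPORTED_LENGTH = 813957120

# From the report: the 16 bytes logged right after that length prefix.
CAPTURED_PAYLOAD = bytes.fromhex("00 7e 02 01 00 78 84 00 00 00 5d 0a 01 02 04 00")

BER_SEQUENCE = 0x30
BER_ENUMERATED = 0x0A
BER_OCTET_STRING = 0x04
# LDAP [APPLICATION n] tags (RFC 4511); only the ones this example can meet.
LDAP_APPLICATION_TAGS = {0: "BindRequest", 1: "BindResponse", 24: "ExtendedResponse"}
LDAP_RESULT_CODES = {0: "success", 2: "protocolError"}


def length_prefix_bytes(length):
    """The 4 bytes a SASL-layer reader would have consumed to obtain `length`."""
    return struct.pack(">I", length)


def read_ber_length(buf, pos):
    """Return (length, next_pos) for the BER length at buf[pos], short or long form."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    value = int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big")
    return value, pos + 1 + nbytes


def read_ber_tlv(buf, pos):
    """Return (tag, length, body, next_pos) for the TLV at buf[pos]."""
    tag = buf[pos]
    length, body_start = read_ber_length(buf, pos + 1)
    return tag, length, buf[body_start:body_start + length], body_start + length


def classify_frame(prefix, payload):
    """
    Reassemble what the wire carried (the 4 bytes taken as a length plus the
    bytes that followed) and report whether it parses as a bare LDAPMessage.
    Heuristic: a SASL length prefix for a sane frame never starts with 0x30.
    """
    wire = prefix + payload
    claimed = int.from_bytes(prefix, "big")
    if wire[0] != BER_SEQUENCE:
        return {"kind": "sasl-wrapped-or-unknown", "claimed_length": claimed}

    seq_len, pos = read_ber_length(wire, 1)               # LDAPMessage ::= SEQUENCE
    _, _, msg_id_body, pos = read_ber_tlv(wire, pos)      # messageID INTEGER
    op_tag = wire[pos]                                     # protocolOp [APPLICATION n]
    op_len, pos = read_ber_length(wire, pos + 1)
    info = {
        "kind": "bare-ldap-message",
        "claimed_length": claimed,
        "sequence_length": seq_len,
        "message_id": int.from_bytes(msg_id_body, "big", signed=True),
        "operation": LDAP_APPLICATION_TAGS.get(op_tag & 0x1F, f"application-{op_tag & 0x1F}"),
        "operation_length": op_len,
        "truncated": len(wire) < 2 + 4 + seq_len,          # only 16 payload bytes were logged
    }
    # An LDAPResult opens with resultCode ENUMERATED, then matchedDN OCTET STRING.
    if pos < len(wire) and wire[pos] == BER_ENUMERATED:
        _, _, rc_body, pos = read_ber_tlv(wire, pos)
        info["result_code"] = LDAP_RESULT_CODES.get(rc_body[0], rc_body[0])
    if pos < len(wire) and wire[pos] == BER_OCTET_STRING:
        _, _, dn_body, pos = read_ber_tlv(wire, pos)
        info["matched_dn"] = dn_body.decode("utf-8", "replace")
    return info


if __name__ == "__main__":
    prefix = length_prefix_bytes(REPORTED_LENGTH)
    print("length prefix bytes:", prefix.hex())
    for key, value in classify_frame(prefix, CAPTURED_PAYLOAD).items():
        print(f"{key:>18}: {value}")
```

Run as a script, it shows that the "illegal packet length" 813957120 is 0x30840000: a BER SEQUENCE with a four-byte long-form length of 126, i.e. the start of a plain LDAPMessage, not a SASL length prefix. The bytes that follow decode as messageID 0 and a [APPLICATION 24] ExtendedResponse carrying resultCode protocolError, which is the shape of an unsolicited notification sent without any SASL wrapping; in my reading this means the client was expecting SASL-wrapped frames while the server was writing bare LDAP, which is the kind of security-layer mismatch the patch in this message is fiddling with.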
