extra zero-terminator in SASL Kerberos

From: Patrick Monnerat via curl-library
Date: Fri, 30 Apr 2021 14:10:36 +0200

While attempting to implement SASL in openldap, I'm facing a
Kerberos problem.

In Curl_auth_create_gssapi_security_message(), a comment says:

/* Populate the message with the security layer, client supported receive
    message size and authorization identity including the 0x00 based
    terminator. Note: Despite RFC4752 Section 3.1 stating "The authorization
    identity is not terminated with the zero-valued (%x00) octet." it seems
    necessary to include it. */

This works as described, but the added zero-terminator fools the server,
which includes it in the authorization identity.

Do we have details about why "it seems necessary to include it"? I
checked cyrus-sasl and libgsasl: they do not append this extra zero byte.

I also plan to replace the computed identity by the sasl_authzid. Any
objection?

Received on 2021-04-30
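
The message layout at issue, as an added example that is not part of the original mail and is not curl's code: it builds the RFC 4752 Section 3.1 plaintext (before GSS_Wrap) with and without the trailing 0x00 and shows how many identity octets a server that follows the RFC would extract. Function names and the sample identity are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SEC_LAYER_NONE 0x01 /* RFC 4752 bit-mask: no security layer */

/* Plaintext handed to GSS_Wrap (RFC 4752 section 3.1): octet 0 = layer,
   octets 1-3 = max receive size in network order, rest = UTF-8 authzid.
   add_nul appends the extra 0x00. Returns the length, or 0 on error. */
size_t build_sec_msg(uint8_t *out, size_t outlen, uint8_t layer,
                     uint32_t max_recv, const char *authzid, int add_nul)
{
  size_t idlen = authzid ? strlen(authzid) : 0;
  size_t total = 4 + idlen + (add_nul ? 1 : 0);
  if(max_recv > 0xFFFFFF || total > outlen)
    return 0;
  out[0] = layer;
  out[1] = (uint8_t)(max_recv >> 16);
  out[2] = (uint8_t)(max_recv >> 8);
  out[3] = (uint8_t)max_recv;
  if(idlen)
    memcpy(out + 4, authzid, idlen);
  if(add_nul)
    out[4 + idlen] = 0x00;
  return total;
}

/* Server view: every octet after the 4-octet header is identity data. */
size_t server_authzid_len(const char *authzid, int add_nul)
{
  uint8_t msg[256];
  size_t n = build_sec_msg(msg, sizeof(msg), SEC_LAYER_NONE, 0,
                           authzid, add_nul);
  return n < 4 ? 0 : n - 4;
}

/* 1 if the extracted identity has the intended length; its leading octets
   are the authzid by construction, so only a trailing 0x00 can differ. */
int authzid_roundtrips(const char *authzid, int add_nul)
{
  return server_authzid_len(authzid, add_nul) == strlen(authzid);
}

int main(void)
{
  const char *id = "alice@EXAMPLE.ORG"; /* constructed sample identity */
  printf("without NUL: %zu octets, match=%d\n",
         server_authzid_len(id, 0), authzid_roundtrips(id, 0));
  printf("with NUL:    %zu octets, match=%d\n",
         server_authzid_len(id, 1), authzid_roundtrips(id, 1));
  return 0;
}
```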