gdbusauth: Failure during authentication caused by empty server challenge not being handled in CLIENT_STATE_WAITING_FOR_DATA
Submitted by Stewart Brodie
Link to original bug (#756569)
Description
Created attachment 313265 Proposed patch to allow empty DATA commands to be matched
Whilst carrying out the authentication protocol, _g_dbus_auth_run_client() fails to recognise empty server challenges received whilst it is in the state CLIENT_STATE_WAITING_FOR_DATA (waiting for a challenge) at or around line 813 (in gdbusauth.c in glib-2.46.0), leading to authentication failure. A similar issue arises in the server-side code at or around line 1249.
Specifically, the code tries to prefix match "DATA " (note the trailing space), which can fail in some authentication mechanisms where the server sends an empty challenge of just "DATA".
The DBus specification at http://dbus.freedesktop.org/doc/dbus-specification.html#auth-protocol is, at best, unclear whether the space is mandatory (and other commands seem to be sent without the trailing space)
Whilst it appears that gdbusauth.c's code always puts the space in there in outgoing DATA messages, other DBus implementations do not: notably, dbus-1.8.20 (and other versions) send just "DATA\r\n" when there is a zero-length server challenge.
Code that handles ERROR messages is more careful to match: g_str_has_prefix (line, "ERROR") && (line[5] == 0 || g_ascii_isspace (line[5])))
This would seem an appropriate way to handle DATA messages too, with additional care required to g_strdup() the correct substring to handle the spaceless message. The same change applies to both the client and server code.
Although this is a primarily an interoperability problem, it is currently blocking various bits of software on my system from communicating with dbus-daemon.
The attached patch is sufficient to resolve this issue.
Attachment 313265, "Proposed patch to allow empty DATA commands to be matched":
gdbusauth.c-data-state-patch.patch
Version: 2.46.x