GNOME / GLib / Merge requests / !2682

gdbusauth: fix retry mechanism for failed authentication attempts

Status: Open. Leif Middelschulte requested to merge leiflm/glib:feature/handle_auth_rejection into main on May 23, 2022.

A server might not return REJECTED am1, am2, but REJECTED to indicate a failure of the current authentication attempt.

According to the documentation of the AUTH-command:

If the [initial-response] argument is provided, it is intended for use with mechanisms that have no initial challenge (or an empty initial challenge), as if it were the argument to an initial DATA command. If the selected mechanism has an initial challenge and [initial-response] was provided, the server should reject authentication by sending REJECTED.

Prior to this patch, the client would simply give up, unauthenticated:

GDBus-debug:Auth: CLIENT: initiating
GDBus-debug:Auth: CLIENT: didn't send any credentials
GDBus-debug:Auth: CLIENT: writing 'AUTH\r\n'
GDBus-debug:Auth: CLIENT: WaitingForReject
GDBus-debug:Auth: CLIENT: WaitingForReject, read 'REJECTED EXTERNAL ANONYMOUS'
GDBus-debug:Auth: CLIENT: Trying to choose mechanism
GDBus-debug:Auth: CLIENT: Trying mechanism 'EXTERNAL'
GDBus-debug:Auth: CLIENT: writing 'AUTH EXTERNAL 31303030\r\n'
GDBus-debug:Auth: CLIENT: WaitingForOK
GDBus-debug:Auth: CLIENT: WaitingForOK, read 'REJECTED'
GDBus-debug:Auth: CLIENT: Done, authenticated=0

With this patch, however, the client will attempt another method (i.e. ANONYMOUS) and eventually succeed in authenticating:

GDBus-debug:Auth: CLIENT: initiating
GDBus-debug:Auth: CLIENT: didn't send any credentials
GDBus-debug:Auth: CLIENT: writing 'AUTH\r\n'
GDBus-debug:Auth: CLIENT: WaitingForReject
GDBus-debug:Auth: CLIENT: WaitingForReject, read 'REJECTED EXTERNAL ANONYMOUS'
GDBus-debug:Auth: CLIENT: Trying to choose mechanism
GDBus-debug:Auth: CLIENT: Trying mechanism 'EXTERNAL'
GDBus-debug:Auth: CLIENT: writing 'AUTH EXTERNAL 31303030\r\n'
GDBus-debug:Auth: CLIENT: WaitingForOK
GDBus-debug:Auth: CLIENT: WaitingForOK, read 'REJECTED'
GDBus-debug:Auth: CLIENT: Trying to choose mechanism
GDBus-debug:Auth: CLIENT: Trying mechanism 'ANONYMOUS'
GDBus-debug:Auth: CLIENT: writing 'AUTH ANONYMOUS 474442757320302e31\r\n'
GDBus-debug:Auth: CLIENT: WaitingForOK
GDBus-debug:Auth: CLIENT: WaitingForOK, read 'OK 84f107a259a3a8264ce0f6ff628b4fc5'
GDBus-debug:Auth: CLIENT: writing 'BEGIN\r\n'
GDBus-debug:Auth: CLIENT: Done, authenticated=1

Note that to test this patch and get the output above, I slightly changed GLib's client code to explicitly send an invalid AUTH EXTERNAL request. GLib's client code skips EXTERNAL unless a prior credentials exchange occurred. But this would only hide the actual bug.

Edited May 24, 2022 by Philip Withnall
Source branch: feature/handle_auth_rejection
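
The retry behaviour described in this merge request, as an added sketch that is not GLib's code and not part of the patch: a bare REJECTED keeps the mechanism list the server advertised earlier, and the client moves on to the next mechanism it has not yet tried. The names AuthState, on_rejected and next_mechanism are hypothetical, and the caller-supplied allow-list is an assumption added here, since falling back from EXTERNAL to ANONYMOUS means the connection carries no authenticated identity.

```c
#include <stdio.h>
#include <string.h>
#define MAX_MECHS 8
/* Client-side negotiation state (hypothetical names, not GLib's). */
typedef struct {
    char offered[MAX_MECHS][32]; /* last mechanism list the server sent */
    int tried[MAX_MECHS];        /* set once AUTH <mech> has been sent */
    int n_offered;
} AuthState;

/* Bare "REJECTED" keeps the earlier list; a list replaces it, by name. */
static void on_rejected(AuthState *st, const char *line) {
    AuthState old = *st;
    char buf[128];
    snprintf(buf, sizeof buf, "%s", line);
    char *tok = strtok(buf, " \r\n") ? strtok(NULL, " \r\n") : NULL;
    if (tok == NULL) return;     /* bare REJECTED: nothing to update */
    st->n_offered = 0;
    for (; tok && st->n_offered < MAX_MECHS; tok = strtok(NULL, " \r\n")) {
        int i = st->n_offered++;
        snprintf(st->offered[i], sizeof st->offered[i], "%s", tok);
        st->tried[i] = 0;
        for (int j = 0; j < old.n_offered; j++)
            if (strcmp(old.offered[j], tok) == 0) st->tried[i] = old.tried[j];
    }
}

/* Next untried mechanism that is also on the caller's allow-list. */
static const char *next_mechanism(AuthState *st, const char *const *allowed) {
    for (int i = 0; i < st->n_offered; i++)
        for (int a = 0; !st->tried[i] && allowed[a]; a++)
            if (strcmp(allowed[a], st->offered[i]) == 0) {
                st->tried[i] = 1;
                return st->offered[i];
            }
    return NULL;
}

int main(void) {
    /* Constructed replay of the server lines in the page's debug log. */
    const char *replies[] = { "REJECTED EXTERNAL ANONYMOUS", "REJECTED", NULL };
    const char *allowed[] = { "EXTERNAL", "ANONYMOUS", NULL };
    AuthState st = { 0 };
    for (int r = 0; replies[r]; r++) {
        on_rejected(&st, replies[r]);
        const char *m = next_mechanism(&st, allowed);
        printf("S: %s -> C: AUTH %s\n", replies[r], m ? m : "(none left)");
    }
    return 0;
}
```

With an allow-list of only EXTERNAL, the second REJECTED leaves no mechanism to try and the client ends unauthenticated instead of falling back to ANONYMOUS.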