
gdbusauth: fix retry mechanism for failed authentication attempts

A server might not return REJECTED am1, am2, but REJECTED to indicate a failure of the current authentication attempt.

According to the documentation of the AUTH-command:

If the [initial-response] argument is provided, it is intended for use with mechanisms that have no initial challenge (or an empty initial challenge), as if it were the argument to an initial DATA command. If the selected mechanism has an initial challenge and [initial-response] was provided, the server should reject authentication by sending REJECTED.

Prior to this patch, the client would simply give up, unauthenticated:

GDBus-debug:Auth: CLIENT: initiating
GDBus-debug:Auth: CLIENT: didn't send any credentials
GDBus-debug:Auth: CLIENT: writing 'AUTH\r\n'
GDBus-debug:Auth: CLIENT: WaitingForReject
GDBus-debug:Auth: CLIENT: WaitingForReject, read 'REJECTED EXTERNAL ANONYMOUS'
GDBus-debug:Auth: CLIENT: Trying to choose mechanism
GDBus-debug:Auth: CLIENT: Trying mechanism 'EXTERNAL'
GDBus-debug:Auth: CLIENT: writing 'AUTH EXTERNAL 31303030\r\n'
GDBus-debug:Auth: CLIENT: WaitingForOK
GDBus-debug:Auth: CLIENT: WaitingForOK, read 'REJECTED'
GDBus-debug:Auth: CLIENT: Done, authenticated=0

With this patch, however, the client will attempt another method (i.e. ANONYMOUS) and eventually succeed in authenticating:

GDBus-debug:Auth: CLIENT: initiating
GDBus-debug:Auth: CLIENT: didn't send any credentials
GDBus-debug:Auth: CLIENT: writing 'AUTH\r\n'
GDBus-debug:Auth: CLIENT: WaitingForReject
GDBus-debug:Auth: CLIENT: WaitingForReject, read 'REJECTED EXTERNAL ANONYMOUS'
GDBus-debug:Auth: CLIENT: Trying to choose mechanism
GDBus-debug:Auth: CLIENT: Trying mechanism 'EXTERNAL'
GDBus-debug:Auth: CLIENT: writing 'AUTH EXTERNAL 31303030\r\n'
GDBus-debug:Auth: CLIENT: WaitingForOK
GDBus-debug:Auth: CLIENT: WaitingForOK, read 'REJECTED'
GDBus-debug:Auth: CLIENT: Trying to choose mechanism
GDBus-debug:Auth: CLIENT: Trying mechanism 'ANONYMOUS'
GDBus-debug:Auth: CLIENT: writing 'AUTH ANONYMOUS 474442757320302e31\r\n'
GDBus-debug:Auth: CLIENT: WaitingForOK
GDBus-debug:Auth: CLIENT: WaitingForOK, read 'OK 84f107a259a3a8264ce0f6ff628b4fc5'
GDBus-debug:Auth: CLIENT: writing 'BEGIN\r\n'
GDBus-debug:Auth: CLIENT: Done, authenticated=1

Note that to test this patch and get the output above, I slightly changed glib's client code to explicitly send an invalid AUTH EXTERNAL request. Glib's client code skips EXTERNAL unless a prior credentials exchange occurred. But this would only hide the actual bug.

Edited by Philip Withnall
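
The retry behaviour described above, as an added example that is not GLib's code or part of this merge request: a bare REJECTED fails only the current attempt, so the client keeps the mechanism list it learned earlier and moves on to the next untried entry. The `auth_state` type, both function names and the caller-supplied allowlist are assumptions made for illustration; the allowlist keeps a retry from falling back to a mechanism (such as ANONYMOUS) that the caller did not accept.

```c
#include <stdio.h>
#include <string.h>

#define MAX_MECHS 8

/* Hypothetical client state (not GLib's): mechanisms the server advertised
 * and whether each one was already attempted on this connection. */
typedef struct {
    char name[MAX_MECHS][32];
    int  tried[MAX_MECHS];
    int  n;
} auth_state;

/* Handle "REJECTED [mech ...]". Returns the number of known mechanisms, or
 * -1 if the line is not a REJECTED reply. A bare REJECTED fails only the
 * current attempt, so the earlier list and the tried flags are kept. */
static int handle_rejected(auth_state *s, const char *line)
{
    char buf[256];
    if (strncmp(line, "REJECTED", 8) != 0 || strchr(" \r\n", line[8]) == NULL)
        return -1;
    snprintf(buf, sizeof buf, "%s", line + 8);
    for (char *tok = strtok(buf, " \r\n"); tok; tok = strtok(NULL, " \r\n")) {
        int i = 0;
        while (i < s->n && strcmp(s->name[i], tok) != 0)
            i++;
        if (i == s->n && s->n < MAX_MECHS)  /* newly advertised mechanism */
            snprintf(s->name[s->n++], sizeof s->name[0], "%s", tok);
    }
    return s->n;
}

/* Next untried mechanism that is on the caller's NULL-terminated allowlist,
 * so a retry never falls back to a mechanism the caller did not accept.
 * NULL means every option is exhausted and the client stays unauthenticated. */
static const char *next_mechanism(auth_state *s, const char *const *allowed)
{
    for (int i = 0; i < s->n; i++) {
        if (s->tried[i])
            continue;
        s->tried[i] = 1;  /* never attempt the same mechanism twice */
        for (const char *const *a = allowed; *a; a++)
            if (strcmp(*a, s->name[i]) == 0)
                return s->name[i];
    }
    return NULL;
}
```

Because the tried flags survive every REJECTED reply, a server that keeps repeating the same mechanism list cannot make the client loop.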
