[Spice-devel] [PATCH] server: correctly handle AUTH failed
Marc-André Lureau
marcandre.lureau at redhat.com
Tue May 3 13:20:28 PDT 2011
The current code doesn't correctly reply with a SPICE_LINK_ERR_* code in case of failure.
It also doesn't respect the protocol properly (the error string is not defined).
This patch fixes that case, and has been tested with spice-gtk master.
---
server/reds.c | 24 ++++++++++++++----------
1 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/server/reds.c b/server/reds.c
index 5fa50c1..76a2ff0 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -1959,8 +1959,10 @@ static void reds_handle_auth_sasl_step(void *opaque)
datalen,
&serverout,
&serveroutlen);
- if (err != SASL_OK &&
- err != SASL_CONTINUE) {
+ if (err == SASL_BADAUTH || err == SASL_NOAUTHZ) {
+ red_printf("sasl auth failed %d (%s)",
+ err, sasl_errdetail(sasl->conn));
+ } else if (err != SASL_OK && err != SASL_CONTINUE) {
red_printf("sasl step failed %d (%s)",
err, sasl_errdetail(sasl->conn));
goto authabort;
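Review bot: In the new `SASL_BADAUTH`/`SASL_NOAUTHZ` branch the failure is only logged and control continues past this check, so whatever sits between this hunk and the later `goto authreject` (not shown here) runs with a failed step result. If that code reads `serverout`/`serveroutlen`, I would not rely on the SASL library having set them on failure; resetting them in the branch, `serverout = NULL; serveroutlen = 0;`, makes the fall-through safe, and a comment such as `/* fall through: finish the reply, then reject below */` makes it visibly intentional. The same applies to the matching branch in reds_handle_auth_sasl_start (hunk at -2090). The function body starts and ends outside this hunk.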
@@ -1992,6 +1994,8 @@ static void reds_handle_auth_sasl_step(void *opaque)
obj->end = obj->now + sizeof(uint32_t);
obj->done = reds_handle_auth_sasl_steplen;
async_read_handler(0, 0, &link->asyc_read);
+ } else if (err == SASL_BADAUTH || err == SASL_NOAUTHZ) {
+ goto authreject;
} else {
int ssf;
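Review bot: The reject condition `err == SASL_BADAUTH || err == SASL_NOAUTHZ` covers only two failure codes; any other credential-related failure (for example `SASL_NOUSER`, if the mechanism in use reports it) still takes `authabort` at the first check, so the client sees a dropped connection instead of `SPICE_LINK_ERR_PERMISSION_DENIED`. A client-visible difference between failure kinds can disclose whether an account exists, so it is safer to answer all credential failures with the same result. The test is also written four times across the two handlers; a small helper such as `static int sasl_err_is_auth_failure(int err)` would keep the log branch and the reject branch in step.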
@@ -2015,9 +2019,7 @@ static void reds_handle_auth_sasl_step(void *opaque)
return;
authreject:
- sync_write_u32(link->stream, 1); /* Reject auth */
- sync_write_u32(link->stream, sizeof("Authentication failed"));
- sync_write(link->stream, "Authentication failed", sizeof("Authentication failed"));
+ reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
authabort:
reds_link_free(link);
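Review bot: `authreject:` now depends on falling through into `authabort:` to free the link after `reds_send_link_result()`, and nothing says so; a one-line comment such as `/* fall through: the link is freed on both paths */` would stop a later edit from inserting a `return` between the labels and leaking the link. Whether `reds_send_link_result` can fail or block is not visible here; ignoring its result looks acceptable only because the link is freed immediately afterwards. The identical labels in reds_handle_auth_sasl_start (last hunk) want the same comment.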
@@ -2090,8 +2092,10 @@ static void reds_handle_auth_sasl_start(void *opaque)
datalen,
&serverout,
&serveroutlen);
- if (err != SASL_OK &&
- err != SASL_CONTINUE) {
+ if (err == SASL_BADAUTH || err == SASL_NOAUTHZ) {
+ red_printf("sasl auth or authz failed %d (%s)",
+ err, sasl_errdetail(sasl->conn));
+ } else if (err != SASL_OK && err != SASL_CONTINUE) {
red_printf("sasl start failed %d (%s)",
err, sasl_errdetail(sasl->conn));
goto authabort;
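Review bot: The log text here, "sasl auth or authz failed", differs from the step handler's "sasl auth failed" for the same two error codes, and neither names the phase the way the neighbouring "sasl start failed" and "sasl step failed" messages do. Anyone searching logs for rejected logins has to know both strings. I would use `red_printf("sasl start auth failed %d (%s)",` here and the `step` equivalent in reds_handle_auth_sasl_step, so failed-authentication events share one greppable pattern.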
@@ -2123,6 +2127,8 @@ static void reds_handle_auth_sasl_start(void *opaque)
obj->end = obj->now + sizeof(uint32_t);
obj->done = reds_handle_auth_sasl_steplen;
async_read_handler(0, 0, &link->asyc_read);
+ } else if (err == SASL_BADAUTH || err == SASL_NOAUTHZ) {
+ goto authreject;
} else {
int ssf;
@@ -2146,9 +2152,7 @@ static void reds_handle_auth_sasl_start(void *opaque)
return;
authreject:
- sync_write_u32(link->stream, 1); /* Reject auth */
- sync_write_u32(link->stream, sizeof("Authentication failed"));
- sync_write(link->stream, "Authentication failed", sizeof("Authentication failed"));
+ reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
authabort:
reds_link_free(link);
--
1.7.4