[Spice-devel] [patch 1/1] fix SASL for mechanism using WANT_CLIENT_FIRST
Christophe Fergeau
cfergeau at redhat.com
Wed Oct 23 14:50:27 CEST 2013
Hey,
On Tue, Oct 22, 2013 at 11:07:56AM +0200, dietmar at proxmox.com wrote:
> Current code works with DIGEST-MD5, but not with PLAIN.
>
> Signed-off-by: Dietmar Maurer <dietmar at proxmox.com>
>
> Index: new/gtk/spice-channel.c
> ===================================================================
> --- new.orig/gtk/spice-channel.c 2013-10-22 09:04:23.000000000 +0200
> +++ new/gtk/spice-channel.c 2013-10-22 09:40:10.000000000 +0200
> @@ -1508,7 +1511,7 @@
>
> /* NB, distinction of NULL vs "" is *critical* in SASL */
> if (clientout) {
> - len += clientoutlen + 1;
> + len = clientoutlen + 1;
> spice_channel_write(channel, &len, sizeof(guint32));
> spice_channel_write(channel, clientout, len);
> } else {
Yeah, I had noticed this as well, but could not find a case where it would
prevent auth from working, ACK on this bit if this helps you.
> @@ -1550,6 +1553,9 @@
> * Even if the server has completed, the client must *always* do at least one step
> * in this loop to verify the server isn't lying about something. Mutual auth */
> for (;;) {
> + if (complete && err == SASL_OK)
> + break;
> +
This bit makes me much more uncomfortable, especially this is touching
security-sensitive code. Things are not working without it?
If you have a working sasl plain config for spice, I'd be interested in it
as I could not get that to work for testing :((
Christophe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/spice-devel/attachments/20131023/621b255c/attachment.pgp>
More information about the Spice-devel
mailing list