[Spice-devel] [PATCH v2 spice-gtk 1/2] authentication: Handle failed SASL authentication separately

Christophe de Dinechin cdupontd at redhat.com
Mon Feb 20 17:00:23 UTC 2017


> On 19 Feb 2017, at 15:47, Snir Sheriber <ssheribe at redhat.com> wrote:
> 
> Remove handling with failures in the SASL authentication
> process to separate function
> ---
> src/spice-channel.c | 44 +++++++++++++++++++++++++++-----------------
> 1 file changed, 27 insertions(+), 17 deletions(-)
> 
> diff --git a/src/spice-channel.c b/src/spice-channel.c
> index af67931..cbf1291 100644
> --- a/src/spice-channel.c
> +++ b/src/spice-channel.c
> @@ -1113,28 +1113,38 @@ static int spice_channel_read(SpiceChannel *channel, void *data, size_t length)
>     return length;
> }
> 
> +#if HAVE_SASL
> /* coroutine context */
> -static void spice_channel_failed_authentication(SpiceChannel *channel,
> -                                                gboolean invalidPassword)
> +static void spice_channel_failed_sasl_authentication(SpiceChannel *channel)
> {
>     SpiceChannelPrivate *c = channel->priv;
> +    gint err_code; /* Affects the authentication window activated fileds */
> 
>     if (c->auth_needs_username && c->auth_needs_password)
> -        g_set_error_literal(&c->error,
> -                            SPICE_CLIENT_ERROR,
> -                            SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD_AND_USERNAME,
> -                            _("Authentication failed: password and username are required"));
> +        err_code = SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD_AND_USERNAME;
>     else if (c->auth_needs_username)
> -        g_set_error_literal(&c->error,
> -                            SPICE_CLIENT_ERROR,
> -                            SPICE_CLIENT_ERROR_AUTH_NEEDS_USERNAME,
> -                            _("Authentication failed: username is required"));
> -    else if (c->auth_needs_password)
> -        g_set_error_literal(&c->error,
> -                            SPICE_CLIENT_ERROR,
> -                            SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD,
> -                            _("Authentication failed: password is required"));
> -    else if (invalidPassword)
> +        err_code = SPICE_CLIENT_ERROR_AUTH_NEEDS_USERNAME;
> +    else
> +        err_code = SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD;
> +
> +    g_set_error_literal(&c->error,
> +                        SPICE_CLIENT_ERROR,
> +                        err_code,
> +                        _("SASL authentication failed"));

Per the recent discussion (Feb 14 with Christophe F), can’t we map common SASL errors to Spice messages? To me, it’s different if the problem is that I used a wrong password or if the server is down. The message as is seems quite terse.

Errors that seem be reportable (although not all of them seem relevant to Spice):

SASL_BADAUTH	Authentication failure.
SASL_NOAUTHZ	Authorization failure.
SASL_EXPIRED	The passphrase expired and must be reset.
SASL_DISABLED	Account disabled.
SASL_NOUSER	User not found.
SASL_BADVERS	Version mismatch with plug-in.
SASL_NOVERIFY	The user exists, but there is no verifier for the user.
SASL_WEAKPASS	The passphrase is too weak for security policy.
SASL_NOUSERPASS	User supplied passwords are not permitted.


Some that may need to be “translated” in Spicese if they ever get back to us:

SASL_TOOWEAK	The mechanism is too weak for this user.
SASL_ENCRYPT	Encryption is needed to use this mechanism.
SASL_TRANS		One time use of a plaintext password will enable requested mechanism for user.

Others should probably collected into a “default” in a switch statement, something like “Unexpected SASL error code <blah>”.


> +
> +    c->event = SPICE_CHANNEL_ERROR_AUTH;
> +
> +    c->has_error = TRUE; /* force disconnect */
> +}
> +#endif
> +
> +/* coroutine context */
> +static void spice_channel_failed_authentication(SpiceChannel *channel,
> +                                                gboolean invalidPassword)
> +{
> +    SpiceChannelPrivate *c = channel->priv;
> +
> +    if (invalidPassword)
>         g_set_error_literal(&c->error,
>                             SPICE_CLIENT_ERROR,
>                             SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD,
> @@ -1808,7 +1818,7 @@ error:
>     if (saslconn)
>         sasl_dispose(&saslconn);
> 
> -    spice_channel_failed_authentication(channel, FALSE);
> +    spice_channel_failed_sasl_authentication(channel);
>     ret = FALSE;
> 
> cleanup:
> -- 
> 2.9.3
> 
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/spice-devel



More information about the Spice-devel mailing list