[Spice-devel] Report invalid password as a special auth error

Submitted by Cedric Bosdonnat on May 22, 2015, 4:12 p.m.

Details

Message ID 1432311155-21497-1-git-send-email-cbosdonnat@suse.com
State New
Headers show

Not browsing as part of any series.

Commit Message

Cedric Bosdonnat May 22, 2015, 4:12 p.m.
Provide a special authentication error message for too long passwords.
---
 Note: this patch needs a pending one for spice-common. submodule will
 need to be updated.

 gtk/spice-channel.c | 18 ++++++++++++++----
 gtk/spice-client.h  |  2 ++
 2 files changed, 16 insertions(+), 4 deletions(-)

Patch hide | download patch | download mbox

diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
index 4e7d8b7..fbe3ab1 100644
--- a/gtk/spice-channel.c
+++ b/gtk/spice-channel.c
@@ -1051,7 +1051,8 @@  static void spice_channel_send_spice_ticket(SpiceChannel *channel)
 }
 
 /* coroutine context */
-static void spice_channel_failed_authentication(SpiceChannel *channel)
+static void spice_channel_failed_authentication(SpiceChannel *channel,
+                                                gboolean invalidPassword)
 {
     SpiceChannelPrivate *c = channel->priv;
 
@@ -1060,6 +1061,11 @@  static void spice_channel_failed_authentication(SpiceChannel *channel)
                             SPICE_CLIENT_ERROR,
                             SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD_AND_USERNAME,
                             _("Authentication failed: password and username are required"));
+    else if (invalidPassword)
+        g_set_error_literal(&c->error,
+                            SPICE_CLIENT_ERROR,
+                            SPICE_CLIENT_ERROR_AUTH_INVALID_PASSWORD,
+                            _("Authentication failed: password is too long"));
     else
         g_set_error_literal(&c->error,
                             SPICE_CLIENT_ERROR,
@@ -1086,9 +1092,13 @@  static gboolean spice_channel_recv_auth(SpiceChannel *channel)
         return FALSE;
     }
 
-    if (link_res != SPICE_LINK_ERR_OK) {
+    if (link_res == SPICE_LINK_ERR_INVALID_PASSWORD) {
+        CHANNEL_DEBUG(channel, "link result: invalid password");
+        spice_channel_failed_authentication(channel, TRUE);
+        return FALSE;
+    } if (link_res != SPICE_LINK_ERR_OK) {
         CHANNEL_DEBUG(channel, "link result: reply %d", link_res);
-        spice_channel_failed_authentication(channel);
+        spice_channel_failed_authentication(channel, FALSE);
         return FALSE;
     }
 
@@ -1662,7 +1672,7 @@  error:
     if (saslconn)
         sasl_dispose(&saslconn);
 
-    spice_channel_failed_authentication(channel);
+    spice_channel_failed_authentication(channel, FALSE);
     ret = FALSE;
 
 cleanup:
diff --git a/gtk/spice-client.h b/gtk/spice-client.h
index c2474d1..58d1f76 100644
--- a/gtk/spice-client.h
+++ b/gtk/spice-client.h
@@ -60,6 +60,7 @@  G_BEGIN_DECLS
  * @SPICE_CLIENT_USB_DEVICE_LOST: usb device disconnected (fatal IO error)
  * @SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD: password is required
  * @SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD_AND_USERNAME: password and username are required
+ * @SPICE_CLIENT_ERROR_AUTH_INVALID_PASSWORD: password is too long
  *
  * Error codes returned by spice-client API.
  */
@@ -70,6 +71,7 @@  typedef enum
     SPICE_CLIENT_USB_DEVICE_LOST,
     SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD,
     SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD_AND_USERNAME,
+    SPICE_CLIENT_ERROR_AUTH_INVALID_PASSWORD,
 } SpiceClientError;
 
 GQuark spice_client_error_quark(void);

Comments

Hey,

I think you should report an error somehow in
spice_channel_send_spice_ticket() if SpiceSession::password is too
long.

Christophe

On Fri, May 22, 2015 at 06:12:35PM +0200, C├ędric Bosdonnat wrote:
> Provide a special authentication error message for too long passwords.
> ---
>  Note: this patch needs a pending one for spice-common. submodule will
>  need to be updated.
> 
>  gtk/spice-channel.c | 18 ++++++++++++++----
>  gtk/spice-client.h  |  2 ++
>  2 files changed, 16 insertions(+), 4 deletions(-)
> 
> diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
> index 4e7d8b7..fbe3ab1 100644
> --- a/gtk/spice-channel.c
> +++ b/gtk/spice-channel.c
> @@ -1051,7 +1051,8 @@ static void spice_channel_send_spice_ticket(SpiceChannel *channel)
>  }
>  
>  /* coroutine context */
> -static void spice_channel_failed_authentication(SpiceChannel *channel)
> +static void spice_channel_failed_authentication(SpiceChannel *channel,
> +                                                gboolean invalidPassword)
>  {
>      SpiceChannelPrivate *c = channel->priv;
>  
> @@ -1060,6 +1061,11 @@ static void spice_channel_failed_authentication(SpiceChannel *channel)
>                              SPICE_CLIENT_ERROR,
>                              SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD_AND_USERNAME,
>                              _("Authentication failed: password and username are required"));
> +    else if (invalidPassword)
> +        g_set_error_literal(&c->error,
> +                            SPICE_CLIENT_ERROR,
> +                            SPICE_CLIENT_ERROR_AUTH_INVALID_PASSWORD,
> +                            _("Authentication failed: password is too long"));
>      else
>          g_set_error_literal(&c->error,
>                              SPICE_CLIENT_ERROR,
> @@ -1086,9 +1092,13 @@ static gboolean spice_channel_recv_auth(SpiceChannel *channel)
>          return FALSE;
>      }
>  
> -    if (link_res != SPICE_LINK_ERR_OK) {
> +    if (link_res == SPICE_LINK_ERR_INVALID_PASSWORD) {
> +        CHANNEL_DEBUG(channel, "link result: invalid password");
> +        spice_channel_failed_authentication(channel, TRUE);
> +        return FALSE;
> +    } if (link_res != SPICE_LINK_ERR_OK) {
>          CHANNEL_DEBUG(channel, "link result: reply %d", link_res);
> -        spice_channel_failed_authentication(channel);
> +        spice_channel_failed_authentication(channel, FALSE);
>          return FALSE;
>      }
>  
> @@ -1662,7 +1672,7 @@ error:
>      if (saslconn)
>          sasl_dispose(&saslconn);
>  
> -    spice_channel_failed_authentication(channel);
> +    spice_channel_failed_authentication(channel, FALSE);
>      ret = FALSE;
>  
>  cleanup:
> diff --git a/gtk/spice-client.h b/gtk/spice-client.h
> index c2474d1..58d1f76 100644
> --- a/gtk/spice-client.h
> +++ b/gtk/spice-client.h
> @@ -60,6 +60,7 @@ G_BEGIN_DECLS
>   * @SPICE_CLIENT_USB_DEVICE_LOST: usb device disconnected (fatal IO error)
>   * @SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD: password is required
>   * @SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD_AND_USERNAME: password and username are required
> + * @SPICE_CLIENT_ERROR_AUTH_INVALID_PASSWORD: password is too long
>   *
>   * Error codes returned by spice-client API.
>   */
> @@ -70,6 +71,7 @@ typedef enum
>      SPICE_CLIENT_USB_DEVICE_LOST,
>      SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD,
>      SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD_AND_USERNAME,
> +    SPICE_CLIENT_ERROR_AUTH_INVALID_PASSWORD,
>  } SpiceClientError;
>  
>  GQuark spice_client_error_quark(void);
> -- 
> 2.1.4
> 
> _______________________________________________
> Spice-devel mailing list
> Spice-devel@lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/spice-devel
On Tue, May 26, 2015 at 04:14:02PM +0200, Christophe Fergeau wrote:
> Hey,
> 
> I think you should report an error somehow in
> spice_channel_send_spice_ticket() if SpiceSession::password is too
> long.

Hmm looking at this some more, things seem messy :(
The on-wire encrypted password seems to have a max length (see
reds_get_spice_ticket() in server/reds.c).
spice_channel_send_spice_ticket() in spice-gtk also has a comment saying
/* The use of RSA encryption limit the potential maximum password
   length.
   For RSA_PKCS1_OAEP_PADDING it is RSA_size(rsa) - 41.
 */
so some 'password too long' check would be nice to have before sending
too much data on the wire on the spice-gtk side.

Christophe