On Thu, Nov 21, 2013 at 04:45:32PM -0700, Eric Blake wrote: > On 11/21/2013 10:56 AM, Christophe Fergeau wrote: > > With some authentication mechanism (PLAIN for example), sasl_client_start() > > can return SASL_OK, which translates to virNetSASLSessionClientStart() > > returning VIR_NET_SASL_COMPLETE. > > cyrus-sasl documentation is a bit vague as to what to do in such situation, > > but upstream clarified this a bit in > > http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=10104 > > > > When we got VIR_NET_SASL_COMPLETE after virNetSASLSessionClientStart() and > > if the remote also tells us that authentication is complete, then we should > > end the authentication procedure rather than forcing a call to > > virNetSASLSessionClientStep(). Without this patch, when trying to use SASL > > PLAIN, I get: > > error :authentication failed : Failed to step SASL negotiation: -1 > > (SASL(-1): generic failure: Unable to find a callback: 32775) > > > > This patch is based on a spice-gtk patch by Dietmar Maurer. > > --- > > src/remote/remote_driver.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c > > index 7181949..e15eeaf 100644 > > --- a/src/remote/remote_driver.c > > +++ b/src/remote/remote_driver.c > > @@ -4125,6 +4125,9 @@ remoteAuthSASL(virConnectPtr conn, struct private_data *priv, > > * Even if the server has completed, the client must *always* do at least one step > > * in this loop to verify the server isn't lying about something. Mutual auth */ > > This code comment is now stale. Can you touch it up? I've changed it to: /* Loop-the-loop... * Even if the server has completed, the client must loop until sasl_client_start() or * sasl_client_step() return SASL_OK to verify the server isn't lying * about something. Mutual auth * */ Christophe
Attachment:
pgp6Hr2UztgOi.pgp
Description: PGP signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list