sd-bus: fix SASL reply to empty AUTH

The correct way to reply to "AUTH <protocol>" without any payload is to
send "DATA" rather than "OK". The "DATA" reply triggers the client to
respond with the requested payload.

In fact, adding the data as hex-encoded argument like
"AUTH <protocol> <hex-data>" is an optimization that skips the "DATA"
roundtrip. The standard way to perform an authentication is to send the
"DATA" line.

This commit fixes sd-bus to properly send the "DATA" line. Surprisingly
no existing implementation depends on this, as they all pass the data
directly as argument to "AUTH". This will not work if we want to pass
an empty argument, though.

Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>

diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c
index 8ee925014230b177071edcf12edfa37a602b86d8..fd85960a41dd73da88138f8fa686f88e1f9b5643 100644 (file)
--- a/src/libsystemd/sd-bus/bus-socket.c
+++ b/src/libsystemd/sd-bus/bus-socket.c
@@ -395,7 +395,10 @@ static int bus_socket_auth_verify_server(sd_bus *b) {
                                 r = bus_socket_auth_write(b, "REJECTED\r\n");
                         else {
                                 b->auth = BUS_AUTH_ANONYMOUS;
-                                r = bus_socket_auth_write_ok(b);
+                                if (l <= strlen("AUTH ANONYMOUS"))
+                                        r = bus_socket_auth_write(b, "DATA\r\n");
+                                else
+                                        r = bus_socket_auth_write_ok(b);
                         }
 
                 } else if (line_begins(line, l, "AUTH EXTERNAL")) {
@@ -409,7 +412,10 @@ static int bus_socket_auth_verify_server(sd_bus *b) {
                                 r = bus_socket_auth_write(b, "REJECTED\r\n");
                         else {
                                 b->auth = BUS_AUTH_EXTERNAL;
-                                r = bus_socket_auth_write_ok(b);
+                                if (l <= strlen("AUTH EXTERNAL"))
+                                        r = bus_socket_auth_write(b, "DATA\r\n");
+                                else
+                                        r = bus_socket_auth_write_ok(b);
                         }
 
                 } else if (line_begins(line, l, "AUTH"))