From af4ef42fa5c2f51e2cac37e196f8f4426b2ba0db Mon Sep 17 00:00:00 2001 From: Havoc Pennington Date: Fri, 31 Jan 2003 01:31:00 +0000 Subject: 2003-01-30 Havoc Pennington * dbus/dbus-auth.c: rework to use only REJECTED, no MECHANISMS * doc/dbus-sasl-profile.txt: drop MECHANISMS and just use REJECTED, suggested by Mark McLoughlin --- doc/dbus-sasl-profile.txt | 50 ++++++++++++++++++++--------------------------- 1 file changed, 21 insertions(+), 29 deletions(-) (limited to 'doc/dbus-sasl-profile.txt') diff --git a/doc/dbus-sasl-profile.txt b/doc/dbus-sasl-profile.txt index c2e8cd77..be97a8df 100644 --- a/doc/dbus-sasl-profile.txt +++ b/doc/dbus-sasl-profile.txt @@ -42,9 +42,7 @@ Commands from the client to the server are as follows: From server to client are as follows: - MECHANISMS - - REJECTED + REJECTED OK @@ -52,7 +50,6 @@ From server to client are as follows: ERROR - Special credentials-passing nul byte === 
@@ -76,26 +73,23 @@ SASL mechanism EXTERNAL. AUTH Command === - If an AUTH command has no arguments, it is a request to list - available mechanisms. The server SHOULD respond with a MECHANISMS - command listing the mechanisms it understands. + If an AUTH command has no arguments, it is a request to list + available mechanisms. The server SHOULD respond with a REJECTED + command listing the mechanisms it understands. If an AUTH command specifies a mechanism, and the server supports said mechanism, the server SHOULD begin exchanging SASL challenge-response data with the client using DATA commands. If the server does not support the mechanism given in the AUTH - command, it SHOULD send a MECHANISMS command listing the mechanisms - it does support. A MECHANISMS command implies that any - authentication in progress was rejected, as if REJECTED were also - sent. A server MAY send a REJECTED command instead of a MECHANISMS - command, though this is unhelpful. + command, it SHOULD send a REJECTED command listing the mechanisms + it does support. If the [initial-response] argument is provided, it is intended for use with mechanisms that have no initial challenge (or an empty initial challenge), as if it were the argument to an initial DATA command. If the selected mechanism has an initial challenge, the - server should reject authentication (send MECHANISMS or REJECTED). + server should reject authentication by sending REJECTED. If authentication succeeds after exchanging DATA commands, an OK command should be sent to the client. 
@@ -111,10 +105,10 @@ AUTH Command CANCEL Command === - At any time up to sending the BEGIN command, the client may - send a CANCEL command. On receiving the CANCEL command, the - server MUST send a REJECTED or MECHANISMS command and abort the - current authentication exchange. + At any time up to sending the BEGIN command, the client may send a + CANCEL command. On receiving the CANCEL command, the server MUST + send a REJECTED command and abort the current authentication + exchange. DATA Command === @@ -134,14 +128,6 @@ BEGIN Command command from the client MUST be the first octet of the authenticated/encrypted stream of D-BUS messages. -MECHANISMS Command -=== - - The MECHANISMS command has a space-separated list of - available auth mechanisms as arguments. The MECHANISMS command - implies REJECTED if an authentication exchange is in progress; - the current exchange MUST be considered rejected. - REJECTED Command === @@ -150,6 +136,12 @@ REJECTED Command The client would normally try another mechanism, or try providing different responses to challenges. + Optionally, the REJECTED command has a space-separated list of + available auth mechanisms as arguments. If a server ever provides + a list of supported mechanisms, it MUST provide the same list + each time it sends a REJECTED message. Clients are free to + ignore all lists received after the first. + OK Command === @@ -193,7 +185,7 @@ Example of finding out mechanisms then picking one === C: AUTH - S: MECHANISMS KERBEROS_V4 SKEY + S: REJECTED KERBEROS_V4 SKEY C: AUTH SKEY bW9yZ2Fu S: DATA OTUgUWE1ODMwOA== C: DATA Rk9VUiBNQU5OIFNPT04gRklSIFZBUlkgTUFTSA== @@ -213,7 +205,7 @@ Example of server doesn't support initial auth mechanism === C: AUTH MAGIC_COOKIE BsAY3g4gBNo= - S: MECHANISMS KERBEROS_V4 SKEY + S: REJECTED KERBEROS_V4 SKEY C: AUTH SKEY bW9yZ2Fu S: DATA OTUgUWE1ODMwOA== C: DATA Rk9VUiBNQU5OIFNPT04gRklSIFZBUlkgTUFTSA== 
@@ -224,7 +216,7 @@ Example of wrong password or the like followed by successful retry === C: AUTH MAGIC_COOKIE BsAY3g4gBNo= - S: MECHANISMS KERBEROS_V4 SKEY + S: REJECTED KERBEROS_V4 SKEY C: AUTH SKEY bW9yZ2Fu S: DATA OTUgUWE1ODMwOA== C: DATA Rk9VUiBNQU5OIFNPT04gRklSIFZBUlkgTUFTSA== @@ -239,7 +231,7 @@ Example of skey canceled and restarted === C: AUTH MAGIC_COOKIE BsAY3g4gBNo= - S: MECHANISMS KERBEROS_V4 SKEY + S: REJECTED KERBEROS_V4 SKEY C: AUTH SKEY bW9yZ2Fu S: DATA OTUgUWE1ODMwOA== C: CANCEL -- cgit
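Review bot: In the AUTH Command hunk (@@ -76,26 +73,23 @@), the argument-less AUTH case now relies on REJECTED carrying the mechanism list, but the REJECTED Command hunk later in this patch makes that list only "Optionally" present, so a conforming server could answer a mechanism query with a bare REJECTED and the client learns nothing. Suggest tightening the new text to "The server SHOULD respond with a REJECTED command that MUST list the mechanisms it understands" (or equivalent) so the list is mandatory in this one reply. It is also worth one sentence here noting that a REJECTED sent in reply to an argument-less AUTH does not indicate a failed authentication attempt, since REJECTED is otherwise defined as aborting the current exchange; without that, an implementation that logs or counts REJECTED as an authentication failure will misclassify every mechanism query.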
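Review bot: In the REJECTED Command hunk (@@ -150,6 +136,12 @@), the new requirement "it MUST provide the same list each time it sends a REJECTED message" has no client-side counterpart: the text should say what a client does when a later list differs from the first (treat it as a protocol error and disconnect, or simply ignore it as the following sentence already permits), otherwise the MUST is unenforceable. The opening "If a server ever provides a list" also leaves a REJECTED with no arguments ambiguous between "no list in this message" and "no mechanisms supported"; suggest adding "A REJECTED command with no arguments carries no information about which mechanisms are supported." Note too that all four example hunks show REJECTED with the same "KERBEROS_V4 SKEY" list, which is consistent with the same-list rule, but none shows the no-argument form this paragraph allows; one example of a bare REJECTED (for instance in the wrong-password example) would make the optional case concrete.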