25 #include "dbus-auth.h"
26 #include "dbus-string.h"
27 #include "dbus-list.h"
28 #include "dbus-internals.h"
29 #include "dbus-keyring.h"
31 #include "dbus-protocol.h"
32 #include "dbus-credentials.h"
120 DBUS_AUTH_COMMAND_AUTH,
121 DBUS_AUTH_COMMAND_CANCEL,
122 DBUS_AUTH_COMMAND_DATA,
123 DBUS_AUTH_COMMAND_BEGIN,
124 DBUS_AUTH_COMMAND_REJECTED,
125 DBUS_AUTH_COMMAND_OK,
126 DBUS_AUTH_COMMAND_ERROR,
127 DBUS_AUTH_COMMAND_UNKNOWN,
128 DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD,
129 DBUS_AUTH_COMMAND_AGREE_UNIX_FD
223 static void goto_state (
DBusAuth *auth,
231 const char *message);
253 "WaitingForAuth", handle_server_state_waiting_for_auth
256 "WaitingForData", handle_server_state_waiting_for_data
259 "WaitingForBegin", handle_server_state_waiting_for_begin
283 "WaitingForData", handle_client_state_waiting_for_data
286 "WaitingForOK", handle_client_state_waiting_for_ok
289 "WaitingForReject", handle_client_state_waiting_for_reject
292 "WaitingForAgreeUnixFD", handle_client_state_waiting_for_agree_unix_fd
300 "Authenticated",
NULL
304 "NeedDisconnect",
NULL
307 static const char auth_side_client[] =
"client";
308 static const char auth_side_server[] =
"server";
313 #define DBUS_AUTH_IS_SERVER(auth) ((auth)->side == auth_side_server)
318 #define DBUS_AUTH_IS_CLIENT(auth) ((auth)->side == auth_side_client)
323 #define DBUS_AUTH_CLIENT(auth) ((DBusAuthClient*)(auth))
328 #define DBUS_AUTH_SERVER(auth) ((DBusAuthServer*)(auth))
335 #define DBUS_AUTH_NAME(auth) ((auth)->side)
338 _dbus_auth_new (
int size)
429 _dbus_verbose (
"%s: Shutting down mechanism %s\n",
516 #define N_CHALLENGE_BYTES (128/8)
519 sha1_handle_first_client_response (
DBusAuth *auth,
539 _dbus_verbose (
"%s: client tried to send auth identity, but we already have one\n",
541 return send_rejected (auth);
553 _dbus_verbose (
"%s: Did not get a valid username from client\n",
555 return send_rejected (auth);
596 _DBUS_ASSERT_ERROR_IS_SET (&error);
597 _dbus_verbose (
"%s: Error loading keyring: %s\n",
599 if (send_rejected (auth))
617 _DBUS_ASSERT_ERROR_IS_SET (&error);
618 _dbus_verbose (
"%s: Could not get a cookie ID to send to client: %s\n",
620 if (send_rejected (auth))
654 if (!send_data (auth, &tmp2))
657 goto_state (auth, &server_state_waiting_for_data);
670 sha1_handle_second_client_response (
DBusAuth *auth,
688 _dbus_verbose (
"%s: no space separator in client response\n",
690 return send_rejected (auth);
714 _dbus_verbose (
"%s: zero-length client challenge or hash\n",
716 if (send_rejected (auth))
724 if (!sha1_compute_hash (auth, auth->
cookie_id,
733 if (send_rejected (auth))
740 if (send_rejected (auth))
752 DBUS_CREDENTIAL_UNIX_PROCESS_ID,
759 _dbus_verbose (
"%s: authenticated client using DBUS_COOKIE_SHA1\n",
777 handle_server_data_cookie_sha1_mech (
DBusAuth *auth,
781 return sha1_handle_first_client_response (auth, data);
783 return sha1_handle_second_client_response (auth, data);
787 handle_server_shutdown_cookie_sha1_mech (
DBusAuth *auth)
794 handle_client_initial_response_cookie_sha1_mech (
DBusAuth *auth,
822 handle_client_data_cookie_sha1_mech (
DBusAuth *auth,
843 if (send_error (auth,
844 "Server did not send context/ID/challenge properly"))
859 if (send_error (auth,
860 "Server did not send context/ID/challenge properly"))
880 &server_challenge, 0))
885 if (send_error (auth,
"Server sent invalid cookie context"))
892 if (send_error (auth,
"Could not parse cookie ID as an integer"))
899 if (send_error (auth,
"Empty server challenge string"))
923 _DBUS_ASSERT_ERROR_IS_SET (&error);
925 _dbus_verbose (
"%s: Error loading keyring: %s\n",
928 if (send_error (auth,
"Could not load cookie file"))
958 if (!sha1_compute_hash (auth, val,
967 if (send_error (auth,
"Don't have the requested cookie ID"))
985 if (!send_data (auth, &tmp))
1009 handle_client_shutdown_cookie_sha1_mech (
DBusAuth *auth)
1020 handle_server_data_external_mech (
DBusAuth *auth,
1025 _dbus_verbose (
"%s: no credentials, mechanism EXTERNAL can't authenticate\n",
1027 return send_rejected (auth);
1035 _dbus_verbose (
"%s: client tried to send auth identity, but we already have one\n",
1037 return send_rejected (auth);
1051 if (send_data (auth,
NULL))
1053 _dbus_verbose (
"%s: sending empty challenge asking client for auth identity\n",
1056 goto_state (auth, &server_state_waiting_for_data);
1083 _dbus_verbose (
"%s: could not get credentials from uid string\n",
1085 return send_rejected (auth);
1091 _dbus_verbose (
"%s: desired user %s is no good\n",
1094 return send_rejected (auth);
1108 DBUS_CREDENTIAL_UNIX_PROCESS_ID,
1115 DBUS_CREDENTIAL_ADT_AUDIT_DATA_ID,
1119 if (!send_ok (auth))
1122 _dbus_verbose (
"%s: authenticated client based on socket credentials\n",
1129 _dbus_verbose (
"%s: desired identity not found in socket credentials\n",
1131 return send_rejected (auth);
1136 handle_server_shutdown_external_mech (
DBusAuth *auth)
1142 handle_client_initial_response_external_mech (
DBusAuth *auth,
1173 handle_client_data_external_mech (
DBusAuth *auth,
1181 handle_client_shutdown_external_mech (
DBusAuth *auth)
1191 handle_server_data_anonymous_mech (
DBusAuth *auth,
1203 _dbus_verbose (
"%s: Received invalid UTF-8 trace data from ANONYMOUS client\n",
1205 return send_rejected (auth);
1208 _dbus_verbose (
"%s: ANONYMOUS client sent trace string: '%s'\n",
1219 DBUS_CREDENTIAL_UNIX_PROCESS_ID,
1224 if (!send_ok (auth))
1227 _dbus_verbose (
"%s: authenticated client as anonymous\n",
1234 handle_server_shutdown_anonymous_mech (
DBusAuth *auth)
1240 handle_client_initial_response_anonymous_mech (
DBusAuth *auth,
1273 handle_client_data_anonymous_mech (
DBusAuth *auth,
1281 handle_client_shutdown_anonymous_mech (
DBusAuth *auth)
1298 all_mechanisms[] = {
1300 handle_server_data_external_mech,
1302 handle_server_shutdown_external_mech,
1303 handle_client_initial_response_external_mech,
1304 handle_client_data_external_mech,
1306 handle_client_shutdown_external_mech },
1307 {
"DBUS_COOKIE_SHA1",
1308 handle_server_data_cookie_sha1_mech,
1310 handle_server_shutdown_cookie_sha1_mech,
1311 handle_client_initial_response_cookie_sha1_mech,
1312 handle_client_data_cookie_sha1_mech,
1314 handle_client_shutdown_cookie_sha1_mech },
1316 handle_server_data_anonymous_mech,
1318 handle_server_shutdown_anonymous_mech,
1319 handle_client_initial_response_anonymous_mech,
1320 handle_client_data_anonymous_mech,
1322 handle_client_shutdown_anonymous_mech },
1328 char **allowed_mechs)
1332 if (allowed_mechs !=
NULL &&
1338 while (all_mechanisms[i].mechanism !=
NULL)
1341 all_mechanisms[i].mechanism))
1343 return &all_mechanisms[i];
1404 shutdown_mech (auth);
1406 goto_state (auth, &client_state_waiting_for_data);
1455 while (all_mechanisms[i].mechanism !=
NULL)
1462 all_mechanisms[i].mechanism))
1475 shutdown_mech (auth);
1482 goto_state (auth, &common_state_need_disconnect);
1484 goto_state (auth, &server_state_waiting_for_auth);
1496 send_error (
DBusAuth *auth,
const char *message)
1499 "ERROR \"%s\"\r\n", message);
1516 goto_state (auth, &server_state_waiting_for_begin);
1534 goto_state (auth, &common_state_authenticated);
1560 _dbus_verbose (
"Bad GUID from server, parsed %d bytes and had %d bytes from server\n",
1562 goto_state (auth, &common_state_need_disconnect);
1571 _dbus_verbose (
"Got GUID '%s' from the server\n",
1575 return send_negotiate_unix_fd(auth);
1577 _dbus_verbose(
"Not negotiating unix fd passing, since not possible\n");
1578 return send_begin (auth);
1586 goto_state (auth, &client_state_waiting_for_reject);
1613 if (!send_error (auth,
"Invalid hex encoding"))
1619 #ifdef DBUS_ENABLE_VERBOSE_MODE
1622 _dbus_verbose (
"%s: data: '%s'\n",
1627 if (!(* data_func) (auth, &decoded))
1638 send_negotiate_unix_fd (
DBusAuth *auth)
1641 "NEGOTIATE_UNIX_FD\r\n"))
1644 goto_state (auth, &client_state_waiting_for_agree_unix_fd);
1649 send_agree_unix_fd (
DBusAuth *auth)
1654 _dbus_verbose(
"Agreed to UNIX FD passing\n");
1657 "AGREE_UNIX_FD\r\n"))
1660 goto_state (auth, &server_state_waiting_for_begin);
1670 if (!send_rejected (auth))
1702 _dbus_verbose (
"%s: Trying mechanism %s\n",
1706 if (!process_data (auth, &hex_response,
1713 _dbus_verbose (
"%s: Unsupported mechanism %s\n",
1717 if (!send_rejected (auth))
1735 handle_server_state_waiting_for_auth (
DBusAuth *auth,
1741 case DBUS_AUTH_COMMAND_AUTH:
1742 return handle_auth (auth, args);
1744 case DBUS_AUTH_COMMAND_CANCEL:
1745 case DBUS_AUTH_COMMAND_DATA:
1746 return send_error (auth,
"Not currently in an auth conversation");
1748 case DBUS_AUTH_COMMAND_BEGIN:
1749 goto_state (auth, &common_state_need_disconnect);
1752 case DBUS_AUTH_COMMAND_ERROR:
1753 return send_rejected (auth);
1755 case DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD:
1756 return send_error (auth,
"Need to authenticate first");
1758 case DBUS_AUTH_COMMAND_REJECTED:
1759 case DBUS_AUTH_COMMAND_OK:
1760 case DBUS_AUTH_COMMAND_UNKNOWN:
1761 case DBUS_AUTH_COMMAND_AGREE_UNIX_FD:
1763 return send_error (auth,
"Unknown command");
1768 handle_server_state_waiting_for_data (
DBusAuth *auth,
1774 case DBUS_AUTH_COMMAND_AUTH:
1775 return send_error (auth,
"Sent AUTH while another AUTH in progress");
1777 case DBUS_AUTH_COMMAND_CANCEL:
1778 case DBUS_AUTH_COMMAND_ERROR:
1779 return send_rejected (auth);
1781 case DBUS_AUTH_COMMAND_DATA:
1784 case DBUS_AUTH_COMMAND_BEGIN:
1785 goto_state (auth, &common_state_need_disconnect);
1788 case DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD:
1789 return send_error (auth,
"Need to authenticate first");
1791 case DBUS_AUTH_COMMAND_REJECTED:
1792 case DBUS_AUTH_COMMAND_OK:
1793 case DBUS_AUTH_COMMAND_UNKNOWN:
1794 case DBUS_AUTH_COMMAND_AGREE_UNIX_FD:
1796 return send_error (auth,
"Unknown command");
1801 handle_server_state_waiting_for_begin (
DBusAuth *auth,
1807 case DBUS_AUTH_COMMAND_AUTH:
1808 return send_error (auth,
"Sent AUTH while expecting BEGIN");
1810 case DBUS_AUTH_COMMAND_DATA:
1811 return send_error (auth,
"Sent DATA while expecting BEGIN");
1813 case DBUS_AUTH_COMMAND_BEGIN:
1814 goto_state (auth, &common_state_authenticated);
1817 case DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD:
1819 return send_agree_unix_fd(auth);
1821 return send_error(auth,
"Unix FD passing not supported, not authenticated or otherwise not possible");
1823 case DBUS_AUTH_COMMAND_REJECTED:
1824 case DBUS_AUTH_COMMAND_OK:
1825 case DBUS_AUTH_COMMAND_UNKNOWN:
1826 case DBUS_AUTH_COMMAND_AGREE_UNIX_FD:
1828 return send_error (auth,
"Unknown command");
1830 case DBUS_AUTH_COMMAND_CANCEL:
1831 case DBUS_AUTH_COMMAND_ERROR:
1832 return send_rejected (auth);
1879 if (!get_word (args, &next, &m))
1898 if (mech != &all_mechanisms[0])
1900 _dbus_verbose (
"%s: Adding mechanism %s to list we will try\n",
1912 _dbus_verbose (
"%s: Already tried mechanism %s; not adding to list we will try\n",
1918 _dbus_verbose (
"%s: Server offered mechanism \"%s\" that we don't know how to use\n",
1946 if (!record_mechanisms (auth, args))
1954 if (!send_auth (auth, mech))
1959 _dbus_verbose (
"%s: Trying mechanism %s\n",
1966 _dbus_verbose (
"%s: Disconnecting because we are out of mechanisms to try using\n",
1968 goto_state (auth, &common_state_need_disconnect);
1976 handle_client_state_waiting_for_data (
DBusAuth *auth,
1984 case DBUS_AUTH_COMMAND_DATA:
1987 case DBUS_AUTH_COMMAND_REJECTED:
1988 return process_rejected (auth, args);
1990 case DBUS_AUTH_COMMAND_OK:
1991 return process_ok(auth, args);
1993 case DBUS_AUTH_COMMAND_ERROR:
1994 return send_cancel (auth);
1996 case DBUS_AUTH_COMMAND_AUTH:
1997 case DBUS_AUTH_COMMAND_CANCEL:
1998 case DBUS_AUTH_COMMAND_BEGIN:
1999 case DBUS_AUTH_COMMAND_UNKNOWN:
2000 case DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD:
2001 case DBUS_AUTH_COMMAND_AGREE_UNIX_FD:
2003 return send_error (auth,
"Unknown command");
2008 handle_client_state_waiting_for_ok (
DBusAuth *auth,
2014 case DBUS_AUTH_COMMAND_REJECTED:
2015 return process_rejected (auth, args);
2017 case DBUS_AUTH_COMMAND_OK:
2018 return process_ok(auth, args);
2020 case DBUS_AUTH_COMMAND_DATA:
2021 case DBUS_AUTH_COMMAND_ERROR:
2022 return send_cancel (auth);
2024 case DBUS_AUTH_COMMAND_AUTH:
2025 case DBUS_AUTH_COMMAND_CANCEL:
2026 case DBUS_AUTH_COMMAND_BEGIN:
2027 case DBUS_AUTH_COMMAND_UNKNOWN:
2028 case DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD:
2029 case DBUS_AUTH_COMMAND_AGREE_UNIX_FD:
2031 return send_error (auth,
"Unknown command");
2036 handle_client_state_waiting_for_reject (
DBusAuth *auth,
2042 case DBUS_AUTH_COMMAND_REJECTED:
2043 return process_rejected (auth, args);
2045 case DBUS_AUTH_COMMAND_AUTH:
2046 case DBUS_AUTH_COMMAND_CANCEL:
2047 case DBUS_AUTH_COMMAND_DATA:
2048 case DBUS_AUTH_COMMAND_BEGIN:
2049 case DBUS_AUTH_COMMAND_OK:
2050 case DBUS_AUTH_COMMAND_ERROR:
2051 case DBUS_AUTH_COMMAND_UNKNOWN:
2052 case DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD:
2053 case DBUS_AUTH_COMMAND_AGREE_UNIX_FD:
2055 goto_state (auth, &common_state_need_disconnect);
2061 handle_client_state_waiting_for_agree_unix_fd(
DBusAuth *auth,
2067 case DBUS_AUTH_COMMAND_AGREE_UNIX_FD:
2070 _dbus_verbose(
"Sucessfully negotiated UNIX FD passing\n");
2071 return send_begin (auth);
2073 case DBUS_AUTH_COMMAND_ERROR:
2076 _dbus_verbose(
"Failed to negotiate UNIX FD passing\n");
2077 return send_begin (auth);
2079 case DBUS_AUTH_COMMAND_OK:
2080 case DBUS_AUTH_COMMAND_DATA:
2081 case DBUS_AUTH_COMMAND_REJECTED:
2082 case DBUS_AUTH_COMMAND_AUTH:
2083 case DBUS_AUTH_COMMAND_CANCEL:
2084 case DBUS_AUTH_COMMAND_BEGIN:
2085 case DBUS_AUTH_COMMAND_UNKNOWN:
2086 case DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD:
2088 return send_error (auth,
"Unknown command");
2101 {
"AUTH", DBUS_AUTH_COMMAND_AUTH },
2102 {
"CANCEL", DBUS_AUTH_COMMAND_CANCEL },
2103 {
"DATA", DBUS_AUTH_COMMAND_DATA },
2104 {
"BEGIN", DBUS_AUTH_COMMAND_BEGIN },
2105 {
"REJECTED", DBUS_AUTH_COMMAND_REJECTED },
2106 {
"OK", DBUS_AUTH_COMMAND_OK },
2107 {
"ERROR", DBUS_AUTH_COMMAND_ERROR },
2108 {
"NEGOTIATE_UNIX_FD", DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD },
2109 {
"AGREE_UNIX_FD", DBUS_AUTH_COMMAND_AGREE_UNIX_FD }
2113 lookup_command_from_name (
DBusString *command)
2120 auth_command_names[i].name))
2121 return auth_command_names[i].command;
2124 return DBUS_AUTH_COMMAND_UNKNOWN;
2131 _dbus_verbose (
"%s: going from state %s to state %s\n",
2136 auth->
state = state;
2177 _dbus_verbose (
"%s: Command contained non-ASCII chars or embedded nul\n",
2179 if (!send_error (auth,
"Command contained non-ASCII"))
2185 _dbus_verbose (
"%s: got command \"%s\"\n",
2202 command = lookup_command_from_name (&line);
2269 auth->
side = auth_side_server;
2270 auth->
state = &server_state_waiting_for_auth;
2274 server_auth->
guid = guid_copy;
2310 auth->
side = auth_side_client;
2311 auth->
state = &client_state_need_send_auth;
2315 if (!send_auth (auth, &all_mechanisms[0]))
2354 shutdown_mech (auth);
2397 const char **mechanisms)
2401 if (mechanisms !=
NULL)
2421 #define DBUS_AUTH_IN_END_STATE(auth) ((auth)->state->handler == NULL)
2436 #define MAX_BUFFER (16 * _DBUS_ONE_KILOBYTE)
2446 goto_state (auth, &common_state_need_disconnect);
2447 _dbus_verbose (
"%s: Disconnecting due to excessive data buffered in auth phase\n",
2452 while (process_command (auth));
2455 return DBUS_AUTH_STATE_WAITING_FOR_MEMORY;
2457 return DBUS_AUTH_STATE_HAVE_BYTES_TO_SEND;
2458 else if (auth->
state == &common_state_need_disconnect)
2459 return DBUS_AUTH_STATE_NEED_DISCONNECT;
2460 else if (auth->
state == &common_state_authenticated)
2461 return DBUS_AUTH_STATE_AUTHENTICATED;
2462 else return DBUS_AUTH_STATE_WAITING_FOR_INPUT;
2503 _dbus_verbose (
"%s: Sent %d bytes of: %s\n",
2595 if (auth->
state != &common_state_authenticated)
2626 if (auth->
state != &common_state_authenticated)
2654 if (auth->
state != &common_state_authenticated)
2689 if (auth->
state != &common_state_authenticated)
2735 if (auth->
state == &common_state_authenticated)
2761 if (auth->
state == &common_state_authenticated)