25 #include "dbus-auth.h"
26 #include "dbus-string.h"
27 #include "dbus-list.h"
28 #include "dbus-internals.h"
29 #include "dbus-keyring.h"
31 #include "dbus-protocol.h"
32 #include "dbus-credentials.h"
120 DBUS_AUTH_COMMAND_AUTH,
121 DBUS_AUTH_COMMAND_CANCEL,
122 DBUS_AUTH_COMMAND_DATA,
123 DBUS_AUTH_COMMAND_BEGIN,
124 DBUS_AUTH_COMMAND_REJECTED,
125 DBUS_AUTH_COMMAND_OK,
126 DBUS_AUTH_COMMAND_ERROR,
127 DBUS_AUTH_COMMAND_UNKNOWN,
128 DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD,
129 DBUS_AUTH_COMMAND_AGREE_UNIX_FD
223 static void goto_state (
DBusAuth *auth,
231 const char *message);
253 "WaitingForAuth", handle_server_state_waiting_for_auth
256 "WaitingForData", handle_server_state_waiting_for_data
259 "WaitingForBegin", handle_server_state_waiting_for_begin
283 "WaitingForData", handle_client_state_waiting_for_data
289 "WaitingForOK", handle_client_state_waiting_for_ok
292 "WaitingForReject", handle_client_state_waiting_for_reject
295 "WaitingForAgreeUnixFD", handle_client_state_waiting_for_agree_unix_fd
303 "Authenticated",
NULL
307 "NeedDisconnect",
NULL
310 static const char auth_side_client[] =
"client";
311 static const char auth_side_server[] =
"server";
316 #define DBUS_AUTH_IS_SERVER(auth) ((auth)->side == auth_side_server)
321 #define DBUS_AUTH_IS_CLIENT(auth) ((auth)->side == auth_side_client)
326 #define DBUS_AUTH_CLIENT(auth) ((DBusAuthClient*)(auth))
331 #define DBUS_AUTH_SERVER(auth) ((DBusAuthServer*)(auth))
338 #define DBUS_AUTH_NAME(auth) ((auth)->side)
341 _dbus_auth_new (
int size)
432 _dbus_verbose (
"%s: Shutting down mechanism %s\n",
519 #define N_CHALLENGE_BYTES (128/8)
522 sha1_handle_first_client_response (
DBusAuth *auth,
541 _dbus_verbose (
"%s: client tried to send auth identity, but we already have one\n",
543 return send_rejected (auth);
555 _dbus_verbose (
"%s: Did not get a valid username from client\n",
557 return send_rejected (auth);
589 _dbus_verbose (
"%s: client tried to authenticate as \"%s\", "
590 "but that doesn't match this process",
593 retval = send_rejected (auth);
625 _DBUS_ASSERT_ERROR_IS_SET (&error);
626 _dbus_verbose (
"%s: Error loading keyring: %s\n",
628 if (send_rejected (auth))
645 _DBUS_ASSERT_ERROR_IS_SET (&error);
646 _dbus_verbose (
"%s: Could not get a cookie ID to send to client: %s\n",
648 if (send_rejected (auth))
680 _DBUS_ASSERT_ERROR_IS_SET (&error);
681 _dbus_verbose (
"%s: Error generating challenge: %s\n",
683 if (send_rejected (auth))
699 if (!send_data (auth, &tmp2))
702 goto_state (auth, &server_state_waiting_for_data);
718 sha1_handle_second_client_response (
DBusAuth *auth,
736 _dbus_verbose (
"%s: no space separator in client response\n",
738 return send_rejected (auth);
762 _dbus_verbose (
"%s: zero-length client challenge or hash\n",
764 if (send_rejected (auth))
772 if (!sha1_compute_hash (auth, auth->
cookie_id,
781 if (send_rejected (auth))
788 if (send_rejected (auth))
800 DBUS_CREDENTIAL_UNIX_PROCESS_ID,
807 _dbus_verbose (
"%s: authenticated client using DBUS_COOKIE_SHA1\n",
825 handle_server_data_cookie_sha1_mech (
DBusAuth *auth,
829 return sha1_handle_first_client_response (auth, data);
831 return sha1_handle_second_client_response (auth, data);
835 handle_server_shutdown_cookie_sha1_mech (
DBusAuth *auth)
842 handle_client_initial_response_cookie_sha1_mech (
DBusAuth *auth,
870 handle_client_data_cookie_sha1_mech (
DBusAuth *auth,
890 if (send_error (auth,
891 "Server did not send context/ID/challenge properly"))
906 if (send_error (auth,
907 "Server did not send context/ID/challenge properly"))
927 &server_challenge, 0))
932 if (send_error (auth,
"Server sent invalid cookie context"))
939 if (send_error (auth,
"Could not parse cookie ID as an integer"))
946 if (send_error (auth,
"Empty server challenge string"))
967 _DBUS_ASSERT_ERROR_IS_SET (&error);
969 _dbus_verbose (
"%s: Error loading keyring: %s\n",
972 if (send_error (auth,
"Could not load cookie file"))
999 _DBUS_ASSERT_ERROR_IS_SET (&error);
1001 _dbus_verbose (
"%s: Failed to generate challenge: %s\n",
1004 if (send_error (auth,
"Failed to generate challenge"))
1021 if (!sha1_compute_hash (auth, val,
1030 if (send_error (auth,
"Don't have the requested cookie ID"))
1048 if (!send_data (auth, &tmp))
1072 handle_client_shutdown_cookie_sha1_mech (
DBusAuth *auth)
1083 handle_server_data_external_mech (
DBusAuth *auth,
1088 _dbus_verbose (
"%s: no credentials, mechanism EXTERNAL can't authenticate\n",
1090 return send_rejected (auth);
1098 _dbus_verbose (
"%s: client tried to send auth identity, but we already have one\n",
1100 return send_rejected (auth);
1114 if (send_data (auth,
NULL))
1116 _dbus_verbose (
"%s: sending empty challenge asking client for auth identity\n",
1119 goto_state (auth, &server_state_waiting_for_data);
1146 _dbus_verbose (
"%s: could not get credentials from uid string\n",
1148 return send_rejected (auth);
1154 _dbus_verbose (
"%s: desired user %s is no good\n",
1157 return send_rejected (auth);
1171 DBUS_CREDENTIAL_UNIX_PROCESS_ID,
1176 DBUS_CREDENTIAL_ADT_AUDIT_DATA_ID,
1181 DBUS_CREDENTIAL_LINUX_SECURITY_LABEL,
1185 if (!send_ok (auth))
1188 _dbus_verbose (
"%s: authenticated client based on socket credentials\n",
1195 _dbus_verbose (
"%s: desired identity not found in socket credentials\n",
1197 return send_rejected (auth);
1202 handle_server_shutdown_external_mech (
DBusAuth *auth)
1208 handle_client_initial_response_external_mech (
DBusAuth *auth,
1239 handle_client_data_external_mech (
DBusAuth *auth,
1247 handle_client_shutdown_external_mech (
DBusAuth *auth)
1257 handle_server_data_anonymous_mech (
DBusAuth *auth,
1269 _dbus_verbose (
"%s: Received invalid UTF-8 trace data from ANONYMOUS client\n",
1271 return send_rejected (auth);
1274 _dbus_verbose (
"%s: ANONYMOUS client sent trace string: '%s'\n",
1285 DBUS_CREDENTIAL_UNIX_PROCESS_ID,
1290 if (!send_ok (auth))
1293 _dbus_verbose (
"%s: authenticated client as anonymous\n",
1300 handle_server_shutdown_anonymous_mech (
DBusAuth *auth)
1306 handle_client_initial_response_anonymous_mech (
DBusAuth *auth,
1339 handle_client_data_anonymous_mech (
DBusAuth *auth,
1347 handle_client_shutdown_anonymous_mech (
DBusAuth *auth)
1364 all_mechanisms[] = {
1366 handle_server_data_external_mech,
1368 handle_server_shutdown_external_mech,
1369 handle_client_initial_response_external_mech,
1370 handle_client_data_external_mech,
1372 handle_client_shutdown_external_mech },
1373 {
"DBUS_COOKIE_SHA1",
1374 handle_server_data_cookie_sha1_mech,
1376 handle_server_shutdown_cookie_sha1_mech,
1377 handle_client_initial_response_cookie_sha1_mech,
1378 handle_client_data_cookie_sha1_mech,
1380 handle_client_shutdown_cookie_sha1_mech },
1382 handle_server_data_anonymous_mech,
1384 handle_server_shutdown_anonymous_mech,
1385 handle_client_initial_response_anonymous_mech,
1386 handle_client_data_anonymous_mech,
1388 handle_client_shutdown_anonymous_mech },
1394 char **allowed_mechs)
1398 if (allowed_mechs !=
NULL &&
1404 while (all_mechanisms[i].mechanism !=
NULL)
1407 all_mechanisms[i].mechanism))
1409 return &all_mechanisms[i];
1470 shutdown_mech (auth);
1472 goto_state (auth, &client_state_waiting_for_data);
1533 all_mechanisms[i].mechanism))
1544 shutdown_mech (auth);
1551 goto_state (auth, &common_state_need_disconnect);
1553 goto_state (auth, &server_state_waiting_for_auth);
1565 send_error (
DBusAuth *auth,
const char *message)
1568 "ERROR \"%s\"\r\n", message);
1585 goto_state (auth, &server_state_waiting_for_begin);
1603 goto_state (auth, &common_state_authenticated);
1629 _dbus_verbose (
"Bad GUID from server, parsed %d bytes and had %d bytes from server\n",
1631 goto_state (auth, &common_state_need_disconnect);
1640 _dbus_verbose (
"Got GUID '%s' from the server\n",
1644 return send_negotiate_unix_fd(auth);
1646 _dbus_verbose(
"Not negotiating unix fd passing, since not possible\n");
1647 return send_begin (auth);
1655 goto_state (auth, &client_state_waiting_for_reject);
1682 if (!send_error (auth,
"Invalid hex encoding"))
1688 #ifdef DBUS_ENABLE_VERBOSE_MODE
1691 _dbus_verbose (
"%s: data: '%s'\n",
1696 if (!(* data_func) (auth, &decoded))
1707 send_negotiate_unix_fd (
DBusAuth *auth)
1710 "NEGOTIATE_UNIX_FD\r\n"))
1713 goto_state (auth, &client_state_waiting_for_agree_unix_fd);
1718 send_agree_unix_fd (
DBusAuth *auth)
1723 _dbus_verbose(
"Agreed to UNIX FD passing\n");
1726 "AGREE_UNIX_FD\r\n"))
1729 goto_state (auth, &server_state_waiting_for_begin);
1739 if (!send_rejected (auth))
1771 _dbus_verbose (
"%s: Trying mechanism %s\n",
1775 if (!process_data (auth, &hex_response,
1782 _dbus_verbose (
"%s: Unsupported mechanism %s\n",
1786 if (!send_rejected (auth))
1804 handle_server_state_waiting_for_auth (
DBusAuth *auth,
1810 case DBUS_AUTH_COMMAND_AUTH:
1811 return handle_auth (auth, args);
1813 case DBUS_AUTH_COMMAND_CANCEL:
1814 case DBUS_AUTH_COMMAND_DATA:
1815 return send_error (auth,
"Not currently in an auth conversation");
1817 case DBUS_AUTH_COMMAND_BEGIN:
1818 goto_state (auth, &common_state_need_disconnect);
1821 case DBUS_AUTH_COMMAND_ERROR:
1822 return send_rejected (auth);
1824 case DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD:
1825 return send_error (auth,
"Need to authenticate first");
1827 case DBUS_AUTH_COMMAND_REJECTED:
1828 case DBUS_AUTH_COMMAND_OK:
1829 case DBUS_AUTH_COMMAND_UNKNOWN:
1830 case DBUS_AUTH_COMMAND_AGREE_UNIX_FD:
1832 return send_error (auth,
"Unknown command");
1837 handle_server_state_waiting_for_data (
DBusAuth *auth,
1843 case DBUS_AUTH_COMMAND_AUTH:
1844 return send_error (auth,
"Sent AUTH while another AUTH in progress");
1846 case DBUS_AUTH_COMMAND_CANCEL:
1847 case DBUS_AUTH_COMMAND_ERROR:
1848 return send_rejected (auth);
1850 case DBUS_AUTH_COMMAND_DATA:
1853 case DBUS_AUTH_COMMAND_BEGIN:
1854 goto_state (auth, &common_state_need_disconnect);
1857 case DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD:
1858 return send_error (auth,
"Need to authenticate first");
1860 case DBUS_AUTH_COMMAND_REJECTED:
1861 case DBUS_AUTH_COMMAND_OK:
1862 case DBUS_AUTH_COMMAND_UNKNOWN:
1863 case DBUS_AUTH_COMMAND_AGREE_UNIX_FD:
1865 return send_error (auth,
"Unknown command");
1870 handle_server_state_waiting_for_begin (
DBusAuth *auth,
1876 case DBUS_AUTH_COMMAND_AUTH:
1877 return send_error (auth,
"Sent AUTH while expecting BEGIN");
1879 case DBUS_AUTH_COMMAND_DATA:
1880 return send_error (auth,
"Sent DATA while expecting BEGIN");
1882 case DBUS_AUTH_COMMAND_BEGIN:
1883 goto_state (auth, &common_state_authenticated);
1886 case DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD:
1888 return send_agree_unix_fd(auth);
1890 return send_error(auth,
"Unix FD passing not supported, not authenticated or otherwise not possible");
1892 case DBUS_AUTH_COMMAND_REJECTED:
1893 case DBUS_AUTH_COMMAND_OK:
1894 case DBUS_AUTH_COMMAND_UNKNOWN:
1895 case DBUS_AUTH_COMMAND_AGREE_UNIX_FD:
1897 return send_error (auth,
"Unknown command");
1899 case DBUS_AUTH_COMMAND_CANCEL:
1900 case DBUS_AUTH_COMMAND_ERROR:
1901 return send_rejected (auth);
1948 if (!get_word (args, &next, &m))
1967 if (mech != &all_mechanisms[0])
1969 _dbus_verbose (
"%s: Adding mechanism %s to list we will try\n",
1981 _dbus_verbose (
"%s: Already tried mechanism %s; not adding to list we will try\n",
1987 _dbus_verbose (
"%s: Server offered mechanism \"%s\" that we don't know how to use\n",
2015 if (!record_mechanisms (auth, args))
2023 if (!send_auth (auth, mech))
2028 _dbus_verbose (
"%s: Trying mechanism %s\n",
2035 _dbus_verbose (
"%s: Disconnecting because we are out of mechanisms to try using\n",
2037 goto_state (auth, &common_state_need_disconnect);
2045 handle_client_state_waiting_for_data (
DBusAuth *auth,
2053 case DBUS_AUTH_COMMAND_DATA:
2056 case DBUS_AUTH_COMMAND_REJECTED:
2057 return process_rejected (auth, args);
2059 case DBUS_AUTH_COMMAND_OK:
2060 return process_ok(auth, args);
2062 case DBUS_AUTH_COMMAND_ERROR:
2063 return send_cancel (auth);
2065 case DBUS_AUTH_COMMAND_AUTH:
2066 case DBUS_AUTH_COMMAND_CANCEL:
2067 case DBUS_AUTH_COMMAND_BEGIN:
2068 case DBUS_AUTH_COMMAND_UNKNOWN:
2069 case DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD:
2070 case DBUS_AUTH_COMMAND_AGREE_UNIX_FD:
2072 return send_error (auth,
"Unknown command");
2077 handle_client_state_waiting_for_ok (
DBusAuth *auth,
2083 case DBUS_AUTH_COMMAND_REJECTED:
2084 return process_rejected (auth, args);
2086 case DBUS_AUTH_COMMAND_OK:
2087 return process_ok(auth, args);
2089 case DBUS_AUTH_COMMAND_DATA:
2090 case DBUS_AUTH_COMMAND_ERROR:
2091 return send_cancel (auth);
2093 case DBUS_AUTH_COMMAND_AUTH:
2094 case DBUS_AUTH_COMMAND_CANCEL:
2095 case DBUS_AUTH_COMMAND_BEGIN:
2096 case DBUS_AUTH_COMMAND_UNKNOWN:
2097 case DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD:
2098 case DBUS_AUTH_COMMAND_AGREE_UNIX_FD:
2100 return send_error (auth,
"Unknown command");
2105 handle_client_state_waiting_for_reject (
DBusAuth *auth,
2111 case DBUS_AUTH_COMMAND_REJECTED:
2112 return process_rejected (auth, args);
2114 case DBUS_AUTH_COMMAND_AUTH:
2115 case DBUS_AUTH_COMMAND_CANCEL:
2116 case DBUS_AUTH_COMMAND_DATA:
2117 case DBUS_AUTH_COMMAND_BEGIN:
2118 case DBUS_AUTH_COMMAND_OK:
2119 case DBUS_AUTH_COMMAND_ERROR:
2120 case DBUS_AUTH_COMMAND_UNKNOWN:
2121 case DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD:
2122 case DBUS_AUTH_COMMAND_AGREE_UNIX_FD:
2124 goto_state (auth, &common_state_need_disconnect);
2130 handle_client_state_waiting_for_agree_unix_fd(
DBusAuth *auth,
2136 case DBUS_AUTH_COMMAND_AGREE_UNIX_FD:
2139 _dbus_verbose(
"Successfully negotiated UNIX FD passing\n");
2140 return send_begin (auth);
2142 case DBUS_AUTH_COMMAND_ERROR:
2145 _dbus_verbose(
"Failed to negotiate UNIX FD passing\n");
2146 return send_begin (auth);
2148 case DBUS_AUTH_COMMAND_OK:
2149 case DBUS_AUTH_COMMAND_DATA:
2150 case DBUS_AUTH_COMMAND_REJECTED:
2151 case DBUS_AUTH_COMMAND_AUTH:
2152 case DBUS_AUTH_COMMAND_CANCEL:
2153 case DBUS_AUTH_COMMAND_BEGIN:
2154 case DBUS_AUTH_COMMAND_UNKNOWN:
2155 case DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD:
2157 return send_error (auth,
"Unknown command");
2170 {
"AUTH", DBUS_AUTH_COMMAND_AUTH },
2171 {
"CANCEL", DBUS_AUTH_COMMAND_CANCEL },
2172 {
"DATA", DBUS_AUTH_COMMAND_DATA },
2173 {
"BEGIN", DBUS_AUTH_COMMAND_BEGIN },
2174 {
"REJECTED", DBUS_AUTH_COMMAND_REJECTED },
2175 {
"OK", DBUS_AUTH_COMMAND_OK },
2176 {
"ERROR", DBUS_AUTH_COMMAND_ERROR },
2177 {
"NEGOTIATE_UNIX_FD", DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD },
2178 {
"AGREE_UNIX_FD", DBUS_AUTH_COMMAND_AGREE_UNIX_FD }
2182 lookup_command_from_name (
DBusString *command)
2189 auth_command_names[i].name))
2190 return auth_command_names[i].command;
2193 return DBUS_AUTH_COMMAND_UNKNOWN;
2200 _dbus_verbose (
"%s: going from state %s to state %s\n",
2205 auth->
state = state;
2246 _dbus_verbose (
"%s: Command contained non-ASCII chars or embedded nul\n",
2248 if (!send_error (auth,
"Command contained non-ASCII"))
2254 _dbus_verbose (
"%s: got command \"%s\"\n",
2271 command = lookup_command_from_name (&line);
2338 auth->
side = auth_side_server;
2339 auth->
state = &server_state_waiting_for_auth;
2343 server_auth->
guid = guid_copy;
2379 auth->
side = auth_side_client;
2380 auth->
state = &client_state_need_send_auth;
2384 if (!send_auth (auth, &all_mechanisms[0]))
2423 shutdown_mech (auth);
2466 const char **mechanisms)
2470 if (mechanisms !=
NULL)
2490 #define DBUS_AUTH_IN_END_STATE(auth) ((auth)->state->handler == NULL)
2505 #define MAX_BUFFER (16 * _DBUS_ONE_KILOBYTE)
2515 goto_state (auth, &common_state_need_disconnect);
2516 _dbus_verbose (
"%s: Disconnecting due to excessive data buffered in auth phase\n",
2521 while (process_command (auth));
2524 return DBUS_AUTH_STATE_WAITING_FOR_MEMORY;
2526 return DBUS_AUTH_STATE_HAVE_BYTES_TO_SEND;
2527 else if (auth->
state == &common_state_need_disconnect)
2528 return DBUS_AUTH_STATE_NEED_DISCONNECT;
2529 else if (auth->
state == &common_state_authenticated)
2530 return DBUS_AUTH_STATE_AUTHENTICATED;
2531 else return DBUS_AUTH_STATE_WAITING_FOR_INPUT;
2572 _dbus_verbose (
"%s: Sent %d bytes of: %s\n",
2662 if (auth->
state != &common_state_authenticated)
2693 if (auth->
state != &common_state_authenticated)
2721 if (auth->
state != &common_state_authenticated)
2756 if (auth->
state != &common_state_authenticated)
2802 if (auth->
state == &common_state_authenticated)
2828 if (auth->
state == &common_state_authenticated)
2886 return find_mech (name,
NULL) !=
NULL;