[0] | 1 | //auth.c: |
---|
| 2 | |
---|
[690] | 3 | /* |
---|
[3221] | 4 | * Copyright (C) Philipp 'ph3-der-loewe' Schafft - 2008-2010 |
---|
[690] | 5 | * |
---|
| 6 | * This file is part of libroar a part of RoarAudio, |
---|
| 7 | * a cross-platform sound system for both, home and professional use. |
---|
| 8 | * See README for details. |
---|
| 9 | * |
---|
| 10 | * This file is free software; you can redistribute it and/or modify |
---|
| 11 | * it under the terms of the GNU General Public License version 3 |
---|
| 12 | * as published by the Free Software Foundation. |
---|
| 13 | * |
---|
| 14 | * libroar is distributed in the hope that it will be useful, |
---|
| 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
| 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
| 17 | * GNU General Public License for more details. |
---|
| 18 | * |
---|
| 19 | * You should have received a copy of the GNU General Public License |
---|
| 20 | * along with this software; see the file COPYING. If not, write to |
---|
[3517] | 21 | * the Free Software Foundation, 51 Franklin Street, Fifth Floor, |
---|
| 22 | * Boston, MA 02110-1301, USA. |
---|
[690] | 23 | * |
---|
| 24 | * NOTE for everyone who wants to change something and send patches: |
---|
| 25 | * read README and HACKING! There is additional information on |
---|
| 26 | * the license of this document you need to read before you send |
---|
| 27 | * any patches. |
---|
| 28 | * |
---|
| 29 | * NOTE for uses of non-GPL (LGPL,...) software using libesd, libartsc |
---|
| 30 | * or libpulse*: |
---|
| 31 | * The libs libroaresd, libroararts and libroarpulse link this lib |
---|
[3740] | 32 | * and are therefore GPL. Because of this it may be illegal to use |
---|
[690] | 33 | * them with any software that uses libesd, libartsc or libpulse*. |
---|
| 34 | */ |
---|
| 35 | |
---|
[0] | 36 | #include "libroar.h" |
---|
| 37 | |
---|
[3220] | 38 | /* How auth works: |
---|
| 39 | * 0) set stage to zero |
---|
| 40 | * 1) get server address and local node name (from uname()) |
---|
| 41 | * 2) look up authfile/authdb/authservice for the server+local address + stage. |
---|
| 42 | * if no data was found send NONE-Auth. |
---|
| 43 | * 3) send data to server |
---|
| 44 | * 4) read answer from server |
---|
| 45 | * 5) if stage of server response is non-zero increment stage to server stage+1 |
---|
| 46 | * and repeat from step 2) |
---|
[3740] | 47 | * 6) check if we got an OK or an ERROR, return correct value |
---|
[3220] | 48 | */ |
---|
| 49 | |
---|
| 50 | /* The protocol: |
---|
| 51 | * Auth request: |
---|
| 52 | * Byte 0: auth type |
---|
| 53 | * Byte 1: stage |
---|
| 54 | * Byte 2: reserved (must be zero) |
---|
| 55 | * Byte 3: reserved (must be zero) |
---|
| 56 | * Byte 4-end: auth type depending data. |
---|
| 57 | * |
---|
| 58 | * If no data is to be sent bytes 2 and 3 can be omitted. |
---|
| 59 | * If no data is to be sent and stage is zero bytes 1, 2 and 3 can be omitted. |
---|
| 60 | * |
---|
| 61 | * Auth response: |
---|
| 62 | * The same as the auth request. |
---|
[3227] | 63 | * if the server sends a zero-size message back it means the server accepted our connection |
---|
| 64 | * and no additional stage is needed. |
---|
[3220] | 65 | * if the message type is OK the server accepted our auth. |
---|
[3740] | 66 | * if the message type is ERROR the server rejected us. we may try other auth methods. |
---|
[3220] | 67 | * if the server accepted our data and the stage is non-zero we need to continue with the next |
---|
| 68 | * stage of the auth. |
---|
| 69 | * if the server rejected us the auth type value of the response is a suggested next auth type |
---|
| 70 | * we should try if possible. This may help the client to find a working auth type. |
---|
| 71 | */ |
---|
| 72 | |
---|
| 73 | /* The protocol by auth type: |
---|
| 74 | * |
---|
| 75 | * --- NONE: |
---|
| 76 | * No data is sent, the server accepts the connection or rejects it depending on some |
---|
| 77 | * magic within the server. we do not care about this. |
---|
| 78 | * The data block is not used. |
---|
| 79 | * |
---|
| 80 | * --- COOKIE: |
---|
| 81 | * We send cookies for all stages the server asks us to provide a cookie. |
---|
[3740] | 82 | * if a cookie is wrong the server rejects us or asks us for another. |
---|
[3220] | 83 | * The cookie is sent as binary data in the data block. |
---|
| 84 | * |
---|
| 85 | * --- TRUST: |
---|
[3740] | 86 | * We ask the server to auth us based on our UID/GID/PID. |
---|
| 87 | * The server may reject this because we are not allowed or because it is not |
---|
[3220] | 88 | * supported by the transport. |
---|
| 89 | * If we get rejected we may try to continue with IDENT then RHOST before we use NONE. |
---|
| 90 | * The data block is not used. |
---|
| 91 | * |
---|
| 92 | * --- PASSWORD: |
---|
[3740] | 93 | * This is technically the same as COOKIE just that the cookie is limited to |
---|
[3220] | 94 | * printable ASCII chars and that the user should be asked to provide the password. |
---|
| 95 | * This may be done via a GUI popup window. |
---|
| 96 | * |
---|
| 97 | * --- SYSUSER: |
---|
| 98 | * We provide a Username + Password for a system user. |
---|
| 99 | * The data block contains of two main parts: |
---|
| 100 | * The first part is a one byte long subtype. |
---|
| 101 | * The value must be 0x01 for username+password. |
---|
[3740] | 102 | * future versions may define other types. |
---|
| 103 | * the second part is the actual data block. |
---|
[3220] | 104 | * for username+password it is split into two fields, both terminated with \0. |
---|
| 105 | * the first is the username the last one the password as clear text. |
---|
| 106 | * Example: char data[] = "\001MyUser\0MyPassword\0"; |
---|
| 107 | * |
---|
| 108 | * --- OPENPGP_SIGN: |
---|
| 109 | * |
---|
| 110 | * --- OPENPGP_ENCRYPT: |
---|
| 111 | * |
---|
| 112 | * --- OPENPGP_AUTH: |
---|
| 113 | * |
---|
| 114 | * --- KERBEROS: |
---|
| 115 | * We use Kerberos to auth. |
---|
| 116 | * |
---|
| 117 | * --- RHOST: |
---|
| 118 | * The server is asked to auth us based on our source address. |
---|
| 119 | * The data block is not used. |
---|
| 120 | * |
---|
| 121 | * --- XAUTH: |
---|
| 122 | * We send an X11 Cookie. |
---|
| 123 | * |
---|
| 124 | * --- IDENT: |
---|
| 125 | * The server is asked to auth us based on our source address using the IDENT protocol. |
---|
| 126 | * The data block is not used. |
---|
| 127 | * |
---|
| 128 | */ |
---|
| 129 | |
---|
/*
 * Send a data-less AUTH request for the type/stage held in *authmes and
 * read the server's 4-byte reply header back into *authmes.
 *
 * Returns 0 when the server answered with ROAR_CMD_OK (type, stage and
 * the two reserved bytes of the reply are then stored in *authmes),
 * -1 when the request failed or any other command came back.
 * A reply shorter than 4 bytes is zero-padded, so an empty reply reads
 * as type 0 / stage 0.
 */
static int roar_auth_ask_server (struct roar_connection * con, struct roar_auth_message * authmes) {
 struct roar_message mes;
 char * hdr = mes.data;

 // zero the whole message so the unused part of the data buffer is defined
 memset(&mes, 0, sizeof(mes));

 mes.cmd     = ROAR_CMD_AUTH;
 mes.datalen = 4;

 hdr[0] = authmes->type;
 hdr[1] = authmes->stage;
 hdr[2] = authmes->reserved.c[0];
 hdr[3] = authmes->reserved.c[1];

 if ( roar_req(con, &mes, NULL) == -1 || mes.cmd != ROAR_CMD_OK )
  return -1;

 // pad a short reply with zero bytes so the header fields read below are defined
 if ( mes.datalen < 4 )
  memset(hdr + mes.datalen, 0, 4 - mes.datalen);

 authmes->type          = hdr[0];
 authmes->stage         = hdr[1];
 authmes->reserved.c[0] = hdr[2];
 authmes->reserved.c[1] = hdr[3];

 return 0;
}
---|
[0] | 162 | |
---|
/*
 * Reset *authmes to an empty stage-0 request of the given auth type
 * with no payload attached.
 */
static void roar_auth_mes_init(struct roar_auth_message * authmes, int type) {
 memset(authmes, 0, sizeof(*authmes));

 authmes->type = type;
 // stage 0 and the empty payload are already zero after the memset();
 // the explicit stores keep the intended start state visible
 authmes->stage = 0;
 authmes->len   = 0;
 authmes->data  = NULL;
}
---|
| 171 | |
---|
[4475] | 172 | |
---|
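/*
 * Overwrite n bytes at p with zeros in a way the optimizer may not drop
 * (a plain memset() right before a free() can be elided).
 */
static void try_password_wipe(void * p, size_t n) {
 volatile unsigned char * vp = p;

 while ( n-- > 0 )
  *vp++ = 0;
}

/*
 * PASSWORD auth: prompt the user (roar_passwd_simple_ask_pw()), send the
 * clear-text password as the payload of one AUTH request and check the
 * reply.
 *
 * Returns 0 when the server answered OK with stage 0, -1 when no
 * password was obtained, it does not fit into a message, the request
 * failed, the reply was not OK or the server asked for a further stage.
 *
 * The prompt buffer and the on-stack message (which carries the
 * password on the wire) are wiped before returning on every path.
 */
static int try_password (struct roar_connection * con) {
 struct roar_message mes;
 struct roar_auth_message authmes;
 char * pw = NULL;
 int ret = -1;

 roar_auth_mes_init(&authmes, ROAR_AUTH_T_PASSWORD);

 if ( roar_passwd_simple_ask_pw(&pw, "Password for RoarAudio Server?", NULL) == -1 )
  return -1;

 // presumably never NULL after a successful ask; checked so strlen() is safe
 if ( pw == NULL )
  return -1;

 authmes.len = strlen(pw);

 if ( roar_auth_init_mes(&mes, &authmes) == -1 ) {
  try_password_wipe(pw, authmes.len);
  roar_mm_free(pw);
  return -1;
 }

 // do not use strcpy() because that would copy \0, too.
 memcpy(authmes.data, pw, authmes.len);

 // the password now lives in mes; drop the prompt copy right away
 try_password_wipe(pw, authmes.len);
 roar_mm_free(pw);

 if ( roar_req(con, &mes, NULL) == -1 )
  goto out;

 if ( mes.cmd != ROAR_CMD_OK )
  goto out;

 if ( roar_auth_from_mes(&authmes, &mes, NULL) == -1 )
  goto out;

 if ( authmes.stage == 0 )
  ret = 0;

out:
 // mes held the clear-text password (and may hold the reply); wipe it
 try_password_wipe(&mes, sizeof(mes));
 return ret;
}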
---|
| 210 | |
---|
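/*
 * Authenticate the connection: try the auth types in ltt[] in order and
 * stop at the first one the server accepts.
 *
 * Returns 0 as soon as a type is accepted with stage 0, -1 when all of
 * them failed. A reply with a non-zero stage is treated as a failure of
 * that type (no multi-stage continuation is done here), and the next
 * type the server may suggest in its reply is not consulted.
 * PASSWORD is handled by try_password() but currently not listed in
 * ltt[], so this function never prompts the user.
 */
// end-of-list marker for ltt[]; never sent as an auth type
#define ROAR_AUTH_LTT_EOL ROAR_AUTH_T_AUTO
int roar_auth (struct roar_connection * con) {
 struct roar_auth_message authmes;
 int i;
 int ltt[] = {
  ROAR_AUTH_T_TRUST,
  ROAR_AUTH_T_IDENT,
  ROAR_AUTH_T_RHOST,
  // ROAR_AUTH_T_PASSWORD is deliberately not listed, see above
  ROAR_AUTH_T_NONE,
  ROAR_AUTH_LTT_EOL
 };

 for (i = 0; ltt[i] != ROAR_AUTH_LTT_EOL; i++) {
  switch (ltt[i]) {
   case ROAR_AUTH_T_PASSWORD:
    // try_password() does not fill authmes, so do not reach the stage
    // check below with an uninitialised authmes: it already returns 0
    // only for an OK reply with stage 0.
    if ( try_password(con) == -1 )
     continue;
    return 0;
   case ROAR_AUTH_T_TRUST:
   case ROAR_AUTH_T_IDENT:
   case ROAR_AUTH_T_RHOST:
   case ROAR_AUTH_T_NONE:
    roar_auth_mes_init(&authmes, ltt[i]);
    if ( roar_auth_ask_server(con, &authmes) == -1 )
     continue;
    break;
   default: /* Bad error! */
    return -1;
  }

  // the server wants another stage for this type: treated as rejected
  if ( authmes.stage != 0 )
   continue;

  return 0;
 }

 return -1;
}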
---|
| 252 | |
---|
[4470] | 253 | |
---|
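/*
 * Decode an AUTH message into *ames.
 *
 * The 4-byte header (type, stage, two reserved bytes) is read from data
 * when given, else from mes->data; a message shorter than 4 bytes is
 * zero-padded. ames->data/ames->len then alias the payload behind the
 * header inside that buffer (no copy is made), or are NULL/0 when there
 * is none.
 *
 * Returns 0 on success, -1 when ames or mes is NULL, or when the payload
 * is said to be inline in mes->data but mes->datalen exceeds that buffer.
 */
int roar_auth_from_mes(struct roar_auth_message * ames, struct roar_message * mes, void * data) {
 char * ibuf;
 char header[4] = {0, 0, 0, 0};

 if ( ames == NULL || mes == NULL )
  return -1;

 if ( data != NULL ) {
  ibuf = data;
 } else {
  // inline payload: datalen must not run past the message's own buffer
  if ( mes->datalen > sizeof(mes->data) )
   return -1;
  ibuf = mes->data;
 }

 memset(ames, 0, sizeof(*ames));

 // copy what is there; the rest of header[] stays zero
 memcpy(header, ibuf, mes->datalen < 4 ? mes->datalen : 4);

 ames->type          = header[0];
 ames->stage         = header[1];
 ames->reserved.c[0] = header[2];
 ames->reserved.c[1] = header[3];

 if ( mes->datalen > 4 ) {
  // ibuf is a char *, so the offset is well-defined C (not void * arithmetic)
  ames->data = ibuf + 4;
  ames->len  = mes->datalen - 4;
 } else {
  ames->data = NULL;
  ames->len  = 0;
 }

 return 0;
}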
---|
| 286 | |
---|
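/*
 * Encode *ames into an AUTH message: the 4-byte header followed by
 * ames->len bytes of payload.
 *
 * When header + payload fit into mes->data they are written there.
 * Otherwise a buffer of ames->len + 4 bytes is malloc()ed, filled and
 * returned through *data; the caller owns it. *data is reset to NULL
 * first when data is given.
 * NOTE(review): allocated with malloc() here while the rest of the file
 * frees with roar_mm_free(); confirm the caller's free matches.
 *
 * Returns 0 on success, -1 when mes or ames is NULL, when a non-empty
 * payload has no source buffer, when the payload does not fit inline
 * and no *data was supplied to hold it, or when malloc() fails.
 */
int roar_auth_to_mes(struct roar_message * mes, void ** data, struct roar_auth_message * ames) {
 char * obuf;

 if ( mes == NULL || ames == NULL )
  return -1;

 if ( data != NULL )
  *data = NULL;

 // a non-empty payload needs a source buffer
 if ( ames->len != 0 && ames->data == NULL )
  return -1;

 memset(mes, 0, sizeof(*mes));

 mes->cmd = ROAR_CMD_AUTH;

 // compare without computing len + 4, which could wrap for huge len
 if ( ames->len > sizeof(mes->data) - 4 ) {
  // payload does not fit inline: the caller must have given us *data to fill
  if ( data == NULL )
   return -1;
  *data = malloc(ames->len + 4);
  if ( *data == NULL )
   return -1;
  obuf = *data;
 } else {
  obuf = mes->data;
 }

 obuf[0] = ames->type;
 obuf[1] = ames->stage;
 obuf[2] = ames->reserved.c[0];
 obuf[3] = ames->reserved.c[1];

 // the payload starts right behind the 4-byte header; writing it at
 // offset 8 would leave a gap and run 4 bytes past the end of obuf
 if ( ames->len != 0 )
  memcpy(obuf + 4, ames->data, ames->len);

 mes->datalen = ames->len + 4;

 return 0;
}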
---|
| 320 | |
---|
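/*
 * Prepare *mes as an AUTH request carrying the header from *ames and
 * room for ames->len bytes of payload inline in mes->data.
 *
 * On success ames->data is pointed at &mes->data[4]: the caller fills
 * the payload in there afterwards (see try_password()), and ames->data
 * is only valid as long as *mes is.
 *
 * Returns 0 on success, -1 when a pointer is NULL or the payload would
 * not fit into mes->data.
 */
int roar_auth_init_mes(struct roar_message * mes, struct roar_auth_message * ames) {
 if ( mes == NULL || ames == NULL )
  return -1;

 // compare without computing len + 4, which could wrap for huge len
 if ( ames->len > sizeof(mes->data) - 4 )
  return -1;

 memset(mes, 0, sizeof(*mes));

 mes->cmd = ROAR_CMD_AUTH;

 mes->data[0] = ames->type;
 mes->data[1] = ames->stage;
 mes->data[2] = ames->reserved.c[0];
 mes->data[3] = ames->reserved.c[1];

 // payload goes directly behind the header; the caller writes it
 ames->data = &(mes->data[4]);

 mes->datalen = ames->len + 4;

 return 0;
}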
---|
| 343 | |
---|
| 344 | |
---|
| 345 | |
---|
[3225] | 346 | // String functions: |
---|
/*
 * Auth type <-> name table, terminated by a {-1, NULL} entry.
 * The three OPENPGP_* types all carry the name "openpgp", so the
 * name-to-type lookup only ever yields the first of them.
 */
static struct {
 int type;
 const char * name;
} _g_authts[] = {
 // grep ^'#define ROAR_AUTH_T_' auth.h | while read d t d; do n=$(cut -d_ -f4 <<<$t | tr A-Z a-z); printf ' {%-28s %-10s},\n' $t, \"$n\"; done
 { .type = ROAR_AUTH_T_NONE,            .name = "none"     },
 { .type = ROAR_AUTH_T_COOKIE,          .name = "cookie"   },
 { .type = ROAR_AUTH_T_TRUST,           .name = "trust"    },
 { .type = ROAR_AUTH_T_PASSWORD,        .name = "password" },
 { .type = ROAR_AUTH_T_SYSUSER,         .name = "sysuser"  },
 { .type = ROAR_AUTH_T_OPENPGP_SIGN,    .name = "openpgp"  },
 { .type = ROAR_AUTH_T_OPENPGP_ENCRYPT, .name = "openpgp"  },
 { .type = ROAR_AUTH_T_OPENPGP_AUTH,    .name = "openpgp"  },
 { .type = ROAR_AUTH_T_KERBEROS,        .name = "kerberos" },
 { .type = ROAR_AUTH_T_RHOST,           .name = "rhost"    },
 { .type = ROAR_AUTH_T_XAUTH,           .name = "xauth"    },
 { .type = ROAR_AUTH_T_IDENT,           .name = "ident"    },
 { .type = -1,                          .name = NULL       }
};
---|
| 366 | |
---|
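/*
 * Map an auth type name (case-insensitive) to its ROAR_AUTH_T_* value
 * using _g_authts[].
 *
 * Returns the type, or -1 when str is NULL or not in the table. Since
 * the table lists "openpgp" three times, that name yields the first
 * matching entry.
 */
int roar_str2autht(const char * str) {
 int i;

 // strcasecmp() on a NULL string would be undefined
 if ( str == NULL )
  return -1;

 for (i = 0; _g_authts[i].name != NULL; i++)
  if ( strcasecmp(_g_authts[i].name, str) == 0 )
   return _g_authts[i].type;

 return -1;
}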
---|
| 376 | |
---|
/*
 * Map an auth type to its lower-case name from _g_authts[].
 * Returns the literal "(UNKNOWN)" for a type not in the table; the
 * returned string is static and must not be freed.
 */
const char * roar_autht2str(const int auth) {
 size_t idx = 0;

 while ( _g_authts[idx].name != NULL ) {
  if ( _g_authts[idx].type == auth )
   return _g_authts[idx].name;
  idx++;
 }

 return "(UNKNOWN)";
}
---|
| 386 | |
---|
[0] | 387 | //ll |
---|