1 | //auth.c: |
---|
2 | |
---|
3 | /* |
---|
4 | * Copyright (C) Philipp 'ph3-der-loewe' Schafft - 2008-2012 |
---|
5 | * |
---|
6 | * This file is part of libroar a part of RoarAudio, |
---|
7 | * a cross-platform sound system for both, home and professional use. |
---|
8 | * See README for details. |
---|
9 | * |
---|
10 | * This file is free software; you can redistribute it and/or modify |
---|
11 | * it under the terms of the GNU General Public License version 3 |
---|
12 | * as published by the Free Software Foundation. |
---|
13 | * |
---|
14 | * libroar is distributed in the hope that it will be useful, |
---|
15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
17 | * GNU General Public License for more details. |
---|
18 | * |
---|
19 | * You should have received a copy of the GNU General Public License |
---|
20 | * along with this software; see the file COPYING. If not, write to |
---|
21 | * the Free Software Foundation, 51 Franklin Street, Fifth Floor, |
---|
22 | * Boston, MA 02110-1301, USA. |
---|
23 | * |
---|
24 | * NOTE for everyone who wants to change something and send patches: |
---|
25 | * read README and HACKING! There is additional information on |
---|
26 | * the license of this document you need to read before you send |
---|
27 | * any patches. |
---|
28 | * |
---|
29 | * NOTE for uses of non-GPL (LGPL,...) software using libesd, libartsc |
---|
30 | * or libpulse*: |
---|
31 | * The libs libroaresd, libroararts and libroarpulse link this lib |
---|
32 | * and are therefore GPL. Because of this it may be illegal to use |
---|
33 | * them with any software that uses libesd, libartsc or libpulse*. |
---|
34 | */ |
---|
35 | |
---|
36 | #include "libroar.h" |
---|
37 | |
---|
38 | /* How auth works: |
---|
39 | * 0) set stage to zero |
---|
40 | * 1) get server address and local node name (from uname()) |
---|
41 | * 2) look up authfile/authdb/authservice for the server+local address + stage. |
---|
42 | * if no data was found send NONE-Auth. |
---|
43 | * 3) send data to server |
---|
44 | * 4) read answer from server |
---|
45 | * 5) if stage of server response is non-zero increment stage to server stage+1 |
---|
46 | * and repeat from step 2) |
---|
47 | * 6) check if we got an OK or an ERROR, return correct value |
---|
48 | */ |
---|
49 | |
---|
50 | /* The protocol: |
---|
51 | * Auth request: |
---|
52 | * Byte 0: auth type |
---|
53 | * Byte 1: stage |
---|
54 | * Byte 2: reserved (must be zero) |
---|
55 | * Byte 3: reserved (must be zero) |
---|
56 | * Byte 4-end: auth type depending data. |
---|
57 | * |
---|
58 | * If no data is to be sent, bytes 2 and 3 can be omitted. |
---|
59 | * If no data is to be sent and the stage is zero, bytes 1, 2 and 3 can be omitted. |
---|
60 | * |
---|
61 | * Auth response: |
---|
62 | * The same as the auth request. |
---|
63 | * if the server sends a zero-size message back it means the server accepted our connection |
---|
64 | * and no additional stage is needed. |
---|
65 | * if the message type is OK the server accepted our auth. |
---|
66 | * if the message type is ERROR the server rejected us. we may try other auth methods. |
---|
67 | * if the server accepted our data and the stage is non-zero we need to continue with the next |
---|
68 | * stage of the auth. |
---|
69 | * if the server rejected us the auth type value of the response is a suggested next auth type |
---|
70 | * we should try if possible. This may help the client to find a working auth type. |
---|
71 | */ |
---|
72 | |
---|
73 | /* The protocol by auth type: |
---|
74 | * |
---|
75 | * --- NONE: |
---|
76 | * No data is sent; the server accepts the connection or rejects it depending on some |
---|
77 | * magic within the server. we do not care about this. |
---|
78 | * The data block is not used. |
---|
79 | * |
---|
80 | * --- COOKIE: |
---|
81 | * We send cookies for all stages the server ask us to provide a cookie. |
---|
82 | * if a cookie is wrong the server rejects us or asks us for another. |
---|
83 | * The cookie is sent as binary data in the data block. |
---|
84 | * |
---|
85 | * --- TRUST: |
---|
86 | * We ask the server to auth us based on our UID/GID/PID. |
---|
87 | * The server may reject this because we are not allowed or because it is not |
---|
88 | * supported by the transport. |
---|
89 | * If we get rejected we may try to continue with IDENT then RHOST before we use NONE. |
---|
90 | * The data block is not used. |
---|
91 | * |
---|
92 | * --- PASSWORD: |
---|
93 | * This is technically the same as COOKIE just that the cookie is limited to |
---|
94 | * printable ASCII chars and that the user should be asked to provide the password. |
---|
95 | * This may be done via a GUI popup window. |
---|
96 | * |
---|
97 | * --- SYSUSER: |
---|
98 | * We provide a Username + Password for a system user. |
---|
99 | * The data block contains of two main parts: |
---|
100 | * The first part is a one byte long subtype. |
---|
101 | * The value must be 0x01 for username+password. |
---|
102 | * future versions may define other types. |
---|
103 | * the second part is the actual data block. |
---|
104 | * for username+password it is split into two fields, both terminated with \0. |
---|
105 | * the first is the username the last one the password as clear text. |
---|
106 | * Example: char data[] = "\001MyUser\0MyPassword\0"; |
---|
107 | * |
---|
108 | * --- OPENPGP_SIGN: |
---|
109 | * |
---|
110 | * --- OPENPGP_ENCRYPT: |
---|
111 | * |
---|
112 | * --- OPENPGP_AUTH: |
---|
113 | * |
---|
114 | * --- KERBEROS: |
---|
115 | * We use Kerberos to auth. |
---|
116 | * |
---|
117 | * --- RHOST: |
---|
118 | * The server is asked to auth us based on our source address. |
---|
119 | * The data block is not used. |
---|
120 | * |
---|
121 | * --- XAUTH: |
---|
122 | * We send an X11 Cookie. |
---|
123 | * |
---|
124 | * --- IDENT: |
---|
125 | * The server is asked to auth us based on our source address using the IDENT protocol. |
---|
126 | * The data block is not used. |
---|
127 | * |
---|
128 | */ |
---|
129 | |
---|
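/*
 * Send one auth request to the server and decode the reply header into *authmes.
 *
 * The request is a 4-byte header (type, stage, reserved[0], reserved[1])
 * followed by authmes->len bytes of payload. A request that does not fit into
 * mes.data is sent from a heap buffer instead.
 *
 * On return authmes->type holds the auth type byte of the reply, or -1 when the
 * request failed or the reply was shorter than a full header; stage and the
 * reserved bytes hold the remaining header bytes (zero where the reply was
 * shorter). authmes->data and authmes->len are left untouched.
 *
 * Returns 0 if the server replied with anything other than ROAR_CMD_ERROR,
 * -1 on allocation failure, transport failure or an ERROR reply.
 */
static int roar_auth_ask_server (struct roar_connection * con, struct roar_auth_message * authmes) {
 struct roar_error_frame error_frame;
 struct roar_message mes;
 char * data = NULL;               /* heap request/reply buffer; NULL while mes.data is used */
 char * payload = mes.data;        /* where the request (later: the reply) header lives */
 char   header[4] = {0, 0, 0, 0};  /* zero-padded local copy of the reply header */
 size_t hdrlen;
 int ret;

 ROAR_DBG("roar_auth_ask_server(con=%p, authmes=%p{.type=%i}) = ?", con, authmes, authmes->type);

 roar_err_init(&error_frame);
 memset(&mes, 0, sizeof(struct roar_message)); // make valgrind happy!

 mes.cmd     = ROAR_CMD_AUTH;
 mes.stream  = -1;
 mes.datalen = 4 + authmes->len;

 /* Large requests go out of line; roar_req2() is handed the pointer so it can
  * send from it (and hand back a large reply the same way). */
 if ( mes.datalen > sizeof(mes.data) ) {
  data = roar_mm_malloc(mes.datalen);
  if ( data == NULL )
   return -1;

  payload = data;
 }

 payload[0] = authmes->type;
 payload[1] = authmes->stage;
 payload[2] = authmes->reserved.c[0];
 payload[3] = authmes->reserved.c[1];

 if ( authmes->len )
  memcpy(payload + 4, authmes->data, authmes->len);

 ROAR_DBG("roar_auth_ask_server(con=%p, authmes=%p{.type=%i}) = ?", con, authmes, authmes->type);

 if ( (ret = roar_req2(con, &mes, &data, &error_frame)) == -1 ) {
  authmes->type = -1;
  /* NOTE(review): assumes roar_req2() leaves *data owned by the caller on
   * failure just as it does on success (it is freed at the end below) — confirm. */
  if ( data != NULL )
   roar_mm_free(data);
  ROAR_DBG("roar_auth_ask_server(con=%p, authmes=%p{.type=%i}) = -1 // next: -1", con, authmes, authmes->type);
  return -1;
 }

 ROAR_DBG("roar_auth_ask_server(con=%p, authmes=%p{.type=%i}): mes->cmd=%i", con, authmes, authmes->type, mes.cmd);

 if ( mes.cmd == ROAR_CMD_ERROR )
  ret = -1;

 ROAR_DBG("roar_auth_ask_server(con=%p, authmes=%p{.type=%i}): error_frame.data=%p",
          con, authmes, authmes->type, error_frame.data);

 /* Locate the reply header: an ERROR reply carrying an error frame keeps it
  * there, a large reply in the heap buffer, anything else in mes.data. */
 if ( mes.cmd == ROAR_CMD_ERROR && error_frame.data != NULL ) {
  payload     = error_frame.data;
  mes.datalen = error_frame.datalen;
 } else if ( data != NULL ) {
  payload = data;
 } else {
  payload = mes.data;
 }

 ROAR_DBG("roar_auth_ask_server(con=%p, authmes=%p{.type=%i}) = ?", con, authmes, authmes->type);

 /* Copy at most 4 bytes into the zero-filled local header instead of
  * zero-padding the reply buffer in place: a reply shorter than a header may
  * sit in a buffer that is exactly datalen bytes long. */
 hdrlen = mes.datalen < 4 ? mes.datalen : 4;
 memcpy(header, payload, hdrlen);

 if ( mes.datalen < 4 ) {
  authmes->type = -1;
 } else {
  authmes->type = header[0];
 }

 authmes->stage         = header[1];
 authmes->reserved.c[0] = header[2];
 authmes->reserved.c[1] = header[3];

 if ( data != NULL )
  roar_mm_free(data);

 ROAR_DBG("roar_auth_ask_server(con=%p, authmes=%p) = %i // next: %i", con, authmes, ret, authmes->type);
 return ret;
}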
---|
215 | |
---|
/* Reset *authmes to an empty, stage-0 message of the given auth type. */
static void roar_auth_mes_init(struct roar_auth_message * authmes, int type) {
 memset(authmes, 0, sizeof(*authmes));

 authmes->type = type;

 /* Already zero/NULL after the memset; spelled out so the initial state
  * matches the protocol description at the top of the file. */
 authmes->stage = 0;
 authmes->len   = 0;
 authmes->data  = NULL;
}
---|
224 | |
---|
225 | |
---|
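/* Overwrite n bytes at p with zeros through a volatile pointer so the stores
 * are not dropped as dead just because the buffer is released right after. */
static void roar_auth_wipe(void * p, size_t n) {
 volatile unsigned char * vp = p;

 while ( n-- )
  *vp++ = 0;
}

/*
 * Ask the user for a password and offer it to the server as ROAR_AUTH_T_PASSWORD.
 *
 * *next is neither consulted nor updated yet (TODO: feed the server's suggested
 * auth type back to the caller on rejection).
 *
 * Returns 0 if the server accepted the password in a single stage, -1 if no
 * password could be obtained, the request could not be built or sent, the
 * server rejected it, or the server asked for a further stage (multi-stage
 * password auth is not implemented).
 *
 * The clear-text password — both the buffer returned by
 * roar_passwd_simple_ask_pw() and its copy inside the request message — is
 * wiped before this function returns, on every path.
 */
static int try_password (struct roar_connection * con, int * next) {
 struct roar_message mes;
 struct roar_auth_message authmes;
 char * pw = NULL;
 size_t pwlen = 0;
 int ret = -1;

 (void)next; // TODO: add support for *next.

 roar_auth_mes_init(&authmes, ROAR_AUTH_T_PASSWORD);

 if ( roar_passwd_simple_ask_pw(&pw, "Password for RoarAudio Server?", NULL) == -1 )
  return -1;

 if ( pw == NULL )
  return -1;

 pwlen       = strlen(pw);
 authmes.len = pwlen;

 if ( roar_auth_init_mes(&mes, &authmes) == -1 )
  goto out;

 // do not use strcpy() because that would copy \0, too.
 memcpy(authmes.data, pw, authmes.len);

 if ( roar_req(con, &mes, NULL) == -1 )
  goto out;

 if ( mes.cmd != ROAR_CMD_OK )
  goto out;

 if ( roar_auth_from_mes(&authmes, &mes, NULL) == -1 )
  goto out;

 /* A non-zero stage means the server wants another round, which is not
  * supported for passwords; only a stage-0 OK counts as success. */
 if ( authmes.stage == 0 )
  ret = 0;

out:
 /* mes.data held the password until the reply overwrote it (if it ever did);
  * pw still holds it. Clear both before handing the memory back. */
 roar_auth_wipe(&mes, sizeof(mes));
 roar_auth_wipe(pw, pwlen);
 roar_mm_free(pw);
 return ret;
}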
---|
265 | |
---|
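/*
 * Offer every ROAR_AUTH_T_COOKIE key from the configured authfile to the
 * server, in index order, until one is accepted.
 *
 * *next is not updated (the server's suggested next type is discarded).
 *
 * Returns 0 once the server accepts a cookie with stage 0, -1 if there is no
 * configuration, the authfile cannot be opened, or no cookie is accepted.
 */
static int try_cookie (struct roar_connection * con, int * next) {
 struct roar_libroar_config * config = roar_libroar_get_config();
 struct roar_auth_message authmes;
 struct roar_authfile * authfile;
 struct roar_authfile_key * key;
 int idx;
 int done = 0;

 (void)next;

 if ( config == NULL )
  return -1;

 if ( (authfile = roar_authfile_open(ROAR_AUTHFILE_TYPE_AUTO, config->authfile, 0, ROAR_AUTHFILE_VERSION_AUTO)) == NULL )
  return -1;

 for (idx = 0; !done; idx++) {
  if ( (key = roar_authfile_lookup_key(authfile, ROAR_AUTH_T_COOKIE, idx, NULL)) == NULL )
   break;

  /* roar_auth_ask_server() overwrites type/stage with the reply header (a
   * rejection stores the server's suggested next type there), so every
   * attempt must start from a fresh COOKIE message rather than reuse the
   * one left over from the previous key. */
  roar_auth_mes_init(&authmes, ROAR_AUTH_T_COOKIE);
  authmes.data = key->data;
  authmes.len  = key->len;

  /* Accepted only if the reply was not ERROR and the server does not ask
   * for a further stage (see the protocol description at the top of the file). */
  if ( roar_auth_ask_server(con, &authmes) != -1 && authmes.stage == 0 )
   done = 1;

  roar_authfile_key_unref(key);
 }

 roar_authfile_close(authfile);

 return done ? 0 : -1;
}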
---|
296 | |
---|
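/*
 * Authenticate *con against the server.
 *
 * Walks the auth types in ltt[] in order. For the server-decided types
 * (TRUST, IDENT, RHOST, NONE) a rejection may carry a suggested next type,
 * which is tried before moving on down the list; PASSWORD and COOKIE are
 * handled by their helpers and currently return no suggestion.
 *
 * Returns 0 as soon as one attempt is accepted with stage 0, -1 if every
 * type in the list was rejected or an unknown type was reached.
 */
int roar_auth (struct roar_connection * con) {
 /* Upper bound on server-suggested follow-ups per list entry, so a server
  * that keeps suggesting yet another type cannot keep the client in the
  * inner loop indefinitely. */
 enum { MAX_SUGGESTIONS = 8 };
 struct roar_auth_message authmes;
 int i;
 int cur, next;
 int hops;
 int done;
 int stage;
 const int ltt[] = {
  ROAR_AUTH_T_TRUST,
  ROAR_AUTH_T_IDENT,
  ROAR_AUTH_T_RHOST,
// ROAR_AUTH_T_PASSWORD,
  ROAR_AUTH_T_COOKIE,
  ROAR_AUTH_T_NONE,
  ROAR_AUTH_T_PASSWORD, // (re-)try password if there is no guest access.
  ROAR_AUTH_T_AUTO      // end-of-list marker
 };

 for (i = 0; ltt[i] != ROAR_AUTH_T_AUTO; i++) {
  next = ltt[i];
  ROAR_DBG("roar_auth(con=%p): next from ltt: %s(%i)", con, roar_autht2str(next), next);

  for (hops = 0; next != -1 && hops < MAX_SUGGESTIONS; hops++) {
   done  = 1;
   stage = 0; /* only the server-decided types report a stage below */

   cur  = next;
   next = -1;

   ROAR_DBG("roar_auth(con=%p): cur=%s(%i)", con, roar_autht2str(cur), cur);

   switch (cur) {
    case ROAR_AUTH_T_PASSWORD:
      if ( try_password(con, &next) == -1 )
       done = 0;
     break;
    case ROAR_AUTH_T_TRUST:
    case ROAR_AUTH_T_IDENT:
    case ROAR_AUTH_T_RHOST:
    case ROAR_AUTH_T_NONE:
      roar_auth_mes_init(&authmes, cur);
      if ( roar_auth_ask_server(con, &authmes) == -1 )
       done = 0;

      /* Reply header: type is the server's suggested next type (or -1),
       * a non-zero stage means the server wants another round. */
      next  = authmes.type;
      stage = authmes.stage;
     break;
    case ROAR_AUTH_T_COOKIE:
      if ( try_cookie(con, &next) == -1 )
       done = 0;
     break;
    default: /* Bad error! */
      return -1;
   }

   /* Only the stage of the exchange just made counts; the helpers above
    * decide single-stage success themselves, so stage stays 0 for them. */
   if ( stage != 0 )
    done = 0;

   ROAR_DBG("roar_auth(con=%p): done=%i, next=%i", con, done, next);

   if ( done ) {
    ROAR_DBG("roar_auth(con=%p) = 0", con);
    return 0;
   }
  }
 }

 ROAR_DBG("roar_auth(con=%p) = -1", con);
 return -1;
}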
---|
367 | |
---|
368 | |
---|
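/*
 * Decode the raw message *mes into the auth message *ames.
 *
 * data, when non-NULL, is the out-of-line payload buffer of a message that
 * did not fit into mes->data; otherwise the payload is read from mes->data.
 * The first (up to) 4 bytes are the header (type, stage, reserved[0..1]);
 * header bytes missing from a short message read as zero. Any bytes beyond
 * the header are exposed by reference: ames->data/ames->len alias the input
 * buffer, nothing is copied, so the buffer must outlive *ames.
 *
 * Returns 0 on success, -1 with ROAR_ERROR_FAULT if ames or mes is NULL.
 */
int roar_auth_from_mes(struct roar_auth_message * ames, struct roar_message * mes, void * data) {
 char * ibuf; /* char rather than void: arithmetic on void * is not ISO C */
 char header[4] = {0, 0, 0, 0};

 if ( ames == NULL || mes == NULL ) {
  roar_err_set(ROAR_ERROR_FAULT);
  return -1;
 }

 ibuf = data != NULL ? (char *)data : (char *)mes->data;

 memset(ames, 0, sizeof(*ames));

 memcpy(header, ibuf, mes->datalen < 4 ? mes->datalen : 4);

 ames->type          = header[0];
 ames->stage         = header[1];
 ames->reserved.c[0] = header[2];
 ames->reserved.c[1] = header[3];

 if ( mes->datalen > 4 ) {
  ames->data = ibuf + 4;
  ames->len  = mes->datalen - 4;
 } else {
  ames->data = NULL;
  ames->len  = 0;
 }

 return 0;
}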
---|
403 | |
---|
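/*
 * Encode the auth message *ames into the raw message *mes: a 4-byte header
 * (type, stage, reserved[0..1]) followed by ames->len payload bytes.
 *
 * If header + payload fit into mes->data they are stored there and *data is
 * set to NULL. Otherwise a heap buffer of ames->len + 4 bytes is allocated
 * into *data and the caller owns it (release with roar_mm_free()). If the
 * message does not fit and data is NULL there is nowhere to put it, so the
 * call fails instead of dereferencing NULL.
 *
 * Returns 0 on success, -1 with ROAR_ERROR_FAULT if mes or ames is NULL, and
 * -1 if an out-of-line buffer is needed but cannot be provided or allocated.
 */
int roar_auth_to_mes(struct roar_message * mes, void ** data, struct roar_auth_message * ames) {
 char * obuf;

 if ( mes == NULL || ames == NULL ) {
  roar_err_set(ROAR_ERROR_FAULT);
  return -1;
 }

 if ( data != NULL )
  *data = NULL;

 memset(mes, 0, sizeof(*mes));

 mes->cmd = ROAR_CMD_AUTH;

 if ( (ames->len + 4) > sizeof(mes->data) ) {
  if ( data == NULL )
   return -1; /* too large for mes->data and no out-of-line buffer offered */

  *data = roar_mm_malloc(ames->len + 4);
  if ( *data == NULL )
   return -1;
  obuf = *data;
 } else {
  obuf = mes->data;
 }

 obuf[0] = ames->type;
 obuf[1] = ames->stage;
 obuf[2] = ames->reserved.c[0];
 obuf[3] = ames->reserved.c[1];

 /* The header is 4 bytes, so the payload starts at offset 4 — the buffer is
  * sized len + 4, so any larger offset would write past its end. */
 if ( ames->len )
  memcpy(obuf + 4, ames->data, ames->len);

 mes->datalen = ames->len + 4;

 return 0;
}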
---|
439 | |
---|
/*
 * Prepare *mes as an in-line auth request for *ames and point ames->data at
 * the payload area inside mes->data so the caller can fill it in afterwards.
 *
 * Only messages whose header + payload fit into mes->data are supported.
 * Returns 0 on success, -1 on a NULL argument or an oversized payload (no
 * error code is set in either case).
 */
int roar_auth_init_mes(struct roar_message * mes, struct roar_auth_message * ames) {
 char * hdr;

 if ( mes == NULL || ames == NULL )
  return -1;

 if ( (ames->len + 4) > sizeof(mes->data) )
  return -1;

 memset(mes, 0, sizeof(*mes));
 mes->cmd = ROAR_CMD_AUTH;

 hdr    = mes->data;
 hdr[0] = ames->type;
 hdr[1] = ames->stage;
 hdr[2] = ames->reserved.c[0];
 hdr[3] = ames->reserved.c[1];

 /* Payload lives right behind the 4-byte header, inside the message itself. */
 ames->data   = hdr + 4;
 mes->datalen = ames->len + 4;

 return 0;
}
---|
462 | |
---|
463 | |
---|
464 | |
---|
// String functions:

/* Auth type <-> name table behind roar_str2autht() and roar_autht2str().
 * Terminated by the entry with name == NULL. The three OPENPGP variants all
 * share the name "openpgp", so a name lookup of "openpgp" yields the first. */
static struct {
 int type;
 const char * name;
} _g_authts[] = {
 // grep ^'#define ROAR_AUTH_T_' auth.h | while read d t d; do n=$(cut -d_ -f4 <<<$t | tr A-Z a-z); printf ' {%-28s %-10s},\n' $t, \"$n\"; done
 { .type = ROAR_AUTH_T_NONE,            .name = "none"     },
 { .type = ROAR_AUTH_T_COOKIE,          .name = "cookie"   },
 { .type = ROAR_AUTH_T_TRUST,           .name = "trust"    },
 { .type = ROAR_AUTH_T_PASSWORD,        .name = "password" },
 { .type = ROAR_AUTH_T_SYSUSER,         .name = "sysuser"  },
 { .type = ROAR_AUTH_T_OPENPGP_SIGN,    .name = "openpgp"  },
 { .type = ROAR_AUTH_T_OPENPGP_ENCRYPT, .name = "openpgp"  },
 { .type = ROAR_AUTH_T_OPENPGP_AUTH,    .name = "openpgp"  },
 { .type = ROAR_AUTH_T_KERBEROS,        .name = "kerberos" },
 { .type = ROAR_AUTH_T_RHOST,           .name = "rhost"    },
 { .type = ROAR_AUTH_T_XAUTH,           .name = "xauth"    },
 { .type = ROAR_AUTH_T_IDENT,           .name = "ident"    },
 { .type = -1,                          .name = NULL       }
};
---|
485 | |
---|
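/*
 * Map an auth type name (case-insensitive, e.g. "cookie") to its
 * ROAR_AUTH_T_* value.
 *
 * Returns -1 for a NULL pointer or an unknown name.
 */
int roar_str2autht(const char * str) {
 int i;

 if ( str == NULL )
  return -1; /* strcasecmp() on NULL would be undefined behaviour */

 for (i = 0; _g_authts[i].name != NULL; i++)
  if ( strcasecmp(_g_authts[i].name, str) == 0 )
   return _g_authts[i].type;

 return -1;
}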
---|
495 | |
---|
/*
 * Map a ROAR_AUTH_T_* value to its lower-case name.
 *
 * Returns a pointer to static storage (do not free); "(UNKNOWN)" for values
 * not in the table.
 */
const char * roar_autht2str(const int auth) {
 size_t idx = 0;

 while ( _g_authts[idx].name != NULL ) {
  if ( _g_authts[idx].type == auth )
   return _g_authts[idx].name;
  idx++;
 }

 return "(UNKNOWN)";
}
---|
505 | |
---|
506 | //ll |
---|