source: roaraudio/libroar/auth.c @ 5311:778a3e7b2b66

Last change on this file since 5311:778a3e7b2b66 was 5295:5914c84e72be, checked in by phi, 12 years ago

converted message (protocol) rutunes to use roar_mm_*() (Closes: #129)

File size: 13.4 KB
Line 
1//auth.c:
2
3/*
4 *      Copyright (C) Philipp 'ph3-der-loewe' Schafft - 2008-2011
5 *
6 *  This file is part of libroar a part of RoarAudio,
7 *  a cross-platform sound system for both, home and professional use.
8 *  See README for details.
9 *
10 *  This file is free software; you can redistribute it and/or modify
11 *  it under the terms of the GNU General Public License version 3
12 *  as published by the Free Software Foundation.
13 *
14 *  libroar is distributed in the hope that it will be useful,
15 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
16 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17 *  GNU General Public License for more details.
18 *
19 *  You should have received a copy of the GNU General Public License
20 *  along with this software; see the file COPYING.  If not, write to
21 *  the Free Software Foundation, 51 Franklin Street, Fifth Floor,
22 *  Boston, MA 02110-1301, USA.
23 *
24 *  NOTE for everyone want's to change something and send patches:
25 *  read README and HACKING! There a addition information on
26 *  the license of this document you need to read before you send
27 *  any patches.
28 *
29 *  NOTE for uses of non-GPL (LGPL,...) software using libesd, libartsc
30 *  or libpulse*:
31 *  The libs libroaresd, libroararts and libroarpulse link this lib
32 *  and are therefore GPL. Because of this it may be illegal to use
33 *  them with any software that uses libesd, libartsc or libpulse*.
34 */
35
36#include "libroar.h"
37
38/* How auth works:
39 * 0) set stage to zero
40 * 1) get server address and local node name (from uname())
41 * 2) look up authfile/authdb/authservice for the server+local address + stage.
42 *    if no data was found send NONE-Auth.
43 * 3) send data to server
44 * 4) read answer from server
45 * 5) if stage of server response is non-zero increment stage to server stage+1
46 *    and repeat from step 2)
47 * 6) check if we got an OK or an ERROR, return correct value
48 */
49
50/* The protocol:
51 * Auth request:
52 * Byte 0: auth type
53 * Byte 1: stage
54 * Byte 2: reserved (must be zero)
55 * Byte 3: reserved (must be zero)
56 * Byte 4-end: auth type depending data.
57 *
58 * If no data is to be send bytes 2 and 3 can be omitted.
59 * If no data is to be send and stage is zero bytes 1, 2 and 3 can be omitted.
60 *
61 * Auth response:
62 * The same as the auth request.
63 * if the server sends an zero size message back it means the server accepted our connection
64 * and no additional stage is needed.
65 * if the message type is OK the server accepted our auth.
66 * if the message type is ERROR the server rejected us. we may try other auth methods.
67 * if the server accepted our data and the stage is non-zero we need to continue with the next
68 * stage of the auth.
69 * if the server rejected us the auth type value of the response is a suggested next auth type
70 * we should try if possible. This may help the client to find a working auth type.
71 */
72
73/* The protocol by auth type:
74 *
75 * --- NONE:
76 * No data is send, the server accepts the connect or rejects it depending on some
77 * magic within the server. we do not care about this.
78 * The data block is not used.
79 *
80 * --- COOKIE:
81 * We send cookies for all stages the server ask us to provide a cookie.
82 * if a cookie is wrong the server rejects us or asks us for another.
83 * The cookie is send as binary data in the data block.
84 *
85 * --- TRUST:
86 * We ask the server to auth us based on our UID/GID/PID.
87 * The server may reject this because we are not allowed or because it is not
88 * supported by the transport.
89 * If we get rejected we may try to continue with IDENT then RHOST before we use NONE.
90 * The data block is not used.
91 *
92 * --- PASSWORD:
93 * This is technically the same as COOKIE just that the cookie is limited to
94 * printable ASCII chars and that the user should be asked to provide the password.
95 * This may be done via a GUI popup window.
96 *
97 * --- SYSUSER:
98 * We provide a Username + Password for a system user.
99 * The data block contains of two main parts:
100 * The first part is a one byte long subtype.
101 * The value must be 0x01 for username+password.
102 * future versions may define other types.
103 * the second part is the actual data block.
104 * for username+password it is splited into two fields, both terminated with \0.
105 * the first is the username the last one the password as clear text.
106 * Example: char data[] = "\001MyUser\0MyPassword\0";
107 *
108 * --- OPENPGP_SIGN:
109 *
110 * --- OPENPGP_ENCRYPT:
111 *
112 * --- OPENPGP_AUTH:
113 *
114 * --- KERBEROS:
115 * We use Kerberos to auth.
116 *
117 * --- RHOST:
118 * The server is asked to auth us based on our source address.
119 * The data block is not used.
120 *
121 * --- XAUTH:
122 * We send an X11 Cookie.
123 *
124 * --- IDENT:
125 * The server is asked to auth us based on our source address using the IDENT protocol.
126 * The data block is not used.
127 *
128 */
129
130static int roar_auth_ask_server (struct roar_connection * con, struct roar_auth_message * authmes) {
131 struct roar_error_frame error_frame;
132 struct roar_message     mes;
133 char                  * header = mes.data;
134 int                     ret;
135 char                  * data = NULL;
136
137 ROAR_DBG("roar_auth_ask_server(con=%p, authmes=%p{.type=%i}) = ?", con, authmes, authmes->type);
138
139 roar_err_init(&error_frame);
140 memset(&mes, 0, sizeof(struct roar_message)); // make valgrind happy!
141
142 mes.cmd     = ROAR_CMD_AUTH;
143 mes.stream  = -1;
144 mes.datalen =  4 + authmes->len;
145
146 if ( mes.datalen > sizeof(mes.data) ) {
147  data = roar_mm_malloc(mes.datalen);
148  if ( data == NULL )
149   return -1;
150
151  header   = data;
152 }
153
154 header[0] = authmes->type;
155 header[1] = authmes->stage;
156 header[2] = authmes->reserved.c[0];
157 header[3] = authmes->reserved.c[1];
158
159 if ( authmes->len ) {
160  if ( data == NULL ) {
161   memcpy(mes.data + 4, authmes->data, authmes->len);
162  } else {
163   memcpy(data + 4, authmes->data, authmes->len);
164  }
165 }
166
167 ROAR_DBG("roar_auth_ask_server(con=%p, authmes=%p{.type=%i}) = ?", con, authmes, authmes->type);
168
169 if ( (ret = roar_req2(con, &mes, &data, &error_frame)) == -1 ) {
170  authmes->type = -1;
171  ROAR_DBG("roar_auth_ask_server(con=%p, authmes=%p) = -1 // next: -1", con, authmes, authmes->type);
172  return -1;
173 }
174
175 ROAR_DBG("roar_auth_ask_server(con=%p, authmes=%p{.type=%i}): mes->cmd=%i", con, authmes, authmes->type, mes.cmd);
176
177 if ( data != NULL ) {
178  header = data;
179 } else {
180  header = mes.data;
181 }
182
183 if ( mes.cmd == ROAR_CMD_ERROR )
184  ret = -1;
185
186 ROAR_DBG("roar_auth_ask_server(con=%p, authmes=%p{.type=%i}): error_frame.data=%p",
187           con, authmes, authmes->type, error_frame.data);
188
189 if ( mes.cmd == ROAR_CMD_ERROR && error_frame.data != NULL ) {
190  header = error_frame.data;
191  mes.datalen = error_frame.datalen;
192 }
193
194 ROAR_DBG("roar_auth_ask_server(con=%p, authmes=%p{.type=%i}) = ?", con, authmes, authmes->type);
195
196 if ( mes.datalen < 4 ) {
197  memset(header+mes.datalen, 0, 4-mes.datalen);
198  authmes->type          = -1;
199 } else {
200  authmes->type          = header[0];
201 }
202
203 ROAR_DBG("roar_auth_ask_server(con=%p, authmes=%p) = ?", con, authmes);
204
205 authmes->stage         = header[1];
206 authmes->reserved.c[0] = header[2];
207 authmes->reserved.c[1] = header[3];
208
209 if ( data != NULL )
210  roar_mm_free(data);
211
212 ROAR_DBG("roar_auth_ask_server(con=%p, authmes=%p) = %i // next: %i", con, authmes, ret, authmes->type);
213 return ret;
214}
215
216static void roar_auth_mes_init(struct roar_auth_message * authmes, int type) {
217 memset(authmes, 0, sizeof(struct roar_auth_message));
218
219 authmes->type  = type;
220 authmes->stage = 0;
221 authmes->data  = NULL;
222 authmes->len   = 0;
223}
224
225
226static int try_password (struct roar_connection * con, int * next) {
227 struct roar_message mes;
228 struct roar_auth_message authmes;
229 char * pw;
230
231 // TODO: add support for *next.
232
233 roar_auth_mes_init(&authmes, ROAR_AUTH_T_PASSWORD);
234
235 if ( roar_passwd_simple_ask_pw(&pw, "Password for RoarAudio Server?", NULL) == -1 ) {
236  return -1;
237 }
238
239 authmes.len = strlen(pw);
240
241 if ( roar_auth_init_mes(&mes, &authmes) == -1 ) {
242  roar_mm_free(pw);
243  return -1;
244 }
245
246 // do not use strcpy() because that would copy \0, too.
247 memcpy(authmes.data, pw, authmes.len);
248
249 roar_mm_free(pw);
250
251 if ( roar_req(con, &mes, NULL) == -1 )
252  return -1;
253
254 if ( mes.cmd != ROAR_CMD_OK )
255  return -1;
256
257 if ( roar_auth_from_mes(&authmes, &mes, NULL) == -1 )
258  return -1;
259
260 if ( authmes.stage == 0 )
261  return 0;
262
263 return -1;
264}
265
266static int try_cookie (struct roar_connection * con, int * next) {
267 struct roar_libroar_config * config = roar_libroar_get_config();
268 struct roar_auth_message authmes;
269 struct roar_authfile * authfile;
270 struct roar_authfile_key * key;
271 int idx;
272 int done = 0;
273
274 roar_auth_mes_init(&authmes, ROAR_AUTH_T_COOKIE);
275
276 if ( (authfile = roar_authfile_open(ROAR_AUTHFILE_TYPE_AUTO, config->authfile, 0, ROAR_AUTHFILE_VERSION_AUTO)) == NULL )
277  return -1;
278
279 for (idx = 0; !done; idx++) {
280  if ( (key = roar_authfile_lookup_key(authfile, ROAR_AUTH_T_COOKIE, idx, NULL)) == NULL )
281   break;
282
283  authmes.data = key->data;
284  authmes.len  = key->len;
285
286  if ( roar_auth_ask_server(con, &authmes) != -1 )
287   done = 1;
288
289  roar_authfile_key_unref(key);
290 }
291
292 roar_authfile_close(authfile);
293
294 return done ? 0 : -1;
295}
296
297#define _EOL ROAR_AUTH_T_AUTO
298int roar_auth   (struct roar_connection * con) {
299 struct roar_auth_message authmes;
300 int ret;
301 int i;
302 int cur, next;
303 int done;
304 int ltt[] = {
305              ROAR_AUTH_T_TRUST,
306              ROAR_AUTH_T_IDENT,
307              ROAR_AUTH_T_RHOST,
308//              ROAR_AUTH_T_PASSWORD,
309              ROAR_AUTH_T_COOKIE,
310              ROAR_AUTH_T_NONE,
311              ROAR_AUTH_T_PASSWORD, // (re-)try password if there is no guest access.
312              _EOL
313             };
314
315 for (i = 0; ltt[i] != _EOL; i++) {
316  next = ltt[i];
317  ROAR_DBG("roar_auth(con=%p): next from ltt: %s(%i)", con, roar_autht2str(next), next);
318
319  while (next != -1) {
320   done = 1;
321
322   cur  = next;
323   next = -1;
324
325   ROAR_DBG("roar_auth(con=%p): cur=%s(%i)", con, roar_autht2str(cur), cur);
326
327   switch (cur) {
328    case ROAR_AUTH_T_PASSWORD:
329      if ( (ret = try_password(con, &next)) == -1 )
330       done = 0;
331      break;
332    case ROAR_AUTH_T_TRUST:
333    case ROAR_AUTH_T_IDENT:
334    case ROAR_AUTH_T_RHOST:
335    case ROAR_AUTH_T_NONE:
336      roar_auth_mes_init(&authmes, cur);
337      if ( (ret = roar_auth_ask_server(con, &authmes)) == -1 )
338       done = 0;
339
340      next = authmes.type;
341     break;
342    case ROAR_AUTH_T_COOKIE:
343      if ( (ret = try_cookie(con, &next)) == -1 )
344       done = 0;
345      break;
346     break;
347    default: /* Bad error! */
348      return -1;
349     break;
350   }
351
352   if ( authmes.stage != 0 )
353    done = 0;
354
355   ROAR_DBG("roar_auth(con=%p): done=%i, next=%i", con, done, next);
356
357   if ( done ) {
358    ROAR_DBG("roar_auth(con=%p) = 0", con);
359    return 0;
360   }
361  }
362 }
363
364 ROAR_DBG("roar_auth(con=%p) = -1", con);
365 return -1;
366}
367
368
369int roar_auth_from_mes(struct roar_auth_message * ames, struct roar_message * mes, void * data) {
370 void * ibuf;
371 char header[4] = {0, 0, 0, 0};
372
373 if ( ames == NULL || mes == NULL ) {
374  roar_err_set(ROAR_ERROR_FAULT);
375  return -1;
376 }
377
378 if ( data != NULL ) {
379  ibuf = data;
380 } else {
381  ibuf = mes->data;
382 }
383
384 memset(ames, 0, sizeof(struct roar_auth_message));
385
386 memcpy(header, ibuf, mes->datalen < 4 ? mes->datalen : 4);
387
388 ames->type          = header[0];
389 ames->stage         = header[1];
390 ames->reserved.c[0] = header[2];
391 ames->reserved.c[1] = header[3];
392
393 if ( mes->datalen > 4 ) {
394  ames->data = ibuf + 4;
395  ames->len  = mes->datalen - 4;
396 } else {
397  ames->data = NULL;
398  ames->len  = 0;
399 }
400
401 return 0;
402}
403
404int roar_auth_to_mes(struct roar_message * mes, void ** data, struct roar_auth_message * ames) {
405 char * obuf;
406
407 if ( mes == NULL || ames == NULL ) {
408  roar_err_set(ROAR_ERROR_FAULT);
409  return -1;
410 }
411
412 if ( data != NULL )
413  *data = NULL;
414
415 memset(mes, 0, sizeof(struct roar_message));
416
417 mes->cmd = ROAR_CMD_AUTH;
418
419 if ( (ames->len + 4) > sizeof(mes->data) ) {
420  *data = roar_mm_malloc(ames->len + 4);
421  if ( *data == NULL )
422   return -1;
423  obuf = *data;
424 } else {
425  obuf = mes->data;
426 }
427
428 obuf[0] = ames->type;
429 obuf[1] = ames->stage;
430 obuf[2] = ames->reserved.c[0];
431 obuf[3] = ames->reserved.c[1];
432
433 memcpy(obuf + 8, ames->data, ames->len);
434
435 mes->datalen = ames->len + 4;
436
437 return 0;
438}
439
440int roar_auth_init_mes(struct roar_message * mes, struct roar_auth_message * ames) {
441 if ( mes == NULL || ames == NULL )
442  return -1;
443
444 if ( (ames->len + 4) > sizeof(mes->data) )
445  return -1;
446
447 memset(mes, 0, sizeof(struct roar_message));
448
449 mes->cmd = ROAR_CMD_AUTH;
450
451 mes->data[0] = ames->type;
452 mes->data[1] = ames->stage;
453 mes->data[2] = ames->reserved.c[0];
454 mes->data[3] = ames->reserved.c[1];
455
456 ames->data = &(mes->data[4]);
457
458 mes->datalen = ames->len + 4;
459
460 return 0;
461}
462
463
464
465// String functions:
466static struct {
467 int    type;
468 const char * name;
469} _g_authts[] = {
470// grep ^'#define ROAR_AUTH_T_' auth.h | while read d t d; do n=$(cut -d_ -f4 <<<$t | tr A-Z a-z); printf ' {%-28s %-10s},\n' $t, \"$n\"; done
471 {ROAR_AUTH_T_NONE,            "none"    },
472 {ROAR_AUTH_T_COOKIE,          "cookie"  },
473 {ROAR_AUTH_T_TRUST,           "trust"   },
474 {ROAR_AUTH_T_PASSWORD,        "password"},
475 {ROAR_AUTH_T_SYSUSER,         "sysuser" },
476 {ROAR_AUTH_T_OPENPGP_SIGN,    "openpgp" },
477 {ROAR_AUTH_T_OPENPGP_ENCRYPT, "openpgp" },
478 {ROAR_AUTH_T_OPENPGP_AUTH,    "openpgp" },
479 {ROAR_AUTH_T_KERBEROS,        "kerberos"},
480 {ROAR_AUTH_T_RHOST,           "rhost"   },
481 {ROAR_AUTH_T_XAUTH,           "xauth"   },
482 {ROAR_AUTH_T_IDENT,           "ident"   },
483 {-1, NULL}
484};
485
486int    roar_str2autht(const char * str) {
487 int i;
488
489 for (i = 0; _g_authts[i].name != NULL; i++)
490  if ( !strcasecmp(_g_authts[i].name, str) )
491   return _g_authts[i].type;
492
493 return -1;
494}
495
496const char * roar_autht2str(const int auth) {
497 int i;
498
499 for (i = 0; _g_authts[i].name != NULL; i++)
500  if ( _g_authts[i].type == auth )
501   return _g_authts[i].name;
502
503 return "(UNKNOWN)";
504}
505
506//ll
Note: See TracBrowser for help on using the repository browser.