2010-05-06 20:13:59 +02:00
|
|
|
/* GDBus - GLib D-Bus Library
|
|
|
|
*
|
2010-05-09 19:14:55 +02:00
|
|
|
* Copyright (C) 2008-2010 Red Hat, Inc.
|
2010-05-06 20:13:59 +02:00
|
|
|
*
|
2022-05-18 10:12:45 +02:00
|
|
|
* SPDX-License-Identifier: LGPL-2.1-or-later
|
|
|
|
*
|
2010-05-06 20:13:59 +02:00
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
2017-05-27 18:21:30 +02:00
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
2010-05-06 20:13:59 +02:00
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General
|
2014-01-23 12:58:29 +01:00
|
|
|
* Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
|
2010-05-06 20:13:59 +02:00
|
|
|
*
|
|
|
|
* Author: David Zeuthen <davidz@redhat.com>
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "config.h"
|
|
|
|
|
|
|
|
#include "gdbusauth.h"
|
2010-05-14 14:38:07 +02:00
|
|
|
|
2010-05-06 20:13:59 +02:00
|
|
|
#include "gdbusauthmechanismanon.h"
|
|
|
|
#include "gdbusauthmechanismexternal.h"
|
|
|
|
#include "gdbusauthmechanismsha1.h"
|
|
|
|
#include "gdbusauthobserver.h"
|
|
|
|
|
|
|
|
#include "gdbuserror.h"
|
|
|
|
#include "gdbusutils.h"
|
|
|
|
#include "gioenumtypes.h"
|
|
|
|
#include "gcredentials.h"
|
GDBus: prefer getsockopt()-style credentials-passing APIs
Conceptually, a D-Bus server is really trying to determine the credentials
of (the process that initiated) a connection, not the credentials that
the process had when it sent a particular message. Ideally, it does
this with a getsockopt()-style API that queries the credentials of the
connection's initiator without requiring any particular cooperation from
that process, avoiding a class of possible failures.
The leading '\0' in the D-Bus protocol is primarily a workaround
for platforms where the message-based credentials-passing API is
strictly better than the getsockopt()-style API (for example, on
FreeBSD, SCM_CREDS includes a process ID but getpeereid() does not),
or where the getsockopt()-style API does not exist at all. As a result
libdbus, the reference implementation of D-Bus, does not implement
Linux SCM_CREDENTIALS at all - it has no reason to do so, because the
SO_PEERCRED socket option is equally informative.
This change makes GDBusServer on Linux more closely match the behaviour
of libdbus.
In particular, GNOME/glib#1831 indicates that when a libdbus client
connects to a GDBus server, recvmsg() sometimes yields a SCM_CREDENTIALS
message with cmsg_data={pid=0, uid=65534, gid=65534}. I think this is
most likely a race condition in the early steps to connect:
client server
connect
accept
send '\0' <- race -> set SO_PASSCRED = 1
receive '\0'
If the server wins the race:
client server
connect
accept
set SO_PASSCRED = 1
send '\0'
receive '\0'
then everything is fine. However, if the client wins the race:
client server
connect
accept
send '\0'
set SO_PASSCRED = 1
receive '\0'
then the kernel does not record credentials for the message containing
'\0' (because SO_PASSCRED was 0 at the time). However, by the time the
server receives the message, the kernel knows that credentials are
desired. I would have expected the kernel to omit the credentials header
in this case, but it seems that instead, it synthesizes a credentials
structure with a dummy process ID 0, a dummy uid derived from
/proc/sys/kernel/overflowuid and a dummy gid derived from
/proc/sys/kernel/overflowgid.
In an unconfigured GDBusServer, hitting this race condition results in
falling back to DBUS_COOKIE_SHA1 authentication, which in practice usually
succeeds in authenticating the peer's uid. However, we encourage AF_UNIX
servers on Unix platforms to allow only EXTERNAL authentication as a
security-hardening measure, because DBUS_COOKIE_SHA1 relies on a series
of assumptions including a cryptographically strong PRNG and a shared
home directory with no write access by others, which are not necessarily
true for all operating systems and users. EXTERNAL authentication will
fail if the server cannot determine the client's credentials.
In particular, this caused a regression when CVE-2019-14822 was fixed
in ibus, which appears to be resolved by this commit. Qt clients
(which use libdbus) intermittently fail to connect to an ibus server
(which uses GDBusServer), because ibus no longer allows DBUS_COOKIE_SHA1
authentication or non-matching uids.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: https://gitlab.gnome.org/GNOME/glib/issues/1831
2019-10-14 09:47:39 +02:00
|
|
|
#include "gcredentialsprivate.h"
|
2010-05-06 20:13:59 +02:00
|
|
|
#include "gdbusprivate.h"
|
2010-05-20 16:51:00 +02:00
|
|
|
#include "giostream.h"
|
|
|
|
#include "gdatainputstream.h"
|
|
|
|
#include "gdataoutputstream.h"
|
2010-05-06 20:13:59 +02:00
|
|
|
|
2010-11-11 15:57:25 +01:00
|
|
|
#include "gnetworking.h"
|
2010-05-14 14:38:07 +02:00
|
|
|
#include "gunixconnection.h"
|
2010-05-06 20:13:59 +02:00
|
|
|
#include "gunixcredentialsmessage.h"
|
|
|
|
|
2010-05-06 22:34:23 +02:00
|
|
|
#include "glibintl.h"
|
|
|
|
|
2013-01-13 17:05:14 +01:00
|
|
|
G_GNUC_PRINTF(1, 2)
|
2010-05-06 20:13:59 +02:00
|
|
|
static void
|
|
|
|
debug_print (const gchar *message, ...)
|
|
|
|
{
|
|
|
|
if (G_UNLIKELY (_g_dbus_debug_authentication ()))
|
|
|
|
{
|
|
|
|
gchar *s;
|
|
|
|
GString *str;
|
|
|
|
va_list var_args;
|
|
|
|
guint n;
|
|
|
|
|
2010-07-02 15:40:59 +02:00
|
|
|
_g_dbus_debug_print_lock ();
|
|
|
|
|
2010-05-06 20:13:59 +02:00
|
|
|
va_start (var_args, message);
|
|
|
|
s = g_strdup_vprintf (message, var_args);
|
|
|
|
va_end (var_args);
|
|
|
|
|
|
|
|
str = g_string_new (NULL);
|
|
|
|
for (n = 0; s[n] != '\0'; n++)
|
|
|
|
{
|
|
|
|
if (G_UNLIKELY (s[n] == '\r'))
|
|
|
|
g_string_append (str, "\\r");
|
|
|
|
else if (G_UNLIKELY (s[n] == '\n'))
|
|
|
|
g_string_append (str, "\\n");
|
|
|
|
else
|
|
|
|
g_string_append_c (str, s[n]);
|
|
|
|
}
|
|
|
|
g_print ("GDBus-debug:Auth: %s\n", str->str);
|
|
|
|
g_string_free (str, TRUE);
|
|
|
|
g_free (s);
|
2010-07-02 15:40:59 +02:00
|
|
|
|
|
|
|
_g_dbus_debug_print_unlock ();
|
2010-05-06 20:13:59 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
typedef struct
|
|
|
|
{
|
|
|
|
const gchar *name;
|
|
|
|
gint priority;
|
|
|
|
GType gtype;
|
|
|
|
} Mechanism;
|
|
|
|
|
|
|
|
static void mechanism_free (Mechanism *m);
|
|
|
|
|
|
|
|
struct _GDBusAuthPrivate
|
|
|
|
{
|
|
|
|
GIOStream *stream;
|
|
|
|
|
|
|
|
/* A list of available Mechanism, sorted according to priority */
|
|
|
|
GList *available_mechanisms;
|
|
|
|
};
|
|
|
|
|
|
|
|
enum
|
|
|
|
{
|
|
|
|
PROP_0,
|
|
|
|
PROP_STREAM
|
|
|
|
};
|
|
|
|
|
2013-06-11 01:29:58 +02:00
|
|
|
G_DEFINE_TYPE_WITH_PRIVATE (GDBusAuth, _g_dbus_auth, G_TYPE_OBJECT)
|
2010-05-06 20:13:59 +02:00
|
|
|
|
|
|
|
/* ---------------------------------------------------------------------------------------------------- */
|
|
|
|
|
|
|
|
static void
|
|
|
|
_g_dbus_auth_finalize (GObject *object)
|
|
|
|
{
|
|
|
|
GDBusAuth *auth = G_DBUS_AUTH (object);
|
|
|
|
|
|
|
|
if (auth->priv->stream != NULL)
|
|
|
|
g_object_unref (auth->priv->stream);
|
2012-01-02 16:30:11 +01:00
|
|
|
g_list_free_full (auth->priv->available_mechanisms, (GDestroyNotify) mechanism_free);
|
2010-05-06 20:13:59 +02:00
|
|
|
|
|
|
|
if (G_OBJECT_CLASS (_g_dbus_auth_parent_class)->finalize != NULL)
|
|
|
|
G_OBJECT_CLASS (_g_dbus_auth_parent_class)->finalize (object);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
_g_dbus_auth_get_property (GObject *object,
|
|
|
|
guint prop_id,
|
|
|
|
GValue *value,
|
|
|
|
GParamSpec *pspec)
|
|
|
|
{
|
|
|
|
GDBusAuth *auth = G_DBUS_AUTH (object);
|
|
|
|
|
|
|
|
switch (prop_id)
|
|
|
|
{
|
|
|
|
case PROP_STREAM:
|
|
|
|
g_value_set_object (value, auth->priv->stream);
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
_g_dbus_auth_set_property (GObject *object,
|
|
|
|
guint prop_id,
|
|
|
|
const GValue *value,
|
|
|
|
GParamSpec *pspec)
|
|
|
|
{
|
|
|
|
GDBusAuth *auth = G_DBUS_AUTH (object);
|
|
|
|
|
|
|
|
switch (prop_id)
|
|
|
|
{
|
|
|
|
case PROP_STREAM:
|
|
|
|
auth->priv->stream = g_value_dup_object (value);
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
_g_dbus_auth_class_init (GDBusAuthClass *klass)
|
|
|
|
{
|
|
|
|
GObjectClass *gobject_class;
|
|
|
|
|
|
|
|
gobject_class = G_OBJECT_CLASS (klass);
|
|
|
|
gobject_class->get_property = _g_dbus_auth_get_property;
|
|
|
|
gobject_class->set_property = _g_dbus_auth_set_property;
|
|
|
|
gobject_class->finalize = _g_dbus_auth_finalize;
|
|
|
|
|
|
|
|
g_object_class_install_property (gobject_class,
|
|
|
|
PROP_STREAM,
|
2023-04-28 01:59:26 +02:00
|
|
|
g_param_spec_object ("stream", NULL, NULL,
|
2010-05-06 20:13:59 +02:00
|
|
|
G_TYPE_IO_STREAM,
|
|
|
|
G_PARAM_READABLE |
|
|
|
|
G_PARAM_WRITABLE |
|
|
|
|
G_PARAM_CONSTRUCT_ONLY |
|
|
|
|
G_PARAM_STATIC_NAME |
|
|
|
|
G_PARAM_STATIC_BLURB |
|
|
|
|
G_PARAM_STATIC_NICK));
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
mechanism_free (Mechanism *m)
|
|
|
|
{
|
|
|
|
g_free (m);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
2012-04-12 05:30:48 +02:00
|
|
|
add_mechanism (GDBusAuth *auth,
|
|
|
|
GDBusAuthObserver *observer,
|
|
|
|
GType mechanism_type)
|
2010-05-06 20:13:59 +02:00
|
|
|
{
|
2012-04-12 05:30:48 +02:00
|
|
|
const gchar *name;
|
2010-05-06 20:13:59 +02:00
|
|
|
|
2012-04-12 05:30:48 +02:00
|
|
|
name = _g_dbus_auth_mechanism_get_name (mechanism_type);
|
2012-04-14 18:40:57 +02:00
|
|
|
if (observer == NULL || g_dbus_auth_observer_allow_mechanism (observer, name))
|
2012-04-12 05:30:48 +02:00
|
|
|
{
|
|
|
|
Mechanism *m;
|
|
|
|
m = g_new0 (Mechanism, 1);
|
|
|
|
m->name = name;
|
|
|
|
m->priority = _g_dbus_auth_mechanism_get_priority (mechanism_type);
|
|
|
|
m->gtype = mechanism_type;
|
|
|
|
auth->priv->available_mechanisms = g_list_prepend (auth->priv->available_mechanisms, m);
|
|
|
|
}
|
2010-05-06 20:13:59 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
static gint
|
|
|
|
mech_compare_func (Mechanism *a, Mechanism *b)
|
|
|
|
{
|
|
|
|
gint ret;
|
|
|
|
/* ensure deterministic order */
|
|
|
|
ret = b->priority - a->priority;
|
|
|
|
if (ret == 0)
|
|
|
|
ret = g_strcmp0 (b->name, a->name);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
_g_dbus_auth_init (GDBusAuth *auth)
|
|
|
|
{
|
2013-06-24 16:43:04 +02:00
|
|
|
auth->priv = _g_dbus_auth_get_instance_private (auth);
|
2012-04-12 05:30:48 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
_g_dbus_auth_add_mechs (GDBusAuth *auth,
|
|
|
|
GDBusAuthObserver *observer)
|
|
|
|
{
|
2010-05-06 20:13:59 +02:00
|
|
|
/* TODO: trawl extension points */
|
2012-04-12 05:30:48 +02:00
|
|
|
add_mechanism (auth, observer, G_TYPE_DBUS_AUTH_MECHANISM_ANON);
|
|
|
|
add_mechanism (auth, observer, G_TYPE_DBUS_AUTH_MECHANISM_SHA1);
|
|
|
|
add_mechanism (auth, observer, G_TYPE_DBUS_AUTH_MECHANISM_EXTERNAL);
|
2010-05-06 20:13:59 +02:00
|
|
|
|
|
|
|
auth->priv->available_mechanisms = g_list_sort (auth->priv->available_mechanisms,
|
|
|
|
(GCompareFunc) mech_compare_func);
|
|
|
|
}
|
|
|
|
|
|
|
|
static GType
|
|
|
|
find_mech_by_name (GDBusAuth *auth,
|
|
|
|
const gchar *name)
|
|
|
|
{
|
|
|
|
GType ret;
|
|
|
|
GList *l;
|
|
|
|
|
|
|
|
ret = (GType) 0;
|
|
|
|
|
|
|
|
for (l = auth->priv->available_mechanisms; l != NULL; l = l->next)
|
|
|
|
{
|
|
|
|
Mechanism *m = l->data;
|
|
|
|
if (g_strcmp0 (name, m->name) == 0)
|
|
|
|
{
|
|
|
|
ret = m->gtype;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
out:
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
GDBusAuth *
|
|
|
|
_g_dbus_auth_new (GIOStream *stream)
|
|
|
|
{
|
|
|
|
return g_object_new (G_TYPE_DBUS_AUTH,
|
|
|
|
"stream", stream,
|
|
|
|
NULL);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* ---------------------------------------------------------------------------------------------------- */
|
|
|
|
/* like g_data_input_stream_read_line() but sets error if there's no content to read */
|
|
|
|
static gchar *
|
|
|
|
_my_g_data_input_stream_read_line (GDataInputStream *dis,
|
|
|
|
gsize *out_line_length,
|
|
|
|
GCancellable *cancellable,
|
|
|
|
GError **error)
|
|
|
|
{
|
|
|
|
gchar *ret;
|
|
|
|
|
|
|
|
g_return_val_if_fail (error == NULL || *error == NULL, NULL);
|
|
|
|
|
|
|
|
ret = g_data_input_stream_read_line (dis,
|
|
|
|
out_line_length,
|
|
|
|
cancellable,
|
|
|
|
error);
|
|
|
|
if (ret == NULL && error != NULL && *error == NULL)
|
|
|
|
{
|
|
|
|
g_set_error_literal (error,
|
|
|
|
G_IO_ERROR,
|
|
|
|
G_IO_ERROR_FAILED,
|
|
|
|
_("Unexpected lack of content trying to read a line"));
|
|
|
|
}
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* This function is to avoid situations like this
|
|
|
|
*
|
|
|
|
* BEGIN\r\nl\0\0\1...
|
|
|
|
*
|
|
|
|
* e.g. where we read into the first D-Bus message while waiting for
|
|
|
|
* the final line from the client (TODO: file bug against gio for
|
|
|
|
* this)
|
|
|
|
*/
|
|
|
|
static gchar *
|
|
|
|
_my_g_input_stream_read_line_safe (GInputStream *i,
|
|
|
|
gsize *out_line_length,
|
|
|
|
GCancellable *cancellable,
|
|
|
|
GError **error)
|
|
|
|
{
|
|
|
|
GString *str;
|
|
|
|
gchar c;
|
|
|
|
gssize num_read;
|
|
|
|
gboolean last_was_cr;
|
|
|
|
|
|
|
|
str = g_string_new (NULL);
|
|
|
|
|
|
|
|
last_was_cr = FALSE;
|
|
|
|
while (TRUE)
|
|
|
|
{
|
|
|
|
num_read = g_input_stream_read (i,
|
|
|
|
&c,
|
|
|
|
1,
|
|
|
|
cancellable,
|
|
|
|
error);
|
|
|
|
if (num_read == -1)
|
|
|
|
goto fail;
|
|
|
|
if (num_read == 0)
|
|
|
|
{
|
|
|
|
if (error != NULL && *error == NULL)
|
|
|
|
{
|
|
|
|
g_set_error_literal (error,
|
|
|
|
G_IO_ERROR,
|
|
|
|
G_IO_ERROR_FAILED,
|
|
|
|
_("Unexpected lack of content trying to (safely) read a line"));
|
|
|
|
}
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
g_string_append_c (str, (gint) c);
|
|
|
|
if (last_was_cr)
|
|
|
|
{
|
|
|
|
if (c == 0x0a)
|
|
|
|
{
|
|
|
|
g_assert (str->len >= 2);
|
|
|
|
g_string_set_size (str, str->len - 2);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
last_was_cr = (c == 0x0d);
|
|
|
|
}
|
|
|
|
|
|
|
|
out:
|
|
|
|
if (out_line_length != NULL)
|
|
|
|
*out_line_length = str->len;
|
|
|
|
return g_string_free (str, FALSE);
|
|
|
|
|
|
|
|
fail:
|
|
|
|
g_assert (error == NULL || *error != NULL);
|
|
|
|
g_string_free (str, TRUE);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* ---------------------------------------------------------------------------------------------------- */
|
|
|
|
|
|
|
|
static gchar *
|
|
|
|
hexdecode (const gchar *str,
|
|
|
|
gsize *out_len,
|
|
|
|
GError **error)
|
|
|
|
{
|
|
|
|
gchar *ret;
|
|
|
|
GString *s;
|
|
|
|
guint n;
|
|
|
|
|
|
|
|
ret = NULL;
|
|
|
|
s = g_string_new (NULL);
|
|
|
|
|
|
|
|
for (n = 0; str[n] != '\0'; n += 2)
|
|
|
|
{
|
|
|
|
gint upper_nibble;
|
|
|
|
gint lower_nibble;
|
|
|
|
guint value;
|
|
|
|
|
|
|
|
upper_nibble = g_ascii_xdigit_value (str[n]);
|
|
|
|
lower_nibble = g_ascii_xdigit_value (str[n + 1]);
|
|
|
|
if (upper_nibble == -1 || lower_nibble == -1)
|
|
|
|
{
|
|
|
|
g_set_error (error,
|
|
|
|
G_IO_ERROR,
|
|
|
|
G_IO_ERROR_FAILED,
|
2013-05-20 22:54:48 +02:00
|
|
|
"Error hexdecoding string '%s' around position %d",
|
2010-05-06 20:13:59 +02:00
|
|
|
str, n);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
value = (upper_nibble<<4) | lower_nibble;
|
|
|
|
g_string_append_c (s, value);
|
|
|
|
}
|
|
|
|
|
2018-03-08 10:35:15 +01:00
|
|
|
*out_len = s->len;
|
2010-05-06 20:13:59 +02:00
|
|
|
ret = g_string_free (s, FALSE);
|
|
|
|
s = NULL;
|
|
|
|
|
|
|
|
out:
|
|
|
|
if (s != NULL)
|
2018-03-08 10:35:15 +01:00
|
|
|
{
|
|
|
|
*out_len = 0;
|
|
|
|
g_string_free (s, TRUE);
|
|
|
|
}
|
|
|
|
return ret;
|
2010-05-06 20:13:59 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
/* ---------------------------------------------------------------------------------------------------- */
|
|
|
|
|
|
|
|
static GDBusAuthMechanism *
|
|
|
|
client_choose_mech_and_send_initial_response (GDBusAuth *auth,
|
|
|
|
GCredentials *credentials_that_were_sent,
|
gdbusauthmechanismexternal: Optionally send empty authorization identity
When using a GDBus client in a non-trivial user namespace, the result of
geteuid() can differ from the uid in the namespace where the server is
running. This would result in connection attempts being rejected, because
the identity that the client claims to have does not match the identity
that the server derives from its credentials.
RFC 4422 allows us to send an empty authorization identity, which means we
want to authenticate as whatever identity the server can derive from our
out-of-band credentials. In particular, this resolves the authentication
failure when crossing between different Linux user namespaces.
Because D-Bus does not have a way to represent an empty initial response
as distinct from the absence of an initial response, we cannot use the
initial-response optimization (RFC 4422 §4.3.a) in this case, and must
fall back to waiting for the server to send a challenge.
Unfortunately, GDBus versions older than glib!2826 did not implement
the server side of this protocol correctly, and would respond to the
missing initial response in a way that breaks the SASL state machine
(expecting a response without sending a challenge), causing client and
server to deadlock with each waiting for the other to respond. Until
fixed versions of GDBus are widespread, we can't rely on having a server
that can cope with this, so gate it behind a flag, which can be set for
connections that are known to cross non-trivial namespace boundaries.
Originally inspired by
<https://github.com/systemd/systemd/commit/1ed4723d38cd0d1423c8fe650f90fa86007ddf55>,
and based on earlier work by Giuseppe Scrivano (in which the
cross-namespace behaviour was unconditional, rather than gated by a
flag).
Co-authored-by: Giuseppe Scrivano <giuseppe@scrivano.org>
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-07-24 14:02:51 +02:00
|
|
|
GDBusConnectionFlags conn_flags,
|
2010-05-06 20:13:59 +02:00
|
|
|
const gchar* const *supported_auth_mechs,
|
|
|
|
GPtrArray *attempted_auth_mechs,
|
|
|
|
GDataOutputStream *dos,
|
|
|
|
GCancellable *cancellable,
|
|
|
|
GError **error)
|
|
|
|
{
|
|
|
|
GDBusAuthMechanism *mech;
|
|
|
|
GType auth_mech_to_use_gtype;
|
|
|
|
guint n;
|
|
|
|
guint m;
|
|
|
|
gchar *initial_response;
|
|
|
|
gsize initial_response_len;
|
|
|
|
gchar *encoded;
|
|
|
|
gchar *s;
|
|
|
|
|
|
|
|
again:
|
|
|
|
mech = NULL;
|
|
|
|
|
|
|
|
debug_print ("CLIENT: Trying to choose mechanism");
|
|
|
|
|
|
|
|
/* find an authentication mechanism to try, if any */
|
|
|
|
auth_mech_to_use_gtype = (GType) 0;
|
|
|
|
for (n = 0; supported_auth_mechs[n] != NULL; n++)
|
|
|
|
{
|
|
|
|
gboolean attempted_already;
|
|
|
|
attempted_already = FALSE;
|
|
|
|
for (m = 0; m < attempted_auth_mechs->len; m++)
|
|
|
|
{
|
|
|
|
if (g_strcmp0 (supported_auth_mechs[n], attempted_auth_mechs->pdata[m]) == 0)
|
|
|
|
{
|
|
|
|
attempted_already = TRUE;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (!attempted_already)
|
|
|
|
{
|
|
|
|
auth_mech_to_use_gtype = find_mech_by_name (auth, supported_auth_mechs[n]);
|
|
|
|
if (auth_mech_to_use_gtype != (GType) 0)
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (auth_mech_to_use_gtype == (GType) 0)
|
|
|
|
{
|
|
|
|
gchar *available;
|
|
|
|
GString *tried_str;
|
|
|
|
|
|
|
|
debug_print ("CLIENT: Exhausted all available mechanisms");
|
|
|
|
|
|
|
|
available = g_strjoinv (", ", (gchar **) supported_auth_mechs);
|
|
|
|
|
|
|
|
tried_str = g_string_new (NULL);
|
|
|
|
for (n = 0; n < attempted_auth_mechs->len; n++)
|
|
|
|
{
|
|
|
|
if (n > 0)
|
|
|
|
g_string_append (tried_str, ", ");
|
|
|
|
g_string_append (tried_str, attempted_auth_mechs->pdata[n]);
|
|
|
|
}
|
|
|
|
g_set_error (error,
|
|
|
|
G_IO_ERROR,
|
|
|
|
G_IO_ERROR_FAILED,
|
|
|
|
_("Exhausted all available authentication mechanisms (tried: %s) (available: %s)"),
|
|
|
|
tried_str->str,
|
|
|
|
available);
|
|
|
|
g_string_free (tried_str, TRUE);
|
|
|
|
g_free (available);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* OK, decided on a mechanism - let's do this thing */
|
|
|
|
mech = g_object_new (auth_mech_to_use_gtype,
|
|
|
|
"stream", auth->priv->stream,
|
|
|
|
"credentials", credentials_that_were_sent,
|
|
|
|
NULL);
|
2013-05-20 22:54:48 +02:00
|
|
|
debug_print ("CLIENT: Trying mechanism '%s'", _g_dbus_auth_mechanism_get_name (auth_mech_to_use_gtype));
|
2010-05-06 20:13:59 +02:00
|
|
|
g_ptr_array_add (attempted_auth_mechs, (gpointer) _g_dbus_auth_mechanism_get_name (auth_mech_to_use_gtype));
|
|
|
|
|
|
|
|
/* the auth mechanism may not be supported
|
|
|
|
* (for example, EXTERNAL only works if credentials were exchanged)
|
|
|
|
*/
|
|
|
|
if (!_g_dbus_auth_mechanism_is_supported (mech))
|
|
|
|
{
|
2013-05-20 22:54:48 +02:00
|
|
|
debug_print ("CLIENT: Mechanism '%s' says it is not supported", _g_dbus_auth_mechanism_get_name (auth_mech_to_use_gtype));
|
2010-05-06 20:13:59 +02:00
|
|
|
g_object_unref (mech);
|
|
|
|
mech = NULL;
|
|
|
|
goto again;
|
|
|
|
}
|
|
|
|
|
2018-03-08 11:07:31 +01:00
|
|
|
initial_response_len = 0;
|
2010-05-06 20:13:59 +02:00
|
|
|
initial_response = _g_dbus_auth_mechanism_client_initiate (mech,
|
gdbusauthmechanismexternal: Optionally send empty authorization identity
When using a GDBus client in a non-trivial user namespace, the result of
geteuid() can differ from the uid in the namespace where the server is
running. This would result in connection attempts being rejected, because
the identity that the client claims to have does not match the identity
that the server derives from its credentials.
RFC 4422 allows us to send an empty authorization identity, which means we
want to authenticate as whatever identity the server can derive from our
out-of-band credentials. In particular, this resolves the authentication
failure when crossing between different Linux user namespaces.
Because D-Bus does not have a way to represent an empty initial response
as distinct from the absence of an initial response, we cannot use the
initial-response optimization (RFC 4422 §4.3.a) in this case, and must
fall back to waiting for the server to send a challenge.
Unfortunately, GDBus versions older than glib!2826 did not implement
the server side of this protocol correctly, and would respond to the
missing initial response in a way that breaks the SASL state machine
(expecting a response without sending a challenge), causing client and
server to deadlock with each waiting for the other to respond. Until
fixed versions of GDBus are widespread, we can't rely on having a server
that can cope with this, so gate it behind a flag, which can be set for
connections that are known to cross non-trivial namespace boundaries.
Originally inspired by
<https://github.com/systemd/systemd/commit/1ed4723d38cd0d1423c8fe650f90fa86007ddf55>,
and based on earlier work by Giuseppe Scrivano (in which the
cross-namespace behaviour was unconditional, rather than gated by a
flag).
Co-authored-by: Giuseppe Scrivano <giuseppe@scrivano.org>
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-07-24 14:02:51 +02:00
|
|
|
conn_flags,
|
2010-05-06 20:13:59 +02:00
|
|
|
&initial_response_len);
|
|
|
|
#if 0
|
2013-05-20 22:54:48 +02:00
|
|
|
g_printerr ("using auth mechanism with name '%s' of type '%s' with initial response '%s'\n",
|
2010-05-06 20:13:59 +02:00
|
|
|
_g_dbus_auth_mechanism_get_name (auth_mech_to_use_gtype),
|
|
|
|
g_type_name (G_TYPE_FROM_INSTANCE (mech)),
|
|
|
|
initial_response);
|
|
|
|
#endif
|
|
|
|
if (initial_response != NULL)
|
|
|
|
{
|
2013-05-20 22:54:48 +02:00
|
|
|
//g_printerr ("initial_response = '%s'\n", initial_response);
|
2018-03-09 10:05:22 +01:00
|
|
|
encoded = _g_dbus_hexencode (initial_response, initial_response_len);
|
2010-05-06 20:13:59 +02:00
|
|
|
s = g_strdup_printf ("AUTH %s %s\r\n",
|
|
|
|
_g_dbus_auth_mechanism_get_name (auth_mech_to_use_gtype),
|
|
|
|
encoded);
|
|
|
|
g_free (initial_response);
|
|
|
|
g_free (encoded);
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
s = g_strdup_printf ("AUTH %s\r\n", _g_dbus_auth_mechanism_get_name (auth_mech_to_use_gtype));
|
|
|
|
}
|
2013-05-20 22:54:48 +02:00
|
|
|
debug_print ("CLIENT: writing '%s'", s);
|
2010-05-06 20:13:59 +02:00
|
|
|
if (!g_data_output_stream_put_string (dos, s, cancellable, error))
|
|
|
|
{
|
|
|
|
g_object_unref (mech);
|
|
|
|
mech = NULL;
|
|
|
|
g_free (s);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
g_free (s);
|
|
|
|
|
|
|
|
out:
|
|
|
|
return mech;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* ---------------------------------------------------------------------------------------------------- */
|
|
|
|
|
|
|
|
typedef enum
|
|
|
|
{
|
|
|
|
CLIENT_STATE_WAITING_FOR_DATA,
|
|
|
|
CLIENT_STATE_WAITING_FOR_OK,
|
|
|
|
CLIENT_STATE_WAITING_FOR_REJECT,
|
|
|
|
CLIENT_STATE_WAITING_FOR_AGREE_UNIX_FD
|
|
|
|
} ClientState;
|
|
|
|
|
|
|
|
gchar *
|
|
|
|
_g_dbus_auth_run_client (GDBusAuth *auth,
|
2012-04-12 05:30:48 +02:00
|
|
|
GDBusAuthObserver *observer,
|
gdbusauthmechanismexternal: Optionally send empty authorization identity
When using a GDBus client in a non-trivial user namespace, the result of
geteuid() can differ from the uid in the namespace where the server is
running. This would result in connection attempts being rejected, because
the identity that the client claims to have does not match the identity
that the server derives from its credentials.
RFC 4422 allows us to send an empty authorization identity, which means we
want to authenticate as whatever identity the server can derive from our
out-of-band credentials. In particular, this resolves the authentication
failure when crossing between different Linux user namespaces.
Because D-Bus does not have a way to represent an empty initial response
as distinct from the absence of an initial response, we cannot use the
initial-response optimization (RFC 4422 §4.3.a) in this case, and must
fall back to waiting for the server to send a challenge.
Unfortunately, GDBus versions older than glib!2826 did not implement
the server side of this protocol correctly, and would respond to the
missing initial response in a way that breaks the SASL state machine
(expecting a response without sending a challenge), causing client and
server to deadlock with each waiting for the other to respond. Until
fixed versions of GDBus are widespread, we can't rely on having a server
that can cope with this, so gate it behind a flag, which can be set for
connections that are known to cross non-trivial namespace boundaries.
Originally inspired by
<https://github.com/systemd/systemd/commit/1ed4723d38cd0d1423c8fe650f90fa86007ddf55>,
and based on earlier work by Giuseppe Scrivano (in which the
cross-namespace behaviour was unconditional, rather than gated by a
flag).
Co-authored-by: Giuseppe Scrivano <giuseppe@scrivano.org>
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-07-24 14:02:51 +02:00
|
|
|
GDBusConnectionFlags conn_flags,
|
2010-05-06 20:13:59 +02:00
|
|
|
GDBusCapabilityFlags offered_capabilities,
|
|
|
|
GDBusCapabilityFlags *out_negotiated_capabilities,
|
|
|
|
GCancellable *cancellable,
|
|
|
|
GError **error)
|
|
|
|
{
|
|
|
|
gchar *s;
|
|
|
|
GDataInputStream *dis;
|
|
|
|
GDataOutputStream *dos;
|
|
|
|
GCredentials *credentials;
|
|
|
|
gchar *ret_guid;
|
|
|
|
gchar *line;
|
|
|
|
gsize line_length;
|
|
|
|
gchar **supported_auth_mechs;
|
|
|
|
GPtrArray *attempted_auth_mechs;
|
|
|
|
GDBusAuthMechanism *mech;
|
|
|
|
ClientState state;
|
|
|
|
GDBusCapabilityFlags negotiated_capabilities;
|
|
|
|
|
2022-07-24 14:36:50 +02:00
|
|
|
g_return_val_if_fail ((conn_flags & G_DBUS_CONNECTION_FLAGS_AUTHENTICATION_CLIENT), NULL);
|
|
|
|
g_return_val_if_fail (!(conn_flags & G_DBUS_CONNECTION_FLAGS_AUTHENTICATION_SERVER), NULL);
|
gdbusauthmechanismexternal: Optionally send empty authorization identity
When using a GDBus client in a non-trivial user namespace, the result of
geteuid() can differ from the uid in the namespace where the server is
running. This would result in connection attempts being rejected, because
the identity that the client claims to have does not match the identity
that the server derives from its credentials.
RFC 4422 allows us to send an empty authorization identity, which means we
want to authenticate as whatever identity the server can derive from our
out-of-band credentials. In particular, this resolves the authentication
failure when crossing between different Linux user namespaces.
Because D-Bus does not have a way to represent an empty initial response
as distinct from the absence of an initial response, we cannot use the
initial-response optimization (RFC 4422 §4.3.a) in this case, and must
fall back to waiting for the server to send a challenge.
Unfortunately, GDBus versions older than glib!2826 did not implement
the server side of this protocol correctly, and would respond to the
missing initial response in a way that breaks the SASL state machine
(expecting a response without sending a challenge), causing client and
server to deadlock with each waiting for the other to respond. Until
fixed versions of GDBus are widespread, we can't rely on having a server
that can cope with this, so gate it behind a flag, which can be set for
connections that are known to cross non-trivial namespace boundaries.
Originally inspired by
<https://github.com/systemd/systemd/commit/1ed4723d38cd0d1423c8fe650f90fa86007ddf55>,
and based on earlier work by Giuseppe Scrivano (in which the
cross-namespace behaviour was unconditional, rather than gated by a
flag).
Co-authored-by: Giuseppe Scrivano <giuseppe@scrivano.org>
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-07-24 14:02:51 +02:00
|
|
|
|
2010-05-06 20:13:59 +02:00
|
|
|
debug_print ("CLIENT: initiating");
|
|
|
|
|
2012-04-12 05:30:48 +02:00
|
|
|
_g_dbus_auth_add_mechs (auth, observer);
|
|
|
|
|
2010-05-06 20:13:59 +02:00
|
|
|
ret_guid = NULL;
|
|
|
|
supported_auth_mechs = NULL;
|
|
|
|
attempted_auth_mechs = g_ptr_array_new ();
|
|
|
|
mech = NULL;
|
|
|
|
negotiated_capabilities = 0;
|
|
|
|
credentials = NULL;
|
|
|
|
|
|
|
|
dis = G_DATA_INPUT_STREAM (g_data_input_stream_new (g_io_stream_get_input_stream (auth->priv->stream)));
|
|
|
|
dos = G_DATA_OUTPUT_STREAM (g_data_output_stream_new (g_io_stream_get_output_stream (auth->priv->stream)));
|
2010-06-30 22:36:47 +02:00
|
|
|
g_filter_input_stream_set_close_base_stream (G_FILTER_INPUT_STREAM (dis), FALSE);
|
|
|
|
g_filter_output_stream_set_close_base_stream (G_FILTER_OUTPUT_STREAM (dos), FALSE);
|
2010-05-06 20:13:59 +02:00
|
|
|
|
|
|
|
g_data_input_stream_set_newline_type (dis, G_DATA_STREAM_NEWLINE_TYPE_CR_LF);
|
|
|
|
|
|
|
|
#ifdef G_OS_UNIX
|
2011-05-27 15:51:08 +02:00
|
|
|
if (G_IS_UNIX_CONNECTION (auth->priv->stream))
|
2010-05-06 20:13:59 +02:00
|
|
|
{
|
2010-05-09 16:02:56 +02:00
|
|
|
credentials = g_credentials_new ();
|
2010-05-06 20:13:59 +02:00
|
|
|
if (!g_unix_connection_send_credentials (G_UNIX_CONNECTION (auth->priv->stream),
|
|
|
|
cancellable,
|
|
|
|
error))
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
if (!g_data_output_stream_put_byte (dos, '\0', cancellable, error))
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
#else
|
|
|
|
if (!g_data_output_stream_put_byte (dos, '\0', cancellable, error))
|
|
|
|
goto out;
|
|
|
|
#endif
|
|
|
|
|
|
|
|
if (credentials != NULL)
|
|
|
|
{
|
|
|
|
if (G_UNLIKELY (_g_dbus_debug_authentication ()))
|
|
|
|
{
|
|
|
|
s = g_credentials_to_string (credentials);
|
2013-05-20 22:54:48 +02:00
|
|
|
debug_print ("CLIENT: sent credentials '%s'", s);
|
2010-05-06 20:13:59 +02:00
|
|
|
g_free (s);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
debug_print ("CLIENT: didn't send any credentials");
|
|
|
|
}
|
|
|
|
|
2010-05-13 20:25:29 +02:00
|
|
|
/* TODO: to reduce roundtrips, try to pick an auth mechanism to start with */
|
2010-05-06 20:13:59 +02:00
|
|
|
|
|
|
|
/* Get list of supported authentication mechanisms */
|
|
|
|
s = "AUTH\r\n";
|
2013-05-20 22:54:48 +02:00
|
|
|
debug_print ("CLIENT: writing '%s'", s);
|
2010-05-06 20:13:59 +02:00
|
|
|
if (!g_data_output_stream_put_string (dos, s, cancellable, error))
|
|
|
|
goto out;
|
|
|
|
state = CLIENT_STATE_WAITING_FOR_REJECT;
|
|
|
|
|
|
|
|
while (TRUE)
|
|
|
|
{
|
|
|
|
switch (state)
|
|
|
|
{
|
|
|
|
case CLIENT_STATE_WAITING_FOR_REJECT:
|
|
|
|
debug_print ("CLIENT: WaitingForReject");
|
|
|
|
line = _my_g_data_input_stream_read_line (dis, &line_length, cancellable, error);
|
|
|
|
if (line == NULL)
|
|
|
|
goto out;
|
|
|
|
debug_print ("CLIENT: WaitingForReject, read '%s'", line);
|
2011-04-14 00:40:47 +02:00
|
|
|
|
|
|
|
choose_mechanism:
|
2010-05-06 20:13:59 +02:00
|
|
|
if (!g_str_has_prefix (line, "REJECTED "))
|
|
|
|
{
|
|
|
|
g_set_error (error,
|
|
|
|
G_IO_ERROR,
|
|
|
|
G_IO_ERROR_FAILED,
|
2013-05-20 22:54:48 +02:00
|
|
|
"In WaitingForReject: Expected 'REJECTED am1 am2 ... amN', got '%s'",
|
2010-05-06 20:13:59 +02:00
|
|
|
line);
|
|
|
|
g_free (line);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
if (supported_auth_mechs == NULL)
|
|
|
|
{
|
|
|
|
supported_auth_mechs = g_strsplit (line + sizeof ("REJECTED ") - 1, " ", 0);
|
|
|
|
#if 0
|
|
|
|
for (n = 0; supported_auth_mechs != NULL && supported_auth_mechs[n] != NULL; n++)
|
2013-05-20 22:54:48 +02:00
|
|
|
g_printerr ("supported_auth_mechs[%d] = '%s'\n", n, supported_auth_mechs[n]);
|
2010-05-06 20:13:59 +02:00
|
|
|
#endif
|
|
|
|
}
|
|
|
|
g_free (line);
|
|
|
|
mech = client_choose_mech_and_send_initial_response (auth,
|
|
|
|
credentials,
|
gdbusauthmechanismexternal: Optionally send empty authorization identity
When using a GDBus client in a non-trivial user namespace, the result of
geteuid() can differ from the uid in the namespace where the server is
running. This would result in connection attempts being rejected, because
the identity that the client claims to have does not match the identity
that the server derives from its credentials.
RFC 4422 allows us to send an empty authorization identity, which means we
want to authenticate as whatever identity the server can derive from our
out-of-band credentials. In particular, this resolves the authentication
failure when crossing between different Linux user namespaces.
Because D-Bus does not have a way to represent an empty initial response
as distinct from the absence of an initial response, we cannot use the
initial-response optimization (RFC 4422 §4.3.a) in this case, and must
fall back to waiting for the server to send a challenge.
Unfortunately, GDBus versions older than glib!2826 did not implement
the server side of this protocol correctly, and would respond to the
missing initial response in a way that breaks the SASL state machine
(expecting a response without sending a challenge), causing client and
server to deadlock with each waiting for the other to respond. Until
fixed versions of GDBus are widespread, we can't rely on having a server
that can cope with this, so gate it behind a flag, which can be set for
connections that are known to cross non-trivial namespace boundaries.
Originally inspired by
<https://github.com/systemd/systemd/commit/1ed4723d38cd0d1423c8fe650f90fa86007ddf55>,
and based on earlier work by Giuseppe Scrivano (in which the
cross-namespace behaviour was unconditional, rather than gated by a
flag).
Co-authored-by: Giuseppe Scrivano <giuseppe@scrivano.org>
Signed-off-by: Simon McVittie <smcv@collabora.com>
2022-07-24 14:02:51 +02:00
|
|
|
conn_flags,
|
2010-05-06 20:13:59 +02:00
|
|
|
(const gchar* const *) supported_auth_mechs,
|
|
|
|
attempted_auth_mechs,
|
|
|
|
dos,
|
|
|
|
cancellable,
|
|
|
|
error);
|
|
|
|
if (mech == NULL)
|
|
|
|
goto out;
|
|
|
|
if (_g_dbus_auth_mechanism_client_get_state (mech) == G_DBUS_AUTH_MECHANISM_STATE_WAITING_FOR_DATA)
|
|
|
|
state = CLIENT_STATE_WAITING_FOR_DATA;
|
|
|
|
else
|
|
|
|
state = CLIENT_STATE_WAITING_FOR_OK;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case CLIENT_STATE_WAITING_FOR_OK:
|
|
|
|
debug_print ("CLIENT: WaitingForOK");
|
|
|
|
line = _my_g_data_input_stream_read_line (dis, &line_length, cancellable, error);
|
|
|
|
if (line == NULL)
|
|
|
|
goto out;
|
2013-05-20 22:54:48 +02:00
|
|
|
debug_print ("CLIENT: WaitingForOK, read '%s'", line);
|
2010-05-06 20:13:59 +02:00
|
|
|
if (g_str_has_prefix (line, "OK "))
|
|
|
|
{
|
|
|
|
if (!g_dbus_is_guid (line + 3))
|
|
|
|
{
|
|
|
|
g_set_error (error,
|
|
|
|
G_IO_ERROR,
|
|
|
|
G_IO_ERROR_FAILED,
|
2013-05-20 22:54:48 +02:00
|
|
|
"Invalid OK response '%s'",
|
2010-05-06 20:13:59 +02:00
|
|
|
line);
|
|
|
|
g_free (line);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
ret_guid = g_strdup (line + 3);
|
|
|
|
g_free (line);
|
|
|
|
|
|
|
|
if (offered_capabilities & G_DBUS_CAPABILITY_FLAGS_UNIX_FD_PASSING)
|
|
|
|
{
|
|
|
|
s = "NEGOTIATE_UNIX_FD\r\n";
|
2013-05-20 22:54:48 +02:00
|
|
|
debug_print ("CLIENT: writing '%s'", s);
|
2010-05-06 20:13:59 +02:00
|
|
|
if (!g_data_output_stream_put_string (dos, s, cancellable, error))
|
|
|
|
goto out;
|
|
|
|
state = CLIENT_STATE_WAITING_FOR_AGREE_UNIX_FD;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
s = "BEGIN\r\n";
|
2013-05-20 22:54:48 +02:00
|
|
|
debug_print ("CLIENT: writing '%s'", s);
|
2010-05-06 20:13:59 +02:00
|
|
|
if (!g_data_output_stream_put_string (dos, s, cancellable, error))
|
|
|
|
goto out;
|
|
|
|
/* and we're done! */
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else if (g_str_has_prefix (line, "REJECTED "))
|
|
|
|
{
|
2011-04-14 00:40:47 +02:00
|
|
|
goto choose_mechanism;
|
2010-05-06 20:13:59 +02:00
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
/* TODO: handle other valid responses */
|
|
|
|
g_set_error (error,
|
|
|
|
G_IO_ERROR,
|
|
|
|
G_IO_ERROR_FAILED,
|
2013-05-20 22:54:48 +02:00
|
|
|
"In WaitingForOk: unexpected response '%s'",
|
2010-05-06 20:13:59 +02:00
|
|
|
line);
|
|
|
|
g_free (line);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case CLIENT_STATE_WAITING_FOR_AGREE_UNIX_FD:
|
|
|
|
debug_print ("CLIENT: WaitingForAgreeUnixFD");
|
|
|
|
line = _my_g_data_input_stream_read_line (dis, &line_length, cancellable, error);
|
|
|
|
if (line == NULL)
|
|
|
|
goto out;
|
2013-05-20 22:54:48 +02:00
|
|
|
debug_print ("CLIENT: WaitingForAgreeUnixFD, read='%s'", line);
|
2010-05-06 20:13:59 +02:00
|
|
|
if (g_strcmp0 (line, "AGREE_UNIX_FD") == 0)
|
|
|
|
{
|
2010-08-30 16:14:39 +02:00
|
|
|
g_free (line);
|
2010-05-06 20:13:59 +02:00
|
|
|
negotiated_capabilities |= G_DBUS_CAPABILITY_FLAGS_UNIX_FD_PASSING;
|
|
|
|
s = "BEGIN\r\n";
|
2013-05-20 22:54:48 +02:00
|
|
|
debug_print ("CLIENT: writing '%s'", s);
|
2010-05-06 20:13:59 +02:00
|
|
|
if (!g_data_output_stream_put_string (dos, s, cancellable, error))
|
|
|
|
goto out;
|
|
|
|
/* and we're done! */
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
else if (g_str_has_prefix (line, "ERROR") && (line[5] == 0 || g_ascii_isspace (line[5])))
|
|
|
|
{
|
2013-05-20 22:54:48 +02:00
|
|
|
//g_strstrip (line + 5); g_debug ("bah, no unix_fd: '%s'", line + 5);
|
2010-05-06 20:13:59 +02:00
|
|
|
g_free (line);
|
|
|
|
s = "BEGIN\r\n";
|
2013-05-20 22:54:48 +02:00
|
|
|
debug_print ("CLIENT: writing '%s'", s);
|
2010-05-06 20:13:59 +02:00
|
|
|
if (!g_data_output_stream_put_string (dos, s, cancellable, error))
|
|
|
|
goto out;
|
|
|
|
/* and we're done! */
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
/* TODO: handle other valid responses */
|
|
|
|
g_set_error (error,
|
|
|
|
G_IO_ERROR,
|
|
|
|
G_IO_ERROR_FAILED,
|
2013-05-20 22:54:48 +02:00
|
|
|
"In WaitingForAgreeUnixFd: unexpected response '%s'",
|
2010-05-06 20:13:59 +02:00
|
|
|
line);
|
|
|
|
g_free (line);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case CLIENT_STATE_WAITING_FOR_DATA:
|
|
|
|
debug_print ("CLIENT: WaitingForData");
|
|
|
|
line = _my_g_data_input_stream_read_line (dis, &line_length, cancellable, error);
|
|
|
|
if (line == NULL)
|
|
|
|
goto out;
|
2013-05-20 22:54:48 +02:00
|
|
|
debug_print ("CLIENT: WaitingForData, read='%s'", line);
|
2020-09-14 16:28:10 +02:00
|
|
|
if (g_str_equal (line, "DATA") || g_str_has_prefix (line, "DATA "))
|
2010-05-06 20:13:59 +02:00
|
|
|
{
|
|
|
|
gchar *encoded;
|
|
|
|
gchar *decoded_data;
|
2010-10-08 16:33:04 +02:00
|
|
|
gsize decoded_data_len = 0;
|
2010-05-06 20:13:59 +02:00
|
|
|
|
2020-09-14 16:28:10 +02:00
|
|
|
encoded = g_strdup (line + 4);
|
2010-05-06 20:13:59 +02:00
|
|
|
g_free (line);
|
|
|
|
g_strstrip (encoded);
|
|
|
|
decoded_data = hexdecode (encoded, &decoded_data_len, error);
|
|
|
|
g_free (encoded);
|
|
|
|
if (decoded_data == NULL)
|
|
|
|
{
|
|
|
|
g_prefix_error (error, "DATA response is malformed: ");
|
|
|
|
/* invalid encoding, disconnect! */
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
_g_dbus_auth_mechanism_client_data_receive (mech, decoded_data, decoded_data_len);
|
|
|
|
g_free (decoded_data);
|
|
|
|
|
|
|
|
if (_g_dbus_auth_mechanism_client_get_state (mech) == G_DBUS_AUTH_MECHANISM_STATE_HAVE_DATA_TO_SEND)
|
|
|
|
{
|
|
|
|
gchar *data;
|
|
|
|
gsize data_len;
|
2022-07-18 18:14:44 +02:00
|
|
|
|
2010-05-06 20:13:59 +02:00
|
|
|
data = _g_dbus_auth_mechanism_client_data_send (mech, &data_len);
|
2022-07-18 18:14:44 +02:00
|
|
|
|
|
|
|
if (data_len == 0)
|
|
|
|
{
|
|
|
|
s = g_strdup ("DATA\r\n");
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
gchar *encoded_data = _g_dbus_hexencode (data, data_len);
|
|
|
|
|
|
|
|
s = g_strdup_printf ("DATA %s\r\n", encoded_data);
|
|
|
|
g_free (encoded_data);
|
|
|
|
}
|
|
|
|
|
2010-05-06 20:13:59 +02:00
|
|
|
g_free (data);
|
2013-05-20 22:54:48 +02:00
|
|
|
debug_print ("CLIENT: writing '%s'", s);
|
2010-05-06 20:13:59 +02:00
|
|
|
if (!g_data_output_stream_put_string (dos, s, cancellable, error))
|
|
|
|
{
|
|
|
|
g_free (s);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
g_free (s);
|
|
|
|
}
|
|
|
|
state = CLIENT_STATE_WAITING_FOR_OK;
|
|
|
|
}
|
2011-04-14 00:40:47 +02:00
|
|
|
else if (g_str_has_prefix (line, "REJECTED "))
|
|
|
|
{
|
|
|
|
/* could be the chosen authentication method just doesn't work. Try
|
|
|
|
* another one...
|
|
|
|
*/
|
|
|
|
goto choose_mechanism;
|
|
|
|
}
|
2010-05-06 20:13:59 +02:00
|
|
|
else
|
|
|
|
{
|
|
|
|
g_set_error (error,
|
|
|
|
G_IO_ERROR,
|
|
|
|
G_IO_ERROR_FAILED,
|
2013-05-20 22:54:48 +02:00
|
|
|
"In WaitingForData: unexpected response '%s'",
|
2010-05-06 20:13:59 +02:00
|
|
|
line);
|
|
|
|
g_free (line);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
g_assert_not_reached ();
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
}; /* main authentication client loop */
|
|
|
|
|
|
|
|
out:
|
|
|
|
if (mech != NULL)
|
|
|
|
g_object_unref (mech);
|
|
|
|
g_ptr_array_unref (attempted_auth_mechs);
|
|
|
|
g_strfreev (supported_auth_mechs);
|
2010-06-30 22:36:47 +02:00
|
|
|
g_object_unref (dis);
|
|
|
|
g_object_unref (dos);
|
2010-05-06 20:13:59 +02:00
|
|
|
|
|
|
|
/* ensure return value is NULL if error is set */
|
|
|
|
if (error != NULL && *error != NULL)
|
|
|
|
{
|
|
|
|
g_free (ret_guid);
|
|
|
|
ret_guid = NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (ret_guid != NULL)
|
|
|
|
{
|
|
|
|
if (out_negotiated_capabilities != NULL)
|
|
|
|
*out_negotiated_capabilities = negotiated_capabilities;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (credentials != NULL)
|
|
|
|
g_object_unref (credentials);
|
|
|
|
|
|
|
|
debug_print ("CLIENT: Done, authenticated=%d", ret_guid != NULL);
|
|
|
|
|
|
|
|
return ret_guid;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* ---------------------------------------------------------------------------------------------------- */
|
|
|
|
|
|
|
|
static gchar *
|
|
|
|
get_auth_mechanisms (GDBusAuth *auth,
|
|
|
|
gboolean allow_anonymous,
|
|
|
|
const gchar *prefix,
|
|
|
|
const gchar *suffix,
|
|
|
|
const gchar *separator)
|
|
|
|
{
|
|
|
|
GList *l;
|
|
|
|
GString *str;
|
|
|
|
gboolean need_sep;
|
|
|
|
|
|
|
|
str = g_string_new (prefix);
|
|
|
|
need_sep = FALSE;
|
|
|
|
for (l = auth->priv->available_mechanisms; l != NULL; l = l->next)
|
|
|
|
{
|
|
|
|
Mechanism *m = l->data;
|
|
|
|
|
|
|
|
if (!allow_anonymous && g_strcmp0 (m->name, "ANONYMOUS") == 0)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
if (need_sep)
|
|
|
|
g_string_append (str, separator);
|
|
|
|
g_string_append (str, m->name);
|
|
|
|
need_sep = TRUE;
|
|
|
|
}
|
|
|
|
|
|
|
|
g_string_append (str, suffix);
|
|
|
|
return g_string_free (str, FALSE);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
typedef enum
|
|
|
|
{
|
|
|
|
SERVER_STATE_WAITING_FOR_AUTH,
|
|
|
|
SERVER_STATE_WAITING_FOR_DATA,
|
|
|
|
SERVER_STATE_WAITING_FOR_BEGIN
|
|
|
|
} ServerState;
|
|
|
|
|
|
|
|
gboolean
|
|
|
|
_g_dbus_auth_run_server (GDBusAuth *auth,
|
|
|
|
GDBusAuthObserver *observer,
|
|
|
|
const gchar *guid,
|
|
|
|
gboolean allow_anonymous,
|
2020-12-15 14:00:28 +01:00
|
|
|
gboolean require_same_user,
|
2010-05-06 20:13:59 +02:00
|
|
|
GDBusCapabilityFlags offered_capabilities,
|
|
|
|
GDBusCapabilityFlags *out_negotiated_capabilities,
|
|
|
|
GCredentials **out_received_credentials,
|
|
|
|
GCancellable *cancellable,
|
|
|
|
GError **error)
|
|
|
|
{
|
|
|
|
gboolean ret;
|
|
|
|
ServerState state;
|
|
|
|
GDataOutputStream *dos;
|
|
|
|
GError *local_error;
|
|
|
|
gchar *line;
|
|
|
|
gsize line_length;
|
|
|
|
GDBusAuthMechanism *mech;
|
|
|
|
gchar *s;
|
|
|
|
GDBusCapabilityFlags negotiated_capabilities;
|
|
|
|
GCredentials *credentials;
|
2020-12-15 14:00:28 +01:00
|
|
|
GCredentials *own_credentials = NULL;
|
2010-05-06 20:13:59 +02:00
|
|
|
|
|
|
|
debug_print ("SERVER: initiating");
|
|
|
|
|
2012-04-12 05:30:48 +02:00
|
|
|
_g_dbus_auth_add_mechs (auth, observer);
|
|
|
|
|
2010-05-06 20:13:59 +02:00
|
|
|
ret = FALSE;
|
|
|
|
dos = NULL;
|
|
|
|
mech = NULL;
|
|
|
|
negotiated_capabilities = 0;
|
|
|
|
credentials = NULL;
|
|
|
|
|
|
|
|
if (!g_dbus_is_guid (guid))
|
|
|
|
{
|
|
|
|
g_set_error (error,
|
|
|
|
G_IO_ERROR,
|
|
|
|
G_IO_ERROR_FAILED,
|
2021-06-10 13:37:11 +02:00
|
|
|
"The given GUID '%s' is not valid",
|
2010-05-06 20:13:59 +02:00
|
|
|
guid);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
2023-02-13 13:12:52 +01:00
|
|
|
/* We use an extremely slow (but reliable) line reader for input
|
|
|
|
* instead of something buffered - this basically does a recvfrom()
|
|
|
|
* system call per character
|
|
|
|
*
|
|
|
|
* (the problem with using GDataInputStream's read_line is that
|
|
|
|
* because of buffering it might start reading into the first D-Bus
|
|
|
|
* message that appears after "BEGIN\r\n"....)
|
|
|
|
*/
|
|
|
|
|
2010-05-06 20:13:59 +02:00
|
|
|
dos = G_DATA_OUTPUT_STREAM (g_data_output_stream_new (g_io_stream_get_output_stream (auth->priv->stream)));
|
2010-06-30 22:36:47 +02:00
|
|
|
g_filter_output_stream_set_close_base_stream (G_FILTER_OUTPUT_STREAM (dos), FALSE);
|
2010-05-06 20:13:59 +02:00
|
|
|
|
GDBus: prefer getsockopt()-style credentials-passing APIs
Conceptually, a D-Bus server is really trying to determine the credentials
of (the process that initiated) a connection, not the credentials that
the process had when it sent a particular message. Ideally, it does
this with a getsockopt()-style API that queries the credentials of the
connection's initiator without requiring any particular cooperation from
that process, avoiding a class of possible failures.
The leading '\0' in the D-Bus protocol is primarily a workaround
for platforms where the message-based credentials-passing API is
strictly better than the getsockopt()-style API (for example, on
FreeBSD, SCM_CREDS includes a process ID but getpeereid() does not),
or where the getsockopt()-style API does not exist at all. As a result
libdbus, the reference implementation of D-Bus, does not implement
Linux SCM_CREDENTIALS at all - it has no reason to do so, because the
SO_PEERCRED socket option is equally informative.
This change makes GDBusServer on Linux more closely match the behaviour
of libdbus.
In particular, GNOME/glib#1831 indicates that when a libdbus client
connects to a GDBus server, recvmsg() sometimes yields a SCM_CREDENTIALS
message with cmsg_data={pid=0, uid=65534, gid=65534}. I think this is
most likely a race condition in the early steps to connect:
client server
connect
accept
send '\0' <- race -> set SO_PASSCRED = 1
receive '\0'
If the server wins the race:
client server
connect
accept
set SO_PASSCRED = 1
send '\0'
receive '\0'
then everything is fine. However, if the client wins the race:
client server
connect
accept
send '\0'
set SO_PASSCRED = 1
receive '\0'
then the kernel does not record credentials for the message containing
'\0' (because SO_PASSCRED was 0 at the time). However, by the time the
server receives the message, the kernel knows that credentials are
desired. I would have expected the kernel to omit the credentials header
in this case, but it seems that instead, it synthesizes a credentials
structure with a dummy process ID 0, a dummy uid derived from
/proc/sys/kernel/overflowuid and a dummy gid derived from
/proc/sys/kernel/overflowgid.
In an unconfigured GDBusServer, hitting this race condition results in
falling back to DBUS_COOKIE_SHA1 authentication, which in practice usually
succeeds in authenticating the peer's uid. However, we encourage AF_UNIX
servers on Unix platforms to allow only EXTERNAL authentication as a
security-hardening measure, because DBUS_COOKIE_SHA1 relies on a series
of assumptions including a cryptographically strong PRNG and a shared
home directory with no write access by others, which are not necessarily
true for all operating systems and users. EXTERNAL authentication will
fail if the server cannot determine the client's credentials.
In particular, this caused a regression when CVE-2019-14822 was fixed
in ibus, which appears to be resolved by this commit. Qt clients
(which use libdbus) intermittently fail to connect to an ibus server
(which uses GDBusServer), because ibus no longer allows DBUS_COOKIE_SHA1
authentication or non-matching uids.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: https://gitlab.gnome.org/GNOME/glib/issues/1831
2019-10-14 09:47:39 +02:00
|
|
|
/* read the NUL-byte, possibly with credentials attached */
|
|
|
|
#ifndef G_CREDENTIALS_PREFER_MESSAGE_PASSING
|
|
|
|
if (G_IS_SOCKET_CONNECTION (auth->priv->stream))
|
|
|
|
{
|
|
|
|
GSocket *sock = g_socket_connection_get_socket (G_SOCKET_CONNECTION (auth->priv->stream));
|
|
|
|
|
|
|
|
local_error = NULL;
|
|
|
|
credentials = g_socket_get_credentials (sock, &local_error);
|
|
|
|
|
|
|
|
if (credentials == NULL && !g_error_matches (local_error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED))
|
|
|
|
{
|
|
|
|
g_propagate_error (error, local_error);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
/* Clear the error indicator, so we can retry with
|
|
|
|
* g_unix_connection_receive_credentials() if necessary */
|
|
|
|
g_clear_error (&local_error);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
if (credentials == NULL && G_IS_UNIX_CONNECTION (auth->priv->stream))
|
2010-05-06 20:13:59 +02:00
|
|
|
{
|
|
|
|
local_error = NULL;
|
|
|
|
credentials = g_unix_connection_receive_credentials (G_UNIX_CONNECTION (auth->priv->stream),
|
|
|
|
cancellable,
|
|
|
|
&local_error);
|
2011-05-27 15:51:08 +02:00
|
|
|
if (credentials == NULL && !g_error_matches (local_error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED))
|
2010-05-06 20:13:59 +02:00
|
|
|
{
|
|
|
|
g_propagate_error (error, local_error);
|
|
|
|
goto out;
|
|
|
|
}
|
2021-03-31 21:12:39 +02:00
|
|
|
g_clear_error (&local_error);
|
2010-05-06 20:13:59 +02:00
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
2023-02-13 13:12:52 +01:00
|
|
|
gchar c;
|
|
|
|
gssize num_read;
|
|
|
|
|
2010-05-06 20:13:59 +02:00
|
|
|
local_error = NULL;
|
2023-02-13 13:12:52 +01:00
|
|
|
num_read = g_input_stream_read (g_io_stream_get_input_stream (auth->priv->stream),
|
|
|
|
&c, 1,
|
|
|
|
cancellable, &local_error);
|
|
|
|
if (num_read != 1 || local_error != NULL)
|
2010-05-06 20:13:59 +02:00
|
|
|
{
|
2023-02-13 13:12:52 +01:00
|
|
|
if (local_error == NULL)
|
|
|
|
g_set_error_literal (error,
|
|
|
|
G_IO_ERROR,
|
|
|
|
G_IO_ERROR_FAILED,
|
|
|
|
_ ("Unexpected lack of content trying to read a byte"));
|
|
|
|
else
|
|
|
|
g_propagate_error (error, local_error);
|
2010-05-06 20:13:59 +02:00
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
}
|
2022-04-07 21:26:47 +02:00
|
|
|
|
2010-05-06 20:13:59 +02:00
|
|
|
if (credentials != NULL)
|
|
|
|
{
|
|
|
|
if (G_UNLIKELY (_g_dbus_debug_authentication ()))
|
|
|
|
{
|
|
|
|
s = g_credentials_to_string (credentials);
|
2013-05-20 22:54:48 +02:00
|
|
|
debug_print ("SERVER: received credentials '%s'", s);
|
2010-05-06 20:13:59 +02:00
|
|
|
g_free (s);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
debug_print ("SERVER: didn't receive any credentials");
|
|
|
|
}
|
|
|
|
|
2020-12-15 14:00:28 +01:00
|
|
|
own_credentials = g_credentials_new ();
|
|
|
|
|
2010-05-06 20:13:59 +02:00
|
|
|
state = SERVER_STATE_WAITING_FOR_AUTH;
|
|
|
|
while (TRUE)
|
|
|
|
{
|
|
|
|
switch (state)
|
|
|
|
{
|
|
|
|
case SERVER_STATE_WAITING_FOR_AUTH:
|
|
|
|
debug_print ("SERVER: WaitingForAuth");
|
2023-02-13 13:12:52 +01:00
|
|
|
line = _my_g_input_stream_read_line_safe (g_io_stream_get_input_stream (auth->priv->stream),
|
|
|
|
&line_length,
|
|
|
|
cancellable,
|
|
|
|
error);
|
2013-05-20 22:54:48 +02:00
|
|
|
debug_print ("SERVER: WaitingForAuth, read '%s'", line);
|
2010-05-06 20:13:59 +02:00
|
|
|
if (line == NULL)
|
|
|
|
goto out;
|
|
|
|
if (g_strcmp0 (line, "AUTH") == 0)
|
|
|
|
{
|
|
|
|
s = get_auth_mechanisms (auth, allow_anonymous, "REJECTED ", "\r\n", " ");
|
2013-05-20 22:54:48 +02:00
|
|
|
debug_print ("SERVER: writing '%s'", s);
|
2010-05-06 20:13:59 +02:00
|
|
|
if (!g_data_output_stream_put_string (dos, s, cancellable, error))
|
|
|
|
{
|
|
|
|
g_free (s);
|
2015-08-04 12:29:20 +02:00
|
|
|
g_free (line);
|
2010-05-06 20:13:59 +02:00
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
g_free (s);
|
|
|
|
g_free (line);
|
|
|
|
}
|
|
|
|
else if (g_str_has_prefix (line, "AUTH "))
|
|
|
|
{
|
|
|
|
gchar **tokens;
|
|
|
|
const gchar *encoded;
|
|
|
|
const gchar *mech_name;
|
|
|
|
GType auth_mech_to_use_gtype;
|
|
|
|
|
|
|
|
tokens = g_strsplit (line, " ", 0);
|
|
|
|
|
|
|
|
switch (g_strv_length (tokens))
|
|
|
|
{
|
|
|
|
case 2:
|
|
|
|
/* no initial response */
|
|
|
|
mech_name = tokens[1];
|
|
|
|
encoded = NULL;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 3:
|
|
|
|
/* initial response */
|
|
|
|
mech_name = tokens[1];
|
|
|
|
encoded = tokens[2];
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
g_set_error (error,
|
|
|
|
G_IO_ERROR,
|
|
|
|
G_IO_ERROR_FAILED,
|
2013-05-20 22:54:48 +02:00
|
|
|
"Unexpected line '%s' while in WaitingForAuth state",
|
2010-05-06 20:13:59 +02:00
|
|
|
line);
|
|
|
|
g_strfreev (tokens);
|
2015-08-04 12:29:20 +02:00
|
|
|
g_free (line);
|
2010-05-06 20:13:59 +02:00
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
2015-08-04 12:29:20 +02:00
|
|
|
g_free (line);
|
|
|
|
|
2010-05-06 20:13:59 +02:00
|
|
|
/* TODO: record that the client has attempted to use this mechanism */
|
2013-05-20 22:54:48 +02:00
|
|
|
//g_debug ("client is trying '%s'", mech_name);
|
2010-05-06 20:13:59 +02:00
|
|
|
|
|
|
|
auth_mech_to_use_gtype = find_mech_by_name (auth, mech_name);
|
|
|
|
if ((auth_mech_to_use_gtype == (GType) 0) ||
|
|
|
|
(!allow_anonymous && g_strcmp0 (mech_name, "ANONYMOUS") == 0))
|
|
|
|
{
|
|
|
|
/* We don't support this auth mechanism */
|
|
|
|
g_strfreev (tokens);
|
|
|
|
s = get_auth_mechanisms (auth, allow_anonymous, "REJECTED ", "\r\n", " ");
|
2013-05-20 22:54:48 +02:00
|
|
|
debug_print ("SERVER: writing '%s'", s);
|
2010-05-06 20:13:59 +02:00
|
|
|
if (!g_data_output_stream_put_string (dos, s, cancellable, error))
|
|
|
|
{
|
|
|
|
g_free (s);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
g_free (s);
|
|
|
|
|
|
|
|
/* stay in WAITING FOR AUTH */
|
|
|
|
state = SERVER_STATE_WAITING_FOR_AUTH;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
gchar *initial_response;
|
|
|
|
gsize initial_response_len;
|
|
|
|
|
2017-02-21 02:20:52 +01:00
|
|
|
g_clear_object (&mech);
|
2010-05-06 20:13:59 +02:00
|
|
|
mech = g_object_new (auth_mech_to_use_gtype,
|
|
|
|
"stream", auth->priv->stream,
|
|
|
|
"credentials", credentials,
|
|
|
|
NULL);
|
|
|
|
|
|
|
|
initial_response = NULL;
|
|
|
|
initial_response_len = 0;
|
|
|
|
if (encoded != NULL)
|
|
|
|
{
|
|
|
|
initial_response = hexdecode (encoded, &initial_response_len, error);
|
|
|
|
if (initial_response == NULL)
|
|
|
|
{
|
|
|
|
g_prefix_error (error, "Initial response is malformed: ");
|
|
|
|
/* invalid encoding, disconnect! */
|
|
|
|
g_strfreev (tokens);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
_g_dbus_auth_mechanism_server_initiate (mech,
|
|
|
|
initial_response,
|
|
|
|
initial_response_len);
|
|
|
|
g_free (initial_response);
|
|
|
|
g_strfreev (tokens);
|
|
|
|
|
|
|
|
change_state:
|
|
|
|
switch (_g_dbus_auth_mechanism_server_get_state (mech))
|
|
|
|
{
|
|
|
|
case G_DBUS_AUTH_MECHANISM_STATE_ACCEPTED:
|
2020-12-15 14:00:28 +01:00
|
|
|
if (require_same_user &&
|
|
|
|
(credentials == NULL ||
|
|
|
|
!g_credentials_is_same_user (credentials, own_credentials, NULL)))
|
|
|
|
{
|
|
|
|
/* disconnect */
|
|
|
|
g_set_error_literal (error,
|
|
|
|
G_IO_ERROR,
|
|
|
|
G_IO_ERROR_FAILED,
|
|
|
|
_("User IDs must be the same for peer and server"));
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
else if (observer != NULL &&
|
|
|
|
!g_dbus_auth_observer_authorize_authenticated_peer (observer,
|
|
|
|
auth->priv->stream,
|
|
|
|
credentials))
|
2010-05-06 20:13:59 +02:00
|
|
|
{
|
|
|
|
/* disconnect */
|
|
|
|
g_set_error_literal (error,
|
|
|
|
G_IO_ERROR,
|
|
|
|
G_IO_ERROR_FAILED,
|
2010-05-13 22:20:31 +02:00
|
|
|
_("Cancelled via GDBusAuthObserver::authorize-authenticated-peer"));
|
2010-05-06 20:13:59 +02:00
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
s = g_strdup_printf ("OK %s\r\n", guid);
|
2013-05-20 22:54:48 +02:00
|
|
|
debug_print ("SERVER: writing '%s'", s);
|
2010-05-06 20:13:59 +02:00
|
|
|
if (!g_data_output_stream_put_string (dos, s, cancellable, error))
|
|
|
|
{
|
|
|
|
g_free (s);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
g_free (s);
|
|
|
|
state = SERVER_STATE_WAITING_FOR_BEGIN;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case G_DBUS_AUTH_MECHANISM_STATE_REJECTED:
|
|
|
|
s = get_auth_mechanisms (auth, allow_anonymous, "REJECTED ", "\r\n", " ");
|
2013-05-20 22:54:48 +02:00
|
|
|
debug_print ("SERVER: writing '%s'", s);
|
2010-05-06 20:13:59 +02:00
|
|
|
if (!g_data_output_stream_put_string (dos, s, cancellable, error))
|
|
|
|
{
|
|
|
|
g_free (s);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
g_free (s);
|
|
|
|
state = SERVER_STATE_WAITING_FOR_AUTH;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case G_DBUS_AUTH_MECHANISM_STATE_WAITING_FOR_DATA:
|
|
|
|
state = SERVER_STATE_WAITING_FOR_DATA;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case G_DBUS_AUTH_MECHANISM_STATE_HAVE_DATA_TO_SEND:
|
|
|
|
{
|
|
|
|
gchar *data;
|
|
|
|
gsize data_len;
|
2016-11-29 13:12:47 +01:00
|
|
|
|
2010-05-06 20:13:59 +02:00
|
|
|
data = _g_dbus_auth_mechanism_server_data_send (mech, &data_len);
|
2022-07-18 18:14:44 +02:00
|
|
|
|
2016-11-29 13:12:47 +01:00
|
|
|
if (data != NULL)
|
2010-05-06 20:13:59 +02:00
|
|
|
{
|
2022-07-18 18:14:44 +02:00
|
|
|
if (data_len == 0)
|
|
|
|
{
|
|
|
|
s = g_strdup ("DATA\r\n");
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
gchar *encoded_data = _g_dbus_hexencode (data, data_len);
|
|
|
|
|
|
|
|
s = g_strdup_printf ("DATA %s\r\n", encoded_data);
|
|
|
|
g_free (encoded_data);
|
|
|
|
}
|
2016-11-29 13:12:47 +01:00
|
|
|
|
|
|
|
g_free (data);
|
|
|
|
|
|
|
|
debug_print ("SERVER: writing '%s'", s);
|
|
|
|
if (!g_data_output_stream_put_string (dos, s, cancellable, error))
|
|
|
|
{
|
|
|
|
g_free (s);
|
|
|
|
goto out;
|
|
|
|
}
|
2010-05-06 20:13:59 +02:00
|
|
|
g_free (s);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
goto change_state;
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
/* TODO */
|
|
|
|
g_assert_not_reached ();
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
g_set_error (error,
|
|
|
|
G_IO_ERROR,
|
|
|
|
G_IO_ERROR_FAILED,
|
2013-05-20 22:54:48 +02:00
|
|
|
"Unexpected line '%s' while in WaitingForAuth state",
|
2010-05-06 20:13:59 +02:00
|
|
|
line);
|
|
|
|
g_free (line);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case SERVER_STATE_WAITING_FOR_DATA:
|
|
|
|
debug_print ("SERVER: WaitingForData");
|
2023-02-13 13:12:52 +01:00
|
|
|
line = _my_g_input_stream_read_line_safe (g_io_stream_get_input_stream (auth->priv->stream),
|
|
|
|
&line_length,
|
|
|
|
cancellable,
|
|
|
|
error);
|
2013-05-20 22:54:48 +02:00
|
|
|
debug_print ("SERVER: WaitingForData, read '%s'", line);
|
2010-05-06 20:13:59 +02:00
|
|
|
if (line == NULL)
|
|
|
|
goto out;
|
2020-09-14 16:28:10 +02:00
|
|
|
if (g_str_equal (line, "DATA") || g_str_has_prefix (line, "DATA "))
|
2010-05-06 20:13:59 +02:00
|
|
|
{
|
|
|
|
gchar *encoded;
|
|
|
|
gchar *decoded_data;
|
2010-10-08 16:33:04 +02:00
|
|
|
gsize decoded_data_len = 0;
|
2010-05-06 20:13:59 +02:00
|
|
|
|
2020-09-14 16:28:10 +02:00
|
|
|
encoded = g_strdup (line + 4);
|
2010-05-06 20:13:59 +02:00
|
|
|
g_free (line);
|
|
|
|
g_strstrip (encoded);
|
|
|
|
decoded_data = hexdecode (encoded, &decoded_data_len, error);
|
|
|
|
g_free (encoded);
|
|
|
|
if (decoded_data == NULL)
|
|
|
|
{
|
|
|
|
g_prefix_error (error, "DATA response is malformed: ");
|
|
|
|
/* invalid encoding, disconnect! */
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
_g_dbus_auth_mechanism_server_data_receive (mech, decoded_data, decoded_data_len);
|
|
|
|
g_free (decoded_data);
|
|
|
|
/* oh man, this goto-crap is so ugly.. really need to rewrite the state machine */
|
|
|
|
goto change_state;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
g_set_error (error,
|
|
|
|
G_IO_ERROR,
|
|
|
|
G_IO_ERROR_FAILED,
|
2013-05-20 22:54:48 +02:00
|
|
|
"Unexpected line '%s' while in WaitingForData state",
|
2010-05-06 20:13:59 +02:00
|
|
|
line);
|
|
|
|
g_free (line);
|
|
|
|
}
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
case SERVER_STATE_WAITING_FOR_BEGIN:
|
|
|
|
debug_print ("SERVER: WaitingForBegin");
|
|
|
|
line = _my_g_input_stream_read_line_safe (g_io_stream_get_input_stream (auth->priv->stream),
|
|
|
|
&line_length,
|
|
|
|
cancellable,
|
|
|
|
error);
|
|
|
|
if (line == NULL)
|
|
|
|
goto out;
|
2019-01-29 09:50:46 +01:00
|
|
|
debug_print ("SERVER: WaitingForBegin, read '%s'", line);
|
2010-05-06 20:13:59 +02:00
|
|
|
if (g_strcmp0 (line, "BEGIN") == 0)
|
|
|
|
{
|
|
|
|
/* YAY, done! */
|
|
|
|
ret = TRUE;
|
|
|
|
g_free (line);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
else if (g_strcmp0 (line, "NEGOTIATE_UNIX_FD") == 0)
|
|
|
|
{
|
2010-05-14 18:21:01 +02:00
|
|
|
g_free (line);
|
2010-05-06 20:13:59 +02:00
|
|
|
if (offered_capabilities & G_DBUS_CAPABILITY_FLAGS_UNIX_FD_PASSING)
|
|
|
|
{
|
|
|
|
negotiated_capabilities |= G_DBUS_CAPABILITY_FLAGS_UNIX_FD_PASSING;
|
|
|
|
s = "AGREE_UNIX_FD\r\n";
|
2013-05-20 22:54:48 +02:00
|
|
|
debug_print ("SERVER: writing '%s'", s);
|
2010-05-06 20:13:59 +02:00
|
|
|
if (!g_data_output_stream_put_string (dos, s, cancellable, error))
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
s = "ERROR \"fd passing not offered\"\r\n";
|
2013-05-20 22:54:48 +02:00
|
|
|
debug_print ("SERVER: writing '%s'", s);
|
2010-05-06 20:13:59 +02:00
|
|
|
if (!g_data_output_stream_put_string (dos, s, cancellable, error))
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
2013-05-20 22:54:48 +02:00
|
|
|
g_debug ("Unexpected line '%s' while in WaitingForBegin state", line);
|
2010-05-06 20:13:59 +02:00
|
|
|
g_free (line);
|
|
|
|
s = "ERROR \"Unknown Command\"\r\n";
|
2013-05-20 22:54:48 +02:00
|
|
|
debug_print ("SERVER: writing '%s'", s);
|
2010-05-06 20:13:59 +02:00
|
|
|
if (!g_data_output_stream_put_string (dos, s, cancellable, error))
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
g_assert_not_reached ();
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
g_set_error_literal (error,
|
|
|
|
G_IO_ERROR,
|
|
|
|
G_IO_ERROR_FAILED,
|
|
|
|
"Not implemented (server)");
|
|
|
|
|
|
|
|
out:
|
2020-12-15 13:58:21 +01:00
|
|
|
g_clear_object (&mech);
|
|
|
|
g_clear_object (&dos);
|
2020-12-15 14:00:28 +01:00
|
|
|
g_clear_object (&own_credentials);
|
2010-05-06 20:13:59 +02:00
|
|
|
|
|
|
|
/* ensure return value is FALSE if error is set */
|
|
|
|
if (error != NULL && *error != NULL)
|
|
|
|
{
|
|
|
|
ret = FALSE;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (ret)
|
|
|
|
{
|
|
|
|
if (out_negotiated_capabilities != NULL)
|
|
|
|
*out_negotiated_capabilities = negotiated_capabilities;
|
|
|
|
if (out_received_credentials != NULL)
|
|
|
|
*out_received_credentials = credentials != NULL ? g_object_ref (credentials) : NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (credentials != NULL)
|
|
|
|
g_object_unref (credentials);
|
|
|
|
|
|
|
|
debug_print ("SERVER: Done, authenticated=%d", ret);
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* ---------------------------------------------------------------------------------------------------- */
|