1 /* GDBus - GLib D-Bus Library
3 * Copyright (C) 2008-2010 Red Hat, Inc.
5 * This library is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU Lesser General Public
7 * License as published by the Free Software Foundation; either
8 * version 2 of the License, or (at your option) any later version.
10 * This library is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * Lesser General Public License for more details.
15 * You should have received a copy of the GNU Lesser General
16 * Public License along with this library; if not, write to the
17 * Free Software Foundation, Inc., 59 Temple Place, Suite 330,
18 * Boston, MA 02111-1307, USA.
20 * Author: David Zeuthen <davidz@redhat.com>
25 #include "gdbusauth.h"
27 #include "gdbusauthmechanismanon.h"
28 #include "gdbusauthmechanismexternal.h"
29 #include "gdbusauthmechanismsha1.h"
30 #include "gdbusauthobserver.h"
32 #include "gdbuserror.h"
33 #include "gdbusutils.h"
34 #include "gioenumtypes.h"
35 #include "gcredentials.h"
36 #include "gdbusprivate.h"
37 #include "giostream.h"
38 #include "gdatainputstream.h"
39 #include "gdataoutputstream.h"
42 #include "gnetworking.h"
43 #include "gunixconnection.h"
44 #include "gunixcredentialsmessage.h"
51 debug_print (const gchar
*message
, ...)
53 if (G_UNLIKELY (_g_dbus_debug_authentication ()))
60 _g_dbus_debug_print_lock ();
62 va_start (var_args
, message
);
63 s
= g_strdup_vprintf (message
, var_args
);
66 str
= g_string_new (NULL
);
67 for (n
= 0; s
[n
] != '\0'; n
++)
69 if (G_UNLIKELY (s
[n
] == '\r'))
70 g_string_append (str
, "\\r");
71 else if (G_UNLIKELY (s
[n
] == '\n'))
72 g_string_append (str
, "\\n");
74 g_string_append_c (str
, s
[n
]);
76 g_print ("GDBus-debug:Auth: %s\n", str
->str
);
77 g_string_free (str
, TRUE
);
80 _g_dbus_debug_print_unlock ();
91 static void mechanism_free (Mechanism
*m
);
93 struct _GDBusAuthPrivate
97 /* A list of available Mechanism, sorted according to priority */
98 GList
*available_mechanisms
;
107 G_DEFINE_TYPE_WITH_PRIVATE (GDBusAuth
, _g_dbus_auth
, G_TYPE_OBJECT
)
109 /* ---------------------------------------------------------------------------------------------------- */
112 _g_dbus_auth_finalize (GObject
*object
)
114 GDBusAuth
*auth
= G_DBUS_AUTH (object
);
116 if (auth
->priv
->stream
!= NULL
)
117 g_object_unref (auth
->priv
->stream
);
118 g_list_free_full (auth
->priv
->available_mechanisms
, (GDestroyNotify
) mechanism_free
);
120 if (G_OBJECT_CLASS (_g_dbus_auth_parent_class
)->finalize
!= NULL
)
121 G_OBJECT_CLASS (_g_dbus_auth_parent_class
)->finalize (object
);
125 _g_dbus_auth_get_property (GObject
*object
,
130 GDBusAuth
*auth
= G_DBUS_AUTH (object
);
135 g_value_set_object (value
, auth
->priv
->stream
);
139 G_OBJECT_WARN_INVALID_PROPERTY_ID (object
, prop_id
, pspec
);
145 _g_dbus_auth_set_property (GObject
*object
,
150 GDBusAuth
*auth
= G_DBUS_AUTH (object
);
155 auth
->priv
->stream
= g_value_dup_object (value
);
159 G_OBJECT_WARN_INVALID_PROPERTY_ID (object
, prop_id
, pspec
);
165 _g_dbus_auth_class_init (GDBusAuthClass
*klass
)
167 GObjectClass
*gobject_class
;
169 gobject_class
= G_OBJECT_CLASS (klass
);
170 gobject_class
->get_property
= _g_dbus_auth_get_property
;
171 gobject_class
->set_property
= _g_dbus_auth_set_property
;
172 gobject_class
->finalize
= _g_dbus_auth_finalize
;
174 g_object_class_install_property (gobject_class
,
176 g_param_spec_object ("stream",
178 P_("The underlying GIOStream used for I/O"),
182 G_PARAM_CONSTRUCT_ONLY
|
183 G_PARAM_STATIC_NAME
|
184 G_PARAM_STATIC_BLURB
|
185 G_PARAM_STATIC_NICK
));
189 mechanism_free (Mechanism
*m
)
195 add_mechanism (GDBusAuth
*auth
,
196 GDBusAuthObserver
*observer
,
197 GType mechanism_type
)
201 name
= _g_dbus_auth_mechanism_get_name (mechanism_type
);
202 if (observer
== NULL
|| g_dbus_auth_observer_allow_mechanism (observer
, name
))
205 m
= g_new0 (Mechanism
, 1);
207 m
->priority
= _g_dbus_auth_mechanism_get_priority (mechanism_type
);
208 m
->gtype
= mechanism_type
;
209 auth
->priv
->available_mechanisms
= g_list_prepend (auth
->priv
->available_mechanisms
, m
);
214 mech_compare_func (Mechanism
*a
, Mechanism
*b
)
217 /* ensure deterministic order */
218 ret
= b
->priority
- a
->priority
;
220 ret
= g_strcmp0 (b
->name
, a
->name
);
225 _g_dbus_auth_init (GDBusAuth
*auth
)
227 auth
->priv
= _g_dbus_auth_get_instance_private (auth
);
231 _g_dbus_auth_add_mechs (GDBusAuth
*auth
,
232 GDBusAuthObserver
*observer
)
234 /* TODO: trawl extension points */
235 add_mechanism (auth
, observer
, G_TYPE_DBUS_AUTH_MECHANISM_ANON
);
236 add_mechanism (auth
, observer
, G_TYPE_DBUS_AUTH_MECHANISM_SHA1
);
237 add_mechanism (auth
, observer
, G_TYPE_DBUS_AUTH_MECHANISM_EXTERNAL
);
239 auth
->priv
->available_mechanisms
= g_list_sort (auth
->priv
->available_mechanisms
,
240 (GCompareFunc
) mech_compare_func
);
244 find_mech_by_name (GDBusAuth
*auth
,
252 for (l
= auth
->priv
->available_mechanisms
; l
!= NULL
; l
= l
->next
)
254 Mechanism
*m
= l
->data
;
255 if (g_strcmp0 (name
, m
->name
) == 0)
267 _g_dbus_auth_new (GIOStream
*stream
)
269 return g_object_new (G_TYPE_DBUS_AUTH
,
274 /* ---------------------------------------------------------------------------------------------------- */
275 /* like g_data_input_stream_read_line() but sets error if there's no content to read */
277 _my_g_data_input_stream_read_line (GDataInputStream
*dis
,
278 gsize
*out_line_length
,
279 GCancellable
*cancellable
,
284 g_return_val_if_fail (error
== NULL
|| *error
== NULL
, NULL
);
286 ret
= g_data_input_stream_read_line (dis
,
290 if (ret
== NULL
&& error
!= NULL
&& *error
== NULL
)
292 g_set_error_literal (error
,
295 _("Unexpected lack of content trying to read a line"));
301 /* This function is to avoid situations like this
303 * BEGIN\r\nl\0\0\1...
305 * e.g. where we read into the first D-Bus message while waiting for
306 * the final line from the client (TODO: file bug against gio for
310 _my_g_input_stream_read_line_safe (GInputStream
*i
,
311 gsize
*out_line_length
,
312 GCancellable
*cancellable
,
318 gboolean last_was_cr
;
320 str
= g_string_new (NULL
);
325 num_read
= g_input_stream_read (i
,
334 if (error
!= NULL
&& *error
== NULL
)
336 g_set_error_literal (error
,
339 _("Unexpected lack of content trying to (safely) read a line"));
344 g_string_append_c (str
, (gint
) c
);
349 g_assert (str
->len
>= 2);
350 g_string_set_size (str
, str
->len
- 2);
354 last_was_cr
= (c
== 0x0d);
358 if (out_line_length
!= NULL
)
359 *out_line_length
= str
->len
;
360 return g_string_free (str
, FALSE
);
363 g_assert (error
== NULL
|| *error
!= NULL
);
364 g_string_free (str
, TRUE
);
368 /* ---------------------------------------------------------------------------------------------------- */
371 append_nibble (GString
*s
, gint val
)
373 g_string_append_c (s
, val
>= 10 ? ('a' + val
- 10) : ('0' + val
));
377 hexdecode (const gchar
*str
,
386 s
= g_string_new (NULL
);
388 for (n
= 0; str
[n
] != '\0'; n
+= 2)
394 upper_nibble
= g_ascii_xdigit_value (str
[n
]);
395 lower_nibble
= g_ascii_xdigit_value (str
[n
+ 1]);
396 if (upper_nibble
== -1 || lower_nibble
== -1)
401 "Error hexdecoding string '%s' around position %d",
405 value
= (upper_nibble
<<4) | lower_nibble
;
406 g_string_append_c (s
, value
);
409 ret
= g_string_free (s
, FALSE
);
414 g_string_free (s
, TRUE
);
420 hexencode (const gchar
*str
)
425 s
= g_string_new (NULL
);
426 for (n
= 0; str
[n
] != '\0'; n
++)
432 val
= ((const guchar
*) str
)[n
];
433 upper_nibble
= val
>> 4;
434 lower_nibble
= val
& 0x0f;
436 append_nibble (s
, upper_nibble
);
437 append_nibble (s
, lower_nibble
);
440 return g_string_free (s
, FALSE
);
443 /* ---------------------------------------------------------------------------------------------------- */
445 static GDBusAuthMechanism
*
446 client_choose_mech_and_send_initial_response (GDBusAuth
*auth
,
447 GCredentials
*credentials_that_were_sent
,
448 const gchar
* const *supported_auth_mechs
,
449 GPtrArray
*attempted_auth_mechs
,
450 GDataOutputStream
*dos
,
451 GCancellable
*cancellable
,
454 GDBusAuthMechanism
*mech
;
455 GType auth_mech_to_use_gtype
;
458 gchar
*initial_response
;
459 gsize initial_response_len
;
466 debug_print ("CLIENT: Trying to choose mechanism");
468 /* find an authentication mechanism to try, if any */
469 auth_mech_to_use_gtype
= (GType
) 0;
470 for (n
= 0; supported_auth_mechs
[n
] != NULL
; n
++)
472 gboolean attempted_already
;
473 attempted_already
= FALSE
;
474 for (m
= 0; m
< attempted_auth_mechs
->len
; m
++)
476 if (g_strcmp0 (supported_auth_mechs
[n
], attempted_auth_mechs
->pdata
[m
]) == 0)
478 attempted_already
= TRUE
;
482 if (!attempted_already
)
484 auth_mech_to_use_gtype
= find_mech_by_name (auth
, supported_auth_mechs
[n
]);
485 if (auth_mech_to_use_gtype
!= (GType
) 0)
490 if (auth_mech_to_use_gtype
== (GType
) 0)
496 debug_print ("CLIENT: Exhausted all available mechanisms");
498 available
= g_strjoinv (", ", (gchar
**) supported_auth_mechs
);
500 tried_str
= g_string_new (NULL
);
501 for (n
= 0; n
< attempted_auth_mechs
->len
; n
++)
504 g_string_append (tried_str
, ", ");
505 g_string_append (tried_str
, attempted_auth_mechs
->pdata
[n
]);
510 _("Exhausted all available authentication mechanisms (tried: %s) (available: %s)"),
513 g_string_free (tried_str
, TRUE
);
518 /* OK, decided on a mechanism - let's do this thing */
519 mech
= g_object_new (auth_mech_to_use_gtype
,
520 "stream", auth
->priv
->stream
,
521 "credentials", credentials_that_were_sent
,
523 debug_print ("CLIENT: Trying mechanism '%s'", _g_dbus_auth_mechanism_get_name (auth_mech_to_use_gtype
));
524 g_ptr_array_add (attempted_auth_mechs
, (gpointer
) _g_dbus_auth_mechanism_get_name (auth_mech_to_use_gtype
));
526 /* the auth mechanism may not be supported
527 * (for example, EXTERNAL only works if credentials were exchanged)
529 if (!_g_dbus_auth_mechanism_is_supported (mech
))
531 debug_print ("CLIENT: Mechanism '%s' says it is not supported", _g_dbus_auth_mechanism_get_name (auth_mech_to_use_gtype
));
532 g_object_unref (mech
);
537 initial_response_len
= -1;
538 initial_response
= _g_dbus_auth_mechanism_client_initiate (mech
,
539 &initial_response_len
);
541 g_printerr ("using auth mechanism with name '%s' of type '%s' with initial response '%s'\n",
542 _g_dbus_auth_mechanism_get_name (auth_mech_to_use_gtype
),
543 g_type_name (G_TYPE_FROM_INSTANCE (mech
)),
546 if (initial_response
!= NULL
)
548 //g_printerr ("initial_response = '%s'\n", initial_response);
549 encoded
= hexencode (initial_response
);
550 s
= g_strdup_printf ("AUTH %s %s\r\n",
551 _g_dbus_auth_mechanism_get_name (auth_mech_to_use_gtype
),
553 g_free (initial_response
);
558 s
= g_strdup_printf ("AUTH %s\r\n", _g_dbus_auth_mechanism_get_name (auth_mech_to_use_gtype
));
560 debug_print ("CLIENT: writing '%s'", s
);
561 if (!g_data_output_stream_put_string (dos
, s
, cancellable
, error
))
563 g_object_unref (mech
);
575 /* ---------------------------------------------------------------------------------------------------- */
579 CLIENT_STATE_WAITING_FOR_DATA
,
580 CLIENT_STATE_WAITING_FOR_OK
,
581 CLIENT_STATE_WAITING_FOR_REJECT
,
582 CLIENT_STATE_WAITING_FOR_AGREE_UNIX_FD
586 _g_dbus_auth_run_client (GDBusAuth
*auth
,
587 GDBusAuthObserver
*observer
,
588 GDBusCapabilityFlags offered_capabilities
,
589 GDBusCapabilityFlags
*out_negotiated_capabilities
,
590 GCancellable
*cancellable
,
594 GDataInputStream
*dis
;
595 GDataOutputStream
*dos
;
596 GCredentials
*credentials
;
600 gchar
**supported_auth_mechs
;
601 GPtrArray
*attempted_auth_mechs
;
602 GDBusAuthMechanism
*mech
;
604 GDBusCapabilityFlags negotiated_capabilities
;
606 debug_print ("CLIENT: initiating");
608 _g_dbus_auth_add_mechs (auth
, observer
);
611 supported_auth_mechs
= NULL
;
612 attempted_auth_mechs
= g_ptr_array_new ();
614 negotiated_capabilities
= 0;
617 dis
= G_DATA_INPUT_STREAM (g_data_input_stream_new (g_io_stream_get_input_stream (auth
->priv
->stream
)));
618 dos
= G_DATA_OUTPUT_STREAM (g_data_output_stream_new (g_io_stream_get_output_stream (auth
->priv
->stream
)));
619 g_filter_input_stream_set_close_base_stream (G_FILTER_INPUT_STREAM (dis
), FALSE
);
620 g_filter_output_stream_set_close_base_stream (G_FILTER_OUTPUT_STREAM (dos
), FALSE
);
622 g_data_input_stream_set_newline_type (dis
, G_DATA_STREAM_NEWLINE_TYPE_CR_LF
);
625 if (G_IS_UNIX_CONNECTION (auth
->priv
->stream
))
627 credentials
= g_credentials_new ();
628 if (!g_unix_connection_send_credentials (G_UNIX_CONNECTION (auth
->priv
->stream
),
635 if (!g_data_output_stream_put_byte (dos
, '\0', cancellable
, error
))
639 if (!g_data_output_stream_put_byte (dos
, '\0', cancellable
, error
))
643 if (credentials
!= NULL
)
645 if (G_UNLIKELY (_g_dbus_debug_authentication ()))
647 s
= g_credentials_to_string (credentials
);
648 debug_print ("CLIENT: sent credentials '%s'", s
);
654 debug_print ("CLIENT: didn't send any credentials");
657 /* TODO: to reduce roundtrips, try to pick an auth mechanism to start with */
659 /* Get list of supported authentication mechanisms */
661 debug_print ("CLIENT: writing '%s'", s
);
662 if (!g_data_output_stream_put_string (dos
, s
, cancellable
, error
))
664 state
= CLIENT_STATE_WAITING_FOR_REJECT
;
670 case CLIENT_STATE_WAITING_FOR_REJECT
:
671 debug_print ("CLIENT: WaitingForReject");
672 line
= _my_g_data_input_stream_read_line (dis
, &line_length
, cancellable
, error
);
675 debug_print ("CLIENT: WaitingForReject, read '%s'", line
);
678 if (!g_str_has_prefix (line
, "REJECTED "))
683 "In WaitingForReject: Expected 'REJECTED am1 am2 ... amN', got '%s'",
688 if (supported_auth_mechs
== NULL
)
690 supported_auth_mechs
= g_strsplit (line
+ sizeof ("REJECTED ") - 1, " ", 0);
692 for (n
= 0; supported_auth_mechs
!= NULL
&& supported_auth_mechs
[n
] != NULL
; n
++)
693 g_printerr ("supported_auth_mechs[%d] = '%s'\n", n
, supported_auth_mechs
[n
]);
697 mech
= client_choose_mech_and_send_initial_response (auth
,
699 (const gchar
* const *) supported_auth_mechs
,
700 attempted_auth_mechs
,
706 if (_g_dbus_auth_mechanism_client_get_state (mech
) == G_DBUS_AUTH_MECHANISM_STATE_WAITING_FOR_DATA
)
707 state
= CLIENT_STATE_WAITING_FOR_DATA
;
709 state
= CLIENT_STATE_WAITING_FOR_OK
;
712 case CLIENT_STATE_WAITING_FOR_OK
:
713 debug_print ("CLIENT: WaitingForOK");
714 line
= _my_g_data_input_stream_read_line (dis
, &line_length
, cancellable
, error
);
717 debug_print ("CLIENT: WaitingForOK, read '%s'", line
);
718 if (g_str_has_prefix (line
, "OK "))
720 if (!g_dbus_is_guid (line
+ 3))
725 "Invalid OK response '%s'",
730 ret_guid
= g_strdup (line
+ 3);
733 if (offered_capabilities
& G_DBUS_CAPABILITY_FLAGS_UNIX_FD_PASSING
)
735 s
= "NEGOTIATE_UNIX_FD\r\n";
736 debug_print ("CLIENT: writing '%s'", s
);
737 if (!g_data_output_stream_put_string (dos
, s
, cancellable
, error
))
739 state
= CLIENT_STATE_WAITING_FOR_AGREE_UNIX_FD
;
744 debug_print ("CLIENT: writing '%s'", s
);
745 if (!g_data_output_stream_put_string (dos
, s
, cancellable
, error
))
747 /* and we're done! */
751 else if (g_str_has_prefix (line
, "REJECTED "))
753 goto choose_mechanism
;
757 /* TODO: handle other valid responses */
761 "In WaitingForOk: unexpected response '%s'",
768 case CLIENT_STATE_WAITING_FOR_AGREE_UNIX_FD
:
769 debug_print ("CLIENT: WaitingForAgreeUnixFD");
770 line
= _my_g_data_input_stream_read_line (dis
, &line_length
, cancellable
, error
);
773 debug_print ("CLIENT: WaitingForAgreeUnixFD, read='%s'", line
);
774 if (g_strcmp0 (line
, "AGREE_UNIX_FD") == 0)
777 negotiated_capabilities
|= G_DBUS_CAPABILITY_FLAGS_UNIX_FD_PASSING
;
779 debug_print ("CLIENT: writing '%s'", s
);
780 if (!g_data_output_stream_put_string (dos
, s
, cancellable
, error
))
782 /* and we're done! */
785 else if (g_str_has_prefix (line
, "ERROR") && (line
[5] == 0 || g_ascii_isspace (line
[5])))
787 //g_strstrip (line + 5); g_debug ("bah, no unix_fd: '%s'", line + 5);
790 debug_print ("CLIENT: writing '%s'", s
);
791 if (!g_data_output_stream_put_string (dos
, s
, cancellable
, error
))
793 /* and we're done! */
798 /* TODO: handle other valid responses */
802 "In WaitingForAgreeUnixFd: unexpected response '%s'",
809 case CLIENT_STATE_WAITING_FOR_DATA
:
810 debug_print ("CLIENT: WaitingForData");
811 line
= _my_g_data_input_stream_read_line (dis
, &line_length
, cancellable
, error
);
814 debug_print ("CLIENT: WaitingForData, read='%s'", line
);
815 if (g_str_has_prefix (line
, "DATA "))
819 gsize decoded_data_len
= 0;
821 encoded
= g_strdup (line
+ 5);
823 g_strstrip (encoded
);
824 decoded_data
= hexdecode (encoded
, &decoded_data_len
, error
);
826 if (decoded_data
== NULL
)
828 g_prefix_error (error
, "DATA response is malformed: ");
829 /* invalid encoding, disconnect! */
832 _g_dbus_auth_mechanism_client_data_receive (mech
, decoded_data
, decoded_data_len
);
833 g_free (decoded_data
);
835 if (_g_dbus_auth_mechanism_client_get_state (mech
) == G_DBUS_AUTH_MECHANISM_STATE_HAVE_DATA_TO_SEND
)
840 data
= _g_dbus_auth_mechanism_client_data_send (mech
, &data_len
);
841 encoded_data
= hexencode (data
);
842 s
= g_strdup_printf ("DATA %s\r\n", encoded_data
);
843 g_free (encoded_data
);
845 debug_print ("CLIENT: writing '%s'", s
);
846 if (!g_data_output_stream_put_string (dos
, s
, cancellable
, error
))
853 state
= CLIENT_STATE_WAITING_FOR_OK
;
855 else if (g_str_has_prefix (line
, "REJECTED "))
857 /* could be the chosen authentication method just doesn't work. Try
860 goto choose_mechanism
;
867 "In WaitingForData: unexpected response '%s'",
875 g_assert_not_reached ();
879 }; /* main authentication client loop */
883 g_object_unref (mech
);
884 g_ptr_array_unref (attempted_auth_mechs
);
885 g_strfreev (supported_auth_mechs
);
886 g_object_unref (dis
);
887 g_object_unref (dos
);
889 /* ensure return value is NULL if error is set */
890 if (error
!= NULL
&& *error
!= NULL
)
896 if (ret_guid
!= NULL
)
898 if (out_negotiated_capabilities
!= NULL
)
899 *out_negotiated_capabilities
= negotiated_capabilities
;
902 if (credentials
!= NULL
)
903 g_object_unref (credentials
);
905 debug_print ("CLIENT: Done, authenticated=%d", ret_guid
!= NULL
);
910 /* ---------------------------------------------------------------------------------------------------- */
913 get_auth_mechanisms (GDBusAuth
*auth
,
914 gboolean allow_anonymous
,
917 const gchar
*separator
)
923 str
= g_string_new (prefix
);
925 for (l
= auth
->priv
->available_mechanisms
; l
!= NULL
; l
= l
->next
)
927 Mechanism
*m
= l
->data
;
929 if (!allow_anonymous
&& g_strcmp0 (m
->name
, "ANONYMOUS") == 0)
933 g_string_append (str
, separator
);
934 g_string_append (str
, m
->name
);
938 g_string_append (str
, suffix
);
939 return g_string_free (str
, FALSE
);
945 SERVER_STATE_WAITING_FOR_AUTH
,
946 SERVER_STATE_WAITING_FOR_DATA
,
947 SERVER_STATE_WAITING_FOR_BEGIN
951 _g_dbus_auth_run_server (GDBusAuth
*auth
,
952 GDBusAuthObserver
*observer
,
954 gboolean allow_anonymous
,
955 GDBusCapabilityFlags offered_capabilities
,
956 GDBusCapabilityFlags
*out_negotiated_capabilities
,
957 GCredentials
**out_received_credentials
,
958 GCancellable
*cancellable
,
963 GDataInputStream
*dis
;
964 GDataOutputStream
*dos
;
969 GDBusAuthMechanism
*mech
;
971 GDBusCapabilityFlags negotiated_capabilities
;
972 GCredentials
*credentials
;
974 debug_print ("SERVER: initiating");
976 _g_dbus_auth_add_mechs (auth
, observer
);
982 negotiated_capabilities
= 0;
985 if (!g_dbus_is_guid (guid
))
990 "The given guid '%s' is not valid",
995 dis
= G_DATA_INPUT_STREAM (g_data_input_stream_new (g_io_stream_get_input_stream (auth
->priv
->stream
)));
996 dos
= G_DATA_OUTPUT_STREAM (g_data_output_stream_new (g_io_stream_get_output_stream (auth
->priv
->stream
)));
997 g_filter_input_stream_set_close_base_stream (G_FILTER_INPUT_STREAM (dis
), FALSE
);
998 g_filter_output_stream_set_close_base_stream (G_FILTER_OUTPUT_STREAM (dos
), FALSE
);
1000 g_data_input_stream_set_newline_type (dis
, G_DATA_STREAM_NEWLINE_TYPE_CR_LF
);
1002 /* first read the NUL-byte (TODO: read credentials if using a unix domain socket) */
1004 if (G_IS_UNIX_CONNECTION (auth
->priv
->stream
))
1007 credentials
= g_unix_connection_receive_credentials (G_UNIX_CONNECTION (auth
->priv
->stream
),
1010 if (credentials
== NULL
&& !g_error_matches (local_error
, G_IO_ERROR
, G_IO_ERROR_NOT_SUPPORTED
))
1012 g_propagate_error (error
, local_error
);
1019 byte
= g_data_input_stream_read_byte (dis
, cancellable
, &local_error
);
1020 byte
= byte
; /* To avoid -Wunused-but-set-variable */
1021 if (local_error
!= NULL
)
1023 g_propagate_error (error
, local_error
);
1029 byte
= g_data_input_stream_read_byte (dis
, cancellable
, &local_error
);
1030 byte
= byte
; /* To avoid -Wunused-but-set-variable */
1031 if (local_error
!= NULL
)
1033 g_propagate_error (error
, local_error
);
1037 if (credentials
!= NULL
)
1039 if (G_UNLIKELY (_g_dbus_debug_authentication ()))
1041 s
= g_credentials_to_string (credentials
);
1042 debug_print ("SERVER: received credentials '%s'", s
);
1048 debug_print ("SERVER: didn't receive any credentials");
1051 state
= SERVER_STATE_WAITING_FOR_AUTH
;
1056 case SERVER_STATE_WAITING_FOR_AUTH
:
1057 debug_print ("SERVER: WaitingForAuth");
1058 line
= _my_g_data_input_stream_read_line (dis
, &line_length
, cancellable
, error
);
1059 debug_print ("SERVER: WaitingForAuth, read '%s'", line
);
1062 if (g_strcmp0 (line
, "AUTH") == 0)
1064 s
= get_auth_mechanisms (auth
, allow_anonymous
, "REJECTED ", "\r\n", " ");
1065 debug_print ("SERVER: writing '%s'", s
);
1066 if (!g_data_output_stream_put_string (dos
, s
, cancellable
, error
))
1074 else if (g_str_has_prefix (line
, "AUTH "))
1077 const gchar
*encoded
;
1078 const gchar
*mech_name
;
1079 GType auth_mech_to_use_gtype
;
1081 tokens
= g_strsplit (line
, " ", 0);
1084 switch (g_strv_length (tokens
))
1087 /* no initial response */
1088 mech_name
= tokens
[1];
1093 /* initial response */
1094 mech_name
= tokens
[1];
1095 encoded
= tokens
[2];
1102 "Unexpected line '%s' while in WaitingForAuth state",
1104 g_strfreev (tokens
);
1108 /* TODO: record that the client has attempted to use this mechanism */
1109 //g_debug ("client is trying '%s'", mech_name);
1111 auth_mech_to_use_gtype
= find_mech_by_name (auth
, mech_name
);
1112 if ((auth_mech_to_use_gtype
== (GType
) 0) ||
1113 (!allow_anonymous
&& g_strcmp0 (mech_name
, "ANONYMOUS") == 0))
1115 /* We don't support this auth mechanism */
1116 g_strfreev (tokens
);
1117 s
= get_auth_mechanisms (auth
, allow_anonymous
, "REJECTED ", "\r\n", " ");
1118 debug_print ("SERVER: writing '%s'", s
);
1119 if (!g_data_output_stream_put_string (dos
, s
, cancellable
, error
))
1126 /* stay in WAITING FOR AUTH */
1127 state
= SERVER_STATE_WAITING_FOR_AUTH
;
1131 gchar
*initial_response
;
1132 gsize initial_response_len
;
1134 mech
= g_object_new (auth_mech_to_use_gtype
,
1135 "stream", auth
->priv
->stream
,
1136 "credentials", credentials
,
1139 initial_response
= NULL
;
1140 initial_response_len
= 0;
1141 if (encoded
!= NULL
)
1143 initial_response
= hexdecode (encoded
, &initial_response_len
, error
);
1144 if (initial_response
== NULL
)
1146 g_prefix_error (error
, "Initial response is malformed: ");
1147 /* invalid encoding, disconnect! */
1148 g_strfreev (tokens
);
1153 _g_dbus_auth_mechanism_server_initiate (mech
,
1155 initial_response_len
);
1156 g_free (initial_response
);
1157 g_strfreev (tokens
);
1160 switch (_g_dbus_auth_mechanism_server_get_state (mech
))
1162 case G_DBUS_AUTH_MECHANISM_STATE_ACCEPTED
:
1163 if (observer
!= NULL
&&
1164 !g_dbus_auth_observer_authorize_authenticated_peer (observer
,
1169 g_set_error_literal (error
,
1172 _("Cancelled via GDBusAuthObserver::authorize-authenticated-peer"));
1177 s
= g_strdup_printf ("OK %s\r\n", guid
);
1178 debug_print ("SERVER: writing '%s'", s
);
1179 if (!g_data_output_stream_put_string (dos
, s
, cancellable
, error
))
1185 state
= SERVER_STATE_WAITING_FOR_BEGIN
;
1189 case G_DBUS_AUTH_MECHANISM_STATE_REJECTED
:
1190 s
= get_auth_mechanisms (auth
, allow_anonymous
, "REJECTED ", "\r\n", " ");
1191 debug_print ("SERVER: writing '%s'", s
);
1192 if (!g_data_output_stream_put_string (dos
, s
, cancellable
, error
))
1198 state
= SERVER_STATE_WAITING_FOR_AUTH
;
1201 case G_DBUS_AUTH_MECHANISM_STATE_WAITING_FOR_DATA
:
1202 state
= SERVER_STATE_WAITING_FOR_DATA
;
1205 case G_DBUS_AUTH_MECHANISM_STATE_HAVE_DATA_TO_SEND
:
1209 gchar
*encoded_data
;
1210 data
= _g_dbus_auth_mechanism_server_data_send (mech
, &data_len
);
1211 encoded_data
= hexencode (data
);
1212 s
= g_strdup_printf ("DATA %s\r\n", encoded_data
);
1213 g_free (encoded_data
);
1215 debug_print ("SERVER: writing '%s'", s
);
1216 if (!g_data_output_stream_put_string (dos
, s
, cancellable
, error
))
1228 g_assert_not_reached ();
1238 "Unexpected line '%s' while in WaitingForAuth state",
1245 case SERVER_STATE_WAITING_FOR_DATA
:
1246 debug_print ("SERVER: WaitingForData");
1247 line
= _my_g_data_input_stream_read_line (dis
, &line_length
, cancellable
, error
);
1248 debug_print ("SERVER: WaitingForData, read '%s'", line
);
1251 if (g_str_has_prefix (line
, "DATA "))
1254 gchar
*decoded_data
;
1255 gsize decoded_data_len
= 0;
1257 encoded
= g_strdup (line
+ 5);
1259 g_strstrip (encoded
);
1260 decoded_data
= hexdecode (encoded
, &decoded_data_len
, error
);
1262 if (decoded_data
== NULL
)
1264 g_prefix_error (error
, "DATA response is malformed: ");
1265 /* invalid encoding, disconnect! */
1268 _g_dbus_auth_mechanism_server_data_receive (mech
, decoded_data
, decoded_data_len
);
1269 g_free (decoded_data
);
1270 /* oh man, this goto-crap is so ugly.. really need to rewrite the state machine */
1278 "Unexpected line '%s' while in WaitingForData state",
1284 case SERVER_STATE_WAITING_FOR_BEGIN
:
1285 debug_print ("SERVER: WaitingForBegin");
1286 /* Use extremely slow (but reliable) line reader - this basically
1287 * does a recvfrom() system call per character
1289 * (the problem with using GDataInputStream's read_line is that because of
1290 * buffering it might start reading into the first D-Bus message that
1291 * appears after "BEGIN\r\n"....)
1293 line
= _my_g_input_stream_read_line_safe (g_io_stream_get_input_stream (auth
->priv
->stream
),
1297 debug_print ("SERVER: WaitingForBegin, read '%s'", line
);
1300 if (g_strcmp0 (line
, "BEGIN") == 0)
1307 else if (g_strcmp0 (line
, "NEGOTIATE_UNIX_FD") == 0)
1310 if (offered_capabilities
& G_DBUS_CAPABILITY_FLAGS_UNIX_FD_PASSING
)
1312 negotiated_capabilities
|= G_DBUS_CAPABILITY_FLAGS_UNIX_FD_PASSING
;
1313 s
= "AGREE_UNIX_FD\r\n";
1314 debug_print ("SERVER: writing '%s'", s
);
1315 if (!g_data_output_stream_put_string (dos
, s
, cancellable
, error
))
1320 s
= "ERROR \"fd passing not offered\"\r\n";
1321 debug_print ("SERVER: writing '%s'", s
);
1322 if (!g_data_output_stream_put_string (dos
, s
, cancellable
, error
))
1328 g_debug ("Unexpected line '%s' while in WaitingForBegin state", line
);
1330 s
= "ERROR \"Unknown Command\"\r\n";
1331 debug_print ("SERVER: writing '%s'", s
);
1332 if (!g_data_output_stream_put_string (dos
, s
, cancellable
, error
))
1338 g_assert_not_reached ();
1344 g_set_error_literal (error
,
1347 "Not implemented (server)");
1351 g_object_unref (mech
);
1353 g_object_unref (dis
);
1355 g_object_unref (dos
);
1357 /* ensure return value is FALSE if error is set */
1358 if (error
!= NULL
&& *error
!= NULL
)
1365 if (out_negotiated_capabilities
!= NULL
)
1366 *out_negotiated_capabilities
= negotiated_capabilities
;
1367 if (out_received_credentials
!= NULL
)
1368 *out_received_credentials
= credentials
!= NULL
? g_object_ref (credentials
) : NULL
;
1371 if (credentials
!= NULL
)
1372 g_object_unref (credentials
);
1374 debug_print ("SERVER: Done, authenticated=%d", ret
);
1379 /* ---------------------------------------------------------------------------------------------------- */