1 /* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
2 /* dbus-auth.c Authentication
4 * Copyright (C) 2002, 2003, 2004 Red Hat Inc.
6 * Licensed under the Academic Free License version 2.1
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
25 #include "dbus-auth.h"
26 #include "dbus-string.h"
27 #include "dbus-list.h"
28 #include "dbus-internals.h"
29 #include "dbus-keyring.h"
31 #include "dbus-protocol.h"
32 #include "dbus-credentials.h"
35 * @defgroup DBusAuth Authentication
36 * @ingroup DBusInternals
37 * @brief DBusAuth object
39 * DBusAuth manages the authentication negotiation when a connection
40 * is first established, and also manages any encryption used over a
43 * @todo some SASL profiles require sending the empty string as a
44 * challenge/response, but we don't currently allow that in our
47 * @todo right now sometimes both ends will block waiting for input
48 * from the other end, e.g. if there's an error during
51 * @todo the cookie keyring needs to be cached globally not just
52 * per-auth (which raises threadsafety issues too)
54 * @todo grep FIXME in dbus-auth.c
58 * @defgroup DBusAuthInternals Authentication implementation details
59 * @ingroup DBusInternals
60 * @brief DBusAuth implementation details
62 * Private details of authentication code.
68 * This function appends an initial client response to the given string
70 typedef dbus_bool_t (* DBusInitialResponseFunction) (DBusAuth *auth,
71 DBusString *response);
74 * This function processes a block of data received from the peer.
75 * i.e. handles a DATA command.
77 typedef dbus_bool_t (* DBusAuthDataFunction) (DBusAuth *auth,
78 const DBusString *data);
81 * This function encodes a block of data from the peer.
83 typedef dbus_bool_t (* DBusAuthEncodeFunction) (DBusAuth *auth,
84 const DBusString *data,
88 * This function decodes a block of data from the peer.
90 typedef dbus_bool_t (* DBusAuthDecodeFunction) (DBusAuth *auth,
91 const DBusString *data,
95 * This function is called when the mechanism is abandoned.
97 typedef void (* DBusAuthShutdownFunction) (DBusAuth *auth);
100 * Virtual table representing a particular auth mechanism.
104 const char *mechanism; /**< Name of the mechanism */
105 DBusAuthDataFunction server_data_func; /**< Function on server side for DATA */
106 DBusAuthEncodeFunction server_encode_func; /**< Function on server side to encode */
107 DBusAuthDecodeFunction server_decode_func; /**< Function on server side to decode */
108 DBusAuthShutdownFunction server_shutdown_func; /**< Function on server side to shut down */
109 DBusInitialResponseFunction client_initial_response_func; /**< Function on client side to handle initial response */
110 DBusAuthDataFunction client_data_func; /**< Function on client side for DATA */
111 DBusAuthEncodeFunction client_encode_func; /**< Function on client side for encode */
112 DBusAuthDecodeFunction client_decode_func; /**< Function on client side for decode */
113 DBusAuthShutdownFunction client_shutdown_func; /**< Function on client side for shutdown */
114 } DBusAuthMechanismHandler;
117 * Enumeration for the known authentication commands.
120 DBUS_AUTH_COMMAND_AUTH,
121 DBUS_AUTH_COMMAND_CANCEL,
122 DBUS_AUTH_COMMAND_DATA,
123 DBUS_AUTH_COMMAND_BEGIN,
124 DBUS_AUTH_COMMAND_REJECTED,
125 DBUS_AUTH_COMMAND_OK,
126 DBUS_AUTH_COMMAND_ERROR,
127 DBUS_AUTH_COMMAND_UNKNOWN,
128 DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD,
129 DBUS_AUTH_COMMAND_AGREE_UNIX_FD
133 * Auth state function, determines the reaction to incoming events for
134 * a particular state. Returns whether we had enough memory to
135 * complete the operation.
137 typedef dbus_bool_t (* DBusAuthStateFunction) (DBusAuth *auth,
138 DBusAuthCommand command,
139 const DBusString *args);
142 * Information about a auth state.
146 const char *name; /**< Name of the state */
147 DBusAuthStateFunction handler; /**< State function for this state */
151 * Internal members of DBusAuth.
155 int refcount; /**< reference count */
156 const char *side; /**< Client or server */
158 DBusString incoming; /**< Incoming data buffer */
159 DBusString outgoing; /**< Outgoing data buffer */
161 const DBusAuthStateData *state; /**< Current protocol state */
163 const DBusAuthMechanismHandler *mech; /**< Current auth mechanism */
165 DBusString identity; /**< Current identity we're authorizing
169 DBusCredentials *credentials; /**< Credentials read from socket
172 DBusCredentials *authorized_identity; /**< Credentials that are authorized */
174 DBusCredentials *desired_identity; /**< Identity client has requested */
176 DBusString context; /**< Cookie scope */
177 DBusKeyring *keyring; /**< Keyring for cookie mechanism. */
178 int cookie_id; /**< ID of cookie to use */
179 DBusString challenge; /**< Challenge sent to client */
181 char **allowed_mechs; /**< Mechanisms we're allowed to use,
182 * or #NULL if we can use any
185 unsigned int needed_memory : 1; /**< We needed memory to continue since last
186 * successful getting something done
188 unsigned int already_got_mechanisms : 1; /**< Client already got mech list */
189 unsigned int already_asked_for_initial_response : 1; /**< Already sent a blank challenge to get an initial response */
190 unsigned int buffer_outstanding : 1; /**< Buffer is "checked out" for reading data into */
192 unsigned int unix_fd_possible : 1; /**< This side could do unix fd passing */
193 unsigned int unix_fd_negotiated : 1; /**< Unix fd was successfully negotiated */
197 * "Subclass" of DBusAuth for client side
201 DBusAuth base; /**< Parent class */
203 DBusList *mechs_to_try; /**< Mechanisms we got from the server that we're going to try using */
205 DBusString guid_from_server; /**< GUID received from server */
210 * "Subclass" of DBusAuth for server side.
214 DBusAuth base; /**< Parent class */
216 int failures; /**< Number of times client has been rejected */
217 int max_failures; /**< Number of times we reject before disconnect */
219 DBusString guid; /**< Our globally unique ID in hex encoding */
223 static void goto_state (DBusAuth *auth,
224 const DBusAuthStateData *new_state);
225 static dbus_bool_t send_auth (DBusAuth *auth,
226 const DBusAuthMechanismHandler *mech);
227 static dbus_bool_t send_data (DBusAuth *auth,
229 static dbus_bool_t send_rejected (DBusAuth *auth);
230 static dbus_bool_t send_error (DBusAuth *auth,
231 const char *message);
232 static dbus_bool_t send_ok (DBusAuth *auth);
233 static dbus_bool_t send_begin (DBusAuth *auth);
234 static dbus_bool_t send_cancel (DBusAuth *auth);
235 static dbus_bool_t send_negotiate_unix_fd (DBusAuth *auth);
236 static dbus_bool_t send_agree_unix_fd (DBusAuth *auth);
242 static dbus_bool_t handle_server_state_waiting_for_auth (DBusAuth *auth,
243 DBusAuthCommand command,
244 const DBusString *args);
245 static dbus_bool_t handle_server_state_waiting_for_data (DBusAuth *auth,
246 DBusAuthCommand command,
247 const DBusString *args);
248 static dbus_bool_t handle_server_state_waiting_for_begin (DBusAuth *auth,
249 DBusAuthCommand command,
250 const DBusString *args);
252 static const DBusAuthStateData server_state_waiting_for_auth = {
253 "WaitingForAuth", handle_server_state_waiting_for_auth
255 static const DBusAuthStateData server_state_waiting_for_data = {
256 "WaitingForData", handle_server_state_waiting_for_data
258 static const DBusAuthStateData server_state_waiting_for_begin = {
259 "WaitingForBegin", handle_server_state_waiting_for_begin
266 static dbus_bool_t handle_client_state_waiting_for_data (DBusAuth *auth,
267 DBusAuthCommand command,
268 const DBusString *args);
269 static dbus_bool_t handle_client_state_waiting_for_ok (DBusAuth *auth,
270 DBusAuthCommand command,
271 const DBusString *args);
272 static dbus_bool_t handle_client_state_waiting_for_reject (DBusAuth *auth,
273 DBusAuthCommand command,
274 const DBusString *args);
275 static dbus_bool_t handle_client_state_waiting_for_agree_unix_fd (DBusAuth *auth,
276 DBusAuthCommand command,
277 const DBusString *args);
279 static const DBusAuthStateData client_state_need_send_auth = {
282 static const DBusAuthStateData client_state_waiting_for_data = {
283 "WaitingForData", handle_client_state_waiting_for_data
285 /* The WaitingForOK state doesn't appear to be used.
286 * See https://bugs.freedesktop.org/show_bug.cgi?id=97298 */
288 static const DBusAuthStateData client_state_waiting_for_ok = {
289 "WaitingForOK", handle_client_state_waiting_for_ok
291 static const DBusAuthStateData client_state_waiting_for_reject = {
292 "WaitingForReject", handle_client_state_waiting_for_reject
294 static const DBusAuthStateData client_state_waiting_for_agree_unix_fd = {
295 "WaitingForAgreeUnixFD", handle_client_state_waiting_for_agree_unix_fd
299 * Common terminal states. Terminal states have handler == NULL.
302 static const DBusAuthStateData common_state_authenticated = {
303 "Authenticated", NULL
306 static const DBusAuthStateData common_state_need_disconnect = {
307 "NeedDisconnect", NULL
310 static const char auth_side_client[] = "client";
311 static const char auth_side_server[] = "server";
313 * @param auth the auth conversation
314 * @returns #TRUE if the conversation is the server side
316 #define DBUS_AUTH_IS_SERVER(auth) ((auth)->side == auth_side_server)
318 * @param auth the auth conversation
319 * @returns #TRUE if the conversation is the client side
321 #define DBUS_AUTH_IS_CLIENT(auth) ((auth)->side == auth_side_client)
323 * @param auth the auth conversation
324 * @returns auth cast to DBusAuthClient
326 #define DBUS_AUTH_CLIENT(auth) ((DBusAuthClient*)(auth))
328 * @param auth the auth conversation
329 * @returns auth cast to DBusAuthServer
331 #define DBUS_AUTH_SERVER(auth) ((DBusAuthServer*)(auth))
334 * The name of the auth ("client" or "server")
335 * @param auth the auth conversation
338 #define DBUS_AUTH_NAME(auth) ((auth)->side)
341 _dbus_auth_new (int size)
345 auth = dbus_malloc0 (size);
351 auth->keyring = NULL;
352 auth->cookie_id = -1;
354 /* note that we don't use the max string length feature,
355 * because you can't use that feature if you're going to
356 * try to recover from out-of-memory (it creates
357 * what looks like unrecoverable inability to alloc
358 * more space in the string). But we do handle
359 * overlong buffers in _dbus_auth_do_work().
362 if (!_dbus_string_init (&auth->incoming))
365 if (!_dbus_string_init (&auth->outgoing))
368 if (!_dbus_string_init (&auth->identity))
371 if (!_dbus_string_init (&auth->context))
374 if (!_dbus_string_init (&auth->challenge))
377 /* default context if none is specified */
378 if (!_dbus_string_append (&auth->context, "org_freedesktop_general"))
381 auth->credentials = _dbus_credentials_new ();
382 if (auth->credentials == NULL)
385 auth->authorized_identity = _dbus_credentials_new ();
386 if (auth->authorized_identity == NULL)
389 auth->desired_identity = _dbus_credentials_new ();
390 if (auth->desired_identity == NULL)
397 _dbus_credentials_unref (auth->desired_identity);
400 _dbus_credentials_unref (auth->authorized_identity);
402 _dbus_credentials_unref (auth->credentials);
404 /* last alloc was an append to context, which is freed already below */ ;
406 _dbus_string_free (&auth->challenge);
408 _dbus_string_free (&auth->context);
410 _dbus_string_free (&auth->identity);
412 _dbus_string_free (&auth->outgoing);
414 _dbus_string_free (&auth->incoming);
421 shutdown_mech (DBusAuth *auth)
423 /* Cancel any auth */
424 auth->already_asked_for_initial_response = FALSE;
425 _dbus_string_set_length (&auth->identity, 0);
427 _dbus_credentials_clear (auth->authorized_identity);
428 _dbus_credentials_clear (auth->desired_identity);
430 if (auth->mech != NULL)
432 _dbus_verbose ("%s: Shutting down mechanism %s\n",
433 DBUS_AUTH_NAME (auth), auth->mech->mechanism);
435 if (DBUS_AUTH_IS_CLIENT (auth))
436 (* auth->mech->client_shutdown_func) (auth);
438 (* auth->mech->server_shutdown_func) (auth);
445 * DBUS_COOKIE_SHA1 mechanism
448 /* Returns TRUE but with an empty string hash if the
449 * cookie_id isn't known. As with all this code
450 * TRUE just means we had enough memory.
453 sha1_compute_hash (DBusAuth *auth,
455 const DBusString *server_challenge,
456 const DBusString *client_challenge,
463 _dbus_assert (auth->keyring != NULL);
467 if (!_dbus_string_init (&cookie))
470 if (!_dbus_keyring_get_hex_key (auth->keyring, cookie_id,
474 if (_dbus_string_get_length (&cookie) == 0)
480 if (!_dbus_string_init (&to_hash))
483 if (!_dbus_string_copy (server_challenge, 0,
484 &to_hash, _dbus_string_get_length (&to_hash)))
487 if (!_dbus_string_append (&to_hash, ":"))
490 if (!_dbus_string_copy (client_challenge, 0,
491 &to_hash, _dbus_string_get_length (&to_hash)))
494 if (!_dbus_string_append (&to_hash, ":"))
497 if (!_dbus_string_copy (&cookie, 0,
498 &to_hash, _dbus_string_get_length (&to_hash)))
501 if (!_dbus_sha_compute (&to_hash, hash))
507 _dbus_string_zero (&to_hash);
508 _dbus_string_free (&to_hash);
510 _dbus_string_zero (&cookie);
511 _dbus_string_free (&cookie);
515 /** http://www.ietf.org/rfc/rfc2831.txt suggests at least 64 bits of
516 * entropy, we use 128. This is the number of bytes in the random
519 #define N_CHALLENGE_BYTES (128/8)
522 sha1_handle_first_client_response (DBusAuth *auth,
523 const DBusString *data)
525 /* We haven't sent a challenge yet, we're expecting a desired
526 * username from the client.
530 dbus_bool_t retval = FALSE;
531 DBusError error = DBUS_ERROR_INIT;
532 DBusCredentials *myself = NULL;
534 _dbus_string_set_length (&auth->challenge, 0);
536 if (_dbus_string_get_length (data) > 0)
538 if (_dbus_string_get_length (&auth->identity) > 0)
540 /* Tried to send two auth identities, wtf */
541 _dbus_verbose ("%s: client tried to send auth identity, but we already have one\n",
542 DBUS_AUTH_NAME (auth));
543 return send_rejected (auth);
547 /* this is our auth identity */
548 if (!_dbus_string_copy (data, 0, &auth->identity, 0))
553 if (!_dbus_credentials_add_from_user (auth->desired_identity, data))
555 _dbus_verbose ("%s: Did not get a valid username from client\n",
556 DBUS_AUTH_NAME (auth));
557 return send_rejected (auth);
560 if (!_dbus_string_init (&tmp))
563 if (!_dbus_string_init (&tmp2))
565 _dbus_string_free (&tmp);
569 myself = _dbus_credentials_new_from_current_process ();
574 if (!_dbus_credentials_same_user (myself, auth->desired_identity))
577 * DBUS_COOKIE_SHA1 is not suitable for authenticating that the
578 * client is anyone other than the user owning the process
579 * containing the DBusServer: we probably aren't allowed to write
580 * to other users' home directories. Even if we can (for example
581 * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we
582 * must not, because the other user controls their home directory,
583 * and could carry out symlink attacks to make us read from or
584 * write to unintended locations. It's difficult to avoid symlink
585 * attacks in a portable way, so we just don't try. This isn't a
586 * regression, because DBUS_COOKIE_SHA1 never worked for other
589 _dbus_verbose ("%s: client tried to authenticate as \"%s\", "
590 "but that doesn't match this process",
591 DBUS_AUTH_NAME (auth),
592 _dbus_string_get_const_data (data));
593 retval = send_rejected (auth);
597 /* we cache the keyring for speed, so here we drop it if it's the
598 * wrong one. FIXME caching the keyring here is useless since we use
599 * a different DBusAuth for every connection.
602 !_dbus_keyring_is_for_credentials (auth->keyring,
603 auth->desired_identity))
605 _dbus_keyring_unref (auth->keyring);
606 auth->keyring = NULL;
609 if (auth->keyring == NULL)
611 auth->keyring = _dbus_keyring_new_for_credentials (auth->desired_identity,
615 if (auth->keyring == NULL)
617 if (dbus_error_has_name (&error,
618 DBUS_ERROR_NO_MEMORY))
620 dbus_error_free (&error);
625 _DBUS_ASSERT_ERROR_IS_SET (&error);
626 _dbus_verbose ("%s: Error loading keyring: %s\n",
627 DBUS_AUTH_NAME (auth), error.message);
628 if (send_rejected (auth))
629 retval = TRUE; /* retval is only about mem */
630 dbus_error_free (&error);
636 _dbus_assert (!dbus_error_is_set (&error));
640 _dbus_assert (auth->keyring != NULL);
642 auth->cookie_id = _dbus_keyring_get_best_key (auth->keyring, &error);
643 if (auth->cookie_id < 0)
645 _DBUS_ASSERT_ERROR_IS_SET (&error);
646 _dbus_verbose ("%s: Could not get a cookie ID to send to client: %s\n",
647 DBUS_AUTH_NAME (auth), error.message);
648 if (send_rejected (auth))
650 dbus_error_free (&error);
655 _dbus_assert (!dbus_error_is_set (&error));
658 if (!_dbus_string_copy (&auth->context, 0,
659 &tmp2, _dbus_string_get_length (&tmp2)))
662 if (!_dbus_string_append (&tmp2, " "))
665 if (!_dbus_string_append_int (&tmp2, auth->cookie_id))
668 if (!_dbus_string_append (&tmp2, " "))
671 if (!_dbus_generate_random_bytes (&tmp, N_CHALLENGE_BYTES, &error))
673 if (dbus_error_has_name (&error, DBUS_ERROR_NO_MEMORY))
675 dbus_error_free (&error);
680 _DBUS_ASSERT_ERROR_IS_SET (&error);
681 _dbus_verbose ("%s: Error generating challenge: %s\n",
682 DBUS_AUTH_NAME (auth), error.message);
683 if (send_rejected (auth))
684 retval = TRUE; /* retval is only about mem */
686 dbus_error_free (&error);
691 _dbus_string_set_length (&auth->challenge, 0);
692 if (!_dbus_string_hex_encode (&tmp, 0, &auth->challenge, 0))
695 if (!_dbus_string_hex_encode (&tmp, 0, &tmp2,
696 _dbus_string_get_length (&tmp2)))
699 if (!send_data (auth, &tmp2))
702 goto_state (auth, &server_state_waiting_for_data);
706 _dbus_string_zero (&tmp);
707 _dbus_string_free (&tmp);
708 _dbus_string_zero (&tmp2);
709 _dbus_string_free (&tmp2);
712 _dbus_credentials_unref (myself);
718 sha1_handle_second_client_response (DBusAuth *auth,
719 const DBusString *data)
721 /* We are expecting a response which is the hex-encoded client
722 * challenge, space, then SHA-1 hash of the concatenation of our
723 * challenge, ":", client challenge, ":", secret key, all
727 DBusString client_challenge;
728 DBusString client_hash;
730 DBusString correct_hash;
734 if (!_dbus_string_find_blank (data, 0, &i))
736 _dbus_verbose ("%s: no space separator in client response\n",
737 DBUS_AUTH_NAME (auth));
738 return send_rejected (auth);
741 if (!_dbus_string_init (&client_challenge))
744 if (!_dbus_string_init (&client_hash))
747 if (!_dbus_string_copy_len (data, 0, i, &client_challenge,
751 _dbus_string_skip_blank (data, i, &i);
753 if (!_dbus_string_copy_len (data, i,
754 _dbus_string_get_length (data) - i,
759 if (_dbus_string_get_length (&client_challenge) == 0 ||
760 _dbus_string_get_length (&client_hash) == 0)
762 _dbus_verbose ("%s: zero-length client challenge or hash\n",
763 DBUS_AUTH_NAME (auth));
764 if (send_rejected (auth))
769 if (!_dbus_string_init (&correct_hash))
772 if (!sha1_compute_hash (auth, auth->cookie_id,
778 /* if cookie_id was invalid, then we get an empty hash */
779 if (_dbus_string_get_length (&correct_hash) == 0)
781 if (send_rejected (auth))
786 if (!_dbus_string_equal (&client_hash, &correct_hash))
788 if (send_rejected (auth))
793 if (!_dbus_credentials_add_credentials (auth->authorized_identity,
794 auth->desired_identity))
797 /* Copy process ID from the socket credentials if it's there
799 if (!_dbus_credentials_add_credential (auth->authorized_identity,
800 DBUS_CREDENTIAL_UNIX_PROCESS_ID,
807 _dbus_verbose ("%s: authenticated client using DBUS_COOKIE_SHA1\n",
808 DBUS_AUTH_NAME (auth));
813 _dbus_string_zero (&correct_hash);
814 _dbus_string_free (&correct_hash);
816 _dbus_string_zero (&client_hash);
817 _dbus_string_free (&client_hash);
819 _dbus_string_free (&client_challenge);
825 handle_server_data_cookie_sha1_mech (DBusAuth *auth,
826 const DBusString *data)
828 if (auth->cookie_id < 0)
829 return sha1_handle_first_client_response (auth, data);
831 return sha1_handle_second_client_response (auth, data);
835 handle_server_shutdown_cookie_sha1_mech (DBusAuth *auth)
837 auth->cookie_id = -1;
838 _dbus_string_set_length (&auth->challenge, 0);
842 handle_client_initial_response_cookie_sha1_mech (DBusAuth *auth,
843 DBusString *response)
850 if (!_dbus_string_init (&username))
853 if (!_dbus_append_user_from_current_process (&username))
856 if (!_dbus_string_hex_encode (&username, 0,
858 _dbus_string_get_length (response)))
864 _dbus_string_free (&username);
870 handle_client_data_cookie_sha1_mech (DBusAuth *auth,
871 const DBusString *data)
873 /* The data we get from the server should be the cookie context
874 * name, the cookie ID, and the server challenge, separated by
875 * spaces. We send back our challenge string and the correct hash.
877 dbus_bool_t retval = FALSE;
879 DBusString cookie_id_str;
880 DBusString server_challenge;
881 DBusString client_challenge;
882 DBusString correct_hash;
886 DBusError error = DBUS_ERROR_INIT;
888 if (!_dbus_string_find_blank (data, 0, &i))
890 if (send_error (auth,
891 "Server did not send context/ID/challenge properly"))
896 if (!_dbus_string_init (&context))
899 if (!_dbus_string_copy_len (data, 0, i,
903 _dbus_string_skip_blank (data, i, &i);
904 if (!_dbus_string_find_blank (data, i, &j))
906 if (send_error (auth,
907 "Server did not send context/ID/challenge properly"))
912 if (!_dbus_string_init (&cookie_id_str))
915 if (!_dbus_string_copy_len (data, i, j - i,
919 if (!_dbus_string_init (&server_challenge))
923 _dbus_string_skip_blank (data, i, &i);
924 j = _dbus_string_get_length (data);
926 if (!_dbus_string_copy_len (data, i, j - i,
927 &server_challenge, 0))
930 if (!_dbus_keyring_validate_context (&context))
932 if (send_error (auth, "Server sent invalid cookie context"))
937 if (!_dbus_string_parse_int (&cookie_id_str, 0, &val, NULL))
939 if (send_error (auth, "Could not parse cookie ID as an integer"))
944 if (_dbus_string_get_length (&server_challenge) == 0)
946 if (send_error (auth, "Empty server challenge string"))
951 if (auth->keyring == NULL)
953 auth->keyring = _dbus_keyring_new_for_credentials (NULL,
957 if (auth->keyring == NULL)
959 if (dbus_error_has_name (&error,
960 DBUS_ERROR_NO_MEMORY))
962 dbus_error_free (&error);
967 _DBUS_ASSERT_ERROR_IS_SET (&error);
969 _dbus_verbose ("%s: Error loading keyring: %s\n",
970 DBUS_AUTH_NAME (auth), error.message);
972 if (send_error (auth, "Could not load cookie file"))
973 retval = TRUE; /* retval is only about mem */
975 dbus_error_free (&error);
981 _dbus_assert (!dbus_error_is_set (&error));
985 _dbus_assert (auth->keyring != NULL);
987 if (!_dbus_string_init (&tmp))
990 if (!_dbus_generate_random_bytes (&tmp, N_CHALLENGE_BYTES, &error))
992 if (dbus_error_has_name (&error, DBUS_ERROR_NO_MEMORY))
994 dbus_error_free (&error);
999 _DBUS_ASSERT_ERROR_IS_SET (&error);
1001 _dbus_verbose ("%s: Failed to generate challenge: %s\n",
1002 DBUS_AUTH_NAME (auth), error.message);
1004 if (send_error (auth, "Failed to generate challenge"))
1005 retval = TRUE; /* retval is only about mem */
1007 dbus_error_free (&error);
1012 if (!_dbus_string_init (&client_challenge))
1015 if (!_dbus_string_hex_encode (&tmp, 0, &client_challenge, 0))
1018 if (!_dbus_string_init (&correct_hash))
1021 if (!sha1_compute_hash (auth, val,
1027 if (_dbus_string_get_length (&correct_hash) == 0)
1029 /* couldn't find the cookie ID or something */
1030 if (send_error (auth, "Don't have the requested cookie ID"))
1035 _dbus_string_set_length (&tmp, 0);
1037 if (!_dbus_string_copy (&client_challenge, 0, &tmp,
1038 _dbus_string_get_length (&tmp)))
1041 if (!_dbus_string_append (&tmp, " "))
1044 if (!_dbus_string_copy (&correct_hash, 0, &tmp,
1045 _dbus_string_get_length (&tmp)))
1048 if (!send_data (auth, &tmp))
1054 _dbus_string_zero (&correct_hash);
1055 _dbus_string_free (&correct_hash);
1057 _dbus_string_free (&client_challenge);
1059 _dbus_string_zero (&tmp);
1060 _dbus_string_free (&tmp);
1062 _dbus_string_free (&server_challenge);
1064 _dbus_string_free (&cookie_id_str);
1066 _dbus_string_free (&context);
1072 handle_client_shutdown_cookie_sha1_mech (DBusAuth *auth)
1074 auth->cookie_id = -1;
1075 _dbus_string_set_length (&auth->challenge, 0);
1079 * EXTERNAL mechanism
1083 handle_server_data_external_mech (DBusAuth *auth,
1084 const DBusString *data)
1086 if (_dbus_credentials_are_anonymous (auth->credentials))
1088 _dbus_verbose ("%s: no credentials, mechanism EXTERNAL can't authenticate\n",
1089 DBUS_AUTH_NAME (auth));
1090 return send_rejected (auth);
1093 if (_dbus_string_get_length (data) > 0)
1095 if (_dbus_string_get_length (&auth->identity) > 0)
1097 /* Tried to send two auth identities, wtf */
1098 _dbus_verbose ("%s: client tried to send auth identity, but we already have one\n",
1099 DBUS_AUTH_NAME (auth));
1100 return send_rejected (auth);
1104 /* this is our auth identity */
1105 if (!_dbus_string_copy (data, 0, &auth->identity, 0))
1110 /* Poke client for an auth identity, if none given */
1111 if (_dbus_string_get_length (&auth->identity) == 0 &&
1112 !auth->already_asked_for_initial_response)
1114 if (send_data (auth, NULL))
1116 _dbus_verbose ("%s: sending empty challenge asking client for auth identity\n",
1117 DBUS_AUTH_NAME (auth));
1118 auth->already_asked_for_initial_response = TRUE;
1119 goto_state (auth, &server_state_waiting_for_data);
1126 _dbus_credentials_clear (auth->desired_identity);
1128 /* If auth->identity is still empty here, then client
1129 * responded with an empty string after we poked it for
1130 * an initial response. This means to try to auth the
1131 * identity provided in the credentials.
1133 if (_dbus_string_get_length (&auth->identity) == 0)
1135 if (!_dbus_credentials_add_credentials (auth->desired_identity,
1138 return FALSE; /* OOM */
1143 if (!_dbus_credentials_add_from_user (auth->desired_identity,
1146 _dbus_verbose ("%s: could not get credentials from uid string\n",
1147 DBUS_AUTH_NAME (auth));
1148 return send_rejected (auth);
1152 if (_dbus_credentials_are_anonymous (auth->desired_identity))
1154 _dbus_verbose ("%s: desired user %s is no good\n",
1155 DBUS_AUTH_NAME (auth),
1156 _dbus_string_get_const_data (&auth->identity));
1157 return send_rejected (auth);
1160 if (_dbus_credentials_are_superset (auth->credentials,
1161 auth->desired_identity))
1163 /* client has authenticated */
1164 if (!_dbus_credentials_add_credentials (auth->authorized_identity,
1165 auth->desired_identity))
1168 /* also copy misc process info from the socket credentials
1170 if (!_dbus_credentials_add_credential (auth->authorized_identity,
1171 DBUS_CREDENTIAL_UNIX_PROCESS_ID,
1175 if (!_dbus_credentials_add_credential (auth->authorized_identity,
1176 DBUS_CREDENTIAL_ADT_AUDIT_DATA_ID,
1180 if (!_dbus_credentials_add_credential (auth->authorized_identity,
1181 DBUS_CREDENTIAL_LINUX_SECURITY_LABEL,
1185 if (!send_ok (auth))
1188 _dbus_verbose ("%s: authenticated client based on socket credentials\n",
1189 DBUS_AUTH_NAME (auth));
1195 _dbus_verbose ("%s: desired identity not found in socket credentials\n",
1196 DBUS_AUTH_NAME (auth));
1197 return send_rejected (auth);
1202 handle_server_shutdown_external_mech (DBusAuth *auth)
1208 handle_client_initial_response_external_mech (DBusAuth *auth,
1209 DBusString *response)
1211 /* We always append our UID as an initial response, so the server
1212 * doesn't have to send back an empty challenge to check whether we
1213 * want to specify an identity. i.e. this avoids a round trip that
1214 * the spec for the EXTERNAL mechanism otherwise requires.
1216 DBusString plaintext;
1218 if (!_dbus_string_init (&plaintext))
1221 if (!_dbus_append_user_from_current_process (&plaintext))
1224 if (!_dbus_string_hex_encode (&plaintext, 0,
1226 _dbus_string_get_length (response)))
1229 _dbus_string_free (&plaintext);
1234 _dbus_string_free (&plaintext);
1239 handle_client_data_external_mech (DBusAuth *auth,
1240 const DBusString *data)
1247 handle_client_shutdown_external_mech (DBusAuth *auth)
1253 * ANONYMOUS mechanism
1257 handle_server_data_anonymous_mech (DBusAuth *auth,
1258 const DBusString *data)
1260 if (_dbus_string_get_length (data) > 0)
1262 /* Client is allowed to send "trace" data, the only defined
1263 * meaning is that if it contains '@' it is an email address,
1264 * and otherwise it is anything else, and it's supposed to be
1267 if (!_dbus_string_validate_utf8 (data, 0, _dbus_string_get_length (data)))
1269 _dbus_verbose ("%s: Received invalid UTF-8 trace data from ANONYMOUS client\n",
1270 DBUS_AUTH_NAME (auth));
1271 return send_rejected (auth);
1274 _dbus_verbose ("%s: ANONYMOUS client sent trace string: '%s'\n",
1275 DBUS_AUTH_NAME (auth),
1276 _dbus_string_get_const_data (data));
1279 /* We want to be anonymous (clear in case some other protocol got midway through I guess) */
1280 _dbus_credentials_clear (auth->desired_identity);
1282 /* Copy process ID from the socket credentials
1284 if (!_dbus_credentials_add_credential (auth->authorized_identity,
1285 DBUS_CREDENTIAL_UNIX_PROCESS_ID,
1289 /* Anonymous is always allowed */
1290 if (!send_ok (auth))
1293 _dbus_verbose ("%s: authenticated client as anonymous\n",
1294 DBUS_AUTH_NAME (auth));
1300 handle_server_shutdown_anonymous_mech (DBusAuth *auth)
1306 handle_client_initial_response_anonymous_mech (DBusAuth *auth,
1307 DBusString *response)
1309 /* Our initial response is a "trace" string which must be valid UTF-8
1310 * and must be an email address if it contains '@'.
1311 * We just send the dbus implementation info, like a user-agent or
1312 * something, because... why not. There's nothing guaranteed here
1313 * though, we could change it later.
1315 DBusString plaintext;
1317 if (!_dbus_string_init (&plaintext))
1320 if (!_dbus_string_append (&plaintext,
1321 "libdbus " DBUS_VERSION_STRING))
1324 if (!_dbus_string_hex_encode (&plaintext, 0,
1326 _dbus_string_get_length (response)))
1329 _dbus_string_free (&plaintext);
1334 _dbus_string_free (&plaintext);
1339 handle_client_data_anonymous_mech (DBusAuth *auth,
1340 const DBusString *data)
1347 handle_client_shutdown_anonymous_mech (DBusAuth *auth)
1352 /* Put mechanisms here in order of preference.
1353 * Right now we have:
1355 * - EXTERNAL checks socket credentials (or in the future, other info from the OS)
1356 * - DBUS_COOKIE_SHA1 uses a cookie in the home directory, like xauth or ICE
1357 * - ANONYMOUS checks nothing but doesn't auth the person as a user
1359 * We might ideally add a mechanism to chain to Cyrus SASL so we can
1360 * use its mechanisms as well.
1363 static const DBusAuthMechanismHandler
1364 all_mechanisms[] = {
1366 handle_server_data_external_mech,
1368 handle_server_shutdown_external_mech,
1369 handle_client_initial_response_external_mech,
1370 handle_client_data_external_mech,
1372 handle_client_shutdown_external_mech },
1373 { "DBUS_COOKIE_SHA1",
1374 handle_server_data_cookie_sha1_mech,
1376 handle_server_shutdown_cookie_sha1_mech,
1377 handle_client_initial_response_cookie_sha1_mech,
1378 handle_client_data_cookie_sha1_mech,
1380 handle_client_shutdown_cookie_sha1_mech },
1382 handle_server_data_anonymous_mech,
1384 handle_server_shutdown_anonymous_mech,
1385 handle_client_initial_response_anonymous_mech,
1386 handle_client_data_anonymous_mech,
1388 handle_client_shutdown_anonymous_mech },
1392 static const DBusAuthMechanismHandler*
1393 find_mech (const DBusString *name,
1394 char **allowed_mechs)
1398 if (allowed_mechs != NULL &&
1399 !_dbus_string_array_contains ((const char**) allowed_mechs,
1400 _dbus_string_get_const_data (name)))
1404 while (all_mechanisms[i].mechanism != NULL)
1406 if (_dbus_string_equal_c_str (name,
1407 all_mechanisms[i].mechanism))
1409 return &all_mechanisms[i];
1418 send_auth (DBusAuth *auth, const DBusAuthMechanismHandler *mech)
1420 DBusString auth_command;
1422 if (!_dbus_string_init (&auth_command))
1425 if (!_dbus_string_append (&auth_command,
1428 _dbus_string_free (&auth_command);
1432 if (!_dbus_string_append (&auth_command,
1435 _dbus_string_free (&auth_command);
1439 if (mech->client_initial_response_func != NULL)
1441 if (!_dbus_string_append (&auth_command, " "))
1443 _dbus_string_free (&auth_command);
1447 if (!(* mech->client_initial_response_func) (auth, &auth_command))
1449 _dbus_string_free (&auth_command);
1454 if (!_dbus_string_append (&auth_command,
1457 _dbus_string_free (&auth_command);
1461 if (!_dbus_string_copy (&auth_command, 0,
1463 _dbus_string_get_length (&auth->outgoing)))
1465 _dbus_string_free (&auth_command);
1469 _dbus_string_free (&auth_command);
1470 shutdown_mech (auth);
1472 goto_state (auth, &client_state_waiting_for_data);
1478 send_data (DBusAuth *auth, DBusString *data)
1482 if (data == NULL || _dbus_string_get_length (data) == 0)
1483 return _dbus_string_append (&auth->outgoing, "DATA\r\n");
1486 old_len = _dbus_string_get_length (&auth->outgoing);
1487 if (!_dbus_string_append (&auth->outgoing, "DATA "))
1490 if (!_dbus_string_hex_encode (data, 0, &auth->outgoing,
1491 _dbus_string_get_length (&auth->outgoing)))
1494 if (!_dbus_string_append (&auth->outgoing, "\r\n"))
1500 _dbus_string_set_length (&auth->outgoing, old_len);
1507 send_rejected (DBusAuth *auth)
1510 DBusAuthServer *server_auth;
1513 if (!_dbus_string_init (&command))
1516 if (!_dbus_string_append (&command,
1520 for (i = 0; all_mechanisms[i].mechanism != NULL; i++)
1522 /* skip mechanisms that aren't allowed */
1523 if (auth->allowed_mechs != NULL &&
1524 !_dbus_string_array_contains ((const char**)auth->allowed_mechs,
1525 all_mechanisms[i].mechanism))
1528 if (!_dbus_string_append (&command,
1532 if (!_dbus_string_append (&command,
1533 all_mechanisms[i].mechanism))
1537 if (!_dbus_string_append (&command, "\r\n"))
1540 if (!_dbus_string_copy (&command, 0, &auth->outgoing,
1541 _dbus_string_get_length (&auth->outgoing)))
1544 shutdown_mech (auth);
1546 _dbus_assert (DBUS_AUTH_IS_SERVER (auth));
1547 server_auth = DBUS_AUTH_SERVER (auth);
1548 server_auth->failures += 1;
1550 if (server_auth->failures >= server_auth->max_failures)
1551 goto_state (auth, &common_state_need_disconnect);
1553 goto_state (auth, &server_state_waiting_for_auth);
1555 _dbus_string_free (&command);
1560 _dbus_string_free (&command);
1565 send_error (DBusAuth *auth, const char *message)
1567 return _dbus_string_append_printf (&auth->outgoing,
1568 "ERROR \"%s\"\r\n", message);
1572 send_ok (DBusAuth *auth)
1576 orig_len = _dbus_string_get_length (&auth->outgoing);
1578 if (_dbus_string_append (&auth->outgoing, "OK ") &&
1579 _dbus_string_copy (& DBUS_AUTH_SERVER (auth)->guid,
1582 _dbus_string_get_length (&auth->outgoing)) &&
1583 _dbus_string_append (&auth->outgoing, "\r\n"))
1585 goto_state (auth, &server_state_waiting_for_begin);
1590 _dbus_string_set_length (&auth->outgoing, orig_len);
1596 send_begin (DBusAuth *auth)
1599 if (!_dbus_string_append (&auth->outgoing,
1603 goto_state (auth, &common_state_authenticated);
1608 process_ok(DBusAuth *auth,
1609 const DBusString *args_from_ok) {
1613 /* "args_from_ok" should be the GUID, whitespace already pulled off the front */
1614 _dbus_assert (_dbus_string_get_length (& DBUS_AUTH_CLIENT (auth)->guid_from_server) == 0);
1616 /* We decode the hex string to binary, using guid_from_server as scratch... */
1619 if (!_dbus_string_hex_decode (args_from_ok, 0, &end_of_hex,
1620 & DBUS_AUTH_CLIENT (auth)->guid_from_server, 0))
1623 /* now clear out the scratch */
1624 _dbus_string_set_length (& DBUS_AUTH_CLIENT (auth)->guid_from_server, 0);
1626 if (end_of_hex != _dbus_string_get_length (args_from_ok) ||
1629 _dbus_verbose ("Bad GUID from server, parsed %d bytes and had %d bytes from server\n",
1630 end_of_hex, _dbus_string_get_length (args_from_ok));
1631 goto_state (auth, &common_state_need_disconnect);
1635 if (!_dbus_string_copy (args_from_ok, 0, &DBUS_AUTH_CLIENT (auth)->guid_from_server, 0)) {
1636 _dbus_string_set_length (& DBUS_AUTH_CLIENT (auth)->guid_from_server, 0);
1640 _dbus_verbose ("Got GUID '%s' from the server\n",
1641 _dbus_string_get_const_data (& DBUS_AUTH_CLIENT (auth)->guid_from_server));
1643 if (auth->unix_fd_possible)
1644 return send_negotiate_unix_fd(auth);
1646 _dbus_verbose("Not negotiating unix fd passing, since not possible\n");
1647 return send_begin (auth);
1651 send_cancel (DBusAuth *auth)
1653 if (_dbus_string_append (&auth->outgoing, "CANCEL\r\n"))
1655 goto_state (auth, &client_state_waiting_for_reject);
1663 process_data (DBusAuth *auth,
1664 const DBusString *args,
1665 DBusAuthDataFunction data_func)
1670 if (!_dbus_string_init (&decoded))
1673 if (!_dbus_string_hex_decode (args, 0, &end, &decoded, 0))
1675 _dbus_string_free (&decoded);
1679 if (_dbus_string_get_length (args) != end)
1681 _dbus_string_free (&decoded);
1682 if (!send_error (auth, "Invalid hex encoding"))
1688 #ifdef DBUS_ENABLE_VERBOSE_MODE
1689 if (_dbus_string_validate_ascii (&decoded, 0,
1690 _dbus_string_get_length (&decoded)))
1691 _dbus_verbose ("%s: data: '%s'\n",
1692 DBUS_AUTH_NAME (auth),
1693 _dbus_string_get_const_data (&decoded));
1696 if (!(* data_func) (auth, &decoded))
1698 _dbus_string_free (&decoded);
1702 _dbus_string_free (&decoded);
1707 send_negotiate_unix_fd (DBusAuth *auth)
1709 if (!_dbus_string_append (&auth->outgoing,
1710 "NEGOTIATE_UNIX_FD\r\n"))
1713 goto_state (auth, &client_state_waiting_for_agree_unix_fd);
1718 send_agree_unix_fd (DBusAuth *auth)
1720 _dbus_assert(auth->unix_fd_possible);
1722 auth->unix_fd_negotiated = TRUE;
1723 _dbus_verbose("Agreed to UNIX FD passing\n");
1725 if (!_dbus_string_append (&auth->outgoing,
1726 "AGREE_UNIX_FD\r\n"))
1729 goto_state (auth, &server_state_waiting_for_begin);
1734 handle_auth (DBusAuth *auth, const DBusString *args)
1736 if (_dbus_string_get_length (args) == 0)
1738 /* No args to the auth, send mechanisms */
1739 if (!send_rejected (auth))
1748 DBusString hex_response;
1750 _dbus_string_find_blank (args, 0, &i);
1752 if (!_dbus_string_init (&mech))
1755 if (!_dbus_string_init (&hex_response))
1757 _dbus_string_free (&mech);
1761 if (!_dbus_string_copy_len (args, 0, i, &mech, 0))
1764 _dbus_string_skip_blank (args, i, &i);
1765 if (!_dbus_string_copy (args, i, &hex_response, 0))
1768 auth->mech = find_mech (&mech, auth->allowed_mechs);
1769 if (auth->mech != NULL)
1771 _dbus_verbose ("%s: Trying mechanism %s\n",
1772 DBUS_AUTH_NAME (auth),
1773 auth->mech->mechanism);
1775 if (!process_data (auth, &hex_response,
1776 auth->mech->server_data_func))
1781 /* Unsupported mechanism */
1782 _dbus_verbose ("%s: Unsupported mechanism %s\n",
1783 DBUS_AUTH_NAME (auth),
1784 _dbus_string_get_const_data (&mech));
1786 if (!send_rejected (auth))
1790 _dbus_string_free (&mech);
1791 _dbus_string_free (&hex_response);
1797 _dbus_string_free (&mech);
1798 _dbus_string_free (&hex_response);
1804 handle_server_state_waiting_for_auth (DBusAuth *auth,
1805 DBusAuthCommand command,
1806 const DBusString *args)
1810 case DBUS_AUTH_COMMAND_AUTH:
1811 return handle_auth (auth, args);
1813 case DBUS_AUTH_COMMAND_CANCEL:
1814 case DBUS_AUTH_COMMAND_DATA:
1815 return send_error (auth, "Not currently in an auth conversation");
1817 case DBUS_AUTH_COMMAND_BEGIN:
1818 goto_state (auth, &common_state_need_disconnect);
1821 case DBUS_AUTH_COMMAND_ERROR:
1822 return send_rejected (auth);
1824 case DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD:
1825 return send_error (auth, "Need to authenticate first");
1827 case DBUS_AUTH_COMMAND_REJECTED:
1828 case DBUS_AUTH_COMMAND_OK:
1829 case DBUS_AUTH_COMMAND_UNKNOWN:
1830 case DBUS_AUTH_COMMAND_AGREE_UNIX_FD:
1832 return send_error (auth, "Unknown command");
1837 handle_server_state_waiting_for_data (DBusAuth *auth,
1838 DBusAuthCommand command,
1839 const DBusString *args)
1843 case DBUS_AUTH_COMMAND_AUTH:
1844 return send_error (auth, "Sent AUTH while another AUTH in progress");
1846 case DBUS_AUTH_COMMAND_CANCEL:
1847 case DBUS_AUTH_COMMAND_ERROR:
1848 return send_rejected (auth);
1850 case DBUS_AUTH_COMMAND_DATA:
1851 return process_data (auth, args, auth->mech->server_data_func);
1853 case DBUS_AUTH_COMMAND_BEGIN:
1854 goto_state (auth, &common_state_need_disconnect);
1857 case DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD:
1858 return send_error (auth, "Need to authenticate first");
1860 case DBUS_AUTH_COMMAND_REJECTED:
1861 case DBUS_AUTH_COMMAND_OK:
1862 case DBUS_AUTH_COMMAND_UNKNOWN:
1863 case DBUS_AUTH_COMMAND_AGREE_UNIX_FD:
1865 return send_error (auth, "Unknown command");
1870 handle_server_state_waiting_for_begin (DBusAuth *auth,
1871 DBusAuthCommand command,
1872 const DBusString *args)
1876 case DBUS_AUTH_COMMAND_AUTH:
1877 return send_error (auth, "Sent AUTH while expecting BEGIN");
1879 case DBUS_AUTH_COMMAND_DATA:
1880 return send_error (auth, "Sent DATA while expecting BEGIN");
1882 case DBUS_AUTH_COMMAND_BEGIN:
1883 goto_state (auth, &common_state_authenticated);
1886 case DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD:
1887 if (auth->unix_fd_possible)
1888 return send_agree_unix_fd(auth);
1890 return send_error(auth, "Unix FD passing not supported, not authenticated or otherwise not possible");
1892 case DBUS_AUTH_COMMAND_REJECTED:
1893 case DBUS_AUTH_COMMAND_OK:
1894 case DBUS_AUTH_COMMAND_UNKNOWN:
1895 case DBUS_AUTH_COMMAND_AGREE_UNIX_FD:
1897 return send_error (auth, "Unknown command");
1899 case DBUS_AUTH_COMMAND_CANCEL:
1900 case DBUS_AUTH_COMMAND_ERROR:
1901 return send_rejected (auth);
1905 /* return FALSE if no memory, TRUE if all OK */
1907 get_word (const DBusString *str,
1913 _dbus_string_skip_blank (str, *start, start);
1914 _dbus_string_find_blank (str, *start, &i);
1918 if (!_dbus_string_copy_len (str, *start, i - *start, word, 0))
1928 record_mechanisms (DBusAuth *auth,
1929 const DBusString *args)
1934 if (auth->already_got_mechanisms)
1937 len = _dbus_string_get_length (args);
1943 const DBusAuthMechanismHandler *mech;
1945 if (!_dbus_string_init (&m))
1948 if (!get_word (args, &next, &m))
1950 _dbus_string_free (&m);
1954 mech = find_mech (&m, auth->allowed_mechs);
1958 /* FIXME right now we try mechanisms in the order
1959 * the server lists them; should we do them in
1960 * some more deterministic order?
1962 * Probably in all_mechanisms order, our order of
1963 * preference. Of course when the server is us,
1964 * it lists things in that order anyhow.
1967 if (mech != &all_mechanisms[0])
1969 _dbus_verbose ("%s: Adding mechanism %s to list we will try\n",
1970 DBUS_AUTH_NAME (auth), mech->mechanism);
1972 if (!_dbus_list_append (& DBUS_AUTH_CLIENT (auth)->mechs_to_try,
1975 _dbus_string_free (&m);
1981 _dbus_verbose ("%s: Already tried mechanism %s; not adding to list we will try\n",
1982 DBUS_AUTH_NAME (auth), mech->mechanism);
1987 _dbus_verbose ("%s: Server offered mechanism \"%s\" that we don't know how to use\n",
1988 DBUS_AUTH_NAME (auth),
1989 _dbus_string_get_const_data (&m));
1992 _dbus_string_free (&m);
1995 auth->already_got_mechanisms = TRUE;
2000 _dbus_list_clear (& DBUS_AUTH_CLIENT (auth)->mechs_to_try);
2006 process_rejected (DBusAuth *auth, const DBusString *args)
2008 const DBusAuthMechanismHandler *mech;
2009 DBusAuthClient *client;
2011 client = DBUS_AUTH_CLIENT (auth);
2013 if (!auth->already_got_mechanisms)
2015 if (!record_mechanisms (auth, args))
2019 if (DBUS_AUTH_CLIENT (auth)->mechs_to_try != NULL)
2021 mech = client->mechs_to_try->data;
2023 if (!send_auth (auth, mech))
2026 _dbus_list_pop_first (&client->mechs_to_try);
2028 _dbus_verbose ("%s: Trying mechanism %s\n",
2029 DBUS_AUTH_NAME (auth),
2035 _dbus_verbose ("%s: Disconnecting because we are out of mechanisms to try using\n",
2036 DBUS_AUTH_NAME (auth));
2037 goto_state (auth, &common_state_need_disconnect);
2045 handle_client_state_waiting_for_data (DBusAuth *auth,
2046 DBusAuthCommand command,
2047 const DBusString *args)
2049 _dbus_assert (auth->mech != NULL);
2053 case DBUS_AUTH_COMMAND_DATA:
2054 return process_data (auth, args, auth->mech->client_data_func);
2056 case DBUS_AUTH_COMMAND_REJECTED:
2057 return process_rejected (auth, args);
2059 case DBUS_AUTH_COMMAND_OK:
2060 return process_ok(auth, args);
2062 case DBUS_AUTH_COMMAND_ERROR:
2063 return send_cancel (auth);
2065 case DBUS_AUTH_COMMAND_AUTH:
2066 case DBUS_AUTH_COMMAND_CANCEL:
2067 case DBUS_AUTH_COMMAND_BEGIN:
2068 case DBUS_AUTH_COMMAND_UNKNOWN:
2069 case DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD:
2070 case DBUS_AUTH_COMMAND_AGREE_UNIX_FD:
2072 return send_error (auth, "Unknown command");
2077 handle_client_state_waiting_for_ok (DBusAuth *auth,
2078 DBusAuthCommand command,
2079 const DBusString *args)
2083 case DBUS_AUTH_COMMAND_REJECTED:
2084 return process_rejected (auth, args);
2086 case DBUS_AUTH_COMMAND_OK:
2087 return process_ok(auth, args);
2089 case DBUS_AUTH_COMMAND_DATA:
2090 case DBUS_AUTH_COMMAND_ERROR:
2091 return send_cancel (auth);
2093 case DBUS_AUTH_COMMAND_AUTH:
2094 case DBUS_AUTH_COMMAND_CANCEL:
2095 case DBUS_AUTH_COMMAND_BEGIN:
2096 case DBUS_AUTH_COMMAND_UNKNOWN:
2097 case DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD:
2098 case DBUS_AUTH_COMMAND_AGREE_UNIX_FD:
2100 return send_error (auth, "Unknown command");
2105 handle_client_state_waiting_for_reject (DBusAuth *auth,
2106 DBusAuthCommand command,
2107 const DBusString *args)
2111 case DBUS_AUTH_COMMAND_REJECTED:
2112 return process_rejected (auth, args);
2114 case DBUS_AUTH_COMMAND_AUTH:
2115 case DBUS_AUTH_COMMAND_CANCEL:
2116 case DBUS_AUTH_COMMAND_DATA:
2117 case DBUS_AUTH_COMMAND_BEGIN:
2118 case DBUS_AUTH_COMMAND_OK:
2119 case DBUS_AUTH_COMMAND_ERROR:
2120 case DBUS_AUTH_COMMAND_UNKNOWN:
2121 case DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD:
2122 case DBUS_AUTH_COMMAND_AGREE_UNIX_FD:
2124 goto_state (auth, &common_state_need_disconnect);
2130 handle_client_state_waiting_for_agree_unix_fd(DBusAuth *auth,
2131 DBusAuthCommand command,
2132 const DBusString *args)
2136 case DBUS_AUTH_COMMAND_AGREE_UNIX_FD:
2137 _dbus_assert(auth->unix_fd_possible);
2138 auth->unix_fd_negotiated = TRUE;
2139 _dbus_verbose("Successfully negotiated UNIX FD passing\n");
2140 return send_begin (auth);
2142 case DBUS_AUTH_COMMAND_ERROR:
2143 _dbus_assert(auth->unix_fd_possible);
2144 auth->unix_fd_negotiated = FALSE;
2145 _dbus_verbose("Failed to negotiate UNIX FD passing\n");
2146 return send_begin (auth);
2148 case DBUS_AUTH_COMMAND_OK:
2149 case DBUS_AUTH_COMMAND_DATA:
2150 case DBUS_AUTH_COMMAND_REJECTED:
2151 case DBUS_AUTH_COMMAND_AUTH:
2152 case DBUS_AUTH_COMMAND_CANCEL:
2153 case DBUS_AUTH_COMMAND_BEGIN:
2154 case DBUS_AUTH_COMMAND_UNKNOWN:
2155 case DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD:
2157 return send_error (auth, "Unknown command");
2162 * Mapping from command name to enum
2165 const char *name; /**< Name of the command */
2166 DBusAuthCommand command; /**< Corresponding enum */
2167 } DBusAuthCommandName;
2169 static const DBusAuthCommandName auth_command_names[] = {
2170 { "AUTH", DBUS_AUTH_COMMAND_AUTH },
2171 { "CANCEL", DBUS_AUTH_COMMAND_CANCEL },
2172 { "DATA", DBUS_AUTH_COMMAND_DATA },
2173 { "BEGIN", DBUS_AUTH_COMMAND_BEGIN },
2174 { "REJECTED", DBUS_AUTH_COMMAND_REJECTED },
2175 { "OK", DBUS_AUTH_COMMAND_OK },
2176 { "ERROR", DBUS_AUTH_COMMAND_ERROR },
2177 { "NEGOTIATE_UNIX_FD", DBUS_AUTH_COMMAND_NEGOTIATE_UNIX_FD },
2178 { "AGREE_UNIX_FD", DBUS_AUTH_COMMAND_AGREE_UNIX_FD }
2181 static DBusAuthCommand
2182 lookup_command_from_name (DBusString *command)
2186 for (i = 0; i < _DBUS_N_ELEMENTS (auth_command_names); i++)
2188 if (_dbus_string_equal_c_str (command,
2189 auth_command_names[i].name))
2190 return auth_command_names[i].command;
2193 return DBUS_AUTH_COMMAND_UNKNOWN;
2197 goto_state (DBusAuth *auth,
2198 const DBusAuthStateData *state)
2200 _dbus_verbose ("%s: going from state %s to state %s\n",
2201 DBUS_AUTH_NAME (auth),
2205 auth->state = state;
2208 /* returns whether to call it again right away */
2210 process_command (DBusAuth *auth)
2212 DBusAuthCommand command;
2219 /* _dbus_verbose ("%s: trying process_command()\n"); */
2224 if (!_dbus_string_find (&auth->incoming, 0, "\r\n", &eol))
2227 if (!_dbus_string_init (&line))
2229 auth->needed_memory = TRUE;
2233 if (!_dbus_string_init (&args))
2235 _dbus_string_free (&line);
2236 auth->needed_memory = TRUE;
2240 if (!_dbus_string_copy_len (&auth->incoming, 0, eol, &line, 0))
2243 if (!_dbus_string_validate_ascii (&line, 0,
2244 _dbus_string_get_length (&line)))
2246 _dbus_verbose ("%s: Command contained non-ASCII chars or embedded nul\n",
2247 DBUS_AUTH_NAME (auth));
2248 if (!send_error (auth, "Command contained non-ASCII"))
2254 _dbus_verbose ("%s: got command \"%s\"\n",
2255 DBUS_AUTH_NAME (auth),
2256 _dbus_string_get_const_data (&line));
2258 _dbus_string_find_blank (&line, 0, &i);
2259 _dbus_string_skip_blank (&line, i, &j);
2262 _dbus_string_delete (&line, i, j - i);
2264 if (!_dbus_string_move (&line, i, &args, 0))
2267 /* FIXME 1.0 we should probably validate that only the allowed
2268 * chars are in the command name
2271 command = lookup_command_from_name (&line);
2272 if (!(* auth->state->handler) (auth, command, &args))
2277 /* We've succeeded in processing the whole command so drop it out
2278 * of the incoming buffer and return TRUE to try another command.
2281 _dbus_string_delete (&auth->incoming, 0, eol);
2284 _dbus_string_delete (&auth->incoming, 0, 2);
2289 _dbus_string_free (&args);
2290 _dbus_string_free (&line);
2293 auth->needed_memory = TRUE;
2295 auth->needed_memory = FALSE;
2304 * @addtogroup DBusAuth
2309 * Creates a new auth conversation object for the server side.
2310 * See http://dbus.freedesktop.org/doc/dbus-specification.html#auth-protocol
2311 * for full details on what this object does.
2313 * @returns the new object or #NULL if no memory
2316 _dbus_auth_server_new (const DBusString *guid)
2319 DBusAuthServer *server_auth;
2320 DBusString guid_copy;
2322 if (!_dbus_string_init (&guid_copy))
2325 if (!_dbus_string_copy (guid, 0, &guid_copy, 0))
2327 _dbus_string_free (&guid_copy);
2331 auth = _dbus_auth_new (sizeof (DBusAuthServer));
2334 _dbus_string_free (&guid_copy);
2338 auth->side = auth_side_server;
2339 auth->state = &server_state_waiting_for_auth;
2341 server_auth = DBUS_AUTH_SERVER (auth);
2343 server_auth->guid = guid_copy;
2345 /* perhaps this should be per-mechanism with a lower
2348 server_auth->failures = 0;
2349 server_auth->max_failures = 6;
2355 * Creates a new auth conversation object for the client side.
2356 * See http://dbus.freedesktop.org/doc/dbus-specification.html#auth-protocol
2357 * for full details on what this object does.
2359 * @returns the new object or #NULL if no memory
2362 _dbus_auth_client_new (void)
2365 DBusString guid_str;
2367 if (!_dbus_string_init (&guid_str))
2370 auth = _dbus_auth_new (sizeof (DBusAuthClient));
2373 _dbus_string_free (&guid_str);
2377 DBUS_AUTH_CLIENT (auth)->guid_from_server = guid_str;
2379 auth->side = auth_side_client;
2380 auth->state = &client_state_need_send_auth;
2382 /* Start the auth conversation by sending AUTH for our default
2384 if (!send_auth (auth, &all_mechanisms[0]))
2386 _dbus_auth_unref (auth);
2394 * Creates a new auth conversation object for the client side.
2395 * In fact it only initialize structures and sets authenticated state
2396 * and leaves authentication to different transport-dependent
2399 * @returns the new object or #NULL if no memory
2402 _dbus_auth_client_new_authenticated (void)
2405 DBusString guid_str;
2407 if (!_dbus_string_init (&guid_str))
2410 auth = _dbus_auth_new (sizeof (DBusAuthClient));
2413 _dbus_string_free (&guid_str);
2417 DBUS_AUTH_CLIENT (auth)->guid_from_server = guid_str;
2419 auth->side = auth_side_client;
2420 auth->state = &common_state_authenticated;
2421 auth->unix_fd_negotiated = TRUE;
2427 * Increments the refcount of an auth object.
2429 * @param auth the auth conversation
2430 * @returns the auth conversation
2433 _dbus_auth_ref (DBusAuth *auth)
2435 _dbus_assert (auth != NULL);
2437 auth->refcount += 1;
2443 * Decrements the refcount of an auth object.
2445 * @param auth the auth conversation
2448 _dbus_auth_unref (DBusAuth *auth)
2450 _dbus_assert (auth != NULL);
2451 _dbus_assert (auth->refcount > 0);
2453 auth->refcount -= 1;
2454 if (auth->refcount == 0)
2456 shutdown_mech (auth);
2458 if (DBUS_AUTH_IS_CLIENT (auth))
2460 _dbus_string_free (& DBUS_AUTH_CLIENT (auth)->guid_from_server);
2461 _dbus_list_clear (& DBUS_AUTH_CLIENT (auth)->mechs_to_try);
2465 _dbus_assert (DBUS_AUTH_IS_SERVER (auth));
2467 _dbus_string_free (& DBUS_AUTH_SERVER (auth)->guid);
2471 _dbus_keyring_unref (auth->keyring);
2473 _dbus_string_free (&auth->context);
2474 _dbus_string_free (&auth->challenge);
2475 _dbus_string_free (&auth->identity);
2476 _dbus_string_free (&auth->incoming);
2477 _dbus_string_free (&auth->outgoing);
2479 dbus_free_string_array (auth->allowed_mechs);
2481 _dbus_credentials_unref (auth->credentials);
2482 _dbus_credentials_unref (auth->authorized_identity);
2483 _dbus_credentials_unref (auth->desired_identity);
2490 * Sets an array of authentication mechanism names
2491 * that we are willing to use.
2493 * @param auth the auth conversation
2494 * @param mechanisms #NULL-terminated array of mechanism names
2495 * @returns #FALSE if no memory
2498 _dbus_auth_set_mechanisms (DBusAuth *auth,
2499 const char **mechanisms)
2503 if (mechanisms != NULL)
2505 copy = _dbus_dup_string_array (mechanisms);
2512 dbus_free_string_array (auth->allowed_mechs);
2514 auth->allowed_mechs = copy;
2520 * @param auth the auth conversation object
2521 * @returns #TRUE if we're in a final state
2523 #define DBUS_AUTH_IN_END_STATE(auth) ((auth)->state->handler == NULL)
2526 * Analyzes buffered input and moves the auth conversation forward,
2527 * returning the new state of the auth conversation.
2529 * @param auth the auth conversation
2530 * @returns the new state
2533 _dbus_auth_do_work (DBusAuth *auth)
2535 auth->needed_memory = FALSE;
2537 /* Max amount we'll buffer up before deciding someone's on crack */
2538 #define MAX_BUFFER (16 * _DBUS_ONE_KILOBYTE)
2542 if (DBUS_AUTH_IN_END_STATE (auth))
2545 if (_dbus_string_get_length (&auth->incoming) > MAX_BUFFER ||
2546 _dbus_string_get_length (&auth->outgoing) > MAX_BUFFER)
2548 goto_state (auth, &common_state_need_disconnect);
2549 _dbus_verbose ("%s: Disconnecting due to excessive data buffered in auth phase\n",
2550 DBUS_AUTH_NAME (auth));
2554 while (process_command (auth));
2556 if (auth->needed_memory)
2557 return DBUS_AUTH_STATE_WAITING_FOR_MEMORY;
2558 else if (_dbus_string_get_length (&auth->outgoing) > 0)
2559 return DBUS_AUTH_STATE_HAVE_BYTES_TO_SEND;
2560 else if (auth->state == &common_state_need_disconnect)
2561 return DBUS_AUTH_STATE_NEED_DISCONNECT;
2562 else if (auth->state == &common_state_authenticated)
2563 return DBUS_AUTH_STATE_AUTHENTICATED;
2564 else return DBUS_AUTH_STATE_WAITING_FOR_INPUT;
2568 * Gets bytes that need to be sent to the peer we're conversing with.
2569 * After writing some bytes, _dbus_auth_bytes_sent() must be called
2570 * to notify the auth object that they were written.
2572 * @param auth the auth conversation
2573 * @param str return location for a ref to the buffer to send
2574 * @returns #FALSE if nothing to send
2577 _dbus_auth_get_bytes_to_send (DBusAuth *auth,
2578 const DBusString **str)
2580 _dbus_assert (auth != NULL);
2581 _dbus_assert (str != NULL);
2585 if (_dbus_string_get_length (&auth->outgoing) == 0)
2588 *str = &auth->outgoing;
2594 * Notifies the auth conversation object that
2595 * the given number of bytes of the outgoing buffer
2596 * have been written out.
2598 * @param auth the auth conversation
2599 * @param bytes_sent number of bytes written out
2602 _dbus_auth_bytes_sent (DBusAuth *auth,
2605 _dbus_verbose ("%s: Sent %d bytes of: %s\n",
2606 DBUS_AUTH_NAME (auth),
2608 _dbus_string_get_const_data (&auth->outgoing));
2610 _dbus_string_delete (&auth->outgoing,
2615 * Get a buffer to be used for reading bytes from the peer we're conversing
2616 * with. Bytes should be appended to this buffer.
2618 * @param auth the auth conversation
2619 * @param buffer return location for buffer to append bytes to
2622 _dbus_auth_get_buffer (DBusAuth *auth,
2623 DBusString **buffer)
2625 _dbus_assert (auth != NULL);
2626 _dbus_assert (!auth->buffer_outstanding);
2628 *buffer = &auth->incoming;
2630 auth->buffer_outstanding = TRUE;
2634 * Returns a buffer with new data read into it.
2636 * @param auth the auth conversation
2637 * @param buffer the buffer being returned
2640 _dbus_auth_return_buffer (DBusAuth *auth,
2643 _dbus_assert (buffer == &auth->incoming);
2644 _dbus_assert (auth->buffer_outstanding);
2646 auth->buffer_outstanding = FALSE;
2650 * Returns leftover bytes that were not used as part of the auth
2651 * conversation. These bytes will be part of the message stream
2652 * instead. This function may not be called until authentication has
2655 * @param auth the auth conversation
2656 * @param str return location for pointer to string of unused bytes
2659 _dbus_auth_get_unused_bytes (DBusAuth *auth,
2660 const DBusString **str)
2662 if (!DBUS_AUTH_IN_END_STATE (auth))
2665 *str = &auth->incoming;
2670 * Gets rid of unused bytes returned by _dbus_auth_get_unused_bytes()
2671 * after we've gotten them and successfully moved them elsewhere.
2673 * @param auth the auth conversation
2676 _dbus_auth_delete_unused_bytes (DBusAuth *auth)
2678 if (!DBUS_AUTH_IN_END_STATE (auth))
2681 _dbus_string_set_length (&auth->incoming, 0);
2685 * Called post-authentication, indicates whether we need to encode
2686 * the message stream with _dbus_auth_encode_data() prior to
2687 * sending it to the peer.
2689 * @param auth the auth conversation
2690 * @returns #TRUE if we need to encode the stream
2693 _dbus_auth_needs_encoding (DBusAuth *auth)
2695 if (auth->state != &common_state_authenticated)
2698 if (auth->mech != NULL)
2700 if (DBUS_AUTH_IS_CLIENT (auth))
2701 return auth->mech->client_encode_func != NULL;
2703 return auth->mech->server_encode_func != NULL;
2710 * Called post-authentication, encodes a block of bytes for sending to
2711 * the peer. If no encoding was negotiated, just copies the bytes
2712 * (you can avoid this by checking _dbus_auth_needs_encoding()).
2714 * @param auth the auth conversation
2715 * @param plaintext the plain text data
2716 * @param encoded initialized string to where encoded data is appended
2717 * @returns #TRUE if we had enough memory and successfully encoded
2720 _dbus_auth_encode_data (DBusAuth *auth,
2721 const DBusString *plaintext,
2722 DBusString *encoded)
2724 _dbus_assert (plaintext != encoded);
2726 if (auth->state != &common_state_authenticated)
2729 if (_dbus_auth_needs_encoding (auth))
2731 if (DBUS_AUTH_IS_CLIENT (auth))
2732 return (* auth->mech->client_encode_func) (auth, plaintext, encoded);
2734 return (* auth->mech->server_encode_func) (auth, plaintext, encoded);
2738 return _dbus_string_copy (plaintext, 0, encoded,
2739 _dbus_string_get_length (encoded));
2744 * Called post-authentication, indicates whether we need to decode
2745 * the message stream with _dbus_auth_decode_data() after
2746 * receiving it from the peer.
2748 * @param auth the auth conversation
2749 * @returns #TRUE if we need to encode the stream
2752 _dbus_auth_needs_decoding (DBusAuth *auth)
2754 if (auth->state != &common_state_authenticated)
2757 if (auth->mech != NULL)
2759 if (DBUS_AUTH_IS_CLIENT (auth))
2760 return auth->mech->client_decode_func != NULL;
2762 return auth->mech->server_decode_func != NULL;
2770 * Called post-authentication, decodes a block of bytes received from
2771 * the peer. If no encoding was negotiated, just copies the bytes (you
2772 * can avoid this by checking _dbus_auth_needs_decoding()).
2774 * @todo 1.0? We need to be able to distinguish "out of memory" error
2775 * from "the data is hosed" error.
2777 * @param auth the auth conversation
2778 * @param encoded the encoded data
2779 * @param plaintext initialized string where decoded data is appended
2780 * @returns #TRUE if we had enough memory and successfully decoded
2783 _dbus_auth_decode_data (DBusAuth *auth,
2784 const DBusString *encoded,
2785 DBusString *plaintext)
2787 _dbus_assert (plaintext != encoded);
2789 if (auth->state != &common_state_authenticated)
2792 if (_dbus_auth_needs_decoding (auth))
2794 if (DBUS_AUTH_IS_CLIENT (auth))
2795 return (* auth->mech->client_decode_func) (auth, encoded, plaintext);
2797 return (* auth->mech->server_decode_func) (auth, encoded, plaintext);
2801 return _dbus_string_copy (encoded, 0, plaintext,
2802 _dbus_string_get_length (plaintext));
2807 * Sets credentials received via reliable means from the operating
2810 * @param auth the auth conversation
2811 * @param credentials the credentials received
2812 * @returns #FALSE on OOM
2815 _dbus_auth_set_credentials (DBusAuth *auth,
2816 DBusCredentials *credentials)
2818 _dbus_credentials_clear (auth->credentials);
2819 return _dbus_credentials_add_credentials (auth->credentials,
2824 * Gets the identity we authorized the client as. Apps may have
2825 * different policies as to what identities they allow.
2827 * Returned credentials are not a copy and should not be modified
2829 * @param auth the auth conversation
2830 * @returns the credentials we've authorized BY REFERENCE do not modify
2833 _dbus_auth_get_identity (DBusAuth *auth)
2835 if (auth->state == &common_state_authenticated)
2837 return auth->authorized_identity;
2841 /* FIXME instead of this, keep an empty credential around that
2842 * doesn't require allocation or something
2844 /* return empty credentials */
2845 _dbus_assert (_dbus_credentials_are_empty (auth->authorized_identity));
2846 return auth->authorized_identity;
2851 * Gets the GUID from the server if we've authenticated; gets
2853 * @param auth the auth object
2854 * @returns the GUID in ASCII hex format
2857 _dbus_auth_get_guid_from_server (DBusAuth *auth)
2859 _dbus_assert (DBUS_AUTH_IS_CLIENT (auth));
2861 if (auth->state == &common_state_authenticated)
2862 return _dbus_string_get_const_data (& DBUS_AUTH_CLIENT (auth)->guid_from_server);
2868 * Sets the "authentication context" which scopes cookies
2869 * with the DBUS_COOKIE_SHA1 auth mechanism for example.
2871 * @param auth the auth conversation
2872 * @param context the context
2873 * @returns #FALSE if no memory
2876 _dbus_auth_set_context (DBusAuth *auth,
2877 const DBusString *context)
2879 return _dbus_string_replace_len (context, 0, _dbus_string_get_length (context),
2880 &auth->context, 0, _dbus_string_get_length (context));
2884 * Sets whether unix fd passing is potentially on the transport and
2885 * hence shall be negotiated.
2887 * @param auth the auth conversation
2888 * @param b TRUE when unix fd passing shall be negotiated, otherwise FALSE
2891 _dbus_auth_set_unix_fd_possible(DBusAuth *auth, dbus_bool_t b)
2893 auth->unix_fd_possible = b;
2897 * Queries whether unix fd passing was successfully negotiated.
2899 * @param auth the auth conversion
2900 * @returns #TRUE when unix fd passing was negotiated.
2903 _dbus_auth_get_unix_fd_negotiated(DBusAuth *auth)
2905 return auth->unix_fd_negotiated;
2909 * Queries whether the given auth mechanism is supported.
2911 * @param auth the auth mechanism to query for
2912 * @returns #TRUE when auth mechanism is supported
2915 _dbus_auth_is_supported_mechanism (DBusString *name)
2917 _dbus_assert (name != NULL);
2919 return find_mech (name, NULL) != NULL;
2923 * Return a human-readable string containing all supported auth mechanisms.
2925 * @param string to hold the supported auth mechanisms
2926 * @returns #FALSE on oom
2929 _dbus_auth_dump_supported_mechanisms (DBusString *buffer)
2932 _dbus_assert (buffer != NULL);
2934 for (i = 0; all_mechanisms[i].mechanism != NULL; i++)
2938 if (!_dbus_string_append (buffer, ", "))
2941 if (!_dbus_string_append (buffer, all_mechanisms[i].mechanism))
2949 /* tests in dbus-auth-util.c */