From 44beeaa648a1d434692721dd65a04ecb3f75dace Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 20 Jul 2006 18:43:20 +0000 Subject: implement "auth-ip-acl=" in the native and esound protocols git-svn-id: file:///home/lennart/svn/public/pulseaudio/trunk@1125 fefdeb5f-60dc-0310-8127-8f9354f1896f --- src/Makefile.am | 6 +++--- src/modules/module-protocol-stub.c | 17 +++++++++++++-- src/pulsecore/iochannel.c | 6 ++++++ src/pulsecore/iochannel.h | 2 ++ src/pulsecore/protocol-esound.c | 41 +++++++++++++++++++++++++++++------ src/pulsecore/protocol-native.c | 44 +++++++++++++++++++++++++++++++------- 6 files changed, 96 insertions(+), 20 deletions(-) (limited to 'src') diff --git a/src/Makefile.am b/src/Makefile.am index ec1678c7..428e4521 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -513,7 +513,7 @@ pulsecoreinclude_HEADERS = \ lib_LTLIBRARIES += libpulsecore.la -# Some public stuff is used even in the core. +# Some public stuff is used even in the core libpulsecore_la_SOURCES = \ pulse/channelmap.c pulse/channelmap.h \ pulse/error.c pulse/error.h \ @@ -733,7 +733,7 @@ libprotocol_http_la_LIBADD = $(AM_LIBADD) libsocket-server.la libioline.la libpu libprotocol_native_la_SOURCES = pulsecore/protocol-native.c pulsecore/protocol-native.h pulsecore/native-common.h libprotocol_native_la_LDFLAGS = -avoid-version -libprotocol_native_la_LIBADD = $(AM_LIBADD) libsocket-server.la libpstream.la libpstream-util.la libpdispatch.la libtagstruct.la libauthkey.la libauthkey-prop.la libstrlist.la libpulsecore.la libiochannel.la +libprotocol_native_la_LIBADD = $(AM_LIBADD) libsocket-server.la libpstream.la libpstream-util.la libpdispatch.la libtagstruct.la libauthkey.la libauthkey-prop.la libstrlist.la libpulsecore.la libiochannel.la libipacl.la libtagstruct_la_SOURCES = pulsecore/tagstruct.c pulsecore/tagstruct.h libtagstruct_la_LDFLAGS = -avoid-version @@ -741,7 +741,7 @@ libtagstruct_la_LIBADD = $(AM_LIBADD) libpulsecore.la $(WINSOCK_LIBS) libprotocol_esound_la_SOURCES = pulsecore/protocol-esound.c pulsecore/protocol-esound.h pulsecore/esound.h libprotocol_esound_la_LDFLAGS = -avoid-version -libprotocol_esound_la_LIBADD = $(AM_LIBADD) libsocket-server.la libiochannel.la libauthkey.la libpulsecore.la +libprotocol_esound_la_LIBADD = $(AM_LIBADD) libsocket-server.la libiochannel.la libauthkey.la libpulsecore.la libipacl.la libauthkey_la_SOURCES = pulsecore/authkey.c pulsecore/authkey.h libauthkey_la_LDFLAGS = -avoid-version diff --git a/src/modules/module-protocol-stub.c b/src/modules/module-protocol-stub.c index 36d7db89..d1f5fa15 100644 --- a/src/modules/module-protocol-stub.c +++ b/src/modules/module-protocol-stub.c @@ -129,8 +129,11 @@ #endif #if defined(HAVE_CREDS) && !defined(USE_TCP_SOCKETS) - #define MODULE_ARGUMENTS MODULE_ARGUMENTS_COMMON "auth-group", "auth-group-enable=" + #define MODULE_ARGUMENTS MODULE_ARGUMENTS_COMMON "auth-group", "auth-group-enable", #define AUTH_USAGE "auth-group= auth-group-enable= " + #elif defined(USE_TCP_SOCKETS) + #define MODULE_ARGUMENTS MODULE_ARGUMENTS_COMMON "auth-ip-acl", + #define AUTH_USAGE "auth-ip-acl= " #else #define MODULE_ARGUMENTS MODULE_ARGUMENTS_COMMON #define AUTH_USAGE @@ -149,17 +152,27 @@ #define TCPWRAP_SERVICE "esound" #define IPV4_PORT ESD_DEFAULT_PORT #define UNIX_SOCKET ESD_UNIX_SOCKET_NAME - #define MODULE_ARGUMENTS "sink", "source", "auth-anonymous", "cookie", + #define MODULE_ARGUMENTS_COMMON "sink", "source", "auth-anonymous", "cookie", #ifdef USE_TCP_SOCKETS #include "module-esound-protocol-tcp-symdef.h" #else #include "module-esound-protocol-unix-symdef.h" #endif + + #if defined(USE_TCP_SOCKETS) + #define MODULE_ARGUMENTS MODULE_ARGUMENTS_COMMON "auth-ip-acl", + #define AUTH_USAGE "auth-ip-acl= " + #else + #define MODULE_ARGUMENTS MODULE_ARGUMENTS_COMMON + #define AUTH_USAGE + #endif + PA_MODULE_DESCRIPTION("ESOUND protocol "SOCKET_DESCRIPTION) PA_MODULE_USAGE("sink= " "source= " "auth-anonymous= " "cookie= " + AUTH_USAGE SOCKET_USAGE) #else #error "Broken build system" diff --git a/src/pulsecore/iochannel.c b/src/pulsecore/iochannel.c index b50293bf..af732c26 100644 --- a/src/pulsecore/iochannel.c +++ b/src/pulsecore/iochannel.c @@ -408,3 +408,9 @@ pa_mainloop_api* pa_iochannel_get_mainloop_api(pa_iochannel *io) { return io->mainloop; } + +int pa_iochannel_get_recv_fd(pa_iochannel *io) { + assert(io); + + return io->ifd; +} diff --git a/src/pulsecore/iochannel.h b/src/pulsecore/iochannel.h index 1f9ab0d4..0e6d6d3a 100644 --- a/src/pulsecore/iochannel.h +++ b/src/pulsecore/iochannel.h @@ -79,4 +79,6 @@ int pa_iochannel_socket_set_sndbuf(pa_iochannel*io, size_t l); pa_mainloop_api* pa_iochannel_get_mainloop_api(pa_iochannel *io); +int pa_iochannel_get_recv_fd(pa_iochannel *io); + #endif diff --git a/src/pulsecore/protocol-esound.c b/src/pulsecore/protocol-esound.c index 5daa32fe..0fa2c7f1 100644 --- a/src/pulsecore/protocol-esound.c +++ b/src/pulsecore/protocol-esound.c @@ -49,6 +49,7 @@ #include #include #include +#include #include "endianmacros.h" @@ -116,6 +117,7 @@ struct pa_protocol_esound { char *sink_name, *source_name; unsigned n_player; uint8_t esd_key[ESD_KEY_LEN]; + pa_ip_acl *auth_ip_acl; }; typedef struct proto_handler { @@ -1162,7 +1164,7 @@ static void on_connection(pa_socket_server*s, pa_iochannel *io, void *userdata) c->client->kill = client_kill_cb; c->client->userdata = c; - c->authorized = p->public; + c->authorized = !!p->public; c->swap_byte_order = 0; c->dead = 0; @@ -1191,6 +1193,11 @@ static void on_connection(pa_socket_server*s, pa_iochannel *io, void *userdata) c->original_name = NULL; + if (!c->authorized && p->auth_ip_acl && pa_ip_acl_check(p->auth_ip_acl, pa_iochannel_get_recv_fd(io)) > 0) { + pa_log_info(__FILE__": Client authenticated by IP ACL."); + c->authorized = 1; + } + if (!c->authorized) { struct timeval tv; pa_gettimeofday(&tv); @@ -1211,20 +1218,32 @@ static void on_connection(pa_socket_server*s, pa_iochannel *io, void *userdata) pa_protocol_esound* pa_protocol_esound_new(pa_core*core, pa_socket_server *server, pa_module *m, pa_modargs *ma) { pa_protocol_esound *p; int public = 0; - assert(core && server && ma); + const char *acl; + + assert(core); + assert(server); + assert(m); + assert(ma); p = pa_xnew(pa_protocol_esound, 1); if (pa_modargs_get_value_boolean(ma, "auth-anonymous", &public) < 0) { pa_log(__FILE__": auth-anonymous= expects a boolean argument."); - return NULL; + goto fail; } - if (pa_authkey_load_auto(pa_modargs_get_value(ma, "cookie", DEFAULT_COOKIE_FILE), p->esd_key, sizeof(p->esd_key)) < 0) { - pa_xfree(p); - return NULL; - } + if (pa_authkey_load_auto(pa_modargs_get_value(ma, "cookie", DEFAULT_COOKIE_FILE), p->esd_key, sizeof(p->esd_key)) < 0) + goto fail; + if ((acl = pa_modargs_get_value(ma, "auth-ip-acl", NULL))) { + + if (!(p->auth_ip_acl = pa_ip_acl_new(acl))) { + pa_log(__FILE__": Failed to parse IP ACL '%s'", acl); + goto fail; + } + } else + p->auth_ip_acl = NULL; + p->module = m; p->public = public; p->server = server; @@ -1238,6 +1257,10 @@ pa_protocol_esound* pa_protocol_esound_new(pa_core*core, pa_socket_server *serve p->n_player = 0; return p; + +fail: + pa_xfree(p); + return NULL; } void pa_protocol_esound_free(pa_protocol_esound *p) { @@ -1249,5 +1272,9 @@ void pa_protocol_esound_free(pa_protocol_esound *p) { pa_idxset_free(p->connections, NULL, NULL); pa_socket_server_unref(p->server); + + if (p->auth_ip_acl) + pa_ip_acl_free(p->auth_ip_acl); + pa_xfree(p); } diff --git a/src/pulsecore/protocol-native.c b/src/pulsecore/protocol-native.c index 2775d774..f1959dd7 100644 --- a/src/pulsecore/protocol-native.c +++ b/src/pulsecore/protocol-native.c @@ -57,6 +57,7 @@ #include #include #include +#include #include "protocol-native.h" @@ -139,6 +140,7 @@ struct pa_protocol_native { #ifdef HAVE_CREDS char *auth_group; #endif + pa_ip_acl *auth_ip_acl; }; static int sink_input_peek_cb(pa_sink_input *i, pa_memchunk *chunk); @@ -942,7 +944,7 @@ static void command_auth(PA_GCC_UNUSED pa_pdispatch *pd, PA_GCC_UNUSED uint32_t } #endif - if (memcmp(c->protocol->auth_cookie, cookie, PA_NATIVE_COOKIE_LENGTH) == 0) + if (!success && memcmp(c->protocol->auth_cookie, cookie, PA_NATIVE_COOKIE_LENGTH) == 0) success = 1; if (!success) { @@ -2239,8 +2241,13 @@ static void on_connection(PA_GCC_UNUSED pa_socket_server*s, pa_iochannel *io, vo c = pa_xmalloc(sizeof(struct connection)); - c->authorized =!! p->public; + c->authorized = !!p->public; + if (!c->authorized && p->auth_ip_acl && pa_ip_acl_check(p->auth_ip_acl, pa_iochannel_get_recv_fd(io)) > 0) { + pa_log_info(__FILE__": Client authenticated by IP ACL."); + c->authorized = 1; + } + if (!c->authorized) { struct timeval tv; pa_gettimeofday(&tv); @@ -2319,7 +2326,10 @@ static int load_key(pa_protocol_native*p, const char*fn) { static pa_protocol_native* protocol_new_internal(pa_core *c, pa_module *m, pa_modargs *ma) { pa_protocol_native *p; int public = 0; - assert(c && ma); + const char *acl; + + assert(c); + assert(ma); if (pa_modargs_get_value_boolean(ma, "auth-anonymous", &public) < 0) { pa_log(__FILE__": auth-anonymous= expects a boolean argument."); @@ -2331,7 +2341,8 @@ static pa_protocol_native* protocol_new_internal(pa_core *c, pa_module *m, pa_mo p->module = m; p->public = public; p->server = NULL; - + p->auth_ip_acl = NULL; + #ifdef HAVE_CREDS { int a = 1; @@ -2345,16 +2356,30 @@ static pa_protocol_native* protocol_new_internal(pa_core *c, pa_module *m, pa_mo pa_log_info(__FILE__": Allowing access to group '%s'.", p->auth_group); } #endif - - if (load_key(p, pa_modargs_get_value(ma, "cookie", NULL)) < 0) { - pa_xfree(p); - return NULL; + + + if ((acl = pa_modargs_get_value(ma, "auth-ip-acl", NULL))) { + + if (!(p->auth_ip_acl = pa_ip_acl_new(acl))) { + pa_log(__FILE__": Failed to parse IP ACL '%s'", acl); + goto fail; + } } + if (load_key(p, pa_modargs_get_value(ma, "cookie", NULL)) < 0) + goto fail; + p->connections = pa_idxset_new(NULL, NULL); assert(p->connections); return p; + +fail: + pa_xfree(p->auth_group); + if (p->auth_ip_acl) + pa_ip_acl_free(p->auth_ip_acl); + pa_xfree(p); + return NULL; } pa_protocol_native* pa_protocol_native_new(pa_core *core, pa_socket_server *server, pa_module *m, pa_modargs *ma) { @@ -2405,6 +2430,9 @@ void pa_protocol_native_free(pa_protocol_native *p) { if (p->auth_cookie_in_property) pa_authkey_prop_unref(p->core, PA_NATIVE_COOKIE_PROPERTY_NAME); + if (p->auth_ip_acl) + pa_ip_acl_free(p->auth_ip_acl); + #ifdef HAVE_CREDS pa_xfree(p->auth_group); #endif -- cgit