Fixed some authentication errors

src/auth/AuthDbg.cpp

@@ -58,62 +58,53 @@ DebugServer::DebugServer(Firebird::IPluginConfig*)
 	: str(getPool())
 { }
 
-int FB_CARG DebugServer::authenticate(Firebird::IStatus* status, IServerBlock* sBlock,
+int FB_CARG DebugServer::authenticate(Firebird::IStatus* status, IServerBlock* sb,
                                IWriter* writerInterface)
 {
-	/***
 	try
 	{
-		Firebird::MasterInterfacePtr()->upgradeInterface(dpb, FB_AUTH_CLUMPLETS_VERSION, upInfo);
-		str.erase();
+#ifdef AUTH_VERBOSE
+		fprintf(stderr, "DebugServer::authenticate\n");
+#endif
+		unsigned int length;
+		const unsigned char* val = sb->getData(&length);
+#ifdef AUTH_VERBOSE
+		fprintf(stderr, "DebugServer::authenticate: get()=%.*s\n", length, val);
+#endif
 
-#ifdef AUTH_VERBOSE
-		fprintf(stderr, "DebugServer::startAuthentication: tA-tag=%d dpb=%p\n", tags->trustedAuth, dpb);
-#endif
-		if (tags->trustedAuth && dpb && dpb->find(tags->trustedAuth))
+		if (str.isEmpty())
 		{
-			unsigned int len;
-			const UCHAR* s = dpb->get(&len);
+			str.assign(val, length);
+
+			str += '_';
 #ifdef AUTH_VERBOSE
-			fprintf(stderr, "DebugServer::startAuthentication: get()=%.*s\n", len, s);
+			fprintf(stderr, "DebugServer::authenticate1: %s\n", str.c_str());
 #endif
-			str.assign(s, len);
+			sb->putData(status, str.length(), str.c_str());
+			if (!status->isSuccess())
+			{
+				return AUTH_FAILED;
+			}
+
+			return AUTH_MORE_DATA;
 		}
 
-		str += '_';
+		str.assign(val, length);
 #ifdef AUTH_VERBOSE
-		fprintf(stderr, "DebugServer::startAuthentication: %s\n", str.c_str());
+		fprintf(stderr, "DebugServer::authenticate2: %s\n", str.c_str());
 #endif
-		return AUTH_MORE_DATA;
-	}
-	catch (const Firebird::Exception& ex)
-	{
-		ex.stuffException(status);
-	}
-	***/
-	return AUTH_FAILED;
-}
+		writerInterface->add(str.c_str());
+		str.erase();
 
-/***
-int FB_CARG DebugServer::contAuthentication(Firebird::IStatus* status, const unsigned char* data,
-											   unsigned int size, IWriter* writerInterface)
-{
-	try
-	{
-#ifdef AUTH_VERBOSE
-		fprintf(stderr, "DebugServer::contAuthentication: %.*s\n", size, data);
-#endif
-		Firebird::MasterInterfacePtr()->upgradeInterface(writerInterface, FB_AUTH_WRITER_VERSION, upInfo);
-		writerInterface->add(Firebird::string((const char*) data, size).c_str());
 		return AUTH_SUCCESS;
 	}
 	catch (const Firebird::Exception& ex)
 	{
 		ex.stuffException(status);
-		return AUTH_FAILED;
 	}
+
+	return AUTH_FAILED;
 }
-***/
 
 int FB_CARG DebugServer::release()
 {
@@ -130,58 +121,53 @@ DebugClient::DebugClient(Firebird::IPluginConfig*)
 	: str(getPool())
 { }
 
-int FB_CARG DebugClient::authenticate(Firebird::IStatus* status, IClientBlock* cBlock)
+int FB_CARG DebugClient::authenticate(Firebird::IStatus* status, IClientBlock* cb)
 {
-	/***
 	try
 	{
-		str = "HAND";
-#ifdef AUTH_VERBOSE
-		fprintf(stderr, "DebugClient::startAuthentication: %s\n", str.c_str());
-#endif
-		if (dpb && tags->trustedAuth)
+		if (str != "HAND")
 		{
-			Firebird::MasterInterfacePtr()->upgradeInterface(dpb, FB_AUTH_CLUMPLETS_VERSION, upInfo);
-			dpb->add(tags->trustedAuth, str.c_str(), str.length());
-#ifdef AUTH_VERBOSE
-			fprintf(stderr, "DebugClient::startAuthentication: DPB filled\n");
-#endif
-			return AUTH_SUCCESS;
+			str = "HAND";
 		}
-		return AUTH_MORE_DATA;
+		else
+		{
+			unsigned int length;
+			const unsigned char* v = cb->getData(&length);
+			str.assign(v, length);
+
+#ifdef AUTH_VERBOSE
+			fprintf(stderr, "DebugClient::authenticate2: from srv=%s\n", str.c_str());
+#endif
+
+			const char* env = getenv("ISC_DEBUG_AUTH");
+			if (env && env[0] && str.length() > 0 && str[str.length() - 1] == '_')
+				str = env;
+			else
+				str += "SHAKE";
+		}
+
+#ifdef AUTH_VERBOSE
+		fprintf(stderr, "DebugClient::authenticate: sending %s\n", str.c_str());
+#endif
+		cb->putData(status, str.length(), str.c_str());
+		if (! status->isSuccess())
+		{
+			return AUTH_FAILED;
+		}
+
+#ifdef AUTH_VERBOSE
+		fprintf(stderr, "DebugClient::authenticate: data filled\n");
+#endif
+		return AUTH_SUCCESS;
 	}
 	catch (const Firebird::Exception& ex)
 	{
 		ex.stuffException(status);
 	}
-	***/
+
 	return AUTH_FAILED;
 }
 
-/***
-int FB_CARG DebugClient::contAuthentication(Firebird::IStatus* status, const unsigned char* data, unsigned int size)
-{
-	try
-	{
-#ifdef AUTH_VERBOSE
-		fprintf(stderr, "DebugClient::contAuthentication: %.*s\n", size, data);
-#endif
-		str.assign(data, size);
-		const char* env = getenv("ISC_DEBUG_AUTH");
-		if (env && env[0] && str.length() > 0 && str[str.length() - 1] == '_')
-			str = env;
-		else
-			str += "SHAKE";
-		return AUTH_CONTINUE;
-	}
-	catch (const Firebird::Exception& ex)
-	{
-		ex.stuffException(status);
-		return AUTH_FAILED;
-	}
-}
-***/
-
 int FB_CARG DebugClient::release()
 {
 	if (--refCounter == 0)

src/auth/SecureRemotePassword/client/SrpClient.cpp

@@ -64,7 +64,7 @@ int SrpClient::authenticate(IStatus* status, IClientBlock* cb)
 
 		if (!client)
 		{
-			HANDSHAKE_DEBUG(fprintf(stderr, "Cln SRP1: %s %s\n", cb->getLogin(), cb->getPassword()));
+			HANDSHAKE_DEBUG(fprintf(stderr, "Client: SRP1: login=%s password=%s\n", cb->getLogin(), cb->getPassword()));
 			if (!(cb->getLogin() && cb->getPassword()))
 			{
 				return AUTH_CONTINUE;
@@ -77,7 +77,7 @@ int SrpClient::authenticate(IStatus* status, IClientBlock* cb)
 			return status->isSuccess() ? AUTH_MORE_DATA : AUTH_FAILED;
 		}
 
-		HANDSHAKE_DEBUG(fprintf(stderr, "Cln SRP2\n"));
+		HANDSHAKE_DEBUG(fprintf(stderr, "Client: SRP2\n"));
 		unsigned int length;
 		const unsigned char* saltAndKey = cb->getData(&length);
 		if (length > (RemotePassword::SRP_SALT_SIZE + RemotePassword::SRP_KEY_SIZE + 2) * 2)

src/auth/SecureRemotePassword/server/SrpServer.cpp

@@ -102,7 +102,8 @@ int SrpServer::authenticate(IStatus* status, IServerBlock* sb, IWriter* writerIn
 
 			if (!clientPubKey.hasData())
 			{
-				return AUTH_CONTINUE;
+				HANDSHAKE_DEBUG(fprintf(stderr, "Srv SRP: empty pubkey AUTH_MORE_DATA\n"));
+				return AUTH_MORE_DATA;
 			}
 
 			// read salt and verifier from database

src/auth/SecureRemotePassword/srp.h

@@ -67,8 +67,11 @@ public:
 	{
 		Firebird::UCharBuffer bytes;
 		data.getBytes(bytes);
-		unsigned int n = (bytes[0] == 0) ? 1u : 0;
-		process(bytes.getCount() - n, bytes.begin() + n);
+		if (bytes.getCount())
+		{
+			unsigned int n = (bytes[0] == 0) ? 1u : 0;
+			process(bytes.getCount() - n, bytes.begin() + n);
+		}
 	}
 };
 

src/auth/SecurityDatabase/LegacyClient.cpp

@@ -37,6 +37,7 @@ namespace Auth {
 
 int SecurityDatabaseClient::authenticate(Firebird::IStatus* status, IClientBlock* cb)
 {
+	// fprintf(stderr, "Clnt: Legacy: lgn=%s pswd=%s\n", cb->getLogin(), cb->getPassword());
 	if (!(cb->getLogin() && cb->getPassword()))
 	{
 		return AUTH_CONTINUE;

src/remote/client/interface.cpp

@@ -5296,17 +5296,21 @@ static void add_working_directory(ClumpletWriter& dpb, const PathName& node_name
 }
 
 
-static void authenticateStep0(ClntAuthBlock& wire)
+static void authenticateStep0(ClntAuthBlock& cBlock)
 {
-	for (LocalStatus s; wire.plugins.hasData(); wire.plugins.next())
+	for (LocalStatus s; cBlock.plugins.hasData(); cBlock.plugins.next())
 	{
-		switch(wire.plugins.plugin()->authenticate(&s, &wire))
+		HANDSHAKE_DEBUG(fprintf(stderr, "Cli: authenticateStep0(%s)\n", cBlock.plugins.name()));
+		switch(cBlock.plugins.plugin()->authenticate(&s, &cBlock))
 		{
 		case Auth::AUTH_SUCCESS:
 		case Auth::AUTH_MORE_DATA:
 			return;
 		case Auth::AUTH_FAILED:
-			gds__log_status("Authentication, client plugin:", s.get());
+			if (s.get()[1] != FB_SUCCESS)
+			{
+				gds__log_status("Authentication, client plugin:", s.get());
+			}
 			(Arg::Gds(isc_login)
 #ifdef DEV_BUILD
 								 << Arg::StatusVector(s.get())
@@ -6169,6 +6173,7 @@ static void authFillParametersBlock(ClntAuthBlock& cBlock, ClumpletWriter& dpb,
 		{
 			// OK to use plugin
 			cBlock.resetDataFromPlugin();
+			HANDSHAKE_DEBUG(fprintf(stderr, "Cli: authFillParametersBlock(%s)\n", cBlock.plugins.name()));
 			int authRc = cBlock.plugins.plugin()->authenticate(&s, &cBlock);
 
 			switch (authRc)
@@ -6179,6 +6184,10 @@ static void authFillParametersBlock(ClntAuthBlock& cBlock, ClumpletWriter& dpb,
 				cleanDpb(dpb, tags);
 				cBlock.extractDataFromPluginTo(dpb, tags, port->port_protocol);
 				return;
+
+			case Auth::AUTH_CONTINUE:
+				continue;
+
 			case Auth::AUTH_FAILED:
 				HANDSHAKE_DEBUG(fprintf(stderr, "FPB: plugin %s FAILED\n", cBlock.plugins.name()));
 				(Arg::Gds(isc_login) << Arg::StatusVector(s.get())).raise();
@@ -6305,6 +6314,7 @@ static void authReceiveResponse(ClntAuthBlock& cBlock, rem_port* port, Rdb* rdb,
 		}
 
 		cBlock.storeDataForPlugin(d->cstr_length, d->cstr_address);
+		HANDSHAKE_DEBUG(fprintf(stderr, "Cli: receiveResponse: authenticate(%s)\n", cBlock.plugins.name()));
 		if (cBlock.plugins.plugin()->authenticate(&s, &cBlock) == Auth::AUTH_FAILED)
 		{
 			break;
@@ -7455,7 +7465,8 @@ static void cleanDpb(Firebird::ClumpletWriter& dpb, const ParametersSet* tags)
 
 ClntAuthBlock::ClntAuthBlock(const Firebird::PathName* fileName, Firebird::ClumpletReader* dpb,
 							 const ParametersSet* tags)
-	: pluginList(getPool()), userName(getPool()), password(getPool()),
+	: pluginList(getPool()), serverPluginList(getPool()),
+	  userName(getPool()), password(getPool()),
 	  dataForPlugin(getPool()), dataFromPlugin(getPool()),
 	  cryptKeys(getPool()), dpbConfig(getPool()), hasCryptKey(false),
 	  plugins(PluginType::AuthClient, FB_AUTH_CLIENT_VERSION, upInfo),

src/remote/inet.cpp

@@ -621,6 +621,7 @@ rem_port* INET_analyze(ClntAuthBlock* cBlock,
 									   packet->p_acpd.p_acpt_data.cstr_address);
 			cBlock->authComplete = packet->p_acpd.p_acpt_authenticated;
 			port->addServerKeys(&packet->p_acpd.p_acpt_keys);
+			cBlock->resetClnt(&file_name, &packet->p_acpd.p_acpt_keys);
 		}
 		break;
 

src/remote/os/win32/wnet.cpp

@@ -208,6 +208,8 @@ rem_port* WNET_analyze(ClntAuthBlock* cBlock,
 			cBlock->storeDataForPlugin(packet->p_acpd.p_acpt_data.cstr_length,
 									   packet->p_acpd.p_acpt_data.cstr_address);
 			cBlock->authComplete = packet->p_acpd.p_acpt_authenticated;
+			port->addServerKeys(&packet->p_acpd.p_acpt_keys);
+			cBlock->resetClnt(&file_name, &packet->p_acpd.p_acpt_keys);
 		}
 		break;
 

src/remote/os/win32/xnet.cpp

@@ -293,6 +293,7 @@ rem_port* XNET_analyze(ClntAuthBlock* cBlock,
 			cBlock->storeDataForPlugin(packet->p_acpd.p_acpt_data.cstr_length,
 									   packet->p_acpd.p_acpt_data.cstr_address);
 			cBlock->authComplete = packet->p_acpd.p_acpt_authenticated;
+			cBlock->resetClnt(&file_name, &packet->p_acpd.p_acpt_keys);
 		}
 		break;
 

src/remote/remote.cpp

@@ -1021,6 +1021,7 @@ void ClntAuthBlock::extractDataFromPluginTo(Firebird::ClumpletWriter& user_id)
 	// Add user login name
 	if (userName.hasData())
 	{
+		HANDSHAKE_DEBUG(fprintf(stderr, "extractDataFromPluginTo: userName=%s\n", userName.c_str()));
 		user_id.insertString(CNCT_login, userName);
 	}
 
@@ -1028,6 +1029,7 @@ void ClntAuthBlock::extractDataFromPluginTo(Firebird::ClumpletWriter& user_id)
 	Firebird::PathName pluginName = getPluginName();
 	if (pluginName.hasData())
 	{
+		HANDSHAKE_DEBUG(fprintf(stderr, "extractDataFromPluginTo: pluginName=%s\n", pluginName.c_str()));
 		user_id.insertPath(CNCT_plugin_name, pluginName);
 	}
 
@@ -1063,15 +1065,69 @@ void ClntAuthBlock::extractDataFromPluginTo(Firebird::ClumpletWriter& user_id)
 	}
 }
 
-void ClntAuthBlock::resetClnt(const Firebird::PathName* fileName)
+void ClntAuthBlock::resetClnt(const Firebird::PathName* fileName, const CSTRING* listStr)
 {
+	if (listStr)
+	{
+		if (dataForPlugin.hasData())
+		{
+			// We should not change plugins iterator now
+			return;
+		}
+
+		Firebird::ClumpletReader srvList(Firebird::ClumpletReader::UnTagged,
+										 listStr->cstr_address, listStr->cstr_length);
+
+		if (srvList.find(TAG_KNOWN_PLUGINS))
+		{
+			srvList.getPath(serverPluginList);
+		}
+	}
+
 	dataForPlugin.clear();
 	dataFromPlugin.clear();
 	authComplete = false;
 	firstTime = true;
 	config = REMOTE_get_config(fileName, &dpbConfig);
 	pluginList = config->getPlugins(Firebird::PluginType::AuthClient);
-	plugins.set(pluginList.c_str());
+
+	Firebird::PathName final;
+	if (serverPluginList.hasData())
+	{
+		Remote::ParsedList onClient, fromServer, merged;
+		REMOTE_parseList(onClient, pluginList);
+		REMOTE_parseList(fromServer, serverPluginList);
+
+		for (unsigned c = 0; c < onClient.getCount(); ++c)
+		{
+			// do not expect too long lists, therefore use double loop
+			for (unsigned s = 0; s < fromServer.getCount(); ++s)
+			{
+				if (onClient[c] == fromServer[s])
+				{
+					merged.push(onClient[c]);
+				}
+			}
+		}
+
+		if (merged.getCount() == 0)
+		{
+			HANDSHAKE_DEBUG(fprintf(stderr, "No matching plugins on client\n"));
+			(Firebird::Arg::Gds(isc_login)
+#ifdef DEV_BUILD
+								<< Firebird::Arg::Gds(isc_random) << "No matching plugins on client"
+#endif
+								).raise();
+		}
+
+		REMOTE_makeList(final, merged);
+	}
+	else
+	{
+		final = pluginList;
+	}
+
+	plugins.set(final.c_str());
 }
 
 Firebird::RefPtr<Config>* ClntAuthBlock::getConfig()
@@ -1243,6 +1299,11 @@ void rem_port::addServerKeys(CSTRING* passedStr)
 
 	for (newKeys.rewind(); !newKeys.isEof(); newKeys.moveNext())
 	{
+		if (newKeys.getClumpTag() == TAG_KNOWN_PLUGINS)
+		{
+			continue;
+		}
+
 		KnownServerKey key;
 		fb_assert(newKeys.getClumpTag() == TAG_KEY_TYPE);
 		newKeys.getPath(key.type);

src/remote/remote.h

@@ -635,6 +635,7 @@ class ClntAuthBlock : public Firebird::StdPlugin<Auth::IClientBlock, FB_AUTH_CLI
 {
 private:
 	Firebird::PathName pluginList;				// To be passed to server
+	Firebird::PathName serverPluginList;		// Received from server
 	Firebird::string userName, password;		// Used by plugin, taken from DPB
 	// These two are legacy encrypted password, trusted auth data and so on - what plugin needs
 	Firebird::UCharBuffer dataForPlugin, dataFromPlugin;
@@ -665,7 +666,7 @@ public:
 	void extractDataFromPluginTo(P_AUTH_CONT* to);
 	void loadClnt(Firebird::ClumpletWriter& dpb, const ParametersSet*);
 	void extractDataFromPluginTo(Firebird::ClumpletWriter& user_id);
-	void resetClnt(const Firebird::PathName* fileName);
+	void resetClnt(const Firebird::PathName* fileName, const CSTRING* listStr = NULL);
 	bool checkPluginName(Firebird::PathName& nameToCheck);
 	void saveServiceDataTo(rem_port*);
 	void loadServiceDataFrom(rem_port*);
@@ -737,7 +738,7 @@ public:
 	void createPluginsItr();
 	void setDataForPlugin(const p_auth_continue* data);
 	void reset();
-	bool extractNewKeys(CSTRING* to);
+	bool extractNewKeys(CSTRING* to, bool flagPlugList = false);
 
 	// Auth::IServerBlock implementation
 	int FB_CARG release();
@@ -771,9 +772,10 @@ private:
 	KnownServerKey& operator=(const KnownServerKey&);
 };
 
-// Tags for server keys clumplet, passed from server to client
+// Tags for clumplets, passed from server to client
 const UCHAR TAG_KEY_TYPE		= 0;
 const UCHAR TAG_KEY_PLUGINS		= 1;
+const UCHAR TAG_KNOWN_PLUGINS	= 2;
 
 // port_flags
 const USHORT PORT_symmetric		= 0x0001;	// Server/client architectures are symmetic

src/remote/server/server.cpp

@@ -427,7 +427,7 @@ public:
 
 			case Auth::AUTH_FAILED:
 				HANDSHAKE_DEBUG(fprintf(stderr, "No luck today...\n"));
-				isc_print_status(st.get());
+				HANDSHAKE_DEBUG(isc_print_status(st.get()));
 				authServer = NULL;
 				working = false;
 				break;
@@ -1542,6 +1542,7 @@ static bool accept_connection(rem_port* port, P_CNCT* connect, PACKET* send)
 	// We are going to try authentication handshake
 	LocalStatus status;
 	bool returnData = false;
+	//bool returnPlugList = false;
 	if (accepted && version >= PROTOCOL_VERSION13)
 	{
 		HANDSHAKE_DEBUG(fprintf(stderr, "accept connection creates port_srv_auth_block\n"));
@@ -1587,10 +1588,13 @@ static bool accept_connection(rem_port* port, P_CNCT* connect, PACKET* send)
 					case Auth::AUTH_CONTINUE:
 						// try next plugin
 						continue;
+						// First try failed - extractNewKeys will send to client list of known plugins
+						//returnPlugList = true;
+						//break;
 
 					case Auth::AUTH_MORE_DATA:
-						port->port_srv_auth_block->extractDataFromPluginTo(&send->p_acpd.p_acpt_data);
 						port->port_srv_auth_block->extractPluginName(&send->p_acpd.p_acpt_plugin);
+						port->port_srv_auth_block->extractDataFromPluginTo(&send->p_acpd.p_acpt_data);
 						returnData = true;
 						break;
 
@@ -1610,10 +1614,6 @@ static bool accept_connection(rem_port* port, P_CNCT* connect, PACKET* send)
 					}
 					break;
 				}
-				if (!plugins->hasData())
-				{
-					accepted = false;
-				}
 			}
 		}
 	}
@@ -1628,7 +1628,9 @@ static bool accept_connection(rem_port* port, P_CNCT* connect, PACKET* send)
 		return false;
 	}
 
-	if (version >= PROTOCOL_VERSION13 && port->port_srv_auth_block->extractNewKeys(&send->p_acpd.p_acpt_keys))
+	// extractNewKeys() will also send to client list of known plugins
+	if (version >= PROTOCOL_VERSION13 &&
+		port->port_srv_auth_block->extractNewKeys(&send->p_acpd.p_acpt_keys, returnData))
 	{
 		returnData = true;
 	}
@@ -6359,6 +6361,10 @@ const char* SrvAuthBlock::getLogin()
 const unsigned char* SrvAuthBlock::getData(unsigned int* length)
 {
 	*length = (ULONG) dataForPlugin.getCount();
+	if (*length && pluginName != plugins->name())
+	{
+		*length = 0;
+	}
 	return *length ? dataForPlugin.begin() : NULL;
 }
 
@@ -6483,7 +6489,7 @@ void SrvAuthBlock::reset()
 	plugins = NULL;
 }
 
-bool SrvAuthBlock::extractNewKeys(CSTRING* to)
+bool SrvAuthBlock::extractNewKeys(CSTRING* to, bool flagPluginsList)
 {
 	lastExtractedKeys.reset();
 	for (unsigned n = 0; n < newKeys.getCount(); ++n)
@@ -6496,6 +6502,12 @@ bool SrvAuthBlock::extractNewKeys(CSTRING* to)
 			lastExtractedKeys.insertPath(TAG_KEY_PLUGINS, plugins);
 		}
 	}
+
+	if (flagPluginsList && dataFromPlugin.getCount() == 0)
+	{
+		lastExtractedKeys.insertPath(TAG_KNOWN_PLUGINS, pluginList);
+	}
+
 	to->cstr_length = (ULONG) lastExtractedKeys.getBufferLength();
 	to->cstr_address = const_cast<UCHAR*>(lastExtractedKeys.getBuffer());
 	to->cstr_allocated = 0;