Re: DO and authentication
Re: DO and authentication
- Subject: Re: DO and authentication
- From: Chris Kane <email@hidden>
- Date: Fri, 4 Jan 2002 17:36:07 -0800
On Thursday, January 3, 2002, at 06:32 PM, Charles Srstka wrote:
[...] I'm still wondering what is a good way to verify the identity of
the client. Perhaps I'm just being paranoid, but I just want to make
sure some other app doesn't start using my tool while I am running it,
and doing nasty stuff with root access. By searching the archives and
elsewhere, I've found information on how to authenticate messages, but
I have not found anything on a good method to verify the identity of
the message sender.
As said in other replies, you can the security token of the client from
Mach, and so verify, for example, that the client is at least running as
root (and so, it's at least as privileged as your server). That may not
be sufficient -- you may want to limit who can communicate with your
server to those tasks you've authorized to do so (because you wrote them
and/or have given them some secret). The security token doesn't tell
you WHO the client is.
This was discussed on the OmniGroup list a few weeks ago. My reply is
appended below. If you authenticate DO messages as they come in, you
can come closer to guaranteeing that messages are coming from authorized
sources.
Chris Kane
Cocoa Frameworks, Apple
Begin forwarded message:
From: Chris Kane <email@hidden>
Date: Wed Nov 28, 2001 03:48:57 PM US/Pacific
To: email@hidden (mikevannorsdel)
Cc: Mac OS X-Dev <email@hidden>
Subject: authenticating incoming messages over DO
On Wednesday, November 28, 2001, at 01:04 , mikevannorsdel wrote:
What I'm worried about is an impostor client sending data and messages
to the server. I'm wondering if there are built-in methods for
authenticating clients or being able to get info on clients, like pid
or paths, who sent the message.
No. Your clients should either: (1) add custom authentication info to
the message that your server can verify, or (2) give DO authentication
info for each message, which DO will verify in the server.
There is the Authenticator Foundation example in the Dev stuff. I was
just cleaning that up a couple weeks ago and I've appended the new file
(there's only one file in the project now). I'm not going to include
the whole project, which is trivial otherwise, so this doesn't have to
be a MIME message for those that don't like them. Just create a new
Foundation Tool project in PB and copy/paste the code below into main.m.
This example uses a very trivial bit of authentication data, which
doesn't include any information about the identity of the client. It's
up to you to make the authentication delegate methods as bulletproof as
you wish.
Chris Kane
Cocoa Frameworks, Apple
/*
IMPORTANT: This Apple software is supplied to you by Apple Computer,
Inc. ("Apple") in
consideration of your agreement to the following terms, and your use,
installation,
modification or redistribution of this Apple software constitutes
acceptance of these
terms. If you do not agree with these terms, please do not use,
install, modify or
redistribute this Apple software.
In consideration of your agreement to abide by the following terms,
and subject to these
terms, Apple grants you a personal, non-exclusive license, under
Apple�s copyrights in
this original Apple software (the "Apple Software"), to use,
reproduce, modify and
redistribute the Apple Software, with or without modifications, in
source and/or binary
forms; provided that if you redistribute the Apple Software in its
entirety and without
modifications, you must retain this notice and the following text and
disclaimers in all
such redistributions of the Apple Software. Neither the name,
trademarks, service marks
or logos of Apple Computer, Inc. may be used to endorse or promote
products derived from
the Apple Software without specific prior written permission from
Apple. Except as expressly
stated in this notice, no other rights or licenses, express or
implied, are granted by Apple
herein, including but not limited to any patent rights that may be
infringed by your
derivative works or by other works in which the Apple Software may be
incorporated.
The Apple Software is provided by Apple on an "AS IS" basis. APPLE
MAKES NO WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, REGARDING THE
APPLE SOFTWARE OR ITS
USE AND OPERATION ALONE OR IN COMBINATION WITH YOUR PRODUCTS.
IN NO EVENT SHALL APPLE BE LIABLE FOR ANY SPECIAL, INDIRECT,
INCIDENTAL OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS
OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ARISING IN ANY WAY
OUT OF THE USE,
REPRODUCTION, MODIFICATION AND/OR DISTRIBUTION OF THE APPLE SOFTWARE,
HOWEVER CAUSED AND
WHETHER UNDER THEORY OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT
LIABILITY OR
OTHERWISE, EVEN IF APPLE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
*/
// This example shows how to do authentication of messages over
Distributed Objects.
#import <Foundation/Foundation.h>
#include <stdio.h>
#define CONNECTION_NAME @"authentication test"
@interface Authenticator : NSObject
// An instance of this class will act as the NSConnection delegates.
// NSConnection delegates can do things in addition to authenticate
// messages, but we're just interested in authentication here.
- (NSData *)authenticationDataForComponents:(NSArray *)components;
// Computes and returns an NSData containing arbitrary
authentication
// information. In effect this is a "signature" for the components
array.
- (BOOL)authenticateComponents:(NSArray *)components withData:(NSData
*)signature;
// Verifies the authentication information in the NSData is valid
and
// matches the message components.
@end
int main(int argc, const char *argv[]) {
NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
if (argc < 2) {
fprintf(stderr, "usage: %s server // to run as
server\n", argv[0]);
fprintf(stderr, "usage: %s client // to run as
client\n", argv[0]);
fprintf(stderr, "usage: One of the two arguments must be
specified.\n");
exit(1);
}
if (0 == strcmp(argv[1], "server")) {
// Create a generic NSConnection to use to vend an object over
DO.
NSConnection *conn = [[NSConnection alloc] init];
// Create a generic object to vend over DO; usually this is an
object
// that actually has something interesting to do as a "server".
NSObject *object = [[NSObject alloc] init];
// Create an Authenticator object to authenticate messages that
come
// in to the server. The client and server need to use the same
// authentication logic, but would not need to use the same
class.
Authenticator *authenticator = [[Authenticator alloc] init];
// Configure the connection
[conn setDelegate:authenticator];
[conn setRootObject:object];
// Set the name of the root object
if (![conn registerName:CONNECTION_NAME]) {
fprintf(stderr, "%s server: could not register server. Is
one already running?\n", argv[0]);
exit(1);
}
fprintf(stderr, "%s server: started\n", argv[0]);
// Have the run loop run forever, servicing incoming messages
[[NSRunLoop currentRunLoop] run];
// Cleanup objects; not really necessary in this case
[authenticator release];
[object release];
[conn release];
} else if (0 == strcmp(argv[1], "client")) {
// Create an Authenticator object to authenticate messages going
// to the server. The client and server need to use the same
// authentication logic, but would not need to use the same
class.
Authenticator *authenticator = [[Authenticator alloc] init];
NSDistantObject *proxy;
// Lookup the server connection
NSConnection *conn = [NSConnection
connectionWithRegisteredName:CONNECTION_NAME host:nil];
if (!conn) {
fprintf(stderr, "%s server: could not find server. You
need to start one on this machine first.\n", argv[0]);
exit(1);
}
// Set the authenticator as the NSConnection delegate; all
// further messages, including the first one to lookup the root
// proxy, will go through the authenticator.
[conn setDelegate:authenticator];
proxy = [conn rootProxy];
if (!proxy) {
fprintf(stderr, "%s server: could not get proxy. This
should not happen.\n", argv[0]);
exit(1);
}
// Since this is an example, we don't really care what the
"served"
// object really does, just that we can message it. Since it
is just
// an NSObject, send it some NSObject messages. If these aren't
// authenticated successfully, an
NSFailedAuthenticationException
// exception is raised.
NSLog(@"description: %@", [proxy description]);
NSLog(@"isKindOfClass NSObject? %@", [proxy
isKindOfClass:[NSObject self]] ? @"YES" : @"NO");
NSLog(@"Done. Messages sent successfully.");
} else {
fprintf(stderr, "Unknown argument '%s'. Must be 'client' or
'server'.\n", argv[1]);
exit(1);
}
[pool release];
return 0;
}
@implementation Authenticator
- (BOOL)connection:(NSConnection *)ancestor
shouldMakeNewConnection:(NSConnection *)conn {
// A non-authentication related delegate method. Make sure all
// child (per-client) connections get the same delegate.
[conn setDelegate:[ancestor delegate]];
return YES;
}
- (NSData *)authenticationDataForComponents:(NSArray *)components {
unsigned int idx1, idx2;
unsigned char checksum = 0;
// Compute authentication data for the components in the
// given array. There are two types of components, NSPorts
// and NSDatas. You should ignore a component of a type
// which you don't understand.
// Here, we compute a trivial 1 byte checksum over all the
// bytes in the NSData objects in the array.
for (idx1 = 0; idx1 < [components count]; idx1++) {
id item = [components objectAtIndex:idx1];
if ([item isKindOfClass:[NSData class]]) {
const unsigned char *bytes = [item bytes];
unsigned int length = [item length];
for (idx2 = 0; idx2 < length; idx2++) {
checksum ^= bytes[idx2];
}
}
}
// Put the checksum byte in an NSData and return it. This is
// the authentication data for the message components.
return [NSData dataWithBytes:&checksum length:1];
}
- (BOOL)authenticateComponents:(NSArray *)components withData:(NSData
*)signature {
// Verify the authentication data against the components. A good
// authenticator would have a way of verifying the signature without
// recomputing it. We don't, in this example, so just recompute.
NSData *recomputedSignature = [self
authenticationDataForComponents:components];
// If the two NSDatas are not equal, authentication failure!
if (![recomputedSignature isEqual:signature]) {
NSLog(@"received signature %@ doesn't match computed
signature %@", signature, recomputedSignature);
return NO;
}
return YES;
}
@end