Mercurial > pidgin.yaz
comparison libpurple/protocols/jabber/auth.c @ 15374:5fe8042783c1
Rename gtk/ and libgaim/ to pidgin/ and libpurple/
author | Sean Egan <seanegan@gmail.com> |
---|---|
date | Sat, 20 Jan 2007 02:32:10 +0000 |
parents | |
children | 51dd9ae01585 |
comparison
equal
deleted
inserted
replaced
15373:f79e0f4df793 | 15374:5fe8042783c1 |
---|---|
1 /* | |
2 * gaim - Jabber Protocol Plugin | |
3 * | |
4 * Copyright (C) 2003, Nathan Walp <faceprint@faceprint.com> | |
5 * | |
6 * This program is free software; you can redistribute it and/or modify | |
7 * it under the terms of the GNU General Public License as published by | |
8 * the Free Software Foundation; either version 2 of the License, or | |
9 * (at your option) any later version. | |
10 * | |
11 * This program is distributed in the hope that it will be useful, | |
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
14 * GNU General Public License for more details. | |
15 * | |
16 * You should have received a copy of the GNU General Public License | |
17 * along with this program; if not, write to the Free Software | |
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
19 * | |
20 */ | |
21 #include "internal.h" | |
22 | |
23 #include "jutil.h" | |
24 #include "auth.h" | |
25 #include "xmlnode.h" | |
26 #include "jabber.h" | |
27 #include "iq.h" | |
28 | |
29 #include "debug.h" | |
30 #include "util.h" | |
31 #include "cipher.h" | |
32 #include "sslconn.h" | |
33 #include "request.h" | |
34 | |
35 static void auth_old_result_cb(JabberStream *js, xmlnode *packet, | |
36 gpointer data); | |
37 | |
38 gboolean | |
39 jabber_process_starttls(JabberStream *js, xmlnode *packet) | |
40 { | |
41 xmlnode *starttls; | |
42 | |
43 if((starttls = xmlnode_get_child(packet, "starttls"))) { | |
44 if(gaim_ssl_is_supported()) { | |
45 jabber_send_raw(js, | |
46 "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>", -1); | |
47 return TRUE; | |
48 } else if(xmlnode_get_child(starttls, "required")) { | |
49 gaim_connection_error(js->gc, _("Server requires TLS/SSL for login. No TLS/SSL support found.")); | |
50 return TRUE; | |
51 } | |
52 } | |
53 | |
54 return FALSE; | |
55 } | |
56 | |
57 static void finish_plaintext_authentication(JabberStream *js) | |
58 { | |
59 if(js->auth_type == JABBER_AUTH_PLAIN) { | |
60 xmlnode *auth; | |
61 GString *response; | |
62 gchar *enc_out; | |
63 | |
64 auth = xmlnode_new("auth"); | |
65 xmlnode_set_namespace(auth, "urn:ietf:params:xml:ns:xmpp-sasl"); | |
66 | |
67 xmlnode_set_attrib(auth, "xmlns:ga", "http://www.google.com/talk/protocol/auth"); | |
68 xmlnode_set_attrib(auth, "ga:client-uses-full-bind-result", "true"); | |
69 | |
70 response = g_string_new(""); | |
71 response = g_string_append_len(response, "\0", 1); | |
72 response = g_string_append(response, js->user->node); | |
73 response = g_string_append_len(response, "\0", 1); | |
74 response = g_string_append(response, | |
75 gaim_connection_get_password(js->gc)); | |
76 | |
77 enc_out = gaim_base64_encode((guchar *)response->str, response->len); | |
78 | |
79 xmlnode_set_attrib(auth, "mechanism", "PLAIN"); | |
80 xmlnode_insert_data(auth, enc_out, -1); | |
81 g_free(enc_out); | |
82 g_string_free(response, TRUE); | |
83 | |
84 jabber_send(js, auth); | |
85 xmlnode_free(auth); | |
86 } else if(js->auth_type == JABBER_AUTH_IQ_AUTH) { | |
87 JabberIq *iq; | |
88 xmlnode *query, *x; | |
89 | |
90 iq = jabber_iq_new_query(js, JABBER_IQ_SET, "jabber:iq:auth"); | |
91 query = xmlnode_get_child(iq->node, "query"); | |
92 x = xmlnode_new_child(query, "username"); | |
93 xmlnode_insert_data(x, js->user->node, -1); | |
94 x = xmlnode_new_child(query, "resource"); | |
95 xmlnode_insert_data(x, js->user->resource, -1); | |
96 x = xmlnode_new_child(query, "password"); | |
97 xmlnode_insert_data(x, gaim_connection_get_password(js->gc), -1); | |
98 jabber_iq_set_callback(iq, auth_old_result_cb, NULL); | |
99 jabber_iq_send(iq); | |
100 } | |
101 } | |
102 | |
103 static void allow_plaintext_auth(GaimAccount *account) | |
104 { | |
105 gaim_account_set_bool(account, "auth_plain_in_clear", TRUE); | |
106 | |
107 finish_plaintext_authentication(account->gc->proto_data); | |
108 } | |
109 | |
110 static void disallow_plaintext_auth(GaimAccount *account) | |
111 { | |
112 gaim_connection_error(account->gc, _("Server requires plaintext authentication over an unencrypted stream")); | |
113 } | |
114 | |
115 #ifdef HAVE_CYRUS_SASL | |
116 | |
117 static void jabber_auth_start_cyrus(JabberStream *); | |
118 | |
119 /* Callbacks for Cyrus SASL */ | |
120 | |
121 static int jabber_sasl_cb_realm(void *ctx, int id, const char **avail, const char **result) | |
122 { | |
123 JabberStream *js = (JabberStream *)ctx; | |
124 | |
125 if (id != SASL_CB_GETREALM || !result) return SASL_BADPARAM; | |
126 | |
127 *result = js->user->domain; | |
128 | |
129 return SASL_OK; | |
130 } | |
131 | |
132 static int jabber_sasl_cb_simple(void *ctx, int id, const char **res, unsigned *len) | |
133 { | |
134 JabberStream *js = (JabberStream *)ctx; | |
135 | |
136 switch(id) { | |
137 case SASL_CB_AUTHNAME: | |
138 *res = js->user->node; | |
139 break; | |
140 case SASL_CB_USER: | |
141 *res = ""; | |
142 break; | |
143 default: | |
144 return SASL_BADPARAM; | |
145 } | |
146 if (len) *len = strlen((char *)*res); | |
147 return SASL_OK; | |
148 } | |
149 | |
150 static int jabber_sasl_cb_secret(sasl_conn_t *conn, void *ctx, int id, sasl_secret_t **secret) | |
151 { | |
152 JabberStream *js = (JabberStream *)ctx; | |
153 const char *pw = gaim_account_get_password(js->gc->account); | |
154 size_t len; | |
155 static sasl_secret_t *x = NULL; | |
156 | |
157 if (!conn || !secret || id != SASL_CB_PASS) | |
158 return SASL_BADPARAM; | |
159 | |
160 len = strlen(pw); | |
161 x = (sasl_secret_t *) realloc(x, sizeof(sasl_secret_t) + len); | |
162 | |
163 if (!x) | |
164 return SASL_NOMEM; | |
165 | |
166 x->len = len; | |
167 strcpy((char*)x->data, pw); | |
168 | |
169 *secret = x; | |
170 return SASL_OK; | |
171 } | |
172 | |
173 static void allow_cyrus_plaintext_auth(GaimAccount *account) | |
174 { | |
175 gaim_account_set_bool(account, "auth_plain_in_clear", TRUE); | |
176 | |
177 jabber_auth_start_cyrus(account->gc->proto_data); | |
178 } | |
179 | |
180 static void jabber_auth_start_cyrus(JabberStream *js) | |
181 { | |
182 const char *clientout = NULL, *mech = NULL; | |
183 char *enc_out; | |
184 unsigned coutlen = 0; | |
185 xmlnode *auth; | |
186 sasl_security_properties_t secprops; | |
187 gboolean again; | |
188 gboolean plaintext = TRUE; | |
189 | |
190 /* Set up security properties and options */ | |
191 secprops.min_ssf = 0; | |
192 secprops.security_flags = SASL_SEC_NOANONYMOUS; | |
193 | |
194 if (!js->gsc) { | |
195 secprops.max_ssf = -1; | |
196 secprops.maxbufsize = 4096; | |
197 plaintext = gaim_account_get_bool(js->gc->account, "auth_plain_in_clear", FALSE); | |
198 if (!plaintext) | |
199 secprops.security_flags |= SASL_SEC_NOPLAINTEXT; | |
200 } else { | |
201 secprops.max_ssf = 0; | |
202 secprops.maxbufsize = 0; | |
203 plaintext = TRUE; | |
204 } | |
205 secprops.property_names = 0; | |
206 secprops.property_values = 0; | |
207 | |
208 do { | |
209 again = FALSE; | |
210 /* Use the user's domain for compatibility with the old | |
211 * DIGESTMD5 code. Note that this may cause problems where | |
212 * the user's domain doesn't match the FQDN of the jabber | |
213 * service | |
214 */ | |
215 | |
216 js->sasl_state = sasl_client_new("xmpp", js->user->domain, NULL, NULL, js->sasl_cb, 0, &js->sasl); | |
217 if (js->sasl_state==SASL_OK) { | |
218 sasl_setprop(js->sasl, SASL_SEC_PROPS, &secprops); | |
219 gaim_debug_info("sasl", "Mechs found: %s\n", js->sasl_mechs->str); | |
220 js->sasl_state = sasl_client_start(js->sasl, js->sasl_mechs->str, NULL, &clientout, &coutlen, &mech); | |
221 } | |
222 switch (js->sasl_state) { | |
223 /* Success */ | |
224 case SASL_OK: | |
225 case SASL_CONTINUE: | |
226 break; | |
227 case SASL_NOMECH: | |
228 /* No mechanisms do what we want. See if we can add | |
229 * plaintext ones to the list. */ | |
230 | |
231 if (!gaim_account_get_password(js->gc->account)) { | |
232 gaim_connection_error(js->gc, _("Server couldn't authenticate you without a password")); | |
233 return; | |
234 } else if (!plaintext) { | |
235 gaim_request_yes_no(js->gc, _("Plaintext Authentication"), | |
236 _("Plaintext Authentication"), | |
237 _("This server requires plaintext authentication over an unencrypted connection. Allow this and continue authentication?"), | |
238 2, js->gc->account, | |
239 allow_cyrus_plaintext_auth, | |
240 disallow_plaintext_auth); | |
241 return; | |
242 } else { | |
243 gaim_connection_error(js->gc, _("Server does not use any supported authentication method")); | |
244 return; | |
245 } | |
246 /* not reached */ | |
247 break; | |
248 | |
249 /* Fatal errors. Give up and go home */ | |
250 case SASL_BADPARAM: | |
251 case SASL_NOMEM: | |
252 break; | |
253 | |
254 /* For everything else, fail the mechanism and try again */ | |
255 default: | |
256 gaim_debug_info("sasl", "sasl_state is %d, failing the mech and trying again\n", js->sasl_state); | |
257 | |
258 /* | |
259 * DAA: is this right? | |
260 * The manpage says that "mech" will contain the chosen mechanism on success. | |
261 * Presumably, if we get here that isn't the case and we shouldn't try again? | |
262 * I suspect that this never happens. | |
263 */ | |
264 if (mech && strlen(mech) > 0) { | |
265 char *pos; | |
266 if ((pos = strstr(js->sasl_mechs->str, mech))) { | |
267 g_string_erase(js->sasl_mechs, pos-js->sasl_mechs->str, strlen(mech)); | |
268 } | |
269 again = TRUE; | |
270 } | |
271 | |
272 sasl_dispose(&js->sasl); | |
273 } | |
274 } while (again); | |
275 | |
276 if (js->sasl_state == SASL_CONTINUE || js->sasl_state == SASL_OK) { | |
277 auth = xmlnode_new("auth"); | |
278 xmlnode_set_namespace(auth, "urn:ietf:params:xml:ns:xmpp-sasl"); | |
279 xmlnode_set_attrib(auth, "mechanism", mech); | |
280 if (clientout) { | |
281 if (coutlen == 0) { | |
282 xmlnode_insert_data(auth, "=", -1); | |
283 } else { | |
284 enc_out = gaim_base64_encode((unsigned char*)clientout, coutlen); | |
285 xmlnode_insert_data(auth, enc_out, -1); | |
286 g_free(enc_out); | |
287 } | |
288 } | |
289 jabber_send(js, auth); | |
290 xmlnode_free(auth); | |
291 } else { | |
292 gaim_connection_error(js->gc, "SASL authentication failed\n"); | |
293 } | |
294 } | |
295 | |
296 static int | |
297 jabber_sasl_cb_log(void *context, int level, const char *message) | |
298 { | |
299 if(level <= SASL_LOG_TRACE) | |
300 gaim_debug_info("sasl", "%s\n", message); | |
301 | |
302 return SASL_OK; | |
303 } | |
304 | |
305 #endif | |
306 | |
307 void | |
308 jabber_auth_start(JabberStream *js, xmlnode *packet) | |
309 { | |
310 #ifdef HAVE_CYRUS_SASL | |
311 int id; | |
312 #else | |
313 gboolean digest_md5 = FALSE, plain=FALSE; | |
314 #endif | |
315 | |
316 xmlnode *mechs, *mechnode; | |
317 | |
318 | |
319 if(js->registration) { | |
320 jabber_register_start(js); | |
321 return; | |
322 } | |
323 | |
324 mechs = xmlnode_get_child(packet, "mechanisms"); | |
325 | |
326 if(!mechs) { | |
327 gaim_connection_error(js->gc, _("Invalid response from server.")); | |
328 return; | |
329 } | |
330 | |
331 #ifdef HAVE_CYRUS_SASL | |
332 js->sasl_mechs = g_string_new(""); | |
333 #endif | |
334 | |
335 for(mechnode = xmlnode_get_child(mechs, "mechanism"); mechnode; | |
336 mechnode = xmlnode_get_next_twin(mechnode)) | |
337 { | |
338 char *mech_name = xmlnode_get_data(mechnode); | |
339 #ifdef HAVE_CYRUS_SASL | |
340 g_string_append(js->sasl_mechs, mech_name); | |
341 g_string_append_c(js->sasl_mechs, ' '); | |
342 #else | |
343 if(mech_name && !strcmp(mech_name, "DIGEST-MD5")) | |
344 digest_md5 = TRUE; | |
345 else if(mech_name && !strcmp(mech_name, "PLAIN")) | |
346 plain = TRUE; | |
347 #endif | |
348 g_free(mech_name); | |
349 } | |
350 | |
351 #ifdef HAVE_CYRUS_SASL | |
352 js->auth_type = JABBER_AUTH_CYRUS; | |
353 | |
354 /* Set up our callbacks structure */ | |
355 js->sasl_cb = g_new0(sasl_callback_t,6); | |
356 | |
357 id = 0; | |
358 js->sasl_cb[id].id = SASL_CB_GETREALM; | |
359 js->sasl_cb[id].proc = jabber_sasl_cb_realm; | |
360 js->sasl_cb[id].context = (void *)js; | |
361 id++; | |
362 | |
363 js->sasl_cb[id].id = SASL_CB_AUTHNAME; | |
364 js->sasl_cb[id].proc = jabber_sasl_cb_simple; | |
365 js->sasl_cb[id].context = (void *)js; | |
366 id++; | |
367 | |
368 js->sasl_cb[id].id = SASL_CB_USER; | |
369 js->sasl_cb[id].proc = jabber_sasl_cb_simple; | |
370 js->sasl_cb[id].context = (void *)js; | |
371 id++; | |
372 | |
373 if (gaim_account_get_password(js->gc->account)) { | |
374 js->sasl_cb[id].id = SASL_CB_PASS; | |
375 js->sasl_cb[id].proc = jabber_sasl_cb_secret; | |
376 js->sasl_cb[id].context = (void *)js; | |
377 id++; | |
378 } | |
379 | |
380 js->sasl_cb[id].id = SASL_CB_LOG; | |
381 js->sasl_cb[id].proc = jabber_sasl_cb_log; | |
382 js->sasl_cb[id].context = (void*)js; | |
383 id++; | |
384 | |
385 js->sasl_cb[id].id = SASL_CB_LIST_END; | |
386 | |
387 jabber_auth_start_cyrus(js); | |
388 #else | |
389 | |
390 if(digest_md5) { | |
391 xmlnode *auth; | |
392 | |
393 js->auth_type = JABBER_AUTH_DIGEST_MD5; | |
394 auth = xmlnode_new("auth"); | |
395 xmlnode_set_namespace(auth, "urn:ietf:params:xml:ns:xmpp-sasl"); | |
396 xmlnode_set_attrib(auth, "mechanism", "DIGEST-MD5"); | |
397 | |
398 jabber_send(js, auth); | |
399 xmlnode_free(auth); | |
400 } else if(plain) { | |
401 js->auth_type = JABBER_AUTH_PLAIN; | |
402 | |
403 if(js->gsc == NULL && !gaim_account_get_bool(js->gc->account, "auth_plain_in_clear", FALSE)) { | |
404 gaim_request_yes_no(js->gc, _("Plaintext Authentication"), | |
405 _("Plaintext Authentication"), | |
406 _("This server requires plaintext authentication over an unencrypted connection. Allow this and continue authentication?"), | |
407 2, js->gc->account, allow_plaintext_auth, | |
408 disallow_plaintext_auth); | |
409 return; | |
410 } | |
411 finish_plaintext_authentication(js); | |
412 } else { | |
413 gaim_connection_error(js->gc, | |
414 _("Server does not use any supported authentication method")); | |
415 } | |
416 #endif | |
417 } | |
418 | |
419 static void auth_old_result_cb(JabberStream *js, xmlnode *packet, gpointer data) | |
420 { | |
421 const char *type = xmlnode_get_attrib(packet, "type"); | |
422 | |
423 if(type && !strcmp(type, "result")) { | |
424 jabber_stream_set_state(js, JABBER_STREAM_CONNECTED); | |
425 } else { | |
426 char *msg = jabber_parse_error(js, packet); | |
427 xmlnode *error; | |
428 const char *err_code; | |
429 | |
430 if((error = xmlnode_get_child(packet, "error")) && | |
431 (err_code = xmlnode_get_attrib(error, "code")) && | |
432 !strcmp(err_code, "401")) { | |
433 js->gc->wants_to_die = TRUE; | |
434 } | |
435 | |
436 gaim_connection_error(js->gc, msg); | |
437 g_free(msg); | |
438 } | |
439 } | |
440 | |
441 static void auth_old_cb(JabberStream *js, xmlnode *packet, gpointer data) | |
442 { | |
443 JabberIq *iq; | |
444 xmlnode *query, *x; | |
445 const char *type = xmlnode_get_attrib(packet, "type"); | |
446 const char *pw = gaim_connection_get_password(js->gc); | |
447 | |
448 if(!type) { | |
449 gaim_connection_error(js->gc, _("Invalid response from server.")); | |
450 return; | |
451 } else if(!strcmp(type, "error")) { | |
452 char *msg = jabber_parse_error(js, packet); | |
453 gaim_connection_error(js->gc, msg); | |
454 g_free(msg); | |
455 } else if(!strcmp(type, "result")) { | |
456 query = xmlnode_get_child(packet, "query"); | |
457 if(js->stream_id && xmlnode_get_child(query, "digest")) { | |
458 unsigned char hashval[20]; | |
459 char *s, h[41], *p; | |
460 int i; | |
461 | |
462 iq = jabber_iq_new_query(js, JABBER_IQ_SET, "jabber:iq:auth"); | |
463 query = xmlnode_get_child(iq->node, "query"); | |
464 x = xmlnode_new_child(query, "username"); | |
465 xmlnode_insert_data(x, js->user->node, -1); | |
466 x = xmlnode_new_child(query, "resource"); | |
467 xmlnode_insert_data(x, js->user->resource, -1); | |
468 | |
469 x = xmlnode_new_child(query, "digest"); | |
470 s = g_strdup_printf("%s%s", js->stream_id, pw); | |
471 | |
472 gaim_cipher_digest_region("sha1", (guchar *)s, strlen(s), | |
473 sizeof(hashval), hashval, NULL); | |
474 | |
475 p = h; | |
476 for(i=0; i<20; i++, p+=2) | |
477 snprintf(p, 3, "%02x", hashval[i]); | |
478 xmlnode_insert_data(x, h, -1); | |
479 g_free(s); | |
480 jabber_iq_set_callback(iq, auth_old_result_cb, NULL); | |
481 jabber_iq_send(iq); | |
482 | |
483 } else if(xmlnode_get_child(query, "password")) { | |
484 if(js->gsc == NULL && !gaim_account_get_bool(js->gc->account, | |
485 "auth_plain_in_clear", FALSE)) { | |
486 gaim_request_yes_no(js->gc, _("Plaintext Authentication"), | |
487 _("Plaintext Authentication"), | |
488 _("This server requires plaintext authentication over an unencrypted connection. Allow this and continue authentication?"), | |
489 2, js->gc->account, allow_plaintext_auth, | |
490 disallow_plaintext_auth); | |
491 return; | |
492 } | |
493 finish_plaintext_authentication(js); | |
494 } else { | |
495 gaim_connection_error(js->gc, | |
496 _("Server does not use any supported authentication method")); | |
497 return; | |
498 } | |
499 } | |
500 } | |
501 | |
502 void jabber_auth_start_old(JabberStream *js) | |
503 { | |
504 JabberIq *iq; | |
505 xmlnode *query, *username; | |
506 | |
507 iq = jabber_iq_new_query(js, JABBER_IQ_GET, "jabber:iq:auth"); | |
508 | |
509 query = xmlnode_get_child(iq->node, "query"); | |
510 username = xmlnode_new_child(query, "username"); | |
511 xmlnode_insert_data(username, js->user->node, -1); | |
512 | |
513 jabber_iq_set_callback(iq, auth_old_cb, NULL); | |
514 | |
515 jabber_iq_send(iq); | |
516 } | |
517 | |
518 static GHashTable* parse_challenge(const char *challenge) | |
519 { | |
520 GHashTable *ret = g_hash_table_new_full(g_str_hash, g_str_equal, | |
521 g_free, g_free); | |
522 char **pairs; | |
523 int i; | |
524 | |
525 pairs = g_strsplit(challenge, ",", -1); | |
526 | |
527 for(i=0; pairs[i]; i++) { | |
528 char **keyval = g_strsplit(pairs[i], "=", 2); | |
529 if(keyval[0] && keyval[1]) { | |
530 if(keyval[1][0] == '"' && keyval[1][strlen(keyval[1])-1] == '"') | |
531 g_hash_table_replace(ret, g_strdup(keyval[0]), g_strndup(keyval[1]+1, strlen(keyval[1])-2)); | |
532 else | |
533 g_hash_table_replace(ret, g_strdup(keyval[0]), g_strdup(keyval[1])); | |
534 } | |
535 g_strfreev(keyval); | |
536 } | |
537 | |
538 g_strfreev(pairs); | |
539 | |
540 return ret; | |
541 } | |
542 | |
543 static char * | |
544 generate_response_value(JabberID *jid, const char *passwd, const char *nonce, | |
545 const char *cnonce, const char *a2, const char *realm) | |
546 { | |
547 GaimCipher *cipher; | |
548 GaimCipherContext *context; | |
549 guchar result[16]; | |
550 size_t a1len; | |
551 | |
552 gchar *a1, *convnode=NULL, *convpasswd = NULL, *ha1, *ha2, *kd, *x, *z; | |
553 | |
554 if((convnode = g_convert(jid->node, strlen(jid->node), "iso-8859-1", "utf-8", | |
555 NULL, NULL, NULL)) == NULL) { | |
556 convnode = g_strdup(jid->node); | |
557 } | |
558 if(passwd && ((convpasswd = g_convert(passwd, strlen(passwd), "iso-8859-1", | |
559 "utf-8", NULL, NULL, NULL)) == NULL)) { | |
560 convpasswd = g_strdup(passwd); | |
561 } | |
562 | |
563 cipher = gaim_ciphers_find_cipher("md5"); | |
564 context = gaim_cipher_context_new(cipher, NULL); | |
565 | |
566 x = g_strdup_printf("%s:%s:%s", convnode, realm, convpasswd ? convpasswd : ""); | |
567 gaim_cipher_context_append(context, (const guchar *)x, strlen(x)); | |
568 gaim_cipher_context_digest(context, sizeof(result), result, NULL); | |
569 | |
570 a1 = g_strdup_printf("xxxxxxxxxxxxxxxx:%s:%s", nonce, cnonce); | |
571 a1len = strlen(a1); | |
572 g_memmove(a1, result, 16); | |
573 | |
574 gaim_cipher_context_reset(context, NULL); | |
575 gaim_cipher_context_append(context, (const guchar *)a1, a1len); | |
576 gaim_cipher_context_digest(context, sizeof(result), result, NULL); | |
577 | |
578 ha1 = gaim_base16_encode(result, 16); | |
579 | |
580 gaim_cipher_context_reset(context, NULL); | |
581 gaim_cipher_context_append(context, (const guchar *)a2, strlen(a2)); | |
582 gaim_cipher_context_digest(context, sizeof(result), result, NULL); | |
583 | |
584 ha2 = gaim_base16_encode(result, 16); | |
585 | |
586 kd = g_strdup_printf("%s:%s:00000001:%s:auth:%s", ha1, nonce, cnonce, ha2); | |
587 | |
588 gaim_cipher_context_reset(context, NULL); | |
589 gaim_cipher_context_append(context, (const guchar *)kd, strlen(kd)); | |
590 gaim_cipher_context_digest(context, sizeof(result), result, NULL); | |
591 gaim_cipher_context_destroy(context); | |
592 | |
593 z = gaim_base16_encode(result, 16); | |
594 | |
595 g_free(convnode); | |
596 g_free(convpasswd); | |
597 g_free(x); | |
598 g_free(a1); | |
599 g_free(ha1); | |
600 g_free(ha2); | |
601 g_free(kd); | |
602 | |
603 return z; | |
604 } | |
605 | |
606 void | |
607 jabber_auth_handle_challenge(JabberStream *js, xmlnode *packet) | |
608 { | |
609 | |
610 if(js->auth_type == JABBER_AUTH_DIGEST_MD5) { | |
611 char *enc_in = xmlnode_get_data(packet); | |
612 char *dec_in; | |
613 char *enc_out; | |
614 GHashTable *parts; | |
615 | |
616 if(!enc_in) { | |
617 gaim_connection_error(js->gc, _("Invalid response from server.")); | |
618 return; | |
619 } | |
620 | |
621 dec_in = (char *)gaim_base64_decode(enc_in, NULL); | |
622 gaim_debug(GAIM_DEBUG_MISC, "jabber", "decoded challenge (%d): %s\n", | |
623 strlen(dec_in), dec_in); | |
624 | |
625 parts = parse_challenge(dec_in); | |
626 | |
627 | |
628 if (g_hash_table_lookup(parts, "rspauth")) { | |
629 char *rspauth = g_hash_table_lookup(parts, "rspauth"); | |
630 | |
631 | |
632 if(rspauth && js->expected_rspauth && | |
633 !strcmp(rspauth, js->expected_rspauth)) { | |
634 jabber_send_raw(js, | |
635 "<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl' />", | |
636 -1); | |
637 } else { | |
638 gaim_connection_error(js->gc, _("Invalid challenge from server")); | |
639 } | |
640 g_free(js->expected_rspauth); | |
641 } else { | |
642 /* assemble a response, and send it */ | |
643 /* see RFC 2831 */ | |
644 GString *response = g_string_new(""); | |
645 char *a2; | |
646 char *auth_resp; | |
647 char *buf; | |
648 char *cnonce; | |
649 char *realm; | |
650 char *nonce; | |
651 | |
652 /* we're actually supposed to prompt the user for a realm if | |
653 * the server doesn't send one, but that really complicates things, | |
654 * so i'm not gonna worry about it until is poses a problem to | |
655 * someone, or I get really bored */ | |
656 realm = g_hash_table_lookup(parts, "realm"); | |
657 if(!realm) | |
658 realm = js->user->domain; | |
659 | |
660 cnonce = g_strdup_printf("%x%u%x", g_random_int(), (int)time(NULL), | |
661 g_random_int()); | |
662 nonce = g_hash_table_lookup(parts, "nonce"); | |
663 | |
664 | |
665 a2 = g_strdup_printf("AUTHENTICATE:xmpp/%s", realm); | |
666 auth_resp = generate_response_value(js->user, | |
667 gaim_connection_get_password(js->gc), nonce, cnonce, a2, realm); | |
668 g_free(a2); | |
669 | |
670 a2 = g_strdup_printf(":xmpp/%s", realm); | |
671 js->expected_rspauth = generate_response_value(js->user, | |
672 gaim_connection_get_password(js->gc), nonce, cnonce, a2, realm); | |
673 g_free(a2); | |
674 | |
675 | |
676 g_string_append_printf(response, "username=\"%s\"", js->user->node); | |
677 g_string_append_printf(response, ",realm=\"%s\"", realm); | |
678 g_string_append_printf(response, ",nonce=\"%s\"", nonce); | |
679 g_string_append_printf(response, ",cnonce=\"%s\"", cnonce); | |
680 g_string_append_printf(response, ",nc=00000001"); | |
681 g_string_append_printf(response, ",qop=auth"); | |
682 g_string_append_printf(response, ",digest-uri=\"xmpp/%s\"", realm); | |
683 g_string_append_printf(response, ",response=%s", auth_resp); | |
684 g_string_append_printf(response, ",charset=utf-8"); | |
685 | |
686 g_free(auth_resp); | |
687 g_free(cnonce); | |
688 | |
689 enc_out = gaim_base64_encode((guchar *)response->str, response->len); | |
690 | |
691 gaim_debug(GAIM_DEBUG_MISC, "jabber", "decoded response (%d): %s\n", response->len, response->str); | |
692 | |
693 buf = g_strdup_printf("<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>%s</response>", enc_out); | |
694 | |
695 jabber_send_raw(js, buf, -1); | |
696 | |
697 g_free(buf); | |
698 | |
699 g_free(enc_out); | |
700 | |
701 g_string_free(response, TRUE); | |
702 } | |
703 | |
704 g_free(enc_in); | |
705 g_free(dec_in); | |
706 g_hash_table_destroy(parts); | |
707 } | |
708 #ifdef HAVE_CYRUS_SASL | |
709 else if (js->auth_type == JABBER_AUTH_CYRUS) { | |
710 char *enc_in = xmlnode_get_data(packet); | |
711 unsigned char *dec_in; | |
712 char *enc_out; | |
713 const char *c_out; | |
714 unsigned int clen; | |
715 gsize declen; | |
716 xmlnode *response; | |
717 | |
718 dec_in = gaim_base64_decode(enc_in, &declen); | |
719 | |
720 js->sasl_state = sasl_client_step(js->sasl, (char*)dec_in, declen, | |
721 NULL, &c_out, &clen); | |
722 g_free(enc_in); | |
723 g_free(dec_in); | |
724 if (js->sasl_state != SASL_CONTINUE && js->sasl_state != SASL_OK) { | |
725 gaim_debug_error("jabber", "Error is %d : %s\n",js->sasl_state,sasl_errdetail(js->sasl)); | |
726 gaim_connection_error(js->gc, _("SASL error")); | |
727 return; | |
728 } else { | |
729 response = xmlnode_new("response"); | |
730 xmlnode_set_namespace(response, "urn:ietf:params:xml:ns:xmpp-sasl"); | |
731 if (c_out) { | |
732 enc_out = gaim_base64_encode((unsigned char*)c_out, clen); | |
733 xmlnode_insert_data(response, enc_out, -1); | |
734 g_free(enc_out); | |
735 } | |
736 jabber_send(js, response); | |
737 xmlnode_free(response); | |
738 } | |
739 } | |
740 #endif | |
741 } | |
742 | |
743 void jabber_auth_handle_success(JabberStream *js, xmlnode *packet) | |
744 { | |
745 const char *ns = xmlnode_get_namespace(packet); | |
746 #ifdef HAVE_CYRUS_SASL | |
747 const int *x; | |
748 #endif | |
749 | |
750 if(!ns || strcmp(ns, "urn:ietf:params:xml:ns:xmpp-sasl")) { | |
751 gaim_connection_error(js->gc, _("Invalid response from server.")); | |
752 return; | |
753 } | |
754 | |
755 #ifdef HAVE_CYRUS_SASL | |
756 /* The SASL docs say that if the client hasn't returned OK yet, we | |
757 * should try one more round against it | |
758 */ | |
759 if (js->sasl_state != SASL_OK) { | |
760 char *enc_in = xmlnode_get_data(packet); | |
761 unsigned char *dec_in = NULL; | |
762 const char *c_out; | |
763 unsigned int clen; | |
764 gsize declen = 0; | |
765 | |
766 if(enc_in != NULL) | |
767 dec_in = gaim_base64_decode(enc_in, &declen); | |
768 | |
769 js->sasl_state = sasl_client_step(js->sasl, (char*)dec_in, declen, NULL, &c_out, &clen); | |
770 | |
771 g_free(enc_in); | |
772 g_free(dec_in); | |
773 | |
774 if (js->sasl_state != SASL_OK) { | |
775 /* This should never happen! */ | |
776 gaim_connection_error(js->gc, _("Invalid response from server.")); | |
777 } | |
778 } | |
779 /* If we've negotiated a security layer, we need to enable it */ | |
780 sasl_getprop(js->sasl, SASL_SSF, &x); | |
781 if (*x > 0) { | |
782 sasl_getprop(js->sasl, SASL_MAXOUTBUF, &x); | |
783 js->sasl_maxbuf = *x; | |
784 } | |
785 #endif | |
786 | |
787 jabber_stream_set_state(js, JABBER_STREAM_REINITIALIZING); | |
788 } | |
789 | |
790 void jabber_auth_handle_failure(JabberStream *js, xmlnode *packet) | |
791 { | |
792 char *msg = jabber_parse_error(js, packet); | |
793 | |
794 if(!msg) { | |
795 gaim_connection_error(js->gc, _("Invalid response from server.")); | |
796 } else { | |
797 gaim_connection_error(js->gc, msg); | |
798 g_free(msg); | |
799 } | |
800 } |